World’s Biggest Hacker – A Challenge to the Financial, Technology and Corporate Sector Security

Ahmedabad, Gujarat (PRWeb) March 18, 2007 — Born in a small village near the famous Indian city known as the Pink City of India, Mr. Sharma has worked in security research for the last 8 years. He now has full control over the global web security system. His life was full of struggle and heavy stress. He describes his strength and pride by calling himself a "full stop on the e-system". His aim was to perform unique tasks across the globe, tasks that no one other than him can perform. He proved this through a live, on-air telecast on one of the most reputed news channels, INDIA TV (http://www.indiatvnews.com). The telecast was aired as Breaking News on INDIA TV and was the first and longest hacking and security related news telecast in the world. It ran from 9:00 PM to 12:30 AM and is one of the best serialized news programmes in India. The Minister of Information Technology, technical experts, stock exchange experts, cyber crime experts, the Indian Star editors' team and corporate representatives were all present during the telecast. Mr. Sharma hacked several internet banking, internet trading and internet shopping websites in a single attempt. Recently, Mr. Sharma also announced his new security firm, Shubhlabh Technologies. He describes hacking as expert-level work: the technical art of finding vulnerabilities in the weak security of any online activity on the Internet. Kalpesh Sharma gave a live demonstration of net banking and its loopholes. He argued that no bank is safe for your money, and challenged all banks, saying he can hack any bank site because of their loopholes. His stated intention, however, was to help people become safe and aware of technical security.

First, he reserved an air ticket on the indiatimes.com shopping website for free; the payment was made by hacking the IDBI Bank payment gateway. Second, he purchased a raincoat from the rediff shopping website, with the payment made by hacking Federal Bank. From both websites he received a receipt with an order number and a confirmation that the payment was done and the item would be delivered within 3 days…

Along with this, Mr. Sharma also took part in a debate during the same live telecast with Mr. Dhrender Kumar (stock exchange expert) and Pawan Duggal (cyber law expert), who were shocked to see all of this right in front of their eyes. Mr. Dhrender said, “I am shocked to see this situation. Now our money is not safe, and we cannot take the physical risk of keeping huge amounts of funds with us, because the technical era is on its way towards progress. In order to avoid this we are using net banking, but as seen there are several vulnerabilities in the banking system also…”

Mr. Pawan Duggal described some clauses and sections of the Information Technology Act and said that people who have lost their money can claim up to 10 million INR. But you have to prove it in a court of law, which is very difficult to do, and you cannot get help from a consumer court in this situation either. No one knows what can be done. Mr. Sharma also hacked the so-called safe shares and securities trading website Indiabulls.com and transferred 100 INR into his Union Bank savings account; the Indiabulls database reflected the balance change immediately. To discuss this, Mr. Gagan Banga (President of Indiabulls) was called into the live telecast. Instead of accepting his company's technical mistakes, he disputed Mr. Sharma's claims and denied everything, although it had been seen by millions of people across the nation. He said, “It’s not possible to hack our trading website.” Mr. Sharma then challenged him to prove it during the running live telecast and asked him for oral permission, adding that the public viewers of the telecast should give their verdict after he demonstrated it right then. Mr. Gagan grew nervous, because this could cost the company the confidence of the public. In the end he accepted the challenge and told Mr. Sharma that he could come to his office and hack Mr. Gagan's account: “I will give you permission to hack my account, but I can’t give permission for hacking other people's accounts.” This shows that Mr. Gagan had doubts about his website and was afraid of Mr. Sharma's challenge.

For further discussion Mr. Shakeel Ahmed (IT Minister of India) joined and said that he is not a technical person, but that he will definitely do well for the people of his country with his technical team… In short, none of our money is safe until online security vulnerabilities are completely removed. To learn more about Mr. Sharma's research activities and services, go to [http://kalpeshsharma.page.tl]

Network Security – Not With a P2P Network!

Most small business networks grow and evolve as the business grows. In one way, this is good. It shows the business is growing, becoming stronger. Unfortunately, from a network perspective, it can be a disaster in the making.

Most small business networks are set up in a peer-to-peer (P2P) format, while large corporate networks are set up in a domain format. What does this mean to you?

First, let us define the two formats. In a P2P (workgroup) network every PC is responsible for its own security and access control; each PC is the equal of every other PC in the network. These networks generally consist of fewer than ten computers and require a large amount of administrative overhead to run securely.

In this format the attitude of the user population is of prime importance. If users have a high level of security awareness your network will be more secure; if they don't, your network will be wide open to insider exploitation.

You can see the problem: ten computers and ten administrators equal little accountability.

In a domain system there is a single point of administration, the network administrator, who is responsible for maintaining the network.

A network set up in this format consists of at least one server, the domain controller, which administers the rest of the network. The domain controller manages user and computer access, freeing the network administrator from having to touch every PC in the network.

When a user logs onto her PC in a P2P network she authenticates only to that machine; in a domain system it is a little more involved.

In a domain system, when she logs onto her computer her credentials are first checked by the domain controller. If her account is found and the password is correct she receives a logon token carrying her group memberships, which is what the network resources assigned to her check when she connects to them, and she is then allowed onto her desktop. If her account isn't found in the domain, the domain logon is refused; at most she can sign in with a local account that has access only to that one PC.

Now that you know a little about the two network structures you can see the advantages of the domain design.

This format requires planning. You must sit down and outline what you want your network to accomplish.

Consider what access your users really need to do their jobs. In the security world this is called the principle of least privilege: grant the least access required to do the job. Do your sales reps really need access to your financial files? What about external vendors?

All of this needs to be thought out and addressed.

Here’s an example of how I set up a small sales organization. The business consisted of about eight employees and the two owners. With the assistance of the owners we defined three user groups: owners, admin and sales.

The owners group was granted full and complete access, while each of the other groups received lesser and different access. The admin group received access to the financial and administrative functions, and the sales group received access to the sales and customer management data; specifically, it was excluded from the financial, administrative and owner functions.

Additionally, we set up auditing of both successful and unsuccessful attempts to view certain types of data, to add a layer of accountability to the network. This increases the security of their customers' data because we can now tell who accessed it and when. Auditing only pays off if the logs are retained long enough and someone actually reviews them, so size the Security log and decide who reads it as part of the plan.
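The layout described above, as an added worked example in PowerShell (this is not the article's own script): it creates the three role groups in Active Directory, applies the access matrix to four folders on a file server with inheritance cut off, turns on success and failure auditing on those folders, and pulls the resulting access events. The domain name EXAMPLE, the OU path, the D:\Data root, the folder names and the user accounts are all assumptions chosen for illustration; run it as a domain administrator on a member server that has the ActiveDirectory module installed.

```powershell
# Added example (not from the original article): builds the three-group
# least-privilege layout on a Windows domain file server.
# Assumptions: ActiveDirectory module available, running as a domain admin,
# domain EXAMPLE, data root D:\Data. Group, OU, folder and account names
# are hypothetical placeholders.
Import-Module ActiveDirectory

$domain = 'EXAMPLE'
$ou     = 'OU=Groups,DC=example,DC=local'
$root   = 'D:\Data'

# 1. Security groups: one per role, never per person.
foreach ($g in 'Owners', 'AdminStaff', 'SalesStaff') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou
    }
}
Add-ADGroupMember -Identity 'Owners'     -Members 'owner1', 'owner2'
Add-ADGroupMember -Identity 'AdminStaff' -Members 'bookkeeper'
Add-ADGroupMember -Identity 'SalesStaff' -Members 'rep1', 'rep2', 'rep3'

# 2. Access matrix: folder -> group -> rights. A group not listed for a
#    folder gets nothing at all (sales never sees Financial or Admin).
$matrix = @{
    'Financial' = @{ 'Owners' = 'FullControl'; 'AdminStaff' = 'Modify' }
    'Admin'     = @{ 'Owners' = 'FullControl'; 'AdminStaff' = 'Modify' }
    'Sales'     = @{ 'Owners' = 'FullControl'; 'SalesStaff' = 'Modify' }
    'Customers' = @{ 'Owners' = 'FullControl'; 'SalesStaff' = 'Modify' }
}

foreach ($folder in $matrix.Keys) {
    $path = Join-Path $root $folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl $path
    # Cut inheritance and drop every existing entry so permissive defaults
    # from the parent (e.g. BUILTIN\Users read) cannot leak into this folder.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    # Administrators and SYSTEM keep control so backups and admin tasks work.
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    }
    foreach ($group in $matrix[$folder].Keys) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            "$domain\$group", $matrix[$folder][$group],
            'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    }

    # 3. Auditing (SACL): log both successful and failed reads, writes,
    #    deletes and permission changes by anyone, so the Security log can
    #    answer "who touched this data, and when".
    $acl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone', 'ReadData,WriteData,Delete,ChangePermissions',
        'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'))
    Set-Acl -Path $path -AclObject $acl
}

# SACLs generate events only if object-access auditing is on for the host.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 4. Spot check: who touched the financial folder in the last day.
#    Event 4663 = "An attempt was made to access an object";
#    Properties[1] is SubjectUserName, Properties[6] is ObjectName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Message -match [regex]::Escape("$root\Financial") } |
    Select-Object TimeCreated,
        @{ n = 'User';   e = { $_.Properties[1].Value } },
        @{ n = 'Object'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Set-Acl needs the SeSecurityPrivilege right to write the SACL, which members of Administrators hold by default. The 4663 query at the end is a spot check only; on a real network the Security log of the file server should be forwarded to a central collector, because a local log that fills up and wraps is exactly what an insider hopes for.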

Network security personnel know that a large share of security breaches originate from the inside!

In my experience most small businesses use the P2P format because it is the easiest to implement and because they don’t know the security compromises they are working under.

This can be a ticking time bomb for your business. Eventually, you will experience a security lapse that could land you in court.

For instance, you have an employee leave your business. This employee downloaded all of your customer data before he left. Next, he sells this data to someone who uses it to steal the identity of several of your customers. Eventually, this theft is discovered and traced back to your employee.

Your former customers, in fully justifiable outrage, take you to court, charging you with negligence. Specifically, they hold you responsible for failing to safeguard their personal information.

Your case will be much stronger if you can show you have positive control of your network. You can point to your security procedures: employee logon auditing, security updates, acceptable use agreements, and so on. In short, you can show that you have taken the steps a reasonable person would take to secure your network and customer data.

Hopefully, your lawyer can then place the blame where it belongs: on the employee who stole the information in the first place. Ask your attorney about this! Don’t just take my word for it, I’m not a lawyer.

Remember, network security is the result of thorough planning, not haphazard improvisation. Give your network the same attention you give to the rest of your business.

If you do not have the skills or the time to be your own network administrator, you can contract with someone to handle this for you on a part-time basis. Just make sure they are reputable; you are putting your business in their hands.

5 Significant Cyber Security Risks Businesses Should Ponder

In recent years many businesses have been hit by various types of cyber attacks. Companies are under great pressure to keep their information safe and secure. Some of the common security risks businesses continue to face are listed below:

1. The human factor and a reactive mindset: Employees form the largest attack surface, since they are the ones who open phishing emails or download links that turn out to be malware. Privilege abuse by employees who hold more access than their job requires is a serious insider concern at every level of the organization, and measures need to be taken to limit that access and detect its misuse.

2. Password protection measures play a vital role: Businesses should protect all important accounts with two-factor authentication, so that a stolen or guessed password alone is not enough to get in. Passwords themselves should be long and unique per account. Rotating them every 30 or 45 days is still common practice; note, however, that current NIST guidance (SP 800-63B) recommends against forced periodic rotation unless there is evidence of compromise, because it pushes users toward predictable variations of the same password.

3. Aging infrastructure and patch management: Hardware is also a concern, since device lifecycles keep getting shorter. Buy hardware that will keep receiving vendor updates, so that aging can be managed. The 2017 WannaCry and Petya/NotPetya outbreaks underlined the importance of regular software updates: both spread using EternalBlue, an exploit for a flaw in Microsoft's SMBv1 implementation that had already been fixed in March 2017 by the MS17-010 update, before either outbreak. Because the exploit needed no user interaction, the malware could move across corporate networks on its own, which made these outbreaks particularly virulent. Protecting vulnerable systems matters, and patching is the key way to do it.
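An added example of the check this item implies, written in PowerShell for an elevated session on a Windows 8.1 / Server 2012 R2 or newer host (it is not from the original article): it shows the weak SMBv1 setting beside the hardened one, checks how current the host's patches are, and lists which hosts still answer on TCP 445. The host names at the end are hypothetical.

```powershell
# Added example (not part of the original article): exposure check for the
# path WannaCry and NotPetya took (EternalBlue against SMBv1 on TCP 445).
# Run in an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.
# Host names in step 4 are hypothetical placeholders.

# --- 1. Server side. Weak setting (default on older builds):
#        EnableSMB1Protocol = True. Hardened setting: False.
#        Disable the protocol; MS17-010 fixed one bug, SMBv1 itself is legacy.
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled; disabling'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    'SMBv1 server: disabled'
}

# --- 2. Client side: remove the optional feature too, so this host cannot be
#        lured into an SMBv1 session with a malicious server.
#        (On Windows Server the equivalent is Get-WindowsFeature FS-SMB1.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Write-Warning 'SMB1Protocol feature present; removing'
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# --- 3. Patch currency: the date of the last installed update is the simplest
#        signal that a machine has dropped out of the patch cycle.
$last = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
"Last update: $($last.HotFixID) installed $($last.InstalledOn.ToShortDateString())"
if ($last.InstalledOn -lt (Get-Date).AddDays(-45)) {
    Write-Warning 'No update installed in the last 45 days'
}

# --- 4. Lateral exposure: every host that answers on 445 is reachable by a
#        worm without anyone clicking anything. Unexpected entries here
#        (printers, appliances, forgotten test boxes) are patching blind spots.
$hosts = 'fileserver01', 'pc-sales-03', 'pc-admin-01'   # hypothetical
foreach ($h in $hosts) {
    $r = Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue
    '{0,-15} tcp/445 open: {1}' -f $h, $r.TcpTestSucceeded
}
```

Disabling the SMBv1 server takes effect immediately; removing the client feature needs a reboot. Step 4 only tells you which hosts expose the port; whether each one has actually received MS17-010 still has to be confirmed from that host's own update history or from your patch management tool.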

4. Difficulty with data integration: The volume of data flowing through an organization can overwhelm anyone, and much of it is sensitive: information about employees, partners, stakeholders, service providers and so on. Integrating these data sources is nonetheless crucial to get a clear picture of the risks inside and outside the organization.

5. Lack of a proper security recovery plan: Most businesses are still unaware of the impending cyber security risks and lack a plan for such situations. They need a written plan listing the actions to take when a cyber attack occurs, so that they can quickly and efficiently limit the damage and avoid information and economic losses.

How Can Businesses protect themselves?

Solutions marketed as SecOps aim to pair a good customer experience with robust cyber security. Such a product combines secure operations with a focus on delivering a seamless customer experience; this "security and experience go together" approach looks for the right balance between ease of use and effectiveness of protection. These solutions cover the entire software lifecycle, from secure design through security testing in development and QA to application self-protection and monitoring in production, and patching. Security is an enabler of new business opportunities in addition to helping protect your company’s people, data, and systems. Cloud security is achieved by following cloud adoption strategies with a specific focus on security and privacy, so that all operations are improved and made secure.

4 Security Tools Cleared Defense Contractors Need

Cleared defense contractors provide the technology and know-how that deliver products and services to the defense industry. CDCs can be prime contractors or subcontractors and are contracted to support government organizations. The CDC designation indicates that the organization is a government contractor with a facility clearance and employs people who hold personnel security clearances. On classified contracts, CDCs are required to protect their government customer’s classified information.

CDCs are part of the National Industrial Security Program (NISP). The National Industrial Security Program Operating Manual (NISPOM) provides guidance on how to perform on classified contracts, covering topics such as employee responsibilities, required training, continuous evaluation, maintaining security clearances, and much more. The Defense Counterintelligence and Security Agency (DCSA), formerly known as DSS, provides most DoD agency oversight and compliance reviews: it performs vulnerability assessments and determines how well a CDC protects classified information according to the NISPOM.

Cleared Defense Contractors have a big job: not only performing on classified contracts and protecting classified information, but also documenting and validating compliance. The following tools belong in the CDC’s toolbox and can be used to remain in compliance and to demonstrate the level of compliance.

1. National Industrial Security Program Operating Manual (NISPOM)

The National Industrial Security Program Operating Manual (NISPOM) is the Department of Defense’s instruction to contractors on how to protect classified information. This printing of the NISPOM includes the latest material from the Defense Security Service, including an index and Industrial Security Letters. The NISPOM addresses a cleared contractor’s responsibilities, including: Security Clearances, Required Training and Briefings, Classification and Markings, Safeguarding Classified Information, Visits and Meetings, Subcontracting, Information System Security, Special Requirements, International Security Requirements and much more.

2. International Traffic in Arms Regulation (ITAR)

“Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register…” (ITAR). “It is the contractor’s responsibility to comply with all applicable laws and regulations regarding export-controlled items.” (DDTC)

Companies that provide defense goods and services should understand how to protect US technology, and the ITAR provides the answers. ITAR is the defense product and service provider’s guide to knowing when and how to obtain an export license. It answers:

Which defense contractors should register with the DDTC?

Which defense commodities require export licenses?

Which defense services require export licenses?

What are corporate and government export responsibilities?

What constitutes an export?

How does one apply for a license or technical assistance agreement?

3. Self Inspection Handbook For NISP Contractors

The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own security reviews (self-inspections). This Self-Inspection Handbook is designed as a job aid to assist you in complying with this requirement. It is not intended to be used as a checklist only. Rather it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company. You will also find they have included various techniques that will help enhance the overall quality of your self-inspection. To be most effective it is suggested that you look at your self-inspection as a three-step process: 1) pre-inspection 2) self-inspection 3) post-inspection.

4. Training for Cleared Employees

a. Initial Security Awareness Training and Security Awareness Refresher Training


The main presentation is great for initial training or for refresher annual security awareness training required of all cleared employees.

NISPOM requires the following training topics during initial training and refresher training:

• Threat Awareness Security Briefing Including Insider Threat

• Counterintelligence Awareness Briefing

• Overview Of The Security Classification System

• Employee Reporting Obligations And Requirements, Including Insider Threat

• Cybersecurity awareness training for all authorized IS users

NISPOM Training contains requirements for the Annual Security Awareness and Initial Security Training.

b. Derivative Classifier Training

The NISPOM outlines requirements for derivative classification training, including the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years. Those without this training are not authorized to make derivative classification decisions.

Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form, information that is already classified; then mark the newly developed material consistently with the classification markings that apply to the source information.

c. Insider Threat Training

This training program covers the Insider Threat Training requirements identified in the NISPOM. The NISPOM identifies the following requirements for establishing an Insider Threat Program:

• Designate an Insider Threat senior official

• Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.

• Establish an Insider Threat Program group

• Provide Insider Threat training

• Monitor classified network activity

• Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk

• Conduct self-inspections of Insider Threat Program.

d. SF 312 Briefing

This Training is for Newly Cleared Employees and should be given prior to Initial Security Briefings

Newly cleared employees must sign an SF-312, the Classified Information Nondisclosure Agreement. Instead of just having them sign the form, give them the SF-312 briefing that describes exactly what is on the form and why they are signing it.

As mentioned earlier, CDCs not only have to perform on classified contracts according to contractual requirements, but they are evaluated on how well they are protecting classified information. The tools mentioned above are designed to assist the CDCs in meeting requirements.
