decypher Technologies ver 1 0

decypher Technologies June 2015

Transcript of decypher Technologies ver 1 0

Page 1: decypher Technologies ver 1 0

decypher Technologies

June 2015

Page 2: decypher Technologies ver 1 0

Cyber Security in a Connected World

The fact that even large organizations have fallen prey to cyber attacks is a clear indication that Security must be viewed beyond Compliance, and that Security Engineering practices must be applied to safeguard Information Assets and Information Systems.

With the alarming rate of increase of security breaches and data compromise, there is an immediate need to safeguard the Information Asset and the ICT infrastructure by adopting the right strategies for providing assurance to the organization, shareholders and customers.

Financial results leaked to the media, confidential business plans compromised, consumer financial and medical data posted on the web, ATMs being hacked into, state sponsored cyber terrorism and hacking into the critical infrastructure are just some of the myriad forms of security breaches hitting the headlines every other day.

Page 3: decypher Technologies ver 1 0

2014’s Top Breaches So Far

eBay

145 Million People Affected

Information Compromised: Encrypted passwords, customer names, e-mail IDs, mailing addresses, phone numbers, dates of birth

Montana Department of Public Health and Human Services

4.6 Million People Affected

Information Compromised: Names, addresses, dates of birth, SSN, information related to health assessments, diagnoses, treatments, prescriptions, insurance

Benesse Holding Inc

20.7 Million People Affected

Information Compromised: Customer names, addresses, telephone numbers, birthdates, gender

Paddy Power

650,000 People Affected

Information Compromised: Customer names, usernames, addresses, email IDs, phone numbers, dates of birth, question-and-answer security questions

Community Health Systems

4.5 Million People Affected

Information Compromised: Names, addresses, birthdates, telephone numbers, SSN

Goodwill

868,000 People Affected

Information Compromised: Names, payment card numbers, expiration dates

Google

5 Million People Affected

Information Compromised: Usernames and passwords

Home Depot

56 Million People Affected

Information Compromised: Credit and Debit card numbers

[Chart: breach timeline from May 2014 to Oct 2014; scale 0 to 150, Numbers in Millions]

Page 4: decypher Technologies ver 1 0

Global Trends in Cyber Security

Worldwide Landscape

• 50% of the World’s Netizens’ Identities Compromised

• Complex connected Infrastructure Security

• Dynamic, ever-evolving threat landscape

• Dynamic Threat Surface area

• Ever-changing Vulnerabilities lifecycle

• Cyber Attack far too complex to be handled

Indian Landscape

• 2.9 million people fell victim to cybercrime

• $4 Billion in direct financial losses

• $3.6 Billion spent in time resolving the crime

• 4 in 5 have been victims of cyber crime

• 17% of adults online have experienced cybercrime on their mobile phones

• National Critical Infrastructure is under attack

Page 5: decypher Technologies ver 1 0

India Risk Survey-2014, FICCI – Key messages

[Figure: top three risks in each region of India (by region segment) and top three risks in each industrial sector (by industry segment)]

Page 6: decypher Technologies ver 1 0

Global View

The United States government believes the security of computer systems is important to the world due to the increased role of Information Technology (IT) and the growth of the e-commerce sector.

In the European Union, draft legislation would "require all companies to report attacks on and breaches of their networks to local authorities, which would be obliged to make them public".

International legal issues of cyber security are complicated in nature due to conflict of laws in cyberspace. There is no universally applicable cyber security treaty and many legal experts believe that an international cyber security treaty is urgently required.

Page 7: decypher Technologies ver 1 0

India View

• India has no dedicated cyber security regulation, though a few provisions can be found under the rules framed under the Information Technology Act 2000

• National Cyber Security Policy of India 2013 has remained ineffective and non-implementable

• Indian cyber security policy has failed to protect civil liberties of Indians including privacy rights. Civil liberties protection in cyberspace has been blatantly ignored by Indian government while e-surveillance projects have been kept intact by the Indian government

• No legal obligation for cyber security breach disclosures

Internet Usage – Statistics

India is 3rd in terms of Internet users and the Information Technology Infrastructure & Security spending is projected to grow from 1 bn to 1.5 bn

• 65 mn active internet users, up 28% from 51 mn in 2010

• 50 mn users shop on online shopping sites

• 46+ mn social network users

• 346 mn mobile users subscribed to data packages

Reported Attacks

• Jun’12, India's Eastern Navy Command

• MoEA, MoHA, DRDO, ITBP - reported attacks

• NIC email Servers also targeted

• NTRO believes attacks targeted at networks hosting state secrets

• Airport Authority of India Servers attacked

• Power grid failure

Page 8: decypher Technologies ver 1 0

Introduction

Decypher Technologies is a Cyber Security, Information Technology & Management Consulting organization. Decypher Technologies provides Cyber Security engineering consulting services through highly experienced professionals trained on Ethical Hacking using Open Source tools and Black Box hack methodology.

Decypher Technologies has a team of in-house professionals and partners to provide best in class end-to-end IT Infrastructure and Application consulting.

Page 9: decypher Technologies ver 1 0

Proven Methodology - Plan-Do-Check-Act

Page 10: decypher Technologies ver 1 0

Service Portfolio

Information Security Consulting

Consulting – Third Party Assessments

ISMS – ISO 27001 Consulting and Implementation

Application Security

(i)Security Operation Center

Cyber Forensics & e-Discovery

Sensitive Cyber Crime Investigation

Cyber Security Culture Building

Enterprise Performance Management

Page 11: decypher Technologies ver 1 0

Existing Client Panel

Domestic International

Page 12: decypher Technologies ver 1 0

Service Offering

Page 13: decypher Technologies ver 1 0

Information Security Consulting

Offensive Security and Alternative Analysis for Securing Information and Information Systems

Approach

Our consultants carry out the specific functions of offensive security, war-gaming and control mechanism assessments through the following:

• Structured design and implementation testing leading to full-scope penetration testing engagements, using custom-built tools to simulate exfiltration tactics related to various persistent attacks

• Testing of security deployment’s performance to assess preparedness, vulnerabilities and limitations

• Emulate adversary to create real time threat scenario for meeting the goals of Inspect, Detect and Protect

• Support with focus on intelligence gathering, profiling, process analysis, 3rd party suppliers, employee awareness and social engineering

Value Proposition

Focus on often neglected aspects of traditional IT security implementation and policies by entwining security testing with state of the art security intelligence techniques and demonstrating Return on Investment in security personnel, technology and resources.

Service Offering

• APT simulations and Custom Malware Insertion

• Assessment of malware detection capabilities

• Cyber kill chain

• War-gaming exercises

• Specialized perimeter security & compliance assessments

• Penetration Testing of:

  • Network Infrastructure including VPN, VOIP

  • Wi-Fi networks

  • Web and Mobile applications

  • Mobility devices

Page 14: decypher Technologies ver 1 0

Consulting – Third Party Assessments

Offensive Security and Alternative Analysis for Securing Information and Information Systems

Approach

Our assessment methodology utilizes analytics and research oriented techniques so as to provide value beyond compliance and help organizations adopt a proactive strategy towards preparedness against information breach or cyber security incident through the following:

• Reviewers supported by a team of security researchers for advising on feasible solutions for any identified vulnerability in the technical control environment

• Computer Assisted Review Technique that allows for larger sampling, reduced touchpoint with auditee, lower cycle time, improved efficiency and accuracy

Value Proposition

Security beyond compliance with emphasis on research and analytics based reviews, in turn assisting clients in optimizing their security investments

Service Offering

• Assessments for Contractual compliance and effectiveness

• Penetration Testing of Network Infrastructure including VPN, VOIP, Wi-Fi networks, Web and Mobile applications

• Application Architecture Risk Analysis & Secure Code Review

• Zero-day Vulnerability Management

• Digital Forensics and Fraud Analytics

• Assessments for Business Continuity and Disaster Recovery

• ICT Supply Chain Reviews for Vendor and Contractors in line with NIST SP 800-161

• Information Security Risk Assessments

• Reviews for Security Control Implementation and Monitoring

Page 15: decypher Technologies ver 1 0

• Information security policy formulation;

• Identifying information security objectives and plans;

• Identifying roles and responsibilities for information security;

• Communication to the organization about the importance of adhering to the information security policy;

• Participation in the ISMS Plan-Do-Check-Act [PDCA] process, as described in ISO/IEC 27001; &

• Determining the acceptable level of risk.

ISMS – ISO 27001 Consulting and Implementation

Approach

Value Proposition

Service Offering

• All activities must have a methodical approach. The method may be arbitrary but it must be well defined and well documented;

• The company or organization must document its own security goals.

• All of the security measures considered in the ISMS.

• The standard offers a broad range of security controls. The organization must decide which controls are relevant for them to implement based on the specific needs of their business;

• A process must ensure the continuous verification of all elements of the security system through audits and reviews;

• A process must ensure the continuous improvement of all elements of the information and security management system

These practices form the framework within which the organization will establish an ISMS.

Complete assistance in getting you prepared for an ISO 27001 Certification

Page 16: decypher Technologies ver 1 0

Application Security (Mobile Apps included)

OWASP based approach for comprehensive application security testing

Approach

• Static and Dynamic code testing

• External attack simulations for identification of vulnerabilities

• Proactive attack surface identification using details of software components, threats, security controls

• Architecture level reviews for assessing conformance to industry best practices

• Testing, Audit of End-to-End IT System including Front-End, Middleware, Back-End Systems

• Application patch packaging, testing and deployment

Service Offering

• Threat Modeling

• Architecture Risk Analysis

• Secure Code Review

• Application Security Review

• Mobile Application Security

• Penetration Testing

• Zero-day Vulnerability Management

• Secure Coding Practices

• Training on Defensive Programming

Value Proposition

End-to-end application security management using industry benchmarks and correlation on the exploitability through due consideration to the applicable threat vectors and early adoption of proactive risk mitigation strategies, thereby ensuring Confidentiality, Integrity and Availability of Information Systems.

Page 17: decypher Technologies ver 1 0

Security Operations Center

Managing Security Incidents through timely Detection, Classification, Action and Root Cause Analysis

Approach

Holistic approach that factors critical phases of Prepare, Prevent, Detect, Respond, Recover for managing Cyber Security Operations through:

• Real-time monitoring / management

• Aggregate Logs

• Aggregate Data

• Coordinate response and remediation

• Reporting to management, auditors, security staff

• Analytics for incident identification and prioritization

• Post Incident analysis

• Forensics

• Investigations

Value Proposition

Supporting clients on efficient correlation, data mining and application of homegrown heuristic analytics methodology for proactive protection and early detection of potential incident causing events. Additionally, we facilitate efficient post incident recovery in compliance with applicable regulations and carry out detailed Post Incident Review analysis for Root Cause identification.

Service Offering

• Status Monitoring & Incident Detection – SIEM/AV/IPS/DLP Console

• Initial Diagnostics and Incident Isolation

• Problem Correctional

• Security Systems & Software management – DAT Updates/Corrective IDS/IPS, Firewall Rules

• Computing Equipment and Endpoint monitoring

• Third-Party Vendor interaction

• Escalations and Reporting

• Closure of Incidents

• Analytics based predictive modeling

• Persistent Threat Investigation

Page 18: decypher Technologies ver 1 0

Cyber Forensics and e-Discovery

Post Incident Assessment and Evidence Collection and Handling

Approach

Access to the XYZ Organization cyber forensics methodology and experienced professionals in managing the incident investigations and recovery. Controlled and well-designed e-Discovery workflows in line with the legally mandated evidence handling lifecycle.

Provide training on digital evidence collection process, digital forensics and facilitate lab setup, thereby improving the turnaround time for case resolution. Training and exposure to prepare electronic documents using best practices model, regular analysis for ensuring quality. Key steps include:

• Acquire electronic data in legally acceptable format

• Initial Production Interview and Data Harvest

• Document Processing for identifying potentially responsive documents

• Document Production for case management software such as Summation, Ringtail and Concordance

• On-line repository through our partner

Value Proposition

Service Offering

• Identify, Extract, Document computer-based evidence using deep search technique

• Provide litigation support and expert testimony

• Forensic tools and analytics capability for APT detection and Insider threat management

• Investigate theft of intellectual property, trade secrets, especially software theft

• Investigate inappropriate usage of computing resource, corporate misconduct

• Recover and reconstruct deleted documents

Page 19: decypher Technologies ver 1 0

Approach

Sensitive Cyber Crime Investigation

Post Incident Investigation along with local law enforcement agencies

Value Proposition

Service Offering

• Understanding Customer case

• Investigating the incident

• Reach a conclusion

• Investigation support

• Liaising with Cyber Crime Cell

• Liaising with Cyber Crime Lawyers

• Digital Forensics analysis

• Empanelled lawyers practicing in Cyber Laws

Complete Customer Confidentiality during and after the investigation. Single point of contact for all Cyber Crime related incidents

Page 20: decypher Technologies ver 1 0

Cyber Security Culture Building

Driving Security Behavior through Training, Awareness and Education for meeting the Organization's Security goals using Gamification Techniques, Simulations & War-game rehearsals

Approach

Structured approach to culture building process in the client organization by utilizing simulation based continual assessment techniques, in turn ensuring cyber security maturity amongst individuals. Customized thematic training modules with special focus on lessons learnt during security incidents.

• Simulation based awareness, training and education in cyber security engineering, compliant to NIST SP 800-50

• Periodic assessments of employees through simulated Social Engineering techniques

• War-gaming scenarios and role play for security incident handling

• Virtual Training Environment based learning

• Specialized domain trainings for key IT staff

• Customised awareness programs for inculcating behavior of reporting incidents, vulnerabilities

Value Proposition

Service Offering

Page 21: decypher Technologies ver 1 0

Decypher Technologies Value Proposition

Page 22: decypher Technologies ver 1 0

Key Differentiators

End to End Cyber Security Expertise, End point to Infrastructure. Domain coverage includes Artificial Intelligence, Threat Analytics, Ethical Hacking, Security Incident Management, etc. including ATM networks.

Topmost professionals in Cyber Security from varied industry domains to provide risk based consulting vs. only standard based

Blend of professionals from Business Process, BFSI and Consulting domain

Business enhancing security solution, thus optimizing cost of doing business

More than 600 CIOs, CTOs and CISOs present in the current team's social network

Proven track record in Designing, Developing, Implementing, Managing holistic security programs for safeguarding Information Assets and Systems for Global Organizations

Autonomous, Standardized and documented procedural workflows for optimization and sustainability of security practices at client end

Product Agnostic and flexible approach.

Page 23: decypher Technologies ver 1 0

Decypher Technologies

Leadership Team

Page 24: decypher Technologies ver 1 0

Partner Profile

Rajesh Sapkal

Certified Senior Resource in Information Security/Digital Forensics

Rajesh has over 20 years of experience in areas of Information Security, IT Audit, Application controls, Management controls, Security Procedures and Business Process controls. As a founder of Decypher Technologies, a core Information Security consulting firm, he has been instrumental in successfully completing complex assignments for various organizations and has successfully redone the entire network architecture of a Global MNC, bringing it at par with the big IT companies in this space. He has successfully completed Information Security Consulting assignments for various offshore Banks and Financial Institutions and was instrumental in the roll out of DLP at a leading Casino in Macau.

In his role as Global Head – Information Security at Capgemini, he was responsible for ISO 27001 certifications at Capgemini FSSBU (Kanbay). He has also set up a SOC (Security Operations Centre), handled product comparison, vendor identification and negotiations, and was instrumental in the Global roll-out of PGP, RSA and Safeword across Capgemini. In his role at Oracle (as Manager Information Security - India), he handled issues from Compliance, Audit, Abuse cases, Forensic Investigations, Liaison with Cyber Crime division of State Police, Creating Security Awareness etc. In his earlier jobs with KPMG, he successfully completed assignments on SAP controls review, Building application and Network security review, ITGC and risk assessment. He also set up a complete IT organization and handled Project Management for a new process at WNS Global Services.

Rajesh’s areas of proficiency include Security, Public Key Infrastructure, IT Controls Review, Software Engineering, Networking, IT Infrastructure security Audit, IT Security Policy and Procedure Development, Penetration Testing, Application reviews and Application level security, Digital Forensics, Project Management, Defining IT Processes and Procedures, and Business Continuity Planning / Disaster Recovery Planning (BCP/DRP).

Page 25: decypher Technologies ver 1 0

Thank You