security and assurance lecture jan 14

cyber security-->cyber assurance and cyber governance

Transcript

  • 1. Securing the Unsecured in Cyber Space: Creating Digital Trust in the Cyber Era. Cyber Security, Cyber Assurance: The Need of Enterprises of Tomorrow. Prof. K. Subramanian, SM(IEEE), SMACM, FIETE, FNTF, SMCSI, MAIMA, MAIS, MCFE, MISACA(USA); Ex-Professor & Director, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU; Former IT Adviser to CAG of India; Ex-Sr. DDG (NIC), Min. of Communications & Information Technology; Former President, Cyber Society of India; Emeritus President, eISSA; Academic Advocate of ISACA (USA) in India. Prof. KS@2014 CSI Chennai Lecture, Cyber Security-->Cyber Assurance, Jan 6, 2014.
  • 2. Cyberspace is Dynamic, Undefined and Exponential
    • Countries need dynamic laws that keep pace with technological advancements.
    • In a Virtual Space, Netizens Exist, Citizens Don't!
    • Trust in E-environments:
      • Lack of a mature IT society
      • Absence of a single governing body
      • Legislation
      • High skill inventory
      • Reduced fear of being caught
      • Disgruntled employees
  • 3. Quotations
    • "The poor have sometimes objected to being governed badly; the rich have always objected to being governed at all." -- G. K. Chesterton
    • "Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps." -- Roger Revelle
    • "The law is the last interpretation of the law given by the last judge." -- Anon.
    • "Privacy is where technology and the law collide." -- Richard Smith (who traced the 'I Love You' and 'Melissa' viruses)
    • "Technology makes it possible for people to gain control over everything, except over technology." -- John Tudor
  • 4. In the Era of the Digital Age
    • Can all users be identified (e.g., employees, contractors, and business partners)?
    • Do IT managers know what users have access to?
    • Can all the interactions among users, assets, and applications be identified?
    • Do IT managers have verifiable evidence that controls are working, and that appropriate action takes place when a policy infraction occurs?
    • Does this evidence exist in minutes rather than months?
    • No one standard meets all requirements: advise on specific group standards (medical, commerce/trade services, high-end KBPOS).
    Ten Important Imperatives:
    • IT & Law
    • Security & Risk
    • Business Integration
    • Value to the Enterprise
    • Alignment = Collaboration
    • Governance and Funding
    • IT Sourcing & ITES Outsourcing
    • Performance Measures
    • Growing Talent
    • Beyond Customer Service
  • 5. Perfect Security: A Dream
    • "Perfect security is not achievable."
    • "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."
    • Concerns: Privacy vs. Society, Safety, Security, Trust
  • 6. Quotations
    • "In security matters, there is nothing like absolute security."
    • "We are only trying to build comfort levels, because security costs money and lack of it costs much more."
    • "Comfort level is a manifestation of efforts as well as a realization of its effectiveness & limitations."
  • 7. (image slide; no transcript text)
  • 8. Cyber Threats 2013
    • Data
    • Mobility
    • Questions of Responsibility
  • 9. (image slide; no transcript text)
  • 10. eSecurity Technologies
    • Cryptography & Cryptology
    • Steganography
    • Digital Watermarking
    • Digital Rights Management
    • Cyber Defence Technologies (Firewall, IDS/IPS, Perimeter and Self-Defence)
    • Access Control & ID Management (Rule, Role, Demand Based)
    • Signatures (Digital/Electronic)
    • Cyber Forensics & Cyber Audit
  • 11. Cyber Security: A Holistic View (Source: Symantec Inc.)
    • Authentication
    • Threat Management & Early Warning
    • Encryption
    • Antivirus
    • Honey Pot & Decoy
    • Firewall Technology
    • Intrusion Detection
    • Vulnerability Assessment
    • Policy Compliance
    • Proactive Control
    • Event & Incident Mgmt
    • Access Control & Authorization
    • Identity Mgmt
    • Config. Mgmt
    • Attack Recovery
    • Common Tools/Svcs
    • Console
    • VPN
    • Content Updates & Security Response
    • 24x7 Global Customer Support
  • 12. (word-cloud slide of threats, controls and business impacts)
    • Loss of credibility
    • Interception
    • Social engineering attack
    • Accidental damage
    • Data diddling
    • Embarrassment
    • Authorisation
    • Program change
    • Scavenging
    • Documentation
    • Passwords
    • Virus attack
    • Audit trails
    • Natural disaster
    • Trojan horses
    • Input validations
    • Anti-virus
    • Encryption
    • Security guards
    • Financial loss
    • Incomplete program changes
    • Loss of customers
    • IS backups
    • Hardware maintenance
    • Business continuity plan
    • Unauthorised access
    • Hardware / software failure
    • Fraud & theft
    • Losing to competition
  • 13. (image slide; no transcript text)
  • 14. Government Policy Guidelines
    • Policy on Identity and Access Management: an e-Governance standards initiative to make e-Government programs and their services a reality.
    • Draft document "e-Governance Information Security Standard" (Version 01, dated 12th October 2006) has proposed additional security controls for e-Governance purposes, viz. data security and privacy protection, network security, and application security.
    • Draft document "Base line security requirements & Selection of controls" (Version 01, 12th October 2006). http://egovstandards.gov.in
  • 15. Strategy, Policy, Good Practice
    • "Information Security Policy for Protection of Critical Information Infrastructure" (No. CERTIn/NISAP/01, issued on 1st May 2006): recent guidelines
    • Information & Privacy Protection Policy, apart from the IT Act & RTI Acts
    • Stopping Spam Before It Stops You: SPAM policy to be done
    • Privacy/Data Protection Legislation: underway
    "Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address, and they need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders."
  • 16. Corporate Governance: Business Assurance Framework
    India Initiatives:
    • 1. Clause 49
    • 2. Basel II & III (RBI)
    • 3. SEBI Corporate Governance
    • 4. Risk Management: RBI & TRAI
    • 5. MCA Initiatives: New Company Law 2013
    Global Phenomena:
    • Combines Code of UK and SOX of USA
    • Basel II & III Implementation Directives
    • Project Governance
    • IT Governance
    • Human & Humane Governance
  • 17. Learning From Experience
    • 1. The only source of knowledge is experience. -- Einstein
    • 2. One must learn by doing the thing; for though you think you know it, you have no certainty, until you try. -- Sophocles
    • 3. Experience is a hard teacher because she gives the test first, and the lesson afterwards. -- Vernon Sanders Law
    • 4. Nothing is a waste of time if you use the experience wisely. -- Rodin
  • 18. Known Threat Assessment Approaches
    • Privilege Graph [Dacier et al. 94]
      • Vertices/nodes represent privilege states
      • Edges/arcs represent privilege escalation
    • Attack Graph [Phillips et al. 98, 01, 02]
      • Vertices/nodes represent network states
      • Edges/arcs represent atomic exploits
    • Shortcomings
      • Too many details, very fine-grained
      • Without automation, model instantiation is cumbersome
      • Model checking can help, but suffers from the state explosion problem
      • Insider attacks may succeed without privilege escalation or vulnerabilities
    • Recent Insider Threat Mitigation Tools
      • Skybox View
      • SureView from Oakley Networks
      • iGuard from Reconnex
      • Content Alarm from Tablus
      • Vontu from Vontu, Inc.
      • Rule-based techniques
      • Detect policy violations
      • Forensics analysis
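The attack-graph model on this slide (vertices are network states, edges are atomic exploits) is easiest to understand on a small instance. The following is an added example, not from the lecture or any of the tools it names: it builds a constructed five-state graph (host names and exploit labels are made up), finds the shortest attack path by breadth-first search, and then answers the defender's question "which exploits must be mitigated to disconnect the target?" It also reproduces two of the slide's shortcomings: the minimum-cut search is exponential in the number of exploits (a toy version of state explosion), and an insider who already holds the "app" state bypasses the single perimeter fix entirely.

```python
import itertools
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed attack graph (illustration only). Keys are network states, i.e.
# which host the intruder controls; each edge is (next_state, atomic_exploit).
ATTACK_GRAPH: Dict[str, List[Tuple[str, str]]] = {
    "internet":   [("web", "exploit_web_rce")],
    "web":        [("app", "exploit_app_deserialization"),
                   ("db", "exploit_db_weak_creds")],
    "app":        [("db", "exploit_db_sqli"),
                   ("fileserver", "exploit_smb_share")],
    "db":         [("fileserver", "exploit_stolen_backup_creds")],
    "fileserver": [],
}

Graph = Dict[str, List[Tuple[str, str]]]


def shortest_attack_path(graph: Graph, start: str, target: str) -> Optional[List[str]]:
    """BFS over states; returns the exploit labels along the shortest path, or None."""
    prev: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == target:
            break
        for nxt, exploit in graph.get(state, []):
            if nxt not in prev:
                prev[nxt] = (state, exploit)
                queue.append(nxt)
    if target not in prev:
        return None
    path: List[str] = []
    cur = target
    while prev[cur] is not None:
        state, exploit = prev[cur]
        path.append(exploit)
        cur = state
    return list(reversed(path))


def all_exploits(graph: Graph) -> Set[str]:
    return {exploit for edges in graph.values() for _, exploit in edges}


def without(graph: Graph, mitigated: Set[str]) -> Graph:
    """Graph with the given exploits removed (i.e. patched or blocked)."""
    return {s: [(n, e) for n, e in edges if e not in mitigated] for s, edges in graph.items()}


def single_fix_cut_set(graph: Graph, start: str, target: str) -> Set[str]:
    """Exploits whose mitigation, on its own, disconnects target from start."""
    return {e for e in all_exploits(graph)
            if shortest_attack_path(without(graph, {e}), start, target) is None}


def minimum_mitigation_set(graph: Graph, start: str, target: str) -> Set[str]:
    """Smallest set of exploits whose removal disconnects target from start.
    Brute force over subsets: 2^n in the number of exploits, which is the
    slide's state-explosion caveat in miniature; fine for a toy graph."""
    exploits = sorted(all_exploits(graph))
    for k in range(len(exploits) + 1):
        for combo in itertools.combinations(exploits, k):
            if shortest_attack_path(without(graph, set(combo)), start, target) is None:
                return set(combo)
    return set(exploits)


if __name__ == "__main__":
    # External attacker: one perimeter fix breaks every path.
    print(shortest_attack_path(ATTACK_GRAPH, "internet", "fileserver"))
    print(single_fix_cut_set(ATTACK_GRAPH, "internet", "fileserver"))
    # Insider already holding "app": no single fix suffices, two are needed.
    print(shortest_attack_path(ATTACK_GRAPH, "app", "fileserver"))
    print(minimum_mitigation_set(ATTACK_GRAPH, "app", "fileserver"))
```

The contrast between the two runs is the point of the slide's last shortcoming: the perimeter-based model says fixing the web service is enough, but an insider who starts inside that perimeter needs no privilege escalation to reach the file server, so the model's conclusion is only as good as its assumed starting state.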
  • 19. Certification Issues
    Semantic issues:
    • What is certification; what does it denote and mean?
    • What are the principal concepts and elements of certification?
    • What additional concepts and notions are expressed and implied by certification?
    • What is the intent of the certification; what is it you are trying to do in certifying something?
    Technological issues:
    • How is certification achieved?
    • How are the prerequisites and context for certification established?
    • What is it you are certifying? (Object of certification)
    • Certification with respect to what? (Basis for certification)
    • What relation must exist for certification? (Object/basis relation)
    Administrative issues:
    • What activities/decisions are prerequisite for certification?
    • Who does the certification?
    • Who is the recipient of the certification?
    • How and when is certification to be conducted?
    • What is the significance of the certification for the certifier?
    • What is the significance of the certification for the recipient?
    • Why certify?
  • 20. Security Assurance: Expectations
    • "To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust."
    • "To derive a powerful logic for implementing or not implementing a security measure."
  • 21. Managing Interdependencies: Critical in Enterprises/Institutions
    • Infrastructure characteristics (organizational, operational, temporal, spatial)
    • Environment (economic, legal/regulatory, technical, social/political)
    • Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
    • Type of failure (common cause, cascading, escalating)
    • Types of interdependencies (physical, cyber, logical, geographic)
    • State of operations (normal, stressed/disrupted, repair/restoration)
  • 22. Identity Management
    • Identity management is not new, but it has evolved from the days of a single password entry onto the network to a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner.
    • While ID management tends to center on technical improvements in system security, the more important benefits are the opportunities gained by collaborating with vendors, suppliers, and customers across the supply chain.
    • The real value of an ID management solution is that it ultimately enables this wide range of business enterprise.
  • 23. Biometric System Operates on
    • Verification
    • Identification
  • 24. Biometrics (image slide)
  • 25. Layered E-trust Framework (diagram)
    • Computing E-trust Services
    • Shared E-trust Applications
    • Trusted Digital Identity Infrastructure: PKI Technology
    • Single E-trust Applications: B2B, B2C, SET, C2C
    • Infrastructure Layer
    • Layer 2 Service Provider (example: Identrus)
  • 26. Present Risk Certification Issues: Trust
    • Trust cannot be bought or sold. It has to be created.
    • Trust is earned and not given away.
    • A trusted third party or a trusted CA raises the questions:
      • trusted in relationship to whom?
      • trusted by whom?
      • trusted for what?
      • trusted for how long?
  • 27. 9 Rules of Risk Management (RiskMetrics Group)
    • There is no return without risk: rewards go to those who take risks.
    • Be transparent: risk should be discussed openly.
    • Know what you don't know: question the assumptions you make.
    • Communicate.
    • Diversify: multiple risks will produce more consistent rewards.
    • Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
    • Use common sense: it is better to be approximately right than to be precisely wrong.
    • Return is only half the question: decisions are to be made only by considering the risk and return of the possibilities.
    • Risk is measured, and managed, by people, not mathematical models.
  • 28. Properties of a Biometric Characteristic
    • Universality: each person should have the characteristic.
    • Distinctiveness: any two persons should be different in terms of the characteristic.
    • Permanence: the characteristic should be sufficiently invariant (with respect to the matching criterion) over a period of time.
    • Collectability: the characteristic should be quantitatively measurable.
  • 29. Identity Gaps in India
    • Uniform naming convention: absent
    • Birth & death registration: incomplete
    • No social security registration number
    • Absence of identity such as phones, driving licenses available with everybody
    • Electoral ID DB: complete set not there, but at least covers 600-650 m records; not auditable and verifiable
    • Absence of PAN & other ID numbers for everybody: not auditable & verifiable
  • 30. Means of Identification
    • By Possession
      • Password
        • Static
        • Dynamic
    • By Association
      • PIN/Token
    • By Card
    • By Biometrics
    • By Government
      • PAN (Taxation)
      • Passport
      • Social Security Number
      • Citizenship ID No.
      • Senior Citizen Number
    (Cognizant address, 23rd June 2005)
  • 31. Core Infrastructure Network Services
    • Domain Name System (DNS)
    • Dynamic Host Configuration Protocol (DHCP)
    • Remote Authentication Dial-In User Service (RADIUS)
    • Lightweight Directory Access Protocol (LDAP)
    • Microsoft's Active Directory
    • Novell Directory Services (NDS)
    • Public Key Infrastructure (PKI)
  • 32. Most enterprises have no common, unified database of user profiles, access rights, and device identity. This situation has put the integrity of core infrastructure network services in jeopardy in the following areas:
    • Security
    • Reliability
    • Cost
    • Software Version Control
    • Scalability
  • 33. Competitive Pressures and Responses
    Pressures:
    • Internal competition from liberalization
    • World competition from globalization
    • Entrenched competition abroad
    • Asymmetry in scale, technology, brands
    • Industry shakeouts and restructuring
    Responses:
    • Learn more about own businesses.
    • Reach out to all Business & Function Heads.
    • Sharpen internal consultancy competences.
    • Proactively seize the repertoire of MS & partners.
    • Foster two-way flow of IS & line talent.
  • 34. Key Areas of Assurance
    • Organizational: systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs
    • Supplier: confidence that controls of third-party suppliers are adequate & meet the organization's benchmarks
    • Business Partners: confirmation that security arrangements with partners assess & mitigate business risk
    • Services & IT Systems: capability of developers and suppliers of IT services & systems to implement effective systems to manage risks to the organization's business
  • 35. Benefits of Assurance
    • Contributes to effectiveness & efficiency of business operations
    • Ensures reliability & continuity of information systems
    • Assists in compliance with laws & regulations
    • Assures that organizational risk exposure is mitigated
    • Confirms that internal information is accurate & reliable
    • Increases investor and lender confidence
    (Prof. KS@2009: BMS CII Conference, New Delhi, April 14-15, 2009)
  • 36. Cyber Assurance Framework
    • Insurance: protection of classified assets
    • Audit: gives comfort level (internal/external)
      • Pre audit
      • Concurrent audit
      • Post audit
    • Assurance: a greater degree of comfort, as it is multi-layered
      • Management
      • Operational
      • Technology/technical
      • Network
      • Legal
      • Impact
  • 37. Standards, Standards, Standards: Technical vs. Management
    • Security Audit
    • Interoperability
    • Interface (systems/devices/communications)
    • Architecture/Building Blocks/Reusable
    • HCI (Human Computer Interface)
    • Process (Quality & Work)
    • Environmental (Physical, Safety, Security)
    • Data Interchange & Mail Messaging (Information/Data Exchange)
    • Layout/Imprint
    • BCM
    • Technical standards/specifications: mainly for interoperability, accessibility and interactivity
    • Management standards: auditable & verifiable; certification & compliance
  • 38. Importance of Group Standards: no one standard meets all requirements
    ISO 27001/BS7799 vs. COBIT vs. CMM vs. ITIL
    Mission -> Business Objectives -> Business Risks -> Applicable Risks -> Internal Controls -> Review
  • 39. Transition: Insurance, Audit & Assurance Layered Framework
    • Insurance
    • Audit: Pre, Concurrent, Post
      • IT Audit
      • Environmental
      • Operational
      • Technology
      • Network
      • Financial
      • Management
      • Impact
      • Electronics
      • Continuous Audit
      • Certification
    • Assurance
      • Management Assurance (GRC)
      • Operational Assurance (Risk & ROI)
      • Technical Assurance (Availability, Serviceability & Maintainability)
      • Revenue Assurance (Leakage & Fraud)
      • Legal Compliance & Assurance (Governance)
  • 40. Cyber Governance Components
    • Environmental & ICT Infrastructure
    • Operational (logistics integration)
    • Technology (synergy & convergence)
    • Network (multi-modal network)
    • Management (HRM & SCM & CRM)
      • Operational Integration (Functional)
      • Professional Integration (HR)
      • Emotional/Cultural Integration
      • Technology Integration
    • Impact (feedback correction)
  • 41. Legislative Trust & Techno-Legal Issues: Amendment to the IT Act or Legislation of New Acts
    • Authentication for retrieval
    • Authorized access and control of access
    • Security standards for certification, mandatory for compliance for electronic archives
    • Information/data protection (privacy and piracy)
    • Information management and continuous preservation in electronic archives
    • Information assurance and auditability
    Legal/Regulatory Framework & Attributes: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information
  • 42. "IT Regulations and Policies: Compliance & Management". Pre-requisites: Physical Infrastructure and Mind-set
    • PAST: We have inherited a past for which we cannot be held responsible.
    • PRESENT: We have fashioned the present on the basis of development models which have undergone many mid-course corrections.
    • FUTURE: The path to the future -- a future in which India and Indians will play a dominant role in world affairs -- is replete with opportunities and challenges. In a number of key areas, it is necessary to break from the past in order to achieve our Vision. We have within ourselves the capacity to succeed. We have to embrace an Integrated Security & Cyber Assurance Framework.
  • 43. (image slide; no transcript text)
  • 44. CXO~CEO Internal Strategic Alliances
    • CIO & CEO: Business-led information strategy
    • CIO & CMO: Competitive edge & CVP
    • CIO & CTO: Cost-benefit optimization
    • CIO & CFO: Shareholder value maximization
    • CIO & CHRO: Employee performance and rewards
    • CIO & Business Partners: Virtual extended enterprise
    The Productivity/Performance Promise:
    • Capital Productivity (ROI, EVA, MVA)
    • Material Productivity (60% of cost)
    • Managerial Productivity (Information Worker)
    • Labour Productivity (enabled by IW)
    • Company Productivity (Micro)
    • Factor Productivity (Macro)
  • 45. Towards Information/Business Assurance
    • Increasingly, the goal isn't about information security but about information/business assurance, which deals with issues such as data/information availability and integrity.
    • That means organizations should focus not only on risk avoidance but also on risk management. "You have to be able to evaluate risks and articulate them in business terms." -- Jane Scott-Norris, CISO at the U.S. State Department
  • 46. Comparison of Seals

    Web Certification | Security of Data | Business Policies | Transaction Processing Integrity | Product Cost    | Privacy of Data
    BBB Online        | Low              | No                | No                               | Lightly Covered | No
    TRUSTe            | Low              | Yes               | No                               | No              | No
    VeriSign          | Low to Medium    | No                | Yes: Data Transmittal; No: Data Storage | No       | No
    ICSA              | High             | Yes               | Yes                              | Somewhat Covered | Lightly Covered
    WebTrust          | High             | Yes               | Yes                              | Yes             | Yes
  • 47. Security Governance Maturity Model (image slide)
  • 48. Cyber Forensics & Cyber Frauds
    • Digital forensics
    • Email forensics
    • Image forensics
    • Video forensics
    • Storage forensics
    • Audio forensics
    • Network forensics
    • Data/information forensics
  • 49. Types of Frauds
    • Conflict of interest
    • Nepotism
    • Gratuities
    • False statements
    • Omissions
    • Favoritism
    • False claims
    • Forgery
    • Kickbacks
    • Misappropriation
    • Conspiracy
    • Alterations
    • Breach of duty
    • Bribery
    • Substitution
    • Impersonation
    • Embezzlement
    • Extortion
  • 50. Common Red Flags Signaling Management Fraud
    • Management decisions are dominated by an individual or small group.
    • Managers' accounting attitudes are unduly aggressive.
    • Managers place much emphasis on meeting earnings projections.
    • Management's business reputation is poor.
    • Management has engaged in opinion shopping.
    • Managers are evasive in responding to auditors' queries.
    • Managers engage in frequent disputes with auditors.
    • Managers display significant disrespect for regulatory bodies.
    • Company has a weak internal control environment.
  • 51. Common Red Flags Signaling Management Fraud (continued)
    • Company accounting personnel are lax or inexperienced in their duties.
    • Company employs inexperienced managers.
    • Company is in a period of rapid growth.
    • Company profit lags the industry.
    • Company has going concern problems (bankruptcy).
    • Company is decentralized without adequate monitoring.
    • Company has many difficult accounting measurement and presentation issues.
    • The company may be offered for sale.
    • The company makes acquisitions using its stock.
  • 52. Common Red Flags Signaling Employee Fraud
    • Customer complaints.
    • Adjustments to receivables and payables.
    • Increased past due receivables.
    • Inventory shortages.
    • General ledger does not balance.
    • Unexplained adjustments to accounts receivable.
    • Missing documents.
    • Unusual endorsements on checks.
    • Unexplained adjustments to inventory balances.
  • 53. Common Red Flags Signaling Employee Fraud (continued)
    • Increased scrap.
    • Alterations on documents.
    • Duplicate payments.
    • Employees cannot be found.
    • Documents photocopied.
    • Dormant accounts become active.
    • Common names or addresses for refunds.
    • Old items in bank reconciliations.
    • Old outstanding checks.
    • Unusual patterns in deposits in transit.
    • Cash shortages and overages.
    • Excessive voids and credit memos.
  • 54. "Honest Abraham" Lincoln: after angrily turning down a bribe, he said, "Every man has his price, and he was getting close to mine." Under the right set of circumstances anyone could become a fraud perpetrator.
  • 55. IT Security Predictions 2014
    1. Pirated software*: Pirated software will drive insecurity in much more dynamic ways than previously realized. Users of pirated software are afraid to download updates, and so are exposed to security risks because their software is entirely unpatched. Also, newer versions of pirated software now come with malware preinstalled. As a result, users of pirated software will become the new "Typhoid Marys" of the global computing community.
    *IBM's X-Force research team
  • 56. IT Security Predictions 2013
    2. Social engineering meets social networks and ups the ante: Social engineering meets social networks and ups the ante for creative compromises. Criminal organizations are increasingly sophisticated in how they attack different social networking sites. For example, Twitter is being used as a distribution engine for malware. LinkedIn, however, is being used for highly targeted attacks against high-value individuals. We will see these organizations use these sites in creative new ways in 2010 that will accelerate compromises and identity theft, especially as new commercial applications increase the disclosure of valuable personal information on these sites.
  • 57. IT Security Predictions 2014
    3. Criminals take to the cloud: Criminals take to the cloud. We have already seen the emergence of "exploits as a service." In 2013 we will see criminals take to cloud computing to increase their efficiency and effectiveness.
  • 58. IT Security Predictions 2014
    • A rise in attacks on health care organizations will occur for similar reasons.
    • Continued attacks on retailers big and small, tax authorities.
    • School systems: anywhere where lots of records are kept by organizations that haven't traditionally had best-practice security in place.
  • 59. Security & Governance: Final Message
    • "In Governance matters the Past is no guarantee; the Present is imperfect & the Future is uncertain."
    • "Failure is not when we fall down, but when we fail to get up."
  • 60. Let us Secure and Cyber Assure our Enterprises by Good Governance
    For further information please contact:
    • E-mail: ksdir@nic.in, ksmanian48@gmail.com, ksmanian1948@gmail.com, ksmanian20032004@yahoo.com
    • Phone: 91-11-22723557