security and assurance lecture jan 14
cyber security-->cyber assurance and cyber governance
Prof. KS@2014 csi chennai Lecture Cyber Security-->Cyber Assurance Jan 6,2014 1
Securing the Unsecured in Cyber Space
Creating Digital Trust in Cyber Era
Cyber Security Cyber Assurance
The need of Enterprises of Tomorrow
Prof. K. Subramanian
SM(IEEE), SMACM, FIETE, FNTF SMCSI,MAIMA,MAIS,MCFE,MISACA(USA)
EX-Professor & Director, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU
Former IT Adviser to CAG of India
Ex-SR.1DDG(NIC), Min of Communications & Information Technology
Former President, Cyber Society of India
Emeritus President, eISSA
Academic Advocate of ISACA (USA) in India
Cyberspace is Dynamic, Undefined and Exponential
Countries need dynamic laws, keeping pace with the technological advancements
In a Virtual Space, Netizens Exist, Citizens Don’t!
Trust in E-environments
Lack of a mature IT society
Absence of Single governing body
Legislation
High skill inventory
Reduce fear of being caught
Disgruntled Employees
"The poor have sometimes objected to being governed badly; the rich have always objected to being governed at all." G. K. Chesterton
“Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps.” Roger Revelle
“The law is the last interpretation of the law given by the last judge.”- Anon.
“Privacy is where technology and the law collide.” --Richard Smith (who traced the ‘I Love You’ and ‘Melissa viruses’)
"Technology makes it possible for people to gain control over everything, except over technology" John Tudor
In the Era of Digital Age
• Can all users be identified (e.g., employees, contractors, and business partners)?
• Do IT managers know what users have access to?
• Can all the interactions among users, assets, and applications be identified?
• Do IT managers have verifiable evidence that controls are working, and appropriate action takes place when a policy infraction occurs? Does this evidence exist in minutes rather than months?
• No one standard meets requirements—Advise on specific group standards (medical, commerce/Trade services— High-end-KBPOS)
Ten Important Imperatives
• IT & Law
• Security & Risk
• Business Integration
• Value to the Enterprise
• Alignment = collaboration
• Governance and funding
• IT sourcing & ITES outsourcing
• Performance Measures
• Growing talent
• Beyond customer service
Perfect Security—A Dream
• "Perfect security is not achievable."
• "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."
• Concerns: PRIVACY vs SOCIETY, SAFETY, SECURITY, Trust
“In security matters, there is nothing like absolute security”
“We are only trying to build comfort levels, because security costs money and lack of it costs much more”
“Comfort level is a manifestation of efforts as well as a realization of its effectiveness & limitations”
Data, Mobility, Questions of Responsibility
Cyber Threats 2013
eSecurity Technologies
Cryptography & Cryptology
Steganography, Digital Watermarking
Digital Rights Management
Cyber Defence technologies (Firewall, IDS/IPS, Perimeter and Self-Defence )
Access Control &ID Management (Rule, Role, Demand Based)
Signatures (Digital/Electronic)
Cyber Forensics & Cyber Audit
Cyber Security – A Holistic View
Authentication; Access Control & Authorization; Identity Mgmt; Antivirus; Firewall; Intrusion Detection; VPN; Content Updates & Security Response; 24x7 Global Customer Support; Attack Recovery Tools/Svcs; Honey Pot & Decoy Technology; Threat Management & Early Warning; Vulnerability Assessment; Policy Compliance; Event & Incident Mgmt; Config. Mgmt; Common Console; Encryption; Proactive Control
Source: Symantec Inc
[Diagram: threats, controls and business impacts around the IS]
Threats: Fraud & Theft; Scavenging; Virus Attack; Accidental Damage; Natural Disaster; Unauthorised Access; Interception; Trojan Horses; Incomplete Program Changes; Hardware/Software Failure; Social Engineering Attack; Data Diddling
Controls around the IS: Passwords; Encryption; Anti-virus; Backups; Hardware Maintenance; Security Guards; Input Validations; Audit Trails; Program Change Documentation; Authorisation; Business Continuity Plan
Business impacts: Losing to Competition; Loss of Customers; Loss of Credibility; Embarrassment; Financial Loss
Government Policy Guidelines
• Policy on :Identity and Access Management: An e-Governance standards initiative to make e-Government Programs and their services a reality
• Draft Document “e-Governance Information Security Standard” (Version 01 dated 12th October 2006)--has proposed additional security controls for E-Governance purposes Viz., Data security and privacy protection, Network security, and Application security;
• Draft Document “Base line security requirements & Selection of controls” (Version 01, 12th October 2006).
http://egovstandards.gov.in
Strategy-Policy-Good Practice
• “Information Security Policy for Protection Critical Information Infrastructure” (No. CERT-In/NISAP/01, issued on 1st May 2006) –Recent Guidelines
• Information & Privacy Protection Policy, apart from IT ACT & RTI ACTS
• Stopping Spam Before It Stops You – SPAM Policy to be done
• Privacy/Data Protection Legislation-Underway
"Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address and need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders."
Corporate Governance
Business Assurance Framework
Global Phenomena
• Combines Code of UK and SOX of USA
• Basel II & III
• Project Governance
• IT Governance
• Human & Humane Governance
India Initiatives
1. Clause 49
2. Basel II & III - RBI
3. SEBI - Corporate Governance Implementation directives
4. Risk management - RBI & TRAI
5. MCA Initiatives
• New Company Law 2013
Learning From Experience
========================
1. The only source of knowledge is experience. -- Einstein
2. One must learn by doing the thing; for though you think you know it, you have no certainty, until you try. -- Sophocles
3. Experience is a hard teacher because she gives the test first, and the lesson afterwards. -- Vernon Sanders Law
4. Nothing is a waste of time if you use the experience wisely. -- Rodin
Known Threat Assessment Approaches
• Privilege Graph [Dacier et al. 94]
  • Vertices/nodes represent privilege states
  • Edges/arcs represent privilege escalation
• Attack Graph [Philips et al. 98, 01, 02]
  • Vertices/nodes represent network states
  • Edges/arcs represent atomic exploits
• Shortcomings
  • Too many details, very fine-grained
  • Without automation, model instantiation is cumbersome
  • Model-checking can help, but state explosion problem
  • Insider attacks may succeed without privilege escalation or vulnerabilities
Recent Insider Threat Mitigation Tools
• Skybox View
• Sureview from Oakley Networks
• iGuard from Reconnex
• Content Alarm from Tablus
• Vontu from Vontu, Inc.
• Rule-based techniques
• Detect policy violations
• Forensics analysis
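As an added illustration of the privilege-graph model above (this is example code, not code from the lecture or from any of the tools listed): vertices are privilege states, edges are escalation steps, and each edge records whether it depends on a vulnerability or on legitimately granted access. Breadth-first search yields the shortest escalation chain, the number of its steps that need a vulnerability, and the edges whose removal alone breaks every chain, which is where a single control pays off; the hr_clerk row reproduces the last shortcoming on the slide, an insider reaching the data with no escalation at all. All state names, edges and the target are constructed assumptions.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed privilege graph. Each key is a privilege state; each value maps
# a reachable state to the escalation step and whether that step exploits a
# vulnerability (True) or uses access that was deliberately granted (False).
Graph = Dict[str, Dict[str, Dict[str, object]]]

PRIVILEGE_GRAPH: Graph = {
    "anonymous":    {"web_user": {"via": "self-registration", "vuln": False}},
    "web_user":     {"app_user": {"via": "guessable shared password", "vuln": True}},
    "app_user":     {"db_reader": {"via": "app grants read role", "vuln": False},
                     "file_share": {"via": "overly permissive share ACL", "vuln": True}},
    "db_reader":    {"db_admin": {"via": "unpatched DB flaw", "vuln": True}},
    "db_admin":     {"payroll_data": {"via": "admin exports tables", "vuln": False}},
    "file_share":   {"payroll_data": {"via": "exported spreadsheet on share", "vuln": False}},
    "hr_clerk":     {"payroll_data": {"via": "read access per job role", "vuln": False}},
    "payroll_data": {},
}


def shortest_path(graph: Graph, start: str, target: str) -> Optional[List[str]]:
    """Breadth-first search over privilege states; fewest-step path or None."""
    if start == target:
        return [start]
    parents: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, {}):
            if nxt in parents:
                continue
            parents[nxt] = node
            if nxt == target:
                path = [nxt]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])  # walk back to start
                return path[::-1]
            queue.append(nxt)
    return None


def vulnerability_steps(graph: Graph, path: List[str]) -> int:
    """Count the edges on a path that rely on a vulnerability (insider chains may have 0)."""
    return sum(1 for a, b in zip(path, path[1:]) if graph[a][b]["vuln"])


def choke_points(graph: Graph, start: str, target: str) -> List[Tuple[str, str]]:
    """Edges whose removal alone disconnects start from target: each one is a
    single control that would break every escalation chain for that principal."""
    cuts = []
    for a, succ in graph.items():
        for b in succ:
            pruned = {n: {m: e for m, e in s.items() if (n, m) != (a, b)}
                      for n, s in graph.items()}
            if shortest_path(pruned, start, target) is None:
                cuts.append((a, b))
    return cuts


def assess(graph: Graph, start: str, target: str) -> dict:
    """Summarise how a principal in state `start` can reach `target`."""
    path = shortest_path(graph, start, target)
    return {
        "path": path,
        "steps": None if path is None else len(path) - 1,
        "vuln_steps": None if path is None else vulnerability_steps(graph, path),
        "choke_points": choke_points(graph, start, target),
    }


if __name__ == "__main__":
    for who in ("anonymous", "hr_clerk"):
        r = assess(PRIVILEGE_GRAPH, who, "payroll_data")
        print(who, "->", " -> ".join(r["path"]),
              f"({r['steps']} steps, {r['vuln_steps']} via vulnerabilities)")
        print("  single controls that cut every path:", r["choke_points"])
```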
CERTIFICATION SEMANTIC ISSUES
What is certification; what does it denote and mean?
What are the principal concepts and elements of certification?
What additional concepts and notions are expressed and implied by certification?
What is the intent of the certification; what is it you are trying to do in certifying something?
TECHNOLOGICAL ISSUES
How is certification achieved?
How are the prerequisites and context for certification established?
What is it you are certifying? (Object of certification)
Certification with respect to what? (Basis for certification)
What relation must exist for certification? (Object/basis relation)
What activities/decisions are prerequisite for certification?
How and when is certification to be conducted?
ADMINISTRATIVE ISSUES
Who does the certification?
Who is the recipient of the certification?
What is the significance of the certification for the certifier?
What is the significance of the certification for the recipient?
Why certify?
Security Assurance - Expectations
“To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust”
“To derive a powerful logic for implementing or not implementing a security measure”
Managing Interdependencies
Critical in Enterprises/Institutions
• Infrastructure characteristics (organizational, operational, temporal, spatial)
• Environment (economic, legal/regulatory, technical, social/political)
• Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)
• Type of failure (common cause, cascading, escalating)
• Types of interdependencies (physical, cyber, logical, geographic)
• State of operations (normal, stressed/disrupted, repair/restoration)
Identity Management
• Identity management is not new, but it has evolved from the days of a single password entry onto the network to a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner.
• While ID management tends to center on technical improvements in system security, the more important benefits are the opportunities gained by collaborating with vendors, suppliers, and customers across the supply chain.
• The real value of an [ID management] solution is that it ultimately enables this wide range of business enterprise.
Biometric System Operates on
• Verification
• Identification
Biometrics
Layered E-trust Framework
PKI Technology
Trusted Digital Identity Infrastructure
Shared E-trust Applications
Computing E-trust Services
Single e-trust Applications
Infrastructure
Layer 2 Service Provider example: Identrus
B2B, B2C, SET, C2C
Present Risk Certification Issues
Trust
• Trust cannot be bought or sold. It has to be created.
• Trust is earned and not given away.
• A trusted third party or a trusted CA raises the questions:
  - trusted in relationship to whom?
  - trusted by whom?
  - trusted for what?
  - trusted for how long?
9 Rules of Risk Management
• There is no return without risk: rewards go to those who take risks.
• Be transparent: risk is measured, and managed, by people, not mathematical models.
• Know what you don’t know: question the assumptions you make.
• Communicate: risk should be discussed openly.
• Diversify: multiple risks will produce more consistent rewards.
• Show discipline: a consistent and rigorous approach will beat a constantly changing strategy.
• Use common sense: it is better to be approximately right than to be precisely wrong.
• Return is only half the question: decisions are to be made only by considering the risk and return of the possibilities.
RiskMetrics Group
• Universality: each person should have the characteristic.
• Distinctiveness: any two persons should be different in terms of the characteristic.
• Permanence: the characteristic should be sufficiently invariant (w.r.t. the matching criterion) over a period of time.
• Collectability: the characteristic should be quantitatively measurable.
• Uniform naming convention: absent
• Birth & death registration: incomplete
• No social security registration number
• Absence of identity documents such as phones, driving licenses available with everybody
• Electoral ID DB: complete set not there but at least covers 600-650 m records; not auditable and verifiable
• Absence of PAN & other ID numbers for everybody: not auditable & verifiable
23rd June 2005, Cognizant Address
• By Possession
  • Password: Static / Dynamic
• By Association
  • PIN/TOKEN
• By Card
• By Biometrics
• By Government
  • PAN (Taxation)
  • Passport
  • Social Security Number
  • Citizenship ID No.
  • Senior Citizen Number
• Domain Name System (DNS)
• Dynamic Host Configuration Protocol (DHCP)
• Remote Authentication Dial-In User Service (RADIUS)
• Lightweight Directory Access Protocol (LDAP)
• Microsoft’s Active Directory
• Novell Directory Services (NDS)
• Public Key Infrastructure (PKI)
• Most enterprises have no common, unified database of user profiles, access rights, and device identity. This situation has put the integrity of core infrastructure network services in jeopardy in the following areas:
• Security.
• Reliability.
• Cost.
• Software Version Control.
• Scalability.
Internal Competition from Liberalization
World Competition from Globalization
Entrenched Competition Abroad
Asymmetry in Scale, Technology, Brands
Industry Shakeouts and Restructuring
Learn more about own Businesses.
Reach out to all Business & Function Heads.
Sharpen Internal Consultancy Competences.
Proactively Seize the Repertoire of MS & Partners
Foster two way flow of IS & Line Talent.
Key Areas of Assurance
• Organizational - Systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs
• Supplier - Confidence that controls of third party suppliers are adequate & meet the organization’s benchmarks
• Business Partners - Confirmation that security arrangements with partners assess & mitigate business risk
• Services & IT Systems - Capability of developers, suppliers of IT services & systems to implement effective systems to manage risks to the organization’s business
Prof. KS@2009: BMS CII Conference, New Delhi, April 14-15, 2009
Benefits of Assurance
• Contributes to effectiveness & efficiency of business operations
• Ensures reliability & continuity of information systems
• Assists in compliance with laws & regulations
• Assures that organizational risk exposure mitigated
• Confirms that internal information accurate & reliable
• Increases investor and lender confidence
Cyber Assurance Framework
• Insurance - Protection of classified assets
• Audit - Gives comfort level (Internal/External)
  • Pre audit
  • Concurrent audit
  • Post audit
• Assurance - Greater degree of comfort as it is multi-layered:
  • Management
  • Operational
  • Technology/technical
  • Network
  • Legal
  • Impact
Standards, Standards, Standards
Technical vs Management
Security
Audit
Interoperability
Interface (systems/devices/communications)
Architecture/Building Blocks/reusable
HCI (Human Computer Interface)
Process (Quality & Work)
Environmental (Physical, Safety, Security)
Data Interchange & mail messaging (Information/Data Exchange)
Layout/Imprint
BCM
Technical Standards: specifications, mainly for interoperability, accessibility and interactivity
Management standards: auditable & verifiable; certification & compliance
Importance of Group Standards - no one standard meets all requirements: ISO 27001/BS7799 vs COBIT vs CMM vs ITIL
Mission
Business Objectives
Business Risks
Applicable Risks
Internal Controls
Review
Transition: Insurance-->Assurance & Assurance Layered Framework
• Insurance
• Audit (Pre, Concurrent, Post)
• IT Audit: Environmental, Operational, Technology, Network, Financial, Management, Impact
• Electronic Continuous Audit
• Certification
• Assurance
  • Management Assurance (GRC)
  • Operational Assurance (Risk & ROI)
  • Technical Assurance (Availability, Serviceability & Maintainability)
  • Revenue Assurance (Leakage & Fraud)
  • Legal Compliance & Assurance (Governance)
Cyber Governance Components
• Environmental & ICT Infrastructure
• Operational (logistics integration)
• Technology (synergy & convergence)
• Network (multi-modal network)
• Management (HRM & SCM & CRM)
• Impact (feedback correction)
Operational Integration (Functional); Professional Integration (HR); Emotional/Cultural Integration; Technology Integration
Legislative Trust & Techno-Legal Issues & Amendment to IT Act or Legislation of New Acts
Legal/Regulatory Framework & Attributes: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information
• Authentication for retrieval
• Authorized access and control of access
• Security standards for certification, mandatory for compliance for Electronic Archives
• Information/Data Protection (Privacy and Piracy)
• Information management and continuous preservation in Electronic Archives
• Information Assurance and Auditability
“IT Regulations and Policies - Compliance & Management”: Pre-requisites - Physical Infrastructure and Mind-set
• PAST: We have inherited a past, for which we cannot be held responsible;
• PRESENT: We have fashioned the present on the basis of development models, which have undergone many mid-course corrections;
• FUTURE: The path to the future -- a future in which India and Indians will play a dominant role in world affairs -- is replete with opportunities and challenges.
In a number of key areas, it is necessary to break from the past in order to achieve our vision.
We have within ourselves the capacity to succeed.
We have to embrace an Integrated Security & Cyber Assurance Framework.
CXO~CEO Internal Strategic Alliances
CIO & CEO: Business-led information strategy
CIO & CMO: Competitive edge & CVP
CIO & CTO: Cost-benefit optimization
CIO & CFO: Shareholder value maximization
CIO & CHRO: Employee performance and rewards
CIO & Business Partners: Virtual extended enterprise
The Productivity/Performance Promise
• Capital Productivity (ROI, EVA, MVA)
• Material Productivity (60% of Cost)
• Managerial Productivity (Information Worker)
• Labour Productivity (Enabled by IW)
• Company Productivity (Micro)
• Factor Productivity (Macro)
Towards Information/Business Assurance
• Increasingly, the goal isn't about information security but about information/business assurance, which deals with issues such as data/information availability and integrity.
• That means organizations should focus not only on risk avoidance but also on risk management. "You have to be able to evaluate risks and articulate them in business terms" -- Jane Scott-Norris, CISO at the U.S. State Department
Comparison of Seals (Web Certification)
Product     Cost            Privacy of Data   Security of Data                           Business Policies   Transaction Processing Integrity
BBB Online  Low             No                No                                         Lightly Covered     No
TRUSTe      Low             Yes               No                                         No                  No
Veri-Sign   Low to Medium   No                Yes: Data Transmittal; No: Data Storage    No                  No
ICSA        High            Yes               Yes                                        Somewhat Covered    Lightly Covered
WebTrust    High            Yes               Yes                                        Yes                 Yes
Security Governance Maturity Model
Cyber Forensics & Cyber Frauds
• Digital forensics
• Email forensics
• Image forensics
• Video Forensics
• Storage Forensics
• Audio Forensics
• Network forensics
• Data/Information forensics
Types of Frauds
Conflict of Interest, Nepotism, Gratuities, False Statements, Omissions, Favoritism, False Claims, Forgery, Kickbacks, Misappropriation, Conspiracy, Alterations, Breach of Duty, Bribery, Substitution, Impersonation, Embezzlement, Extortion
Common Red Flags Signaling
Management Fraud
o Management decisions are dominated by an individual or small group.
o Managers’ accounting attitudes are unduly aggressive.
o Managers place much emphasis on meeting earnings projections.
o Management’s business reputation is poor.
o Management has engaged in opinion shopping.
o Managers are evasive responding to auditors’ queries.
o Managers engage in frequent disputes with auditors.
o Managers display significant disrespect for regulatory bodies.
o Company has a weak internal control environment.
Common Red Flags Signaling
Management Fraud
o Company accounting personnel are lax or inexperienced in their duties.
o Company employs inexperienced managers.
o Company is in a period of rapid growth.
o Company profit lags the industry.
o Company has going concern problems (bankruptcy).
o Company is decentralized without adequate monitoring.
o Company has many difficult accounting measurement and presentation issues.
o The company may be offered for sale.
o The company makes acquisitions using its stock.
Common Red Flags Signaling Employee
Fraud
o Missing documents.
o Unusual endorsements on checks.
o Unexplained adjustments to inventory balances.
o Unexplained adjustments to accounts receivable.
o Customer complaints.
o Adjustments to receivables and payables.
o Increased past due receivables.
o Inventory shortages.
o General ledger does not balance.
Common Red Flags Signaling Employee
Fraud
o Old items in bank reconciliations.
o Old outstanding checks.
o Unusual patterns in deposits in transit.
o Cash shortages and overages.
o Excessive voids and credit memos.
o Increased scrap.
o Alterations on documents.
o Duplicate payments.
o Employees cannot be found.
o Documents photocopied
o Dormant accounts become active.
o Common names or addresses for refunds.
“Honest Abraham” Lincoln
After angrily turning down a bribe, he said, “Every man has his price, and he was getting close to mine.”
Under the right set of circumstances anyone could become a fraud perpetrator.
IT Security predictions 2014
1.Pirated software*
Pirated software will drive insecurity in much more dynamic ways than previously realized. Users of pirated software are afraid to download updates, thus are exposed to security risks because their software is entirely unpatched. Also, newer versions of pirated software now come with malware pre-installed. As a result, users of pirated software will become the new “Typhoid Marys” of the global computing community.
*IBM's X-Force research team
IT Security Predictions 2013
2. Social engineering meets social networks and ups the ante
Social engineering meets social networks and ups the ante for creative compromises. Criminal organizations are increasingly sophisticated in how they attack different social networking sites. For example, Twitter is being used as a distribution engine for malware. LinkedIn, however, is being used for highly targeted attacks against high-value individuals. We will see these organizations use these sites in creative new ways in 2010 that will accelerate compromises and identity theft, especially as new commercial applications increase the disclosure of valuable personal information on these sites.
IT Security predictions 2014
3. Criminals take to the cloud
Criminals take to the cloud. We have already seen the emergence of “exploits as a service.” In 2013 we will see criminals take to cloud computing to increase their efficiency and effectiveness.
IT Security predictions 2014
• A rise in attacks on health care organizations will occur for similar reasons;
• Continued attacks on retailers big and small, tax authorities;
• School systems - anywhere where lots of records are kept by organizations that haven't traditionally had best practice security in place
Security & Governance - Final Message
“In Governance matters
Past is no guarantee;
Present is imperfect
&
Future is uncertain”
“Failure is not when we fall down, but when we fail to get up”
FOR FURTHER INFORMATION PLEASE CONTACT :-
E-MAIL:
91-11-22723557
Let us Secure and Cyber Assure our Enterprises by Good Governance