
Posts

Showing posts from April, 2018

Controls to Address APTs

Controls to Address Advanced Persistent Threats & Information Warfare:

Preventive Controls: These are the controls that prevent loss from occurring. For example, a control that applies separation of responsibilities, where one employee can submit a payment request and a second employee must authorize that request, minimizes the chance that an employee can submit fraudulent payments.

Detective Controls: These controls monitor activity to find the cases where correct practices were not followed. For example, a business might review the payment request audit logs to identify fraudulent payments.

Corrective Controls: Corrective controls are designed to restore the system to the state prior to a destructive event. For example, a business may fully restore a system from backup tapes after evidence is found that someone has inappropriately altered the payment data.

Advanced persistent threats usually target victims at

New Developments in APTs

Lately, a slight change in possible targets and the technology used has been witnessed. Interesting research by Kaspersky Lab’s Global Research and Analysis Team (GReAT) has highlighted how the growth of cloud technology and its use have actually given APT hackers another way to attack systems and hide more effectively between the cyber-folds. Another interesting trend is the creation of smaller hacking groups. Rather than large organized sets of individuals, smaller groups will be forming, effectively multiplying the number of attacks, the locations from which the attacks are carried out, and the number and type of targets. This fragmentation makes it harder for organizations to defend themselves and is in itself a threat. Also to be noted is the way targets are sought out. APT hacking groups are using a variety of techniques, including, for example, the targeting of high-level executives while they are staying at hotels. As technology advances, information security managers have more tools

Their Working Methods

Advanced Persistent Threat attacks are systematically planned and precisely executed. These attacks can be broken down into four stages or phases:
• Incursion
• Discovery
• Capture
• Exfiltration

1: Incursion
In these targeted attacks, hackers enter the organization's network. During this phase they make use of SQL injection attacks, zero-day vulnerabilities, social engineering methods, targeted malicious software (malware), etc. There is a fundamental difference between a normal attack and an APT: while normal targeted attacks use short-term methods, APTs are designed to run covert operations over a long period of time. Other characteristics of APT incursions are as follows:
• Reconnaissance: This is an information-gathering phase. APT attacks often engage a large number of researchers who spend months studying their targets and familiarising themselves with the target's systems, people and processes.
• Social engineering: I

APTs concept

APTs are different from other targeted attacks in the following ways:

Customized attacks: Advanced Persistent Threats (APTs) frequently use highly customized methods, tools and access-gaining techniques. These techniques are developed specifically for a particular purpose or campaign. These tools include viruses, zero-day vulnerability exploits, rootkits and worms. In addition, APTs often launch a series of threats or “kill chains” continuously to attack their targets and ensure continuing access to targeted computers, sometimes including a "sacrificial" threat to trick the target into thinking the attack has been successfully repelled. The objective of the Cyber Kill Chain is to enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures. The Cyber Kill Chain framework is part of the Intelligence Driven Defense model for the identification of attacks.

Low and slow: Advanced Persistent Threat attacks occur

Advanced Persistent Threats & Information Warfare

An APT (Advanced Persistent Threat) is a type of targeted attack. Targeted attacks use a wide variety of techniques, including drive-by downloads, malware, spyware, phishing, spam, etc. An APT is always a targeted attack, but a targeted attack is not necessarily an APT. APTs, described as ultra-sophisticated cyber-attacks against an organisation and its assets, are digital assaults launched by highly skilled cybercriminals that harvest valuable information over the long term; the attacks are orderly and persistent. APTs are specific threats that target messaging and content delivery servers, where an attacker delivers targeted malware in an attempt to extract information from the source. The attacker’s objective may be the theft of sensitive and proprietary information or exploitation for fraud. The perpetrator applies techniques to get into an organization’s system and exploit it, staying as long as possible and attempting to retain control while going unnotice

Contracting Issues

Negotiating contracts with potential cloud vendors is complex but crucial for success in the cloud. While click-through agreements seem to make the work easier for low-risk applications in the short term, organisations must consider opting for tailored contracts to ensure that all future applications to be hosted in the cloud are completely safe and free of legal issues. Some of the common issues that arise due to contracting pitfalls are:

(i) Vendor Lock-In
More than 75% of enterprises feel that moving to the cloud comes with some degree of vendor lock-in. While the convenience of one-stop shopping, a single tailored contract and the standardization of technology seem alluring, things may not look the same in the long run. Vendor lock-in hinders the path to rapid innovation and ultimately damages organisational health. Examining the exit options in the contract or opting for an open source cloud stack such as OpenStack may mitigate these problems.

(ii) Unilatera

Legal issues in Commercial and Business Considerations

Any organisation dealing with sensitive/personal information must regulate this information carefully to avoid legal disputes in case of any discrepancies. Legal contracts must be drawn up to ensure that the liability for data is shifted to the side of the user and the organisation is insulated from any issues pertaining to content such as copyright infringement, illegal data and classified information. Businesses need to set their expectations right when it comes to legal issues related to the cloud. What kind of information the users/employees of a company store in the cloud must be strictly monitored and regulated. If the company does not have the resources to mediate, then it should have Terms and Agreements duly signed by the user, so that the liability for content/data stored on the cloud rests with the user. This way, the business can avoid legal issues. Content issues that may arise include copyright infringement, illegal data, classified information, etc. One classic example c

Jurisdictional Issues Raised by Virtualization and Data Location

Virtualisation forms the backbone of cloud computing. Virtual Desktop Infrastructure (VDI) allows an employee’s desktop to be moved into a virtual environment on a central server, thus enabling hardware cost reduction and better control over the use of software applications. However, doing so with a software license that has geographical limitations on the type of hardware deployed, or that does not allow the use of the software in a virtualised setup, may result in copyright infringement. In such cases, the license must be re-negotiated at an additional cost for an unlimited number of instances or for a specific number of instances in the virtual machine. Additionally, the confidentiality provisions of the software license regarding the disclosure of proprietary software must be reviewed to avoid a breach.

Data Privacy and Security Issues

With a third-party organisation managing the infrastructure in the cloud, the responsibility to maintain the privacy of all personal data is heightened. It is common and acceptable to share personal data with the cloud, but the decision must be an informed one. Personal details of employees, customer data and company secrets must be protected against the potential risks of theft and leakage. One of the classic examples would be the hacking attacks on the Sony PlayStation Network in 2011, which we discussed in earlier chapters. If this can happen to Sony, which has most of its infrastructure in-house, imagine the level of caution that needs to be in place when trusting third-party cloud service providers. Let us briefly discuss the different elements that need to be included in contracts and agreements while moving to the cloud.

Privacy and Data Protection
According to research by IDC (International Data Corporation), 71% of enterprises say preventing the exposure of confidentia

Cloud Contracting Models

models that are available in the industry:

Standard Contract
The Standard Contract model contains the most common terms and conditions listed in the agreement. It covers:
• The security and data protection standards followed by the cloud service providers
• Capacity allocation and scalability terms
• Location of the datacentres
• Lock-in period (how long the client would sign up for)
• Pricing structure and payment terms
• Periodic audits and updates

These are the general terms that would be included in a standard contracting model. This model is also referred to as a Click-Through Agreement, as the client just needs to review the contract and sign off with minimal or no changes. Both the client and the service provider know all the agreement terms prevalent in the industry. Usually, the standard contracting model is utilised by organisations whose cloud requirements are not mission critical or who do not intend to move their confidential

SPOT Framework

The SPOT framework of cloud governance enables easy understanding of how cloud governance can be established in an organisation. SPOT stands for:

S - Stakeholders and Scope
Like SOA governance, cloud governance also demands stakeholder and decision-authority enablement. For instance, who is held accountable for the deployment of the cloud? Who makes decisions on the procurement of cloud solutions? The cloud governance committee must be formed with the participation of employees from different departments such as IT, compliance, legal, audit, the particular line of business and risk management.

P - Policies and Processes
The “Policies and Processes” part of the framework refers to the defining and mapping of each governance policy and process to its respective dimension in cloud governance lifecycle management. Legal contracts, SLA management, architectural processes and fault alerts are some of the processes established through this component of the SPOT framework.

O – Organis

Cloud Governance Solution

As the need to carefully handle the complex IT systems and services in enterprises increases, the significance of cloud governance also increases. The enterprise governance solution will comprise the following measures:
• Access Controls: Deploy role-based access control (RBAC) to accommodate specific levels of access across the design, development and QA teams. Apply access limitations to cloud resources for both internal and external teams. The internal policies practised thus far can be extended to the cloud. The clients in a multi-tenant environment must be clearly separated with no interdependencies.
• Financial Controls: Cloud expenditure can be tracked by recording the cost involved each time a new resource is provisioned across the cloud. The cost can be limited when a hard cap is reached.
• Key Management and Encryption: While the encrypted data stays with the service provider, access to the encryption key, credentials and other security keys must be restrict

Cloud Governance in Enterprise

• Access Controls
• Financial Controls
• API (Application Program Interface) Integration
• Logging and Auditing
• Key Management and Encryption

Access Controls: It is essential to prevent multiple employees from making changes or modifications at the same time. Instead of providing access to the whole IT team, it is good practice to limit access to specific people or a specific team. All others can have their modifications made to the application by raising requests to a specific set of individuals. Some enterprises have implemented a role-based security model. Here, the roles would be super-administrators, administrators, developers, managers and employees. Different roles would have different access levels. For example, super-administrators or super-admins would have complete access to everything, including the ability to assign administrator roles to people. Managers might only have approval rights for specific team-related requirements. They might have limited access to specific mod

Need for IT governance

Need for Cloud Governance
Ever since cloud technology turned into a mainstream IT resource, security and compliance have been its major issues. Not every cloud deployment sees success, and not every cloud project yields the desired results for its organisation. However, most IT decision makers have come to terms with the fact that, when coupled with the right tools and strategies, cloud usage can surpass the security offered by in-house legacy applications and emerge as a true game changer. Cloud governance plays a vital role in this capability. By implementing cloud governance, organisations can avoid the following issues:
• Security and privacy risks: These may arise due to unauthorised downloads/installation of software, storage of illegal data and access to restricted sites by users.
• Vendor lock-in: Many vendors opt for this, as this clause causes organisations to depend on the cloud service provider (or vendor) for products and services. The clause is usually made

Cloud Governance

What is Cloud Governance?
Cloud governance can be defined as the set of policies or principles that act as guidance for the adoption, use and management of cloud technology services. Cloud governance is an ongoing process that must sit on top of existing governance models. Cloud governance can be compared to an insurance policy, which does not prevent disaster but instead lays the path to easy recovery in case of a catastrophe.

Organisations and Groups that Focus on Addressing Standards Issues:
There are many cloud computing standards organisations and informal groups that are dedicated to addressing the various standards issues that arise in any cloud environment. These groups have defined various guidelines and best practices to help the interoperability and portability of data and applications. Some of the well-known organisations are as follows:
• National Institute of Standards and Technology (NIST), United States
• Cloud Security Alliance
• Open Grid Forum (OGF)
• Object

Cloud challenges

Once the decision to embrace the cloud has been taken, organisations must chart out a detailed plan that marks their journey to the cloud. Listed below are the top challenges faced in a cloud environment by the cloud vendor, the client and the end user.

Keeping up with security requirements: Security tops the list of challenges when it comes to Cloud Computing, as organisations lose direct control over their data. A cloud vendor must be aware of all security measures to be implemented while dealing with critical data and have them in place.

Obtaining the right knowledge and expertise: With the advent of Cloud Computing, the role of the IT department has significantly changed, and so has its need for knowledge and skills. Organisations must equip themselves with the required resources as well as the tools to implement robust cloud applications.

Choosing the right vendor: Partnering with the right vendor is the key to success in the cloud. Organisations must follow a fail-s

Practical applications of cloud computing

Cloud Computing can be used in practice to host any kind of web application. Some of the common applications hosted on the cloud are CRM, email archiving systems, payroll processing and so on. The conditions below outline the cases where Cloud Computing can yield the maximum benefits:

Resource-hungry applications: Applications that demand many resources, such as CPU, memory, storage or time, can be hosted on the cloud efficiently.

Applications with extreme spikes and troughs: Consider the example of an HR system that is accessed by employees only a few times in a year. However, on review day, every employee in the organisation logs onto the system, slowing it down. Such applications with varying utilisation rates are the most suitable to be hosted on the cloud.

Special Server Configuration: When applications demand non-standard settings, a cloud server is a much easier option to configure to fit the requirements perfectly.

Backup and Recovery:

Cloud vulnerabilities

A cloud vulnerability can be defined as a weakness in any part of the cloud environment that can be used by a potential attacker for personal gain. Some common vulnerabilities are:

Session riding: When attackers use the information from cookies to perform data theft or a similar cyber crime, it is referred to as session riding. Tricking users into sending authenticated requests to fake websites is another form of this vulnerability.

Virtual Machine Escape: Any vulnerability in the hypervisor paves the way for potential attacks on the hypervisor itself as well as on all virtual machines running on top of it. This vulnerability, though rare, still exists and can cause serious damage in the worst cases.

Reliability and Availability: Availability of the cloud service directly translates to business value for the client. However, power outages, technical glitches and natural disasters are some common sources of cloud downtime. While a very minimal downtime for maintenance pur

Obstacles for cloud technology

Combining Different Services
The convergence of the three service delivery models, PaaS, IaaS and SaaS, seems to be the future of Cloud Computing. By combining the SaaS and PaaS delivery models, organisations can build applications efficiently and deploy them quickly to end users. As application developers become increasingly dependent on PaaS tools for building software, they will ultimately want better control over the underlying infrastructure. Thus, upcoming cloud solutions will focus on satisfying the entire stack of organisational needs.

Obstacles for Cloud Technology
Data security and privacy issues: Moving to the cloud means loss of control over applications and data to a third-party provider; thus, issues related to security and privacy are inevitable.
Failed adherence to regulatory and compliance measures: Data in the cloud may be stored in a different location for better performance and to avoid localised outages. In such cases, apart from the industry-specifi

Delivery Models and Services

Cloud computing services for application and infrastructure needs are being widely adopted by big and small organisations. In contrast to the traditional IT setup, where a huge capital investment was required for the purchase of software and hardware, cloud computing services enable organisations to align costs with actual usage. They make businesses highly agile, operationally efficient and remarkably flexible. Cloud computing services range from satisfying a single functional need of an organisation to delivering the entire data center over the network. With cloud computing, innovation is accelerated and the opportunity to focus entirely on core business operations is enhanced.

Delivery models can be broadly classified into three services:
• Software as a Service (SaaS)
Software as a Service (SaaS) allows an organisation to access the desired software applications through the cloud on a subscription basis. The SaaS vendor offers access to the software

Merits of Cloud computing

Cloud computing is rapidly becoming a significant part of the overall IT strategy, and more and more organisations are dedicating a substantial part of their IT budget to this trend. Cloud computing is here to stay and delivers the following benefits.

Mobilising the workforce
Cloud computing allows device-agnostic access to data from any location. It breaks all kinds of barriers and helps employees to stay connected on the move.

Increased cost control
Cloud computing saves a lot of money by eliminating the need for upfront investment in infrastructure and software. The pay-as-you-go model brings down operational costs and allows higher efficiency.

Enhanced productivity
The cloud allows flexible provisioning of resources with the least impact on internal operations. Personnel tend to focus better and highly productive results can be obtained.

Reduced impact on the environment
With fewer data centers and shared resources, enterprises moving to the cloud earn the eco-

Cloud computing infrastructure

The cloud infrastructure refers to the back-end components of the cloud architecture such as servers, storage devices, networking elements and virtualisation software. Thus cloud infrastructure is a mix of both hardware and software components. It is an essential part of all three cloud-computing models. Business organisations use the cloud infrastructure to host their applications. To use the cloud infrastructure of the service provider, clients make use of a pay-as-you-go model in which they pay only for the services they use. This is a very cost-efficient means of using the required infrastructure and can be done on an hourly, weekly or monthly basis. Most cloud service providers offering infrastructure services rely on virtual machine technology (virtualisation) to deliver servers and run client applications. Virtual servers behave much like physical servers, delivering a certain number of microprocessor (CPU) cycles, memory access and network bandwidth to cust

Cloud Computing architecture

Cloud computing architecture refers to all the components and sub-components that together form the structure of the cloud computing system. This architecture can be divided into three parts for better understanding: front end, back end and middleware. Each part of the cloud architecture has its own set of functionalities and protocols that work together to deliver on-demand services to user-facing hardware as well as software. In general, the architecture has evolved out of large distributed network applications over the last two decades. Hence it supports any system where resources can be pooled and partitioned as required. The general cloud architecture is capable of running multiple software applications on multiple virtual hardware instances in multiple locations to efficiently render on-demand services to users. The users could be using these software applications from their desktop, laptop, mobile or tablet. Usually, whatever the user is looking at – through t
