Data Security

The need for real time information has changed the way we communicate. IT infrastructure of an organization is transforming, responding to the business requirements of current capacity augmentation and capabilities improvements and to the requirements of network extensions to partners and service providers. Trends such as mobility, virtualization and wireless are driving the infrastructure towards optimization and renewed flexibility. Growth of social networking, applications moving to cloud, adoption of Mobile computing devices is changing the way we interact or connect to networks. All these innovations are improving the service delivery but at the same time also leading to new age threats and growth of zero day attacks.

This changing environment where more and more businesses are demanding flexibility, are increasingly making the IT environment complex and diverse. There is a growth of multi-channel strategies that exposes systems to an unsecure outside world. Further, organizations are extending their reach through mobile computing and increased reliance on business partners which may not have the same standard of security. There is also a lack of security consideration given to the IT products in the design and development stages.

Another challenge, corporate face today is the inadequacy of skilled resources who can dedicate their efforts over building a comprehensive threat and vulnerability management functions. Currently, it is observed that there Security update management is week as there are time lags in patching and updating the systems; and a negligent approach towards the evolving vulnerabilities and threats.

While all these issues are important for corporates, they are also susceptible to the growth of attacker community, which is getting organized and building capabilities to penetrate and hack into comprehensive IT systems. Some of the latest cybercrime trends which are gaining attention of the security professionals are:

• Rise of web as a significant attack vector for malware distribution
• Growth of intelligent Trojan targeting specific industry like Bank aimed at pharming account details
• Emergence of Man-in-browser attacks
• Targeted attack on social networking sites
• Use of end user’s machine for launching targeted attacks, targeting end user through un-patched software
• Attacks targeted at new upgrade to web layer that promises rich internet experience
• Emergence of crimeware-as-a-service, with Vulnerabilities and exploits on sale and Botnets acting as infrastructure for cybercriminals, which is adopting new methods and techniques
• Attack on new communication protocols such as VOIP
• Exploitation of command control mechanisms- exploiting SCADA protocols- that are used in critical infrastructure such as power stations

As per National Crime Record Bureau (NCRB), a total of 288 cases were registered in the year 2008, under the IT Act 2000, which is 32.7 % more than previous year. In the same year 176 cases were registered under IPC relating to cyber crimes.

While corporates need to ensure that they build mechanism and capability to overcome or respond to these issues, individuals using the system also need to be aware of the security implications of their operations including:

1. Insecure endpoint systems as a result of inadequate endpoint security measures
2. Insecure configuration exposing their systems and data, allowing threats to widespread their reach, and submitting their IT asset to be used for the perpetrating security attacks
3. Insecure online behavior leading to compromising security of their systems

The enormous array of threats, pose new challenges to the industry but they are not undefeatable. Increased user education and protection can ensure that networks and individuals can be protected from such attacks.

• Design the organization based on clearly identified, enterprise-specific information security and risk management requirements.
• Educate stakeholders about the importance of — and differences between — information security and IT-related risk management.
• Develop a clear understanding of the enterprise’s business goals and risks, corporate culture, industry vertical, regulatory framework, and other drivers and constraints before deciding on a reporting structure.
• Make personnel decisions based on functional requirements and overall “fit,” rather than on technical skills or knowledge, with the goal of building functional disciplines that will work wherever they report.
• Develop an organization that can adapt to changing priorities and requirements.

It is important to recognize that there is no “right” structure for every enterprise’s information security organization. There is, however, a structure that is right for a specific enterprise at a specific time. The key for developing and implementing appropriate organizational structure is to have a Data Centric approach, wherein consolidation of detailed assessment of the enterprise’s security and risk management requirements are considered.