Cyber security has become one of the priorities of businesses. Businesses have to follow certain rules and regulations in order to remain compliant. While organisations are building their information security and cyber security capabilities, it is equally important to have knowledgeable leadership that is at least aware of basic cyber security concepts.
Cyber-crimes and attacks have a huge impact on an organisation's security, financial growth and consumer confidence. Every business, regardless of size or geographic location, is a potential target for hackers. Preparing for and responding to this growing cyber threat is necessary, and it is an executive-level responsibility.
There have been many cases where top management became the victim of cyber security frauds and incidents because of a lack of information security awareness.
Although cyber awareness is mandatory for everyone working in the organisation, it is even more essential for the leadership.
Reasons why top management should attend cyber security trainings:
- Top management often works on privileged accounts, i.e. mostly with admin privileges on their systems, and hence can lose critical information during any cyber-attack.
- Generally, top management IT systems do not come under continuous monitoring, so it becomes easier for a hacker or malicious user to intrude into the system and remain undetected.
- Top management holds very crucial business data with a very high “hack value”, i.e. data that is worth hacking, which generally attracts hackers and competitors.
- Top management is generally not aware of the day-to-day aspects of cyber security and information security, so they are the most vulnerable to any cyber threat.
- Top management mostly uses their IT systems outside the organisation's network, at conferences, in hotel rooms, at investor meetings etc., since they travel a lot for business. They should be aware of the dos and don'ts of cyber security and information security.
- Data leakage from any top manager's system could damage the organisation's reputation.
- Top management often falls prey to cyber security incidents because of their popularity among the rest of the world and their credentials being available online.
- Top managers are most of the time very good management professionals; however, they lack a good IT security skill set, which could be achieved by attending cyber security awareness trainings.
What is the Role of Leadership in an Information Security Management System (ISMS)?
Leadership plays a very important role in an Information Security Management System.
- Leadership defines the policies and procedures for cyber security and information security with respect to regulatory compliance.
- Leadership provides appropriate financial, technical and human resources for maintaining information and cyber security.
- Leadership is responsible for the periodic review of the organisation's information security and cyber security status.
- Leadership is also responsible for the periodic review of risks pertaining to cyber security and information security, and for the treatment of high-level risks which could be detrimental to the organisation's growth.
- Leadership is responsible for risk treatment: risk mitigation, risk avoidance, risk acceptance and risk sharing. The resources to mitigate information security and cyber security risks shall be provided by leadership.
What should be the content of Cyber Security awareness training?
Training should give a basic understanding of information security and cyber security. Clear definitions and examples of Confidentiality, Integrity and Availability should be provided.
- Basics of information systems
- Definitions and examples of IT systems like networks and applications
- Examples of information assets: networks, applications, people, documents
- Importance of cyber security and information security
- Difference between Information Technology and Information Security governance systems
- Importance of reviewing the information security and cyber security status of the organisation
- Difference between IT security and Information Security
- Importance of developing information security and cyber security training and awareness among employees, including vendors and contractual staff
- Regular development of competence among employees for handling information security and cyber security issues
- Importance of business continuity and disaster recovery
- Common threat scenarios like phishing, spoofing and vishing (voice phishing), which should also be demonstrated during information security training
- Risks pertaining to third parties or outsourced services
- Information and cyber security compliance
- Change management, capacity management, backup management and incident management
- Importance of vendor risk assessment and third-party security audits
- Basics of user access management and asset management
- Aspects of vulnerability management and patch management
- Importance and process of cyber security forensics
- Basics of encryption and the importance of its usage for information security
- Cyber resilience and tabletop exercises
Information Technology and Information Security work hand in hand. Both complement each other; however, they are different domains. In many cases it has been observed that, due to a lack of appropriate knowledge and training, many leaders and top managers are unable to take the right decisions pertaining to information security and cyber security, which can sometimes lead to serious compliance issues. Attending an awareness session will definitely be helpful for the organisation's growth.
A comprehensive training programme will help top management understand the basics of information and cyber security threats and risks. It also helps the leadership understand how compliance for the same should be managed.
Organisations that are the most prepared to mitigate cyber risks have top management and leadership that are aware and informed of the current cyber security and information security threat environment. Executives and boards of directors set organisational policy, approve financial and human resource budgets, and provide oversight and leadership. Setting the governance from the top is essential. Cyber security risk management is often considered an IT issue; however, it is a cross-departmental responsibility that requires executive leadership and support. It is very important for any organisation to identify and mitigate any kind of cyber security or information security risk.
Many online and in-house customised training programmes are available worldwide for enhancing cyber security skills at each level of the organisation. A cyber security awareness session would definitely be helpful in order to understand the current risk scenario and how to deal with those situations.
Information security has become a very lucrative career nowadays. Every organisation is trying to build its information security team because of regulatory compliance, market competition and, last but not least, the increase in cyber security risk to information systems.
Information security is associated with every field of an organisation, and at least basic awareness is expected from everybody; however, a specific skill set is required to govern and drive information security across an organisation.
One can jump into information security at different levels of his/her career, irrespective of his/her educational background. To make it clearer, let's consider a few scenarios here.
- Anyone who is planning to get into information security can start their planning from the higher secondary level. In this case the student needs to opt for subjects like Physics, Chemistry, Mathematics and IT/IP. Then he/she needs to opt for a BTech in Computer Science or IT, or a BCA (Bachelor of Computer Applications). You can start preparing during your graduation: start formal trainings, for example on networks and servers, and make your fundamentals strong. Gradually, by the end of your graduation you can go for CEH (Certified Ethical Hacker), which is an introductory course in cyber security. With all this expertise and these certifications one can definitely start a career in InfoSec.
Tip: If you are planning for any certification during your graduation, do it in the last year, because a certification has an expiry date (mostly 3 years from the date of issue).
- If you are not an IT graduate, say you are pursuing a B.Sc., B.Com or B.A., even then you can work in information security. You need to go for basic network and server trainings as in scenario one. A lot of hard work, dedication and perseverance can make anything possible. CCNA, Red Hat Linux, server administration and CEH certifications will definitely be helpful.
- If you are working in IT (Information Technology) and would now like to switch to information security, first build skills in networks, servers and basic cyber security such as network security or application security. Once you have good knowledge of cyber security, you can pursue ISO/IEC 27001 Internal Auditor, ISO/IEC 27001 Lead Auditor or Lead Implementer training. After successful completion of the training and certification one can start a career as an Internal Auditor, Lead Auditor or Lead Implementer respectively. You can also work as an information security risk assessor or a third-party auditor.
- If you are a senior-level executive with basic cyber security skills and you want a complete migration to the information security domain, you can start with ISO 27001 Lead Auditor or ISO 27001 Lead Implementer, then gradually obtain CISA (Certified Information Systems Auditor) and CISSP (Certified Information Systems Security Professional). Certifications like CISA and CISSP are of very high value, and one can become a top-level information security executive such as the CISO (Chief Information Security Officer) of an organisation; however, these positions also require a managerial skill set along with technical skills.
- If you are working at a senior position in any organisation in sales, procurement or any other non-IT department and you are fascinated by information security and want to pursue a career in it, yes, you still have a chance. All you need to do is build a basic skill set in networks and IT infrastructure and you are good to go.
Later on you can learn the basics of cyber security like ethical hacking and pursue different information security certifications like ISO 27001, PCI-DSS, GDPR etc.
- If you are an IT graduate, you can also pursue a Master's in Information Security, after which you can directly start your career in information security as a consultant. An MBA with Information Security is also a good way to start a career in information security. Organisations hire these candidates because they can work in both technical and non-technical domains.
- Someone with a non-technical background and an interest in information security can opt for a career in cyber laws. After pursuing this one can work as a legal consultant with any organisation. This job is also in demand because organisations face legal challenges pertaining to information security every other day and need consultants and experts who can guide them in different scenarios.
- If you are a programmer in your existing job profile, you can learn secure coding techniques and thereby enter the information security domain. Nowadays many attacks are happening at the application level because of flaws in existing source code. Knowledge of secure coding will definitely be an extra edge for your career and can give you a smooth entry into the information security domain.
- If you have an investigative mindset, then computer forensics is a good option for you. This role comes into the picture when a cyber security incident happens in an organisation. A computer forensics investigator checks the systems and finds out the root cause of the problem; later on the organisation can patch or implement another corrective action for the issue and prevent recurrence. CHFI (Computer Hacking Forensic Investigator) is a popular certification for this career.
- If you have a good knack for teaching, you can start your career as an information security trainer after completing your graduation and basic information security training. Training is a very lucrative career among many experienced professionals as well. Many professionals are involved in part-time training and thus start their career in information security.
From all the above scenarios we can clearly see that information security is a path; one cannot attain it overnight. Moving ahead step by step will ease your journey. All the steps are equally important, and one needs strong dedication and determination. In our changing business scenario, where threats and risks change every other day, one needs to stay updated with the current regulatory and statutory requirements.
In this era of digitalisation and digitisation, where every segment of business is using technology to provide services to customers, the banking and financial industry has transformed its services through financial technology, FinTech.
FinTechs were providing their services in the form of e-wallets, online and mobile payment systems (Paytm, PayPal, Apple Pay), virtual buying of stocks, etc. But recent times have brought a bunch of new disruptors that will displace traditional e-commerce providers. Such new FinTech start-ups are offering more efficient services, a seamless customer experience, and free person-to-person payments.
A FinTech business can increase profitability and enhance a company's performance while helping it improve customer service. FinTech also provides an opportunity for companies to expand their portfolio online while solving industry issues such as credit card processing, money transfers, or processing a loan.
But everything is not so smooth with the FinTech business. There are a few cyber security challenges and risks associated with FinTech business, which every FinTech start-up should be aware of.
What is FinTech?
FinTech is the abbreviation used for Financial Technology, which aims to compete with traditional methods of finance. Many financial institutions consider this term to be the backend of their business, and sometimes regular banking apps are included in this term.
FinTech business includes mobile payments, money transfers, loans, crowdfunding, asset management and many other things.
In simple words, FinTech is the implementation of modern technology in traditional financial services and in the management of financial aspects in various companies and businesses: anything from financial mobile apps and newly installed software to processing money transactions and calculating business models.
Risk in the Financial Sector:
Even though, in general, every individual and organisation is worried about information and cyber security, conditions in the financial sector are more critical, and the FinTech business takes these issues more seriously. Some recent studies show that banks are investing a large amount of their funds in designing and implementing security to safeguard themselves from cybercriminals.
A few more areas of concern include cloud-based technologies, mobile updates and system upgrades. These findings show that cyber security is the most important risk which FinTech companies are facing.
Cybercrime and Cyber Security in the FinTech Landscape
As FinTech start-ups and companies continue to disrupt the global financial landscape, a peculiar feature, and perhaps their biggest advantage, is that they are not held back or burdened by laws, regulations, or existing systems. Also, they are more aggressive, more agile, and more willing to explore and make risky choices. But this total dependence on technology and adventurous attitude to aid financial services delivery may also be their greatest weakness.
FinTech firms are facing cyber security challenges in the following areas:
FinTech firms mainly rely on applications that can access users' financial profiles to perform a variety of real-time transactions. Applications are used by multiple persons, are an increasingly common attack vector, and vulnerable code can be exploited as an entryway into financial networks.
FinTech firms and banking companies need to ensure that a secure application security strategy, such as a virtual private network, is in place to protect user data. This should include a web application firewall enabled with current threat intelligence to identify and mitigate known and unknown threats, as well as to detect and patch vulnerabilities.
Network and Cloud Security
Like other organisations, many FinTech firms also utilise cloud services to provide consistent, scalable performance with lower upfront costs, rather than a traditional network. However, cloud infrastructure must be secured differently than a data centre or traditional network. Banks and FinTech firms must ensure that the same security standards they apply to their networks are applied in the cloud.
Along with detection and prevention, this security must also be dynamically scalable and adaptable to ensure that it can grow seamlessly alongside cloud use. Additionally, in order to secure financial data, FinTech firms need to implement cloud access security, along with internal segmentation to improve data visibility while integrating industry security standards.
Inadequate Threat Intelligence
Threat intelligence is another challenge for FinTech firms: an integrated defence needs to be enabled with automated threat intelligence to become a holistic system. As FinTech firms and banks enter partnerships, it will be impossible for IT teams to gather and assess all of this threat intelligence promptly by hand. Automation, artificial intelligence and machine learning will be integral to this process.
Cybercriminals are already leveraging automation to make attacks more persistent and effective. Likewise, artificial intelligence, machine learning and automation integrated into network security tools enable the detection and prevention of attacks in real time, allowing organisations to keep pace with cybercriminals.
Lack of Establishment of Better Security Protocols
One of the most significant issues that FinTech start-ups face is selecting the best security mechanisms, such as security protocols to encrypt data. With inadequate security protocols, data is easily exposed, leaving companies vulnerable to attacks.
Tunnelling protocols used in VPNs are effective at encrypting FinTech data. Some of the best-known tunnelling protocols include:
- Point-to-Point Tunnelling Protocol (PPTP).
- Layer Two Tunnelling Protocol (L2TP).
- Internet Key Exchange version 2 (IKEv2).
- Secure Socket Tunnelling Protocol (SSTP).
These tunnelling protocols provide different levels of protection and provide security in different ways. FinTech firms should research and become more familiar with the different types of protocols and how to use them within a virtual private network; this is especially true in a financial environment where cyber threats are imminent and ongoing.
Addressing Vulnerabilities in Information Technology Systems
Integration of multiple systems and technologies leads to multiple cyber vulnerabilities. Two systems that were not designed at the same time by the same developers often pose compatibility issues and security challenges, given the limitations in technology. Engineers face issues while integrating two different systems; sometimes engineers working on one system do not even know how the other system works, and vice versa, which makes identification of vulnerabilities more difficult.
Cybercriminals such as hackers exploit these vulnerabilities to gain access to the system.
Many cybercriminals gain access to applications and networks because of improper configuration during installation. Other techniques are often used, like spear-phishing, where humans mistakenly open spam emails and download malicious attachments, or enter confidential information into fake websites to which they are redirected. So it is important for all FinTech start-ups to raise awareness of cybercriminal risks and to educate the newly banked on digital and financial literacy, teaching them best practices to ensure security when engaging in financial transactions online.
Lack of Compliance Regulations related to Cyber Security
Growth in FinTech firms is happening fast. FinTech start-ups are flexible enough to change and adapt rapidly, evolving alongside consumer demands. They are flexible and quick partly because the same regulatory rules as for traditional financial services do not apply to them. However, no regulations control the way start-ups conduct their business. This makes FinTech firms vulnerable because they can sacrifice cyber security in order to capture the market as fast as possible.
FinTech companies are collecting and storing personal information, so they need to safeguard customer data. A further challenge is the way they protect this data. Many FinTech firms have adopted bank-level security measures and fine-tuned them for their digital platforms.
Use of secure applications, regular vulnerability assessments on networks and applications, patching applications on time, and using Secure Sockets Layer (SSL) encryption while transferring data are musts for enhancing cyber security. FinTechs can opt for ISO 27001:2013 (ISMS) for overall cyber security.
There is a need for some strong regulation which would inspire start-ups to invest some of that venture capital money into their security. As the FinTech industry grows, so will their defence against breaches.
What is Plagiarism?
Plagiarism is an act of fraud, i.e. copying or stealing someone's work or content, or borrowing someone's original ideas or thoughts. Even “copying” and “borrowing” can be a serious offence.
Plagiarism is considered dishonesty and a breach of ethics. Plagiarism is not only a crime but can also be termed a violation of copyright law. According to copyright law it is a serious ethical offence to copy someone's ideas, content, thoughts or expressions. Though plagiarism is not defined in the books of law or punishable by law, it is punishable by institutions (including associations, educational institutions and colleges, and commercial entities such as publishing companies all over the world).
What about images, videos, and music?
Using someone's images or image ideas, videos or a single piece of music in your work or creative output without getting proper permission is also termed plagiarism.
The following tasks are very common nowadays. Despite their usage and popularity, they are still termed plagiarism.
- Copying images from someone else's website and publishing them on your website or in your papers.
- Using copyrighted music or taking a small piece of someone else's video to make your own videos or music.
- Performing someone's copyrighted music (i.e., playing a cover).
Modern technology and the expansion of the Internet have given everyone access to a lot of information. Original and unique ideas and concepts have become rarer. Nowadays everybody is reproducing other people's ideas and concepts and presenting them as their own. To keep a check on this, there are various tools available on the Internet to detect plagiarism.
Tools available to detect plagiarism are:
If you are using a WordPress website, then you can use the following plugins to check plagiarism:
The Law of Plagiarism:
There is no specific law made for plagiarism. But colleges, schools, universities and professional bodies have the authority to punish anyone who has committed plagiarism.
There are many ways they can punish plagiarists, like expulsion from the college or university, revoking a degree, or cancelling admission, but it all depends upon the institute how they want this act to be handled.
Security Measures to Protect Servers and Data from Hackers
There are many security measures to protect servers and data from hackers, but choosing the right one is the most important. Especially when you start a business website, whether it's an e-commerce website or a static website, a secured server is a primary concern for everyone.
To run a fully functional application or website, your server should be secure enough to handle the traffic.
CyberLaws.tech helps you protect your server in the following ways:
Update your kernel and OS:
Make sure the server you are using has current and updated software. Always use the stable version, which has been tested more than any beta version available. An old kernel can make your server an easy target for viruses that can harm it.
Monitor Logs:
Do you have any clue what the log records are? How often are they updated and rotated? LogWatch is a tool which will email you daily reports of your server's activities, including anything it determines unusual, e.g. repeated failed logins. You should also manually check the logs to keep an eye on things.
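The "repeated failed logins" check mentioned above, written out so it can be run by hand over an sshd auth log. This is an added example, not code from the original post or from LogWatch; the log lines are constructed samples in the syslog format OpenSSH writes on Debian-style systems, and the threshold of three failures is an assumption.

```python
"""Flag repeated failed SSH logins in auth-log lines (added example).

Constructed sample lines stand in for /var/log/auth.log; the parsing and
the counting are the same for the real file.
"""
import re
from collections import Counter, defaultdict

# Classic syslog format written by OpenSSH's sshd.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a burst of failures from one address, one normal
# key-based login, and a failure followed by a success from a third address.
SAMPLE_LOG = """\
Mar  3 08:01:11 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 08:01:13 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 08:01:15 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 08:01:17 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 51242 ssh2
Mar  3 08:05:42 web1 sshd[2210]: Accepted publickey for deploy from 203.0.113.5 port 40210 ssh2
Mar  3 08:09:02 web1 sshd[2215]: Failed password for deploy from 192.0.2.9 port 33001 ssh2
Mar  3 08:09:05 web1 sshd[2215]: Accepted password for deploy from 192.0.2.9 port 33001 ssh2
Mar  3 08:10:00 web1 CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_auth_log(text):
    """Return (failures, accepted); each entry is a (timestamp, user, ip) tuple."""
    failures, accepted = [], []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append((m["ts"], m["user"], m["ip"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append((m["ts"], m["user"], m["ip"]))
    return failures, accepted


def repeated_failures(text, threshold=3):
    """Source addresses with at least `threshold` failed logins.

    Returns {ip: {"count": n, "users": [...]}} ordered by count, descending.
    """
    failures, _ = parse_auth_log(text)
    counts = Counter(ip for _, _, ip in failures)
    users = defaultdict(set)
    for _, user, ip in failures:
        users[ip].add(user)
    report = {ip: {"count": n, "users": sorted(users[ip])}
              for ip, n in counts.items() if n >= threshold}
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["count"]))


def success_after_failure(text):
    """(user, ip) pairs that failed and later logged in: worth a manual look."""
    failures, accepted = parse_auth_log(text)
    failed_pairs = {(user, ip) for _, user, ip in failures}
    return sorted({(user, ip) for _, user, ip in accepted if (user, ip) in failed_pairs})


if __name__ == "__main__":
    for ip, info in repeated_failures(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failed logins, users tried: {', '.join(info['users'])}")
    for user, ip in success_after_failure(SAMPLE_LOG):
        print(f"review: {user} from {ip} succeeded after a failed attempt")
```

Pointing `parse_auth_log` at the contents of `/var/log/auth.log` (and its rotated copies) gives the same two reports for a real server.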
People spend hundreds of hours on a website but usually forget to take backups, which is the most important thing. There are two ways you can save your data:
- Manual backup: you can use a separate hard disk for keeping your data secure, or you can keep your application/website data on a remote system; either way, regularly check the backup.
- WordPress website: if you are using the WordPress CMS, then you can install the following plugins to take automatic backups:
Limit Access to a Minimum:
Never give users more access than they require. Never give them shell access, restrict file access to a minimum and leave other services turned off by default until requested. If you are doing this through WordPress, you can use free plugins to limit access to your website, such as Restricted Site Access.
Lock down the PHP version and use mod_security with Apache:
PHP, a server scripting language, is always at large security risk, but there are a few steps that help lock it down. CGI has suEXEC, which helps run processes as the user, and PHP has something similar called PHPSuexec, but with downsides. You should always use open_basedir protection, have safe_mode on system-wide, and turn off register_globals, enable_dl and allow_url_fopen to help lock things down.
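A small audit of a php.ini against the lock-down directives listed above, as an added example (not code from the original post). The weak and hardened ini texts are constructed samples. One caveat a practitioner needs: safe_mode and register_globals were removed in PHP 5.4, so on a current PHP they should simply be absent; the hypothetical `legacy_php` flag decides how those two are judged.

```python
"""Audit php.ini text for the lock-down settings named in the text (added example)."""

ON_VALUES = {"1", "on", "true", "yes"}

# Constructed sample of a weakly configured php.ini: open_basedir commented
# out, the two removed directives still present, and remote/dynamic loading on.
WEAK_INI = """\
[PHP]
;open_basedir = /var/www/html
safe_mode = Off
register_globals = On
enable_dl = On
allow_url_fopen = On
"""

# Constructed sample of the corrected settings for a current PHP.
HARDENED_INI = """\
[PHP]
open_basedir = /var/www/html:/tmp
enable_dl = Off
allow_url_fopen = Off
"""


def parse_ini(text):
    """Flatten php.ini into {directive: value}; sections and ';' comments are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # php.ini comments start with ';'
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    return value.strip().lower() in ON_VALUES


def audit_php_ini(text, legacy_php=False):
    """Return a list of (directive, problem) findings.

    legacy_php=True means a PHP older than 5.4, where safe_mode still exists
    and the advice to turn it on applies; on newer PHP the two removed
    directives are flagged only so that nobody relies on them.
    """
    s = parse_ini(text)
    findings = []
    if not s.get("open_basedir"):
        findings.append(("open_basedir", "not set: scripts are not confined to the web root"))
    # Both directives default to On when the ini does not mention them.
    for directive in ("enable_dl", "allow_url_fopen"):
        if is_on(s.get(directive, "1")):
            findings.append((directive, "is On: should be Off"))
    if legacy_php:
        if not is_on(s.get("safe_mode", "0")):
            findings.append(("safe_mode", "is Off on PHP < 5.4: should be On"))
        if is_on(s.get("register_globals", "0")):
            findings.append(("register_globals", "is On: should be Off"))
    else:
        for removed in ("safe_mode", "register_globals"):
            if removed in s:
                findings.append((removed, "removed in PHP 5.4: the directive is ignored, drop it"))
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {audit_php_ini(ini) or 'no findings'}")
```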
Review Running Processes and Remove Extra Software:
You can't protect a system unless you know what's on it. If a hacker adds a script or an extra process, you will not be able to identify why your server is not working. You should know which processes are running on your system and which users exist on it.
Use a Firewall:
You should always make sure your server has a firewall running all the time. A firewall is like a screen door to your house. If someone tries to get into your server, which is very likely to happen at any time, the first thing they're going to try is to upload something unusual or their own service, such as redirecting to some other server. A firewall can stop both incoming and outgoing attacks and viruses even when you are sleeping. We would recommend using APF on Linux systems or TinyFirewall on Windows servers.
What Is GDPR?
GDPR gives guidelines to organisations for handling the information of their customers and individuals. GDPR actually gives individuals more control over their personal information. Moreover, GDPR specifies how consumer data should be used and how it should be protected.
Once asked in an interview: what is the difference between a defect and a bug?
Candidate: Can I explain this with an example?
Candidate: Once a guy went to a tea shop and ordered one cup of tea, and when the tea came he saw a fly in his cup.
Now this is a BUG.
Employer: (laughed and said) My dear, now you tell me, what is a defect?
Candidate: Once a guy went to a tea shop and ordered a tea, and when the tea came he tasted it and said there is less sugar in the tea.
Now this is a defect!
Employer: (laughed) Hahahaha haaa, and said: Can you elaborate what you want to say?
Candidate: Yes, Sir!
You can manage to drink a cup of tea with less or more sugar, but you can't drink a cup of tea with a bug.