Sunday morning is bit relaxed compared busy weekdays. During morning bazar, I met the Sweet Shop owner in his shop. His mood was terribly down. He was quiet upset and angry at the same time. Once I finished shopping Sweets, I waited for a while for the shop to be vacant. Once other customers left, I took the opportunity to ask him about his setback. I was shocked with the responses as found immense similarities with my experience.

One of his workers came to him at 7am in the morning with fully dressed along with baggage stating that he is going to his home. The reason is that his health is not well. The shop owner offered him to take to the local doctor as his home is in different territory (5-6hrs journey). But the worker was reluctant as he must visit the doctor at his home town only. Without giving any further chance of argument, he left. The shop owner added “he will not come back again”. Similar instances took place to him several times where people leave without notice, all of a sudden and majorly without any valid reasons. Then he expressed the golden words” I am no more employer, rather an employee. I am always being driven by my workers and helplessly not only I have to adjust to the situations, but also cover up their shortfalls myself”.

I became speechless. Same had happened to me several times. But I was under the impression, it happens to my industry (IT) only. But this incident revealed the truth that even the un-organized Sector is affected with the prevailing social trauma.

Recently we had hired a guy called “Samit Bhadra”. Intentionally, I am not changing his name as I want my community to spot him if identify sometimes. He had been hired 4/5 months back as his skill/knowledge/communication was good. My partner had taken him to a customer place, introduced him with customer and explained him the support modalities. Next day he was supposed to carry out some activities. He did not come in normal office joining time. After waiting for one hour people started calling him and as usual calls remained unanswered. Finally, a SMS arrived to the HR person stating that he met an accident and he is under bed rest for few days. He never returned back. Now two, three weeks back, the same guy applied again on one of our opening against our online job advertisement. I was reluctant to consider him due to past irresponsible behavior. But my partner taken a call to explore him further as other alternatives were extremely poor in knowledge wrt him. But before re-hiring him, HR had a long discussion and taken a commitment of non-repeating similar disappearing behavior. Finally he joined and was doing activities sincerely. On his 4th day of joining, we had given him some task to test some tools in office and also to co-ordinate some activities with vendors. Me and my partner went together for a meeting for two hours. On return, we found him not available in office and phones are not reachable. Story continued as earlier and finally we sent someone to his home to verify and at least collect company belongings. He refused to return even the corporate cug SIM even and advised to block it. Now we had not major loss due to this kind of whimsical behavior except the customer commitment. Some activities planned and delegated surrounding him. This disappearing behavior enforced company owners to stretch their legs and fulfil customer commitment.

So finally “Employer transformed to employee”.

This is happening so frequently due to lack of ownership, accountability, sincerity. People leaving all of a sudden, coming late, becoming absent without notice, communication gap are few behavioral patterns which puts employers back to the wall.

What do you think?

Introduction

The civilization has always been interested on protection, let it be primitive or sophisticated present ages. Human Life or property or business, our thoughts revolves on safeguarding the same.

With the advancement with technology, we are getting more engaged with internet and in effect data security is becoming more critical worldwide. Information security is a well-known consideration globally. We are regularly facing attacks, frauds, security breaches, confidentiality issues, information misuse, piracy, sniffing and leakage of data across the domain.

During my last visit to Bangladesh (During 14^th to 18^th March, 2016) , Bangladesh bank fraudulent activities came to my notice. Bangladesh got into the news for all the wrong reasons. The situation enforced the banks to take corrective actions in line of Cyber Security. We thought of spreading awareness on the domain in Bangldeash through our initiative “Infocon”.

Preface

In line with Bangladesh Bank attack, the mandates came to all Banks to cover Information Security and Cyber Security risk/threats in order to secure public money and confidential/critical information.

The Cyber Security Governance and risks assessment are to be enforced across the employees of the organization. There should be preparations for Assessment of technological difficulties and emergency management procedures. The same may be achieved through third party assessment, skill development on security for all Employees.

Information Security should be continuously monitored through Operation Centres 24×7 basis.

PCI-DSS compliance is to be adopted with two-factor authentication systems for Chip-n-Pin based cards. Logs should be collected, maintained, co-related and maintained for all critical assets in order to have proactive measures.

Besides there are needs for ISO 27001:2013, ISO 20000:2011, ISO 9001:2015 standards. Apart from these Risk Assessment Framework based on the industry de-facto standard NIST Controls and FISMA Law/Compliance/ Cobit framework.

People are looking as protecting against malware, ransomware, APT etc

In effect various providers, OEMs positioned their product/solutions to the financial sector potential clients. But different product/solutions on same domain created lots of confusions, dilemma in the customer mind before going for conclusion. Before “Infocom Bangladesh 2016” event is narrated, I will try to explain some of the burning topics on Secuirty which are not only critical for Bangladesh, but across the globe.

Ransomware

Now a days threats are multifold. Every day we are discovering new lines of threats. Ransomware is one of the latest in the bucket. Ransomware is turning out to be one of the most virulent and potentially heart-breaking malware infections to become a victim of. If you are unfortunate enough to accidentally download this type of malicious code — whether through phishing attacks or illegitimate downloads and compromised websites — the malware locks your screen, encrypts your files and attempts to exhort a fee before giving you the cryptographic key required to get your files back. There are many strains of ransomware including CryptoWall, CryptoLocker, CoinVault and Bitcryptor. This malware is nasty enough, however the prediction is that new generations will increase in sophistication — including stealth tactics, the silent encryption of data — on both systems and backups — and potentially the use of kernel components to encrypt files on the fly.

APT

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing and the financial industry. An APT attacker often uses spear fishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door.

The next step is to gather valid user credentials (especially administrative ones) and move laterally across the network, installing more back doors. The back doors allow the attacker to install bogus utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.

PCI DSS

PCI-DSS stands for Payment Card Industry Data Security Standard

PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card issuing banks, processors, developers and other vendors.

There are three ongoing steps for adhering to the PCI DSS:

Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
Remediate — fixing vulnerabilities and not storing cardholder data unless you need it.
Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.

PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems	Install and maintain a firewall configuration to protect cardholder data
Build and Maintain a Secure Network and Systems	Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data	Protect stored cardholder data
Protect Cardholder Data	Encrypt transmission of cardholder data across open, public network
Maintain a Vulnerability Management Program (VAPT)	Protect all systems against malware and regularly update anti-virus software or programs
Maintain a Vulnerability Management Program (VAPT)	Develop and maintain secure systems and applications
Implement Strong Access Control Measures	Restrict access to cardholder data by business need to know
	Identify and authenticate access to system components
	Restrict physical access to cardholder data
Regularly Monitor and Test Networks	Track and monitor all access to network resources and cardholder data
Regularly Monitor and Test Networks	Regularly test security systems and processes
Maintain an Information Security Policy	Maintain a policy that addresses information security for all personnel

Sometimes, in orders to comply with PCI-DSS, some components are essential to implementation as a part of remediation:

Web Application Firewall,
Web Content Filtering,
Endpoint Security,
HIPS (Host Based Intrusion Prevention),
Security Information and Event Management (SIEM),
Vulnerability Assessment and Penetration Testing Tools (VAPT),
Data Leakage Protection (DLP),
File Integrity Monitoring,
End point Encryption,
Privilege User monitoring,
Identity Management (IDM) etc.

ISMS

ISMS is Information Security Management System and the latest standard is ISO 27001:2013. It is essential to protect company data, not only to protect the future of your systems, but also to protect customer information, that has been entrusted to you. This requires a holistic approach covering price, IT Security, physical security and staff policy & procedures. ISO 27001 is the formal standard against which organizations seek independent certification of all their Information Security Management Systems.

IS0 27001 helps to protect against

Customer Information leakage
Virus & hacker attacks
Incompatible software conflicts
Failure to back up systems
Loss or theft of unencrypted backups
Internal security breaches
Loss of information resulting from staff turnover
System downtime

Ideal Coverage should include:

ISMS Scope Definitions
ISO 27001 ” Gap “Analysis Assessments
Performing an assessment of your existing ISMS
Information Security Policy and Procedure Development
Information Security Risk Assessments
ISMS Manual Development
ISO 27001 ISMS Implementation Support
Security Improvement Plans
Incident Management Plans
ISMS & Internal Audits
Management Reviews
Pre-certification Audits and support
Post Certification Audits Corrective Action Support
ISMS Trainings for Management & Employee
Integration of ISMS with COBIT, COSO, ITIL/ISO 20000 etc

VAPT

Vulnerability assessments and penetration testing (pen tests for short) are processed to identify threats and Vulnerabilities in the IT landscape using valuable tools, that can benefit any information security program and they are both integral components of a Management process.

Vulnerability Assessment

A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.

Vulnerability Assessments Follow These General Steps

Catalog assets and resources in a system
Assign quantifiable value and importance to the resources
Identify the security vulnerabilities or potential threats to each resource
Mitigate or eliminate the most serious vulnerabilities for the most valuable resources

Penetration Test

A penetration test simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data.

Depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. Also, there are two primary types of pen tests: “white box”, which uses vulnerability assessment and other pre-disclosed information, and “black box”, which is performed with very little knowledge of the target systems and it is left to the tester to perform their own reconnaissance.

Penetration Testing Follow These General Steps

Determination of scope
Targeted information gathering or reconnaissance
Exploit attempts for access and escalation
Sensitive data collection testing
Clean up and final reporting

With the increase of usage for Social, Mobile apps, Cloud, Big Data, IoT (more precisely SMAC – Social, Mobility, Analytics and Cloud), we are approaching towards a danger zone. Hope you have heard of Jeep Cherokee incident where hackers can take control of a connected car and lead you to death as well.

Event Details

Prime Infoserv LLP being a domain expert in the category, wanted to spread the awareness on Information Security and “Infocon Bangladesh 2016” took birth. The idea was to empower Enterprises with better wisdom with knowledge for doing proper diligence, understanding the actual need to cover-up the concerns.

The event took place on 16-04-2016 (Saturday) with the audience from major banks. Speakers took sessions on various aspects of cyber security and risks. The knowledge sharing was OEM agnostic in order to spread more awareness so that people can be more empowered to take decision beyond OEM/System Integrator Influence. The sessions were fully interactive like Q&A, discussions with concern areas and off course encouragement with surprise gifts.

Event had kicked off with lunch, followed by discussions on the burning topics as mentioned above.

The attendees were awarded with Trend Micro endorsed certificate.

More details of the events can be fetched from below links:

Conclusion

Infocon is not just an event, rather a process to build eco system surrounding the topic. We intent to create forums where domain experts and attendees can exchange thoughts even after events. There will be follow-up awareness sessions. There are serious thoughts to publish a Book covering pain points and resolutions to spread the awareness.

This retrospection will bring our smile back in order to have peace and fulfilment with wisdom.

We will have follow-up event in Bangladesh. Upcoming events are being planned in Kolkata, Bhutan, London, Africa and Mauritius.

Stay tuned for our upcoming initiatives under the brand “Infocon”.

As usual with my any other visit, this trip was not completed without localization. I had visited several persons including customers and as usual hospitality was awesome. I tried fakruddin and hazi biriyani which are treated as legacy. Besides “Bakharkhani” was one more food tasted as ethic local item.