ISO27001 - Awareness Presentation v1.2


Transcript of ISO27001 - Awareness Presentation v1.2

Page 1: ISO27001 - Awareness Presentation v1.2

YALAMANCHILI Software Exports Ltd

INFORMATION SECURITY

Page 2: ISO27001 - Awareness Presentation v1.2

YALAMANCHILI: Information Security Organization

Information Security Steering Committee

Information Security Task Force

Page 3: ISO27001 - Awareness Presentation v1.2

Company Confidential

ISMS Overview

Establishment of the ISMS

The Organization has defined the scope of the ISMS in terms of its business, location, assets & technology. The Security Policy Statement and the objectives are defined and aligned with the business goals of the organization. The risk assessment is based on the assets identified and their criticality to business functioning. The control mechanisms are selected based on the risk assessment carried out formally. The management has formally approved the implementation & operation of the ISMS with its full support. A Statement of Applicability (SOA) has been prepared based on the control objectives and the controls selected, with justification for the controls excluded.

Monitoring and Review of the ISMS

A Security Incident Response Team (SIRT) is established to monitor security breaches. An Internal Audit Team is established to monitor and review the continuous implementation of the information security system in the organization. Regular meetings are conducted by the Core Team with the SIRT and Audit teams to review the effectiveness of the system and to improve it on a continuous basis. A management review process has been established and is carried out to continuously improve the ISMS. Internal Audits are carried out on a regular basis to ensure conformity to the requirements; their findings form the input to the management review process.

Maintenance and Improvement of the ISMS

The output of the Internal Audits, Management Review and security incidents forms the basis for improving the ISMS. Appropriate corrective actions are taken and preventive measures are also enforced to remove the causes of non-conformity. This is reviewed and implemented by the ISMS Team.

Page 4: ISO27001 - Awareness Presentation v1.2

Information

What is Information?

◦ An asset that has value to an organization

◦ Exists in several forms: messages written on paper, stored on tapes, transmitted in electronic form, etc.

◦ Needs to be suitably protected against a wide range of threats to ensure:

 Business continuity

 Minimized business loss

 Maximized ROI and business opportunities

Page 5: ISO27001 - Awareness Presentation v1.2

Why is Information Security necessary?

1. Protects business information from a range of threats

2. Ensures business continuity

3. Minimizes financial loss

4. Increases business opportunities

5. Improves security posture and culture

Page 6: ISO27001 - Awareness Presentation v1.2

Security breaches lead to…

Reputation loss

Financial loss

Intellectual property loss

Legislative breaches leading to legal actions (Cyber Law)

Loss of customer confidence

Business interruption costs

Page 7: ISO27001 - Awareness Presentation v1.2

Evolution of Information Security

• ISO 27001 provides the specification for ISMS. It has evolved from BS7799, a Standard published by the British Standard Institute (BSI)

• The Information Security Management System is intended to ensure C-I-A

• CONFIDENTIALITY : Ensuring that information is accessible only to those authorized to have access

• INTEGRITY : Safeguarding the accuracy and completeness of information and processing methods

• AVAILABILITY : Ensuring that authorized users have access to information and associated assets when required

Page 8: ISO27001 - Awareness Presentation v1.2

Information Security Components (diagram)

PEOPLE: the Organization and its Staff

PROCESSES: the Business Processes

TECHNOLOGY: the Technology used by the Organization

Page 9: ISO27001 - Awareness Presentation v1.2

ISO 27001 Standard

Main components of ISO 27001

◦ Compulsory Clauses 4 to 8

• Information security & risk management system (Clause 4)

• Management responsibility (Clause 5)

• Internal ISMS audits (Clause 6)

• Management review of the ISMS (Clause 7)

• ISMS improvement (Clause 8)

◦ ISO 27001 (ISMS Domains) 11 domains, 39 control objectives & 133 controls

Page 10: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains): diagram of the 11 domains arranged around Confidentiality, Integrity and Availability

Information Security Policy

Organisation of Information Security

Asset Management

Human Resource Security

Physical & Environmental Security

Communication & Operations Management

Access Control

Information acquisition, development & maintenance

Security Incident Management

Business Continuity Management

Compliance

Page 11: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains)

1. Security policy (A.5)

– Information Security Policy document

– Review of the Information Security Policy

2. Organization of information security (A.6)

– Management commitment

– Roles and responsibilities defined

– Confidentiality agreements

– Contact with authorities and special interest groups

– Addressing security when dealing with 3rd parties, e.g. suppliers, customers, etc.

Page 12: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains)

3. Asset management (A.7)

– Inventory, ownership and acceptable use of assets

– Information classification guidelines and labeling

4. Human resources security (A.8)

– Security roles and responsibilities

– Screening and terms & conditions of employment

– Disciplinary process

– Termination or change of employment

Page 13: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains)

5. Physical and environmental security (A.9)

– Physical entry controls, working in secure areas, isolation of sensitive areas

– Equipment security

• Siting & supporting utilities

• Maintenance

• Secure disposal or re-use of equipment

Page 14: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains)

6. Communications and operations management (A.10)

– Change management

– Segregation of duties

– Third party service delivery management

• SLA definition

• Monitoring of their services

– Capacity management

– Protection against malicious code and mobile code

– Backup

– Network security management

– Media handling & exchange of information

– Monitoring

Page 15: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains)

7. Access Control (A.11)

– Access control policy

– User access management

– User responsibilities

– Network, O.S. and application access control

– Mobile computing & teleworking

Page 16: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains)

8. Information systems acquisition, development & maintenance (A.12)

– Security requirements of information systems

– Correct processing in applications

– Cryptographic controls

– Security in development and support processes

– Technical vulnerability management

Page 17: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains)

9. Information Security Incident Management (A.13)

– Reporting & management of information security events and weaknesses

10. Business Continuity Management (A.14)

– Business continuity & risk assessment

– BC plan

– Testing

Page 18: ISO27001 - Awareness Presentation v1.2

ISO 27001 (ISMS Domains)

11. Compliance (A.15)

– Compliance with legal requirements

– Compliance with security policies & standards, and technical compliance

Page 19: ISO27001 - Awareness Presentation v1.2

FEATURES of ISO 27001

Plan, Do, Check, Act (PDCA) Process Model

Process Based Approach

Stress on Continual Process Improvements

Scope covers Information Security, not only IT Security

Covers People, Process and Technology

5600 plus organizations worldwide have been certified

11 Domains, 39 Control objectives, 133 controls

Page 20: ISO27001 - Awareness Presentation v1.2
Page 21: ISO27001 - Awareness Presentation v1.2

Technical Vulnerability Assessment : Key Components

Page 22: ISO27001 - Awareness Presentation v1.2

Technical Vulnerability Assessment : Activities

Footprinting → Network Scan → Enumeration → Vulnerability Discovery → Vulnerability Exploitation

The foot-printing phase queries information in the public domain. The goal is to discover how much useful information an attacker can obtain about the target

The scanning phase is used to determine what services are running on the systems. These services are the attacker’s entry points into the network.

The enumeration phase is where the open services found during the scanning phase are queried to see what information they leak to the outside world

During this phase, Technical consultants attempt to discover vulnerabilities in all the systems that are reachable from the Internet

In this phase, Technical consultants attempt to actively exploit the vulnerabilities discovered to gain some level of access on the target systems

Page 23: ISO27001 - Awareness Presentation v1.2

WHAT IS RISK?

Risk: A possibility that a Threat exploits a Vulnerability in an asset and causes damage or loss to the asset.

Threat: Something that can potentially cause damage to the organization, IT Systems or network.

Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.

• Risk Management is the name given to a logical and systematic method of identifying, analyzing, treating and monitoring the risks involved in any activity or process.

• Risk Management is a methodology that helps managers make best use of their available resources

Page 24: ISO27001 - Awareness Presentation v1.2

1. Identification of Critical Assets

2. Determination of Asset Values (CIA)

3. Identification of Threats & Vulnerability

4. Determination of Probability

5. Determination of Risk Impact Values

6. Identification of controls to mitigate risk (Treatment)

Page 25: ISO27001 - Awareness Presentation v1.2

Risk Assessment : 4 Way Approach (diagram)

Asset List → Examine Asset Value

Threats and Vulnerabilities → Examine Cause of Risks

Likelihood and Impact → Calculate Risk (rated L / M / H)

Balance between Likelihood of Occurrence, Business Harm and Expenditure on controls → Risk Treatment Plan

Page 26: ISO27001 - Awareness Presentation v1.2

Risk Assessment:

• How likely is the risk event to happen? (Probability and frequency?)

• What would be the impact, cost or consequences of that event occurring? (Economic, political, social?)

Risk Treatment:

• Develop and implement a plan with specific counter-measures to address the identified risks.

Consider:

• Priorities (Strategic and operational)

• Resources (human, financial and technical)

• Risk acceptance (i.e., low risks)

• Document your risk management plan and describe the reasons behind selecting the risk and for the treatment chosen.
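The six assessment steps and the treatment decision above can be carried through as a small risk register. The following is an added example written for this transcript, not a tool from the presentation or from YALAMANCHILI; the 1..3 rating scales, the L/M/H thresholds, the "asset value = highest CIA rating" rule and the sample assets are all assumptions made for illustration.

```python
"""Worked risk-register example following the six assessment steps on the slides.
Added for illustration; not part of the original presentation. The 1..3 scales,
the L/M/H thresholds and the sample assets are assumptions."""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class RiskEntry:
    asset: str             # step 1: critical asset
    threat: str            # step 3: threat ...
    vulnerability: str     # ... and the weakness it could exploit
    confidentiality: int   # step 2: C, I and A each rated 1..3
    integrity: int
    availability: int
    likelihood: int        # step 4: probability the threat exploits the vulnerability, 1..3
    impact: int            # step 5: business harm if it does, 1..3

    @property
    def asset_value(self) -> int:
        # The asset is worth as much as its most sensitive CIA dimension (assumed rule).
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def score(self) -> int:
        # Risk = asset value x likelihood x impact, giving a score of 1..27.
        return self.asset_value * self.likelihood * self.impact


def band(score: int) -> str:
    """Map a score to the L/M/H rating shown on the 4-way-approach slide (thresholds assumed)."""
    if score >= 12:
        return "H"
    if score >= 6:
        return "M"
    return "L"


def treatment(entry: RiskEntry, accept_up_to: str = "L") -> str:
    """Step 6: risks at or below the acceptance level are accepted; the rest need a control."""
    order = "LMH"
    return "accept" if order.index(band(entry.score)) <= order.index(accept_up_to) else "mitigate"


def build_register(entries):
    """Return rows (asset, threat, score, band, treatment) with the highest risks first,
    which is the order a risk treatment plan should work through them."""
    rows = [(e.asset, e.threat, e.score, band(e.score), treatment(e)) for e in entries]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample assets; not taken from any real register.
SAMPLE_ENTRIES = [
    RiskEntry("card transaction switch", "malware on host", "unpatched OS", 3, 3, 3, 2, 3),
    RiskEntry("office file server", "disk failure", "no tested backup", 2, 2, 2, 2, 2),
    RiskEntry("public brochure site", "defacement", "default CMS password", 1, 2, 1, 1, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(row)
```

Raising `accept_up_to` to "M" is the "risk acceptance" decision from the slide made explicit: it documents which band the organization is willing to carry without a counter-measure, which is exactly what the risk management plan is asked to record.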

Page 27: ISO27001 - Awareness Presentation v1.2

RISKS & THREATS

High User Knowledge of IT Systems

Theft, Sabotage, Misuse, Social Engineering

Virus Attacks

Systems & Network Failure

Lack of Documentation

Lapse in Physical Security

Natural Calamities & Fire

Page 28: ISO27001 - Awareness Presentation v1.2

SO HOW DO WE OVERCOME THESE PROBLEMS?

Page 29: ISO27001 - Awareness Presentation v1.2

Information Security is an integral part of our commitment to establish a safe and secure environment. YALAMANCHILI aims to establish controls for confidentiality, integrity and availability by:

 Managing key information assets, including customer data

 Complying with the security aspects of business requirements, legal, regulatory & contractual obligations

 Ensuring that any risks involved are formally and periodically assessed, towards promoting & enhancing organization-wide information security practices

 Evaluating the Information Security Management System in terms of its effectiveness & efficiency, towards continual process improvement of the Organization’s security standards

 Spreading awareness on information security practices through induction and continuous training

Page 30: ISO27001 - Awareness Presentation v1.2


NARADA - Overview

YSE uses the NARADA™ V4.0 application to provide the services stated above to banking clients. The NARADA™ application developed by YSE is a card management switch equipped to handle various requirements such as card management, online card authorization and transaction processing for the banks. It connects to the MasterCard and VISA services through the External Access Server: the VISA Extended Access Server (EAS) for VISA and the MasterCard Interface Processor (MIP) for MasterCard issuer transactions. A separate instance of the NARADA™ application is created for each bank depending on the type of services requested by the bank. The cards issued and processed for each bank are segregated from those of the other banks. The NARADA™ application has various modules to carry out processes such as transaction processing, billing, issuing and acquiring, as mentioned above. The various modules and their functionalities are –

Page 31: ISO27001 - Awareness Presentation v1.2


NARADA - Overview

NARADA™ Debit V4.0 – This system acts as a gateway for processing of issuer transactions from the VISA gateway to the bank host gateway for debit card transactions.

NARADA™ ATMC V4.0 – This module of the application is the ATM connect application, which is used for driving the transactions of various ATMs through the standard messaging protocol.

NARADA™ Credit Host V4.0 – This application module processes Credit Card Transactions as a third party processor for the banks and acts as a gateway for processing online ATM and POS transactions through EAS or the MIP interface. This application module also manages the credit card bill generation process.

NARADA™ Prepaid Host – This system processes prepaid transactions as a third party processor for the banks and acts as a gateway for processing online ATM and POS transactions through the VISA or the MasterCard interface.

Page 32: ISO27001 - Awareness Presentation v1.2

PCI DSS (Payment Card Industry - Data Security Standard)

• PCI DSS is a standard framed by the payment brands (VISA, MasterCard, Amex, JCB, Discover) to protect cardholder data

• Compliance is required of all entities that store, process, or transmit cardholder data.

• The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data.

• The PCI DSS certification cycle is once every year

Page 33: ISO27001 - Awareness Presentation v1.2

PCI DSS Requirements

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords or for other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

5. Use and regularly update anti-virus software or programs.

6. Develop and maintain secure systems and applications.

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security for employees and contractors.

Page 34: ISO27001 - Awareness Presentation v1.2


Tools For Compliance

Log management – Kiwi Log Viewer

IDS/IPS – part of Firewall

File Integrity - OSIRIS

AV - AVG

VA – McAfee (External)

Pen Test – PCI approved Vendor - SISA

Card Scanning – Files are encrypted and deleted after a period

Page 35: ISO27001 - Awareness Presentation v1.2

Log Management

Log management is about keeping your logs in a safe place and putting them where you can easily inspect them with tools.

Keep an eye on your log files: they tell you something important...

• Lots of things happen, and someone needs to keep an eye on them...

• Not really practical to do it by hand!

First, you need to centralize and consolidate log files:

Log all messages from routers, switches and servers to a single machine – a logserver

All logging from network equipment and UNIX servers is done using syslog

Windows can be configured to use syslog as well, with some tools

Log locally, but also to the central server
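What the central logserver receives from routers, switches and UNIX servers is BSD-style syslog (RFC 3164), so the first tool it needs is a parser that decodes the priority field and groups lines by host. The block below is an added example for this transcript, not code from the presentation or any product named in it; the log lines, host names and addresses are constructed, and the "user.notice" default for lines without a priority follows RFC 3164.

```python
"""Parser and consolidator for BSD-style syslog lines (RFC 3164) as received by a
central logserver. Added as an illustration for this section; not code from the
original presentation. The sample lines below are constructed, and the host names
and addresses in them are invented."""
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> is optional because some devices send plain "TIMESTAMP HOST TAG: MSG" lines.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line: str):
    """Return a dict for one log line, or None if it is not a syslog line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # Without a PRI field RFC 3164 says to assume user.notice, i.e. PRI 13.
    pri = int(m.group("pri")) if m.group("pri") is not None else 13
    if pri > 191:  # highest valid value: local7 (23) * 8 + debug (7)
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def consolidate(lines, attention_level="warning"):
    """Summarize a batch of lines: events per host, unparsed lines, and the records at
    or above attention_level that someone needs to look at."""
    threshold = SEVERITIES.index(attention_level)
    per_host, attention, unparsed = Counter(), [], 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        per_host[rec["host"]] += 1
        if SEVERITIES.index(rec["severity"]) <= threshold:  # lower number = more severe
            attention.append(rec)
    return {"per_host": per_host, "attention": attention, "unparsed": unparsed}


# Constructed lines. PRI values: 187=local7.err, 38=auth.info, 86=authpriv.info,
# 12=user.warning, 36=auth.warning; one line has no PRI and one is not syslog at all.
SAMPLE_LINES = [
    "<187>Oct 11 22:14:15 core-rtr01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<38>Oct 11 22:14:16 app-srv02 sshd[2042]: Accepted publickey for deploy from 10.0.2.7 port 51234 ssh2",
    "<86>Oct 11 22:14:20 app-srv02 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/usr/bin/systemctl restart rsyslog",
    "<12>Oct 11 22:14:21 core-sw01 snmpd: Authentication failure for SNMP request from 10.0.3.40",
    "Oct 11 22:14:22 core-sw01 lldpd: neighbor change on port 12",
    "<36>Oct  1 03:07:09 app-srv02 sshd[2101]: Failed password for invalid user admin from 203.0.113.8 port 40102 ssh2",
    "this is not a syslog line",
]

if __name__ == "__main__":
    summary = consolidate(SAMPLE_LINES)
    print(dict(summary["per_host"]), "unparsed:", summary["unparsed"])
    for rec in summary["attention"]:
        print(rec["severity"], rec["host"], rec["tag"], rec["msg"])
```

The `attention` list is the "keep an eye on them" part of the slide done by machine: anything at warning or worse from any host surfaces in one place, and the `unparsed` counter tells you when a device is sending something the collector does not understand, which is itself worth a look.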

Page 36: ISO27001 - Awareness Presentation v1.2

Log Management

PCI-DSS Requirement 12 says…

Logging mechanisms and the ability to track user activities are critical in reverting, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

So the Logs should be placed in a centralized manner for ease of reference.

(Diagram: routers, switches and servers write syslog to local disk and also forward it to the central Syslog Server.)

Page 37: ISO27001 - Awareness Presentation v1.2

IDS/IPS

IDS (Intrusion Detection System):

• Passive ~ out of band

• These devices can monitor and analyze events that occur on a network or system, looking for intrusion attempts based on signatures or patterns.

• IDS requires careful tuning to network conditions to be effective; otherwise false positives are too high for the system to be useful.

IPS (Intrusion Prevention System):

• IPS can provide more accurate alerts.

• IPS uses multi-method detection.

• A false positive may unnecessarily suspend a connection and therefore immediately block legitimate traffic.

• Gartner: “This real-time response which registers attacks as legitimate events, even if those attacks have no bearing on the network, could be too disruptive to operations.” (Ratzlaff)

Page 38: ISO27001 - Awareness Presentation v1.2

IDS/IPS

PCI-DSS Requirement 11.4 Guidance

Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.

These tools compare the traffic coming into the network with known “signatures” of thousands of compromise types (hacker tools, Trojans and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection via these tools, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these tools should be monitored, so that the attempted intrusions can be stopped.

There are thousands of compromise types, with more being discovered on a daily basis. Stale versions of these systems will not have current “signatures” and will not identify new vulnerabilities that could lead to an undetected breach. Vendors of these products provide frequent, often daily, updates.
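The two IDS/IPS slides make three points that are easiest to see in code: detection is signature matching against traffic, an IPS acts inline on a match, and an untuned signature turns a harmless request into blocked legitimate traffic. The block below is an added example written for this transcript, not from the presentation or any IDS product; the three signatures, the request events and the addresses are constructed for illustration.

```python
"""Signature-based inspection of web request events, in the style of the IDS/IPS
slides: match known patterns, alert (IDS) or drop (IPS), and show why tuning
matters. Added example, not from the original presentation; the signatures,
request samples and addresses are constructed for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: str
    field: str          # which part of the event the pattern applies to
    pattern: re.Pattern
    description: str
    severity: str       # "high" or "medium"


def make_signatures(tuned: bool):
    """Three illustrative signatures. With tuned=False the SQL-injection pattern has no
    trailing word boundary, so it also fires on harmless text such as 'union selection'."""
    sqli = r"\bunion\s+select\b" if tuned else r"union\s+select"
    return [
        Signature("1001", "path", re.compile(r"(\.\./){2,}"), "directory traversal probe", "high"),
        Signature("1002", "path", re.compile(sqli, re.IGNORECASE), "SQL injection probe", "high"),
        Signature("1003", "user_agent", re.compile(r"^(?:sqlmap|nikto)/", re.IGNORECASE),
                  "known scanner user-agent", "medium"),
    ]


def inspect(event: dict, signatures, mode: str = "ids"):
    """Return one finding per matching signature. In IDS mode every finding is an alert;
    in IPS mode high-severity findings are dropped inline, which is what makes a false
    positive costly."""
    findings = []
    for sig in signatures:
        value = event.get(sig.field, "")
        if sig.field == "path":
            value = unquote(value)  # normalize URL encoding before matching
        if sig.pattern.search(value):
            action = "drop" if mode == "ips" and sig.severity == "high" else "alert"
            findings.append({"sid": sig.sid, "description": sig.description,
                             "action": action, "src": event["src"]})
    return findings


def run_sensor(events, signatures, mode="ids"):
    """Inspect a batch of events; returns findings keyed by event id."""
    return {e["id"]: inspect(e, signatures, mode) for e in events}


# Constructed request events (private and documentation address ranges only).
SAMPLE_EVENTS = [
    {"id": "e1", "src": "10.0.5.21", "path": "/images/logo.png", "user_agent": "Mozilla/5.0"},
    {"id": "e2", "src": "10.0.5.22", "path": "/search?q=trade%20union%20selection", "user_agent": "Mozilla/5.0"},
    {"id": "e3", "src": "203.0.113.8", "path": "/static/../../../../etc/passwd", "user_agent": "curl/7.68.0"},
    {"id": "e4", "src": "203.0.113.9", "path": "/login", "user_agent": "sqlmap/1.4"},
]

if __name__ == "__main__":
    for tuned in (False, True):
        label = "tuned" if tuned else "untuned"
        print(label, run_sensor(SAMPLE_EVENTS, make_signatures(tuned), "ips"))
```

Event `e2` is the slide's false-positive case: with the untuned signature an inline IPS drops an ordinary search request from an internal user, while in IDS mode the same mistake only costs an analyst a few minutes. Adding the word boundary is the kind of "careful tuning to network conditions" the slide calls for, and keeping the signature set current (the 11.4 guidance) is what keeps `e3` and `e4` detectable as new probes appear.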

Page 39: ISO27001 - Awareness Presentation v1.2

File Integrity Monitoring

File integrity monitoring is critical for security and compliance initiatives, and is a requirement for PCI compliance. File Integrity Monitor™ provides an agentless file integrity auditing solution that gives you the ability to monitor an asset’s details all the way down to the file level without requiring software agents on the monitored system. The File Integrity Monitoring solution discovers significant file integrity detail, such as:

• File size

• Version

• When it was created

• When it was modified

• The login name of any user who modifies the file

• Its attributes (e.g., Read-Only, Hidden, System, etc.)

As an extra safeguard against file tampering, the solution also monitors file checksums (MD5 or SHA-1 on Windows-based systems and MD5 or any user-defined hash algorithm on Unix-based systems), providing cryptography-based monitoring for file changes.

Page 40: ISO27001 - Awareness Presentation v1.2

File Integrity Monitoring: PCI-DSS Requirement 11.5 and 10.5.5 Guidance

Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly.

File-integrity monitoring (FIM) systems check for changes to critical files, and notify when such changes are detected. There are both off-the-shelf and open source tools available for file integrity monitoring. If FIM is not implemented properly and its output not monitored, a malicious individual could alter configuration file contents, operating system programs, or application executables. Such unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.

Use file-integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

File-integrity monitoring systems check for changes to critical files, and notify when such changes are noted. For file-integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise. For log files (which do change frequently) what should be monitored are, for example, when a log file is deleted, suddenly grows or shrinks significantly, and any other indicators that a malicious individual has tampered with a log file. There are both off-the-shelf and open source tools available for file-integrity monitoring.
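The checksum-based monitoring from the previous slide and the two rules from this one (static critical files must not change at all; log files may grow but existing log data may not change, shrink or vanish) can be implemented with one hashing helper. The block below is an added example written for this transcript, not code from the presentation or from File Integrity Monitor™; SHA-256 is used by default (MD5 or SHA-1 work through the `algo` parameter, matching the slide), and the tenfold growth threshold and the demo files are assumptions.

```python
"""File-integrity monitoring in the sense of the two requirements above: a checksum
baseline for files that should not change (11.5) and an append-only check for log
files, where growth is normal but rewriting or shrinking is not (10.5.5). Added
example, not from the original presentation or any product; SHA-256 by default
(MD5/SHA-1 via algo), the growth threshold and the demo files are assumptions."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256", length=None):
    """Hash a file, or only its first `length` bytes (used for the log prefix check)."""
    h = hashlib.new(algo)
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(65536 if remaining is None else min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def baseline(paths, algo="sha256"):
    """Record size and digest for each path; this is the trusted reference state."""
    return {str(p): {"size": p.stat().st_size, "digest": file_digest(p, algo)} for p in paths}


def compare_static(base, algo="sha256"):
    """Critical files must not change at all: any modification or deletion is a finding."""
    findings = []
    for name, rec in base.items():
        p = Path(name)
        if not p.exists():
            findings.append((p.name, "deleted"))
        elif file_digest(p, algo) != rec["digest"]:
            findings.append((p.name, "modified"))
    return findings


def check_log(rec, path, algo="sha256", growth_factor=10):
    """Append-only rule for a log file: the bytes that existed at baseline time must hash
    the same, the file may not shrink, and a sudden large growth is flagged too."""
    if not path.exists():
        return "deleted"
    size = path.stat().st_size
    if size < rec["size"]:
        return "shrunk"
    if file_digest(path, algo, length=rec["size"]) != rec["digest"]:
        return "rewritten"       # existing log data was changed
    if rec["size"] and size > rec["size"] * growth_factor:
        return "grew-abnormally"  # threshold is an assumption
    return "ok"                   # only new data was appended


def demo():
    """Run both checks against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        cfg, sshd, log = Path(d) / "app.conf", Path(d) / "sshd_config", Path(d) / "auth.log"
        cfg.write_bytes(b"mode=prod\n")
        sshd.write_bytes(b"PermitRootLogin no\n")
        log.write_bytes(b"line1\nline2\n")
        static_base = baseline([cfg, sshd])
        log_base = baseline([log])[str(log)]
        results = {}
        cfg.write_bytes(b"mode=prod\ndebug=1\n")           # unauthorized config change
        sshd.unlink()                                        # critical file removed
        results["static"] = compare_static(static_base)
        with open(log, "ab") as f:
            f.write(b"line3\n")                              # normal append: no alert
        results["append"] = check_log(log_base, log)
        log.write_bytes(b"lineX\nline2\nline3\n")           # existing line altered, size kept
        results["rewrite"] = check_log(log_base, log)
        log.write_bytes(b"line1\n")                          # log truncated
        results["truncate"] = check_log(log_base, log)
        log.write_bytes(b"line1\nline2\n" + b"x" * 200)     # sudden growth past the threshold
        results["growth"] = check_log(log_base, log)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The prefix hash is what lets the log check honour the guidance that "new data being added should not cause an alert": the digest covers only the bytes that existed when the baseline was taken, so appends are silent while any edit inside that range, or a truncation, raises a finding. For a weekly comparison of the static set, store the baseline somewhere the monitored host cannot write to, otherwise the same individual who alters a file can alter its reference digest.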

Page 41: ISO27001 - Awareness Presentation v1.2

Anti-Virus

• Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business-approved activities, including employees’ e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities.

• Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.

• Antivirus (or "anti-virus") software is a class of program that searches your hard drive and floppy disks for any known or potential viruses.

• The market for this kind of program has expanded because of Internet growth and the increasing use of the Internet by businesses concerned about protecting their computer assets.

• To help prevent the most current viruses, you must update your antivirus software regularly. You can set up most types of antivirus software to update automatically.

Page 42: ISO27001 - Awareness Presentation v1.2

Anti-Virus: PCI-DSS Requirement 5 Guidance

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

There is a constant stream of attacks using widely published exploits, often “0 day" (published and spread throughout networks within an hour of discovery) against otherwise secured systems. Without anti-virus software that is updated regularly, these new forms of malicious software can attack and disable your network. Malicious software may be unknowingly downloaded and/or installed from the internet, but computers are also vulnerable when using removable storage devices such as CDs and DVDs, USB memory sticks and hard drives, digital cameras, personal digital assistants (PDAs) and other peripheral devices. Without anti-virus software installed, these computers may become access points into your network, and/or maliciously target information within the network.

5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

It is important to protect against ALL types and forms of malicious software.

5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

The best anti-virus software is limited in effectiveness if it does not have current anti-virus signatures or if it isn't active in the network or on an individual‘s computer. Audit logs provide the ability to monitor virus activity and anti-virus reactions.

Page 43: ISO27001 - Awareness Presentation v1.2

Vulnerability Assessment

• Vulnerabilities in IT systems can be considered as ‘holes’ or ‘errors’

• The vulnerabilities may be due to improper system design or coding or both.

• When a vulnerability is exploited, it results in a “Security violation”, or in simple terms an “impact”

• Denial of service, privilege escalation are some of the examples of impacts.

• “Vulnerability Identification is a process in which IT systems are scanned for known and unknown vulnerabilities by using proper tools (called vulnerability scanners)”

• “Vulnerability Analysis is a process by which the identified vulnerabilities are analyzed for severity based on the criticality of the System”

Page 44: ISO27001 - Awareness Presentation v1.2

Vulnerability Assessment

PCI-DSS Requirement 11.2 Guidance

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

A vulnerability scan is an automated tool run against external and internal network devices and servers, designed to expose potential vulnerabilities and identify ports in networks that could be found and exploited by malicious individuals. Once these weaknesses are identified, the entity corrects them, and repeats the scan to verify the vulnerabilities have been corrected. At the time of an entity’s initial PCI DSS assessment, it is possible that four quarterly scans have not yet been performed. If the most recent scan result meets the criteria for a passing scan, and there are policies and procedures in place for future quarterly scans, the intent of this requirement is met. It is not necessary to delay an “in place” assessment for this requirement due to a lack of four scans if these conditions are satisfied.
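The guidance above is really a small set of rules over a scan history: passing scans at least quarterly, a scan after every significant change, and an exception for an entity that does not yet have four quarters of history. The block below encodes those rules so a compliance owner can check a scan register before the assessor does. It is an added example written for this transcript, not from the presentation or the PCI DSS; the 90-day reading of "quarterly", the 30-day window allowed for a post-change rescan and the sample dates are assumptions.

```python
"""Check the scan-cadence logic of the Requirement 11.2 guidance: passing scans at
least quarterly, a passing scan after every significant change, and the
initial-assessment exception when four quarterly scans do not yet exist. Added
example, not from the original presentation; the 90-day quarter, the 30-day window
after a change and the sample dates are assumptions."""
from datetime import date, timedelta

QUARTER = timedelta(days=90)        # assumed reading of "at least quarterly"
CHANGE_WINDOW = timedelta(days=30)  # assumed time allowed to rescan after a change


def quarterly_gaps(passing_dates, as_of, max_gap=QUARTER):
    """Intervals longer than max_gap with no passing scan, including the tail up to as_of."""
    dates = sorted(passing_dates)
    gaps, prev = [], dates[0]
    for d in dates[1:]:
        if d - prev > max_gap:
            gaps.append((prev, d))
        prev = d
    if as_of - prev > max_gap:
        gaps.append((prev, as_of))
    return gaps


def changes_without_rescan(change_dates, passing_dates, as_of, window=CHANGE_WINDOW):
    """Significant changes not followed by a passing scan within the window.
    A recent change whose window has not yet expired is not reported."""
    pending = []
    for c in sorted(change_dates):
        covered = any(c <= s <= c + window for s in passing_dates)
        if not covered and as_of > c + window:
            pending.append(c)
    return pending


def assess(scans, changes, as_of, policy_in_place):
    """scans: list of (date, passed). Returns the verdict and what it rests on."""
    passing = [d for d, ok in scans if ok]
    pending = changes_without_rescan(changes, passing, as_of)
    if not passing:
        return {"compliant": False, "basis": "no passing scan", "gaps": [], "pending_changes": pending}
    latest_passed = max(scans, key=lambda s: s[0])[1]
    in_last_year = [d for d, _ in scans if as_of - d <= timedelta(days=365)]
    if len(in_last_year) < 4:
        # Initial-assessment rule from the guidance: the latest scan passed and
        # procedures for future quarterly scans exist.
        ok = latest_passed and policy_in_place and not pending
        return {"compliant": ok, "basis": "initial assessment", "gaps": [], "pending_changes": pending}
    gaps = quarterly_gaps(passing, as_of)
    return {"compliant": not gaps and not pending, "basis": "quarterly history",
            "gaps": gaps, "pending_changes": pending}


# Constructed scan registers; no real assessment data.
D = date
AS_OF = D(2024, 11, 20)
SCANS_A = [(D(2024, 1, 15), True), (D(2024, 4, 10), True), (D(2024, 5, 20), True),
           (D(2024, 7, 5), False), (D(2024, 7, 20), True), (D(2024, 10, 8), True)]
CHANGES_A = [D(2024, 5, 2), D(2024, 8, 15), D(2024, 11, 1)]  # firewall rule changes, say
SCANS_B = [(D(2024, 10, 1), True)]                             # entity in its first year
SCANS_C = [(D(2024, 1, 15), True), (D(2024, 7, 20), True)]    # two scans, both too far apart

if __name__ == "__main__":
    print(assess(SCANS_A, CHANGES_A, AS_OF, policy_in_place=True))
    print(assess(SCANS_B, [], AS_OF, policy_in_place=True))
```

In register A the quarterly rhythm holds (the longest interval between passing scans is 86 days) and the failed July scan is harmless because it was repeated and passed fifteen days later, but the change on 15 August was never followed by a scan inside the window, so the verdict is non-compliant with the reason attached. The change on 1 November is not reported because its window is still open on the `as_of` date. Register B shows the initial-assessment exception: one passing scan plus documented procedures is enough, while the same single scan without procedures is not.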

Page 45: ISO27001 - Awareness Presentation v1.2

Penetration Testing

Testing the security of systems and architectures from a hacker’s point of view

A “simulated attack” with a predetermined goal

Access points to your Network

• Internet gateways

• Modems

• Wireless networks

• Physical entry

• Social engineering

Two Types of Testing Approach

• External View (Hacker)

• Internal View (Disgruntled Employee or Contractors)

Page 46: ISO27001 - Awareness Presentation v1.2


PCI DSS - Certificate

Page 47: ISO27001 - Awareness Presentation v1.2
Page 48: ISO27001 - Awareness Presentation v1.2

Thank You