Open, modular systems are the information technology of the future. These systems must be interoperable as well as easy to access and use. But implementing them means critical data is exchanged over essentially unprotected media. Small flaws can compromise system security, and break-ins by hackers can cause irreparable damage.

CMC offers its clients security policy design, application security, operating system security and network security. We offer a range of consulting and service offerings to secure your systems against unauthorised access.
Offerings

- Security audit
- Application audit
- Vulnerability assessment
- Server hardening
- Information security policy
- Penetration testing
- Business continuity plan / disaster recovery plan
- Training
Security audit

A security audit is conducted to assess the overall security of the customer's network, using well-defined procedures and checklists. It gives an in-depth understanding of the network from a security perspective and helps identify loopholes in the network's design, implementation and operating practices.

A security audit can:

- Determine the level of compliance with the organisation's existing security policies and procedures
- Identify areas of weakness in information systems
- Provide recommendations to address these weaknesses

A detailed report documents every vulnerability found. For each one it gives a brief description, the known countermeasures, and the remedy for fixing it. The report also recommends long-term initiatives, in terms of both products and practices, to keep the network secure.
Application audit

An application audit assesses an application's overall efficiency and effectiveness from a security standpoint. Checklists are prepared using well-defined procedures, tailored to the application and its environment, and are used to conduct the audit. The audit identifies security loopholes in the application's design, development and implementation.

An application audit reviews and assesses: functionality against business requirements; input, output and processing controls; auditability; internal controls built in at the application, database, server and client levels; implementation of separation of duties; password management; programming standards and quality assurance; the software development methodology; change and version control; and back-up and restore procedures. A detailed report is presented with all findings and recommendations.
Vulnerability assessment

Industry-standard remote vulnerability assessment tools such as CyberCop Scanner and ISS Internet Scanner, together with other tools and techniques, are used to analyse the vulnerabilities of a system or network, obtain a hacker's-eye view of it, and identify security holes that a remote attacker could exploit to compromise the network. Beyond the automated tools, selected manual procedures such as access control checking, review of user account restrictions and virus checking expose specific weaknesses. Password-cracking tools check the strength of passwords. The network is also tested for denial of service (DoS) vulnerabilities, and scanning tools expose flaws in the content and ordering of firewall rule bases. Automated scanner output is a starting point rather than a verdict: scanners produce both false positives and misses, so findings need confirmation before remediation is planned.

The vulnerabilities discovered are presented in a detailed report. For each vulnerability, the report gives a brief description, the known countermeasures, and the remedy for fixing it. It also recommends long-term initiatives in products and practices to keep the network secure.
Server hardening

Server hardening is the first line of defence against intrusion. The process ensures that all non-essential services are shut down, that a strict access control policy is in place, and that all relevant security updates are applied so the system is protected against known vulnerabilities.

A detailed study of the server is made with a combination of port-scanning tools and operating system commands; comparing the ports visible from the network with what the OS reports internally gives a true picture of the applications and services running on the system and the ports they require. The existing access control policy and audit policy are analysed, and an appropriate access control policy is designed in consultation with the customer so that users are permitted to access resources on a need-to-know basis.

All access to sensitive directories is audited. A password policy is designed to discourage users from choosing passwords that are easy to guess. Application configurations are tuned to reduce exposure to known flaws, including buffer overflows and susceptibility to DoS attacks. The patch levels of the operating system (OS) and of all applications are compared with the vendors' latest releases, and missing security patches and hotfixes are applied. Any active service or process not required by the system is stopped and disabled so that it does not return on reboot. The revised access control, password and audit policies are enforced, and the configuration changes needed to protect the OS and applications from potential security threats are carried out.

After hardening, the servers are restarted and the logs examined to confirm that functionality and performance have not been affected by the changes.
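The service inventory step of the hardening procedure above, as an added example that is not CMC's own tooling: the script parses the output of the Linux `ss -tlnp` command (the sample embedded below is constructed for illustration, not captured from a real host) and compares every listening socket against a hypothetical per-server requirement table agreed with the customer. It reports listeners that should be stopped and disabled, ports served by an unexpected process, and services that are required only on loopback but are bound to a network-facing address. The `REQUIRED` table and the `parse_listeners` and `audit_listeners` names are assumptions made for this example.

```python
import re

# Constructed sample of `ss -tlnp` output; not captured from a real server.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=540,fd=5))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1110,fd=7))
LISTEN 0      128    [::]:111            [::]:*            users:(("rpcbind",pid=400,fd=4))
"""

# Hypothetical requirement table for this server (an assumption for the example):
# port -> (process expected to own it, "any" = may face the network, "local" = loopback only)
REQUIRED = {
    22: ("sshd", "any"),
    80: ("nginx", "any"),
    3306: ("mysqld", "local"),
    6379: ("redis-server", "local"),
}

LOOPBACK = {"127.0.0.1", "::1"}
_PROC = re.compile(r'users:\(\("([^"]+)"')  # first process name in the Process column


def parse_listeners(ss_output):
    """Yield (address, port, process) for each LISTEN line of `ss -tlnp` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, port = fields[3].rsplit(":", 1)   # "[::]:111" -> ("[::]", "111")
        addr = addr.strip("[]")                 # IPv6 addresses are bracketed
        match = _PROC.search(line)
        yield addr, int(port), (match.group(1) if match else "?")


def audit_listeners(ss_output, required):
    """Return (port, process, problem) for every listener that breaks the requirement table."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port not in required:
            findings.append((port, proc, "not required; stop and disable"))
            continue
        expected_proc, scope = required[port]
        if proc != expected_proc:
            findings.append((port, proc, f"port reserved for {expected_proc}"))
        if scope == "local" and addr not in LOOPBACK:
            findings.append((port, proc, f"required only on loopback but bound to {addr}"))
    return findings


if __name__ == "__main__":
    for port, proc, problem in audit_listeners(SAMPLE_SS, REQUIRED):
        print(f"port {port} ({proc}): {problem}")
```

On a live host, replace `SAMPLE_SS` with the real command output (for instance `sys.stdin.read()` fed from `ss -tlnp`), run it as root so the Process column is populated, and repeat it after the reboot that closes the hardening so that a service re-enabled by a package post-install script is caught. The `netstat -ano` layout on Windows differs, so the parser rather than the audit logic is what changes for that platform.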
A comprehensive document describing every hardening step is presented to the customer. CMC also trains the system administrators in the practices needed to keep the servers secure, including how to apply security patches and how to monitor the security logs to identify possible breaches and trace those responsible.
Information security policies

Security policies are the primary building blocks of every successful information security effort. They are the reference point for a wide variety of information security activities, including designing controls into application systems, establishing user access controls, performing risk analyses, conducting computer crime investigations and disciplining workers for security violations.

An information security policy document is essential for many reasons. Apart from defining workers' roles and responsibilities, it sensitises and educates them about the potential problems associated with modern information systems. This helps minimise the cost of security incidents, accelerates the development of new application systems and helps ensure that controls are implemented consistently across an organisation's information systems.

Information security policies are also important reference documents for internal audits and for resolving legal disputes about management's due diligence. They act as a clear statement of management's intent and thereby help to reduce potential liability.

Regardless of an organisation's size, industry, geographical location or the extent of its computer use, information security is an important matter that should be addressed by explicit policies. Harry DeMaio, former director of data security programs at IBM, says the lack of a well-defined corporate information security policy is the single biggest problem with most security efforts.

At CMC, we conduct a risk analysis to locate likely threats and the resulting security requirements; gather the required information using well-defined checklists and procedures; and then develop a security policy based on BS 7799 (the standard since superseded by ISO/IEC 27001 and 27002), together with the corresponding baseline standards, guidelines and procedures for implementing the policy.
Penetration testing

Penetration testing analyses the vulnerabilities of a system or network remotely, giving a hacker's-eye view of the system and identifying security holes that a remote attacker could exploit. Industry-standard remote vulnerability assessment tools are used to simulate a range of attacks.

The tools used depend on the type of network and the operating systems in the environment. They include standard tools such as ISS Internet Scanner, CyberCop Scanner and Whisker, as well as others. War diallers are used to identify dial-up connections that can bypass the firewall. For an 'informed' penetration test, the system or network administrator is notified in advance, and the test is carried out at the pre-determined time using the agreed set of tools and techniques. Selected procedures expose application-specific vulnerabilities, including weak encryption and insecure coding practices. Brute-force network password-cracking tools are used to break weak passwords. The network is also tested for DoS vulnerabilities; because DoS and brute-force tests can disrupt production systems and lock out accounts, their scope and timing need explicit agreement with the customer before testing begins. Custom-built stealth scanning tools expose flaws in the content and ordering of the firewall rule base.
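The firewall rule-base check referred to under both vulnerability assessment and penetration testing, as an added example rather than CMC's own tooling: given a rule base in a simplified first-match format (the rule base below is constructed for illustration, not taken from any customer firewall), the code flags rules that can never fire because an earlier rule already covers every packet they would match, distinguishing a shadowed rule (the action differs, so an intended deny or allow is silently lost) from a merely redundant one, and separately flags any allow rule that permits all traffic. The `Rule` class, the six-column layout and the function names are assumptions for this example, not any vendor's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed rule base in a simplified "name action src dst proto ports" form.
# r2 is the classic ordering flaw: the telnet deny is placed after a broad allow.
RULEBASE = """\
# name action src             dst            proto ports
r1   allow  10.0.0.0/8       any            tcp   any
r2   deny   10.1.0.0/16      192.0.2.10/32  tcp   23
r3   allow  any              192.0.2.10/32  tcp   443
r4   allow  198.51.100.0/24  192.0.2.10/32  tcp   443
r5   deny   any              any            any   any
"""

ALL_PORTS = (1, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) destination port range


def _net(cidr):
    """Map "any" to the whole IPv4 space so containment checks work uniformly."""
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _ports(spec):
    """"any" -> full range, "23" -> (23, 23), "1024-65535" -> (1024, 65535)."""
    if spec == "any":
        return ALL_PORTS
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def parse_rulebase(text):
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, action, src, dst, proto, ports = line.split()
        rules.append(Rule(name, action, src, dst, proto, _ports(ports)))
    return rules


def covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyse(rules):
    """Return (rule name, problem) pairs, assuming first-match evaluation order."""
    findings = []
    for i, rule in enumerate(rules):
        permit_all = (rule.action == "allow" and rule.ports == ALL_PORTS
                      and rule.src == rule.dst == rule.proto == "any")
        if permit_all:
            findings.append((rule.name, "permits all traffic"))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                if earlier.action == rule.action:
                    findings.append((rule.name, f"redundant with {earlier.name}"))
                else:
                    findings.append((rule.name, f"shadowed by {earlier.name}"))
                break  # the first covering rule is the one that actually fires
    return findings


if __name__ == "__main__":
    for name, problem in analyse(parse_rulebase(RULEBASE)):
        print(f"{name}: {problem}")
```

A real product (Check Point, Cisco ASA, iptables) needs its own exporter into the `Rule` form, and `covers` knows nothing about negated objects, service groups, time conditions or stateful exceptions, so a clean result from this check is necessary rather than sufficient; it is the ordering finding (here, that r1 makes r2 dead and telnet from 10.1.0.0/16 is in fact open) that the scanning step is meant to surface.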
The CMC team performs penetration testing in accordance with the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP) testing guidance. The vulnerabilities discovered are presented in a detailed report. For each vulnerability, the report gives a brief description, the known countermeasures, the level of skill an attacker would need, and the remedy for fixing it. Long-term initiatives in products and practices are recommended to keep the network secure.
Business continuity planning / disaster recovery planning

Globalisation and the explosive growth in internet and intranet computing have increased the demand for continuous operations. A business continuity / disaster recovery plan (BCP / DRP) enables organisations to achieve high availability and continuity of operations. It is a comprehensive statement of consistent actions to be taken before, during and after a disaster, balancing acceptable potential losses against acceptable one-time and annual costs. The plan mitigates the risks to an acceptable level and enables critical business functions to continue in the event of a disaster.

The CMC team conducts a business impact analysis and a risk analysis to identify the areas that would suffer the greatest financial and operational loss in the event of a range of possible disasters, covering natural, technical and human threats. The analysis identifies:

- The organisation's mission-critical activities, their dependencies and the single points of failure
- The activities needed for survival and the maximum outage time the organisation can tolerate as a result of a disaster or disruption

These tasks use customised assessment questionnaires and checklists. The team then identifies appropriate recovery strategies and, based on the output of the risk analysis and business impact analysis, develops a comprehensive BCP / DRP plan in line with industry best practices and the applicable standards.
IT security training programmes

CMC offers three security training courses:

- IT security course for top executives. For CEOs, CIOs, general managers, project managers and other top executives; two days. It enables participants to appreciate the importance of IT security today and helps them take appropriate policy decisions to secure their company's information resources.
- Basic course on IT security for technical staff. For novice technical staff such as system and network administrators; five days. It enables participants to appreciate the importance of IT security today and helps them implement best practices in configuring their systems and tools and prevent cyber threats to their organisation's information resources.
- Advanced course on IT security for technical staff. For system and network administrators with a few years' experience; five days. It enables participants to implement best practices in configuring their systems and tools and prevent cyber threats to their organisation's information resources. It also trains them to take on an incident-handling role in their organisation.

Sessions are conducted by certified (CISA / CISSP) faculty trained by premier organisations such as the Australian Computer Emergency Response Team (AusCERT) and the CERT Coordination Center (CERT/CC), USA. The centre for IT security has also designed customised courses for the banking community and law enforcement agencies, and has trained more than 300 technical staff and 100 top executives to date.
Strengths

The communications and networking group has CISSP- and CISA-certified staff trained by CERT/CC and AusCERT to provide consultancy services. A well-equipped IT security lab is available for conducting penetration tests.
Indicative client list

- Reserve Bank of India (RBI)
- Space Applications Centre (SAC), Ahmedabad
- Hindustan Aeronautics Ltd, Bangalore
- Indian Overseas Bank (IOB), Chennai
- State Bank of Patiala, Patiala
- Election Commission of India, New Delhi
- Neyveli Lignite Corporation Ltd (NLC)
- Material Organisation, Eastern Naval Command, Vishakapatnam
- Small Scale Industries Organisation, New Delhi
- Mahindra and Mahindra, Mumbai
- HPCL, Mumbai
- TNPL, Chennai
- BPCL, Mumbai
- DoEACC, New Delhi
- IDRBT, Hyderabad
- Andhra Bank, Hyderabad
- HWSB, Hyderabad
- MetalJunction.com, Kolkata
Benefits

- Vulnerabilities of servers and security devices, and weaknesses in their configuration, are identified
- Weaknesses in network architecture and network performance are identified
- Weaknesses in web application and database management, and inadequacies in software development standards, are identified
- Website response time is improved
- Measures to strengthen security are recommended
Contact
Head - CS
CMC Limited
CMC House
C-18, Bandra Kurla Complex
Bandra (E), Mumbai 400 051
Tel: 91-22-26591000
Fax: 91-22-26591046
Email: cs@cmcltd.com