Happiest Minds

This blog was originally published by Manoj Rai at Happiest Minds

Mobile apps have been increasingly gaining ground in the communication industry. Enterprises are rapidly adopting innovative mobile applications to transform their business capabilities as the mobile presence is critical for businesses to attract, retain and communicate with customers; it has become an integral part at both work and in their personal lives. The newer mobile computing technologies are increasingly embraced by the consumers across the globe, and this exponential growth of mobile devices and business applications has attracted a large number of well-organized cyber criminals and independent hackers, who are seeking monetary benefits with highly competent modus operandi.

Some Key challenges:

Mobile malware have grown over 17,000 new unique forms, some of  Android/Zitmo, Android/Spitmo and Android/Citmo mobile malware families work in conjunction with the Zeus, Spy Eye and Carberp Windows crimeware suites.

Native Mobile Applications from third parties designed for normal use but containing unintended security vulnerabilities or specifically designed to commit fraud.

Raise of phishing attacks that leverage the limitation of mobile device screen size or web browser view

With more and more customers switching to smart phones, brands today have capitalized this to reach out to their customers directly with more pace, mobility and efficiency than ever before. However, as much as anything virtual comes with transparency, agility and cost effectiveness, it is not entirely devoid of privacy and security issues.

To counter it, brands, whether they serve communication, gaming, utility, multimedia, productivity or travel-based functionality, need to adhere to robust Mobile App Security Tests for the following.

Installation package: Check the installation package thoroughly. This is done by de-compiling, speculating and making modifications to the installable file from the mobile device. A thorough review of the source codes would help you spot vulnerable codes.

Local file system: Run a security check on local file systems to test temporary files and cached data that already exists in the mobile device. This would also help monitor database related security.

Insecure file permissions: Check the internal & external disk space, rights & permission on the target file, file encryption and authorization of user access.

Error handling & session management: Check for application exception management, error handling functionality and randomness of session identifiers, and spot the attacks abusing sessions.

Business logic flaws: Test everything relevant for logic flaws, security functions, multi-stage processes, trust boundaries and adjustments made to quantities.

Client-side injections: Test for client-side injections to detect malicious inputs on the installed applications. Ensure that you also get a cross-site scripting, HTML injection and other relevant checks done.

Server-side validation: Check for validation on the server side for injection, cross-site scripting on the server end.

Replay attack vulnerabilities: Keep an eye on malicious inputs that come as legitimate requests from an authorized or an unauthorized user. Check for response splitting and cache poisoning too.

Permitting the usage of mobile smartphone devices and multi-purpose or mission critical applications in corporate environments by conducting a detailed technical assessment of security controls would enable the stake holders to identify, assess and diligently manage mobile security risks. Mobile security assessment for device security and application security testing are broadly categorized as native mobile application penetration testing, mobile website penetration testing, hybrid application & website penetration testing, native application secure code review, mobile device security & configuration review, secure SDLC consulting on threat modeling & coding.

Mobile App security concerns mainly arise out of malicious functionalities and vulnerabilities. While the above list may act like a checklist to effectively mitigate risks, app developers and security teams must also keep an eye out for new threats at all times.

This blog was originally published by Haren Bhatt at HappiestMinds

Cyber Threat Intelligence (CTI) is a term used to address any kind of information that protects your organization’s IT assets from potential security impeachment. CTI can take many forms. It could be internet based IP addresses or geo locations TTP’s (Tools, Tactics and Practices). These work as indicators or early warnings of attacks which can take a toll on an enterprise’s IT infrastructure. There are numerous vendors across the globe whose CTI can be seamlessly made part of security interfaces like GRC tools, SIEM and other correlation engines. That being said, what information can be employed to generate actionable CTI to defend your enterprise security? Let’s look at the same in detail:

Drivers: Drivers may vary anything from attacks like a ‘zero day’, business related breaking news, or certain announcements that cause vulnerabilities in the enterprise’s activities. Understanding the nature of the drivers can help increase the security vigilance.

Prerequisites: This accounts for everything an attacker would need to trigger an attack on your IT infrastructure through intranet perimeter, network, endpoints and just about anything that is exposed to internet.

Capabilities: The script Kidde’s could generate an attack but may not possess the capacity of post-attack activities. Or a professional attacker could have the capabilities of penetrating an attack but its defense mechanism may not be able to stop provide the attacker with intended results. Understanding the capabilities of the attacks and the attackers in absolute length can help defend security to a great extent.

Components: Another element to considered to better equip security concerns is keeping an account of the attacking component’s tools, tactics and procedures that were used in the past attacks conducted by the attacker. This would help generate indicators to better prepare for the forthcoming attacks.

Measurement: Measurement is important to determine the impact of the attack, mostly in terms of number and types of security events which are generated during the pre-attack condition. The more ways we can interpret different natures and depths of these measurements, the more the security interface can work on the counter-attack measures and recovery processes.

This post was originally published by Jyothi Babu at HappiestMinds

Cyber-crimes are becoming increasingly sophisticated and ambitious in the current age of advanced persistent threats, zero- day attacks and advanced malware. Highly sophisticated threat actors are focused on stealing confidential information including intellectual property, PII, Credit card information, medical records, customer information and state or federal information. If we analyse the key happenings in the threat landscape last year, we can see that businesses have witnessed the highest magnitude of online crime in 2015 with the average total cost of a data breach increased to $3.79 million from $3.52 million in 2014. Studies from renowned institutes reveal that cybercrime will become a $2.1 trillion problem by 2019. The technology revolution happening around IoT, Mobility, Cloud, Wearables and Advanced Machine Learning are also expected to affect the security landscape and enable an expanded set of cyber threats in the upcoming years. Global CISO’s believe that cybercrime will become a key driver in shaping the internet governance, data storage and usage, and how the respective stakeholders engage with each other in the cyberspace.

Certain key focus areas in the cyber-crime space includes:

Data storage and processing in the cloud : The storage and processing of data in the cloud raise security concerns. Lack of competent security policies in the cloud can enable cyber criminals to target the data in the cloud.

Handling sensitive personal information collected through wearables: Wearable devices handle lots of sensitive personal information and it is mostly managed by smart phones. The lack of proper security measures can enable cyber criminals to target wearable platform a key area for cyber-attacks.

Big Data or Data aggregation in the form of large datasets : Organizations are focussed on Big Data storage and analysis to derive actionable business intelligence from it. However, aggregation of large data sets without proper data security policies can make data breaches more rewarding for cyber criminals.

Cyber Extortion or Ransomware attacks: Ransomware threats have started dominating the cyber security landscape recently. It is a matter of greater concern as the impact of ransomware attacks can bring a halt to the business operations itself.

Hardware attacks: The all-time hardware attacks for cyber criminals are expected to continue in the coming years as well. The evolution of tools and sophistication in attack methodologies can make the hardware attacks more prominent.

Social Engineering Techniques: Employing social engineering techniques for cyber-attacks are expected to increase in the coming years. Such attack models will help attackers to bypass defenses easily and thereby achieve their malicious motives by persuading the victims.

Digital Technologies are advancing quickly and threats are evolving along with it. Well-equipped and highly focused Cyber attackers are actively developing new ways to compromise organizational security postures by leveraging sophisticated techniques. The new gen cyber attackers are well organized and even state sponsored. They work collaboratively as teams or leveraging lower-level security vulnerabilities to launch targeted attacks by leveraging attack models ranging from phishing emails, social engineering techniques, and attacks that launch from a legitimate website. In this age of increasing number of interconnected devices including wearables and IOT enabled automobiles and concepts like BYOD it is a constant threat for organizations to safe guard sensitive data including personal health information, credit card related data, sensitive business data, employee information.

Predictions on the future threat landscape

Cyberwarfare, the politically motivated or state sponsored attacks is a key area of concern in cyber security landscape. It focusses on digital attacks on the networks, systems and data of another state, with the aim of creating significant disruption/destruction or for strategic espionage.

IT discussions are focused on the upcoming revolution of quantum computing and its impact in the cyber security space. As several of current security mechanisms including public-key encryption and digital signatures could be cracked by quantum computing, cyber security experts are looking forward to develop quantum resistant algorithms and advanced cryptographic technologies to come up with.

Smart cities with smart transportation, smart healthcare, intelligent buildings and smart power grids contribute another upcoming revolution in the technology space. This increasingly interconnected ecosystem also increases the vulnerability, both to malicious attacks and unintentional incidents.

This post was originally published by Isaac George at Happiest Minds Right now it feels like the whole world is moving to digital at breakneck speed. Banks, insurance companies, retailers and large manufacturers are all looking at how they can digitally transform the organisation to keep up with customer demand, business expectations and compete globally.

However, while digital transformation is becoming all-pervasive agreement on what digital transformation actually means, how to leverage its potential, and most importantly how to make a digital transformation project a success still remains elusive for many.

Digital transformation can be viewed holistically as the confluence of SMAC (social, mobile, analytics and cloud) technologies, cutting through business processes, enabling agile & secure infrastructure, leveraging IoT & connected devises, driven by seamless integration into (and upgrading) of current IT systems and underpinned by actionable insights for sustainable differentiation across customer experience and business efficiency.

In fact, you could argue that customer experience is a big driver for digital transformation projects and will continue to be for a long time to come. What this means is:

The personalisation of content, experience, pricing, recommendation, service and so on; the provision of real-time and aware applications that leverage preferences, insights, context and location awareness; systems or processes that enable on-going customer engagement for deeper insights that drive higher loyalty and advocacy; an omni-channel approach that provides the flexibility and choice for customers to leverage any channel they want;

The business efficiency theme driving digital transformation projects is all around creating differentiation for organisations through one or more of the following: helping an organisation to become more agile and responsive in its ability to identify either opportunities or to protect against threats; taking cost optimisation to the next level by further automating mundane and routine tasks that can be more efficiently handled by intelligent systems; creating better decision making powered by real-time data and insights, rather than by gut-feel and intuition; and unleashing the ability to innovate through the provision of new offerings or different business models.

That said, the key driver for most organisations around digital transformation primarily stems from the fact that it offers tremendous opportunity to enable business differentiation and impact in the market.

It will give many organisations the competitive edge they are looking for – and in some instances change the game in their respective sectors.

However, embarking on a digital transformation programme comes with its own set of challenges and requires an enormous amount of change to the organisation in order to bring in this new approach.

This is a complicated programme of work that involves people, process and technology, which are all equally important.

Here are four critical success factors that will help organisations tap into the tremendous potential that digital can offer:

Transformation

Like any transformation exercise, digital transformation needs to align to business vision, strategy, with the clarity of an implementation roadmap and a series of connected initiatives to achieve the goals.A digital transformation project with no executive management commitment and support is the most common pitfall for organisations. Point solution implementation without the definition of a roadmap of connected initiatives. It requires leadership buy-in and working collaboratively with a range of key stakeholders.

Complement your capabilities

Assessing your digital capabilities is just the first stage. You then need a plan to get your project from where you are to where you need to be. As this is likely to be a large transformation programme, it is critically important that the project team keeps referring back to their original assessment and plan.This will keep the team grounded throughout as to why they are going through the pain to get the organisation where it needs to be to advance the business in a world that has become increasingly mobile and progressively digital.

Front & back end

Any digital transformation should look to leverage your current IT investments and systems. If you only focus on digitising the front-end technologies without adequate consideration for the enablement and modernisation of your existing systems, you won’t leverage the full potential and benefits of the digital project.

Multi-functional buy-in

A fundamental review of all your business processes and capabilities is required with a view to optimize them by leveraging digital technologies. Digital is all pervasive and not something led by IT or Marketing or independent business departments – more than ever it needs a multi-function team.A multi-disciplinary approach is a prerequisite for a digital transformation initiative to be successful. Companies need to be careful that it does not creates silos & internal competition.

See also: 3 steps to future proofing a business with digital transformation

Most companies tend to start small with pilots and proof of concepts. That is a good way of getting buy-in, however it needs to be aligned to an overall vision and road-map. In my experience if a digital transformation project lacks management or stakeholder buy-in and/or fails to adequately take into consideration its current IT landscape, then alarm bells should start ringing as these two factors are the most common cause of stress, delays and failed digital projects. And remember, time frames for these types of projects also tend to shrink due to demands from the business.Try to set a realistic time frame rather than the time frame that the business dictates and work with a digital partner that has the ability and agility to deliver what you need. Otherwise you are certain to set yourself up for failure.

Many companies today are seeing that digital transformation can help them remain competitive and continue to create business value for their customers and themselves. Companies that are missing this opportunity risk losing their competitive position.

And digital is not about technology anymore, it is about improving your customer’s experience and improving business efficiencies for your team.

As a way to start thinking about this, here are a few questions:

What can digital do for you? Do you have clarity on that? How might another organization help address these questions in a joint effort with you?

We at Happiest Minds Technologies are seeing how Digital Transformation is helping companies in several ways. For example, a highly-respected IT consulting firm is leveraging digital content to increase revenue from existing clients and generate revenue from new prospects they could not effectively serve before. A global investment bank is enhancing financial regulatory compliance by partnering with an outside firm to execute new digital processes.

More generally, digital transformation can enable business agility, allowing a company to compete better on speed and flexibility. This can help build more productive and stronger partnerships with customers. Digital Transformation is also helping some companies improve efficiencies and customer experience at the same time.