upnorth

Level 44
Verified
Trusted
Content Creator
Malware Hunter
Kaspersky, a leading global cybersecurity company, has achieved ISO/IEC 27001:2013 certification; the international standard outlining best practices for information security management systems. Issued by TÜV AUSTRIA, the certification confirms that the company’s data security systems, including Kaspersky Security Network, meets industry best practices.

ISO/IEC 27001 is the most widely used information security standard prepared and published by the International Organization for Standardization (ISO), the world’s largest developer of voluntary international standards. It includes requirements on how to implement, monitor, maintain and continually improve an Information Security Management System (ISMS) within the context of the organization and its business needs. Conformity with this internationally recognized standard lies at the core of Kaspersky’s approach to implementing and managing information security, as it proves the completeness and rigor of security controls while providing clients with an additional level of assurance.

Certification was validated following an assessment done by the independent certification body TÜV AUSTRIA. It covered management systems of the delivery of malicious and suspicious files using the Kaspersky Security Network (KSN) infrastructure, as well as safe storage and access to these files in the company’s Distributed File System (KLDFS). This include the company’s data centers in Zurich, Switzerland; Frankfurt, Germany; Toronto, Canada and Moscow, Russia.

 

jetman

Level 7
Verified
I think the article above about SO/IEC 27001:2013 certification is more about Kaspersky's data practices. The accusations about Kaspersky being involved in espionage are entirely separate matters.

I don't think there was ever any technical evidence that Kaspersky software is used for state survelliance.

However, I think the concern is that as a Russian company, they would ultimately have to follow any instructions which their government would like them to carry out in the future. Plus they possibly have government agents amongst their staff- even if they don't realise this. To be fair, I expect most of the large security companies are spied on to a certain extent.

But I have no idea is the above is true. I use Kaspersky, which shows how concerned I am !
 

RejZoR

Level 14
Verified
What espionage? The last mega drama around Kaspersky was entirely manufactured by twisting facts in such a way that they looked guilty. Where in reality it was Kaspersky that caught NSA's contractors shuffling around hack tools. That's the only wrongdoing they did. Detecting hack tools they were not suppose to detect coz they were used by NSA and not meant to be found. As for hackings and other things, of course Kaspersky cooperates with local authorities which happen to be... RUSSIAN. Just like Symantec, McAfee or any other American security firm cooperates with FBI and the likes when they have something on it.
 

AtlBo

Level 27
Verified
Content Creator
Kaspersky deserves recognition. Others can earn it too. It's good for a company to make the world a better place :)

Everyone should take a look at KSC free and see exactly what Kaspersky has done in the form of a free program. The investment in quality coding practices is evident, and the company makes good decisions too. How good must their paid be lol? Hello awards.
 

upnorth

Level 44
Verified
Trusted
Content Creator
Malware Hunter
What exactly was certified and how the certification was performed.

ISO 27001 is an international standard with requirements for the creation, maintenance, and development of information security management systems. Essentially, it’s a collection of best practices addressing security management measures to protect information and guarantee customers protection of their data. To conduct certification , an independent entity — in our case, TÜV AUSTRIA — sends auditors whose main goal is to check how the processes that provide cybersecurity comply with best practices. During the audit, they evaluate processes in various departments including HR, IT, R&D, and Security) and compile a comprehensive report, which other independent experts then analyze to confirm the impartiality of the auditors. Finally, the independent organization issues a certificate, which in our case confirms that the information security management system complies with best practices.

Our customers are interested primarily in whether we provide the greatest possible level of security for processes of delivery of malicious and suspicious objects (files) for additional automatic and manual analysis by our experts, and whether we then store those objects reliably. This area is a central one for any antivirus company. Therefore, we pursued certification of the delivery mechanisms for malicious and suspicious files using the infrastructure of Kaspersky Security Network and their safe storage in the Kaspersky Lab Distributed File System. However, the auditor was not restricted to this area only. Many services in the company are arranged in a similar way.

Many factors affect the safety of any process, and information security management systems can help define those factors and provide timely protection. Many questions in cybersecurity management can be considered fundamental. Who has access to information systems and critical data? How did their job application process go? How do employees work with documents and information systems? How does the security team handle revoking access rights when an employee leaves? How aware are employees of possible cyberthreats and means of protection against them? How do administrators work with computers running critical operations?

The protection system also considers new types of threats and counteraction, for example, protection against APT attacks, countering the possible risks of using new technologies, including using machine-learning algorithms.

With the above in mind, the auditors analyzed documentation, talked with employees from various departments, and analyzed the technical and organizational aspects of data protection, such as the processes of recruiting, dismissal, and training. They studied how the IT service maintains the corporate network, and they visited our data centers. They also watched how employees work, checked whether they left printed documents and removable media lying around the office and if they locked their computers when away from their desks, as well as what their monitors and dashboards displayed and what kinds of programs they used to work. In other words, they analyzed the practices that apply to the entire company, paying special attention to the verification of information security management system processes: security analysis by management, risk management, incident management, corrective actions, audits, ensuring employees’ cybersecurity awareness, and maintaining business continuity.
 

MacDefender

Level 11
Verified
A previous day job involved being in a war room analyzing newly discovered compromised devices that I worked on.

The level of sophistication I've seen from such attacks (usually the personal devices of high value targets) was just astounding, ranging from well covered up zero-day exploits to hardware attacks.

If you are worried about a state sponsored actor targeting you, whether it's Russia or the NSA or China, I frankly do not expect ANY commercial product on the market to protect you. I really hope that's not why educated people are choosing an AV software.....

So that leaves what matters: Does the product deliver the level of protection that you want, and do you trust it?

The former, I would safely say yes, Kaspersky products have consistently tested near or at the top of the pack whether it's dynamic or static protection. The latter? That's a really hard question to answer for everyone. Honestly cloud-based AVs creep me out a little -- almost every engine has some cloud component and they all involve agreeing to submit samples automatically for things the cloud doesn't recognize. You are placing a lot of trust in a third party and basically only have your gut and their track record to make that decision on. Your control ends with "well my AV just uploaded this EXE to their servers, from my IP address". What they do with that, and how much of the upload transaction they log? I'm not sure you have anything to go on but your trust in them.
 

Vitali Ortzi

Level 19
Verified
I think the article above about SO/IEC 27001:2013 certification is more about Kaspersky's data practices. The accusations about Kaspersky being involved in espionage are entirely separate matters.

I don't think there was ever any technical evidence that Kaspersky software is used for state survelliance.

However, I think the concern is that as a Russian company, they would ultimately have to follow any instructions which their government would like them to carry out in the future. Plus they possibly have government agents amongst their staff- even if they don't realise this. To be fair, I expect most of the large security companies are spied on to a certain extent.

But I have no idea is the above is true. I use Kaspersky, which shows how concerned I am !
Probably Israel knows more about it since Dugu 2.0
 
Top