Friday, April 29, 2022

Network Scanning Tools

Network Scanning through Nmap and Nessus

Network scanning is the process of identifying the active devices on a network and probing them for vulnerabilities.

Nmap

Nmap is an open source security scanner designed for network discovery and security auditing. It uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts are offering, which operating systems (OS) and OS versions they are running, and what type of packet filters/firewalls are in use, among dozens of other characteristics.

Many network administrators use Nmap for Network Discovery, managing service upgrade schedules and monitoring host or service uptime. 

Once an Nmap scan completes, the output shows:

Port table: the port table lists the port number and protocol, the name of the service running on it, and its state (open, closed, filtered, unfiltered, open|filtered or closed|filtered).

Open means that an application on the target machine is actively listening for connections on that port.

When an IP protocol scan is requested, Nmap reports supported IP protocols rather than listening ports. Apart from that, Nmap also reports the reverse DNS name, OS, device type, MAC address, etc. It also has a limited vulnerability scanning capability.
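As an added example (not code from the original post or from the Nmap project), here is a small Python parser for Nmap's XML output (the -oX format) that rebuilds the port table described above and picks out the ports an administrator should review; the XML below is a constructed sample, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap -oX), trimmed to the fields used here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>"""

def parse_port_table(xml_text):
    """Return one row per port with the fields Nmap's port table prints."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")  # reverse DNS name, if Nmap found one
        for port in host.findall("ports/port"):
            svc = port.find("service")
            product = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            rows.append({"host": addr, "rdns": hn.get("name") if hn is not None else "",
                         "port": int(port.get("portid")), "proto": port.get("protocol"),
                         "state": port.find("state").get("state"),
                         "service": svc.get("name") if svc is not None else "", "product": product})
    return rows

def ports_to_review(rows):
    """Ports worth an administrator's attention: 'open', plus 'open|filtered' where Nmap
    could not tell an open port from a filtered one (typical for UDP)."""
    return [(r["proto"], r["port"]) for r in rows if r["state"] in ("open", "open|filtered")]
```

Feed it the file produced by a real scan with -oX to turn the port table into rows you can diff against your service inventory.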

Nessus

Nessus is a comprehensive vulnerability assessment tool developed by Tenable Network Security. It is popular and widely used because its results are trusted.

It detects system and device vulnerabilities, performs configuration assessments, and helps with reviewing compliance against policies. It can also audit cloud infrastructure, perform host discovery, run credentialed patch audits, test web applications, and more.

It is available as Nessus Essentials (free) and as the paid Nessus Professional and Nessus Expert (business) editions.

For more information, follow the links below.

https://nmap.org/
https://www.tenable.com/products/nessus

Thanks

-DR

Saturday, March 5, 2022

Understanding CSA STAR

CSA- Security Trust Assurance and Risk (STAR) Program

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA connects the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events, and products.

A cloud service provider (CSP) is a third-party company that provides scalable computing resources that businesses can access over a network, including cloud-based compute, storage, platform, and application services. There are many leading organizations in this sector across the globe, such as Microsoft, Amazon, Google, Oracle, Alibaba and Rackspace, as well as many small firms gradually growing their business in this area.

CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO 27001 and has addressed the issues critical to cloud security outlined in the Cloud Controls Matrix (CCM). By implementing CSA STAR Certification on top of a compliant ISO/IEC 27001 information security management system, organizations can ensure that they fully understand the risks involved and their business impact. This allows them to put controls in place to protect business-critical information.

STAR provides two levels of assurance

Level 1: Self-Assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). Level 1 is an introductory offering, which is free and open to all CSPs. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.

Level 2: Independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification. These assessments combine established industry standards with criteria specified in the CCM.

Cloud Control Matrix (CCM)

For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. The CCM is a cybersecurity controls framework for cloud computing aligned to CSA best practices, and is considered the de facto standard for cloud security and privacy. The earlier CCM version 3 had 133 control objectives; the revised version 4.0.7 (released in 2021) is composed of 197 control objectives covering fundamental security principles across 17 domains, to help cloud customers assess the overall security risk of a CSP.

  • It provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider.
  • Provides a control framework in 17 domains that are cross-walked to other industry-accepted security standards, regulations and controls frameworks to reduce audit complexity.

The CCM v4 scope is mapped to ISO/IEC 27001/27002, ISO/IEC 27017/27018, NIST SP 800-53, AICPA TSC (2017), PCI DSS v3.2.1, and CIS Controls v8 (Center for Internet Security).

The 17 domains of the CCM v4 and the number of controls covered in each are listed below:

  • Audit and Assurance (A&A): 6
  • Application and Interface Security (AIS): 6
  • Business Continuity Management and Operational Resilience (BCR): 10
  • Change Control and Configuration Management (CCC): 9
  • Cryptography, Encryption and Key Management (CEK): 20
  • Data Centre Security (DCS): 15
  • Data Security and Privacy Lifecycle Management (DSP): 18
  • Governance, Risk and Compliance (GRC): 8
  • Human Resources (HRS): 13
  • Identity and Access Management (IAM): 15
  • Interoperability and Portability (IPY): 4
  • Infrastructure and Virtualization Security (IVS): 9
  • Logging and Monitoring (LOG): 13
  • Security Incident Management, E-Discovery, & Cloud Forensics (SEF): 8
  • Supply Chain Management, Transparency and Accountability (STA): 14
  • Threat and Vulnerability Management (TVM): 10
  • Universal Endpoint Management (UEM): 14

To become a certified STAR auditor, individuals need to take the training and pass the exams from the respective training providers. To become a cloud security expert, professionals need to earn the Certificate of Cloud Security Knowledge (CCSK). In CCSK you learn to establish a baseline of security best practices across a broad array of responsibilities, from cloud governance to configuring technical security controls.


Tuesday, March 1, 2022

Third Party Risk Management

Third Party Risk Management (TPRM)

Third Party Risk Management (TPRM) is the process of identifying, assessing and controlling or mitigating the risks associated with outsourced critical functions, services and external parties.

In other words, TPRM is managing the risks related to third parties, also called vendors, suppliers, contractors and service providers.

Third party risks can be further categorized as:

  • Operational risk
  • Information security risk
  • Regulatory risk
  • Financial risk
  • Strategic risk

Since third party relationships are critical to the business, managing their risk is equally important to safeguard the organization. Every organization depends on third parties for some service or support.

In some scenarios, those vendors use another sub-vendor to deliver the service. These are known as fourth parties.

Here we are discussing third party assessment. During the engagement, the third party has some access to the primary organization, its information systems and its confidential data and information.

Many different kinds of data and information may be shared, with or without consent, such as proprietary or confidential business information, personal data (name, address, mobile number), employee data, employee benefit information, financial data, bank account information, credit card/debit card data, organization insider information, IP addresses, locations, system configuration, software source code, access control lists, network configuration data, customer data, corporate customer data, internal reports, passwords/PINs, login credentials, etc.

So if any incident such as a data breach, cyber attack or data theft happens in the third party's environment, it also creates a threat to the primary organization. It also impacts employees and resources, and brings reputational damage.

Key Components of TPRM

  • Risk Assessment
  • Due Diligence
  • Contractual Safeguard
  • Ongoing Monitoring
  • Incident Response

The ISO/IEC 27001 standard has supplier relationship clauses which say that each organization should identify and document, in one place, its vendors' names and the type of service they provide. The type of information access the supplier has also needs to be documented. A Non Disclosure Agreement (NDA) needs to be signed between the organization and its suppliers/vendors, and a supplier agreement shall be established.

The supplier agreement should contain at least the items below:

  • Description or list of the information to be provided or the access rights given.
  • Information classified based on criticality (Restricted, Confidential, Internal, Public).
  • All legal and contractual requirements.
  • Acceptable usage policy.
  • Scope or service description.
  • Applicable information security policies.
  • Right to audit the supplier's processes and controls.
  • SLA terms and penalty conditions.
  • Many more, to be decided by the organization and the committee.

During the onboarding of a third party or vendor into an engagement, an initial assessment or due diligence activity should take place. This can include many end-to-end questionnaires that need to be answered, and the answers should be analyzed to determine the risk in the engagement.

A few sample assessment questions are listed below:

  • Is a BCP plan ready for the engagement?
  • What will the financial impact be in case of a breach?
  • Is there any history of data breaches?
  • How many employees are there in the organization?
  • What is the infrastructure and scope?
  • Which applications does the supplier want to support?
  • What is the data retention policy?
  • How is data managed, stored and deleted?
  • How is the hosting service carried out?
  • How, and through which medium, does the vendor access data?
  • Are technologies such as DLP, encryption, HTTPS or FTPS involved?
  • Has an escalation matrix been drafted?
  • Is an information security policy in place?

Based on the answers, the risk can be calculated and a vendor profile can be built. These assessments should be carried out for each vendor at least at regular intervals, to detect any change in people, process, technology or location. Similarly, risks can be classified as Critical, High, Medium or Low for each vendor.

When a higher risk is calculated, a risk assessment follows and the vendor is assessed again and again to determine the threats and vulnerabilities and analyze their impact, because threats and vulnerabilities change over time. The risks identified must be closed in the remediation or risk treatment phase and continuously monitored thereafter.

During the risk treatment or remediation phase, there are many controls that can be considered and followed from standards, guidelines and the organization's own policies.

A question may come to mind: what if a vendor does not agree to follow the TPRM process or refuses to sign the NDA? The answer is simple: never sign a contract with that vendor and choose an alternative vendor. There are many available in the market.

If no alternative is available, then the SLA and contract should be revised and accepted by both parties as per applicable law.

Examples of TPRM tools that help organizations manage third party risk are:

  • RSA Archer
  • OneTrust
  • ServiceNow
  • SignalX
  • Aravo
  • Prevalent

Below is an illustration of the TPRM process.

(Image source: mazars.us)

That covers the basics of TPRM; it is a very vast domain and its future scope is large. All TPRM processes fall within the Risk Identification, Risk Assessment or Evaluation, Risk Remediation and Risk Monitoring phases of Third Party Risk Management.

If you have any comments and suggestions please provide.

You can refer to the links below for more information:

https://signalx.ai/blog/11-best-tools-for-third-party-risk-management/

https://www.onetrust.com/blog/third-party-risk-management/


Thank you.

-DR 

