Sunday, December 1, 2019

Vulnerability Assessment

Vulnerability Assessment (VA) is the testing of a system or application to find the weaknesses, flaws, gaps or loopholes through which a cyber attack could be carried out.

The assessment exposes the gaps so that the security team can fix them in time. It also rates the severity of each vulnerability, such as Critical, High, Moderate or Low.

There are four stages of Vulnerability Assessment.

  • Asset discovery: collect the assets and map all the endpoints.
  • Run the vulnerability scan against the target hosts with licensed scanning tools.
  • Classify the identified vulnerabilities by criticality and priority.
  • Prepare a detailed report with a remediation plan.

Besides the above stages there can be a fifth stage: continuous monitoring through regular scans. Regular vulnerability assessment helps organizations identify and fix their flaws and improves the organization's security posture.

An application level assessment helps in determining vulnerabilities within web applications hosted inside or outside the organization's premises. Applications can be assessed through dynamic analysis (DAST), static analysis (SAST), interactive analysis (IAST) and software composition analysis (SCA).

The severity score can be calculated with CVSS (Common Vulnerability Scoring System), which provides a numerical (0-10) score that maps to a qualitative risk rating:

  • 9.0-10.0: Critical
  • 7.0-8.9: High
  • 4.0-6.9: Moderate
  • 0.1-3.9: Low

The following factors are taken into consideration when generating the CVSS score:
  • Attack Vector
  • Attack Complexity
  • Privilege Level
  • Confidentiality
  • Integrity
  • Availability

Vulnerabilities are identified by a CVE ID (Common Vulnerabilities and Exposures), a public list of all commonly known vulnerabilities identified across the globe.

For example:

CVE-2019-1255  

CVE: prefix
2019: year of discovery
1255: identifying number

Description: A denial of service vulnerability exists when Microsoft Defender improperly handles files.

All CVEs can be looked up at the portal below.

https://cve.mitre.org/

Benefits
  • It helps protect organizations from cyber attacks such as virus/malware attacks, data breaches, DDoS, SQL injection, XSS and code injection.
  • Remediation action can be taken on any loopholes and gaps.
  • It helps meet cyber security compliance and regulatory requirements.
Many types of vulnerability assessment are carried out across the globe with different automated tools:

  • Network Based Scan
  • Host based Scan
  • Wireless network Scan
  • Database Scan
  • Application Scan
  • Container Scan
  • Credentialed and non-credentialed Scan
  • External Scan / Internal Scan

Tools available in the market include:
  • Netsparker
  • OpenVAS
  • Acunetix
  • Aircrack
  • Nessus
  • Qualys
  • SolarWinds Network Vulnerability Scanner
  • Nikto
  • Wireshark
  • Intruder
  • Rapid7

It is known that around 60% of data breaches happen because of unpatched vulnerabilities. Vulnerability assessment improves operational efficiency and establishes a faster mechanism to mitigate exploits.


Image Source: (https://www.manageengine.com/vulnerability-management/images/vulnerability-assessment-steps.jpg)


For more details, follow the reference links below.

https://www.beyondtrust.com/resources/glossary/vulnerability-assessment

https://www.imperva.com/learn/application-security/vulnerability-assessment/


If you like this post, please comment and share it.

-DR

Friday, July 5, 2019

Equifax Data Breach

In 2017 Equifax, one of the largest consumer credit reporting agencies, announced a data breach that exposed the personal information of over 147 million individuals, including names, home addresses, phone numbers, driver's license numbers and credit card numbers.

Information security disasters happen without prior notice. There were a number of security lapses in Equifax's systems, the major one being a web application vulnerability. According to several reports, the attackers were able to move from the web portal to other servers because the network was not properly segmented. The attackers were also able to access usernames and passwords that were stored in plain text.

At that time the vulnerability CVE-2017-5638 had been discovered in Apache Struts, an open source framework for creating enterprise Java applications that many companies use in their websites, including Equifax. The IT department had not applied the patch and the vulnerability was ignored. So for roughly the next two months (approximately 76 days) the attackers (Chinese military) were able to access the customer data. However, according to researchers, that data never appeared on dark web sites. Equifax later invested $1.4 billion to upgrade its security after the incident.

Later it became known that the breach was carried out purely for espionage. So data governance is the key here: keep in mind that data is what your business is all about, and the organization has the prime responsibility to keep that data secure.

For more information please refer to the page below:

https://www.investopedia.com/news/was-i-hacked-find-out-if-equifax-breach-affects-you/


Thanks

-DR


Friday, March 22, 2019

Understanding PCI DSS Requirements

PCI DSS v3.2.1 Requirements: an overview

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

There are two types of account data: cardholder data and sensitive authentication data.

Card Holder Data:

  • Primary Account Number
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data:

  • Full track data, Magnetic stripe data or chip data
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN Blocks

PCI DSS requirements apply to organizations where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.

Detailed PCI DSS Requirements and Security Assessment Procedures:

The detailed PCI DSS requirements consist of 12 basic requirements grouped under the headings below. Each requirement has further sub-controls, which can be referred to in the standard document itself.

Build and Maintain a Secure Network and Systems:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data:

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program:

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures:

Requirement 7: Restrict access to cardholder data by business need to know.

Requirement 8: Identify and authenticate access to system components.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks:

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy:

Requirement 12: Maintain a policy that addresses information security for all personnel.

Apart from the above, there are additional requirements in three appendices:

  • Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.
  • Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI terminal connections.
  • Appendix A3: Designated Entities Supplemental Validation.

This content is freely available in the public document that can be downloaded from the PCI DSS website. I have just summarized the controls and requirements briefly for basic understanding only.

https://www.pcisecuritystandards.org/


Thanks

-DR


Friday, February 15, 2019

Basic understanding on ITSM

ITSM (Information Technology Service Management)

ITSM is the process by which IT teams or organizations manage the end-to-end delivery of IT services to customers. It covers all the processes and activities needed to design, create, deliver and support IT services.

The ITSM process is aligned with an international standard, ISO/IEC 20000, and can also be aligned with ITIL best practices. It helps an organization achieve its business goals, deliver IT services more efficiently and effectively, and improve those services continually.

ISO: International Organization for Standardization

IEC: International Electrotechnical Commission

ISO and IEC develop and publish standards that are globally recognized and followed. For more information please refer to https://www.iso.org/about-us.html

ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil the service requirements agreed between the organization and the customer. The standard was later revised as ISO/IEC 20000-1:2018; the 2018 changes will be covered in a later post.

For an effective service management system (SMS), ISO/IEC 20000 is designed around the PDCA (Plan, Do, Check, Act) methodology.

Plan: The SMS needs a proper plan before implementation. It is established by agreeing and documenting the SMS, including the policies, objectives, plans, processes and procedures needed to fulfil all service requirements.

Do: Implement and operate those policies, processes and procedures, running the SMS for the design, transition, delivery and improvement of the services.

Check: Monitor, measure and review the SMS and report the outcomes.

Act: Take appropriate action on the results to continually improve the performance of the SMS and the services.

Implementing a standards-based process gives many benefits:

  • A standard helps in reducing risks in organizations.
  • It enhances productivity and the quality of service delivery.
  • It helps in delivering continual service without disruption.

The ITSM processes are listed below only briefly, as the full standard cannot be reproduced here because it is copyrighted material. Let us look at the 2011 edition for an overall understanding; the changes in the 2018 edition will be covered later.

The service management system outline below lists the primary clauses and sub-clauses for reference.

Clause 4: Service Management System General Requirements

  • Management Responsibility
  • Governance of processes operated by other parties
  • Documentation Management
  • Resource Management
  • Establish & Improve SMS

Clause 5: Design and Transition of New or Changed Services

  • Plan new or changed services
  • Design and development of new or changed services
  • Transition of new or changed services

Clause 6: Service Delivery Process

  • Service level management
  • Service reporting
  • Service continuity and availability management
  • Budgeting and Accounting for Services
  • Capacity management
  • Information Security Management

Clause 7: Relationship Process

  • Business relationship management
  • Supplier management

Clause 8: Resolution Process

  • Incident and service request management
  • Problem management

Clause 9: Control Process

  • Configuration management
  • Change Management
  • Release and deployment management

Some important sub-clauses can be covered in a later post, although all the clauses and sub-clauses are important and keep the organization compliant with the standard.

If you have any further questions and suggestions please feel free to post it below.

-DR

Thursday, February 14, 2019

Basic understanding of ITIL

Information Technology Infrastructure Library (ITIL)

Information Technology Infrastructure Library (ITIL) is a framework of best practice for IT service management, aimed at better IT service delivery. It describes the processes, procedures, records and checklists that organizations can implement and apply. ITIL's structured approach helps a business or organization manage risk; it also strengthens customer relationships and keeps customers satisfied.

Individual ITIL certifications are available globally to prove your understanding of the ITIL processes, earn credits and build working skills. The range includes ITIL Foundation, ITIL Intermediate, ITIL Expert and ITIL Master.

The ITIL Foundation Certificate in IT Service Management is designed to certify a candidate's understanding of ITIL terminology, basic concepts, service management practices and the service lifecycle.

Before learning the basics of ITIL, let me take you through some essential terms.

Process: A process is a structured set of activities designed to accomplish a defined objective. Processes are measurable, deliver results to customers or stakeholders, are continual and iterative, and are always triggered by a particular event.

Process Owner: The person responsible for the output of the process, who also manages the process model.

Function: A function can make use of one or more processes or activities.

Service: A service is a means of delivering value to a customer.

Demand: The need for and use of a service.

Service Provider: An organization that provides services to its customers; it may do so by engaging an external third party.

Customer: An organization or individual who receives a service offering.

Service Management: A set of capabilities for delivering services to customers.

Service Lifecycle: ITIL is based on the service lifecycle, which describes how services are initiated and maintained.

Service Portfolio: Describes all the services of a service provider in terms of business value.

Service Catalogue: The part of the service portfolio that lists the services, capacity and other offerings of the service provider that are visible to the customer. It can be published on a website or documented (think of business leaflets). A service catalogue can be business-facing or technical.

Service Level Agreement: An SLA is an agreement between the service provider and the customer that defines the scope, goals and objectives of the service.

Now let us come to the ITIL processes.

ITIL is organized around the service lifecycle, which consists of five phases:

  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operation
  • Continual Service improvement 

Let us look at each phase of the service lifecycle in a little more detail.

Service Strategy:

The primary objective of Service Strategy is to help service providers develop the ability to think and act strategically with a market-driven approach. It is important to align services with the business, so planning for business capability is essential. The processes under Service Strategy are Financial Management, Service Portfolio Management, Demand Management, Business Relationship Management and Strategy Management.

Four "P"s guide service strategy effectively: Perspective, Position, Plan and Pattern.

Service Design:

During the Service Design phase, a product or service is developed, including its architecture, processes, policies, documentation and business requirements. The processes under Service Design are Service Catalogue Management, Service Level Management, Capacity Management, Availability Management, Information Security Management, Supplier Management and IT Service Continuity Management.

There are four fundamental "P"s in Service Design, such as people, products and processes.

Service Transition:

Then comes the Service Transition phase, where the product or service moves from planning and design into live operation, either as a new service or as a change from the old to the new.

The objective is to ensure that the new or changed service meets the expectations of the business. In this phase a transition strategy is defined first. Then all the related processes are reviewed and the transition plan is coordinated. Finally the transition is supported through to a successful rollout.

Guidelines and procedures should be defined and implemented for service transition. All changes go through change management within the service transition process, and are tested prior to release and deployment.

The processes and functions under Service Transition are Transition Planning & Support, Change Management, Configuration Management, Release & Deployment Management, Service Testing, Service Evaluation and Knowledge Management.

We will discuss each of these in later posts.

Service Operation:

Service Operation delivers the service offerings effectively to ensure value for both the customer and the service provider. It emphasizes the overall coordination and execution of the activities that keep the service running.

During the Service Operation phase many issues arise: complaints are raised, requests come in, risks are identified and incidents happen.

The processes under Service Operation are Event Management, Incident Management, Request Management, Problem Management, Access Management, Monitoring and Control, IT Operations Management and Service Desk Management.

Continual Service Improvement:

The primary objective of this phase is to measure and analyze service level achievements by comparing them to the requirements in the Service Level Agreement (SLA).

It helps service providers identify their gaps and bring improvements to all phases of the service lifecycle. It aims to operate more cost-effective IT services without sacrificing customer satisfaction.

The CSI phase has two processes: the CSI improvement process and the service reporting process.

The CSI improvement process describes how to measure and report service improvement. The process is closely aligned to the PDCA model used in ITSM.

The seven-step improvement process for measuring service improvement is:

  1. Define what you should measure
  2. Define what you can measure
  3. Gather and measure the data
  4. Process the data
  5. Analyze the data
  6. Present and use the information
  7. Implement corrective action

From here we can go on to the ITSM part, where many things will be covered including the PDCA model.

If you have further questions, feel free to share them.

-DR

Sunday, January 27, 2019

All about Security Operation Centre

Security Operation Centre (SOC)

A Security Operation Centre (SOC), also known as a Cyber Security Operation Centre (CSOC), plays a crucial part in preventing, detecting, monitoring, containing and remediating information security threats and vulnerabilities affecting an organization's critical applications, devices and systems.

It centralizes security operations by integrating people, process and technology. SOC implementations have been under way since 2015/2016 in the banking and enterprise sectors.

It acts as a central command and control centre connected to all of the organization's IT infrastructure: network devices, applications, servers and so on. Across this variety of technology, the SOC team relies on the latest threat intelligence to identify whether a threat is active or not.

Many people have a simple misconception: "I have a SIEM (Security Information and Event Management; there is a post on SIEM in this blog), so I am operating a SOC." That is not practically how a SOC works. Setting up a Security Operations Centre supported by multiple security monitoring technologies and real-time threat updates is not an easy task. But yes, the SIEM is one prime, critical component of a SOC. The SIEM is combined with other components such as the Logger, the Connector and UBA (User Behaviour Analysis). The Connector connects the devices to the SIEM. The Logger collects the logs, with loggers deployed at the endpoint network. These logs are then correlated and analyzed by UBA so that key indicators of compromise can be found, whether in user activity or in system events.

An illustration of the components of a SOC is provided below.

[Image: components of a SOC]

To establish a SOC, you first need to identify the key processes. These include event classification, event prioritization, event analysis, event remediation, monitoring and reporting.

What makes a SOC unique is the ability to monitor all systems on an ongoing basis, with employees working in rotating shifts and logging activity around the clock. In addition to monitoring activity, a SOC should carry out Vulnerability Assessment and Penetration Testing of all the network devices and applications integrated with it. This helps greatly in finding gaps and closing them in a preventive approach. The logs a SOC typically works with and analyzes include:

  • Firewall logs
  • Endpoint device logs
  • Proxy server logs
  • Service logs
  • Malware detection logs

In an earlier post I provided a list of security incidents. Such incidents can arise in any organization during operation, for example:

  • Targeted scanning/reconnaissance of network and IT infrastructure.
  • Large scale defacement and semantic attacks on websites.
  • Large scale spoofing
  • Malicious code attacks (virus/worm/Trojans/Botnets)
  • Large scale spam attacks
  • Ransomware attacks.
  • Identity theft and Phishing attacks
  • Social Engineering
  • Denial of Service attack (DoS) and Distributed Denial of Service attack (DDoS)
  • Application level attack
  • Infrastructure attack
  • Router level attack
  • Attacks on trusted infrastructure
  • Cyber Espionage and Advanced Persistent Threat

When building a SOC, the requirements for IT and non-IT equipment are similar to those of a data centre project. A large video wall is also needed for centralized monitoring. Multiple design factors have to be considered for an effective SOC design.

The key IT components required are listed below; the list is only indicative and depends on the organization's network size and requirements.

  • Web Application Firewall
  • Anti-Phishing Appliance
  • Anti-APT Appliance
  • SIEM
  • DDoS appliance
  • Log Management Appliance
  • Network Flow Analyzer
  • Network Switches/ Access Switches
  • Router
  • KVM devices
  • Storage Devices

Besides the above devices, orchestration can be done with a SOAR (Security Orchestration, Automation and Response) application, a recently introduced technology that allows an organization to define incident analysis and response procedures in an automated, digital way.

There is also a high probability of many false positive events being raised or logged automatically through the incident management system. These should be minimized when planning risk mitigation and reporting.

False positive events are generally informational system events that have no impact on the system or network: the alert incorrectly indicates a vulnerability or malicious activity that is not a legitimate security threat.
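
As an added example (not code from the original post or from any SIEM product), the Python below runs the event classification, correlation and prioritization steps described above over a few constructed log lines, and shows where informational noise and the organization's own scanner traffic are dropped so they do not surface as false positives. The log format, thresholds and addresses are assumptions made for this example.

```python
"""Minimal SIEM-style classification and correlation pass (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (firewall, endpoint sshd, service); every host, address and time is made up.
SAMPLE_LOGS = """\
2019-01-27T09:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2019-01-27T09:00:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2019-01-27T09:00:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2019-01-27T09:00:05 srv05 sshd: Failed password for admin from 203.0.113.7
2019-01-27T09:00:09 srv05 sshd: Failed password for admin from 203.0.113.7
2019-01-27T09:00:12 srv05 sshd: Failed password for admin from 203.0.113.7
2019-01-27T09:00:15 srv05 sshd: Accepted password for admin from 203.0.113.7
2019-01-27T09:01:00 srv05 systemd: Started Daily apt download activities
2019-01-27T09:02:00 fw01 DENY src=10.0.9.9 dst=10.0.0.5 dport=8080
2019-01-27T09:02:01 fw01 DENY src=10.0.9.9 dst=10.0.0.5 dport=8443
2019-01-27T09:02:02 fw01 DENY src=10.0.9.9 dst=10.0.0.5 dport=9090
"""

# The organisation's own authorised vulnerability scanner (assumed address):
# its probes look like a port scan and would otherwise be a false positive.
AUTHORISED_SCANNERS = {"10.0.9.9"}
PORT_SCAN_THRESHOLD = 3          # distinct blocked ports from one source
FAILED_LOGIN_THRESHOLD = 3       # failed logins from one source ...
WINDOW = timedelta(minutes=5)    # ... within this time window

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
FW_RE = re.compile(r"DENY src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"sshd: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src>\S+)")


def classify(line):
    """Event classification: raw line -> typed event dict, or None for noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, msg = datetime.fromisoformat(m["ts"]), m["host"], m["msg"]
    fw = FW_RE.search(msg)
    if fw:
        return {"ts": ts, "host": host, "kind": "fw_deny",
                "src": fw["src"], "dport": int(fw["dport"])}
    auth = AUTH_RE.search(msg)
    if auth:
        kind = "auth_fail" if auth["result"] == "Failed" else "auth_ok"
        return {"ts": ts, "host": host, "kind": kind,
                "src": auth["src"], "user": auth["user"]}
    # Informational messages carry no security signal; dropping them here keeps them from the analyst.
    return None


def correlate(lines):
    """Event analysis and prioritisation: correlate classified events per source address."""
    by_src = defaultdict(list)
    for line in lines:
        ev = classify(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        ports = {e["dport"] for e in events if e["kind"] == "fw_deny"}
        fails = [e for e in events if e["kind"] == "auth_fail"]
        oks = [e for e in events if e["kind"] == "auth_ok"]
        if len(ports) >= PORT_SCAN_THRESHOLD and src not in AUTHORISED_SCANNERS:
            alerts.append({"src": src, "priority": "Medium", "rule": "port scan",
                           "ports": sorted(ports)})
        if (len(fails) >= FAILED_LOGIN_THRESHOLD
                and fails[-1]["ts"] - fails[0]["ts"] <= WINDOW):
            users = {e["user"] for e in fails}
            # A successful login to a brute-forced account after the failures is an indicator of compromise.
            success = any(o["user"] in users and o["ts"] >= fails[-1]["ts"]
                          for o in oks)
            alerts.append({"src": src,
                           "priority": "Critical" if success else "High",
                           "rule": "brute force" + (" (succeeded)" if success else ""),
                           "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```
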

There is therefore more depth to a SOC's operation and resource requirements. Differently skilled cyber security staff are required, with segregated duties and defined roles and responsibilities: Security Analyst L1, L2 Analyst, SOC Engineer, L3 Analyst, Threat Intelligence Expert, Forensic Analyst, SOC Manager and so on. Each has a crucial role in the operation of a Security Operation Centre.

This is just basic information about a SOC and its operating concept.


-DR

Saturday, January 26, 2019

How to Secure your Enterprise Infrastructure

Enterprise Infrastructure Security

Enterprises and corporates are increasingly the target of cyber attacks. Security breaches are occurring more frequently and becoming more sophisticated; attacks are growing in both number and complexity, and new technologies and tools expose organizations further.

Security defense strategy is lagging behind somewhere. Many organizations do not care about safety and security. I had some experience participating in and conducting a global security survey for X firm, covering approximately 1000 enterprises, and from the consolidated survey results it was noticed that:

  • Approximately 55% of organizations do not think about protecting their overall systems.
  • The biggest cyber threats to organizations are phishing, cyber attacks, malware, spam, fraud, internal attacks, espionage, etc.
  • Most vulnerabilities lie in careless or unaware employees, outdated security controls, unauthorized access, and the use of smartphones, cloud computing and IoT.
  • Approximately 53% of organizations do not have any system for breach identification, vulnerability identification, threat intelligence, data protection or identity and access management.

There is some good news too:

  • New roles are rising in organizations, such as Chief Security Officer (CSO) and Chief Information Security Officer (CISO), specifically to focus on the cyber landscape.
  • Establishment of Security Operation Centres (SOC) has increased gradually.
  • Assessments such as vendor risk assessment, vulnerability assessment, penetration testing and forensic analysis, and device-level security such as SIEM, DLP, zero trust, IDS/IPS, IAM and firewalls, have increased.

Here I can suggest a short checklist for infrastructure security, which can be taken as a best-practice approach with further consultation with experts. It can be implemented gradually with proper design thinking and budgeting in advance.

  • Protect against offline access with endpoint encryption on desktops, laptops and servers, using Symantec Endpoint Protection, BitLocker etc.
  • Implement process execution prevention using AppLocker, BeyondTrust, Avecto etc.
  • Implement network segregation such as VLANs, IPsec etc.
  • Review and analyse logs for anomalies using SIEM tools.
  • Keep a regular automatic backup solution.
  • Use centralized anti-virus or anti-exploit solutions.
  • Regularly carry out configuration reviews, firewall policy reviews, Vulnerability Assessment and Penetration Testing etc.
  • Use identity management, password management, data protection etc.

Therefore organizations and enterprises need to look beyond preventive measures in their security assessments; there should be a robust cyber plan to improve their protection.

-DR
