Friday, December 31, 2021

General IT Controls - ITGC & GTAG

General IT Controls (GITC or ITGC)

Information Technology General Controls are a type of internal control: a combined set of policies and procedures that ensure those controls are implemented effectively in an organization. ITGC is also known as General Computer Controls (GCC).

Companies, auditors, business partners, and shareholders rely on ITGCs as a key component of the integrity of financial statements, business processes and information systems.

GITCs are a critical component of business operations and financial information controls. They provide the foundation for confidence in data, reports, automated controls, and other system functionality underlying business processes. The security, integrity, and reliability of financial information rely on proper access controls, physical facilities, logical security, backup and recovery, computing infrastructure, change management, and operational controls.

The information within IT systems is critical for meeting many requirements in an organization, such as:

  • Financial information relied upon by decision makers is maintained within the IT systems.
  • Many user credentials and much data are stored on servers as well as in cloud infrastructure.

In the absence of ITGCs, employees cannot rely on the data and reports that IT systems provide.

Of the critical control areas mentioned above, let us look at one control in detail.

User Access Management 

User Access provisioning

Granting access to a new user is the initial step in maintaining a controlled environment on an IT application. Inappropriate user access could result in the posting of unauthorized financial transactions.

User Access De-provisioning

When employees separate from or leave the organization, their user credentials can be misused to process financial transactions or similar operations. Such transactions would not only be unauthorized but also lack accountability. Similarly, if an employee is transferred to another division or department and the access provisioned for the old role is not revoked, it remains available to be used later.

Excessive access

Access to business applications needs to be granted based on the roles and responsibilities of users. Provisioning access that is not in line with a user's job responsibilities could lead to the posting of unauthorized financial transactions.

Generic and Privilege access

Generic user IDs lead to accountability issues for transactions processed using such IDs. Further, if privileged or administrative access is granted to generic user IDs, that access can be misused to post transactions with a pervasive impact on the financial statements.

User Access Review

While user access provisioning is key to controlling access management of an IT application, periodic user access review keeps access aligned with business requirements. In the absence of periodic review, excessive access may remain with a user or within the system. User access review also detects anomalies in access that has been provisioned or de-provisioned, and any other privileged or excessive access.
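As an added example (not part of the original post), the following Python script performs the kind of periodic user access review described above over constructed HR and application data, flagging leavers with active accounts, roles outside a user's department, generic IDs holding privileged roles, and accounts with no provisioning approval on file. The role matrix, user names and privileged roles are assumed for the illustration.

```python
"""Periodic user access review over constructed data (added example).

The review raises the control gaps described in the post: leavers whose
accounts are still enabled, users whose roles do not match their current
department (transfer without de-provisioning), generic IDs holding
privileged roles, and accounts provisioned without an approval on file.
"""
from dataclasses import dataclass

# Roles each department is entitled to (assumed role model for the example).
ROLE_MATRIX = {
    "Finance":    {"AP_CLERK", "GL_POST"},
    "Purchasing": {"PO_CREATE"},
    "IT":         {"SYSADMIN"},
}
PRIVILEGED_ROLES = {"SYSADMIN", "GL_POST"}          # assumed
GENERIC_PREFIXES = ("svc_", "generic", "admin", "test")  # assumed naming convention


@dataclass
class HrRecord:
    user_id: str
    department: str
    status: str              # "active" or "terminated"


@dataclass
class AppAccount:
    user_id: str
    roles: set
    enabled: bool
    approved_by: str = ""    # empty means no provisioning approval on file


@dataclass
class Finding:
    user_id: str
    issue: str
    detail: str


def review_access(hr: list, accounts: list) -> list:
    """Return the findings an auditor would raise for this user population."""
    hr_by_id = {r.user_id: r for r in hr}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                       # disabled accounts carry no access
        if acct.user_id.lower().startswith(GENERIC_PREFIXES):
            priv = acct.roles & PRIVILEGED_ROLES
            if priv:
                findings.append(Finding(acct.user_id, "generic_privileged",
                                        f"generic ID holds {sorted(priv)}"))
            else:
                findings.append(Finding(acct.user_id, "generic_id",
                                        "no individual accountability"))
            continue
        person = hr_by_id.get(acct.user_id)
        if person is None or person.status == "terminated":
            findings.append(Finding(acct.user_id, "deprovisioning",
                                    "enabled account with no active HR record"))
            continue
        excess = acct.roles - ROLE_MATRIX.get(person.department, set())
        if excess:
            findings.append(Finding(acct.user_id, "excessive_access",
                                    f"{person.department} user holds {sorted(excess)}"))
        if not acct.approved_by:
            findings.append(Finding(acct.user_id, "unapproved_provisioning",
                                    "no approval evidence"))
    return findings


# Constructed sample population
HR = [
    HrRecord("alice", "Finance", "active"),
    HrRecord("bob", "Purchasing", "active"),      # transferred from Finance
    HrRecord("carol", "Finance", "terminated"),
    HrRecord("dave", "IT", "active"),
]
ACCOUNTS = [
    AppAccount("alice", {"AP_CLERK"}, True, "mgr1"),
    AppAccount("bob", {"PO_CREATE", "GL_POST"}, True, "mgr1"),  # old Finance role kept
    AppAccount("carol", {"AP_CLERK"}, True, "mgr2"),            # leaver still enabled
    AppAccount("dave", {"SYSADMIN"}, True, ""),                  # no approval on file
    AppAccount("svc_batch", {"SYSADMIN"}, True, "mgr3"),         # generic + privileged
    AppAccount("erin", {"AP_CLERK"}, False, "mgr2"),             # disabled: ignored
]

if __name__ == "__main__":
    for f in review_access(HR, ACCOUNTS):
        print(f"{f.user_id:10} {f.issue:24} {f.detail}")
```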

Global Technology Audit Guide (GTAG)

The GTAG provides an overview of IT-related risks and controls for business executives, on which the audit activity can provide assurance about all important risks identified. It describes how to identify and assess the risks and the standardized and system-specific controls relevant to business applications.

The GTAG guides released so far are listed below:

GTAG 1: Information Technology Controls

GTAG 2: Change and Patch Management Controls: Critical for Organizational Success

GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

GTAG 4: Management of IT Auditing

GTAG 5: Managing and Auditing Privacy Risks

GTAG 6: Managing and Auditing IT Vulnerabilities

GTAG 7: Information Technology Outsourcing

GTAG 8: Auditing Application Controls

GTAG 9: Identity and Access Management

GTAG 10: Business Continuity Management

GTAG 11: Developing the IT Audit Plan

GTAG 12: Auditing IT Projects

GTAG 13: Fraud Prevention and Detection in the Automated World

GTAG 14: Auditing User-developed Applications

GTAG 15: Formerly Information Security Governance (removed and combined with GTAG 17)

GTAG 16: Data Analysis Technologies

GTAG 17: Auditing IT Governance

While conducting an ITGC audit, common questions should be asked and analyzed.

For example, for change management, questions such as the following can be asked:

  • How is change management planned?
  • How is the change plan tested before the change?
  • Are changes appropriately documented and approved by authorized personnel?
  • Were necessary maintenance changes tested?
  • Is appropriate segregation of duties in place for approving and making changes to the production environment?
  • How are changes approved and tracked?
  • What processes are in place to identify required control gates throughout the system development life cycle (e.g. peer review of code, software security scanning, third-party approval)?
  • How are impacts analyzed after a change has occurred?
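As an added example (not from the original post), this Python check turns the change-management questions above into tests over constructed change tickets: documentation, approval by an authorized approver before deployment, segregation of duties between approver and implementer, test evidence before deployment, and a post-change impact review. The approver list and ticket fields are assumed.

```python
"""Change-record checks for an ITGC change management audit (added example).

Each constructed ticket is tested against the audit questions: is it
documented, was it approved by an authorized person before deployment, did
someone other than the approver implement it, was it tested before
deployment, and was a post-change impact analysis recorded.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

AUTHORIZED_APPROVERS = {"cab_lead", "it_manager"}   # assumed approval authority


@dataclass
class ChangeTicket:
    change_id: str
    description: str
    requester: str
    approver: str
    implementer: str
    approved_at: Optional[datetime]
    tested_at: Optional[datetime]
    deployed_at: Optional[datetime]
    impact_review_done: bool


def check_ticket(t: ChangeTicket) -> list:
    """Return the control exceptions for one change ticket (empty list = clean)."""
    issues = []
    if not t.description.strip():
        issues.append("not documented")
    if t.approved_at is None:
        issues.append("no approval")
    elif t.approver not in AUTHORIZED_APPROVERS:
        issues.append(f"approver {t.approver} not authorized")
    if t.approver and t.approver == t.implementer:
        issues.append("segregation of duties: approver deployed own change")
    if t.deployed_at is not None:
        if t.tested_at is None:
            issues.append("deployed without test evidence")
        elif t.tested_at > t.deployed_at:
            issues.append("tested after deployment")
        if t.approved_at is not None and t.approved_at > t.deployed_at:
            issues.append("approved after deployment")
        if not t.impact_review_done:
            issues.append("no post-change impact analysis")
    return issues


def audit_changes(tickets: list) -> dict:
    """Map change_id -> exceptions, listing only tickets that have any."""
    result = {}
    for t in tickets:
        issues = check_ticket(t)
        if issues:
            result[t.change_id] = issues
    return result


D = datetime   # shorthand for the constructed sample below
TICKETS = [
    # clean: approved by CAB lead, tested, then deployed by someone else, reviewed
    ChangeTicket("CHG-1", "Patch DB server", "ops1", "cab_lead", "ops1",
                 D(2021, 12, 1), D(2021, 12, 2), D(2021, 12, 3), True),
    # developer approved and deployed their own untested hotfix, no review
    ChangeTicket("CHG-2", "Hotfix in prod", "dev1", "dev1", "dev1",
                 D(2021, 12, 5), None, D(2021, 12, 5), False),
    # undocumented, and the approval was recorded after the deployment
    ChangeTicket("CHG-3", "", "ops2", "it_manager", "ops2",
                 D(2021, 12, 9), D(2021, 12, 7), D(2021, 12, 8), True),
]

if __name__ == "__main__":
    for cid, issues in audit_changes(TICKETS).items():
        print(cid, "->", "; ".join(issues))
```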

If you have further suggestions, please provide them in the comment section.

-DR

Wednesday, December 15, 2021

Know about Cyber Squatting

Cyber Squatting

Cybersquatting is the practice of registering an Internet domain name that is likely to be wanted by another person, business, or organization in the hope that it can be sold to them for a profit. 

Simply put, it is the unauthorized registration and use of Internet domain names that are identical or similar to trademarks, service marks, company names, or personal names. In other words, it is also called domain squatting.

It involves the registration of trademarks and trade names as domain names by third parties who do not possess rights in such names. Put simply, cybersquatters (or bad-faith imitators) register trademarks, trade names, business names and so on belonging to third parties, with the common motive of trading on the reputation and goodwill of those third parties, either by confusing customers or potential customers or, at times, by selling the domain name to the rightful owner at a profit. One study found that since 2012, nearly 2,800 complaints have been filed involving domain name squatting.

That means you may have spent many years and a lot of money building your business's brand, yet someone could undo much of that by buying a low-cost $10 domain that looks like yours.

There are several types of cybersquatting, such as:

  • Typosquatting
  • Celebrity names
  • TLD exploitation
  • Misleading subdomains
  • Gripe sites
  • Look-alike domains
  • Expiration date exploitation
  • Homograph attacks

To prevent cybersquatting, consider the following techniques:

  • Consult your legal team and follow the applicable rules and procedures. Relevant references include the Anti-Cybersquatting Consumer Protection Act (ACPA) and the World Intellectual Property Organization (WIPO).
  • Register your organization's or business's domain names quickly.
  • Double-check the spelling of the website to avoid typosquatting.
  • Review your website on a regular basis.
  • Always check the SSL/TLS certificate of the web application.
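As an added example (not from the original post), this Python classifier supports the "review regularly" and "double-check spelling" advice above by sorting a candidate domain into the typosquatting, TLD exploitation, misleading subdomain, homograph or look-alike categories listed earlier, relative to a constructed brand domain list. The brand `examplebank.com` is invented, the confusable-character table is a small assumed subset, and the registrable-suffix handling is simplified.

```python
"""Look-alike domain classification for brand monitoring (added example).

A defender feeds newly seen domains (new registrations, sender domains,
certificate transparency hits) through classify() and reviews anything
that is not "legitimate" or "unrelated".
"""
import unicodedata

BRAND_DOMAINS = {"examplebank.com", "examplebank.co.uk"}   # constructed brand list

# Hand-picked subset of characters swapped for ASCII look-alikes (assumed).
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
              "0": "o", "1": "l", "3": "e", "5": "s"}
MULTI_GLYPHS = {"rn": "m", "vv": "w", "cl": "d"}


def fold(label: str) -> str:
    """Map a domain label to the plain-ASCII string it visually imitates."""
    if label.startswith("xn--"):                       # punycode-encoded IDN label
        label = label.encode("ascii").decode("idna")
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))   # drop accents
    s = "".join(HOMOGLYPHS.get(c, c) for c in s)
    for pair, single in MULTI_GLYPHS.items():          # e.g. "rn" read as "m"
        s = s.replace(pair, single)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values against the brand indicate a typo variant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (subdomain labels, registrable label, suffix).

    Simplification: only .co.uk is treated as a two-label suffix; a real tool
    would consult the public suffix list.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    if len(labels) >= 3 and labels[-2:] == ["co", "uk"]:
        return labels[:-3], labels[-3], "co.uk"
    return labels[:-2], labels[-2], labels[-1]


def classify(candidate: str) -> str:
    if candidate.lower() in BRAND_DOMAINS:
        return "legitimate"
    subs, sld, tld = split_domain(candidate)
    brands = {split_domain(b)[1] for b in BRAND_DOMAINS}
    brand_tlds = {split_domain(b)[2] for b in BRAND_DOMAINS}
    # brand name placed as a subdomain of someone else's registrable domain
    if any(fold(s) in brands for s in subs):
        return "misleading_subdomain"
    folded = fold(sld)
    if folded in brands:
        if sld != folded:        # only confusable characters differ
            if not sld.isascii() or sld.startswith("xn--"):
                return "homograph"
            return "look_alike"
        return "tld_exploitation" if tld not in brand_tlds else "legitimate"
    if any(levenshtein(folded, b) <= 2 for b in brands):
        return "typosquatting"
    if any(b in folded for b in brands):
        return "look_alike"      # brand embedded in a longer name, e.g. -secure
    return "unrelated"


if __name__ == "__main__":
    for d in ("examplebank.com", "examplebank.net", "exampelbank.com",
              "examp1ebank.com", "ex\u0430mplebank.com",
              "examplebank.com.login-secure.net", "weather.com"):
        print(f"{d:40} {classify(d)}")
```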

If you have further suggestions please comment below.

-DR

Tuesday, December 14, 2021

QR Code Security

Knowing QR Code Security

Have you scanned any QR code?

Cybercriminals keep changing their phishing tactics as we become increasingly aware of their scams. Global cybersecurity teams have identified QR codes as a new email phishing tactic that you should be aware of.

Quick-response codes (better known as QR codes) are two-dimensional barcodes that let users access data or web-based resources (URLs). They are machine-readable codes that look like an array of black and white squares, and they store website links or other information that can be read by the camera on your smartphone. You may have seen them recently at restaurants and small shops, where digital menus or contactless payment signage display a QR code to scan.

QR codes themselves are not designed to be hackable: they are a square matrix of pixelated dots, and those dots would have to be altered for the code itself to be "hacked". The security issues arise from the information connected to the QR code.

What is a QR-code phishing attempt?

Cybercriminals use QR codes within emails to encourage unsuspecting users to scan them, which then redirects the users to malicious websites. Attackers can encode malicious links in a QR code that lead, for example, to phishing sites. Sometimes attackers embed URLs pointing to custom malware in a QR code, which could then exfiltrate data from a mobile device once scanned.

In many cases, QR code scams are designed to send you to what looks like an authentic login page and ultimately steal your login credentials.

How can you protect yourself?

Protecting against malicious QR codes is, at its simplest, a matter of never scanning them. If you do scan them:

  • Particularly when scanning QR codes from printed materials in public places, it is possible that the original QR code has been replaced with a sticker carrying a malicious one. Therefore, double-check that the QR code is the original.
  • Do not scan a QR code you have received via email from an unknown or suspicious source. These codes are designed for physical signage, storefronts, flyers, and digital kiosks, not email.
  • Only scan QR codes from trusted locations.


Stay Safe


-DR

Monday, December 13, 2021

RDP Basics

Remote Desktop Protocol

This is quite old technology, but it is still very useful today. In general terms, RDP lets computer technical support staff view and control a PC or system at a remote site over the internet by sharing its input and display, giving the support person the ability to diagnose and resolve problems remotely.

Remote Desktop Protocol (RDP) is used for communication between the Terminal Server and the Terminal (RDP) Client. RDP is a multichannel-capable protocol that allows distinct virtual channels for carrying information such as encrypted data, presentation data, license information, device activity, etc. RDP is encapsulated and encrypted within TCP. RDP is designed to support many LAN protocols, such as IPX, NetBIOS and TCP/IP, and network topologies such as ISDN. It provides remote display and input capabilities over network connections for Windows-based applications running on a server.

Cloud computing also enables users to work remotely, but that is where the similarities with RDP end. With cloud computing, users access applications and files located in the cloud and on cloud servers; RDP instead allows them to access files on their own computer from a separate location. Both are useful for remote working but work in very different ways.

RDP provides up to 64,000 separate channels for data transmission. The protocol opens a dedicated network channel for communicating data back and forth between the connected machines. It uses network port 3389 for this purpose.

RDP Client

You can also use a Remote Desktop client to access your remote PC from almost any device. This applies to Windows 7 Professional and Enterprise editions, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2012 R2, etc.

Advantages

One advantage is that it does not require a VPN. It also keeps data stored securely on the user's desktop instead of on cloud servers or on the user's unsecured personal devices. Furthermore, RDP enables companies to let their employees work from home, which has helped millions of employees keep working during the COVID pandemic.

Cons

Remote Desktop Protocol (RDP) has been known since 2016 as a way to attack computers and networks. Malicious cyber attackers have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to steal identities and login credentials and to install and launch ransomware.

  • One small misconfiguration, such as exposing RDP to the internet, can lead to a cyber-attack. Such attacks exploit weak user login credentials: because ordinary computer passwords are also used for remote RDP logins, users are exposed to brute-force attacks and credential stuffing.
  • The lag that RDP introduces may lower employee productivity.
  • RDP can result in a poor user experience, especially for users with a slow internet connection.

To keep yourself safe from RDP-based attacks, follow these steps:

  • Keep all security patches on the local system up to date.
  • Close TCP port 3389 on computers and routers if RDP is not required.
  • Scan your network for computers using RDP, and disable the service where it is not needed.
  • Restrict login attempts.
  • Use two-factor authentication.
  • Limit the number of third-party vendors and employees that have access to RDP connections.
  • Use VPN connections to encrypt RDP traffic.

If you have further suggestions, feel free to add them.

-DR

Thursday, December 9, 2021

Type of Security Events and Incidents

Type of Security Events and Incidents

In security incident management, multiple events arise every day. Security incidents are events that may indicate that an organization's systems or data have been compromised. A security event is something that has significance for system hardware or software, and an incident is an event that disrupts normal operations.

When it comes to malware, more than 90% of malware is delivered by email, and 98% of mobile device malware targets Android systems. Studies show that macOS malware has also increased by 165%. For more details, see the statistics at https://purplesec.us/resources/cyber-security-statistics/

Here I am sharing some of the types of incidents or events that occur and that can be recorded through a SIEM or any suitable logging device by storing their event logs for further forensic analysis.

Based on impact, these events (or attacks) can be further classified as High, Medium or Low.

Infrastructure-related incidents include:

  • Buffer overflow attacks
  • Port and vulnerability scan attacks
  • Password cracking
  • Worm/virus outbreaks
  • File access failures
  • Unauthorized server/service restarts
  • Unauthorized changes to firewall rules
  • SQL injection
  • Cross-site scripting

Application security events include:

  • Attempted violation of defined role
  • Attempted access violations
  • Critical user additions, deletions
  • Creation, deletion & modification of critical application roles/groups.
  • Changes to account & password policies in the application
  • Changes to permissions or authorizations for critical application roles/groups.
  • Changes to critical application parameters.
  • Sensitive Data Exposure

Some database-related incidents and the monitoring that records them:

  • Granular monitoring of queries, objects and stored procedures with real-time alerts
  • Monitoring of access to sensitive data
  • Insecure system architecture
  • Exploitation of unpatched services
  • Default, blank, and weak usernames/passwords
  • Database access, including logins, client IP, server IP and source program information
  • Poor encryption and data breaches
  • Denial-of-service attacks
  • Tracking execution of stored procedures, including who executed a procedure, which procedure and when, and which tables were accessed as a result
  • Tracking and auditing of administrative commands such as GRANT

Some network behavior anomalies:

  • Network traffic pattern analysis and bandwidth analysis
  • Host behavior and traffic analysis to identify threats
  • Analysis of traffic patterns to identify ports and services that are nonessential for normal business operations
  • Anomaly events classified into a class of security events (DDoS, scans, etc.)

Other attacks that exist and can be recorded include:

  • Trojan horse attacks
  • Malware/spyware
  • Suspicious registry entries
  • Unverified email attachments
  • Frequent login attempts
  • Loss or theft of equipment or components
  • Brute-force attacks
  • Port scanning
  • Insider breaches
  • Unauthorized privilege escalation
  • Destructive attacks
  • Advanced persistent threats / multistage attacks
  • False positive removal
  • Email phishing
  • Abnormal browsing behavior
  • Client-side information leakage
  • Cookie injection
  • Traffic sent to and from unknown locations
  • Excessive bandwidth or memory consumption
  • Unapproved configuration changes


Although organizations should be prepared to handle any incident, they should focus on handling incidents effectively. Every organization should develop its own cyber response framework to defend itself.
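As an added example (not from the original post), the Python rules below run over constructed log lines in an invented format and detect three of the event types listed above with a High/Medium/Low rating: password cracking (repeated failed logons from one source, which is also the brute-force risk described in the RDP post above), port scanning, and unauthorized firewall rule changes. The thresholds, the log format and the firewall administrator list are assumed.

```python
"""SIEM-style correlation rules over constructed log lines (added example).

Three rules, each with an impact rating:
  password_cracking            >= 5 failed logons from one source within 60 s;
                               High if that source then logged on successfully
  port_scan                    one source touching >= 10 distinct ports in 60 s
  unauthorized_firewall_change rule change by an account not on the admin list
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIREWALL_ADMINS = {"fwadmin"}        # assumed: accounts allowed to change rules
FAIL_THRESHOLD, SCAN_THRESHOLD = 5, 10
WINDOW = timedelta(seconds=60)

# Invented "timestamp host event key=value ..." format with constructed content.
BASE_LINES = [
    "2021-12-09T10:00:01 srv1 auth_fail user=admin src=203.0.113.7 service=rdp",
    "2021-12-09T10:00:03 srv1 auth_fail user=admin src=203.0.113.7 service=rdp",
    "2021-12-09T10:00:04 srv1 auth_fail user=root src=203.0.113.7 service=rdp",
    "2021-12-09T10:00:06 srv1 auth_fail user=admin src=203.0.113.7 service=rdp",
    "2021-12-09T10:00:07 srv1 auth_fail user=guest src=203.0.113.7 service=rdp",
    "2021-12-09T10:00:09 srv1 auth_ok user=admin src=203.0.113.7 service=rdp",
    "2021-12-09T10:05:00 srv2 auth_fail user=bob src=198.51.100.2 service=ssh",
    "2021-12-09T12:00:00 fw1 rule_change user=jsmith action=allow dport=3389",
    "2021-12-09T12:30:00 fw1 rule_change user=fwadmin action=deny dport=3389",
]
# Twelve connections from one source to twelve different ports, one per second.
SCAN_LINES = [f"2021-12-09T11:00:{i:02d} fw1 conn src=192.0.2.9 dst=10.0.0.5 dport={20 + i}"
              for i in range(12)]
LOG_LINES = BASE_LINES + SCAN_LINES

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse(line: str):
    """Turn one log line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def max_in_window(times: list, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines: list) -> list:
    """Return (rule, subject, severity) alerts for the given log lines."""
    events = [e for e in (parse(l) for l in lines) if e]
    alerts = []
    fails = defaultdict(list)      # src -> failed-logon timestamps
    successes = set()              # sources with at least one successful logon
    conns = defaultdict(list)      # src -> [(ts, dport)]
    for e in events:
        if e["event"] == "auth_fail":
            fails[e["src"]].append(e["ts"])
        elif e["event"] == "auth_ok":
            successes.add(e["src"])
        elif e["event"] == "conn":
            conns[e["src"]].append((e["ts"], e["dport"]))
        elif e["event"] == "rule_change" and e["user"] not in FIREWALL_ADMINS:
            alerts.append(("unauthorized_firewall_change", e["user"], "High"))
    for src, times in fails.items():
        if max_in_window(times, WINDOW) >= FAIL_THRESHOLD:
            # a success after a burst of failures suggests the guess worked
            sev = "High" if src in successes else "Medium"
            alerts.append(("password_cracking", src, sev))
    for src, hits in conns.items():
        distinct_ports = {p for _, p in hits}
        if (len(distinct_ports) >= SCAN_THRESHOLD
                and max_in_window([t for t, _ in hits], WINDOW) >= SCAN_THRESHOLD):
            alerts.append(("port_scan", src, "Medium"))
    return alerts


if __name__ == "__main__":
    for rule, subject, severity in detect(LOG_LINES):
        print(f"{severity:6} {rule:30} {subject}")
```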

-DR


Tuesday, November 30, 2021

New Age Phishing via Social Media App

New age phishing through social media applications

A simple attack has recently helped cybercriminals operate globally, with the rise in use of social media apps during the Covid pandemic. FB Messenger, Telegram, Instagram and WhatsApp have become the playground for hackers. The WhatsApp attack described here shows that social engineering is not limited to phishing emails.

One of the key indicators of a social engineering attack is how the message makes you feel: it plays on the victim's emotional response to make them act quickly.

How they target:

Basically, through suspicious links, either sent directly or embedded in image, video or PDF files. Believe me, it can happen.

Scene-1

Once attackers have access to your WhatsApp account, they have access to all of your WhatsApp contacts and groups and will receive any new messages sent to your account. From there, the attackers can message your contacts while posing as you, and may ask your friends and family for money for an emergency.

Scene-2

When you get a new device and install WhatsApp from the Play Store, WhatsApp sends a 6-digit verification code to the mobile number you have entered. This code verifies that you own the mobile number and device. Once the 6-digit code has been entered, that device will receive the WhatsApp messages for that account.

In this attack, the attacker will already have compromised someone's WhatsApp account (they could have done this via Facebook, not necessarily WhatsApp itself).

Here, the compromised account belonged to an old friend or known person. The attacker then sends a message to the initial victim's friends claiming they have accidentally sent the code to them, or that they are having trouble receiving the code.

The attacker tells you they 'sent' you the code by mistake and asks you to send it back. If you send back the 6-digit code, the attacker successfully compromises your WhatsApp account too.

Scene-3

Since November 2021, WhatsApp messages saying "Is it you in the video" with a suspicious link have been noticed. This is a social engineering or phishing attack: if you click the link, it presents a fake credential page for your FB or Messenger account. If you try to log in on that fake page, your original account gets compromised.

The attacker then sends the same message to all your contacts so that they follow the same steps.

What to Do?

  • Use two-factor authentication (2FA) on every account for safety.
  • Use a password manager.
  • Use anti-virus on mobile too.
  • Do not accept any WhatsApp calls.

Please refer to the State Government guidelines shared below for awareness purposes.



Please follow the guidelines and stay safe!

-DR


Wednesday, November 17, 2021

SSO and MFA authentication

SSO and MFA Authentication

There was a time when we used a simple combination of username and password to protect our most sensitive information and accounts. But hackers are always one step ahead: they use phishing, identity theft, data breaches and malware attacks to compromise systems at any time, around the globe.

Nowadays, many new technologies have been introduced to provide an additional layer of protection for our confidential and personal information on the web.

SSO

Single sign-on (SSO) is a login technique or security solution in which users have one set of credentials (username and password) to access multiple applications. The main benefit of SSO is its efficient, centralized approach: users can access multiple services without pausing to enter new credentials or having to remember multiple complex usernames and passwords.

The SSO solution internally stores the credentials for each piece of software users need to access and validates the user with those systems when they need to be accessed. This can improve the user experience when used externally and boost workflow when used internally. It utilizes industry standards like Kerberos, X.509 or SAML 2.0 and replaces passwords with security tokens.

The advantage of SSO is that users only need to remember one password for login.

However, there is one key risk in adopting this technology: if a hacker or malicious actor compromises your one account, they will be able to take control of the other associated accounts or applications. Loss of availability of the SSO application means a user will not be able to access any other applications, making it a single point of failure.

MFA

Multi-factor authentication (MFA) uses several different factors to verify a person's identity and grant access to software, systems and data. Generally, MFA systems use two or more techniques to authenticate individuals, based on the concepts of what you know, what you have, who you are, and what you do.

Many applications now use MFA; for example, Google uses 2FA and MFA to secure its products. The advantage of multi-factor authentication is that, in most cases, it is very secure. The combination of a password, a physical token and a biometric can significantly reduce the risk of security breaches.

When implementing MFA, organizations typically choose two of the concepts described above. So a user might need to enter a password and a Short Message Service (SMS) code. The system might require MFA on every login, or only when users log in from a new device.

In organizations using different applications under SAP systems, such as the Employee Self Service Portal, you log in through SSO + MFA against your Active Directory, but you also need to connect through the firm-provided VPN to keep your system more secure.

So we can optimally use both technologies together to strengthen our security perimeter, which further improves both user experience and security.

If you have any further suggestions, please do comment!

-DR

Sunday, November 14, 2021

Orchestration Basics

Orchestration

Orchestration is an integrated system for automating EMS systems, configuration management, patch management, cloud management, and the coordination of computer systems, applications, security management and services. Orchestration helps IT systems manage complex tasks and workflows easily, so it suits large-scale network or virtual environments. Orchestration differs from automation.

The orchestration layer also provides role-based policy management: administering, configuring and enforcing role-based policies. It helps automate the creation of virtual and physical instances and the assignment of virtual infrastructure through appropriate tooling, supporting end-to-end automated provisioning and bare-metal provisioning.

Cloud orchestration can be used to provision or deploy resources such as servers, assign or increase storage capacity, create virtual machines and manage networking among other tasks.

IT orchestration tools range from simple script-based app deployment tools to more specialized offerings like Kubernetes' container orchestration solution. In the past few years, containers have dramatically transformed the way software organizations build, ship and maintain their applications.

The key benefits of orchestration:

  • Limited downtime or system outages
  • Speed and accuracy in operation
  • Saves developer time
  • Reduces errors
  • Increased productivity
  • Reduced IT cost
  • Centralized policy management
  • Auto-scaling of resources

Examples of orchestration tools: Rancher, Kubernetes, Mesosphere, Marathon, Nomad, Docker Swarm, Minikube, Cloudify, AZK, AKS, GKE. Many tools are also available as open source.

Kubernetes

The most popular orchestration tool is Kubernetes. It is an open-source platform designed by Google. It helps automate the deployment of containerized workloads and services.

Some key features of Kubernetes:

  • Self-healing
  • Configuration management
  • Storage orchestration
  • Service discovery
  • Load balancing

OpenShift

Similarly, OpenShift is built on top of Kubernetes, with a community version as well as an enterprise edition by Red Hat. It also offers container management and orchestration. It comes in the following tiers:

  • Red Hat OpenShift Kubernetes Engine
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Platform Plus

Red Hat OpenShift Container Platform is based on Docker-formatted Linux containers, Kubernetes orchestration and Red Hat Enterprise Linux (RHEL). It is also available on the AWS cloud platform.

This covers the basics of orchestration. Refer to further reading for in-depth knowledge.

Feel free to share your feedback in the comments below. Like and share.

-DR


Thursday, October 28, 2021

Internet of Things (IoT) Basics

Internet of Things (IoT)

Internet of Things. I feel this is a very late post, given the date I am posting it. Everyone knows about it, and many organizations around the globe have already started implementing IoT. Many smart devices have been manufactured and sold, and people are very happy.

IoT refers to the many physical devices that are connected to the internet and can all collect and share data with each other without human intervention. These are computing devices connected wirelessly into a network.

IoT collects, analyzes and processes data streams in real time, without delay, to make control decisions actively.

Examples include a smart watch, smart light bulb, smart thermostat, smart air conditioner, sensors, Amazon Echo, smart TV, wireless printer, audio assistant, VoIP, washing machine, dishwasher, smart lock, smart doorbell, smart refrigerator, automobiles and many more.

There are more connected things than the total number of people on earth. According to news from multiple vendors, it is predicted that there will be 100 billion connected IoT devices in total by 2025.

IoT consists of software-defined and hardware-defined products. It is a virtual representation of a physical product.

Key components of IoT

  • Network Infrastructure
  • Gateway
  • Devices or Sensors
  • Cloud Infrastructure

Affordable and reliable low-power sensors are making IoT technology possible for more manufacturers nowadays.

Advantages

  • Technology optimization
  • Reduced waste
  • Improved data collection
  • Privacy
  • Ease of use
  • Increased efficiency
  • Improved tracking
  • Health analysis
  • Edge computing
  • More use of industrial IoT
  • Automation

Many industries benefit from IoT, including:

Manufacturing, automotive, healthcare, transportation and logistics, and retail, among others.

As we know, some manufacturers are adding sensors to the components of their products so that the products can transmit data back about how they are performing, through a user experience program.

Analytics and big data play a critical role in transforming data into useful information. Big data means a huge amount (petabytes or gigabytes) of structured and unstructured data, and analyzing that data to gain insights into business requirements. The role of big data in IoT is to process a huge quantity of data in real time and store it using different storage technologies.

Similarly, IoT security is a very important aspect and needs to be taken care of at every step of the development phase. There are many ways you can secure your IoT network devices and minimize the security risks.

In brief:

  • Do not keep the default passwords of devices, including access points.
  • Use multi-factor authentication.
  • Use VPN and encryption technology.
  • Segment your network.
  • Update software and apply patches regularly.
  • Monitor regularly.

Connected devices are growing rapidly and becoming more popular every day; there is a good chance of having at least one at home. All such connected devices are collectively known as the Internet of Things (IoT).

IoT is purely dependent on sensors. Without proper sensors, IoT is like a body without a soul.

Sensors are the hardware that monitors, measures and collects data. They send the data to the primary device, where it is processed through data analysis and presented in a GUI. There are many types of sensors, such as:

Temperature sensors: These sensors are often used in the information technology, manufacturing and agriculture industries. These tiny devices measure the room or device temperature against safety limits and send the data to a centralized location.

Proximity sensors: When you walk into a store, you may instantly receive a special offer or discount via text message or an app notification on your smartphone. That is because a proximity sensor in the retail store identified you as someone who has opted in to receiving promotions.

There are many other sensors, such as humidity sensors, smoke detectors, water sensors, level sensors, pressure sensors, etc.

Many luxury cars also come with many sensors, such as rain sensors, dust sensors, automatic door locks, etc.

So this is just basic information for your understanding. If you have any comments or suggestions, please post a comment. Share only if you feel it is useful.

-DR



Wednesday, October 27, 2021

Software Vulnerability and Security

Software Vulnerability and Security

A software vulnerability is a loophole, glitch, flaw or weakness present in software, an application or an operating system. Every system has its own vulnerabilities, be it Android, Linux, Windows, Flash Player, Adobe, etc.

There are many ways to find those vulnerabilities, such as scanning, injecting, scripting, etc. By scanning a web application, you can find holes in the website or application, and by scanning the physical system, you can identify operating system and other application vulnerabilities.

An attacker can exploit a vulnerability in software or an application to steal or manipulate sensitive and critical data, join the system to a botnet, install a backdoor, or plant other types of malware, trojans, etc. Also, after penetrating one network host, the attacker could use that host to break into other hosts on the same network.

To avoid software vulnerabilities, software developers must learn secure coding best practices, and automated as well as manual security testing must be carried out throughout the entire software development process.

Some important software vulnerabilities are:

Buffer Overflow:

This vulnerability occurs when a program tries to put more data into a fixed-length buffer than its storage capacity allows. As a result, it can crash the program, corrupt data, and even cause the execution of malicious code. Coding errors are typically the cause of buffer overflows, and languages like C, C++ and Java are mainly responsible for this kind of glitch.

To avoid buffer overflows, application developers should avoid standard library functions in C/C++ that are not bounds-checked, such as strcpy, gets, strncat and scanf.

Sensitive Data Exposure:

Sensitive data such as addresses, passwords, and account numbers must be correctly protected. If it isn't, untrustworthy agents can gain access to the sensitive data.

Broken Authentication

Authentication and session management functions of the application need to be implemented correctly.

Security Misconfiguration

Security misconfigurations are often the result of insecure default configurations, misconfigured HTTP headers and unnecessary HTTP methods. Attackers can exploit security misconfigurations to gain knowledge of the application and API components during their reconnaissance phase.

To avoid this flaw, the following points need to be considered.

  • Do not use vendor- or OEM-supplied defaults for system passwords and other security parameters.
  • Modify the password policy by enabling enforcement and setting the maximum password age to 90 days or less.
  • Protect all systems against malware and regularly update software.
  • Configure the BIG-IP ASM security policy to blacklist, to safeguard your account.
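As an added example of checking for the "misconfigured HTTP headers" and "unnecessary HTTP methods" the section mentions, the function below audits one HTTP response's headers offline. It is not code from the post; the set of expected headers, the banner headers treated as information disclosure, the list of risky methods and the two sample responses are all assumptions constructed for the example.

```python
from typing import Dict, List

# Headers a hardened HTTP response is expected to carry (assumed baseline).
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may still connect over plain HTTP",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "content-security-policy": "Content-Security-Policy missing",
    "x-frame-options": "X-Frame-Options missing: clickjacking not mitigated",
}
# Headers that disclose implementation details useful during reconnaissance.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Methods a typical web application does not need to expose (assumed list).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}


def audit_response(headers: Dict[str, str]) -> List[str]:
    """Return a list of misconfiguration findings for one HTTP response.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, msg in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(msg)
    # A header that is present but neutralised is as bad as a missing one.
    hsts = h.get("strict-transport-security", "").replace(" ", "")
    if hsts and "max-age=0" in hsts:
        findings.append("HSTS present but max-age=0 disables it")
    xcto = h.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}")
    for name in BANNER_HEADERS:
        if name in h:
            findings.append(f"{name} header discloses version info: {h[name]!r}")
    if "allow" in h:
        allowed = {m.strip().upper() for m in h["allow"].split(",")}
        extra = sorted(allowed & RISKY_METHODS)
        if extra:
            findings.append("Unnecessary HTTP methods enabled: " + ", ".join(extra))
    return findings


# Constructed sample responses: an insecure default and a hardened one.
WEAK_RESPONSE = {
    "Server": "ExampleServer/1.0 (constructed)",
    "X-Powered-By": "ExampleFramework/2.0 (constructed)",
    "Allow": "GET, POST, OPTIONS, TRACE, PUT, DELETE",
    "Content-Type": "text/html",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Allow": "GET, POST, OPTIONS",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
```

The weak response yields seven findings (four missing headers, two version banners, three unnecessary methods in one finding); the hardened one yields none. The same check can be run against real responses by feeding it the header mapping from any HTTP client.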

Considering the software development life cycle and attack scenarios, the OWASP Top 10 vulnerability list came into the picture to provide a more in-depth security posture for software and applications.

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.

All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security. 

Just in brief, below is the list of OWASP Top 10 vulnerabilities.

  • A01:2021-Broken Access Control
  • A02:2021-Cryptographic Failures
  • A03:2021-Injection
  • A04:2021-Insecure Design
  • A05:2021-Security Misconfiguration
  • A06:2021-Vulnerable and Outdated Components
  • A07:2021-Identification and Authentication Failures
  • A08:2021-Software and Data Integrity Failures
  • A09:2021-Security Logging and Monitoring Failures
  • A10:2021-Server-Side Request Forgery

You can refer to OWASP website for further details.


-DR

Tuesday, October 26, 2021

Securing Email Server

Email Security

Email security can be understood as the different procedures and techniques for protecting email accounts, content and email communication against unauthorized access, loss or compromise. Mail is the prime method, or common entry point, used to initiate an advanced attack. Presently everyone uses either on-premise or cloud-based email, and everywhere malware, whaling, spam and phishing emails are common.

Many attacks are carried out using misleading messages that lure users into disclosing sensitive information, by asking them to open attachments or click on hyperlinks that install malware on the device. A small loophole can bring down the entire network. Sometimes even experienced professionals fall victim to such attacks.

So below are some best-practice guides for in-depth email security.

Set up a spam filter:

A spam filter screens all incoming mail before it reaches the user. This is very crucial for email security. Dedicated appliances are available in the market to handle large volumes of mail. Always remember to subscribe to a DNS blackhole list. This will block most spam.

A Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service that lets mail server operators check, via a Domain Name System (DNS) query, whether a sending host's IP address is blacklisted for email spam. Almost all mail server software can be configured to check such lists, typically declining or flagging messages from such harmful sites.

Enable rate control to prevent remote senders from overwhelming the server. Enable content analysis to heuristically block or quarantine probable spam.

DLP Rules:

Set up strong data leak prevention (DLP) rules that can help stop outbound email data loss and that support allow/deny lists.

Enable SPF

It is used to prevent email spoofing. Sender Policy Framework (SPF) works by publishing a DNS record listing which servers are permitted to send email for a specific domain. SPF should be enabled on all edge email servers to ensure that emails coming into your organization can be checked against SPF.
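The DNSBL check described under the spam filter section and the SPF check described here are both DNS lookups the receiving server performs on the sending host. The added example below (not code from the post) shows both sides of that logic offline: building the reversed-IP query name a DNSBL lookup uses, and evaluating a subset of SPF (the ip4, ip6, a, include and all mechanisms) for a sender address. Real DNS is replaced by a constructed dictionary, and the domains, zone name and IP addresses are made up from documentation ranges.

```python
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name a mail server looks up to check `ip` against a
    DNSBL zone: address labels reversed, then the zone. An A-record answer
    from the zone means the address is listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6 lists use one hex nibble per label, reversed.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def evaluate_spf(domain: str, sender_ip: str, dns: dict, depth: int = 0) -> str:
    """Minimal SPF evaluation (ip4, ip6, a, include, all). `dns` stands in
    for real lookups: {name: {"TXT": [...], "A": [...]}}. Returns the SPF
    result string: pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                      # RFC 7208 lookup limit, as a loop guard
        return "permerror"
    records = [t for t in dns.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                # multiple SPF records are a permerror
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) not handled here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # ip_network.__contains__ returns False across IP versions.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            target = arg or domain
            matched = str(ip) in dns.get(target, {}).get("A", [])
        elif mech == "include":
            matched = evaluate_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched and no "all"


# Constructed stand-in for DNS answers (documentation addresses only).
FAKE_DNS = {
    "example.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all"]},
    "mail.example.net": {"TXT": ["v=spf1 a -all"], "A": ["198.51.100.7"]},
}

if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.25", "dnsbl.example.net"))
    for ip in ("203.0.113.25", "198.51.100.7", "192.0.2.1"):
        print(ip, evaluate_spf("example.com", ip, FAKE_DNS))
```

A production server would issue the lookups over DNS and also handle the mx, exists and ptr mechanisms and the redirect modifier; the point here is that the verdict depends entirely on the record the domain owner publishes, which is why SPF must be enabled and the record kept accurate.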

Enable DKIM

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every message that a remote server can validate against a DNS TXT record. Failure to use DKIM decreases the integrity of email and increases the likelihood of the domain being blacklisted.

Set a Throttling Policy

In some cases a legitimate user becomes a spammer after falling for a phishing scam or otherwise having their password compromised. So, restrict the number of recipients per sender per day and the number of emails per day to limit the damage from a compromised account. Throttling policy settings are stored in Active Directory. With the throttling policy, the associated users can have at most a defined number of concurrent requests running in Exchange Web Services.

Email Encryption

The way to ensure end-to-end privacy for email is to encrypt the message itself between the sender and the recipient.

Attachment Restriction

Email attachments are also considered an effective malware delivery system, so it's important to restrict the types of attachments that come through your server. The most dangerous file types are executables, so extensions such as .exe, .bat, .vbs, .jar and so forth should always be blocked. The attachment size should also be restricted.
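An added example (not code from the post) of the attachment restriction described above, written as the decision function a mail gateway would apply to each attachment. It handles the cases a naive "check the last extension" rule misses: mixed case, a Windows path in the filename, trailing whitespace and double extensions such as invoice.pdf.exe. The blocked list extends the post's four extensions with a few other script and installer types, and the 10 MiB size limit is an assumption for the example.

```python
import posixpath

# Extensions named in the post (.exe, .bat, .vbs, .jar) plus a few other
# executable/script types added here as an assumption for the example.
BLOCKED_EXTENSIONS = {"exe", "bat", "vbs", "jar", "cmd", "scr", "ps1", "js", "msi"}
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024   # assumed 10 MiB limit


def attachment_verdict(filename: str, size_bytes: int) -> str:
    """Decide whether one attachment may pass the gateway.
    Returns "accept" or a "reject: <reason>" string."""
    if size_bytes > MAX_ATTACHMENT_BYTES:
        return "reject: too large"
    # Normalise: drop any directory part (Windows or POSIX separators),
    # surrounding whitespace and case, so "SETUP.EXE " is seen as "setup.exe".
    name = posixpath.basename(filename.replace("\\", "/")).strip().lower()
    if not name:
        return "reject: empty filename"
    # Examine every extension in the name, not only the last one, so a double
    # extension like "invoice.pdf.exe" (or "setup.exe.txt") is still caught.
    for ext in name.split(".")[1:]:
        ext = ext.strip()
        if ext in BLOCKED_EXTENSIONS:
            return f"reject: blocked type .{ext}"
    return "accept"


if __name__ == "__main__":
    # Constructed sample attachments as (filename, size in bytes).
    samples = [
        ("invoice.pdf", 2048),
        ("invoice.pdf.exe", 2048),
        ("C:\\Users\\dr\\SETUP.EXE ", 10),
        ("photo.jpg", 11 * 1024 * 1024),
        ("   ", 1),
    ]
    for fname, size in samples:
        print(repr(fname), "->", attachment_verdict(fname, size))
```

Extension checks are a first filter only; a gateway should also inspect the file's actual content type, since a renamed executable passes any name-based rule.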

Keep Security logs

Retain all the logs. It's a good idea to develop a log retention policy for your site. This should include what type of information is stored, for how long, whether online or offline, and whether the data is confidential.

Some of the top email security solution providers in the market are Microsoft Defender for Office 365, Cisco Email Security, Barracuda Essentials, Forcepoint, etc.

So, this is just basic information on email security steps. You can do further research to get the required information.

Feel free to comment your suggestions. 

Thanks

-DR

Monday, October 25, 2021

Data Life Cycle and Protecting Data

Data Life Cycle and Protecting the Data

The principles of integrity and confidentiality are pervasive across all stages. We should always be aware of how to securely manage personal information to prevent accidental loss or unauthorized access. Every piece of data has its own life cycle. This life cycle is the sequence of stages that data goes through, from its initial generation, collection or capture to its eventual archival and/or deletion at the end. While protecting data, always use a security-by-design approach.
  • Collection of Data
  • Storing of Data
  • Using of Data
  • Sharing of Data
  • Transferring Data
  • Retaining Data
  • Deleting Data
Collection of Data:
  • While collecting data, only collect personal information for the purpose specified in your privacy notice.
  • Consider the amount and type of personal data you need for your purpose.
  • Never use the data for marketing, advertising, or analytics.
  • Only collect personal information that is adequate, relevant, and limited to your specific purpose.
  • Only use approved methods to collect the data, to ensure integrity and confidentiality.
Storing personal Data:
  • Always ensure personal information is stored in line with the applicable data storage policy.
  • Ensure hard copies of data are securely locked away, and pseudonymize data before storing it.
  • Financial records and trade secrets need to be stored with the appropriate access and use permissions.
  • The data storage solution/system needs to be adequate in terms of long-term storage capability and redundancy.
  • Many organizations presently choose a cloud service for their primary data storage instead of their local on-premise infrastructure. While this is a feasible approach, given that the cloud service provider offers acceptable and adequate redundancy, it comes with the risk of losing full control of the data and, where the data is encrypted neither in transit nor at rest, unauthorized access to the data by the provider is possible.
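The "pseudonymize data before storing" point deserves a concrete shape, so here is an added example (not code from the post) of keyed pseudonymization with HMAC-SHA256. A plain unkeyed hash of an email address can be reversed by hashing a list of candidate addresses; a keyed hash cannot be reversed without the key, while still producing the same token for the same value so records can be joined. The record layout, the field names and the sample key handling are assumptions for the example; in practice the key lives in a KMS or HSM, separate from the stored data.

```python
import hashlib
import hmac
import secrets


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Return a stable, keyed pseudonym (hex) for `value`.
    Same key + field + value -> same token, so joins and deduplication still
    work; without the key, the stored tokens cannot be mapped back to values
    by hashing a wordlist. The field name is mixed in so the same string in
    two different fields yields two different tokens."""
    canon = value.strip().lower()   # "Alice@Example.com " and "alice@example.com" match
    msg = field.encode("utf-8") + b"\x00" + canon.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes, fields=("email", "name")) -> dict:
    """Copy `record`, replacing the identifying fields with pseudonyms and
    leaving the non-identifying fields (ids, counts) untouched."""
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = pseudonymize(str(out[f]), key, f)
    return out


def new_pseudonymization_key() -> bytes:
    """32 random bytes; generated once and stored apart from the data."""
    return secrets.token_bytes(32)


# Constructed sample record.
SAMPLE_RECORD = {"id": 17, "email": "Alice@Example.com ", "name": "Alice", "purchases": 3}

if __name__ == "__main__":
    key = new_pseudonymization_key()
    print(pseudonymize_record(SAMPLE_RECORD, key))
```

Rotating the key produces a new set of tokens, which is also how a pseudonymized dataset can be unlinked from an older copy when it is no longer needed.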

Using Data:
  • Any changed or additional uses of personal information must be documented.
  • Ensure personal information is accurate and used as per requirement.

Sharing Data:
  • Prevent unauthorized access on data while sharing.
  • Ensure secure mechanism and best practices while sharing data such as end-to-end encryption, double check permission settings, maintaining audit trail etc. 
Transferring Data:
  • While transferring data, Secure Data Transfer (SDT) provides a way to securely read and write logical volume data between groups or clusters within a network.
  • SDT uses the OpenSSL software libraries with the TLS 1.2 protocol, with both AES-256 and AES-128 keys.
  • Sharing personal information across borders can sometimes be complex.
  • The secure methods of data transmission are email encryption, website encryption, and use of the FTP and SFTP protocols.
  • Encrypt data in motion, encrypt data at rest, and authenticate at both the sender and receiver end to verify.
Retaining Data:
  • There shall be a documented data retention policy. A data retention policy is a key step in managing and protecting an organization's important data, to avoid the civil, criminal and financial consequences and penalties that sometimes result from poor data management practices.
  • Determine the regulations that apply to you and your organization.
  • Only retain personal information that has a specified purpose.
Deleting Data:
  • When you have your job done, delete the personal data.
  • Dispose of the data or delete the data securely.
  • Use a shredder when destroying hard copy or paper documents. Use data wipe tools to securely erase data from hard drives.
  • Types of data deletion also include overwriting, formatting, degaussing, physical destruction (drill or crush), etc.
The consequences of data breaches are growing rapidly day by day. So be aware; educating the organization's own employees is also important.

Do you have any additional comments, feel free to post. 
Like and Subscribe!
Thanks!

-DR

Friday, October 22, 2021

Cyber Security Awareness Month October 2021

Cyber Security Awareness Month.

October is celebrated as global Cyber Security Awareness Month, and previously it was known as National Cyber Security Month.

In 2021, this year, it is themed "Do Your Part. #BeCyberSmart."

Many organizations and firms are spreading their awareness campaigns around the globe. So I wanted to be part of sharing some awareness. So, in a simple way, I am sharing the awareness tips shared by DSCI. So be cyber safe. Avoid unknown links; think before you click.

Below are a few power tips on:

  • Password Safety
  • Phishing and Email Security
  • How to maintain social media Hygiene
  • Work from anywhere tips
  • Web surfing security tips
  • Portable media security tips

Source: DSCI

For more cyber security posts, please refer to all my posts from January 2021.

https://diptechlearn.blogspot.com/2021

Thanks

-DR. 


Monday, October 18, 2021

HTTP Requests


Whenever we visit a page on the web, our computer uses the Hypertext Transfer Protocol (HTTP) to download or fetch that page (HTML) from another computer or server somewhere on the Internet.

For example: http://abc456.com/index.html/79u0u 

In client-server architecture, HTTP (Hypertext Transfer Protocol) is an application layer protocol used to communicate hypermedia documents between devices and browsers. It is built on top of TCP/IP and works as a request and response protocol between a client and a server.

The HTTP methods are listed below:

  • GET
  • POST
  • PUT
  • HEAD
  • DELETE
  • PATCH
  • OPTIONS

The two most commonly used methods are HTTP GET and HTTP POST.

The HTTP GET request method is used to request a resource from the server. Web browsers generally use HTTP GET and HTTP POST, but other clients such as desktop and mobile applications use many other methods. GET is less secure and easier to hack for script kiddies because the data sent is part of the URL, so it is saved in browser history and server logs in plaintext.

HTTP POST is a method meant to send data to the server from an HTTP client. The HTTP POST method asks the web server to accept the data enclosed in the body of the POST message. It is often used when submitting login or contact forms or uploading files and images to the server. The HTTP POST method is used to create or add a resource on the server. It is harder to hack because the parameters are not saved in the browser history or in web server logs.

The GET method is visible to everyone, as the data is displayed in the browser's address bar, and it has limits on the amount of information it can send, whereas POST method variables are not displayed in the URL.
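To show exactly where the parameters end up in each case, here is an added example (not code from the post) that parses a raw GET and a raw POST login request and reports what a typical access log would record for each. The two sample requests, the host name and the list of parameter names treated as sensitive are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs


def parse_request(raw: bytes) -> dict:
    """Parse one raw HTTP/1.x request into its method, target, headers,
    query-string parameters and (for form posts) body parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    length = int(headers.get("content-length", "0") or 0)
    body = body[:length]                      # honour the declared body length
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("iso-8859-1"))
    return {"method": method, "version": version, "target": target,
            "path": parts.path, "query": parse_qs(parts.query),
            "headers": headers, "form": form}


def access_log_target(req: dict) -> str:
    """What a typical access log records: the request line's target, never the
    body. For GET that means the full query string, parameters included."""
    return req["target"]


# Parameter names that should never travel in a URL (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret", "otp"}


def sensitive_params_in_url(req: dict) -> list:
    """Query parameters that would land in history and logs in plaintext."""
    return sorted(p for p in req["query"] if p.lower() in SENSITIVE_PARAMS)


# Constructed sample requests: the same login sent with GET and with POST.
GET_LOGIN = (b"GET /login?user=alice&password=s3cret HTTP/1.1\r\n"
             b"Host: www.example.com\r\n\r\n")
POST_LOGIN = (b"POST /login HTTP/1.1\r\n"
              b"Host: www.example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 26\r\n\r\n"
              b"user=alice&password=s3cret")

if __name__ == "__main__":
    for raw in (GET_LOGIN, POST_LOGIN):
        req = parse_request(raw)
        print(req["method"], "logged as:", access_log_target(req),
              "| query:", req["query"], "| form:", req["form"],
              "| sensitive in URL:", sensitive_params_in_url(req))
```

The GET version logs /login?user=alice&password=s3cret, so the password is in the server log and the browser history; the POST version logs only /login. This is the reason login forms submit with POST, and it is also why POST alone is not a security control: the body is still plaintext on the wire unless the connection uses TLS.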

The initial HTTP protocol was version 0.9, which supported only GET. Then version 1.0 was released, supporting GET, POST and HEAD.

Later, version 1.1 came with support for GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE, and CONNECT.

HTTP 2.0, also known as HTTP/2, came later with support for GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE, CONNECT, and PATCH.

This is just a basic understanding. 

-DR





Wednesday, September 29, 2021

Business Continuity Plan (BCP) and BCMS

Business Continuity Plan (BCP) and Business Continuity Management System (BCMS)

Today we are going to discuss a very critical business function, one that is largely responsible for keeping any business operating.

Every business is prone to disasters and threats. No system is 100% secure nowadays. These disruptions can come in many forms, such as natural disasters, fire, long power outages, losing key employees, delayed deliveries, cyber-attacks, etc.

The capability of an organization to continue the delivery of products and services, within acceptable timeframes and at predefined capacity, during a disruption is known as business continuity. This means either no disruption during incidents, or recovery of the system within the allowable time.

Business Continuity Planning (BCP) is the process of creating an information systems environment in such a way that it helps in preventing, and recovering from, business disruptions caused by disasters, major incidents or threats.

Benefits 

The goal of a BCP is to minimize operational risk in the face of a natural or man-made disruption or disaster.

Business Continuity Policy

  • A Business Continuity Policy provides the framework for setting business continuity objectives. It is a commitment to satisfy applicable requirements, whether regulatory, legal or contractual, and a commitment to continual improvement.
  • It should be documented, reviewed, approved and signed by top management.
  • It should be communicated inside the organization and to the interested parties.

Business Continuity Plan

A Business Continuity Plan defines the steps required to restore business processes following a disruption within an agreed time. The plan also defines the triggers for invocation, the people to be involved, communications, etc.

The business continuity plans are the tests, plans and strategy for testing the continuity of the system to deal with the threats/risks to the organization. Any event that could negatively impact operations needs to be included in the BCP.

To completely define a BCP, one has to think about two aspects:

  • It should be ensured that the organization can continue business as normal, or at an acceptable level, in the wake of a disaster.
  • IT should be restored/recovered to a state like that before the disaster.

Therefore, an organization should develop its Business Continuity Plan (BCP) through the steps below:

  1. Conduct a Business Impact Analysis (BIA) to identify sensitive and critical functions and processes, and the resources that support them.
  2. Identify, document and implement the measures needed to recover critical business functions.
  3. Organize or form a business continuity team and compile a business continuity plan.
  4. Conduct training and awareness for the business continuity team, and test the plans at regular intervals.

Procedure for documenting BCP 

  • Identify and document a plan, test or drill to schedule for BCP. If you are running a data centre or a large network and server infrastructure, you need to identify the possible failures, such as UPS power failure, fire at the data centre, Internet failure, switch/router failure, server failure, storage failure, PAC failure, firewall failure, antivirus failure, etc., and test each one in a year.
  • Document a backup and restore policy for each component or service before the BCP test or drill.
  • Identify and document emergency contact numbers to be used during any emergency, such as difficulties in recovery in case of an incident.
  • Before planning a BCP test, communicate the BCP schedule to stakeholders.
  • Form or constitute the BCP team, such as the BCP coordinator, emergency response team, BCP test team, and data backup and restore team.
  • Invoke the BCP plan as per the schedule and approved plans.
  • All BCP plans should be approved by the management representative before the test.
  • Keep backups of the assets'/devices' configurations, hard copies of configuration documents and policies, the testing method, recovery plans and emergency contact numbers.
  • Keep observations on failover and load tests.
  • Check the restoration after reboot or restart for normal behaviour.
  • Analyse the risks identified during the tests/plans.
  • Document the test results, whether fail or success, the total time taken for recovery, and the key personnel involved during the process.
  • Approve the test result.
  • If the test is not successful, always keep your rollback plan updated and handy.
  • Conduct awareness and training on the improvements, if any.

Business Continuity Management System (BCMS)

The international standard that defines the requirements for a BCMS (Business Continuity Management System) is ISO 22301:2019. It was first introduced in 2012. It contains:

  • Business continuity objectives and planning to achieve them
  • Planning changes to the business continuity management system
  • Business impact analysis and risk assessment
  • Business continuity plans and procedures

So, this is just fundamental knowledge on BCP and its procedure. I hope it has helped your understanding.

Please feel free to comment or provide your suggestions. 

-DR
