Friday, December 31, 2021

General IT Controls - ITGC & GTAG

General IT Controls (GITC or ITGC)

Information Technology General Controls (ITGC) are a type of internal control: a combined set of policies and procedures that ensure the effective implementation of those controls in an organization. ITGC is also known as General Computer Controls (GCC).

Companies, auditors, business partners, and shareholders rely on ITGCs as a key component of the integrity of financial statements, business processes and information systems.

GITCs are a critical component of business operations and financial information controls. They provide the foundation for confidence in data, reports, automated controls, and other system functionality underlying business processes. The security, integrity, and reliability of financial information rely on proper access controls, physical facilities, logical security, backup and recovery, computing infrastructure, change management, and operational controls.

The information within IT systems is critical for meeting many requirements in an organization, such as:

  • Financial information relied upon by decision makers, which is maintained within the IT systems.
  • User credentials and data, which are stored on servers as well as in cloud infrastructure.

In the absence of ITGCs, employees cannot rely on the data and reports that IT systems provide.

Of the critical control areas mentioned above, let us take one control and look at it in detail.

User Access Management 

User Access provisioning

Granting access to a new user is the initial step in maintaining a controlled environment in an IT application. Inappropriate user access could result in the posting of unauthorized financial transactions.

User Access De-provisioning

When employees are separated from the organization or leave, their user credentials can be misused to process financial transactions or similar operations. Such transactions would not only be unauthorized but would also lack accountability. Similarly, if an employee is transferred to another division or department and the access provisioned for the old role is not revoked, it leaves a chance of that access being used later.

Excessive access

Access to business applications needs to be granted based on the roles and responsibilities of users. Provisioning access that is not in line with a user's job responsibilities could lead to the posting of unauthorized financial transactions.

Generic and Privilege access

Generic user IDs lead to accountability issues for transactions processed using such IDs. Further, if privileged or administrative access is granted to generic user IDs, that access can be misused to post transactions that could have a pervasive impact on the financial statements.

User Access Review

While user access provisioning is key to controlling access management in an IT application, periodic user access review keeps access aligned with business requirements. In the absence of periodic user access review, excessive access may remain with a user or within the system. User access review also detects anomalies in access provisioned or de-provisioned, and any privileged or excessive access.
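The four review findings above (de-provisioning gaps, excessive access after a transfer, generic IDs, and generic IDs holding privileged roles) can be produced mechanically by joining an HR feed with an application's user/role export. The example below is added here and is not part of the original post; the HR records, role catalog and account names are constructed and hypothetical.

```python
# Constructed sample data (hypothetical): an HR feed keyed by employee ID and an
# application's user/role export, as an access review would join them.
HR = {
    "e100": {"status": "active",     "dept": "finance"},
    "e101": {"status": "terminated", "dept": "finance"},   # left, still has an account
    "e102": {"status": "active",     "dept": "sales"},     # transferred from finance
}
APP_USERS = [
    {"user": "e100", "roles": {"ap_clerk"}},
    {"user": "e101", "roles": {"ap_clerk"}, "enabled": True},
    {"user": "e102", "roles": {"gl_post", "crm_user"}},    # kept the old finance role
    {"user": "svc_batch", "roles": {"admin"}},             # generic ID with admin rights
]
# Roles each department is entitled to, and the roles treated as privileged.
ROLE_CATALOG = {"finance": {"ap_clerk", "gl_post"}, "sales": {"crm_user"}}
PRIVILEGED = {"admin"}

def review_access(hr, app_users, catalog, privileged):
    """Return (user, finding, roles) tuples for every account that fails the review."""
    findings = []
    for acct in app_users:
        uid, roles = acct["user"], acct["roles"]
        emp = hr.get(uid)
        if emp is None:
            # Not tied to a person in HR: a generic/shared or service ID.
            if roles & privileged:
                findings.append((uid, "generic_privileged", sorted(roles & privileged)))
            else:
                findings.append((uid, "generic", sorted(roles)))
            continue
        if emp["status"] != "active" and acct.get("enabled", True):
            findings.append((uid, "deprovisioning_gap", sorted(roles)))
            continue
        # Anything outside the catalog for the user's current department is excessive.
        excess = roles - catalog.get(emp["dept"], set())
        if excess:
            findings.append((uid, "excessive_access", sorted(excess)))
    return findings
```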

Global Technology Audit Guide (GTAG)

The GTAG provides an overview of IT-related risks and controls for business executives, so that the internal audit activity can provide assurance over all important risks identified. It describes how to identify and assess the risks, and the standardized and system-specific controls, relevant to business applications.

The GTAG guides released so far are listed below:

GTAG 1: Information Technology Controls

GTAG 2: Change and Patch Management Controls: Critical for Organizational Success

GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

GTAG 4: Management of IT Auditing

GTAG 5: Managing and Auditing Privacy Risks

GTAG 6: Managing and Auditing IT Vulnerabilities

GTAG 7: Information Technology Outsourcing

GTAG 8: Auditing Application Controls

GTAG 9: Identity and Access Management

GTAG 10: Business Continuity Management

GTAG 11: Developing the IT Audit Plan

GTAG 12: Auditing IT Projects

GTAG 13: Fraud Prevention and Detection in the Automated World

GTAG 14: Auditing User-developed Applications

GTAG 15: Formerly Information Security Governance (removed and combined with GTAG 17)

GTAG 16: Data Analysis Technologies

GTAG 17: Auditing IT Governance

While conducting an ITGC audit, a common set of questions should be asked and the answers analyzed.

For example, for Change Management the questions can include:

  • How is change management planned?
  • How is the change plan tested before the change is made?
  • Are changes appropriately documented and approved by authorized personnel?
  • Were necessary maintenance changes tested?
  • Is appropriate segregation of duties in place for approving and making changes to the production environment?
  • How are changes approved and tracked?
  • What processes are in place to identify required control gates throughout the system development life cycle (e.g. peer review of code, software security scanning, third-party approval)?
  • How are impacts analyzed after a change has occurred?

Please provide further suggestions in the comment section.

-DR

Wednesday, December 15, 2021

Know about Cyber Squatting

Cyber Squatting

Cybersquatting is the practice of registering an Internet domain name that is likely to be wanted by another person, business, or organization in the hope that it can be sold to them for a profit. 

Put simply, it is the unauthorized registration and use of Internet domain names that are identical or similar to trademarks, service marks, company names, or personal names. It is also called domain squatting.

It involves the registration of trademarks and trade names as domain names by third parties who do not possess rights in those names. Simply put, cybersquatters (or bad-faith imitators) register trademarks, trade names, business names and so on belonging to third parties, with the common motive of trading on the reputation and goodwill of those third parties by confusing customers or potential customers, and at times to sell the domain name back to the rightful owner at a profit. One study found that since 2012 nearly 2,800 complaints have been filed involving domain name squatting.

You may have spent many years and a lot of money building your business's brand. How would you feel if someone could erase much of that effort by buying a low-cost $10 domain that looks like yours?

There are several types of cybersquatting, such as:

  • Typosquatting
  • Celebrity name
  • TLD exploitation
  • Misleading subdomain
  • Gripe sites
  • Look-alike domain
  • Expiration date exploitation
  • Homograph attacks

To prevent cybersquatting, consider the following techniques:

  • Consult your legal team and follow the applicable rules and procedures. Relevant frameworks include the Anti-Cybersquatting Consumer Protection Act (ACPA) and the World Intellectual Property Organization (WIPO).
  • Register your organization's or business's domain names quickly.
  • Double-check the spelling of the website to avoid typosquatting.
  • Review your website on a regular basis.
  • Always check the SSL/TLS certificate of the web application.
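Regular review of domains that resemble your brand can be automated: the classifier below sorts a candidate domain into the squatting types listed above (typosquat, TLD variant, misleading subdomain, look-alike and homograph). It is an added example, not code from the original post; the brand `example.com`, the small confusables table and the two-label registrable-domain assumption are hypothetical, and a real deployment would load the full Unicode confusables list and a public-suffix list.

```python
import unicodedata

# Constructed brand and confusables table (hypothetical); only a handful of
# Cyrillic look-alikes are mapped here to keep the example short.
BRAND = "example.com"
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0456": "i"})

def levenshtein(a, b):
    """Edit distance; 1-2 catches the dropped letters and swaps typosquatters rely on."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND):
    """Classify a candidate domain against the protected brand domain."""
    d = domain.lower().rstrip(".")
    if any(l.startswith("xn--") for l in d.split(".")):
        d = d.encode("ascii").decode("idna")  # punycode -> Unicode labels
    labels = d.split(".")
    if len(labels) < 2:
        return "unrelated"
    brand_sld, brand_tld = brand.split(".", 1)
    sld, tld = labels[-2], labels[-1]  # assumes a two-label registrable domain
    if d == brand:
        return "legitimate"
    if d.endswith("." + brand):
        return "legitimate_subdomain"
    if brand_sld in labels[:-2]:          # e.g. example.com.evil-host.test
        return "misleading_subdomain"
    # Fold accents and confusable letters to an ASCII skeleton before comparing.
    skeleton = unicodedata.normalize("NFKD", sld).translate(CONFUSABLES)
    skeleton = "".join(c for c in skeleton if c.isascii())
    if skeleton == brand_sld and sld != brand_sld:
        return "homograph"
    if sld == brand_sld and tld != brand_tld:
        return "tld_variant"
    if levenshtein(sld, brand_sld) <= 2:
        return "typosquat"
    if brand_sld in sld:                  # e.g. example-secure.com
        return "lookalike"
    return "unrelated"
```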

If you have further suggestions, please comment below.

-DR

Tuesday, December 14, 2021

QR Code Security

Knowing QR Code Security

Have you scanned a QR code?

Cybercriminals keep changing their phishing tactics as we become increasingly aware of their scams. The global cybersecurity team has identified QR codes as a new email phishing tactic that you should be aware of.

Quick-response codes (better known as QR codes) are two-dimensional barcodes used to let users access data or web-based resources (URLs). They are machine-readable codes that look like an array of black and white squares, and they store website links or other information that can be read by the camera on your smartphone. You might have seen them recently at restaurants and small shops, where digital menus or contactless payment signage invite you to scan a QR code.

QR codes themselves are not designed to be hackable: they are a square matrix of pixelated dots, and those dots would have to be altered in order to "hack" the code. The security issues arise from the information the QR code links to.

What is a QR-code phishing attempt?

Cybercriminals use QR codes within emails to encourage unsuspecting users to scan them, which then redirects the users to malicious websites. Attackers can encode malicious links in a QR code that lead, for example, to phishing sites. Sometimes attackers embed in a QR code a URL pointing to custom malware, which could then exfiltrate data from a mobile device once scanned.

In many cases, QR code scams are designed to send you to what looks like an authentic login page and ultimately steal your login credentials.

How can you protect yourself?

The simplest protection against malicious QR codes is never to scan them.

  • Particularly when scanning QR codes on printed materials in public places, it is possible that the original QR code has been covered with a sticker carrying a dangerous one. Therefore, double-check that the QR code is the original.
  • Do not scan a QR code you have received via email from an unknown or suspicious source. These codes are designed for physical signage, storefronts, flyers, and digital kiosks, not email.
  • Only scan QR codes from trusted locations.
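Most scanner apps show the decoded payload before opening it, and that preview is the moment to check the URL. The inspector below is an added example (not from the original post) that flags the tricks phishing QR codes lean on: a decoy name before "@" that hides the real host, raw IP hosts, punycode labels, URL shorteners, odd ports and open-redirect style parameters. The shortener list, parameter names and sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed lists (hypothetical); extend from your own threat intelligence.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
REDIRECT_KEYS = {"url", "redirect", "next", "return", "goto", "dest"}

def inspect_qr_url(payload):
    """Return a list of warnings for a URL decoded from a QR code (empty = nothing obvious)."""
    warnings = []
    if "://" not in payload:
        return ["payload is not a URL; inspect it manually"]
    parts = urlsplit(payload)
    if parts.scheme not in ("https", "http"):
        warnings.append(f"unusual scheme: {parts.scheme}")
    elif parts.scheme == "http":
        warnings.append("not HTTPS: content can be altered in transit")
    host = parts.hostname or ""
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; browsers connect to what follows it.
        warnings.append(f"decoy text before '@': real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible homograph of a known brand")
    if host in SHORTENERS:
        warnings.append("URL shortener: final destination is hidden")
    try:
        if parts.port not in (None, 80, 443):
            warnings.append(f"non-standard port {parts.port}")
    except ValueError:
        warnings.append("malformed port")
    hits = REDIRECT_KEYS & {k.lower() for k in parse_qs(parts.query)}
    if hits:
        warnings.append("open-redirect style parameter: " + ", ".join(sorted(hits)))
    if len(payload) > 200:
        warnings.append("very long URL: may be hiding the real destination")
    return warnings
```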


Stay safe

-DR

Monday, December 13, 2021

RDP Basics

Remote Desktop Protocol

This is quite old technology, but it is still very useful nowadays. In general terms, RDP lets computer technical support staff view and control a PC or system at a remote site over the Internet by sharing its input and display, giving the support person the ability to diagnose and resolve problems remotely.

Remote Desktop Protocol (RDP) is used for communication between the Terminal Server and the Terminal (RDP) Client. RDP is a multichannel-capable protocol that provides distinct virtual channels for carrying information such as encrypted data, presentation data, license information, and device activity. RDP is encapsulated and encrypted within TCP. It is designed to support many LAN protocols, such as IPX, NetBIOS and TCP/IP, and network topologies such as ISDN. It provides remote display and input capabilities over network connections for Windows-based applications running on a server.

Cloud computing technology enables its users to work remotely, but that is where the similarities with RDP end. With cloud computing, users can access applications and files located in the cloud and on cloud servers. But RDP allows them to access files on their computer from a separate location. Both tools are beneficial for remote working but work in very different ways.

RDP provides 64,000 separate channels for data transmission. The protocol opens a dedicated network channel for communicating data back and forth between the connected machines, and it uses network port 3389 for this purpose.

RDP Client

You can use a Remote Desktop client to access your remote PC from almost any device. This applies to Windows 7 Professional and Enterprise editions, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2012 R2, and others.

Advantages

One advantage is that it does not require a VPN. It also keeps data stored securely on the user's desktop instead of on cloud servers or on the user's unsecured personal devices. Furthermore, RDP enables companies to allow their employees to work from home; this helped millions of employees keep working during the COVID pandemic.

Cons

Remote Desktop Protocol (RDP) has been known since 2016 as a way to attack computers and networks. Malicious cyber attackers have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to steal identities and login credentials, and to install and launch ransomware.

  • One small misconfiguration, such as exposing RDP to the Internet, can lead to a cyber attack. Weak user login credentials make this worse: because the same computer passwords are used for remote RDP logins, users are open to brute-force attacks and credential stuffing.
  • The lag that RDP causes may result in lower employee productivity.
  • RDP can result in a bad user experience, especially for users with a slow Internet connection.

To keep yourself safe from RDP-based attacks, follow these steps:

  • Keep all security patches on local systems up to date.
  • Close TCP port 3389 on computers and routers if RDP is not required.
  • Scan your network for computers using RDP and disable the service where it is not needed.
  • Restrict login attempts.
  • Use two-factor authentication.
  • Limit the number of third-party vendors and employees that have access to RDP connections.
  • Use VPN connections to encrypt RDP traffic.

If you have further suggestions, feel free to add them.

-DR

Thursday, December 9, 2021

Type of Security Events and Incidents

Type of Security Events and Incidents

In security incident management, many events arise every day. A security event is something that has significance for system hardware or software; a security incident is an event that disrupts normal operations or indicates that an organization's systems or data may have been compromised.

Regarding malware, more than 90% of malware is delivered by email, and 98% of mobile device malware targets Android systems. Studies show that macOS malware has also increased by 165%. For more details, see the statistics at https://purplesec.us/resources/cyber-security-statistics/

Here I am sharing some of the types of incidents or events that occur and that can be recorded through a SIEM or any suitable logging device, which stores the event logs for later forensic analysis.

Based on impact, these events (or, we could say, attacks) can further be classified as High, Medium, or Low.

The types of infrastructure-related incidents are listed below.

  • Buffer overflow attacks
  • Port and vulnerability scan attacks
  • Password cracking
  • Worm/virus outbreak
  • File access failures
  • Unauthorized server/service restarts
  • Unauthorized changes to firewall rules
  • SQL injection
  • Cross-site scripting

Application security events include:

  • Attempted violation of defined role
  • Attempted access violations
  • Critical user additions, deletions
  • Creation, deletion & modification of critical application roles/groups.
  • Changes to account & password policies in the application
  • Changes to permissions or authorizations for critical application roles/groups.
  • Changes to critical application parameters.
  • Sensitive Data Exposure

Some database-related incidents:

  • Granular monitoring of queries, objects and stored procedures with real-time alerts
  • Monitoring of access to sensitive data
  • Insecure system architecture
  • Exploitation of unpatched services
  • Default, blank, and weak usernames/passwords
  • Database access, including logins, client IP, server IP and source program information
  • Poor encryption and data breaches
  • Denial-of-service attacks
  • Tracking execution of stored procedures, including who executed a procedure, which procedure and when, and which tables were accessed as a result
  • Tracking and auditing of administrative commands such as GRANT

Some network behavior anomalies:

  • Network traffic pattern analysis and bandwidth analysis
  • Host behavior and traffic analysis to identify threats
  • Analysis of traffic patterns to identify ports and services that are nonessential for normal business operations
  • Anomaly events classified as belonging to a class of security events (DDoS, scans, etc.)

Other attacks that exist and can be recorded include:

  • Trojan horse attack
  • Malware/spyware
  • Suspicious registry entries
  • Unverified email attachments
  • Frequent login attempts
  • Loss or theft of equipment or components
  • Brute-force attack
  • Port scanning
  • Insider breach
  • Unauthorized privilege escalation
  • Destructive attack
  • Advanced persistent threat / multistage attack
  • False positive removal
  • Email phishing
  • Abnormal browsing behavior
  • Client-side information leakage
  • Cookie injection
  • Traffic sent to and from unknown locations
  • Excessive bandwidth or memory consumption
  • Unapproved configuration changes


Although organizations should be able to handle any incident, they should focus on handling the most common ones. Every organization should develop its own cyber response framework to defend itself.
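The "frequent login attempt" and "brute-force attack" items above, and the "restrict login attempts" advice in the RDP post, both come down to one SIEM rule: count failed logons per source inside a sliding window and escalate when that source later succeeds. The detector below is an added example (not from the original posts) run over constructed Windows Security logon events in a SIEM-style JSON export; the field names, IPs, accounts and timestamps are hypothetical.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(t, eid, user, ip, ltype=10):
    return json.dumps({"t": t, "EventID": eid, "LogonType": ltype, "User": user, "IpAddress": ip})

# Constructed sample (not real data): 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). With NLA enabled, failed RDP logons are often
# recorded as LogonType 3 instead, so pass logon_types=(10, 3) if your logs show that.
SAMPLE_EVENTS = "\n".join([
    _ev("2021-12-13T02:00:01", 4625, "admin", "198.51.100.7"),
    _ev("2021-12-13T02:00:09", 4625, "administrator", "198.51.100.7"),
    _ev("2021-12-13T02:00:15", 4625, "admin", "198.51.100.7"),
    _ev("2021-12-13T02:00:22", 4625, "admin", "198.51.100.7"),
    _ev("2021-12-13T02:00:30", 4625, "admin", "198.51.100.7"),
    _ev("2021-12-13T02:00:38", 4625, "admin", "198.51.100.7"),
    _ev("2021-12-13T02:00:41", 4625, "jdoe", "203.0.113.5"),    # one mistyped password
    _ev("2021-12-13T02:00:55", 4624, "jdoe", "203.0.113.5"),
    _ev("2021-12-13T02:01:10", 4624, "admin", "198.51.100.7"),  # success after the burst
])

def detect_rdp_bruteforce(lines, threshold=5, window_s=60, logon_types=(10,)):
    """Flag a source IP with >= threshold failed RDP logons in a sliding window; escalate on later success."""
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)   # source IP -> timestamps of failures still in the window
    users = defaultdict(set)        # source IP -> account names it tried
    flagged, alerts = set(), []
    for line in lines.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e.get("LogonType") not in logon_types:
            continue
        ts, ip = datetime.fromisoformat(e["t"]), e["IpAddress"]
        if e["EventID"] == 4625:
            q = failures[ip]
            q.append(ts)
            users[ip].add(e["User"])
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "type": "rdp_bruteforce", "ip": ip,
                               "failures": len(q), "users": sorted(users[ip])})
        elif e["EventID"] == 4624 and ip in flagged:
            alerts.append({"severity": "high", "type": "rdp_bruteforce_success",
                           "ip": ip, "user": e["User"]})
    return alerts
```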

-DR

