Friday, April 29, 2022

Network Scanning Tools

Network Scanning through Nmap and Nessus

Network scanning is the process of identifying the active devices on a network and probing them for open ports, running services and vulnerabilities.

Nmap

Nmap is an open source security scanner designed for network discovery and security auditing. It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Many network administrators also use Nmap for network inventory, managing service upgrade schedules and monitoring host or service uptime.

Once an Nmap scan completes, the output shows an interesting ports table.

Port Table: the port table lists the port number and protocol, the name of the service and the port state. Nmap reports six states: open, closed, filtered, unfiltered, open|filtered and closed|filtered (the last two mean Nmap could not decide between the two states).

Open means that an application on the target host is actively accepting TCP connections or UDP packets on that port. Closed means the port is reachable but no application is listening on it. Filtered means a firewall or other packet filter blocked Nmap's probes, so Nmap cannot tell whether the port is open.

When an IP protocol scan (-sO) is run, the table lists supported IP protocols rather than listening ports. Apart from that, Nmap also reports reverse DNS names, OS guesses, device types and MAC addresses. Through the Nmap Scripting Engine (NSE) it also has a limited vulnerability-scanning capability (the vuln script category), although it is not a substitute for a dedicated vulnerability scanner.
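As an added example (not part of the original post and not code from the Nmap project), the Python script below parses the XML that Nmap writes with -oX and rebuilds the port table described above. It separates ports Nmap positively confirmed as open from open|filtered ones, and flags service names that came only from the port-number table rather than from a version-detection probe. The XML sample embedded in the script is constructed by hand to mimic the output of `nmap -sS -sU -sV -O -oX scan.xml <target>`; the host address, MAC, hostname, ports and version strings in it are invented.

```python
"""Rebuild an Nmap port table from -oX (XML) output.

Added example, not code from the original post or from the Nmap project.
SAMPLE_NMAP_XML is a hand-constructed sample shaped like real Nmap output;
the address, hostname, ports and version strings in it are invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O -oX scan.xml 192.0.2.10" version="7.92">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response" reason_ttl="0"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 5.4 - 5.10" accuracy="95"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that was up: address, MAC, hostname, OS guess and ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # hosts that never answered carry no port table
        info = {"addr": None, "mac": None, "hostname": None, "os": None, "ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                info["addr"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                info["mac"] = addr.get("addr")  # only present on the local segment
        hn = host.find("hostnames/hostname")
        if hn is not None:
            info["hostname"] = hn.get("name")  # reverse DNS (PTR) name
        osm = host.find("os/osmatch")
        if osm is not None:
            info["os"] = osm.get("name")  # first (best) OS match from -O
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            info["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="probed" means -sV matched a banner; "table" is just the
                # IANA name for that port number and says nothing about what runs there
                "version_confirmed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append(info)
    return hosts


def open_ports(host):
    """Only ports Nmap positively confirmed as open (open|filtered is excluded)."""
    return [p for p in host["ports"] if p["state"] == "open"]


def unconfirmed_versions(host):
    """Port numbers whose service name was guessed from the port table, not probed."""
    return [p["port"] for p in host["ports"] if not p["version_confirmed"]]


def format_port_table(host):
    """Render the host's port table in the same column layout Nmap prints."""
    lines = [f"Nmap scan report for {host['hostname'] or host['addr']} ({host['addr']})",
             f"{'PORT':<10}{'STATE':<15}{'SERVICE':<15}VERSION"]
    for p in host["ports"]:
        port_proto = f"{p['port']}/{p['proto']}"
        version = " ".join(x for x in (p["product"], p["version"]) if x)
        lines.append(f"{port_proto:<10}{p['state']:<15}{p['service'] or '':<15}{version}")
    return lines


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print("\n".join(format_port_table(h)))
        print("confirmed open:", [p["port"] for p in open_ports(h)])
        print("service name only guessed on:", unconfirmed_versions(h))
```

Parsing the XML rather than the human-readable output is the reliable way to feed scan results into other tooling, and keeping the state and the version-detection method separate avoids the common mistake of treating an open|filtered UDP port or a table-guessed service name as a confirmed finding.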

Nessus

Nessus is a comprehensive vulnerability assessment tool developed by Tenable. It is widely used because of its large plugin library and the reliability of its results.

It detects system and device vulnerabilities, performs configuration assessments and helps in reviewing compliance with policies. It can also audit cloud infrastructure, perform host discovery, run credentialed patch audits and test web applications.

It comes in a free Nessus Essentials edition and in paid Professional and Expert (business) editions.

For more information, follow the links below.

https://nmap.org/
https://www.tenable.com/products/nessus

Thanks

-DR

Saturday, March 5, 2022

Understanding CSA STAR

CSA Security, Trust, Assurance and Risk (STAR) Program

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA connects the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events, and products.

A cloud service provider (CSP) is a third-party company that provides scalable computing resources that businesses can access over a network, including cloud-based compute, storage, platform and application services. There are many leading organizations in this sector across the globe, such as Microsoft, Amazon, Google, Oracle, Alibaba and Rackspace, as well as many small firms gradually growing their business in this area.

CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001 and has addressed the issues critical to cloud security outlined in the Cloud Controls Matrix (CCM). By implementing STAR Certification on top of a compliant ISO/IEC 27001 information security management system, an organization gains a fuller understanding of the risks involved and their business impacts, and can put controls in place to protect business-critical information.

STAR provides two levels of assurance

Level 1: Self-Assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). Level 1 is an introductory offering, which is free and open to all CSPs. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.

Level 2: Independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification. These assessments combine established industry standards with criteria specified in the CCM.

Cloud Controls Matrix (CCM)

For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a cybersecurity controls framework for cloud computing aligned to CSA best practices and is considered the de facto standard for cloud security and privacy. CCM version 3 had 133 control objectives across 16 domains; version 4 (released in 2021, revision 4.0.7 at the time of writing) has 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.

  • Provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider.
  • Provides a control framework in 17 domains that is cross-walked to other industry-accepted security standards, regulations and control frameworks to reduce audit complexity.

The CCM v4 controls are mapped to ISO/IEC 27001/27002, ISO/IEC 27017/27018, NIST SP 800-53, AICPA TSC (2017), PCI DSS v3.2.1 and CIS Controls v8 (Center for Internet Security).

The 17 domains and the number of controls in each domain in CCM v4 are listed below (they add up to the 197 controls mentioned above):

  • Audit and Assurance (A&A): 6
  • Application and Interface Security (AIS): 7
  • Business Continuity Management and Operational Resilience (BCR): 11
  • Change Control and Configuration Management (CCC): 9
  • Cryptography, Encryption and Key Management (CEK): 21
  • Datacenter Security (DCS): 15
  • Data Security and Privacy Lifecycle Management (DSP): 19
  • Governance, Risk and Compliance (GRC): 8
  • Human Resources (HRS): 13
  • Identity and Access Management (IAM): 16
  • Interoperability and Portability (IPY): 4
  • Infrastructure and Virtualization Security (IVS): 9
  • Logging and Monitoring (LOG): 13
  • Security Incident Management, E-Discovery and Cloud Forensics (SEF): 8
  • Supply Chain Management, Transparency and Accountability (STA): 14
  • Threat and Vulnerability Management (TVM): 10
  • Universal Endpoint Management (UEM): 14

To become a CSA STAR auditor, individuals need to take the training and pass the exam offered through CSA's training providers. For individual practitioners, CSA's own credential is the Certificate of Cloud Security Knowledge (CCSK), which teaches how to establish a baseline of security best practices across a broad array of responsibilities, from cloud governance to configuring technical security controls.


Tuesday, March 1, 2022

Third Party Risk Management

Third Party Risk Management (TPRM)

Third Party Risk Management is the process of identifying, assessing and controlling or mitigating the risks associated with outsourcing critical functions and services to external parties.

In other words, TPRM manages the risks related to third parties, also called vendors, suppliers, contractors and service providers.

Third party risks can be further categorized as: 

  • Operational risk
  • Information security risk
  • Regulatory risk
  • Financial risk
  • Strategic risk

Since third-party relationships are critical to the business, managing their risk is equally important to safeguard the organization. Almost every organization depends on third parties for some service or support.

In some scenarios a vendor uses another sub-vendor to deliver the service; these are known as fourth parties.

Here we discuss third-party assessment. During an engagement, the third party has some level of access to the primary organization, its information systems and its confidential data and information.

Many kinds of data may be shared with the third party, with or without explicit consent, such as: proprietary or confidential business information; personal data (name, address, mobile number); employee data and employee benefit information; financial data, bank account and credit/debit card data; organization insider information; IP addresses, locations and system configurations; software source code; access control lists and network configuration data; customer and corporate customer data; internal reports; and passwords, PINs and other login credentials.

So if an incident such as a data breach, cyber attack or data theft occurs in the third party's environment, it also threatens the primary organization: its employees and resources are affected, and reputational damage follows.

Key Components of TPRM

  • Risk Assessment
  • Due Diligence
  • Contractual Safeguard
  • Ongoing Monitoring
  • Incident Response

ISO/IEC 27001 has supplier relationship controls (Annex A) which require each organization to identify and document its suppliers in one place, along with the type of service they provide and the type of information access each supplier needs. A Non-Disclosure Agreement (NDA) should be signed between the organization and each supplier, and a supplier agreement should be established.

The supplier agreement should contain at least the following items:

  • Description or list of the information to be provided or the access rights given.
  • Classification of that information based on criticality (Restricted, Confidential, Internal, Public).
  • All legal and contractual requirements.
  • Acceptable usage policy.
  • Scope or service description.
  • The information security policies that apply.
  • Right to audit the supplier's processes and controls.
  • SLA terms and penalty conditions.
  • Further items as decided by the organization and its governance committee.

During the onboarding of a third party or vendor into an engagement, an initial assessment or due diligence activity should take place. This typically consists of end-to-end questionnaires whose answers are analyzed to determine the risk in the engagement.

A few sample assessment questions are listed below:

  • Is a business continuity plan (BCP) in place for the engagement?
  • What would the financial impact be if a breach occurred?
  • Is there any history of data breaches?
  • How many employees does the organization have?
  • What are the infrastructure and scope of the engagement?
  • Which applications will the supplier support?
  • What is the data retention policy?
  • How are data managed, stored and deleted?
  • How is the hosting service provided?
  • Through which medium does the vendor access the data?
  • Are technologies such as DLP, encryption, HTTPS or FTPS in use?
  • Is an escalation matrix drafted?
  • Is an information security policy in place?

Based on the answers, a risk score can be calculated and a vendor profile built. These assessments should be repeated at a set interval to catch any change in the vendor's people, process, technology or location. The resulting risk can be classified as Critical, High, Medium or Low for each vendor.

Vendors with a higher calculated risk are assessed again, in more depth, to determine threats, vulnerabilities and impact, because threats and vulnerabilities change over time. The identified risks must be closed in the remediation (risk treatment) phase and then continuously monitored.

During risk treatment or remediation, many controls can be drawn from standards, guidelines and the organization's own policies.

A question that may come to mind: what if a vendor refuses to follow the TPRM process or to sign the NDA? The simple answer is never to sign a contract with that vendor and to choose an alternative, of which the market has many.

If no alternative is available, the SLA and contract should be revised and accepted by both parties in accordance with applicable law.

Examples of TPRM tools that help organizations manage third-party risk:

  • RSA Archer
  • OneTrust
  • ServiceNow
  • SignalX
  • Aravo
  • Prevalent
Below is an illustration of the TPRM process (image not reproduced here; source: mazars.us).

This covers the basics of TPRM; it is a vast domain with a large future scope. All TPRM activities fall within the risk identification, risk assessment (evaluation), risk remediation and risk monitoring phases.

If you have any comments or suggestions, please provide them.

You can refer to the links below for more information.

https://signalx.ai/blog/11-best-tools-for-third-party-risk-management/

https://www.onetrust.com/blog/third-party-risk-management/


Thank you.

-DR 


Thursday, February 3, 2022

The Flexbooker Data Breach | Cyber news

FlexBooker is an online appointment-scheduling platform that handles bookings, employee calendar syncing, automatic time-zone conversion, waitlists and integration with video-calling applications. Many tax, food and beverage, and manufacturing companies around the globe use FlexBooker within their organizations.

In January 2022 FlexBooker acknowledged and apologized for a data breach that occurred the previous December, exposing the sensitive information of 3.7 million users, including full names, email addresses, phone numbers and appointment details. Partial credit card data and hashed passwords were also included.

According to the company (as reported by ZDNet), the customer database was hosted on an Amazon Web Services (AWS) server whose account FlexBooker had misconfigured. The company said the server was compromised during a Distributed Denial of Service (DDoS) attack; note that a DDoS on its own only disrupts availability, and the data loss came from the storage being accessed, as described below. Within about 12 hours FlexBooker restored from backup and was able to operate normally.

A hacker group known as "Uawrongteam" claimed responsibility for the attack. During the incident the system's data storage was accessed and its contents downloaded, then leaked on an online forum dedicated to trading stolen data. According to the attackers, the database contained around 10 million lines of customer (demographic) information.

Things need to be considered to keep safe organizational data:

  • Always encrypt data at rest and in transit.
  • Review the user access policy and user access list at regular intervals.
  • Customers should use strong passwords and change them regularly.
  • Passwords must be protected and never stored in recoverable form.
  • Build an effective backup and recovery system as a high priority.
  • Protect systems from unexpected power outages.
  • Use firewalls and antivirus to protect sensitive data.
  • Customers should not hand over personal data unless it is mandatory.
  • Human error cannot be ignored, so continuously educating the workforce through training programmes is vital to protect the organization from data breaches.

So privacy matters. Never underestimate it.

-DR

Tuesday, February 1, 2022

Understanding Virtual Reality

Virtual Reality Basic understanding

Many of us have experienced virtual reality through a VR box used with a mobile phone. VR is the use of computer technology to build simulated environments with interactive interfaces. Virtual reality places the user inside a three-dimensional experience in which an apparently real situation, with its own space and time, is emulated. Instead of viewing a screen in front of them, users are immersed in and interact with 3D worlds.

Technology

VR technology commonly consists of different types of gadgets such as headsets, specialized data gloves, cameras, Vive controllers, joysticks and motion trackers. Besides native applications, web-based VR makes the technology accessible through a web browser.

Virtual reality (VR) is an all-enveloping artificial and fully immersive experience that obscures the natural world. 

The key features of VR:

Believable:

Virtual reality primarily focuses on creating an environment that the user believes in when it is presented to them; otherwise the illusion rendered by virtual reality tends to disappear.

Interactive: 

Virtual reality systems focus on responding to the user's actions so that the interaction feels realistic.

Immersive: 

The immersive experience lets the viewer manipulate and interact with the imagined or virtual world.

There are many types of VR available such as;

  • Fully Immersive
  • Non-immersive
  • Augmented Reality
  • Collaborative VR
  • Web based VR

Fully Immersive

A fully immersive VR experience is obtained by integrating three different aspects. First, a virtual world needs to be developed as a computer simulation that encourages users to explore it and become immersed in it. Second, a sufficiently powerful computer is needed to track the users' movements in real time and adjust the experience accordingly. Third, hardware linked to the computer (headset, controllers, trackers) immerses the users inside the simulated world. The result is a 360-degree feeling of actually being in the environment.

Non-immersive VR

Non-immersive VR provides a computer-generated environment without the feeling of being deeply involved in the virtual world.

Augmented reality (AR) 

AR, which has come into the picture more recently, enhances the user's real-world view with digital overlays of highly visual, interactive artificial objects. In AR, the real world is viewed directly or via a device such as a camera, and that view is augmented with computer-generated inputs such as still graphics, audio or video.

AR is different from VR because it adds to the real-world experience rather than creating a new experience from scratch.

Collaborative VR

Collaborative VR, or a collaborative environment, is one in which people collaborate from remote locations, such as a virtual meeting room.

Example: Facebook, The wild, Arthur, Hoppin, Moot Up, Glue, etc.

Web based VR

Web-based VR lets you experience VR directly in your browser without installing an application; browser-based VR also supports AR.

Examples of web based VR are, showroom, Zoo, Interspace sudio, Konterball etc. 

These are only the basics of virtual reality, presented for your understanding.

Thanks!!

-DR

Tuesday, January 25, 2022

Robotic Process Automation or RPA

Automation

Automation means using machines to do work that humans would otherwise do; it replaces tasks, not people.

Automation goes by many names, such as:

bots, business process automation, RPA, email automation, software robotics, intelligent automation, digital labor, artificial intelligence, "robots taking jobs".

Many of us have heard that RPA will replace our jobs and leave us jobless. But that is just a false statement by a robot.

RPA, or Robotic Process Automation, does not involve physical machinery or mechanical robots. It is a software robot that optimizes business processes by replicating human actions in digital applications and thereby minimizing human error.

It is a software technology that makes it easy to build, deploy and manage software robots that replicate human actions. It has reached social media platforms too: a chat bot can answer on your behalf while you sleep.

In short, it is software that mimics human behaviour; that behaviour is rule-based and the software requires digital inputs.

Below is a list of RPA functions and use cases:

  • Logging in to an application
  • File management, including moving files and folders
  • Chat bots that respond with predefined options
  • Copying and pasting data
  • Completing online forms
  • Email processing
  • Answering telephone calls
  • Reading screen contents
  • Navigating systems
  • Identifying and extracting data
  • Candidate recruitment processes
  • HR systems
  • Time and attendance management systems
  • Education and training
  • Supply and demand planning
  • Social media handling

Unlike traditional software, RPA can work across multiple sectors such as power and utilities, healthcare, telecom and IT, and can operate various applications through a single user interface.

Benefits:

The benefits of RPA are:

  • RPA streamlines workflows, which helps organizations make more profit.
  • It helps many industries address their specific operational issues in new ways.
  • Organizations become more flexible and responsive.
  • It decreases operational cost.
  • It improves compliance and customer satisfaction.
  • Staff have more time to think about how to develop further.
  • It helps accelerate transformation with greater resilience.
  • It brings more accuracy and boosted productivity.

Examples of RPA tools include UiPath, Blue Prism, Automation Anywhere, WorkFusion, Kofax, EdgeVerve and Kryon Systems. You can refer to these companies' own websites and white papers for details.

So these software bots take over repetitive, lower-value work so that humans are free to focus on what they do best and think more about innovation.

Note that RPA is not Artificial Intelligence (AI), but combining AI with RPA produces more output and increases what can be automated.

This is just an overview; refer to other sources for further understanding.

-DR

Tuesday, January 18, 2022

What is Blockchain Technology

Blockchain Technology

A blockchain is a type of database used as a digital ledger. It is distributed over a computer network and stores information in digital format. The best-known example is cryptocurrency, which is built on blockchain technology.

Blockchain is a technology, or concept, that has helped revolutionize activities carried out in the digital world. It contributes to the level of trust between the parties involved in a transaction.

In a blockchain, data are structured and kept in groups known as blocks. Each block has its own storage capacity and is linked to the previous block, forming a chain. Each block in the chain carries its own timestamp, and the blocks are secured and linked to one another through cryptographic hashes.

Components of a Block

A block is divided into two parts: header and body.

The header contains the identity of the block (its index or height), a summary of the transactions (the Merkle root), the hash of the previous block's header and a timestamp. The body stores the transaction data itself, organized as a tree (a Merkle tree) whose leaves are the individual transactions.

In a traditional database all data are stored in a centralized location, whereas in a blockchain the data are replicated across many decentralized nodes. So in a traditional database, if the central node fails the entire database becomes inaccessible, whereas in a blockchain the ledger remains accessible even if one or more nodes fail.

Another prime component of blockchain is the distributed ledger: a database replicated across diverse locations and used by a large number of users. In contrast to a centralized ledger, it operates in a decentralized manner. The entries stored in the distributed ledger carry their own timestamp and a unique cryptographic signature.

Presently blockchain technology is used in multiple areas such as dispute management, policy enforcement, tax management, data repositories, financial transaction processing, rules management, electoral or voting processes, medical records management, land records, education and certificate issuance.

In India, governments in many states have started implementing blockchain in many sectors (referenced Twitter image not reproduced here).


Advantages of using Blockchain

  • Transaction Transparency
  • Not a single point of failure
  • Collaboration
  • Audit supporting
  • Reliability

Risk

One risk associated with Distributed Ledger Technology (DLT) is cyber risk. Because the ledger does not itself check the correctness of the data written to it, and does not provide a way to rectify entries once stored, incorrect data can accumulate in the system. Such data weakens the system and, if a cyber attack occurs, can lead to data leakage.

-DR

Saturday, January 15, 2022

Log4j Vulnerability overview

Log4j Vulnerability

In December 2021, just before the year-end holidays, the Log4j vulnerability became known and was actively exploited across the globe. It was a zero-day vulnerability in the widely used Apache Log4j 2 Java logging library that could be weaponized to execute malicious code, deliver malware or ransomware, and allow complete takeover of a vulnerable system.

According to Microsoft's research, the vulnerability allows remote code execution by an unauthenticated attacker, giving complete access to a target system. It is triggered when a specially crafted string is parsed and processed by the vulnerable Log4j 2 component; any user-provided input that ends up being logged can be the vector. Successful exploitation allows arbitrary code execution in the targeted application.

The vulnerability was identified as a remote code execution flaw, rated critical (CVSS 10.0), and assigned CVE-2021-44228.

A zero-day vulnerability is a flaw in software for which no official patch or security update has been released; the vendor may or may not yet be aware of it.

By December 14, 2021 it was established that Log4j 2 versions 2.0-beta9 through 2.14.1 are affected by CVE-2021-44228, and that the first fix in 2.15.0 was incomplete (CVE-2021-45046), so 2.15.0 is also treated as affected. Many OEMs and software vendors were impacted, including Cisco, Microsoft and Oracle, and many organizations published advisories for the Log4j vulnerability.

Attackers also circulated fake Log4j patches loaded with malware and ransomware.

Advisories therefore warned to obtain updates only from official sources. All systems, including those that are not internet-facing, are potentially vulnerable, so backend systems and all microservices should be upgraded as well. No Java version upgrade mitigates these vulnerabilities on its own; the recommended action is to update Apache Log4j. Systems already updated to 2.15.0 should move to 2.16.0 or later as soon as possible for protection against the follow-on vulnerabilities.
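Finding which systems still carry an exposed copy of log4j-core is the first step of the upgrade recommended above. The Python script below is an added example (not from the post and not from Apache): it walks a directory tree, reads the version that Maven records inside each log4j-core JAR, and checks whether JndiLookup.class is still present, since deleting that class from the JAR was Apache's documented mitigation for deployments that could not upgrade immediately. It does not descend into nested JARs inside WAR/EAR files, and the back-ported security releases for old Java lines (2.12.x, 2.3.x) are not special-cased (assumption). The sample JARs are constructed in a temporary directory so the script runs offline.

```python
"""Find Log4j 2 core JARs on disk and flag those exposed to CVE-2021-44228.

Added example, not code from the original post or from Apache. It reads the
version Maven records inside log4j-core JARs and checks whether the
JndiLookup class (the component that performs JNDI lookups) is still present.
Sample JARs are constructed in a temporary directory so the script runs offline.
"""
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# The post's advice is to move to 2.16.0 or later. Back-ported fixes for old
# Java lines (2.12.x, 2.3.x) are not special-cased (assumption: not in use).
FIXED_MIN = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def assess_jar(path):
    """Return a finding dict for a log4j-core JAR, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            has_jndi = JNDI_LOOKUP in names
    except zipfile.BadZipFile:
        return None
    if version is None and not has_jndi:
        return None  # some other JAR
    vt = parse_version(version)
    # Exposed when the lookup class is still present and the version is below
    # the fixed line; an unknown version is treated as vulnerable.
    vulnerable = has_jndi and (vt is None or vt < FIXED_MIN)
    return {"path": path, "version": version,
            "jndi_lookup_present": has_jndi, "vulnerable": vulnerable}


def scan_tree(root):
    """Assess every *.jar under root; results keyed by file name."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                result = assess_jar(os.path.join(dirpath, name))
                if result is not None:
                    findings[name] = result
    return findings


def build_sample_jar(path, version, include_jndi):
    """Construct a fake log4j-core JAR containing only the entries this check inspects."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def demo():
    """Constructed sample tree: one vulnerable, one stripped, one upgraded, one unrelated."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    build_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
    # Same version, but JndiLookup.class deleted from the JAR (Apache's interim mitigation)
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)
    with zipfile.ZipFile(os.path.join(root, "unrelated.jar"), "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return scan_tree(root)


if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        print(f"{name}: version={finding['version']} jndi={finding['jndi_lookup_present']} "
              f"vulnerable={finding['vulnerable']}")
```

Run it against real application directories instead of the constructed tree to build an inventory; a JAR that reports no version but still contains JndiLookup.class (a repackaged or shaded copy) is reported as vulnerable on purpose, because that is exactly the copy a version-only check would miss.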

This was only basic information about the vulnerability. Refer to vulnerability databases, specific guidelines and advisories, or contact the vendor before applying any security patches.

Thanks!

-DR

Saturday, January 1, 2022

Welcome to New Year 2022

Hello world !

A warm welcome to everyone to the beginning of a new year.

Wishing everyone a Happy New Year 2022. Stay Blessed and Happy.

May this year bring lots of changes and be filled with more excitement.

This year I am planning to bring more and more technology contents if the time allows. 

Note that this blog is always being updated. Whenever I find useful information, I add it in my own way, whether to an older post or a newer one. So just check in, walk through and read the posts you are interested in.

Many posts are in draft mode and under edit. Due to lack of time they are delayed, but they will surely come. So stay tuned.

This year I have a thought to add information on new disruptive technologies and how the world is changing with technology such as RPA, Machine Learning, Business Intelligence, Blockchain, 3D printing etc. Although these technologies were introduced a couple of years back, development is still ongoing in different aspects and areas.

So Just walkthrough to understand the concepts and fundamentals.

Thanks once again for trusting me and reading this blog!

Stay Safe.

Take Care.

-DR
