Monday, June 15, 2015

Questions about SaaS

Came across this link and found it interesting. It has very useful questions about SaaS:

http://www.salesforce.com/in/saas/questions-about-saas/

Saturday, April 19, 2014

BYOD risks and Security Policies tips

Bring Your Own Device (BYOD) is a growing trend and a winning solution. However, it is still a risky proposition: adopting this approach carries many risks, yet it keeps gaining popularity because of the benefits it brings.

The first step is to understand the perceived risks and evaluate them against the organization's security posture. Below are a few BYOD risks to consider:
Too Many Permissions
Mobile application makers have to request permission to access device resources such as the camera and contacts. These restrictions are provided by the mobile OS vendors, which is good to have. The bad part is that most users grant permissions almost automatically during the application install process and don't pay much attention to the fine print. Data leakage is a possible result for an application with too many permissions, because those permissions could expose contacts, email IDs and device location data to unscrupulous people.
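
One way to make the "too many permissions" review concrete is to read the permissions an Android app declares in its manifest and compare them with what the app's stated purpose justifies. The script below is an added example, not part of the original post or of any Android tooling: the manifest, the hypothetical flashlight app `com.example.flashlight`, the set `FLASHLIGHT_ALLOWED` and the mapping `DATA_LEAK_PERMISSIONS` are all constructed here (the permission identifiers themselves are real Android names). It reports which requested permissions exceed the app's need, which of the data classes named above (contacts, email IDs, location) they reach, and whether the app also has a network path off the device.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission identifiers mapped to the kind of data they expose.
# The grouping is this example's own review policy, not an Android list.
DATA_LEAK_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "e-mail ids (account names)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.CAMERA": "camera",
}

# Constructed manifest for a hypothetical flashlight app (not a real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

# What a flashlight app plausibly needs: the camera permission (flash LED).
FLASHLIGHT_ALLOWED = {"android.permission.CAMERA"}


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def review_permissions(manifest_xml, allowed_for_app):
    """Compare requested permissions against what the app's purpose justifies.

    Returns (excess, exposed, can_exfiltrate):
      excess         - permissions beyond the allowed set, in manifest order
      exposed        - sorted data classes those excess permissions reach
      can_exfiltrate - True if INTERNET is also requested, i.e. the reachable
                       data has a network path off the device
    """
    requested = requested_permissions(manifest_xml)
    excess = [p for p in requested if p not in allowed_for_app]
    exposed = sorted({DATA_LEAK_PERMISSIONS[p] for p in excess
                      if p in DATA_LEAK_PERMISSIONS})
    can_exfiltrate = ("android.permission.INTERNET" in requested) and bool(exposed)
    return excess, exposed, can_exfiltrate


if __name__ == "__main__":
    excess, exposed, net = review_permissions(SAMPLE_MANIFEST, FLASHLIGHT_ALLOWED)
    print("excess permissions:", excess)
    print("data reachable    :", exposed)
    print("network path      :", net)
```

The allowed set is the policy input: a reviewer writes down what the app category legitimately needs, and everything else in the manifest is flagged. Flagging the combination of a data-reaching permission with INTERNET separately is useful because that pairing is what turns over-permission into a leakage path.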

Spyware/Adware
Many freely available mobile applications collect the device owner's data in an effort to sell it to advertising networks. A mobile application collecting data without requesting the owner's permission is considered adware or spyware. A few applications also install aggressive ad-driven search engines on the device to send users to specific advertiser websites.

Rooted & Jailbroken Devices
Device firmware can be jailbroken or rooted, and tools have automated the process so that it gets done with a few mouse clicks. Jailbreaking removes restrictions imposed by the device maker that are designed to improve device security. Rooting gives the device owner administrator-level permissions, enabling them to install and run apps that could be malicious in nature.

Software and Device Loopholes
Corporate data can be exposed if an employee fails to apply software security updates on their devices, and the update process itself can be complicated on some devices. Coding errors in the third-party applications on employee devices are difficult for the organization to control.

Cloud Storage Services
Cloud storage services like Dropbox offered on mobile platforms can be a data-leakage concern. Employees could use these services to store company data if the organization has not defined the required restrictions on sensitive data or has not enforced restrictions on using mobile cloud storage apps. Depending on organizational requirements, it is good to have an approved storage solution at the organizational level so that employees won't try to bypass security controls.

Stolen or Lost Devices
This is one of the biggest risks to an organization: employees losing a device that is connected to the corporate network. Some organizations have implemented ways to remotely wipe any corporate data, such as email and contacts, from a lost device. Pushback from employees who don't want to give their employer unfettered access to their device has prompted companies to take a closer look at containerization. By containerizing business data on the device, IT security teams gain the ability to selectively wipe corporate data if the device is stolen or lost.

Wireless Access Point (WAP) Exposure
Some employee devices connect to the Internet using whatever open wireless access point is available. Open wireless networks, such as those in hotels or public areas, can put device owners at risk of man-in-the-middle attacks and other threats. To mitigate this threat, organizations can take advantage of technology designed to force wireless users onto a VPN when accessing corporate resources.

Rising Android Malware
Recent mobile malware trends show a steady increase in malware targeting Android devices. The bulk of the threat is made up of SMS text-messaging Trojans targeted at consumers, but enterprises are not immune. F-Secure detected Zeus and SpyEye banking Trojans that attempt to take advantage of a victim's mobile device. Kaspersky Lab recently identified Red October, a targeted attack campaign that had a mobile malware component.

After looking at these risks, here are a few suggestions/tips for good security policies and controls to mitigate them; which ones apply depends largely on organizational needs. A few examples of good security policies:

- Enforce two-factor authentication for remote company server access. This includes something you know (e.g. a PIN) and something you have (e.g. a security token).
- Only allow device types that support remote location and remote data deletion. The majority of brands have this feature or support applications which provide this function.
- Limit access to corporate information based on the type of device and employee need. For example, allow employees to access only email via their smartphone. If certain employees require remote access to the company server, allow such access only through a secure VPN connection.
- If employees have access to the company database, ensure that corporate files can only be saved to the company server, not downloaded to the remote device used to access them.
- Each employee enrolled in BYOD should sign an EUA (end-user agreement), or an equivalent clause in their employment letter, which clearly identifies the employee's obligations, grants the company certain rights with respect to the device so that data can be removed if necessary, addresses reimbursement for data charges, and specifies how to handle data loss.

Conclusion


BYOD is an approach which many organizations are adopting because of its benefits. As with any other technology there are risks involved even with BYOD and can be mitigated by implementing a strong policy incorporating some or all of the technical, legal and administrative safeguards.

References & Take-away:
http://www.crn.com/slide-shows/security/240157796/top-10-byod-risks-facing-the-enterprise.htm by Robert Westervelt July 26, 2013

Wednesday, December 15, 2010

Cryptography Basics

Sometimes you may wonder how you could transfer your data/information to someone without revealing it to others. Well, the answer is cryptography. (Note: this post covers the basics, for readers who are just starting out.)

What is Cryptography?

It is a practice by which you can hide information. You hide it by writing it in a form that can only be understood by the intended recipient. Isn't that great!! But there is nothing new in this: it has been used since ancient times, and has been broken many times.

How does it work in modern time?

The information you want to transfer is known as plaintext, and the process of converting it is known as encryption. The process of converting it back is known as decryption. Plaintext is encrypted, and decrypted again, using a key.

Types of cryptography

Broadly there are two types of cryptography:

Symmetric Key Cryptography: Also known as private key cryptography. Here both receiver and sender use the same key to encrypt and decrypt. It can be further categorized into block ciphers and stream ciphers. Some examples are the Data Encryption Standard (DES), the Advanced Encryption Standard (AES), RC4, RC2, etc. The major shortfall of this type is that if the key is compromised, the message is no longer hidden.

Asymmetric Key Cryptography: Also known as public key cryptography. Here there are two keys: one key is used to encrypt and the other to decrypt the message. It covers the major shortfall of private key cryptography, since the sender only ever holds his own private key, and the other party can decrypt the message only when the corresponding public key is known.

Which encryption is unbreakable?

You must be curious to know this. Well, it is the "One Time Pad". Every bit or character of the plaintext is encrypted by modular addition with a bit or character from a secret random key of the same length as the plaintext, resulting in a ciphertext.
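
The one-time pad is simple enough to write out in full, so here is an added example (not code from the original post) that implements the modular addition just described over bytes, mod 256. Beyond the encrypt/decrypt pair, it demonstrates two properties the definition implies: for a given ciphertext there is a pad that decrypts it to any other message of the same length (which is why the ciphertext alone reveals nothing), and if the same pad is used twice, the pad cancels out of the difference of the two ciphertexts (which is why "one time" is part of the name and the key must never be reused). The message strings and the fixed pad used for checking are constructed here.

```python
import secrets


def generate_pad(length):
    """A fresh, uniformly random pad exactly as long as the message."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, pad):
    """Ciphertext byte i = (plaintext byte i + pad byte i) mod 256."""
    if len(pad) != len(plaintext):
        raise ValueError("pad must be the same length as the plaintext")
    return bytes((p + k) % 256 for p, k in zip(plaintext, pad))


def otp_decrypt(ciphertext, pad):
    """Undo the modular addition: plaintext byte i = (c_i - k_i) mod 256."""
    if len(pad) != len(ciphertext):
        raise ValueError("pad must be the same length as the ciphertext")
    return bytes((c - k) % 256 for c, k in zip(ciphertext, pad))


def pad_that_yields(ciphertext, candidate_plaintext):
    """The pad under which `ciphertext` decrypts to `candidate_plaintext`.

    One exists for every candidate of the right length, so an observer
    holding only the ciphertext cannot prefer one message over another.
    """
    return bytes((c - p) % 256 for c, p in zip(ciphertext, candidate_plaintext))


def mod_difference(a, b):
    """Byte-wise (a_i - b_i) mod 256 of two equal-length byte strings."""
    return bytes((x - y) % 256 for x, y in zip(a, b))


def pad_cancels_on_reuse(m1, m2, pad):
    """Encrypting two messages under one pad: the difference of the two
    ciphertexts equals the difference of the plaintexts, with the pad gone.
    That loss of secrecy is what the 'one time' rule prevents."""
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)
    return mod_difference(c1, c2) == mod_difference(m1, m2)


if __name__ == "__main__":
    message = b"ATTACK AT DAWN"          # constructed sample message
    pad = generate_pad(len(message))
    ciphertext = otp_encrypt(message, pad)
    print("ciphertext:", ciphertext.hex())
    print("decrypted :", otp_decrypt(ciphertext, pad))
    other = b"HOLD POSITIONS"            # same length, different meaning
    print("a pad that decrypts it to", other, ":",
          pad_that_yields(ciphertext, other).hex())
    print("pad cancels when reused:", pad_cancels_on_reuse(message, other, pad))
```

`secrets.token_bytes` is used for the pad because the security argument rests on the key being truly random and unpredictable; a general-purpose pseudo-random generator would not give the property shown by `pad_that_yields`.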

There are many other concepts and advanced/wide topics in cryptography. Please revisit to read more on the advanced topics.

Thursday, December 9, 2010

Access Control Basics

To start with:

What is Access Control?

It is a system/service that provides the ability to control access to areas and resources in a computer-based information system or physical facility.

What is AAA?

AAA refers to Authentication, Authorization & Accountability.

Authentication: refers to the process of proving that you are who you claim to be, based on the factors below:

a. Something you know, like a passcode, password, etc.
b. Something you have, like a smart card, etc.
c. Something you are, like biometrics (fingerprint, retina scan, etc.)
d. Where you are, like in the office, outside the office, etc.

Authorization: refers to the process that decides what a person can do or which actions they can perform on objects. For example, based on your authorization level you may be able to read a document but not write to it.

Accountability: refers to the process that associates a subject with its actions, e.g. audit trails, logs, etc.

What are the models of Access Control?

The most common models are Discretionary Access Control and Non-Discretionary Access Control. Under Non-Discretionary Access Control, we have Mandatory Access Control (MAC) and Role Based Access Control (RBAC).

Discretionary Access Control (DAC): The owner of the object decides who is allowed to access it and with what privileges.

Mandatory Access Control (MAC): The system decides who is allowed to access an object and with what privileges, based on labels assigned to each object and subject. If both labels (subject and object) are the same, access is granted.

Role Based Access Control (RBAC): The system decides who is allowed to access an object and with what privileges based on the roles of individuals.
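
The three models differ in who makes the decision and on what input, which is easiest to see side by side in code. The following is an added example written for this post, not code from it: `DacObject` lets only the owner edit the access list, `mac_check` compares labels exactly as described above (real MAC systems such as Bell-LaPadula compare labels with an ordering rather than requiring equality, so treat the equality rule as the post's simplification), and `rbac_check` attaches permissions to roles rather than to users. The users, roles, labels and object names are all constructed.

```python
# --- Discretionary Access Control: the object's owner keeps the ACL -------
class DacObject:
    """A file-like object whose owner decides who may do what."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: {"read", "write"}}  # owner starts with full rights

    def grant(self, actor, subject, permission):
        # Only the owner may change the ACL; anyone else is refused.
        if actor != self.owner:
            raise PermissionError("%s does not own %s" % (actor, self.name))
        self.acl.setdefault(subject, set()).add(permission)

    def check(self, subject, permission):
        return permission in self.acl.get(subject, set())


# --- Mandatory Access Control: the system compares labels -----------------
def mac_check(subject_label, object_label):
    """Grant when the subject's and object's labels are the same.

    This follows the post's description; systems such as Bell-LaPadula
    instead grant when the subject's label dominates the object's.
    """
    return subject_label == object_label


# --- Role Based Access Control: permissions attach to roles ---------------
# Constructed roles and assignments for the example.
ROLE_PERMISSIONS = {
    "clerk": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
}
USER_ROLES = {
    "alice": {"accountant"},
    "bob": {"clerk"},
}


def rbac_check(user, obj, permission):
    """Grant when any role held by the user carries (obj, permission)."""
    return any((obj, permission) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def demo():
    """One read/write decision per model; returns the three outcome pairs."""
    report = DacObject("quarterly-report.txt", owner="alice")
    report.grant("alice", "bob", "read")           # owner's discretion
    dac = (report.check("bob", "read"), report.check("bob", "write"))
    mac = (mac_check("secret", "secret"), mac_check("secret", "confidential"))
    rbac = (rbac_check("alice", "ledger", "write"),
            rbac_check("bob", "ledger", "write"))
    return dac, mac, rbac


if __name__ == "__main__":
    for model, outcome in zip(("DAC", "MAC", "RBAC"), demo()):
        print("%-4s (allowed, denied) =" % model, outcome)
```

Note what each decision depends on: in DAC the answer changes whenever the owner edits the ACL, in MAC neither party can change the labels, and in RBAC changing a user's job means reassigning a role rather than touching every object.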

Monday, August 30, 2010

A Few Ways Hackers Break Security & Recommendations

Exploiting Defaults
When you install software/an application, it comes with default settings like the default installation path, passwords, folder names, etc.

Many compliance standards suggest you avoid this situation. Use the customized options as much as possible. Try to avoid installing operating systems into the default drives and folders, and don't install applications and other software into their default locations.

Man-in-the-Middle Attacks
The man-in-the-middle attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.

Protection techniques: avoid clicking on links found in e-mails, and always verify that links from Web sites stay within trusted domains and still maintain SSL encryption. Deploy IDS (Intrusion Detection System) systems to monitor network traffic as well as DNS and local systems.
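
The "stay within trusted domains and keep SSL" check above can be automated for links found in e-mail. The script below is an added example, not part of the original post: it pulls URLs out of a message body and passes each one only if it uses https and its host is a trusted domain or a subdomain of one. The trusted-domain set (`example.com`), the sample message and the documentation address 198.51.100.7 are constructed for this example. Two cases that a naive "does the text contain example.com" test gets wrong are handled: a host that merely begins with the trusted name (`example.com.verify-login.net`) and a URL where the trusted name sits in the userinfo part before `@`, so the real host is whatever follows.

```python
import re
from urllib.parse import urlsplit

# Constructed: the domains the organization considers its own.
TRUSTED_DOMAINS = {"example.com"}

# Constructed message mixing legitimate and suspicious links.
SAMPLE_EMAIL = """\
Your mailbox is almost full. Sign in at https://mail.example.com/quota to
review it. Help is at http://example.com/help (no TLS on this one).
Urgent: verify your account at https://example.com.verify-login.net/reset
or at https://example.com@198.51.100.7/login before Friday.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(text):
    """Pull URLs out of free text, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]


def link_verdict(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason): ok only for https links on a trusted domain."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not https"
    if parts.username is not None:
        # In "https://example.com@other-host/" the text before '@' is
        # userinfo, not the host; the real host is what follows it.
        return False, "userinfo before host"
    host = (parts.hostname or "").rstrip(".")   # hostname is lowercased
    if not host:
        return False, "no host"
    for domain in trusted:
        # exact match or a true subdomain; "example.com.other.net" fails
        if host == domain or host.endswith("." + domain):
            return True, "trusted domain"
    return False, "host %r outside trusted domains" % host


def audit_email(text, trusted=TRUSTED_DOMAINS):
    """Map every link in the message to its verdict."""
    return {url: link_verdict(url, trusted) for url in extract_links(text)}


if __name__ == "__main__":
    for url, (ok, reason) in audit_email(SAMPLE_EMAIL).items():
        print("%-5s %-50s %s" % ("OK" if ok else "BLOCK", url, reason))
```

Parsing with `urlsplit` rather than string matching is the point: the host is whatever the URL parser says it is, which is also what the browser will connect to.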

Stealing Passwords
Multi-factor authentication is the best possible and recommended way to protect against this. However, many places still depend only on passwords. With the increasing capacity of computers, passwords can be cracked easily by dictionary attacks, brute force attacks, and hybrid attacks (to name a few). Other factors involve human capacity: as humans we can only remember passwords of a certain length, and as a result people may write their password down in different places. There are other factors, like insecure protocols that transfer passwords in clear text, keystroke loggers, shoulder surfing/video surveillance, reusing the same password in different places, etc., which create this risk. Password theft, password cracking, and even password guessing are still serious threats to IT.

The best protection against these threats is to deploy multi-factor authentication systems and to train personnel regarding safe password behavior.

Trojan Horses
A Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial-of-service attacks. A Trojan horse could be delivered via e-mail as an attachment, presented on a Web site as a download, or placed on removable media (memory card, CD/DVD, USB stick, floppy, etc.).

In any case, the protection is automated malicious code detection tools, such as modern anti-virus systems and other specific forms of malware scanners, together with user training.

Extensive Learning
External hackers learn how to overcome your security barriers by researching your organization. This process can be called reconnaissance, discovery, or footprinting. Ultimately, it is intensive, focused research into all information available about your organization from public and not-so-public resources.
If you've done any research or reading into warfare tactics, you are aware that the most important weapon you can have at your disposal is information. Hackers know this and spend considerable time and effort acquiring a complete weapon store. What is often disconcerting is how much your organization freely contributes to the hacker's weapon stockpile. Most organizations are hemorrhaging data; companies freely give away too much information that can be used against them in various types of logical and physical attacks. Here are just a few common examples of what a hacker can learn about your organization in very little time:
• The names of your top executives and any flashy employees you have by perusing your archive of press releases.
• The company address, phone number, and fax number from domain name registration.
• The service provider for Internet access through DNS lookup and traceroute.
• Employee home addresses, phone numbers, employment history, family members, previous addresses, criminal record, driving history, and more by looking up their names in various free and paid background research sites.
• The operating systems, major programs, programming languages, specialized platforms, network device vendors, and more from job site postings.
• Physical weaknesses, vantage points, lines of sight, entry ways, covert access paths, and more from satellite images of your company and employee addresses.
• Usernames, e-mail addresses, phone numbers, directory structure, filenames, OS type, Web server platform, scripting languages, Web application environments, and more from Web site scanners.
• Confidential documents accidentally posted to a Web site from archive.org and Google hacking.
• Flaws in your products, problems with staff, internal issues, company politics, and more from blogs, product reviews, company critiques, and competitive intelligence services.
A hacker will spend most of their time on information-gathering activities. The more the attacker learns about you, the easier the subsequent attack becomes.
As for defense, you are ultimately at a loss, mainly because it is already too late. Once information is out on the Internet, it is always out there. You can obviously clean up and sterilize any information resource currently under your direct control. You can even contact third-party information repositories to request that they change your information. Some online data systems, such as domain registrars, offer privacy and security services (for a fee, of course). You can also control or limit the output of information in the future by being more discreet in your announcements, product details, press releases, etc.
However, it is the information that you can't change or remove from the Internet that will continue to erode your security.
The only way to manage uncontrollable information is to make changes to your environment so that it is no longer correct or relevant.

Social Engineering

Firewalls, IDS’s, IPS’s, and anti-malware scanners have made intrusions and hacking a difficult task.
However, the bad news is that many hackers have expanded their idea of what hacking means to include social engineering: hackers are going after the weakest link in any organization's security, the people.
People are always the biggest problem with security because they are the only element within the secured environment that has the ability to choose to violate the rules. People can be coerced, tricked, duped, or forced into violating some aspect of the security system in order to grant a hacker access. The age-old problem of people exploiting other people by taking advantage of human nature has returned as a means to bypass modern security technology.
Protection against social engineering is primarily education. Training personnel about what to look for, and to report all abnormal or awkward interactions, can be an effective countermeasure. But this is only true if everyone in the organization realizes that they are a social engineering target. In fact, the more a person believes that their position in the company is so minor that they would not be a worthwhile target, the more they are actually the preferred target of the hacker.

Keeping an Eye on New Vulnerabilities

Hackers always keep an eye on the development of vulnerabilities using web searches, blogs, etc. The more the hacker can discover about possible attack points, the more likely it is that they can find a weakness you have not patched, protected, or even become aware of. To combat vulnerability research on the part of the hacker, you have to be just as attentive as the hacker.
You have to monitor developments on new vulnerabilities by checking blogs, discussion forums, etc., and you need to watch the third-party security oversight discussion groups and web sites to learn about issues that vendors are failing to make public or that don't yet have easy solutions. These include places like securityfocus.com, US-CERT, CVE, etc.

Insider

All too often when hacking is discussed, it is assumed that the hacker is some unknown outsider. However, studies have shown that the majority of security violations are actually caused by internal employees. So, one of the most effective ways for a hacker to breach security is to be an employee. This can be read in two different ways. First, the hacker can get a job at the target company and then exploit that access once they gain the trust of the organization. Second, an existing employee can become displeased and choose to cause harm to the company as a form of revenge or retribution.

In either case, when someone on the inside decides to attack the company network, many of the security defenses erected against outside hacking and intrusion are often ineffective. Instead, internal defenses specific to managing internal threats need to be deployed. This could include keystroke monitoring, tighter enforcement of the principle of least privilege, preventing users from installing software, not allowing any external removable media source, disabling all USB ports, extensive auditing, host-based IDS/IPS, and Internet filtering and monitoring.

Information Security Policy

Every organization should have an IS policy in place which deals with Risk Management, Crisis Management, Incident Management, etc. These types of policies ensure that you have the right things in the right place.

Having a policy alone won't help; you should also ensure that your organization adheres to those policies. The organisation should have a proper team and department for information security. After all, information is the most vital piece of organizational success.

Friday, August 27, 2010