Monday, February 19, 2018

SSCP Video Course - Understanding Security Basics


Confidentiality, integrity and availability are the three pillars of information security. All security professionals aim to achieve one or all of these three when designing an information security program. While the video above explains these terms and many others in a detailed and simplified manner, here I take up a complete scenario to help you understand the context in which these terms can be used.

John has newly joined the company “IloveITSolutions” as a security practitioner and has been instructed to find ways to improve security by implementing confidentiality. The company is extending into the e-commerce domain and would like to explore how it can provide a seamless experience to the customer by making its site available 24x7. The CSO has also instructed him to explore ways to reduce fraud in the company in light of certain events. What should John do?

Such scenarios are common in the SSCP and CISSP exams, and hence it is important to understand the basic concepts of security. The above video explains these concepts in detail.

Exam Tip:

From an exam perspective, read every question very carefully. The examiner may confuse you either by giving an extremely long scenario and asking questions in relation to it, or by giving a direct question with extremely difficult choices.

Saturday, February 17, 2018

The CISSP CAT Exam Experience


I wrote a blog post in the month of December in which I detailed the new CISSP CAT format being launched by (ISC)2. The post gave details about the new exam: what it would be all about, what the new exam means for you, and important points to consider. Well, since I had passed the exam way back in July, there was no way I would decide to sit for this difficult exam again. Luckily, a few of my friends took the CISSP CAT exam and passed it, so I spoke to them to understand their experience with this new exam format and decided to write about it. So here it goes…

The Study Material

The first question that comes to everyone’s mind is: do I need to look for new study material since the exam format has changed? The answer is NO. The CISSP study material remains the same. My friends referred to the following material, but this is not an exhaustive list in any way. My recommendation would be to stick to one particular book and get to know every word and line of it. It is extremely important to understand the concepts rather than focus on gathering 50 different books or videos and getting confused in the end.


Choose whatever suits you best in terms of understanding and writing style.

The Preparation

The new format does not bring any changes to the preparation for this exam from a course material or study perspective. You would have to read, understand and revisit every concept of information security. Yes, the new format may affect some candidates mentally. Study well and take time and learn at your own pace. One of my friends took around six months to prepare for this exam, while the other one just gave it a shot within 5 weeks. So take your time as everyone is different.

Revise every concept again and again. We generally tend to focus on concepts which we are comfortable with. Remember, CISSP has 8 domains and you cannot be an expert in all of them. So make the strong concepts stronger and the weaker ones the strongest. Another piece of advice during preparation is to practice as many questions as you can. You will never be able to get the same difficulty level as the real exam. However, the practice tests, as well as the mock exam, will help give direction to your grey cells to understand how a concept could be questioned.

The Exam Time

The formalities remain the same as in the previous exam format. You can refer to the details in the blog post “Quick tips for the CISSP exam”. Let’s focus on the exam experience. All of the people I spoke to assured me that the exam is a difficult one. The difficulty level has not been compromised. When you sit in front of the computer screen, you are presented with an NDA which you need to sign within the next 5 minutes. Failure to sign the NDA will result in the cancellation of the exam. Noticeably, there are a few changes: the timer for the exam now shows 180 minutes instead of 360 minutes. Some of you may really feel disappointed that the “Review” and “Review & Flag” options have died in this shift.

Friday, February 16, 2018

Launch of SSCP Video Course on YouTube Channel "Learning Security with Mayur"


When I started preparing for "Systems Security Certified Practitioner" certification offered by (ISC)2, there was hardly any free video course material available on the internet for this exam. Even today when you try to find some course material on this exam, you end up either paying heavily on some website(s) or finding video lectures which are extremely outdated.

Hence, as promised earlier, I launch the SSCP video course on my YouTube channel "Learning Security with Mayur". I request you to share, comment, like and subscribe to it.

The videos will also be available on the blog with additional description and pointers. Posts on the topics described in the videos will also be available on the blog. 

Salient Features of this Course:

1. It’s FREE. Yes, it’s absolutely FREE.
2. I have covered the entire course content in a detailed manner (all domains).
3. I have provided an exam perspective at the end of every video. Having given the SSCP exam, it feels great to share my own experience.
4. Analogies and real-life examples to help explain the concepts in a really simple manner.
5. Up-to-date content.

(The entire course will be available in some time.)

In case you want certain specific topics to be included or explained in detail, comment on the video(s) so that I can improve the content.

Looking forward to your love and support as always.

Happy Learning. 😊

Note: These videos are free ONLY for personal use. Connect with me for any kind of commercial usage in organizations or educational institutes.

Tuesday, February 13, 2018

[Cyber-Security Awareness Series] The Delay


YourDomain.com was a big name in the domain management of various Fortune 500 companies. Whenever a person or an organization wanted to buy or renew a domain name, “yourdomain.com” was the place to be for everyone. In a way, it was the market leader in this industry, holding a 90% market share.

It was the early morning of 13th February when Jason, the lead engineer, noticed something strange in the name servers of the company. The domains owned by the various customers were not reflecting on the administrative page. He immediately called his boss, informing him of the problem. He also called the help desk of the company, inquiring if any issues had been reported to them. Jason was surprised to hear that a number of customers had called and logged grievances. The domain names and websites of various top customers were either being redirected to objectionable websites or reported as offline. The messaging services were also affected as the domain was not reachable.

Jason’s boss, Yurik, hurriedly entered the office. He was on a call with the top management when Jason waved him to come immediately. The incident management team had also been called immediately. While everyone was trying to understand what had happened, a member of the incident management team declared that he no longer had access to the company's main application administrative page. He said that he had been shut out of the system because someone else had logged in as the administrator and locked him out.

Yurik wondered how the incident management team could be logged out of the system. Yurik asked the team if they could check who had logged into the system. While the team was checking, Maya, the PR manager, called Yurik. She had to release a statement to the media as multiple websites had reported about the offline domains of companies around the world. The number was mind-boggling. Around 333,000 websites had been misdirected or offline because of the domain name fiasco.

“Hacked” was what came to Yurik's mind when he responded to Maya.

While the incident management team was trying to log back in to the administrative server, Jason suggested shutting down the server and removing it from the network. In that manner, the administrator would have to wait to log in again until the server was back online. The incident management team decided to give this crude solution a try, as they would at least be able to log in to the system and go through the logs to identify the person behind this. However, they warned that this might lead to a loss of data. Yurik gave his go-ahead as no one had any other ideas.

Jason and Yurik looked on as the server rebooted. It took around 20 minutes for the incident management team to identify who had logged in to the system. The result was shocking.

Sunday, February 11, 2018

The New Age of Social Engineering


Many years ago, when social engineering started via mails, you could, if careful, easily identify a phishing mail. You could find mistakes in the emails which were sent: different font sizes in different lines, absurd mail ids etc. With time everyone improves, and so have the social engineers. It’s a new world and the rules of the game have changed completely. Welcome to the new age of social engineering.

Warrior Alone

For most users, the experience of dealing with a phishing mail is a solitary one. When you receive a mail in your inbox, you are the one who decides whether to open it or discard it, reply to it or flag it etc. If you take a wrong step, you can put the organization in grave danger. Occasionally, everyone has an inclination to either respond to a mail or click on a link which is provided in it.

Today’s social engineering schemes are a step ahead. Let’s consider some of them:

    1. Let’s Reply Back
    In earlier times when phishing mailers were sent, no one bothered to answer those emails in case you had a query. However, in today’s world, the players of this game spend both time and energy responding to each and every query to sound genuine.
    Consider this mail chain: The mail is replied to, and there is a trick in it when it is first sent out. The link is deliberately made not to work in the first mail sent. You may find it strange, but it’s a strategy. In this manner, people who respond will definitely fall into the trap of the malicious person. Since you receive a response back, you consider it to be genuine.

    2. Let’s be Vague
    Well, you may find it funny, but we have a tendency to respond to vague e-mails. We need to find out more about the mail sent to us. Consider this mail communication in which a fake mail comes. Since it is vague in nature and questions my work, I may respond to it like I did in this example below. The attachment containing the malware is now sent. Look at the note which is deliberately put to make me angry so that I open it. Even though the attachment may not be applicable to me, the work of the malicious person is done the moment I open it.

Monday, February 5, 2018

[Cyber-Security Awareness Series] Your Credentials, Your Identity



Mark was the head of the Marketing Department in the company “IloveITSolutions”. He had spent 25 long years in this organization. He was working on a marketing plan for an upcoming product launch. He had communicated his requirement of two interns for his department, which had still not been fulfilled. He called up the HR department to understand the delay in getting the two interns. HR communicated that the interns would be arriving today; however, they would be busy in a 2-day induction workshop organized for the new joiners. Mark was in no mood to let another 2 days pass by. He instructed HR to send those interns to him immediately. He was of the opinion that such induction sessions, where HR elaborated the policies of the organization, were of no use.

Around an hour later, two nervous faces entered Mark’s cabin. Mark instructed them to prepare a marketing proposal by the end of the day. Annie and John looked at each other and enquired about the credentials to be used for logging into the systems. Mark gave them his own credentials and went to attend some other planned meetings with his team members.

Well, Annie and John logged into the system using his credentials and found a treasure trove of data. They checked almost every presentation they could find, from upcoming product launches to marketing plans for the next year. They also worked on the presentation which Mark had instructed them to do.

After working with Mark for about a month, Annie and John left the company. They wanted to take up a regular job now. They got an offer from a competitor firm, “Me2ITSolutions”.

Jack was the head of the marketing department in Me2ITSolutions and was quite interested in understanding what Annie and John had learned about marketing from the well-known Mark, his arch rival. Luck was on his side. He not only got to know what Annie and John had learned but also what they brought with them. The treasure trove of data copied by both of them using Mark’s credentials, for reference purposes, was at his disposal.

Sunday, February 4, 2018

Personally Identifiable Information - Free of Cost. Wanna know how?


Recently, one of my friends told me about an application (mobile app) which could easily fetch a lot of details about a vehicle and its owner. I was quite intrigued and decided to check this app out. When I logged onto the Google Play store, I found that there was not just one app but multiple apps which are offering anyone’s details free of cost to everyone in this world.

Well, the first one of them is “RTO: Vahan Vehicle Registration”. It is quite simple. You just need to enter the vehicle’s number and voila, you get a trove of data. The app claims to provide you the following details: Owner Name, Address, Age, Engine Number, Chassis Number, Vehicle Registration Date, Vehicle Registration City, Type, Model, City, and State. The second one is “RTO Vehicle Information”. It also offers the same details free of cost to you.

These apps only work for vehicle registration in India. 

[Screenshots of the apps, courtesy Play Store]

While the free service is appreciated, there is no need to offer somebody’s privacy and personal details on a silver platter to anyone in the world. Consider the following (hypothetical) cases of how the data can be misused:

Case 1: Address Misuse

Consider a lady traveling in her own car to the office every day. She uses her personal vehicle to make this trip. A person who would like to know where she lives would just need to note down her car details, and the application does the rest. That can be further misused in several ways.

Case 2: Data Collection by Insurance Agents

We receive multiple calls of loan offerings, insurance offerings etc. every day. These apps can easily be used by insurance agents to contact the owners offering insurance offers based on the vehicle registration details. 

A lot of this information may be classified as personally identifiable information (PII), which these apps are providing to unauthorized users across the world.

Although these apps claim to provide several benefits, they raise a lot of privacy concerns. In my opinion, such services should be limited to the law enforcement authorities or some specific stakeholders only.

The issue is not just limited to such applications on the Play Store. There are a lot of websites which ask you to provide a lot of information before you can download anything from them. Yes, in those cases, the website is not displaying your data the way these apps do. However, if those websites do not put in requisite controls to protect that data, the issue at hand remains the same.

What do you think of this? Is this debate on PII sharing and privacy valid based on the information shared above?

Would love to hear if you have found similar apps or websites which gather or showcase the PII.

Saturday, February 3, 2018

Your Own Fingerprint could be your Enemy


Imagine you are sipping cold coffee and enjoying the view outside your room, when you receive a message on your smartphone that you have spent 5 million rupees at a shopping mall in Dubai. After the initial shock when you enquire about the transaction, you are shocked to know that you have swiped your fingerprint and approved the transaction.

Well, don’t look at me in this manner and don’t dismiss this as a wild fantasy. This is neither a fantasy nor a scene from an upcoming movie.

If you would like to know how this will happen, read ahead.

Fingerprint – Just a bitmap Image!!!

With the introduction of the fingerprint scanner on the iPhone, it became natural for other smartphone manufacturers to follow suit. The market was flooded with fingerprint scanners on smartphones.

To understand the weakness which can be exploited, you need to understand the basics of how a fingerprint is stored in a smartphone.

Most smartphones store fingerprint images in an unencrypted, readable-by-any-app .bmp file, just as a common bitmap picture. Any software which has access to the user’s pictures and the Internet could steal them. Android Authority published an extremely informative article on the types of fingerprint scanners and the way they scan fingerprints.

Many smartphones have poorly protected sensors, which let malware get the pictures right from the fingerprint scanners. 

Aadhaar based Authentication

An article in The Economic Times reported that the government is planning to replace all PINs and passwords with Aadhaar-based authentication using fingerprints. It was also reported some time back that the PIN may be supplemented with fingerprints, or replaced by fingerprints only, in the case of debit card transactions.

We need to understand that although a fingerprint may sound foolproof in theory, it can be one of the easiest things to hack and misuse.

Consider this case: your fingerprint is stolen from your phone. Your Aadhaar number can be easily retrieved from the thousands of places where you submit it as a residence or photo ID proof. With this combination, a hacker can do multiple transactions in one go and you would not be able to stop it, as you can change your passwords but not your fingerprint.

Critics may argue that the fingerprints stored in the Aadhaar database are in a different format from those stored in your smartphone. The card-based transaction which Niti Aayog has proposed is also considering the use of an iris scanner. While I may not like to counter this without proper artifacts, I would like to point out at this point of time that fingerprint and iris scanners deployed in smartphones would not offer the kind of security which custom-designed devices at military establishments do.

The Misuse

1. The bitmap image can be easily extracted and a print of that image can be misused in multiple ways.

2. There are multiple malicious apps which copy the bitmap file and may send the file to a remote server.

3. You can change your password, but not your fingerprints.

4. The government already has your set of fingerprints via Aadhaar and you’re being asked to use the same as your password. The consequences can be disastrous if the Big Brother decides to misuse it.

5. The fingerprints may be used in terrorist activities and you may be held accountable simply because your fingerprints were found at that place.

The False Truth

When you hear that a fingerprint is not a password, and that owners cannot share it with other people, forget it or eventually show it to others, don’t believe it. This year researchers demonstrated how easy it is to steal a fingerprint remotely, even without face-to-face contact. One can do it with a quality photo of the victim’s fingers. An SLR camera with a good zoom lens, or even a magazine photo printed in high resolution, is enough. By the way, the same method can be used to fake an iris.

When your password leaks, you can change it in a few minutes, but you have to live with your fingerprints for the rest of your life. What if they are stolen? This is why you should not fully believe marketing promises of popular vendors.

Follow these Rules

1. Despite vendors’ promises, don’t use your fingerprint scanner to authenticate to Paytm and other financial services. This is not safe. Now the phone is in your hands, tomorrow it’s stolen. A thief can easily copy your fingerprints right from the phone surface and use a case to buy something. Compromising passwords is harder, but only if you use them correctly.

2. Usually people choose the index finger or a thumb as their biometric login. It’s convenient, but not right, because these are the fingers we use the most when working with a phone. That’s why it’s quite possible to find an intact print of these fingers on any phone and make a fake case to break your protection — especially as there are a lot of manuals on the Internet. So it’s better to use the little and the ring fingers on the left hand for right-handers and vice versa.

3. A fingerprint scanner is not enough to protect your personal data. If you care about privacy, consider using a special app. For example, Kaspersky Internet Security for Android has built-in Anti-Theft and Personal Contacts functions. They can help you track a stolen phone, remotely wipe all data from the device or hide your text message history and contact list from prying eyes.

Conclusion

A fingerprint scanner is a great innovation which is more useful than harmful. But don’t rely on it too much; use the new technology wisely and don’t neglect passwords, two-factor authentication and other security measures.