Posts

YouTube Channel (Re)Launch

It has been a journey with multiple ups and downs for me. I started this blog 5 years ago (time flies, you know!), and around some time in 2018, I decided on a YouTube Channel. I uploaded some videos and it received a very tepid response. I uploaded a few more videos and waited and I still did not see much change. However, at that time, I committed a big mistake. I stopped and in a way, I quit. That is a lesson for everyone out there. Don’t quit. It takes time, but be there and work on it. Improve yourself and you will see one day that all the hard work you have done will surely result in something worthwhile. I have been working on some personal projects for quite some time now and a lot of them are ready to be launched or I should say in some cases relaunched. Well, the YouTube Channel definitely falls under the second category. What is this Channel about? This channel is about understanding security concepts in a simple manner. This deals with various domains of CISSP / SSCP and the

The must-have skills for cybersecurity aren't the ones you think!!

What comes to your mind when you think of information security? If you watch a lot of movies, especially the ones involving the CIA, you would imagine a nerd in a basement trying to hack into the world’s most secure places with no life other than that. When it comes to the office, you imagine him to be a nerd (again!! probably), sitting in one corner trying to protect your corporate infrastructure. Information security only gets associated with technical stuff such as firewalls, passwords, encryption, and most importantly hacking. Look at most of the job descriptions, and they will always mention the same. A search on the “top skills a cybersecurity leader should have” results in Simplilearn telling us about network security, cloud security, virtual machines, coding, etc. These are important parameters but are just a small part of the skillset of an information security professional. The MOST, and I repeat, the MOST important skill a cybersecurity leader needs is the art of articulatio

Security Policy – How to write one?

Consider you are a security expert employed by: 1) a big entertainment company, OR 2) a product company, OR 3) a manufacturing company. And you have been asked to create the security policy for the organization. How would you go about creating one? The simplest way would be to Google examples of a security policy, then copy and paste to create one. If you have that in mind, you can skip reading this post. However, if you are looking to create a custom security policy that caters to your organization, you are in the right place. Before we jump into how to create a security policy, we must understand what a policy is. Wiki defines a policy as “A policy is a statement of intent and is implemented as a procedure or protocol.” Safeopedia explains it as “Policies are rules, principles, guidelines or frameworks that are adopted or designed by an organization to achieve long-term goals. Policies are formulated to direct and exert influence on all the major decisions to be mad

The TOCTTOU attack

Intriguing attack name, isn’t it? Pronounced as TOCKTOO, this is a time-of-check/time-of-use (TOC/TOU) attack. This deals with the sequence of steps a system uses to complete a task. This type of attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system. Let’s take some routine day-to-day examples to better understand this concept. Note that these examples are mentioned to help you better understand the concept. Do you love Netflix? Well, I do. When you watch a series on Netflix, you need to authenticate yourself. Let’s break this into 2 steps: Process 1: Validates your credentials to check your subscription validity. Process 2: Opens up the series for you. In a TOC/TOU attack, the attacker ensures that process 2 is executed before process 1. If you wonder how this can happen, consider that operating systems and applications are, in reality, just lines and lines of instructions. An operating system must carry out instruction 1

Horizon Scanning: A Beginner’s Guide

“Horizon scanning is a technique for detecting early signs of potentially important developments through a systematic examination of potential threats and opportunities, with emphasis on new technology and its effects on the issue at hand.” With the world more interconnected than ever before, an event in one place has the power to impact people across the world. Recently when a ship was stuck in the Suez canal, it resulted in shipping delays and the loss of millions of dollars. This event further created sub-events of its own and impacted in ways we are yet to identify. Volatility in the Dow Jones affects the Asian markets, and a climate crisis in a country has the potential to increase the prices for consumers across the world. Despite the efforts of witches and mages throughout the ages, the future can never be accurately foretold. In our modern world, our organizations turn to risk management as the latter-day shaman to divine the potential pitfalls and opportunities lurking in the midst of tom

Data Security Lifecycle 2.0

The Cloud Security Alliance Guidance explains the Data Security Lifecycle which mentions the various phases data undergoes in the cloud. This lifecycle was adopted from a blog article on Securosis. Rich Mogull, Analyst & CEO, stated that he was not happy with his work since it seemed rushed and did not sufficiently address the cloud aspects. They have released the Data Security Lifecycle 2.0 and this blog post is an attempt to present it in simple terms. Before we delve into the nuances of the improved version of the life cycle, a sneak peek into the old one would help us appreciate the changes. The V1.0 is depicted below. The lifecycle has a total of six phases - Create, Store, Use, Share, Archive, and Destroy. While the circular, step-by-step depiction may suggest that one phase follows the other, it is not so. Creating and storing may happen simultaneously, and archiving may not happen if the information is not required to be stored for long-term purposes. In essence, the