Sunday, July 8, 2018

Access Control and Mark Up Languages

Just like humans use language to talk to each other, we use languages to talk to computers as well. From an identity management and access control perspective, we are going to learn about some specific languages, but before that, it is important to understand the basics.

Today, if you visit a website, you see different kinds of animations, text floating around, interactive advertisements, custom views etc. How does this happen? This happens through markup languages and of course some background coding. What is a markup language then? A markup language is a way to structure text and data sets, and it dictates how these will be viewed and used. When you adjust margins and other formatting in a word processor, you are marking up the text in the word processor’s markup language. If you develop a web page, you are using some type of markup language.

One such language which you would have heard about is HTML (Hypertext Markup Language). HTML came from the Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language (GML).

If you design a web page today, there are multiple such languages to choose from. The markup language allows you to structure your web page and you can control how it looks and some of the actual functionality the page provides. The use of a standard markup language also allows for interoperability. Following basic markup language standards will help you design a page that looks exactly the same on any platform.

Now, you could say that you would use a particular language to design a webpage, or a particular company could choose to adopt a proprietary language of its own. You can appreciate the chaos this would create by considering what would happen if everyone on this earth decided to speak his/her own language.

So to make things standardized, intelligent minds came up with a solution. The answer was XML. XML is a universal and foundational standard that provides a structure for other independent markup languages to be built from and still allow for interoperability. Markup languages with various functionalities were built from XML, and while each language provides its own individual functionality, if they all follow the core rules of XML then they are interoperable and can be used across different web-based applications and platforms.

Sounds confusing? So let’s understand this through a simple example. Let’s consider the English language. Mayur is a cybersecurity analyst, John is a zoologist and Karina is a chef. We all can speak to each other using the basic English communication rules. The basic grammatical and sentence-building rules remain the same. However, each of these individuals can use this common language to talk in terms which they understand better. So while Mayur uses terms such as firewall, cryptographic controls and mandatory access control, John would use terms such as carnivorous and mammals, and Karina would use words such as roasting, poached egg, simmering etc. Each profession has its own “language” to meet its own needs, but each is based on the same core language—English.

In a similar manner, the world wide web also uses a common language such as XML and then each profession can build a new language based on this language to cater to their specific needs.

Now, I’m into the field of cybersecurity and I would like to tweak some languages to help me out with identity and access management. So what should I do?

Well, the intelligent minds before us came together and developed some languages for you which we are going to learn about.

The first one is the Service Provisioning Markup Language (SPML), which allows for the exchange of provisioning data between applications that could reside in one organization or many.

Consider, John has joined the company IloveITSolutions as a security specialist. An account needs to be created for him, where he would have access to multiple servers, accounts and what not. The language which comes to the rescue of the administrator is the SPML. SPML allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems. This markup language allows for the integration and interoperation of service provisioning requests across various platforms.

It is easy to say that SPML will do all the work, but we must understand how it does that. SPML is made up of three main entities: the Requesting Authority (RA), which is the entity that is making the request to set up a new account or make changes to an existing account; the Provisioning Service Provider (PSP), which is the software that responds to the account requests; and the Provisioning Service Target (PST), which is the entity that carries out the provisioning activities on the requested system.

When John joins the company, the RA is asked to get to work. The RA creates SPML messages, which provide the requirements of the new account. Whom does it send these requests to? The PSP. This piece of software reviews the requests and compares them to the organization’s approved account creation criteria. If these requests are allowed, the PSP sends new SPML messages to the end systems (PST) that the user actually needs to access. Software on the PST sets up the requested accounts and configures the necessary access rights.
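The RA → PSP → PST flow described above, as an added example that is not part of the original post: the RA builds an add request for John, the PSP checks it against the organization's approval criteria and only forwards approved requests to the target system. The XML shape only loosely follows SPML 2.0's addRequest/addResponse; the namespace, element names, target names and approval criteria are assumptions made for this demo.

```python
"""Simplified Requesting Authority -> Provisioning Service Provider ->
Provisioning Service Target exchange (demo code, not a real SPML stack)."""
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"   # assumed namespace for the demo
ET.register_namespace("spml", SPML_NS)


def tag(name):
    return f"{{{SPML_NS}}}{name}"


# --- Requesting Authority (RA): builds the add request for a new hire ---
def ra_build_add_request(request_id, target, username, department, roles):
    req = ET.Element(tag("addRequest"), {"requestID": request_id, "targetID": target})
    data = ET.SubElement(req, tag("data"))
    ET.SubElement(data, "username").text = username
    ET.SubElement(data, "department").text = department
    for role in roles:
        ET.SubElement(data, "role").text = role
    return ET.tostring(req, encoding="unicode")


# --- Provisioning Service Provider (PSP): compares the request with policy ---
# Constructed approval criteria: which end systems exist and which roles a
# department may request on each of them.
APPROVED_TARGETS = {"mail-server", "vpn-gateway"}
ROLES_BY_DEPARTMENT = {
    "security": {"mail-server": {"user"}, "vpn-gateway": {"user", "admin"}},
    "sales":    {"mail-server": {"user"}},
}


class PolicyViolation(Exception):
    pass


def psp_evaluate(request_xml):
    """Parse the RA's message; return (target, fields) if it passes policy."""
    req = ET.fromstring(request_xml)
    if req.tag != tag("addRequest"):
        raise PolicyViolation("unsupported operation")
    target = req.get("targetID")
    if target not in APPROVED_TARGETS:
        raise PolicyViolation(f"unknown target {target!r}")
    data = req.find(tag("data"))
    username = data.findtext("username")
    department = data.findtext("department")
    roles = {r.text for r in data.findall("role")}
    allowed = ROLES_BY_DEPARTMENT.get(department, {}).get(target, set())
    if not roles <= allowed:
        raise PolicyViolation(
            f"roles {sorted(roles - allowed)} not permitted on {target}")
    return target, {"username": username, "roles": sorted(roles)}


# --- Provisioning Service Target (PST): the end system that creates the account ---
class ProvisioningTarget:
    def __init__(self, name):
        self.name = name
        self.accounts = {}

    def add(self, username, roles):
        if username in self.accounts:
            return self._response("failure", f"{username} already exists")
        self.accounts[username] = set(roles)
        return self._response("success", f"{username} created with {roles}")

    def _response(self, status, message):
        resp = ET.Element(tag("addResponse"), {"status": status})
        ET.SubElement(resp, "message").text = message
        return ET.tostring(resp, encoding="unicode")


def provision(request_xml, targets):
    """Full RA -> PSP -> PST path; returns (status, message)."""
    try:
        target, fields = psp_evaluate(request_xml)
    except PolicyViolation as exc:
        return "rejected", str(exc)          # rejected by the PSP, never reaches a PST
    raw = targets[target].add(fields["username"], fields["roles"])
    resp = ET.fromstring(raw)
    return resp.get("status"), resp.findtext("message")


if __name__ == "__main__":
    systems = {"mail-server": ProvisioningTarget("mail-server"),
               "vpn-gateway": ProvisioningTarget("vpn-gateway")}
    ok = ra_build_add_request("1", "vpn-gateway", "john", "security", ["user", "admin"])
    bad = ra_build_add_request("2", "mail-server", "john", "sales", ["admin"])
    print(provision(ok, systems))    # approved and provisioned on the PST
    print(provision(bad, systems))   # sales may not request admin on mail-server
```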

[Sponsored] Key Features to Look for in a Salesforce Cisco Integration

Investing in a robust CRM like Salesforce is one of the best decisions a business can make. These days, when customer experience drives business success, leveraging technology like Salesforce indicates a commitment to delivering great service and contributing meaningfully to the success of your customers. Salesforce has allowed companies to build tech stacks that truly work for their teams. For client-facing teams, a reliable CTI like a Salesforce-Cisco integration is indispensable.

Computer Telephony Integration or CTI allows teams to connect CRMs like Salesforce to their phone systems. Today, millions of users rely on Salesforce and Cisco, as these solutions are both reliable and time-tested. Integrating the two allows teams to get the most out of each one. Contact centers, helpdesks, sales floors, and customer service reps benefit from CTI solutions directly through features that they use in their daily workflows.

When searching for a Salesforce Cisco integration provider, make sure they deliver these key features:


Click-to-dial transforms phone numbers within Salesforce and your internet browser into links that go straight into a call when clicked. This web-to-phone feature makes the calling process seamless, doing away with having to manually dial on your deskphone and on-screen softphone.

For teams that deal with high call volumes day in and day out, the click-to-dial feature delivers big savings in the form of shaved seconds that easily translate to hours per team per day. Click-to-dial directly affects the bottom line and influences important business activities like workforce management and resource planning.


Screenpops are a key feature of an effective Salesforce Cisco integration. Screenpops are on-screen pop-ups that deliver customer records instantly when you make an outbound or receive an inbound call. Some CTI solutions only offer screenpops that show recorded customer data in a uniform manner. It’s best to choose a CTI solution that displays role-based customer records. For example, a service rep would need different data compared to a sales agent. Role-based customer data display from screenpops levels up the benefits teams can get out of their integrations.

Call notes, call dispositions

Still part of the screenpop, a key feature you must look for in a CTI solution is the ability to take notes right on the pop-up. Some providers only allow you to view records and will bring the rep or agent to the CRM interface if they want to make changes to the record. Best-in-class CTI solutions provide teams the option to change call dispositions, take notes, and create tasks right on the screen pop. Any client-facing team will benefit from the saved time and smoother workflow of this feature.

Task creation through natural language processing

Task creation right on the screenpop saves a lot of time especially for big teams. A way to amplify this benefit is through natural language processing. Natural language processing or NLP uses machine learning to “read” a user’s notes and creates tasks and calendar entries based on them.

Team collaboration features

Integrating Salesforce and Cisco also makes team collaboration easier for sales, support, and service teams, especially when their chosen CTI solution provides features that foster teamwork. The @mention feature makes it easier for reps to quickly assign or notify teammates about call updates or any pending action items that need to be done.

Automatic call logging

Your CTI should help you get the most out of Salesforce. Automatic call logging is a basic but crucial feature that CTI providers should be able to deliver. When a user takes notes and wraps up a call on the screenpop, this feature automatically logs the updates in the CRM, saving time that used to go to manually entering call updates, setting dispositions, and assigning tasks to teammates. Automatic call logging ensures that organizations are on the same page across different departments.

Local presence dialing

Another key Salesforce Cisco integration feature that’s extra important for sales teams is local presence dialing. Local presence allows sales teams to show a local area code on the caller ID of the person they’re calling. This improves pick up and connect rates for outbound calling teams.

Call reporting and analytics

Any business would benefit from the constant improvement of their teams that are in constant contact with their prospects and customers. Today, organizations are committed to making data-driven decisions when it comes to implementing changes and solutions to improve the results they’re getting no matter the department. A key feature you’d have to look for in a Salesforce-Cisco integration is the ability to support your data-driven efforts.

With high volume calling, managers are unable to monitor each call, leaving teams in the dark when they don’t have a data capture solution in place. CTI solutions should be able to provide features that allow management activities like call monitoring, call recording, call transcription, and data-rich call activity records.

With call reporting and call analytics features, organizations can use the gathered and visually presented data to categorically measure the performance of their teams, craft targeted solutions to their unique challenges, and track important customer experience metrics.

From customer service call centers to sales floors, these key CTI features ensure that businesses are able to maintain and gain competitive advantage through technology that allows them to deliver a great customer experience.

Note: This article is published on this blog in collaboration with Tenfold. For any queries/concerns, you can connect with the team at

Monday, June 11, 2018

Identification, Authentication, Authorization, and Accountability

The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many confuse identification with authentication or consider them the same, while some forget auditing or give it the least importance. These are four distinct concepts and must be understood as such.


Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username which identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity.

From an information security point of view, identification describes a method by which you claim who you are. Notice that you share your username with anyone. Your email id is a form of identification, and you share it with everyone in order to receive emails. This means that identification is a public form of information.


So now you have entered your username; what do you enter next? The password. This is what authentication is about. Here you authenticate, or prove, that you are the person you are claiming to be. Authentication can be done through various mechanisms. Let’s understand these types.

There are commonly 3 ways of authenticating: something you know, something you have and something you are. 

Something You Know: Here the authentication happens with your knowledge or what you know. This can be a PIN, password, key, pet’s name etc. This is the most common authentication implemented today. This is also one of the cheapest authentication mechanisms.

Something You Have: Here the authentication happens with ownership, i.e. something you have or own. An access ID card, credit card, RSA token or security badge are all examples of things you can own and authenticate yourself with. The issue here is that such a badge or token can be stolen or lost.

Something You Are: Here the authentication happens with YOU (characteristic). Your physical attribute is used to authenticate you. Characteristics such as fingerprints, voice print, iris scan, palm print etc. are examples of characteristics or biometrics. An issue with this can be you can never change your characteristics if someone gets hold of your biometrics, unlike a password which can be changed.

Dual factor Authentication / Multifactor Authentication – If more than one factor of authentication is used, it is called multi-factor authentication. Dual means 2, hence 2 factors will be used. Example – PIN + Access ID card (something you know + something you have) is an example of dual factor authentication. Consider a top-secret research organization where a person has to show his access ID card, then enter a PIN and then get his iris scanned to get access; this means that the organization has deployed multi-factor authentication.


A lot of the time, people confuse authentication with authorization. To many it seems simple: if I’m authenticated, I’m authorized to do anything. Once the subject provides its credentials and is properly identified, the system it is trying to access needs to determine whether this subject has been given the necessary rights and privileges to carry out the requested actions. Consider your mail, where you log in and provide your credentials. You will be able to compose a mail, delete a mail and make certain changes which you are authorized to make. Can you make changes to the messaging server? No, since you are not authorized to do so. Hence successful authentication does not guarantee authorization. Successful authentication only proves that your credentials exist in the system and that you have successfully proved the identity you were claiming. However, to make any changes, you need authorization. The system may check these privileges through an access control matrix or a rule-based solution, through which you would be authorized to make the changes.


The final piece of the puzzle is accountability. Imagine a user who has been given certain privileges to work. What happens when he/she decides to misuse those privileges? If audit logs are available, then you’ll be able to investigate and hold the subject who misused those privileges accountable on the basis of those logs. The subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is if the subject is uniquely identified and the subject’s actions are recorded. Auditing capabilities ensure users are accountable for their actions, verify that the security policies are enforced, and can be used as investigation tools.

If all 4 pieces work, then access management is complete. Although there are multiple aspects to access management, these 4 pillars need to be equally strong, else the foundation of identity and access management will be affected.
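The four stages as a small model of the mail example from the post (an added example, not the author's code): the username is only a claim, the password proves it, an access control matrix decides what the proven subject may do, and every decision, including denials, lands in an audit log so actions can be traced back to a uniquely identified subject. Usernames, passwords, objects and the matrix are constructed for the demo.

```python
"""Identification -> authentication -> authorization -> accountability demo."""
import hashlib
import hmac
import os
import time

# --- credentials for authentication (salted PBKDF2 hashes, never plaintext) ---
_USERS = {}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


# --- access control matrix: subject x object -> permitted actions (constructed) ---
ACL = {
    "john":  {"mailbox:john": {"read", "compose", "delete"}},
    "admin": {"mailbox:john": {"read"}, "mailserver:config": {"read", "write"}},
}

# --- accountability: one record per decision, denials included ---
AUDIT_LOG = []


def _audit(username, action, obj, outcome):
    AUDIT_LOG.append({"ts": time.time(), "who": username, "action": action,
                      "object": obj, "outcome": outcome})


def identify(username):
    """Identification: the public claim of identity. Nothing is proven here."""
    return username.strip().lower()


def authenticate(username, password):
    """Authentication: prove the claim with something you know."""
    rec = _USERS.get(username)
    if rec is None:
        _audit(username, "login", "-", "denied: unknown identity")
        return False
    salt, stored = rec
    ok = hmac.compare_digest(stored, _hash_password(password, salt))
    _audit(username, "login", "-", "success" if ok else "denied: bad credential")
    return ok


def authorize(username, action, obj):
    """Authorization: an authenticated subject still needs the right in the matrix."""
    allowed = action in ACL.get(username, {}).get(obj, set())
    _audit(username, action, obj, "allowed" if allowed else "denied")
    return allowed


def request(claimed_name, password, action, obj):
    """Whole path: identify -> authenticate -> authorize; returns the decision."""
    username = identify(claimed_name)
    if not authenticate(username, password):
        return "authentication failed"
    return "permitted" if authorize(username, action, obj) else "not authorized"


def actions_by(username):
    """Accountability: reconstruct what a uniquely identified subject did."""
    return [(e["action"], e["object"], e["outcome"])
            for e in AUDIT_LOG if e["who"] == username]


if __name__ == "__main__":
    register("john", "correct horse")          # constructed demo credentials
    register("admin", "hunter2hunter2")
    print(request("John ", "correct horse", "compose", "mailbox:john"))   # permitted
    print(request("john", "correct horse", "write", "mailserver:config"))  # not authorized
    print(request("john", "wrong", "compose", "mailbox:john"))  # authentication failed
    for entry in actions_by("john"):
        print(entry)
```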

What are your thoughts on this?

Saturday, May 26, 2018

Security Risk Assessment in The Internet of Things

Internet of Things, henceforth referred to as IoT in this article, refers to all the devices connected to the internet which “talk” to each other. This means that if your washing machine is connected to the Internet and talks to a cloud server, giving its health information to the company’s server, it would qualify as an IoT device. So, simply, the Internet of Things is made up of devices – from simple sensors to smartphones and wearables – connected together.

The IoT is one of the most talked-about technologies nowadays. Every company is working on its implementation and introduction into our daily lives. Given the increasing number of cyber-attacks, it makes sense to identify the risks faced by the deployment of this technology. The traditional method of doing a risk assessment involves identifying assets, their weaknesses, the threats they may face and the potential damage in case of exploitation. Once these risks are identified, they are prioritized and countermeasures are adopted to treat them.

These traditional approaches are based on certain assumptions, the primary one being that the dynamism is extremely low. When you identify the assets, this is a one-time activity, and these assets won’t change much in a risk assessment period of, say, 6 months at the least. What if the number of assets and the risk associated with them were to change every minute or day? Clearly, risk assessment methodologies such as NIST SP 800-30, OCTAVE, FRAP etc. are not equipped to handle the complexity which IoT presents us.

In this blog post, we will try to understand the current methods of risk assessment, their shortcomings in their application to complex systems such as IoT and propose certain methods to handle the issues at hand.

In the earlier blog post on Risk Management, we learned about risk management being defined as:
A process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.

If we apply the same definition in the IoT environment, the overall concept of risk management remains the same. Wouldn’t it? In principle, yes. However, let us understand the practical challenges here. Risk assessment is an integral part of risk management, and it has certain methodologies through which we can assess the risk(s) faced by the organization. If we apply NIST SP 800-30, we need to identify the assets (IT only), the vulnerabilities and the threats faced, then calculate the risk, propose countermeasures to treat it and finally monitor the complete system.

Let’s take another one. The Facilitated Risk Analysis Approach (FRAP) is focused on identifying the systems that really need assessing, to reduce time and costs. It analyses one system, application or business process at a time. Data is gathered and threats to the business operations are prioritized based on their criticality. Since it is a qualitative approach, you ask experts to gather and discuss the risks which this particular asset, system or application would face.

If you observe these methodologies, you would appreciate the fact that they are focused on identifying critical assets and the harm that may occur to them, or the threats faced by a particular asset or application. This means you follow an asset-based approach or a threat-based approach when you use these methodologies.

Clearly, the approach taken by these methodologies applies best to a static system. When the complexity and dynamism of the system change every minute, such risk assessment methodologies will not stand the test of time. Risk is a complex word in itself. It is a probabilistic measure of a threat exploiting a vulnerability. When threats and vulnerabilities change continuously, the calculation (quantitative) or identification (qualitative) of the risks faced becomes an enormous challenge.

An IoT device is not a complete system in itself. It needs many other parts to fully function and be usable; it is like a part of the body which is useless without the complete body. In extremely simple terms, an IoT system would be made up of at least 3 components – application, cloud environment and Thing environment. All these communicate with each other using application programming interfaces. The following article explains this in detail -

Thursday, May 24, 2018

Risk Analysis Approaches

Which color do you like? Choose one – Red, Amber or Green. Let’s try another one – How much would you like your company’s risk to cost – 10,000 $, 20,000 $ or 50,000? Choose one again. Confused? Don’t be. After all, risk analysis is about analyzing risk either in terms of color or a heat map or numbers.

The two approaches to risk analysis are Quantitative & Qualitative. Let’s understand them.

Quanti – tative Approach

This break will help you remember that this approach is related to numbers. Quanti refers to numbers here. We assign monetary and numeric values to all aspects of risk analysis. If you revisit the topic of Risk Assessment, we identified that there are multiple parameters to be taken care of while calculating risk. Hence, in this approach, we assign monetary values to each aspect so that at the end we can quantify or measure the value of the risk in dollar terms.

Let’s understand this through a simple example – 

There is a building which has a cost of 100,000$. There is no fire suppression system installed in the building. In case of a fire, the building may be damaged and will suffer a loss of 25,000$, that is, around 25%. From past experience, it has been seen that a fire may occur once every 5 years.

This information has been gathered as a part of the risk assessment. Clearly, you can observe that every aspect has been assigned a value. The asset value (cost of the building) has been determined as 100,000$. The loss has also been quantified. This is what quantitative analysis is all about.

Numbers are incomplete without some formulas.  So here comes the formula:

Asset Value * Exposure Factor = Single Loss Expectancy

Asset Value – What is the value of the asset? You have to include (in the risk assessment) all sorts of costs here to make up the asset value, such as the cost to develop this asset, the cost to maintain it, the cost to replace it, the money spent on it to make it usable, the value of the asset to its owners etc. Here the building value has been identified as 100,000$, which is inclusive of all such costs.

Exposure Factor – What is the exposure if the threat materializes? What percentage of the asset value would be destroyed in case of realization of the threat? Here the building is affected by the fire and would be destroyed by around 25%. This value is the exposure factor.

Single Loss Expectancy - Actual Loss in case of realization of a threat. Notice the word expectancy here. We are expecting that this would be the loss in case of actual fire.

In our example, if we wish to calculate the SLE, it would be like this –

AV – 100,000$

EF – 25% or ¼ or 0.25

Hence, SLE = 100,000 *0.25 = 25,000$.

Therefore, the company would suffer a loss of 25,000$ from a fire.

Wait, the movie has not finished yet. Notice the last line in the scenario above. Past experiences have shown the occurrence of a fire once every 5 years.  What does this mean and how does it fit here?

Every business needs to make such assessments over a year. If a fire occurs once every 5 years, this means the damage due to the loss would be over a period of 5 years, that is, 25,000$ spread over a period of 5 years. This implies that the company can choose to spend 5,000$ every year to cover any losses arising out of this situation.

This leads us to another formula.

Single Loss Expectancy * Annualized rate of occurrence = Annual Loss Expectancy

Annualized Rate of Occurrence – This value represents the estimated frequency with which a specific threat would occur over a period of 1 year. 

Here the ARO would be 1/5 or 0.2.

Hence, the annual loss which the company may face is 25,000$ * 0.2 = 5,000$.

This value would help the company take a decision over the controls it would like to implement and how much money it can spend.
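The SLE and ALE arithmetic from the example above, as added example code (not the author's), carried one step further than the post: once the ALE is known, a proposed control can be compared against it by subtracting the ALE that remains after the control and the control's own annual cost. The fire-suppression figures (annual cost, reduced exposure) are constructed for the demo.

```python
"""Quantitative risk analysis: SLE = AV * EF, ALE = SLE * ARO, plus a
cost/benefit view of a control (demo code, not from the blog post)."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = Asset Value * Exposure Factor (EF is a fraction, 25% -> 0.25)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    """ALE = SLE * Annualized Rate of Occurrence (once in 5 years -> 0.2)."""
    if aro < 0:
        raise ValueError("rate of occurrence cannot be negative")
    return sle * aro


@dataclass
class Threat:
    name: str
    asset_value: float
    exposure_factor: float
    years_between_occurrences: float   # the post states frequency this way

    @property
    def aro(self):
        return 1.0 / self.years_between_occurrences

    def sle(self):
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self):
        return annual_loss_expectancy(self.sle(), self.aro)


def control_value(ale_before, ale_after, annual_control_cost):
    """Annual value of a safeguard = ALE before - ALE after - yearly cost of
    the safeguard (standard cost/benefit formula; an extension of the post)."""
    return ale_before - ale_after - annual_control_cost


def evaluate_control(threat, new_exposure_factor, new_years_between, annual_cost):
    """Re-run the numbers with the control in place and report whether the
    safeguard is worth its cost."""
    after = Threat(threat.name, threat.asset_value,
                   new_exposure_factor, new_years_between)
    value = control_value(threat.ale(), after.ale(), annual_cost)
    return {"ale_before": threat.ale(), "ale_after": after.ale(),
            "annual_cost": annual_cost, "net_value": value,
            "worthwhile": value > 0}


if __name__ == "__main__":
    # the post's scenario: 100,000$ building, 25% destroyed, fire once in 5 years
    fire = Threat("fire", 100_000, 0.25, 5)
    print("SLE:", fire.sle(), "ALE:", fire.ale())        # 25000.0 and 5000.0
    # constructed: suppression system costs 1,500$/yr and cuts damage to 5%;
    # fires still start once in 5 years
    print(evaluate_control(fire, 0.05, 5, 1_500))
    # constructed: a gold-plated system at 6,000$/yr is not worth it
    print(evaluate_control(fire, 0.05, 5, 6_000))
```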

Risk Assessment Methodology

Having understood Risk Management & Risk Assessment in earlier blog posts, it is time for us to understand the various methodologies of risk assessment. The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional, it is important for us to know the best approach for our organization and its needs.

1. NIST SP 800-30

The first one is a U.S. federal government standard, NIST SP 800-30.

It lays out the following steps:
• System characterization
• Threat identification
• Vulnerability identification
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation

The NIST risk management methodology is mainly focused on: 
a) computer systems.
b) IT security issues. 

2. FRAP (Facilitated Risk Analysis Process)

• Qualitative methodology.
• Focuses only on the systems that really need to be assessed.
• Helps to reduce costs and time spent in risk assessment.
• Risk assessment steps are only carried out on the item(s) that needs it the most. 
• It is to be used to analyze one system, application, or business process at a time. 
• Data is gathered and threats to business operations are prioritized based on their criticality. 
• The risk assessment team documents the controls that need to be put in place to reduce the identified risks along with action plans for control implementation efforts.
• This methodology does not support the idea of calculating probability or likelihood.
• The criticalities of the risks are determined by the team members' understanding of business processes.
• The goal is to keep the scope of the assessment small and the assessment processes simple to allow for efficiency and cost-effectiveness.

3. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) 

• Based on the idea that the people working in the environments best understand what is needed and what kind of risks they are facing. 
• The individuals who make up the risk assessment team go through rounds of facilitated workshops. 
• The facilitator helps the team members understand the risk methodology and how to apply it to the vulnerabilities and threats identified within their specific business units. 
• Scope of an OCTAVE assessment is usually very wide compared to the more focused approach of FRAP.
• Where FRAP would be used to assess a system or application, OCTAVE would be used to assess all systems, applications, and business processes within the organization.

4. ISO/IEC 27005 

• An international standard for how risk management should be carried out in the framework of an information security management system (ISMS).
• Deals with IT and the softer security issues (documentation, personnel security, training, etc.).

5. Failure Modes and Effect Analysis (FMEA)

• A method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
• Commonly used in product development and operational environments.
• The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. 

Saturday, May 19, 2018

Understanding Risk Assessment

Risk Assessment is a part of the Risk Management process. It is a method of identifying vulnerabilities and threats, and the impact in case a threat agent exploits a vulnerability, in order to suggest security controls. There are a lot of risk assessment methodologies available, such as NIST SP 800, FRAP, OCTAVE, Delphi etc., to assess the level of risk.

In simple terms, risk assessment involves identifying weaknesses, threats and the potential damage in case of exploitation, and on this basis you recommend certain countermeasures.

Sounds simple? It’s practically the most challenging, time-consuming and difficult work in the entire risk management process. Let’s understand what makes this simple, straightforward process so difficult to execute. You are a security professional and the CEO asks you to do a security assessment of the site at New Delhi. If you start doing the risk assessment straight away, I assure you that you will end up pulling your hair out. Why so? You will realize the answer if you answer the following questions:

1. What is the scope of your risk assessment? 
2. Does it involve only the physical assets of the building? 
3. Do you need to consider all the functions operating out of the building?
4. Do you need to involve the third party vendors under this assessment?
5. Would you include the intangible assets in this assessment?
6. What is the time limit for this assessment?
7. Are there any budgetary constraints for this assessment?
8. What methodology would you choose for the asset valuation? Will you include assets that are to be scrapped?

Unfortunately, a lot of security professionals and businesses do not identify the answer to these questions before beginning with the risk assessment.  

The most important criterion for any risk assessment is buy-in from the top management. This buy-in must include the time limit and budget for the risk assessment activity. In some cases, the scope of this assessment may be defined by the top management or at the middle management level. If the scope, time and budget are finalized, half of the problem is solved.

Let’s talk about the other half. Risk assessment involves the following 4 steps:

1. Identify the assets and their valuations.
2. Identify the vulnerabilities and threats associated with them.
3. Quantify the probability and business impact of these potential threats.
4. Recommend countermeasures with a balance between cost and benefit.

Clearly, you will find that it is really simple to complete these steps. Yes, it is. However, there is a catch; there is always a catch in the security role. Let’s understand this step by step.

1. As a security professional, you may be an expert in security, but you will not be able to understand all the risks a department faces. This issue can be resolved by working with a cross-functional team. Since each organization has different departments, and each department has its own functionality, resources and tasks, for the most effective risk analysis an organization must build a risk analysis team that includes individuals from many or all departments, to ensure that all of the threats are identified and addressed. Hence, the members of this team depend heavily on each other to complete this assessment.

2. Asset identification – Tangible or Intangible or Both – This needs to be finalized in the early stages itself. 

3. Asset Valuation – It is important to ask questions during this phase. There are many costs associated with a particular asset, not limited to its market cost. The value placed on information is relative to the parties involved, what work was required to develop it, how much it costs to maintain, what damage would result if it were lost or destroyed, what enemies would pay for it, and what liability penalties could be endured. If this activity is not done properly, it creates an issue when countermeasures are to be deployed. An organization working on advanced defense projects would deploy different countermeasures for its servers than would an ice cream vending machine remotely controlled by a server.

If all such steps are done, you have completed the risk assessment. Now you can present the report to the CEO who asked you to do the risk assessment. Wait, the CEO has a different report from another professional who was asked to conduct the same assessment. The results are as different as day and night. This is a common issue that comes up when a standard methodology is not followed for risk assessment.

Let’s explore the risk assessment methodologies in the next article. 

What are your thoughts on risk assessment? Which of the following steps do you find the most difficult? Share your thoughts in the comments below.

Wednesday, May 16, 2018

Demystifying Risk Management

When you speak to security professionals or the management in many organizations, most of them are of the opinion that security risk management is all about deploying the latest security tools available in the market, with a focus on applications, hacking, malware and nowadays data breaches. Although these items are important to consider, they are an extremely small part of the overall information security puzzle.

Consider an organization dealing with nuclear reactor design and another organization providing cloud backup solutions. Would risk management be the same for both organizations? The answer is NO, as most of you would agree. Both organizations are vulnerable to certain threats that may threaten their business models. Every business exists to make money, and security becomes an issue only when this bottom line is affected. Risk management should always be done with the objective that the threats identified do not affect the bottom line. Hence, it is critical that security professionals understand the threats faced by a company, but it is more important that they understand how to calculate the risk of these threats and map them to business drivers.

Let’s take up the two scenarios once again. In both cases, there will be innumerable threats that these businesses face. Should a business work on resolving every threat it faces? From a business standpoint, it can allot only a certain amount of money to resolve these threats. What security professionals need to understand is that even if a company faces innumerable threats through many vulnerabilities, they need to prioritize the risk arising from these threats and resolve them with the limited budget available to them. In order to do so, every business will come up with an acceptable level of risk which it can withstand even if it materializes.

Based on the above discussion, we can easily define risk management as:

The process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.

We must ponder two important words here: management and maintaining. Management of the risk means identifying, resolving, reviewing again and repeating this cycle. A lot of security professionals confuse this with the term Risk Assessment. Risk Assessment is only a part of the overall Risk Management cycle. Maintaining is another aspect which a lot of companies get confused about. Risk Management should not be a “fix it and forget it” approach; it must be done on a periodic basis to ensure that the acceptable level of risk is maintained at all times. But what happens when a new risk comes up that does not affect the acceptable level of risk?

Imagine the business handling the nuclear reactor faces a new risk because a vulnerability has been discovered in an application which controls the cooling of the reactor. The vulnerability can be exploited by an attacker only by manually logging into the system with administrator access and running a specific command at the command prompt.

What should a security professional do? The first step is to assess the change in risk that has occurred in comparison to the acceptable level. To evaluate this, a risk assessment needs to be done, which will help the professional understand what the future course of action needs to be. Many companies, however, do not evaluate the change in risk levels and start focusing on patching the vulnerability itself, which is the wrong approach. You may argue that a newly detected vulnerability may impact the company and hence needs to be patched anyway, so why not focus on patching it straight away? It ultimately boils down to the security budget and resources you have at your disposal. If the security budget is tight, no resources are available and there is no change in the acceptable risk level, it is a good option to either postpone the fix or prioritize the more important issues at hand, rather than immediately focusing on patching the vulnerability.

Since every organization has a finite amount of money and an almost infinite number of vulnerabilities, properly ranking the most critical vulnerabilities to ensure that your company is maintaining the acceptable level of risk, is what risk management is all about. Carrying out risk management properly means that you have a holistic understanding of your organization, the threats it faces, the countermeasures that can be put into place to deal with those threats, and continuous monitoring to ensure the acceptable risk level is being met on an ongoing basis.
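The reasoning in this post, as an added example that is not part of the original: a register of vulnerabilities, each with a likelihood, a business impact and a remediation cost; a prioritization routine that funds fixes in order of risk reduced per unit of cost until the acceptable level is reached or the budget runs out; and the re-assessment step for a newly discovered vulnerability, which compares total risk with and without it against the acceptable level before anyone starts patching. The reactor scenario follows the post; the vulnerability names, figures, budget and acceptable level are all constructed.

```python
"""Keeping risk at an acceptable level with a finite budget.

Added illustration, not from the original post. The vulnerabilities,
figures, budget and acceptable level are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    probability: float  # yearly likelihood that a threat agent exploits it
    impact: float       # business loss if it is exploited (currency units)
    fix_cost: float     # one-off cost to remediate it

    def risk(self) -> float:
        """Risk in numerical terms: likelihood times damage."""
        return self.probability * self.impact


def total_risk(vulns) -> float:
    return sum(v.risk() for v in vulns)


def prioritize(vulns, budget: float, acceptable_risk: float):
    """Fund fixes by risk reduced per unit cost until total risk is within
    the acceptable level or the budget is exhausted.
    Returns (funded names, deferred names, residual risk)."""
    ranked = sorted(vulns, key=lambda v: v.risk() / v.fix_cost, reverse=True)
    funded, remaining, spent = [], list(vulns), 0.0
    for v in ranked:
        if total_risk(remaining) <= acceptable_risk:
            break        # acceptable level reached; keep the rest of the budget
        if spent + v.fix_cost > budget:
            continue     # cannot afford this one; try the cheaper items
        funded.append(v.name)
        remaining.remove(v)
        spent += v.fix_cost
    return funded, [v.name for v in remaining], total_risk(remaining)


def assess_new_vulnerability(current, new: Vulnerability,
                             acceptable_risk: float) -> dict:
    """First step when something new is found: compare total risk before and
    after against the acceptable level, then decide whether to patch now."""
    before = total_risk(current)
    after = before + new.risk()
    return {"risk_before": before, "risk_after": after,
            "patch_now": after > acceptable_risk}


# Constructed register for the reactor operator in the post.
VULNS = [
    Vulnerability("cooling app: unpatched remote service", 0.3, 2_000_000, 50_000),
    Vulnerability("unauthenticated engineering workstations", 0.5, 200_000, 5_000),
    Vulnerability("no backups of design data", 0.1, 1_000_000, 20_000),
    Vulnerability("outdated visitor badge system", 0.2, 50_000, 30_000),
]
BUDGET = 70_000
ACCEPTABLE_RISK = 160_000

# The new finding from the post: usable only by an administrator already
# logged in locally, so the estimated likelihood is low.
NEW_ADMIN_ONLY = Vulnerability("cooling app: command via admin console",
                               0.02, 2_000_000, 40_000)
# The same flaw if it were reachable without administrator access, for contrast.
NEW_IF_REMOTE = Vulnerability("cooling app: command via remote interface",
                              0.1, 2_000_000, 40_000)


def run_example() -> dict:
    funded, deferred, residual = prioritize(VULNS, BUDGET, ACCEPTABLE_RISK)
    remaining = [v for v in VULNS if v.name not in funded]
    return {
        "funded": funded, "deferred": deferred, "residual": residual,
        "admin_only": assess_new_vulnerability(remaining, NEW_ADMIN_ONLY, ACCEPTABLE_RISK),
        "if_remote": assess_new_vulnerability(remaining, NEW_IF_REMOTE, ACCEPTABLE_RISK),
    }


if __name__ == "__main__":
    for key, val in run_example().items():
        print(f"{key}: {val}")
```

With these numbers the two cheapest-per-risk fixes are funded, the residual risk sits under the acceptable level, and the administrator-only cooling flaw can be scheduled rather than patched immediately, because adding it still leaves total risk within the acceptable level. The contrasting entry shows that the same flaw with a higher likelihood would push risk over the line and justify patching now, which is exactly why the assessment has to come before the patching decision.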

Monday, May 14, 2018

Understanding Control Types & Functionality

A safeguard, control or countermeasure is implemented to reduce the risk an organization faces.

Let’s understand it through some examples.

1. A company puts in an antivirus solution to reduce the potential danger from malware.
2. Citizens put in steel gates at the entry to the streets in their areas.
3. A leading e-commerce company deploys a backup solution.
4. A person deploys CCTV at his home.
5. Since the organization could not build a perimeter wall, it deploys security guards to man the area around the building.

What do all of these examples have in common? In each of them, a mechanism has been deployed to reduce the potential danger which an organization or an individual faces. This mechanism reduces the level of risk and is called a control.

There are 3 types of control which can be deployed:

1. Administrative Controls (Managerial) – Controls that are deployed from a management perspective. Also known as soft controls. Examples of such controls include security policies, training, internal company standards etc.

2. Technical Controls (Logical) – Controls that are technical in nature and work from a logical perspective. Examples include firewalls, encryption, anti-virus, access authentication etc.

3. Physical Controls – These are put in place to ensure physical security. Examples include security guards, fences, perimeter walls, CCTV, doors, dogs etc.

All these types of controls provide the following six types of functionalities:

1. Preventive – Controls that try to prevent an incident from happening.
2. Corrective – Controls that fix things after an incident has happened.
3. Detective – Controls that detect that an incident is happening or has happened.
4. Recovery – Controls that help you recover from an incident.
5. Deterrent – Controls that discourage an attacker from attacking.
6. Compensating – An alternative control put in place to compensate for the intended control.

These definitions are quite straightforward and should be applied as such. For example, consider the second example, where steel gates have been deployed. Steel gates are a preventive control deployed by the people. Your train of thought may also run like this: an attacker would see the steel gate and find it to be a deterrent, so this must be a deterrent control. Note that in any case, you need to understand the basic intent behind the control and you will get the functionality right. A steel gate has been deployed to prevent something bad from happening and hence is a preventive control.

Another point to remember is that controls must be deployed in a layered fashion, like an onion. It is advisable to put preventive, detective and corrective controls in layers so that you are able to prevent the attack from happening in the first place; if you could not prevent it, you are able to detect it; and if you failed to detect it, you are able to correct what has happened.

Let’s leave you with something to work on.

Todd is a security specialist deployed by a leading e-commerce company. He has been asked to create a list of preventive controls which can be deployed to protect the company’s internet facing servers from being hacked. Can you list down a few preventive controls to help Todd?

Saturday, May 12, 2018

Understanding Vulnerability, Threat & Risk

Consider the following two examples:

There is an office building where there are no physical security controls. There is no perimeter wall to surround the building. On entry, you do not find any identification proofs being asked. There is no baggage scanner.

An e-commerce company has around 50 computers in an office through which it manages its back-end operations. The systems are not connected to the Internet and hence no anti-virus solution is installed on them. Moreover, anyone can log in to these systems, as there is no authentication mechanism (simply stated, no username or password) to log in to the systems.

What do you make of the above scenarios? I sense that you understand that in both the above situations, there is a risk to the building and the company. Let’s understand the definitions of the three most commonly used terms in information security.

Vulnerability – Weakness. In other words, the inability to withstand the effects of a hostile environment. In terms of information security, we refer to a weakness from the aspect of physical or logical security, i.e. it can be a hardware, software, human or physical weakness.

Now read the scenarios once again. Can you identify the vulnerabilities in these scenarios? In the first one, one of the weaknesses is the lack of a perimeter wall. Here the perimeter wall would be called a countermeasure. A countermeasure is a safeguard that is put in place. Hence vulnerability can also be defined as “lack of a countermeasure”. Another weakness is that no identification proof is asked for, which allows anyone to enter the building.

In the 2nd scenario, the lack of an antivirus solution will be considered a vulnerability. The lack of any authentication mechanism is also a weakness.

Threat – The potential danger of the vulnerability being exploited. In the first scenario, there is a threat of a person entering the building and attacking it. In the 2nd scenario, there is a potential danger of the systems being exposed to viruses or encrypted by a ransomware attack. In both cases, there is a potential danger of the weaknesses in the systems being exploited by an entity. This entity is known as the threat agent. So, simply stated, the threat agent is an entity that can exploit the weaknesses in the system. A threat agent can be a person, a piece of software or a bot.

Risk – Read the above scenarios once again. What is the likelihood that the building will be attacked or the systems will be hit with a ransomware attack? This probability, which you calculate or estimate from experience, is the risk. In numerical terms, many books define risk as the multiplication of threat and vulnerability. If the vulnerability gets exploited by a threat agent, damage may occur. Hence, the real potential damage which can happen is the risk.

Let me ask you another question. Do you think the risk would change if I gave you the additional information that the office building is near a military zone and the systems have their USB ports disabled? If your answer is yes, great. This is called the context in which you talk about risk. Risk is not something which is calculated once and acted upon, nor is it the same in every context or scenario. With changing scenarios, conditions and countermeasures, risk changes. Unfortunately, many organizations do not understand this fact.

Let’s consider the following scenario to understand these terms better once again.

JJ is the new security manager in a firm. He is asked to review the risk which his organization faces and submit a report. Upon analyzing the company controls, JJ finds that the company does not have an asset inventory in place. The users are also not aware of the policies and procedures of the organization.

1. What would JJ classify the awareness issue as?
   a. Threat
   b. Threat Agent
   c. Risk
   d. Vulnerability
2. How would you classify the asset inventory issue?
   a. Threat
   b. Threat Agent
   c. Risk
   d. Vulnerability

Write your answers in the comment section below. 

Monday, May 7, 2018

8 Important Cybersecurity lessons to learn from Avengers

1. Security isn’t just one person’s responsibility - To be truly effective, we need to develop a culture of security that transforms it into a company-wide effort. In most organizations, it is believed that security is the responsibility of either the security administrator or the chief security officer. It is the responsibility of everyone in the organization, from the foot soldier to the king.

2. Hackers hail from all over the world (maybe even beyond) – Your attacker can hail from any part of the world. The organization can be attacked from anywhere, not just from the district, state or country your organization is based in. Well, Thanos was not from this world at all, and he still wanted something from Earth.

3. You need to be a team player – The security team needs to work with various cross-functional teams to achieve results. The Avengers show what a team means: you need to be a team player and keep aside your differences to ensure security is implemented in the best manner possible.

4. Communication is key - Your coworkers will always have different ideas, motivations, and communication styles than you do — so it's imperative that you take the time to actively listen to the other members of your team when they speak up with their ideas or objections. 

5. Good security comes in layers – You're on a battlefield. There's an impenetrable mass of troops in front of you. You can't possibly break through it. What do you do? Defense In Depth is an ancient military strategy designed to solve exactly this problem. The battle in Wakanda shows that we need to be prepared on multiple fronts to save our precious infrastructure.

6. Improving security isn’t a once-in-a-lifetime activity – If you have followed Iron Man, an integral part of the Avengers, you will appreciate the changes he has brought to his suit. The latest Iron Man suit in Avengers: Infinity War boasts nanotechnology integrated into it. In the same sense, we need to bring about changes in our security deployment based on risk assessments done on a continuous basis.

7. Preparing for the Inevitable –  We need to be always prepared for the inevitable. Security isn’t a morning activity which needs to be performed once in the morning like brushing your teeth. Being prepared for an attack 24*7 by implementing various security controls is the key to survival.

8. Beware of “red flags.” – When security teams highlight the vulnerabilities through risk assessments, internal audits or when the SIEM tools beep continuously, do not ignore those red flags. If you ignore these early warnings, you may end up getting half of your organization’s finances and brand value wiped in no time.

Image courtesy: Google & Marvel.

Blog Updates for the Reader

Thank you for being a part of this journey with me. Your love and affection have helped me to continuously improve myself and write about information security, both in general and in relation to the CISSP and SSCP exams. I have been thinking about the future course of this blog and, based on an analysis of the previously published posts and readers’ feedback through various channels, going forward the blog will be segregated into the following major categories.

1. Opinion – This would be a column where I would be sharing my viewpoints giving relevant examples.

2. Technology / Cybersecurity Series – This would be a 3- to 5-part series on upcoming technologies and process improvements, to help you understand the technology or process in a simple manner and then prompt you to think about the security concerns in those topics.

3. Exam Related Updates / Course Content – All details about the exam updates/happenings and the entire course material of SSCP & CISSP exam will be posted on the blog. 

4. Video Courses – The Video Courses of various exams will be posted on the YouTube Channel and the blog.

In addition to this, there may be general articles on various trending security happenings occasionally.

I request your co-operation and utmost support to help me improve this blog so that I can present you security related stuff in an easy, engaging and simple format. Your comments and feedback are highly valuable to me. Share your ideas, opinions or suggestions in the comments section below.

Thank you once again to all the readers around the world. Keep reading and sharing :)

Friday, May 4, 2018

CISSP Domain 8 Changes - 2018 vs 2015

Domain 8 also sees very little change in terms of course content.

2015 Exam Outline vs 2018 Exam Outline

2015: Understand and apply security in the Software Development Life Cycle (SDLC)
  • Development methodologies
  • Maturity models
  • Operation and maintenance
  • Change management
  • Integrated product team
2018: Understand and integrate security in the Software Development Life Cycle (SDLC)
  • Development methodologies
  • Maturity models
  • Operation and maintenance
  • Change management
  • Integrated product team
Change: No change.

2015: Enforce security controls in development environments
  • Security of the software environments
  • Security weaknesses and vulnerabilities at the source-code level
  • Configuration management as an aspect of secure coding
  • Security of code repositories
  • Security of application programming interfaces
2018: Identify and apply security controls in development environments
  • Security of the software environments
  • Configuration management as an aspect of secure coding
  • Security of code repositories
Change: No change.

2015: Assess the effectiveness of software security
  • Auditing and logging of changes
  • Risk analysis and mitigation
  • Acceptance Testing
2018: Assess the effectiveness of software security
  • Auditing and logging of changes
  • Risk analysis and mitigation
Change: No change, except that acceptance testing was removed.

2015: Assess security impact of acquired software
2018: Assess security impact of acquired software
Change: No change.

2015: No separate item.
2018: Define and apply secure coding guidelines and standards
  • Security weaknesses and vulnerabilities at the source-code level
  • Security of application programming interfaces
  • Secure coding practices
Change: No change, with secure coding practices added.

In summary, the domain weightages are as follows (% weightage in 2015 and % weightage in 2018):
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communications and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security