Posts

Showing posts from May, 2018

Security Risk Assessment in The Internet of Things

Internet of Things, henceforth referred to as IoT in this article, refers to all the devices connected to the Internet which “talk” to each other. This means if your washing machine is connected to the Internet and talks to a cloud server, giving its health information to the company’s server, it would qualify as an IoT device. So, simply, the Internet of Things is made up of devices – from simple sensors to smartphones and wearables – connected together. The IoT is one of the most talked-about technologies nowadays. Every company is working on its implementation and introduction into our daily lives. Given the increasing number of cyber-attacks, it makes sense to identify the risks faced by the deployment of this technology. The traditional method of doing a risk assessment involves identifying assets, their weaknesses, the threats they may face and the potential danger in case of exploitation. On identification of these risks, they are prioritized and countermeasures are adopte

Risk Analysis Approaches

Which color do you like? Choose one – Red, Amber or Green. Let’s try another one – how much would you like your company’s risk to cost – $10,000, $20,000 or $50,000? Choose one again. Confused? Don’t be. After all, risk analysis is about analyzing risk either in terms of a color, a heat map or numbers. The two approaches to risk analysis are Quantitative and Qualitative. Let’s understand them. Quanti-tative Approach: this break will help you remember that this approach is related to numbers. Quanti refers to numbers here. We assign monetary and numeric values to all aspects of risk analysis. If you revisit the topic of Risk Assessment, we identified that there are multiple parameters to be taken care of while calculating risk. Hence, in this approach, we assign monetary values to each aspect so that at the end we can quantify, or measure, the value of the risk in dollar terms. Let’s understand this through a simple example – There is a buildi

Risk Assessment Methodology

Having understood Risk Management and Risk Assessment in earlier blog posts, it is time for us to understand the various methodologies of risk assessment. The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As security professionals, it is important for us to know the best approach for our organization and its needs. The first one is considered a U.S. federal government standard, called NIST SP 800-30. It lays out the following steps: • System characterization • Threat identification • Vulnerability identification • Control analysis • Likelihood determination • Impact analysis • Risk determination • Control recommendations • Results documentation. The NIST risk management methodology is mainly focused on: a)

Understanding Risk Assessment

Risk Assessment is a part of the Risk Management process. It is a method of identifying the vulnerabilities and threats, and the impact in case the threat agent exploits the vulnerability, in order to suggest security controls. There are a lot of Risk Assessment methodologies available, such as NIST SP 800, FRAP, OCTAVE, Delphi etc., to assess the level of risk. In simple terms, risk assessment involves identifying weaknesses, threats and the potential danger in case of exploitation, and on this basis you will recommend certain countermeasures. Sounds simple? It’s practically the most challenging, time-consuming and difficult work in the entire risk management process. Let’s understand what makes this simple, straightforward process so difficult to execute. You are a security professional and the CEO calls you to do the security assessment of the site at New Delhi. If you start doing the risk assessment in this case, I assure you that you will end up pulling your hair out in the end.

Demystifying Risk Management

When you speak to security professionals or the management in many organizations, most of them are of the opinion that security risk management is all about deploying the latest security tools available in the market, with a focus on applications, hacking, malware and, nowadays, data breaches. Although these items are important to consider, they are an extremely small part of the overall information security puzzle. Consider an organization dealing with nuclear reactor design and another organization providing cloud backup solutions. Would risk management be the same for both organizations? The answer is NO, which most of you would agree upon. Both organizations would be vulnerable to certain threats which may threaten their business models. Every business exists to make money, and security becomes an issue only when this bottom line is affected. Risk Management should always be done with the objective that the threats that are identified do not affect the bott

Understanding Control Types & Functionality

A safeguard, a control or a countermeasure is implemented to reduce the risk an organization faces. Let’s understand it through some examples. 1. A company puts in antivirus solutions to reduce the potential danger from malware. 2. Citizens put in steel gates at the entry of the streets in their areas. 3. A leading e-commerce company deploys a backup solution. 4. A person deploys CCTV at his home. 5. Since the organization could not build a perimeter wall, it deploys security guards to man the area around the building. What do all of these examples have in common? In all of the above examples, we can sense that there is a mechanism which has been deployed to reduce the potential danger which an organization or an individual faces. This mechanism reduces the level of risk and is called a control. There are 3 types of control which can be deployed: 1. Administrative Controls (Managerial) – Controls that are deployed from a management perspective. Also know

Understanding Vulnerability, Threat & Risk

Consider the following two examples: There is an office building where there are no physical security controls. There is no perimeter wall surrounding the building. On entry, you are not asked for any identification proof. There is no baggage scanner. An e-commerce company has around 50 computers in an office through which it manages its back-end operations. The systems are not connected to the Internet and hence no anti-virus solutions are installed on the systems. Moreover, anyone can log in to these systems, as there is no authentication mechanism (simply stated – no username, password) to log in to the systems. What do you make of the above scenarios? I sense that you understand that in both the above situations, there is a risk to the building and the company. Let’s understand the definitions of the three most commonly used terms in information security. Vulnerability – Weakness. In other words, the inability to withstand the effects of a hosti

8 Important Cybersecurity lessons to learn from Avengers

1. Security isn’t just one person’s responsibility – To be truly effective, we need to develop a culture of security that transforms it into a company-wide effort. In most organizations, it is believed that security is the responsibility of either the security administrator or the chief security officer. It is the responsibility of everyone in the organization, from the foot soldier to the king. 2. Hackers hail from all over the world (maybe even beyond) – Your hacker can hail from any part of the world. The organization can be attacked from any part of the world, and this cannot be limited to just the district, state or country your organization is based out of. Well, Thanos was not from this world and still he wanted something from Earth. 3. You need to be a team player – The security team needs to work with various cross-functional teams to achieve results. Avengers is what team means, and you need to be a team player and keep aside your differences to ensur

Blog Updates for the Reader

Thank you for being a part of this journey with me. Your love and affection have helped me to continuously improve myself and write about information security, both in general and related to the CISSP and SSCP exams. I have been thinking about the future course of this blog and, based on analysis of the previously published blog posts and readers’ feedback through various channels, going forward the blog would be segregated into the following major categories. 1. Opinion – This would be a column where I would be sharing my viewpoints and giving relevant examples. 2. Technology/Cybersecurity Series – This would be a 3/5-part series on upcoming technologies and process improvements, to help you understand the technology/process in a simple manner and then prompt you to think about security concerns in those topics. 3. Exam-Related Updates / Course Content – All details about the exam updates/happenings and the entire course material of the SSCP and CISSP exam wi

CISSP Domain 8 Changes - 2018 vs 2015

Domain 8 also sees very little change in terms of course content. 2015 Exam Outline 2018 Exam Outline Understand and apply security in the Software Development Life Cycle (SDLC) Development methodologies Maturity models Operation and maintenance Change management Integrated product team Understand and integrate security in the Software Development Life Cycle (SDLC) Development methodologies Maturity models Operation and maintenance Change management Integrated product team #No Change Enforce security controls in development environments Security of the software environments Security weaknesses and vulnerabilities at the source-code level Configuration management as an aspect of secure coding Security of code repositories Security of application programming interfaces Identify and apply security controls in development environments Security of the software environments Configuration