Posts

Identification, Authentication, Authorization, and Accountability

The four steps of access management are identification, authentication, authorization, and accountability. Many people confuse identification with authentication or treat them as the same thing, while others forget auditing or give it the least importance. These are four distinct concepts and must be understood as such. Identification: Whenever you log in to most websites, you submit a username. When you create an account, you are asked to choose a username that identifies you. The username you provide during login is "identification": it is simply a way of claiming an identity. From an information security point of view, identification is the step in which you claim who you are. Notice that you share your username freely. Your email address is a form of identification, and you share it with everyone in order to receive email. This means that identification is public information; on its own it proves nothing. Authentication: So now you have entered you
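To make the distinction concrete, the following is an added example (not code from the original post) that runs the four steps as four separate checks in one login flow. The user store, the role table and the audit log are constructed in-memory data, and the user names and passwords are invented for illustration.

```python
"""Identification, authentication, authorization and accountability as four
separate checks. Added example; not from the original post. The users, roles
and audit log below are constructed in-memory data."""
import hashlib
import hmac
import os
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256, 200k iterations, 32-byte output
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _new_user(password: str) -> dict:
    """Store a per-user random salt and the password hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed data. The username is the public identifier; the credential
# material is the secret that authentication checks against.
USERS = {"alice": _new_user("correct horse"), "bob": _new_user("hunter2")}
ROLES = {"alice": {"read_reports"}, "bob": set()}   # authorization data
AUDIT_LOG: list[dict] = []                           # accountability data


def identify(username: str) -> bool:
    """Identification only checks that the claimed identity exists.
    Knowing a valid username proves nothing, so this step alone never grants access."""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication verifies the claim with something only the real user knows.
    The hash is computed even for unknown users so timing does not reveal which
    usernames exist, and the comparison is constant-time."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else b"\x00" * 16
    expected = rec["hash"] if rec else b"\x00" * 32
    matches = hmac.compare_digest(_hash_password(password, salt), expected)
    return matches and rec is not None


def authorize(username: str, permission: str) -> bool:
    """Authorization decides what an authenticated identity may do."""
    return permission in ROLES.get(username, set())


def record(username: str, action: str, outcome: str) -> None:
    """Accountability: every decision is written to an audit trail that ties an
    action to an identity and a time."""
    AUDIT_LOG.append({"ts": time.time(), "user": username,
                      "action": action, "outcome": outcome})


def access_report(username: str, password: str) -> str:
    """Run the four steps in order and return the outcome."""
    known = identify(username)
    ok = authenticate(username, password)   # runs even when not known (timing)
    if not known or not ok:
        record(username, "login", "unknown-user" if not known else "auth-failed")
        return "denied: authentication failed"
    record(username, "login", "ok")
    if not authorize(username, "read_reports"):
        record(username, "read_reports", "not-authorized")
        return "denied: not authorized"
    record(username, "read_reports", "ok")
    return "granted"


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("mallory", "anything"), ("bob", "hunter2")]:
        print(user, "->", access_report(user, pw))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the response for an unknown username and for a wrong password is identical from the outside; only the audit log, which the user never sees, records which of the two happened.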

Security Risk Assessment in The Internet of Things

Internet of Things, henceforth referred to as IoT in this article, refers to all the devices connected to the Internet which "talk" to each other. This means that if your washing machine is connected to the Internet and reports its health information to the manufacturer's cloud server, it qualifies as an IoT device. Simply put, the Internet of Things is made up of devices, from simple sensors to smartphones and wearables, connected together. The IoT is one of the most talked-about technologies today, and every company is working on introducing it into our daily lives. Given the increasing number of cyber-attacks, it makes sense to identify the risks faced when deploying this technology. The traditional method of risk assessment involves identifying assets, their weaknesses, the threats they may face, and the potential damage in case of exploitation. Once these risks are identified, they are prioritized and countermeasures are adopte

Risk Analysis Approaches

Which color do you like? Choose one: red, amber or green. Let's try another one: how much would you like your company's risk to cost, $10,000, $20,000 or $50,000? Choose one again. Confused? Don't be. After all, risk analysis is about analyzing risk either in terms of colors on a heat map or in terms of numbers. The two approaches to risk analysis are quantitative and qualitative. Let's understand them. Quanti-tative Approach: the break in the word will help you remember that this approach is about numbers; "quanti" refers to quantity. We assign monetary and numeric values to all aspects of risk analysis. If you revisit the topic of Risk Assessment, we identified that there are multiple parameters to be taken care of while calculating risk. Hence, in this approach, we assign monetary values to each aspect so that at the end we can quantify, or measure, the value of the risk in dollar terms. Let's understand this through a simple example. There is a buildi
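The following is an added example (not the post's own building example, whose figures are not on this page) that carries both approaches through in code. The quantitative side uses the standard formulas SLE = AV x EF, ALE = SLE x ARO, and safeguard value = ALE before minus ALE after minus annual cost of the safeguard; the post does not state these formulas, so they are an assumption here. The qualitative side maps a likelihood and an impact rating onto the red/amber/green bands the post opens with. All dollar figures and ratings are constructed.

```python
"""Quantitative vs qualitative risk analysis. Added example, not from the
original post. Formulas assumed: SLE = AV * EF, ALE = SLE * ARO,
safeguard value = ALE_before - ALE_after - annual safeguard cost.
All figures below are constructed."""
from dataclasses import dataclass


@dataclass
class QuantitativeRisk:
    asset_value: float        # AV: what the asset is worth, in dollars
    exposure_factor: float    # EF: fraction of AV lost in one incident (0..1)
    annual_rate: float        # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollars lost per year."""
        return self.sle() * self.annual_rate


def safeguard_value(before: QuantitativeRisk, after: QuantitativeRisk,
                    annual_cost: float) -> float:
    """Net annual value of a countermeasure. Positive means it pays for itself;
    negative means the organization would spend more than the risk it removes."""
    return before.ale() - after.ale() - annual_cost


# Qualitative side: ratings are ordinal, not dollars, so the result is a
# color band on a 3x3 heat map rather than a number.
LEVELS = ("low", "medium", "high")


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Map likelihood and impact ratings to Red / Amber / Green."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)   # 0..4
    if score >= 3:
        return "Red"
    if score == 2:
        return "Amber"
    return "Green"


def worked_example() -> dict:
    """Constructed scenario: a $500,000 building, fire destroys 60% of it,
    expected once every ten years. A sprinkler system (hypothetical, $12,000 a
    year) cuts the loss per fire to 10%."""
    before = QuantitativeRisk(asset_value=500_000, exposure_factor=0.6, annual_rate=0.1)
    after = QuantitativeRisk(asset_value=500_000, exposure_factor=0.1, annual_rate=0.1)
    return {
        "sle_before": before.sle(),                        # 300,000
        "ale_before": before.ale(),                        # 30,000 per year
        "ale_after": after.ale(),                          # 5,000 per year
        "sprinkler_value": safeguard_value(before, after, 12_000),   # 13,000
        "qualitative": qualitative_rating("low", "high"),  # Amber
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k}: {v}")
```

The quantitative answer ("the sprinklers are worth $13,000 a year") is something management can compare against a budget; the qualitative answer ("Amber") is quicker to produce but only ranks risks against each other. Which one fits depends on how much data you actually have for AV, EF and ARO.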

Risk Assessment Methodology

Having understood Risk Management and Risk Assessment in earlier blog posts, it is time for us to understand the various methodologies of risk assessment. The industry has several standardized methodologies for carrying out risk assessments. Each methodology has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As security professionals, it is important for us to know the best approach for our organization and its needs. The first one is a U.S. federal government standard, NIST SP 800-30. It lays out the following steps: • System characterization • Threat identification • Vulnerability identification • Control analysis • Likelihood determination • Impact analysis • Risk determination • Control recommendations • Results documentation. The NIST risk management methodology is mainly focused on: a)

Understanding Risk Assessment

Risk Assessment is part of the Risk Management process. It is a method of identifying vulnerabilities and threats, and the impact if a threat agent exploits a vulnerability, in order to suggest security controls. Many risk assessment methodologies are available to assess the level of risk, such as NIST SP 800-30, FRAP, OCTAVE and Delphi. In simple terms, risk assessment involves identifying weaknesses, threats and the potential damage in case of exploitation, and on that basis recommending countermeasures. Sounds simple? It is practically the most challenging, time-consuming and difficult work in the entire risk management process. Let's understand what makes this seemingly straightforward process so difficult to execute. You are a security professional and the CEO asks you to do a security assessment of the site at New Delhi. If you start doing the risk assessment as it stands, I assure you that you will end up pulling your hair out.

Demystifying Risk Management

When you speak to security professionals or to management in many organizations, most of them are of the opinion that security risk management is all about deploying the latest security tools available on the market, with a focus on applications, hacking, malware and, nowadays, data breaches. Although these items are important, they are an extremely small part of the overall information security puzzle. Consider an organization that designs nuclear reactors and another that provides cloud backup solutions. Would risk management be the same for both? The answer is no, as most of you would agree. Each organization is vulnerable to different threats that may endanger its business model. Every business exists to make money, and security only becomes an issue when this bottom line is affected. Risk Management should always be done with the objective that the threats identified do not affect the bott

Understanding Control Types & Functionality

A safeguard, control or countermeasure is implemented to reduce the risk an organization faces. Let's understand it through some examples. 1. A company puts in an antivirus solution to reduce the potential damage from malware. 2. Citizens put steel gates at the entry to the streets in their area. 3. A leading e-commerce company deploys a backup solution. 4. A person installs CCTV at his home. 5. Since the organization could not build a perimeter wall, it deploys security guards to man the area around the building. What do all of these examples have in common? In each of them, a mechanism has been deployed to reduce the potential danger that an organization or an individual faces. This mechanism reduces the level of risk and is called a control. There are three types of control which can be deployed: 1. Administrative Controls (Managerial): controls that are deployed from a management perspective. Also, know