Read More

Understanding The Cross Site Scripting Attack

A decade ago, there was a shift in the way the computer applications were used, illuminating an epoch of web application development. Now the computers have reached a point where people can write better programs & perform the most complex operation with the application. These circumstances arose the demand of portability and finally, the web-based applications become popular. However, with the emergence of the web-based application, came several kinds of attacks including SQL injection attacks and cross-site scripting. It is essential to understand the threat, its nature and influences in order to prevent it from influencing into our creations.

We have already discussed the SQL injection attack with some corresponding examples in our earlier blog, “Understanding The SQL Injection Attacks”, here we are going to explore deep about the cross-site scripting attack.

Cross-site scripting vulnerability is the most common weakness present in the WordPress Plugin. The following figure illustrates the result of their analysis:

Among the 1599 WordPress plugin vulnerabilities they found after 14 months, the following are the notable distribution

Cross Site Scripting

Image Source: wordfence.com

An Overview Of Cross-Site Scripting

Cross Site Scripting attack, is possible if the attacker is able to trick client system, like browser, to execute some code or script. The client system will execute same by considering that it is the part of the application and runs same in that context. Cross Site Scripting attack primarily targets browser, not Server.

Unlike the SQL injection outbreak, where the hacker is victimizing a vulnerable website to achieve access to its data, the cross-site scripting attack can directly target the user of the website. Though both kinds of attack, inject the malicious code into the website, in cross-site scripting, it is not the website, which is attacked. The malicious codes are usually injected in the comments as well as scripts from where they run automatically. Cross Site Scripting attack, is possible if the attacker is able to trick client system, like browser, to execute some code or script. The client system will execute same by considering that it is the part of the application and runs same in that context. In addition, these attacks affect the reputation of a website by placing the user’s information at the danger of being misused or stolen.

The success of the cross-site scripting attack needs the victim to run a malicious URL that may be created in such a way to appear to be valid or authentic at first look. The clicking on such an URL allows the attacker to execute something malevolent in the browser of the victim.

So, Cross Site Scripting is a low hanging fruit that anyone can trigger without many privileges. This flaw can easily be detected by both white and black box analysis of the application. This flaw doesn’t impact server directly, but it may result in sensitive data leakage resulting in more severe attacks like a hijacking.

Types Of Cross-Site Scripting

There are three different kinds of the cross-site scripting. They are

  • Reflected XSS

In this type, user provided input script is not stored, but merely included in the response from the server, either in results of a search or as an Error message. This type is commonly known as non-persistent or Type-II.

Here the attacker inserts the malicious executable code within an HTTP response. Since it is a non-persistent attack, the inserted attack is not archived within the target application. In addition, it only influences the users who clicked the malicious link.

  • Stored XSS

In stored XSS, user provided input script is stored on the Target Server like a database, visitor log, message forum, comment field, etc. So, every time user visit page, it gets executed. This is also known as persistent or Type-I.

  • DOM Based XSS

Here, the payload is executed in victim’s browser as a result of DOM environment modifications on the Client side. This type is also known as Type-0.

Let us explore the cross-site scripting vulnerability with an example:

Consider the following scenario:

Understanding The Crosssite Scripting Attack

Here user clicks a URL with attack payload. If the server is not filtering data properly, it will send it back as a part of the response. The client system will consider it as a part of code coming from Server and will execute it. This case is known as Reflected type, as the script is reflected back from the Server.

 Reflected type,

As shown above, in case, Server stores this attack script as part of user input, it is called as stored type. In stored type, whenever, the user retrieves the page containing this script, it will be executed.

To demonstrate what aggressors can do by exploiting cross-site scripting vulnerabilities, we have used a simple DNS lookup page.

 what aggressors can do by exploiting cross-site scripting vulnerabilities what aggressors can do by exploiting cross-site scripting vulnerabilities

Here provided input is taken as data, for nslookup command running in the background, to provide the required result. Now, as a part of user input, an attacker can inject a simple JavaScript, which will pop up an alert window.

For example, if the attacker entered the following script as an input:

an attacker can inject a simple JavaScript

The result will pop-up an alert window with the input given:

attacker sends value

Attacker as a part of the script, may call any client function and can extract data accordingly. For example, if they place document.cookie as script value:

document.cookie as script value

It will result in session id under alert window:

reflected type cross site scripting

This attack is called as reflected type cross site scripting. Let us analyse a case, where a blog entry field is present.

 place a simple java script

Here a user can insert a blog content, and will be stored at server side. This entry will be disclosed to all users on retrieving the same. If instead of blog, we place a simple java script like last scenario.

 entry at server side

we can see it is stored as an entry at server side, and will be executed every time page is loaded.

login as a valid user

This scenario is not only valid for current user, but also for any user, who can access the concerned page. Let us login as a valid user, and access same page:

script is triggered

we can see script is triggered accordingly, showcasing session id of concerned user.

persistent or stored cross site scripting

In this case, where script is stored permanently at server side, is known as persistent or stored cross site scripting.

 

Cross Site Scripting Prevention Method

Though the recent browsers comprise an inbuilt XSS filter, they shouldn’t be sound as a substitute to sanitization. They can’t detect entire types of cross-site scripting attacks & aren’t strict to avoid false positives that would prevent web pages from loading. The XSS filter in the web browser should consider as the second line of defense.

As a part of prevention steps, we need to ensure the following actions:

  • Strictly whitelist, filter, and analyze user input at both clients, and server side.

  • Usage of Security headers like Content Security Policy is also recommended, to avoid loading of the script from untrusted sources.

  • It is essential to implement a context-dependent output encoding

  • It is also essential to avoid straining of risky characters and functions since the XSS filters in the browsers cannot recognize the risky payloads

If you capable to determine and avoid cross-site scripting vulnerabilities and protect your application output, then you’ll avoid half of whole vulnerabilities, which might be introduced into the application.


Real World Web Penetration Test Workshop

Read More

Discover What Session Management Is

The session management is a mechanism of basic security component in the broad range of web applications. HTTP is a stateless protocol & the session management facilitates the applications to uniquely determine a certain user across a several numbers of discrete requests as well as to manage the data, which it accumulates about the stance of the interaction of the user with the application. Since the session management plays a key role in the web applications, they become the prime target for the attacks against that application. If a malicious attacker can break the session management of any application, they can easily bypass its whole authentication controls and coverup as other users without having their credentials. In case a hacker compromises the account of an admin in this way, the attacker can control the entire application. Because of this severe influence, OWASP listed the broken authentication and session management as the second vulnerability in its Top 10 lists.

As we have covered basic attacks such as SQL Injection and Cross Site Scripting in the earlier blogs, here we will focus on the Session Management.

Key Pieces Of Session Management

Session management is the process that secures multiple requests to the service from the same entity or user.

  • Session - The session allows storing everything, which we can receive from the client from the entire requests that the client makes.

  • Session Id - Users show they possess a session by entering authentication constraints with each and every request, which generally include the session Id & other aspects like a nonce. The session Ids are generally long as well as random so as it is impossible to guess them.

  • Cookies - In session management, the client security is a major concern. In web browsers, the session ids are often stored in secure cookies. Cookies are the small chunks of information, which are sent from the web server as a response to the client. They are the simplest method used to store client state.

  • Transport - Session management is a process of offering secrets to the authenticated users like session id and involving them return it back to you. The communication secured with cryptographic mechanism is essential to employ session management.

  • Session Expiry - Sessions are generally a temporary object, which expires after certain time period. The life of session object can be extended by using the new request with an extreme age, which cannot be exceeded.

How Session Works

Whenever a user begins using the application, the server can save a Session Id about the user, throughout the application, up to it is destroyed. Hence, whenever the user attempts to use the application, the server will always include his details and it can always handle the actions of the users. As soon as the user exit from the application, the server destroys the user’s information.

how seession management works

The Battle Over Session Management

Weakly implemented Authentication mechanism can be easily exploited by any user, who can send untrusted data to the system. These are commonly found due to improper implementation of Authentication related processes, like Logouts, Password Management, Timeouts etc. Since each implementation is unique with respect to application requirement, this risk needs a thorough analysis of the application, and can’t be easily detected using automated scanners, and tools.

To add further, authentication related risk may lead to concerns like hijacking, where an attacker can take control over the system or can escalate his privileges to send undesired queries.

We know that HTTP is a stateless protocol, it uses cookies, and session Ids to track the state, and maintain the session. Now, improper implementation, or lack of security controls for the same, may lead to its leakage, resulting in the hijacking of complete user state.

How Session Can Be Hijacked:

The sessions can be compromised in different ways. The three most common ways are:

1. Authentication Cookie Theft

Exploit via XSS It involves the method of exploiting the XSS weakness and steal the authentication cookie from the target who opened the infected link. Attackers will use the stolen cookie to compromise the target account. In exploit via XSS method, the hacker sends a link with the malicious JavaScript to the victim to steal the cookies of his browser. As soon as the victim opens the link, the malicious JavaScript will start to execute the instructions crafted by the hacker.

Sniff it over the network/insecure connectionThis method involves two steps to gain unauthorized access. First, the attackers capture the cookie exist over the network or insecure connection with the help of sniffer tools. Then, with the sniffed cookie or session ID, he can achieve unauthorized access even without having a password.

Get it from a victim’s PC- To achieve this the hacker prompt the victim’s computer to run a malicious JavaScript, which includes the action of sending the HTTP request (along with cookies attached) to the hacker.

2. Stealing Session ID

Retrieve it from the URL There are some situations where the application fetches JS files or image from same domain by using HTTP. The issue is when sending a request to an already signed in the domain, the session Id would automatically go. Even if a single URL passes to the server without the HTTP, the session Id would append along with it. This gives the attackers great opportunity to steal the Id.

Get it from response headerThis attack occurs when the script embeds the session Id in the HTTP response header. In case the attacker receives the response instead of the corresponding user, they can gain the details of the session Id.

Collect it from logs – Consider that an organization logs the session Id. An internal attacker of the organization can hijack the entire sessions by simply obtaining access to an application log file.

3. Account Management Attack

Brute force/Dictionary attack Brute force/Dictionary attack generally involves a number of attempts to guess the required information such as username and password. Similarly, when it comes to stealing the session Id, once they understand the pattern of the session Id, they can hijack the account by predicting the session details of the logged users.

Weak Password Policies Setting password based on weak password policies includes the risk of being overwritten or changed by the attackers. With their own password, the attackers can effortlessly steal the session Id to take the control of the user’s session.

Example Scenario: How Improper Cookie Management, Results Into Privilege Escalation Of A User:

To analyze, the request flow between Client, and Server, we have placed Burp as a proxy server in between, which will capture all queries, and enable us to analyze same. The Burp Proxy serves as the web proxy server between the browser & target applications. It allows us to intercept, review and modify the traffic passing between the application and browser.

.With intercept turned off in the "Intercept" tab of the proxy,

intercept

Visit the login page of the application that you’re testing in your browser. Login to the application

testing in your browser

Return to Burp.

Make “Intercept is on" in the proxy

Return to Burp

Refresh your browser page

Now the request is captured by Burp, it can be observed in the intercept tab

request is captured by Burp

We will forward same to the server, without any intervention.

forward same to the server,

The captured request clearly shows Cookie information, where the username and uid are also placed under the header.

Cookie information

Here, if we change the uid value, and send a request to the server, we can see, the user can jump from one user account to another.

Consider a case, if we change the user id value to one, or to some privileged account as shown below:

change the user id value

It may lead to disaster, by escalating privileges to that of an admin.

 implement proper cookie protection mechanism

We need to implement proper cookie protection mechanism, like by utilizing proper flag, management, and implementation policies.

How To Defend Session Management

  • Enhance Cookie Protection. Use ‘HttpOnly’ cookie flag. Ensure to have ‘secure’ cookie flag set. Set the Path and Domain parameters for the cookies accurately. Avoid application code for manipulating the session cookies.

  • Set session expiry time, if it is idle. The session should be expired automatically when it remains idle for a particular time period. This will support to limit the chances a hacker has to steal the session ID or perform unwanted actions.

  • Ensure Strong Passwords. The password should include the restricted complexity. The complexity typically needs the combination of numeric, alphabetic or non-alphanumeric characters. Users should not be allowed to reuse the previous passwords. In addition, imply effective password policy.

  • Ensure the session IDs remain secure by protecting the session ID tokens with SSL.

  • Session IDs should be generated, controlled as well as secured centrally only by the authorization and authentication mechanism instead of under the control of either users or client.

  • Session IDs shouldn’t be exposed in the URLs, which client machines are using to connect to the web server to avoid being copied by the attackers.

Professionals must understand that flawless session management is the main component of creating a secure application. Hope the above information provided an idea on why to ensure good session management and how to implement them.


web app

Read More

Insight Into Web Services Security Testing

At present, the web services have turned into an integral portion of the mobile and web applications. Because the millions of people are using the business and mobile applications, web services are becoming one of the major target or attack vectors of the hackers. Unfortunately, most of the testers today are not bothered about the web service popularities, its recent advancements and demanding testing methodologies & tools. On the other hand, most methodologies that are active in the current organizations either don’t work appropriately or poorly designed to meet the real-world vulnerabilities. Furthermore, there is no proper environment for evaluating the tools and attack techniques of the web services. Well, this article is going to address some useful information about the web services security testing and factors to consider in the implementation of the same.

Reasons Why Hackers Target Web Services

Web service provides the hacker a secondary route to attack the web application. Since in most of the cases, the web services are created in a way to integrate the remote systems into the processes or data of the business. Hence, these services allow direct access for the hacker. The hackers are possibly competent enough to exploit the vulnerabilities present in the web service and thereby bypass the application controls. In addition, most developers, as well as administrators, aren’t focusing on the security challenges of the web services. The penetration testers often found that the web services are developed or installed outside the scope of web application protection.

Web Service Testing

Web services applications are systems that are facilitating the business to inter-operates and are progressing at an unparalleled rate. They are visible on the net similar to any other service. The framework of the web services employs the HTTP protocol as the standard web application in combination with the following technologies:

  • WSDL (Web Service Description Language) -describes the service interfaces

  • SOAP (Simple Object Access Protocol) – offers a means for communication between the client applications and web services

  • UDDI (Universal Description, Discovery & Integration) – employed to register & publish Web services

The vulnerabilities found in the web services are analogous to other common vulnerabilities like information disclosure, SQL injection, and leakage. In addition, web services also comprise unique XML/parser oriented vulnerabilities.

Accurately testing a web service involves something more than using a tool in WSDL to check whether there are security problems. However, the security communities are not putting much effort and time in this area. The traditionally documented testing methodologies and testing techniques not capable enough to meet the ever-evolving vulnerabilities and recent real-world threats to the web services. In addition, currently, the tester has no proper testing environment to test the new tools & techniques and enhance their skills. There is no practical way for the testers to test the new methodologies and tools. Such condition makes the web service testing mystery.

The Issues with Testing The Web Application

The majority of the testing tools or web service available in the market is meant only for the quality assurance, not for security testing. Similarly, the penetration tests aren’t scoped adequately to add the associated web services. In case they are scoped properly, most of the testers possess no idea on how to start web service testing. Once the testers initiate the process, they used to get more confusions especially in case the web service is employing custom or proprietary technology like homegrown authentication mechanisms. Unfortunately, time, which could be used upon evaluating for vulnerabilities and flaws often are used upon constructing interfaces and tools to test the security of web services.

Another problem in the testing the novel web services like Windows Communication Foundation (WCF) is that currently, we have no proper tools to test them properly. Because the WCF web services are designed to employ TCP binding as opposed to the less secure BasicHTTPBinidng. The testing tools, which support the WCF protocols are generally commercial based and mainly offer functional testing.

OWASP Web Service Testing Methodology

The OWASP testing guide v4 states the methodology for the web service testing. They are as follows:

  • WS Information Gathering – Involves determining the WS entry point as well as communication schema

  • Testing WSDL – Once the WS entry point is determined, we can test the WSDL

  • XML structure Testing – If the XML is not formed well, that shall fail once parsed on the server side; hence that should be formed to function properly. The structure of the XML requires being tested to ensure that it runs the entire XML message thoroughly in a serial way to evaluate the XML well-formedness.

  • XML Content Level Testing – Generally the content-level attacks focus on the server that hosting a web service and any apps, which are used by the service.

  • HTTP GET Parameters / REST Testing – Several XML applications are raised by sending them as parameters via HTTP GET queries. Attackers can pass malevolent content via the HTTP GET string to attack the web services.

  • Naughty SOAP Attachments – The risks present in the processing the server attachments and redeployment of the file to the clients. This section tests the attack vectors for the web servers, which accept attachments.

Web Service Testing Checklist

The following list describes the checklist that the testers need to consider while performing the web service security testing.

  • Pre-Assessment

  • Information Gathering

  • Testing Phase

web services information gatheriing

black box information gathering

web services testing phase

Hope the above information would provide you an idea about the recent posture of web services security testing. In the forthcoming years, it will be essential for the security tester to work with the application developers to determine the threat vector, which should be integrated into the continuing threat models for testing web services security


Read More

Top Six Penetration Testing Challenges For Organizations

The security gaps, loopholes as well as weakness prevailing in the software system offers the doorway to attackers or any unauthorized entity, to exploit the system, affecting its confidentiality and integrity. As such, pen testing of the software has become vital to avoid these vulnerabilities to make the software component adequate to survive and defend against the unexpected and expected security attacks.

What Is Penetration Testing?

A Penetration Testing is defined as the study of the consequence of security vulnerability against a software, network, application or any compilation of these. During pen testing, the testers assumes the identity of the attacker and try to accomplish unauthorized access. This testing evaluates the effectiveness of the system’s security controls.

Advantages of Penetration Testing

  • It determines the vulnerable and weaker areas of the software before the attacker spots it.

  • It evaluates the existing security controls of the system to assess its ability in defending the unexpected attacks. This could ensure the level of standards maintained in terms of system security.

  • In addition to the vulnerabilities in the system, the pen test also evaluates various business risks as well as problems, including any kinds of compromise with confidence and authorization of data access within the organization. It supports the organization to prioritize their plans to mitigate various business risks and issues.

  • It also supports to identify as well as meet certain vital security norms, standards and practices, a software is deficient of.

Besides the plenty of benefits, as the technology is evolving, systems or software are becoming more complex than before, there are some challenges associated with penetration testing. In order to ensure effective penetration testing, the tester should take efforts to meet those challenges. Let us point out the top six important penetration testing challenges for the organization to consider.

Top Penetration Testing Challenges for Organizations

  1. Determining the test coverage

  2. Determining what kind of pen testing is required

  3. Understanding difference between penetration testing and vulnerability scanning

  4. Determining the risk associated with disclosure of sensitive data and failure of the system

  5. Approving the target and regularity of pen test

  6. Imagining that the fixing of vulnerabilities detected in pen testing will ensure the total security of the system

Determining the Test Coverage

In the traditional penetration testing, the test scenarios are decided by their test coverage and it is one of the major test measurement criteria. Generally, the testers look for the test cases that support to achieve a high level of test coverage. However, when it comes to today’s complex environment, it becomes challenging to determine the length as well as the breadth of the test coverage since this testing exercises only on the external network interfaces. This assumes that testing the external interface will work equally to testing the software interface directly. However, the fact is different from this. To achieve proper test coverage, the test team requires going beyond the traditional constitutes of the penetration testing.

Determining What Kind Of Pen Testing Is Required

What kind of penetration testing do you need to be performed? – The most common question that you come across when you decide to go for pen testing. Most people recommend starting with external network interface testing. However, the proper answer to this question depends on nature of the business environment. The organization must understand its environment and budget to decide what kind of pen testing that their business requires. It is important to make sure that you invest in the right testing type which suits your needs.

The main reason that makes an organization to find difficulties in choosing the right type of testing is the lack of communication among the security team and application owners. In several cases, the business units realize their exact type after it has started their process. In worst cases, some organization will find out only after they encounter security issues. This misjudgement on the type of testing could delay the project. The best way to handle this challenge is involving entire stakeholders and mandatory roles while deciding on the type of pen testing.

Understanding Difference Between Penetration Testing And Vulnerability Scanning

The most common challenge in the IT security services has been the often confusion as well as interchanging of terms, which people think refer the same thing but refers different. The same thing happens when it comes to, penetration testing, many people confused with the terms penetration testing and vulnerability scanning. They often misused and even swapped out these two terms. When the organization trying to protect themselves from the data breach, this confusion becomes problematic since if one person in the testing team is mentioning about one service, the other person assumes that he is referring to another service that was not intended.

The penetration testers must understand that the main objective of the vulnerability scanning is to determine as well as evaluate possible vulnerabilities in the technical perspective, whereas the penetration testing attempts to exploit the determined vulnerabilities, which may result in unauthorized malicious access, modification, interception of normal organization process and data.

Determining the Risk Associated with Disclosure of Sensitive Data and Failure of System

With ignorance of risk associated with the failure of the system and disclosure of sensitive data, there is clearly no solution to protect the business and their data. The risk associated with these issues encompasses the chances of occurrence of the undefined events and their ability for loss within the organizations. Understanding the impacts allows to plan for the unexpected failure or data leakage and that will support to ensure the success of the application. It also defines how to handle the risks hence the penetration tester can determine, mitigate and avoid security problems. Hence, for each of the determined risk areas, the penetration test scenarios should be established which should accurately test the application and its components to find whether there is risky or not.

Approving the Target and Regularity of Pen Test

Generally, the penetration test begins with the corresponding tester enumerating the target to detect vulnerable systems. The penetration testers should start their asset attacking attempt by learning their pen test targets. Here, they are required to aware the OS platforms, IP addresses, version numbers advertised network ports, patch levels and anything else that can cause the chance to exploit. It is hard for the pen tester to find the potential vulnerability by spending only a few minutes since they must use the information gained in the detection for continued evaluation and attack attempts.

In addition to this, the frequency of the pen testing becomes another challenge for the testers. Since they need to consider several factors while deciding how frequent the pen testing should be performed. For this, they require performing an internal risk assessment as well as threat analysis to identify its risk appetite.

Imagining That the Fixing of Vulnerabilities Detected in Pen Testing Will Ensure the Total Security of The System

If pen testing alone was an effective way to secure applications and network, then the software would be very secure. This is what most of the organizations think, but it is not. The pen testers still uncover security flaws in some application even after detection of possible vulnerabilities during a pen test. Because, daily, often and complex update process to keep the system up-to-date may lead some changes in the associated software and hardware that might result in security issues. This testing alone won’t transform organization’s security outcomes. On the other hand, this test result in a prioritized report of the security loopholes for the target to consider.

These are the common challenges likely to be encountered during the penetration testing. Understanding these issues in advance and establishing a plan to handle them will support the effective pen testing.


Read More

Vulnerability Disclosure Process New Trends

As technology and software systems become complex and increasingly interconnected, the possibility they will comprise vulnerabilities enhances. Vulnerability make the chances for attackers to perform cybercrime or disturb user activity. Though organization taking several possible steps to determine and remediate vulnerabilities, beforehand their products and services are released to market, it is not possible to test everything. As a result, still, there is a possibility of finding the vulnerabilities in the online services and technology products either via accidental discover or intentional investigation. When any vulnerabilities are determined, a clear process for discoverers to disclose their findings to the vendors support to resolve problems without exposing severe undue risks.

What Is Vulnerability Disclosure?

It is the way of publishing details about the computer security issues and a kind of policy, which stipulates recommendation for doing so. Vulnerability disclosures can be either organization or person who finds the weakness or an accountable industry body like CERT (Computer Emergency Readiness Team). They may disclose the vulnerabilities, sometimes after informing the vendor and offering time for them to fix the issues before disclosing the details.

The major debate in the vulnerability disclosure is how much of the details to disclose and when to release it.

Key steps involved in vulnerability disclosures are:

vulnerability disclosures

Types Of Vulnerability Disclosure

Vulnerability disclosure can happen in three different types:

  1. Nondisclosure Vulnerability

It means that discoverers find the vulnerabilities, but keep it secret without disclosing it to either vendor or public. This type is hard to quantify.

1. Nondisclosure Vulnerability

  1. Full Disclosure Vulnerability

In this type, the discoverers find the vulnerabilities and make the entire details of those vulnerabilities available to the public with may or may not informing the vendors.

2. Full Disclosure Vulnerability

  1. Coordinate Or Responsible Vulnerability Disclosure

Here the discoverers send the details of the vulnerabilities to the vendors with the motive of helping them to resolve the problem. After building the solution to the issues, the vendor will publish the vulnerability information to the public along with the patch solution to the issues.

Coordinate Or Responsible Vulnerability Disclosure

This type sometimes includes the coordinator as the third party to perform the coordination process.

third party to perform the coordination

New Trends In Vulnerability Disclosure

Industry range vulnerability disclosure is trending up across the whole industry. Now there are plenty of resources available, which offers best practices. For instance, the NTIA (National Telecommunication and Information Administration) is an agency placed under the Commerce department has made a provisional guide called, ‘Guidelines and Practices for Multi-Party Vulnerability’ that makes a sharp, wider understanding of the overlying interests between the vendors and security researchers and stimulate increased collaboration.

In this continuous effort to support proceed this process forward, some new exemptions are issued to the DMCA (Digital Millennium Copyright Act) by the Library of Congress. These exemptions make protections for people to attack their own devices without worrying that the ban on avoiding protections by DMCA.

The act of applying openness and responsiveness in the process of disclosure or vulnerabilities has permitted public to report things, which have had life-modifying consequences.

Other trends in vulnerability disclosure are as follows:

Vulnerability Severity Trends

Not entire vulnerabilities in the software are equal. There is some difference in their severity. Now it is a trend to have the CVSS (Common Vulnerability Scoring System), a standardized scoring system for measuring the Information Technology vulnerabilities. It is a platform independent system. The base metric of CVSS allocates a score ranges from 0 to 10 as per the severity of the vulnerability. Here the higher scores like 9 and above denotes the greater severity.

Vulnerability Access Complexity Trends

Vulnerabilities can also vary as per their complexity level. Some vulnerabilities are effortless to exploit when compared to others. The complexity of vulnerability is an essential factor to focus on finding the magnitude of the issue that a vulnerability result. A high complexity vulnerability can be exploited in rare and certain circumstances might necessitate less attention over the other lower complexity vulnerability, which can be exploited frequently and easily. Here the CVSS is used to assign the complexity ranking such as High, Medium or Low.

Vulnerability Disclosure Program

These programs offer a chance for the organization to enhance cyber security by pattern into the expertise and skills of ethical hackers as well as security researchers. These programs aim to explain the engagement rules by offering restricted authorization of testing the information system of a company.

Reasons For Caution

Properly managing vulnerabilities often offer issues. Public disclosure, especially premature disclosure can shock consumers, notify competitors of vulnerabilities, stimulate government oversight and result in litigation. Furthermore, allow attackers to exploit the vulnerabilities.


Read More

Dynamic Application Security Testing vs Penetration Testing

If you want to drive down your application security risk, you should aware that there is no single solution to use. Rather, it is required to use a combination of security testing method to guarantee entire security vulnerabilities are determined and fixed. In addition, you should choose the testing methods to safeguard your application based on the SDLC phase you cover. Before employing a security testing, it is vital to have a clear understanding of that testing method and how it is different from others. In order to help you in your learning, here we focused on the difference between the dynamic application security testing and the penetration testing.

Dynamic Application Security Testing

Dynamic Application Security Testing commonly known as the DAST or black box testing is the testing process that takes place during the application is in progress and it attempts to pierce the application in various ways to determine potential vulnerabilities.

This testing is carried from the outside observing in. This simple and less expensive testing doesn’t require the bytecode, binaries and source code to proceed the testing. By offering outside in standpoint, the tools of DAST can offer a valuable overview and are perfect to be utilized in the scenario where the application is running and the source code is not obtainable to the tester.

This sort of testing is useful for industry standard compliance as well as typical security defences for evolving projects.

Penetration Testing

The penetration testing commonly known as pentest is one among the effective security testing methods. This testing approach depends on the simulation of security outbreaks against the application. This testing includes the human element. A penetration tester will attempt to impersonate how a hacker might attack the application using their personal security knowledge and the wide range of penetration testing tools. Organizations also outsource the services of application penetration testing to an external agency if they don’t comprise the resources in-house. This testing kind includes the capability to find vulnerabilities, providing a gateway to be possibly exploited by attackers.

Mainly used to detect standard vulnerability classes that can only be determined by manual testing.

A typical penetration testing refers the following elements:

  • Point of access

  • Determination of weakness in the firewalls, ports, routers, and servers

A Quick Look On Dynamic Application Security Testing And Penetration Testing

The following point doesn’t entirely focus on the comparison of these testing. Some points signify their features in their own prospects.

S.No

Dynamic Application Security Testing

Penetration Testing

1

DAST is the testing of the application while it is being progressed to find the security vulnerabilities.

Penetration testing attempts common hacking techniques and exploits on an application with the owner’s permission. The main intention of this testing is to find the security weakness; hence, they can be resolved.

2

This testing checks the application to find the security flaws, which can’t be detected during the development process.

This testing doesn’t evaluate whether the security protections which were placed are effective. On the other hand, it searches for the point where the application system failed to detect and prevent the vulnerability.

3

DAST review an application looking for security weakness to exploit.

Similarly, Pentest reviews an application looking for security weakness to exploit, but it involves actual human to detect the application design, business logic, and compound flaws.

4

The dynamic testing focusses mainly on the runtime features of the application including:

  • Memory

  • Encryption

  • Performance

  • Permission

  • Configuration

  • Back end code injection

A good penetration testing should focus on entire components of the system including:

  • Operating system

  • Hardware

  • Social engineering attempts

5

Determines highly exploitable vulnerabilities like

  • SQL injection

  • Cross-Site Scripting

  • Authentication issues

  • Server Misconfiguration

  • Vulnerabilities, which are visible only to the authenticated user

Capable of detecting some common vulnerabilities include:

  • Privilege Escalation

  • SQL Injection

  • Deprecated protocols

  • Cross-site scripting

6

Benefits Of DAST

  • Can determine security vulnerabilities linked to operational deployment

  • No need to access the code

  • With prospect of industry adoption, it is lower in cost, easier to adopt and more mature

  • Support to find the vulnerabilities existed outside the source code

  • Support to find the vulnerabilities in the 3rd party interfacing

Benefits Of Penetration Testing

  • Increase business continuity

  • Manage the risk effectively

  • Supports to evaluate security investment

  • Offers third party expert suggestion

7

Drawback

  • The tools of this testing are not capable of detaching the precise point of code weakness and finding difficulty in following coding guidelines.

  • Time consuming

Drawback

  • The effectiveness of the test is entirely depending on the access, knowledge, and method of the penetration tester.

  • Time consuming


Read More

Best Practices for Web Application Security Testing

From email to online banking and shopping, companies today are bringing their businesses open to the web browser of the customers every day. This emergence avoiding the requirement for complex update rollouts and installations. Furthermore, companies are involving the internal web applications extensively for marketing automation, finance, and internal communication. While web application provides a wide range of convenience to the customers as well as businesses, their pervasiveness makes them an attractive attack target for hackers. As a result, scanning & testing the web application or web application security testing for risk is important.

What Is Really Happening With The Organization?

The most organization usually make significant investments in the solutions for the network security, such as firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS). Organizations also invest in resources in multiple essential security efforts including, risk assessments, security architectures & policies, pen testing etc. However, they are usually drawn to give low priority or even ignore to thoroughly testing the applications for the security loopholes, before the deployment.

Whilst the network or general level security testing determines the gaps like server patch level, weakness in the 3rd party software, etc., they’re not focused on uncovering application layer security mistakes in the web applications. Organizations require understanding that the vulnerable applications are more likely to be exposed by the hackers. In addition to that, repairing the attack after it happens, can be expensive and can affect the organization’s reputation. Therefore, the organization must mandate the web application security testing without any exceptions prior to deployment and should incorporate security testing into the early stage of the software development lifecycle. The remaining portion of this blog is going to cover the best practices to follow in security testing against the most common attacks.

Buffer Overflow

The buffer overflow happens when the larger data is provided as an input to a program that it be designed to hold.

Best Practices:

  • Track test cases for every input value, where the data types vary from the application type.

  • Negative testing requires being performed to ensure that the application isn’t providing any platform associated details for the malevolent request.

  • Testing the application for the buffer overflow should comprise guaranteeing that any overflow mistakes are determined and mitigated at the early stage of the development process.

  • It is suggested to test the application by submitting different kinds of the Unicode characters.

SQL Injection Attack

This attack happens when an attacker injects the malicious scripts into the SQLs via web forms, to be executed directly against the server database.

Learn More About SQL Injection Attacks

Best Practices:

  • The test cases should also involve the evaluating by inputting special characters in order to confirm that the web application is handling the attack methods & denying the attacker’s access.

  • It is suggested to function with DBAs and developers to determine if the web application requires special system / any built-in database procedures, which can grant the privilege of command execution at OS level. In case the application does not require it, it is suggested to remove such procedures to support, enforce least privilege principle and reduce exposure.

  • Testers should ensure that all the user of the web application possesses the limited privileges, only to execute the essential transactions.

  • In web application security testing, it is encouraging sweeping the application schema tables, particularly the ones with revealing means such as USER, USER_INFO, and USER_PROFILE to guarantee that sensitive details are not readily available.

Cross Site Scripting

This attack involves websites or application, inadvertently comprising malicious HTML scripts or tags in the dynamically created web page depending on the unchecked input from the unreliable sources.

Learn More about CSS

Best Practices:

  • Since the CSS attacks are stimulated by the vulnerabilities in the application & client-side actions, tester should monitor both the server and client sides to reduce the possibilities of this attack.

  • In addition to the input validation, the output requires being validated to ensure that it is correctly HTML encoded.

  • Web applications must thoroughly evaluate all dynamically created output HTML, utilizing inclusion logic, instead of exclusion logic.

  • Discuss with developers and PMs to map out the website and its functionalities

Denial of Service (DoS)

The DoS attack occurs on the web service or website when the attacker overwhelming it with an abundant number of malicious requests to engage whole resources of the network or system in order to drive the service/site unresponsive to the legitimate users.

Best Practices:

  • Applying client session timeouts & releasing related resources is a vital factor in defending against DoS attack. Without proper client timeouts, the website/service can touch its thresholds quicker, as it maintains entire sessions open, holding valuable resources. The testing team should test this thoroughly to confirm client sessions are being timed-out as well as the resources are being unconfined in a timely manner.

  • Testing team should aware of design, the fatigue limits on the resources like CPU, memory, database connections.

  • Testing should comprise simulating burden for the expected amount of maximum simultaneous users, efficiently matching or exceeding the resources restricts to evaluate the behavior of the application in these cases.

  • When errors happen in the web application, testers should verify that application terminates only after finishing entire housekeeping tasks.

  • Testers should evaluate if the web application is ensuring user-level thresholds as opposed global thresholds wherever possible.

  • It is common practice to integrate anti-automation techniques in web applications, to defend DoS attack. Since the attack, almost require automation to succeed.

Improper Error Handling

Improper error handling defines the condition where the error messages of the web application appear too detailed. This condition can make the web application vulnerability to exploit since it allows the hacker to learn more valuable system associated information.

Best Practices:

  • Testers should get the comprehensive list of the error conditions with their detailed output messages. They should use that list as the test entrance criteria.

  • The tester should test the application for all kinds of the error messages, including null pointer exceptions, failed database connections, core dumps etc.

  • The tester should evaluate the applications to ensure that they are flowing a generic error message principle.

  • While performing negative testing, the testers should evaluate entire links in order to ensure they are not revealing harmful system information.

  • The tester should also evaluate to ensure that entire debug messages are eliminated from the web application, before the deployment.

Securing web applications in the organization is not only the responsibilities for tester, but for the developers, architectures, quality assurance team, project management team, and security team. Following above-mentioned best practices for adding solid security testing to the SDLC will provide defense in depth in addition to the secure architecture, network security, secure design, and secure coding practices.


Read More

Software Asset Management

Information Technology is basically modifying the way the business communicates, access, store, transmit and deliver services. Nowadays, the Software Asset Management (SAM) gaining more reputation among the several enterprises as a planned imperative, which facilitates them to gain the highest value from their investments in IT. Moreover, SAM enables organizations to reduce ongoing software related costs, achieve control, and visibility of IT assets, and handle continuous software license compliance. These capabilities have made it as the essential mechanism to optimize the management of enterprise software assets during the software lifecycle.

What is Software Asset Management (SAM)?

SAM is a set of processes or framework, which intentionally monitor and manage the physical, licensing, financial as well as contractual aspects throughout the entire software asset lifecycle.

SAM is about to manage and monitor the following factors:

Software Asset Management

Figure 1: Factors SAM Manage & Control

Why We Need SAM?

As per the recent report of IDC, the complexity of software license will indirectly demand an average of 25 percentage of company’s annual software license budget.

There are some challenges being experienced by the enterprise today, which necessitates the building of SAM. Here are some common challenges, but not limited to:

  • Management of entire Information Technology Assets including upgrades, licenses, software versions, and documentation.

  • More and more client machines like (laptops and PC) and mobile devices linked to insecure networks.

  • Increasing number of virus and security attacks

  • Increasing occurrence of the client security patch issues.

  • Increased usage of open source software and licensed software, which varying in licensing agreements.

  • Most of the licensing agreements need a compulsory periodic independent audit

Benefits of Software Asset Management

SAM includes abundant of benefits to an organization. Most common advantages are

  • Cost Control

  • Greater Security

  • Enhance Governance

  • Decreased Risk

Fundamental Principles Of Software Asset Management

An effective SAM should guarantee that the software is ready to deal with the challenges and can compile with the legal, regulatory, security and IPR supplies of the software or product being used. To develop an effective SAM, it is essential to follow some fundamental principles. Let us have a look on it.

Generic Attributes To Follow

Organizations have been maintaining assets for a long period; however, there are few essential objects which decide good procedures in optimized software asset management from traditional “merely handling the assets”.

The figure shows the six vital adjectives that should be considered as the generic attributes during the assets lifecycle:

Generic Attributes To Follow in sam

Figure 2: Generic attributes

  1. Holistic – SAM should be cross-disciplinary and focus on total value

  2. Sustainable – Plans should offer continues system performance and optimal asset lifecycle

  3. Risk-based – Plans should incorporate risk into entire decision-making

  4. Optimal – Should attempt to find the best comprise among conflicting objectives like performance versus risk versus costs

  5. Systemic – Considering assets in the context of systems and again the total value focused

  6. Systematic – Should be applied in a well-structured management system

  7. Integrated – Finally, a good SAM requires to be everything joined-up. The whole structure should function as a whole.

SAM Implementation

The main principles of SAM are controlling, managing and securing the assets of an organization. SAM should be capable of handling the risk that arises from the accessing of those assets. A vibrant strategy and vision are vital requirements for establishing good SAM. When a company is planning to implement some SAM system, it is essential to follow a cyclic process to guarantee effectiveness.

The lifecycle of SAM includes five basic processes:

SAM Implementation

Figure 3: SAM Cyclic Process

  1. Conduct Inventory

Initial action in the SAM implementation is conducting an inventory of the entire software and hardware available in the organization. A precise inventory will support to establish as well as maintain baseline including:

  • Types of software used in the organization

  • Whether the programs are in recent version

  • Does the organization have any unwanted software, which can be reallocated?

  • Does the organization include licensing shortfall in applications?

  1. Assess Software Usage

Conducting an inventory is actually an initial stage of details gathering that are vital to the software asset implementation. Next, it is essential to consider software usage metering. With this, we can determine the following aspects:

  1. Ensure organization is not purchased any unwanted software. Therefore, we can minimize maintenance costs, plan better for software consumption and re-allocate unused licenses.

  2. Observing whether any unauthorized applications are running, which may introduce viruses, reduce productivity or degrade network functions.

  3. Match And Perform Reconciliation With License Owned

Once the inventory and software metric process are completed, it is time to match the information gathered with the purchasing records to ensure that the company has purchased not very few licenses (that leads to out of compliance) and at the same time not overspent on it.

  1. Review Policies and Procedures

Next, you have to assess whether the existing policies and procedure appropriate enough to support the gathering of this information in a continuing process. Particularly, it is essential to explore the following areas:

  • Software Procurement

  • Software Use

  • License Tracking

Once the evaluation is finished, then document the policies as well as procedures.

  1. Start SAM Ongoing Process

SAM is not a one-time project, it is an ongoing, planned program, which requires being continually assessed as well as modified to satisfy the runtime requirements of an organization. Hence the process should be made as flexible to accept the dynamic changes in a company.

Read More

Application Container Security Guide NIST SP 800 190

Application container or container is the term that refers the OS virtualization technologies. OS virtualization offers a distinct virtualized sight of the Operating System to each application in order to keep each application out-of-the-way from all other entities on the server. Because of the advances in the ease of use as well as the greater focus on the agility of the developer, the OS virtualization now becomes increasingly popular. As like other technologies, the application container also becomes the major target of the security attacks. This article aims to discuss the security concerns related to this technology and useful recommendation for solving those concerns with the reference to the NIST special publication NIST SP 800-190.

Basic Concepts For Application Virtualization And Containers

NIST Definition

niet defination

Application container technologies apply the immutability concept. According to this, the container themselves must be worked as stateless objects, which are deployed but not modified. If a running container requires being upgraded or requires its contents modified, the container is simply destroyed & replaced with the new container, which possesses the updates. This facilitates the support engineers and developers to make & push modifications to the application at a faster pace.

Containers And The Host Operating Systems

When compared to the deployment of the application within the virtual machines, the deployment of the application within the container is effortless. The following figure depicts different deployments:

Containers And The Host Operating Systems

Image source: NIST

Both containers and VMs permits various applications to share the same infrastructure, with different ways of separations. VMs employs a hypervisor, which offers hardware-level isolations of the resources across the VMs. VMs employs a hypervisor, which offers hardware-level separation of the resources across VMs.

With containers, numerous applications share the same operating system kernel instances, but are separated from each other. The operating system kernel is a portion of the host operating system. Two general groups of host OS are available to run the categories. They are:

  • General-purpose OSs- includes container specific functionality and can be used for running numerous sorts of applications. Example: Ubuntu, Red Hat Enterprise Linux, & Windows Server

  • Container-specific OSs- the minimalistic OSs that are explicitly designed to only execute containers. Example: CoreOS Container Linux, Google Container-Optimized OS, and Project Atomic. Often it employs read-only file system to lower the possibilities of a hacker being capable to persist data within it.

Examples of technical competences the container runtime guarantees the host OS delivers include the following:

  • Namespace Isolation – restricts which resources the container can interact with. This comprises interprocess communications, file systems, user information, hostnames, & network interfaces.

  • Resource Allocation – restricts how much of the resources of the host a provided container can consume.

  • Filesystem virtualization - permits various containers to share the same storage without the capability to alter or access the other container storage.

The technical capabilities of the containers vary by the host OS family. The containers are basically a mechanism to offer each application a unique sight of the single OS, hence the tools for accomplishing this isolation are largely dependent on the OS family.

Though the container offers a strong level of separation, they don’t provide as clear & concrete of the security boundary as a virtual machine. This is because the containers share the same OS kernel and can be executed with variable privileges and capabilities of the host, the level of separation between them is less when compared to that in the VM by the hypervisor.

VMs offer several advantages like OS automation, isolation and a wide & deep solutions ecosystem. Enterprises don’t require to make a decision between VMs and containers. Instead, enterprises can continue to employ VMs for deploying, partitioning and managing their hardware, whilst using containers to bundle their application and use each VM more effectively.

Container Technology Architecture

The following image illustrates the five tiers of a container technology architecture.

Container Technology Architecture

Image Source: NIST

  • Tier 1: Developer System – creates images as well as send them for testing & accreditation

  • Tier 2: Testing & Accreditation Systems – validates & verify the image contents, sign image contents and send them to the registry

  • Tier 3: Registries – store images & distribute images to orchestrator based upon request

  • Tier 4: Orchestrators -convert images into the containers & deploy containers to the hosts

  • Tier 5: Hosts – run & stop containers based on the direction of the orchestrator

Container Life Cycle Phase

Since enterprises are typically constructing & deploying several different applications at once, these lifecycle phases frequently happen simultaneously within the same enterprises and shouldn’t be seen as improving stages of maturity.

Image Creation, Testing, And Accreditation

Here the components of the application are build & placed into the image. An image is nothing but a package, which includes entire files needed to run the container. The process of image creation is handled by the developers who are responsible for packaging the application for handoff to the testing. This process typically utilizes build management & automation tools to support the continuous integration process. These tools take the multiple binaries, libraries & other components of the application to conduct testing.

After the image creation process, enterprises typically conduct testing & accreditation. The consistency of creating, testing and accreditation is the main key security and operational advantages of containers.

Image Storage And Retrieval

Images are generally stored in the vital locations to make it simple to control, find, share & reuse them across hosts. The services, which allow developers to simply store images as they’re created, tag & catalog images for the identification & version control to support in discovery as well as reuse images, which others have created is known as registries. Once the images are stored in the registry, it can be simply pulled & run by the DevOps identities across any environment.

Container Deployment And Management

Tools called as orchestrators facilitate DevOps roles or automation working to pull images from the registries, deploy the images into the containers & handle the running containers. When an image gets deployed into the container, a copy of it instead of modifying the image itself is placed within the container & transitioned to a running instance of the application. Container management comprises security management as well as monitoring.

Container Uses

Organizations can experience some multiple valuable benefits for containers. Examples of the container uses are:

  • In Agile development, applications are frequently updated & deployed. The declarative and portability nature of the containers makes these often updates more efficient & easier to test.

  • In Environmental consistency & compartmentalization, developers can possess identical separate environments to build, test and run the application. Containers provide developers the capability to execute the exact copy of the production application locally on the development laptop system, restricting the requirement for sharing and coordination of testing environments and removing the annoyance of decayed testing environments.

  • In Cloud-native applications, developers can build for the microservices architecture from the starting, guaranteeing more effective iteration of the application as well as simplified deployment.

Major Risks For Core Components Of Container Technologies

Risks involved in the core components of the container technologies are:

  • Image vulnerabilities

  • Image configuration defects

  • Embedded malware

  • Embedded clear text secrets

  • Use of untrusted images

  • Insecure connections to registries

  • Stale images in registries

  • Insufficient authentication and authorization restrictions

  • Unbounded administrative access

  • Unauthorized access

  • Poorly separated inter-container network traffic

  • Mixing of workload sensitivity levels

  • Orchestrator node trust

  • Vulnerabilities within the runtime software

  • Unbounded network access from containers

  • Insecure container runtime configurations

  • App vulnerabilities

  • Rogue containers

  • Large attack surface

  • Shared kernel

  • Host OS component vulnerabilities

  • Improper user access rights

  • Host OS file system tampering

A detailed description and countermeasures to these risks are explained in the blog, “NIST SP 800-190 - Major Risks For Core Components Of Container Technologies And Their Countermeasures

Container Technology Life Cycle Security Considerations

To ensure a container environment security, it is important to plan sensibly before installing, configuring as well as deploying container technologies. It is also critical to ensure that the container environment in compliance with the associated enterprise policies, regulations & other needs.

Initiation Phase

Enterprises should think how other policies should be affected by the containers & modify these policies as required to yield containers into attention. There is a chance for the disturbance in the available software and culture development methodologies in the enterprise while introducing container technologies. To enjoy the entire benefits of the container assistances, the processes of the organization should be modified to support this new kind of developing, implementing and supporting applications.

Planning And Design Phase

Forensic is the major consideration in the planning & design phase. The immutable feature of images & containers can actually enhance the forensic abilities; since the demarcation between the action of the image and the actual occurrence of the incident is clearer. Containers are connected with each other by utilizing overlay networks that can often use encryption and encapsulation to allow the traffic to be directed over available networks securely. Memory and process activity in the container is analogous to that which would be detected by conventional application, but with distinct parent processes.

Implementation Phase

After designing the container technology, the proceeding phase is to implement & test the design prototype before tapping the solution into the production. Keep in mind that the container technologies don’t provide the sorts of introspection abilities, which VM technologies do. Connectivity & networking, authentication, management, app functionality, performance & the security are some factors of virtual technologies, which should be evaluated prior to production deployment. Once the evaluation of the prototype has been finished and the container is ready for the usage, the container should primarily be used for a few applications. Issues that happen are possible to affect the various application; hence, it is useful to determine these issues early on; hence, they can be considered before further deployment.

Operations And Maintenance Phase

Operational processes, which are certainly essential for maintaining the container technologies security measures should be conducted regularly. Some example ongoing operational tasks are updating images, distributing updated images to the container, performing vulnerability management and updates of supporting layers. In case any security incidents happen within the containerized environment, the enterprise should be prepared to react with tools and processes, which are optimized for the unique factors of containers.

Disposition Phase

The competency for the containers to deploy and destroy automatically according to the requirements of the application permits highly effective systems. However, it can also present some challenges for forensic, records retention and event data needs. An enterprise should ensure that suitable mechanisms are used to meet their data retention policies.

Examples of problems that need to be addressed are given below:

  • How images & containers must be destroyed

  • What data need to be extracted from the container

  • How that data extraction need to be performed

Data stores & media, which assist the containerized environment must be added in any sorts of disposal plans created by the enterprise.

On the whole, the container refers a transformational alteration in the way the applications are built & run. Enterprises that direct the above-mentioned recommendation can begin to influence containers to actually enhance their entire security.


Read More

How To Adapt To The New Age Of Testing And Development

At this new age, there is no surprise of having several pieces of software working on the single device. This situation leads the requirement of more and keener study and testing to guarantee that the whole device or system functions properly. Because new add-ons to a system or device always include the potential to raise more issues and the system-wide implementation and installation of more software in a single device doesn’t have any exception in this case. Hence, the importance of testing needs to be well acknowledged and recognized. However, just keep in mind, what to test, how to test and when to test; has evolved over the time as like the progressive route of software development.

In this digital world, testing in real time is a 40 percent gray box, 30 percent black box and 30 percent white box model with software development engineer in testing who are now involved to build virtualizations, stubs, performance engineering, automation, test environment management, cloud QA, infrastructure QA, Operation readiness and many more. Here we are going to discuss how to adapt to the new age of testing and development.

Let us begin with the summary of explanation of Melissa Benua, a senior backend software engineer at PlayFab and a senior technical lead at mParticle in an interview. As per her statement, the technology and process have improved over the time, the agile takes a big part of it. With the evolving of plenty of tools, the monitoring and deploying of the software becomes quicker and easier. Now it is possible to roll back a piece of code if anything went wrong very quickly with low cost. Testing has walked on a high progressive path from the manual testing or patching that takes more time and demands more cost. However, with the new age of testing, we can have done testing parallel to the development as in an agile process.

There is no surprise that speed becomes the major focus on the software development. Most organizations are thinking that making the developers to write the test code and make it run automatically can influence more in testing the software. Though it looks fine, there is a lot of things involved in good testing to ensure the security and quality of the product. Developers alone not only enough to cover the whole areas, it is essential to include the successful testers who aware about the unit testing, security testing, or integration testing and its benefits.

What she stated in her keynote is, having each stage includes its own quality bar and then comprising each stage includes its own failure path, whether that is if the system fails it is important to email the developer who verified in bad code. Or in case the deployment fails, roll back the built automatically. Or in case there are blue-green deployments, ensure that the code does not really ever go live.

Evolution In The Testing

Melissa Benua had a walk through on the evolution of the testing from manual testing. Getting an idea of what changes were made in the testing and where we are standing now would help to aware how to adapt to the new age of testing and development. The first thing, it is essential to understand that manual testing is dead in this new age, if it is not dead, it is used only in small parts of the organization. Recently the majority of the organization adopts automation techniques as the best approach to speed release cycles, rapidly evolve code and quickly test fixes to catch defects as well not delay deployment. The following graph shows what kind of tools used for testing in the current trends:

types of testing

img source: info.saucelabs

As depicted in the graph, most of the development team has adopted some range of test automation. QEA, TCOE, QMO, AS, TES, QAE, IV&V etc., are various terminologies that were used in the past within several industries including services, commercial and federal businesses. The current IT industry is moving towards the Digital, Agile and DevOps ways, the testing approach requires something different apart from the black-box testing. Now SDET (Software Development Engineer in Test) is gaining more popularity. They involve writing code that tests the software. The graph shows different points in the development cycle where the test codes are written:

written test

Img source: info.saucelabs

As per the details on the graph, the old method of writing code after the development lifecycle is longer followed.

New Skills To Adopt New Age Of Testing And Development

The modern digital industry is searching the expert who possesses a quality engineering background, packed with the skills sets like automation, programming, awareness on how to process build management, handling environment, generating scripts, etc. Because the tools, which were being used in the software QA industry have been transformed drastically from the old to advanced tools, which has features to offer continuous Delivery (CD) and Continuous Integration (CI). The professionals need to equip with experience in technology and strong domain expertise.

In addition, since the testing is occurring in parallel with the development, testers need to have new skills to adapt to keep up. As like the importance of developers need to learn about testing, the testers definitely require enhancing a wide range of skills including test education. In addition to technical as well as technological awareness, individuals should be likely to implement their knowledge under different demanding contexts. For implementing this effectively, the professional should understand their exact role that would usually endure changing with the evolving technologies. They should also aware how to use their knowledge under various contexts.

To acquire and master in testing key skills, it is recommended to practice tests and have the habit of learning lessons from the observation and experiments. Be open minded and continue learning. In addition to the old skills like functional testing, communication skills, web technologies, etc., there are some new skills need to focus on to adopt new age of testing and development. For example, IOT testing, testing in the cloud and big data testing.


Read More

Web Application Security Practices For Employee Awareness Program

Are you running a company? Well, you should aware that only certain employees within your company comprise a decent understanding of the web application security importance and how it works. The majority of employees have only the basic grasp of the problem, and this can leave them careless. This is a problematic situation since uneducated employees fail to notice the security risks. By educating the employees of your organization, you can make them readily identify vulnerabilities themselves. By making everyone aware what to do if they identify a vulnerability and what not to do if they are victimized, can strengthen the entire web application security process of the organization.

With this in mind, here we listed some important web application security practices to use in your employee training and awareness program.

Application with Least Privileges

Make the employee aware of how to run the web applications with least privileges in addition to educating them regarding its importance. Every web application includes certain privileges on local and remote computers. It is always recommended to use least privilege settings for the application. If any unauthorized person attempts to access the application with incorrect privileges, they can’t able to succeed their attempt. Some guidelines to run the application with least privileges are:

  • Don’t allow the employees to run application with administrator identity

  • Set access control list on entire resources needed for the applications

  • Make them keep the files for the web application in a folder under the application root

  • Ask your employees to avoid allowing the end users to access the root of the server

Prioritize Vulnerabilities

When it comes to testing the set of web applications, it is important to decide which ones are worth to concentrate and which are not too worrisome. The important thing to notice here is that most of the applications include several vulnerabilities. Therefore, employees must be trained to aware which vulnerabilities concentrate on. Train them to research and analyse the application-specific vulnerabilities.

Protect Against Malicious Input

Employees should understand that the input they receive from the users is not always safe. There are a lot of chances for malicious users to submit potentially harmful information to your application. Make your employees follow these guidelines to protect against malicious input:

  • Filter the input from users for HTML tags that might include a script

  • Never display unfiltered user input

  • Avoid storing of unfiltered user input in your database

  • For filtering, it is better to explicitly define the type of inputs you will accept. Avoid filtering out the malicious input because it is hard to anticipate entire possible malicious input

  • Never believe that all details you receive through the HTTP request header are safe. Try to use protections for the query string, cookies, and others

  • Try to avoid keeping the sensitive details in a place easily accessible using the browser like cookies and hidden fields.

Use Cookies Securely

Another important area that organization needs to concentrate when addressing web application security training for the employees is the secure use of cookies. Cookies allow users to be recollected by sites, which they visit. Hence that future visits become faster and personalized. There are lots of possibilities for the cookies to be manipulated by the attackers to achieve access to restricted areas. Recommend the following guidelines for your employees to defend the cookies:

  • Don’t store critical or highly sensitive information on the cookies

  • Try to be conventional when fixing expiration dates for the cookies

  • Encrypt the details that are going to be stored in the cookies

Safe Error Messages

If employees aren’t careful, an attacker or a malicious user can capture essential information about the application using the error messages it shows. Teach them the following guideline:

  • Avoid creating an error message, which displays something that might useful to attackers, like user name

  • Configure web application not to display detailed errors to the end users

  • Introduce a custom error configuration element that allows controlling who can access exceptions

  • Make custom error handling method for situations that results in error

Secure Sensitive Information

Employees should determine the sensitive details that require maintaining private. For example, an encryption key or password. Educate them with these guidelines:

  • Consider the SSL (Secure Socket Layer) while application is involved in the transmission of sensitive information between the server and the browser

  • Employ protected configuration in order to secure vital information in the config files like Machine.config or Web.config

  • Don’t keep the sensitive information in the human readable form

  • Use strong encryption algorithms

Protect Against DoS Threats

Allow your employees to aware the different ways, including Denial-of-Service that malicious users used to compromise the application. Make them follow these guidelines:

  • Employ error handling

  • Check the input size limits before storing or using it

  • Put size protection mechanisms on database queries

  • Set the size limit on the file uploads

Web application security practices are not limited to above details; however, this blog comes as an excellent starting point to support the organization execute a proper awareness program, and provide knowledge that enhances the security behavior inside the organization.


Read More

10 Malware Prevention Tips

Almost all the users who are actively using computers, internet and smartphones, will come encounter some kind of malware, adware or spyware on their systems at some point. It is common to fall in-trap of these harmful programs and the victim numbers are increasing exponentially. However, still, there are several numbers of computer users who are not paying attention to these threats. It is essential to make some good computing habits to prevent the malware attacks. Undoubtedly bad habits will ruin your system and crush its speed to a quit.

The article is about to present 10 useful tips to prevent your computer, application and any other devices from being exposed to harmful malware programs. A quick look at the tips are as follows:

  • Understand how malware functions.
  • Use a firewall, anti-virus, Wi-Fi filtering, anti-malware and anti-exploit technology.
  • Be a smart online performer.
  • Use complex passwords.
  • Restrict user privileges.
  • Secure your network.
  • Restrict the Auto-Run features.
  • Update your browser, operating system, and plugins.
  • Keep your private details safe.
  • Encourage the habit of keeping Backups.

Let us have a brief discussion on tips to avoid malware infections.

1. Understand How Malware Functions

In recent times, malware programmers finding new ways that are hard to predict to spread their harmful programs. Hence, it is essential to be aware of the basic minutiae of the malware in order to be protected from being prone to these attacks.

Malware is nothing but a program, which is specially designed to disable or even damage the targeted system. The main reason for creating this program is to attain the access to the victims’ system without their knowledge about the unauthorized entry. The victims come to aware about the infection only when their system begins unwanted actions, including slow operation and an increase in a number of advertisements that appear.

Malware can have many shapes including keyloggers, spyware, viruses or worms. However, their most common aim is to mess with the system OS and obtain information access that can lead to worst cases like identity theft, information disclosure, etc.

Usually, it gets downloaded with the other program without the intention of the users, then it embeds with the operating system of the computers. It can also spread through unprotected external devices. They can also conquer the target with the possible ways like website, emails, pirated software, social engineering, and passwords. Experts also advised keeping your knowledge update with the latest security news in order to be capable of protecting from unpredicted attacks.

2. Use A Firewall, Anti-Virus, Wi-Fi Filtering, Anti-Malware and Anti-Exploit Technology

The firewall and anti-virus are used as the tools to detect as well as block the untrusted programs and entries in order to prevent from malware infections. In addition to the traditional firewall, it is possible to find the next generation firewall, which combines the functionality of network filtering devices with the traditional firewall device. It is also essential to have the web as well as web-filtering solutions for filtering the internet in order to avoid drive-by downloads of malware programs. Meanwhile, anti-exploit, anti-virus as well as anti-malware software can prevent the unexpected attacks from the unknown agents. Thus, these programs are considered as the shielding programs against the exploit attacks.

In case your email program is inadequate for filtering frauds from your mailbox, then it is suggested to use an extra spam filtering software.

3. Be a Smart Online Performer

Behaving smart while functioning online can be the ideal way to avoid malware infections on your computer. There is no need of special training or expert’s advice to behave smart online, but it is required to be vigilance in order to prevent downloading as well as installing any apps or programs that you don’t trust or required. It is enough to remember the following tips while using the internet:

  • In case you are unsure about a site, leave the site without any second option.

  • Research about the software and its review, when you are going to install it. In case you are not ok with the software after research, then avoid it.

  • Don’t trust the spam email. Avoid email with attachments or links from the unknown sender.

  • It is common to find the pop-up windows that corner you to download a particular software or perform a virus scan. Often, these popups include harmful malware, so don’t open those pop-ups, just close them without clicking anywhere inside it. It is advisable to use the windows task manager to close those windows instead of clicking the X in the popups.

  • It is also possible to get installed with malware during the process of installing some software. Hence, it is essential to pay close attention to the message boxes that arise during the installing process before clicking OK, Next or I Agree. Carefully read the user agreement to ensure that there are no details of malware as a part of running installation.

  • Stay stable without any action when you come across a file with the name of the malware after the famous album, movie or program. Be aware that attackers might be looking for chance by stimulating your temptation.

4. Use Complex Passwords

If you want to avoid password disclosure, then you should use a long password without having any association with your personnel details, change it often, not repeat it for various login and not reveal or write it anywhere. In case, you are ready to remember 5, 462 different passwords, then you can use the password manager that gathers, remembers as well as encrypts the passwords. An ideal way for setting complex password includes using special characters and numbers with uppercase and lowercase alphabets. This unusual character can make your password trickier to guess and can prevent your accounts from hacker attempts.

5. Restrict User Privileges

Most of the malware threats need to have full access rights to the system to function properly. In the recent versions of Windows like 10, 8.1, 7 and Vista includes the User Account Control privilege to restrict the certain action without the user permissions. With this control, the user will be indicated if any application or software attempts to perform any modification to the computer. This kind of restrictions can support to aware about the installation attempt of the unwanted and malware programs.

6. Secure Your Network

Here are the tips for how to use secure network:

  • Avoid using of open Wi-Fi connection. Most of the computers use the Wi-Fi connection to connect to the files, printers and the internet.

  • It is advised to make sure that you are using the Wi-Fi connection that is protected with a strong password.

  • Start to use WPA2 or WPA encryption instead of using open Wi-Fi connection.

  • It is also best to avoid broadcasting your Wi-Fi network name (i.e., SSID).

  • Have the habit of entering your SSID and password manually.

  • Allow your guest to access your Internet with guest SSID and the guest password in case they are evil hackers.

  • Avoid peer to peer connection. Though they are the traditional method for transferring files from one computer to another, they might be plagued with malware and spyware.

7. Restrict the Autorun Features

The malware program usually attaches themselves with connecting devices and drives (such as external hard disk and USBs) and waiting to gain access to the system in which the media is connected. Hence, using such devices to your system propagates the malicious software automatically. In order to avoid such a situation, it is ideal to disable the autorun feature of your operating system. This ensures that no installation would happen without manual approval.

8. Update Your Browser, Operating System and Plugins

The experts are continuously tracking the security issues and enhancing their products against the security vulnerabilities identified. They release their enhanced versions in the form of updates. Hence, if you find any update is available for your operating system, browser, and plugins from the legal source, don’t let it a delay. Keeping these things up-to-day will influence a lot in keeping the system secure against the malware. Update your browser to enjoy the benefits of download screening, pop-up blocking, and automatic upgrade features.

9. Keep Your Private Details Safe

With the increased usage of social media and internet, maintaining of personal details secret has become the trickiest task. In addition to the brute force method, attackers are now well-versed in accessing the victim’s file through the social engineering. Since the evasion in technology aids them to effortlessly gain the enough details of the target via their online accounts. Now they can able to gain details that are even enough for accessing your bank process together with identity stealing.

Useful tips to keep the personal details safe are as follows:

  • Try to be cautious about using social media and message boards

  • Lock down your privacy settings

  • Keep your personal details private

  • Don’t use real identity or name on discussion boards

10. Encourage the Habit Of Keeping Backups

You might be wondering, how the backup helps to prevent malware infection? Well, it is a vital action to consider, though it could influence nothing in the avoiding malware infection. When it comes to preventing tricks on avoiding the risk of malware, it is an important process that can support to recover your computer, in case it is infected with malware. If you want to prevent your data from being infected or corrupted due to unexpected malware attack, then keep the habit of taking backups of your vital data on a regular basis. Opening the system in a safe mode is the most common way that is in practice in order to recover from malware infections. With the data backups, you can able to stand with minimum loss due to the virus infection.


Read More

Advantages of Outsourcing IT Security Functions

IT organizations are facing a more and more varied and progressive number of threats, and there are in need to respond to that threat. On the other hand, organizations are meeting the challenge of increasing customers and marketplace demands with limited resources. Because of these issues, many have decided to use outsourcing as their organizational strategies. IT security outsourcing is defined as the contracting out of Information security services or functions that have previously been controlled by the organization’s staff to the trusted third party.

The practice of outsourcing IT security has been growing steadily in recent years. The IT outsourcing statistics 2016/2017, a recent study states that the majority of the organization surveyed were planning to outsource the IT security.

As shown above, the IT security service includes the highest percent of the amount of work being outsourced.

So, which services or functions of the cyber security to outsource? Well, let us explore this in detail. With the reference to the recent survey conducted by CIO/CSO/Computerworld with the 287 US-based IT & business professionals, the below graph depicts the percentage of computer security services being outsourced:

whats being outsoursed

IT Security Functions To Be Outsourced:

Perhaps organization should outsource IT security services like:

Monitoring Security Center

If an organization lacks the resources to build a team for monitoring the cyber security in real-time, it can outsource the monitoring functions. They can offer the required protection without including massive budgetary bandwidth.

Handling Incident Response

The effective incident response is vital to make the cyber security measures meaningful. If an organization is the lack of an effective incident response plan, that will lead them to increased damages and severely lose after an incident. By outsourcing the incident response plan, the organization is backing up its defenses with the knowledge of a tried & true professional. A managed security service provider can offer insight into a response plan, which you have never been measured.

Training The Employees

Undoubtedly, training to the employees in terms of security should be outsourced to the professionals because this service compulsorily requires the support of specialized individuals. For training the team with latest security trends requires the updated knowledge of the latest threats. Outsourcing the training to the other organization can support to keep the employees to aware the brilliant ways of approaching the security issues.

Network Penetration Testing

Whether external or internal, network penetration testing is an ideal practice in terms of security measure. In most cases, it inclines to be a customer contractile agreement requirement and compliance framework. Outsourcing this testing to the external testers will add benefits of testing in the outsider perspective.

Third-party Assessments

As like the penetration testing, numerous common compliance & contractual requirements frequently requires the 3rd party assessment. Outsourcing 3rd party assessments can be an ideal way to offer the security team of the organization with more time to concentrate on essential things and regular duties.

Why Outsource Security Functions?

There are several reasons that encourage the organizations to outsource the security functions. Some of them are listed below:

Cost Effective

The main objective of outsourcing the service is finance – an organization can receive the security expertise it requires in a cost effective way by allowing someone else to offer it. For example, consider the monitoring service. The main key involved in the security monitoring is attentiveness: attacks can occur at any time. Allowing internal staff for the security monitoring requires at least five full-time employees to work for 24/7. It would be difficult for the organization to find the person with such specialized skills and budget for those people. Furthermore, it is hard to retain them. Outsourcing remains as the cost-effective way to meet the requirements of the organizations.

Advanced Technology & Skill Sets

The MSSP (Managed Security Service Provider) is well-known for their technical knowledge and skill sets in offering security services to a broad-range of businesses. Their team normally includes the best infrastructures and professionals on hand to provide best in class service as per the requirements of their client organizations.

Flexibility

The outsource vendors are flexible enough to adapt to any business environment and their security function can respond rapidly to changing and increasing demands. In addition, they can able to tap a wide range of skills, resources, and capacities. However, the internal staff may include the limited capabilities.

Improved Satisfaction

There is almost a guaranteed satisfaction from the outsourced security vendors when compared to handling by in-house staff. Because, there is a contract, which will lay out the exact things that the outsourced organization must offer in order to continue the business. This would allow the organization to keep the focus on their main business goals and letting the outsourced organization worry about satisfying security demands.

On the whole, while forming a cyber security team, outsourcing some of the cyber security functions can support to handle every issue without massive budgets when it comes to managing cyber security responsibilities.

Read More

Avoid 10 Worst Practices In Software Testing

Testing is performed to ensure the quality of the deliverables to the user. However, the most companies not treating testing as the part of their project. As a result, probably less effort into the software testing than other parts of the project. It is essential to aware that underestimating the testing may lead to face several consequences. Particularly, putting less effort on testing than one should do, will result in severe mistakes in the future. This blog walks through some worst practices in software testing that needs to be avoided.

Worst Practices In Software Testing

  1. Not Having Professional/Experienced Tester To Manage To Test

Still, it is possible to come across the organization where business analysts or developers do testing. Allowing developers to handle testing might increase the chance of missing the semantic/syntactic bugs detections. Testing software in all possible views requires the professional perspective of testers. Developers sometimes rush this phase to meet the project deadlines, which would result in bad code.

  1. Insufficient Time For Testing

In most organizations, the testing phase to rush to balance any delays from the upstream stages. The upstream phases like the design or implementation stages of the SDLC cause pressure, resulting in software with poor quality, to reach the “time-to-market” goal. They underestimate the consequence of compromising testing for a business reason.

  1. Not Determining The Root Cause

Testers not analyzing the bugs or defects determined in the testing to find the root cause. RCA (Root Cause Analysis) supports to minimize the defects in succeeding releases. Determining defect’s root cause can enhance the competency to fix it that guarantees other related bugs don’t arise due to that certain root cause.

  1. Improper Mindset

Team mindset also influences to the certain extent in the performance of the testing. Software testing is the job that needs designated person to be very meticulous. If the organization fails to create a bug-conscious culture by offering the adequate resources, knowledge, and tools, it will affect the mindset of the testers resulting less concentration on their dedicated work. This scenario will lead more bugs that will slip via the cracks.

  1. Overlooking Unimportant Bugs

Just because a bug looks insignificant when it was discovered does not denote it must be dismissed quickly. It might potentially root to a larger problem, or may even be connected to another issue. Each and every bug found need further investigation regardless of big or small.

  1. Poor Bug Reporting

The job of testers involves more than testing functions. In addition to finding bugs as well as designing flaws, reporting those finds is an important work for the testers. Most of the bug reports are poor in quality. The bug reports are not supporting the developers and lacking essential information like a description for the priority of the bug, what went wrong and more.

At least a bug report should include the following details:

  • Who did the test

  • Date of tests

  • Test Result

  • Main data points applied in the testing

  1. Failure To Find High-Risk Areas

Undoubtedly, there will be areas that are riskier than other areas of the software. Those parts will need extra attention. Failing to determine high-risk areas will route to a myriad of wasted testing time. This will result in efforts misplaced and applied in areas, which don’t demand such scrutiny.

  1. Following A Blindfolded Approach

Some testers don’t do any planning and begin testing blindly. They are not understanding and even knowing what other testers are doing and what they are focusing on. This results lack awareness on the scenarios as well as the features they were missed out.

  1. Not Prepared With Required Tools Before Testing

Before beginning testing, testers do not check for the appropriate technologies and tools to mitigate bugs clearer and quicker. They are not checking the tools for taking screenshots, getting the logs, recording your screen, and add-ons for recording additional details to insert to the bug reports. This will increase the likelihoods of the bugs remains undetected.

  1. Not Examining The Requirements Thoroughly

The most costly and biggest mistake that testers do is not reading or analyzing the requirements. Failed to spend at least 5 minutes to read and understand the information and client requirements that would be helpful for testing, makes them spend more time on categorizing or prioritizing the threats. For example, after spending 30 to 60 minutes in the testing as well as logging bugs, they would mark certain bugs as out of scope or invalid. This is because they didn’t examine the requirements clearly or didn’t understand the exact requirement clearly.

Thorough testing is important for software quality assurance. Avoiding the worst practices in the software testing can produce high-end software. Hope, the above details provided you clues on the practices that need to be corrected.


Read More

An Insight On GDPR

For several years, enterprises feared bright a light on the data they processed as well as collected because of the risk of security breaches. With the progress of data insecurity, together with enhancing regulator demands for protection, organizations are experiencing a greater urgency to protect their sensitive data.

At present, the growing drumbeat of disastrous breaches, united with new compliance regulations like GDPR, is modifying the flow for several companies. The GDPR is an element of the Digital Single Market priority of the European Commissions that is aimed at shifting from twenty-eight markets to the one single market, which is intended for the digital age. This regulation modernizes as well as harmonized the framework for the data protection and removes the nuanced implementation strategies, which flourished under the earlier directive.

However, most of the organization is prepared to meet this new privacy regulation. Organizations, which fail to meet GDPR compliance before the time limit will be subject to firm fines and penalties. Which is why we are presenting this blog. The blog will speak about the effects of GDPR on the industry when it comes to security.

GDPR: An Introduction

The GDPR stands for General Data Protection Regulation. It is the EU (European Union’s) recent attempt to guarantee that it can handle the data protection for entire individuals across the Europe. European Parliament has adopted this regulation on 14th April 2016, but it will be enforced on May 25, 2018. It brings most essential privacy change from the previous directories. It is mainly planned to address societal and technological changes, which have happened over the last twenty years by accepting a technology-neutral strategy for regulation.

Any entity, which monitoring or targeting European citizens will require to comply with this new regulation. GDPR provides regulators the unparalleled power to enforce penalties, demanding broad-range privacy changes across companies, including US companies in case they perform business in Europe. GDPR not only meant for enforcing fines and penalties, but also represent a wide range opportunity to:

  • Harness the data value

  • Transform privacy approach

  • Guarantee your organization is competent enough for the tomorrow’s digital economy

The following figure provides an outline of GDPR program implantation areas:

gdpr Program

What Are The Effects Of GDPR On The Industry When It Comes To Security?

Any enterprise, which works with the information associating to the European citizen will need to comply with the GDPR needs, creating it the 1st global data protection law. Most business experts believe that this factor alone will contribute meaningfully to entire organizations around the world, including those who are taking the privacy of the data more seriously. Let us focus on some of the impacts of the GDPR on the industry:

  • Widens The Personnel Data Definition

GDPR widens the personal data by bringing new sorts of personal data under the regulation. GDPR includes 99 articles, among them the article 17 possess impact on the personal data. Article 17 speaks of “right to erasure” or “right to be forgotten”. This means any individual can request the data controller to erase their personal data (such as records, files, replicated copies and backup copies) without any delay and without any cost for making the request.

  • Tightens The Rules For Gaining Valid Consent

It is likely to have a big challenge in the ability to show valid consent for applying personal information due to the enforcement of GDPR. Require companies to ensure they employ simple language when requesting for consent to gather personal data, they require to be clear and concise about how they are going to use the details and they require to understand that inactivity or silence no longer constitute consent. According to GDPR, the companies collecting the personal data required to be competent enough to prove affirmative and clear consent to process the data.

  • Fines Motivate Security Upgrades

Substantial fines are the biggest enticement with the GDPR. The organizations are subject to fines of up to 2% of turnover or €10m in case they failed to implement adequate security controls. For serious security breaches, the organizations even require paying fines up to 4 % of annual turnover or €20m, whichever is greater. Organizations require abandoning what has missed before and go back to initial principles to determine an adequate security approach.

  • Mandatory Appointment Of A DPO

Any companies that depend on the personal information processing will require appointing a DPO (Data Protection Officer), who will act as an extension of the authority of data protection to guarantee personal data activities, processes, & systems adapt to the law. Because, with the technology of today, there are several companies with fewer than ten employees, which process the personal data of numerous people and possess a greater risk than several larger companies.

  • Announces A Common Data Breach Notification Requirement

The GDPR regularise the various laws of data breach notification in the EU and is aimed at guaranteeing companies continuously monitor for breaches. The GDPR requires the organizations to inform the details about their data breach to their local data protection authority within 72 hours of finding it. This means, companies require to guarantee they possess the processes and technologies in place, which will facilitate them to detect as well as respond to a breach. For several enterprises, this may need training and also need to make an alteration to their data security policies.

  • Expands Liability Beyond Data Controllers

According to earlier directives, only the data controllers were responsible for the activities that involve data processing. However, GDPR extends the liability to entire organizations, which touch personal data. It also covers any companies, which provides data processing services to the data controller that means that even companies, which are purely service providers, which function with personal data will require complying with the rules and regulations like data minimisation.

Conclusion

Business requires responding now to confirm they’re prepared for the new regulations. The best solution is to train their employees or employ competent information security professionals to perform the essential changes to compliance.

Read More

Major Risks For Core Components Of Container Technologies And Their Countermeasures NIST SP 800 190

In order to use the container technologies safely, everyone needs to aware of the major security risks involved in that technology and countermeasures to address them. Here in this article, we are going to present the risk of the core components of the container technologies and their countermeasures with the reference to the NIST Special Publication 800-190. The following figure illustrates the core components and the risk involved in them:

core components and the risk involved in container technologies

Image Risks

  • Image vulnerabilities

As images are static archive files, which include entire components to run a given application, the components within the image sometimes missing critical security updates. Therefore, the common risk involved in the containerized settings is deployed containers possessing vulnerabilities; since the image version used to create the container includes vulnerabilities.

Countermeasures:

The organization needs to use management tools designed especially for container technologies because these tools use the pipeline-based build approach & immutable feature of containers as well as images to offer more reliable and actionable results.

  • Image Configuration Defects

The images also include configuring defects that can expose the system to attack, though it is fully up-to-date.

Countermeasures:

The organization must adopt tools & processes to evaluate as well as enforce compliance with best practices for secure configuration. In addition, the container should be executed in an immutable way to derive the security benefits.

  • Embedded Malware

Since images are a collection of files that are packaged together, there is a possibility to include malicious files intentionally or unintentionally within them. An example source of the embedded malware is the utilization of base layer & other images presented by 3rd parties of which the entire provenance isn’t aware.

Countermeasures:

Organizations must continuously oversee entire images to determine the embedded malware. The processes of overseeing should comprise the utilization of malware signature sets & behavioral detection heuristics.

  • Embedded Clear Text Secrets

Several applications need secrets to facilitate secure communication among the components. When an application is packaged into the image, it is possible to embed these secrets directly into the image file. Though, this approach leads a security risk since anyone who has access to the image can effortlessly describe it to aware these secrets.

Countermeasures:

Secrets must be stored external to the images and presented dynamically only at runtime as required. The organization can also integrate the container deployments with the available enterprise secret management systems, which are already in place for keeping secrets in the non-container environments.

  • Use Of Untrusted Images

The ease of use and portability of the containers enhances the temptation of the professionals to run images from the external sources, which mightn’t be trustworthy or validated. These actions result in the risks like introducing malware, including vulnerable components or leaking data.

Countermeasures:

The organization must maintain the set of trusted registries and images and guarantee that only the images from that set are permitted to execute in their container environment, thus addressing the risk of malicious or untrusted components being deployed.

Registry Risks

  • Insecure Connections To Registries

In case the connections to the registries are conducted over an insecure channel, then the image contents are vulnerable to the confidentiality risks, man-in-the-middle attacks, credentials thefts, etc.

Countermeasures:

Organizations must set their development tools, container runtime, and orchestrators to the only association to registries over the encrypted channels. This approach will ensure that entire data pushed to & pulled from the registry happens between trusted endpoints & is encrypted in the transit.

  • Stale Images In Registries

Since registries are the source location for entire images that organization deploys, there is a possibility to store images with vulnerabilities and out-of-date versions over the time. This risk can enhance the possibility of accidental deployment of the known-vulnerable version.

Countermeasures:

Two methods:

  1. The organization can clip registries of vulnerable, unsafe images, which should no longer be employed. This approach can be implemented based on the time triggers & label related with images.

  2. Operational practices must highlight accessing images by using immutable names, which mention discrete image versions to be used.

  • Insufficient Authentication And Authorization Restrictions

Since registries sometimes include images used to execute proprietary or sensitive applications and to contact sensitive data, the insufficient authentication and authorization restrictions can route to intellectual property loss & expose significant technical details.

Countermeasures:

All access to the registries, which include sensitive images should need authentication. Any write access to the registry should need authentication to guarantee that only the images from the trusted entities can be appended to it. Registries also offer a chance to employ context-aware authorization controls to the actions.

Orchestrator Risks

  • Unbounded Administrative Access

A single orchestrator may execute several different applications, each handled by the different teams & with different levels of sensitivity. In case the access offered to users & groups isn’t scoped to their certain requirements, a careless or malicious user could subvert or affect the other containers’ operations.

Countermeasures:

Orchestrators should employ the least privilege access model to ensure that users are only provided the capability to perform the certain actions on the certain containers, hosts, and images their roles need. In addition, the test team members should possess limited access to the containers utilized in production.

  • Unauthorized Access

Orchestrators often comprise their own directory service for authentication that may be discrete from the directories which are already in place within the organization. This can root to weaker account management practices & orphaned accounts since these systems are less strictly managed. Since most of these accounts are privileged in the orchestrator, any compromise on them can root to systemwide compromise.

Countermeasures:

Unauthorized access to the cluster-wide administrative accounts must be controlled tightly to ensure that it provides the capability to affect entire resources in the environment. Organizations should employ multifactor authentication methods and should implement single sign-on to available directory systems.

  • Poorly Separated Inter-Container Network Traffic

In several containerized environments, the traffic between the individual nodes is directed through a virtual overlay network. The worst case is the traffic risk from the various applications which sharing the same virtual networks. In case, the application with various levels of sensitivity are using the same virtual network, the sensitive internal applications may be exposed to greater risk due to network attacks.

Countermeasures:

Orchestrators should be designed to isolate network traffic into different virtual networks based on the sensitivity level. With the possibility of per-app segmentation, the organizations as well as use cases, simply describing networks based on sensitivity level offers sufficient risk mitigation within the manageable complexity degree.

  • Mixing Of Workload Sensitivity Levels

By default, orchestrators can place workloads of varying levels of sensitivity on the same host. If a critical vulnerability presents in the web server, then that can leave the container which processing sensitive financial data at a greater risk of security compromise.

Countermeasures:

Orchestrators must be configured to separate deployments to certain sets of hosts by levels of sensitivity. It should define rules to defend high-sensitivity workloads from being run in the same environment as those executing lower-sensitivity workloads. A best practice is to bundle containers together based on relative sensitivity & to guarantee that a provided host kernel only executes containers of the single sensitivity level.

  • Orchestrator Node Trust

Weak orchestrator design can present the orchestrator and all components of the other container technology into increased risk.

Countermeasures:

The platforms of the orchestration must be designed to present features, which make a secure environment for entire applications they run. The orchestrators should guarantee that the nodes are introduced to the cluster in a secure manner and offer an accurate inventory of the nodes & their connectivity states.

Container Risks

  • Vulnerabilities Within The Runtime Software

This risk is certainly dangerous in case they allow the scenarios like container escape in which malicious software can breech resources in the other containers & the host Operating System itself.

Countermeasures:

The container runtime should be carefully tracked for vulnerabilities & when issuers are determined, they should be remedied as soon as possible. The organization must use tools to search for any instances at the risk and to guarantee that orchestrators permit deployments to appropriately maintain runtimes.

  • Unbounded Network Access From Containers

In several container runtimes, individual containers are capable to access the host OS. In case the container is acting maliciously, it would permit this network traffic to expose other resources to risk.

Countermeasures:

The organization must control the outlet network traffic created by containers. At least, these controls must be in use at network borders, guaranteeing containers aren’t capable to send traffic over the networks of varying sensitivity levels. The organization should employ compilation of available network level devices & several app-aware network filtering.

  • Insecure Container Runtime Configurations

Container runtime exposes several configurable choices to administrators. configuring them improperly can reduce the level of system security.

Countermeasures:

The organization must automate compliance with the runtime configuration standards of the container. It can use processes or tools, which continuously evaluate the configuration setting over the environment and enforce them. Secure computing 7 profiles are mechanisms, which can be applied to constrain the system-level competencies containers are assigned at runtime.

  • App Vulnerabilities

Containers may be compromised because of the flaws present in the application they run. This isn’t an issue with the containers themselves; however, instead, is the manifestation of software errors within the container environment.

Countermeasures:

Enterprises should implement extra tools, which are container aware & designed to function at the scale & change rate with containers. The tools must be capable to automatically profile a containerized application using behavioral learning as well as to construct security profiles for them to reduce human communication. These profiles should also be capable to prevent & detect irregularities at runtime.

  • Rogue Containers

Rogue Containers are unsanctioned or unplanned containers in the environment. In a development environment, this can be a common occurrence, since application developers may establish containers as the ways of testing their code. In case, these containers aren't placed via the vulnerability scanning rigors and proper configuration, they may be susceptible to exploits.

Countermeasures:

Organizations must institute different landscape for development, production, test and other processes, each with certain controls to offer role-based access control and management activities. Further, enterprises are encouraged to employ security tools to enforce baseline needs for managing vulnerability.

Host OS Risks

  • Large Attack Surface

Every host includes the attack surface. The larger the attack surface is, the higher the chances that an attacker can determine and gain access to the vulnerability to compromise the host OS as well as the containers running on it.

Countermeasures:

The organization should employ the minimalistic Operating Systems to reduce the attack surfaces as well as mitigate the risks & hardening activities related to general-purpose Operating Systems. The host OS shouldn’t run unwanted system services, which enhance its attack & patching surface areas.

  • Shared Kernel

The using of shared kernel invariable leads to the larger inter-object attack surface, even for the container specific OSs.

Countermeasures:

Together with grouping, the container workloads based on the sensitivity level, organization ensure that the containerized workloads aren’t mixed with non-containerized workloads over the same host instance. This approach makes it safer and simpler to apply defense, which is optimized for container protection.

  • Host OS Component Vulnerabilities

All host OSs, including container-specific ones, presents foundational system component. These components can include vulnerabilities & since they available, low in the architecture of container technology, they can influence entire containers as well as applications, which run on the hosts.

Countermeasures:

The organization must implement management tools and practices to evaluate the component versioning provided for the base OS functionality and management. Host OSs should be functioning in an immutable way with no state or data stored persistently and uniquely.

  • Improper User Access Rights

Container-certain OSs are not optimized to support the multiuser scenarios; because interactive user login must be rare. Enterprises are exposed to danger when the user logs on to the hosts directly to handle containers, instead of going via an orchestration layer.

Countermeasures:

Organization need to ensure that entire authentication to the Operating System is audited, login irregularities are monitored & any escalation to conduct privileged functions are logged.

  • Host OS File System Tampering

Insecure container configurations can put host volumes to experience file tampering risks. These changes could influence the security and stability of the host & other containers executing on it.

Countermeasures:

Guarantee that containers are executed with the negligible set of permissions required for the file system. Organizations should make sure that rarely containers should base local file systems on the host. They should use tools, which can oversee what directories are being placed by containers & protects the container's deployment which violates these policies.

Hardware Countermeasures

The rising complexity of the systems & the deeply embedded nature of the threats requires that security should be extended to entire components of the container technology, beginning with the firmware and hardware. This procedure would create a distributed trusted computing system and offer the most secure and trusted way to build, orchestrate, run and handle containers.

The trusted computing model must begin with measures boot that offers a verified system platform & constructs a trust chain directed with hardware and enlarged to the OS kernels, bootloaders, and the OS components to facilitate cryptographic evaluation of system images, boot mechanisms, container images and container runtimes.

Hope, the above-mentioned risks as well as their corresponding countermeasures provided you an idea on how to implement the container technologies in a secure way.


Read More

A Brief Summary On Information Security Handbook A Guide For Managers

Information security has become a recognized business activity today. Every professional in the organization understand the importance of protecting the resources and information. Though they aware about the importance, still there is a gap in the resources. This is because of the of the lack of knowledge of the information security. Hence, we are going to summarize the NIST special publication called Information Security Handbook: A Guide For Managers.

This publication includes the overview of the elements of the information security program to support the security professionals in understanding how to create and implement the information security program. Nearly, entire topics of this document have been discussed in our various blogs, here we presented a brief overview and links to the corresponding blogs.

Information Security Governance

Information security, an essential function in the organization needs to be handled and governed properly to reduce the risk of the organization’s operations. It is also essential to ensure the ability of the organization to perform business effectively. Information security governance guarantees that the enterprises are proactively applying the proper information security controls in order to support their missions while handling the evolving risks in the security.

To explore more about the information security governance, read the blog, NIST SP 800 100 Information Security Governance. This blog has covered the major concepts of the information security governance such as:

  • Information Security Governance Components

  • Information Security Governance Challenges and Keys to Success

System Development Life Cycle

The system development life cycle walks through the entire process of constructing, implementing as well as a retiring information system via a multi-step process such as:

  • Initiation

  • Analysis

  • Design

  • Implementation

  • Maintenance

  • Disposal

Security Activities In The SDLC

  • Initiation Phase comprises activities like Needs Determination, Security Categorization, and Preliminary Risk Assessment

  • Development/Acquisition Phase comprises activities like Requirements Analysis/ Development, Risk Assessment, Cost Considerations and Reporting, Security Planning, Security Control Development, Developmental Security Test and Evaluation, and Other Planning Components

  • Implementation Phase comprises activities like Security Test and Evaluation, Inspection and Acceptance, System Integration/ Installation, Security Certification, and Security Accreditation.

  • Operations/Maintenance Phase comprises activities like Configuration Management and Control, and Continuous Monitoring.

  • Disposal Phase comprises activities like Information Preservation, Media Sanitization and Hardware and Software Disposal.

Awareness And Training

Awareness and training regarding information security are one of the important critical components. When it comes to the total security solution, organizations should not overstate the importance of the employees in attaining security goals and the training as a countermeasure for security threats. The security awareness & training program is the important components in the information security program. Establishing as well as maintaining a relevant and robust information security awareness & training program in addition to the other information security program provide the workforce with the details & tools required to protect the vital information resources of the organization.

To know more about this section, go through the blog, NIST SP 800 – 100 – Awareness And Training. The blog covers concepts like

  • Awareness & Training Policy

  • Components: Awareness, Training, Education, and Certification

  • Designing, Developing, and Implementing an Awareness and Training Program

  • Post-Implementation

Capital Planning And Investment Control

The rising competition for the limited budgets as well as resources requires the organization allocates existing funding toward their information security investments, which holds the highest priority. This can be obtained via a formal enterprise CPIC (Capital Planning and Investment Control) process to enable and control the outlay of organization funds. FISMA (Federal Information Security Management Act) and other available federal regulations charge the organization with incorporating security activities & the capital planning as well as investment control process.

Interconnecting Systems

A system interconnection is nothing but a direct connection of the two or more information systems for the purpose of sharing data & other information resources. Enterprise prefers to interconnect their system for various reasons, according to their organizational requirements.

Life-Cycle Management Approach

The life-cycle approach for the system interconnection includes four phases:

  1. Planning the Interconnection;

  2. Establishing the Interconnection;

  3. Maintaining the Interconnection;

  4. Disconnecting the Interconnection

Planning The Interconnection

Participating enterprises perform preliminary actions and analyze entire relevant security, technical and administrative problems. The following diagram depicts the steps involved in planning the interconnection phase:

planning the interconnection

Establishing the Interconnection

Once the interconnection activities are planned & approved, the interconnection can be established. The steps recommended for this phase are illustrated below:

estabilishing the interconnection

Maintaining The Interconnection

The participating enterprise must maintain the interconnection, once it is established in order to guarantee that it functions securely and properly. Sample activities recommended during this phase are:

  • Maintain the equipment

  • Analyze audit logs

  • Manage user profiles

  • Maintain system security plans

  • Conduct security reviews

Disconnecting The Interconnection

Disconnection may be planned or happen due to an emergency.

Performance Measure

Performance measures program of an organization includes a myriad of benefits in terms of financial and organizational. Enterprises can create information security metrics, which measures the security program effectiveness and offer data to be evaluated. With the metrics to target the investment of the security, an organization can receive the best of their existing resources.

To know more about the performance measures, go through the blog, NIST SP-800-100 – Performance Measures.

Security Planning

Security Planning is important to receive an overview of the security needs of the system as well as a description of the controls existing or planned for satisfying those needs. The purpose of this plan is to offer an overview of the system’s security requirements and describes the controls for satisfying those requirements. The system security plan assigns the responsibilities and desired behavior of entire individuals who use the system.

The blog, NIST SP-800-100 – Security Planning And Contingency Planning provides an overview of the security planning. The blog covers

  • Security Planning Roles and Responsibilities

  • System Security Plan Approval

  • Security Control Selection

  • Completion and Approval Dates

  • Ongoing System Security Plan Maintenance

Information Technology Contingency Planning

Information technology contingency planning is an essential process for developing GSS (General Support Systems) and MA (Major Applications) with corresponding backup methods & procedures for applying data recovery as well as reconstitution against Information Technology risks.

The blog, NIST SP-800-100 – Security Planning And Contingency Planning also talks about the contingency planning.

Risk Management

An effective risk management is an essential component of the successful security program. The main aims of the risk management process of an organization are to protect the enterprise & its competency to perform its missions.

For more details of the risk management, view the blog, NIST SP-800-100 – Risk Management And Security Certification Process. The blog includes the detailed information of the risk assessment, risk mitigation, and evaluation & assessment.

Certification, Accreditation, And Security Assessments

The essential activities which support the risk management process are the certification and accreditation. Security certification is defined as the comprehensive assessment of the operational, management and technical controls in terms of security in the system, created in support of the security accreditations, to identify the level to which the security controls are applied properly, functioning intended and providing the desired result to satisfy the security needs.

The blog, NIST SP-800-100 – Risk Management And Security Certification Process covers the brief overview of these essential activities.

Security Services And Products Acquisition

Information security products and services remain as the important elements of the enterprise information security program. The Organization chooses the security products and services available in the market and uses it in the entire program to handle the design, development & maintenance of its security infrastructure and to defend its mission-critical details.

Read NIST SP 800-100 – Security Services And Products Acquisitions blog, to aware more about the security services and products acquisitions. The blog walks through

  • Information Security Services Life Cycle

  • Selecting Information Security Services

  • Selecting Information Security Products

  • Security Checklists for IT Products

  • Organizational Conflict of Interest

Incident Response

The organization today wants to analyze the risk to their system and take proper measures to reduce its influence to the acceptable level. They also need to possess a well-defined incident response capability to detect the incidents rapidly, reduce destruction and loss, determine weakness and restore IT operations rapidly.

The blog, NIST SP-100-80- Incident Response And Configuration Management cover the outline of the incident response phases.

Configuration Management

The objective of the configuration management is to handle the impacts of difference/changes in the configuration of the information system. CM supports to remove the risks of problems, confusion, and unwanted spending.

Configuration Management is discussed more in the blog, NIST SP-100-80- Incident Response And Configuration Management.

Hope, the details provided in this blog and its associated blogs inform the information security professionals about the various factors of the information security, which they will be likely to implement & supervise in their corresponding enterprise.

Read More

Incident Response And Configuration Management NIST SP 800 100

Attacks on the information security system and the networks have continuously raising and organizations today are actively taking the numerous measures to prevent such attacks. However, it is not possible to prevent all kinds of the incidents from occurring. The organization needs to analyze the risk to their system and take proper measures to reduce its influence to the acceptable level. They also need to possess a well-defined incident response capability to detect the incidents rapidly, reduce destruction and loss, determine weakness and restore IT operations rapidly. This article is about to discuss the outline of the incident response phases and the configuration management with the reference to the NIST SP 100-800.

Incident Response Lifecycle

The following figure illustrates the major phases included in the incident response:

incident handling lifecycle

Preparation

Incident preparation involves creating an incident response competency to make the organization prevent its system, network, and application from the incident by ensuring adequate security and respond to any incidents if happens. The incident response team needs to involve in a certain set of actions to prevent as well as handle the incidents. The overview of those actions is described below:

Preparing For Incident Response

Making the accurate planning as well as implementation decisions are the main key to construct an effective incident response program. The followings are the tasks needed to concentrate during the preparation phase of the incident response:

  • Create organization specific definition for the “incident” to make the incident scope clear

  • Make an incident response policy

  • Develop incident response & reporting procedures

  • Make guidelines for connecting with external parties

  • Define essential services of the incident response team

  • Choose a team structure & staffing model

  • Staff & train the response team

Preparing To Collect Incident Data

Being prepared for collecting subjective and objective data for each incident is an important action in the preparation phase. These data are useful in the process of meeting the requirements, measuring the success of the team, and making funding decisions. When it comes to collecting the data, an organization needs to focus on gathering the data which are actionable, instead of considering the entire available data.

Preventing Incidents

When compared to reacting a problem after they happen, preventing them from occurring can be the most effective and less costly effort. In case organization’s security controls are insufficient, then there is a chance for the high volumes of incidents and it also overwhelms the resources and competency for a response that would result in incomplete or delayed recovery. The organization needs to complement the incident response competency with the sufficient resources in order to perform their incident handling effectively. The main aim of this process is to reduce the incident frequency in order to allow the incident handling team to focus on the serious incidents. The followings are some of the example practices, which will support to prevent the incident from happening:

  • Comprising a patch management program that will support the system administrators in determining, obtaining, testing & deploying patches, which remove identified vulnerabilities

  • Configuring perimeter of the network to deny the entire activity, which is not permitted

  • Deploying software to detect & stop malicious code

Detection and Analysis

Detection and Analysis phase involves determining whether an incident has happened or not. If so, it determines the extent, type, and magnitude of the incident. The organization can detect incident by using several different ways with varying extents of fidelity and detail. For example:

  • Manual Method: User report

  • Automated Detection: host-based and network-based intrusion detection, log analysis and anti-virus software

Generally, initial analysis is conducted by the automated detection system to select the events for the manual review. Whatever techniques used to detect the incident, the effectiveness of this action depends on the quality of the data, which is taken as the input for the detection. Once the process of incident identification is completed, the team need to take action as soon as possible to analyze as well as validate the identified incidents. They also require to analyse each and every step they have taken. The process of analyses intends to determine the scope, attack methods & targeted vulnerabilities of the incident. The result of the analysis should offer enough details for the team to perform subsequent activities. Furthermore, the organization should also create an escalation process to follow when the incident response team members fail to respond to any incident within the given time.

Containment, Eradication, And Recovery

It is essential to prevent the spreading of the incident since it overwhelms the resources and increases damage. Incident containment early in the incident handling process is an ideal way to solve this issue. Decision making, such as disabling certain system functions, shutting down a system and disconnecting the system from the network are the important part of the containment. After the containment of an incident, the next necessary step to eliminate the incident component is eradication. For example: deleting malicious code and disabling the breached user accounts.

In some case, eradication is considered as unnecessary and performed along with recovery action. Recovery actions involve restoring the system to its normal operating state. Recovery may include actions like:

  • Installing patches

  • Restoring systems from backups

  • Tightening network perimeter security

  • Changing passwords

Post-Incident Activity

After an incident has been handled successfully, the enterprise should conduct a lesson-learned meeting that offers a platform to review the effectiveness of the incident response actions and determine mandatory enhancements to available security practices and controls. The information gathered from the lessons -learned meetings and data accumulated during the incident handling process should be employed to determine systemic security deficiencies and weakness in the procedures and policies.

Configuration Management (CM)

Changes to the software, hardware, or firmware components of the information system can possess a significant influence on the security system. Configuration Management is essential to handle the influence of difference or changes in the configuration of the information system/network. It supports in streamlining the processes of change management and protect changes, which could detrimentally impact the security position of the system before they occur. As per the process of CM, the changes in the system should be tested before the implementation in order to observe the influences of the changes, thereby reducing the risk of the opposing result.

The following tables list the seven configuration management controls, which are mandatory to implement:

configuration magagement

Configuration Management In The System Development Life Cycle

Due to the ever-increasing impact of the security issues, now it becomes essential to address the CM in the SDLC process. In the Software Development Lifecycle process, the planning of the CM takes place in phase 2 and phase 3. CM process implementation falls on phase 4. the phase 4, operation/maintenance, includes the CM change control & auditing steps. In case, there was a notable change addressed the configuration management process, then it is essential to recertify and reaccredit the system.

Configuration Management Roles And Responsibilities

For implementing an effective CM, several roles need to be included. An enterprise must guarantee that they are aware of the proposed changes & assess that a detailed review & approval strategy is in place. In addition, they should also address separation of duties to ensure that the changes are applied only after being tested & approved.

As we have discussed the roles and responsibilities in the blog, An Introduction To Information Security Roles and Responsibilities, the examples of responsibilities for the configuration management are as follows:

Chief Information Officer (CIO)

  • Setting forth policies regarding CM

  • Implementing CM at the uppermost level of the enterprise

System Owner

  • For developing the functional needs & analyzing that the needs are implemented appropriately

Information Systems Security Officer (ISSO)

  • Addressing security issues associated with the CM program

  • Offering expertise & decision support to the CCRB (Configuration Control Review Board)

CCRB

  • Analysing CM metric details on the funding & other CM-associated problems

  • Discussing & resolving change requests, which require extra resources or funding to implement

CM Manager

Responsible for the day-to-day activities:

For example:

  • Documenting & implementing the configuration management plan

  • Creating system baselines & evaluating controls

System Users

  • For reporting any vulnerabilities or new needs, which are determined in the recent software versions

Developers

  • Coordinating & working with the configuration management manager to determine, resolve & implement controls

Configuration Management Process

The configuration management process determines the steps needed to guarantee that entire changes are adequately requested, assessed & authorized. This process also offers a step-by-step detailed procedure for determining, processing, tracking & documenting changes.

The following figure illustrates the examples of the CM process:

Configuration Management Process

Identify Change

Identifying the need for the change is the beginning step of the CM process. A change may comprise the updating the records or fields of the database to enhance the OS with the recent security patches. After the identification of the changes, it is important to submit the change request to the proper decision-making body.

Evaluate Change Request

Once the change request is initiated, the effects of the change of the system should be analyzed. Guidelines for the impact analyze includes:

  • Whether the change is feasible and enhance the system’s performance or security

  • Whether the security of the system will be influenced by the change

  • Whether the change affects the security components

Implementation Decision

Once the changes are evaluated, any one of the following activities should need to take:

  • Approve – authorize implementation and document the authorization signature

  • Deny – denial of request irrespective of the information and circumstances

  • Defer – postpone a decision until further notice

Implement Approved Change Request

Once the decision on the change implementation has been made, it is the time to move it from the test environment to the production.

Continuous Monitoring

Continuous monitoring of the CM process ensures that the configuration management is operating as desired and the applied changes don’t adversely influence either the security or performance of the system. Agencies can use configuration verification tests and system audits for the continuous monitoring system.

Hope the above details provide foundational information on the incident response and configuration management activities.

Read More

Security Services And Products Acquisitions NIST SP 800 100

Information security products and services remain as the important elements of the enterprise information security program. The Organization chooses the security products and services available in the market and uses it in the entire program to handle the design, development & maintenance of its security infrastructure and to defend its mission-critical details.

In addition to the product-selection process, organizations are encouraged to use the cost-benefit analysis, to find the cost related to risk mitigation and life-cycle cost estimates. The acquisition of product and service bears some notable risks that organization needs to determine and mitigate. Those risks come with potential impacts, hence the organization should not underestimate the importance of handling the process of information security services and product acquisitions. In choosing this kind of services and products, the organization should enforce risk management processes in the setting of the security service life cycle.

Roles Involved In The Product-Selection Process

The process of choosing the security products and services involves the contribution of numerous information security personnel within the organization. They are as follows:

  • Contracting Officer

  • Chief Information Officer

  • Contracting Officer’s Technical Representative

  • Security Program Manager

  • Information Technology (IT) Investment Review Board (IRB)

  • Program Manager

  • Privacy Officer

Information Security Services Life Cycle

The lifecycle of the information security services provides the framework for the security decision makers.

information security services lifecycle

  1. Initiation: This phase recognizes need when to begin the service lifecycle. It includes security categorization, needs determinations and the initial risk assessment.

  2. Assessment: Includes creating an accurate description of the recent environment before the decision makers can apply a service & mount a service provider. It analyses opportunities and barriers. Determines options and risks.

  3. Solution: The decision makers select the proper solution from the available options determined during the assessment phase. It develops the business case.

  4. Implementation: At the phase, the service providers are implemented. This phase finalizes & execute the implementation plan.

  5. Operations: Service lifecycle becomes iterative. This phase monitors & measures the performance of the organization. It evaluates and evolve.

  6. Closeout: This phase chooses the proper exit strategy and implements the chosen exit strategy.

Selecting Information Security Services

The organization needs to review the status of their current security programs and the security controls before choosing the certain services. The organization should also apply the risk management process to determine an effective compilation of management, technical and operational security controls, which will mitigate the risk to the acceptable level. The type and number of the proper security controls & their associated information security service can vary throughout the service life cycle of a certain system.

The following table describes the categories of the information security services:

Selecting Information Security Services

Selecting Information Security Services Management Tools

Due to the potential harm sourced by the inadequate security, the security decision makers and program managers must use effective management tools to enhance the possibilities of the success of the obtained security services. The two essential tools are:

  1. Metrics: Facilitates the accountability and decision making via relevant data collection, data analysis, and practice performance data reporting.

  2. Service Agreement: Agreement between the organization, which requesting the security services and the service provider. It specifies the entire services the provider is to produce, the service duration, to what extent, etc.

Information Security Services Issues

Implementing a security service as well as service arrangement is a complex process; since, each security service includes its own associated risks and costs, similar to the service arrangement. Taking a decision according to an issue can include major implication on the other areas of the organization.

The following table lists the various types of issues and factors associated with the security services, which are divided into six categories:

Information Security Services Issues

General Considerations For Information Security Services

In order to identify the service provider, which best suits the needs of the organization, the decision makers will require getting answers for some valuable questions. The questions relating to these needs should become a part of the standard process of the organization for researching & evaluating the security providers and their services. The questions should at least cover the following six major issue categories:

  1. Strategic/ Mission

  2. Budgetary/ Funding

  3. Technical/ Architectural

  4. Organizational

  5. Personnel

  6. Policy/Process

Selecting Information Security Products

As similar to the security services, organization needs to review the status of their current security programs and the security controls before choosing the certain products.

The following table lists the examples of common issues to consider before choosing the products:

information security services

To enable the determination and review of such considerations, the security managers need to use a set of questions while considering a certain product for their program. Some instances of the products sorts include intrusion detection, access control, and other information security associated products. Prior to deciding to purchase any sort of security products, the security managers need to consider the capabilities of the product, compatibility with other product & considerations related to environments.

Organizational Conflict Of Interest

An OCI (Organizational Conflict of Interest) may happen when a party to a contract includes a past/present/future interest associated with the work to be performed or already performed that may reduce its ability to produce technically sound object service. The organization is suggested to do their best to avoid OCI before they arise. While handling the information service lifecycle, organizations should consider the following steps in terms of OCI:

  • Determining the availability of OCIs

  • Mitigating the OCI effect to an acceptable level

  • Waiving the OCI

Hope, the above details provides the organization a clear understanding of the process and consideration involved in selecting the information security services and products.

Read More

OWASP TOP 10 2017 Critical Web Application Security Risks

Why Do We Need To Secure Web Applications?

Companies use web applications for every factor of their business operations from the public websites to mission-serious business applications. With the increase in usability and vulnerabilities, web applications now become the target for the attackers to gain access. The followings are the reason why we need to secure web applications:

  • Easy target, directly exposed Public Interface

  • Larger Attack Surface

  • Addition of Complex Design & Features, increase chances of Attacks

  • Root Cause of above 80% of Security Attacks are directly or indirectly related to the Web

Why Web Security?

With a web application threats are becoming more frequent occurrence; several organizations are struggling to implement security on their web application programs; since they unaware what to do.

Understanding that “Security is a process, not a product” could be an ideal solution for their searches.

Web Security Testing: Current Limitations

The followings are the reasons that stands behind the failure of web security testing:

  • Organizations focus on Testing Business Functionality & Capability on Deployed Applications

  • Security Testing is the last thing to consider, usually after Functional Testing

  • Current trend shows an exponential increase in vulnerability list related to Web Applications

Introducing OWASP

Open Web Application Security Project (OWASP) is an International Non-Profit Charitable Open Source organization. Its participation is free and open to all. It is a technology agnostic and contributed selflessly to the security community. OWASP address Risk-based approach.

OWASP Top 10: Web Application Security Risk

This document includes the list of the 10 most web security risk in the web application. The errors listed occur most frequently in the web application and they’re dangerous since they’ll allow the hackers completely control the software and steal data. The primary aim of the list is to educate developers, designers, architects and organizations about consequences of most common web application security vulnerabilities.

OWASP Risk Rating Methodology

OWASP uses its Risk rating methodology, to analyse severity of these Risk, based on their impact, and prevalence.

Let us begin with, Standard risk model

OWASP has proposed the systematic, Risk Rating Methodology, assisting organizations to effectively analyse and manage the corresponding Web Security Risk.

Steps Involved

Steps Involved in security chekup owasp 2017

Step#1: Identify A Risk

Identify Security Risk that needs to be rated. It gathers information about the following aspects:

  • Involved Threat Agents

  • Attack used

  • Vulnerability involved

  • Business Impact

Step#2: Factors For Estimating Likelihood

The main goal is to estimate the likelihood of a successful attack.

  • Threat agent: Estimate the likelihood of a successful attack by the group of threat agents

  • Vulnerability agent: Estimate the likelihood of the certain vulnerability involved being revealed & exploited.

Step#3: Factors For Estimating Impact

Focus on the impact of the successful attack. It concentrates on the technical impact and business impact.

Step#4: Determining The Severity Of Risk

Proceeding with the following steps:

  • Find Likelihood & Impact based on Score

  • Determine Severity

Step#5: Deciding What To Fix

Once the risks are classified, then prioritize list to determine what to fix.

Step#6: Customizing The Risk Rating Model

Three ways to customize the model are:

  • Adding Factors

  • Customizing Options

  • Weighting Factors

OWASP Top 10: How Each Risk Is Analyzed

The table illustrates how each risk is analysed in the OWASP Top 10 document :

each risk analyzed

OWASP Top 10: 2013 & 2017 Web App Security Risk

The threat environment for the API and web application continually changes. To appear up-to-date, OWASP Top 10 periodically updates their list with the recent dangerous security vulnerabilities. Recently, it announced the release of OWASP Top 10 Critical Web Application Security Risks.

Here is the comparison of OWASP Top 10 - 2013 (Previous Version and OWASP Top 10 - 2017 (Current Version)

owasp 2013 vs 2017

As shown in the above illustration:

  • The vulnerabilities A4 – Insecure Direct Object Reference and A7- Missing Function Level Access Control in the 2013 list are merged and listed as A4-Broken Access Control in the 2017 list.

  • Moreover, in the OWAPS 2017, three new risks called A4:2017-XML External Entities (XXE), A8:2017-Insecure Deserialization, and A10:2017-Insufficient Logging and Monitoring are added additionally

  • The risks A8 – Cross-site Request Forgery and A10 – Unvalidated Redirects and Forwards was found in the only minimum percentage of applications, both are dropped from the list of critical web application security risks.

For More Details on OWASP Top 10 2017 Risk ...

 


Read More

Risk Management And Security Certification Process NIST SP 800 100

For successful information security program, the organization needs an important component called effective risk management process. Since it protects the organization & its ability to achieve missions, in addition to the information assets. As we have discussed the information security risk management in the blog, An Introduction To Information Security Guide - Risk Management, Assurance And Security Consideration, here we are going to explore deep into the risk management and its supporting activities including certification, accreditation and security assessments with the reference to the NIST Special Publication 800-100.

Risk Management

Risk Management is a combination of three processes, such as:

  1. Risk Assessment
  2. Risk Mitigation
  3. Evaluation & assessment

Risk Assessment

The main goal of this process is to determine and evaluate the risks to a specified environment. The organization needs to follow six important processes that are illustrated below to meet the risk assessment goals.

Risk assessment

Image source: NIST

1. System Characterization

This step starts with the determination of the system resources, boundaries, and information. System characterization establishes risk assessment effort scope, defines the operational authorization boundaries and present information.

System characterization describes the following things:

  • Essential Components: Hardware, software, external interfaces, people, and data.

  • Factors that affect system security:

    • System functional requirements
    • Information flows throughout the system
    • System network topology
    • Organizational security policy & architecture
    • Management, operational, & technical security controls implemented or premeditated to be implemented
    • Physical & environmental security mechanisms

2. Threat Identification

Threat Identification involves in identifying the threat sources, which possess the potential to exploit the system weaknesses. The common threats are categorized into the following areas:

  • Natural Threats: earthquakes, floods, tornadoes, electrical storms, landslides, and avalanches
  • Human Threats: Intentional & non-intentional
  • Environmental Threats: power failure

3. Vulnerability Identification

Organizations identify vulnerabilities by using a compilation of several sources and techniques. To begin the vulnerability identification process, an organization can review the sources like audit reports, previous risk assessments, security advisories and vulnerability lists. Security testing with automated vulnerability scanning tools like ST&E (Security, Test, and Evaluation) and Pen Test can be applied to identify vulnerabilities.

4. Risk Analysis

The risk analysis step involves the estimation of the risk, possible to the system. This analysis needs to consider some closely intertwined steps that include:

  • Impact Analysis
  • Control Analysis
  • Likelihood determination
  • Risk determination
  • Impact Analysis

The impact analysis focuses on the factors like influence to the data, system and the enterprise’s mission. Furthermore, it also considers the sensitivity and criticality of the data and system. Impact analysis can be specified in the qualitative terms like high, low and moderate.

  • Control Analysis

It analysis the controls in places to defend the system. It can be performed by using a questionnaire or checklist. The result of this step can be applied to strengthen the identification of the possibility, which a certain threat might exploit a specific vulnerability.

  • Likelihood Determination

Likelihood determination focuses on the motivation of a threat source and its competency to exploit a weakness, the characteristic of the vulnerability, the effectiveness of the mitigating controls, and the existence of the controls. Likelihood ratings are specified in the qualitative terms like high, low and moderate.

  • Risk Determination

Once the risk likelihood and impact analysis rating have been obtained, then the extent of risk to the organization and system can be determined by multiplying the threat impact and threat likelihood ratings. The following table explains how to calculate the risk rating from the result of threat likelihood and impact analysis using a 3X3 matrix :

Risk Determination

The following table defines the risk scales as well as the required management actions:

Nist Risk Analysis

5. Control Recommendations

The main goal of this step is to reduce the risk level to the information system & its data to the extent that an organization thinks acceptable. This recommendation remains as the important input for the process of risk mitigation at the time, which the recommended technical and procedural security controls are analyzed, prioritized and implemented.

The factors to consider in this step are as follows:

  • Efficiency of recommended options
  • Legislation & regulation
  • Organizational policy
  • Operational influence
  • Safety & reliability

6. Results Documentation

This mechanism formally reports the outcomes of entire risk assessment activities. The reports aim to describe as well as document the risk position of the information system whilst it is functioning in its specified environment and to deliver managers with adequate information to make risk-based decisions.

The risk assessment reports describe the following things:

  • Assessment scope according to the system characterization
  • Methodology applied to perform the risk assessment
  • Individual observations from the risk assessment process
  • Estimation of the entire risk posture of the security system

Risk Mitigation

Risk Mitigation attempts to prioritize, analyze and implement the proper risk-reducing controls suggested from the process of risk assessment.

An organization may use several ways to reduce the risks to the systems including:

  • Risk avoidance
  • Risk assumption
  • Risk planning, research, & acknowledgment
  • Risk transference

The following figure illustrates a simple strategy to determine whether the risk mitigation action is important:

Risk Mitigation

Image source: NIST

Based on the result of the risk assessment process where each risk is determined and analyzed, managers then decide whether the identified risk is acceptable or unacceptable. In addition, they also decide whether to execute extra controls or not, in order to mitigate the unacceptable risks.

Once the organization has made a decision on which risks need to be addressed, then they follow a seven-step approach in the risk mitigation process to guide the security control selections. The seven-step approach comprises:

  1. Prioritize actions
  2. Evaluate recommended control options
  3. Conduct cost-benefit analyses
  4. Select controls
  5. Assign responsibility
  6. Develop a safeguard implementation plan
  7. Implement selected control(s)

Evaluation And Assessment

Generally, the changes, which happen to the systems during daily operations possess the potential to unfavourably affect the system’s security in some fashion. Focusing on it, is the main goal of the evaluation and assessment process and it also guarantee that the system endures operating in a safe & secure manner. This final step of the risk management is usually conducted at the security certification phase that offers input required to finalize the actions of risk assessment.

Certification, Accreditation, And Security Assessments

Security Certification and Accreditation are an integral part of the information security program of the organization and they support the risk management process. These activities are designed to guarantee that the system will function with the proper management review, that re-accreditation happens periodically and that there is continuous monitoring of system security controls.

As similar to the system security plans and risk assessments, security assessments possess an ideal role in the security accreditation. It is important that organization officials comprise the complete & accurate information on the status of their information security system to make risk-based decisions.

Security certification is defined as the comprehensive assessment of the operational, management and technical controls in terms of security in the system, created in support of the security accreditations, to identify the level to which the security controls are applied properly, functioning intended and providing the desired result to satisfy the security needs.

Certification, Accreditation, And Security Assessments Roles And Responsibilities

As we have described the roles and responsibilities involved in the information security, in the blog, An Introduction To Information Security - Roles & Responsibilities, the following section points out the specific responsibilities of the officials in the security certification and accreditation.

Chief Information Officer

  • Broadcast cost-effective practices to comprise risk assessment, threat & vulnerability assessments and outcomes of security control assessments.

  • In performance with authorizing personnel, identify proper resource allocation for security systems and programs.

Authorizing Official

  • Supervise the budget & business operations of the system

  • Create and issue a final/interim decision on granting, or denying authority to access the system

Senior Agency Information Security Officer

  • Designate as the primary liaison of the CIO to the authorizing officials, ISSOs, and information system owners

Information System Owner

  • Develop & maintain the system security plan

  • Produce necessary system-oriented documentation to the certification authority

Information Owner

  • Found rules for appropriate use & protection of the information

  • Interconnect level of information assurance compulsory for the system with the proper system owner

Information System Security Officer

  • Perform day-to-day security operations of the system

  • Develop system security policy and plan

  • Update security plan

Certification Agent

Individual or a group responsible for performing a security certification/ security control assessment in the information system.

Responsibilities:

  • Assess the security plan to guarantee the plan delivers applicable security controls preceding to preparing the certification process

  • Performs a complete assessment of the operational, management, and technical controls in the information system

User Representatives

  • Responsible for recognizing mission/operational necessities and for fulfilling the security needs & security controls defined in the system security plan.

Delegation Of Roles

At the decision of the senior organizational officials, specific security certification & accreditation roles can be delegated and appropriately documented. For example, the organization may appoint properly qualified individuals like contractors, to carry out the activities related to the security certification & accreditation role.

Security Certification And Accreditation Process

Four distinct phases are involved in the security certification and accreditation process. They are:

  1. Initiation Phase
  2. Security Certification Phase
  3. Security Accreditation Phase
  4. Continuous Monitoring Phase

1. Initiation Phase:

This phase will guarantee that the certification agent will begin the security control assessment action only when the security plan content gets approval from the SAISO and authorizing officials.

This phase comprises three important tasks:

  • Preparation
  • Notification & Resource Identification

  • Security plan review, analysis & acceptance

2. Security Certification Phase

This phase recognizes the level to which the system security controls are implemented properly, functioning as intended and providing the anticipated system security posture.

This phase includes two tasks:

  • Security Control Assessment

  • Security Certification Documentation

3. Security Accreditation

This phase aims to support the certification authority to identify whether the remaining identified vulnerabilities position an acceptable range of risk to the organization.

This phase comprises two important tasks:

  • Security accreditation decision

  • Security accreditation documentation

After completing this phase, the security personnel will be facing any one of the following scenarios:

  • Formal authorization to operate the system is granted

  • Authorization to operate the system is denied

  • Authorization to operate the system is granted under certain terms & conditions

4. Continuous Monitoring Phase

This phase is an essential component, which checks the security controls status in the system on a continuous basis. An effective continues monitoring program needs to consider the following things:

  • Configuration management & configuration control processes in the system

  • Security influence analyses on the modification of the systems

  • Evaluation of the chosen security controls in the system & reporting of the security status of the corresponding officials

Security Certification Documentation

The process of security certification and accreditation process ends with the risk management decision by the organizational official. The accreditation package documents the outcome of the security certification. This document produces the essential information required by the authorizing officials to make a risk-based decision. This package includes the following documents:

  • Approved system security plan – Produce an overview of the security needs and describes the measures that official has taken to match with those needs.

  • Security assessment report – Summarizes the outcome of the activities stated by the certification agent.

  • Plan of Action and Milestones – Describes the measures, which have been applied to correct the deficiencies recognized at the time of security controls assessment and to eliminate identified system vulnerabilities

Accreditation Decisions

The accreditation decision communicates the decision of the accreditation authority and provides the official with:

  • Security accreditation decisions
  • Supporting foundation for the decision
  • Terms & conditions for the authorization

Program Assessments

Federal Information Security Management Act (FISMA) needs each organization to develop, implement and document an organization-wide security program to offer information security for the system, which supports assets and operations of the organization including those managed by another contractor, agency or other source. To guarantee the effectiveness and adequacy of the security controls, organization officials need to conduct the annual reviews of the security program of their organization & submit the resulting report to the Office of Management and Budget (OMB).

On the whole, the organization needs to assess the risk to establish the effective security controls, in to order to manage the unacceptable risk. In addition, they need to perform security certification, accreditation and assessment to ensure the effectiveness of the security controls.

Read More

Security Planning And Contingency Planning NIST SP 800 100

Security Planning is important to receive an overview of the security needs of the system as well as a description of the controls existing or planned for satisfying those needs. Similarly, information technology contingency planning is an essential process for developing GSS (General Support Systems) and MA (Major Applications) with corresponding backup methods & procedures for applying data recovery as well as reconstitution against Information Technology risks. Let us explore more about these planning, which is described in the NIST SP-100-800.

Security Planning

System security plan defines responsibilities and anticipated behavior of entire individuals who involved in accessing the system. It should reproduce inputs from various officials with responsibilities regarding the systems, like the system owner, the information owners and the SAISO (Senior Agency Information Security Officer). Since the system security plan is an essential deliverable in the SDLC process, the users and officials who are responsible for describing the system needs should be familiar with the security planning process. The following guidance offers fundamental details on how to create a security plan with reference to the applicable federal needs and it’s effortlessly adaptable to different organizational structures.

Major Applications, General Support Systems, and Minor Applications

The entire information system should be covered by a security plan and categorized as MA (Major Application) or GSS (General Support System). System security plan for the minor applications aren’t needed since the controls for those applications are offered by the MA or GSS in their function. In those situations where the minor application isn’t connected to a GSS or MA, the minor application must be explained briefly in a GSS plan.

Security Planning Roles And Responsibilities

The organization should designate corresponding professionals within their organization in the following activities for effective security planning:

  • For periodic review, POA &M (Plans of action and milestones) and modification of system security plans

  • In reviewing the plan prior to schedule with certification and accreditation process

  • Follow up the security controls & updating them to ensure they meet the current situation

  • For analysing and confirm that the security controls, which are defined in the system security plan are reliable with the FIPS 199 security category

As we have discussed the roles and responsibilities in the blog, An Introduction To Information Technology – Roles and Responsibilities, here we listed some of the responsibilities, which are specific to the Information Security Planning.

Responsibilities Of Chief Information Officer

  • Appointing a SAISO to carry out the responsibilities of CIO for system security planning

  • Handling the determination, implementation & assessment of security controls

  • Supporting senior agency officials for system plans

  • Determining and developing security controls for the organization

Responsibilities Of Information System Owner

  • Creating the security plan in assistance with information owners, ISSO, the SAISO, the system administration and end users

  • Handling the system security plan & guaranteeing that the system is operated based on the security requirements

  • Guaranteeing that support personnel and system users receive the necessary security training and supporting in the determination, implementation, and evaluation of the security controls

Responsibilities Of Information Owner

  • Creating the rules for the proper use & protection of the data and information

  • Presenting input to the information system owners on the security controls and security requirements for the information systems

  • Deciding the types of privileges to the information system

  • Supporting in determining and evaluating the common security controls

Responsibilities Of Senior Agency Information Security Officer

  • Carrying out the responsibilities of the CIO for security planning

  • Supporting the development, review & acceptance of the system security plans with ISSOs, information system owners, and the authorizing officials

  • Supporting in determining, implementing, and evaluating the most common security controls

  • Processing professional qualifications like training & experience needed to develop & review security plans

Responsibilities Of Information System Security Officer

  • Supporting the SAISO in determining, implementing, and evaluating the most common security controls

  • Supporting the development & maintenance of the security plan

Rules of Behavior

The rules of behavior, a form of security control should clearly define responsibilities as well as the expected behavior of entire individuals who have access to the system. It should also state the significance of inconsistent behavior/noncompliance & be made obtainable to every user preceding to getting authorization for access.

System Security Plan Approval

Organizational policy should address who is accountable for system security plan approval & procedures created for plan submissions. Preceding to certification & accreditation process, the corresponding official independent from the organizational system owner generally approves the plan.

System Boundary Analysis and Security Controls

The impact levels of FIPS 199 must be focused while drawing the system boundaries and when choosing the baseline security controls. The baseline security controls can be tailored according to the risk assessment and local conditions such as:

  • Organization-specific security requirements

  • Cost-benefit analyses

  • Specific threat information

  • Special circumstances

  • Compensating controls availability

The process of exclusively assigning information resources to the information system describes the system’s security boundary. Organizations include flexibility in identifying what constitutes the information system. In case a group of information resources is determined as the information system, then the resources should be under the control of same direct management. It is also feasible for the information system to comprise multiple subsystems. A subsystem is defined as the major component or subdivision of the information system.

Security Controls

FIPS 200 present the 17 minimum security needs for information systems. An organization must satisfy minimum security needs in this standard by implementing security controls based on the designated influence degrees of the information systems. An organization includes the flexibility to modify the control baseline based on the terms & conditions. The modifying activities include:

  • Compensating controls specification

  • Scoping guidance application

  • Agency-defined parameters specification in the security controls

Scoping Guidance

The subsystem generally falls under the authority of the same management and are comprised within a single security plan. The following figure illustrates a GSS along with 3 subsystems:

nist scoping guide

Image source: NIST

Scoping guidance offers an organization with certain terms & conditions on the implementation and applicability of individual security controls. Security plans should determine which security controls applied scoping guidance & comprise a definition of the kind of considerations, which were made.

Compensating Controls

These controls are the operational, management or technical controls utilized by an organization in lieu of agreed controls in the high, moderate and low-security control baselines that offer comparable/equivalent protection for the information system.

Common Security Controls

An organization-wide prospect of the information security program enables the determination of the common security controls, which can be used to one or more organization information systems. Common security controls can be applied to:

  • Entire organization information systems

  • A group of systems at a certain site

  • Common information systems, applications or systems deployed at various operational sites

Security Control Selection

An organization must satisfy minimum security needs in FIPS 199 by choosing the proper security controls & assurance requirements to achieve enough security. However, this process is a risk-based and multifaceted activity involving operational and management personnel within the agency.

Completion and Approval Dates

The completion date for the security plan should be mentioned. It should be restructured every time the plan is reviewed and updated. The security plan should also include the date the designated authority and authorizing officials approve the plan.

Ongoing System Security Plan Maintenance

Once the security plan is accredited, then it should involve periodic assessment and review to ensure that the plan endures reflecting the proper details about the system. The items to be included in the review are:

  • Revolution in information system owner

  • Revolution in information security authority

  • Major revolution in system architecture

  • Revolution in system scope

  • Revolution in authorizing official

Information Technology Contingency Planning

Risks to the information systems may be technological, natural or human in nature. The contingency planning includes the process of recovery & documentation of procedures for performing recovery. The following figure illustrates the activities of contingency planning in each phase that should be stated during entire stages of the SDLC:

Information Technology Contingency Planning

Image source: NIST

The strategies of recovery should be assembled into the MA or GSS’s architecture on the development stage. The contingency processes must be tested & maintained at the implementation stage. The contingency plan should be drilled and maintained in the operation/maintenance stage. At the disposal stage, the legacy system should stay intact & operational as an eventuality to the system until the new information system has been tested.

Seven Step IT Contingency Planning Process

  1. Develop Contingency Planning Policy Statement

The first step in the developing IT contingency plan is establishing the contingency planning policy. The statement should describe the following things:

  • Entire contingency objectives

  • Roles & Responsibilities

  • Identify leadership

  • Resource requirements

  • Develop maintenance schedules

  • Test, training & exercise schedules

 

  1. Conduct Business Impact Analysis (BIA)

It is the critical step to aware the components of the information systems, impacts of potential downtime and interdependencies. It is conducted by determining the critical system's resources. The resources are further examined to identify how long the performance of the resources could be withdrawn from the system prior an unacceptable influence is experienced.

  1. Identify Preventive Controls

Implementing the preventive controls might address, outage influence determined by the BIA. Common preventive controls comprise:

  • Uninterruptible power supply

  • Nonelectronic records

  • Fire Suppression systems

  • Often, scheduled data backups

  1. Develop Recovery Strategies

Despite the preventive measures are implemented, there might be a chance for the occurrence of the disruption. Therefore, it is essential to place the recovery strategy to recover data as well as system operations. The strategies of the recovery are designed for the compilation of methods that together mitigates the entire spectrum of risks.

  1. Develop IT Contingency Plan

The recovery strategy executing procedures are charted in the Information Technology Contingency Plan. The plan is designed using the five important components as illustrated in the following figure:

5. Develop IT Contingency Plan

Image source: NIST

The supporting information & appendices phase offers the supplementary information, which is important to aware the context. The notification, recovery and reconstitution phases include the documentations of procedures.

  1. Plan Testing, Training, And Exercises

Officials responsible for executing the contingency plan should be trained to conduct the procedures, the system strategy should be tested and the plan should be exercised.

The planned testing should comprise:

  • System performance using substitute equipment

  • System recovery on a substitute platform from the backup media

  • System performance using substitute equipment

  • Notification procedures

Personnel training should comprise:

  • Security requirements

  • Plan Purpose

  • Cross-team coordination & communication

  • Individual responsibilities

  • Team-specific processes

Procedures plan exercise should be intended to individually examine and then collectively examine multiple components of the whole plan.

  1. Plan Maintenance

The contingency plan should always be kept in a ready state for applying instantly upon notification. The periodic reviews of the contingency plan should be performed for the currency of vendor information & key personnel, the recovery strategy, system components & dependencies, operational requirements and vital records.

Hope the information covered in this section regarding the system security planning and information system contingency planning will help you to effectively protect the organization.

Read More

Performance Measures NIST SP 800 100

Organizations experience numerous financial and organizational benefits of the performance measures program. An effective metrics program can offer useful data for guiding the provision of information security resources. Here in this article, we are going to summarize the performance measures program with the reference to the NIST Special Publication 800- 100.

Organizations can create information Security metrics, which validates the efficiency of their security program. The metrics offer data to be analysed as well as used by system owners and program managers to isolate issues, target funds, particularly in the regions in the requirement of enhancement and justify investment requests. With the metrics, an organization can experience the best value from the existing resources.

The four interdependent components present in the information performance management program are:

  1. Senior Management SupportEstablishes a concentration on security within the uppermost levels of the enterprise.

  2. Security Policies and Procedures Essential to enforce compliance. Metrics aren’t easily attainable in the lack of policies & procedures.

  3. Quantifiable Performance Metrics Established to capture & offer meaningful performance data.

  4. Analyses Result of analyzing the metrics data are utilized to apply lessons learned, enhance the efficiency of available security controls & plan future controls to satisfy new security needs as they happen.

The laws, rules & regulations that cite IT performance measurements in general as well as Information security performance measurement in specific, as needs are as follows

  • Government Performance and Results Act (GPRA)

  • Clinger-Cohen Act

  • Government Paperwork Elimination Act (GPEA)

  • Federal Information Security Management Act (FISMA)

Metrics

Metrics are defined as the tools, which support decision making. It plays as an important element in the toolkit of the managers in making as well as substantiating decisions, in addition to the external mandates, experience, and strategies.

Metrics are generally used to answer the following three basic questions:

  • Am I employing the tasks for which I am answerable?”

  • How competently or effectively am I achieving those tasks?”

  • What influence are those tasks consuming on the mission?”

Metrics Development And Implementation Approach

Metric development and metrics implementation are the two main processes that guide the establishment as well as the operation of the information security metric program.

  • Metric Development ProcessCreates the beginning set of metrics and choice of the metric subsets suitable for the enterprise at a given time.

  • Metric Implementation Process Activates a metrics program, which is iterative and guarantees that proper factors of Information Security are measured for the certain time period.

Metric Development Process

The process of information security metrics development includes two major activities:

  1. Determining and describing the recent information security program

  2. Developing as well as choosing certain metrics to measure efficiency, implementation, efficiency and the influence of the security controls.

The following figure depicts the position of information security metrics in a larger enterprise context:

Security Metrics

Image source: NIST

As shown in the above figure, the metric development process doesn’t need to be sequential. The kind of metric depends on the maturity of the security program.

The phase 5,6, & 7 present in the figure involve creating metrics, which measures process implementation, efficiency/effectiveness, and mission impact. The certain factor of the security, which metrics will concentrate on will depend on the maturity of the information security program.

The organization should prioritize metrics to guarantee that the final set of metrics selected for initial implementation includes the following attributes:

  • Enables enhancement of implementation of high-priority security control

  • Uses data, which can believably be attained from available processes & data repositories

  • Measures processes, which already available and are comparatively stable.

  • The organization also derives metrics from the available data sources like security certification & accreditation, incident statistics, security assessments, POA&M (plan of action and milestones) and independent reviews. An organization may use a weighing scale to distinguish the rank of selected metrics & to guarantee that the results precisely reflect available security program priorities.

Metric Program Implementation

Information Security metrics are used for monitoring performance of the information security control and stimulating performance enhancement actions. As shown in the figure, there are six phases in this iterative process:

Security program implemantation

Image Source: NIST

  1. Prepare For Data Collection

Includes activities, which are essential for creating a complete information security metrics program. The followings are the actions involved:

  • Information metrics identifications, definitions, selection, and development activities

  • Creating a plan for metric program implementation

Once the metrics have been determined, certain implementation stages should be described on how to gather, analyze, & report the information security metrics. These stages should be documented in the organization metric program implementation plan.

The followings are some of the items to be included in the plan:

  • Metrics roles & responsibilities

  • Audience

  • Metrics collection, analysis & reporting process, which is tailored to the certain enterprise processes, structure, procedures, and policies

  • Details of coordination with CIO

  • Selection or creation of data collection & tracking tools

  • Metrics summary reporting formats

  1. Collect Data And Analyze Results

Involves activities, which are important for guaranteeing that the gathered metrics are utilized to gain an awareness of system security and to determine corresponding enhancement actions. The activities included in this phase are:

  • Collect metrics data based on the processes, which is defined in the security metrics program implementation plan

  • Consolidate gathered data and keep in a format helpful to data analysis & reporting

  • Perform gap analysis, compare gathered measurements with victims if defined and determine gaps between desired and actual performance

  • Determine causes of poor performance

  • Determine areas need enhancement

  1. Identify Corrective Actions

Involves creating a plan, which will offer the guidance of how to fulfil the implementation gap. The activities included in this phase are:

  • Identify a range of corrective action

  • Prioritize Corrective Actions according to Total Risk Mitigation Goals

  • Select Most Suitable Corrective Actions

4. & 5. Develop Business Case & Obtain Resources

The phase 4 and 5 involves the budgeting cycle needed for attaining resources required for implementing the actions of remediation determined in phase 3. The steps involved in developing a business case depend on industry practices & mandated guidance that includes OMB (Office of Management and Budget) Circular A-11, GPRA and the Clinger-Cohen Act. The outcome of the preceding three phases will be encompassed in the business case.

  1. Apply Corrective Actions

States applying corrective actions are identified via data analysis and as described in an appropriate business case or POA&M. Once the corrective actions are involved, the cycle finishes itself & restarts with subsequent data gathering and analysis. Frequent performance measurements will guarantee that in case corrective actions aren’t implemented as planned, quick subsequent corrections can be established internally by the enterprise, thus avoiding the opening of issues during external audits, accreditation and certification efforts.

Hope, the above information explains the metrics development process and metrics program implementation and how to use them to justify security control investments.

Read More

NIST Special Publication An Introduction To Information Security 800 12 R 1

Recently, understanding the information security is important to the entire organization to safeguard their information & perform their business. Information security protects the ability of the organization to function, enable the safe operations of its applications, safeguard the data it collects & uses and prevents the technology assets. There are also risks and challenges involve in the implementation of information security in the organization.

In order to support the organization to secure their systems and resources, NIST has released a special publication called An Introduction To Information Security, which offers a high-level outline of the information security principles including security concepts and control families.

As we have explained each and every section of this publication in our blogs, here we are going to present an overview of this document and links to the corresponding blogs, which discussed the concepts in details.

Important Terminology

NIST Definition

nist defination on security

Elements Of Information Security

The eight major elements of the information security are

  1. Supports the organization mission

  2. An integral element of the sound management

  3. Protections are implemented in such a way commensurate with risk

  4. Roles & responsibilities are made explicit

  5. Responsibilities for the system owners exceed beyond their own organization

  6. Need a comprehensive & integrated approach

  7. Assessed & monitored regularly

  8. Constrained by cultural and societal factors

Roles And Responsibilities

Clearly defined roles & responsibilities support the enterprise and its workers work in an efficient way by entitling who is responsible for doing specific tasks. In a small organization, this approach will support to evenly distribute the workloads as a worker may be needed to handle more than one work. In a large enterprise, this approach will support ensure that no work is overlooked.

The blog, An Introduction To Information Security - Roles & Responsibilities, covers the outline of the basic roles and responsibilities involved in the information security.

Threats And Vulnerabilities: A Brief Overview

Vulnerabilities make the systems prone to a myriad of activities, which can result in irreversible losses to the organization. With the right knowledge, an organization can enhance the degree of their security.

The blog, An Introduction To Information Security – Description Of Threat Environment And Information Security Policy presents an overview of threats and vulnerabilities

Information Security Policy

Information Security policy is a collection of regulations, rules, directives, and practices, which defines how an enterprise handles, protects & distribute information. Manager’s decisions in the information security problems vary based on the different kinds of the policies.

The blog, An Introduction To Information Security – Description Of Threat Environment And Information Security Policy covers the outline of the information security policy, to assist the organization in the process of managerial decisions.

Information Security Risk Management

Risk Management is the procedure of reducing the risks to enterprise operations and assets, other enterprises, individuals and the nation.

Industries today are routinely handled a myriad of risks. To support the organization, manage security risk, the risk management is explained clearly in the blog, An Introduction To Information Security Guide – Risk Management, Assurance, And Security Consideration.

Assurance

Assurance is the extent of confidence one possesses that security measures defend system and information by guaranteeing their integrity, availability, confidentiality, non-repudiation, and authentication. The plans for assurance and categories of the assurance methods & tools are explained deeply in the blog, An Introduction To Information Security Guide – Risk Management, Assurance, And Security Consideration.

Security Considerations In System Support And Operations

It is essential to consider security as a portion of the system support & operation. If an organization fails to do so, it can be detrimental to its security. To understand the support and activities, which are associated directly with the security aspects, explore the blog, An Introduction To Information Security Guide – Risk Management, Assurance, And Security Consideration.

Cryptography

It is an essential tool for preventing the information in the organization and implemented in several factors of the information security. The basic aspects of the cryptographic techniques and details of certain ways to enhance the cryptographic security are explained in the blog, An Introduction To Information Security – Cryptography And Control Families.

Control Families

To understand the brief description of the security control families, just refer the blog, An Introduction To Information Security – Cryptography And Control Families. It comprises the description, examples, and details of how organizations address those security controls.

On the whole, we have explained security principles that organization may influence to aware the security requirements of their system in the above-mentioned blogs in accordance to the overview of NIST publication.

Read More

An Introduction To Information Security Cryptography And Control Families

Cryptography is the science of communicating the message in a secret code. This technique involves encoding a data (called as encryption), with a certain set of keys while sending and decoding the data (called as decryption) using same or diverse keys at the receiver’s end.

It includes a variety of algorithms for storing as well as transmitting sensitive details in a manner that only proposed receiver can access and read. In this section, we are going to explore outline of the basic factors of the cryptographic technologies and some certain ways the cryptography can be implemented to enhance security which is described in the NIST S.P-800-12r1. Furthermore, this article also presents the description of essential control families. 

Cryptography

Uses Of Cryptography
 
It is used to prevent data both outside and inside the system. An inside system may be protected with physical and logical access controls. However, the system’s outside data can be protected only by the cryptography. It offers a solution to preventing data even when those data are no longer under the control of the originator.

  • Data Encryption - Cryptography provides cost-effective data confidentiality via the data encryption. Encryption is a technique, which transfers intelligible data (plain text) into an unintelligible text (ciphertext). This process is reversed via the decryption process. For example, Advanced Encryption Standard (AES) is a cryptographic algorithm that can be applied to encrypt and decrypt to protect the electronic data. 
  • Integrity - It ensures the integrity by detecting both the unintentional and intentional modification.
  • Electronic Signatures - It offers a means of associating documents with a certain person, as is accomplished in the written signature. Electronic signatures can be authenticated uniquely for a sensitive message and only for that sensitive message. 

Types Of Electronic Signatures:

  • Secret Key Electronic Signatures -  employed using MACs
  • Public Key Electronic Signatures - employed using public key cryptography

User Authentication- It forms the basis for various authentication techniques and enhances the security in the user authentication techniques.

Implementation Issues To Consider

When designing, implementing and integrating the cryptographic techniques, it is essential to consider some issues that include:

1. Selecting Design and Implementation Standards
2. Deciding Software, Hardware, or Firmware Implementations
3. Managing keys
4. Security of Cryptographic Modules
5. Applying Cryptography to Networks
6. Complying with Export Rules

1. Selecting Design And Implementation Standards

NIST and other enterprises have released several standards for designing, implementing and integrating cryptographic techniques. These standards can support enterprises to reduce costs as well as prevent their investments in the technology. 
The organization should choose the proper cryptographic standard accordance with the trends in acceptance of the standard, cost-effectiveness analysis, and interoperability needs. Each standard needs to be analyzed carefully to identify it is appropriate to the desired application of the enterprise.

2. Deciding Between Software, Hardware, Or Firmware Implementations

Cryptography can be applied in hardware, software or firmware. Each mode includes its associated costs and benefits. For example:

  • Generally, software is less expensive, but slower than hardware. 
  • For large systems, the hardware is less expensive.

In most cases, cryptography is applied using hardware and controlled by software. This hybrid solution ensures that hardware devices are offered with proper information and isn’t bypassed. We can find firmware in cell phones, USB keyboards, and smart TVs. It is critical to ensure the security of the firmware implementation.  Hardware available with built-in protection that can prevent the malicious firmware modifications. 

3. Managing Keys

The security of the message that is protected with cryptography depends on the security of the keys. Key management is essential to protect the keys from modification and unauthorized access. Managing keys involves generation, storage, distribution, use, entry, destruction, and archiving of keys.
A business which involve geographically distributed user needs to maintain a public key with enhancing level of confidence in the integrity and binding. Furthermore, it may also essential to integrate date/time to stamp for authentication of old signatures. 

4. Security Of Cryptographic Modules

Cryptography is generally implemented in the modules of software, hardware, firmware or by combining them as a hybrid solution. Thus, the module includes the certain control parameters, the cryptographic algorithm(s) and temporary storage services for the key(s). The module should be protected against tampering and other security issues to ensure the proper cryptographic functioning. 

5. Applying Cryptography To Networks

Implementing cryptographic techniques within the networking application often need special considerations. Here, the appropriateness of the cryptographic module depends on its competence for handling special needs imposed by network protocols & software. It is mandatory that cryptography technique meets the needs forced by the communications devices and doesn’t interfere with the efficient and proper functioning of the network. 
On the network, data is either encrypted using end-to-end encryption or link encryption. Link encryption encrypts the entire data along with the communication path, whereas in an end-to-end encryption, the data is encrypted but the routing information stays visible. 

6. Complying With Export Rules

The rules that govern the export of cryptographic implementation can be complex because they cover multiple factors. In addition, the rules may change whenever the cryptography field evolves. Hence, it is important to address the questions that concern the export rules with the support of proper legal counsel. 

Cost Consideration

Protecting information with the help of cryptographic includes both direct and indirect cost, which can be determined by the availability of products. A wide range of products are available for employing cryptography in add-on boards, integrated circuits, adaptors & stand-alone units. 

Direct costs

It includes:

  • Implementing or acquiring cryptographic module & integrating it into the system. The cryptographic module and various other problems like logical & physical configuration, security level, and special processing needs will include an influence on cost. 
  • Handling the cryptography algorithm, key generation, archiving, distribution, disposal and security measures to preventing the keys

Indirect Costs

It includes:

  • A reduction in network or system performance, resulting from the extra pressure of incorporating cryptographic protection to communicated or stored data.
  • Modifications in the means user communicate with the system, because of more stringent security enforcement.

Control Families

The following section will provide the brief description of the control families, which are essential to address the operational, management and technical factors of protecting the organization’s system and information.

1. Access Controls (AC)

Access is the capability to make use of the system. Access control is defined as the process of granting/denying a certain request to:

  • Acquire and use information and associated information processing services
  • Enter certain physical facilities like military establishments, federal buildings, and border crossing entrances.

Examples: separation of duties, account management, least privilege, information flow enforcement, and session termination.

AC In Organizations:

Organizations restrict:

  • System access to the authorized users
  • The kinds of functions & transactions, which authorized users are allowed to exercise
  • Devices

2. Awareness And Training (AT)

Awareness and Training involve the action of making system users aware of their security responsibilities & educating them correct practices to change their behavior. It supports the individual accountability that is one among most essential ways to enhance information security. 

The purpose of the awareness & training is to increase security by:

  • Increase awareness of the requirement to protect system resources
  • Enhancing knowledge and skills, hence the system users can continue their jobs securely
  • Constructing in-depth knowledge as required to design, implement and operate security programs for the systems and organizations

Examples: security awareness training, security training records, and role-based security training.

 AT In Organizations:

  • Ensures the personnel involved in the organizational systems are aware of the security risks related to their activities
  • Ensures that the personnel are properly trained to perform their assigned security-oriented duties & responsibilities

3. Audit And Accountability (AU)

An audit is the independent examination and review of activities and records to evaluate the competency of system controls & guarantee compliance with created policies & operational procedures. An audit trail is nothing but a record that maintains the record of operations of the individuals who have accessed a system at a given period. 

Examples: time stamps, audit events, protection of audit information, nonrepudiation, and session audit and audit record retention.

AU In Organizations:

  • Create, protect & retain the system audit records required to facilitate the analysis, monitoring, reporting, and investigation
  • Guarantee that the individual users’ action can be uniquely outlined to them; hence, they can be detained accountable

4. Assessment, Authorization, And Monitoring (CA)

Assessment defines the testing or evaluation of the technical, management and operational security controls for the system to identify the extent to which the security controls are applied correctly, functioning as intended and offering the desired result with respect to satisfying the needs of the system.

Examples: security assessments, plans of action & milestones, system interconnections, and continuous monitoring.

CA In Organizations:

  • Periodically evaluate the security controls in the organization to identify whether the controls are effective in their application
  • Develop & implement POA (Plans Of Action) designed to address deficiencies & reduce vulnerabilities in the systems. 

5. Configuration Management (Cm)

Configuration management is defined as the collection of actions focused on creating and maintaining the products’ and systems’ integrity via the control of processes for starting, changing & monitoring the config of those systems and products throughout the SDLC.

Examples: configuration change control, baseline configuration, least functionality, security impact analysis, and software usage restrictions.

CM In Organizations:

  • Create & maintain the baseline config and inventories of the systems
  • Create & enforce the configuration setting of the security for IT products employed in the systems

6. Contingency Planning (CP)

A contingency planning is the management policy & procedure used for direct response of the organization to a supposed loss of mission competency.

Examples: contingency training, contingency plan, system backup, system recovery & reconstitution, and contingency plan testing.

CP In Organizations:

  • Construct, maintain & effectively execute plans for an emergency response
  • Backup operations

7. Identification And Authentication (IA)

Identification is the ways of evaluating the identity of the process, user or device, as a requirement for allowing access to a system resource. Identification & authentication is defined as the technical measure, which prevents unauthorized processes or individuals from access a system. 

Examples: Device identification & authentication, authenticator feedback, identifier management, re-authentication and authenticator management. 

IA In Organizations:

  • Identify processes, users or devices of the organizational systems
  • Verify or authenticate the identities of those processes, users or devices

8. Individual Participation (IP)

This control addresses the individual interaction with the system to facilitate them to create reliable assumptions of how the organizational system is processing the information about them.

Examples: privacy notice, redress, consent, and privacy act statements for the organizations.

IP In Organizations:

  • Request consent for processing the PII
  • Offer notice to the user about the processing of PII

9. Incident Response (IR)

Incident Response includes the swift actions in order to reduce the influence of the attack that will occur in future in the organization.

Examples: Incident response testing, incident handling, incident reporting, incident response training, and incident monitoring.

IR In Organizations:

  • Create an operational incident handling competency for the systems
  • Track, report and document the incidents to the corresponding authorities

10. Maintenance (MA)

The organization needs to establish a set of procedures to keep the systems working in good order and to reduce risks from the software and hardware failures.

Examples: nonlocal maintenance, maintenance tools controlled maintenance, and timely maintenance. 

MA In Organizations:

  • Conduct periodic & timely maintenance on the systems
  • Offer effective controls on the techniques, tools, mechanisms & personal used to perform maintenance

11. Media Protection (MP)

It is a control, which addresses the protection of the system media that can be defined as digital & non-digital.

Examples: media storage, media access, media transport, media marking, and media sanitization.

MP In Organizations:

  • Protect system media both digital and paper
  • Restrict access to information on the system media to the authorized personnel

12. Privacy Authorization (PA)

This control supports an organization in guaranteeing that it is the only processing PII in ways, which it possesses the authority for & clear purpose for performing so.

Examples: purpose specification, authority to collect, & information sharing with external parties.

PA In Organizations:

  • Determine the legal bases, which authorize certain PII collection use, sharing, and maintenance
  • Handling PII sharing with external parties

13. Physical And Environmental Protection (PE)

This control refers the measures that are taken to protect buildings, and associated supporting infrastructure against the threats linked to their physical environment.

Examples: physical access control, physical access authorizations, emergency lighting, asset monitoring, and information leakage.

PE In Organizations:

  • Restrict physical access to the equipment, systems, and the corresponding operating environments to the authorized individuals
  • Offer proper environmental controls in the facilities comprising systems

14. Planning (PL)

Proper planning enables the systems to provide a security level adequate with the risk related to the system operation, enhance productivity& performance and enable new means of organizing and managing.

Examples: security concept of operations, rules of behavior, and central management.

PL In Organizations:

  • Develop, document, update and implement security plans for the system that defines the controls in place for the systems

15. Program Management (PM)

It is a comprehensive management approach to handle the management issues in terms of security that protect the resources and assets.

Examples: POA & M, information security resources, and system inventory.

16. Personnel Security (PS)

This control seeks to reduce the risk, which staff poses to assets through malicious user to the resources of the organization.

Examples: personnel termination, personnel transfer, personnel sanctions and access agreements. 

PS In Organization:

  • Guarantees that individuals inhabiting position of the security responsibility are trustworthy and satisfy security criteria for them
  • Employ formal sanctions for the officials failing to conform to security policies & procedures

17. Risk Assessment (RA)

This control determines & prioritize the risks to the assets, operations, individuals of the organization, which may result from the operation of the system. To know more about RA, explore the blog, An Introduction To Information Security Guide – Risk Management, Assurance, And Security Consideration. 

Examples: risk assessment, security categorization, and vulnerability scanning.

 RA In Organizations

  • Periodically evaluate the risk to the operation, assets, and individuals.

18. System And Services Acquisition (SA)

This control insists that security requirements need to be integrated early into the architecture and those considerations should meet the mission and processes of the organization.

Examples: acquisition process, criticality analysis, and supply chain protection. 

SA In Organizations

  • Allocate adequate resources to protect the systems
  • Employ SDLC processes, which integrate security considerations

19. System And Communications Protection (SC)

This control presents an array of defends for the systems. 

Examples: application partitioning, session authenticity, operations security, and usage restrictions. 

SC In Organizations

  • Monitor, control & protect organizational communications
  • Employ software development techniques, architectural designs, and system engineering principles, which promote effective security 

20. System And Information Integrity (SI)

This control is defined as the protection against improper modifications/destructions of information and it also ensures authenticity and non-repudiation of the information.

Examples: malicious code protection, flaw remediation, error handling, and memory protection.

SI In Organizations:

  • Identify, correct and report information errors in a timely manner
  • Provide safeguards from malicious code at the proper location within the systems

Hope the above information provides the basic understanding of how cryptographic techniques and access controls are implemented in the organizations.

Read More

Guidelines For Information Assessment Methodologies NIST SP 800 115

With information security assessment methodologies, an organization can confirm that their security systems are working properly and determine any security needs, which aren’t met, in addition to addressing the security weaknesses. In our blog, A Brief Summary Of NIST SP 800-115 - Information Security Testing And Assessment, we have provided the outline of the key elements of assessment methodologies and techniques. Here we are going to explore the guidelines and recommendations of the Information Assessment Methodologies with the reference to NIST SP 800-115.
 
In most organizations, information security assessment is overlooked since it requires the availability of resources like staff, time, software and hardware. This factor limits, frequency and type of security assessments. However, the resource challenge can be mitigated by the following actions:

  • Evaluating the kinds of security examination and tests the enterprise will execute
  • Creating a proper methodology
  • Determining the required resources
  • Structuring the process of assessments to support expected needs

Benefits Of Security Assessment Methodologies:

  • Offer structure and consistency to security testing that can reduce testing risks
  • Accelerate the transition of new staff designated for assessment
  • Address resource constraints linked with security assessments

There are several accepted methodologies available to conduct various forms of information security assessments. The following figure illustrates the phased approach that includes several advantages like simple to follow and offer multiple breaking points for the staff transition:

planning for information security in an organization
 

1. Security Assessment Planning

For a successful security assessment, it is critical to have proper planning. Let us focus on the guidelines for the proper security assessment planning.

Developing A Security Assessment Policy

  • An enterprise should create a security assessment policy to offer guidance and direction for their assessments.
  • The policy should determine security assessment needs and hold liable those individuals answerable for guaranteeing that assessments fulfil the requirements. 
  • The policy that is approved should be distributed to the corresponding staff and third parties who are responsible to conduct the security assessments for the enterprise. 
  • It is essential to review the policy at least annually as well as whenever there is an update in the assessment associated requirements. 

Prioritizing & Scheduling Assessments

  • An enterprise should decide on choosing systems for the assessment and how frequent these assessments should be accomplished.
  • They should consider system categorization, scheduling requirements, expected benefits, resource availability and applicable regulations where security assessment is required while prioritizing the assessments. 
  • Technical consideration support to determine the frequency of the assessment like a planned system upgrade is conducted before performing testing or waiting until known vulnerabilities are corrected.

Selection & Customizing Techniques 

Several factors that organization needs to consider while identifying which techniques must be applied for a certain assessment. These includes:

  • Assessment objectives
  • Classes of techniques, which can acquire information to provision those objectives
  • Proper techniques in each class
  • Some techniques demand organization to identify the viewpoint (like internal or external) of the assessors

Determining The Logistics

Addressing logistics include determining entire required resources for performing assessments. They are:

  • Selecting the assessment team with appropriate experience and skills
  • Selecting locations & environments from which to conduct the assessment
  • Obtaining and configuring entire required technical tools

Assessment Plan Development

  • It is recommended to document the activities planned to conduct an assessment and other associated information.
  • A plan must be created for every security assessment to offer the boundaries and rules to which assessors should adhere.
  • The plan must determine the networks and systems to be evaluated, the level and type of testing allowed, data handling requirements, logistic information on the assessment and incident handling guidance.

Addressing Legal Considerations

  • An enterprise should assess legal concerns when commencing a security assessment, especially in case the assessment includes intrusive tests or in case the assessments requires to be conducted by an external unit. 
  • Legal departments may analyze the assessment plan, report privacy concerns & perform other actions with assistance of assessment planning.

 
Security Assessment Execution

The following details will offer the key element for the assessors to focus on throughout the assessment execution phase. 

Coordination

Assessors require coordination throughout the entire execution phase of the assessment. Coordination requirements are identified by the ROE (Rule Of Engagement) or assessment plan and must be followed accordingly. Assessors should ensure that their coordination should address the following:

  • Stakeholders are mindful of the assessment activities, schedule and potential influence the assessment may possess.
  • The assessment doesn’t happen during new technology integration, upgrades or other situation when the security of the system is altered.
  • Assessors are endowed with needed access levels of the systems and facility, as appropriate.
  • Corresponding individuals are informed if an incident takes place to cease the activities until the security incident is reported.

Assessing

It is important that entire assessor should understand the plan and ROE.    They are recommended to periodically review and assess the ROE and plan during the assessment. In case a security incident happens while the assessment is in progress, it should be reported to the corresponding response team. In that situation, the incident team follows the normal escalation process and the assessor must follow the recommended actions in the plan or ROE. The most recommended action is that the assessment process for the system which is influenced by the incident should be stopped. 

Analysis

In the assessment process, it is suggested to perform analysis to determine false positives, determine the root cause of vulnerabilities and categorize vulnerabilities.
For determining false positive, assessors can analyze their findings with a manual examination or automated tools.

An enterprise can categorize their finding based on the security controls & control families in “NIST SP 800-53”. This can support vulnerability analysis, documentation, and remediation.

Data Handling

An enterprise should document the data handling requirements in the ROE or assessment plan, and follow to their governing policies concerning the system vulnerability handling. The following are a recommendation for proper data handling:

  • Data Collection - The team should gather relevant details throughout the assessment process. Types of details that assessors require to collect are architecture & configuration data and assessor activities. 
  • Data Storage - Assessors are responsible to ensure the secure storage of the data that they collected during the security assessment. The information they need to store securely are:
    • Assessment Plans & ROE
    • Assessment results report
    • Documentation on network architecture and system security configuration
    • POA & M (Plan Of Action & Milestones) or corrective action plan

Data Transmission

Sometimes, the assessment data needs to transmit over the internet. It is essential to ensure the secure data transfer to protect it from the compromise. The recommendations are:

  • The ROE or assessment plan should report the need of as well as a process for, transmitting the vital informations
  • Encrypt individual files that include sensitive information
  • Encrypt communication channels with FIPS-compliant encryption
  • Provide details through mailed or delivered soft or hard copies

Data Destruction - When the security assessment information is no longer required, the hard copy documentation, the assessment system & media should be sanitized. 

  • An enterprise should include the policy on the sanitization needs for their assessment systems.
  • Third-party assessors must guarantee that they aware the requirement of the enterprise for sanitization.

Post Testing Activities

In the security assessment execution phase, the findings are expressed in the vulnerabilities perspective, whereas, in the post testing phase, appropriate steps are taken to address the vulnerabilities, which have been identified. Here is the recommendation to translate the findings into effective actions to enhance the security:

Mitigation Recommendation

  • Apart from the analysis which is happened during the testing phase, the final analysis including the mitigation recommendation development needs to conduct after the completion of entire testing activities. 
  • There may be required to create both technical as well as non-technical mitigation recommendation that requires being developed to address the processes of the organization.
  • Example mitigation actions are process, policy & procedure modifications, new security techniques deployment, security architecture modifications and OS & application patches deployment.

Reporting

Once the analysis gets completed, it is required to generate a report, which identifies network, system, and enterprise vulnerabilities & their mitigation actions. The outcome of the testing can be utilized in the following ways:

  • As a reference for tracking the progress of the organization in satisfying security requirements
  • As a benchmark for corrective action
  • For defining mitigation activities to report determined vulnerabilities
  • To evaluate the implementation posture of security requirements

Remediation/Mitigation

The POA & M offers the program management office along with information and needed actions required to appropriately mitigate risks. As an accompaniment to the POA & M, an enterprise may develop processes or strategies for implementing the plan. An enterprise should consider the following four steps at a minimum during their process of remediation implementation:

  1. Test the remediation recommendation
  2. Coordinate with POA & M via the configuration control or configuration management board of the enterprise.
  3. Mitigation actions should be implemented & verified to guarantee their accurate implementation.
  4. Continuously update POA & Ms in order to determine actions, which have been completely acquired, partially acquired or pending by other systems.

The above information covered the guidelines that assessors should consider during the information security assessments. The organization can follow these recommendations to determine the effectiveness of their security control.

Hack2Secure is as one of the few global vendors with a capability to deliver End-to-End Information Security programs via Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security requirements and Best practices. Connect with us to explore more. 

Read More

A Brief Summary Of Technical Assessment Techniques NIST SP 800 115

Testing and examination techniques are used to evaluate the security status of the organization’s system and networks.NIST SP 800-115 described the thirteen assessment techniques under three main categories. As we covered the outline of the technical assessment techniques in the blog, “A Brief Summary Of NIST SP 800-115 – Information Security Testing And Assessment”, we posted this blog to address, a brief summary of those technical assessment techniques, which are depicted in the following figure:

technical assessment techniques

Review Techniques

1. Documentation Review

It determines if the technical factors of the policies & procedures are comprehensive and current. These documents offer the basement for the security posture of the organization. The documents to review to ensure technical completeness and accuracy includes:

  • Security architecture, policies, and requirements
  • Standard operating procedures
  • System security plans & authorization agreements
  • Memos of agreement and understanding for system interconnections
  • Incident Response Plans

The documentation review can determine the weakness and gaps, which could root to improperly or missing implemented security controls. It ensures that organization’s security controls are applied properly. The outcome of this technique can be used to enhance other examination and testing techniques. 

2. Log Review 

Determines whether the security controls are recording the proper details and of the enterprise is followed by the log management policies. Audit logs, a source of historical details can be utilized to support, evaluate that the system is functioning, based on the established policies.
The following examples are log information, which may be helpful during technical security assessments:

  • System or authentication server logs may comprise successful / failed authentication attempts.
  • System logs may comprise system & service startup & shutdown details, file accesses, installations of unlicensed software, security policy changes, file accesses, privilege use and account changes. 
  • Intrusion detection & prevention system logs may comprise malicious action and inappropriate use.
  • Antivirus log may comprise update failures & other signs of outdated signatures & software.

Assessors can manually review the logs or review with automated audit tools to generate customized reports, to summarize log contents & track them to perform certain assessment activities. 

3. Ruleset Review

A ruleset is defined as the collection of signatures or rules, which network traffic /system activity is equated against to identify what action to accomplish. Ruleset review involves ensuring comprehensiveness as well as determine weakness and gaps in the security devices. This technique can also reveal inefficiencies, which negatively influence the performance of the ruleset. 
The following table shows the rulesets to review and the types of checks conducted in the ruleset:

ruleset to review

4. System Configuration Review

Includes the process of determining vulnerabilities in the security configuration controls like systems not been configured or hardened based on security policies. This technique will uncover unwanted services & applications, improper logging & backup setting and improper account & password settings.

Assessors can use manual review techniques to evaluate the security setting and compare them with suggested setting checklists. SCAP (Security Content Automation Protocol) and other tools are available to apply certain standards to facilitate automated vulnerability management, policy compliance evaluation, and measurement. It is recommended to prefer automated checks whenever feasible since they can be completed quickly and offer consistent & repeatable results.

5. Network Sniffing

This passive technique can monitor network communication, evaluate header & payloads and decodes protocols. The main reason that encourages the use of network sniffing are:

  • Capturing & replaying network traffic 
  • Identifying inappropriate and unauthorized activities
  • Performing passive network discovery

A sniffer is a tool that is required to connect to the network to perform network sniffing. Sniffers can be deployed at locations like:

  • At the perimeter for assessing traffic entering & exiting the network
  • Behind IDSs/IPSs for determining whether the signatures are triggering & being responded
  • Behind firewalls for assessing whether the rulesets are properly filtering the traffic

6. File Integrity Checking

Offer a chance to determine that the files in the system have been altered computing & keeping a checksum and creating a file checksum catalog or database. This capability is generally added to any kind of commercial host-based IDS. This technique is effective when the files of the system are evaluated with a reference database that has been created using a secure system. To ensure the security of the reference database, it should be kept offline. It is recommended to use SHA-1 cryptographic checksum for this technique to ensure the data integrity. 

Target Identification & Analysis Techniques

7. Network Discovery

This technique includes a number of methods that discover responding as well as active hosts on the network, determine weakness and aware how the network functions. Both passive or examination and active or testing techniques available for determining devices on the network. 

  • The passive techniques utilize a network sniffer to analyze network traffic and track the active hosts’ IP address to report, which OS have been determined and which ports are in routine on the network. 
  • The active techniques send different sorts of network packers like ICMP (Internet Control Message Protocol) pings to implore responses from the network hosts. 

8. Network Port & Service Identification

It uses a port scanner to determine network ports & service functioning on the active hosts and the application, which is running each determined service. Enterprises should perform network port & service identification to determine the hosts if this hasn’t already been achieved by other ways and flag possibly vulnerable services. This detail can be utilized to identify targets for the penetration testing. Some scanners can support determine the application running on a certain port via a process known as service identification. 

9. Vulnerability Scanning

Similar to network port & service identification, this technique determines hosts as well as host attributes, but it also tries to determine vulnerabilities instead of depending on the human understanding of the scanning outcomes. Several vulnerability scanners are packed to receive the outcome from network port and service identification that lowers the amount of effort required for vulnerability scanning. It can support to identify missing patches, outdated software versions, misconfiguration and evaluate compliance with, or variations from the security policy of an enterprise.
 

10. Wireless Scanning 

Organization today are required to test as well as secure their organizational wireless environment. The wireless scanning techniques can support organizations discover corrective actions to address risks caused by wireless enabled technologies. It comes in following scanning techniques:

Passive Wireless Scanning - Passive Scanning needs to be performed frequently to complement security measure of the wireless. Since the wireless scanning tools applied to perform passive scans not transmitting data and not affecting the functioning of the deployed devices, they stay undetected by the malicious users. 
 
Active Wireless Scanning - Active scanning builds on the details gathered during passive scans, & tries to link to the identified device as well as conduct the vulnerability related or penetration testing. Enterprise should be vigilant while conducting an active scan to ensure they don’t unintentionally scan devices on neighbouring enterprise, which are within their that range. 

Wireless Device Location Tracking -It is important to attempt to locate the doubtful devices while performing wireless scanning. Once the rogue devices are identified, the security person should handle the situation based on the certain policies and procedures – such as reconfiguring it, shutting it or removing it completely. If the devices require being removed completely, the security personnel should track the transmission and location of devices to evaluate its activities before it’s confiscated.

Bluetooth Scanning - Enterprises, which require checking compliance with the security requirements of Bluetooth, passive scanning for the Bluetooth-activated wireless devices must be performed to analyze potential presence & activity. 

Target Vulnerable Validation Techniques

11. Password Cracking 

The process of recuperating passwords from the password hashes kept in a system or transferred over networks. It is generally conducted during assessment processes to determine accounts that have weak passwords. It is conducted on hashes, which are intercepted by the network sniffer during being transmitted over the network or obtained from a target system. Once the hashes are acquired, a password cracker rapidly creates additional hashes until the assessor stops the cracking attempt or a match is determined. This technique is used to ensure the policy compliance by comparing acceptable password composition.

12. Penetration Testing 

Includes launching real attacks on the data and systems, which uses techniques and tools commonly utilized by hackers to determine methods for avoiding the security aspects of an application, network, or system. 

Penetration Testing Phases

Four phases of the penetration testing are:

phases of penetration testing
 

1. Planning Phase – Rules are determined, management approval gets confirmed & documented, and testing objectives are set. No actual testing happens in this phase.

2.Discovery Phase - Includes two phases.

  • Begins the actual testing and comprise information gathering & scanning.
  • Includes vulnerability analysis that comprises comparing the applications, services and OS scanned host opposed to vulnerability database and testers knowledge on vulnerabilities.

3. Attack Phase – Process of validating previously determined vulnerabilities by tackling to exploit them.

4. Reporting Phase – Happens simultaneously with the three phases of this technique. The report describes determined vulnerabilities, provide a risk rating and offer guidance to mitigate the determined weaknesses.

Penetration Testing Logistics

The scenario of penetration testing should focus mainly on locating & targeting an exploitable weakness in the design & implementation of the system, application, or network. The test must replicate the most damaging and most likely attack patterns. 

13. Social Engineering

Involves testing the human element & user awareness regarding the security factors to reveal the weakness in the user behaviors like failing to obey standard procedures. It can be conducted via analog and digital. The results of this testing are applied to enhance the security aspects of the enterprise. Testers are required to produce a thorough final report that includes both successful & unsuccessful tactics used in order to support enterprise to adapt their training programs in terms of security awareness. 

The following table illustrates the capabilities of the security assessment techniques and baseline skillset required. 

capabilities of the security assessment techniques
 

target identification and analysis

target vulnerable validation techniques

Hope the above summarization of assessment techniques can help you in processing the assessment methodologies and leveraging the assessment purposes. 

Hack2Secure is as one of the few global vendors with capability to deliver End-to-End Information Security programs viz Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security requirements and Best practices. Connect with us to explore more.

Read More

Information Security Testing And Assessment NIST SP 800 115

In today’s world, security is not an extravagant, but a complete necessity. Most organizations find severe to perform adequate information security testing and assessment to determine gaps in their environment, which create risk. Keeping this in mind, here we present a brief summary of NIST SP 800-115 – Information Testing and Assessment. This document aims to offer guidelines for enterprises regarding planning & conducting technical information security assessments and testing, analyzing findings & building mitigation strategies. 

Security Testing And Examination Overview

NIST Definition 

Security Testing And Examination Overview

Information Security Assessment Methodology

Several accepted methodologies are available for performing various kinds of information security assessments. The methodology should comprise at least three important phases. They are as follows:

Information Security Assessment Methodology

1. Security Assessment Planning
Proper Planning is essential for the successful security assessment and it comprises the following actions:

  • Developing A Security Assessment Policy –  Enterprise should develop this policy to offer guidance and direction for their security assessments. 
  • Prioritizing And Scheduling Assessments – Enterprise should determine which systems should experience technical assessments & how frequent these assessments should be completed. The prioritization depends on expected benefits, system categorization, application regulations and scheduling requirements. 
  • Selecting & Customizing Techniques – After determining the assessment objectives, the enterprise should choose the technique classes to be utilized to acquire information, which supports those objectives & certain techniques within the selected class. 
  • Assessment Logistics –  It includes determining entire resources needed for performing the assessment, needed software and hardware testing tools and the environment for which testing is performed. It can be addressed by the following elements:
    • Assessor Selection & Skills
    • Location Selection
    • Technical Tools and Resource Selection
  • Assessment Plan Development – An assessment plan offers accountability and structure by documenting the actions planned for the assessment, with other associated information. 
  • Legal Consideration – A validation of potential legal anxieties for an assessment must be addressed before beginning an assessment. 

2. Security Assessment Execution

During this phase, vulnerabilities are determined by the techniques and methods decided in the planning phases & determined in the ROE or assessment plan. The key points to focus on this phase are as follows:

  • Coordination – Throughout the assessment, the assessor requires to coordinate with different entities of the enterprise.
  • Assessing -  It is suggested that the assessors frequently review the ROE or plan during the assessment. 
  • Analysis – Enterprise should conduct an analysis to determine the causes of vulnerabilities, categorize vulnerabilities and identify false positives. 
  • Data Handling – Enterprise should guarantee proper documentation of needs for data handling in the ROE or assessment plan and obey to their policies about the system vulnerabilities handling. Suggested methods for data handling are Data Collection, Data Storage, Data Transmission, and Data Destruction.

3. Post Testing Activities

Involves the act of translating the findings identified from execution phase into actions, which will enhance security. Steps involved in this phase are:

  • Mitigation Recommendation – After the completion of entire testing capabilities, it is essential to develop mitigation recommendations (which includes the result of the root cause analysis) for each finding. 
  • Reporting – Once the analysis has been completed, a report must be created, which identifies the network, system, and organization’s vulnerabilities & their recommended mitigation activities. 
  • Remediation/Mitigation – Enterprise may consider building a process or strategy for applying a plan to acceptable remediate or mitigate the risk. 

Technical Assessment Techniques

Myriads of technical security testing & examination techniques available that can be applied to evaluate the security position of networks and systems of organization. The commonly used assessment techniques are grouped into the following three categories:

Technical Assessment Techniques

1. Review Techniques

It examines the applications, systems, policies & procedures to determine security vulnerabilities. 

The common review techniques are described in the following:

  • Documentation Review – Determines whether the technical factors of policies & procedures are up-to-date and comprehensive. It can discover the weakness and gaps, which could lead to improperly implement or missing security controls. It doesn’t guarantee that security controls are applied properly instead ensures the guidance and direction available to support security infrastructure. 
  • Log Review -  Determines whether the security controls are recording the proper details and of the enterprise is followed to the log management policies. Audit logs, a source of historical details can be utilized to support evaluate that the system is functioning based on the established policies.
  • Ruleset Review – A ruleset is defined as the collection of signatures or rules, which network traffic /system activity is equated against to identify what action to accomplish. Ruleset review involves ensuring comprehensiveness as well as determine weakness and gaps in the security devices. 
  • System Configuration Review – Includes the process of determining vulnerabilities in the security configuration controls like systems not been configured or hardened based on security policies. SCAP (Security Content Automation Protocol) is a method for applying certain standards to facilitate automated vulnerability management, policy compliance evaluation, and measurement. 
  • Network Sniffing - This passive technique monitors network communications, examines headers & payloads to flag details of interest and decodes protocols. In addition to this, network sniffing can also be applied as the target identification & analysis techniques. 
  • File Integrity Checking – Offer a chance to determine that the files in the system have been altered computing & keeping a checksum and creating a file checksum catalog or database. This capability is generally added to any kind of commercial host-based IDS. 

2. Target Identification & Analysis Techniques

It aims to identify the active devices as well as their related services and ports, & evaluating them for possible vulnerabilities. 

  • Network Discovery – Uses various methods to determine active as well as responding hosts on the network, determine weakness, & learn the operation of networks. For discovering devices on the network, it uses both passive or examination and active or testing techniques. It also detects rogue or unauthorized devices functioning of the network.
  • Network Port & Service Identification – It uses a port scanner to determine network ports & service functioning on the active hosts and the application, which is running each determined service. Enterprises should perform network port & service identification to determine the hosts if this hasn’t already been achieved by other ways and flag possibly vulnerable services. This detail can be utilized to identify targets for the penetration testing. 
  • Vulnerability Scanning -  It can support to identify missing patches, outdated software versions, misconfiguration and evaluate compliance with, or variations from the security policy of an enterprise. 
  • Wireless Scanning – Organization today are required to test as well as secure their organization wireless environment. The wireless scanning techniques can support organizations discover corrective actions to address risks caused by wireless enabled technologies. It comes in following scanning techniques:
    • Passive Wireless Scanning
    • Active Wireless Scanning
    • Wireless Device Location Tracking
    • Bluetooth Scanning

3. Target Vulnerable Validation Techniques

Explores the existence of the vulnerabilities using the details gathered from target identification & analysis. 

  • Password Cracking – Process of recuperating passwords from the password hashes kept in a system or transferred over networks. 
  • Penetration Testing – Includes launching real attacks on the data and systems, which uses techniques and tools commonly utilized by hackers to determine methods for avoiding the security aspects of an application, network, or system. 
  • Social Engineering – Involves testing the human element & user awareness regarding the security factors to reveal the weakness in the user behaviors like failing to obey standard procedures. It can be conducted via analog and digital. 

Comparing Test and Examination

Comparing Test and Examination

In most cases, a compilation of examination and testing techniques can offer a more appropriate picture of security.

Testing Viewpoints

Tests can be conducted from several viewpoints. The two common viewpoints are:

1. External & Internal – In the view of how easily the malicious insider or external hackers successfully compromise the system security. External testing aims to reveal the vulnerabilities, which could be exploited by the external hackers by performing testing from the outside the enterprise’s security parameter. Internal security testing aims to reveal the vulnerabilities, which could be exploited by the internal malicious users and demonstrates the possible damage this kind of attacker could root by the way of working on the internal system and network as well as assuming the trusted user’s identity or an attacker.

 2. Overt (White Hat Testing) & Covert (Black Hat Testing) – In the view of previous knowledge that evaluators possess of the victim or victim environment. Overt Security testing involves conducting internal/external testing with the consent and knowledge of the enterprise’s IT staff, facilitating a comprehensive assessment of system or network security position. Covert security testing involves an adversarial approach by conducting tests with the complete knowledge & permissions of upper management instead of using knowledge of the enterprise’s IT staff. 

This article presented the outline of the key elements of the security testing and assessment. A comprehensive recommendation and guidelines of each technique. Read More....

Hack2Secure is as one of the few global vendors with capability to deliver End-to-End Information Security programs viz Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security requirements and Best practices. Connect with us to explore more.

Read More

NIST SP 800 100 Awareness And Training

The IT and Information Security are progressing rapidly than any other field. Considering the essentials of these functions today, businesses are entirely dependently on things running securely and smoothly. In order to achieve this, a proportional allocation of the resources to the people who are properly educated on these critical functions is essential. NIST SP 800 – 100 Information Security Handbook: A Guide For Managers explained the basic components for professional development, including the security awareness, training, education & certification. Let us explore the outline of these components. 

Importance Of Awareness And Training Program

When it comes to the total security solution, organizations should not overstate the importance of the employees in attaining security goals and the training as a countermeasure for security threats. The security awareness & training program is the important components in the information security program. Establishing as well as maintaining a relevant and robust information security awareness & training program in addition to the other information security program provide the workforce with the details & tools required to protect the vital information resources of the organization. These programs support to ensure that people at all ranges of the enterprise understand their responsibilities in terms of information security to properly use as well as protect the resources and information entrusted to them. Organizations, which continually train their employees in a security policy and role-based responsibilities will achieve a higher success rate in protecting resources. 

Awareness & Training Policy

All personnel within the organization have information security responsibilities; hence the organization should identify and training those individuals who possess significant responsibilities for the information security. Some organization includes the formal education and certification as the portion of the complete training solution for their employees. 

Components: Awareness, Training, Education, & Certification

Information Security Policy of an enterprise should include a clear section dedicated to the organization-wide requirement for security awareness and training program. 

The security awareness and training program requirements should be documented in the organization-level policy and it should include the following things:

  • Security roles & responsibilities definitions
  • Establishment of program strategy & program plan
  • Program plan implementation
  • Maintenance of the awareness & training program

1. Awareness 

Awareness is a compiled solution of actions, which promote security, create accountability and notify the employees of security news. It seeks to focus the attention of individual on the issues. This program continually impulses the security messages to the workforce in various formats. 
The awareness program includes the development of the following elements:

  • Awareness Tools

Awareness tools promote the information security and notify users about the threats & vulnerabilities, which impact their organization and personal work environment by the way of describing and communicating what is & what isn’t allowed.  Types of tools are as follows:

  • Events like security awareness day
  • Promotional materials
  • Behavioural rules
  • Briefing on program/issue-specific/system-specific
  • Communication

Communication with users, executives, managers, and other covers the large portion of the effort of awareness. A plan for communication is needed to determine stakeholders, kinds of the details that are to be dispersed, disseminating information channels, a way of communication (one/two-way) & the information exchange frequencies. Activities, which support communications are

  • Assessment
  • Strategic Plan
  • Program Implementation
  • Outreach

Outreach is essential for the best practices within the organization. It includes two elements for inter- and intra-agency awareness. The intra-agency elements encourage internal awareness of the security. The interagency elements encourage sharing among organizations and are applied to influence awareness & training resources. 

2. Training

Information security training endeavours to produce required and relevant security skills and knowledge to the employees. It supports competency developments and helps people learn and understand how to carry their security role. 

Difference between Training and Awareness:

3. Education

It integrates the entire security competencies and skills of the various functional experts into a common figure of knowledge and complements a multidisciplinary training of the concepts, principles, and issues. It aims to produce information security experts & professionals who are proficient of vision & proactive response. 

4. Certification

The professionalization integrates education, training, and experience with the assessment mechanism to assess skills and knowledge, resulting in the certification of the competence.
The following figure illustrates the relationship among these key components:

Image source: NIST 800-100

Since certifications are provided by a variety of enterprises, there is a diverse difference among the certifications. Some of them are listed below:

  • Certificate Of Completion- Provided to the individuals exclusively as an evidence of completion of a certain course.
  • Industry / Vendor Certification – Validate skills and knowledge via testing and provide a varying degree of declaration that the individual has a certain level of skills, knowledge, and abilities with respect to a pre-defined knowledge bodies. 
  • Graduate Certificates – Awarded by the academic institutions to professional who effectively finish entire graduation needs for a certain program. 

How To Design, Develop And Implement An Awareness & Training Program?

The development of the awareness and training program includes three main steps:

1. Designing The Awareness & Training Program

While designing the awareness and training program, it is essential to consider the mission of the organization. The designing step should answer the following question:

“What is the plan for establishing & implementing information security awareness & training chances, which are compliant with the prevailing directive ? "

In this design step, the organization’s requirements are identified, an organization-wide awareness & training plan is established, enterprise buy-in is secured & priorities are determined.

2. Developing The Awareness And Training Material

Once the program is designed, the awareness & training material can be established. While developing materials, it is essential to consider the following questions:

  • What behavior does an organization need to reinforce?
  • What skills does an organization need the audience to understand and apply?

The materials should be developed in a way that it makes the attendees feel like it was created specifically for them. An interesting, relevant and current materials can make any kind of the program effective. 

3. Implementing The Awareness & Training Program

The action of implementing the awareness & training program should be taken only after the completion of the following activities:

  • Requirement assessment has been directed
  • A strategy has been established
  • Program plan for executing that strategy has been finished
  • Awareness & training material has been created

The implementation of the program, including the following details should be entirely explained to the enterprise to obtain support for its implementation as well as the commitment of fundamental resources:

  • Expectation of management & staff support
  • Expected program result
  • Organization benefits
  • Funding issues

Post-Implementation

In case sufficient attention isn’t paid to the IT infrastructure changes, technology advancements, changes in mission & priorities of the organization and organizational changes, there would be a possibility of the failure of the information security awareness & training program. CIOs and SAISOs (Senior Agency Information Security Officers) require to be conscious of these issues and add mechanisms into their approach to guarantee the security. The organization requires to include the following post-implementation actions to ensure the ongoing performance measures:

  1. Monitoring Compliance
  2. Evaluation & Feedback 
  3. Managing change
  4. Program Success Indicator

1. Monitoring Compliance
After implementation of the program, the processes must be placed to monitor the compliance & effectiveness. Monitoring compliance includes assessing the program statues with the database information & mapping it to the standards of the organization. Reports should be generated and applied to determine problems or gaps. After that, corrective action & essential follow-up can be taken.

2. Evaluation & Feedback

These are the critical components of the security awareness & training program. In order to conduct continuous enhancement, it is essential to evaluate the existing program. Furthermore, the feedback mechanism must be created to address points, primarily established for the awareness & training program. Some of the evaluation & feedback mechanisms, which can be utilized for the updating purpose are:

  • Surveys
  • Independent observation
  • Evaluation forms
  • Interviews
  • Status reports
  • Technology Shifts
  • Focus groups
  • Benchmarking

3. Managing Change

It is essential to guarantee that the program continues to manage the following common changes:

  • Requirement of new skills & capabilities
  • Changes in architecture and technology
  • Changes in objective and mission of the organization
  • Homeland defense
  • New laws & court decisions

4. Program Success Indicators

Some key indicators for measuring the support for and acceptance of the information security awareness and training programs are listed below:

  • Key stakeholder proves support and commitment
  • Sufficient funding is accounted and available to implement the strategy
  • Proper placement of professionals within the organization, with key security responsibilities enable strategy implementation
  • Structure to support broad dispersal and posting of awareness and training materials is implemented and funded
  • Senior level officials provide messages to the staff about security, champion the program & prove training support by committing resources to the program. 

Securing an information in the organization is a team process and requires the dedication of the skilled individual to perform their security roles. To ensure this, designing and implementing the proper information security awareness training and certification is mandatory for an organization.


Read More

How SSL TLS Protocol Utilizes Cryptography and PKI

Introduction

Here we will explore basic details on Public Key Infrastructure, How SSL TLS protocol utilizes same, in its handshake process, along with few of the famous vulnerabilities related with SSL TLS. Let’s start from scratch, and understand the basic building blocks first.

Cryptography

Cryptography is the science of communicating the message in a secret code. Provides methods of Storing and Transmitting Data, in a form that only intended person can Process and Read. 

Encryption

Encryption converts the information into a secret code called ciphertext so that it cannot be understood until it’s decrypted into plain text again.

The cryptography is categorized into two basic types:

  1. Symmetric Key Cryptography or private key encryption
  2. Asymmetric Key Cryptography or public key encryption

1. Symmetric Key Cryptography

It is also known as a single key or conventional algorithm. This encryption scheme is about using the same secret key for both enciphering and deciphering. 
Examples of Symmetric Encryption

  • Data Encryption Standard (DES)
  • Advanced Encryption Standard (AES)

2. Asymmetric Key Cryptography

The public key cryptography uses two different mathematically related keys: one for encrypting the message called the public key and another for decryption called the private key. 

Public Key Infrastructure (PKI)

It is an infrastructure required to Create, Manage, Distribute, Use, Store and Revoke Certificates. 
As per PKI, the sender has a mathematically aligned Key Pair

  • Public Key to Encrypt
  • Private Key to Decrypt

Thereby a message encrypted with a key by the sender can only be decrypted by the intended receiver with another key. PKI ensures confidentiality and authentication to confirm key ownership by using a digital certificate.

Digital Certificates - Ensuring Whom To Trust

A digitally signed certificate assures the public key and the identity of the client. It is the Digital Computer Files ensuring Authentication & Data Encryption. The certification authority (known as CA) uniquely issues this certificate to specific domains and server. They are authenticated by a Certificate Authority and valid for a definite Time period.

Certificate Authority

CA is a reliable third party, which is responsible for allotting, cancelling and distributing digital certificates. Verisign, Comodo, DigiCert, and GlobalSign are some of the examples of trusted third-party companies.

Encryption, Hashing & Digital Signature

Hashing

A hash is commonly defined as the “signature on the packet”. It creates a hash signature known as a hash value or message digest from the message to be transferred. It is sometimes referred as the one-way function; since it is simple to convert messages to hash value, but not possible to get the message from the hash value.

Hash Value Vs Encryption

People sometimes misunderstand that both hash value and encryption are same, but the fact is, they are different. Here are the significant differences between these two techniques:

hash value
Digital Signature

Digital signature involves generating a signature using some mathematical logic to guarantee the sender identity and data integrity. The electronic signature generated is just like a hand-written signature. Digital Signatures make use of Asymmetric Cryptography, for secure transaction of person's identity.

TLS/SSL Protocol & Handshake

Transport Layer Security/Secure Socket Layer

This protocol follows Public & Private Keys (PKI) for flexible Encryption Scheme. These set of protocols uses X.509 certificates and Asymmetric Cryptography to authenticate counterparts with whom they are communicating and for Key exchange between them. After effective key exchange, a common set of Keys are generated at both ends, and thus further make use of Symmetric Cryptography for 'channel' encryption. TLS/SSL ensures confidentiality, message integrity and authentication of Keys. On the other hand, there is no space for non-repudiation; since they don’t provide proof of delivery or proof of origin. 

 

TSL/SSL Handshake

The following steps explain how a TSL/SSL handshake is performed with an example:
The messages that compose this communication are:

  1. Client Hello
  2. Server Hello
  3. Server Authentication and Key Exchange 
  4. Client Authentication and Key Exchange
  5. Key Generation
  6. Finish

Here, we will see, how Client and Server public and private keys, along with different attributes, are used to calculate a Symmetric key and is further used for encrypted communication.
For example, as depicted in the following figure, Tom (or client) wants to start a secure communication with the Bank Web Server (or Server) to access his online bank account via a web browser.

 Cryptography & PKI

  • Now they initiate the handshake process to make a decision on key.

cryptography and KPI

  • The client initiates the handshake process, by generating a client hello message (includes 32-byte random number and other crypto information) and sends it to the server.
  • Then, the server creates a server hello (includes the crypto information and random number) and sends it to the client. 

client authentication and key exchange

  • For secure communication, in addition to the Hello message, the server also sends its public key, which is used to encrypt the digital certificate.
  • On receiving the server certificate, the client verifies the digital certificate and ensures the server’s identity.

client authentication and key exchange

  • After validation, the client sends its certificate or public key to the server to allow the server validate its identity. 

Up till now, the entire details are communicated in a clear text form and they are vulnerable to tampering or sniffing.

  • In order to ensure integrity, the client encrypts its certificate with its private key and transfers it to the server as shown above. 
  • After receiving the client’s encrypted certificate, the server decrypts it by using the public key of the client and validates the certificate. 

key generation

  • By the time, the crypto details are concluded and both sides are validated, the client again creates a random number, known as PMSc (Pre-Master Secret). It then encrypts the PMSc using the server’s public key and sends it to the server.
  • The server obtains the PMSc by decrypting the message with its private key. 

Now, both the ends are able to create the same Master Secret with this crypto information. Master key will be used as a symmetric key and encryption key in proceeding communication.

end stage in cryptography

  • In order to confirm the Master Secret, the client encrypts some data with its Master Secret and sends it along with end SSL Handshake (i.e. Finish message), to the server.
  • To ensure the integrity and re-confirm the security of the connection, the server re-encrypt the data received from the client with its Master Secret. Then sends it along with end SSL Handshake (i.e., Finish message) to the client.

Once the client validates and confirms, both sides continues further communication by using the Master Secret as the symmetric key.  

Hope the above descriptions and examples have provided you a clear picture in order to understand about how this security protocols make the cryptographic technique to ensure the secure communication. 


 

Read More

An Introduction To Information Security Description Of Threat Environment And Information Security Policy

In order to launch a secure computing environment, the organization should make sure that their applications and data aren’t vulnerable to malicious attacks. Before planning and implementing the security-enhanced policies on the environment, it is essential to aware about the kinds of a potential threat to the present computing environment. The organization should understand the threat environment since the threat environment comprises various kinds of attacks that an enterprise faces, so if organization aware its enemy, then it will be helpful to plan the security strategies for defending from the unwanted attackers. 

NIST SP 800-12 Rev 1 called, An Introduction To Information Security presented an overview of threats and vulnerabilities. Here we have summarized the important details regarding the threat environment together with an overview of information security policy with the reference to the NIST publication. 

Threats & Vulnerabilities

Vulnerabilities are the weakness present in the system, internal controls, system security procedure or implementation, which could be exploited by the threat sources. Vulnerabilities place the systems liable to a myriad of activities, which can cause irreversible losses, including comprise of the entire database or systems. In this current environment, adversary finds more opportunity to exploit the system vulnerabilities with the help of the right tools and knowledge. The damage imposed on the security compromised systems can differ based on the threat source.

To protect the system from the risk as well as to implement the cost-effective security measures, the organization requires to aware the system vulnerabilities along with threat sources & events that exploit the vulnerabilities.

If a system is vulnerable, threat events can result from threat sources.  A threat event is nothing but a situation or incident, which could result in unwanted impacts. 

Threat sources come in adversarial and non-adversarial types:

1. Adversarial Threats Source refers the individuals, groups, entities or organizations which search to exploit the dependence of organization on cyber resources.

2. Non-Adversarial Threat Source represents the natural disaster/erroneous movements achieved by an individual in the sequence of performing their regular responsibilities.

Description Of Threat Sources And Events

The following figure illustrates the examples of the threat sources and events:

where does the threat come from

Adversarial Threat Sources And Events

1. Fraud & Theft

Systems can be broken for fraud & theft by performing traditional fraud methods or new methods. The main motive behind this threat source is financial gain.  The fraud & theft can be performed by both the insider and outsider. 

Techniques Involved:

There are several techniques that attackers used to commit this exploitation. Some of the most notable techniques are:

  • Social Media - Individuals or employees account in social media provide a way of collecting contact information, personal connections and interests of the victimized individual that in turn can be used to commit a social engineering attack. Social media worsens the evolving problems of fraud, so companies should consider it as the serious concern while implementing systems. 
  • Social Engineering - Social engineering is a technique which trusts heavily on the human interaction to inspire an individual to interrupt security protocols as well as influences them to disclose confidential information. Mostly these types of attacks can happen via online or phone.
  • Advanced Persistent Threat (APT) - Instead of attempting to cause damage, advanced persistent threat once gained access to the certain information and data, attempts to harvest those details from the target or network. 

2. Insider Threat

It is a threat to the enterprise, which comes from the personnel within the enterprise such as an employee / a former employee. For example, employee sabotage is a threat this is initiated by the knowledge of termination that causes crucial issues in the enterprise and their systems.
 
Disabling the employee’s access once they terminated is the ideal way to mitigate the damage sourced by this threat. Some of the system-related employee sabotages are:

  • Destroying facilities or hardware.
  • Crashing systems.
  • Entering incorrect data, holding data and deleting data.
  • Inserting malicious code, which destroys data or program.
  • Preventing system access by chaining administrative passwords.

3. Malicious Hacker 

Malicious hacker is an individual or group who illegally access systems, steal information, or cause damage by the way of understanding the networks, systems, and programs. Understanding the motivation, which insists the hackers can support an enterprise to implement the security controls in order to prevent the possibility of a system breach. 

Sub Categories of the malicious hacker threat sources are:

  • Attackers - Attackers poses a high threat of brief disruptions, which could cause serious damage to the infrastructure or business. With the availability of attack scripts & protocol over the internet, even the attackers who didn’t have the expertise affect difficult targets by simply downloading the scripts. 
  • Bot-Network Operators- Bot-network operators undertake the control of various systems to organize attacks & distribute spam, phishing schemes, and malicious code.
  • Criminal Groups- Organized criminal groups utilize spam, spyware, and phishing to execute online fraud and identity theft with the motive of monetary gain.  
  • Foreign Intelligence Services - Foreign intelligence services utilize cyber tools to commit espionage and information gathering activities. Furthermore, most of the nation is working to create information warfare programs, doctrines and capabilities enable an entity, which possesses a significant impact by interrupting the communications, supply and economic infrastructure. 
  • Phisher-The phisher is an individual or group, which execute phishing, spam or malicious code schemes to steal information or identities for the monetary gain. 
  • Spammers - The spammer is an individual or group, which distributes unwanted email with false or hidden information to promote products, distribute malicious code, perform phishing or attack organizations. 
  • Spyware/ Malicious Code Authors - They are individuals or groups or organization who maliciously perform attacks against customers by distributing malicious code and spyware. 
  • Terrorists - They search to incapacitate, destroy or exploit critical infrastructures to disturb the national security, weaken the economy, cause mass causalities and damage public morale & confidence.
  • Industrial Spies - Industrial Spies searches to obtain intellectual knowledge and property using clandestine methods. 

4. Malicious Code

It can be a virus, Trojan horse, logic bombs, worms and other software designed for attacking a platform.

  • Viruses - Viruses are code segment, which reproduces by attributing copies of itself to available executables. Sometimes virus includes an additional payload, which triggers when certain conditions are met. 
  • Trojan Horse - Trojan Horse is a program, which performs the desired action; however, that also comprise undesirable and unexpected functions. 
  • Worm - The worm is a self-replicating program, which is self-contained & doesn’t need a user intervention or host program. It commonly utilizes network services to distribute to other systems.
  • Logic Bomb - Logic Bomb includes a secret set of instructions and intentionally injected into a software or program to perform a malicious action at a liable data & time or when a certain condition is met. 
  • Ransomware - This malicious code limits or blocks access to the system by encrypting certain files or locking the certain screen until the ransom is paid. 

Non- Adversarial Threat Sources And Events

1. Errors & Omissions

It can be unintentionally sourced by the user who develops & edit data or operators who process multiple transactions on the enterprise systems. This non-adversarial threat source can degrade system integrity & data, cause programming or database errors.  In the worst case, these errors can cause the system crash. Even software applications aren’t capable to detect all kinds of errors and omissions. Hence it is recommended to establish proper awareness & training program in order to reduce the severity of the errors and omissions.

2. Loss Of Physical & Infrastructure Support

This threat event comprises power failures, water outages, loss of communications, fire, disruption of transportation services, sewer malfunctions, civil unrest, flood, and strikes. The loss of physical and infrastructure support sometimes results in the system downtime. 

3. Impacts To Personal Privacy Of Information Sharing

With the accumulation of massive amounts of personal information by private sectors and the government has made numerous chances for the people to come across privacy problems. Many of the individuals and organizations prefer cloud service for the long-term storage. As with plenty of benefits that cloud services offer, it also includes the chances of personal information being accessed by the attackers with the technical skill sets. Similarly, social media has contributed to this threat; since the malicious hackers can use the personal information to bypass the authentication measures. These kinds of disclosures can lead to unexpected uses of such details. 

Information Security Policy

When the organization receives a clear understanding on the threat landscapes, subsequently they are required to establish a proper information security policy. Information security policy is a collective of regulations, directives, rules, regulations, and practices, which prescribes how an enterprise handles, protects & distributes information. The following section presents the outline of the information security policy, according to the NIST report, NIST SP 800 – 12 Rev 1.

Since the policy is inscribed at an extensive level, enterprises need to develop standards, guidelines & procedures, which provides managers, system administrators and users a clearer approach to execute policy & meet organizational goals.

NIST Definition:

nist defiination 
In order to differentiate various types of policy, NIST categorizes policy into 3 basic types:

policy for infosec

1. Program Policy

The program policy is employed to establish an information security program of the organization. These policies set the tactical direction for security & assign resources for its application within the enterprise. 

Program Policy Basic Components

  • Purpose - Program policy includes a statement explaining purpose & goal of the program. Security associated requirements such as confidentiality, integrity, and availability can form the foundation of goals launched in the policy.
  • Scope - Program policies should be referred to which resources the security program protects. Most programs cover all systems & organizational personnel while some are restricted in scope (only for organization’s information security program).
  • Responsibilities- Once the security program is launched, the responsibility of the officials in the organization need to be addressed. Roles and responsibilities were presented in detail in the blog, “An Introduction To Information Security - Roles & Responsibilities”. 
  • Compliance - Program policies address two basic compliances:
    • General Compliance: Ensures meeting the needs to create a program as well as responsibilities allocated therein to numerous organizational components.
    • Use of certain penalties & disciplinary actions: Normally, certain penalties for various violations aren’t detailed in the high-level security policy document, instead, it authorizes the formation of compliance structures, which comprise violations & certain disciplinary actions. 

2. Issues Specific Policy

The issue-specific policies are created to address the portions of current concern and relevance to an enterprise. The main intent is to offer certain instructions and guidance on the proper usage of resources within the employees. 

Some examples of issue-specific policies are email privacy, internet access, social media, BYOD (Bring Your Own Device), physical emergency, use of external storage, policy violations, and privacy rights.

Issue-Specific Policy Basic Components

Similar to the program policy issues specific policy also includes the compliance and roles & responsibilities components. In addition to this, it comprises the following components:

  • Issue Statement – To express the policy on a certain issue, information owner defines the issue with relevant terms, conditions, and distinctions. It is useful to outline the goal for the policy to enable compliance.
  • Statement of the Enterprise’s Position -  After stating the issues and its related terms & conditions, it is required to state the position of the enterprise.
  • Applicability – Applicability is included to clarify where, when, how, to what and to whom a policy applies.
  • Points of Contacts & Supplementary Information – For the issue-specific policy, it is required to indicate the corresponding personnel to contact with the enterprise for further information, compliance, and guidance. 

3. System-specific Policy

System-specific policies offer direction and information on what activities are permitted in a certain system. It is suggested to consider this policy in a two-level model: security objectives & operational security rules.

  1. Security Objectives - A first step in the management process that begins with the evaluation of the requirement for confidentiality, integrity, and availability.
  2. Operational Security Rules – Once the security objectives are determined, the management identifies and documents the rules for managing & operating the system. 

Cost Consideration

A number of costs are involved in developing as well as implementing the information security policies. These include:

  1. Cost of implementing the policy & addressing its influences on the enterprise, its personnel, and resources.
  2. Cost of policy development process.
  3. Cost for various management and administrative activities, which required for drafting, coordinating, reviewing, disseminating, clearing and publishing policies.
  4. Cost of staffing and training.

When establishing information security policy, it is important to consider the possible threat that the organization vulnerable to. Hope the above description of the threats available, and basic details on security policy would be helpful to create an effective security policy program.

Read More

Information Security Guide To Risk Management Assurance And Security Consideration

The security risk is the major cause of vagueness in any enterprise. Thus, organizations increasingly focus on determining and managing that risk before they affect their business. The ability of the organization to manage the Information Security risk will support them act more confidently on the business protection.  In addition to this, companies should assure that their security measure will function as intended. For this, they need to consider security in the system support and operations. In order to help the organizations, here we presented the outline of the risk management, security assurance and security considerations in the system support and operations with the reference in the NIST Special Publication 800-12 Rev. 1.

Information Security Risk Management

The risk is nothing but a measure of a level a unit is susceptible by an event or circumstance, and characteristically a function of the adverse influence, which would rise of the event or circumstance happens and the possibility of occurrence. 
Risk Management is the procedure of reducing the risks to enterprise operations and assets, other enterprises, individuals and the nation. 
Four steps involved in the risk management are:

1. Framing Risks -This step defines how enterprises create a risk setting for their environment in which decisions regarding risks are made. Its main purpose is to launch a risk management procedure, which addresses how enterprise intent to assess, monitor and respond to risks while making transparent and explicit the risk perceptions, which organization habitually use in both operational and investment decisions. 

2. Assessing Risks – This step defines how enterprise evaluate risks within the enterprise risk frame setting. Its main purpose is to determine:

  • Threats to enterprise operations and assets, other organizations, individuals, and nation
  • Internal & external vulnerabilities of enterprises
  • The harm to the enterprise, which may happen given the possibility of threats exploiting weaknesses
  • The possibility that harm will happen

3. Responding to risk – This step addresses how enterprise responds to risk once that is determined according to the risk assessment results. Its main purpose is to offer a consistent, enterprise-wide response to the risk based on the enterprise risk frame by:

  • Creating alternative sequences of actions to respond to risk
  • Assessing the alternative action sequences
  • Identifying the corresponding sequence of actions reliably with enterprise risk tolerance
  • Implementing risks, responses according to the selected sequence of action

 
4. Monitoring Risk – This step addresses how enterprise monitors risk over the period of time. Its purpose is to:

  • Check that planned risk response measures are properly implemented and that security needs derived from or traceable to enterprise mission/ functions, federal legislation, regulations, directives, standards, policies, and guidelines are fulfilled.
  • Identify the ongoing efficiency of the risk response measures
  • Determining risk influencing changes to system and environment of the organization

NIST Risk Management Framework (RMF)

Risks management Framework promotes the strategy of almost real-time risks management & ongoing system authorization via the continuous monitoring process implementation. It allows senior leaders gain the essential details to make cost-effective and risk-based decisions with respect to enterprise system supporting their basic missions and functions. It also integrates security aspects into the enterprise SDLC process. 

The following figure depicts the overview of the RMF:

rmf

Categorize – Organization needs to categorize the systems as well as the information managed, stored and transmitted in accordance with impact analysis. 

Select – Then, the organization needs to involve in selecting the initial set of system baseline security controls according to the security categorization and tailoring & supplementing the control baseline as required accordance with the enterprise risks and local condition assessment. 

Implement – Enterprise is accountable for implementing information security controls and defining how those controls are working within the system and operation. 

Assess – At this step, the enterprise needs to assess the security controls with the proper assessment procedures and to identify the level which the controls are executed correctly, operating as intended & producing the expected outcome.

Authorize – As per the result of the security control assessment, a senior official in the enterprise authorizes the system to function and continue to function. The senior official makes this decision according to the identification of the risks to enterprise assets & operations, other organizations, individuals and the nation resulting from the system operation and the decision.

Monitor – The final stage of the RMF is to monitor the security controls continuously to guarantee that they’re effective even changes happen in the system and the environment. Enterprise monitors the security controls on the continuous basis, including evaluating control effectively, documenting alteration to the system, conducting security influence analysis of the related chances & reporting the security status to the designated officials. 

Information Security Assurance

Authorization & Assurance
NIST Definitions

nist defination
Security Engineering

The size & complexity of the systems today make creating a reliable system a priority. System security engineering offers a straightforward approach for creating dependable systems in the complex computing environment. This section presents the two divisions of assurance methods & tools: 

design
 
1. Design And Implementation Assurance

This method addresses the design of the systems and whether the features of an application, system or component satisfies the software requirements & specifications. It examines the system design, progress, and installation. It can be applied throughout the entire lifecycle of the system, but generally associated with the development and implementation phase. This method can be achieved by using the following techniques:

Advanced Or Trusted Development - The advanced or trusted development methodologies, system architectures or software engineering techniques can offer assurance in the development of COTS (Commercial off-the-shelf) products & customized systems. For example, formal modeling, security design & development reviews, ISO 9000 quality techniques, mathematical proofs, ISO 15288 or trusted computing base (TCB). 
Reliable Architecture - The reliable system architecture that uses fault tolerance, shadowing, redundancy or RAID features are primarily linked with system availability.

  • Reliable Security - Ease of safe use is the main factor that resides in the reliable security that postulated that the system is simpler to secure is possible to be secure. 
  • Evaluations - Evaluation of a product normally includes testing. It can be performed by several kinds of the enterprises, including independent enterprises such as professional & trade organization, domestic & foreign government agencies, individual users or commercial groups.
  • Assurance Documentation - Assurance documentation can report the system or specific component security. System-level documentation defines the security needs of the systems and how they’ve been implemented. Component documentation will be an off-the-shelf product, while the implementer or system designer will typically create system documentation. 
  • Warranties, Integrity Statement & Liabilities - Warranties are the additional assurance source and it gives the sense of commitment to correct the errors within the specified timeframes. It also speaks about the quality of the product. Integrity statement is a certificate or formal declaration of the product. It can be increased by the promise to liability (pay for losses) if the product doesn’t follow to the integrity statement. 
  • Manufacturer’s Published Assertions - The published assertions to the developer or manufacturer present a limited amount of assurance according to the reputation. 
  • Distribution Assurance - It is essential to aware that software has received without modification particularly in case it is distributed. We can use digital signatures and check bits since they can provide high assurance about that code hasn’t been modified.

2. Operational Assurance

Operation assurance reports whether the technical features of the system include vulnerabilities or are being bypassed and there needed procedures are being tailored.
 
The organization utilizes three methods to keep operational assurance:

1. System Assessments -  An event to evaluate security. Assessment methods comprise examination, interview, and testing. 
2. System Audits – An independent examination and review of the records & activities to evaluate the system control adequacy and to guarantee compliance with launching policies and procedures. There are several methods and tools, which can be used to audit including:

  • Automated Tools – Used to support uncover threats and vulnerabilities.
  • Internal Control Audits – Review controls in the system to determine whether they are effective by using techniques like testing, observation, and inquiry. 
  • Using The System Security Plan (SSP) – Presents implementation details against the system that can be audited.
  • Penetration Testing – Involves several methods to effort to break the system security. 

3. System Monitoring – Process for keeping ongoing security awareness, vulnerabilities & threats to aid enterprise risk management decisions. The methods and tools used in system monitoring are as follows:

  • Review System Logs – Analyze system-generated logs to find security problems.
  • Automated Tools – Examples of automated tools used to monitor the system for the security issues are malicious code scanners, checksum, password strength checkers, host-based intrusion detection system, system performance monitoring analysis and integrity verification programs.
  • Configuration Management – Provides assurance that organizational system in function has been configured to standards and needs, that any alteration to be made are revised and that such modification has been authorized by the management preceding to implementation. 
  • Trade Literature/Publications/Electronic News – Furthermore, it is essential to monitor these external sources of information that includes details about the security vulnerabilities, patches and other things that influence the security.

Security Considerations In System Support And Operations

System support & operations refer to entire aspects involved in the running of a system. The failure to include security as a portion of the support & operations of systems can result in damage to the enterprise. The following are some of the categories that organization’s policies and procedures fail to address:

  • User Support – An essential security consideration for the user support peoples is being capable to recognize which issues are security-related.
  • Software Support – Several elements involved in the software support. One element controls what software is running on the system. Another element ensures that software hasn’t been altered without proper authorization. 
  • Configuration Management – Process of chasing and approving the alterations to the system to ensure that the changes don’t unintentionally or unknowingly affect security. In addition, it ensures that changes are replicated in other documentation like a contingency plan. 
  • Backups – System support officials or users often back up the data and software. It is important to backup only the necessary detail and in a secure way. 
  • Media Controls -  Includes a wide range of measures to offer environmental and physical protection as well as accountability for digital & non-digital media.
  • Documentation – To ensure consistency and continuity, the entire factors of system support and operations need to be documented. 
  • Maintenance- If the system maintenance is not proper, then the security vulnerability will get introduced. 

In addition to effective risk management and security assurance, the organization should ensure security consideration at the system support and operation for implementing the flawless information security in their business. 

Read More

Rapid rise in SSL TLS security vulnerabilities

Encryption is a valued, supported in maintaining integrity and privacy. It maintains the data safe from the attacker’s eyes. It stops people mugging the app usage habits, passwords, and credit card details. As the advancement in technology continues, the complexity to stay secure also continues to rise. This makes the people encrypt their network with secure standard protocols, SSL/TLS. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols, which enables secure communication over the network. 

As per the reports of security experts, most of the organization begins to encrypt their internet traffic. 

According to the ESG Report :

Nearly 87 % of the enterprise they measured encrypt at least 25 % of their entire network traffic

Likewise, Zscaler, Inc, the top cloud security enterprise announced 

An average of 60 % of the communication over their cloud has been using SSL/TLS

These statements sound that organizations begin to believe that they are halfway to the web safer with SSL/TLS against the cookie stealing, content hijacking, eavesdropping, and censorship.

While this internet security protocol is a boon for the organization who have privacy concerns, their IT teams will need to face a huge traffic influx; since, they can’t look inside the network without decryption technology. 

Unfortunately, online attackers are now stepping up their SSL/TLS facility to conceal their malicious activities. This scenario forces the organizations to understand the fact that the increase in the SSL/TLS usage comprises both legitimate as well as malicious happenings, as attacks rely on legal SSL certificate to spread their malicious content. 

In addition to the reason of exploiting new vulnerabilities that pave the way to use SSL adoption as the weapon in the enemy’s hand, attackers find a new benefit of using SSL/TLS as it masks and complicate the detection of attack traffic in the application and network level traffic. 

According to the Global Application and Network Security Report published by Radware:

In 2016, 39% of the surveyed organization accepted that they have been victimized by the SSL vectors

The following figure illustrates the Radware measure regarding enterprises, which experienced SSL-based attacks.

ssl based attack

Radware explained that the SSL based attacks come in several forms:

  • Encrypted SSL Floods 
  • SSL Renegotiation
  • HTTPs Floods
  • Encrypted Web Application Attacks

In addition, the researchers of Zscaler.Inc states that the cyber criminals are turning to SSL/TLS vulnerabilities to deliver malicious attacks. They revealed that they have blocked approximately 8.4 million SSL/TLS based traffic request per day. Among those requests, they find that 600,000 request comprises advanced threats.  

malicious content delivered over ssl/tls

Image Source: Zscaler

They have found that various attack types concealed within the packets of SSL/TSL. Most primary types include malware, adware, exploits kits and malware call-backs. 

The other key findings of the researchers on the communication over Zscaler cloud are:

  • The malicious content being transferred over the SSL/TLS protocol has expanded in the last 6 months. 
  • They have blocked around twelve thousand phishing attacks, per day transferred over SSL/TLS
  • Among the web exploits that are happening per day, approximately 300 hits include SSL as a portion of infection chain 
  • New malicious payloads exploiting SSL/TLS for the C&C process
    • 60 % were encompassed of various Banking Trojan families
    • 25 % were encompassed of ransomware families
    • 12 % were encompassed of info-stealer Trojan families
    • 3 % were from other assorted families

How It Complicating Detection And Mitigation?

With these findings, there is no doubt that the leveraging of encrypted traffic as an outbreak vector is on the upfront. This rise is further challenging several mandatory solutions for detecting as well as mitigating threats. Most of the organizations don’t include the action of the inspecting SSL/TLS traffic in their security process because it demands decryption of encrypted traffic that challenges the IT team.

Because the SSL and encryption are effective at complicating several attributes, which support determine whether traffic is legitimate or malicious. Most of the cyber-attack solutions failed to identify the malicious traffic from the sources of encrypted traffic and isolating that traffic in order to mitigate them. The decrypting & re-encrypting the SSL/TLS traffic raises the needs of traffic processing and in many cases, requires effort beyond the performance of the devices that are used for mitigating attacks. Most of those devices are stateful, inline and unable to manage SSL encrypted attacks. 

A survey of Radware, regarding the capacity of available security solutions for decrypting, inspecting and re-encrypting traffic states that most are functioning blindly. Around 75% of the industry experts doubt their security strategy to offer complete protection against the encrypted attack. 

As more and more attacks rely on the SSL/TLS, enterprises require taking the essential steps to ensure that their entire data is protected and the bad traffic is not sneaking past their fortifications. 


Read More

Information Security Spending Will Upturn In Future

Cybersecurity is no longer a problem that bothers only IT and security professionals; the influence has protracted to the C-suite & boardroom. Concerns and awareness about security threats and incidents have become a top priority for organizations and consumers. In the stir of raising security incidents and keen regulations, organizations are scrambling to protect their networks and data. It makes a push, which is catalyzing expansion in the market for the technologies and solutions of cybersecurity.
 
According to the Gartner’s latest forecast report on the market for information security spending, in 2017 there will be a 7% growth in spending on security products and service from the previous year and the highest growth will be expected in the upcoming years. 

The following figure summarize the IT security spending forecast report of the Gartner researches:

spending in it market
Increasing awareness among the board directors and CEOs regarding the business impact of the security incidents in addition to the evolving landscape have sourced the continues spending on the security related services and products. 

They forecast that the following segments will attain a notable growth in terms of security spending:

Gartner says that organizations begin to move from the traditional security spending strategy, which mainly focuses on the prevention-only approaches to the detection and response based security strategies. The migration to the approach of detection and response against security extends people, technology, and process elements & will root a massive growth in the security market over the next five years. Furthermore, organizations now begin to feel that preventive approaches haven’t been effective in blocking malicious attacks. 

The necessity to better detect and respond to security incidents has also developed new security product segments. They are as follows:

eveloped new security product segments.

This migration doesn’t mean that prevention against security threats is unimportant. The organization should understand that prevention is useless unless it is knotted with the detection & response capability.  Gartner advices that businesses should balance in their spending to include both prevention approaches and detection & response approaches. 

Under the infrastructure protection segment, the security testing market is forecasted to receive a fast growth. Especially, the IAST (Interactive Application Security Testing), the emerging security testing tool will contribute more to the expansion on spending. The continued occurrences of data breaches and enhancing demands for the application security testing roots the increased spending on the testing tools. 

The security services, particularly IT consulting, outsourcing and implementation services will last to be the wildest growing segment. This is because the security practices must be capable to meet the continuously evolving threats as well as security requirements. Undoubtedly, doing so will require investments in the corresponding processes & technologies to avoid, protect, detect & respond to the security risks. Unfortunately, most of the enterprises are weakening to do so. This leads them to consider third party vendors as the significant source to support against cyber risk. 

Another important factor that Gartner report focussed on is a shortage of skills. As preventive approaches were continued to the most common strategies for past decades, most of the organizations lack the knowledge of detection & response strategies. This makes the enterprises to search for the external support for the Managed Security Service providers, security consultants, and outsourcers.

On the other hand, the appearance of specialized MDR (Managed detection & response) services come as a treat to the conventional MSSPs. Since in the security market, there are a vast amount of point solutions which address the detection & response approaches continue to emerge, Security Managers and CISOs finds some manageability issues and roots them to spend on the management platforms & service. 

Despite, the hardware support service is expected to receive slow growth since the adoption of public cloud, SaaS (Software as a Service) and virtual appliances reduces the requirement of overall attached hardware support. 

However, a researcher from Gartner suggests that enhancing security is not just depends on the spending on new security technologies. It is not enough to do the basics right; hence, the enterprises should address the basic security & risk associated elements like centralized log management, threat centric vulnerability management, backups, internal network segmentation and system hardening to significantly improve the security posture. 

Guidelines For Effective Security Strategy

By considering these forecast, in order to guide you to wisely invest on the security technologies, here we listed some guidelines.

  • Analyse the gaps, which exist in your current security processes and controls.
  • Identify if there is any supplementary protection to be achieved via configuration of available security tools, or applying features and controls, which are not being used in your business.
  • If you decided to invest in the new security technology, evaluate whether that investment adds unique value to your business or just overlap the available security control.
  • Build competency management capability by educating the workforce with security training, which enables them to proactively prevent, detect and respond to the cyber crime.

Gartner’s recent forecast on the spending on the security market alarms the business about how to balance their investment on the security spending. The organization should analyze their existing security strategy and plan the wise investment to keep their business away from the possibilities of being targeted by cyber criminals.

Hack2Secure is as one of the few global vendors with a capability to deliver End-to-End Information Security programs via Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security Requirements and Best practices. Connect with us to explore more.

Read More

NIST SP 800 100 Information Security Governance

With the increasing complexity of the IT infrastructure and a continuously changing security threat and risk environment, organizations today are required to manage as well as govern the Information Security. Properly managing and governing of the Information Security support to reduce the risks and ensure the organization’s capability to do their business in a secure way. This article is about the outline of information security governance in accordance with the special publication of the NIST, called, Information Security Handbook: A Guide for Managers.

NIST Definition Of Information Security Governance

information security goverence

Information Security Governance includes its own requirements, activities, challenges, and sorts of structures. It also includes a defining role in determining key roles and responsibilities in the Information Security. In addition, impacts the policy development, oversight and ongoing monitoring activities of Information Security. In order to guarantee a certain level of support of business missions & the proper implementation of the security requirement, each organization should create a formal structure of information security governance. Let us begin with the information security governance requirements.

Information Security Governance Requirements 

The United States Congress and OMB (Office Management and Budget) have introduced a set of laws, directives, and regulations that oversee establishment & implementation of the information security practices. The organization must create clear reporting needs that fulfil the legislative requirements, directives, and regulations formed by Congress. The organization should modify the practice of their information security governance based on their own missions, operations & needs. 

Examples of the key legislative acts, which define entire governance requirements are:

  • The Government Performance and Results Act (GPRA)
  • The Paperwork Reduction Act (PRA)
  • The Federal Financial Management Improvement Act (FFMIA)
  • The Clinger-Cohen Act
  • The Federal Information Security Management Act  (FISMA)

Information Security Governance Components

Organizations should incorporate their activities of information security governance with the entire activities and structure of the organization by guaranteeing the proper participation of the enterprise officials in overseeing the security control implementation throughout the enterprise. The key activities, which enables the integrations are:

  • Strategic planning
  • Organization design & development
  • Establishment of the roles & responsibilities
  • Integration with organization architecture
  • Documentation of objectives of security policies and guidance

The following diagram depicts the relationship among the above-mentioned components:

infosec governance componets

Image source: NIST SP 800 - 100

Information Security Strategic Planning

The organization requires to create a strategic plan for the program activities and create an annual performance plan that covers each program activity in terms of their budget. The strategic plan should be refreshed for every three years. The organization should incorporate the information security into their strategic planning process by creating and documenting the information security strategies, which directly support their strategic & performance planning activities.

The enterprise information security strategy should:

  • Establish a complete framework to facilitate the development, assessment, institutionalization, and enhancement of the organization’s information security program.
  • Support the entire organization strategic & performance plans with this content visibly noticeable to these higher-end sources.

Information Security Governance Structure

Structure of information security can be considered in various ways. The two basic structure models are: 

1.Centralized Structure

infosec centralized structure

2.Decentralized Structure

Decentralized Structure

In reality, organizations usually adopt the hybrid model, which includes centralized structure model at one end and decentralized structure model at the other end since it is quite rare to implement the governance completely based on centralized or decentralized structure. 

Key Governance Roles & Responsibilities

FISMA provides the detailed roles and responsibilities of the key governance. As we have discussed the key roles and responsibilities in the information security in our blog, An Introduction To Information Security - Roles & Responsibilities, here we listed some sample responsibilities of the governance roles. 

Agency Head

Some of the FISMA assigned responsibilities are:

  • Guaranteeing that the information security program is properly created, documented, & implemented to offer security for entire networks, systems, and data, which support the organization’s operations.
  • Guaranteeing that the information security processes are incorporated with strategic & operational planning processes in order to defend the mission of the organization.
  • Guaranteeing that the senior agency officers provide the essential authority to defend the assets and operations under their control

Chief Information Officer

Some of the FISMA assigned responsibilities are:

  • Designating a SAISO (Senior Agency Information Security Officer).
  • Developing & maintaining an enterprise-wide information security program.
  • Developing & maintaining security policies, procedures & control techniques for addressing requirements.

Senior Agency Information Security Officer

Some of the FISMA assigned responsibilities are:

  • Primarily performing the duties of information security.
  • Training & supervising personals with important responsibilities for the information security.
  • Periodically testing & analysing the effectiveness of the security policies, procedures & practices.

Chief Enterprise Architect

Some of the FISMA assigned responsibilities are:

  • Leading organization architecture development & implementation efforts
  • Collaborating with business lines within the organization to guarantee proper incorporation of the business lines into enterprise architecture
  • Participating in the activities of the organizational strategic planning & performance planning to guarantee proper incorporation of enterprise architecture

Related Roles

The following are the responsibilities of the some of the primary senior administration roles:

  • Inspector General (IG) – Works to evaluate the information security practices of the organization and identifies vulnerabilities & the possible requirements to adopt security measures. 
  • Chief Financial Officer – Reviews the cost goals of major security investments and reporting the financial management information.
  • Chief Privacy Officer / other designated official with privacy responsibilities – Works to keep a proper balance between the privacy and security needs and works to guarantee that one is never compromised for the other.
  • Physical Security Officer/other designated official with physical security responsibilities – Responsible for the entire implementation & management of the controls of physical security across the organization, to comprise incorporation with controls of information security. 
  • Personnel Security Officer/ other designated official with personnel security responsibilities - Responsible for the entire implementation & management of the controls of personnel security across the organization, to comprise incorporation with controls of information security. 
  • Acquisitions/Contracting – Responsible for handling contracts and supervising their implementation

Integration With Enterprise Architecture

The organization needs to integrate the security into their organization architecture development life cycle. This integration support to comply with the OMB requirements and offer the following benefits:

  • Reduce the reporting burden
  • Incorporation of security data
  • Preservation of security needs

Information Security Policies & Guidance

Information security policy is one of the basic components of the information security governance. If there is no policy, then governance possess no rules and substances to enforce.
Organization information security policy must address the basics of information security governance structure, such as:

  • Information security roles & responsibilities.
  • Statement of the security controls baselines.
  • Statement of rules for beyond the baseline.
  • Behaviour rules, which organization users are expected to follow.

Ongoing monitoring

It is important to constantly review the information security governance to ensure the following things:

  • Ongoing information security activities are offering proper support to the organization mission.
  • Policies & procedures are up-to-date and aligned with developing technologies.
  • Controls are obtaining their proposal purpose.

The key ongoing activities, which assist in supervising and enhancing the information governance activities of the organization are:

  • Plans of Action & Milestones
  • Measurements & Metrics
  • Continuous Assessments
  • Configuration Management
  • Network Monitoring
  • Incidents & Events Statistics

Information Security Governance Challenges

The following are the some of the challenges that organization is likely to experience in its process to create an information security governance:

  • Balancing widespread requirements, creating from various governing bodies.
  • Maintaining currency.
  • Balancing legislation & agency-specific policy.
  • Prioritizing available funding based on the recruitment.

On the whole, information security governance offers a framework for creating as well as maintaining the security program, which will advance with the enterprise it supports. 

Read More

An Introduction To Information Security Roles and Responsibilities

Information security involves securing information assets, financial information, customer data and other sensitive details. In order to accomplish the Information Security, organization, regardless of size needs to clearly define the roles and responsibilities of their professionals. For larger organizations, this will support to ensure that no work is ignored and for small organizations & less structured organization, this will support to evenly distribute the workload as the workers may be needed to involve in more than one task. Here in this article, we are going to present the outline of the basic roles and responsibilities involved in the information security with reference to the NIST special publication 800 – 12 Revision 1

Roles and responbility of cyber security


1. Risk Executive Function 

This role represents an individual or group of members such as CEO, board members, CIO within an enterprise who are responsible for guaranteeing that risk related considerations are viewed, and overall strategic goals are stated to meet the business missions and functions.

Basic Responsibilities:

  • Defining a complete strategy to address the security risk across the whole enterprise.
  • Developing an enterprise risk management strategy.
  • Supervising risk associated activities across the enterprise.

2. Chief Executive Officer

This role represents the highest-level senior executive or officials in the enterprise who includes the whole responsibility to offer protection of information security commensurate with the possibilities and influence of the risk, which may result from unauthorized disclosure, access, destruction, and modification. 

Basic Responsibilities:

  • Integrating the process of information security management with the process of strategic as well as operational planning
  • Ensuring that the systems and information used to facilitate organization operation includes the respective information security safeguards
  • Approving that the trained personnel are fulfilling with associated information security policies, legislation, instructions, directives, and guidelines

3. Chief Information Officer

This role represents the official of the organization who is responsible for designating the senior information security officer, developing as well as maintaining policies, procedures & control techniques of security, supervising personnel with notable responsibilities for security & guaranteeing that personnel is properly trained and supporting senior enterprise officials with their security activities. 

Basic Responsibilities:

  • Allocating resources for system protections that support the business mission and functions of the organization
  • Guaranteeing that systems are shielded by confirming security plans & are permitted to function
  • Ensuring that there is an enterprise-wide security program, which is being effectively implemented

4. Information Owner

This role represents the official in the enterprise who includes the authority on the operation, management or statutory for certain details.
 
Basic Responsibilities:

  • Establishing the rules for the proper use as well as protection of the sensitive details
  • Offering input to the system owners about the security controls and requirements needed to sufficiently protect the sensitive information.
  • Creating the policies & procedures supervising its generation, processing, collection, disposal and dissemination

5. Senior Agency Information Security Officer 

This role represents the official in the enterprise who is responsible for serving as the chief contact person between the enterprise chief information officer and the system owners, authorizing officials, system security officers, and common control providers. This role can also be referred as the Chief Information Security Officer.

Basic Responsibilities:

  • Managing & implementing an enterprise-wide information security program.
  • Assuming the responsibility of confirming security control assessor when required.

6. Authorizing Official

This role represents the senior officials in the executives who possess the authority to assume the responsibility for functioning a system at a certain range of risk to enterprise assets & operations.

Basic Responsibilities:

  • Confirming security plans, action plans and determining whether certain changes in the environments or systems of the operation need reauthorization.
  • Guaranteeing that designated representatives are performing their activities and function with the security authorization.

7. Authorizing Official Designated Representative

This role represents the official who coordinates as well as conduct the essential day-to-day activities linked with the security authorization process on behalf of the authorizing official.

Basic Responsibilities:

  • Assuming the responsibilities of the authorizing officials.
  • Taking decisions with respect to planning & resourcing of the authorization process, monitoring, and approval of the implementation of the action plan.
  • Preparing the authorization package, acquiring the signature of the authorizing officials on the documents related to authorization decision.

8. Senior Agency Official for Privacy 

This role represents the senior official of the organization who possesses the entire accountability and responsibility for guaranteeing implementation of privacy protections such as full compliance of agency with federal laws, policies, and regulations associated with privacy.

Basic Responsibilities:

  • Supervising, facilitating and coordinating the privacy compliance efforts of the agency.
  • Reviewing the information privacy procedures of the agency to guaranteeing that they’re comprehensive as well as current.
  • Ensuring that the contractors and employees of the agency receive proper education and training programs about the information regulation, policies, procedures and privacy laws governing the information handling of the agency.

9. Common Control Provider

The role represents an individual or group who are responsible for the creation, implementation, evaluation and supervising of the common controls. 

Basic Responsibilities:

  • Documenting the enterprise-identified common controls in the organizational documents like security plan.
  • Guaranteeing that desired evaluations of the common controls are taken out by capable assessors defined by the enterprise.

10. System Owner

This role represents the officers who are responsible for the activities including procurement, integration, development, alteration, operation, maintenance & disposal of the system. 

Basic Responsibilities:

  • Addressing the user’s operational interests.
  • Guaranteeing the compilation with security requirements.
  • Creating & developing the system security plan.
  • Guaranteeing that the system is operated and deployed based on the agreed security controls.

11. System Security Officer

This role represents the officer who is responsible for guaranteeing that a proper operational security position is maintained in the systems.

Basic Responsibilities: 

  • Supervising the regular security operation of the system.
  • Supporting the security policies & procedures development and guaranteeing compliance with those security policies & procedures.

12. Information Security Architect

This role represents the individual or group who are responsible for guaranteeing that security requirements mandatory to safeguard business mission and the process of the organization are perfectly addressed in entire factors of enterprise architecture such as segments, reference models, and solution models.

Basic Responsibilities:

  • Serving as the contact person between the organization architect & the security engineer.
  • Coordinating with common control providers, system owners and system security officers on the distribution of security controls as common, hybrid or system-dependent controls.

13. System Security Engineer

This role represents the individual or group who is responsible for performing security engineering activities for the systems.

Basic Responsibilities:

  • Designing & developing enterprise systems or enhancing legacy systems.
  • Coordinating security-oriented activities with the security architects, system owners, senior agency information security officers, system security officers and common control providers.

14. Security Control Assessor

This role represents the individual or group who is responsible for performing a comprehensive evaluation of the operational, managerial and technical security controls as well as the control enhancements inherited by or used within the systems for determining the complete effectiveness of the security controls.

Basic Responsibilities:

  • Offering an evaluation to determine deficiencies or weakness in the system & its operating environments.
  • Suggesting corrective actions to address determined vulnerabilities.
  • Preparing a security assessment report comprising the results of the evaluation.

15. System Administrator

This role represents the individual or group who are responsible for forming up and preserving a system / certain component of the system.

Basic Responsibilities:

  • Installing, configuring & updating hardware & software.
  • Establishing & managing user accounts.
  • Supervising backup & recovery tasks.
  • Implementing technical controls related to security.

16. User

The user is an individual/group / organization who possesses rights to access the data of an organization to perform their assigned duties.

Key Responsibilities:

  • Following to policies, which govern acceptable utilization of systems.
  • Employing the enterprise provided resources for certain purposes only
  • Reporting suspicious or anomalies system behavior. 

17. Other Supporting Roles

  • Auditors – Responsible to analyze the systems to identify whether the security controls are appropriate and whether the system satisfies stated security needs and enterprise policies.
  • Physical Security Staff – Responsible for creating & enforcing corresponding physical security controls.
  • Disaster Recovery Staff – Responsible for eventuality planning for the whole organization & function with other staffs to acquire extra eventuality planning support as required. 
  • Quality Assurance Staff – Responsible for enhancing the program quality by guaranteeing the integrity, confidentiality, and availability of the system.
  • Procurement Office Staff – Responsible for guaranteeing that enterprise procurements have been revised by corresponding officials.
  • Training Office Staff -   Responsible to ensure effective training program.
  • Human Resources – Responsible for security-oriented exit procedures when workers leave an enterprise. Work closely on problems, including background investigations. 
  • Risk Management Staff – Responsible for analysing the entire manner of risks in terms of security to which the enterprise may be exposed. 
  • Physical Plant Staff – Responsible for guaranteeing the services provision, fundamental to the security as well as the safe operation of the systems.
  • Privacy Office Staff – Responsible for keeping a complete privacy program, which guarantees compliance with privacy needs, develops & analysis privacy policy, and handles privacy risks. 

The above outline of the roles and responsibilities are not a comprehensive list in terms of information security but the basic roles should consider. Organizations can customize their structure according to their resources and requirements.

Read More

Rise Of Information Security Concerns

More and more personal information and business value worldwide are quickly moving into digital form on worldwide interconnected technology platforms. Due to this, the risks that are caused by cyber attacks becomes raising daunting. Criminals chase financial gain via identity theft and fraud; competitors disturb business or steal intellectual resources to grab the advantage. Enterprise regardless of size begins to understand that the tradition protection perimeter technology strategies are insufficient to handle the security threats that arises recently. In addition, cyber security concerns endure featuring at enterprise globally. Here in this article, we are going to discuss about the valuable reasons that stands behind the rise of information security concerns among the organization and individuals. 

1. Security Attacks On The Rise

Security attacks have been on the mounting spiral. There is an unending escalation in both frequency and size of attacks. Hackers seem to be achieving success in causing harm to the enterprise by the way of stealing the resources. As per the semantic report, which was released in 2016, over 1-million of web attacks happening roughly on a daily basis. Since cyber criminals now are increasingly cleverer, using new tools and innovative technologies to their wars, there is no wonder of the report of the PandaLabs (Panda Security’s anti-malware laboratory) that states that they had a seizure more than 18 million new samples of malware. 

In addition, according to the new report of ITRC (Identity Theft Resources Center) and CyberScout, the number of data breaches which was tracked in 2016 represents a considerable hike of 40% over the record of 2015. The following graph illustrates the rise in security attacks:

cybersecurity future report


Source: idtheftcentre

And these increases in the security attacks make the enterprises across the world concerns for their business security and searching for the steps to ensure protection against threats. 

2. Causing Both Active & Passive Losses

As countless of dollars’ worth of dealing is happening worldwide daily via the internet, there is an enhancing requirement to execute effective protection as well as measures to meet and repel the security related crimes. Hackers not only targets the large private sectors, but also the smaller firms and governmental websites. Because of the attacks, enterprises not only face the financial losses but also endangered losing clients, market share, and prestige. Even they can have damaged their reputations. If an enterprise experience downtime with security attack, there would be a most expensive attack consequence, even up to 1.5 million$ for larger businesses. 

Security attacks not only leads the active losses as mentioned above, but some passive losses too. For example, after the security attack, organization need to prevent such attack from happening again in the future. Enterprise ends with spending extra budget for this though this can’t be directly routed to the recovery of security breaches. 

A worst case to aware is that a research of the National Cyber Security Alliance revealed that around 60% of hacked small & medium sized enterprises go out of their business after six months of the attack. 

In addition, a research from Juniper Research, a leading market analyst, states that the average cost of the data breach will beat $150 million by the year 2020, as several business infrastructures get connected.  

Undoubtedly, every enterprise would be scared of hearing these losses as there might be a chance of being fall into one of the victims in future. 

3. Lack Of Security Awareness & Plan

Regardless of what kind of industry you are working for or running, digitized data, communication, and information remain the major part of the success of the enterprise. The important information in the wrong hand can lead to security attack, which causes data & financial losses.

As per the 2014 Cyber Security Intelligence Index, 95 % of entire security incidents comprises human errors. Most employees don’t aware how to prevent themselves and their enterprise from risk. Hackers are continually advancing their strategies, however, still, most of the individuals are still unaware of the kinds of threats they’re possible to encounter. 

A report on knowledge of employee on the data privacy & cyber security exposed that 88 % of employees are in lack of awareness to break defendable cyber incidents. 

In addition to this unawareness, most of the organizations are lack in proper security plan and strategies. In IT industry only 5% of enterprises maintain security compliance requirements in consideration while developing the product. With the reference of Barkly, Dec 2016, Security Confidence Headed into 2017, the following figure depicts that only 31 % of enterprises are taking efforts to make a security plan to meet the threats, the remaining are clueless or made no changes in their plan in terms of security. 

Security plan

4. Massive Security Resource Crunch

Despite the business risks possessed by the cyber attacks, security leaders spotlight the lack of technology and staff expertise as the main reason that behinds these attacks remain unchecked. 

In addition, most of the enterprises faced increased security risks because of lack of skilled cyber security experts. According to the study of  Tripwire, 75 % of enterprises, lack the skilled experts to deal with the cyber-attacks. Despite the demand of skilled professionals, enterprises have encountered a workforce shortage. According to the study of Frost & Sullivan, it is estimated that there will be a shortfall around 1.5 million of trained cyber security professional by 2020. 

Moreover, the CEO of Symantec states that job opening for the cyber security is anticipated to rise to 6 million worldwide by 2019.

5. Clueless Individuals

In addition to these surprise about the sources and impacts of the cyber attacks that continuing to expand, the worst thing here is most of the individuals remains clueless on what to do with these issues. Of course, there is value in the security training program, still not all the programs are value for money and effectiveness. Furthermore, there is a lack of affordable Vendor Independent Programs providing Real-Time Exposure. Though the training programs are well crafted, without possessing real-time exposure, their effectiveness is low, their value is doubtful and they’re a waste of money and time. 

Keeping all these factors that raise the security concerns, Hack2Secure, one of the few global vendors delivers End-to-End Information Security programs via Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security requirements and Best practices. We are providing customizable vendor independent training programs along with real time exposures. As we are evaluating and enhancing the skill set of professionals in terms of security, we aim to fulfill the demand of resources and competent experts. Connect with us to explore more.

Read More

6 Factors That Would Act As The Contributors For The Progress In The Cybercrime

Criminals yield benefit of technology in several different ways. Especially, the internet becomes the great tool for the scammers and other malicious users because it permits them to perform their trade while standing behind the digital anonymity. Cybercrime affects our society in a myriad of ways both in the offline and online. Likewise, the incident of cyber-crime is on the upturn, and as a result of rising use of technology as well as rising volumes of data enterprises, it is no wonder. However, a recent report from the Cybersecurity Ventures tabs everyone to frighten about the digital world.

According to the report, A Cybercrime Revelation published by the Cybersecurity Ventures, 

“Cybercrime Cost Estimates Have Risen From $400 Billion In Early 2015 To $6 Trillion By 2021”

The cost includes the damage & destruction of data, lost productivity, stolen money, intellectual property theft, personal & financial data theft, fraud, embezzlement, forensic investigation, reputational harm and much more.
 
This report predicts that the following factors would act as the contributors for the progress in the cybercrime. 

  1. Digital Growth
  2. Cyber Security Spending
  3. Speed of Cyber Offense over Cyber Defense
  4. Money & the Laws
  5. Cybersecurity Workforce Shortage
  6. Attack Against Small Business

Organizations which suffer a cybercrime are expected to have the opportunity, revenue and customer losses. Given the complication of the today’s interrelated world, we all need to work together in order to protect the enterprise from cybercrime. Here we have presented the overview of the contributing factors, according to the report in order to encourage the enterprise to strengthen their cyber security efforts. 

1. Digital Growth

Among the several contributing factors, the expansion of global attack surface that attackers target sounds as the absolute predictor. 
For Example:

Microsoft researched the digital growth and estimated the following changes will happen in 2020:

estimated
Similarly, CIO of Federal Communication Commission estimates how the people, web server and data online will be in 2022:


According to a research of Secure Decisions, around 111 billion lines of programming code being developed each year and these will include the chance of having billions of vulnerabilities, which can be exploited. 

In addition to the digital growth, the attacks like Social Engineering, Phishing, Machine-to-Machine attacks and Ransomware increase the chances of hackers entering into the organization networks. 

These raised numbers increase the level of complexity and risks of cyber-attacks & security exposures. 

2. Cybersecurity Spending

“$1 Trillion Cumulatively Will Be Spent Globally On Cyber Security From 2017 To 2021”

The cyber security has received more focus, attention, and investments, organizations today are spending enough amount on the products and services which support to defend against the cybercrime. 
A report from Gartner.Inc, which states that worldwide spending on the cyber security have touched $75 billion in the year 2015 can be the best evidence on the influence of cyber security spending. 
Cybersecurity Vendors forecast that this spending will reach $1 trillion over the consecutive five years (2017 to 2021). 

3. Speed Of Cyber Offense Over Cyber Defense

The Black -Hats or offenders are ahead of the White-Hats or defenders today. This is the main problem in the cyber security because the offenders or attackers still possess the edge over the defenders or good guys. In the current situation, 11 % of security compromise is achieved within seconds and another 82% takes just an hour because the attackers can work without any rules and their main aim is breaking the rules. By contrast, defenders are packed with rules of permissions and engagements; hence their defensive response is comparatively slow, often take hours or days. 

4. Money & The Laws

The crypto currencies empowered the cyber criminals. The rise of these kinds of currencies has increased the chance of safe & easy, to claim & receive an amount anonymously. This has influenced the type and number of cybercrime opportunities. Moreover, the lack of effective Law Enforcement makes the criminals no fear of payback and allows them to continue hacking. 

5. Cybersecurity Workforce Shortage

Right now, the cyber security and associated workforce shortage are extremely severe. The organizations require security leadership to remedy the issues. As per the Cybersecurity jobs report, approximately one million positions of cyber security openings remain unfilled in 2016 and this number is forecast to rise to 1.5 million in the future.

cybersecurity workforce shortage
This shortage would leave the corporate IT security team and CISOs shorthanded, as well as the scramble for the talent whilst cybercrimes, are intensifying. 

6. Small Business Are Targets

Nearly half of the total cyber-attacks target the smaller organizations. All organizations find it hard to solve the impacts of the cyber attacks on their own. This is especially true for the small business who don’t possess enough resources and employ full-time cyber defense professionals. In addition, most of the small and medium sized business do not include email security, data protection & an employee awareness training program in place. These lacking factors make them prone to the cyber attacks often. 

How to Fight Back

Of course, the cyber war would not end, ever; however, we can neutralize the hackers by the cyber defenders. 
Since the employees are the weakest link for the cyber attack, the organization should plan proper training programs to make them the first line of defense against the attacks. A study from the IBM ‘s IBV (Institute for Business Value) indicated that 57% of the HR officers report that they have conducted employee training, which addresses the cybersecurity factors. Cybersecurity Vendors predicts that the employee security education programs would become a basic defense strategy by the year 2021.  
 
Hope the above information, offers helpful information on the costs and contributing factors of the cybercrime. This would make you aware better how to spend your information security budgets.

Hack2Secure is as one of the few global vendors with a capability to deliver End-to-End Information Security programs via Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security Requirements and Best practices. Connect with us to explore more.

Read More

Threat Modeling Design For Security Benefits

Security risk management is a major concern across the several organizations worldwide. Most of these companies implement some kind of security program, which includes activities like vulnerability remediation & penetration testing that typically happens in the final stage of the development cycle. However, it is important to design security into the software to resolve the security issues early. This is because the security issues are relatively simple as well as cost-effective to address at this time. This is where the importance of threat modeling design for security comes in. 

Threat modeling is a security control completed during the architecture as well as the design phase of the software development life cycle to determine and reduce the risk present in the software. It identifies the weaknesses and possible threats early in the software design phase, mitigates the danger of attacks and reduces the high cost of solving vulnerabilities determined in the production stage. NIST (National Institute of Standards and Technology) estimates that the error fixes achieved after the software is released can affect in 30 times the price of fixes achieved during the design stage. 

In addition, fixing error later on the SDLC also significantly influence the user productivity. On the other hand, it is possible to achieve data protection much easier at the design stage. Therefore, when considering security, a most common methodology is to build a certain threat model design that tries to define the kinds of attacks, which are possible to happen. This approach is helpful when building file system/file system filter driver since it forces the developer to focus on the possible attack vectors against a file driver. Possessing determined potential threats, a file driver developer finds simple to consider the ways of defending against threats to strengthen the entire security of the system. 

As we already discussed the Threat Modeling Process For Secure Design Implementation in our earlier blog, here we are going to focus on the benefit of the threat modeling design.

Why Do We Require To Perform The Threat Modeling Design?

The organization experiences several benefits from the threat modeling. A good threat model describes and constrains the objectives; hence, it could be possible to declare proper care in terms of protecting digital assets. The threat modeling also supports to define the essential security features & control need by the system. Added to this, it drives as well as focus essential security processes, including security testing and code analysis. 

It supports to prioritize the kinds of attacks in order to address as well as support to choose controls for mitigating risks.  Drive reliable standards to apply a security policy to the enterprise. Prioritize risk handling by beating into the real-time threat intelligence. A threat model offers a baseline for identifying where the risk exposure exists to minimize them. It enlarges the other calculations by appending further attack vectors and determining new kinds of vulnerabilities. 

In addition to the special association, the threat modeling possesses with the secure architecture, as it also supports an input to the actions, which happen in other phases of the software development lifecycle including requirement identification, code reviewing, test planning and penetration testing. It informs these actions and provides an invaluable vision into the approaches that attackers could choose to affect the system.

Benefits Of Performing Threat Modeling At The Architectural Level

Threat modeling design supports to 

  • Confirm suitability of the determined security structures to be implemented
  • Identify gaps in the security structures to be implemented
  • Identify any further security aspects
  • Identify policy & process requirements
  • Identify requirements that to be inserted into security operations
  • Identify logging & monitoring requirements
  • Understand business continuity requirements
  • Understand capacity & availability requirements

Benefits Of Performing Threat Modeling At The Design Level

Threat modeling design supports to 

  • Identify vulnerabilities, which require being fixed at the design level and fed this into the development phase
  • Identify information assets, which require security controls
  • Map the determined security controls into Administrative / Technical / Physical controls (this action can be performed at the architectural level too, but performing it at the design stage supports in being granular). 
  • Identify security test cases or security test scenarios in order to test the security needs.

As the digital world increases in reliance on the system for sensitive information, the possibilities of software being hacked are also raised. Security requires to be a portion of the design process of software. Applying security at the design stage with the help of threat modeling process guarantees that software security is being built, thus reducing the chance of an attack. 

Read More

NIST Guide On Application Whitelisting A Quick Summarization

Application whitelisting is nothing but a technology that is created to maintain the system secure from the unwanted software like malware. It works to keep the malware as well as other unwanted malicious software from functioning on a computer system. NIST Special Publication 800-167, called Guide to Application Whitelisting includes the basics of application whitelisting as well as its planning & implementation. With the aim of making the organization which wants to stop threats, understanding these essential concepts, here we presented a quick summary of the same. 

An application whitelist is defined as the set of applications as well as application components, which are authorized to apply in an enterprise. This technology uses whitelists to decide which applications are allowed to execute on the host. Thereby it prevents the execution of unlicensed software, malware, and other unauthorized software. 

Application Whitelisting Basics

Basic definitions as per NIST :

Application Whitelisting Basics

Major Difference Between Application Whitelisting And Security Technologies

Major Difference Between Application Whitelisting And Security Technologies


Types Of Application Whitelisting

Application whitelisting is based on the following types:
1. Application files and folder attributes, which can be evaluated
2. Application resources handled
3. Whitelist generation techniques

1. Files and Folder Attributes

Application whitelisting can be available according to the variability of files and folder attributes that are listed below:

  • File Path

Application whitelisting based on this attribute permits the entire applications presented within a certain file path. Here, the path requires being prevented by some strict access control otherwise there would be a chance to allow any malicious files presented in the directory to be executed. 

  • File Name

The application or application components are permitted based on their File Name. If a file becomes infected or replaced, there would not be a change in the file name. Similarly, hackers could find a way to place the malicious file with the accepted file name format. Hence, it is recommended to use this attribute complied with other attributes. 

  • File Size

Accepting application based on the file size includes the assumption that malicious files have different file size as compared to the original. However, attackers can make the infected files to appear in same file size as their benign matching part. Therefore, this attribute is generally paired with other attributes like a file name.

  • Digital Signature Or Publisher

Application whitelisting are based on the digital signature provided by the publisher or the identity of the publisher. 

  • Cryptographic Hash

Whitelisting applications based on the strong cryptographic algorithm associated with the hash function is almost accurate regardless of the file path, file name and its digital signature until the file is updated. 

2. Application resources

Application whitelisting is often permitted or restricted based on monitoring executable. In addition, most of these technologies also include the capability to monitor some other kinds of application associated files like scripts, libraries, browser-plugins, macros, configuration files and application-associated registry entries. 

3. Whitelist Generation Techniques

Whitelist generation comes in two primary methods:

Method 1: Consider the vendor provided details on the known application’s characteristics along with organization generated details on the organization specific application’s characteristics. 

Method 2: Scanning the files on the clean host in order to form a good known reference point. 

Both methods are effective on their own until the application is updated or any new application gets installed.

Application Whitelisting Modes

Most of the application whitelisting come in two operational runtime modes:

1.Audit Mode

This mode allows whole items including those, which are not listed on the whitelist & logs their execution. It offers data in the process of continuous monitoring and analyses.

2. Enforcement Mode

This mode automatically permits and blocks the execution of whitelisted items and blacklisted items respectively.

Different Forms Of Enforcement Mode Are:

  • Whitelist Enforcement – Block the execution of entire items excepts the whitelisted items.
  • User Prompting – Depends on the user or administrators command to accept or reject the files, which are not whitelisted or blacklisted.
  • Blacklist Enforcement – Allows the execution of entire items excepts the blacklisted items.

Application Whitelisting Technologies Uses

In addition to the offering application access control, application whitelisting technologies can be employed in other purposes such as:

  • Software Inventory – This technology can maintain an inventory of the applications as well as application versions that is installed on each host. Useful in identifying unlicensed applications, prohibited applications, wrong version software, modified applications, malware, unknown applications, and unauthorized applications.
  • File Integrity Monitoring – Application whitelisting technologies perform continuous or frequent monitoring of attempted changes to the files. Useful in preventing files changes or report file changes.
  • Incident Response – Whitelisting technologies check the files on the host with the characteristics of malicious files captured after responding to an incident in order to find that they have been compromised or not.
  • Data Storage Access control -  Permits only the encrypted device or devices with a certain serial number.  Thereby restricts the file read, write & execution on the removable media.
  • Memory Protection – Prevents the attacks that affect the files in the memory.
  • Software Reputation Services – Reviews the software that the application is bundled with, in order to analyse for substantial security risk.
  • Anti-malware Technology Integration – Integrate with other malware analysis product to identify the malicious content.

Operational Environment Differences

When it comes on selecting & deploying application whitelisting, it is essential to consider the important differences in the operational environment. They are as follows:

  • Standalone Or Small Office/Home Office(SOHO) – Small or informal system installation, which is used for business or home purpose. It is, the least secure one.
  • Managed or Enterprise – Refers to the large organizational systems along with defined suites of software and hardware configurations, generally comprising of Centrally Managed IT products.
  • Specialized Security-Limited Functionality (SSLF) Or Custom – Includes systems in which the degree and functionality of the security don’t fit the Managed or Standalone environments.  It is a highly restrictive and secure environment.

Assessing Application Whitelisting Solution

The evaluating process includes the following steps:

1. Analysis of environment in which the hosts or the system will be functioning.

2. Consider whether a built-in application whitelisting or third-party solution are feasible

3. Test the perspective whitelisting technology in the monitoring mode to understand how it behaves

Planning And Implementation Of Application Whitelisting

For a successful planning as well as implementation of the application whitelisting, it is important to follow the step-by-step phased approached presented below:

Planning And Implementation Of Application WhitelistingInitiation

The initiation phase involves to determining the current as well as future requirements for the application whitelisting. It also aims to determine how those requirements can best be satisfied. The requirements need to consider are:

  • External Requirements – The enterprise may be subject to review by another enterprise, which requires application whitelisting.
  • System & Network Requirements – It is essential to understand the nature of these requirements to choose compatible solutions with the vital functionality. Factors to consider are:
    • Characteristics of devices, which require application whitelisting
    • Technical attributes of interface systems

Requirement Analysis Outcomes

  • Identification of types of applications / application components.
  • Determination of classes of whitelisting application, which should be applied to balance usability, maintainability and security.
  • Analysis of requirements documentations including performance requirements, security capabilities, management requirements, usability and maintenance requirements and the security of the technology.

Design

Once the requirements have been determined and the suitable technologies have been chosen, then the next action to focus on is designing a solution, which meets those requirements.   It is vital to make accurate design decision to prevent the application whitelisting implementation to be susceptible to compromise / failed. Major design factor to focus on are as follows:

  • Cryptography - It should be applied in three ways for the technologies. They are:

1. To create & verify cryptographic hashes for files & other application components.
2. To evaluate digital signature.
3. To protect the confidentiality & integrity of communication among the individual hosts & centralized management.

  • Solution Architecture - Involves the selection of software and devices to offer application whitelisting services & the centralized element placements within the available network infrastructure.
  • Whitelist Management - Involves the establishment of trusted publishers, updaters, users, etc.

Implementation 

Once the solution is designed, the consequent step is implementation & test of a design prototype. Initially, the action of implementation and testing should be performed on the test devices or lab. Only the application whitelisting solution in the final stage should be allowed to implement on the production devices. The factors of the prototype solution that need evaluation comprise the following:

  • Application Control Functionality
  • Management
  • Logging/alerting
  • Performance
  • Security of Implementation

Deployment

The next phase that comes after testing and resolving any issues is, deployment. An enterprise should follow gradual deployment from a small number of hosts. This will help to avoid several issues includes loss of availability. Most of the issues that happen are possibly happen on multiple hosts; hence, it is useful to determine such issues at the time of the testing process deploying the 1st hosts; hence those issues can be concentrated before widespread deployment. 

Management

The final stage is to ensure the long lasting. Managing an application whitelisting solution involves functioning the deployed solution & maintaining the architecture, software, policies and other solution components of the application whitelisting.

Some Typical Actions Are As Follows:

  • Updating the whitelist in order to add new / updated applications
  • Testing & applying patches to the whitelisting software
  • Deploying application whitelisting solution for additional platforms
  • Doing key management duties
  • Adopting policies as per the change in the requirements
  • Monitoring components for the security and operational issues
  • Regularly performing testing to guarantee that whitelisting is working properly
  • Performing regular vulnerability valuations

This article almost covers the basics of the application whitelisting and overview of the planning and implementation of the application whitelisting which are examined in the NIST Guide. 

Hack2Secure is as one of the few global vendors with capability to deliver End-to-End Information Security programs viz Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security requirements and Best practices. Connect with us to explore more.


Read More

10 Security Processes For Organizations To Adopt in 2017

As the technology continues to grow and evolve, businesses require focusing on the technologies range that they’re using and the day-to-day complications as well as problems that arise. Focusing their concentration on these things will support businesses to determine areas of both strengths and weaknesses. However, many companies do not have good enough security processes in place for preventing their confidential resources. For example, as per the statistic report of Barkly, the following chart illustrates that around 52% of organizations are not doing required security changes in 2017 even though they experienced an attack in 2016.

 Hack2Secure action plan for organisation in 2017

While businesses see security as essential, several may not completely understand how their enterprise is in danger and what step to take. Of course, most of the businesses have tried to determine the risks of cyber threats faced by their enterprise via audits or risk assessments and most possess some sort of controls or rules in place. Although these actions can still fall short to meet the ever-rising security demands. 

Businesses required to guarantee that their security processes are up-to-date as attackers continue to dig into new fields. Hackers use phishing or ransomware scams to attack organizations who mightn’t have the strong cyber security measures. There are several security compliance needs requiring to address. An organization must adopt proper security processes which stand agreeable to such fundamentals. Next, we are going to focus on some of the security processes that organizations should adopt in 2017 to ensure a secure environment for their businesses for current and future risks.

1. Possess A Security Strategy

Business should possess a security strategy mapped out that comprises: determine the assets that require protecting, assess how instant the threat is in the business & who requires access to particular details within the enterprise. 

2. Train Employees And Users

No matter how capable the users and employees, the human will be the weakest link in terms of IT security. Hence, it is important to train them regularly on the best practices of cyber security. The training should comprise how to identify a phishing email, generate & maintain strong passwords, stay away from dangerous applications, guarantee sensitive information isn’t taken and other associated user security risks.

3. Manage Paperwork

It is important to ensure security in both digitally and physically. The position of important paperwork or hard copies should be maintained properly because critical details may make attacking effortless if it becomes accessible by the wrong hands.
 

4. Update Software & Systems

With hackers constantly discovering new techniques and searching for new weakness, an enhanced security solution is only capable for so long. To prevent the business against security breaches, the organization should ensure that their hardware and software security is up-to-date with recent features.  

5. Make An Incident Response Plan

No matter, how well the organizations are following the security best practices and strategies, still they get breached. It is recommended to have a response plan that will support to limit the damage resulted from breach if happens and allows to remediate effectively. 

6. Create A Formal Security Governance Strategy

Develop and maintain a framework, which offers assurance security strategies are associated with and help the business is more vital than every advanced tool in the security stack. While selecting any of these methods, make sure that the program offers the capability to use a risk-based strategy and facilitates the team to find incidents, investigate efficiently and respond quickly. 

7. Encrypt The Data

Filesystems, stored data & across-the-wire transfers required to be encrypted with standard algorithms. Encryption supports to protect the sensitive data and prevent the data from loss and hacking.

8. Back Up Data

Organizations, which have been hit with Wannacry or Petya will tell the world how essential it is to ensure backing up the files. It is important for enterprises to maintain a complete working backup of entire data not only in the security hygiene perspective but also to meet emerging security attacks.

9.  Be Vigilant On Social Media

Most of the organizations now possess a social media existence. As like the personal information, the organization should be vigilant about details of the organization they share on social media. Hackers are capable to take the details that are displayed in social media and impersonate the business.
 

10.  Identify Insider Threats

While well-trained employee serves as the organization security front line, technology comes as the last line of safeguarding. Supervising the user activity prevent to avoid unauthorized behavior and check user actions to ensure there is no violation of security policy. In case if the insider threats are undetected, an organization might encounter a costly loss due to insider breaches. 

In short, the organization should follow some essential security processes to make the security a top in place in their business. Failing to follow these strategies could result in the severe security breach that could reach the organization out of business. We Hack2Secure has been offering the training and consultancy services to support organization to stay secure. 

Read More

Essential Components In The Aim Of Achieving Total Security In The Cloud

When using cloud services, ensuring appropriate security protection could ultimately support to reduce potential loss of business. When planning to shift to cloud computing, it is incredible to have a better understanding of the advantages of potential security as well as the risk associated with the cloud computing. Both the customers and cloud service providers include the responsibilities of maintaining awareness, setting priorities, weighing alternatives and effecting alters in privacy as well as security to prevent essential loss of control. 


Here are some of the security risks that need to be addressed to ensure secure cloud computing:

cloud security risk


Components To Consider For Achieving Total Cloud Security 

For transferring data and applications to the cloud, maintaining the security level is very critical. Here are ten essential components to consider for achieving total security in the cloud :

componets of cloud
1. Assure The Existence Of Effective Governess, Risks & Compliance Processes

Organizations establish compliance policies & procedures to secure their corporate assets and intellectual property in the IT environment. These procedures and policies, the company security plan as well as quality improvement process create the organization’s risk management, security governance, and compliance model. Similarly, in the cloud environment, it is essential to document SLA (Service Level Agreement) that includes these requirements.  This will support to ensure that the data and application are secured based on the security governance and compliance policy. 

2. Audit Operational & Business Processes

Auditing the IT systems compliance is an important action to guarantee in the industry, government or corporate policies and requirements. The security audit of operational and business process in the cloud service is also an important aspect when it comes in terms of security consideration. Audits must be accomplished by a skilled and experienced staff. In addition, security audits should be taken based on the security control standards. 

3. Maintain People, Roles & Identities

People accessing the cloud platform should be logged and monitored regardless of their entitlement and roles, to offer an audit of the entire access to application and data. It is important to have a formalized approach for handling the people who access any of the software and hardware to store, execute or transmit applications and data. The cloud service provider should demonstrate and disclose these approaches to their customer. 

4. Protect Data And Information 

Though the organization moved to using the cloud computing infrastructure, data remains the core of the information security concerns. With the distributed nature of this infrastructure as well as shared responsibilities, data and information require added focus. Security considerations need to apply to data at rest and data in motion states. 
 

5. Enforce Privacy Policies

Since data protection and privacy is demanding importance, involving regulations and laws associated with storage, acquisitions, and use of PII (Personally Identifiable Information) is recommended. The privacy policies should include the following aspects:

  • The scope of things to be protected
  • The objects to which the laws and regulations apply
  • The rules regarding the transfer of sensitive data to other regions
  • Whether the country includes the government data protection agency that includes special authority for data privacy.

6. Evaluate The Security Provisions

To safeguard the applications from a wide range of security breaches, it is incredible to understand the security provisions considerations as per the various cloud deployment models.  Each model, including IaaS (Infrastructure as a Service), SaaS (Software as a Service) and PaaS (Platform as a Service) includes different requirements and responsibilities of security. 

7. Secure Cloud Network And Connections

It is important to ensure only the legitimate network traffics are allowed and the malicious network traffics are blocked. Customers and cloud service providers are required to assess the external network controls as per the following areas:

  • Traffic screening
  • Denial-of-service protection
  • Intrusion detection & prevention
  • Logging and Notification

8. Assess Security Controls Of Physical Infrastructure & Facilities

In cloud computing, the information security system depends on the security controls of the physical infrastructure as well as facilities of the cloud service providers. It is vital to assess whether the following security controls are addressed:

  • Physical infrastructure & facilities must be placed in secure areas
  • Control of staffs working in secure places
  • Protection from environmental and external threats
  • Equipment security controls
  • Human resource security
  • Backup, continuity, and redundancy plans

9. Maintain Security Terms In The Service Agreement

The security service agreement should include the security responsibilities and aspects like the security breach reporting.  Evaluating and reporting the compliance of cloud service providers regarding the data protection is a crucial metric of the efficiency of the entire enterprise security plan. 

10. Assure The Removal Of Exit Processes  

From the perspective of security, achieving reversibility is important once the customer has finished the process of termination. It is essential to assure that the data copies are permanently deleted from the cloud environment (including backup locations & online data stores).

The security threats, as well as security requirements in the cloud environment, differ for different deployment models.  The steps to mitigate such threats and implement the security controls also vary depending upon the cloud service model chosen. The above essential components remain as the common approach to achieve the total cloud security.

Read More

An Overview On Incident Response Checklist

Planning as well as preparing for the surprising security incident is the greatest challenge, that IT professionals are facing today. A security incident is referred as the violation of law, policy or unacceptable action, which includes valuable assets. It is essential for the organization to come with a plan before an incident affects them. A perfect incident response plan can reduce the effects of the security breach and negative publicity. Furthermore, it is vital that a response plan is well-formulated, supported and regularly tested. Supporting with good policies are not enough for the successful, incident response, it requires checklist, procedures, tools, and training.

An incredible part of the incident response handling is the checklist. With the guidance of procedures, checklists offer direction for the incident handling team. Since the checklist requires frequent updates, they are often underutilized, overlooked or outdated in most organizations.  This article is about to make yourself understand the essential things about the incident response checklist.

Importance Of Incident Response Checklist

The checklist is used to reviewing critical logs while responding to a successful incident and also be applied for log review. A good checklist can address certain scenarios and break-down critical responsibilities into smaller pieces. It also supports the responders document the whole thing, which happens in an exact, standard as well as repeatable way. It will support the organization’s legal action. 

Guide To Create A Checklist

Deciding which topics to consider for a checklist can be complicated. It is essential to ensure that you have covered entire basis. There is no need to build so many checklists, which can overload the incident response team. Try to avoid creating an overly specific checklist, this will be less applicable to the varied scenarios. It is an ideal way to make a checklist for each threat which is widely faced by the enterprise. 

The initial objective of creating a checklist is identifying entire members of the incident response team. The next step involves providing employees with the written procedures of the incident response. 

Elements Of An Effective Checklist

  • The checklists should be maintained up-to-date to ensure that they are in the line of the policies and procedures of the organization and the industry best practices.
  • Only the major steps to be accomplished should be covered in the checklist.
  • The checklist should not exceed two pages.
  • Checklists should have proper approval (from management, human resources, legal, etc.) as like the policies & procedures
  • It is important to ensure that everyone involved in the task of incident response should be aware of the checklist in addition to the policies and procedures. Furthermore, they should aware where to determine them before a security incident happens. 

Things Should Not To Do With Checklists

  • Never use the checklists as the replacement for testing of or training on incident response plan
  • Checklists shouldn’t be excessively detailed. 
  • Avoid dictating response step-by-step since they can make checklist awkward. 
  • The checklist should be considered as the supplement of the decision-making of the incident response rather than replacing.

Incident Checklist Outline

The following are a walk through on the generalized incident response checklist.You can use these details as a starting point for your action of creating a checklist. 

Preparation

  • Identify ownership & responsibility for entire system of the organization
  • Clear communication channel
  • Incident Response plan aware of and potential to deal APT style attacks
  • In-house potentials or contract with partner for
  • Containment approach for APT
  • Legal Team
  • Press Team

Identification

  • Remote access trojan
  • Command & Control
  • Encrypted communications determined
  • Direct External Notification
  • Covert channel discovered
  • Data discovered outside the organization
  • Notification to enterprise staff should happen in a discrete manner
  • Host-based IDS/IPS alert of surprised data access, call, port open

Containment

  • Watch & learn Vs Disconnect
  • Extract & Find characteristic of adversary
  • Determine what is being theft
  • Determine legal ramifications
  • Is it proper to disconnect the whole segment from the network?
  • Contact Law Enforcement
  • Public Reporting?

Eradication

  • Imperative that entire affected systems be gathered, & complete forensic images build
  • Close the entire network courses of ex-filtrations
  • Close the entire course of re-infection
  • Remove entire C+C/ RAT/ Backdoors

Recovery

  • Close future network courses of ex-filtrations
  • Re-engineer systems to defense reinfection
  • Segment sensitive data to more restricted areas
  • Employ auditing for sensitive data access
  • Determine staffs in the environment who accidentally or intentionally supported APT

Lessons Learned

  • Measure executive stance towards information assurance and incident handling
  • Advance intelligence group for determination APT attack
  • A campaign to support staff members of various kinds of threats
  • Re-catalog & re-value possessions in front of APT approaches and targets
  • Progress methods for APT response
  • Combination of data from entire sources

The above information, offers the major actions to be performed in incident handling. The outline provides guidelines on essential things to be focussed while creating a checklist, it does not state the exact steps that must always be followed. They can vary according to the nature and type of the incidents.

Read More

Why SWADLP Certification Is Best Suited For Software Security Professional

Everyone aware how vulnerable today’s desktop, web-based and mobile applications to a security attack. There is an evidence that the majority of the security issues are resulted due to the human error. Hence, companies are now turning their attention to the literacy and skills of their workforce. Their primary focus is on the certain roles as well as expertise on the technical team.  For clearly finding the right competencies, organizations are now following the strategy of recruiting certified people with the security capabilities to perform at their extreme potential. 

Among the few outstanding certifications for infosec professionals, SWADLP (Secure Web Application Development Lifecycle Practitioner) yield the desired result in the software security. The main reason is that it is launched with sufficient knowledge of where the skill gaps in the professionals exist. SWADLP applied the best approach to pinpoint this security learning requirement to allow the candidates to evaluate their current implementation level skills in order to enhance their competency. An added benefit of this approach is that it amplifies the awareness of the employees on learning requirements and supports break-down any obstacles to learn fundamental security skills. The evolution of this course indicated raised awareness and skills of software security.

Thousands of professionals can have attained the hands-on knowledge of the secure software development lifecycle by the SWADLP which would encompass the best quality of security aspects to avoid the happening of security incidents. The certification exam encompasses the hard-headed questions to ensure the prerequisite security SDLC skill set of the candidate.

Why Is SWADLP Certification Best Suited For Software Security?

SWADLP claims that for dealing with the risk, it is essential to embed the security needs within every process of the software development rather than considered as a separate tower. It aims to make the technology professionals understand the risk in business and its association to security. This certification has been remaining as the ideal platform for the professionals to analyse where they in the secure software development and demonstrate their competency to the organization. The professional should have a thorough knowledge of the application security standards, best practices, threats, as well as assurance methodologies to face this certification exam. In this way, SWADLP serving hard to fill the security skills gap, thereby supporting the organizations to tackle the security challenges. 

SWADLP attempts to ease the beginning point and make it simpler for professionals who have the willingness and interest to hunt security professions and are looking for a turning point in their security career. It offers the exact way to advance in this domain with the right knowledge and skill set. Most of the software development organization expects the professionals who have the strong background in the secure software development. 

Outline Of How SWADLP Certification Support Software Security

SWADLP certification covers the world recognized standards and best practices in order to ensure the professional’s knowledge as well as understanding level on the secure software development requirements. The main advantage of this certification is that it evaluates not only the acceptable competency in the security concepts, but also to function well with applying the proper procedures to identify and resolve security related incidents if any. Systemized into seven phases of the software development, SWADLP provides the necessary strategy for building security into the software design, development, testing as well as maintenance. Its main goal is making the security professionals capable enough to meet the security requirement during the software development. 

Hack2Secure swadlp certification path
 

Let us have a look at the roadmap of the SWADLP certification


Phase 1: Security Awareness

For building a secure product, it is mandatory to have an adequate awareness of the IT security programs, various security assurance methodologies, and standards. The concepts covered in this phase will provide the details of basic security fundamentals and related attacks. It focuses to make them as the human firewall to defend against the cyber threats.

Phase 2: Building Security Requirements

It is well familiar that requirement gathering is the most critical to the victory of any major development process. This phase of the course aims to make the candidates confident in collecting the entire security needs up front. 

Phase 3: Ensuring Secure Design

Architectural and design mistakes hold the notable positions that lead to a security compromise. Implementing security in the design phase of the development requires the security experts and architects who master in the design principles. SWADLP supports the professionals to enhance their knowledge in this prospect to build a best possible scenario for ensuring secure design.  

Phase 4: Secure Implementation

Most of the security incidents roots from the defects present in the source code when designing, implementing as well as integrating applications. The effective training plan of the SWADLP allows the developers to known the essential to follow secure coding principles & how to apply them, then integrate them into software architecture elements. It also educates the programmers to develop secure code. 

Phase 5: Web Application Security Testing

This phase involves in the process of validating that the candidate is capable enough to ensure that entire security requirements that were mapped out at the initial stage of the development lifecycle are being implemented correctly.  It covers the methodologies to identify the threats as well as vulnerabilities in each phase of the development process and insist to correct them in good time. 

Phase 6: Security Review & Response

This phase focuses to enhance and evaluate the knowledge of the participants in detecting as well as responding to software security incidents to ensure that they having insight on real threats and risks to the confidentiality, integrity, and availability of the products. The knowledge gained from this phase can support to determine recovery and auditing requirements for systems. 

Phase 7: Securing Maintenance Cycle

It is common in operation that anomalies might be uncovered, change in operating environments and rise of a new requirement in user surface. This phase introduces the software maintenance fundamentals that include definitions, terminology, maintenance host handling, upgrade maintenance and much more.  

In addition to expanding the technical skills vital to develop a secure software, SWADLP helping the people to defend the networks and system from the today’s threats. SWADLP certification and training has been designed with the practical requirements of the professionals in mind; hence, they can deploy what they have learned directly to their office.

Read More

Skills Involved In Incident Response

Driven by enhancing sophisticated exploits as well as highly identified cyber criminals underground, the security breaches can demand an organization something more than the sensitive data. There is incredible to have a successful security program for ensuring secure endure of businesses. A security program should not only contain the ability to determine the vulnerabilities and reduce the influence through well-designed controls and architecture, but also the ability to respond to negative incidents when all else flops. This necessitates the organization to invest in incident response capabilities. They are also required to define as well as staff a team to rapidly understand the possibility and the influences of an identified breach. 
 

 What Is The Incident Response?

Incident response is defined as the organized strategy for addressing and handling the aftershock of an incident (also called as security attack or breach). The main goal of incident response is to manage the critical situation in a manner that reduces the recovery costs & time and limit damage including collateral damage to brand reputation. 

Skills Involved For An Incident Response?

For handling the incidents, organizations are in need to build a team commonly called CSIRT (Computer Security Incident Response Team). The team should include the set of skills as well as technical expertise to effectively respond to the incidents, communicate with the constituency and perform analysis tasks. The team should also be competent issue solvers and should effortlessly acclimate to change. In addition to this, some critical skills are involved in the process of incident response.  Being aware of, course of activities involved in incident handling, in addition, to prevent attacks from occurring or handling them from attaining worse, would support to achieve a sophisticated exploration of the skills required.  

  • Monitor networks and systems for intrusions
  • Determine security vulnerabilities and flaws
  • Perform risk analysis, security audits, penetration testing and network forensics
  • Perform reverse engineering proceeding with malware analysis
  • Develop a set of responses to address security problems
  • Generate protocols for organizational communication and handling with law enforcements when a security incident happens
  • Create an incident response plan, which includes the policies, procedures, security gap assessments, training, playbooks and table top testing
  • Produce technical brief and incident reports for administrators, management, and the end-user
  • Connect with other cyber-threat analysis groups
  • The followings are the basic personal and technical skills involved in the incident response process. 

Incident handling

Personal Skills

The incident response requires a wide array of personal skills since a major portion of the incident responding’s daily activity involves communication, presentation and more.

Communication - The effective communication skill is a critical element involved in incident responding. It is required to ensure that the team can effectively obtain and supply the information required to help. A large part of communication happens via the written word. The written communication can come in various forms, including:

  • Responses via email regarding concerning incidents
  • Documentation of vulnerabilities, incident reports, events and other technical details
  • Guidelines and notifications, which are offered to the constituency
  • Internal development of incident policies and procedures
  • Other additional communication to management, staff or other relevant agents

Hence, the staff of the incident responding team should be able to write concisely and clearly, explain the activities accurately and offer details that are simple to understand. Moreover, the effective spoken communication is also a vital requirement. This communication takes through face-to-face discussions or telephone exchanges. The staff’s method of communication, the tone of voice and the language should remain calm, professional and confident. 

Presentation Skill - The activities of incident response often need presentation skills required for a management or sponsor briefing, technical presentation, a panel discussion or some form of public-speaking engagement. 

Capability To Follow Procedures And Policies - Another notable skill required in incident response is the capability to follow as well as support the generated procedures and policies of the team and the organization. The staff should understand why and how the procedures and policies came into existence. They should be prepared to follow and accept the guidelines and rules to ensure a reliable and consistent incident response service.
 

Technical Skills

The basic technical skills have been categorized into two divisions:

             1.Technical Foundation Skills

             2. Incident Handling Skills.
 

1. Technical Foundation Skills

These skills need a fundamental understanding of the primary technologies and the issues, which affect the team or constituency. These skills are required to aware how software and systems are organized and how they function, the risks linked with the different technologies in use, & the approaches and strategies for securing, protecting and repairing the systems.

Security Principles - The team requires to have a basic understanding of fundamental security principles. This knowledge will help to understand the issues which can arise if corresponding security measure hasn't been implemented properly. 
 
Security Weakness/ Vulnerabilities - The skills in this area support to aware how the certain attack is injected in a hardware or software technology. The team should be capable of recognizing as well as categorize the most common kinds of weakness and associated attacks.  

Risks - There is incredible to have a straightforward understanding of security risk analysis. The team should aware the constituency of different kinds of risks. In addition, they should possess the knowledge of the network security concepts in order to recognize vulnerable points in the configurations of the network. 

Malware Analysis - The incident response team must aware how to achieve surface analysis to realize a malware, its characters and entire vital details from a high-range perspective.   They should be possessed with the skills to aware how malware attacks happen and are propagated, the damage and risks come with such attacks, mitigation and prevention strategies, exposure and removal processes as well as recovery techniques. 

2. Incident Handling Skills 

Within the wide array of technical skills, incident handling skills are subset involved in incident response. These skills are allied with the primary daily activities of the corresponding team.

Local Team Procedures And Policies - The team must possess the knowledge of the procedures and policies, which organizes the operation of the incident response activities. Each and every factor of the process will possibly lead back to a procedure or policy, which must be followed. The team requires this background knowledge and should possess a strong understanding of the guiding ideologies. 

Identifying/Understanding Intruder Techniques - The team should be possessed with skills on corresponding methods to prevent against the known threat techniques as well as the risks linked to the attacks.

Moreover, another incredible skill is the evaluation of and connection between the incidents to alarm a new attack technique, intruder tool, attack vector, etc. The staff should be able to:

  • Undertake technical evaluation of the intruder techniques and tools
  • Identify a new weakness
  • Determine new intrusion techniques as per the footprints & their effects

Incident Analysis - They must be able to analyse the incident and capable of finding the answers to the following questions:

  • Who is involved?
  • What time frame?
  • What has happened?
  • Where did the threat originate from?
  • Why did it occur?
  • How were the computer or application vulnerable?

They need to determine what important details are missing, the scope & effect of the activity and where the clarification is needed. They also require determining the attacks or tools used, time frames, the level of access compromised, implications or damage allied with the attack as well as the sites/hosts involved. 

Handling Of Incident Records - Another major skill required in the incident response or handling is the ability to maintain the incident records. To guarantee that these records are well-maintained, the team must aware the technology involved to handle the incident report records, aiding details and other associated files. The important thing to remember is that the incident records should be up-to-date, well-documented, and consistently maintained.

Whether you are a professional who is looking for a career in the security handling domain or responsible for forming an incident response team, just focus on the above skills to obtain a successful fit. 

Read More

Walk Through On Step by Step Action Plan On Incident Handling

Every day, organization across the world suffer-attacks, frequently resulting in the substantial brand damage as well as financial penalties. Even one security incident is enough for the customer to lose trust on an organization and shift their business elsewhere. An immediate response when a breach occurs is incredible to reduce the destruction and loss. Hence, it is important for the organization to have a process plan to deal with the misuse of networks and system, thereby they can immediately aware what to do in case an incident occurs. 

What Are Security Incident And Incident Handling?

A security incident is an intrusion to an event finding a violation of security policies, standard security practices or acceptable user policies. Incident handling is a term that denotes the response by an organization or person when a violation or intrusion is suspected. A careful and organized reaction to a security incident can touch the difference between total disaster and complete recovery. 
Every organization has its own method for determining, defining as well as responding to the destructions of its security standards and policies. Here we listed some of the fundamental incident handling processes 

Six Basic Incident Handling Process:

Hack2Secure Incident Handling

1. Preparation 

Broadly, addressing the security issues includes the procedures to prevent the attack and how to respond effectively to the successful attack. Some range of preparation is required to reduce the potential damage results from an attack. Preparation for the incident can be done in two ways:

1.By having comprehensive and clear security policies and the hardware as well as software resources to enforce them. 
2.By having an evidently defined plan for responding to incidents and a trained team, which can implement the plan.

At the time of successful incident, a rushed decision-making might not be operative. On the other hand, by establishing procedures, policies as well as agreements, in advance, we can reduce the incident counts. 

The active plan for the preparation process includes:

  • Apply proactive techniques to avoid incidents
  • Mature Management Provision for an incident handling competency
  • Form and organize the skilled incident handling team
  • Establish an alternative communication plan
  • Offer Easy reporting facilities
  • Arrange training for the incident handling team
  • Build guiding principle of inter-departmental cooperation
  • Pay specific concentration to associations with system administrators
  • Establish interfaces to law implementation agencies & another incident response team

2. Identification

It is not possible to respond to an attack or incident unless it is detected. The process of incident handling should pay attention to the sorts of security associated events, and mechanisms in both hardware and software. It is also essential to concentrate where it is possible to detect the destructions of the security policies. In case the network comprises segments, which are not passive or even actively monitored, then it is essential to note that down.
 
The identification process includes the action of identifying whether an incident has occurred or not and in case one has happened, finding the nature of that incident. Usually, identification starts after noticing an anomaly in the network or system. This phase also covers informing as well as soliciting support from experts who can able to handle and resolve the issue. 

The activity plans covered in this process are:

  • Allocate a skilled person to be in charge of the incident
  • Determine whether the event is an incident or not (keep in mind that all the events are not the incidents.)
  • Keen to keep a verifiable chain of problem
  • Co-ordinate with the person who offer network services
  • Notify appropriate officials

3. Containment

Once an incident has been determined, proper actions must be started to reduce the influence of the attack. Containment involves the administrators or user to take actions to prevent remaining network and systems from the incident and limit damage. The main goal of this process is to prevent the attack from getting worse.

The activity plans in this process include:

  • Engage team to survey the situation
  • Maintain a low profile
  • If possible, avoid potentially compromised code
  • Back up the system
  • Identify the danger of continuing operations
  • Continue to discuss with system owners
  • Change passwords

4. Eradication

The eradication process involves in eliminating or mitigating the factors which resulted in the compromise of security. System security compromise can be distressing for the system owner and organisation. In case the incident handling team doesn’t adequately eradicate the issues of a successful incident, and in case another compromise takes place, then the management legally question the capability of the incident handling team. 

The activity plans involved in this process are:

  • Determine source and symptoms of the incident
  • Enhance defenses
  • Perform vulnerability analysis
  • Remove the source of the incident
  • Locate the recent clean backup

5. Recovery

The goal of the recovery phase is to fetch affected components back into the production atmosphere carefully, to ensure that it won’t lead another incident. Proper test, monitoring and validation of systems are incredible to put it back into production in order to verify that they’re not being infected again by malware or by some other ways.

The important decision to implement at this phase are:

  • Time & data to restore the operations
  • How to test & verify that the infected systems are clean as well as fully functional
  • The duration of intensive care to perceive for abnormal behaviours
  • The tools to monitor, test & validate system behavior

6.  Lessons Learned

The main goal of this phase is to learn a lesson from the incident. That lesson will support to perform better action in the future. Executing follow-up activity is one among the most appreciated activities in the incident handling. Organization, which follow up after the issue have been controlled can enhance their incident handling ability. The follow up action also supports to accuse those who have cracked the law.

A plan for incident handling is something that the organization must have in place. Follow the above step-by-step action plan to proactively defend your business against highly dangerous cyber-attacks, now and in upcoming years.

Read More

Why Employees Are The Weakest Link In The Defense Against Ransomware

Parallel to the phishing attacks, ransomware is undoubtedly the most profitable and successful style of attack for the cyber terrorists. It is estimated that this attack cost targets nearly $1billion across the world. Instead of collecting the money, this bigger threat, leaving the company alone, few new alternatives are found to abolish the data as opposed to encipher with no ways of recovery. Uninformed and negligent employees can put the organizations in risk of ransomware. This situation leaves the organizations pondering what the next progression could bring. 

This attack comes with a far-reaching impact on the people and business. It is not just demanding the hard-earned money, but also the reputation as well as jobs. Ransomware possibly happened via phishing emails, which occurs by made the employees click the infected link, possibly a malevolent Microsoft Word file that enables the ransomware. This enforces to aware the fact, “Employees are the weakest link in the defense against ransomware”.

A report called, “The Rise of Ransomware” released by the Ponemon Institute also claimed that the employees are the weakest link that enables ransomware. They conducted the survey with 618 persons in the organizations who possess the responsibility for covering the infections of ransomware within their company. As per the report, here is the graph that depicts how confident that the employees can detect infections that result in ransomware attack.

Employee confidence

As shown in the graph, only 9% of persons are very confident and 20 % are confident that their workers can detect infections that could result in ransomware attack.

How Employees Place Companies At The Ransomware Infection Risk

Usually, ransomware enters into IT systems via phishing emails triggered by the employee. The important fact to consider here is that the most of the employees aren’t very well-versed in differentiating the legitimate emails from the fraud ones, which intends to inject malicious program onto their systems. The injection can be done by appending a call-to-action, making recipient to open an attachment, which includes a malware. If the malicious software or file gets installed onto the system, the malware starts to disable the function of the system and preventing the legitimate user from opening certain important files or from accessing those files.

Another way that causes the ransomware infection includes emails offering a URL, which recipients are prompted to click. Generally, the URL appears like a well-known and popular website. Hence, the recipients have no clue that there is something risk with the website. Once the URL is clicked, it will go to the malicious website and the malware is automatically installed on the computer. Once the malware gets installed, it includes the capability to spread across entire systems that it is linked to, thereby infecting as well as blocking the access to the whole network. 

Employee activity

With the reference to the report, “The Rise of Ransomware”, the following graph illustrates the activities of employees in an organization that possibly paves the way for the entry of ransomware attack:

60% of the employees using the third-party applications such as Slack, Dropbox, or Spotify on their business computers. 59% of employees used to click the link without ensuring its security for their personal use. 58% of employees are caught by social engineering or phishing scam, which appears like a legitimate business request. 57% of employees using their business computers to access their personal emails or social media accounts during working hours. 

How To Stop Employee’s Risky Behaviours To Prevent Ransomware

Entire organizations, regardless of size, should consider enhancing a data security culture to prevent from ransomware. Here are the three effective ways to make the employees to defenses against this attack. 

Training For IT Security Employees

1. Training

Offering employees with interactive training resources like webinars and seminars will benefit to support their own data security. Making employees more security savvy against the cyber threats can facilitate to defend the company’s information as well. 

2. Empowering

Communication from higher management level on the risk of cyber threats as well as the serious role every individual play in safeguarding the customers’ and business’ data. It is important to make the employees feel that cyber security is a threat to them. Encourage them to be vigilant as well as report issues to IT.

3. Incentivize

Incentivization or Gamification can really be the best way to solidify the security culture among the employees.  For example, implementing a scoring system for the employees who are reporting the doubtful emails to the security department. This approach can make every employee to carefully watch the security issues for the company. 

Hope you understand the risk of leaving the employees unaware about the ransomware attack. Take a step to make your employees aware of the risk and prevent them from leaving your organization vulnerable to the ransomware. It is the first step of defense.

Read More

Following Challenges for Application Security in Cloud

The advantages of cloud infrastructure such as enhanced productivity, efficiency, agility, and cost saving made the cloud influence the IT industries. Though cloud computing comprises the capability to share services and information using the internet without any requirement of physical infrastructure, it includes the vulnerability related to security threats that must be addressed. As services and information are shared over the internet, it is important to understand the security challenges associated with the application.

Regardless of where an application is placed, ensuring application security remains a major concern. It is the security concern that requires a great attention of organizations.

Applications On Cloud Are Exposed To A Broad Range Of Threats

Recently the primary attack surface has transformed to the application layer from the network layer. This is because the service interfaces and operating systems exist in the cloud have been toughened to expose a minimized profile. Therefore, attackers target more on the application framework or application logic than the server exists behind the toughened network perimeter. Though several applications are generated in-house, developers rarely focus on security and it potentially results in the security issues throughout the entire application lifecycle. Moreover, the wider acceptance of cloud technology means that attack routes are enhancing as applications influence external service providers for the platform, infrastructure, and software.

Generating a complete patch management system is essential; however, practically this approach ends up with costly and difficult. Typical applications are developed on the open source components by the 3rd party developers who depend on open web frameworks. While with the shorter development time and interoperability, it results with the expensive patch management to address security vulnerabilities. A mistake in one module of open source program should be patched for every instance it’s involved with. Hence, when it comes to a public cloud environment, with dynamic application frameworks and infrastructure, this can become very hard to handle.  

Application Security In The Cloud: Who Is Responsible?

A common question that several organizations arise is, Who is responsible for application security handling in the cloud? Is the application owner or cloud service provider owning this?

Application owners are responsible for the security of the applications, which resides in the cloud infrastructure. This is because the cloud service provider includes no visibility into the things happening at the application layer.

The following diagram shows which portion of the security relies on whom.

Security Relies

Following Challenges For Application Security In Cloud

In addition to open up a new trend for access, storage, productivity and flexibility, cloud also opened up several new security concerns. Here we listed some application security issues. Being aware of application security issues can support to build the effective cloud security strategy to prevent your business. 

1.  Application Vulnerabilities

Vulnerable applications are applications, which includes errors and faults that can perform malicious actions. It may involve accessing confidential data, stop a legitimate service to affect proper functioning, perform unwanted actions or send malicious applications to the devices. These applications are susceptible to hackers searching to exploit as well as attack. OWASP analyses such kind of weakness and exploits and publish OWASP top 10 list. Generally, entire application vulnerabilities in the traditional environment apply on the cloud computing infrastructure and the most predominant cloud-based application vulnerabilities are as follows:

  • Client-side injection
  • Server-side injection
  • Session Management
  • Logical Mistakes
  • Exposure of valuable data

2. Malware And Spyware

Another notable application security problem that affects several users and must be addressed before deploying an application in cloud infrastructure is the malware. Malware injections are codes or scripts embedded into the cloud services, which serves as valid instances and execute as SaaS to the cloud servers. In other words, the malicious scripts can be inserted into the cloud and appeared as the portion of the service or software, which is functioning within the cloud server themselves. In case the injection is executed successfully, the cloud starts functioning as per the malicious code. Thereby attackers can eavesdrop, influence the confidentiality and integrity of the data and steal data. The malware injection threat has become one of the major security issues in the system of cloud computing.
There is also need to focus on Spyware. It collects and uses the private and personal details like contact list, location, email and photos without any proper permission and uses these details in future for unwanted actions like cash fraud.

3. Bad BOTs

Recently, most visitors of the websites are BOTs. Approximately 30% of traffic results from bad BOTS or non-useful BOTs. While people do not think them as a security issue, yet, non-useful BOTs can have wasted 30% in server resources, leads to huge productivity loss. Bad Bots should be considered as the malware since they can inflict havoc on networks and computers. They can waste valuable resources, flood sites with DDoS (Distributed Denial of Service) attacks and steal proprietary information. 

4. DDoS Attacks On Application Layer (Protocol Or Volumetric Exploits)

Protection from application layer DDoS attack has become a major consideration for the cloud service provider and application owners. 
Dissimilar to other cyber attacks that are focused on hijacking sensitive information, DoS assaults don’t try to influence the security perimeter. Instead, they try to make the servers and websites unavailable to authentic users. In some worst cases, the DDoS attack can be utilized as a cover up for other unwanted activities and affect the security appliances. 

5. Insecure APIs

Application Programming Interfaces offer users the chance to personalize their cloud experience. Keep in mind that APIs can become a threat to the cloud security because of the distributed in nature. APIs not only involves in offering the companies the capability to personalize features of the cloud service to meet the business requirements but also provide access, authentication and power encryption.  The vulnerability of the application programming interface present in the communication, which occurs between applications. APIs offer programmer and businesses the tools to create their code to incorporate their application with other critical software. While this can support programmers, they also include exploitable security risks. 

The above application security challenges can be hard to find and offer greater harm for the organization and users. It is best to stay ahead of the attackers to ensure that you mitigate them before attackers find & exploit them. 


https://www.online.hack2secure.com/courses/live-online-web-application-security-testing-wast

Read More

Understanding SQL Injection Attacks

Every day countless of web servers, as well as systems, are explored, scanned and attacked. Now the attacks have exceeded beyond worms and viruses. Particularly, vulnerable to hacker are a web application, web server security, application security software and entire website security. SQL injection is the most malicious hacking method. It is also referred as inference attack. The effectiveness and versatility of the SQL injection make it most preferred choice among the attackers.

In this attack, the hacker appends SQL query code as an input to a web form to gain access or alter the resources or data. 

What Are SQL Injection Attacks?

SQL injection technique exploits how the web pages of the target website communicate with its back-end databases. In a worst case, the hacker inserts some SQL statements into the web application via the web server and obtains the answers to those queries or achieve the execution of other related SQL statements. In case web application trusts the input entered by the user and doesn’t validate the details at the server, it is possible to be exploited by SQL injection attacks. When it comes to the data breaches situation, the SQL injection includes three main uses:

1. Query-sensitive data from databases
2. Alter significant data within databases
3. Provide malware to the application or system

Why SQL Injections Matter?

Still, the SQL language remains as the dominant way of inserting, retrieving and filtering data in the database. Even a loading of single web page requires loads of SQL queries to execute regardless of the size of the website or business. Hence, just armed with a web browser, an internet connection and some core knowledge of the SQL, cybercriminals can exploit the weakness in the web application by extracting data, determining or resetting user or admin credentials and utilizing it as an entry point for severing assaults on the network. Based on a report by Verizon Business, nearly 24% of payment card breaches happen due to SQL injection attack. This attack occupies the second position next to malware in terms of card breaches. 

Keep in mind that, this attack can function in any kind of SQL database; however, PHP-based websites are the major targets since they can be formed by anyone (for example, WordPress) and frequently includes plenty of valuable details about the clients within their database. 

Types Of SQL Injection Attack

SQL injection attacks can be categorized in various ways, according to the response received from the server, the sort of data withdrawal channel, impact point, injection point location, the intent of the attack, etc. 

Response received from the server:

  • Blind SQL Injections
  • Boolean-based blind injections.
  • Time-based blind injections.

Error-based SQL injections:

  • Union query type
  • Double query Injections

Sort of data withdrawal channel:

  • Inline
  • Out-of-band

Impact point:

  • First-order injections
  • Second-order injections

Injection point location:

  • Injection through user input form fields
  • Injection through cookies
  • Injection through server variables

Intent of attacking:

  • Identifying injectable parameters
  • Determining database schema
  • Performing database fingerprinting

Extracting data:

  • Adding or modifying data
  • Executing remote commands
  • Bypassing authentication
  • Performing privilege escalation
  • Evading detection
  • Performing denial of service

Damages Caused By SQL Injections

  • Stealing of user credentials like a username and password for criminals or commercial purpose and completely rubbing out of details or ruining the pages of the website.
  • Corruption of complete database as well as deleting of entire backups
  • Silent spying as well as monitoring activities by competitors.

SQL Injection Example

Generally, when a user of the website enters data into a front-end form on a website, then a SQL query is generated and sent to the database. For example, consider a logon form that submits the username and password submitted by the user to the database via a SQL statement. If the inputs are valid, the database responds and display the details required, whereas the inputs are not valid, the database shows an error message.

SQL Query Processing:

The below HTML code asks login information from the user:

Sql Processing
When the user clicks the login button after entering the logon information, the browser submits the following string to the server that includes the logon credentials:

sql processing 2

Let us consider, the SQL statement at the backend for validating username and password:

sql processing 3

If the user enters the information as shown below:

  • Username: admin
  • Password: E5gh@

The statement to be executed would be
sql processing with password

Let us see how the SQL injection activity happens. The diagram shows the steps that attackers were taken to exploit the authentication flaws related to username:

Example:

after sql processing

The Login Form:

the login form

 

Generated SQL statements and background process:

Generated SQL Statements And Background ProcessThe input bypasses the username condition by placing a single quote, making username field as blank. Now, second condition can be replaced as OR one equal to ONE, which is logically always true. We can see, two conditions are placed, and OR operator tells that at least one should be true. 
Further, it bypassed other originally placed SQL conditions, by placing two dashes and a space, telling the interpreter that remaining data is a statement, and needs to be ignored. Additional One after space is just to avoid any confusion with respect to spaces.
Here, we can see all logical conditions and requirements are completed, and original AND condition, along with password requirement is bypassed.
As a result of this execution, the attacker logged into the admin page:

width: auto; height: auto

Preventive Steps Against SQL Injection Attacks

Organizations can focus on following steps to prevent them from SQL Injection Attacks:

Never trust the user inputs – It must always be validated before use in SQL statements.

Stored procedures – These can abstract the SQL statements & consider the entire input as just parameters.

Prepared statements – It involves creating the SQL query as a first action and then treating entire submitted data as parameters. It has no influence on the SQL statement syntax.

Regular expressions – It is used to detect the harmful code and eliminate it before the SQL statement executions.

Proper error Message – This policy states that avoid revealing sensitive details and the location where the error happened on the error message.

Limited user access rights for database connection – Only required access permissions should be provided in the accounts for making a database connection. This can support minimize the SQL statements that execute dynamically on the server.

In SQL injection, hackers can trick interpreter by pushing some logical sequences of characters, along with standard commands, or keywords as per parsing engine. Hope the above details on the SQL injection attacks provided you a clear understanding on how it’s working and how to prevent it from happening.


Read More

How To Protect Yourself From The Global Ransomware Attack

Cybercrime has been expanding upward and Ransomware is one among the dangerous cyber threats, which affects both consumers and organizations. Ransomware is a type of malicious software, which involves taking the system as a hostage and keeping it for a particular reason.  

Organizations and consumers require to be fully aware of the risk posed by this attack and develop defenses on ongoing priority. There are some multilayer approaches that can reduce the chance of attack. However, understanding the background of this attack can support to adopt the best practices. Let us begin with what ransom attacks are.

What Are Ransomware Attacks?

The ransomware attack is about to lock the target machine by encrypting its data to prevent the owner or user from using it until they accept to pay their demands. This malware is often spread by web pop-ups or email comprises locking features and threatening to abolish people’s data if they’re not agreed to pay. This global cyber-attack has transmitted over 200, 000 computers over 150 countries including, the U.S, Canada, UK, and Italy.

The following pie chart depicts the infection of ransomware by region during January 2015 to April 2016, as per the report of Symantec.

most countries affected in ransomware attack

In addition to the consumer, almost every sector of the organization has been targeted by this attack. Symantec analyzed and reported the statistic details of known sectors which encounter ransomware attack during January 2015 to April 2016.

The following diagram illustrates the statistics:

organisations

Factors Stimulating The Growth And Persistence

In recent times, several numbers of the key factors that drive the growth of this infection.

Here are some of them:

  • Strong Encryption Implementation – Support attackers to create robust threats
  • Arrival of cryptocurrencies – Operates as an alternative for traditional financial system
  • Effective infection vectors – Includes Malicious emails, Exploit kits, Malvertising, Brute-forcing passwords, Exploiting server vulnerabilities and much more.
  • Advanced attack techniques – With legitimate tools, attackers can hack the network by exploiting their vulnerabilities. 
  • Ransom-as-a-Service – Rise of RaaS has allowed even a little-skilled hacker to distribute the malware.

Severity Of Ransomware Attacks Over Traditional Security

The organization generally invests in the security solutions to prevent them from the ransomware infection. Based on the survey of barkly, the infections have successfully bypassed that solutions.

The following graph illustrates the protection gap as per the report:

bypassing

A surprising fact as per the survey is the half of these organizations react with double their investment in the same above-mentioned poor-performing solutions.

Here are the details of the investment: 

investment for infosec

How To Protect Yourself From The Global Ransomware Attack?

Hence, in order to effectively prevent the infection, it is essential to choose the proactive preventive measures in addition to the basic security solutions.
The simpler proactive methods to prevent the infection are focusing on the main delivery channels of injection and taking steps to prevent it from achieving a beachhead.

Preventing this infection involves focusing on the following things:

1. Preventing malware from being distributed via email
2. Preventing malware from being distributed via exploit kit
3. Preventing malware from beginning on an endpoint

1. Preventing Malware From Being Distributed Via Email

Email is the first infection vector for malware, a proper step should be taken to avoid getting wrong emails as well as clicking the link should not cause a data encryption disaster. As we aware that email filtering includes the holes of bypassing the attacks, there are some approaches that are proven to be effective to some extent.

These include:

  • Avoid clicking on the links without analyzing their URL
  • Avoid opening attachments from unconfirmed sources
  • Don’t share sensitive details over email
  • Don’t feel shy to report any phishing email
  • Have a limit of sharing office messages
  • Train your employees about the phishing emails with examples

2. Preventing Malware From Being Distributed Via Exploit Kit

Second dangerous infection vector is exploited kit or web drive-by. This involves infecting the victims when they accessed a compromised program or website.

There are two possible ways to prevent from attack via exploit kit:

1. Installing ad-blocker that can prevent the user from malevolent web advertisement.
2. Enhance the patch management.

Based on the complexity and size of the organization, maintaining the applications and systems updated can also support to prevent this attack.

Some of the frequently exploited vulnerabilities are:

  • CVE-2002-0953
  • CVE-2011-0877
  • CVE-2001-0876
  • CVE-2003-0818
  • CVE-2015-0204
  • CVE-2015-1637
  • CVE-2001-0680
  • CVE-1999-1058
  • CVE-2002-0126
  • CVE-2012-1054

Focusing on patching these vulnerabilities can influence a lot in your preventive measures.

3. Preventing Malware From Beginning On An Endpoint

Enhance the system capacity to make it harder the ransomware to encrypt its data and run effectively. The main thing here is, made changes in the computer system in the prospect of defence. The defence feature of the system should take steps automatically to stop the unwanted behaviour in addition to signalling about the presence of these behaviours.

Some of the adjustment needed to do in the setting of the system includes:

  • Disable MS office macros
  • Block executable files from running by following software restriction policies
  • Personalize anti-spam setting
  • Disable Windows PowerShell    
  • Deactivate AutoPay
  • Block known malevolent The Onion Router (Tor) IP addresses

Keep in mind that security is not about fixing in one single solution. It is about reducing the risk incrementally.

Ransomware severely relies on users not taking defense measures when managing suspicious files or links. Hope, the above information will help you understand the real facts and hint on where to start! 

Read More

About Petya Ransomware Attack And Know How To Prevent

In recent times, cybercriminals disturb the digital world with their favourite business model, called, ransomware. Next to ‘WannaCry’ outbreak, ‘Petya’, a new ransomware weapon has made an international stimulation. On June 27, the Petya seized the global attention with some severe attacks in several countries including Europe, France, Denmark, the United States and India. Initially, when the threat takes place in Ukraine, several security experts found some similarities to the recent ransomware attack WannaCry.  

Petya attack involves that virus moving from one system to another within an infected enterprise; however, isn’t searching the World Wide Web for targets.  The security experts all over the world involved in great research to understand this recent threat. Since the experts have a lot of conflicts regarding the background of this threat, here we presented an overview of Petya with the details available up to now.

What Is Petya Ransomware?

Petya is a kind of ransomware that includes some similarity with the WannaCry attack. Kaspersky a security research company states that Petya threat could be different from Petya.A, PetrWrap or Petya.D.  This vicious kind of virus locks the hard drive and files on the computer with the help of encryption techniques. As of now, there is no effective tool to decrypt the settings. 

Here is a screenshot of the message displayed on the screen when it was hit by ransomware.

PetyaMassage

( Img source: technet )

Symantec, a security company confirmed that the Petya threat uses the exploit called “External Blue”, which was thought to have been generated by the US National Security Agency. And it was believed to be leaked in April 2017 by a cybercriminal group called Shadow Brokers. The main thing should note here is that the Microsoft has been fixed this vulnerability in ‘Security Update MS17-010’.  Machines that are protected against this vulnerability with ‘Security Update MS17-010’ are not infected by this certain spreading mechanism. 

However, Petya comprises some other tricks to spread inside the networks. Group-IB, Russian security company states that this threat used “LASDUMP” tool to gather the password and valuable details of the Windows systems and domain controllers over the network. 
This ransomware threat tries to encrypt the files with the file extensions that are listed below: 


 
Distinct from ransomware, Petya doesn’t add a new file extension to the encrypted files. Rather than, it overwrites the encrypted files. 

Enumerated Petya Technical Breakdown:

  • This version was hit on 18th June 2017
  • It scans the local network and attempts to spread by WMI calls and PsExec calls
  • It uses API calls to link Active Directory as well as DHCP environments
  • It uses a modified version of Mimikatz to scrapheap admin credentials

How Petya Differs From WannaCry?

The main difference between these two threats is their way of spreading. WannaCry uses one vulnerability whereas Petya uses multiple vulnerabilities. Next, WannaCry includes only encrypted files as the locking systems, but Petya includes something more than that. 

Who Are The Victims Of Petya Cyberattack?

The exact scope and size of the threats are still being researched; however, what official statements express is that it first took place in Ukraine. Next, it spread to the systems in the worldwide. It affects industries and business across the U.K, U.S, Denmark, India, Germany, France, New Zealand and Australia as per the report by CNN. The criminals had even attacked Mondelez, a snack enterprise that owns Cadbury and Oreos stuff. Most of the attacks are happening in random with targeting random email or IP address. People from all criteria get whacked with this threat, including small organization, large organization, physicians’ offices and even police departments.

How To Prevent From Petya?

In addition to the general tips to protect against ran    somware attacks that we discussed in our previous blog, Petya requires some additional tips:

  • Educate your employees with Staff Phishing Awareness programs to train them to identify suspect emails. In addition, make them aware of the impacts of clicking any unwanted links and opening attachments from unauthorized persons.
  • Ensure your computer is updated with Microsoft MS17-010 security or disable SMBv1 to prevent the Petya from spreading.
  • Guarantee entire critical security updates are applied rapidly with the stronger patch management process.
  • Ensure that your network is installed with recent antivirus that includes the definitions to detect as well as prevent the latest threats. You can also think about the using of Petya Infection Blocking as an alternative to Anti-Virus.

What To Do If You Suspect Your Device Is Influenced With Petya?

Don’t power back the computer or reboot your system; since the threat makes its damage at the sequence of bootup. It includes running of fake CHKDSK/CheckDisk with a fake warning as shown below:

( Img source: itsecurityexpert )

If you find any message like this, immediately power off the system and connect with Incident Handling Team or IT Security Office in your Organization.   

Recently, the Petya ransomware attack sounds to be spreading rapidly and indefinitely. It is essential to remain cautious against these kinds of attacks and make sure that the protections are implemented. 

Read More

DDoS Attacks Are Possible On Web Applications

For many people who want to succeed in their online business, a DDoS (Distributed Denial of Service Attacks) attack would remain as the nightmare. Not only the sales and reputation, it can ruin everything they worked hard to build. Hackers can make a web application temporarily unavailable with the DDoS site. It can slow down a website.  

What Is A DDoS Attack?

There exists an enhanced array of attack vectors built to disturb the proper working of websites and web applications. These disturb are commonly known as DoS (Denial of Service) attack.  They are generally grouped with a single attack source. The situation where DoS attacks are stimulated from several sources opposed to the same victim, they are mentioned as Distributed Denial of Service (DDoS).  Traditionally, this attack has been allied with botnets, which is a huge network of the victim systems (ranging from a hundred to more than ten million) that are controlled remotely. 

Who Should Be Concerned About A DDoS Attack?

If you are functioning a gambling, financial service, high-income, competitive niche or a huge customer database website, you’re much more likely the target of the DDoS attack. The most common DDoS attack destination includes file sharing websites, the Internet, service providers and Domain Name Services. 

As per the report of Akamai, here is the statistical report of targeted industries:

industry affected by ddos attack

Effects Of DDoS Attack

In case this attack successfully overloaded a system along with good traffic volume as well as consumed critical resources like disk storage, bandwidth, database connections, CPU memory, etc., the intruder can restrict legitimate handlers from accessing the system. Moreover, these attacks can deadly damage an entire network. It also includes the ability to wear router processing capacity and even resources to cause the network stack. Consequently, they can lead to bandwidth collapse or fatigue. 

In recent times, the brand and business depend on the online presence, hence a protracted downtime could result in some costly effects. The hackers generally ask for ransom to quit their DDoS attacks. On the other hand, cyber terrorists and hacktivists are the attackers normally build the DDoS attacks to garner publicity or as an act of revenge.

Types Of DDoS Attack

DDoS attack vectors and techniques besieged at web application can be divided into three main categories:

Hack2Secure explains Types Of DDoS Attack

1. Volume Based DDoS

These kinds of attacks are altered to saturate the hosting infrastructure bandwidth of the web application by directing high network traffic to the victim. Volume based attacks are simple to initiate and don’t need identification as well as application weaknesses exploitations. At present, this sort of DDoS attacks has constructed hundreds of gigabits volume of traffic per second. Moreover, they have disturbed some of the world’s largest Internet providers.

2. Layer 3 DDoS Attacks

This sort of attack generally targets weakness and nuances in the TCP stack, which handles data transportation between the operating systems and infrastructure devices of the web application. Hackers promote specially designed packers to cause overflow or disturb TCP state details. This, in turn, causes additional work for the target device’s network processing functions and slow down the responses. 

3. Layer 7 DDoS Attacks

These attacks target a certain weakness in the web application configuration and intermediate supporting services. This would slow down, hang or crash the applications. In many cases, these attacks operate HTTP requests, which is sent to the web servers, exploits the vulnerabilities present in the custom code, web server software or business logic of the application. Since they focus on the certain weakness present in the code and logic of the applications, it is trickier to combat these attacks with filtering technologies. 

DDoS Protection

The DDOS protection refers to a series of actions that attempt or try to resolve the above-mentioned problems. It also protects the network from future attacks. Since the DDoS attacks differ in method and type, we can’t stop them all in one single solution. However, a proactive guideline can support to avoid this attack. Here are some of the useful recommendations to avoid the influence of DDoS attacks:

1. Conduct a Risk Assessment: Identify an important application and data of the enterprise and the potential impact that various attacks cause on the enterprise. 

2. Create a formal DDoS incident response procedure: Make sure that the incident response procedure includes preparation guidelines and attack response.

3. Deploy a layered DDoS preventive strategy: While preparing a strategy, consider the entire factor of the environment. Also review cloud, on-site and ISP-based solutions. 

4. Know ISP Options: Create an accurate list with names & contact details for entire ISP and 3rd party providers; hence, you can contact them in any emergency situation.

5. Learn Lessons: After an attack, irrespective of the result, learn something that could be useful in handling future attacks.

6. Test the environment – Regularly test the exposed systems to determine, and avoid weak points and limitations before grabbing hacker’s attention. 

7. Leverage handled security services: Assess the offerings of, any DDoS protection services provided by the security service provider.

Because of the raising possibilities of DDoS attacks on the web application, the organization should concentrate on the effective measures to prevent the attack. It is essential to find out an out-of-band preventive and management solution. 


Read More

5 Step Process To Adopt Secure SDLC In An Organization

Every organization today is looking for ways to ensure and assure Secure Product. The trend now is to adopt “build-in” Security measures instead of spending money on “bolt-on” Security measures separately. It is ideal to adopt Secure SDLC as a process to integrate the required security controls at the appropriate level of the software development. 

Typically, companies handle a structured approach to delivering the product as per Client requirements. Since Software production structure varies from one organization to another and depends on several internal and external factors. It is required to ensure Security is adopted as a process integrated with existing workflow and methodologies.

sdlc process to follow

Now, if we want to adopt Secure SDLC as a process, we need to ensure below 5 Steps are followed, measured and effectively ensured.

1. Identify And Equip Key Resources & Stakeholders

Building Team is the first and most crucial part of Secure SDLC process implementation project. We need to ensure the correct resources are identified and structured based on the requirements of the secure SDLC to make the outlook for success. The number of stakeholders and resources will vary from one organization to another, depending on the software development strategy that it follows. However, we need to ensure team consist of individuals of different Role and Department. Here, individuals with Technical Expertise are equally important as that from the Leadership Team. Here is how your Secure SDLC Task

Force could look like:

position for cyber security professionals
Figure 1: Secure SDLC Task Force

 

Roles & Functions

Director

The director is responsible for the control, superintendence, and direction of the businesses and activities of the company.


CISO 

The chief Information Security Officer is a senior level executive. He is responsible for converting the complex business problems into effective security controls.


Project manager

The project manager is an individual who possesses the roles of planning, structuring, managing, handling, reporting as well as communicating on entire phases. 


Security Manager

Security Manager organizes and supervises the entire security activities of the company.


Risk or Compliance Officer

Officer manages the Corporate compliance program. He reviews and assesses compliance problems within the company.


Project Leader

The project leader is responsible for offering the functional subject matter knowledge and functional accountability and ownership for the results of the project.


 Assurance Team

The assurance team plan, direct and coordinate assurance programs to ensure products meets the certain standards. They also formulate the control policies. 


Architects

Architects create or select the appropriate architecture for systems, such that it matches business requirements, satisfies stakeholder needs and attain the expected results under certain constraints. 


Developer

Developers are persons concerned with the duties of secure design, test as well as maintenance of the program for the product.


Functional QA 

Functional QA assesses the products to ensure that it meets the business needs.


Regression/ Maintenance QA

Maintenance QA supervises the company’s security maintenance resources to prevent from downtime. 


Customers

Customers are the units of business with the requirement for the project being developed.


3rd Party Consultant

3rd Party Consultant is responsible for evaluating the product based on the secure SDLC framework. They also involve in document creation and review. 


Once the required resources are identified, then the organization should train them and ensure their expertise to develop the project successfully.

2. Analysis And Alignment

The organization needs to perform the analyse and alignment mechanism to visualize the association between its business strategies and processes. 
There is generally some important actions need to take for the analyse and alignment process. These include:

security for business process
 

3. Process Development

The process development phase involves the action of creating the most effective processes that offer the best results. It comprises several goals.

These follow:

  • Making efficient utilization of resources (money, time, staff, raw materials, and work)
  • Enhancing the product quality
  • Serving the requirement of the clients

This phase involves assigning the roles as well as responsibilities to the staff by matching their skills. Next, implement the measurement criteria and choose the tracking tools to measure the performance of the process management. This will support to achieve the following goals:

  • Identify the impacts of the business as per the project management enhancement initiatives
  • Compare the cost of project management benefits
  • Ensure that the project management initiatives, achieving its objectives

4. Implementation

The success of any structure is critically reliant on an effective approach to the implementation. This phase involves the action of executing the process management; hence that the idea becomes a reality. The first thing here is to ensure the end-user awareness about the secure SDLC. Human mistakes come next to the technology in terms of factors that leads to failure of the product. A proper action, including the training programs should take place to make the end user aware essential things about the product and how to remain successful against the security threats as well as risks. 

Form a define and development department, which should comprise the incident handling team. This team is responsible for creating threat information sharing, active defense, critical infrastructure protection and incident preparedness. They should also analyse the process continuously to ensure everything is running smoothly and take appropriate action whenever any issues arise. 

5. Evaluation 

A systematic approach for receiving the details regarding the performance of the organization as well as the aspects that influence the performance. This phase considers the organization process as the key unit of evaluation to ensure that the whole thing is running as per the framework.  

The above-discussed steps are prominent enough for secure SDLC implementation. Some additional steps may add for certain tasks based on the necessity and cost and time involved.

Read More

Cyber Security Vs Information Security

With the prominent increase in the regular occurrence of the security breaches, organizations are in need to protect their essential information. When it comes to taking steps on security measures, companies often confused with an Information Security profession and Cybersecurity profession regarding which one is appropriate for their needs. In addition to organizations, professionals who want to determine which profession is best for their career often need to distinguish these professions. 

Often, we use the terms Information Security and Cybersecurity interchangeable, though they both are not the same thing. These terms come with both the overlapping and the difference. Let us have an overview of Cybersecurity Vs Information Security.

Definition Of Information Security And Cybersecurity

When searching on these terms, it is possible to come across the myriad of contradictory definitions. 

Information Security

Information Security (also known as InfoSec) guarantees that the data, including both physical and digital is safeguarded from unauthorized use, access, disruption, inspection, modification, destruction or recording. In case a business is beginning to generate a security program, Information Security is where they should start; since, it is the data security foundation.

Cybersecurity

Cybersecurity guarantees that the computers, data, and network of the organization is defended from the unauthorized digital attack, access or damage by the mean of implementing several processes, practices, and technologies.  This security is to prevent the data, network, and reputation of the company against the attack. 

Connection Between The Cybersecurity And Information Security

People never use the terms interchangeably unless there is a strong interconnection between those terms. The same thing happens on the Cybersecurity and Information Security.

A physical security component is available to Information Security and Cybersecurity. Either a data is stored digitally or physically, there is need to make sure that the entire physical access control is generated in place in order to avoid unauthorized access. 

Both practices consider the value of data.

In Information Security, the main concern is safeguarding the data of the company from the illegal access of any kind, whereas, in Cybersecurity, the main concern is safeguarding the data of the company from illegal digital access. 

Keep in mind that both of these practices consider the data as the utmost importance. Professionals belongs to both of these domains need to find what data is critical to the company.
 
As per the Novainfose, the Cybersecurity is considered as a subset of the Information Security:

Figure 1: How Cybersecurity is a part of Information Security

   cyber security is a part of information security

In Figure 1, Information Security is indicated as the super-set of the Cybersecurity. This is because anything in the land of cyber would comprise the information.
 

 

Figure 2: Information Security and Cybersecurity

                                      cybersecurity vs information security                                                                                 

                                                                                   

According to the site Center for Cyber and Information Security, Information Security ensures the protection of both Digital and Analog information.  Cybersecurity ensures the protection of things, which are vulnerable via ICT (including both information (physical and digital) and non-information things).

 

 

Figure 3: Overlapping of Information Security & Cyber Security


cybersecurity vs information security

              

It shows the clear relationship between the Information, ICT Security, and Cybersecurity. Both Information Security and Cybersecurity are synonymous.Since Information Security is the Information Technology protection, whereas ICT Security is communication and Information Technology protection.

Though the Information Security and Cybersecurity are closely overlapped, there are some essential differences between the two. 

  


To conclude, Cybersecurity is about to protect only the digital information while Information Security is to protect the information, irrespective of whether it’s kept digitally or not.

Read More

Crucial Stages of Software Security Testing Life Cycle

Today’s most valuable commodity of business is none other than the Trust. Ensuring the security of the software or customer information is essential to maintain the good faith. As the applications evolve, the vulnerability risk rises to a great extent. A well-executed and powerful security testing plan can support to uncover the entire security as well as privacy issues in the software and application. Moreover, it is an ideal way to ensure that the software is well-protected from the illegal access and from dangerous vulnerabilities. 
According to the report of OWASP, a great software security professionals, the following are the some of the top security threats that affect the software: 

  • Injection
  • Cross-Site Scripting
  • Broken Authentication & Session Management
  • Security Misconfiguration
  • Insecure Direct Object References
  • Sensitive Data Exposure
  • Cross-site Request Forgery (CSRF)
  • Missing Function Level Access Control
  • Using Known Vulnerable Components
  • Invalidated Forwards and Redirects

The security testing has to turn out to be an undeniably critical part of the development strategy of an organization. The main reason for this is the raise of the security breaches, which organizations are fronting today. The scope of this article covers the essential things need to know about the software security testing and the crucial stages of the software security testing life cycle.

Security Testing Definition

Security testing is a process that ensures the systems, as well as applications in an enterprise, are free from vulnerabilities, which may lead to a big loss. The main objective of the security testing of any software is about detecting entire possible weakness and loopholes of the software that might lead to an information loss at the hands of intruders. The software security testing is measured in two varieties: the data protection and the data accessible. With the security testing, organizations can ensure their users that their details remain secure from unauthorized access and no one can access it without permission. 

Methods That May Be Used During Software Security Testing

Service Access Points -   This technique ensures that there are enough number of access points to co-operate with entire users and guarantee security.

Data Protection – This technique means that the data are secured with an encryption method and only the authorized user can see and access the detailed information.

Brute-force Attack – Guessing the right password takes several numbers of attempts. That is why applications and websites, restrict their number of attempts to log into the system.

System Access – With this technique, an access possibility is well-defined by the role as well as the rights of the authorized users in a definite management system. 

Cross-Site Scripting Or SQL Injections – Based on this technique, an application should possess special limitation to prevent hacker’s attack. 

Security Testing Vs Conventional Testing
A quick comparison between security testing and conventional testing of the software:
    

   

                 Security Testing           Conventional Testing
The attribute of this testing highlights what a software shouldn’t perform instead of what it should perform. The attribute of this testing highlights what a software should do. 

The main aim of this testing is to evaluate the negative needs reporting something that shouldn’t occur ever.   

For instance, “An external attacker shouldn’t be capable of changing the web page contents” and “unauthorized user shouldn’t be capable of accessing the data”. 

In order to apply conventional testing to the negative approach, we have to make every conceivable set of non-possible conditions.

 

Where To Begin Security Testing?

As per the Open Source Security Testing Methodology Manual,

“Fact doesn’t come from the outstanding leaps of detection, but rather from the slight, watchful steps of verification”. 

Approaching testing in a small and a comprehensible piece can ensure to avoid mistakes. The more complex the software need to test, the more complex the security program and increase the chances of flaws. 

For instance, consider the system handling complex tasks. Since adding more tasks to the system can increase the chances of mistakes, complicate the tasks and becomes slower & slower. The same things happen in the testing security. Hence it is essential to manage the complexity properly. This task can be accomplished by the proper definition of the security test.

The following seven steps can support to define the security test properly:

1. Define exactly what you have to protect and these are termed as assets.
2. Determine the area around the assets that comprise the protection mechanisms as well as services made around the assets. This step is termed as the engagement zone.
3. Define entire things outside your engagement zone, which you want to maintain your assets operationally.
4. Define how your possibility communicates with itself as well as with the outside.
5. Identify the tools, which required for each test.
6. Regulate what details you need to understand from the test.
7. Assure the software security test, which you have created follows the Rules of Engagement and some guidelines to ensure the proper security test process without making misconceptions, misunderstanding or false expectations.

Security Testing Framework

It is essential to build an end-to-end testing framework to assess and enhance the software security. Several organizations still consider the security testing as the portion of penetration testing. However, the things have changed. While performing penetration testing of a complex software, it is typically inefficient at determining the bugs and depends extremely on the tester’s skills. In order to improve the software security, it is vital to enhance the quality of the software. That states security testing should be carried out at each stage of software development life cycle:

These stages are as follows:

1. Definition
2. Design
3. Develop
4. Deploy
5. Maintenance

For instance, the Cyber Crime Website of the US Government details a study related to the recent criminal cases and the company’s loss. Based on the study, the typical loss exceeds USD $100, 000. With considering losses like this, software companies are suggested to concentrate on the security testing at the early stages of the software development rather than just following black box security testing that can only be carried out on products, which have finalized. 

With the reference to the OWASP testing framework workflow, here we presented the typical security testing framework (Figure 1), which can be developed within a company. 
This testing framework contains the following actions:

  • Before the development process begins
  • During definition & design process
  • During development process
  • During deployment process 
  • Maintenance & Operations

Figure 1: Testing Framework Workflow


                                     

This framework includes the tasks and techniques, which are suitable for the different stages of the SDLC (Software Development Life Cycle). Organizations can use this framework to make their own software testing framework. This is not a perspective framework. The organization can extend as well as remodel this flexible approach to fit into their development process. 

Security Testing Methods

Based on the details covered in the OWASP Testing Guide, let us have a look at the different testing techniques that can be used when creating a security testing program. 

1. Manual Inspection and Review
2. Threat Modelling
3. Code Review
4. Penetration Testing

1. Manual Inspections And Review

Manual Inspections are the process of reviews performed by a human, which generally involves testing the consequences of people, processes, and policies. This method also comprises technology decisions inspections like architectural designs.
This method comes with the following benefits:

  • No technology support is required
  • Flexibility
  • Can be used in different variety of scenarios
  • Enhance teamwork
  • Can be carried out early in the software development life cycle

Drawbacks with this method include:

  • Time consuming
  • Require efficient human thought, and skills
  • Supporting materials not available

2. Threat Modelling

This is one of the popular techniques that are used by the software designers to treat the security threats, which their system possibly faces. This method involves the development of mitigation process for possible security vulnerabilities. It supports the developers to focus on their unavoidable restricted resources and the portions of the software that requires more attention. 
Advantages of the threat modelling include:

  • Can be carried out early in the software development life cycle
  • Flexibility
  • Enables to view the system in the prospect of attackers

The drawback of this method includes:

  • Relatively new technique to understand

3. Code Review

This method involves the process of manually evaluating the software source code against the security issues. 
Advantages of this method involve:

  • Accuracy
  • Fast
  • Effectiveness
  • Completeness

The drawback of this method includes:

  • Can’t detect run-time defects effortlessly
  • Require highly talented developers
  • Chance of missing errors in the compiled libraries

4. Penetration Testing

Penetration testing, commonly known as ethical hacking or black box testing, has been used in testing the security of the network for several years. In this method, the tester attempts to access the software as like the attackers to determine the exploit vulnerabilities. 
The penetration testing can be subcategorized into:

1. Introduction & Objectives
2. Information Gathering
3. Configuration & Deployment Management Testing
4. Identity Management Testing
5. Authentication Testing
6. Authorization Testing
7. Session Management Testing
8. Input Validation Testing
9. Cryptography
10. Error Handling
11. Client Side Testing
12. Business Logic Testing  

Advantages of the Penetration Testing are:

  • Fast
  • Economical
  • Comparatively, requires minimum skill sets

Drawbacks of this method include:

  • Taken at the final stage of the SDLC
  • Front influence testing only

Conclusion

Hope the above information would provide you an understanding of the software security testing. Security testing is the ideal way to measure how much secure your software is. As we discussed, it is highly suggested to include this testing as a part of the SDLC process.