Differentiate between Vulnerability & Threat

What is a Threat?

A threat is what we’re trying to protect against.Our enemy could be Earthquake, Fire, Hackers, Malware, System Failure, Criminals and many other unknown forces.

What is Vulnerability?

Vulnerability is a weakness or gap in our protection efforts. Vulnerability can be in form of weak coding, missing anti-virus, weak access control and other related factors.

What is a Risk?

Risk= Vulnerability * Threat

Risk is the product of vulnerability and threat. That is, we get a risk when our systems have a vulnerability that a given threat can attack. Thus, threats may exist, but if there are no vulnerabilities then there is no risk. Similarly, you can have vulnerability, but if you have no threat, then you have no risk.

There should be presence of both the elements (i.e. V*T) to constitute a risk.

Now, let us attempt below exercise to understand the terms more precisely:

(i) “Door is open. Please close it to avoid thieves .If they gets in, we will be robbed”

Identify Threat/Vulnerability/Risk from above statement.

Threat:

Vulnerability:

Risk:

(ii) “If antiviruses are not updated regularly, then new type of virus can destroy our data”

Identify Threat/Vulnerability/Risk from above statement.

Threat:

Vulnerability:

Risk:

Please provide your answers in comment box.  In case of any queries, please do write.

Views : 385

Data Security-Simple Steps to block USB drive

Data Security-Simple Steps to Disable USB Ports.

Needless to say that most common method of data leakage is through USB/Pen drive/Mass storage devices. Also, through such devices our PCs/laptops gets infected by viruses/malwares.  Most of the corporates have centralized control for usage of such devices. However such controls are desirable in the offices of Chartered Accountant/Audit firms also as they have critical database of their clients. It is generally observed that Data Security Policy of CA firms is relatively weak and can be easily compromised. In this article, we will understand simple step-wise description for blocking USB Ports i.e. blocking of Pen Drive/Mass Storage Devices. Please note that no software is required for controlling such devices. (Yes. It’s free of cost. So go ahead (:-   )

There are 2 options to achieve our objective:

(1)    Through Registry

(2)    Through Device Manager

(1)Through Registry:

  1. Go to Start > Run , type “regedit” and press enter to open the registry editor
  2. Navigate to the following key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

In the right pane, select Start and change the value to 4. (The value 3 is to enable USB Storage). Click OK. This will disable your USB port.

Please remember:

Value Function
3 To enable USB Port
4 To disable USB Port

The change will be effective immediately, however sometimes a reboot may be required. This hack will ensure that all the USB storage devices are disabled / blocked or enabled according to your choice

 

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

 

Go to USBSTOR/Start

 

Write 3 to Enable and 4 to Disable USB

(2)Through Device Manager:

  1. Go to Start > Run , type “Device Manager” and press enter to open the Device Manager
  1. Navigate to the following key: Universal Service Bus Controllers
  2. List of installed devices will appear. Select and right click. It will be give ‘Disable Option’

However, please note that above controls will work only if your PCs/Laptops have Administration Password. Otherwise, anyone can redo i.e. enable USB again and fly away with your confidential data.

Prepared By:

  1. Hemang Doshi , CISA, FII

Views : 702

Basics of Risk Assessment

Million Dollar Question: What is Risk? The reason why I refer it as a million dollar question lies in definition(s) of term ‘Risk’. The term ‘Risk’ has been defined in multiple ways and it can be accommodated anywhere anytime and in any situation as per requirement. Inspite of having vivid definition(s) of RISK, in practise every human being is a Risk-Pro. When I say everyone, I mean EVERYONE irrespective of literacy level or profession.

 Let us take a simple illustration. During rainy season, street vendors generally keep a plastic cover to protect their articles. Why So? Because they know that PROBABILITY of having rain is high and it

could IMPACT their valuable articles. In corporate environment, we will complicate the same example by saying “Articles are VULNERABLE to THREAT of rain and hence RISK RESPONSE is required in form of some CONTROL (i.e. plastic cover) to MITIGATE RISK ELEMENT.”

Wow. Now our dear vendor also knows that it is not worth spending Rs. 100/- to purchase a plastic cover to protect his articles costing Rs. 50/-. In our terms: “COST of CONTROL should not exceed COST of RISK”. Now I doubt whether street vendors have ever heard about these terminologies in their life, but pretty much sure that they actually understand RISK and RISK TREATMENT in their daily activities.

Again. What is risk? Let us look into some of the widely accepted definition of risk.

ISO 27005: The potential that a given threat will exploit vulnerabilities of an asset of group of assets and thereby cause harm to the organisation.

ISO/IEC 73: Risk is the combination of the probability of an event and its consequences.

Dictionary Meaning: a situation involving exposure to danger.

ISO 31000: Risk is the “effect of uncertainty on objectives”

Business Dictionary: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preventive action.

Oxford Dictionary: The probability of something happening multiplied by the resulting cost or benefit if it does.

If you observe, almost every definition speaks directly or indirectly about two terms:

PROBABILITY & IMPACT.

In simplest form, RISK is a product of PROBABILITY and IMPACT.


RISK=PROBABILITY*IMPACT

i.e. RISK=P*I

Both the terms are equally important while determining risk. Let us continue with same plastic cover example. Probability of raining is very high, let say 1, however articles are water-proof and hence impact is Nil i.e. zero even if it rains heavily.

So risk of rain on articles will be:

RISK=P*I

i.e. RISK=1*0 =0

Please note in real life scenario, quantifying RISK is not an easy task. Probability of arriving at ACCURATE PROBABILITY is itself questionable in certain scenario. Okay, I know that ACCURATE and PROBABILITY are incompatible with each other (:-

Another approach to understand the risk is to understand the concept of VULNERABILITY and THREAT. Again there should be presence of both the elements (i.e. V*T) to constitute a risk. A fort without guards is vulnerable to outside attack. However luckily now a days no one is interested to capture a ruined fort and hence threat is nil. Hence risk of attack is nil inspite of high vulnerability as there is absence threat.

 Prime objective of any risk assessment exercise is to identify the risk, understand the risk, quantity the risk (though not possible always) and to threat the risk.

Okay. We do all this exercise. Why? Yes. To protect our precious ASSET. So very first step of risk assessment exercise is to identify the ASSET which we want to protect. This is essence of whole exercise. Why waste time and money on something that is not critical. It must be noted that usefulness of asset is not always defined by its financial value but other attributes also to be accounted for. For example, Data Leakage Prevention Policy (DLPP) aims to protect DATA whose value can be negligible in absence of privacy laws. DATA is considered valuable because of relevant regulations. Assets can be tangible or intangible. Many organisations consider their ‘REPUTATION’ as supreme asset.

Following is structured process to carry out risk assessment  exercise:

(a) Identify the assets.

(b) Identify vulnerabilities/threats

(c) Perform impact analysis. Define risk indicator. Remember, R = P*I. It can be quantified or qualified (High/Medium/Low).

(d) Apply controls through appropriate risk treatment.

(e) Still some vulnerabilities present? Yes. If this acceptable? No. Then apply some more controls. But always ensure COST of CONTROL not to exceed COST of RISK. I would never pay one hundred and fifty crore rupees for insurance premium to protect my bungalow worth Rs. One hundred crore. (No. I don’t have 100 crore bungalow. But hope you got the point)

(f) Okay, now risk is acceptable? Yes. Then live happily with it. Let them reside with us. It is

known as RESIDUAL risk.

Risk assessment is iterative exercise. Above cycle to be repeated at regular interval to address

new vulnerabilities. Continual risk assessment (CRA) is also critical to ensure that existing control

are effective.

Let us understand how above steps are performed to address IT Risks in an organisation:

Identification of Assets:

ISACA’s RISK IT framework defines IT risk as follow:

IT risk is business risk – specifically, the business risk associated with the use, ownership,

operation, involvement, influence and adoption of IT within an Enterprise. It consists of IT related

events that could potentially impact the business.

In order to analyse the IT Risks, prime requirement for an IS auditor is to understand the business

environment. IS auditor is required to gather information about industry and relevant regulatory

statutes. Knowledge of business will help an IS auditor to understand which IT assets contributes to

the business and extent of dependence on technology to process and deliver business information.

This in turn helps him to identify critical IT assets. Risk assessment is then carried out to ensure

confidentiality, integrity and availability (CIA triad) of identified mission critical IT assets.

Threat Analysis:

So now we have identified our TREASURE (ASSET). We must also be aware of who else is interested in our treasure. Our enemy could be earthquake, fire, hackers, malware, system failure, criminals and many other unknown forces. We need to list down each threat that can have impact on assets.

Now assign probability or frequency of occurrence. I know that is not an easy job, but that is what we

are paid for. Probability can also be expressed as a ranking i.e. High, Medium, Low or on a numeric scale i.e. 1 to 10.

Vulnerability Analysis:

Take a magnifying glass and examine our mission critical asset to identify presence of any black

spot. Black spot indicates weakness. Vulnerability can be in form of weak coding, missing anti-virus,

weak access control and other related factors. It is advisable to list down each vulnerability and

corresponding proposed control. Vulnerability to be ranked on the basis of criticality.

Impact Analysis:

Through earlier steps we have identified our Assets, our ENEMIES (Threat Analysis) and our own WEAKNESS (Vulnerability Analysis). Impact Analysis helps us to understand what will happen if all three of them shake hands.

Impact can be measured in terms of QUALITATIVE or QUANTITATIVE. For better risk treatment,  it is advisable to quantify the impact. But as discussed earlier, it is a tough job. Most common method to quantify risk is to calculate single loss expectancy (SLE) and annual loss expectancy (ALE).

SLE=Asset Value*Exposure Factor

Exposure factor can be defined as expected percentage of loss if a threat is realized.

ALE=SLE*Annualized Rate of Occurrence (ARO).

ARO can be defined as estimated frequency of specific threat within a year.

However in absence of precise measurement, impact can also be classified as high/medium/low or some other indicators can also be used. When we speak of Information System, impact can be loss of confidentiality, loss of integrity or loss of availability. Prime purpose of classifying the impact is to prioritize risk treatment for high impact risk.

Risk Treatmetn:

Time to build GREAT WALL OF CHINA. Once potential impact has been identified through

qualitative or quantitative analysis, next step is to decide how to eliminate or reduce the impact i.e.

how to treat the RISK. There are generally four approaches for risk treatment. They are

(i)Risk Mitigation

(ii)Risk Transfer

(iii)Risk Avoidance

(iv)Risk Acceptance

It must be noted that risk treatment  is purely based on perception. For same risk, different

treatment can be applied depending upon how one perceives the risk.

Let us take an example to understand above approaches.

Meteorological  department has indicated heavy rain and we need to attend ISA classes. Risk of  rain can be treated in any of the following way:

-Majority of the students will be well prepared and will arrange for Umbrella or Raincoat to protect

them from Rain. (risk mitigation)

-Some courageous students will not bother to carry Umbrella/Raincoat. (risk acceptance ).

-I am pretty much sure there will be some students like me who will avoid going to classes (risk avoidance).

In an organisation level, it is not always possible to mitigate all the RISK. RISK Free Business is an

illusion. Though objective of risk treatment is to bring greatest possible reduction in RISK. IS auditor

need to understand the IT RISK and corresponding controls.

There are different standardized methodology specifically designed for RISK Assessment of

Information Technology Systems like SP-800-30 document developed by NIST, FRAP (Facilitated RISK

Analysis Process) and OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation).

Though each methodology is developed for specific purpose they have same basic core components

that we already discussed above i.e. identify vulnerabilities and threats and calculate risk values.

Please do write in case of any concerns/query/suggestions.

Views : 1053

Network Security-Simple Steps to Secure Wi-Fi



Network Security-Simple Steps to Secure Wi-Fi

If first question that comes to your mind while reading the topic of this article is ‘Why I need to protect my Wi-Fi??’, then read below some of the major risks associated with unsecured wifi.

What are the risks of using an unsecured wireless network?

In simple language it is like going for a trip without locking your house. Anyone one can enter your house anytime and do anything as per his wish.

Your connection can be enjoyed by anyone for free and please consider yourself lucky if intruders are your neighbours with intention to save some bucks  as it may cost you only some additional bandwidth charges and at the most  slowing down your surfing speed. However, if your connection is used for illegal downloading of music, movie or pornography, the result could be more serious.

And if you are damn unlucky, you will be the chosen one, whose unsecured internet connection can be used to commit crimes of serious level. A criminal who does not want to be caught can use your unsecured internet connection to commit crimes because when it is traced back to the source, your connection will be reported as the scene of the crime.

You may refer below standard clause in your contract with ISP:

CONTENT RESPONSIBILITY AND INTERNET SERVICE USE RESTRICTIONS

Client acknowledges and agrees that it is solely responsible for the Content of its transmissions which pass through the Internet Connection Service. Client also agrees it will not use the Internet Connection Service:

  1. for illegal purposes;
  2. to transmit threatening, obscene or harassing materials, or
  3. to interfere with or disrupt other network users, network services or network equipment.

In nutshell, you are responsible for activities done through your connection.

Also, once an intruder enters your network, they can have access to your data/records and they can also spy your online activities.

So now, please note that, below mentioned steps are much much easier to implement than to defend your innocent self in court of law (:-

The good news is that it is very simple to make your WI-FI connection secure, which will prevent others from stealing your internet and will also prevent hackers from taking control of your computers.

Below are some simple steps to surf safely:

(1)Take control of your Router through unique password:

Step 1: Login to your wireless router.

Open Internet Explorer and type in the address http://192.168.0.1 or  http://192.168.1.1 (By default, most router will have 192.168.0.1 or 192.168.1.1 as the default Router IP address. This is the address you would enter into your browser’s address bar to access the router configuration page.)

Not able to access through http://192.168.0.1  or http://192.168.1.1.  No need to worry. We will manually find your Router’s Address:

-Go to Start

-search for CMD

-give command ‘ipconfig’

-Default Gateway is your Router’s IP Address.

 

Now login to your router. What??. You don’t have user ID and password??.  Don’t worry. I do have you credentials (provided you have not changed it earlier)

Your user ID and password should be:

Five Characters.  All small. 1st alphabet then 4th alphabet then 13th alphabet then 12th alphabet then 14th alphabet

Making it simple for you:

User ID admin
Password admin

OR

User ID admin
Password (blank)

If it’s not working for you, please google for default user ID/password for your router/service provider.

Step 2: Change your USER ID and Password immediately.

-Go to settings

-User Settings

-Update your New Credentials

(2) MAC Filtering:

Every Machine (PC/Laptop/Mobiles) has a unique identification number. That is known as Media Access Control (MAC) address. So through this control, you allow access to only selected devices. Any other device trying to access you network will be rejected by your router.

Step 1: Indentify MAC addresses of your all devices.

Now question arises how to identify MAC address of your machine.

MAC of PC/Laptop:

-Go to Start

-search for CMD

-give command ‘getmac’

-Physical Address is your MAC address.

MAC of Mobile:

-Go to Settings.

-Select ‘About Device’ (About Phone)

-Select Status.

-Scroll down to Wi-Fi MAC Address to see your MAC Address.

Step 2: Update all the MAC addresses for which you want access:

Go to Settings/Security/MAC Filter/Enable MAC Address Filtering and update MAC addresses for which you want access.

You can also use Black-list to specifically reject some MAC addresses.

(3) Disable SSID:

SSID is kind of floating of RFP (Request for Proposal). You can name it RFH (Request for Hacking).  A Service Set Identifier (SSID) is the wireless network name broadcast by a router and it is visible for all wireless devices. When a wireless device searches the area for wireless networks it will detect the SSID.

I don’t see any need for such open broadcast unless you want to promote your Wi-Fi (in case of hotel/restaurant/lounge/mall etc). To disable broadcast go to Wi-Fi Profiles and look for SSID Broadcast and select Disable option

(4) Enable Encryption:

Encryption helps to scrambles the information we send through wireless network into a code so that it’s difficult for other to access. Using encryption is the effective way to secure your network from intruders.

Two main types of encryption are available for this purpose: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). WPA 2 is the strongest encryption standard for wireless connection as on today.

(5) Monitor Your Network:

There are many wireless network monitoring tools available in the market. Some of them are free and very much reliable. Netcut and whoisonmywifi are reliable one. Through such tool you can monitor and see and do easy analysis for devices joining and exiting your network. It helps to keep your WiFi safe, secure, and running smoothly.

Please note that all the screenshots/paths have been explained considering Reliance Pro 3 wifi connection. If you have any other service provider, there may be slight changes in setting parameters.

Please do write in case of any query/concerns/suggestions.

Views : 2954

CISA certification-How to get through


CISA CertificationCISA Certification: How to get through



What is CISA:

The Certified Information Systems Auditor (CISA) is a certification issued by the Information Systems Audit and Control Association (ISACA).

Certified Information Systems Auditor (CISA) is a globally recognized certification in the field of audit, control and security of information systems. CISA gained worldwide acceptance having uniform certification criteria, the certification has a high degree of visibility and recognition in the fields of IT security, IT audit, IT risk management and governance. Vacancies in the areas of IT security management, IT audit or IT risk management often ask for a CISA certification. The exam tends to be associated with a high failure rate. CISA is awarded by ISACA.

Why CISA:

-Confirms your knowledge and experience

-Quantifies and markets your expertise

-Demonstrates that you have gained and maintained the level of knowledge required to meet the dynamic challenges of a modern enterprise

-Is globally recognized as the mark of excellence for the IS audit professional

-Combines the achievement of passing a comprehensive exam with recognition of work and educational experience, providing you with credibility in the marketplace.

-Increases your value to your organization

-Gives you a competitive advantage over peers when seeking job growth

-Helps you achieve a high professional standard through ISACA’s requirements for continuing education and ethical conduct

Exam Pattern:

CISA exams are conducted three times a year: in June, September and December. The exam is known to be difficult examination and having four hours in length, consists of 200 multiple choice questions and uses the format of one correct answer per question. The scoring is weighted depending on an predetermined value for each question with a passing score of 450 points and a 800-point score as the maximum. Some questions are purely for statistical purposes and do not affect the candidate’s score.

Preparation:

To be honest, it’s not an easy task. But if you follow below pattern for preparation, I am sure your certification is not far away.

Resource Requirement:

Only investment that I recommend is buying ‘CISA Review Questions, Answers & Explanations Database’ from ISACA website (isaca.org). Cost will be approximately 12000/- INR. But same is worth investing if you aspire to clear CISA in first attempt.

Database is online version with features as follow:

The CISA Review Questions, Answers & Explanations Database is a comprehensive 1,200-question pool of items. The database is available via the web, allowing our CISA Candidates to log in at home, at work or anywhere they have Internet connectivity.

Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally questions generated during a study session are sorted based on previous scoring history, allowing CISA candidates to identify their strengths and weaknesses and focus their study efforts accordingly.

Other features provide the ability to select sample exams by specific job practice domain, view questions that were previously answered incorrectly and vary the length of study sessions, giving candidates the ability to customize their study approach to fit their needs.

Now, treat this database as bible for studying CISA.  Please rigorously follow below pattern:

(i)Get one thing absolutely clear. No other study material is required. That will unnecessary create confusion.

(ii)Please start preparation atleast before 4 months of examination.

(iii)Now, this is very very important. Please attempt 40 questions daily. Total time required is  less than half an hour per day. No excuses even on weekends/holidays. I am not recommending any more study. 40 questions daily is the only requirement that will help us to get certification. Please note that, this question database resembles the actual questions asked in CISA examination. Though questions may be framed differently, testing concept remains same. How do I know? I attempted CISA examination twice.

(iv)If you follow 40-40 rule, within a month, you will able to attempt more than 1000 questions. Please note when you attempt a question, please pay more attention on explanation part i.e why a particular answer is correct and why other three are not. Also note that for many questions testing concept will be repetitive in nature. So more question you attempt, more confidence you get. Simple.

(v)In case you want to supplement your study, I recommend ‘ALL-IN-ONE’ by Peter H Gregory. Technicalities have been superbly simplified by Peter.

(vi)Sharing my experience. During my first attempt, I collected lot many freely available study materials from website. Mugged up many technical definitions. Went through acronyms and glossaries. Attempted MCQs available from different websites. Seen online videos. But nothing worked. I failed. Though all this things helped me to gain some technical knowledge, I was not able differentiate between correct answer and other three distracters in examination. First of all it took lot of time to understand questions. How would you expect me to answer, when I am struggling to find out even what the hell is the question (:-

Anyways, for the second attempt, I purchased Question-Answer Software from ISACA (i know it’s painful to pay for the study material (:-   ) and started attempting daily atleast 40 questions. It helped me gradually to understand:

(i)Pattern of Questions

(ii)What is the testing concept behind any question.

(iii)Easily able to identify distracters.

(iv)Easily able to co-relate correct answer with question.

(v)Helped me to manage time element.

So, below is my result for second attempt:

Dear Mr. Hemang Doshi:

RE: CISA Exam Result Notification — Exam ID: 14812446

At your request (per your exam registration authorization), this email is being sent to notify you of your September 2014 CISA exam result. A scaled score of 450 or higher is required to pass, which represents the minimum consistent standard of knowledge as established by ISACA’s CISA Certification Committee.

We are pleased to inform you that you successfully PASSED the exam with a total scaled score of 600.Your score was in the top 5 percent of those testing. For your information, your exam results by area are provided below.

SCALED SCORES OF YOUR PERFORMANCE BY AREA:

The Process of Auditing Information Systems: 711
Governance and Management of IT: 490
Information Systems Acquisition, Development and Implementation: 667
Information Systems Operations, Maintenance and Support: 554
Protection of Information Assets: 591

The above represents a conversion of individually weighted raw scores based on a common scale. As such do not attempt to apply a simple arithmetic mean to convert area scores to your total scaled score.

(vii)If you want to try your luck without spending much, I do have some question banks. Please drop  your email ID in comments and I will be happy to forward the same to you.

Prepared by: CA. Hemang Doshi , FIII, CISA.

Views : 748