Sunday, June 7, 2015

CryptoWall 3.0


Threat –

CryptoWall 3.0

          CryptoWall 3.0 is malware of the spyware/ransomware family that can steal the victim’s information and demand a payment from the user to release it. It uses Tor (the hidden Internet) to run its online payment process.

 

How it spreads

Spam/Phishing Emails

It arrives as an attachment to a spam or phishing email (generally a zip file). Once the user opens the zip file, it prompts the user to download a PDF file posing as a harmless “Resume” or similar.

  

Protection

Spam filtering 
Internet Firewall 
User awareness 
 

NjRat Malware


Threat –

NjRAT – A remote access Trojan compiled in .NET 4.0 and capable of taking complete control of an infected device. The malware can log keystrokes, download and execute files, provide remote desktop access, steal application credentials, and access the infected computer’s webcam and microphone.

 

How it spreads

1.       Spam/phishing emails offering users a video game (Need for Speed etc.), video game cracks, application key generators, antivirus software and the like.

2.       Visiting a compromised website, which likewise prompts the user to download “antivirus” software etc.



Protection

Internet Firewall
Spam filtering
End Point Protection
User awareness  

 
 

DYRE MALWARE



Threat –

DYRE MALWARE

·         A Trojan with Man in the Middle (MITM) attack capabilities and a covert VNC session, designed to steal login credentials by grabbing the whole HTTPS POST packet, which contains the login credentials sent to a server during the authentication process, and forwarding it to its own server.

·         It can then compromise the victim’s bank and other accounts and block the user from accessing his own account.

·         It also has VNC capability to perform DoS or DDoS attacks through the victim’s machine once the system is infected with the malware.

·         It works through a configuration file, and currently there are 90 target banks (mainly from Romania, the United Kingdom, Ireland, the USA and the UAE) in that configuration file.


How it spreads

Spam/Phishing Emails

It arrives as an attachment to a spam or phishing email, and once the user opens it, the Trojan executes itself and gets installed on the victim’s computer.

 

Protection

Spam Filtering
End Point Protection
User awareness
                  1.       Users should not fall prey to unsolicited mails.
                  2.       Users should not open email attachments if the sender is unknown or unfamiliar.
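All three threats above arrive the same way: an archive attached to a spam or phishing email that hides an executable behind a document name such as “Resume”. The following is an added example (not code from the original posts) of the kind of attachment policy check a mail gateway can run before a user ever sees the file. The extension lists, the magic-byte checks and the sample archives are constructed for the example; an encrypted zip entry is reported rather than silently passed, because its content cannot be inspected without the password.

```python
import io
import zipfile

# Assumed gateway policy (not from the original posts): file types that should
# never arrive inside a mailed archive, document types an attacker may imitate,
# and archive types that would need recursive scanning.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi", ".pif"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}

PE_MAGIC = b"MZ"      # first bytes of a Windows executable
PDF_MAGIC = b"%PDF"   # first bytes of a real PDF document


def _extensions(name):
    """All extension parts of a file name, lower-cased: 'Resume.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    return ["." + part.lower() for part in base.split(".")[1:]]


def inspect_archive(data):
    """Inspect a zip attachment given as bytes and return a list of findings.

    An empty list means no rule of the assumed policy fired. Encrypted entries
    cannot be read without the password, so they are reported, not skipped.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = _extensions(name)
            last = exts[-1] if exts else ""

            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag = encrypted
                findings.append(f"{name}: encrypted entry, content cannot be scanned")
                continue
            if last in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable inside archive")
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    findings.append(f"{name}: document extension hiding an executable")
            if last in ARCHIVE_EXTS:
                findings.append(f"{name}: nested archive needs recursive scanning")

            with zf.open(info) as fh:
                head = fh.read(4)
            if last in DOCUMENT_EXTS and head.startswith(PE_MAGIC):
                findings.append(f"{name}: claims to be a document but content is a Windows executable")
    return findings


def build_zip(entries):
    """Build an in-memory zip from {name: content_bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a genuine-looking PDF resume, and the lure described in
# the posts (a "Resume" that is really an executable) plus a nested archive.
BENIGN_ZIP = build_zip({"Resume.pdf": PDF_MAGIC + b"-1.4\n%fake document body\n"})
SUSPICIOUS_ZIP = build_zip({
    "Resume.pdf.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
    "Resume.pdf": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
    "more.zip": build_zip({"inner.txt": b"nested"}),
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("suspicious", SUSPICIOUS_ZIP)):
        print(label, inspect_archive(blob) or ["clean"])
```

The magic-byte check matters more than the extension check: a file named Resume.pdf whose first two bytes are MZ is an executable whatever its name says, and that is exactly the kind of double-extension or renamed lure the posts describe.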

Sunday, April 26, 2015

Password Security

Passwords
Weak passwords are one of the biggest reasons for security breaches all around the world. Whenever someone starts talking about security, he/she will definitely talk about password security. There is a standard list of Dos and Don’ts.
Normally you can find this list in any security awareness mailer or on the Internet, and it goes as follows:
1.      Do not create weak passwords.
2.      Think up strong passwords; the characteristics of a strong password are:
3.      Create a long password of 8-9 characters.
4.      Your password must consist of alphanumeric values and special characters.
5.      Use a pass-phrase and make it complex; for example, “TimeforTea” can become “T1mef0rt3a” or “T1mef@rT3a”.
6.      Do not share your password with your friends and colleagues.
7.      Do not write your password on a post-it and stick it to your monitor or desk.
8.      Do not use one password for all accounts. Try to be creative: categorize the accounts by confidentiality and criticality and create different passwords for different types of account.
9.      Avoid using public computers to log in to your banking accounts.
10.     Adopt two-factor authentication wherever possible. Two-factor authentication is a double layer of security where you are required to authenticate in more than one way, for example with what you know and what you have. Biometric authentication adds a “who you are” component to the authentication.
11.     Beware of websites that ask for your personal details. Do not disclose passwords online.
12.     Beware of phishing attacks. Phishing is a method used by attackers to entice users into clicking fake links in a genuine-looking email. The sender pretends to be a genuine source, like your bank. Once you click on the fake link or enter your credentials, the attackers steal your information and misuse it.
13.     Beware of shoulder surfing. Always check your surroundings before you enter your credentials.
Hell Bent to crack
There are lots of free tools easily available on the Internet to crack others’ passwords. Some of the most common are Brutus, RainbowCrack, Wfuzz, Cain and Abel and John the Ripper. With high-speed Internet and ever more bandwidth, it takes much less time to crack complex passwords. The problem is that dictionary words and their combinations are easy to guess. As a matter of fact there are lots of such lists available on the Internet which can simply be used to crack passwords. There are also cognitive tools which require some human input about the target so they can produce a list of probable passwords the target might think of; these tools can prove lethal if someone really knows a lot about the target and has the intention to crack his/her secret passwords.
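The rule list above and the cracking section fit together in one check. The following is an added example (not code from the original post) that applies the post’s rules (length, letters, digits, special characters) and then does what a dictionary attack would do: it strips case, digits and symbols, undoes the common substitutions such as 1→i and 0→o, and looks the result up in a wordlist. The wordlist and the substitution table are constructed for the example and are far smaller than the rule sets shipped with the tools named above; it generalizes the post’s single “TimeforTea” example to any password.

```python
import re
import string

# Constructed wordlist standing in for the dictionaries the post mentions.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon", "timefortea"}

# Common character substitutions that crackers undo before a dictionary lookup
# (assumption: real cracking rule sets are far larger than this table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # the post's "8-9 characters" lower bound


def _letters_only(s):
    """Lower-case and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", s.lower())


def dictionary_based(password):
    """True if the password collapses to a known word once case, digits,
    symbols and common substitutions are stripped away."""
    candidates = {
        _letters_only(password),                   # 'Password1!' -> 'password'
        _letters_only(password.translate(LEET)),   # 'T1mef0rt3a' -> 'timefortea'
    }
    return any(c in COMMON_WORDS for c in candidates if c)


def check_password(password):
    """Apply the post's rules plus the dictionary check; returns one flag per rule."""
    result = {
        "length_ok": len(password) >= MIN_LENGTH,
        "has_letter": any(c.isalpha() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_special": any(c in string.punctuation for c in password),
        "dictionary_based": dictionary_based(password),
    }
    rules = ("length_ok", "has_letter", "has_digit", "has_special")
    result["strong"] = all(result[k] for k in rules) and not result["dictionary_based"]
    return result


if __name__ == "__main__":
    for pw in ("TimeforTea", "T1mef0rt3a", "T1mef@rT3a", "MeraDoggy@049", "Password1!"):
        r = check_password(pw)
        print(f"{pw:15} strong={r['strong']}  {r}")
```

Run on the post’s own examples, “T1mef0rt3a” is caught: it has no special character, and undoing the substitutions gives back “timefortea”. “T1mef@rT3a” and the Hinglish “MeraDoggy@049” pass every rule, because the substituted forms no longer map to a word in the list.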
“Single Sign On”
Nowadays, big companies introduce “Single Sign On”, an access management approach where a user logs in once and gains access to all systems without being prompted to log in again at each of them. There are apparent benefits and disadvantages to this approach. It is easier to remember one strong password than multiple easy passwords. It is convenient and increases security, since it would be difficult and time-consuming for an attacker to crack the strong password. On the other hand, it is a single point of failure: once that single password is compromised, it can create havoc.
Fusion is the way
People are adopting a new “fusion” approach when creating passwords: mixing two languages. If you know English and Hindi, you can use “Hinglish” to create passwords, and that would be really difficult for dictionary attacks to crack. For instance you can create a password such as “MeraDoggy@049”.
Do not create a password so complex that you cannot remember it; and even the strongest password, if kept and stored insecurely, serves no purpose.

Thursday, April 23, 2015

All about CISSP


Hi Folks,

Recently I acquired the CISSP (Certified Information Systems Security Professional) certificate, and the exam was really a tough one. Once I cleared the exam, I started getting calls from my friends and colleagues asking me for tips on passing the exam, like what they should study and what the correct approach should be to nail one of the toughest exams in the security domain.

So I thought of summarizing it here so it will be easy for me to just send the link of this blog to my friends and it may prove beneficial for other aspirants as well.

The facts about the CISSP exam are all available on the internet: the CISSP certification is governed by the International Information Systems Security Certification Consortium, also known as (ISC)². This certificate has been approved by the United States DoD (Department of Defense). There are around 100 thousand CISSPs around the world as of now. CISSP contains 10 domains, which are as follows:

1. Access control
2. Telecommunications and network security
3. Information security governance and risk management
4. Software development security
5. Cryptography
6. Security architecture and design
7. Operations security
8. Business continuity and disaster recovery planning
9. Legal, regulations, investigations and compliance
10. Physical (environmental) security

This is an online exam and can be booked via Pearson VUE. The fee is $599 for one attempt. The exam contains 250 questions, which are mostly cognitive, and you get 6 hours for the exam.

Once you pass the exam, you need to get an endorsement from one of the existing CISSP holders to become certified. You have the option of becoming an Associate of (ISC)² in case you do not possess the minimum work experience required for the endorsement.

Now comes the tricky part: the preparation. There are lots of good writers and trainers for CISSP, but I studied Shon Harris; she had a wonderful ability to describe lengthy and boring subjects with so much ease and fun.

I studied the CISSP book written by Shon Harris, "CISSP All-in-One", and I attempted the questions given in the book and another 500 questions in the question bank, but this is not enough. One needs to go into detail and refer to other books like "CISSP Practice: 2250 Questions, Answers, and Explanations" and online information wherever required.

What I have found is that the CISSP exam is not only about knowledge but is a mind game as well. The questions asked in the exam are so unique in their formation that you will hardly come across any question you have seen previously, but if you are clear on the security fundamentals and have a clear understanding of the CISSP domains, you can still figure out the answers. Below are the important points to note down:

  1. You need to prepare for the exam in a planned way. You need to devote some time daily to study. You just cannot do it in two full days.
  2. You just cannot rely on one book or one question bank. Shon Harris is good, but look for other sources also.
  3. You need to attempt all the questions given in the book and in the question banks. You need to be well versed in how to eliminate the wrong answers. Check some videos on YouTube.
  4. You need to hold your nerve while taking the exam. You may feel you are not going to pass it, but still give your best and keep your patience till the end.
  5. Do not give up and leave the test in the middle; attempt all the questions.
  6. Do not waste time on difficult questions. First answer the questions you find easy, and then come back to answer the difficult ones.
  7. Do not change your answer again and again. Most of the time, what you think the first time could be the correct answer. Just do not panic, and answer with patience.
  8. Believe me, 6 hours is not a very lengthy time for CISSP. You need 6 hours; that's why they have provided them.
  9. Finally, keep your cool and believe in yourself. If you could not do it, you wouldn't have attempted it.

I hope this will help you.



Sunday, April 19, 2015

Defense in Depth


With the evolution of technology our dependency on digital devices has increased manifold, and we are exposed to cyber-attacks more than ever. Lately, some giant organizations like Sony and Amazon have become victims of cyber-attacks, and that has sent ripples through other similar, smaller and less protected establishments, prompting them to ponder how immune they are to such attacks and what defense mechanisms they have in place if such attacks happen to their organizations. As they say, a cyber-attack is not a question of yes or no but a question of ‘when’, so we need to be as ready as if we expected the attack today. There is never too much security, but ROI (Return on Investment) and cost-benefit analysis are also relevant.

Most organizations adopt a multilayered security approach: security at the perimeter with firewalls, a DMZ (Demilitarized Zone), IPS (Intrusion Prevention System), IDS (Intrusion Detection System), honeypots and WAFs (Web Application Firewalls), and host-based protection such as antivirus, anti-spyware and threat protection. Considering this not enough, many organizations establish a SOC (Security Operations Centre) and NOC (Network Operations Centre) to have a robust mechanism for defending against cyber-attacks. A SIEM (Security Information and Event Management) system captures logs in real time, generates alerts and performs correlation to identify abnormal or suspicious activities on the network. SIEM solutions like HP ArcSight, McAfee ESM and AlienVault USM also help in auditing breaches such as misuse of privileged user IDs and unauthorized changes. Organizations are also introducing end-user IT analytics solutions like Nexthink and SysTrack, which monitor end-user activities in real time and generate alerts and reports so the helpdesk can respond to any security incident quickly and efficiently.
ISO27001 and ISO27035 articulate the need for robust Security Incident Management to actually make use of these automated security tools. Unless organizations have strong Incident Management in place, they will find themselves off guard when they come face to face with, for example, a DoS/DDoS (Denial of Service/Distributed Denial of Service) attack.
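The SIEM correlation mentioned above is easy to show in miniature. The following is an added example (not code from the original post or from any of the SIEM products named) of one correlation rule run over a few constructed SSH authentication log lines: a burst of failed logins from one source address followed shortly by a successful login raises an alert, while a user who mistypes once does not. The thresholds, the log format and the addresses (documentation ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): a password-guessing run against 'admin'
# that ends in a successful login, and a normal user who mistyped once.
SAMPLE_LOG = """\
2015-04-19T02:01:10 host1 sshd: Failed password for admin from 203.0.113.7
2015-04-19T02:01:12 host1 sshd: Failed password for admin from 203.0.113.7
2015-04-19T02:01:15 host1 sshd: Failed password for admin from 203.0.113.7
2015-04-19T02:01:17 host1 sshd: Failed password for admin from 203.0.113.7
2015-04-19T02:01:19 host1 sshd: Failed password for admin from 203.0.113.7
2015-04-19T02:01:25 host1 sshd: Accepted password for admin from 203.0.113.7
2015-04-19T09:15:00 host2 sshd: Failed password for bob from 198.51.100.4
2015-04-19T09:16:30 host2 sshd: Accepted password for bob from 198.51.100.4
2015-04-19T09:17:00 host2 sshd: session opened for user bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Rule thresholds (assumed; a real SIEM rule is tuned per environment).
FAIL_THRESHOLD = 5                       # failures needed to count as guessing
FAIL_WINDOW = timedelta(seconds=60)      # failures older than this are forgotten
SUCCESS_WINDOW = timedelta(seconds=120)  # a success this soon after the burst is suspicious


def parse_line(line):
    """Parse one log line into a dict, or None for lines this rule does not use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines):
    """Stream log lines through a 'brute force followed by success' rule.

    Keeps a sliding window of failure timestamps per source address; when a
    success arrives, an alert is raised if that source crossed the threshold
    inside the window just before it.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = failures[ev["src"]]
        if ev["outcome"] == "Failed":
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            continue
        recent = [t for t in window if ev["ts"] - t <= SUCCESS_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({
                "rule": "brute-force-then-success",
                "src": ev["src"],
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(recent),
                "at": ev["ts"].isoformat(),
            })
        window.clear()  # a success resets the window for that source
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The point of correlating rather than alerting on each failure is the second user: one failure followed by a success is normal and would only add noise, whereas five failures and then a success from the same source is the pattern an analyst wants to see as a single alert.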

The basic components of Security Incident Management are Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.

 

This is a continuous cycle, and each part of the cycle is as important as the entire cycle. Organizations need to have a clear and well-defined Incident Management policy and guidelines, with clarity on the roles and responsibilities of all the teams and individuals involved. A post-mortem to actually find out the lessons learnt is very important, as they say: “There is a principle that says, never waste a good crisis.”

Just as defensive security is not complete without a strong Incident Management program, the same is true of Information Security Awareness. Security awareness has lately become a major part of any security defense program. Given the rise of social engineering techniques such as phishing, spear phishing, email spoofing and APTs, security awareness has become the talk of the town. With the help of social engineering, attackers can penetrate even the strongest perimeter security and break into the most reliable and secured network. Many companies are investing in security awareness programs besides other traditional security protection measures. Security awareness can thwart most security incidents and can keep a check on insider attacks. Organizations need to have a thorough Information Security Awareness program in place to educate employees about security threats and best practices.