Sunday, May 17, 2015

"Mac" and "Windows" file transfer issue solved

Bought a new Mac? The first thing you may do is attach your external hard disk and copy your existing data to your brand new, clean Mac! But hold on, you'll be frustrated to the core if you bought a Mac without consulting any techie about "Why not Mac" or "Mac vs. Windows". After spending at least $900-1000 on your new Mac, you'll have to spend some more on a tool popularly known as "Tuxera NTFS for Mac", for about $31 more.

Unless you have a tool like Tuxera, you may not be able to edit/delete/write to your external hard disk (assuming you have been a Windows user for life and your hard disk is on the NTFS file system). By default Mac allows you only to "read" from your NTFS-based external hard disk, which means you can copy from your hard disk but can't "copy to" it.

Mac OS uses the HFS+ filesystem, while Windows is generally on FAT32 and, these days, mostly on NTFS! So you either have to buy a tool like Tuxera or format your external hard disk to HFS+, but in that case Windows won't allow you to write to the external hard disk!

I faced this exact problem on the first day I bought my Mac, but a friend saved me from all the frustration!

Mac is Sexy but it costs you a lot even after the first big purchase. 

Sunday, May 10, 2015

Start ups and issues with software licensing

Today one in ten of my friends already has, or wants to have, a start-up of their own, be it tech, creative/media or even a small restaurant. They have all the information they need at their fingertips, God bless the internet! All they want to do is implement their ideas and roll them out as soon as possible, capture the market and be the boss for the rest of their lives.

Be it the USA or India, tech start-ups are growing at tremendous speed. This is the era of mobile apps; the world is getting closer and closer, a well-connected cyber world. While building their idea, start-ups tend to make use of free stuff as much as possible to keep expenses low, which I believe is an absolutely brilliant idea. They are more focused on and concerned about shaping the idea and making it commercially sellable.

I have seen many of my friends telling others that it's not always about money; all you need is an idea and a computer with internet to kick-start a start-up, which is absolutely right in my opinion as well. When it comes to software products, start-ups tend to make use of beta/evaluation versions if no "Open Source" option is available. Another cool thing about start-ups is that they try to keep IT spend "low", so you can bring your own laptop/tab to the office and work from it. No need to carry the military-grade, bulky "corporate" laptops. So all they do is work on their ideas, have amazing people working in fancy or even garage-looking offices, stack the kitchen full of awesome food, sell the product/service and keep on minting money. Isn't it fancy? Yes, indeed it is!

But hold on, it isn't that simple these days: you can't just have an idea and a laptop to code on unless you have legit software to play with! Just like you [start-ups], even software publishers like Microsoft, Adobe, IBM etc. have to run their businesses. There is a very thin line between free stuff and piracy. When you run a start-up you have 1000s of things to manage, and hence there is a possibility that you don't even care whether your new (kick-ass) programmer has a genuine operating system and legit software to code with. As the years pass, you concentrate on increasing revenues, meeting new investors and hiring new people. And one fine day you get a mail from one of these software publishers, asking you how many licenses of their fancy software product you own.

"Damnnn, what the heck is it? I don't know, I have 40 people using 40 laptops and 30 tabs, it's BYOD, we don't own any of these, why would I care if they have purchased the software that they use or downloaded from torrent??!!??"

Well, here's the thing: "With great power comes great responsibility." It's your start-up, your employees, your code that they are running on those 40 laptops and 30 tabs, so it's your responsibility to manage software licensing compliance! It's not difficult these days for software publishers to find out whether you have purchased genuine software or are minting money by using pirated software. You can be sued and your start-up's reputation can go for a toss! After all, there ain't no such thing as a free lunch.


So what can you [start-up] do?

Rule 1: Play fair. You've got to spend some hard cash to procure the software licenses which help you code and mint the cash.
Rule 2: No-exception policy. Be it an intern or the HR of your start-up, the rule of a legit operating system and legit software products should have no exceptions!
Rule 3: Hygiene check-up. No matter how busy you are cracking business deals and hitting new highs in revenue, you should ask your IT guy to run surprise checks on the devices that connect to your company's network.
Rule 4: Read licensing agreements. Yes, those pages filled with jargon are for you to read! You shouldn't "forget" to read the licensing agreements, no matter how heavy they are on your head and eyes; after all, you should know what you bought and how it may be used. A sales guy may have exaggerated a "few" things that you should know about!
Rule 5: Deploy ITAM tools. You can implement solutions like IT asset management tools, which capture every detail about the software deployed on devices connecting to your network.
Rule 6: Independent review. It's always advisable to have an independent review of your policies, procedures and licensing posture by independent bodies (http://www.ey.com/IE/en/Services/Advisory/IT/EY-software-licensing-assurance). An independent review may not only tell you about your "over usage" but can also tell you about your "under utilization".

It's difficult for a start-up to gain the confidence of its customers and investors. Software publishers can sue you for big bucks if you are caught playing with their software licensing. So you'd better pay for what you use!


   


Tuesday, September 30, 2014

ISACA Cybersecurity Nexus (CSX)

It's been hardly six months since I "again" stepped into a professional career as an Information Security Consultant with one of my dream companies. I have been studying Information Systems for the last 10 years. And I would say life after an MBA is different and far better!

It's been almost two years that I have been closely associated with ISACA. I started off as President of ISACA's first student group in India, and after that I have been serving ISACA as an international member of the Student & Academic Subcommittee.

Many a time students ask me, "What should I do to enter the Information Security / Information Systems Audit and related fields?" I used to suggest trainings and certifications like CEH, ISO 27001 LA/LI, CISA etc. I personally have high regard for Certified Information Systems Auditor (CISA), which is ISACA's most recognized certification in the world.

CISA is indeed the best certification, but when it comes to college students or recent graduates, they find it difficult to prepare for CISA, as CISA not only tests your theoretical understanding but also places a lot of emphasis on practical experience.
 
ISACA has now introduced Cybersecurity Nexus, a new security knowledge platform and professional program, in view of the high demand for cybersecurity skills.


The Cybersecurity Fundamentals Certificate exam tests the following aspects of cybersecurity:
  • Cybersecurity concepts
  • Cybersecurity architecture principles
  • Cybersecurity of networks, systems, applications and data
  • The security implications of the adoption of emerging technologies
  • Incident response
This certification is comparatively cheap: the exam fee is $150, and the introductory price for the study guide is $15 for members / $25 for non-members (till 30th September). Unlike CISA you don't have to wait for an exam date; you can appear for the CSX certification online. There are 75 questions to solve in 2 hours, and you need to score 65% in order to pass the test.

In order to prepare for the CSX certification one can refer to:
  • Cybersecurity Fundamentals Study Guide - an excellent stand-alone document for individual study of the core concepts and terms that frame and define the fast-changing and increasingly important field of cybersecurity. The guide was compiled and written by cybersecurity experts, explores in detail the four key areas covered in the exam, and includes self-assessment questions with explanations of the answers.
  • The complimentary Exam Guide, which can be downloaded for step-by-step details about the exam process.
  • ISACA conference workshops and sessions, CSX webinars, whitepapers, books and other publications.
If you are a college student or a recent graduate, I would strongly recommend CSX certification.

For detailed information on the CSX certification and program, kindly visit:
www.isaca.org/cyber/Pages/Cybersecurity-Fundamentals-aCertificate.aspx



Saturday, August 3, 2013

Why hire, just pay Bounty?

Let's go five years back. In 2007-08 the major news in the Information Security industry was:

1. Estonia recovers from massive Denial of Service attack
2. Spear phishing attack at Office of the Secretary of Defense
3. United Nations website hacked
4. Trend Micro website hacked

Strange that even after having top-in-class IT security infrastructure & talented resources from the security field, premier organizations got hacked! Does it mean the infrastructure and/or the 'security' human resources are useless?

Let's come back to 2012-13.

Organizations like Facebook, Google, Microsoft, PayPal, eBay and many more are allowing hackers to hack their websites! Well, there's no trap: you find vulnerabilities, exploit them, give a proof of concept to the security teams of those organizations, *that's it*.

So your next question might be, what's next? Why would a hacker give a POC to Facebook? The answer is simple: to earn bug bounties! I hate numbers, but let me give you some statistics: as per one source, Facebook alone paid 329 people across 51 countries a total bounty amount that exceeded $1 million!

Check out this website, which gives a list of organizations that have a bug bounty program: https://bugcrowd.com/list-of-bug-bounty-programs/

Just imagine, Facebook pays a minimum of $500 for a valid bug and there is no upper cap! The more severe the vulnerability, the richer you become!

I'm sure you might be thinking, what should I do to be a bounty hunter? Well, let me tell you, it's not difficult at all to find these bugs. The only thing you need is knowledge of how the internet works; it helps if you can play well with technologies like PHP, JavaScript, ASP.NET, Python, shell etc. (the list goes on); another great thing is awareness of the OWASP Top 10 vulnerabilities; and last but not least, patience! You might just find a bug in your college's website within minutes, but it may take months to find a bug in Facebook!

So my point is, even after having kick-ass security professionals in your organization, why do you still have to pay bounties? Aren't they effective in securing your organization's website? Why don't you just fire them and pay only bug bounties?

Well, in my opinion it's difficult to justify 'Why hire, just pay Bounty': no one and no organization on this planet can claim to provide 100% security. Risk is uncertain and technology changes very often, so there is absolutely no option other than having dedicated security professionals to monitor, plan and act on your organization's perimeter security! Let's talk about Java, one of the most widely used technology platforms. Lately Java has been in the news every now and then because of vulnerabilities in the platform. So if Java version XX is vulnerable to a certain attack (known to the public) and your application is built on Java version XX, then your application is vulnerable! Then Java releases an update, and if your IT/security team fails to apply it to your application, you'll possibly get royally hacked, even by a script kiddie.

I really like the concept of bug bounties; it's more or less similar to crowdsourcing, where you openly ask the general public to hack you! It may happen that you get tons of security bugs identified by kids which your 5yrs+ experienced security tester missed very easily. So you pay the hacker, who is termed a White Hat Hacker, and he spreads the word on social networks. A few more hackers read it & try hacking into your application, finding more bugs for you. In this way, even after being in production, your application gets tested by people every now and then. They contribute to your application, making it more secure than earlier, & in return they get paid for their efforts.

I would conclude by stating that our ecosystem is maturing day by day, and programs like bug bounties are helping organizations strengthen their fences not through their employees but through the intruders themselves!

NOTE: I'm strictly against differentiating hackers into White/Black; they are just 'hackers'. If a so-called White Hat Hacker can't think like a Black Hat Hacker (Cracker), he'll never be able to help you protect yourself from Black Hat Hackers (Crackers).

Happy (bug) Hunting!

Thursday, June 20, 2013

True Caller, breach of Privacy?

Me to Friend: "Hey, I got missed calls from this XXXXXX number, almost 10 times yesterday."
Friend to Me: "Give me 10 seconds & I'll find out who that is! I have the True Caller app on my Android phone."


Quite a typical scenario; you may just feel, wow, that's awesome, what a helpful app it is. But don't get too excited, there's a catch! Any unknown person can randomly search by a telephone number to find out whom the number belongs to.

So what I did is, I changed the last two digits of the ten-digit mobile number series & I could get the name of the person to whom each number belongs.

770 919 6001
770 919 6002
770 919 6003
770 919 6004
770 919 6005

I'm sure you might not be happy with this feature, which you may call 'search by number'. Telemarketing companies must be making the most use of this app, as they are getting a 'free' dump of potential leads from all around the globe.

I don't want to touch on any other pros/cons of True Caller, as I'm mainly interested in the 'search by number' feature.
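From a service operator's side, the pattern described above (one client walking through 6001, 6002, 6003 ...) is detectable in the lookup logs. The following is an added example, not True Caller's code or anything from the original post: a small detector that flags a client which looks up many numerically adjacent numbers within a short window. The log format, client ids, sample numbers and thresholds are all assumptions constructed for the example.

```python
"""Detect sequential phone-number enumeration in reverse-lookup logs.

Added example; the log format below is constructed, not a real product's.
Each line: "<unix_time> <client_id> <number_queried>".
"""
from collections import defaultdict

# Constructed sample log: one client walks a number range, two others do not.
SAMPLE_LOG = """\
1371700000 app-user-17 7709196001
1371700002 app-user-17 7709196002
1371700003 app-user-17 7709196003
1371700005 app-user-17 7709196004
1371700006 app-user-17 7709196005
1371700010 app-user-42 9980000123
1371703700 app-user-42 5551000001
1371700020 app-user-88 7709196002
"""

WINDOW_SECONDS = 600   # only lookups within a 10-minute window count together
MAX_ADJACENT = 3       # flag a client once it queries this many adjacent numbers


def parse_log(text):
    """Turn the constructed log text into (timestamp, client, number) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, number = line.split()
        events.append((int(ts), client, int(number)))
    return events


def find_enumerators(events, window=WINDOW_SECONDS, max_adjacent=MAX_ADJACENT):
    """Return {client: longest_run} for every client whose lookups inside some
    time window form a run of consecutive numbers (each differing by 1)
    at least max_adjacent long. Clients below the threshold are omitted."""
    by_client = defaultdict(list)
    for ts, client, number in events:
        by_client[client].append((ts, number))

    flagged = {}
    for client, lookups in by_client.items():
        lookups.sort()  # by timestamp, so lookups[i:] are at or after lookup i
        for i, (start_ts, _) in enumerate(lookups):
            # distinct numbers this client queried within the window from here
            in_window = sorted({n for ts, n in lookups[i:] if ts - start_ts <= window})
            run = best = 1
            for a, b in zip(in_window, in_window[1:]):
                run = run + 1 if b - a == 1 else 1
                best = max(best, run)
            if best >= max_adjacent:
                flagged[client] = max(flagged.get(client, 0), best)
    return flagged


if __name__ == "__main__":
    for client, run in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: run of {run} adjacent numbers, consider rate limiting")
```

A run like this is a natural trigger for per-client rate limiting or a CAPTCHA on the lookup endpoint, which removes most of the "free dump of leads" value without touching the feature for normal users.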

Let me give you an idea about how True Caller gets your details.
Somebody who has your mobile number & name saved in his phone installs the True Caller app. He does nothing more; his contact list gets synced with True Caller's database! Basically you have no control over keeping yourself from getting listed in this global directory!

But don't panic: True Caller offers you the freedom to get unlisted from their database/global directory. All you need to do is visit http://www.truecaller.com/unlist. If you are very much concerned about your privacy, just unlist yourself!

True Caller, in my view, is a 'new generation mobile Yellow Pages' which is being used all over the world. I have often heard/seen people making a fuss about True Caller & breach of privacy. But after reading http://www.truecaller.com/how-it-works/ one can understand why it's not really a 'breach of privacy'.

But there's still a catch: I'm unsure whether unlisting from True Caller really unlists you from True Caller's database. They might have a flag set next to every telephone number in their database which tells the app whether or not to show the number in search listings. So the number might not actually be deleted from True Caller's database. In that case, yes, this is a MAJOR privacy/security breach. And I highly suspect that must be the case with True Caller.

Finally, I would conclude that in this digital & connected world it is difficult to keep yourself 'private'. The word privacy holds literally no meaning when you do not control the data/information that is flowing through the web of interconnected electronic devices. If you want to hide yourself from True Caller's listing, just unlist yourself, but it might not actually unlist you from True Caller's database! So curse people for saving your telephone number in their contact list? Well, that would be silly, wouldn't it?

Friday, June 14, 2013

Compliance - The Dark Side

[Specific to Information Security]

Before touching on the main point, let me give you an idea about 'what exactly compliance is'.

In simple words, compliance is nothing but standard rules that are accepted all over the world. Entities in a particular industry have to comply with certain standards to gain licenses/customer trust in order to operate & generate cash flow.

For example, say you are an eCommerce entrepreneur who deals heavily with online money by using a third-party payment solution which is PCI DSS compliant. If you want, & if you have sufficient capability, to operate online transactions on your own, then you have to comply with the PCI DSS standard and get your facility certified, and you are ready to do business on your own!

Sounds simple, right? But this isn't simple at all!

Roughly, I would say there are a few steps:
  1. Identify your business vertical.
  2. Find out the different compliance regimes/standards which may be mandated or may help you win customers! (Some of your customers may explicitly ask you to comply with certain standards like ISO 9001 - Quality, ISO 27001 - Information Security etc. before dealing with you.)
  3. Identify the scope for which you would like to go ahead and get certified. (The scope can be a department within the company or the whole company.)
  4. Hire a consultant, get the standard implemented & get it certified by a Certifying Body!
Let's talk specifically about Information Security related compliance/standards like ISO 27001, PCI DSS etc.

Ideally, once an organization gets itself certified for the first time, it has to follow the guidelines/processes that are defined & then undergo recertification after a stipulated time period, say every 2 years. This ensures that the organization complies with industry best practices, i.e. the standards.

But what exactly happens?

Case 1: XYZ, a software development firm, contacts ABC, an information security consulting firm, and asks them to help in getting ISO 27001 certified. ABC deploys its resource on XYZ's premises and makes sure all the processes are as per the required standard. Once implementation is done, a Lead Auditor visits XYZ, audits the processes with respect to the ISO 27001 standard, and eventually XYZ earns the ISO 27001 certification. Barely a month later & they start operating the way they used to prior to earning the ISO 27001 certification, as if they had never heard of ISO 27001 compliance.
Meanwhile they keep winning customers by showing that they comply with ISO 27001 & are certified too!
Just before the certification expires they contact ABC & ask them to help with recertification. The IT manager asks every department head to make sure everybody is following all the policies, & again, for a while, the process documents start getting followed.

So why this *fuss* about compliance? Organizations today worry about compliance & not security, but they forget that merely getting a certificate for your organization doesn't guarantee you security unless your people, your employees, actually follow the processes religiously.

Hardening the servers and updating log books just before an audit can fool the auditor, but not the hackers. Today's hackers are sophisticated; they do proper reconnaissance before attacking your organization's assets. They know your weak links: your people. It might be easy for you to harden the servers, but it's a pain when it comes to hardening the people.

So how do you tackle this situation? A surprise audit, maybe yes! This should be done by the Certifying Bodies (CBs) who give out the certification to organizations. Once an organization is certified, after some period the CBs should do a surprise audit to check whether the organization is following the standard that is set! I have heard from experts that audits are never a surprise. But in my opinion there has to be a separate term, 'Surprise Audit', which should be carried out by the CBs in order to instil a certain discipline.

In my opinion the flow should be:
Compliance Implementation (Day 0 to Day 30) --> Internal Audit (Day 31) --> Patching of NCs (non-conformities) (Day 32 to Day 36) --> Final Audit (Day 40) --> Surprise Audit (~ Day 110)

Post security audit, the CBs should produce the NCs to the organization along with a warning. The organization should patch the NCs and produce a report to the CB. Any further NCs, and the organization's certificate should be revoked by the CB.

Though this will also not guarantee 100% security, it'll at least ensure things are more hardened than they were earlier. This will help the overall security ecosystem.

*** IMPORTANT NOTE: THESE ARE MY PERSONAL VIEWS, THIS HAS NOTHING TO DO WITH ANY PARTICULAR ORGANIZATION THAT I WAS/AM ASSOCIATED WITH ***


Wednesday, March 6, 2013

Smart Phones, are they really Smart? [InfoSec Perspective]

It was a pleasant night; I was having dinner when I got a call from my friend that she had lost her phone! If it were 2005-08 nobody would have panicked, but this is the Droid Age! And I left my dinner half done to search for her lost phone.

How many of you use smart phones? Today you will rarely find someone who is not using Android/WP/Blackberry; smart, isn't it? But it's correctly said, with great power comes great responsibility. In the case of smart phones it's the responsibility of protecting the data within them.

Let's take a scenario: when you buy a Droid phone, the very first thing you do is 'configure Google account' on the device. By doing so you are downloading your email headers directly onto the phone, syncing contacts with/without email IDs, mobile numbers and what not. What is it? It's data, which holds tremendous untapped value (unless somebody sells it on the market!). Most people don't realize this until it falls into the wrong hands.
Another scenario: you flaunt your Droid phone with its 5/8/12 megapixel camera with blah blah features and lens. And of course you click 1000s of pics; to hide some candid and *strictly private* photos you make folders inside folders and put them there [general case]. These smart phones give you the extra power of storing the location of the photos you have clicked! Great, isn't it? But imagine if you lost your phone and somebody copied all your photos to a computer and made great use of them!

So what to do? Come on, I'm not going to suggest that you not use *smart phones*, but all you need to do is be a little smart in order to use one!

My suggestions:

Step 1: Use an invisible pattern (1000 times better than visible patterns; it protects you from shoulder surfing) or a passcode to implement basic security on your smart phone.
Step 2: Go for the free versions of the antivirus apps that are available in the marketplace; many of them have a *theft protection* feature. The moment somebody takes the SIM card out of your mobile and puts in another, preset mobile numbers get an alert about the loss of your mobile, and some of them also provide the current location of the phone!
Step 3: Nowadays SD card locker apps are available in the market for free; do use them. Most photos, messages and other app data are stored on the SD card. If you apply this extra layer of security, it'll be hard to retrieve the data, & a wrong password attempt will eventually erase the data on the SD card.
Step 4: Remote wipe: this is a part of Mobile Device Management (MDM), and it's of great help as it can erase your data remotely if you happen to lose your phone.

If preventive measures are already in place, then it's most likely that you'll worry only about the mobile device and not the data if you lose your phone somewhere!

Smart Phones are not Smart without you being it first!


I don't want to claim that implementing the above controls will make your phone risk-free, but it'll definitely make it less vulnerable to data theft/loss.