Shariyaz Abdeen
I am a Technical Project Manager with 10+ years of experience managing medium to large scale software development and cloud migration projects, with a keen interest in information security and cloud infrastructure migration.
My passion for information security has driven me to stay up to date with the latest trends and technologies in the field, allowing me to effectively manage and protect sensitive information.
Shariyaz's Information Security blog highlights the Information Security vulnerabilities.
Saturday, August 24, 2013
Thursday, August 1, 2013
Information Security Guide for Parents - Part 1
Online Information Security Guide for Parents
Nowadays information security plays a vital role in our day to day life, especially since social media has gone mainstream among teenagers. Sharing personal information with friends and connecting with new people, online banking and online shopping have all become the trend. Users who post personal data online are exposed to threats, so let’s consider the rising threats that come with these trends; this article will highlight how to mitigate these attacks.
First of all, let’s dig into social networks. People post sensitive data such as pictures, connect with strangers, and chat and message people they have never met before. Anyone with malicious intentions can deceive people and tempt them to reveal sensitive personal data, which is then used for scams and even blackmail. So let’s see how we can mitigate this. First, control the visibility of your sensitive data: do not reveal sensitive data in the public domain, use the visibility options in social networks to protect your private data, and stop it from being listed in search engines for public access. It is also very important to be careful about whom you add as a friend on social networks; best practice is not to add strangers. Most social network attacks are based on deception, which is also called social engineering, and it can be used to carry out identity theft and take over your online presence.
When we look into online payment fraud, credit card fraud, banking fraud and social network password hacking attempts, a technique called phishing is frequently used. The basis of this attack is creating an identical copy of the original web page and tricking the user into entering their credentials, such as the username and password. For instance, you receive an email that appears to come from Facebook and contains a link to win a free iPhone. The temptation is irresistible, so users click the link, land on a page that looks like Facebook and enter their credentials, which are captured by the attacker.
To mitigate this we have to click links with caution. Also, by analyzing the URL we can easily tell the fake Facebook login page from the original (http://www.facebook.com), because even though the attacker can create an identical page, they cannot manipulate the URL of the real site. A couple of other factors to consider while making an online payment: check whether the URL changes to HTTPS, which uses Secure Sockets Layer (SSL) encryption, so that the data transferred between the server and your PC, such as bank logins and credit card details, is encrypted. An attacker who monitors your internet traffic with an attack such as sniffing will then not have access to your bank login or credit card details. We can also follow some basic guidelines such as installing a virus guard and updating it frequently to shield your data against viruses, Trojan horses and worms. Using strong passwords, or making your password bomb proof, will protect you from brute force attacks. To strengthen passwords, use at least one upper case letter, one lower case letter, one number and one special symbol character, and exceed a password length of 8 characters.
No system is perfect; in fact, the only way to make one safe is to lock the computer in a safe and bury it underground.
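As an added example (not from the post), the following Python puts the two checks above into code: it compares the host of a login link against the genuine host, rather than looking for "facebook.com" anywhere in the address, and it applies the password rules the post lists. The trusted host list and the sample links are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of the genuine login host(s). In practice this is the
# address you typed yourself or bookmarked, never one copied from an email.
TRUSTED_LOGIN_HOSTS = {"www.facebook.com", "facebook.com"}


def check_login_url(url: str, trusted_hosts=TRUSTED_LOGIN_HOSTS) -> dict:
    """Report whether a login link points at the genuine host over HTTPS.

    The attacker can copy the page pixel for pixel, but cannot serve it from
    the real host name, so the host is the part to compare.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Compare the whole host: "www.facebook.com.example.net" *contains* the
    # trusted name but is a different domain, so a substring check would fail.
    host_trusted = host in trusted_hosts
    uses_https = parts.scheme == "https"
    # "https://www.facebook.com@evil.example/" puts the trusted name in the
    # userinfo part; urlsplit correctly reports evil.example as the host.
    has_userinfo = parts.username is not None
    return {
        "host": host,
        "host_trusted": host_trusted,
        "uses_https": uses_https,
        "has_userinfo": has_userinfo,
        "safe_to_enter_credentials": host_trusted and uses_https and not has_userinfo,
    }


# Character classes the post asks for, plus the length rule (more than 8).
PASSWORD_RULES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
MIN_PASSWORD_LENGTH = 9  # "exceeding the password length of 8 characters"


def check_password(password: str) -> list:
    """Return the names of the rules the password fails; an empty list passes."""
    failures = [name for name, rx in PASSWORD_RULES.items() if not rx.search(password)]
    if len(password) < MIN_PASSWORD_LENGTH:
        failures.append("length")
    return failures


if __name__ == "__main__":
    for link in ("https://www.facebook.com/login",
                 "http://www.facebook.com.win-iphone.example/login",
                 "https://www.facebook.com@evil.example/"):
        print(link, "->", check_login_url(link))
    for pw in ("password", "Tr0ub4dor&3xtra"):
        print(repr(pw), "fails:", check_password(pw) or "nothing")
```

The URL check is deliberately strict about the whole host name, because lookalike addresses usually contain the real name as a prefix or in the userinfo part; it says nothing about the page content, which is exactly the part an attacker can copy.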
1. Introduction for parents on online child safety
The internet has become the information highway of a teenager’s day to day life. While the internet opens the door to many opportunities to learn and share knowledge, it also opens a gateway to content that can harm a child, such as pornography, illegal communities or illegal content, with a click of the mouse. The internet is also the ideal place for a stranger to introduce himself and keep in touch very easily using social networks, chat, any VoIP (Voice over Internet Protocol) facility such as Skype, or email. There is nothing wrong with surfing the internet, but parents and children should be aware of what lies beyond the browser. On the other hand, the internet enables them to make new friends in distant places and to stay in touch with old friends. It encourages shy people to come out of their shell, which would also indirectly equip them to appreciate the people around them. Research on these two paradoxical views has shown that the internet does not undermine the development of social and communication skills.
Children should be aware of the information they submit to web sites and of the standards the organization behind the site should follow. In particular, children should go through the data assurance and privacy policy of a web site before disclosing personal information. This is very important because most social networks gather personal data about individuals and sell it to third party vendors, who use the information as part of their marketing strategy.
What are your responsibilities in protecting your personal data?
· Think before disclosing your information, and think again.
· Never give your bank account or password information when the conversation was not initiated by you.
· Only disclose information that is needed by the organization.
· Question why someone might ask for your particular personal information.
What are your rights? [1]
You have the right to:
· Obtain a copy of all of the personal information that an organization holds about you. You may need to pay a small fee to the organization.
· Choose not to receive direct marketing information. You can request this by writing to the organization concerned.
· Have incorrect, misleading or out-of-date personal information about you corrected.
· Know whether an organization, or someone acting on its behalf, is processing personal information about you.
· Know what information is being processed, why it is being processed and to whom it may be disclosed.
· Know where an organization received its information about you.
Monday, July 8, 2013
Data Leakage Prevention
Securing an Organization's Confidential Data with Data Loss Prevention Systems
Data leakage prevention is one of the key topics we have been talking about recently. With organizations moving towards big data, financial systems, ERP and other data storage solutions that reside in cyberspace, we have seen an increasing number of frauds associated with the technology revolution in cyberspace. It’s all about data.
This post highlights the threats and the countermeasures, so that we can protect sensitive personal data. I prefer the “trust but verify” approach, because if the statistics are anything to go by, most malicious attacks are carried out with the involvement of internal users. Therefore we have to protect the data in line with security standards and the privacy laws of the countries concerned. In my view there should be a balance between security measures and privacy.
Potential Threats
ID Theft Tops FTC's List of Complaints
• For the 5th straight year, identity theft ranked 1st of all fraud complaints.
• 10 million cases of identity theft annually.
• 59 percent of companies have detected some internal abuse of their networks.
Top 10 Most Frequent Incidents
- Patient PHI sent to partner, again, and again
- Employee 401k information sent outbound and inbound
- Payroll data being sent to home email address
- Draft press release to outside legal counsel
- Financial and M&A postings to message boards
- Source code sent with resume to competitor
- SSNs… and thousands of them
- Credit card or account numbers… and thousands of them
- Confidential patient information
- Internal memos and confidential information
Data Loss Prevention - Three Key Customer Challenges
- Where is my confidential data stored? – Data at Rest. This addresses data storage and databases.
- Where is my confidential data going? – Data in Motion. This addresses data leakage protection, which is done in the network layer.
- How do I fix my data loss problems? – Data Policy Enforcement
Why Data Loss Prevention is a Priority
• Compliance
• Brand and Reputation Protection
• Remediation Cost
Unified Data at Rest and Data in Motion Protection
DLP Solutions
Now let’s consider the solutions available to mitigate this and secure your data. DLP solutions are sophisticated tools that can be used to protect data while giving you insight into your data. Below I have added some market leading DLPs and some of the features that caught my eye. Most DLPs have the same features, but depending on the vendor, the product's maturity and a few features change. In almost all DLPs, data leakage protection is broken into three layers: network data protection, storage data protection and endpoint data protection.
Definition of Data Loss Prevention
“Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use, through deep content analysis.” - Rich Mogull of Securosis
Identify the holes or exit points where leaks may occur
- Instant messaging (Yahoo Instant Messaging, Windows Live)
- P2P file sharing (e.g. the LimeWire case as reported by the LA Times)
- Media streaming
- Web mail (Yahoo Mail, Gmail, Hotmail)
- USB storage devices (ZDNet story from the UK)
- Removable drives
- Devices connected through external ports (Firewire, serial, parallel)
- FTP servers
- Printouts
How data are flagged and identified
Initial predefined policies
- Social security numbers
- Data prescribed in HIPAA, SOX, GLBA, etc. (bank account numbers, credit card numbers)
- Customized categories based on client needs
Data Discovery
- Looks into the content and not just the file type
- Examines context considerations (factoring in parent directories, user group matching)
- Structured data matching (SSN, credit card numbers, etc.)
- Unstructured data matching (diagrams, source code, media files)
- Fingerprints the data using a one-way hash and saves the fingerprints in a database
- The fingerprints can then be used to identify confidential data elsewhere
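As an added example (not from the post or from any DLP vendor's product), the following Python sketches the two discovery techniques listed above: structured matching for SSNs and payment card numbers, with a Luhn check to cut down random digit runs, and fingerprinting of a confidential document by hashing overlapping word windows with SHA-256 so that fragments of it can be recognised in other content. The memo, the sample files and the patterns are constructed for the example.

```python
import hashlib
import re

# Structured data patterns. The SSN pattern rejects areas 000, 666 and 9xx,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def shingles(text: str, n: int = 5) -> set:
    """Overlapping n-word windows of the normalised text."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def fingerprint(text: str, n: int = 5) -> set:
    """One-way hashes of the shingles; store these, not the document itself."""
    return {hashlib.sha256(s.encode("utf-8")).hexdigest() for s in shingles(text, n)}


def scan(text: str, protected_fp=frozenset(), n: int = 5) -> list:
    """Return (kind, detail) findings for one piece of content."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", m.group()))
    # Number of hashed chunks of the outgoing text that belong to a protected document.
    hits = fingerprint(text, n) & set(protected_fp)
    if hits:
        findings.append(("fingerprint", len(hits)))
    return findings


def scan_all(contents: dict, protected_fp=frozenset()) -> dict:
    """Scan a mapping of name -> text and keep only the items with findings."""
    results = {name: scan(text, protected_fp) for name, text in contents.items()}
    return {name: f for name, f in results.items() if f}


# Constructed sample data for the example.
PROTECTED_MEMO = (
    "Internal memo: the acquisition of Example Corp will be announced on the "
    "first Monday of the quarter and is not to be discussed outside the board."
)
MEMO_FP = fingerprint(PROTECTED_MEMO)

SAMPLE_CONTENT = {
    "payroll.txt": "Payroll for J. Doe, SSN 123-45-6789, deposit to the account on file.",
    "order.txt": "Customer paid with card 4111 1111 1111 1111, expiry 01/30.",
    "ticket.txt": "Reference 4111 1111 1111 1112 is an order id, not a card number.",
    "leak.txt": "FYI the acquisition of Example Corp will be announced on the first "
                "Monday of the quarter, keep it quiet.",
    "lunch.txt": "Friday lunch menu: soup and sandwiches.",
}

if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_CONTENT, MEMO_FP).items():
        print(name, findings)
```

Only the hashes of the memo are kept, which is the point of the one-way fingerprint: the DLP database can recognise the memo's sentences in an outgoing email without holding a readable copy of the memo. The Luhn check is what keeps "ticket.txt" out of the results even though it contains a 16-digit number.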
Three different levels of DLP solution
- Data in Motion: data that uses the HTTP, FTP, IM, P2P and SMTP protocols is mirrored to the DLP server for inspection, where visibility is enhanced.
- Data at Rest: data in file servers, databases, host computers set up for file sharing, etc.
- Data at End Points: data that sits on end user hosts (workstations and notebooks).
Technical Feature Considerations
- Deep content analysis, monitoring and prevention: identification and blocking capability
- Centralized Management: central policy setting, dashboard features
- Broad content management across platforms and ease of integration: review of the information infrastructure, including software, for requirement and compatibility issues
- Automated remediation: transfer of confidential files, LDAP lookup, secure purging of sensitive data
Business Environment Considerations
- Matching with Business Need: matches a defined business need over feature allure
- Market Presence: major presence in the market, financial industry experience
- Staffing Needs: staffing considerations to handle the additional responsibilities
Email Security with DLP
End point Security with DLP
Nowadays DLP solutions have a couple of interesting technologies that provide endpoint data leakage prevention methods to support upcoming endpoint trends such as BYOD (Bring Your Own Device).
The setup below is an example of how endpoint security can be configured for the mobile devices in your company network. But to function properly, your existing proxy server must support HTTPS decryption; proxies such as Squid and ISA don't support HTTPS decryption.
DLP Vendor Comparison
Trust but Verify - Threat modeling
At the end of this blog I would like to remind you that DLP is another example of the Trust but Verify model, as OWASP threat modeling says. But again, we should carefully analyse the pros and cons of the solution before implementing it.
Author - Shariyaz Abdeen
Monday, March 18, 2013
Information Security - How to Secure Your Data
Author - Shariyaz Abdeen
