Stealing Credit Card information from POS

Theft of credit card information when cards are used on the Internet is a well known risk. It has also been observed that some criminals buy credit card information by bribing the employees of merchant establishments, or simply steal the POS swiping device itself. Others set up bogus businesses offering goods at low rates only to harvest the credit card details of the buyers. Now it has been reported that a virus named Dexter has been identified which resides in the point of sale equipment used by merchants and has the capability to steal credit card information from it. Details

Posted in Cyber Crime

Vulnerabilities in human space

According to NIST (National Institute of Standards and Technology), a “Vulnerability” in the Risk Analysis context is defined as a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy”.

An organization undertaking a TIA (Total Information Assurance) program needs to identify the vulnerabilities in all three dimensions, namely technology, law and human resources.

In this article let’s briefly focus on some of the vulnerabilities in the human system.

“Social engineering” is one of the most successful attacks on system security and causes data breaches time and again. For a Social Engineering Attack (SEA) to succeed, the organization must have vulnerable people inside it. An organization trying to mitigate its human risks therefore needs to identify its weak spots and fortify them.

Human risks arise for various reasons, such as

a) Faulty recruitment
b) Faulty training
c) Faulty personnel management

At the time of recruitment it is necessary for an organization to carry out an effective “background check”. Normally a “Background Check” is understood as verifying the educational documents submitted or obtaining the previous employer’s confidential report. These are of course necessary but are not sufficient. What is important is a “Psychographic Analysis” of the employee and its mapping to the known working conditions of the organization. To achieve this, the candidate may need to be subjected to an appropriate “Aptitude Test” through which his psychographic profile can be mapped. Some of the attributes that need to be assessed are “Propensity to deviate from procedures”, “Ability to cope with stress”, “Attitude towards Authority”, “Attitude to revenge”, “Attitude to Money”, etc.

It is necessary to understand that no person is perfect, and hence it is natural to find some elements of “Undesirable traits” in every employee. Sometimes a “Trait” is a reflection of circumstances, and an employee may change significantly over time. Expertise is therefore required to assess the results of the tests properly without unfairly branding any new employee. The observations made should nonetheless be used to design an appropriate tracking mechanism to follow the employee’s development in the organisation over a period of time.

This should be followed up during the course of employment with appropriate training based on the TISM model (Theory of Information Security Motivation), which includes three elements of personnel management, namely Awareness, Acceptance and Inspiration, besides Availability and Mandate. Strategies such as “Whistle blowing”, “dispute resolution through an ombudsman” etc. are additional measures that an organization needs to consider.

Further, when a person leaves the organization, an analysis of the “Exit Interview” is also required so that the organization can review the mistakes it has committed and improve. It is obvious that the “Exit Interview” has to be conducted by an authority to which the outgoing employee is likely to express his views freely and in good faith. It is also necessary to accept that most exits happen under stress and disappointment, and a certain level of negative feeling about the management is normal. Such views have to be interpreted properly and without causing undue damage to the existing employees.

It is clear that dealing with human risks is not a simple HR function. In fact most organizations may not have the in-house expertise, since the HR function may be overburdened with the day-to-day affairs of managing new recruitment, allocation of personnel to different projects and attrition related issues. “Evaluation” of the behavioural aspects of people has to be handled by experts in behavioural science with an adequate understanding of Cyber Sociology, Cyber Criminology and related aspects.

The subject of “Cyber Space Behavioural Analysis” is an emerging field of study and will be an important ingredient of HR personnel’s training in future.

Naavi

Posted in Cyber Crime, Cyber Law, Information Assurance

Starting an Information Assurance Program

Information Assurance (IA) is a management initiative to ensure the Confidentiality, Integrity, Availability, Authentication and Non Repudiation of information in an organization. Taking into account the practical difficulties involved in achieving a satisfactory level of IA, Naavi has suggested a “Total Information Assurance” (TIA) plan under a “Modular Implementation” strategy. The essence of this Total Information Assurance for Modular Implementation approach (TIA4MI) is to set up achievable milestones that the organization can effectively address in its IA program, so that it reaches its TIA objective in measurable steps.

[Figure: the IA pyramid diagram (iaf_pyramid2), showing the five levels Availability, Integrity, Confidentiality, Authentication and Non Repudiation from bottom to top]

The TIA4MI approach depicted in the above diagram envisages that the focus of the organization in Level I will be to ensure “availability” of information to meet its business needs. This will be followed by “Integrity”, “Confidentiality”, “Authentication” and “Non Repudiation”, in that order. At each target level, the focus is on the core objective of that level. However, it must be remembered that the levels below the target level are assumed to have already been addressed to a satisfactory degree, while concurrent implementation of the higher level objectives is considered desirable.

Once an organization resolves to start a TIA program, it needs to go through the process of “Risk Analysis” to identify the risks and the steps needed to mitigate them.

Risk analysis depends on the “Threats” and “Vulnerabilities” that exist in relation to the information assets of an organization. We must understand that “Vulnerabilities” exist within the systems and “Threats” arise from outside the systems.

“Vulnerability” represents a “Flaw” or “Weakness” in system security procedures, design, implementation or internal controls that could result in a breach of security either through a deliberate action or through an accident.

“Threat”, on the other hand, is the potential for such vulnerabilities to be exploited. Threats may arise from external sources and are not under the control of the organization.

Many organizations that are in the process of adopting IT in their business are driven by operational requirements and often do not factor in Information Security as a part of their IT objectives. As a result they reach advanced levels of IT implementation without proper incorporation of Information Security principles. When such organizations decide to undertake an IA program, the management suddenly realizes that it does not know where to start.

Of course they can start by inviting an external IA Consultant and begin their IA program under his guidance. However, it would be advisable for the organization to at least prepare the foundation from which it can have a meaningful dialogue with the IA consultant. A lack of understanding of the issues involved may make it difficult for the IA consultant and the organization to arrive at a mutually acceptable engagement. In fact the IA consultant will not be able to make a proper estimate of the effort required for IA implementation, and hence the dialogue may become frustrating.

In order to improve the quality of the dialogue with the IA consultant, it is essential for the organization to develop its own understanding of what IA requires in its context.

The very first step in this direction is for the organization to understand what information it intends to protect and where that information is located. In other words, it needs to “identify” the information, “classify” it into different categories such as “Personal”, “Sensitive”, “Business” etc., and “locate” it within the organization.

This Identify-Classify-Locate exercise (ICL Exercise) is the first step that an organization needs to undertake when embarking on an IA program.

It is possible that even this ICL Exercise may require an organization to call in an external consultant for assistance. This should however be treated as an “Information Assurance Preliminary Study” rather than an “IA Risk Analysis”.

Some organizations may treat the ICL exercise as part of the IA Risk Analysis and expect the consultant to undertake it. While there is nothing wrong in this approach, the problem arises when the organization does not understand the difference, which makes it difficult for it to appreciate and accept the effort estimates that must be agreed before the consultant begins his work. Without completion of the ICL exercise it is also not possible for the IA consultant to arrive at an effort estimate.

These problems are more common in SMEs that are undertaking an Information Assurance audit for the first time, and also in most of the e-Governance projects.

“ICL before IA” is therefore what Naavi suggests organizations adopt as a management principle as they try to move from IT implementation to Information Security consideration.

Naavi

PLEASE NOTE:

This website has been in existence since 1998.

Older posts, from before the site switched to WordPress, are available through the link at the top and here below.

OLD POSTS

Posted in Information Assurance

Beware of Bogus LinkedIn invitations

Invitations from unknown persons on LinkedIn, Facebook or other sites are considered potential risks, since accepting such invitations could lead to the downloading of dangerous viruses.

Even if an invitation appears to come from a friend, it cannot be relied upon, since the email could be spoofed.

It is better to delete such emails and go directly to your LinkedIn or Facebook account and accept invitations from your inbox there. Related Story
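The spoofed invitation email discussed above can often be spotted by looking at where its links actually lead. The following is an added example, not code from the original post: it parses a constructed HTML invitation email, checks the sender's domain, and flags every link whose target host is not linkedin.com (or a subdomain of it), as well as links whose visible text shows a linkedin.com URL while the href goes elsewhere. The sample messages, the trusted domain and the helper names are assumptions made for the example. Note that a forged From header is not caught by the sender check, which is exactly why the advice above (go to the site directly instead of clicking) still stands.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: genuine invitations come from, and link to,
# linkedin.com or one of its subdomains.
TRUSTED_DOMAIN = "linkedin.com"

# Constructed sample: a spoofed invitation (203.0.113.10 is a documentation address).
SAMPLE_SPOOFED_INVITATION = """\
From: LinkedIn <invitations@linkedin.com.example.net>
To: victim@example.org
Subject: Join my network on LinkedIn
Content-Type: text/html; charset=utf-8

<html><body>
<p>I'd like to add you to my professional network on LinkedIn.</p>
<p><a href="http://203.0.113.10/accept?id=4711">Accept</a></p>
<p><a href="http://linkedin.com.example.net/login">https://www.linkedin.com/</a></p>
<p><a href="https://www.linkedin.com/help">Help</a></p>
</body></html>
"""

# Constructed sample: an invitation whose sender and links are all on the trusted domain.
SAMPLE_GENUINE_INVITATION = """\
From: LinkedIn <invitations@linkedin.com>
To: victim@example.org
Subject: Join my network on LinkedIn
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.linkedin.com/e/accept?id=4711">Accept</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host, trusted=TRUSTED_DOMAIN):
    """True for the trusted domain itself and its subdomains; 'linkedin.com.example.net' is not."""
    return host == trusted or host.endswith("." + trusted)


def check_invitation(raw_email, trusted=TRUSTED_DOMAIN):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_email)
    findings = []

    # Sender check: cheap, but a forged From header passes it, so it is only a first filter.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not is_trusted_host(sender_domain, trusted):
        findings.append(f"sender domain {sender_domain!r} is not {trusted}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)

    for href, text in collector.links:
        host = host_of(href)
        if not is_trusted_host(host, trusted):
            findings.append(f"link {href!r} (shown as {text!r}) leads to {host!r}")
        # A URL displayed as link text that differs from the real target is a classic phishing tell.
        shown = re.search(r"https?://\S+", text)
        if shown and host_of(shown.group(0)) != host:
            findings.append(f"link text shows {shown.group(0)!r} but target host is {host!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("spoofed", SAMPLE_SPOOFED_INVITATION), ("genuine", SAMPLE_GENUINE_INVITATION)):
        print(name, "->", check_invitation(sample) or "no findings")
```

Run as a script it reports four findings for the spoofed sample (the sender domain, the bare-IP link, the look-alike domain link, and the mismatch between that link's text and target) and none for the genuine one. The parser deliberately ignores the displayed text when deciding trust and looks only at the href host, because the text is what the attacker controls to make the mail look right.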

Posted in Cyber Crime

Facebook to introduce “Paid Message Delivery”

Facebook has started a test of delivering messages to Facebook users from people other than their friends, against payment of money. Refer here

I see an advantage in this service for delivering legal notices to Facebook users who might have committed offences such as creating a fake profile etc. At present such notices have to be routed through Facebook. Even if only this business is considered (which is price insensitive), Facebook is likely to generate good revenue from the proposed service.

Posted in Privacy

Instagram service rules changed

Instagram is a service intended to make the sharing of mobile pictures on social networking sites easy. However, the privacy rules attached to the service recently raised a ruckus, as it was felt that the private photographs shared by people on Facebook could eventually be sold for commercial exploitation without the users of Facebook deriving any benefit.

It is now stated that these changes in the Instagram rules have been withdrawn. Refer Here

Posted in Privacy, Uncategorized