Tuesday, December 18, 2012

New Viruses as reported

The recent techniques that attackers are adopting to target systems are pretty interesting. The Batchwiper malware detected by the Iranian CERT and the Trojan reported with evasion technology are the two recent developments. Batchwiper can be contained with certain precautionary measures, but the Trojan with evasion technology would certainly be something that could create widespread havoc.

With evasion technology, the anti-virus firms would need time and research to ensure that the right set of detection and quarantine techniques is used, so as not to jeopardize the O/S routines that the Trojans use to evade the AV.

The reported Trojan that waits for a left mouse click before executing its commands is one tricky case. Certainly, we can't stop using the mouse for fear of the Trojan getting executed.

Time to look out and dig deeper into these aspects to ensure that corporate as well as home users are impacted the least.

Saturday, October 13, 2012

Misconceptions around SSAE 16 / ISAE3402 / CSAE 3416

After my previous post, I received a mail from one of my friends about SSAE 16 / ISAE 3402. I replied to the friend and then thought, why not share the explanation with a wider audience. Maybe if I made a mistake somewhere, I would also get to learn:

Hi MT,
 
You are doing a good job...:-)
 
"The discussion was more centered around the need of Assurance Standards like SSAE 16 and ISAE 3402 and the interesting twist that was brought in was "If my organization is ISO 27001 Certified, do I still need to undergo SSAE 16 or ISAE 3402 Audits?"

It took me good enough time initially to make the person understand that the ISO 27001 standard and the controls framework revolves around the Information Security and not just IT Security."
 
Well, I've the same confusion... rather argument. Though ISO 27001 is focused on Information Security, it doesn't stop you from adding additional controls, if required. As it is a standard, everything is in black and white... nothing more, nothing less... just follow/comply with whatever is mentioned. If you need to add additional controls that you consider very important, then add the controls and comply.
 
Whereas SSAE 16 leads to confusion, as they allow you to define your own controls based on GCC (general computer controls). If I select 10 controls which I feel are important, for example, it is not necessary that you will agree with that, as you may have a different opinion and probably select a few different controls that you feel are important. In other words, if 2 people are asked to define the controls for the same environment, the list of controls will definitely not match.
 
Whether it is ISO 27001 or SSAE 16, the auditor will test the stated/defined controls and provide an opinion... of course in a different way, i.e. either a qualification or a non-conformity, but the end result is the same.
 
So, the question is still the same, "If my organization is ISO 27001 Certified, why do I still need to undergo SSAE 16 or ISAE 3402 Audits?"
 
Can you help me understand please?
----------------------------------------------------------
My Reply:

The point is the way the audit is approached. ISO 27001 is a fairly generic control set that revolves around industry-standard controls that may or may not be applicable to a given industry scenario. ISO 27001 is an organization-wide control environment where you may select or omit controls from within the 133 controls defined in the standard. You may add a new control, but it needs to be covered under one of the 11 predefined control clauses (domains). Once done, you define the SOA (Statement of Applicability) to identify the controls as applicable or omitted from your organizational environment. In such a case the audit is focused on the SOA and the reasoning for omitting a given control.

However, when you look at the specific set of operations for a given client, the environment may differ from the overall organizational control set. Certain controls from the current set of ISO 27001 controls may be applicable, and certain controls that have been omitted from the organizational perspective may be applicable in that scenario. This certainly requires organizations to go for SSAE 16 / ISAE 3402 (CSAE 3416 in the Canadian context) by defining a specific set of controls.

Let me give you an interesting perspective on the difference in scope between ISO 27001 and SSAE 16 / ISAE 3402 / CSAE 3416:
  1. ISO 27001 specifically focuses on the controls around Information Security; it does not cover other scope such as Contract Management, Delivery Organization & SLAs. These controls may be defined in SSAE 16 / ISAE 3402 / CSAE 3416, whereas ISO 27001 has no provision for these sets.
  2. ISO 27001 certification revolves around the set of 11 control clauses, whereas in the case of SSAE 16 / ISAE 3402 / CSAE 3416 the control clauses can be customized to suit the environment, operations and services to be covered.
  3. An interesting point is around the set of controls and operations that are covered in both cases. As mentioned above, ISO 27001 focuses on Information Security and the controls and operations around it. However, SSAE 16 / ISAE 3402 / CSAE 3416 can cover other sets of operations and controls such as Accounting Principles, Financial Controls etc.
  4. SSAE 16 / ISAE 3402 / CSAE 3416 SOC 1 controls and audit reports revolve around the Service Organization Controls that impact the client's Internal Controls over Financial Reporting (ICFR). ISO 27001 does not focus on ICFR.
  5. SOC 2 reporting focuses more on the 5 Trust Principles and how each control is implemented, monitored, executed etc. SOC 3 controls focus on the same 5 Trust Principles, but the objective of the report is different.
  6. SOC 1 & SOC 2 audit reports are restricted-use reports, and the intended audience is a limited set of people within the service provider and the client organization. SOC 3 reports are not so confidential and can be shared publicly as desired.
I hope this clarifies the difference between the two standards and their reporting requirements.

Saturday, October 6, 2012

Misconceptions around SSAE 16 / ISAE3402

Pretty recently I was involved in a discussion around the need for certification versus the need for assurance. It was a pretty interesting discussion that led me to evaluate the conceptions and misconceptions that prevail in the industry. I thought, why not share it with the rest of the folks who would like to participate in the discussion here (though the discussion is over in real life).

The discussion was centered more around the need for Assurance Standards like SSAE 16 and ISAE 3402, and the interesting twist that was brought in was: "If my organization is ISO 27001 Certified, do I still need to undergo SSAE 16 or ISAE 3402 Audits?"

It took me quite some time initially to make the person understand that the ISO 27001 standard and its controls framework revolve around Information Security and not just IT Security. The certification process and the audit methodology involved take a different perspective from the one that SSAE 16 or ISAE 3402 audits take.

Another argument thrown in during the discussion was that SSAE 16 and ISAE 3402 are aligned to the financial industry and that other industries do not benefit much from adopting these standards. I had a tough time addressing this point, as the people were not ready to accept it because the misconception had a deep-rooted belief behind it. To explain, I had to break down the entire audit and reporting perspective of SSAE 16 and ISAE 3402 by the audit reports and the manner in which the audit is approached. The discussion went from points to tangents with the counter-arguments, and there I had to actually dissect the SSAE 16 and ISAE 3402 reporting requirements as based on the impact to ICFR and the Trust Principles. The explanation around corporate governance and the impact to ICFR, and the relationship between the SSAE 16 SOC 1 Type II and ISAE 3402 Type II reports, helped the audience clear the misconceptions they were carrying.

Another aspect that came to my notice is the misconception around the reporting requirements in ISAE 3402. I was a bit startled that a person in a senior audit position came up with SOC 2 reporting requirements for ISAE 3402. I clarified to them that there is no SOC 1, SOC 2 or SOC 3 reporting requirement in ISAE 3402; however, ISAE 3000 provides a provision to customize ISAE 3402 reports to suit the reporting requirements, and the ISAE 3402 report may be based on SOC 1, SOC 2 or SOC 3 as may be deemed reasonable.

The next point was to distinguish between certification and an audit report that provides "reasonable assurance". Most of the participants in the discussion carried a misconception about SSAE 16 and ISAE 3402 "certification": they thought that the auditors issue or release a certificate of compliance. However, they took note when it was explained that SSAE 16 as well as ISAE 3402 audits do not result in any certification; rather, they result in the issuance of an audit report that "may be" called a report on compliance status, in which the auditors provide a "qualified" or "unqualified" opinion on the service organization's controls as defined and implemented for the given "client" operations.

This, however, is not the first time I have been in such a situation, where I had to explain the requirement to undergo an audit that is more of an attestation audit than a certification audit. But I hope that as these two standards come more into practice, the situation would not look so grim to me.

Friday, September 7, 2012

BYOD Program & Controls Requirement - II

As I wrote in the previous post, BYOD Program & Controls Requirement, I received a comment on WFH, but I am certainly not covering that in this article, as that is a separate topic of discussion. What is more interesting is the discussion point that broke out with a colleague over a cup of coffee. The discussion actually presented a counter-argument to the Jump Server configuration.

During the discussion I was very much inclined to the view, and still am, that an organization, as the first step of a BYOD program, should define the set of machines that it would allow. It is very important for the organization to define what it is going to allow. A deep dive on the topic reveals that the selection of devices would prompt additional thought, or should I say, depending on the support strategy for the BYOD program, the organization needs to define which devices would be allowed.

The various strategies would revolve around user experience versus technological deployments. If an organization would like to restrict user experience and go with technological deployments that ensure data security and related controls, it would then need to restrict BYOD to laptops and desktops (maybe, or when it's WFH). In this case the controls would be the set of controls already discussed in the previous post mentioned above.

If the organization selects user experience, then it would need to ensure that it provides support for any device and enhances the mobility of the user. This decision, however, needs to be based on the following decisions:
  1. What applications would be supported for BYOD, and what level of modifications / application changes would need to be carried out?
  2. What level of security would be needed to extend support to the devices?
  3. What would the application support be: browser-based only, or client-based, with part of the program sitting on the client side?
  4. Would VPN security be extended to the devices that would be supported?
There are many more questions that need to be answered for a successful BYOD program. The organization would additionally need to check whether a One Device, One Number sort of program should be adopted or not. If the organization decides to implement this program for increased mobility, it needs to ensure soft-phone support.

The BYOD program, as it seems, is not actually an easy decision to take, as the organization would need to answer many other questions, specifically those that would help it mitigate risks and meet compliance requirements in an operationally effective and efficient manner.

BYOD Program & Controls Requirement


BYOD, or Bring Your Own Device, is the way organizations are planning to go. The talk is abuzz in the corporate world, as it would help organizations reduce their IT budget and increase operational efficiency. In my view it is not that bad an idea, but it would require looking a bit deeper at the compliance perspective and the risks that would emanate when an organization runs BYOD. Organizations would need to invest in and manage various technological solutions to ensure that the data privacy and protection laws of the world are addressed and that a common framework of controls is enforced across all the devices that come into being due to BYOD.

The BYOD program, from the aspect of controlling data access and ensuring data protection, would need to evaluate and consider deploying the following technologies:
  • Jump Server – to log in to the organization's corporate network and provide a virtual desktop environment to the users. The virtual desktop would have all the desired user settings, including file & print configuration, proxy settings, mailbox configuration and the application shortcuts for the applications the user concerned needs.
  • Network Admission Control – to control the risks emanating from unpatched and unprotected personal devices that can introduce Trojans, viruses, worms, bots etc. into the corporate network. Organizations would need to look critically at investing in a strict anti-virus & patch management regime supported by the Network Admission Control devices.
  • Two-Factor Authentication – to ensure that password compromises do not impact / provide access to the corporate network. Additionally, this would also help organizations support a Work from Home (WFH) program, thus further reducing the operational cost associated with facility management for the ever-growing number of seats as the workforce increases.

These are just the indicative controls that should be considered, or rather implemented, by organizations seriously going down the BYOD path. Certainly the CXOs of the world would be better placed to take the final decision on the set of controls, from the likes of IDM, DLP and SSO, to add to these. This would certainly require an in-depth assessment of the requirements and the risks to an organization.

Sunday, February 5, 2012

Gadget - The Technology of Enslavement

When we look around ourselves, we find that we are living in an ever-evolving world of gadgets, or we can rather say that we are being enslaved by gadgets. So what is a gadget? Let's draw a caricature of a gadget with the following definition:
"A gadget is a small device or appliance with a particular functionality that may be considered a novelty over and above the existing technological products. They may be scaled-down versions of the technological products or may be upscale versions, but one thing they surely add to their use is comfort and user-friendliness." Gadgets are often referred to as gizmos also.
When we look at the gadgets that we have around us, we find them touching every walk of our life: right from the morning alarm to phones to the driving aids of Bluetooth and to e-readers, all have evolved over the past decade or so. Below we discuss some of the most talked-about gadgets today:
1. Smartphones – With features like alarms, digital diaries, notes, email, news and web surfing, e-books, chats and messengers, cameras etc., they have changed the way the world used to communicate. Add to that the new generation of smartphones that have video-calling facility.
2. E-readers – They have really reduced millions and zillions of pages into small and thin electronic readers, providing the ease of carrying our favorite books whenever and wherever we go. Add to that the books available for free and the subscription-based facility to be able to choose from thousands of books in just one thin device, even smaller than our usual textbooks.
3. Digital Cameras – Gone are the days when we had to buy the camera and the roll of film and then run around on the errands of getting the roll developed and printed. Now we are in an era where we can simply take a photo and share it with our friends and family across geographies in minutes with just a click. Indeed, the new generation of cameras is talking about sharing on social networks via Wi-Fi connectivity.
4. Tablets – The new generation of computing devices that have really blurred the difference between a smartphone and a laptop/desktop. Moreover, the touchscreen, the camera, the video capture functionality, the e-reader etc. are all merged in this one device, which provides the facility to connect either through Wi-Fi or the normal mobile phone network. Though they are not yet a success in India, the future is still bright for them.
5. Game Consoles – With the PlayStations and Xboxes, games have entered the living room of the house, with video sensitivity added and motion detectors helping you imitate the real world. These gaming consoles have also converged the normal social points into the living room by bringing the TV and the gym into our living rooms.
So indeed, it is not exaggerating to say we are becoming slaves of gadgets and drifting into a world of monotony.

Thursday, January 12, 2012

Process v/s Technology

I often get into these sorts of arguments where the technology implementation teams keep telling me that the documentation they have been told to do is just a waste of time, and I keep telling them to follow the documentation protocols, without which I would not sign off the implementation.

Yeah, they call me the Bad Boy of IT because they see me as the STOP sign in the way of their "successful" implementations. I tell them, be that as it may, I am not going to let them go without adequate documentation, right from the planning stage to the build guide to hardening and then the management and monitoring activities.

I really get a lot of flak from, incidentally, the same set of people, even after repeatedly telling them that the industry doesn't just run on technology but relies a lot on the associated processes: the processes that are defined and designed to be repeatable, continuous, consistent and so on.

Technology certainly is an enabler, but to get the desired output from a technological deployment, and to get the desired support during break-fix and troubleshooting, the processes followed play an important role. If we follow the process during the initial stages and document the way the implementation has been carried out, it would be easier for the operations team to manage and troubleshoot the implementation if the need arises. If we document the break-fix, management and maintenance activities right at the time of implementation, the overall manner in which the teams handle the technological deployment would be the same irrespective of the person handling the task. This would bring a consistent approach to dealing with problems and documenting them to create a Known Error Database (KEDB) or Knowledge Management Database (KMDB). This would certainly help reduce the time spent on error handling or problem management, as the team involved would not have to re-invent the wheel to identify the solution.

Processes, though seen as time-consuming, are actually there to make one's life easier and smoother. It is thus important to understand the role of processes in the technological world.

For me, both process and technology are vital cogwheels of the cart, and without them the survival of IT would be tough!!!