Saturday, July 13, 2013

Simplifying ISO 27001 Clause A.10.10

Clause A.10.10 revolves around monitoring, with the objective of detecting unauthorized information processing activities.  Though there can be many ways to do this, automation is the preferred way owing to the volume of logged data; reviewing logs manually becomes an inhuman task.

But when I look at the various sub-clauses of the Standard, I tend to infer the following points - 
  1. It is not mandatory to have a SIEM or any automated solution for real-time log collection and analysis.  Clause A.10.10.1 states - "Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring."  That means logging is important; whether or not you do it in real time is not compulsory.  A review is indeed required.
  2. Added to the above is Clause A.10.10.2, stating - "Procedures for monitoring use of information processing facilities shall be established and the results of the monitoring activities reviewed regularly".  Going by this, the standard does not insist on either an automated or a manual process; the organization may choose to do it manually or automate it depending on the business requirements.  If your procedures state that the activity would be done manually, that would be fine as long as you can evidence that the logs are being reviewed and that monitoring is being conducted, with regular reports rolling out.
  3. Nothing in ISO 27001 is mandatory, not even clause A.10.10.  You may choose whether or not to adopt a control, and develop the "Statement of Applicability" limiting the scope and extent of adopting the ISO 27001 standard.  The scope may be limited to geographic locations, systems, facilities, departments, personnel involved, operations, etc.  However, due caution needs to be taken while developing the Statement of Applicability to provide a valid, business-driven reason to exclude any of the controls and the related scope.  Be cautious that auditors may call out the inter-dependencies of the systems and/or operations, citing the touch points, and may therefore press that there is a non-conformity.
Overall, specifically with regard to clause A.10.10, I see no problem with the manual approach as long as it is duly documented and followed.  Auditors would generally call out a "Need For Improvement" in their observations, and time would be given till the re-certification audit.  It would hence be appropriate to define a plan and lay out a way forward to achieve automation over a period of time.  Auditors would be fine if they see that there is an intent to achieve this, and they would then audit accordingly.

As I conclude, please note that ISO 27001 doesn't tell you how to do it.  The standard lays out what is to be done, and that too from the best-practice standpoint.

Friday, July 5, 2013

Use of Technology for Payment Transactions

The days when we used to make payments with hard cash are long gone.  With the advent of new-age technology, bank cards (debit/credit) and Internet banking, we all go for the convenience of paying from the comfort of our home and/or office.  Payments made this way can be tracked without dealing with the trouble of paper receipts.

That said, it is critically important to review the options before making payments using technology, because along with the convenience of making payments, technological advancements have provided newer ways for attacks and scams.  Initially there were phishing attacks, where the attacker would host a dummy site for the target bank, collect the required information and enjoy the proceeds.  As users got smarter and banks started implementing tighter security norms and getting the fake sites taken down, there came the vishing attack, where the attacker, posing as a genuine phone banker or customer service associate, tries to extract relevant information including sensitive personal information and the PIN/CVV/CVC of the card being discussed.  In many instances customers do fall prey to such calls and end up losing their hard-earned money.  A typical case can be read here - Paying bill online costs man Rs 50,000

Now the main points to be noted while making online payments or carrying out online transactions are - 
  1. For making online payments, ensure that you register the organization to whom you want to make the payment at your bank's Internet banking site
  2. If you find it cumbersome to register the biller at your bank's site, please ensure that you make the payment from the official site of the biller, and by creating your own account on that site
  3. Ensure that you DO NOT use any third-party website for any online bill payment; they may claim to facilitate the transaction, but this is NOT always safe
Another aspect that needs care is payment through the IVR system of the biller or the bank.  It is important to note the following points - 
  1. Never reveal sensitive information like CVC/CVV/PIN during an automated call or while talking to the phone banker or customer service representative
  2. It is critical to note that you never get a call from either the bank or the biller asking you to share your sensitive information to enable payment through phone banking or IVR.  A payment through IVR or phone can only be initiated when you call the bank or the biller to make such a payment
  3. If anyone claiming to be from the bank or from the biller seeks your PIN/CVV/CVC or other information that is generally not sought by banks/billers, disengage from the call and raise a written complaint with your bank/biller through the net-banking/biller website.  This will trigger an automated response to your mailbox.  Do not reply to that address; just wait for an official mail from your bank (delivered to your net-banking inbox) and/or biller (delivered to your registered email address).
  4. You have the choice to refer the case to the Consumer Forum / RBI / Appellate Tribunal, depending on your preference and the party involved.  When you refer the case to the concerned authority you would need to provide details of the transaction being referred, the person's name (if you remember it), the time you made the call, the duration of the call and a summary of the call proceedings.  Remember that IVR calls are always recorded, so in such a case your claims can be verified at the bank's/biller's side.
So, being safe is in your hands, and ensuring that you don't fall prey to such cases is totally in your hands.  You need to be really careful not to disclose sensitive information to anyone, or on any web link you may receive claiming to be from a bank.

Please ensure that you verify the website address, as it would always have some altered information if it is from an imposter.  And most importantly - if you suspect that your information has been compromised, raise a red-flag complaint immediately with the bank.  Banks do provide you with all the required help to protect against fraudulent activity in your account.  In case you know that someone has gained your personal information and misused it, please lodge a written complaint with the bank before you head to the law enforcement agency.  A copy of the complaint raised with the bank always helps your case, and the banks then have to ensure that they cooperate in your case to get you rightful justice.

However, in the current technological era, the old sayings "Better to be safe than sorry" and "Precaution is cure" still hold true.  So take due precautions to not let someone defraud you... it's your information, and you have the right to refuse to share it...

Sunday, May 12, 2013

$45 Million Heist with Prepaid Card Duplication: Lessons Learned

In my previous post "$45 Million Heist with Prepaid Card Duplication", I had highlighted the questions that creep into our minds as general readers or followers of the news.  Those questions basically need to be dealt with or answered for a meaningful conclusion of the investigation.

However, from the risk management perspective and that of ongoing compliance enforcement, there are a few critical lessons to be learned if the GRC world watches this incident from that angle.

It was really amazing to learn the way these scammers came together and indulged in such a widespread scam, covering 27 countries as reported.  Here is the first lesson learned - 
  • Organize your move and collateral to ensure that risks are covered at all times.  This can be achieved only when you have a sound risk management framework to document all the possible risks and monitor them on an ongoing basis
Banking organizations across the 27 countries failed to identify the large chunk of withdrawals from their ATMs.  Here is the second lesson learned - 
  • Banks need to put in place a governing policy to monitor cash withdrawals from their ATMs.  They need to closely review the cash withdrawal pattern across the various ATMs they own.  This would help raise the red flag faster
Payment processors failed to maintain security measures in line with those required of banking organizations.  Here is the third lesson learned - 
  • Payment processors must deploy layered security to ensure that databases are always hosted in the most secure zone, and preferably protected by host-based IPS systems that would raise alarms on detecting anomalous behavior
Card networks failed to raise the alarm too, and instead delisted the payment processor that was breached.  This is certainly an act of washing one's own hands of the responsibility.  The fourth lesson learned here - 
  • Card networks need to ensure that they control the limits once defined.  Meaning, once a payment processor or bank has defined the transaction limit on a given prepaid card, it needs to be populated to the card network.  This should be a one-time, one-way update.  Generally a prepaid card user is not worried about the limits set on the card, as they use the card for a limited set of transactions only.  So if there is a change in the transaction limit from the payment processor or bank, the card network should override it.... (this may seem insensible to many, but would help avoid such heists in future)
The entire banking system across the reported 27 countries failed to detect the heist and report it.  Here is the fifth lesson learned - 
  • The banking system across the world would need to develop a governance mechanism to share daily chargeback reports and highlight the cases that seem alarming.  This would help the target banks react faster and help avoid such mass-scale heists
A few other lessons learned - 
  1. Payment processors and banks should ensure that they have transaction monitoring systems deployed specifically for prepaid cards, as with the changing of the guard on debit and credit cards, scammers would focus on less secure cards
  2. Payment processors and banks should develop systems to ensure that the risk management function is made responsible for reviewing the anomalous behavior noted in the transaction monitoring systems and received in the chargeback reports
  3. Information security mechanisms should be beefed up across all payment processors and payment networks to help thwart such attempts in future
  4. Though prepaid cards are not tied to any person in particular, and hence are not treated on par with other bank cards, it is critical that data protection regulations do cover these cards.  The PCI Council too must ensure that comprehensive steps are taken to this effect and bring prepaid cards under the scanner of PCI DSS.  They should also ensure that the applications used for the purpose are brought under the scanner of PA-DSS.
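Lessons 2, 4 and 5 above describe detective controls in words only; as an added example that is not part of the original post, this Python sketch runs them over constructed withdrawal records: the limit registered once with the card network overrides a later processor-side change, each ATM's cash-out in the window is compared against a constructed baseline, and a card cashed out in several countries is surfaced, which only a pooled view across banks would show. All card ids, ATM ids, amounts and baselines are made up.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Withdrawal:
    card: str
    atm: str
    country: str
    amount: int  # whole currency units

# Constructed sample data (not from the incident). The network recorded each
# card's limit once; the processor's copy of card-B was later raised.
NETWORK_LIMITS = {"card-A": 500, "card-B": 500}
PROCESSOR_LIMITS = {"card-A": 500, "card-B": 1_000_000}
ATM_DAILY_BASELINE = {"atm-1": 1000, "atm-2": 500, "atm-3": 500}  # usual cash-out per ATM
WITHDRAWALS = [
    Withdrawal("card-A", "atm-1", "US", 200),
    Withdrawal("card-B", "atm-1", "US", 2000),
    Withdrawal("card-B", "atm-2", "JP", 2000),
    Withdrawal("card-B", "atm-3", "RU", 2000),
]

def effective_limit(card, network_limits, processor_limits):
    """Lesson 4: the limit registered with the network wins over a later processor change."""
    return network_limits.get(card, processor_limits.get(card, 0))

def over_limit(withdrawals, network_limits, processor_limits):
    """Flag every withdrawal that pushes a card's running total past its effective limit."""
    totals = defaultdict(int)
    flagged = []
    for w in withdrawals:
        totals[w.card] += w.amount
        if totals[w.card] > effective_limit(w.card, network_limits, processor_limits):
            flagged.append(w)
    return flagged

def atm_spikes(withdrawals, baseline, factor=3):
    """Lesson 2: ATMs whose cash-out in this window exceeds `factor` times their baseline."""
    totals = defaultdict(int)
    for w in withdrawals:
        totals[w.atm] += w.amount
    return sorted(atm for atm, t in totals.items() if t > factor * baseline.get(atm, 0))

def multi_country_cards(withdrawals, min_countries=3):
    """Lesson 5: one card cashed out in several countries, visible only in a pooled view."""
    seen = defaultdict(set)
    for w in withdrawals:
        seen[w.card].add(w.country)
    return sorted(card for card, countries in seen.items() if len(countries) >= min_countries)
```

With the processor's raised limit alone (`over_limit(WITHDRAWALS, {}, PROCESSOR_LIMITS)`) nothing is flagged, which is the gap lesson 4 points at.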
------------------------------------------------------------------------------------------------------------

Thursday, March 28, 2013

Government unveils roadmap for use of new internet addresses

Quoted Article:

This is one of the most awaited changes that the government is now rolling out.  Though late in the race, it is still better late than never, as this would kick off the next level of development and lead to far-reaching results.  With this change, the reach of the Internet would be possible even in remote villages and towns, and would help establish a better governance framework.

A few out there might try to relate this to the various schemes and Yojanas run by the government, and ask how this change would impact the far-reaching results of those schemes.  What we need to understand is that rolling out IPv6 would help roll out more Internet kiosks across the villages and would enable the reach of information to remote areas.

There is also a great deal of benefit that can be derived by automating more post offices, and, as I read the other day, if the Postal Department modernizes and applies for a banking license, then you have a lot of things moving towards the betterment of rural areas :).  These post offices could also be used as cyber cafes with a minimal charge on surfing, in a "surf to learn and surf for information" sort of model.

Interestingly, if this change is coupled with a few other changes, like setting up cyber kiosks for children's education, it would be less costly to take education to villages.  Interactive classes can be set up for educating not just children but also illiterate adults.  The classes would increase the participation of children, who would be fascinated by the advancement of the technology and would love to attend school, as they would see themselves as part of a bigger class.

Another scheme that could make more impact would be information sharing with farmers through the cyber kiosks, which would help them learn about weather forecasts, farming techniques, usage of manure, the policies and procedures of loan facilities as well as the government-supported rates.  More advanced information would lead to more advanced farming and better productivity, boosting the agricultural sector.

These are just a few benefits that I see; there can be many more, and for that the strategists in the government need to rack their brains and think out of the box :)