DDOS Audit

In-Control, the magazine from the ISACA UAE Chapter
JULY - SEPTEMBER 2010, ISSUE 3 - VOL 1, 2010

INSIDE: Business Continuity Management | One Attack, I Got Admitted | Face to Face | Phishing
CONTENTS

AUDITING RESILIENCE OF CRITICAL INFRASTRUCTURE AGAINST DDOS - 6
FRAUD AND IT: POINTS FOR CONSIDERATION - 8
BUSINESS CONTINUITY MANAGEMENT - The BS 25999 approach - 11
SOLVING THE PUZZLE CALLED BUSINESS IMPACT ANALYSIS - 13
FACE TO FACE - Interview - 17
ONE ATTACK, I GOT ADMITTED - Experience - 22
PHISHING - The biggest threat to online transactions - 24
ISACA CHAMPIONS TROPHY - 29
WELCOME TO “IN-CONTROL”
Editorial

Welcome to the third issue of “In-Control” Magazine from the ISACA UAE Chapter. We are in the middle of the year and the chapter has already seen many interesting CPE sessions and an audit analytics workshop. The chapter is planning more exciting events, and our very own I-SAFE 10 (regional conference) is scheduled for October 2010. This year's I-SAFE theme is focused on “Corporate Challenges in managing Information Risk beyond 2010...”. The chapter is lining up a number of eminent speakers from various specialities for the I-SAFE conference, who will be sharing their experiences and guidance on managing information risks.

Our biggest asset is our members, and their encouragement is driving all of us on the board to bring more exciting events which are educational and provide an opportunity for our members to discuss and share experiences.

Our third issue has a battery of interesting articles such as Business Impact Analysis, Fraud & IT and a candid interview with Mr. Ahmed Al Mulla, Vice President, I.T., Dubai Aluminium Company. I request all our members to contribute to the magazine by sharing your experiences in the upcoming issues.

The “In-Control” editorial board invites you to provide your feedback regarding the magazine and its contents. We would love to hear from all of you so that we can better serve you and have the relevant contents/sections added in the next issue. Please email me at gurpreet_k@yahoo.com for any feedback.

Regards,
Gurpreet Kochar CISA, CISSP, CEH
Chief Editor & Membership Director

Chief Editor - GURPREET KOCHAR
Associate Editor - HARI PRASAD CHEDE

In-Control magazine is designed to provide UAE chapter members with information related to IT governance, audit & security. The opinions and viewpoints published in this magazine are not necessarily those of the ISACA UAE Chapter or its chapter officers. The editorial board and the chapter officers of the ISACA UAE Chapter do not take any responsibility or liability for any losses or damages incurred as a result of reliance on any information provided in this magazine. The editorial board takes care to ensure that articles are relevant and original but does not take any responsibility for any errors that may appear herein.

ISSUE 3 VOL 1 THE MAGAZINE FROM ISACA UAE CHAPTER www.isacauae.org Page 3
2010 CHAPTER BOARD MEMBERS

PRESIDENT
Bharat Raigangar, Country Head - Security & Fraud Risk, Royal Bank of Scotland NV, Dubai, UAE
Mob: +971-50-6229854 | Email: president@isacauae.org, raigangarbharat@yahoo.com

VICE PRESIDENT
Avinash Totade, Senior Manager - Internal Audit, Dubai Aluminium Company (DUBAL), Dubai, UAE
Mob: +971-50-6533852 | Email: vicepresident@isacauae.org, avinash.totade@gmail.com

DIRECTOR - PROGRAMS
Ashish Mahal, Senior Projects Officer, RAK Bank, PO Box 1531, Dubai, UAE
Mob: +971-50-7549908 | Email: ashishmahal@hotmail.com

DIRECTOR - MEMBERSHIP
Gurpreet Kochar, Manager - Information Systems Audit, Emirates Airline, Dubai, UAE
Email: gurpreet_k@yahoo.com

DIRECTOR - COMMUNICATIONS
Hari Prasad Chede, Senior IT Risk & Security Officer, Union National Bank, Abu Dhabi, UAE
Tel: +971-50-6841501 | Email: hchede@gmail.com

SECRETARY
Biju Nair, Head of Consumer & IT Audit, Noor Islamic Bank, Dubai, UAE
Mob: +971 55 2208512 | Email: secretary@isacauae.org, rsbiju@gmail.com

TREASURER
Vaishal Mehta, Assistant Manager, IS & BCM, RAK Bank, Dubai, UAE
Mob: +971507864839 | Email: vaishal@gmail.com

DIRECTOR - CERTIFICATIONS
R. K. Rao, Manager, ADNOC, Abu Dhabi, UAE
Mob: +971-50-5500864 | Email: raork123@eim.ae

DIRECTOR - ACADEMIC RELATIONS
Alok Tuteja, Head of IT Audit, Dubai Bank, Dubai, UAE
Mob: +971-50-3453890 | Email: aloktuteja@gmail.com

DIRECTOR - GOVERNMENT RELATIONS
Roshan Hamid, Senior Security Audit, Emirates Airlines, Dubai, UAE
Email: roshanhamid@gmail.com

DIRECTOR
Mustapha Huneyd, Senior Manager, Information Security & Biz Continuity, Etisalat, Abu Dhabi, UAE
Mob: +971506625859 | Email: mhbengal@live.com

DIRECTOR
Sayed Ahmed Al-Moosawi, Senior Auditor - IT Audit, Internal Audit, Dubai Bank, Dubai, UAE
Mob: +971-50-4559114 | Email: sayedalmoosawi@dubaibank.ae

IMMEDIATE PAST PRESIDENT
Nalin Wijetilleke, Manager - Business Continuity, RAK Bank, Dubai, UAE
Mob: +971-50-6598824 | Email: pastpresident@isacauae.org, nalindw2000@yahoo.com
President's Message

In this mass-transacting world, the word vision is not just limited to a mental blueprint of what is seen. Rather, it is the unseen, but it does not have to be all clear in the beginning. While every function has a statement of purpose, it is the ideal future state of the function that must guide the way. There is no longer any such thing as a static environment or a single possible solution; rather, there is the choice to take advantage of the selective ways to protect the business as well as the interests of the stakeholders and customers. To fully appreciate the convergence between them, IT changes are to be brought about hand in hand with the economic as well as the social changes in momentum. Just as the economy has shown a remarkable inclination to tolerate the global meltdown, in the background technology has played a pivotal role in building that immunity. Today business is not only about operations and customer retention. It is also about technology.

As we know, all organizations are subject to financial crime risks. Recently, Beijing police shut down a fake Automated Teller Machine (ATM) that was used to steal bank card information. Counterfeit card and cash scams have been reported for years, but counterfeit ATMs have added a new twist to an old scam. Regular techniques and controls for investigations, such as reliance on documentation, statements and non-digital evidence, are a thing of the past when dealing with a virtual explosion of frauds and growing scams. While paper may not form a big part of our daily routines anymore, information does. This is where deployment of IT Governance helps continual improvement of areas that are not inherently resilient, keeps the disaster kit ready and gives confidence that the security blanket provides optimal coverage.

It is imperative that technology and computer forensics are deployed and governed in a manner that is open, transparent and accountable for performance and results, while continually improving the value equation for organizational objectives. Our community and associated programs serve as a continual medium to promote IT Governance. Sometimes organizations have opportunities but they still incur losses. The pivotal idea behind spreading awareness around IT Governance is not to create panic but to enable it to be taken more seriously. Our theme this year is envisaged to uphold governance focused on “risk-return value” rather than just controls, managing risk and achieving objectives. IT Governance can be described as a broad-based movement towards the understanding and quantification of overall IT risks, taking the form of guidance and recommendations. Although investment in backup infrastructure and fallback procedures was difficult in the beginning, organizations have manifested both cost and performance benefits over time. While manual operations are increasingly becoming extinct, they still continue to be important. There are still great strides to be taken in the maturity level, and those organizations that truly believe in education and advancement of awareness will emerge to their potential and keep this ball rolling.

Thanks and Regards
Bharat Raigangar
AUDITING RESILIENCE OF CRITICAL INFRASTRUCTURE AGAINST DDOS: AN AUDITOR'S CHECKLIST
By Vinoth Sivasubramanian

Recently I had the opportunity to work with one of my friends who was called in by a big telecommunication and Internet service provider in India to check whether their systems and network were resilient enough to defend against DDOS attacks. I had the opportunity to help him in this regard and I wish to share this checklist with ISACA members. We approached this audit from the angles of people, process, technology and knowledge management.

An Auditor's Checklist

People, process and knowledge management:

1. Obtain the organization chart to see who is responsible for the various critical assets of the organization.
   a. Roles and responsibilities
   b. List of critical web services
2. Check whether they have gone through a background check.
   a. Employment verification
   b. Educational verification
3. Check whether they are properly trained in the latest technologies and tools.
   a. Training documents
   b. Knowledge management:
      i. How are they sharing their knowledge among their peers?
      ii. Does a mechanism exist to share their knowledge?
      iii. Is the above mechanism documented?
4. Check whether there is a proper security policy.
   a. IT security policies
   b. Check the version number and update date.
   c. Check whether they are regularly reviewed and updated.
   d. Verify that updates are made by the responsible personnel and go through a process of discussion.
   e. Cross-check with employees on a random basis to see whether they are aware of the security policies and procedures.
   f. Check whether there is an end point security management policy.
5. Change management procedures
   a. Check whether the organization has a documented roles and responsibilities chart for change management.
   b. Check the awareness of staff members of the change management policy.
   c. Check the documentation of emergency change management procedures.
6. Incident management procedures
   a. Check whether an incident management policy is in place.
   b. Review the documentation date and periodicity of update.
   c. Check whether focal points have been identified for incident management communication.
   d. Conduct mini quizzes using pointed questions with the help desk and other staff members to check their awareness of incident management.
7. Help desk management
   a. Are there clear roles and responsibilities identified for the help desk staff members?
   b. Are they trained in incident management and change management?
   c. Verify training documentation.
   d. Check their awareness levels.
8. Patch management policy
   a. Check whether the patch management policy goes through the change management mechanism.
   b. Does the patch management policy go through the CAB (Change Advisory Board)?
   c. How are emergency and critical patches installed? Verify that proper processes and procedures are in place for tracking and recording them.
   d. Check whether the organization has established procedures for release management of patches.
   e. Verify that they have a list of their critical assets that need to be patched.
   f. Check the log of patches applied to the assets to see whether they tally with the records and dates in change management and release management.
   g. Are owners, in-charges and team members identified, or is it a single person who takes care of all the patching?
9. Risk management of the change management and release management processes has to be documented.
   a. Verify that a proper process has been established to assess the impact of changes.
   b. Verify that a risk management program exists in the first place, with periodic reviews conducted at regular intervals.
   c. Are the patches being installed going through risk management?

Technological verifications:

10. Perform a vulnerability assessment to test the critical systems and networks against the latest threats and vulnerabilities.
   a. Test the critical applications against known and unknown vulnerabilities.
   b. Test the systems under purview for known process weaknesses and vulnerabilities.
   c. Verify that best practices are followed in line with leading industry standards such as NIST.
   d. Verify that software is developed in line with an SDLC (Software Development Life Cycle).
   e. Verify that software being developed goes through stress and penetration testing.
   f. Verify that a threat management system/team is in place to protect the software against known and unknown threats.
   g. Has software development been outsourced? If so, check that there is a stringent SLA with the developer, who has agreed to develop the application subject to the SDLC, follow proper change and release management processes, apply patches in line with organizational policy and comply with the organizational security policies and procedures.
11. Vendor management: check whether there is a stringent service level agreement with the vendor, who can respond immediately to block threats in case of an incident and restore normal operation as early as possible.

Overall, being resilient to DDOS attacks requires a multi-pronged approach, and as the frequency and complexity of these attacks increase, more trends will evolve over time and this checklist will improve.

Profile: Vinoth Sivasubramanian, ISACA Number 503366, is a certified CEH and ISO 27001 LA, and an information standards manager at UAE Exchange Centre LLC where he is responsible for the IT policies of the enterprise. Vinoth has six years of information security experience in telecommunications, finance and consulting. He is a founding member of ISSA UAE and can be reached at vinoth.sivasubramanian@gmail.com.

Simran Pal Singh, B-Tech I.T., CCNA, MCP certified, ISACA member, is a System Engineer at UAE Exchange Centre LLC focusing on security parameters and has 3 years' experience in IT infrastructure. He is a member of ISSA UK and can be reached at simranosahan@gmail.com.

Vignesh is Director of IT Audits in an audit firm providing information assurance services to big clients. He is CISSP/CISA certified.
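Checklist item 8f asks the auditor to tally the patch log against the change and release management records. The following is an added example of how that reconciliation can be scripted; it is not code from the article or from the audited provider. The record layouts, the asset names, the patch identifiers and the two-day grace period are all assumptions constructed for the example; in a real engagement the two inputs would be an export from the patch tool or CMDB and the CAB register.

```python
"""Reconcile installed patches against approved change/release records.

Added example for checklist item 8f. Not code from the article or the
audited organisation. Record layouts, sample assets, patch identifiers
and the grace period are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PatchEvent:
    asset: str
    patch_id: str
    installed: date


@dataclass(frozen=True)
class ChangeRecord:
    asset: str
    patch_id: str
    scheduled: date          # CAB-approved release date
    emergency: bool = False  # emergency change path (item 8c)


# Constructed sample data (hypothetical assets and patch identifiers).
PATCH_LOG = [
    PatchEvent("dns-edge-01", "KB-1001", date(2010, 6, 3)),
    PatchEvent("dns-edge-01", "KB-1002", date(2010, 6, 20)),   # no CAB record at all
    PatchEvent("web-lb-02",   "KB-1001", date(2010, 6, 15)),   # 12 days after release
    PatchEvent("web-lb-02",   "KB-1003", date(2010, 6, 4)),    # emergency patch, on time
]
CAB_REGISTER = [
    ChangeRecord("dns-edge-01", "KB-1001", date(2010, 6, 3)),
    ChangeRecord("web-lb-02",   "KB-1001", date(2010, 6, 3)),
    ChangeRecord("web-lb-02",   "KB-1003", date(2010, 6, 4), emergency=True),
    ChangeRecord("dns-edge-01", "KB-1003", date(2010, 6, 4), emergency=True),  # never applied
]

GRACE = timedelta(days=2)   # assumed tolerance between release date and install date


def reconcile_patches(patch_log, cab_register, grace=GRACE):
    """Return audit findings: category -> sorted list of (asset, patch_id)."""
    installed = {(p.asset, p.patch_id): p for p in patch_log}
    approved = {(c.asset, c.patch_id): c for c in cab_register}

    findings = {
        "unapproved": [],   # installed with no change record (bypassed CAB)
        "missing": [],      # approved and released but never installed
        "late": [],         # installed later than release date plus grace
        "early": [],        # installed before the CAB-approved date
    }
    for key, event in installed.items():
        change = approved.get(key)
        if change is None:
            findings["unapproved"].append(key)
        elif event.installed < change.scheduled:
            findings["early"].append(key)
        elif event.installed - change.scheduled > grace:
            findings["late"].append(key)
    for key in approved.keys() - installed.keys():
        findings["missing"].append(key)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in reconcile_patches(PATCH_LOG, CAB_REGISTER).items():
        for asset, patch in items:
            print(f"{category:10s} {asset:12s} {patch}")
```

Each category maps back to a question in the checklist: "unapproved" is a patch that bypassed the CAB (8a/8b), "missing" is a critical asset that was released for patching but never actually patched (8e), and "late"/"early" show whether release dates are being honoured (8d/8f). Run it over the real exports and take every non-empty category to the interview with the patch owners identified in 8g.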
FRAUD AND IT: POINTS FOR CONSIDERATION
By Santosh Noronha

“There are always people out there looking out to get around fraud measures.” – Betty Riess, Bank of America

Frauds are committed by innovative people on the lookout for loopholes within an organization's internal control system, who exploit these loopholes for personal benefit. There is no limit to the imagination of people trying to get the information needed to commit fraud. In most organizations, information technology plays a key role in aiding or dissuading an individual from committing an offence. This article does not focus on best practices to prevent such offences but rather on the red flags that one should look out for, because in my personal experience these red flags, though noticed, are often overlooked.

It should be noted that in most cases control failures do not happen because of an organization's unwillingness to adopt leading practice; rather, it is the ingenuity of a human being that circumvents the best-planned controls. This article is meant to assist readers entrusted with protecting information technology to spot these ingenious individuals or fraudsters and their schemes.

Red flags to watch out for are:

1. Fraudsters prefer to use their personal IT resources for official business. By doing so the fraudster has greater control over electronic evidence and can cover his tracks. One of the most common reasons for not being able to recover electronic data pertinent to a fraud event is that the perpetrator used his personal IT resources. It is common to hear that the suspect preferred to work on his personal laptop or used his personal email ID rather than the one issued by the company.

2. Use of generic user IDs – A variant of the above point is a fraudster who creates a generic user ID with super user access rights; in some cases this ID is shared with other employees in the organization.

3. Sharing of password credentials – Fraudsters generally prefer to share their email or application login credentials with a group of employees, thus making it difficult to establish who perpetrated the fraudulent transactions. Some people also have a habit of using a common password for all their login credentials, whether personal or official. If the password is compromised in one place, it could lead to grave consequences.

4. In a large organization, a very senior executive resigned and joined a competitor. The IT department did not disable this executive's email address as they were not informed about his resignation by the Human Resources Department. This executive kept receiving sensitive information about the organization through his email, which was part of the Management Committee's email group. The organization allowed remote email access through Microsoft webmail and he could access his emails remotely without much restriction. Substantial damage was done before this was detected.

5. Introducing new applications – Most high impact frauds are perpetrated by senior management personnel who are empowered to design controls. In these organizations fraudsters push to either introduce new applications or to “upgrade” existing applications. The business case for changing the application is generally vague. The result is that the organization is in a much worse situation with the new application than before and, more importantly, is unable to generate an audit trail for the transactions perpetrated by these individuals.

6. Credit cards – Organizations (merchants or issuing banks) fail to realize the sensitivity and importance of the card data that routinely passes through the organization. Further, in many organizations there are few validation checks while processing a credit card transaction, resulting in disputes and losses due to charge-backs. Although the credit card industry has collectively issued standards to improve credit card data security and is actively working towards enforcing them, the incidence of credit card fraud remains high.

7. Lose data when you lose human assets – In a fairly large organization, an employee who was informed that she was terminated accessed the shared folder and deleted all files, including the backup. In this organization the data and its backup were located in the same place. The organization did not think it appropriate to withdraw this employee's access before terminating her.

8. Use of ad hoc wireless networks – People using wireless Ethernet connect to the wireless network by attaching to a wireless Access Point (“AP”). This method offers reasonable protection if configured in “Infrastructure Mode”, with a MAC address filter and some level of encryption (a MAC filter on its own is easily defeated by address spoofing; the encryption and authentication carry the real weight). However, if the individual's machine is configured to communicate directly with other machines, also known as “Ad-Hoc” mode, then the connection may not be secure, as an “Ad-Hoc” network is a peer-to-peer configuration. The best place to find “Ad-Hoc” networks is the airport, where people waiting for their flights power up their laptops and use the waiting time to complete pending tasks. It is easy for anyone with a little know-how to connect to these networks and get access to the private or confidential data stored on these laptops, especially if strong authentication policies have not been put in place. Also, if you are compromised over a wireless network it is close to impossible to track down where the attack came from.

9. Physical access controls – Most physical breaches are low-tech rather than hi-tech. It is more likely that an intruder enters through an unlocked door than uses a sophisticated electronic device to crack the number keypad lock. Further, some organizations do not use identification badges or, even worse, do not ensure that the picture on the badge is a clear one. I have also noticed organizations where physical security restrictions within the premises are not enforced, allowing visitors unrestricted access once they have passed the main reception.

10. Internet security – The Internet is a vast array of loosely connected networks situated all over the world, easily accessible by individual computer hosts in a variety of ways. If you buy movie tickets online, you need to fill in and submit an electronic form which will presumably contain your name, address and credit card number. This data passes through a number of computers on its way to the movie ticket web server. It is possible for someone with the know-how to intercept this information unless the connection is encrypted end to end (for example with HTTPS). Emails and files transferred through unsecured FTP can also be intercepted.

As stated above, this article does not focus on leading practices in securing your information and systems. There are numerous articles and publications on IT best practices which can guide an organization on how to protect its information assets. This article is meant to raise awareness of the red flags to watch out for, as knowing what the risks are can help an organization manage these situations better.

Santosh Noronha is a Manager with Ernst & Young Dubai, working in the Fraud Investigation and Dispute Services practice. Opinions expressed in this article belong solely to the author, and do not necessarily represent the views of Ernst & Young. To comment on this article, feel free to email the author at santosh.noronha@ae.ey.com
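Red flags 2, 4 and 7 above all come down to the same gap: the directory does not know what HR knows. The following is an added example of a leaver and orphaned-account reconciliation that surfaces those cases; it is not code from the article or from any product. The two feeds, their field names and the sample records are constructed for the example; in practice the HR feed comes from the HR system and the account list from an AD/LDAP or application export.

```python
"""Leaver / orphaned-account reconciliation between HR and the directory.

Added example for red flags 2, 4 and 7 (generic superuser IDs, accounts
left enabled after a resignation, access not withdrawn before
termination). Not code from the article; feeds and sample data are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    status: str                 # "active" or "left"
    left_on: Optional[date]     # last working day, if left


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]        # HR emp_id, or None for a non-personal ID
    enabled: bool
    last_logon: Optional[date]
    privileged: bool = False    # super user / admin rights


# Constructed sample feeds.
HR = [
    HrRecord("E100", "active", None),
    HrRecord("E200", "left", date(2010, 5, 31)),   # the resigned executive (red flag 4)
    HrRecord("E300", "left", date(2010, 6, 10)),   # terminated employee (red flag 7)
]
DIRECTORY = [
    Account("a.active",   "E100", True,  date(2010, 6, 28)),
    Account("b.exec",     "E200", True,  date(2010, 6, 25)),               # still logging on
    Account("c.termd",    "E300", False, date(2010, 6, 10)),               # disabled on time
    Account("svc_admin",  None,   True,  date(2010, 6, 27), privileged=True),  # red flag 2
    Account("svc_backup", None,   True,  None),
]


def reconcile_accounts(hr, directory):
    """Return findings keyed by check name, each a sorted list of account names."""
    people = {h.emp_id: h for h in hr}
    findings = {
        "enabled_after_leaving": [],   # red flags 4 and 7: access not withdrawn
        "logon_after_leaving": [],     # evidence the gap was actually used
        "privileged_generic_id": [],   # red flag 2: enabled superuser with no owner
        "orphaned": [],                # any account with no HR owner
    }
    for acct in directory:
        person = people.get(acct.owner) if acct.owner else None
        if person is None:
            findings["orphaned"].append(acct.name)
            if acct.privileged and acct.enabled:
                findings["privileged_generic_id"].append(acct.name)
            continue
        if person.status == "left":
            if acct.enabled:
                findings["enabled_after_leaving"].append(acct.name)
            if acct.last_logon and acct.last_logon > person.left_on:
                findings["logon_after_leaving"].append(acct.name)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for check, names in reconcile_accounts(HR, DIRECTORY).items():
        print(f"{check:24s} {', '.join(names) or '-'}")
```

The "logon_after_leaving" list is the one to act on first: it is not a policy gap but a live use of access that should not exist, which is exactly the executive scenario in red flag 4. Scheduling this reconciliation daily removes the dependency on HR remembering to tell IT.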
Business Continuity Management: The BS 25999 approach
By Mustapha

Ensuring the survival of a business through various economic fluctuations has always been a challenge for management at the helm of organizations. However, recent events like the 9/11 WTC collapse and terrorist attacks, the Tsunami catastrophe and several other sociopolitical events have brought forth a new, more extreme challenge: that of ensuring the physical existence of the business and of the resources and information that are required to serve its customers.

• What is Business Continuity Management?
An organization must identify the critical products and services that must be delivered to ensure survival and to adhere to the legal and contractual obligations of the organization. A proactive planning process to ensure the above is called Business Continuity Planning.

• Business Continuity efforts in the past
Business Continuity Management has been around for several years in various forms. However, no standard was available for organizations to comply with. There have been various tools and guides, foremost among them the BSi-initiated PAS 56 guide. “PAS 56 Guide to Business Continuity Management describes the activities and outcomes involved in establishing a BCM process and provides recommendations for good practice. It provides a generic BCM framework for incident anticipation and response and describes evaluation techniques and criteria.” – BSi. Another guide to assist individuals involved in the BCM process was PAS 83. “PAS 83 is aimed at the person responsible for implementing, delivering and managing BCM within an organization (the BCM manager).” – BSi

• The BS 25999 approach
BS 25999 is the world's first standard for Business Continuity Management. It replaces the old PAS 56 specification and comprises two parts:
 Part 1, the Code of Practice, provides BCM best practice recommendations. This is a guidance document only.
 Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. This is the part of the standard that can be used to demonstrate compliance via an auditing and certification process.
(Definitions courtesy of British Standards: http://www.bsi-global.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/)

The Code of Practice (BS 25999-1) consists of:
o Section 1 - Scope and Applicability. This section defines the scope of the standard, clearly stating that it is a best practice guide for organizations.
o Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the standard.
o Section 3 - Overview of Business Continuity Management. It describes the overall process of BCM and its benefits to organizations.
o Section 4 - The Business Continuity Management Policy. Describes the requirement to create an unambiguous policy.
o Section 5 - BCM Programme Management. This segment defines an approach for BCM.
o Section 6 - Understanding the organization. In order to implement business continuity strategies and tactics, understanding the organization, its threats and risks and its overall risk appetite is very important.
o Section 7 - Determining BCM Strategies. Once the organization is understood, the overall business continuity strategies can be defined for the organization.
o Section 8 - Developing and implementing a BCM response. This segment details all aspects of rolling out the BCP and strategy.
o Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. It is essential to test and exercise the BCP, without which an organization would not be able to ascertain shortfalls in the plans.
o Section 10 - Embedding BCM into the organization's culture. Business continuity should not exist ONLY on paper, but must become a part of the organization's culture. This segment defines ways to achieve just that.

The Specification (BS 25999-2) consists of:
o Section 1 - Scope. Defines the scope of the standard.
o Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.
o Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is predicated on the Plan-Do-Check-Act model of continuous improvement. The first step is to plan the BCMS, establishing and embedding it within the organization.
o Section 4 - Implementing and Operating the BCMS (DO), i.e. implement the plans. This section encompasses four sections of Part 1: understand the organization, determine BC strategy, develop and implement a BCM response and finally exercise/maintenance/review.
o Section 5 - Monitoring and Reviewing the BCMS (CHECK), i.e. ensure that the BCMS is continually monitored; it covers internal audit and management review of the BCMS.
o Section 6 - Maintaining and Improving the BCMS (ACT), i.e. ensure that the BCMS is appropriately maintained and improved and that corrective actions are taken.

The adoption of an effective BCM process within an organization will have immense and far-reaching benefits. Apart from the straightforward benefits of a BCMS, like enabling mission critical activities to recover from an incident, there are other intrinsic benefits:
o It assists in reducing the organization's risk exposure, as the BCM will require carrying out a risk analysis and ascertaining appropriate controls to mitigate those risks.
o It also helps organizations meet legal and compliance obligations and achieve organizational efficiency.
o It can help protect shareholder value as risk exposure is reduced.

In today's competitive business environment and highly volatile socio-economic scenario, a BCMS is no longer a luxury, but an essential function for any organization.

References and further reading:
o http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030078064
o http://www.bsi-global.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/Benefits/
o http://www.etpconsulting.co.uk/Learn-Business-Continuity/business_benefits.htm
o http://www.thebci.org/gpg.htm
o http://www.thebci.org/standards.htm

Mustapha currently works with the Etisalat Network & Information Security Development section as Manager, Information Security Management, looking after Enterprise and Business units, working on infrastructure and service security, security research and policies in addition to managing ISMS projects within Etisalat. He has more than 9 years of information security experience, including stints with the Ministry of Information, Saudi Arabia, and Softcell Technologies (India) prior to joining Etisalat.
  13. 13. S IM PACT ES USIN L LED B ING LE CA E SETT E PUZZ IS TH m mania G TH NALYS Subra N ar R OLVI veshw A By Vis S Business Impact Analysis (BIA) is a vital cog in any business function in one company which is rated as organization’s Business Continuity Plan (BCP). BIA is very critical may not even exist in another. In such a different from other stages of BCP. In BIA we would complex scenario, it is of paramount importance to assume a hypothetical situation of an organization being tailor-stitch the approach to suit the organization. affected by a disruption and consider the repercussions from a holistic point of view. Answer to the question The ideal BIA should answer to the question “How long “What Should I recover and how quickly should I can a process wait before it creates an impact to an recover” are determined solely on the results of BIA organization?” Adopting the famous cliché “Disasters process. The parameterisation and methodology used occurs in different shapes and sizes”, it makes us in BIA is by far the single most important factor when it wonder what type of time scale or magnification comes to successful business continuity operations. should be adopted to determine our proposed disaster scenario. Even though BIA is universally considered as ‘a part’ One method of dealing with this uncertainty is to split of the BCP process, carrying out BIA as an isolated up the aftermath of a disaster into two components exercise could also prove beneficial to the organization. and they in turn should drive the analysis. The two This article discusses three different aspects of BIA: components are: Effects of Disruption and Impacts of methodology to conduct a successful BIA, arguing Disruption. the case for BIA as an isolated exercise and how to maintain BIA project lifecycle. 1. Effect of Disruption: When a disruption occurs, it may result in a loss of BIA – The science behind it some tangible item. 
The recovery priority and the budget that will be allocated for putting contingency measures in place are determined by the results of the BIA. Interestingly, and rightly so, there is no fixed structure that could be followed for a BIA. A BIA is like assembling the pieces of a puzzle on a board that has no boundaries. There is no "one size fits all" solution for BIA. A particular

The losses lead to non-availability of resources, which in turn may lead to the non-functioning of a process, and this in turn may cause an impact to the organization.

A disruptive event may lead to one or more of the following: unavailability or loss of key personnel, physical assets, information assets and facilities. In effect, we are asking the question "Can the function be carried out if these key resources are unavailable due to disruption?"

ISSUE 3 VOL 1 THE MAGAZINE FROM ISACA UAE CHAPTER www.isacauae.org Page 13

Quantifying and summing up the effect of disruption for a particular business function will help us understand the dependence of the function on key resources. For instance, a function which requires a person with a specific skill set may have a higher effect value than a function that can be carried out by personnel with normal requirements.

The ultimate aim of carrying out a BIA is to identify the maximum tolerable downtime for a business function. It is important that we appreciate a function based on the impact it has on the organization, and take into consideration the scenario of not having the key resources to carry out that particular function due to a disruptive event.

2. Impact of Disruption

The impact on an organization when a function is disrupted is calculated based on one or more of the following factors: financial impact, operational impact, legal or regulatory implications, impact on internal or external employees, and impact on vendors and suppliers.

For each applicable impact, a value can be assigned depending on the severity of the impact. This "value" is subjective; it cannot be produced by a mathematical calculation. It is imperative that we involve business process owners during this exercise, as they have a better understanding of their business.

Coming back to business functions, it is important to keep the granularity to a minimum, as going down to a process-level approach may complicate the scenario.

The linkage – BIA and Recovery Priority

Another contentious issue is how to translate the numerical value of impact into approved recovery time limits. If the impacts and effects calculated translated directly into the Maximum Tolerable Downtime, our jobs would be easier.

One way of assigning maximum tolerable downtime to the processes is by categorizing the functions as business critical, enablers, important processes and "can wait" processes, based on the effect and impact attributes. A time bucket can then be created for each of the above categories.

So what are the time buckets? A shorter recovery time means more financial commitment and more work load. The analysis that we have carried out for the effects and impacts of disruption should be comprehensive and self-explanatory enough to convince top management of the need for any additional budget support. One important consideration when projecting the accepted downtime for a function is for us to see the bigger picture of the organization and not isolated departments. The recovery priority should be one single sheet which contains all the functions, sorted in chronological order of recovery.

BIA – an isolated exercise

The success of a BIA exercise depends on how well we understand the business of the organization. It is the one stage where the process owners sit across the table and discuss the intricacies of business operations with the BCP team. A functional analysis of the department is carried out, and this can give us real insight into what is happening within the organization.

There may be processes that exist in documentation but are no longer carried out. At the same time there might be processes that are being carried out for which no documentation exists. These gaps can be filled during the course of a BIA exercise.

As processes are carried out on a day-to-day basis, we may never realise that we depend on something so heavily that we tend to take it for granted. For instance, a manufacturing company might not even consider its regular raw-materials supplier as a key resource, because it deals with that company every day. A BIA exercise can help the organization appreciate the importance of such dependencies.

BIA – Lifecycle

A BIA is not a one-off activity. Almost all business continuity plans have provision for testing the recovery strategies. Drills are conducted to test the emergency response, and live tests are conducted to ascertain whether the recovery strategies can be executed within the specified time limit. Maintenance activities are carried out on a periodic basis to ensure that the right personnel are available to carry out their respective roles in the BCP. We may even carry out a checklist-guided risk assessment.

BIA results affect the recovery strategies. The impact of a business function on an organization might change over a period of time; for example, a process which was once the most critical and the first to be recovered because of its financial returns may no longer give the same returns to the organization. In such a scenario, do we need the same recovery strategy for that process? If the BIA is not current, we may end up spending money on maintaining backup strategies for a process that no longer exists!

Another important factor is new regulatory requirements affecting the organization. Suddenly there may be a process within the legal department which cannot be disrupted.

There should be enough appreciation of BIA within the organization. It should be ensured that any new functions that are introduced are analyzed and brought under the purview of the BIA.
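Bringing a function under the purview of the BIA means scoring it and placing it on the single recovery priority sheet. The quantify, sum, categorise and time-bucket steps described earlier, together with the regulatory "cannot be disrupted" case, are shown below as an added worked example written for this page; it is not the author's method or tooling. The function names, impact values, effect values, category thresholds and MTD hours are all assumed for illustration, and the impact values themselves remain the subjective judgement of the process owners.

```python
"""BIA scoring sheet: impact values per function are summed, mapped to a
category and its time bucket (maximum tolerable downtime), and emitted as
one organisation-wide recovery priority sheet sorted in recovery order.
Added example; the functions, values and thresholds are constructed for
illustration and are not from the article."""
from dataclasses import dataclass

# The five impact factors named in the article. Each is scored 0 (none) to 5
# (severe) by the process owner; the values are subjective by design.
IMPACT_FACTORS = ("financial", "operational", "legal_regulatory",
                  "employees", "vendors_suppliers")
MAX_VALUE = 5

# Category thresholds on the summed impact score, and the time bucket
# (assumed MTD in hours) given to every function in that category.
CATEGORIES = (   # (minimum summed score, category name, MTD hours)
    (18, "business critical", 4),
    (12, "enabler", 24),
    (6, "important", 72),
    (0, "can wait", 168),
)


@dataclass
class BusinessFunction:
    name: str
    department: str
    impact: dict        # factor name -> 0..5, agreed with the process owner
    effect: int         # 1..5: how badly the function degrades without its key resources

    def score(self) -> int:
        """Summed impact across the applicable factors (unscored factors count as 0)."""
        return sum(self.impact.get(f, 0) for f in IMPACT_FACTORS)

    def validate(self) -> None:
        """Reject values outside the agreed scale before they distort the sheet."""
        for factor, value in self.impact.items():
            if factor not in IMPACT_FACTORS:
                raise ValueError(f"{self.name}: unknown impact factor {factor!r}")
            if not 0 <= value <= MAX_VALUE:
                raise ValueError(f"{self.name}: {factor} must be 0..{MAX_VALUE}, got {value}")
        if not 1 <= self.effect <= MAX_VALUE:
            raise ValueError(f"{self.name}: effect must be 1..{MAX_VALUE}")


def categorise(fn: BusinessFunction):
    """Map a function to (category, MTD hours). A maximal legal/regulatory
    impact forces 'business critical' regardless of the total: the article's
    'process within the legal department which cannot be disrupted' case
    (assumed override rule)."""
    if fn.impact.get("legal_regulatory", 0) >= MAX_VALUE:
        return CATEGORIES[0][1], CATEGORIES[0][2]
    for minimum, name, mtd in CATEGORIES:
        if fn.score() >= minimum:
            return name, mtd
    raise AssertionError("unreachable: last threshold is 0")


def priority_sheet(functions):
    """One sheet for the whole organisation (not per department), sorted by
    the order in which functions must be recovered: shortest MTD first, then
    higher impact score, then higher effect value."""
    rows = []
    for fn in functions:
        fn.validate()
        category, mtd = categorise(fn)
        rows.append({"function": fn.name, "department": fn.department,
                     "score": fn.score(), "effect": fn.effect,
                     "category": category, "mtd_hours": mtd})
    rows.sort(key=lambda r: (r["mtd_hours"], -r["score"], -r["effect"], r["function"]))
    for order, row in enumerate(rows, start=1):
        row["recovery_order"] = order
    return rows


# Constructed sample input: five functions across five departments.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Payment processing", "Treasury",
        {"financial": 5, "operational": 5, "legal_regulatory": 4, "employees": 2, "vendors_suppliers": 3}, 4),
    BusinessFunction("Statutory reporting", "Legal",
        {"financial": 1, "operational": 1, "legal_regulatory": 5}, 3),
    BusinessFunction("Raw material procurement", "Supply Chain",
        {"financial": 3, "operational": 4, "legal_regulatory": 1, "employees": 1, "vendors_suppliers": 5}, 5),
    BusinessFunction("Customer help desk", "Operations",
        {"financial": 2, "operational": 3, "employees": 2, "vendors_suppliers": 1}, 2),
    BusinessFunction("Internal newsletter", "HR",
        {"operational": 1, "employees": 1}, 1),
]

if __name__ == "__main__":
    for row in priority_sheet(SAMPLE_FUNCTIONS):
        print(f'{row["recovery_order"]:>2}. {row["function"]:<26} {row["department"]:<13} '
              f'score={row["score"]:>2} effect={row["effect"]} {row["category"]:<18} MTD={row["mtd_hours"]}h')
```

On the sample, statutory reporting scores only 7 but lands in the 4-hour bucket because of the regulatory override, ahead of procurement with twice the score; that is the kind of result the sheet should make visible to management rather than bury in departmental lists.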
The BIA needs to be revisited on a periodic basis. The period of repetition has to be decided by the organization. Carrying out a BIA on a yearly basis may keep functions and their impacts concurrently matched. However, such a strategy may require moving processes up and down the priority ladder and hence making major changes to the recovery strategies. Carrying out a BIA whenever there is a change in the business environment can be another option. Business directives, regulatory requirements, market expansion, or the launch of new products or services may serve as triggers for carrying out a BIA.

Visveshwar R Subramaniam B.E, CCNP, MCSA, MCTS, is an Information Security Consultant working with Baker Tilly MKM, UAE. He was involved in the development of Business Continuity Plans for clients in the ITES, Banking and Logistics sectors. ISACA membership no: 629325
CALL FOR ARTICLES FOR ISACA UAE MAGAZINE

Submission deadline for the next issue is OCT 30, 2010. Email your articles to the Associate Editor at: hchede@gmail.com
Interview with Mr. Ahmad M. Mulla

I.T. GOVERNANCE: TAKING IT FROM THE TOP

Mr. Ahmad M. Almulla has extensive experience in the field of I.T. spanning over 20 years. He started his career as a Programmer in 1988 at Dubai Aluminium Company Limited and since then has worked in all areas of the Information Technology department, such as Application Development, Information Security, Architecture Design and Networking, Process Control, etc., and is currently Vice President, Information Technology of Dubai Aluminium Company Limited (DUBAL). He is also a member of the Executive Management Committee in DUBAL. He holds a Bachelor of Science in Computer Engineering from The University of Arizona and a Master of Business Administration (MBA) from the University of New England, Australia. Additionally, he has completed the "Program for Executive Development" at the International Institute for Management Development (IMD).

Yatri Jerajani (Senior Project Leader – I.T. Governance) and Saptorshi Datta (Senior Information Systems Auditor) at Dubai Aluminium Company Limited (DUBAL) spoke to Ahmad M. Almulla, Vice President, I.T., Dubai Aluminium Company Limited, to know his views on I.T. Governance. Following is the transcript of the interview.

Saptorshi: Good morning, Ahmad. We wish to speak on "I.T. Governance", which we all know is one of your favourite topics and very close to your heart. Can you please tell us, what is Governance all about?

Ahmad: A very good morning, guys. Yes, you are very much right in saying that I.T. Governance is very close to my heart and is a matter of prime importance in today's business scenario, irrespective of the nature of the business. Now let me explain what governance is. Governance is the policies, roles, responsibilities and processes that you establish in an enterprise to guide, direct and control the activities and processes to accomplish business goals. Every organization has unique needs and goals that will affect its approach to governance. Good governance will result in the achievement of business goals and is in line with all applicable laws, regulations and ethics.

Saptorshi: Ahmad, we have seen people getting confused between Corporate Governance and I.T. Governance. What are your views, and also tell us why people give so much importance to I.T. Governance these days?

Ahmad: Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a corporation. Corporate governance also includes the relationships among the many players involved (the stakeholders) and the corporate goals. The principal players include the shareholders, management and the board of directors; other stakeholders include employees, suppliers, customers, banks and other lenders, regulators, the environment and the community at large.

Information Technology Governance is a subset discipline of Corporate Governance focused on Information Technology (I.T.) systems and their performance and risk management. It deals primarily with the connection between business focus and I.T. management of an organization. We all know that I.T. Governance is defined by the I.T. Governance Institute as "... the leadership and organizational structures and processes that ensure that the organization's I.T. sustains and extends the organization's strategies and objectives."

People nowadays give so much importance to I.T. Governance as I.T. has now spread into all the units of a business, and in today's world we cannot think about businesses surviving without I.T. An organisation without I.T. governance is reactive, unable to plan, acquire or develop the correct skills or understand priorities and meet the business objectives. For example, without a structured process, all projects are number-one priorities. With budgets being cut for I.T., it is difficult to know where to focus. I.T. governance processes allow I.T. to understand and manage I.T.-enabled business change. The business determines priorities and defines investments, allowing I.T. to identify its staffing and infrastructure requirements and make investments in the correct skill sets, training and hardware at the correct time, ensuring value to the organization.

Saptorshi: Have you implemented I.T. Governance in DUBAL?

Ahmad: Yes, DUBAL has implemented I.T. Governance. This has been done by having an internally defined framework for I.T. governance. Please have a look at this diagram, which will help you to understand how we have implemented it in DUBAL. This framework is also reviewed regularly and updated should we feel changes are required.
Yatri: Hi Ahmad. I was listening to the conversation and waiting to ask your opinion regarding the primary goals for implementing I.T. Governance.

Ahmad: Yatri, I was expecting such a question from you. We implemented I.T. Governance in DUBAL to achieve the following:
• Align I.T. strategy with the business strategy
• Assure management that the investments in I.T. generate business value
• I.T.-related risks are managed appropriately
• Management of I.T. resources
• Measuring the performance of I.T.

This is performed in DUBAL by way of measuring the KPIs using a Balanced Scorecard (BSC). The BSC has been implemented organisation-wide, including I.T., which is contributing to the organisational Vision, Mission, Strategy and Goals.

Saptorshi: We hear about many I.T. frameworks. Did you follow any existing available I.T. Governance framework?

Ahmad: While we reviewed the various frameworks available for I.T., like COBIT, ITIL, etc., we did not directly take them as our I.T. governance framework but tailored them to our requirements and implemented our own framework.

Yatri: It is very remarkable that you have not adopted any framework but tailored them as per DUBAL's requirements. Can you please tell us how and when you started your journey? What was the approach adopted, and where are you now?

Ahmad: We started our journey in this direction way back in 2006 by defining a formal I.T. strategy in line with the vision set forth by our company management. The I.T. Strategy set the objectives with focused activities such as:
a. Reinforce Customer Orientation
b. Restructure I.T.
c. Transform Infrastructure
d. Sustain Operational Excellence
e. Develop & Implement Outsourcing Strategy

This required a restructuring of the I.T. organisation and the creation of a dedicated department for I.T. Governance which would directly report to me, thus ensuring an independent, unbiased view of how I.T. is performing. In 2007 we created our own I.T. Governance Framework and implemented this as our I.T. Balanced Scorecard, which contributed to the Corporate Balanced Scorecard. We also did a benchmarking against COBIT, ITIL and ISO 20000 to check where we stood as per the international best practices, frameworks and standards.
In 2008 we set up the I.T. Governance Committee and redefined all the I.T. processes in line with ITIL and the requirements of ISO 20000-1:2005. In 2009 we got certified to ISO 20000-1:2005. Presently we continue to learn, and based on our learnings we continue to enhance and integrate our performance statistics.

Saptorshi: Ahmad, I am very curious to know how long it took to implement the I.T. Governance framework.

Ahmad: It took us about 4 years to reach where we are today, and we continue to learn by consistently planning, implementing, following, reviewing, measuring and correcting our efforts using a continuous-improvement methodology by way of a PDCA (Deming's) cycle based approach, as advocated by most of the frameworks and standards available today.

Yatri: Ahmad, do you require consultancy services to implement I.T. Governance? Did you seek any external expertise in implementing the I.T. governance framework?

Ahmad: For specific initiatives like the implementation of ISMS and ITSM in DUBAL we did seek the help of external expertise, but there was no specific external expertise sought to implement the I.T. governance framework at DUBAL.

Saptorshi: As you said, you have a dedicated I.T. Governance department in DUBAL, and this department was formed after you took over as CIO. What exactly is the function of the department?

Ahmad: Yes, you are correct; the department came into existence in 2006 when we defined our I.T. strategy in line with the corporate strategy. This department directly reports to me, and it ensures and provides assurance that I.T.'s contribution is in line with our annual objectives (which are aligned with our business requirements) by defining, guiding, supporting, measuring and validating the adequacy and effectiveness of the processes of Information Technology. The I.T. governance section looks after:
• I.T. Strategy / Strategic Objectives Implementation
• Project Management Office (PMO)
• I.T. Balanced Scorecard (BSC) / I.T. KPI Reporting
• I.T. Documentation & Quality Assurance
• Annual Maintenance Contracts
• I.T. Audits
• Information Security Management System (ISMS)
• I.T. Service Management System (ITSM)
• Annual CAPEX, OPEX & Man Power Planning
• I.T. Customer Survey
• Training Programs, etc.

Yatri: As an I.T. professional, I know that there are a lot of hardships faced in implementing something new. Can you please share with us the typical challenges faced during implementation?

Ahmad: Yes, Yatri, like any other I.T. project, we also faced challenges. I can share with you a number of challenges that we faced during the project, but the biggest challenge I see that we had, and very admirably addressed, was cultural change management. They are as follows:
• Resistance to change
• Keeping expectations at a realistic level
• Implementing newly developed processes, policies and procedures
• Identifying, measuring and managing appropriate KPIs
• Meeting project deadlines amidst other operational involvement
• Striking an optimum balance between business needs, cost and resource availability

Saptorshi: We would all like to know what the key success factors were which contributed to your implementation of I.T. Governance.

Ahmad: We faced quite a few challenges, and some of the important ones are:
• Sustaining management support and commitment
• Making sure we know:
  - Where we are (e.g. gap assessment / benchmark)
  - Where we want to go (scope, maturity)
  - How to get there (initiating the project / allocating resources)
  - How we know whether we got there (e.g. KPIs, certification)
• Awareness and training
• Cultural change management
• Resource commitment

Saptorshi: What are the benefits you have seen, having implemented I.T. Governance?

Ahmad: Saptorshi, please look at the table here (given below) as to how I.T.'s performance has improved over a period of time. As we have matured, over a period of time, the table below shows how we have not only improved on the KPIs that we were measuring but also introduced new KPIs.

MEASURES                                          2006          2007          2008          2009
CAPEX Expenditure                                 66.51%        83.57%        72.68%        72.66%
OPEX Expenditure                                  81.36%        102.29%       100.50%       88.01%
Customer Satisfaction                             Not measured  92.00%        93.00%        94.00%
Quality of Service Provided                       Not measured  Not measured  Not measured  90.24%
Quality of Projects Delivered                     Not measured  Not measured  Not measured  87.48%
Delivery of Projects within Time                  84.80%        92.18%        94.78%        94.94%
Availability of I.T. Services                     99.90%        99.71%        99.44%        99.80%
Progress of Risk Treatment                        Not measured  Not measured  Not measured  89.70%
Retention, Attraction and Development of Skills   Not measured  72.67%        93.90%        94.11%

Over and above this, it has helped DUBAL in recent years to win the following awards (specifically from an I.T. perspective):
• I.T. Governance Assurance Forum Award 2006
• ACN Arab Technology Award 2007
• CIO 20 Middle East 2008
• ACN Arab Technology Award 2008
• Excellence in Information Integrity Awards – Gold Award (For-Profit) 2008
• I.T. Governance Assurance Forum Award 2008
• Oracle BI / EPM Excellence Award 2009
• CIO Top 10 ME Award 2009

This has also helped DUBAL in getting certified, and continuing certification, to the various standards as given here:
• ISO 9001:2000: Quality Management Systems
• ISO/TS 16949:2002: QMS for Automotive Production & Relevant Service Part Organizations
• ISO 14001: Environmental Management Systems
• OHSAS 18001: Occupational Health & Safety Management Systems
• ISO/IEC 27001:2005: Information Security Management System
• ISO/IEC 20000-1:2005: Information Technology Service Management

Yatri: Ahmad, before we end this interview, could you please tell us how you continue to ensure that your I.T. governance activities are aligned to the business?

Ahmad: Every year, in line with the corporate vision set forth, all the business units of DUBAL (including I.T.) define their strategic objectives and measure them throughout the year. The I.T. Strategy and the yearly strategic objectives are reviewed at the start of the year to check their alignment to the Corporate Strategy and Corporate Strategic Objectives. Subsequently, the Corporate Objectives at the corporate level and the I.T. objectives at the I.T. level are reviewed through review meetings conducted bi-annually, where the progress reports for all initiatives are reviewed. Over and above this, I.T. Strategy related audits are conducted regularly.

Saptorshi and Yatri: Thank you, Ahmad, for sharing your views on I.T. governance with us. We appreciate you taking some time off from your busy schedule and giving us your invaluable time to chat and inform us on this extremely important topic, and one of your favourites, I.T. Governance. We are sure ISACA UAE Chapter members will find these views very useful and inspiring.
CGEIT Exam Boot Camp

For more details please contact Mr. Hariprasad Chede on 050-6841501 or email: hchede@gmail.com
ONE ATTACK, I GOT ADMITTED
By Joysree Chatterjee

Don't be scared, it's not a heart attack, but yes, it was an attack, because of which I took an interest in the protection of information systems and got enrolled for CISA. Every morning I report to a person who is CISA qualified; my boss is CISA qualified, and his name has fewer letters than his degrees. Whenever I speak of increments he asks me for a professional degree, any degree which will help to protect the information assets. I used to grumble that he was not interested in giving me a salary hike, but yes, he always had the same idea, that I should achieve a degree. He told me, "You are still young, and can appear for professional degrees," but at that point of time I was running in my late 20s and I was always in a dilemma: being a married lady, how could I devote time to studies? Every day he used to remind me, asking when I would register myself for CISA, but I didn't give importance to that. I used to grumble that he was not ready to pay an increment but was after me to waste my money. The argument was still on...

After a few days, one incident changed my views. I was excited to chat with my friends and I found my mailbox empty; it was without a single mail, none of the old mails were there, and all my public chat boxes were without any messages or scraps. I discussed it with my friends. I was simply shaken, because I had heard about hacking but had never faced it. I was very upset that all my favourite mails were no more in my mailbox; my father, who is no more in this world, I lost his mails also. Many of my important bank account numbers and statements were saved in my mailbox, and then I felt the importance of security. I had to stop all my bank transactions for a few days, because I used to store my PIN numbers in my mailbox. I was very much dependent on my mailbox. In short, you can say that it was not only a financial loss but also an emotional loss. I was staying in an apartment without a lock, which I realized the day my mailbox was attacked by a hacker.

Luckily or incidentally it happened to me, so I could feel how bad we feel when we lose all our assets. Yes, it was not a regular asset; it was all my information assets. I was unable to sleep for the entire night. The next day I came to the office, and the first activity I did that day was to finally register with ISACA. It was good; better late than never, I understood the importance of the Protection of Information Assets. What I feel is that awareness is still very low. The young generation is addicted to mailboxes and all these chat rooms, so the generation should be well aware of the protection of all types of assets used by them on a daily basis. Some children share their parents' laptop, BlackBerry, PC or any other source through which a lot of data can be leaked, but not only the children, the parents too are not at all bothered.

When we invest money somewhere we think to extract the most out of it, to utilize the whole amount invested. The same thing I did: I started attending all the seminars conducted by the ISACA UAE Chapter. My interest grew more when I went to all those seminars conducted by the UAE Chapter. Believe me, friends, registration is not the end for CISA; attending all these events will open up many views which we are not at all aware of. I really liked a seminar which was on business disaster and recovery. Business continuity planning (BCP) and contingency planning in support of operations are elements of an internal control system established to manage availability and restore critical processes in the event of an interruption. The most important part of such a plan deals with the cost-effective support of the information system. The ultimate goal of the process is to be able to respond to incidents that may impact people, operations and the ability to deliver goods and services to the marketplace.

My organization is implementing ERP, so I am very busy, but I decided to join the classes so that I can at least understand what CISA is all about. The CISA classes are like chocolate sauce topping on a delicious ice cream. Till now I have attended 3 classes. Believe me, dear friends, once you meet all the persons who are already qualified you get a boost to study further. The same happened with me: once I reach the class and see that age is no bar here, I feel so happy. I always used to regret having started late, but after meeting my classmates in the UAE Chapter I feel that I am not late. Thanks to the hacker who hacked all my mails, and of course to my boss, who has promised me better stability after I achieve my CISA degree.

Nowadays we are so dependent on systems. I don't remember when I last went to a ticket counter to purchase movie tickets; I don't remember when I last paid my utility bills in cash. Everything that I do, or rather that we do, is now online payments, so we should really be very much aware of all these facts. When we spend a single penny from our pocket we are always careful, so now it is time to think from our owners' or management's point of view about how we can protect the assets, which will be a profit to the entire society.

Now my interest towards CISA is 100%. I am not concerned about the degrees, but yes, all this awareness will give me the proper angle to give my best to my organization. Getting enrolled and understanding the importance of the CISA degree was simply an affair, but joining the CISA classes declares that I am finally married.

The roles of Information Systems auditors are becoming very significant, so CISA certification will benefit not only the candidates but also the management. People gathering knowledge can give their best to the management. Safeguarding assets, maintaining integrity and consuming resources efficiently should be the aim of an IS Auditor. The expectations from auditors are high across the globe; they represent higher management, so they should follow the best practices. Most organizations are dependent on information systems, and each and every transaction is processed online, so the management wants assurance from the auditors that they will take care of the organization and understand the business.

Ever since I decided to appear for CISA I have really benefited. I am aware of the best practices followed not only in the country where I stay now but also the best practices followed and accepted globally. I am aware of the role of Information Technology in achieving sustained regulatory compliance. If we can work in a team we can provide a reliable IT processing environment. I am working in the Internal Audit department, which, linked up with my professional degree, will allow me to perform at my best for my present organization. We stop studying after our college days, but nowadays we should really be aware of all the facts, which will come automatically if we attend all the seminars and lectures by qualified people or go through the study magazines.

I always dreamt of working in the police or CID department, but my parents and my brothers didn't allow me, being the one and only pampered girl member; they used to think, how can I fight or face criminals? But now I am sure that my dream will come true very soon. I will love to face the cyber criminals, for which I don't have to fight physically, but yes, mentally. In the near future I would wish to work as a private detective and investigator to reduce crime related to information systems, but till then I will give my best for my present company and assure the management that their information systems and assets are all protected.

Joysree Chatterjee
0554941020
PHISHING – THE BIGGEST THREAT TO ONLINE TRANSACTIONS?
By Biju Nair

Background

Frauds using the Internet and other electronic media have been on the increase ever since the popularity of the Internet spread beyond the research laboratories. While critical transactions over the Internet like online shopping, online banking and online trading gathered momentum, so did online frauds, and we started calling them e-crimes. In a March 2010 report published by the UK Payments Authority, online losses were reported at 59.7 million pounds for 2008-2009, which is a 14% increase compared to the previous reporting period. This is in contrast to the trends shown in other areas of card fraud, which showed a decreasing trend during the corresponding period. Phishing, coupled with the distribution of Trojans through phishing emails and fake websites, has become the most widespread form of e-crime at present.

Phishing, as a form of financial crime, has come a long way since the technique was first described in the technical literature in 1987 and the term "phishing" was first recorded in 1996. Now vishing, pharming, spear phishing, whaling and typo phishing have evolved from the traditional "phishing". Phishing, in its simplest definition, is a "criminal mechanism employing both social engineering and technical ploys to steal consumers' personal identity data and financial account credentials."

The Current Trends

The most recent survey report (May 2010) on phishing from Antiphishing.org has revealed the following disturbing trends in phishing:
• The Avalanche phishing gang was responsible for two-thirds of all phishing attacks launched in the second half of 2009.
• More brands were under attack than ever before, hitting a record high in Q4 2009.
• Financial Services (39%) and Payment Services (33%) continue to be the most targeted industry sectors.
• The use of sub-domains in hosting phishing sites is on the increase and could become a bigger problem in the future.

One of the most positive trends shown by this survey was that the average uptime of all phishing attacks continued to drop compared to previous periods.

Avalanche is the name given to the world's most prolific phishing gang, and to the infrastructure it uses to host phishing sites. They perfected a system for deploying mass-produced phishing sites, and for distributing
malware that gives the gang additional capabilities for theft. This was also used to distribute the dangerous Trojan named Zeus, a sophisticated piece of malware that the criminals incorporated into their phishing and spamming campaigns. Current trends show reduced activity by Avalanche compared to the second half of 2009; however, researchers fear that this is just a period of hibernation. They are expected to resurface, probably with a different name and a different modus operandi, just like their predecessor Rock Phish, which was very prolific and successful from 2006 to 2008.

Phishing website uptimes

The most critical success factor against a phishing attack, in addition to user awareness, is the speed with which the fake websites can be brought down. This needs the concerted efforts of security professionals and Internet service providers as well as regulators. The APWG report shows the results of these efforts across different countries in the world. Given below is a table showing the region's performance against some of the more Internet-savvy countries in the world.

TLD   TLD Location           Unique phishing   Unique domain names   Domains in registry   Average uptime, 2H 2009
                             attacks, 2H 2009  used for phishing,    (November 2009)       (hh:mm:ss)
                                               2H 2009
ae    United Arab Emirates   8                 7                     87,000                80:20:04
bh    Bahrain                1                 1                     -                     80:43:05
kw    Kuwait                 2                 2                     -                     331:46:23
sa    Saudi Arabia           12                7                     17,543                59:16:41
uk    United Kingdom         14,387            1,554                 8,098,544             15:41:22
in    India                  176               66                    570,523               28:48:21
cn    China                  2,826             228                   13,680,727            15:32:32

More effort is required in the region to reduce the average uptime of these phishing websites. It is in this context that the setting up of aeCERT, and its effective operation, gains significance.
Since their efforts have been very commendable in the space of information protection so far, the average uptime of phishing websites will hopefully keep decreasing, thereby giving better protection to consumers as well as businesses in the region.

Protection against Phishing Attacks

While the creation of awareness and improved transaction processes are the best defence against transaction frauds using phishing attacks, there are also certain technical solutions that provide proactive defence against outbreaks of such attacks.

Digital watermarks

A digital watermark is a hidden seal that is embedded in a web page. When such a web page is duplicated, the monitoring team can be alerted and the fake web site can be taken down. The source IP addresses accessing the phishing site can be tracked using the watermark. This enables tracking of affected accounts (by analysing the accounts accessed from these source IPs in the Internet banking logs). Sometimes the first source IP is the attacker testing the site, and hence that IP can also be blocked.

DNS Monitoring

Continuous monitoring of the registration and hosting of domains having names and web addresses similar to the genuine one gives early warning of the possible hosting of phishing sites.

Referrer logs

A sudden influx of requests to the genuine website whose referrer is a single source other than a search engine could give an indication that a phishing attack is happening on the brand. This is because many times the phished web site keeps genuine links to the original website for images and other non-critical content, which is loaded or clicked by the users who land on the fake page.
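Both the DNS-monitoring and the referrer-log checks above reduce to plain feed and log processing, shown below as one added example written for this page (not code from the article, aeCERT or any vendor product). The brand domain examplebank.ae, the domain feed and the access-log lines are constructed, and the 10-minute window and 20-hit threshold are assumed tuning values; the variant generator covers the common typo, look-alike and "brand as sub-domain" tricks rather than every registration a gang might attempt.

```python
"""Two early-warning checks for brand phishing from the article: DNS monitoring for
look-alike domains, and detection of a referrer-log influx from a page that hotlinks
the genuine site.  Added example; brand name, domain feed and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

BRAND_DOMAIN = "examplebank.ae"                      # hypothetical protected brand
SEARCH_ENGINES = {"www.google.com", "google.com", "www.bing.com", "bing.com", "search.yahoo.com"}
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "b": "d", "m": "rn"}


def lookalike_variants(domain):
    """Names an attacker commonly registers to imitate `domain`: adjacent swaps,
    single omissions, look-alike substitutions, padded labels, another TLD."""
    label, tld = domain.lower().split(".", 1)
    variants = set()
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:] + "." + tld)
    for ch, sub in HOMOGLYPHS.items():
        if ch in label:
            variants.add(label.replace(ch, sub, 1) + "." + tld)
    for extra in ("-secure", "-login", "online"):
        variants.add(label + extra + "." + tld)
    variants.add(domain + ".com")
    variants.discard(domain)
    return variants


def suspicious_domains(newly_seen, brand=BRAND_DOMAIN):
    """Reduce a feed of newly seen host names to those worth a takedown look: exact
    look-alikes (or hosts under one), or the brand label used as a sub-domain of
    someone else's domain, the sub-domain trick the APWG report flags."""
    variants, label, hits = lookalike_variants(brand), brand.split(".", 1)[0], []
    for host in newly_seen:
        host = host.lower().rstrip(".")
        if host == brand or host.endswith("." + brand):
            continue                                     # genuinely ours
        if host in variants or any(host.endswith("." + v) for v in variants):
            hits.append((host, "look-alike"))
        elif label in host.split("."):
            hits.append((host, "brand-as-subdomain"))
    return hits


# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                      r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def referrer_influx(lines, own=BRAND_DOMAIN, window=timedelta(minutes=10), threshold=20):
    """Referrer hosts (not our own site, not known search engines) that sent at least
    `threshold` hits inside any `window`: the burst victims' browsers produce when a
    phishing page keeps our genuine logo and footer links.  Returns {host: peak hits}."""
    stamps_by_host = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        host = urlsplit(m.group("referer")).hostname
        if not host or host == own or host.endswith("." + own) or host in SEARCH_ENGINES:
            continue
        stamps_by_host[host].append(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
    alerts = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        peak = j = 0
        for i, t in enumerate(stamps):               # sliding window over sorted times
            while t - stamps[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


def sample_log():
    """Constructed lines: 25 victims in five minutes fetching our logo from a look-alike
    site, plus a few ordinary search-engine and blog referrals."""
    base = datetime(2010, 6, 1, 9, 0, tzinfo=timezone.utc)
    fmt = '%s - - [%s] "GET %s HTTP/1.1" 200 512 "%s" "Mozilla/5.0"'
    def line(ip, t, referer, path):
        return fmt % (ip, t.strftime("%d/%b/%Y:%H:%M:%S +0000"), path, referer)
    lines = [line("10.0.0.%d" % k, base + timedelta(seconds=12 * k),
                  "http://examplebank-secure.ae/login.php", "/images/logo.png") for k in range(25)]
    lines += [line("10.1.0.%d" % k, base + timedelta(minutes=k),
                   "https://www.google.com/search?q=examplebank", "/") for k in range(3)]
    lines.append(line("10.2.0.1", base, "http://blog.example.net/post", "/"))
    return lines


if __name__ == "__main__":
    print(suspicious_domains(["examplebank.ae", "exampelbank.ae", "www.examplebank-secure.ae",
                              "examplebank.ae.secure-update.info", "unrelated.org"]))
    print(referrer_influx(sample_log()))             # {'examplebank-secure.ae': 25}
```

Tune the window and threshold against the site's normal hotlinking traffic before alerting on it, and route flagged referrer hosts into the same takedown process as the look-alike domains; the earliest source IPs behind such a burst are also the candidates for the account check described under digital watermarks.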
Spam traps

Tracking spam mails within the domain address of the organization, especially "double bounce" mails, could indicate a phishing attack. A sudden influx of mails that have an invalid "from" as well as "to" address results in double-bounce mails, which indicate an increased level of spam and possible phishing mails for the domain.

Conclusion

There is no single solution to prevent phishing attacks across all domains and across all continents. A concerted effort involving end-user awareness, regulatory participation and contributions from the information security community is needed to fight this menace on an ongoing basis. It is not enough to be proactive; you should be alert on a 24x7x365 basis in order to identify the next wave of attacks on online transactions.

Biju Nair, CISA, CISSP, has been working in the Information Security and IT Audit domains for the last 12 years. He has spearheaded the data protection initiatives for several banks in the region and is currently working as the Head of IT & Consumer Audit for Noor Islamic Bank. He is also the current Secretary of the ISACA UAE Chapter.
EARN 16 CREDIT POINTS

I-SAFE 10
25th & 26th October 2010

CORPORATE CHALLENGES IN MANAGING INFORMATION RISKS BEYOND 2010...

The 4th annual integrated conference covering various aspects of managing the most important asset of an organisation - Information

INFORMATION SECURITY
Information is a key asset used by organizations in achieving business objectives. It is imperative in this e-world to maintain the confidentiality, integrity & availability of information. Find out the new trends in security and ways to manage your information security.

AUDIT & ASSURANCE
It is critical to provide independent audit & assurance to strategically manage the information risks in the organization. Find out from the experts the paradigm change in the profession and the new ways to provide audit & assurance services.

FORENSICS
Determine the process & new ways of investigating information resources.

EMERGING TECHNOLOGIES
Find out new technologies to better manage your information and information resources.

VENUE
DHOW PALACE, Dubai, U.A.E.
25th & 26th OCT, 2010

CONTACT DETAILS
Please register online at www.isacauae.org or contact Ashish Mahal on +971-50-7549908 or email ashishmahal@gmail.com for registration or any additional information.
CISA EXAM REVIEW CLASSES

For more details please contact: R. K. Rao on 05500864 or email at: raork123@eim.ae
"ALL WORK NO PLAY MAKES US DULL"

19th November 2010

Network with professionals on the field

ISACA UAE Chapter brings an opportunity for its members to network with fellow professionals on the field by participating in the first ever "SIX (6) a side indoor cricket tournament". ISACA invites all members to form a team from their organization or another organization and lift the "ISACA UAE Chapter Champions Trophy". We can accommodate only a limited number of teams, so rush in your team entries by filling in the attached registration form. The organizing committee will accept teams on a first-come-first-served basis. Pre-registration of all teams is required by 30/08/2010. The event will be held at In-Sportz, Dubai.

For more information regarding the event please contact Vaishal Mehta on +971 50 786 4839
Email: vaishal@gmail.com
ENTRY FORM

To enter the tournament, complete the form below. All payments are to be made in favour of DNATA-ISACA. Cheques are to be forwarded to ISACA UAE Chapter, Vaishal Mehta, ISACA Treasurer, P.O. BOX 186645. Mobile: +971507864839 Email: vaishal@gmail.com

Team Name: ________________________________
Captain's Name: ________________________________
Contact Number: ________________________________
Company/Organisation: ________________________________
Postal Address: ________________________________
E-mail Address: ________________________________

TEAM MEMBERS
1. ________________________________ Contact Number: ______________________ Signature: _____________________
2. ________________________________ Contact Number: ______________________ Signature: _____________________
3. ________________________________ Contact Number: ______________________ Signature: _____________________
4. ________________________________ Contact Number: ______________________ Signature: _____________________
5. ________________________________ Contact Number: ______________________ Signature: _____________________
6. ________________________________ Contact Number: ______________________ Signature: _____________________
7. Reserve ______________________ Contact Number: ______________________ Signature: _____________________
8. Reserve ______________________ Contact Number: ______________________ Signature: _____________________

Team cost: AED 800/-. The team should consist of a minimum of 5 ISACA members; you are allowed to have only 3 non-members in your team.
We, the undersigned, and the members of the ________________________ team will not hold ISACA UAE Chapter, or any of its Board Directors or volunteers, responsible for any injuries to person or property occurring during the ISACA Champion's Trophy held on Friday, November 19, 2010. We agree to play according to the spirit of the game, and will respect and accept the decisions of the umpires and match coordinator adjudicating the tournament.

PLEASE NOTE: To guarantee your place in the tournament, the full amount must be paid to the ISACA UAE Chapter; thus, the first 6 teams to pay the full tournament fee will be entered into the tournament.
