Monday, 29 February 2016

Data Security-Simple Steps to Block USB Devices

Data Security-Simple Steps to Disable USB Ports.


Needless to say that most common method of data leakage is through USB/Pen drive/Mass storage devices. Also, through such devices our PCs/laptops gets infected by viruses/malwares.  Most of the corporates have centralized control for usage of such devices. However such controls are desirable in the offices of Chartered Accountant/Audit firms also as they have critical database of their clients. It is generally observed that Data Security Policy of CA firms is relatively weak and can be easily compromised. In this article, we will understand simple step-wise description for blocking USB Ports i.e. blocking of Pen Drive/Mass Storage Devices. Please note that no software is required for controlling such devices. (Yes. It’s free of cost. So go ahead (:-   )

There are 2 options to achieve our objective:
(1)    Through Registry
(2)    Through Device Manager

(1)Through Registry:
1.       Go to Start > Run , type “regedit” and press enter to open the registry editor
2.       Navigate to the following key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
In the right pane, select Start and change the value to 4. (The value 3 is to enable USB Storage). Click OK. This will disable your USB port.

Please remember:
Value
Function
3
To enable USB Port
4
To disable USB Port

The change will be effective immediately, however sometimes a reboot may be required. This hack will ensure that all the USB storage devices are disabled / blocked or enabled according to your choice
 
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
 
Go to USBSTOR/Start 

 
Write 3 to Enable and 4 to Disable USB


(2)Through Device Manager:
  1. Go to Start > Run , type “Device Manager” and press enter to open the Device Manager
2.        Navigate to the following key: Universal Service Bus Controllers
3.       List of installed devices will appear. Select and right click. It will be give ‘Disable Option’








However, please note that above controls will work only if your PCs/Laptops have Administration Password. Otherwise, anyone can redo i.e. enable USB again and fly away with your confidential data.
Prepared By:
CA. Hemang Doshi , CISA, FII


Sunday, 28 February 2016

Basics of Risk Assessment - IT Audit


Million Dollar Question: What is Risk? The reason why I refer it as a million dollar question lies in
definition(s) of term ‘Risk’. The term ‘Risk’ has been defined in multiple ways and it can be
accommodated anywhere anytime and in any situation as per requirement. Inspite of having vivid
definition(s) of RISK, in practise every human being is a Risk-Pro. When I say everyone, I mean
EVERYONE irrespective of literacy level or profession.

Let us take a simple illustration. During rainy season, street vendors generally keep a plastic cover to
protect their articles. Why So? Because they know that PROBABILITY of having rain is high and it
could IMPACT their valuable articles. In corporate environment, we will complicate the same
example by saying “Articles are VULNERABLE to THREAT of rain and hence RISK RESPONSE is required in form of some CONTROL (i.e. plastic cover) to MITIGATE RISK ELEMENT.”
Wow. Now our dear vendor also knows that it is not worth spending Rs. 100/- to purchase a plastic cover to protect his articles costing Rs. 50/-. In our terms: “COST of CONTROL should not exceed COST of RISK”. Now I doubt whether street vendors have ever heard about these terminologies in their life, but pretty much sure that they actually understand RISK and RISK TREATMENT in their daily activities.

Again. What is risk? Let us look into some of the widely accepted definition of risk.

ISO 27005: The potential that a given threat will exploit vulnerabilities of an asset of group of
assets and thereby cause harm to the organisation.

ISO/IEC 73: Risk is the combination of the probability of an event and its consequences.

Dictionary Meaning: a situation involving exposure to danger.

ISO 31000: Risk is the “effect of uncertainty on objectives”

Business Dictionary: A probability or threat of damage, injury, liability, loss, or any other negative
occurrence that is caused by external or internal vulnerabilities, and that may be avoided through
preventive action.

Oxford Dictionary: The probability of something happening multiplied by the resulting cost or benefit if it does.

If you observe, almost every definition speaks directly or indirectly about two terms:
PROBABILITY & IMPACT.

In simplest form, RISK is a product of PROBABILITY and IMPACT.

Network Security-Simple Step to Secure Wireless Connection (Wi-Fi)



Network Security-Simple Steps to Secure Wi-Fi

If first question that comes to your mind while reading the topic of this article is ‘Why I need to protect my Wi-Fi??’, then read below some of the major risks associated with unsecured wifi.
What are the risks of using an unsecured wireless network?

In simple language it is like going for a trip without locking your house. Anyone one can enter your house anytime and do anything as per his wish.

Your connection can be enjoyed by anyone for free and please consider yourself lucky if intruders are your neighbours with intention to save some bucks  as it may cost you only some additional bandwidth charges and at the most  slowing down your surfing speed. However, if your connection is used for illegal downloading of music, movie or pornography, the result could be more serious.

And if you are damn unlucky, you will be the chosen one, whose unsecured internet connection can be used to commit crimes of serious level. A criminal who does not want to be caught can use your unsecured internet connection to commit crimes because when it is traced back to the source, your connection will be reported as the scene of the crime.

You may refer below standard clause in your contract with ISP:

CONTENT RESPONSIBILITY AND INTERNET SERVICE USE RESTRICTIONS

Client acknowledges and agrees that it is solely responsible for the Content of its transmissions which pass through the Internet Connection Service. Client also agrees it will not use the Internet Connection Service:
1. for illegal purposes;
2. to transmit threatening, obscene or harassing materials, or
3. to interfere with or disrupt other network users, network services or network equipment.
In nutshell, you are responsible for activities done through your connection.
Also, once an intruder enters your network, they can have access to your data/records and they can also spy your online activities. 

So now, please note that, below mentioned steps are much much easier to implement than to defend your innocent self in court of law (:-

The good news is that it is very simple to make your WI-FI connection secure, which will prevent others from stealing your internet and will also prevent hackers from taking control of your computers.
Below are some simple steps to surf safely:
(1)Take control of your Router through unique password:
Step 1: Login to your wireless router.
Open Internet Explorer and type in the address http://192.168.0.1 or  http://192.168.1.1 (By default, most router will have 192.168.0.1 or 192.168.1.1 as the default Router IP address. This is the address you would enter into your browser's address bar to access the router configuration page.)



Not able to access through http://192.168.0.1  or http://192.168.1.1.  No need to worry. We will manually find your Router’s Address:
-Go to Start
-search for CMD
-give command ‘ipconfig’
-Default Gateway is your Router’s IP Address.

  
Now login to your router. What??. You don’t have user ID and password??.  Don’t worry. I do have you credentials (provided you have not changed it earlier)

Your user ID and password should be:

Five Characters.  All small. 1st alphabet then 4th alphabet then 13th alphabet then 12th alphabet then 14th alphabet


Making it simple for you:

User ID
admin
Password
admin

                    OR

User ID
admin
Password (blank)


If it’s not working for you, please google for default user ID/password for your router/service provider.




Step 2: Change your USER ID and Password immediately.
-Go to settings
-User Settings
-Update your New Credentials






(2) MAC Filtering:
Every Machine (PC/Laptop/Mobiles) has a unique identification number. That is known as Media Access Control (MAC) address. So through this control, you allow access to only selected devices. Any other device trying to access you network will be rejected by your router. 
Step 1: Indentify MAC addresses of your all devices.
Now question arises how to identify MAC address of your machine.
MAC of PC/Laptop:
-Go to Start
-search for CMD
-give command ‘getmac’
-Physical Address is your MAC address.





MAC of Mobile:

-Go to Settings.
-Select ‘About Device’ (About Phone)
-Select Status.
-Scroll down to Wi-Fi MAC Address to see your MAC Address.

Step 2: Update all the MAC addresses for which you want access:
Go to Settings/Security/MAC Filter/Enable MAC Address Filtering and update MAC addresses for which you want access.
You can also use Black-list to specifically reject some MAC addresses.



(3) Disable SSID:
SSID is kind of floating of RFP (Request for Proposal). You can name it RFH (Request for Hacking).  A Service Set Identifier (SSID) is the wireless network name broadcast by a router and it is visible for all wireless devices. When a wireless device searches the area for wireless networks it will detect the SSID.


 I don’t see any need for such open broadcast unless you want to promote your Wi-Fi (in case of hotel/restaurant/lounge/mall etc). To disable broadcast go to Wi-Fi Profiles and look for SSID Broadcast and select Disable option

(4) Enable Encryption:
Encryption helps to scrambles the information we send through wireless network into a code so that it’s difficult for other to access. Using encryption is the effective way to secure your network from intruders.
Two main types of encryption are available for this purpose: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). WPA 2 is the strongest encryption standard for wireless connection as on today.


(5) Monitor Your Network:
There are many wireless network monitoring tools available in the market. Some of them are free and very much reliable. Netcut and whoisonmywifi are reliable one. Through such tool you can monitor and see and do easy analysis for devices joining and exiting your network. It helps to keep your WiFi safe, secure, and running smoothly.


Please note that all the screenshots/paths have been explained considering Reliance Pro 3 wifi connection. If you have any other service provider, there may be slight changes in setting parameters.

Please do write in case of any query/concerns/suggestions.



CISA Certification- Approach for Success




CISA Certification: How to get through



What is CISA:
The Certified Information Systems Auditor (CISA) is a certification issued by the Information Systems Audit and Control Association (ISACA).
Certified Information Systems Auditor (CISA) is a globally recognized certification in the field of audit, control and security of information systems. CISA gained worldwide acceptance having uniform certification criteria, the certification has a high degree of visibility and recognition in the fields of IT security, IT audit, IT risk management and governance. Vacancies in the areas of IT security management, IT audit or IT risk management often ask for a CISA certification. The exam tends to be associated with a high failure rate. CISA is awarded by ISACA.

Why CISA:
-Confirms your knowledge and experience
-Quantifies and markets your expertise
-Demonstrates that you have gained and maintained the level of knowledge required to meet the dynamic challenges of a modern enterprise
-Is globally recognized as the mark of excellence for the IS audit professional
-Combines the achievement of passing a comprehensive exam with recognition of work and educational experience, providing you with credibility in the marketplace.
-Increases your value to your organization
-Gives you a competitive advantage over peers when seeking job growth
-Helps you achieve a high professional standard through ISACA’s requirements for continuing education and ethical conduct


Exam Pattern:
CISA exams are conducted three times a year: in June, September and December. The exam is known to be difficult examination and having four hours in length, consists of 200 multiple choice questions and uses the format of one correct answer per question. The scoring is weighted depending on an predetermined value for each question with a passing score of 450 points and a 800-point score as the maximum. Some questions are purely for statistical purposes and do not affect the candidate's score.


Preparation:
To be honest, it’s not an easy task. But if you follow below pattern for preparation, I am sure your certification is not far away.
Resource Requirement:
Only investment that I recommend is buying ‘CISA Review Questions, Answers & Explanations Database’ from ISACA website (isaca.org). Cost will be approximately 12000/- INR. But same is worth investing if you aspire to clear CISA in first attempt.
Database is online version with features as follow:
The CISA Review Questions, Answers & Explanations Database is a comprehensive 1,200-question pool of items. The database is available via the web, allowing our CISA Candidates to log in at home, at work or anywhere they have Internet connectivity.
Exam candidates can take sample exams with randomly selected questions and view the results by job practice domain, allowing for concentrated study in particular areas. Additionally questions generated during a study session are sorted based on previous scoring history, allowing CISA candidates to identify their strengths and weaknesses and focus their study efforts accordingly.
Other features provide the ability to select sample exams by specific job practice domain, view questions that were previously answered incorrectly and vary the length of study sessions, giving candidates the ability to customize their study approach to fit their needs.
Now, treat this database as bible for studying CISA.  Please rigorously follow below pattern:
(i)Get one thing absolutely clear. No other study material is required. That will unnecessary create confusion.
(ii)Please start preparation atleast before 4 months of examination.
(iii)Now, this is very very important. Please attempt 40 questions daily. Total time required is  less than half an hour per day. No excuses even on weekends/holidays. I am not recommending any more study. 40 questions daily is the only requirement that will help us to get certification. Please note that, this question database resembles the actual questions asked in CISA examination. Though questions may be framed differently, testing concept remains same. How do I know? I attempted CISA examination twice.
(iv)If you follow 40-40 rule, within a month, you will able to attempt more than 1000 questions. Please note when you attempt a question, please pay more attention on explanation part i.e why a particular answer is correct and why other three are not. Also note that for many questions testing concept will be repetitive in nature. So more question you attempt, more confidence you get. Simple.
(v)In case you want to supplement your study, I recommend ‘ALL-IN-ONE’ by Peter H Gregory. Technicalities have been superbly simplified by Peter.
(vi)Sharing my experience. During my first attempt, I collected lot many freely available study materials from website. Mugged up many technical definitions. Went through acronyms and glossaries. Attempted MCQs available from different websites. Seen online videos. But nothing worked. I failed. Though all this things helped me to gain some technical knowledge, I was not able differentiate between correct answer and other three distracters in examination. First of all it took lot of time to understand questions. How would you expect me to answer, when I am struggling to find out even what the hell is the question (:-
Anyways, for the second attempt, I purchased Question-Answer Software from ISACA (i know it’s painful to pay for the study material (:-   ) and started attempting daily atleast 40 questions. It helped me gradually to understand:
(i)Pattern of Questions
(ii)What is the testing concept behind any question.
(iii)Easily able to identify distracters.
(iv)Easily able to co-relate correct answer with question.
(v)Helped me to manage time element.

So, below is my result for second attempt:
Dear Mr. Hemang Doshi:
RE: CISA Exam Result Notification -- Exam ID: 14812446
At your request (per your exam registration authorization), this email is being sent to notify you of your September 2014 CISA exam result. A scaled score of 450 or higher is required to pass, which represents the minimum consistent standard of knowledge as established by ISACA's CISA Certification Committee.
We are pleased to inform you that you successfully PASSED the exam with a total scaled score of 600.Your score was in the top 5 percent of those testing. For your information, your exam results by area are provided below.
SCALED SCORES OF YOUR PERFORMANCE BY AREA:
The Process of Auditing Information Systems: 711
Governance and Management of IT: 490
Information Systems Acquisition, Development and Implementation: 667
Information Systems Operations, Maintenance and Support: 554
Protection of Information Assets: 591

The above represents a conversion of individually weighted raw scores based on a common scale. As such do not attempt to apply a simple arithmetic mean to convert area scores to your total scaled score.


(vii)If you want to try your luck without spending much, I do have some question banks. Please visit 


Prepared by: CA. Hemang Doshi , FIII, CISA.