Best Practices

XML External Entity Attack

An XML External Entity (XXE) attack abuses the way an application parses XML input. It occurs when untrusted XML that declares a reference to an external entity is processed by a weakly configured XML parser: the parser resolves the entity, and the attacker can thereby interfere with the application's processing of XML data. Depending on what the parser can reach, this leads to leakage of confidential files from the server, denial of service, server-side request forgery (SSRF) and port scanning of internal hosts.
The safest way to prevent it is to disable Document Type Definitions (DTDs), and with them external entities, completely.
If DTDs cannot be disabled completely, then external general entities and external document type definitions must be disabled in the parser; every XML library has its own settings for this, so the configuration has to be checked per library rather than assumed.
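The following is an added example, not code from the original page: the same XXE payload parsed once by a permissively configured parser and once by a hardened one, using Python's standard xml.sax. Python has kept external general entities off by default since 3.7.1, so the "vulnerable" function switches them on deliberately to reproduce what a weakly configured parser does; the "hardened" function rejects any DOCTYPE, which is the "disable DTDs completely" option, and additionally leaves external general and parameter entities disabled. The secret file and the payload are constructed stand-ins.

```python
"""Vulnerable vs. hardened XML parsing with Python's xml.sax.
Added example, not code from the original page."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class TextCollector(ContentHandler):
    """Collects the character data the parser hands to the application."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


class RejectDTD:
    """Lexical handler that aborts parsing as soon as a DOCTYPE appears,
    i.e. the 'disable DTDs completely' option from the text."""

    def startDTD(self, name, public_id, system_id):
        raise xml.sax.SAXException("DOCTYPE is not allowed in this input")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_payload(target_url):
    """Constructed attacker input: entity 'xxe' points at a server-side
    resource and &xxe; inlines whatever the parser fetches from it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{target_url}">]>\n'
        "<order><note>&xxe;</note></order>"
    )


def parse_vulnerable(xml_bytes):
    """Weak configuration: external general entities are resolved.
    xml.sax has turned this off by default since Python 3.7.1; it is
    switched on here to reproduce what a permissive parser does."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, True)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """Hardened configuration: refuse any DTD and, as defence in depth,
    keep external general and parameter entities disabled."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXException as exc:
        return "rejected: " + str(exc)
    return collector.text()


def demo():
    """Runs both parsers against one payload aimed at a constructed
    stand-in for a sensitive file on the server."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret
        secret_path = f.name
    try:
        payload = xxe_payload("file://" + secret_path).encode()
        return parse_vulnerable(payload), parse_hardened(payload)
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, refused = demo()
    print("permissive parser returned:", leaked)
    print("hardened parser returned:  ", refused)
```

The permissive parser hands the application the contents of the target file as ordinary element text, which is exactly how the data leaves the server in a real XXE; the hardened one never reaches the entity declaration because the DOCTYPE itself is refused. The same two-step pattern (reject DTDs; if you cannot, turn off external general and parameter entities) applies to other stacks, but the feature names differ per library.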

Authored by : Faizan Qazi, TCS Cyber Security

Uninstall Sophos components using GUID by Powershell

Sophos Anti-Virus and its components can be uninstalled with their product GUIDs and MsiExec.exe (Windows Installer). These GUIDs can be found in Registry Editor (regedit.exe).

The registry paths on 64-bit Windows are:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (64-bit node) and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (32-bit node).

Before diving into PowerShell scripting, remember that Sophos components must be uninstalled in a particular order; the order depends on the Sophos version and is documented on the Sophos support portal.
First, the Sophos services need to be identified and stopped before proceeding with the uninstall.

Below is the PowerShell snippet that identifies the Sophos services and stops them:
Get-Service | ? {$_.DisplayName -like "Sophos*"} | Stop-Service

Next, the GUIDs of the components and the uninstall path of Sophos Endpoint Defense need to be found.
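The following is an added example, not the original article's script: it reads both Uninstall registry nodes named above, lists the Sophos entries with their product GUIDs, and removes the MSI-based ones with msiexec in an order you supply. The component order is an assumed input that must come from the Sophos support article for your version; the function names and the -Order parameter are this example's own. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original page: enumerate Sophos products in
# both Uninstall nodes and remove the MSI-based ones with msiexec.exe.

$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',             # 64-bit node
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit node
)

function Get-SophosUninstallEntry {
    # Lists Sophos products with their product code (GUID) and uninstall string.
    # Entries whose key name is not a GUID are not MSI packages and cannot be
    # removed with "msiexec /X"; their UninstallString must be used instead.
    Get-ChildItem -Path $UninstallPaths -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like 'Sophos*' } |
        Select-Object DisplayName,
                      @{ Name = 'Guid';  Expression = { $_.PSChildName } },
                      @{ Name = 'IsMsi'; Expression = { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } },
                      UninstallString
}

function Uninstall-SophosByGuid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Display names in the order documented by Sophos for your version (assumed input).
        [Parameter(Mandatory = $true)][string[]] $Order
    )

    # Stop the running Sophos services before touching the installers.
    Get-Service |
        Where-Object { $_.DisplayName -like 'Sophos*' -and $_.Status -eq 'Running' } |
        Stop-Service -Force -ErrorAction SilentlyContinue

    $entries = Get-SophosUninstallEntry
    foreach ($name in $Order) {
        $entry = $entries | Where-Object { $_.DisplayName -eq $name } | Select-Object -First 1
        if (-not $entry) {
            Write-Warning "Not installed: $name"
            continue
        }
        if (-not $entry.IsMsi) {
            Write-Warning "$name is not an MSI package; run its UninstallString instead: $($entry.UninstallString)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, "msiexec.exe /X $($entry.Guid)")) {
            $proc = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/X $($entry.Guid) /qn /norestart REBOOT=ReallySuppress" `
                -Wait -PassThru
            # 0 = success, 3010 = success but a reboot is pending; anything else is a failure.
            if ($proc.ExitCode -notin 0, 3010) {
                throw "msiexec failed for $name (GUID $($entry.Guid)) with exit code $($proc.ExitCode)"
            }
        }
    }
}

# Usage: inspect first, then dry-run with -WhatIf, then run for real.
# Get-SophosUninstallEntry | Format-Table -AutoSize
# Uninstall-SophosByGuid -Order 'Sophos Anti-Virus', '<next component per Sophos article>' -WhatIf
```

Two practical caveats: if Sophos tamper protection is enabled on the endpoint, both Stop-Service and msiexec will be blocked until it is switched off, and a non-MSI component such as the Endpoint Defense uninstaller shows up with a non-GUID key name, which is why the function refuses to pass it to msiexec and prints its UninstallString instead.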

Exploit PoC: Linux command execution on Vim/Neovim vulnerability (CVE-2019-12735)

CVE ID: CVE-2019-12735
Category: Remote Code Execution
Severity: High (CVSS v2 score 9.3)

The flaw lies in the way the Vim and Neovim editors handle "modelines", a feature enabled by default that reads a set of editor options placed by the file's creator in the first and last lines of a document and applies them automatically. Opening an innocent-looking, specially crafted file in Vim or Neovim is therefore enough for an attacker to execute commands on the Linux system and ultimately take over the target.

Affected Products:
• Vim before version 8.1.1365
• Neovim before version 0.3.6
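The following is an added example, not code from the original page or from the Vim or Neovim projects: it parses the output of `vim --version` and `nvim --version` and tells you whether the installed build predates the fixed versions listed above. Vim reports its patch level as an "Included patches:" line of ranges and single numbers, so the check tests for the specific fix patch 8.1.1365 rather than comparing a single number. The sample version strings are constructed.

```python
"""Checks whether a Vim or Neovim build predates the CVE-2019-12735 fix.
Added example, not code from the original page or from the Vim project."""
import re
import shutil
import subprocess

# Fixed versions named in the advisory.
VIM_FIX = (8, 1, 1365)   # Vim patch 8.1.1365
NVIM_FIX = (0, 3, 6)     # Neovim 0.3.6

# Constructed samples of what the two editors print (format only is real).
SAMPLE_VIM_VULNERABLE = (
    "VIM - Vi IMproved 8.1 (2018 May 18, compiled Apr 15 2019 10:00:00)\n"
    "Included patches: 1-1300, 1302, 1310-1364\n"
)
SAMPLE_VIM_FIXED = (
    "VIM - Vi IMproved 8.1 (2018 May 18, compiled Jun 30 2019 11:52:49)\n"
    "Included patches: 1-1365\n"
)
SAMPLE_NVIM_VULNERABLE = "NVIM v0.3.5\nBuild type: Release\n"
SAMPLE_NVIM_FIXED = "NVIM v0.4.3\nBuild type: Release\n"


def parse_vim_version(output):
    """Returns (major, minor, set_of_included_patches) from vim --version."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", output)
    if not m:
        raise ValueError("not the output of `vim --version`")
    major, minor = int(m.group(1)), int(m.group(2))
    patches = set()
    for line in output.splitlines():
        if line.startswith("Included patches:"):
            for token in line.split(":", 1)[1].split(","):
                token = token.strip()
                if not token:
                    continue
                lo, _, hi = token.partition("-")      # "1-1300" or "1302"
                patches.update(range(int(lo), int(hi or lo) + 1))
    return major, minor, patches


def vim_is_vulnerable(output):
    """True if the build is older than Vim 8.1 with patch 1365 included."""
    major, minor, patches = parse_vim_version(output)
    if (major, minor) != VIM_FIX[:2]:
        return (major, minor) < VIM_FIX[:2]
    return VIM_FIX[2] not in patches


def parse_nvim_version(output):
    """Returns (major, minor, patch) from nvim --version ('NVIM v0.3.5')."""
    m = re.search(r"NVIM v(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("not the output of `nvim --version`")
    return tuple(int(x) for x in m.groups())


def nvim_is_vulnerable(output):
    """True if the build is older than Neovim 0.3.6."""
    return parse_nvim_version(output) < NVIM_FIX


def check_installed():
    """Runs the real editors if present; returns {name: vulnerable_or_None}."""
    results = {}
    for exe, judge in (("vim", vim_is_vulnerable), ("nvim", nvim_is_vulnerable)):
        if shutil.which(exe) is None:
            results[exe] = None
            continue
        out = subprocess.run([exe, "--version"], capture_output=True, text=True).stdout
        results[exe] = judge(out)
    return results


if __name__ == "__main__":
    for exe, state in check_installed().items():
        print(exe, "not installed" if state is None else ("VULNERABLE" if state else "fixed"))
```

Until a fixed build is installed, putting `set nomodeline` in ~/.vimrc (or the Neovim init file) turns the modeline feature off entirely, which removes the attack surface the advisory describes.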


Authored by : Magrabur Alam Sofily , Cyber Security, TCS

Manual Access Re-certification to Avoid Risk of Data Breach

Some of the major data breaches have been carried out by internal users; Sports Direct in 2017 and Sage in 2016 are two examples. Research by Intel Security estimated that around 43% of data breaches are caused by internal users, which makes them a significant risk to data security. As a direct consequence, employees' access to information assets within an organization is a major security control. The biggest challenge in managing access risk is setting the correct access levels for employees in different functions and roles: overly restrictive access policies hurt the efficiency of business operations, while very open access controls substantially raise the risk of a data breach, whether employees cause it intentionally or unintentionally.

Security Information and Event Management (SIEM) Solution -Best Practices

A security information and event management (SIEM) system provides a centralized view of the information coming out of an organization's multiple defense mechanisms, end-user devices, applications and servers, normalized into a common, readable format. It serves multiple purposes, such as auditing, reporting, log retention and incident response, and most importantly real-time monitoring, which provides the ability to alert in the initial stages of a cyber-attack on your organization. In short, it shows you what you have configured it to show you, so to get the most out of it, it has to be managed properly.

Cybersecurity Framework v1.1 draft (NIST)

Released Jan 10, 2017. NEW REVISION: Cyber Supply Chain Risk Management. The organization can quickly and efficiently account for emerging cyber supply chain risks using real-time or near real-time information, leveraging institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization. The organization communicates proactively and uses formal (e.g. agreements) and informal mechanisms to develop and maintain strong relationships with its suppliers, partners, and individual and organizational buyers.

Draft SP 800-181 NICE Cybersecurity Workforce Framework (NCWF) by NIST

NIST released the draft NICE Cybersecurity Workforce Framework (NCWF) to help identify, recruit, develop and retain the nation's cybersecurity talent more effectively. The framework provides a common language for categorizing and describing cybersecurity work, which helps organizations build a strong workforce to protect systems and data.

As threats to cybersecurity and the protections implemented against them grow and evolve, a cybersecurity workforce must be prepared to adapt, design, develop, implement, maintain, measure and understand all aspects of cybersecurity. Such a workforce includes not only technically focused staff but also those who apply their knowledge of cybersecurity and its inherent challenges when preparing their organization to carry out its mission. A knowledgeable and skilled cybersecurity workforce can implement and maintain protections and take the actions needed to meet the nation's needs.

10 Effective ways to get more out of risk management

To counter an organization's operational risks in today's dynamic world, a robust risk and control self-assessment (RCSA) framework is needed that lets your company regularly assess the maturity of its controls against the risks to operations. You may consider including (but not limiting yourself to) the following actions and activities as part of the risk and control self-assessment:
  1. Agree that the risk inventory is complete and accurate: take into account risks identified through internal and third-party risk assessments, security audits, incident logs (IT only), significant business changes or new regulations, external data, and risks identified in ICAAP scenario sessions (banking and financial sectors).
  2. Identify the root cause of each risk.

Security Awareness- How much is enough?

Security awareness is a very big buzzword. We all know, and often say, that awareness is the key to security: an organization that is aware is far more likely to be secure than its counterparts. But how much awareness do we give our audiences? When we address them, we generally talk about what information is, what its security means, which aspects of information we protect, which general controls we have, and which common or grave mistakes one could make and what their possible impact could be.

Yet if awareness is directly related to the perception of information security risks, then awareness itself can become another risk: we are telling the audience what could go wrong, sometimes without realizing that, had we not told them, they might never have found out, and so we give them the chance to say "Ah, I didn't know that this kind of breach was that simple."
