PKF AvantEdge

Page 27 of 40

The IOT (Internet of Things) : My Personal Experience

August 24, 2015 / / 0 Comments
ThumbPrint

ThumbPrint

Unless you have been living in a cave or on a secluded island without internet connection, you may have come across the term ‘Internet of Things’ or IoT. According to Gartner, “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”

Living in an era where we have easy access to information at the tip of our fingers is now taken for granted. Going out of your home without your smart phone is absolutely unthinkable – well, at least for me. I can be connected with my friends & family members anytime and anywhere – it can’t get better than that right? Well, let’s re-think this carefully.

Security
I am a huge fan of Strava application. This mobile application uses GPS and mobile data to track your activity (be it cycling or running) – it tracks your mileage, exercise effort level (wattage), time taken to complete the activity and then, further provides data on your ranking against other Strava users on the same activity/route. As I cycle and run competitively as a ‘hobby’, Strava is a great way for me to track my improvements and also pit myself against my friends to be the Queen Of Mountain of a certain mountain anywhere in the world. Awesome! – well, maybe….

The great thing with Strava is that it is connected to Facebook. In fact, if you use your Garmin to track your activity, you can set up your Garmin to connect seamlessly to Strava on every activity tracked on Garmin. Notice the word I’ve used here: SEAMLESSLY. Yes, it is that easy. Friends on Facebook are able to know where I was or where I am currently at based on my post through Strava.  Now, my friends can like my activity and comment as well. Let’s just say that a friend of my Facebook friend intends to track me and know my current whereabouts, s/he can definitely find all that information via Facebook. If s/he intends to break-in to my home (assuming s/he knows where I live), can do so as well – because I am not at home – I’m still cycling back to my house. Dangerous? Am I inviting trouble? You bet! The internet of things have enabled different types of devices to be connected seamlessly and we love that; however, have we ever stopped to think of the danger that we’re opening ourselves up to? It doesn’t take much to be information technology savvy to track a person’s whereabouts.

We love to tell our Facebook friends where we are at by posting “Agnes Yew checked in at Mid Valley” or “Agnes Yew checked in at Madam Kwan, Mid Valley City”. Have you ever stopped to think that we’re providing information to people on our whereabouts willingly and this could be used to our disadvantage?

Time to stop and think…

Data Breach
Ashley Madison was recently hacked and it was let out that the hackers had access to its customer database and have posted the information on a public website for all to see. Ashley Madison is a discreet website which allows their customers to hook up with other folks who are interested in dabbling in a little fun outside the marriage bed. If you were a registered customer (married or attached) of Ashley Madison, you’ll be jumping or maybe peeing in your pants as the list of customers are now in the hands of hackers and shared on a public website.

Personal data is very much valued by consumer marketing companies and anyone who has access to a database has the upper hand to sell that information. I’ve been bombarded with these annoying SMS(es) on properties going on sale and what not every day. Yes, every day. I have to add these numbers under SPAM. It’s annoying as I don’t know where and how they got my mobile number. It could be when I got on the internet and signed up for some newsletter and I did not read the fine print and,or, I did not un-check a box to unsubscribe.

The Personal Data Protection Act in Malaysia was gazetted in 2010 and has been in enforcement from April 2013 on-wards. PDPA is supposed to protect consumers whereby companies holding our personal data are obligated to set up policies and a structured framework to ensure that the data is stored safely and not be leaked out. In my opinion, Malaysia is still in its infancy in comparison to US or EU, in terms setting up a stringent DPA (Data Protection Act) framework. Companies are not investing in being PDPA compliant unless they are required to by the Ministry. At the moment, the Finance, Telecommunications and health industry players are required to be PDPA compliant.

As a Malaysian consumer, we have every right to be concerned if companies managing our personal data are not enforcing a certain measure of security to ensure that our data is safely kept. Companies in Europe and US are willing to invest huge dollars in a Security Information Event Management (SIEM) solution to manage internet threat intrusions. At the moment, the Multimedia and Communication Ministry has not published any data on companies in Malaysia that are allocating budgets for SIEM or some sort of Internet Security application.
Time to stop and think….

How to Be Safe
I want to be safe. I want my family members to be safe as well. What measures am I taking to make sure that only people I want to know about me, know about me?
• I and my family members do not post our actual profile pictures on Watsapp, LINE and Facebook.
• I clean up my friends’ list in Facebook every three months. ‘Friend of Friends’ will be deleted.
• I read and uncheck boxes when I sign up for newsletter/etc. online. I read the fine print.
• I do not post my Strava activity until I get home – Announcing that I am Queen of Mountain can wait.
• I do not ‘check in’ to any location using Facebook. Yes, I may miss getting some discounts from that restaurant or shop by not checking in but I really don’t think it is worth letting people know where I am at.
• I block all sms’ numbers that are marketing in nature and park them under SPAM.

Different folks may have different appetites of risk tolerance towards being bombarded by SPAM or wanting to let the world know what they are doing or where they are at. The effort level you put into ensuring that you and your family members are safe is a choice and for me, is a very important choice.
Stop and think…..

For PDPA Training/Advisory or Internet Security Applications, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Agnes Yew, PKFAE Project Manager

PCI-DSS Landscape in Malaysia

August 21, 2015 / / 0 Comments

pci-compliance

2014; this was the year where PCI DSS really took off for many companies and organisations in Malaysia. More and more banks have pushed their merchants to be compliant and certified with PCI DSS.  While a few merchants require Level 1 certification or Level 2 validation, a bulk of them will fall under Level 3 and Level 4 Merchants. That means a lot of ASV scans, and a lot of Self-Assessment Questionnaire (SAQ) Advisory. I was asked this question: why are these banks, who are traditionally so dormant and make corporate decisions slower than a crippled sloth, half blind and halfway to the grave, now have suddenly become so actively engaged in PCI DSS? Perhaps this is due to the pressure they get from the card brands – especially VISA and MasterCard.

After what happened to the infamous Target retailer during the 2013 – 2014 and other high profile hacks, card brands are now in caution mode and have become more stringent to entities connecting to them. This, in line with the new PCI-DSS V3.1 means that controls are more stringent and auditees are more frustrated. Like everything in PCI – it’s a top down domino effect – VISA insists on banks being certified – banks claim that they cannot be certified but they are in the process, and they in turn insist their third party processors or merchants be compliant. I call this ‘passing the buck’ philosophy. It’s an open secret that no banks in Malaysia are certified. They will claim they are compliant, the same way my 25 year old refrigerator is compliant to green and environmental friendly regulations. It’s not.

Because banks push this compliance downstream, this “passing the buck” effect has caused many entities to start actively looking in every direction to be certified or compliant because they don’t want to lose connection with the bank. Is it fair? As one of our merchant client bluntly puts it: “It’s like being blamed by tobacco companies for polluting the planet with our smoking.” While drawing in a long drag on his Marlboro Lights and looking wistfully into space.

Should banks be certified? Of course.

However, for them to get certified in a specified period of time is difficult due to their ever changing business nature and an overly large scope of systems, people and processes under PCI requirements. Therefore they will need more time to remediate all the gaps and guess what – one of gaps would invariably be getting their third parties (like my client with his Marlboro Lights) certified.

At the end, the service providers and merchants and payment gateways are forced to be more aware that PCI is needed for them to ensure the continuity of their business especially if it involves VISA and MasterCard. So why aren’t they getting certified?

The answer lies in the implementation cost. Smaller to medium merchants, emerging payment gateways who have limited funds, limited clients – they might consider that the cost of them to pay for any breach is lower compared to certification. For example the need for an IDS/IPS (Intrusion Detection/Prevention System), the need for a system logging server, the need to perform daily log review and review reports.  All of these require either additional effort or cost in terms of time, human resource or investment to acquire new devices.

With problems, there will always be solutions. We are keenly aware not all clients can afford the expensive solutions such as having separate devices for IDS, FIM (File Integrity Monitoring), syslog and etc. Or to build a Security Operation Center ground up. We have crafted out different solutions to serve our customer’s needs, from providing an all in one system for compliance to even having them outsource their compliance headache to us. Yes, we love to transfer headaches from clients to ourselves. We call our solution PCI Panadol. Just kidding, but it’s a great name.

Our solution starts with this question: How do we get you compliant with the least effort, least time and least money possible – and to maintain compliance with these 3 LEASTS (effort, time, money)?

Overall, awareness of PCI DSS has grown a lot in Malaysia. PKF Avant Edge does monthly PCI Awareness training (HRDF Claimable) and we have served large clients through such training.  As for implementation, it is just as important to know what is UNNECESSARY for PCI than what is necessary. It starts with the scope. Start right, and you might just cross the other side of certification and celebrate with a party. Start wrong, and you are looking at a very, very, very long journey with very little happiness in it.

For PCI scoping or advisory on how we can help you in your PCI-DSS journey, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Wafiy Karim, PCI Consultant.

PDPA Training – Tropicana Medical Centre

August 3, 2015 / / 0 Comments

tropicana-medical-center-logo

We had the privilege recently to conduct our PDPA Assessment Training to Tropicana Medical Centre – to almost 40 people over 2 sessions. We touched on several topics, including a live demonstration of using software for hacking and personal data collection through the internet. Furthermore, we went through the Personal Data Protection Act – and more importantly how to implement into companies.

Each companies have different implementation – each has different DNA and risk profile. The important thing is not to just use PDPA Act as a blanket implementation, but tie the requirements of PDPA (or the spirit of it, as we say) to known standards – the General Accepted Privacy Principles (GAPP) from AICPA and the Health Insurance Portability and Accountability Act (HIPAA), as well as the well known ISO27001 and PCI-DSS for IT controls.

IT Controls are generally important to the implementation of PDPA due to the fact that in most companies, information has been digitised and stored in some database or some logical storage (as opposed to metal cabinets as days of old).

Aside from those, we went through a very useful demonstration of Alien Vault, as a way to control assets, secure the network and monitor traffic to ensure information is not breached.

AlienVault Setup 2: Deploying into your network

July 16, 2015 / / 0 Comments

Deployment of AlienVault generally will depend on your network complexity.

For us, we only have an AIO (All In One). While this is great, the lack of sensors make network visibility limited. Basically we can see traffic within the network segment we are connected to. Another issue here is that everyone can see/ping the AV server, which generally isn’t too great. Let’s call this the Invasion Approach. Everyone sees the Alien Ship invading the network.

Another scenario would be to segment your network and deploy remote sensors in each segment and sends back data to a secure segment – we call this the Mother Ship Approach, where these little alien ships send back information to the big mother ship in space – like that Independence Day movie.

Another scenario would be to have multi-server, multi-sensors. We will call this the Divide and Conquer strategy. This makes the whole SIEM infrastructure harder to compromise, lowering its visibility to other devices and also distributes workload over different areas.

Remember – anyone hacking into the SIEM has access to a whole lot of informatin so its worth defending.

For our deployment scenario, we are deploying it for IDS, network vulnerability and asset management purposes – and will be doing it on a SPAN port in our main switch.

Now, let’s get some information.

For more details on Alien Vault products and services, please drop us an email at alienvault@pkfmalaysia.com

AlienVault Setup 1: VMWare Esxi 5.1

July 15, 2015 / / 0 Comments

AV1

We decided to get an old server we had lying around the office and turn it into our AV (AlienVault) machine using a trial license (30-day full spec).

We faced several issues, which I will put it down in this article and a few others to guide others in installing AV product in their network.

1) Installing VMWare Vsphere 6.0

AlienVault is actually quite easy to install. Getting VMWare ESXi or VSphere running in an old machine was a different story. So before we even get AV up and running, we had to coax our machine to run VM. The first issue was that there was no CD drive. This wasn’t so difficult, you have basically two choices:

a) Boot with a CD, with a VMWare ISO image

b) Boot from USB, if your BIOS supports it.

As it turns out, our BIOS was able to support USB boot. So we used the extremely useful Rufus (https://rufus.akeo.ie/) tool to burn the ISO image we downloaded from at  VMWare https://my.vmware.com/web/vmware/evalcenter?p=free-esxi6.

We set up the BIOS to boot from USB and immediately got into the installation portion for VM. So far so good.

2) Unsupported network adapter

Immediately we got hit with an unsupported network adapter and basicall VMWare refused to go on. At this point we have 3 options:

a) Hack the image and inject the drivers of our network adapter in (I believe it was Realtek 8168 GB Ethernet)

b) Purchase and set up an adapter that is in the compatibility list at http://www.vmware.com/resources/compatibility/search.php

c) Downgrade VMWare 6 to 5.1 or below

Fortunately we had an older version of VMWare a few years back in our network drive and we chose to take the path of C), since Realtek was supported by VMWare then. Why they removed the support, I have no idea.

We re-did the image to 5.1 and rebooted to USB – this time, we got through without any issue, and VMWare ESXi was installed!

d) Deploying AlienVault 

Once you had your VM server up, you just download the client and deploy the AV OVF using File -> Deploy OVF Template. Of course, you obviously have to download the Trial AV first. Head over to www.alienvault.com/free-trial.

Just use default settings BUT choose ‘Thin Provisioning’ as disk format to avoid having to pre-allocate the full amount of disk space. This will allocate a minimal footprint for your image and grow as you store logs.

e) Power On — Not.

We still had some minor issues, such as the error stating that the virtual CPU configured were more than the physical – in this case, it was simply right clicking the VM – Edit Settings -> CPUs and lowering the number of CPUs from 8 to 4. You might not face this, but remember we are using a low spec system.

f) Power On — NOT again.

This time it powers up but when we try to get into AV console, we get blanked. Check the event logs. It stated:

“The CPU has been disabled by the guest operating system. You will need to power off or reset the virtual machine at this point.”

We were a little stumped at this point and googling didn’t really revealed much. More information over at

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2000542

But again, that was still not so helpful.

I chanced upon a similar issue where I recall in the earlier VM installation that VMware was complaining about this system not being able to support Hardware Virtualisation and that to ensure this was enabled in BIOS. Tinkering around the BIOS, found the setting for Intel Technology Virtualisation to be ‘disabled’.

Enabled it and it worked like a charm.

Alien Vault is finally up and ready to go! Next article, we will look into the basic functions of Alien Vault.

P/s – make sure you have a different IP setting on the AV VM image and the actual host itself. Since VMware also has a WebUI, you won’t be able to access AV if you put the same IP address.

« Older posts Newer posts »

© 2024 PKF AvantEdge

Up ↑