Sunday, October 29, 2017

Simplifying Guest Access

A guest may be a vendor, an auditor or a regularly visiting person who is not an employee of the organisation, and who still needs to be given a similar level of attention. IT professionals, however, find it really difficult to define the exclusive access control an organisation might want for such guests, and what kind of security controls need to be implemented for them.

Designing effective access management for corporate visitors calls for an effective brainstorming session and careful planning, which in turn requires understanding what we have and what we want to implement in order to arrive at the goal. In every sense, we have to decide how much flexibility and how much stringency needs to be applied to a visitor.

There are different approaches to this problem, but the main mantra is to have the utmost accountability built into the system, so that any loophole can be patched before it turns into a threat to the organisation. The intent should be to understand how much access needs to be given and how much needs to be revealed. Let us simplify this cumbersome process by identifying two important parameters:

1. Who will connect?
2. What will connect?

Now let us design an accountability architecture.

Like the questions asked above, there are certain basic things which need to be thought through and noted. In general, when access is made, a machine first initiates a connection. A machine can be a laptop or a mobile device such as a cell phone. In every case a device-based authentication is initiated over a network protocol such as TCP, and hence we first have to authenticate and authorise on the basis of the trustworthiness of the device that is connecting to the network. For that, layer 2 accountability is important, which rests on ARP and the MAC address.

The second thing is who is connecting. Normally we look into user profiles, which only involve the rights given to a specific user, but that is not the important point here. Visitors are never given a proactive right, and hence it is very important to have a separate authenticator from the one an internal employee would use; a local authentication mechanism would be ideal in this case.

If we combine the two cases above, a unique technology emerges which everyone knows as "Network Access Control (NAC)": a combination of device-based and user-based authentication mechanisms, which gives solid ground for maximum accountability of the incoming access request.

Hence it is very important that we think about both cost and comfort of management, where cost is an important component in deciding on the right solutions and technologies which fit best in your organisation.
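As an added example (not from the original post), a small policy engine in Python that puts the two questions together: a registered MAC answers "what will connect", a separate local guest authenticator with sponsor and expiry answers "who will connect", and every decision is written to an audit trail. The MAC list, the guest accounts, SAMPLE_NOW and the employee_verify callback are constructed placeholders, not anything from a real deployment.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta

SAMPLE_NOW = datetime(2017, 10, 29, 9, 0)   # constructed reference time for the demo

class GuestAuthenticator:
    """Local credential store for visitors, kept apart from the employee directory.
    Every account carries a sponsor and an expiry, so guest access is time-boxed."""
    def __init__(self):
        self.accounts = {}                    # user -> (salt, pbkdf2 digest, sponsor, expires)

    def create(self, user, password, sponsor, hours, now=SAMPLE_NOW):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.accounts[user] = (salt, digest, sponsor, now + timedelta(hours=hours))

    def verify(self, user, password, now=SAMPLE_NOW):
        entry = self.accounts.get(user)
        if entry is None or now >= entry[3]:  # unknown or expired guest
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry[0], 100_000)
        return hmac.compare_digest(candidate, entry[1])

def normalize_mac(mac):
    return mac.lower().replace("-", ":")

class NacPolicy:
    """Answers 'what will connect' (layer-2 device identity) and 'who will connect'
    (a user credential), records both for every request, and assigns a VLAN."""
    def __init__(self, corporate_macs, employee_verify, guest_auth):
        self.corporate_macs = {normalize_mac(m) for m in corporate_macs}
        self.employee_verify = employee_verify  # hypothetical hook into the employee directory
        self.guest_auth = guest_auth
        self.audit = []                         # accountability trail, one entry per request

    def decide(self, mac, user, password, now=SAMPLE_NOW):
        mac = normalize_mac(mac)
        device_known = mac in self.corporate_macs
        # A MAC alone is trivially cloned, so device identity never grants access by
        # itself; the user credential has to match the class of device as well.
        if device_known and self.employee_verify(user, password):
            vlan, reason = "corporate", "registered device with employee credential"
        elif not device_known and self.guest_auth.verify(user, password, now):
            vlan, reason = "guest", "unregistered device with valid guest credential"
        else:
            vlan, reason = "quarantine", "device and user did not match any policy"
        self.audit.append({"time": now.isoformat(), "mac": mac, "user": user,
                           "device_known": device_known, "vlan": vlan, "reason": reason})
        return vlan
```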

Monday, February 24, 2014

A Humble Request !!!

A humble request to all my readers: please support me in this noble cause.

Let's join hands to give a normal life to this 10-year-old girl.

Friday, January 20, 2012

Layer 7 Security

With every passing second, cyber attacks are getting more and more complex, making them harder to detect. Most attacks are executed in stealth mode, where most radars fail to detect them. Surprisingly, the focus of hackers has shifted from cracking a website to cracking applications.

This calls for changing the vocabulary of security and pointing it at the root level of the infections. I understand that, whatever it takes, it cannot go beyond the OSI layers, so why not start representing security with the OSI model?

So what we are now talking about is securing the application layers, and we call it LAYER 7 Security. While we call it Layer 7 Security, it actually means securing the application layers from the SESSION layer up to the APPLICATION layer. Sounds interesting, right?

On fundamental ground, we are putting in place security measures to prevent our applications from falling into the traps of application-level worms. For example, we use OUTLOOK as a mail client and also use the same application over the internet. Logically this application works simultaneously on the SMTP/25 and HTTP/80 ports and gives the same output. Now, if we had to infect this application, we know that there is an open channel on which it works. That completes the first level of information gathering for creating a point of infection.

The funniest part is that we usually neglect the possibility of application infection. We feel the application we created is secure and will work smoothly under any conditions, and that whatever problems arise will come only from the infrastructure hosting it. That is why we put all our effort into securing the infrastructure and leave the application as it is.

OWASP talks heavily about securing applications against the Top 10 most common vulnerabilities. It gives us fundamental guidelines to assess our application across all layers of security breaches which might turn into a threat in the near future.

So what I am saying is: since it is an application, there cannot be any assumptions about its security posture. One has to assess the application to be sure it is not compromisable. Applications depend on infrastructure only for processing data, but how they do it depends entirely on the business or application logic embedded in them.

Wednesday, January 4, 2012

Performance Test

Performance testing is the art of evaluating how a resource or an application reacts to a sudden burst of requests. This test is not an intrusion test, but the challenge is to determine how it relates to a Denial of Service (DoS) attack. To be very precise, it is very difficult to justify the difference.

A performance test is very similar to stress testing; the only difference is that we generally relate stress testing to applications or a server, and performance testing to the network.

Generally this type of testing is done by simulating trusted traffic and bursting it at a target server or application, but usually with no concern for the security angle. One must be very careful when conducting such tests that they do not create or increase network latency and thereby jam other communication channels. Raising the requests-per-second parameter to a broadcast level will try to bring down the resource or the application, because the server will not be able to respond to or acknowledge such a burst due to the service window set in it. Moreover, at the physical level, NIC cards cannot pump up to such spikes because of their transaction limits.

A few things which need to be understood before executing such tests:

1. The network design of the organization: since the packets have to pass through all the network levels, it is very important to understand the network structure.

2. Device functionality: devices like routers, firewalls and switches, which are already busy inspecting, routing and forwarding normal packets, will react to this burst. One has to query their acceptable limits and then plan the burst; otherwise they will jam the internal line. One also has to make sure that devices like firewalls and IDS/IPS do not treat the burst as an attack and permit it to enter the network.

3. Current internal throughput: all components communicate with each other using the throughput of the internal network. Optimal use of the throughput ensures effective communication between the devices. In a scenario where packets per second are increased above the normal rate, there is always a chance that existing components collapse because they cannot cope with the burst.

4. Target scalability: to look at this the easy way, normal NIC cards can boost their transmission and reception limit from 10 Mbps to 100 Mbps, but if something goes higher than that, jamming happens. From a broader angle this might look like a small problem, but its intensity is actually very deep. If the NIC card jams, the entire traffic to the application is permanently blocked or allowed, and if the application is not tuned to handle such a burst it will crash, creating a DoS.

So what I want to say is: such tests need to be planned effectively with the security angle in mind, rather than only the test itself. One mis-planned test can cause huge damage to the network and the target asset.

Friday, November 25, 2011

Security is sometimes Unsecure


We have been receiving a lot of online PDF files, and we also consider that format to be very secure, as it is a picture format. But what I present below are some facts which will make you think again about the definition of security.

Steganography: the art of hiding malicious files inside picture formats. Recent terrorist attacks were successfully executed with this technology. With the increasing maturity of global cyber intelligence groups worldwide, moving information on a public platform without being detected is becoming more and more critical, so this art came to the rescue. To understand it, we need to understand that it is not a recent technology but a very old one; its importance has grown with the growing strictness of global cyber law on sharing information.

The motive is simple: you take a picture, or anything embedded in nature where the internals are not visible, and inject a malicious object inside it; the injection is the tricky part. There are tools like S-Tools 4 with which you can put anything in any picture. The interface is clean, without much jargon, and one can easily understand how to handle the application. The coolest part is that the injection can be done simply by dragging and dropping the file into the picture. One thing you need to keep in mind is to choose an object smaller in size than the parent picture.

But it is not the same with PDF files; one cannot inject an object into them so easily, as they have a very condensed architecture and finding the right insertion point is very difficult. But that does not mean it is safe. There is a tool called FileInsight which opens up the architecture of any online PDF. If you want to infect any online PDF, you can open it with this tool and paste in anything you need. The good part is that whatever you do, you do online, so nothing is saved to the hard disk.

This tool takes a PDF URL and lays out the entire logic in front of you; you can see everything about how the file works and the logic behind the file format. You can create a small probe, paste the code into the file and send the file. I would not call this steganography in the strict sense, as that is more about images, but I will include it as part of the technology.

Now the question is how to detect this: open your eyes when you see a picture. The easiest way to detect it is a change in the colour scheme of the picture; the percentage of change in the pixels will indicate the type of object it carries. The problem is bigger with PDF, as no one can detect the presence of an object just by looking at it. Modern anti-virus products also fail to detect such probes, and so even the most advanced security technologies fail to prevent the threat.
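An added example, not part of the original post, of how a defender can triage an incoming PDF without opening it: the script counts the name objects that commonly carry active content, such as /OpenAction and /JavaScript (also when hidden behind #xx name escapes), counts objects, and measures any bytes appended after the final %%EOF. The two sample PDFs, the keyword list and the "suspicious" rule are this example's own constructions, not a standard.

```python
import re

# Name objects that commonly carry active content in a malicious PDF; the list
# and the "suspicious" rule below are this example's own choices, not a standard.
SUSPECT_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                 b"/Launch", b"/EmbeddedFile", b"/RichMedia")

def decode_name_escapes(data: bytes) -> bytes:
    """PDF names may hide keywords with #xx hex escapes (/J#61vaScript); undo them."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Static look at a PDF: keyword counts, object count, bytes after the last %%EOF.
    Nothing in the file is parsed as code or rendered."""
    decoded = decode_name_escapes(data)
    report = {"is_pdf": data.startswith(b"%PDF-"), "keywords": {}, "objects": 0,
              "trailing_bytes": 0, "has_eof": False, "suspicious": False}
    for name in SUSPECT_NAMES:
        pattern = re.escape(name) + rb"(?![A-Za-z])"      # /JS must not match /JSX
        report["keywords"][name.decode()] = len(re.findall(pattern, decoded))
    report["objects"] = len(re.findall(rb"\b\d+ \d+ obj\b", decoded))
    eof = data.rfind(b"%%EOF")
    report["has_eof"] = eof != -1
    if eof != -1:
        # Data appended after %%EOF is a classic place to smuggle a payload past a naive reader.
        report["trailing_bytes"] = len(data[eof + 5:].strip())
    report["suspicious"] = (not report["is_pdf"] or not report["has_eof"]
                            or report["trailing_bytes"] > 0
                            or any(report["keywords"].values()))
    return report

# Constructed samples: a bare-bones clean document, and one with an auto-run action,
# an escaped /JavaScript name and bytes appended after %%EOF.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
               b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
               b"trailer\n<< /Root 1 0 R >>\n%%EOF\nappended payload bytes\n")
```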

Wednesday, November 2, 2011

Artificial Intelligence (AI)


We have all seen many movies focusing on "ARTIFICIAL INTELLIGENCE", but how many of us really understand the concept? First of all, is it really possible to replicate human intelligence and make a system or an agent which shows the same kind of adaptability to its environment and intelligently produces the same kind of result a human being would have produced?

Sounds interesting. AI has been designed as a branch of computer science which deals with understanding emotional stimuli and creating intelligent agents on the same wavelength as humans. The focus is to create a race of intelligent species who can double the productivity graph without facing human latency.

Many prominent scientists have given their entire lives to behavioural analysis of human intelligence, and still they are not able to decode the exact pattern needed to replicate human behaviour. But there is a lot of research going on in this area, and people have started making human androids. These androids are classified in the higher classes of robots, which can act and react like humans.

Some of the specialized projects in Artificial Intelligence (AI) are:

Cat : A - Brain simulation

• Cyc, an attempt to assemble an ontology and database of everyday knowledge, enabling human-like reasoning.
• Eurisko, a language by Douglas Lenat for solving problems which consists of heuristics, including heuristics for how to use and change its heuristics.
• Mycin, an early medical expert system.

Cat : B - Cognitive architectures

• CALO, a DARPA-funded, 25-institution effort to integrate numerous artificial intelligence approaches (natural language processing, speech recognition, machine vision, probabilistic logic, planning, reasoning, numerous forms of machine learning) into an AI assistant that learns to help manage your office environment.
• SHIAI (Semi Human Instinctive Artificial Intelligence), an AI methodology based on the use of semi-human instincts, developed at Islamic Azad University in 2004.
• Virtual Woman, the oldest continuous form of virtual life: a chatterbot, virtual reality, artificial intelligence, video game, and virtual human.

Cat : C - Games

• Chinook, a computer program that plays English draughts; the first to win the world champion title in the competition against humans.
• Deep Blue, a chess-playing computer developed by IBM which beat Garry Kasparov in 1997.
• FreeHAL, a self-learning conversation simulator (chatterbot) which uses semantic nets to organize its knowledge in order to imitate very closely human behavior within conversations.

Cat : D - Knowledge and reasoning

• Blue Brain Project, an attempt to create a synthetic brain by reverse-engineering the mammalian brain down to the molecular level.
• HNeT (Holographic Neural Technology), a technology by AND Corporation (Artificial Neural Devices) based on non-linear phase coherence/decoherence principles.
• Hierarchical Temporal Memory, a technology by Numenta to capture and replicate the properties of the neocortex.

Cat : E - Motion and manipulation

• Cog, a robot developed by MIT to study theories of cognitive science and artificial intelligence, now discontinued.
• Grand Challenge 5 – Architecture of Brain and Mind, a UK attempt to understand and model natural intelligence at various levels of abstraction, demonstrating results in a succession of increasingly sophisticated working robots.

Cat : F - Natural language processing

• AIML, an XML dialect for creating natural language software agents.
• A.L.I.C.E., an award-winning natural language processing chatterbot.
• ELIZA, a famous 1966 computer program by Joseph Weizenbaum, which parodied person-centered therapy.


If this works out well, then we can save human lives in wars and other critical and emergency situations. We can replicate endlessly and keep on creating intelligent agents which will serve mankind in the same way humans do.


# The project information is taken from http://en.wikipedia.org/wiki/List_of_notable_artificial_intelligence_projects
Monday, October 24, 2011

Honey Pots and Honey Nets - A new defense mantra !!

We keep saying that we need to invent measures to track down any malicious activity coming at our website, application or network. But what do we invent for that? We come down to the traditional measures of having a bunch of firewalls or IPS, heavily configured with signatures to guard our premises. One more step is deploying enterprise monitoring and management systems to help us keep an eye on the activity happening outside the network.

But then how do we catch a hacker who comes and easily hacks the site even with these technologies in place? The problem is that we are not thinking like a hacker; rather, we are thinking like an administrator, who does not have any innovative ways of solving the problem because his boundaries are set. One needs to be very innovative these days to catch these smart fellows.

The first thing to remember: no hacker will reveal his own identity. If at all you succeed in getting hold of identity details, be sure that they are nothing but FAKE. If you realise this, you are still on the same step from which you started some days back. So, what to do?

There is an interesting technology which attracts the hacker to attack the resource and thereby catches the person behind the intention; it is called a "HONEY POT" or "HONEY NET".

The concept is very simple: it is like tethering a goat to catch a tiger. Here we do the same thing: we create a trap to attract hackers and then we catch them. These applications create a trap by opening some fake ports or services, making the hacker believe the target is very vulnerable. He feels excited to see so many backdoors enabling his easy access. In this whole process the application captures all the necessary details and alerts the user about the activity, and that is how the person gets caught.

I have personally used it and tested it in many situations. I also tried integrating the application with my incident management framework, and it worked. Now I do not have to over-configure my security devices or introduce any new technology to ensure the security of my organization. Honey Pots cater to a single network setup, and if an organization has multiple networks it can go for Honey Nets.

Specifically, these types of traps are used by organizations dealing with national security or high-level classified data, such as defence organisations, space research, ordnance factories etc. The threat to such organizations is always alarming, and they need to be stringent in terms of security. But in the end we also understand that, irrespective of the type of organization, the data is always critical in itself, and to ensure its security it is advisable to implement this as an additional defence layer.
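An added example, not the setup the post's author used: a minimal TCP honeypot in Python that binds decoy ports, records the peer, port, time and first bytes of every connection, and passes each record to an alert callback, which is where an incident-management system would hook in. The decoy ports, the 127.0.0.1 bind address and the probe payload in demo() are this example's assumptions.

```python
import queue, socket, threading, time

class HoneyPot:
    """Decoy listeners; every connection becomes a record that is queued and passed to `alert`."""
    def __init__(self, ports, alert=lambda rec: None, host="127.0.0.1"):
        self.alert, self.records, self.listeners = alert, queue.Queue(), []
        self.stopping = False
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((host, port))        # port 0 = any free port (handy for a test run)
            srv.listen(5)
            srv.settimeout(0.5)           # so the accept loop notices stop()
            self.listeners.append(srv)
        self.ports = [s.getsockname()[1] for s in self.listeners]

    def _serve(self, srv):
        port = srv.getsockname()[1]
        while not self.stopping:
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return                    # listener closed
            with conn:
                conn.settimeout(2.0)
                try:
                    first = conn.recv(256)  # capture the probe; never parse or act on it
                except OSError:
                    first = b""
            rec = {"time": time.strftime("%Y-%m-%dT%H:%M:%S"), "peer": peer[0],
                   "port": port, "first_bytes": first[:64].hex()}
            self.records.put(rec)         # kept for later analysis
            self.alert(rec)               # incident-management hook

    def start(self):
        for srv in self.listeners:
            threading.Thread(target=self._serve, args=(srv,), daemon=True).start()
        return self

    def stop(self):
        self.stopping = True
        for srv in self.listeners:
            srv.close()

def demo(payload=b"GET / HTTP/1.0\r\n"):
    """Start one decoy on a free port, probe it once from localhost, return the record."""
    hp = HoneyPot([0], alert=lambda rec: print("ALERT", rec)).start()
    with socket.create_connection(("127.0.0.1", hp.ports[0])) as client:
        client.sendall(payload)
    rec = hp.records.get(timeout=3.0)     # raises queue.Empty if nothing was caught
    hp.stop()
    return rec
```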