ISO 27001 Article Bank

What is Phishing? Why is it a threat?

What is Phishing?

Phishing is a fraudulent activity in which a person or entity tries to obtain sensitive information from others by masquerading as a trustworthy entity in an electronic communication (chat, email, etc.). The sensitive information that can be compromised includes usernames, passwords, debit and credit card details, and other personally identifiable information.

The word phishing is derived from the common word “fishing”, the activity of catching fish (the victim) using bait.

Why is Phishing dangerous?

In phishing, the victim usually receives a message that appears to be genuine and to have been sent by a known contact or entity. When the victim opens this message, an attachment or link in it may point to and/or install malware on the user's device. In some cases it directs the user to a malicious website where they are tricked into giving out personally identifiable information, which may include financial information. Thus, sensitive information such as passwords, account IDs or credit card details is compromised. The victim suffers a loss of money and reputation and can even be drawn into crime.

How to prevent Phishing?

Phishing can be avoided through both user behavior and the use of anti-phishing tools. It can be prevented in the following ways:

  1. Do not give your personal information over email or chat to a stranger. Even if the request appears to come from a known person, double check by calling that person to make sure he/she actually sent the email or chat message.
  2. Never click on links, download files or open attachments in emails from senders not known to you.
  3. Never divulge information when a pop-up screen appears and asks for your personal information.
  4. Install effective anti-virus and anti-spyware software, firewalls, spam filters, etc.
  5. Check your financial information at regular intervals to make sure there are no debits from unknown sources.
  6. In organizations, it is better to train personnel on how to avoid phishing in their daily work.

Article on the importance of SOA

The Statement of Applicability is one of the key documents in the implementation of ISO 27001:2013.

What is SOA?

The Statement of Applicability (SOA) (ISO 27001 Clause 6.1.3 d) is a statement that defines which controls (out of the 114 controls given in Annex A of ISO 27001:2013) are applicable and will be implemented.

Why is the SOA important?

The SOA is a good summary of the accepted controls being implemented in an organization as part of the ISMS drive. It provides a ready checklist against which the implementation can be checked. Since the SOA justifies the inclusion and exclusion of Annex A controls, it makes clear that each selected control needs a policy, procedure and records, and thus helps verify whether the controls can be demonstrated when required.

A well-written SOA helps in deciding the minimum documentation that is sufficient to demonstrate that the selected controls are implemented.

Thus, if you invest time in writing a good SOA, the ISMS implementation in your organization will be at an optimum level and better focused.

Dangers of SQL Injection Attacks (SQLi)

What is SQL Injection or SQLi?

SQL (Structured Query Language) injection is a malicious code injection method used by a hacker to attack data-driven applications. Here, the attacker injects malicious SQL statements into the form input boxes of the application.

What can a Hacker do with SQL Injection attacks?

Through SQL injection attacks, the hacker uses the input fields to send his/her own requests to the database. In this way he/she can bypass the authentication and authorization of a web application. The attacker may also gain access to the entire website, make themselves administrator, delete records, etc.

How to Prevent SQL Injection Attacks?

  • Make sure that while accessing or installing a database you use an account with the least possible privileges.
  • Sensitive data in the database must be suitably encrypted.
  • Constrain the input by validating its type, length, range of values, etc.
  • Do a code review to check for the possibility of second-order attacks.
  • Be sure that error messages do not give a hint or information about the internal architecture of the application or the database.
  • Use stored procedures and re-validate data inside the stored procedures.
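As an added example (not from the article), the following Python snippet shows the authentication bypass described above against a constructed in-memory SQLite table, beside a hardened version that applies the input-constraint and error-message points from the list and additionally passes the values as bound query parameters; the table, function names and sample user are assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: one user in a minimal assumed schema.
    # The password is stored in plaintext only to keep the demo short;
    # real systems store a salted hash, as the "encrypt sensitive data" point requires.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 'user')")
    return conn


def login_vulnerable(conn, username, password):
    # Input is spliced straight into the statement text, so a quote in the
    # input ends the literal and the rest is parsed as SQL.
    query = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed username policy


def login_safe(conn, username, password):
    # Constrain input on type, length and character range before it reaches SQL.
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        return None
    if not isinstance(password, str) or len(password) > 128:
        return None
    try:
        # Bound parameters: the driver sends values separately from the
        # statement, so they can never be interpreted as SQL.
        row = conn.execute(
            "SELECT role FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
    except sqlite3.Error:
        # Log the driver error internally; never return its text to the user,
        # since it reveals schema and engine details.
        return None
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print(login_vulnerable(db, "alice", crafted))  # 'user' without the real password
    print(login_safe(db, "alice", crafted))        # None
```

Running the file shows the vulnerable function granting the 'user' role to a request that never supplied the password, while the hardened function rejects it.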