FROM THE DESK OF CISO
Engr. Prof. Dr. Athar Mahboob
Tamgha-e-Imtiaz
A Visionary Executive, Creative Engineer,
Passionate Educator and Missionary Entrepreneur
Dr. Athar Mahboob has established a reputation for himself as an engineer and academic leader of distinction. He rose to become the vice chancellor of Islamia University of Bahawalpur and under his leadership the university is pursuing the goal of attaining internationally recognized status.
From September 2019 till November 2019, Dr Athar remained the Vice Chancellor (Chief Executive and Academic Officer) at Khwaja Fareed University of Engineering and Technology, Rahim Yar Khan.
On the educational side, Dr Athar has been a performer of rare quality. He obtained BS and MS degrees in Electrical Engineering from Florida State University, Tallahassee, Florida, USA (1992-1995). In 2005, he obtained a PhD from National University of Sciences and Technology.
His work experience, involving teaching, research and industrial exposure in Pakistan and abroad, spans over 25 years. His research interests include efficient implementation of cryptographic algorithms in hardware and software besides enterprise cyber security. His PhD thesis dealt with efficient implementation of Elliptic Curve Cryptography. The work has been widely published—locally and internationally.
Dr. Athar is also renowned for his work in implentation of Enterprise Implementation Services using Linux, Information Security and Cryptology, Computer Networks and Internet. In such projects, he employs TCP/I, Digital Systems Design and Computer Architecture. His consultancy endeavors are also well known and recognized. A number of prestigious organization’s have sought his counsel in matters of importance. Of these, PTCL, People’s Steel Mills, Pakistan Security Printing Corporation, Institute of Bankers, Pakistan, EFU General Insurance, Dubai Chamber of Commerce and Industry readily come to mind.
Even alongside academic pursuits, he found time to establish and successfully run Ibn Khaldun Systems. More than hundred industrial, financial, manufacturing and military projects were handled under this banner. As a result, Dr. Athar emerged as an industrial project manager and technologist of proven reputation.A rich experience in a variety of sectors has allowed Dr. Athar to educate, train and counsel student engineers in real world engineering problems. For thousands of aspiring students he has been a role model, torch bearer and a favorite teacher. His profound knowledge and variety of experience is a rarity and anyone who finds an opportunity to learn from his knowledge and experience would be accumulating a treasure of a lifetime.
Dr. Athar received the prestigious civil award of Tamgha-e-Imtiaz (Medal of Distinction) in 2012. The president of Pakistan decorated him with this honour on the independence day celebrations.
Q1. Do you have firewall in network??
Answer: Yes we do. A BSD based firewall is in place which keeps an eye on incoming attempts to infiltrate the operating system. It effectively blocks unwanted, unrecognized and suspicious traffic reducing the risk of damage to a minimum
Q2. Do you have a Reverse Proxy Server?
Answer: A type of server that is located behind the firewall in a private network and diverts client requests to an appropriate backend server. The Reverse Proxy has the added benefit of arbirration and control. We have implemented NGINX Reverse Proxy Server in our network. We are using its features as:
O Load balancing
O Web acceleration
O Security and anonymity
Q3. Are you using any network mapper and why?
Answer: Network administrators and security professionals have a never-ending task to perform. They have to constantly check what is running on their networks and the vulnerabilities that pervade the system. A number of monitoring utilities are available for network mapping and security auditing but we use Network Mapper (Nmap, Zenmap) tool to scan our network at least once every month. The choice of Nmap is based on several factors: it is free, it is an open source app designed for vulnerability detection, it is useful for single hosts or vast networks that are linked to scores of devices and subnets. Network administrators commonly use this tool to perform various tasks including identity of devices running on the network, detection of hosts that are available and the services they offer, location of open ports and detection of security risks.
Q4. What is XSS or Cross-Site Scripting and how you have protected your systems from it?
Answer: XSS or cross-site scripting is a type of vulnerability popular among hackers. They use the tool to attack web applications. This tool manages to infiltrate systems by injecting HTML or Java script code on a webpage. All that remains after this is to access the cookies and steal vital information. This is a tested and age old ruse hackers employ to get their job done.
It is not easy to prevent cross-site scripting (XSS). Some specific techniques do exist that depend on the subtype of XSS vulnerability, on user input usage context and on the framework. Still we do not completely rely on such techniques although we make sure that they are installed on our systems for monitoring purposes. What we do, however, is to sanitize all inputs to keep our applications safe from XSS code. We never use data received without checking it for malicious code. We follow a set of procedures in order to keep our web applications safe from the hacker’s activity:
ESCAPING/ENCODING
We use a suitable escaping/encoding tool that depends on the location of inputs such as HTML escape, JavaScript escape, CSS escape, URL escape, and several others. We also use existing libraries for escaping.
SANITIZING HTML CODE
Whenever the user input requires HTML code, we stay away from using escape/encode because that breaks valid tags. In such cases our choice is to use a verified and trusted library “HTMLSanitizer” that parses and cleans the code.
SETTING HTTPONLY FLAG
To fight off a possible XSS infiltration, we set up HttpOnly flag for cookies which disables access to the cookies from client side JavaScript.
USING CONTENT SECURITY POLICY
We also make use of Content Security Policy to mitigate the effects of a possible XSS infiltration. This tool is an HTTP response header that allows us to control the dynamic resources that can load on to our system.
Q5. What is “SQL Injection” and how do you protect your system from it?
Answer: SQL Injection is also one of the favored techniques of hackers. They use it freely to steal vital information and critical data for their purpose.
Hackers are always on the lookout to find a path into systems where security is weak. , they quietly pass SQL queries, bypass security checks and gain access to vital data. This sequence of operation is often referred to as SQL injection—a method that allows hackers to steal data and disable a system. When they find one Yes we do. A BSD based firewall is in place which keeps an eye on incoming attempts to infiltrate the operating system. It effectively blocks unwanted, unrecognized and suspicious traffic reducing the risk of damage to a minimum
We have security checks on our all input methods that comes from web page, which do not allow any type of SQL injection if detected. Second we have also strong security check on SQL Query Builder which automatically detects any unusual query and block it from running on the database server. Our method to avoid vulnerabilities is based on the following lines:
INPUT VALIDATION
We use regular expressions as whitelists for structured data (such as name, age, income, zip code etc). This simple procedure ensures strong input validation.
In cases where fixed values are supplied (such as drop-down list, radio button etc), we try to match the input data with the returned values and one of the offered choices.
PARAMETRIZED QUERIES
The intended input of user is automatically quoted and the supplied input will not affect any change of intent. Such coding style works as a barrier to SQL injection.
STORED PROCEDURES
In this method the developer groups one or more SQL codes into a logical unit to create an execution plan. The ensuing executions automatically parametrize the codes. In other words, it is a kind of code that is stored in the system and can be used over and over again whenever needed. In effect, there is no need to write the code every time such a need arises. Only an activation of the stored procedure is enough.
Q6. What is a File Upload Vulnerability and what methodology you have adopted to prevent this?
Answer: Hackers are always looking to find a way to enter a system and gain access to the vital data. File uploads provide them with an easy opportunity inject malicious code. That’s why it is imperative to keep uploaded files away from the reach of hackers until they are fully secured. If these measures are not adopted, hackers would easily gain access to systems and cause the damage they intend to.
We are ensuring that upload files cannot be executed.We rename uploaded files in an encrypted string so it will be not possible for any attacker to guess the file name uploaded by him.
We are validating file formats and extension before uploading, so no one can upload any file that is not allowed.
We make sure that the files uploaded from a browser will always possess a Content-Type header. The supplied type are of permitted category and belong to white list.
Q7. What are your methodology to make secure login for every user?
Answer: We are using mixture of Single Sign-On (SSO) and Active Directory (AD). Both provide user authentication service that allows a user to use a single set of login details, for instance a name and password, for multiple applications.
Strict Password policy is implemented so users can create strong passwords that is not easy for any attacker to guess.
Q8. As you are aware that cyber threats are everywhere in the world and no body or organization is safe, what is your opinion in this regard?
Answer: Yes, we are aware that no body and organization is safe and we should adopt precautionary measures on cybersecurity to be protected from any mishappening. Usually we confront ten common types of cyber threats:
1. Malware
2. Phishing
3. Spear Phishing
4. Trojans
5. Ransomware
6. Data Breaches
7. Man in the Middle attack
8. Distributed Denial of Service Attack
9. Attacks on IoT devices
10. Malware on Mobile Apps
Q9. Why do we need to worry about information security?
Answer: New security threats emerge every day in the form of malware that get installed on user’s machine as a result of phishing attempts by hackers. Such attempts deceive employees into giving up confidential data to viruses, worms and identity thefts. Often the threats designed to attack and infiltrate a system in an organization are difficult to handle. That is because the programs installed to protect the system are eithernot good enough or they do not function properly.
Cyber security is a sure strategy to manage data effectively. It involves the use of technologies, protocols and administrative measures to provide protection.
Q10. Who can be involved in a cyber-attack, if we would like to know your enemies & why is it necessary to protect from cyber threats?
Answer: Cyber threats are of varying nature and the potential to cause electrical blackouts, failure of military installations and breaches in secrets of national importance. They can also result in theft of valuable data like those of medical records, phone and computer networks, and business information. What’s more they can disrupt or disable systems that run large enterprises affecting lives related to the organization. So, it would not be an exaggeration to claim that cyber attacks have the potential to endanger the daily routine of lives on a mass scale.
With the passage of time, the threats are growing more serious as Gartner, a cyber security specialist, explains, “Cybersecurity risks pervade every organization and aren’t always under IT’s direct control. Business leaders are forging ahead with their digital business initiatives, and those leaders are making technology-related risk choices every day. Increased cyber risk is real — but so are the data security solutions.”
A DOZEN DANGEROUS THINGS
There are at least a dozen ways a vicious cyber attack can be committed. Knowledge of these is essential to devise a counter strategy. We must also be aware of the ways the systems can be compromised and confidential information can be encroached upon.
1. Hacking
2. Virus dissemination
3. Logic bombs
4. Denial-of-Service attack
5. Phishing
6. Email bombing and spamming
7. Web jacking
8. Cyber stalking
9. Data diddling
10. Identity Theft and Credit Card Fraud
11. Salami slicing attack
12. Software Piracy
Q11. What cyber security measures have you introduced and implemented in your company?
Answer: To provide safety and security to business data, cash flow and customers’ information, we use different cyber security measures. These measures are aimed at preventing risks from a variety of sources including:
Spyware of malware which are internet-borne
Weaknesses of the users like easily decodable password or misplaced information
System or software flaws that turn into vulnerabilities
Subvert system or software attributes
REQUIRED MEASURES
Some tools and processes can be fairly easy to introduce but the benefits they offer are tremendous. They can be simply adopted by businesses of smaller size as well. If these tools or processes are combined, there is a manifold increase in their effectiveness against the most common cyber threats. Here is one strategy that relates to passwords:
Coining strong passwords is an art by itself and consists of a number of strategies that are easy to adopt and practice:
Always using a combination of upper and lower case letters, numbers and symbols
Making the password eight to twelve characters long Regularly changing the password as an extra precaution.
Avoiding use of personal information while coining the password.
Making it a point to never use the same password for multiple accounts.
Making use of two factor authentication further beefs up the security features.
CONTROLS ON ACCESS
We make sure that individuals access only that data and services for which they have been authorized. There are no barriers, however, on physical access to premises and computer networks. Following procedures are routine at our place:
Restricting access to authorized individuals only
Enforcing application controls to limit access to data and services
Placing strong controls on what can be copied from the system and stored on external devices
Placing limits on receiving and sending of certain types of email attachments
PUTTING UP FIREWALL
Firewalls are essentially the gatekeepers that form a barrier between the system and the v ast expanse of internet. They are most effective preventive measure against spread of cyber threats including viruses and malware. We make sure that our setup and firewall devices are properly installed and are fully functional. We carry out regular checks to make sure that the latest software and firmware updates are installed and are in order.
SOFTWARE FOR SECURITY
To make sure that no malicious code enters our system, we have installed anti-spyware, anti malware and anti-virus software. These software detect and block potentially dangerous material that can enter our systems and can cause disruption in smooth running
REGULAR UPDATES
Updates and upgrades are essential for keeping the software in perfect shape. This simple strategy helps us protect against known bugs and vulnerabilities. Adhering to this g helps us in many ways. The greatest benefit is we avoid exposing our systems to the activities of cyber criminals.
DETECTING INTRUSION
Maintaining a constant vigil is key to a safe and sound system. That is why we employ intrusion detectors to keep an eye on our systems and notice any unusual network activity. If we make note of any suspicious activity that can eventually turn into a security breach, the software alerts everyone concerned by generating an alarm in the form of an e-mail.
RAISING AWARENESS
A reasonable amount of awareness imparted by way of training sessions and awareness programs is a huge asset in making sure of secure and safe environment. We make sure that our employees understand the procedures fully well and have the willingness to practice what they have learnt. Training programs are a regular feature of our business because that is how our employees keep pace with the new developments and new strategies to deploy.
Q12. How would we tackle with non-state actors …black hat hackers?
Answer: There is a variety in the forms and functions of hackers. There are blackhat hackers, commonly known as the blackhats who are the most vicious. They have scant respect for the law and by nature are malevolent. They can strike anytime, anywhere and, at times, they can do the damage just for mfun. The thrill and excitement that comes from disrupting the functioning of a system is no less than ecstasy for them. But most often blackhats work to make money. A lot of it.
The blackhats are different from the whitehats and the greyhats. The whitehats are the good people who work in the guise of hackers. Their aim is to prevent the attacks of the blackhats or undo the damage blackhats have already caused.
In contrast, the grayhats are the ones who live on both sides of the divide. They will work as a criminal and against the law at one time and at other times they will work against the criminals and to uphold the rule of law. Their conscience allows them to ride between the two sides. When we come across a blackhat we know that we are dealing with a skilled person who knows the technique to attack a system and exploit networks to achieve his own ends.
Q13. How Black Hat Hackers Damage the System?
Answer: There are different types of black hat hackers, from those who act alone to those who operate within large, highly profitable cybercrime organizations. Many black hat hackers started out as so-called “script kiddies,” who set out to exploit security vulnerabilities then evolved their techniques to make quick money.
The upper levels of the black hat security world are skilled hackers working for sophisticated cybercrime organizations, which often work in the same way as legitimate businesses. These organizations have partners, resellers, and vendors with whom they buy and sell malware licenses for use by other criminal organizations around the world.Black hat hackers deploy a wide range of techniques to target and attack victims. Some hacks are quick and automated, using bots that roam across the internet in search of unprotected devices and software vulnerabilities. Other attacks are the result of social engineering and highly sophisticated tactics, such as phishing attacks that spread malware and malicious links and attachments.
1. Security Measures to Survive Black Hat
2. Firewalls
3. Content Filters
4. Intrusion Prevention Systems (IPS)
5. Server Hardening
6. Computer Use Policy
7. Security Testing
8. Employee Training
Q14. Do you have all the information that need to oversee cyber risk?
Answer: We should have following information to oversee cyber risk:
1. An understanding of an organization’s security status
2. Locating the gaps
3. Creating a team
4. Assigning responsibilities
5. Training and upgrading employees
6. Implementing cyber awareness across all departments
7. Developing risk assessment programs
8. Creating and maintaining a foolproof instant response and business continuity program
Q15. How effective is your cyber security strategy at addressing business risks?
Answer: We follow a five tier approach to mitigate cyber security risks
#1 We identify and document asset risks
#2 We also identify and document external and internal threats
#3 We assess the risks or vulnerabilities
#4 We identify potential business impacts and likelihoods
#5 We identify and prioritize risk responses
This approach is systematic and is based on identifying, evaluating and prioritizing threats that are lurking around an organization. The method is customizable and enables an organization to adapt the cyber security program according to specific needs and operational vulnerabilities.
Cyber security risk measures the probability of attack, loss of critical assets, loss of vital information, and reputational damage.
Q16. How do we protect sensitive information handled and stored by third party vendors?
Answer: To make matters simple and easy to follow, we list down and implement policies of DO’s and DONT’s:
“DO” LIST
1. Do recognize the asset value of an organization’s information before allowing any third party to access it.
2. Do create security expectations for the organization’s vendors outlining the procedures to access data with security protocols
3. Do have an incident response plan. A procedure should be in place so that third parties can notify the organization when an incident occurs. A minimal level of information sharing should be maintained with vendors or third parties so that they can meet your requirements.
4. Do make sure that the list is the starting point of procedures but relying on the list entirely for securing the data is not advisable.
“DON’T” LIST
1. Don’t rely on a generic expectation for security
2. Don’t allow third parties to access data without conducting procedural assessments
3. Don’t allow anyone—either from the third party or from the organization—to have free access to organization’s data.
4. Don’t permit third parties to access the organization’s vital data by using unapproved devices.
Q17.Do you have the right data governance strategy to minimize cyber risk…
Answer: Data governance is an essential component of cyber security function. For better protection against cyber threats, an organization should have a clear cut idea about the data that must be protected and the methods to be employed to protect the data.
Data governance is all about assigning priorities different sets of data in order of high value and high risk. This allows the cyber security professionals to deploy additional resources for protecting the data if the need demands.
Q18. Are your employees fully equipped with cyber technology and have all required certification?
Answer: We are supporting and giving guidance to our employees to get following certification and yes we love to send our employees to get necessary certification from cybersecurity institutions.
1. Certified Ethical Hacker (CEH) …
2. CompTIA Security+ …
3. Certified Information System Security Professional (CISSP) …
4. Certified Information Security Manager (CISM) …
5. Certified Information Systems Auditor (CISA) …
6. Certified Cloud Security Professional (CCSP) etc.
Q19. Why do we need to worry about information security?
Answer: Information security is central to organized and proper data management. It employs technologies, protocols, systems and administrative measures to provide safety and security to confidential information. This protection is necessary to safeguard integrity and business interests.
Q20. What do you think the biggest cyber security threats right now, especially in perspective of Pakistan and what do you suggest to tackle these threats?
Answer: Employees who are negligent and careless or those who do not follow the procedures advised and streamlined by the CISOs are the greatest risk to the organization. Such employees pose a security threat of 78% to the organization. Personal devices connected to the system network (BYOD) pose a security threat of 68%. And those who use commercial cloud applications in the workplace pose a security threat of 66%. The percentages are nearly the same for Pakistan. This magnitude of threat is certainly big enough to make us adopt necessary cyber security measures.
Q21. People receive messages and emails that may be from malicious hackers, how can they be safe?
Answer: Whenever a hacker gains access to any email account on the systems network, he scans the contact list. This is usually the starting point of a hacker’s activity. Soon after accessing the digital contact list, they start sending out mails inviting the addressee to click a link or send money. Most employees who are ignorant of such ruses, unwittingly click the suspicious link and pay a heavy price.
Q22. Do we need cyber security insurance?
Answer: Cyber liability insurance, short for cyber security, privacy and media liability insurance, provides cover in case of a cyber attack or data breach. If your network or computer systems often come under attack and are infected by viruses, for example, then cyber liability insurance can be essential.
Q23. Are your information security and business priorities aligned?
Answer: Information security is critical to making sure that strategic capabilities are securely planned, developed and implemented. Such capabilities can be broadened to include enhanced collaboration, a virtual global office, or cloud computing.
Q24. What do you think that people of Pakistan are well informed about cyber security and threats…if they are not well informed please advise?
Answer: Our country has distinct position in the region. It has a teledensity of 75% and offers the most economical rates for internet services. The 3G/4G LTE data plans are on offer for as low as $5/10GB—the lowest in the region. The number of smartphone users exceed 40m, a large majority of this population is online surfing for information.The scenario apparently seems encouraging and a sign of progress, but some of the black sheep amongst us exploit the situation for their own ulterior motives. The swift and high speed internet enables them to pursue their heinous activities to target women who fall prey to the traps. At the end women get to suffer from these activities.
Call this illicit activity what you may but there is method to this madness. The negative characters set up a number of fake accounts and trap women into sharing their personal details. In no time, the ordeal for women begins. A tale of harassment and blackmailing begins which often ends
in tragedy.
The market is filled with cheap and easily accessible software and hardware that allow a user to infiltrate mobile devices and computers in order to track someone’s social movements.
Even in presence of legislation and a cyber crime cell in FIA, the incidents of such crimes far outnumber those that are brought to justice. A majority of them do not even get reported because of the social stigma attached to this type of crimes.
Q25. Please give some suggestions for our viewers to what safe guard they adopt to avoid cyber mishappening?
Answer: 10 Ways to Prevent Cyber Attacks.
1. Train your staff
2. Ensure Endpoint Protection
3. Install a Firewall
4. Backup your data
5. Control access to your systems
6. Wifi Security
7. Employee personal accounts
8. Access Management
9. Passwords
