DDOS Audit

DESCRIPTION

A nice article on DDOS Resilience.

JULY - SEPTEMBER 2010, ISSUE 3 - VOL 1. Cover features: Business Continuity Management; One Attack, I Got Admitted; Face to Face; Phishing.

CONTENTS
AUDITING RESILIENCE OF CRITICAL INFRASTRUCTURE AGAINST DDOS - 6
FRAUD AND IT: POINTS FOR CONSIDERATION - 8
BUSINESS CONTINUITY MANAGEMENT: The BS 25999 approach - 11
SOLVING THE PUZZLE CALLED BUSINESS IMPACT ANALYSIS - 13
FACE TO FACE - Interview - 17
ONE ATTACK, I GOT ADMITTED - Experience - 22
PHISHING - The biggest threat to online transaction - 24
ISACA CHAMPIONS TROPHY - 29

IN-CONTROL EDITORIAL
Welcome to the third issue of In-Control Magazine from the ISACA UAE Chapter. We are in the middle of the year and the chapter has already seen many interesting CPE sessions and an audit analytics workshop. The chapter is planning more exciting events, and our very own I-SAFE 10 (regional conference) is scheduled for Oct 10. This year's I-SAFE theme is focused on "Corporate Challenges in managing Information Risk beyond 2010". The chapter is lining up a number of eminent speakers from various specialities for the I-SAFE conference, who will be sharing their experiences and guidance on managing information risks. Our biggest asset is our members, and their encouragement is driving all of us at the board to bring more exciting events which are educational and provide an opportunity for our members to discuss and share experiences. Our third issue has a battery of interesting articles such as Business Impact Analysis, Fraud & IT, and a candid interview with Mr. Ahmed Al Mulla, Vice President, I.T., Dubai Aluminium Company. I request all our members to contribute to the magazine by sharing your experiences in the upcoming issues. The In-Control editorial board invites you to provide your feedback regarding the magazine and its contents.
We would love to hear from all of you so that we can better serve you and have the relevant contents/sections added in the next issue. Please email me at [email protected] for any feedback.
Regards,
Gurpreet Kochar CISA, CISSP, CEH
Chief Editor & Membership Director

Chief Editor: GURPREET KOCHAR
Associate Editor: HARI PRASAD CHEDE
In-Control magazine is designed to provide UAE chapter members with information related to IT governance, audit and security. The opinions and viewpoints published in this magazine are not necessarily those of the ISACA UAE Chapter or its chapter officers. The editorial board and the chapter officers of the ISACA UAE Chapter do not take any responsibility or liability for any losses or damages incurred as a result of reliance on any information provided in this magazine. The editorial board takes care to ensure that articles are relevant and original but does not take any responsibility for any errors that may appear herein.
ISSUE 3 VOL 1 - THE MAGAZINE FROM ISACA UAE CHAPTER - www.isacauae.org - Page 3

2010 CHAPTER BOARD MEMBERS
PRESIDENT: Bharat Raigangar, Country Head - Security & Fraud Risk, Royal Bank of Scotland NV, Dubai, UAE
VICE PRESIDENT: Avinash Totade, Senior Manager - Internal Audit, Dubai Aluminium Company (DUBAL), Dubai, UAE
DIRECTOR - PROGRAMS: Ashish Mahal, Senior Projects Officer, RAK Bank, PO Box 1531, Dubai, UAE
DIRECTOR - MEMBERSHIP: Gurpreet Kochar, Manager - Information Systems Audit, Emirates Airline, Dubai, UAE
DIRECTOR - COMMUNICATIONS: Hari Prasad Chede, Senior IT Risk & Security Officer, Union National Bank, Abu Dhabi, UAE
SECRETARY: Biju Nair, Head of Consumer & IT Audit, Noor Islamic Bank, Dubai, UAE
TREASURER: Vaishal Mehta, Assistant Manager, IS & BCM, RAK Bank, Dubai, UAE
DIRECTOR - CERTIFICATIONS: R. K. Rao, Manager, ADNOC, Abu Dhabi, UAE
DIRECTOR - ACADEMIC RELATIONS: Alok Tuteja, Head of IT Audit, Dubai Bank, Dubai, UAE
DIRECTOR - GOVERNMENT RELATIONS: Roshan Hamid, Senior Security Audit, Emirates Airlines, Dubai, UAE
DIRECTOR: Mustapha Huneyd, Senior Manager, Information Security & Biz Continuity, Etisalat, Abu Dhabi, UAE
DIRECTOR: Sayed Ahmed Al-Moosawi, Senior Auditor - IT Audit, Internal Audit, Dubai Bank, Dubai, UAE
IMMEDIATE PAST PRESIDENT: Nalin Wijetilleke, Manager - Business Continuity, RAK Bank, Dubai, UAE

PRESIDENT'S MESSAGE
In this mass-transacting world, the word vision is not just limited to a mental blueprint of what is seen. Rather, it is the unseen, but it does not have to be all clear in the beginning. While every function has a statement of purpose, it is the ideal future state of the function that must guide the way. There is no longer such a thing as a static environment or a single possible solution any more, albeit the choice to take advantage of the selective ways to protect business as well as the interests of the stakeholders and customers. To fully appreciate the convergence between them, IT changes are to be brought around hand in hand with the economic as well as the social changes in momentum. Just as the economy has shown a remarkable inclination to tolerate the global meltdown, in the backdrop technology has played a pivotal role in building that immunity. Today business is not only about operations and customer retention. It is also about technology. As we know, all organizations are subject to financial crime risks.
Recently, Beijing police shut down a fake Automated Teller Machine (ATM) that was used to steal bank card information. Counterfeit card and cash scams have been reported for years, but counterfeit ATMs have added a new twist to an old scam. Regular techniques and controls for investigations, such as reliance on documentation, statements and non-digital evidence, are a thing of the past when dealing with a virtual explosion of frauds and growing scams. While paper may not form a big part of our daily routines any more, information does. This is where deployment of IT governance helps continual improvement of areas that are not inherently resilient, keeps the disaster kit ready and gives confidence that the security blanket provides optimal coverage. It is imperative that technology and computer forensics are deployed and governed in a manner that is open, transparent and accountable for performance and results, while continually improving the value equation for organizational objectives. Our community and associated programs serve as a continual medium to promote IT governance. Sometimes organizations have opportunities but they still incur losses. The pivotal idea behind spreading awareness around IT governance is not to create panic but to enable it to be taken more seriously. Our theme this year is envisaged to uphold governance focused on risk-return value rather than just controls, managing risk and achieving objectives. IT governance can be described as a broad-based movement towards the understanding and quantification of overall IT risks, taking the form of guidance and recommendations. Although investment in backup infrastructure and fallback procedures was difficult in the beginning, organizations have manifested both cost and performance benefits over time.
While manual operations are increasingly becoming extinct, they still continue to be important. There are still great strides to be taken in the maturity level, and those organizations that truly believe in education and advancement of awareness will emerge to their potential and keep this ball rolling.
Thanks and Regards,
Bharat Raigangar

AUDITING RESILIENCE OF CRITICAL INFRASTRUCTURE AGAINST DDOS: A CHECKLIST
By Vinoth Sivasubramanian

Recently I had the opportunity to work with a friend of mine who was called in by a big telecommunications and Internet service provider in India to check whether their systems and network were resilient enough to defend against DDoS attacks. I had the opportunity to help him in this regard, and I wish to share this checklist with ISACA members. We approached this audit from the angles of People, Process, Technology and Knowledge Management.

An Auditor's Checklist

1. Obtain the organization chart to see who is responsible for the various critical assets of the organization:
   a. Roles and responsibilities
   b. List of critical web services
2. Check whether staff have gone through a background check:
   a. Employment verification
   b. Educational verification
3. Check whether they are properly trained in the latest technologies and tools:
   a. Training documents
   b. Knowledge management:
      i. How are they sharing their knowledge among their peers?
      ii. Does a mechanism exist to share their knowledge?
      iii. Is the above mechanism documented?
4. Check whether there is a proper security policy:
   a. IT security policies
   b. Check the version number and update date
   c. Check whether they are regularly reviewed and updated
   d. Verify that updates are made by the responsible personnel and go through a process of discussion
   e. Cross-check with employees on a random basis to see whether they are aware of the security policies and procedures
   f. Check whether there is an endpoint management security policy
5. Change management procedures:
   a. Check whether the organization has a documented roles and responsibilities chart for change management
   b. Check the awareness of staff members of the change management policy
   c. Check the documentation of emergency change management procedures
6. Incident management procedures:
   a. Check whether an incident management policy is in place
   b. Review the documentation date and periodicity of update
   c. Check whether focal points have been identified for incident management communication
   d. Conduct mini quizzes using pointed questions with the help desk and other staff members to check their awareness of incident management
7. Help desk management:
   a. Are there clear roles and responsibilities identified for the help desk staff members?
   b. Are they trained in incident management and change management?
   c. Verify training documentation
   d. Check their awareness levels
8. Patch management policy:
   a. Check whether the patch management policy goes through the change management mechanism
   b. Does the patch management policy go through the CAB?
   c. How are emergency and critical patches installed? Verify whether proper processes and procedures are in place for tracking and recording them
   d. Check whether the organization has established procedures for release management of patches
   e. Verify whether they have a list of their critical assets that need to be patched
   f. Check the log of patches applied to the assets to see whether they tally with the change management and release management dates
   g. Are the owners, in-charges and team members identified, or is it a single person who takes care of all the patching?
9. Risk management of the change management and release management process has to be documented:
   a. Verify whether a proper process has been established to assess the impacts of change
   b. Verify whether a risk management program exists in the first place, with periodic reviews conducted at regular intervals
   c. Are the patches being installed going through risk management?

Technological verifications:

10. Perform a vulnerability assessment to test the critical systems and networks against the latest threats and vulnerabilities:
   1. Test the critical applications against known and unknown vulnerabilities.
   2. Test the systems under purview for known process weaknesses and vulnerabilities.
   3. Verify whether best practices are being followed in line with leading industry standards such as NIST.
   4. Verify whether the software is developed in line with the SDLC (Software Development Life Cycle).
   5. Verify whether the software being developed goes through stress and penetration testing.
   6. Verify whether a threat management system/team is in place to protect the software against known and unknown threats.
   7. Has the software development been outsourced? If so, check whether they have a stringent SLA with the developer, who has agreed to develop the application subject to the SDLC, follow proper change and release management processes, update patches in line with the organizational policy, and comply with the organization's security policies and procedures.
11. Vendor management: check whether they have a stringent service level agreement with the vendor, who can respond immediately to block threats in case of an incident and restore normal operations as early as possible.

Overall, being resilient to DDoS attacks requires a multi-pronged approach; as the frequency and nature of these attacks increase and grow more complex, more trends will evolve over time and this checklist will improve.
Profile: Vinoth Sivasubramanian, ISACA Number 503366, is a Certified CEH, ISO 27001 LA, and an information standards manager at UAE Exchange Centre LLC, where he is responsible for the IT policies of the enterprise. Vinoth has six years of information security experience in telecommunications, finance and consulting. He is a founding member of ISSA UAE and can be reached at [email protected]. Simran Pal Singh, B-Tech I.T, CCNA, MCP Certified, ISACA Member, is a System Engineer at UAE Exchange Centre LLC focusing on security parameters and has 3 years' experience in I.T infrastructure. He is a member of ISSA UK and can be reached at [email protected]. Vignesh is Director of IT Audits in an audit firm providing information assurance services to big clients. He is CISSP/CISA certified.

FRAUD AND IT: POINTS FOR CONSIDERATION
By Santosh Noronha

"There are always people out there looking out to get around fraud measures." - Betty Riess, Bank of America

Frauds are committed by innovative people on the lookout for loopholes within an organization's internal control system, who exploit these loopholes for personal benefit. There is no limit to the imagination of people trying to get the information needed to commit fraud. In most organizations, information technology plays a key role in aiding or dissuading an individual from committing an offense. This article does not focus on best practices to prevent such offences but rather on the red flags that one should look out for, because in my personal experience these red flags, though noticed, are often overlooked. It should be noted that in most cases control failures do not happen because of an organization's unwillingness to adopt leading practice; rather, it is the ingenuity of a human being that circumvents the best-planned controls.
This article is meant to assist readers entrusted with protecting information technology to spot these ingenious individuals, or fraudsters, and their schemes. Red flags to watch out for are:

1. Fraudsters prefer to use their personal IT resources for official business. By doing so the fraudster has greater control over electronic evidence and can cover his tracks. One of the most common reasons for not being able to recover electronic data pertinent to the fraud event is that the perpetrator used his personal IT resources. It is common to hear that the suspect preferred to work on his personal laptop or used his personal email ID rather than the one issued by the company.
2. Use of generic user IDs. A variant of the above point is a fraudster who creates a generic user ID with super-user access rights; in some other cases this ID is shared with other employees in the organization.
3. Sharing of password credentials. Fraudsters generally prefer to share their email or application login credentials with a group of employees, thus making it difficult to establish who perpetrated the fraudulent transactions. Some people also have a habit of using a common password for all their login credentials, whether personal or official. If the password is compromised in one place, it could lead to grave consequences.
4. In a large organization, a very senior executive resigned and joined a competitor organization. The IT department did not disable this executive's email address, as they were not informed about his resignation by the Human Resources department. This executive received sensitive information about the organization through his email, which was part of the Management Committee's email group. The organization allowed remote email access through Microsoft webmail, and he could remotely access his emails without much restriction. Substantial damage was done before this was detected.
5. Introducing new applications. Most high-impact frauds are perpetrated by senior management personnel who are empowered to design controls. In these organizations fraudsters would push to either introduce new applications or upgrade existing applications. The business case for changing the application is generally vague. The result is that the organization is in a much worse situation with the new application than previously and, more importantly, is unable to generate an audit trail for the transactions perpetrated by these individuals.
6. Credit cards. Organizations (merchants or issuing banks) fail to realize the sensitivity and importance of the data contained on the credit cards that routinely pass through the organization. Further, in many organizations there are few validation checks while processing a credit card transaction, resulting in disputes and losses due to charge-backs. Although the credit card industry has collectively issued standards to improve credit card data security and is actively working towards enforcing them, the incidence of credit card fraud continues to remain high.
7. Lose data when you lose human assets. In a fairly large organization, an employee who was informed that she was terminated accessed the shared folder and deleted all files, including the backup. In this organization the data and its backup were located in the same place. The organization did not think it appropriate to withdraw this employee's access before terminating her.
8. Use of ad hoc wireless networks. People using wireless Ethernet connect to the wireless network by attaching to a wireless Access Point (AP). This method is secure if configured in Infrastructure Mode, with a MAC address filter, some level of encryption, etc. However, if the individual is configured to communicate from machine to machine, also known as Ad-Hoc mode, then the connection may not be secure, as an Ad-Hoc network is a peer-to-peer configuration.
The best place to find Ad-Hoc networks is the airport, where people waiting for their flights power up their laptops and use the waiting time to complete pending tasks. It is easy for anyone with a little know-how to connect to these networks and get access to the private or confidential data stored on these laptops, especially if strong authentication policies have not been put in place. Also, if you are compromised over a wireless network it is near impossible to track down where the attack came from.
9. Physical access controls. Most physical breaches are low-tech rather than high-tech. It is more likely that an intruder enters through an unlocked door than uses a sophisticated electronic device to crack the number keypad lock. Further, some organizations do not use identification badges or, even worse, don't ensure that the picture on the badge is a clear one. I have also noticed organizations where physical security restrictions within the premises are not enforced, allowing visitors unrestricted access once they have passed the main reception.
10. Internet security. The Internet is a vast array of loosely connected networks situated all over the world, easily accessible by individual computer hosts in a variety of ways. If you buy movie tickets online, you need to fill in and submit an electronic form which will presumably contain your name, address and credit card number. This data will pass through a number of computers on its way to the movie ticket web server. It is once again possible for someone with the know-how to intercept this information. Emails and files transferred through unsecured FTP can also be intercepted.

As stated above, this article does not focus on leading practices in securing your information and systems. There are numerous articles and publications on IT best practices which can guide an organization on how to protect its information assets.
This article is meant to raise awareness of the red flags to watch out for, as knowing what the risks are can help an organization manage these situations better.

Santosh Noronha is a Manager with Ernst & Young Dubai, working in the Fraud Investigation and Dispute Services practice. Opinions expressed in this article belong solely to the author and do not necessarily represent the views of Ernst & Young. To comment on this article, feel free to email the author at [email protected].

Business Continuity Management: The BS 25999 approach
By Mustapha

Ensuring the survival of a business through various economic fluctuations has always been a challenge for management at the helm of organizations. However, recent events like the 9/11 WTC collapse and terrorist attacks, the Tsunami catastrophe and several other sociopolitical events have brought forth a new, more extreme challenge: that of ensuring the physical existence of the business, its resources and the information that are required to serve its customers.

What is Business Continuity Management?
An organization must identify the critical products and services that must be delivered to ensure survival and adherence to the legal and contractual obligations of the organization. A proactive planning process to ensure the above is called Business Continuity Planning.

Business Continuity efforts in the past
Business Continuity Management has been around for several years in various forms. However, no standard was available for organizations to comply with. There have been various tools and guides, foremost among them the BSi-initiated PAS 56 guide. "PAS 56 Guide to Business Continuity Management describes the activities and outcomes involved in establishing a BCM process and provides recommendations for good practice.
It provides a generic BCM framework for incident anticipation and response and describes evaluation techniques and criteria." (BSi). Another guide to assist individuals involved in the BCM process was PAS 83. "PAS 83 is aimed at the person responsible for implementing, delivering and managing BCM within an organization (the BCM manager)." (BSi)

The BS 25999 approach
BS 25999 is the world's first standard for Business Continuity Management. It replaces the old PAS 56 specification and comprises two parts:
- Part 1, the Code of Practice, provides BCM best practice recommendations. This is a guidance document only.
- Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. This is the part of the standard that can be used to demonstrate compliance via an auditing and certification process.
(Definitions courtesy: British Standards; http://www.bsi-global.com/en/Assessment-andcertification-services/management-systems/Standards-and-Schemes/BS-25999/)

The Code of Practice (BS 25999-1) consists of:
- Section 1 - Scope and Applicability. This section defines the scope of the standard, clearly stating that it is a best practice guide for organizations.
- Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the standard.
- Section 3 - Overview of Business Continuity Management. It describes the overall process of BCM and its benefits to organizations.
- Section 4 - The Business Continuity Management Policy. Describes the requirement of creating an unambiguous policy.
- Section 5 - BCM Program Management. This segment defines an approach for BCM.
- Section 6 - Understanding the organization. In order to implement business continuity strategies and tactics, understanding the organization, threats, risks and overall risk appetite is very important.
- Section 7 - Determining BCM Strategies. Once the organization is understood, the overall business continuity strategies can be defined for the organization.
- Section 8 - Developing and implementing a BCM response. This segment details all aspects of rolling out the BCP and strategy.
- Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. It is essential to test and exercise the BCP, without which an organization would not be able to ascertain shortfalls in the plans.
- Section 10 - Embedding BCM into the organization's culture. Business continuity should not exist ONLY on paper, but must become a part of organizational culture. This segment defines ways to achieve just that.

The Specification (BS 25999-2) consists of:
- Section 1 - Scope. Defines the scope of the standard.
- Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.
- Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is predicated on the Plan-Do-Check-Act model of continuous improvement. The first step is to plan the BCMS, establishing and embedding it within the organization.
- Section 4 - Implementing and Operating the BCMS (DO), i.e. implement the plans. This section encompasses four sections of Part 1: understand the organization, determine BC strategy, develop and implement a BCM response, and finally exercise/maintenance/review.
- Section 5 - Monitoring and Reviewing the BCMS (CHECK), i.e. ensuring that the BCMS is continually monitored; it covers internal audit and management review of the BCMS.
- Section 6 - Maintaining and Improving the BCMS (ACT), i.e. ensuring that the BCMS is appropriately maintained and improved and that corrective actions are taken.

The adoption of an effective BCM process within an organization will have immense and far-reaching benefits.
Apart from various straight forward benefits of a BCMS like enabling mission critical activities to recover from an incident, there are other intrinsic benefits.o It assists in reducing the organizations risk exposure as the BCM will require carrying out a risk analysis and ascertaining appropriate controls to mitigate those risks. o It also helps organizations meet legal and compliance obligations and achieve organizational efficiency. o It can help protect shareholder value as risk exposure is reduced.In todays competitive business environment and a highly volatile socio -economic scenario, a BCMS is no longer a luxury, but an essential function for any organization.References and further reading:o http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030078064o http://www.bsi-global.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/Benefits/o http://www.etpconsulting.co.uk/Learn-Business-Continuity/business_benefits.htmo http://www.thebci.org/gpg.htmo http://www.thebci.org/standards.htm Mustapha currently works with the Etisalat Network & Information Security Development section as Manager, Information Security Manage- ment looking after Enterprise and Business units, working on infrastructure and service security, security research and policies in addition to managing ISMS projects within Etisalat. He has more than 9 years of Information Security experience including stints with the ministry of Information, Saudi Arabia, Softcell Technologies (India) prior to joining Etisalat. Page 12THE MAGAZINE FROM ISACA UAE CHAPTER www.isacauae.org ISSUE 3 VOL 1 13. S IM PACTES USINL LED B ING LE CA E SETT E PUZZ IS THmmaniaG TH NALYSSubra N ar R OLVI veshwABy VisS Business Impact Analysis (BIA) is a vital cog in any business function in one company which is rated as organizations Business Continuity Plan (BCP). BIA isvery critical may not even exist in another. In such a different from other stages of BCP. 
The answer to the question "What should I recover, and how quickly should I recover it?" is determined solely by the results of the BIA process. The parameterisation and methodology used in the BIA is by far the single most important factor when it comes to successful business continuity operations.

Even though BIA is universally considered a part of the BCP process, carrying out BIA as an isolated exercise could also prove beneficial to the organization. This article discusses three different aspects of BIA: a methodology to conduct a successful BIA, the case for BIA as an isolated exercise, and how to maintain the BIA project lifecycle.

BIA - the science behind it
The recovery priority and the budget that will be allocated for putting contingency measures in place are determined by the results of the BIA. Interestingly, and rightly so, there is no fixed structure that could be followed for BIA. BIA is like assembling the pieces of a puzzle on a puzzle board that has no boundaries. There is no one-size-fits-all solution for BIA; for any particular complex scenario, it is of paramount importance to tailor-stitch the approach to suit the organization.

In a BIA we assume a hypothetical situation of an organization being affected by a disruption and consider the repercussions from a holistic point of view. The ideal BIA should answer the question "How long can a process wait before it creates an impact on the organization?" Adopting the famous cliche "disasters occur in different shapes and sizes", it makes us wonder what type of time scale or magnification should be adopted to determine our proposed disaster scenario. One method of dealing with this uncertainty is to split the aftermath of a disaster into two components, which in turn drive the analysis. The two components are the effect of disruption and the impact of disruption.

1. Effect of disruption
When a disruption occurs, it may result in the loss of some tangible item. The losses lead to non-availability of resources, which in turn may lead to the non-functioning of a process, and this in turn may cause an impact to the organization. A disruptive event may lead to one or more of the following: unavailability or loss of key personnel, physical assets, information assets and facilities. In effect, we are asking the question "Can the function be carried out if these key resources are unavailable due to disruption?" Quantifying and summing up the effect of disruption for a particular business function will help us understand the dependence of the function on key resources. For instance, a function which requires a person with a specific skill set may have a higher effect value than a function that can be carried out by personnel with normal requirements. The ultimate aim of carrying out a BIA is to identify the maximum tolerable downtime for a business function. It is important that we appraise a function based on the impact it has on the organization, and take into consideration the scenario of not having the key resources to carry out that particular function due to a disruptive event.

2. Impact of disruption
The impact on an organization when a function is disrupted is calculated based on one or more of the following factors: financial impact, operational impact, legal or regulatory implications, impact on internal or external employees, and impact on vendors and suppliers. For each applicable factor, a value can be assigned depending on the impact. This value is subjective; it is impossible to derive it from a mathematical calculation. It is imperative that we involve the business process owners during this exercise, as they have a better understanding of their business. Coming back to business functions, it is important to keep granularity to a minimum, as going down to a process-level approach may complicate the scenario.

The linkage between BIA and recovery priority
Another contentious issue is how to translate the numerical value of impact into approved recovery time limits. If the impacts and effects calculated translated directly into the Maximum Tolerable Downtime, our jobs would be easier. One way of assigning a maximum tolerable downtime to the processes is by categorizing the functions as business critical, enablers, important processes and can-wait processes, based on the effect and impact attributes. A time bucket can then be created for each of the above categories. So what are the time buckets? A shorter recovery time means more financial commitment and more work load. The analysis we have carried out for the effects and impacts of disruption should be comprehensive and self-explanatory enough to convince top management of any additional budget support. One important consideration when projecting the accepted downtime for a function is for us to see the bigger picture of the organization and not isolated departments. The recovery priority should be one single sheet which contains all the functions, sorted in chronological order of recovery.

BIA - an isolated exercise
The success of a BIA exercise depends on how well we understand the business of the organization. It is one stage where the process owners sit across the table and discuss with the BCP team the intricacies of business operations. A functional analysis of each department is carried out, and this can give us real insight into what is happening within the organization. There may be processes that exist on documentation but are no longer carried out. At the same time there might be processes that are being done for which no documentation exists. These gaps can be filled during the course of a BIA exercise.

As processes are carried out on a day-to-day basis, we may never know that we are so drastically dependent on something that we tend to take it for granted. For instance, a manufacturing company might not even consider its regular raw materials supplier as a key resource, as it is dealing with that particular company on a day-to-day basis. The BIA exercise can help the organization understand the importance of such dependencies.

BIA lifecycle
BIA is not a one-off activity. Almost all business continuity plans have provision for testing the recovery strategies. Drills are conducted to test the emergency response, and live tests are conducted to ascertain whether the recovery strategies deliver within the specified time limit. Maintenance activities are carried out on a periodic basis to ensure that the right personnel are available to carry out their respective roles in the BCP. We may even carry out a checklist-guided risk assessment.

The BIA result drives the recovery strategies. The impact of a business function on an organization might change over a period of time, i.e. a process which might have been the most critical and the first to be recovered because of its financial returns may no longer give the same returns to the organization. In such a scenario, do we need the same recovery strategy for that process? If the BIA is not current, we may end up spending money on maintaining back-up strategies for a process that doesn't exist! Another important factor will be new regulatory requirements affecting the organization. Suddenly there may be a process within the legal department which cannot be disrupted. There should be enough appreciation of BIA within the organization. It should be ensured that any new functions that are introduced will be analyzed and brought under the purview of the BIA.

BIA needs to be revisited on a periodic basis. The period of repetition has to be decided by the organization. Carrying out the BIA on a yearly basis may keep functions and their impact matched.
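As a worked example of the scoring and time-bucket approach described above under "The linkage between BIA and recovery priority", and of the lifecycle point that a reassessment can move a process up the priority ladder, the following Python sketch is added here; it is not part of the original article. The 0-3 effect and impact scores stand for the process owners' subjective inputs; the equal weighting of effect and impact, the category thresholds, the time buckets and the five sample functions are constructed assumptions.

```python
"""Worked BIA scoring sheet: effect and impact scores per business function, folded
into one of the four categories from the article, each mapped to a time bucket, and
sorted into a single organisation-wide recovery priority sheet. Re-running the sheet
after a change in one function's impact shows a process moving up the ladder.
Added example: the functions, scores, weights and time buckets are constructed."""
from dataclasses import dataclass, replace

# Impact factors named in the article; each is scored 0-3 by the process owner (subjective input).
IMPACT_FACTORS = ("financial", "operational", "legal_regulatory", "people", "vendors")
# Key resource types named in the article; 0-3 for how badly the function depends on each.
RESOURCE_TYPES = ("key_personnel", "physical_assets", "information_assets", "facility")
# Category -> maximum tolerable downtime in hours. Assumed buckets, to be agreed with management.
TIME_BUCKETS = {"business critical": 4, "enabler": 24, "important": 72, "can wait": 168}
EFFECT_MAX = 3 * len(RESOURCE_TYPES)
IMPACT_MAX = 3 * len(IMPACT_FACTORS)


@dataclass
class Function:
    name: str
    department: str
    effect: dict   # resource type -> 0..3
    impact: dict   # impact factor -> 0..3

    def effect_score(self):
        return sum(self.effect.get(r, 0) for r in RESOURCE_TYPES)

    def impact_score(self):
        return sum(self.impact.get(f, 0) for f in IMPACT_FACTORS)


def categorise(fn):
    """Fold normalised effect and impact (equal weights, an assumption) into a category.
    A legal/regulatory score of 3 overrides the arithmetic: that is the 'process which
    cannot be disrupted' case from the article."""
    if fn.impact.get("legal_regulatory", 0) >= 3:
        return "business critical"
    combined = 0.5 * fn.effect_score() / EFFECT_MAX + 0.5 * fn.impact_score() / IMPACT_MAX
    if combined >= 0.75:
        return "business critical"
    if combined >= 0.5:
        return "enabler"
    if combined >= 0.3:
        return "important"
    return "can wait"


def priority_sheet(functions):
    """One sheet for the whole organisation, not per department:
    rows of (function, department, category, MTD hours) in recovery order.
    Ties inside a bucket go to the higher impact score, then to the name."""
    rows = []
    for fn in functions:
        cat = categorise(fn)
        rows.append((fn.name, fn.department, cat, TIME_BUCKETS[cat], fn.impact_score()))
    rows.sort(key=lambda r: (r[3], -r[4], r[0]))
    return [r[:4] for r in rows]


def reassess(functions, name, **impact_changes):
    """Return a new function list with one function's impact factors updated,
    as a periodic BIA review would after a business or regulatory change."""
    return [replace(fn, impact={**fn.impact, **impact_changes}) if fn.name == name else fn
            for fn in functions]


# Constructed sample: five functions from different departments.
SAMPLE_FUNCTIONS = [
    Function("Online banking", "Retail",
             {"key_personnel": 2, "physical_assets": 2, "information_assets": 3, "facility": 3},
             {"financial": 3, "operational": 3, "legal_regulatory": 2, "people": 2, "vendors": 2}),
    Function("Payroll", "HR",
             {"key_personnel": 2, "physical_assets": 1, "information_assets": 3, "facility": 1},
             {"financial": 1, "operational": 2, "legal_regulatory": 2, "people": 3}),
    Function("Regulatory reporting", "Legal",
             {"key_personnel": 3, "information_assets": 2, "facility": 1},
             {"financial": 1, "operational": 1, "legal_regulatory": 2}),
    Function("Raw material procurement", "Supply chain",
             {"key_personnel": 1, "physical_assets": 1, "information_assets": 2, "facility": 1},
             {"financial": 2, "operational": 3, "people": 1, "vendors": 3}),
    Function("Staff newsletter", "Communications",
             {"key_personnel": 1, "information_assets": 1},
             {"operational": 1, "people": 1}),
]

if __name__ == "__main__":
    for row in priority_sheet(SAMPLE_FUNCTIONS):
        print(row)
    # A new regulation makes regulatory reporting non-disruptable: it moves up the ladder.
    print("--- after reassessment ---")
    for row in priority_sheet(reassess(SAMPLE_FUNCTIONS, "Regulatory reporting", legal_regulatory=3)):
        print(row)
```

The legal/regulatory override encodes the article's "process which cannot be disrupted" case: once a regulation makes the regulatory reporting function non-disruptable, re-running the sheet moves it from fourth to second place without touching any other score, which is exactly the kind of movement up the priority ladder that a periodic BIA has to be ready to absorb.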
A yearly BIA may, however, move processes up and down the priority ladder and hence force major changes to the recovery strategies. Carrying out a BIA whenever there is a change in the business environment can be another option. Business directives, regulatory requirements, market expansion, and the launch of new products or services may serve as indicators for carrying out a BIA.

Visveshwar R Subramaniam, B.E, CCNP, MCSA, MCTS, is an Information Security Consultant working with Baker Tilly MKM, UAE. He was involved in the development of Business Continuity Plans for clients in the ITES, Banking and Logistics sectors. ISACA membership no: 629325

CALL FOR ARTICLES FOR ISACA UAE MAGAZINE
Submission deadline for the next issue is OCT 30, 2010. Email your articles to the Associate Editor at: [email protected]

INTERVIEW WITH MR. AHMAD M. ALMULLA
I.T. GOVERNANCE: TAKING IT FROM THE TOP

Mr. Ahmad M. Almulla has extensive experience in the field of I.T. spanning over 20 years. He started his career as a Programmer in 1988 at Dubai Aluminium Company Limited and since then has worked in all the areas of the Information Technology department, such as Application Development, Information Security, Architecture Design and Networking, Process Control, etc., and is currently Vice President, Information Technology of Dubai Aluminium Company Limited (DUBAL). He is also a member of the Executive Management Committee in DUBAL. He holds a Bachelor of Science in Computer Engineering from The University of Arizona and a Master of Business Administration (MBA) from the University of New England, Australia. Additionally, he has completed the Program for Executive Development at the International Institute for Management Development (IMD).

Yatri Jerajani (Senior Project Leader, I.T. Governance) and Saptorshi Datta (Senior Information Systems Auditor) at Dubai Aluminium Company Limited (DUBAL) spoke to Ahmad M.
Almulla, Vice President, I.T., Dubai Aluminium Company Limited, to learn his views on I.T. Governance. Following is the transcript of the interview.

Saptorshi: Good morning Ahmad. We wish to speak on I.T. Governance, which we all know is one of your favourite topics and very close to your heart. Can you please tell us, what is governance all about?

Ahmad: A very good morning, guys. Yes, you are very much right in saying that I.T. Governance is very close to my heart and is a matter of prime importance in today's business scenario, irrespective of the nature of business. Now let me explain what governance is. Governance is the policies, roles, responsibilities and processes that you establish in an enterprise to guide, direct and control the activities and processes to accomplish business goals. Every organization has unique needs and goals that will affect its approach to governance. Good governance will result in the achievement of business goals and is in line with all applicable laws, regulations and ethics.

Saptorshi: Ahmad, we have seen people getting confused between Corporate Governance and I.T. Governance. What are your views, and also tell us why people give so much importance to I.T. Governance these days?

Ahmad: Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a corporation. Corporate governance also includes the relationships among the many players involved (the stakeholders) and the corporate goals. The principal players include the shareholders, management and the board of directors; other stakeholders include employees, suppliers, customers, banks and other lenders, regulators, the environment and the community at large.

Information Technology Governance is a subset discipline of Corporate Governance focused on Information Technology (I.T.) systems and their performance and risk management. It deals primarily with the connection between business focus and I.T. management of an organization.

We all know that I.T. Governance is defined by the I.T. Governance Institute as "The leadership and organizational structures and processes that ensure that the organization's I.T. sustains and extends the organization's strategies and objectives."

People nowadays give so much importance to I.T. Governance as I.T. has now spread into all the units in a business, and in today's world we cannot think about businesses surviving without I.T. An organisation without I.T. governance is reactive, unable to plan, acquire or develop the correct skills, or understand priorities and meet the business objectives.

For example, without a structured process, all projects are number-one priorities. With budgets being cut for I.T., it is difficult to know where to focus. I.T. governance processes allow I.T. to understand and manage I.T.-enabled business change. The business determines priorities and defines investments, allowing I.T. to identify its staffing and infrastructure requirements and make investments in the correct skill sets, training and hardware at the correct time, ensuring value to the organization.

Saptorshi: Have you implemented I.T. Governance in DUBAL?

Ahmad: Yes, DUBAL has implemented I.T. Governance. This has been done by having an internally defined framework for I.T. governance. Please have a look at this diagram, which will help you to understand how we have implemented it in DUBAL. This framework is also reviewed regularly and updated should we feel changes are required.

Yatri: Hi Ahmad. I was listening to the conversation and waiting to ask your opinion regarding the primary goals for implementing I.T. Governance.

Ahmad: Yatri, I was expecting such a question from you. We implemented I.T. Governance in DUBAL to achieve the following:
- Align I.T. strategy with the business strategy
- Assure management that the investments in I.T. generate business value
- I.T. related risks are managed appropriately
- Management of I.T. resources
- Measuring the performance of I.T.

This is performed in DUBAL by way of measuring the KPIs using a Balanced Scorecard (BSC). The BSC has been implemented organisation-wide, including I.T., which is contributing to the organisational Vision, Mission, Strategy and Goals.

Saptorshi: We hear about many I.T. frameworks. Did you follow any existing I.T. Governance framework?

Ahmad: While we reviewed the various frameworks available for I.T., like COBIT, ITIL, etc., we did not directly take them as our I.T. governance framework but tailored them to our requirements and implemented our own framework.

Yatri: It is very remarkable that you have not adopted any framework but tailored them as per DUBAL's requirements. Can you please tell us how and when you started your journey? What was the approach adopted, and where are you now?

Ahmad: We started our journey in this direction way back in 2006 by defining a formal I.T. strategy in line with the vision set forth by our company management. The I.T. Strategy set the objectives with focused activities such as:
a. Reinforce Customer Orientation
b. Restructure I.T.
c. Transform Infrastructure
d. Sustain Operational Excellence
e. Develop & Implement Outsourcing Strategy

This required a restructure of the I.T. organisation and the creation of a dedicated department for I.T. Governance which would directly report to me, thus ensuring an independent, unbiased view of how I.T. is performing. In 2007 we created our own I.T. Governance Framework and implemented this as our I.T. Balanced Scorecard, which contributed to the Corporate Balanced Scorecard. We also did a benchmarking against COBIT, ITIL and ISO 20000 to check where we stand as per the international best practices, frameworks and standards. In 2008 we set up the I.T. Governance Committee and redefined all the I.T. processes in line with ITIL and the requirements of ISO 20000-1:2005. In 2009 we got certified to ISO 20000-1:2005. Presently we continue to learn and, based on our learnings, we continue to enhance and integrate our performance statistics.

Saptorshi: Ahmad, I am very curious to know how long it took to implement the I.T. Governance framework.

Ahmad: It took us about 4 years to reach where we are today, and we continue to learn by consistently planning, implementing, following, reviewing, measuring and correcting our efforts using a continuous improvement methodology by way of a PDCA (Deming's) cycle based approach, as advocated by most of the frameworks and standards available today.

Yatri: Ahmad, do you require consultancy services to implement I.T. Governance? Did you seek any external expertise in implementing the I.T. governance framework?

Ahmad: For specific initiatives like the implementation of ISMS and ITSM in DUBAL we did seek the help of external expertise, but no specific external expertise was sought to implement the I.T. governance framework at DUBAL.

Saptorshi: As you said, you have a dedicated I.T. Governance department in DUBAL, and this department was formed after you took over as CIO. What exactly is the function of the department?

Ahmad: Yes, you are correct, the department came into existence in 2006 when we defined our I.T. strategy in line with the corporate strategy. This department directly reports to me, and it ensures and provides assurance that I.T.'s contribution is in line with our annual objectives (which are aligned with our business requirements) by defining, guiding, supporting, measuring and validating the adequacy and effectiveness of the processes of Information Technology. The I.T. governance section looks after:
- I.T. Strategy / Strategic Objectives Implementation
- Project Management Office (PMO)
- I.T. Balanced Scorecard (BSC) / I.T. KPI Reporting
- I.T. Documentation & Quality Assurance
- Annual Maintenance Contracts
- I.T. Audits
- Information Security Management System (ISMS)
- I.T. Service Management System (ITSM)
- Annual CAPEX, OPEX & Manpower Planning
- I.T. Customer Survey
- Training Programs, etc.

Yatri: As an I.T. professional I know that there are a lot of hardships faced in implementing something new. Can you please share with us the typical challenges faced during implementation?

Ahmad: Yes Yatri, like any other I.T. project, we also faced challenges. I can share with you a number of challenges that we faced during the project, but the biggest challenge I see that we had, and very admirably addressed, was cultural change management. They are as follows:
- Resistance to change
- Keeping expectations at a realistic level
- Implementing newly developed processes, policies and procedures
- Identify, measure and manage appropriate KPIs
- Meeting project deadlines amidst other operational involvement
- Striking an optimum balance between business needs, cost and resource availability

Saptorshi: We all would like to know what the key success factors were which contributed to your implementation of I.T. Governance.

Ahmad: We faced quite a few challenges, and some of the important ones are:
- Sustaining management support and commitment
- Making sure we know: where we are (e.g. gap assessment / benchmark); where we want to go (scope, maturity); how to get there (initiating the project / allocating resources); how we know whether we got there (e.g. KPIs, certification)
- Awareness and training
- Cultural change management
- Resource commitment

Saptorshi: What are the benefits you have seen, having implemented I.T. Governance?

Ahmad: Saptorshi, please look at the table given below as to how I.T.'s performance has improved over a period of time. As we have matured, the table shows how we have not only improved on the KPIs that we were measuring but also introduced new KPIs.

MEASURES                                          2006           2007           2008           2009
CAPEX Expenditure                                 66.51%         83.57%         72.68%         72.66%
OPEX Expenditure                                  81.36%         102.29%        100.50%        88.01%
Customer Satisfaction                             Not measured   92.00%         93.00%         94.00%
Quality of Service Provided                       Not measured   Not measured   Not measured   90.24%
Quality of Projects Delivered                     Not measured   Not measured   Not measured   87.48%
Delivery of Projects within Time                  84.80%         92.18%         94.78%         94.94%
Availability of I.T. Services                     99.90%         99.71%         99.44%         99.80%
Progress of Risk Treatment                        Not measured   Not measured   Not measured   89.70%
Retention, Attraction and Development of Skills   Not measured   72.67%         93.90%         94.11%

Over and above this, it has helped DUBAL in recent years to win the following awards (specifically from an I.T. perspective):
- I.T. Governance Assurance Forum Award 2006
- ACN Arab Technology Award 2007
- CIO 20 Middle East 2008
- ACN Arab Technology Award 2008
- Excellence in Information Integrity Awards, Gold Award (For-Profit) 2008
- I.T. Governance Assurance Forum Award 2008
- Oracle BI / EPM Excellence Award 2009
- CIO Top 10 ME Award 2009

This has also helped DUBAL in getting certified, and in maintaining certification, to the various standards given here:
- ISO 9001:2000: Quality Management Systems
- ISO/TS 16949:2002: QMS for Automotive Production & Relevant Service Part Organization
- ISO 14001: Environmental Management Systems
- OHSAS 18001: Occupational Health & Safety Management Systems
- ISO/IEC 27001:2005: Information Security Management System
- ISO/IEC 20000-1:2005: Information Technology Service Management

Yatri: Ahmad, before we end this interview, could you please tell us how you continue to ensure that your I.T. governance activities are aligned to the business?

Ahmad: Every year, in line with the corporate vision set forth, all the business units of DUBAL (including I.T.) define their strategic objectives and measure them throughout the year. The I.T. Strategy and the yearly strategic objectives are reviewed at the start of the year to check their alignment to the Corporate Strategy and Corporate Strategic Objectives. Subsequently, the Corporate Objectives at the corporate level and the I.T. objectives at the I.T. level are reviewed through review meetings conducted bi-annually, where the progress reports for all initiatives are reviewed. Over and above this, I.T. Strategy related audits are conducted regularly.

Saptorshi and Yatri: Thank you Ahmad for sharing your views on I.T. governance with us. We appreciate you taking some time off from your busy schedule and giving us your invaluable time to chat and inform us on this extremely important topic, and one of your favourites, I.T. Governance. We are sure ISACA UAE Chapter members will find these views very useful and inspiring.

CGEIT EXAM BOOT CAMP
For more details please contact Mr. Hariprasad Chede on 050-6841501 or email [email protected]
ONE ATTACK, I GOT ADMITTED
By Joysree Chatterjee

Don't be scared, it's not a heart attack, but yes, it was an attack, and it is the reason I took an interest in the protection of information systems and got enrolled for CISA. Every morning I report to a person who is CISA qualified. My boss is CISA qualified; his name has fewer letters than his degrees. Whenever I speak of increments he asks me for a professional degree, any degree that will help to protect information assets. I used to grumble that he was not interested in giving me a salary hike, but he always stuck to the same idea of achieving a degree. He told me I was still young and could appear for professional degrees, but at that point of time I was running in my late 20s. I was always in a dilemma: being a married lady, how could I devote time to studies? Every day he used to remind me, when will I register myself for CISA? But I didn't give importance to that. I used to grumble that he was not ready to pay an increment but he was after me to waste my money. The argument went on.

After a few days, one incident changed my views. I was excited to chat with my friends and I found my mail box empty. It was without a single mail; none of the old mails were there, and all my public chat boxes were without any messages or scraps. I discussed it with my friends. I was simply shaken, because I had heard about hacking but never faced it. I was very upset that all my favourite mails were no longer in my mail box. My father is no more in this world, and I lost his mails too. Many of my important bank account numbers and statements were saved in my mail box, and then I felt the importance of security. I had to stop all my bank transactions for a few days, because I used to store my PIN numbers in my mail box. I was very much dependent on my mail box. In short, you can say that it was not only a financial loss but also an emotional loss. I was staying in an apartment without a lock, which I realised the day my mail box was attacked by a hacker.

Luckily or incidentally it happened to me, so I could feel how bad we feel when we lose all our assets. Yes, they were not regular assets; they were all my information assets. I was unable to sleep the entire night. The next day I came to the office, and the first activity I did that day was to finally register with ISACA. Better late than never, I understood the importance of the Protection of Information Assets.

What I feel is that awareness is still very low. The young generation is addicted to mail boxes and all these chat rooms, so the generation should be well aware of the protection of all types of assets used by them on a daily basis. Some children share their parents' laptop, BlackBerry, PC or any other device through which a lot of data can be leaked, but not only the children, the parents too are not at all bothered.

When we invest money somewhere we think of extracting the most out of it, utilising the whole amount invested. The same thing I did: I started attending all the seminars conducted by the ISACA UAE Chapter. My interest grew more when I went to those seminars conducted by the UAE Chapter. Believe me, friends, registration is not the end for CISA; attending all these events will open up many views which we are not at all aware of. I really liked a seminar on business disaster and recovery. Business continuity planning (BCP) and contingency planning in support of operations are elements of an internal control system established to manage availability and restore critical processes in the event of an interruption. The most important part of such a plan deals with the cost-effective support of the information system. The ultimate goal of the process is to be able to respond to incidents that may impact people, operations and the ability to deliver goods and services to the marketplace.

My organisation is implementing ERP, so I am very busy, but I decided to join the classes so that I can at least understand what CISA is all about. The CISA classes are like the chocolate sauce topping on a delicious ice cream. Till now I have attended three classes. Believe me, dear friends, once you meet all the people who are already qualified you get a boost to study further. The same happened to me: once I reach the class and see that age is no bar here, I feel so happy. I always used to regret that I started late, but after meeting my classmates in the UAE Chapter I feel that I am not late. Thanks to the hacker who hacked all my mails, and of course to my boss, who has promised me better stability after I achieve my CISA degree.

Nowadays we are so dependent on systems. I don't remember when I last went to a ticket counter to buy movie tickets, or when I last paid my utility bills in cash. Everything we do now is online payments, so we should be very much aware of all these facts. When we spend a single penny from our pocket we are always careful; now it is time to think from our owners' or management's point of view about how we can protect the assets, which will be a profit to the entire society.

Now my interest towards CISA is 100%. I am not concerned about the degrees, but all this awareness will give me a proper angle to give my best to my organisation. Getting enrolled and understanding the importance of the CISA degree was simply an affair, but joining the CISA classes declares that I am finally married.

The roles of information systems auditors are becoming very significant, so CISA certification will benefit not only the candidates but also management. People gathering knowledge can give their best to management. Safeguarding assets, maintaining integrity and consuming resources efficiently should be the aim of an IS auditor. The expectations from auditors are high across the globe; they represent higher management, so they should follow best practices. Most organisations are dependent on information systems, and each and every transaction is processed online, so management wants the assurance from the auditors that they will take care of the organisation and understand the business.

Ever since I decided to appear for CISA I have really benefited. I am aware of the best practices followed not only in the country where I stay now but also of those followed and accepted globally. I am aware of the role of information technology in achieving sustained regulatory compliance. If we can work as a team we can provide a reliable IT processing environment. I am working in the internal audit department, which, linked with my professional degree, will allow me to perform my best for my present organisation. We stop studying after our college days, but nowadays we should really be aware of all the facts, which will come automatically if we attend all the seminars and lectures by qualified people or go through the study magazines.

I always dreamt of working in the police or CID department, but my parents and my brothers didn't allow me, being the one and only pampered girl member; they used to think, how could I fight or face criminals? But now I am sure that my dream will come true very soon. I would love to face cyber criminals, for which I don't have to fight physically, but yes, mentally. In the near future I would wish to work as a private detective and investigator to reduce crime related to information systems, but till then I will give my best to my present company and assure management that their information systems and assets are all protected.

Joysree Chatterjee, 0554941020
PHISHING: THE BIGGEST THREAT TO ONLINE TRANSACTIONS?
By Biju Nair

Background
Frauds using the Internet and other electronic media have been on the increase ever since the popularity of the Internet spread beyond the research laboratories. While critical transactions over the Internet like online shopping, online banking and online trading gathered momentum, so did online frauds, and we started calling them e-crimes. In a March 2010 report published by the UK Payments Authority, online losses were reported at 59.7 million pounds for 2008-2009, a 14% increase compared to the previous reporting period. This is in contrast to the trends shown in other areas of card fraud, which showed a decreasing trend during the corresponding period. Phishing, coupled with the distribution of Trojans through phishing emails and fake websites, has become the most widespread form of e-crime at present.

Phishing, as a form of financial crime, has come a long way since the technique was first described in the technical literature in 1987 and the first recorded use of the term "phishing" in 1996. Vishing, pharming, spear phishing, whaling and typo phishing have since evolved from traditional phishing. Phishing, in its simplest definition, is a criminal mechanism employing both social engineering and technical ploys to steal consumers' personal identity data and financial account credentials.

The Current Trends
The most recent survey report (May 2010) on phishing from Antiphishing.org has revealed the following disturbing trends in phishing:
- The Avalanche phishing gang was responsible for two-thirds of all phishing attacks launched in the second half of 2009.
- More brands were under attack than ever before, hitting a record high in Q4 2009.
- Financial Services (39%) and Payment Services (33%) continue to be the most targeted industry sectors.
- Use of sub-domains in hosting phishing sites is on the increase and could become a bigger problem in the future.
- One of the most positive trends shown by this survey was that the average uptime of all phishing attacks continued to drop compared to previous periods.

Avalanche is the name given to the world's most prolific phishing gang, and to the infrastructure it uses to host phishing sites. They perfected a system for deploying mass-produced phishing sites, and for distributing malware that gives the gang additional capabilities for theft. This was also used to distribute the dangerous Trojan named Zeus, a sophisticated piece of malware that the criminals incorporated into their phishing and spamming campaigns. Current trends show reduced activity by Avalanche compared to the second half of 2009; however, researchers fear that this is just a time of hibernation. They are expected to rejuvenate, probably with a different name and a different modus operandi, just like their predecessor Rock Phish, which was very pr
olific and successful from 2006 to 2008.

Phishing website uptimes
The most critical success factor against phishing attacks, in addition to user awareness, is the speed with which the fake websites can be brought down. This needs the concerted efforts of security professionals, internet service providers and regulators. The APWG report shows the results of these efforts across different countries in the world. Given below is a table showing the region's performance against some of the more internet-savvy countries in the world.

TLD   Location              Unique phishing   Unique domain names   Domains in registry   Average uptime,
                            attacks, 2H 2009  used for phishing,    (November 2009)       2H 2009 (hh:mm:ss)
                                              2H 2009
.ae   United Arab Emirates  8                 7                     87,000                80:20:04
.bh   Bahrain               1                 1                     -                     80:43:05
.kw   Kuwait                2                 2                     -                     331:46:23
.sa   Saudi Arabia          12                7                     17,543                59:16:41
.uk   United Kingdom        14,387            1,554                 8,098,544             15:41:22
.in   India                 176               66                    570,523               28:48:21
.cn   China                 2,826             228                   13,680,727            15:32:32

More effort is required in the region to reduce the average uptime of these phishing websites. It is in this context that the setting up of aeCERT and its effective operation gain significance. Since its efforts have been very commendable in the space of information protection so far, the average uptime of phishing websites will hopefully keep on decreasing, thereby giving better protection to consumers as well as businesses in the region.

Protection against Phishing Attacks
While the creation of awareness and improved transaction processes are the best defence against transaction fraud using phishing attacks, there are also certain technical solutions that provide proactive defence against outbreaks of such attacks.

Digital watermarks
A digital watermark is a hidden seal embedded in a web page. When such a web page is duplicated, the monitoring team can be alerted and the copied site taken down. The source IP addresses accessing the phishing site can be tracked using the watermark. This enables tracking of affected accounts (analysis of accounts accessed from these source IPs by looking at the Internet banking logs). Sometimes the first source IP is the attacker testing the site, and hence that IP can also be blocked.

DNS Monitoring
Continuous monitoring of the registration and hosting of domains with names and web addresses similar to the brand's gives advance warning of the possible hosting of phishing sites.

Referrer logs
A sudden influx of referrer entries in the genuine website's logs from a single source, other than a search engine, could indicate that a phishing attack is happening on the brand.
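The following Python sketch is an added example, not part of Biju Nair's article, implementing two of the checks described in this section: a lookalike-domain screen of the kind a DNS monitoring team would run against newly observed names (typo, homoglyph, brand-embedded and brand-as-sub-domain variants, the last matching the sub-domain trend noted above), and a referrer-burst detector run over web server access log lines, excluding search engines and the site's own hostnames. The brand name, genuine domain, search-engine allow-list, thresholds, sample domains and log lines are constructed assumptions.

```python
"""Two early-warning checks for phishing against a protected brand: screening observed
domain names for lookalikes (the DNS monitoring point) and spotting a burst of referrers
from one non-search-engine host in the genuine site's access log (the referrer-log point).
Added example; brand, allow-list, thresholds and log lines below are constructed."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

BRAND = "noorbank"                  # hypothetical brand label we protect
BRAND_DOMAIN = "noorbank.example"   # hypothetical genuine domain
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}  # assumed allow-list
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label):
    """Fold common look-alike characters back to the letters they imitate."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(fqdn):
    """Return why fqdn looks like an attack on BRAND, or None if it does not.
    Assumes a one-label public suffix (a real deployment would use the PSL)."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn == BRAND_DOMAIN or fqdn.endswith("." + BRAND_DOMAIN):
        return None                                   # our own name space
    labels = fqdn.split(".")
    registrable = labels[-2] if len(labels) > 1 else labels[0]
    if any(BRAND in normalise(lbl) for lbl in labels[:-2]):
        return "brand used as sub-domain"             # noorbank.example.evil.biz
    if registrable == BRAND:
        return "brand on another TLD"                 # noorbank.com
    folded = normalise(registrable)
    if folded == BRAND:
        return "homoglyph variant"                    # n00rbank.com
    if BRAND in folded:
        return "brand embedded in domain"             # noorbank-secure.com
    if edit_distance(registrable, BRAND) <= 1:
        return "typo variant"                         # norbank.com
    return None


# Apache/nginx "combined" log format: ip ident user [ts] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
                    r'"(?P<ref>[^"]*)" "[^"]*"$')


def referrer_bursts(lines, threshold=5, window_minutes=10):
    """Count hits per external referrer host per time window; return
    (host, window start, hits, classification) for hosts at or over the threshold."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # malformed line, skip
        host = urlsplit(m["ref"]).hostname
        if not host or host in SEARCH_ENGINES:
            continue
        if host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN):
            continue                                  # internal navigation
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        counts[(host, window)] += 1
    return [(host, w.isoformat(), n, classify_domain(host))
            for (host, w), n in sorted(counts.items()) if n >= threshold]


# Constructed sample log: a phishing page hot-linking our logo, plus ordinary traffic.
PHISH = "http://noorbank.example.secure-login.biz/index.php"
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2010:09:01:12 +0400] "GET /img/logo.png HTTP/1.1" 200 4312 '
    '"http://www.google.com/search?q=noor" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Jul/2010:09:02:40 +0400] "GET /css/site.css HTTP/1.1" 200 812 '
    '"https://www.noorbank.example/" "Mozilla/5.0"',
] + [
    f'198.51.100.{i} - - [10/Jul/2010:09:0{i}:05 +0400] "GET /img/logo.png HTTP/1.1" 200 4312 '
    f'"{PHISH}" "Mozilla/5.0"' for i in range(3, 9)
] + [
    f'203.0.113.9 - - [10/Jul/2010:09:31:00 +0400] "GET /img/logo.png HTTP/1.1" 200 4312 '
    f'"{PHISH}" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for hit in referrer_bursts(SAMPLE_LOG):
        print(hit)
```

A burst from a host that also classifies as a brand lookalike is the strongest signal; a burst from an unrelated host still merits a look, since many phishing pages sit on compromised third-party sites. In production the registrable-label logic would use the Public Suffix List, and the threshold and window would be tuned against the site's normal referrer baseline so that a legitimate partner site linking to the brand does not page the team.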
The referrer signal works because a phishing site often links back to the genuine website for images and other non-critical content; when the lured users' browsers fetch those links, each request arrives at the genuine site carrying the phishing page as its referrer.

Spam traps
Tracking spam mail within the organization's domain, especially double-bounce mail, can indicate a phishing attack. A sudden influx of mails which have invalid From as well as To addresses results in double-bounce mails, showing an increased level of spam and possible phishing mails for the domain.

Conclusion
There is no single solution to prevent phishing attacks across all domains and across all continents. A concerted effort involving end user awareness, regulatory participation and contributions from the information security community is needed to fight this menace on an ongoing basis. It is not enough to be proactive; you should be alert on a 24x7x365 basis in order to identify the next wave of attacks on online transactions.

Biju Nair, CISA, CISSP, has been working in the Information Security and IT Audit domains for the last 12 years. He has spearheaded the data protection initiatives for several banks in the region and is currently working as the Head of IT & Consumer Audit for Noor Islamic Bank. He is also the current Secretary of the ISACA UAE Chapter.

I-SAFE 10: CORPORATE CHALLENGES IN MANAGING INFORMATION RISKS BEYOND 2010...
25th & 26th October 2010. EARN 16 CREDIT POINTS.

INFORMATION SECURITY: Information is a key asset used by organizations in achieving business objectives. It is imperative in this e-world to maintain the confidentiality, integrity & availability of information. Find out the new trends in security and ways to manage your information security.

AUDIT & ASSURANCE: It is critical to provide independent audit & assurance to strategically manage the information risks in the organization.
Find out from the experts the paradigm change in the profession and the new ways to provide audit & assurance services.The 4th annual integrated conference covering variousaspects for managing theFORENSICSmost important asset of anorganisation - Information Determine the process & new ways in investigating information resources.EMERGING TECHNOLOGIESFind out new technologies to better manage your information and information resources. VENUE25th & 26th OCT, 2010DHOW PALACE Dubai, U.A.E. CONTACT DETAILSPlease register online at www.isacauae.org or contact Ashish Mahal on +971-50-7549908 or email to [email protected] for registration or any additional information 28. CISA EXAM REVIEW CLASSES For more details please contact: R. K. Rao on 05500864 or email at: [email protected] 29. ALL WORK NO PLAY MAKES US DULL"19th November 2010 ISACA UAE Chapter brings an opportunity for its Network with professionals on the field members to network with fellow professionals on the field by participating in the first ever SIX (6) a sideFor more information regarding the event please indoor cricket tournament. ISACA invites all members contact Vaishal Mehta on +971 50 786 4839 to form a team from their organization or other Email: [email protected] organization and lift the "ISACA UAE Chapter Champions Trophy".We can accommodate only a limited number of teams, so rush in your team entries by filling the attached registration form. The organizing committee will accept teams on first-come-first-serve basis. Pre-registration of all teams is required by 30/08/2010. The event will be held at In-Sportz, Dubai. 30. ENTRY FORM To enter the tournament, complete the form below, All payments to be made in favour of DNATA-ISACA. Cheques to be forwarded to ISACA UAE Chapter, VaishalMehta,ISACATreasurer,P.O.BOX186645. 
Mobile: +971507864839, Email: [email protected]

Team Name: ______________________________
Captain's Name: ______________________________
Contact Number: ______________________________
Company/Organisation: ______________________________
Postal Address: ______________________________
E-mail Address: ______________________________

TEAM MEMBERS (name, contact number, signature)
1. ______________________________  Contact Number: ______________  Signature: ______________
2. ______________________________  Contact Number: ______________  Signature: ______________
3. ______________________________  Contact Number: ______________  Signature: ______________
4. ______________________________  Contact Number: ______________  Signature: ______________
5. ______________________________  Contact Number: ______________  Signature: ______________
6. ______________________________  Contact Number: ______________  Signature: ______________
7. (Reserve) ____________________  Contact Number: ______________  Signature: ______________
8. (Reserve) ____________________  Contact Number: ______________  Signature: ______________

Team cost: AED 800/-. A team must consist of at least 5 ISACA members; no more than 3 non-members are allowed in a team.

We, the undersigned, and the members of the ________________________ team will not hold the ISACA UAE Chapter, or any of its Board Directors or volunteers, responsible for any injuries to person or property occurring during the ISACA Champions Trophy held on Friday, November 19, 2010. We agree to play according to the spirit of the game, and will respect and accept the decisions of the umpires and match coordinator adjudicating the tournament.

PLEASE NOTE: To guarantee your place in the tournament, the full amount must be paid to the ISACA UAE Chapter; the first 6 teams to pay the full tournament fee will be entered into the tournament.