JULY - SEPTEMBER 2010 | ISSUE 3 - VOL 1, 2010
INSIDE:
Business Continuity Management
One Attack, I Got Admitted
Face to Face
Phishing
Contents
AUDITING RESILIENCE OF CRITICAL INFRASTRUCTURE AGAINST DDOS ... 6
FRAUD AND IT: POINTS FOR CONSIDERATION ... 8
BUSINESS CONTINUITY MANAGEMENT – The BS 25999 approach ... 11
SOLVING THE PUZZLE CALLED BUSINESS IMPACT ANALYSIS ... 13
FACE TO FACE - Interview ... 17
ONE ATTACK, I GOT ADMITTED - Experience ... 22
PHISHING - The biggest threat to online transaction ... 24
ISACA CHAMPIONS TROPHY ... 29
Editorial: Welcome to “In-Control”
Welcome to the third issue of “In-Control” Magazine from the ISACA UAE Chapter. We are in the middle of the year and the chapter has already seen many interesting CPE sessions and an audit analytics workshop. The chapter is planning more exciting events, and our very own I-SAFE 10 (regional conference) is scheduled for Oct 10.
This year’s I-SAFE theme is focussed on “Corporate Challenges in managing Information Risk beyond 2010...”. The chapter is lining up a number of eminent speakers from various specialities for the I-SAFE conference, who will be sharing their experiences and guidance on managing information risks.
Our biggest asset is our members, and their encouragement is driving all of us on the board to bring more exciting events which are educational and provide an opportunity for our members to discuss and share experiences.
Our third issue has a battery of interesting articles such as Business Impact Analysis, Fraud & IT and a candid interview with Mr. Ahmed Al Mulla, Vice President, I.T., Dubai Aluminium Company.
I request all our members to contribute to the magazine by sharing your experiences in the upcoming issues.
The “In-Control” editorial board invites you to provide your feedback regarding the Magazine and its
contents. We would love to hear from all of you so that we could better serve you and have the relevant
contents/ sections added in the next issue.
Please email me at gurpreet_k@yahoo.com for any feedback.
Regards,
Gurpreet Kochar
CISA, CISA, CISSP, CEH
Chief Editor & Membership Director
Chief Editor - GURPREET KOCHAR
Associate Editor – HARI PRASAD CHEDE
In-Control magazine is designed to provide UAE chapter members with information related to IT
governance, audit & security. The opinions, viewpoints published in this magazine are not necessarily
those of the ISACA UAE Chapter or its chapter officers. The editorial board of the chapter officers of
the ISACA UAE Chapter do not take any responsibility or liability for any losses or damages incurred as
a result of reliance on any information provided in this magazine. The editorial board takes care for
ensuring that articles are relevant and original but does not take any responsibility for any errors that may
appear herein.
ISSUE 3 VOL 1 THE MAGAZINE FROM ISACA UAE CHAPTER www.isacauae.org Page 3
Chapter Board Members 2010
PRESIDENT
Bharat Raigangar
Country Head - Security & Fraud Risk
Royal Bank of Scotland NV
Dubai, UAE
Mob: +971-50-6229854
Email: president@isacauae.org, raigangarbharat@yahoo.com

VICE PRESIDENT
Avinash Totade
Senior Manager - Internal Audit
Dubai Aluminium Company (DUBAL)
Dubai, UAE
Mob.: +971-50-6533852
Email: vicepresident@isacauae.org, avinash.totade@gmail.com

DIRECTOR - PROGRAMS
Ashish Mahal
Senior Projects Officer
RAK Bank
PO Box 1531, Dubai, UAE
Mob: +971-50-7549908
Email: ashishmahal@hotmail.com

DIRECTOR - MEMBERSHIP
Gurpreet Kochar
Manager - Information Systems Audit
Emirates Airline
Dubai, UAE
Email: gurpreet_k@yahoo.com

DIRECTOR - COMMUNICATIONS
Hari Prasad Chede
Senior IT Risk & Security Officer
Union National Bank
Abu Dhabi, UAE
Tel: +971-50-6841501
Email: hchede@gmail.com

SECRETARY
Biju Nair
Head of Consumer & IT Audit
Noor Islamic Bank
Dubai, UAE
Mob.: +971 55 2208512
Email: secretary@isacauae.org, rsbiju@gmail.com

TREASURER
Vaishal Mehta
Assistant Manager, IS & BCM
Dubai Bank
Mob.: +971507864839
Email: vaishal@gmail.com

DIRECTOR - CERTIFICATIONS
R. K. Rao
Manager
RAK Bank
Dubai, UAE
Mob.: +971-50-5500864
Email: raork123@eim.ae

DIRECTOR - ACADEMIC RELATIONS
Alok Tuteja
Head of IT Audit
ADNOC
Abu Dhabi, UAE
Mob.: +971-50-3453890
Email: aloktuteja@gmail.com

DIRECTOR - GOVERNMENT RELATIONS
Sayed Ahmed Al-Moosawi
Senior Auditor - IT Audit, Internal Audit
Dubai Bank
Dubai, UAE
Mob.: +971-50-4559114
Email: sayedalmoosawi@dubaibank.ae

DIRECTOR
Roshan Hamid
Senior Security Audit
Emirates Airlines
Dubai, UAE
Email: roshanhamid@gmail.com

DIRECTOR
Mustapha Huneyd
Senior Manager, Information Security & Biz Continuity
Etisalat
Abu Dhabi, UAE
Mob.: +971506625859
Email: mhbengal@live.com

IMMEDIATE PAST PRESIDENT
Nalin Wijetilleke
Manager - Business Continuity
RAK Bank
Dubai, UAE
Mob.: +971-50-6598824
Email: pastpresident@isacauae.org, nalindw2000@yahoo.com
President’s Message
In this mass-transacting world, the word vision is not just limited to a
mental blueprint of what is seen. Rather, it is the unseen, but it does
not have to be all clear in the beginning. While every function has a
statement of purpose, it is the ideal future state of the function that must
guide the way. There is no longer such thing as a static environment or
a single possible solution anymore, albeit, the choice to take advantage
of the selective ways to protect business as well as the interests of
the stakeholders and customers. To fully appreciate the convergence
between them, IT changes are to be brought around hand in hand with
the economic as well as the social changes in momentum.
Just as economy has shown a remarkable inclination to tolerate the
global meltdown, on the backdrop, technology has played a pivotal role
in building that immunity. Today business is not only about operations
and customer retention. It is also about technology. As we know, all
organizations are subject to financial crime risks. Recently, Beijing police shut down a fake Automated Teller Machine (ATM) that was used to steal bank card information. Counterfeit card and cash scams have been reported for years, but counterfeit ATMs have added a new twist to an old scam.
Regular techniques and controls for investigations, such as reliance on
documentation, statements and non digital evidence are a thing of the past, when dealing with a virtual
explosion of frauds and growing scams. While paper may not form a big part of our daily routines
anymore, information does. This is where deployment of IT Governance helps continual improvement
of areas that are not inherently resilient, keep the disaster kit ready and be confident that the security
blanket provides optimal coverage. It is imperative that technology and computer forensics are
deployed and governed in a manner that is open, transparent and accountable for performance and
results, while continually improving the value equation for organizational objectives.
Our community and associated programs serve as a continual medium to promote IT Governance.
Sometimes organizations have opportunities but they still incur losses. The pivotal idea behind
spreading awareness around IT Governance is not to create panic but to enable it to be taken more
seriously. Our theme this year is envisaged to uphold governance focused on “risk-return value” rather
than just controls, managing risk and achieving objectives.
IT Governance can be described as a broad based movement towards the understanding and
quantification of overall IT risks, taking the form of guidance and recommendations. Although investment
in backup infrastructure and fallback procedures was difficult in the beginning, organizations have
manifested both cost and performance benefits over time. While manual operations are increasingly
becoming extinct, they still continue to be important.
There are still great strides to be taken in the maturity level and those organizations that truly believe in
education and advancement of awareness will emerge to their potential and keep this ball rolling.
Thanks and Regards
Bharat Raigangar
AUDITING RESILIENCE OF CRITICAL INFRASTRUCTURE AGAINST DDOS: A CHECKLIST
By Vinoth Sivasubramanian
Recently I had the opportunity to work with one of my friends, who was called in by a big telecommunication and Internet service provider in India to check if their systems and network were resilient enough to defend against DDOS attacks. I had the opportunity to help him in this regard and I wish to share this checklist with ISACA members.
We approached this audit from the People, Process, Technology and Knowledge Management perspectives.
An Auditor’s Checklist
1. Obtain the organization chart to see who is responsible for the various critical assets of the organization
a. Roles and responsibilities
b. List of critical web services
2. Check to see if they have gone through a background check
a. Employment verification
b. Educational verification
3. Check if they are properly trained in the latest technologies and tools.
a. Training documents
b. Knowledge management
i. How are they sharing their knowledge among their peers?
ii. Does a mechanism exist to share their knowledge?
iii. Is the above mechanism documented?
4. Check if there is a proper security policy
a. IT security policies
b. Check the version number and update date
c. Check to see if they are regularly reviewed and updated
d. Verify that the updates are being done by the responsible personnel and whether they go through a process of discussion.
e. Cross-check with employees on a random basis to see if they are aware of the security policies and procedures
f. Check whether there is an endpoint management security policy.
5. Change management procedures
a. Check whether the organization has a documented roles and responsibilities chart for change management
b. Check the awareness of the staff members of the change management policy
c. Check the documentation of emergency change management procedures
6. Incident management procedures
a. Check to see if an incident management policy is in place
b. Review the documentation date and periodicity of update
c. Check whether focal points have been identified for incident management communication
d. Conduct mini quizzes using pointed questions with the help desk and other staff members to check their awareness of incident management
7. Help desk management
a. Are there clear roles and responsibilities identified for the help desk staff members?
b. Are they trained on incident management and change management?
c. Verify training documentation
d. Check their awareness levels.
8. Patch management policy
a. Check to see if the patch management policy goes through the change management mechanism
b. Does the patch management policy go through the CAB (Change Advisory Board)?
c. How are emergency and critical patches installed? Verify whether proper processes and procedures are in place for tracking and recording them.
d. Check to see if the organization has established procedures for release management of patches
e. Verify whether they have a list of their critical assets that need to be patched
f. Check the log of patches that have been applied to the assets to see if they tally with the ones present in change management and with the release management dates.
g. Are the owners, in-charges and team members identified, or is it a single person who takes care of all the patching?
9. Risk management of the change management and release management process has to be documented
a. Verify that a proper process has been established to assess the impacts of change
b. Verify whether a risk management program exists in the first place, with periodic reviews conducted at regular intervals
c. Are the patches that are being installed going through risk management?
Technological Verifications:
10. Perform vulnerability assessment to test the critical systems and networks against the latest threats and vulnerabilities
a. Test the critical applications against known and unknown vulnerabilities.
b. Test the systems under purview for known process weaknesses and vulnerabilities.
c. Verify if best practices are being followed in line with leading industry standards such as NIST.
d. Verify if the software is developed in line with an SDLC (Software Development Life Cycle).
e. Verify if the software that is being developed goes through a stress penetration test.
f. Verify if a threat management system/team exists to protect the software against known and unknown threats.
g. Has the software development been outsourced? If so, check that they have a stringent SLA with the developer, who has agreed to develop the application subject to the SDLC, follow proper change and release management processes, update patches in line with the organizational policy and remain in line with the organizational security policies and procedures.
11. Vendor management: Check to see if they have a stringent Service Level Agreement with the vendor, who can respond immediately to block threats in case of an incident and restore normalcy as early as possible
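Item 8 (f) of the checklist above asks the auditor to tally the patch log against the change and release records. The following is an added worked example of that reconciliation, not code from the article or from any tool it mentions: it reads a constructed patch log and a constructed CAB register and reports the three ways they can fail to agree. The record layouts, asset names and dates are all sample data; in a real audit they would be exported from the patch-management and change-management systems.

```python
"""Reconcile applied patches against CAB change records (checklist item 8f).

Added example, not code from the article: it takes a patch log pulled from
the assets and the approved-change list from the CAB and reports the three
ways they can fail to tally. All layouts and values are constructed samples.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PatchRecord:
    asset: str
    patch_id: str
    installed: date


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    asset: str
    patch_id: str
    approved: date    # CAB approval date
    scheduled: date   # release-management (deployment) date


# Constructed patch log: asset, patch id, install date.
PATCH_LOG = """\
web01,KB-1001,2010-06-02
web01,KB-1002,2010-06-20
db01,KB-1001,2010-06-03
db01,KB-1003,2010-06-15
"""

# Constructed CAB register: change id, asset, patch id, approved, scheduled.
CHANGE_LOG = """\
CHG-1,web01,KB-1001,2010-05-30,2010-06-02
CHG-2,db01,KB-1001,2010-05-30,2010-06-03
CHG-3,db01,KB-1003,2010-06-18,2010-06-19
CHG-4,app01,KB-1004,2010-06-01,2010-06-05
"""


def parse_patch_log(text):
    records = []
    for line in text.strip().splitlines():
        asset, patch_id, installed = (f.strip() for f in line.split(","))
        records.append(PatchRecord(asset, patch_id, date.fromisoformat(installed)))
    return records


def parse_change_log(text):
    records = []
    for line in text.strip().splitlines():
        change_id, asset, patch_id, approved, scheduled = (
            f.strip() for f in line.split(","))
        records.append(ChangeRecord(change_id, asset, patch_id,
                                    date.fromisoformat(approved),
                                    date.fromisoformat(scheduled)))
    return records


def reconcile(patches, changes):
    """Return (unauthorised, out_of_window, not_applied), each sorted.

    unauthorised  - patch on an asset with no CAB record at all (items 8a/8b)
    out_of_window - installed before CAB approval or off the scheduled date;
                    emergency patches land here and must then be traceable
                    to the emergency change procedure (item 8c)
    not_applied   - approved and scheduled but never seen on the asset (item 8e)
    """
    by_key = {(c.asset, c.patch_id): c for c in changes}
    applied = {(p.asset, p.patch_id) for p in patches}
    unauthorised, out_of_window, not_applied = [], [], []
    for p in patches:
        c = by_key.get((p.asset, p.patch_id))
        if c is None:
            unauthorised.append((p.asset, p.patch_id))
        elif p.installed < c.approved or p.installed != c.scheduled:
            out_of_window.append((p.asset, p.patch_id, c.change_id))
    for key, c in by_key.items():
        if key not in applied:
            not_applied.append((c.asset, c.patch_id, c.change_id))
    return sorted(unauthorised), sorted(out_of_window), sorted(not_applied)


def run_reconciliation():
    """Run the check over the constructed sample data."""
    return reconcile(parse_patch_log(PATCH_LOG), parse_change_log(CHANGE_LOG))


if __name__ == "__main__":
    labels = ("unauthorised", "out of window", "not applied")
    for label, findings in zip(labels, run_reconciliation()):
        print(f"{label}: {findings}")
```

Each finding list maps to a different control question: an unauthorised patch means the change management mechanism was bypassed, an out-of-window patch must be matched to an emergency change record, and an approved-but-missing patch means the release was never completed on a critical asset.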
Overall, being resilient to DDOS attacks requires a multi-pronged approach, and as the frequency and nature of these attacks increase and become more complex, more trends will evolve over time and this checklist will improve.
Profile: Vinoth Sivasubramanian, ISACA Number 503366, is a certified CEH, ISO 27001 LA, and an information standards manager at UAE Exchange Centre LLC where he is responsible for the IT policies of the enterprise. Vinoth has six years of information security experience in telecommunications, finance and consulting. He is a founding member of ISSA UAE and can be reached at vinoth.sivasubramanian@gmail.com.
Simran Pal Singh, B-Tech I.T, CCNA, MCP Certified, ISACA Member, is a System Engineer at UAE Exchange Centre LLC focusing on security parameters and has 3 years’ experience in I.T Infrastructure. He is a member of ISSA UK and can be reached at simranosahan@gmail.com.
Vignesh is Director of IT audits in an audit firm providing information assurance services to big clients. He is CISSP/CISA certified.
FRAUD AND IT: POINTS FOR CONSIDERATION
By Santosh Noronha
“There are always people out there looking out to get around fraud measures.” – Betty Riess, Bank of America
Frauds are committed by innovative people on the lookout for loopholes within an organization’s internal control system, who exploit these loopholes for personal benefit. There is no limit to the imagination of people trying to get the information needed to commit fraud. In most organizations, information technology plays a key role in aiding or dissuading an individual from committing an offence. This article does not focus on best practices to prevent such offences but rather focuses on the red flags that one should look out for, because in my personal experience these red flags, though noticed, are often overlooked. It should be noted that in most cases control failures do not happen because of an organization’s unwillingness to adopt leading practice; rather it is due to the ingenuity of a human being that circumvents the best planned controls. This article is meant to assist readers entrusted with protecting information technology to be able to spot these ingenious individuals or fraudsters and their schemes.
Red flags to watch out for are:
1. Fraudsters prefer to use their personal IT resources for official business. By doing so the fraudster has greater control over electronic evidence and can cover his tracks. One of the most common reasons for not being able to recover electronic data pertinent to the fraud event is that the perpetrator used his personal IT resources. It is common to hear that the suspect preferred to work on his personal laptop or used his personal email ID rather than the one issued by the company.
2. Use of generic user IDs – A variant of the above point is a fraudster who creates a generic user ID with super-user access rights; in some other cases this ID is shared with other employees in the organization.
3. Sharing of password credentials – Fraudsters generally prefer to share their email or application login credentials with a group of employees, thus making it difficult to establish who perpetrated the fraudulent transactions. Some people also have a habit of using a common password for all their login credentials, whether personal or official. If the password is compromised in one place, it could lead to grave consequences.
4. In a large organization, a very senior executive resigned and joined a competitor organization. The IT department did not disable this executive’s email address as they were not informed about his resignation by the Human Resources Department. This executive received sensitive information about the organization through his email, which was part of the Management Committee’s email group. The organization allowed remote email access through Microsoft webmail and he could remotely access his emails without much restriction. Substantial damage was done before this was detected.
5. Introducing new applications – Most high-impact frauds are perpetrated by senior management personnel who are empowered to design controls. In these organizations fraudsters would push to either introduce new applications or to “upgrade” existing applications. The business case for changing the application is generally vague. What results is that the organization is in a much worse-off situation with the new application than previously and, more importantly, is unable to generate an audit trail for the transactions perpetrated by these individuals.
6. Credit cards – Organizations (merchants or issuing banks) fail to realize the sensitivity and importance of the data contained on the credit cards that routinely passes through the organization. Further, in many organizations there are few validation checks while processing a credit card transaction, thus resulting in disputes and losses due to charge-backs. Although the credit card industry has collectively issued standards to improve credit card data security and is actively working towards enforcing them, the incidence of credit card fraud continues to remain high.
7. Lose data when you lose human assets – In a fairly large organization, an employee who was informed that she was terminated accessed the shared folder and deleted all files, including the backup. In this organization the data and its backup were located in the same place. The organization did not think it appropriate to withdraw access from this employee before terminating her.
8. Use of ad hoc wireless networks – People using wireless Ethernet connect to the wireless network by attaching to a wireless Access Point (“AP”). This method is secure if configured in “Infrastructure Mode”, with a MAC address filter, some level of encryption, etc. However, if the individual is configured to communicate from machine to machine, also known as “Ad-Hoc”, then the connection may not be secure, as an “Ad-Hoc” network is a peer-to-peer configuration. The best place to find “Ad-Hoc” networks is the airport, where people waiting for their flights power up their laptops and use the waiting time to complete pending tasks. It is easy for anyone with a little know-how to connect to these networks and get access to the private or confidential data stored on these laptops, especially if strong authentication policies have not been put in place. Also, if you are compromised over a wireless network it is nearly impossible to track down where the attack came from.
9. Physical access controls – Most physical breaches are low-tech rather than hi-tech. It is more likely that an intruder enters through an unlocked door than uses a sophisticated electronic device to crack the number keypad lock. Further, some organizations do not use identification badges or, even worse, don’t ensure that the picture on the badge is a clear one. I have also noticed organizations where physical security restrictions within the premises are not enforced, thus allowing visitors unrestricted access once they have passed the main reception.
10. Internet security – The Internet is a vast array of loosely connected networks situated all over the world, easily accessible by individual computer hosts in a variety of ways. If you buy movie tickets online, you would need to fill in and submit an electronic form which will presumably contain your name, address and credit card number. This data will pass through a number of computers on its way to the movie ticket web server. It is once again possible for someone with the know-how to intercept this information. Emails and files transferred through unsecured FTP can also be intercepted.
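Several of the red flags above (generic IDs, shared credentials, and the leaver whose mailbox stayed open) leave traces in data that an organization already holds. The following is an added detection example, not part of the article: it runs three checks over a constructed HR leavers list, a constructed directory extract and a constructed authentication log. The column layouts, the 15-minute window and the three-host threshold are assumptions to be tuned per environment.

```python
"""Detect three of the red flags above from HR, directory and login data.

Added example, not part of the article. It flags (a) leavers whose account
is still enabled (red flag 4), (b) logins by a leaver after the termination
date (red flag 4), and (c) one user ID authenticating from several hosts
inside a short window, a common sign of a shared or generic credential (red
flags 2 and 3). All records are constructed samples; layouts, the window and
the host threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR leavers list: user id, termination date.
HR_LEAVERS = """\
jdoe,2010-06-01
asmith,2010-06-10
"""

# Constructed directory extract: user id, account state, remote mail access.
DIRECTORY = """\
jdoe,enabled,remote
asmith,disabled,none
svc_admin,enabled,remote
mkhan,enabled,none
"""

# Constructed authentication log: timestamp, user id, source host.
AUTH_LOG = """\
2010-06-15T09:00:00 svc_admin 10.0.0.11
2010-06-15T09:04:00 svc_admin 10.0.0.25
2010-06-15T09:09:00 svc_admin 10.0.0.31
2010-06-15T09:01:00 mkhan 10.0.0.40
2010-06-15T13:30:00 mkhan 10.0.0.41
2010-06-15T18:00:00 jdoe 203.0.113.7
"""

AS_OF = datetime(2010, 6, 15)        # date the directory extract was taken
WINDOW = timedelta(minutes=15)       # assumed window for the shared-ID check


def parse_leavers(text):
    leavers = {}
    for line in text.strip().splitlines():
        uid, left = line.split(",")
        leavers[uid] = datetime.fromisoformat(left)
    return leavers


def parse_auth_log(text):
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, uid, host = line.split()
        events[uid].append((datetime.fromisoformat(ts), host))
    return events


def stale_accounts(hr_text, dir_text, as_of):
    """Leavers whose account is still enabled on as_of, with their remote access."""
    leavers = parse_leavers(hr_text)
    findings = []
    for line in dir_text.strip().splitlines():
        uid, state, access = line.split(",")
        if uid in leavers and leavers[uid] <= as_of and state == "enabled":
            findings.append((uid, access))
    return sorted(findings)


def post_termination_logins(hr_text, log_text):
    """Authentications by a leaver after the termination date."""
    leavers = parse_leavers(hr_text)
    hits = []
    for uid, evs in parse_auth_log(log_text).items():
        if uid in leavers:
            hits.extend((uid, ts.isoformat(), host)
                        for ts, host in evs if ts > leavers[uid])
    return sorted(hits)


def shared_credential_suspects(log_text, window, min_hosts=3):
    """User IDs seen from at least min_hosts distinct hosts within one window."""
    suspects = []
    for uid, evs in parse_auth_log(log_text).items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                suspects.append((uid, len(hosts)))
                break
    return sorted(suspects)


if __name__ == "__main__":
    print("enabled leavers:", stale_accounts(HR_LEAVERS, DIRECTORY, AS_OF))
    print("leaver logins:", post_termination_logins(HR_LEAVERS, AUTH_LOG))
    print("shared-credential suspects:",
          shared_credential_suspects(AUTH_LOG, WINDOW))
```

The first two checks depend on HR and IT sharing the leavers list, which is exactly the hand-off that failed in red flag 4; the third is only an indicator, since a service account legitimately used from several hosts will also trip it and needs to be reviewed against the list of approved generic IDs.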
As stated above, this article does not focus on leading practices in securing your information and systems. There are numerous articles and publications on IT best practices which can guide an organization on how to protect its information assets. This article is meant to raise awareness of the red flags to watch out for, as knowing what the risks are can help an organization manage these situations better.
Santosh Noronha is a Manager with Ernst & Young Dubai working in the Fraud Investigation and Dispute Services Practice. Opinions expressed in this article belong solely to the author, and do not necessarily represent the views of Ernst & Young. To comment on this article, feel free to email the author at santosh.noronha@ae.ey.com
Business Continuity Management: The BS 25999 approach. By Mustapha
Ensuring the survival of a business through various economic fluctuations has always been a challenge for management at the helm of organizations. However, recent events like the 9/11 WTC collapse and terrorist attacks, the Tsunami catastrophe and several other sociopolitical events have brought forth a new, more extreme challenge: that of ensuring the physical existence of the business and of the resources and information that are required to serve its customers.
• What is Business Continuity Management?
An organization must identify the critical products and services that must be delivered to ensure survival and adherence to the legal and contractual obligations of the organization. A proactive planning process to ensure the above is called Business Continuity Planning.
• Business Continuity efforts in the past.
Business Continuity Management has been around for several years in various forms. However, no standard
was available for organizations to comply with. There have been various tools and guides, foremost among
them was the BSi initiated PAS 56 guide.
“PAS 56 Guide to Business Continuity Management describes the activities and outcomes involved in establishing a BCM process and provides recommendations for good practice. It provides a generic BCM framework for incident anticipation and response and describes evaluation techniques and criteria.” – BSi.
Another guide to assist individuals involved in the BCM process was the PAS 83.
“PAS 83 is aimed at the person responsible for implementing, delivering and managing BCM within an
organization (the BCM manager).” – BSi
• The BS25999 approach:
BS 25999 is the world’s first standard for Business Continuity Management. It replaces the old PAS 56 specification and comprises two parts:
Part 1, the Code of Practice, provides BCM best-practice recommendations. This is a guidance document only.
Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. This is the part of the standard that can be used to demonstrate compliance via an auditing and certification process.
(Definitions courtesy: British Standards; http://www.bsi-global.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/)
The Code of Practice (BS 25999-1) consists of:
o Section 1 - Scope and Applicability. This section defines the scope of the standard, clearly stating that it is a best practice guide for organizations.
o Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the standard.
o Section 3 - Overview of Business Continuity Management. It describes the overall process of BCM and its benefits to organizations.
o Section 4 - The Business Continuity Management Policy. Describes the requirement to create an unambiguous policy.
o Section 5 - BCM Program Management. This segment defines an approach for BCM.
o Section 6 - Understanding the organization. In order to implement business continuity strategies and tactics, understanding the organization, threats, risks and overall risk appetite is very important.
o Section 7 - Determining BCM Strategies. Once the organization is understood, the overall business continuity strategies can be defined for the organization.
o Section 8 - Developing and implementing a BCM response. This segment details all aspects of rolling out the BCP and strategy.
o Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. It is essential to test and exercise the BCP, without which an organization would not be able to ascertain shortfalls in the plans.
o Section 10 - Embedding BCM into the organization’s culture. Business continuity should not exist ONLY on paper, but must become a part of the organization’s culture. This segment defines ways to achieve just that.
The Specification (BS 25999-2) consists of:
o Section 1 - Scope. Defines the scope of the standard.
o Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.
o Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is predicated on the Plan-Do-Check-Act model of continuous improvement. The first step is to plan the BCMS, establishing and embedding it within the organization.
o Section 4 - Implementing and Operating the BCMS (DO), i.e. implement the plans. This section encompasses four sections of Part 1: understand the organization, determine BC strategy, develop and implement a BCM response and finally exercise/maintenance/review.
o Section 5 - Monitoring and Reviewing the BCMS (CHECK), i.e. ensuring that the BCMS is continually monitored; it covers internal audit and management review of the BCMS.
o Section 6 - Maintaining and Improving the BCMS (ACT), i.e. ensuring that the BCMS is appropriately maintained and improved and that corrective actions are taken.
The adoption of an effective BCM process within an organization will have immense and far-reaching benefits. Apart from the various straightforward benefits of a BCMS, like enabling mission-critical activities to recover from an incident, there are other intrinsic benefits.
o It assists in reducing the organization’s risk exposure, as the BCM will require carrying out a risk analysis and ascertaining appropriate controls to mitigate those risks.
o It also helps organizations meet legal and compliance obligations and achieve organizational efficiency.
o It can help protect shareholder value as risk exposure is reduced.
In today’s competitive business environment and a highly volatile socio-economic scenario, a BCMS is no longer a luxury, but an essential function for any organization.
References and further reading:
o http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030078064
o http://www.bsi-global.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/Benefits/
o http://www.etpconsulting.co.uk/Learn-Business-Continuity/business_benefits.htm
o http://www.thebci.org/gpg.htm
o http://www.thebci.org/standards.htm
Mustapha currently works with the Etisalat Network & Information Security Development section as Manager, Information Security Management, looking after Enterprise and Business units, working on infrastructure and service security, security research and policies in addition to managing ISMS projects within Etisalat. He has more than 9 years of information security experience, including stints with the Ministry of Information, Saudi Arabia, and Softcell Technologies (India) prior to joining Etisalat.
SOLVING THE PUZZLE CALLED BUSINESS IMPACT ANALYSIS
By Visveshwar R Subramaniam
Business Impact Analysis (BIA) is a vital cog in any business function in one company which is rated as
organization’s Business Continuity Plan (BCP). BIA is very critical may not even exist in another. In such a
different from other stages of BCP. In BIA we would complex scenario, it is of paramount importance to
assume a hypothetical situation of an organization being tailor-stitch the approach to suit the organization.
affected by a disruption and consider the repercussions
from a holistic point of view. Answer to the question
The ideal BIA should answer to the question “How long
“What Should I recover and how quickly should I
can a process wait before it creates an impact to an
recover” are determined solely on the results of BIA
organization?” Adopting the famous cliché “Disasters
process. The parameterisation and methodology used
occurs in different shapes and sizes”, it makes us
in BIA is by far the single most important factor when it
wonder what type of time scale or magnification
comes to successful business continuity operations.
should be adopted to determine our proposed disaster
scenario.
Even though BIA is universally considered as ‘a part’ One method of dealing with this uncertainty is to split
of the BCP process, carrying out BIA as an isolated up the aftermath of a disaster into two components
exercise could also prove beneficial to the organization. and they in turn should drive the analysis. The two
This article discusses three different aspects of BIA: components are: Effects of Disruption and Impacts of
methodology to conduct a successful BIA, arguing Disruption.
the case for BIA as an isolated exercise and how to
maintain BIA project lifecycle.
1. Effect of Disruption:
When a disruption occurs, it may result in a loss of
BIA – The science behind it
some tangible item. The losses lead to non availability
The recovery priority and the budget that will be of resources, which in turn may lead to non-functioning
allocated for putting in place contingency measures of a process and this in turn may lead to causing an
are determined by the results of BIA. Interestingly and impact to the organization.
rightly so there is no structure that could be followed
for BIA. BIA is like assembling pieces of puzzles into a
puzzle board that has no boundaries. A disruptive event may lead to one or more of the
following: unavailability or loss of key personnel,
physical assets, information assets and facility. In the
There is no “one size fits all” solution for BIA. A particular
ISSUE 3 VOL 1 THE MAGAZINE FROM ISACA UAE CHAPTER www.isacauae.org Page 13
effect, we are asking the question: “Can the function be carried out if these key resources are unavailable due to disruption?”

Quantifying and summing up the effect of disruption for a particular business function will help us understand the dependence of the function on key resources. For instance, a function which requires a person with a specific skill set may have a higher effect value than a function that can be carried out by personnel with normal requirements.

The ultimate aim of carrying out BIA is to identify the maximum tolerable downtime for a business function. It is important that we appreciate a function based on the impact it has on the organization, and should take into consideration the scenario of not having the key resources to carry out the particular function due to a disruptive event.

2. Impact of Disruption
The impact for an organization, when a function is disrupted, is calculated based on one or more of the following factors: financial impact, operational impact, legal or regulatory implication, impact on internal or external employees, and impact on vendors and suppliers.

For each of the applicable impacts, a value can be assigned depending on the impact. This “value” is subjective; it is impossible to arrive at it from a mathematical calculation. It is imperative that we involve business process owners during this exercise as they have a better understanding of their business. Coming back to business functions, it is important to make sure that granularity is kept to a minimum, as going down to a process-level approach may complicate the scenario.

The linkage – BIA and Recovery Priority
Another contentious issue is how to translate the numerical value of impact into approved recovery time limits. If the impacts and effects calculated translated directly to the Maximum Tolerable Downtime, our jobs would be easier.

One way of assigning maximum tolerable downtime to the processes is by categorizing the functions as business critical, enablers, important processes, and ‘can wait’ processes based on the effect and impact attributes. Later, a time bucket can be created for each of the above categories.

So what are the time buckets? A shorter recovery time means more financial commitment and more work load. The analysis that we have carried out for effects and impacts of disruption should be comprehensive enough and self-explanatory to convince the top management for any additional budget support.

One important consideration for projecting the accepted downtime for a function is for us to see the bigger picture of the organization and not isolated departments. The recovery priority should be one single sheet which contains all the functions, sorted in chronological order of recovery.

BIA – an isolated exercise
The success of a BIA exercise depends on how well we understand the business of the organization. It is one stage where the process owners sit across the table and discuss with the BCP team the intricacies of business operations. A functional analysis of the department is carried out, and this can help us have a real insight into what is happening within the organization.

There may be processes that exist in documentation but are no longer carried out. At the same time, there might be processes that are being done for which no documentation exists. These gaps can be filled during the course of a BIA exercise.

As the processes are carried out on a day-to-day basis, we may never know that we are so drastically dependent on something that we tend to take it for granted. For instance, a manufacturing company might not even consider its regular raw materials supplier as a key resource, as it is dealing with that particular company on a day-to-day basis. A BIA exercise can help the organization appreciate the importance of dependencies.

BIA – Lifecycle
BIA is not a one-off activity. Almost all business continuity plans have provision for testing the recovery strategies. Drills are conducted to test the emergency response, and live tests are conducted to ascertain if recovery strategies are available within the specified time limit. Maintenance activities are carried out on a periodic basis to ensure that the right personnel are available to carry out their respective roles in the BCP. We may even carry out a checklist-guided risk assessment.

The BIA result affects the recovery strategies. The impact of a business function on an organization might change over a period of time, i.e. a process which might have been the most critical and the first to be recovered due to its financial returns may no longer give the same returns to the organization. In such a scenario, do we need the same recovery strategy for that process? If the BIA is not current, we may end up spending money on maintaining backup strategies for a process that doesn’t exist!

Another important factor will be new regulatory requirements affecting the organization. Suddenly there may be a process within the legal department which cannot be disrupted.

There should be enough appreciation of BIA within the organization. It should be ensured that any new functions that are introduced will be analyzed and brought under the purview of BIA.
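As an added example (my own code, not the author's and not from any BCP tool), here is the scoring and bucketing described above carried through end to end: each business function carries the process owner's effect ratings for the four key resources and impact ratings for the five impact factors, the totals place it in one of the four categories, each category maps to a time bucket, and all functions from all departments are sorted into a single recovery priority sheet. The 1 to 5 rating scale, the category thresholds and the bucket hours are assumptions chosen for illustration; the sample functions are constructed.

```python
"""Added example (not from the article): scoring BIA effect and impact attributes,
placing each business function in a time bucket, and producing one recovery
priority sheet for the whole organization. Category names follow the article;
the 1-5 scale, the thresholds and the bucket hours are assumptions."""
from dataclasses import dataclass

# Key resources whose loss is an "effect of disruption" (named in the article).
EFFECT_RESOURCES = ("key_personnel", "physical_assets", "information_assets", "facility")
# Impact factors named in the article.
IMPACT_FACTORS = ("financial", "operational", "legal_regulatory", "employees", "vendors_suppliers")
# Assumed maximum tolerable downtime per category, in hours (the "time buckets").
TIME_BUCKETS = {"business critical": 4, "enablers": 24, "important": 72, "can wait": 168}


def ratings_are_valid(ratings: dict, allowed: tuple) -> bool:
    """The ratings are subjective, so at least enforce the agreed keys and the 1..5 scale."""
    return set(ratings) <= set(allowed) and all(1 <= v <= 5 for v in ratings.values())


@dataclass
class BusinessFunction:
    name: str
    department: str
    effect: dict    # resource -> dependence rating 1..5, given by the process owner
    impact: dict    # factor -> impact rating 1..5, given by the process owner

    def __post_init__(self):
        if not ratings_are_valid(self.effect, EFFECT_RESOURCES):
            raise ValueError(f"{self.name}: bad effect ratings {self.effect}")
        if not ratings_are_valid(self.impact, IMPACT_FACTORS):
            raise ValueError(f"{self.name}: bad impact ratings {self.impact}")

    def effect_score(self) -> int:
        """Sum of dependence ratings: the more key resources a function needs, the higher."""
        return sum(self.effect.get(r, 0) for r in EFFECT_RESOURCES)

    def impact_score(self) -> int:
        return sum(self.impact.get(f, 0) for f in IMPACT_FACTORS)


def categorize(fn: BusinessFunction) -> str:
    """Assumed thresholds (maximum effect score is 20, maximum impact score is 25)."""
    e, i = fn.effect_score(), fn.impact_score()
    if i >= 18:
        return "business critical"   # the organization cannot absorb the loss
    if e >= 14 and i >= 12:
        return "enablers"            # heavy dependence on key resources that other functions share
    if i >= 12:
        return "important"
    return "can wait"


def recovery_priority_sheet(functions):
    """One sheet for the whole organization, in order of recovery: shortest
    time bucket first, higher impact first within a bucket."""
    rows = []
    for fn in functions:
        cat = categorize(fn)
        rows.append({"function": fn.name, "department": fn.department, "category": cat,
                     "mtd_hours": TIME_BUCKETS[cat], "impact": fn.impact_score(),
                     "effect": fn.effect_score()})
    rows.sort(key=lambda r: (r["mtd_hours"], -r["impact"], -r["effect"], r["function"]))
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


# Constructed sample input: five functions from five departments.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Online order processing", "Sales",
                     {"key_personnel": 3, "physical_assets": 4, "information_assets": 5, "facility": 3},
                     {"financial": 5, "operational": 5, "legal_regulatory": 3, "employees": 2, "vendors_suppliers": 4}),
    BusinessFunction("Raw material procurement", "Supply Chain",
                     {"key_personnel": 3, "physical_assets": 3, "information_assets": 3, "facility": 2},
                     {"financial": 4, "operational": 5, "legal_regulatory": 2, "employees": 2, "vendors_suppliers": 5}),
    BusinessFunction("Core network and servers", "IT",
                     {"key_personnel": 4, "physical_assets": 5, "information_assets": 3, "facility": 4},
                     {"financial": 3, "operational": 4, "legal_regulatory": 1, "employees": 3, "vendors_suppliers": 2}),
    BusinessFunction("Payroll", "HR",
                     {"key_personnel": 2, "physical_assets": 1, "information_assets": 4, "facility": 1},
                     {"financial": 3, "operational": 2, "legal_regulatory": 4, "employees": 5, "vendors_suppliers": 1}),
    BusinessFunction("Internal newsletter", "Communications",
                     {"key_personnel": 1, "physical_assets": 1, "information_assets": 2, "facility": 1},
                     {"financial": 1, "operational": 1, "legal_regulatory": 1, "employees": 2, "vendors_suppliers": 1}),
]

if __name__ == "__main__":
    for row in recovery_priority_sheet(SAMPLE_FUNCTIONS):
        print(f'{row["rank"]:>2}. {row["function"]:<26} {row["department"]:<15} '
              f'{row["category"]:<18} MTD {row["mtd_hours"]:>3} h  '
              f'(effect {row["effect"]}, impact {row["impact"]})')
```

The sort key is what turns departmental BIA results into the single sheet the article asks for: two functions in the same bucket are ordered by impact, so the raw-material procurement function (high impact, moderate dependence on key resources) lands right behind order processing rather than being buried under its own department's list.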
BIA needs to be revisited on a periodic basis. The period of repeat has to be decided by the organization. Carrying out BIA on a yearly basis may keep the list of functions and their impact current. However, such a strategy may require moving processes up and down the priority ladder and hence making major changes to the recovery strategies.
Carrying out BIA whenever there is a change in the business environment can be another option. Business directives, regulatory requirements, market expansion, and the launch of new products or services may serve as indicators for carrying out a BIA.
Visveshwar R Subramaniam B.E, CCNP, MCSA, MCTS, is an Information Security Consultant working with Baker Tilly MKM, UAE. He was
involved in development of Business Continuity Plans for clients in the ITES, Banking and Logistic sector. ISACA membership no: 629325
CALL FOR ARTICLES FOR ISACA UAE MAGAZINE
Submission deadline for the next issue is OCT 30, 2010.
Email your articles to the Associate Editor at: hchede@gmail.com
Interview with Mr. Ahmad M. Mulla
I.T. GOVERNANCE: TAKING IT FROM THE TOP
Mr. Ahmad M. Almulla has extensive experience in the field of I.T., spanning over 20 years. He started his career as a Programmer in 1988 in Dubai Aluminium Company Limited and since then has worked in all the areas of the Information Technology department such as Application Development, Information Security, Architecture Design and Networking, Process Control, etc., and is currently Vice President, Information Technology of Dubai Aluminium Company Limited (DUBAL). He is also a member of the Executive Management Committee in DUBAL. He holds a Bachelor of Science in Computer Engineering from The University of Arizona and a Master of Business Administration (MBA) from the University of New England, Australia. Additionally, he has completed the “Program for Executive Development” from the International Institute for Management Development (IMD).
Yatri Jerajani (Senior Project Leader– I.T. Governance) & Saptorshi Datta (Senior
Information Systems Auditor) at Dubai Aluminium Company Limited (DUBAL) spoke
to Ahmad M. Almulla - Vice President, I.T., Dubai Aluminium Company Limited to
know his views on I.T. Governance. Following is the transcript of the interview.
Saptorshi: Good Morning Ahmad. We wish to speak on “I.T. Governance” which we all know is one of your favourite
topics and very much close to your heart. Can you please tell us, what is Governance all about?
Ahmad: A very good morning guys. Yes, you people are very much right in saying that I.T. Governance is very close
to my heart and is a matter of prime importance in today’s business scenario irrespective of the nature of
business. Now let me explain what governance is. Governance is the policies, roles, responsibilities, and
processes that you establish in an enterprise to guide, direct, and control the activities and processes to
accomplish business goals. Every organization has unique needs and goals that will affect its approach to
governance. Good governance will result in achievement of business goals and is in line with all applicable
laws, regulations, and ethics.
Saptorshi: Ahmad, we have seen people getting confused between Corporate Governance and I.T. Governance. What are your views, and also tell us why people give so much importance to I.T. Governance these days?
Ahmad: Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a corporation. Corporate governance also includes the relationships
among the many players involved (the stakeholders) and the corporate goals. The principal players include
the shareholders, management, and the board of directors, other stakeholders include employees, suppliers,
customers, banks and other lenders, regulators, the environment and the community at large.
Information Technology Governance is a subset discipline of Corporate Governance focused on Information
Technology (I.T.) systems and their performance and risk management. It deals primarily with the connection
between business focus and I.T. management of an organization.
We all know that I.T. Governance is defined as “… The leadership and organizational structures and
processes that ensure that the organization’s I.T. sustains and extends the organization’s strategies
and objectives.” by I.T. Governance Institute.
People nowadays give so much importance to I.T. Governance as I.T. has now spread into all the units in a
business and in today’s world we cannot think about businesses surviving without IT. An organisation without
I.T. governance is reactive, unable to plan, acquire or develop the correct skills or understand priorities and
meet the business objectives.
For example without a structured process, all projects are number-one priorities. With budgets being cut for
I.T., it is difficult to know where to focus. I.T. governance processes allow I.T. to understand and manage
I.T.-enabled business change. The business determines priorities and defines investments, allowing I.T. to
identify their staffing, infrastructure requirements and make investments in the correct skill sets, training and
hardware at the correct time, ensuring value to the organization.
Saptorshi: Have you implemented I.T. Governance in DUBAL?
Ahmad: Yes, DUBAL has implemented I.T. Governance. This has been done by having an internally defined framework for I.T. governance. Please have a look at this diagram, which will help you to understand how we have implemented it in DUBAL. This framework is also reviewed regularly and updated should we feel changes are required.
Yatri: Hi Ahmad. I was listening to the conversation and waiting to ask you about your opinion regarding
primary goals for implementing I.T. Governance?
Ahmad: Yatri, I was expecting such a question from you. We implemented I.T. Governance in DUBAL to achieve the
following:
• Align I.T. strategy with the business strategy
• Assure management that the investments in I.T. generate business value
• I.T. related risks are managed appropriately
• Management of I.T. resources
• Measuring the performance of I.T.
This is performed in DUBAL by way of measuring the KPIs using a Balanced Scorecard (BSC). The BSC has
been implemented organisation wide including I.T. which is contributing to the organisational Vision, Mission,
Strategy and Goals.
Saptorshi: We hear about many I.T. frameworks. Did you follow any existing available I.T. Governance
framework?
Ahmad: While we reviewed the various frameworks available for I.T. like COBIT, ITIL, etc. we did not directly take
them as our I.T. governance framework but tailored them to our requirements and implemented our own
framework.
Yatri: It is very remarkable that you have not adopted any framework but tailored them as per DUBAL’s
requirement. Can you please tell us how and when did you start your journey? What was the approach
adopted and where are you now?
Ahmad: We started our journey in this direction way back in 2006 by defining a formal I.T. strategy in line with the
vision set forth by our company management.
I.T. Strategy set the objectives with focused activities such as:
a. Reinforce Customer Orientation
b. Restructure I.T.
c. Transform Infrastructure
d. Sustain Operational Excellence
e. Develop & Implement Outsourcing Strategy
This required a restructuring of the I.T. organisation and the creation of a dedicated department for I.T. Governance which would directly report to me, thus ensuring an independent, unbiased view of how I.T. is performing.
In 2007 we created our own I.T. Governance Framework and implemented this as our I.T. Balanced Scorecard which
contributed to the Corporate Balanced Scorecard. We also did a benchmarking against COBIT, ITIL, and ISO20000 to
check where we stand as per the international best practices, frameworks and standards.
In 2008 we set up the I.T. Governance Committee and redefined all the I.T. processes in line with ITIL and the requirements of ISO 20000-1:2005.
In 2009 we got certified to ISO 20000-1:2005. Presently we continue to learn, and based on our learnings we continue to enhance and integrate our performance statistics.
Saptorshi: Ahmad, I am very curious to know how long it took to implement the I.T. Governance framework.
Ahmad: It took us about 4 years to reach where we are today and we continue to learn by consistently planning,
implementing, following, reviewing, measuring and correcting our efforts using a continuous improvement
methodology by way of a PDCA (Deming’s) cycle based approach as advocated by most of the frameworks
and standards available today.
Yatri: Ahmad, do you require consultancy services to implement I.T. Governance? Did you seek any external
expertise in implementing the I.T. governance framework?
Ahmad: For specific initiatives like implementation of ISMS and ITSM in DUBAL we did seek help of external expertise
but there was no specific external expertise sought to implement the I.T. governance framework at DUBAL.
Saptorshi: As you said that you have a dedicated I.T. Governance department in DUBAL and this department has
been formed after you took over as CIO. What exactly is the function of the department?
Ahmad: Yes, you are correct, the department came into existence in 2006 when we defined our I.T. strategy in line with the corporate strategy. This department directly reports to me and it ensures and provides assurance that I.T.’s contribution is in line with our annual objectives (which are aligned with our business requirements) by
defining, guiding, supporting, measuring, and validating, the adequacy & effectiveness of the processes of
Information Technology.
The I.T. governance section looks after:
• I.T. Strategy / Strategic Objectives Implementation
• Project Management Office (PMO)
• I.T. Balanced Scorecard (BSC) / I.T. KPI Reporting
• I.T. Documentation & Quality Assurance
• Annual Maintenance Contracts
• I.T. Audits
• Information Security Management System (ISMS)
• I.T. Service Management System (ITSM)
• Annual CAPEX, OPEX & Man Power Planning
• I.T. Customer Survey
• Training Programs, etc
Yatri: As an IT professional I know that there is a lot of hardship faced in implementing something new. Can you please share with us the typical challenges faced during implementation?
Ahmad: Yes Yatri, like any other I.T. project, we also faced challenges. I can share with you a number of challenges that we faced during the project. But the biggest challenge I see that we had, and very admirably addressed, was cultural change management. They are as follows:
• Resistance to change
• Keeping expectations at a realistic level
• Implementing newly developed processes, policies and procedures
• Identify, measure, and manage appropriate KPIs
• Meeting project deadlines amidst other operational involvement
• Striking an optimum balance between business needs, cost, and resource availability
Saptorshi: We all would like to know what are the key success factors which contributed to your implementation
of IT Governance?
Ahmad: We faced quite a few challenges and some of the important ones are:
• Sustaining Management support and commitment
• Making sure we know:
  - Where we are (e.g. Gap assessment / Benchmark)
  - Where we want to go (Scope, maturity)
  - How to get there (Initiating the project / allocate resources)
  - How do we know whether we got there (e.g. KPIs, Certification)
• Awareness and training
• Cultural Change Management
• Resource commitment
Saptorshi: What are the benefits you have seen having implemented I.T. Governance?
Ahmad: Saptorshi, please look at the table here (given below) as to how I.T.’s performance has improved over a period of time. As we have matured over a period of time, the table below shows how we have not only improved on the KPIs that we were measuring but also introduced new KPIs.

MEASURES                                          2006          2007          2008          2009
CAPEX Expenditure                                 66.51%        83.57%        72.68%        72.66%
OPEX Expenditure                                  81.36%        102.29%       100.50%       88.01%
Customer Satisfaction                             Not measured  92.00%        93.00%        94.00%
Quality of Service Provided                       Not measured  Not measured  Not measured  90.24%
Quality of Projects delivered                     Not measured  Not measured  Not measured  87.48%
Delivery of Projects within Time                  84.80%        92.18%        94.78%        94.94%
Availability of I.T. Services                     99.90%        99.71%        99.44%        99.80%
Progress of Risk Treatment                        Not measured  Not measured  Not measured  89.70%
Retention, Attraction, and Development of Skills  Not measured  72.67%        93.90%        94.11%
Over and above this, it has helped DUBAL in recent years to win the following awards (specifically from an I.T. perspective):
I.T. Governance Assurance Forum Award 2006
ACN Arab Technology Award 2007
CIO 20 Middle East 2008
ACN Arab Technology Award 2008
Excellence in Information Integrity Awards – Gold Award (For-Profit) 2008
I.T. Governance Assurance Forum Award 2008
Oracle BI / EPM Excellence Award 2009
CIO Top 10 ME Award 2009
This has also helped DUBAL in getting certified and continued certification to the various standards as given here
• ISO 9001:2000 : Quality Management Systems
• ISO/TS 16949:2002 : QMS for Automotive Production & Relevant Service Part Organization
• ISO 14001 : Environmental Management Systems
• OHSAS 18001 : Occupational Health & Safety Management Systems
• ISO/IEC 27001:2005 : Information Security Management System
• ISO/IEC 20000-1:2005 : Information Technology Service Management
Yatri: Ahmad, before we end this interview could you please tell us how you continue to ensure that your I.T. governance activities are aligned to the business?
Ahmad: Every year, in line with the corporate vision set forth all the business units of DUBAL (including I.T.) define
their strategic objectives and measure them throughout the year. The I.T. Strategy and the yearly strategic
objectives are reviewed at the start of the year to check their alignment to Corporate Strategy and Corporate
Strategic Objectives. Subsequently the Corporate Objectives at the corporate level and the I.T. objectives at
the I.T. level are reviewed through review meetings conducted bi-annually where the progress reports for all
initiatives are reviewed. Over and above this I.T. Strategy related Audits are conducted regularly.
Saptorshi and Yatri:
Thank you Ahmad for sharing your views on I.T. governance with us, and we appreciate you taking some time off from your busy schedule and providing us your invaluable time to chat and inform us on this extremely important topic, and one of your favourites, I.T. Governance. We are sure ISACA UAE Chapter members will find these views very useful and inspiring.
CGEIT Exam Boot Camp
For more details please contact Mr. Hariprasad Chede on 050-6841501 or email at: hchede@gmail.com
ONE ATTACK, I GOT ADMITTED
By Joysree Chatterjee
Don’t be scared, it’s not a heart attack, but yes, it was an attack because of which today I took an interest in the protection of information systems and got enrolled in CISA.
Every morning I report to a person who is CISA qualified; my boss is CISA qualified, and his name has fewer letters than his degrees. Whenever I speak of increments he asks me for a professional degree, that too any degree which will help to protect the information assets. I used to grumble that he is not interested in giving me a salary hike, but yes, he always has the same idea, to achieve a degree. He told me, “You are still young, and can appear for professional degrees,” but at that point of time I was running in my late 20’s. I was always in a dilemma: being a married lady, how can I devote time to studies? Every day he used to remind me, when will I register myself for CISA, but I didn’t give importance to that. I used to grumble that he is not ready to pay an increment but he is after me for wastage of my money. The argument was still on ….
After a few days, one incident changed my views. I was excited to chat with my friends and I found my mail box empty; it was without a single mail, none of the old mails were there, and all my public chat boxes were without any messages or scraps. I discussed it with my friends. I was simply shaken, because I had heard about hacking but never faced it. I was very upset that all my favourite mails were no more in my mail box; my father, who is no more in this world, I lost his mails also. Many of my important bank account numbers and statements were saved in my mail box and then I felt the importance of security. I had to stop all my bank transactions for a few days, because I used to store my PIN numbers in my mail box. I was very much dependent on my mail box; in short you can say that it was not only a financial loss but also an emotional loss. I was staying in an apartment without a lock, which I realized the day my mail box was attacked by a hacker.
Luckily or incidentally it happened to me, so I could feel how bad we feel when we lose all our assets. Yes, it was not a regular asset, it was all my information assets.
I was unable to sleep for the entire night. The next day I came to office, and the first activity done by me that day was that I finally registered with ISACA.
It was good that, better late than never, I understood the importance of Protection of Information Assets.
What I feel is that awareness is still very low. The young generation is addicted to mail boxes and all these chat rooms, so the generation should be well aware of the protection of all types of assets used by them on a daily basis. Some children share their parents’ laptop, Blackberry or PC or any other source by which much data can be leaked, but not only the children, the parents are not at all bothered.
When we invest money somewhere we think to extract the most out of it, to utilize the whole amount invested. The same thing I did: I started attending all the seminars conducted by the ISACA UAE chapter. My interest grew more when I went to all those seminars conducted by the UAE chapter. Believe me, friends, registration is not the end for CISA; attending all these events will open up many views which we are not at all aware of. I really liked a seminar which was on business disaster & recovery.
Business continuity planning (BCP) and contingency planning in support of operations are elements of an internal control system established to manage availability and restore critical processes in the event of interruption.
The most important part of such a plan deals with the cost-effective support of the information system.
The ultimate goal of the process is to be able to respond to incidents that may impact people, operations and the ability to deliver goods and services to the marketplace. My organization is implementing ERP, so I am very busy, but I decided to join the classes so that I can at least understand what CISA is all about. The CISA classes are like chocolate sauce topping on a delicious ice cream.
Till now I have attended 3 classes. Believe me, dear friends, once you meet all the persons who are already qualified you get a boost for studying further. The same happened with me: once I reach class and see that age is no bar here, I feel so happy. I always used to regret why I started late, but after meeting my classmates in the UAE chapter I feel that I am not late. Thanks to the hacker who hacked all my mails, and of course my boss who has promised me better stability after I achieve my CISA degree.
Nowadays, we are so much dependent on systems. I don’t remember when I last went to a ticket counter for purchasing movie tickets; I don’t remember when I paid my utility bills in cash. Everything that I do, rather, we do, is online payments, so we should be really very much aware of all these facts.
When we spend a single penny from our pocket we are always careful, so now it is the time to think on behalf of our owners or from the management’s point of view: how can we protect the assets, which will be a profit to the entire society.
Now my interest towards CISA is 100%. I am not concerned about the degrees, but yes, all this awareness will give me a proper angle to give my best for my organization. Getting enrolled and understanding the importance of the CISA degree was simply an affair, but joining the CISA classes declares that I am finally married.
The role of Information System auditors is becoming very significant, so CISA certification will not only benefit the candidates but also the management. People gathering knowledge can give their best for the management.
Safeguarding assets, maintaining integrity and consuming resources efficiently should be the aim of an IS Auditor. The expectations from auditors are high across the globe; they represent higher management, so they should follow the best practices. Most organizations are dependent on information systems, each and every transaction is processed online, so the management wants that assurance from the auditors that they will take care of the organization and understand the business.
Ever since I decided to appear for CISA I have really benefited. I am aware of the best practices followed not only in the country where I stay now, but also of the best practices followed and accepted globally. I am aware of the role of Information Technology in achieving sustained regulatory compliance. If we can work in a team we can provide a reliable IT processing environment.
I am working in the Internal Audit department, which, linked up with my professional degree, will allow me to perform best for my present organization. We stop studying after our college days, but nowadays we should really be aware of all the facts, which will automatically come if we attend all the seminars and lectures by qualified people or go through the study magazines.
I always dreamt of working in the police or CID department, but my parents & my brothers didn’t allow me, being the one and only pampered girl member; they used to think, how can I fight or face criminals? But now I am sure that my dream will come true very soon. I will love to face the cyber criminals, for which I don’t have to fight physically but yes, mentally. In the near future I would wish to work as a private detective and investigator to reduce crime-related issues with information systems, but till then I will give my best for my present company and assure the management that their information systems & assets are all protected.
Joysree Chatterjee
0554941020.
PHISHING – THE BIGGEST THREAT TO ONLINE TRANSACTIONS?
By Biju Nair
Background
Frauds using the Internet and other electronic media have been on the increase ever since the popularity of the internet spread beyond the research laboratories. While critical transactions through the Internet like online shopping, online banking and online trading gathered momentum, so did online frauds, and we started calling them e-crimes. In a March 2010 report published by the UK Payments Authority, online losses were reported at 59.7 million pounds for 2008-2009, which is a 14% increase compared to the previous reporting period. This is in contrast to the trends shown in other areas of card fraud, which showed a decreasing trend during the corresponding period. Phishing, coupled with the distribution of Trojans through phishing emails and fake websites, has become the most widespread form of e-crime at present.

Phishing, as a form of financial crime, has come a long way since the technique was first described in technical literature in 1987 and the first recorded use of the term phishing in 1996. Now Vishing, Pharming, Spear phishing, Whaling and typo phishing have evolved from the traditional “phishing”. Phishing, in its simplest definition, is a “criminal mechanism employing both social engineering and technical ploys to steal consumers’ personal identity data and financial account credentials.”

The Current Trends
The most recent survey report (May 2010) on phishing from Antiphishing.org has revealed the following disturbing trends in phishing.

• The Avalanche phishing gang was responsible for two-thirds of all phishing attacks launched in the second half of 2009.
• More brands were under attack than ever before, hitting a record high in Q4 2009.
• Financial Services (39%) and Payment Services (33%) continue to be the most targeted industry sectors.
• Use of sub-domains in hosting phishing sites is on the increase and could become a bigger target in the future.
• One of the most positive trends shown by this survey was that the average uptime of all phishing attacks continued to drop compared to previous periods.

Avalanche is the name given to the world’s most prolific phishing gang, and to the infrastructure it uses to host phishing sites. They perfected a system for deploying mass-produced phishing sites, and for distributing
malware that gives the gang additional capabilities for theft. This was also used to distribute the dangerous Trojan named Zeus, a sophisticated piece of malware that the criminals incorporated into their phishing and spamming campaigns. Current trends show reduced activity by Avalanche compared to the second half of 2009; however, researchers fear that this is just a time of hibernation. They are expected to rejuvenate, probably with a different name and a different modus operandi, just like their predecessor Rock Phish, which was very prolific and successful from 2006 to 2008.
Phishing website uptimes
The most critical success factor against phishing attack, in addition to user awareness, is the speed with which the
fake websites can be brought down. This needs the concerted efforts of the security professionals, internet service
providers as well as regulators. The APWG report shows the results of these efforts across different countries in the
world. Given below is the table showing the regions’ performance against some of the more internet savvy countries
in the world.
TLD  TLD Location          Unique phishing attacks 2H2009  Unique domain names used for phishing 2H2009  Domains in registry Nov 2009  Average uptime 2H2009 (hh:mm:ss)
ae   United Arab Emirates  8                               7                                             87,000                        80:20:04
bh   Bahrain               1                               1                                                                           80:43:05
kw   Kuwait                2                               2                                                                           331:46:23
sa   Saudi Arabia          12                              7                                             17,543                        59:16:41
uk   United Kingdom        14,387                          1,554                                         8,098,544                     15:41:22
in   India                 176                             66                                            570,523                       28:48:21
cn   China                 2,826                           228                                           13,680,727                    15:32:32
More efforts are required in the region to reduce the average uptime of these phishing websites. It is in this context
that the setting up of aeCERT and their effective operations gains significance. Since their efforts have been very
commendable in the space of information protection so far, the average uptime of the phishing web sites will hopefully
keep on decreasing thereby giving better protection to consumers as well as the businesses in the region.
Protection against Phishing Attacks
While awareness creation and improved transaction processes are the best defense against transaction fraud carried out through phishing attacks, certain technical solutions also provide proactive defense against outbreaks of such attacks.
Digital watermarks
A digital watermark is a hidden seal embedded in a web page. When such a web page is duplicated, monitoring teams can be alerted and the fake site can be taken down. The source IP addresses accessing the phishing site can be tracked using the watermark. This enables tracking of affected accounts (by analysing, in the Internet Banking logs, which accounts were accessed from those source IPs). Sometimes the first source IP is the attacker testing the site, and hence that IP can also be blocked.
DNS Monitoring
Continuous monitoring of newly hosted domains whose names and web addresses resemble the organisation's own gives protection against the possible hosting of phishing sites.
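The screening step behind such monitoring, as an added example (not code from the article or from ISACA): it assumes the defender already receives a feed of newly registered or newly resolving domain names (a constructed sample is embedded below) and wants an automated first pass that flags look-alikes of a protected brand for human review. The brand names, the confusable-character list and the feed are all assumptions made for the example.

```python
"""Screen newly observed domain names for look-alikes of a protected brand.

Added example; not code from the article or from ISACA. It assumes the defender
already receives a list of newly registered or newly resolving domains (here a
constructed sample) and wants an automated first pass before human review.
"""
from typing import List, Optional

# Constructed brand list for the example. A real deployment loads its own.
PROTECTED_DOMAINS = ["examplebank.ae", "examplebank.com"]

# Common character substitutions seen in look-alike names (assumed list).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches single-keystroke typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'examplebank' for 'www.examplebank.ae'.

    Simplification: treats the last label as the TLD. Production code should
    consult the Public Suffix List so that names like 'x.co.ae' are split right.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_confusables(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def classify(candidate: str, protected: List[str] = PROTECTED_DOMAINS,
             max_distance: int = 2) -> Optional[str]:
    """Return a human-readable reason if the candidate resembles a protected brand, else None."""
    cand = candidate.lower().strip(".")
    if cand in protected:
        return None  # one of our own names
    labels = cand.split(".")
    label = registrable_label(cand)
    for brand in sorted({registrable_label(p) for p in protected}):
        if label == brand:
            return f"brand name '{brand}' registered under a TLD we do not own"
        if brand in labels[:-2] or brand in label:
            return f"contains brand name '{brand}'"
        if normalize_confusables(label) == brand:
            return f"confusable-character spelling of '{brand}'"
        distance = levenshtein(label, brand)
        if distance <= max_distance:
            return f"edit distance {distance} from '{brand}'"
    return None


def scan(feed: List[str]) -> List[tuple]:
    """Run classify() over a feed and keep only the hits, for an analyst to review."""
    hits = []
    for domain in feed:
        reason = classify(domain)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample feed standing in for a new-domain data source.
SAMPLE_FEED = [
    "examplebank.ae",                        # ours
    "examplebank.net",                       # same name, foreign TLD
    "examplebank-login.com",                 # brand embedded in the label
    "login.examplebank.ae.evil-host.com",    # brand used as a subdomain
    "exarnplebank.ae",                       # 'rn' imitating 'm'
    "examplebamk.ae",                        # one-character typo
    "unrelatedshop.com",                     # benign
]

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_FEED):
        print(f"{domain:40} {reason}")
```

The checks are ordered from most to least specific so the reason reported is the most useful one for an analyst; every hit still needs a person to decide whether it is a registrar's legitimate customer or a page that should go to the takedown process described in the article.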
Referrer logs
A sudden influx of referrals to the genuine website from a single source other than a search engine could indicate that a phishing attack on the brand is under way. This is because the phishing site very often links back to the original website for images and other non-critical links; these are fetched or clicked by the users, and the fake site's address then appears in the referrer field of the genuine site's logs.
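The referrer check described above, as an added example (not code from the article or from ISACA): it assumes Apache/nginx "combined" access-log lines (the sample log is constructed), that the defender knows its own hostnames and the search engines it expects referrals from, and a hypothetical hit threshold. Besides the referring host it records the paths hot-linked, the distinct client IPs (the victims, which is where the account analysis mentioned under digital watermarks starts) and the first client seen, since the article notes that the first visitor is sometimes the attacker testing the page.

```python
"""Spot hot-linking from a phishing page by watching the Referer field.

Added example; not code from the article. Assumes Apache/nginx 'combined'
access-log lines (the sample below is constructed) and that the defender knows
its own hostnames and the search engines it expects referrals from.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed values for the example.
OWN_HOSTS = {"examplebank.ae", "www.examplebank.ae"}
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def referer_host(referer: str) -> Optional[str]:
    """Hostname part of a Referer URL, or None when the field is empty ('-')."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def suspicious_referers(lines: List[str], threshold: int = 3) -> Dict[str, dict]:
    """Group requests by external referring host; report hosts at or above threshold.

    For each host we keep the paths requested (typically logos, CSS and scripts
    that the fake page embeds from the real site), the distinct client IPs (the
    victims) and the first IP seen, which may be the attacker testing the page.
    """
    hits: Counter = Counter()
    paths = defaultdict(set)
    clients = defaultdict(set)
    first_seen: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        host = referer_host(m.group("referer"))
        if host is None or host in OWN_HOSTS or host in SEARCH_ENGINES:
            continue
        hits[host] += 1
        paths[host].add(m.group("path"))
        clients[host].add(m.group("ip"))
        first_seen.setdefault(host, m.group("ip"))
    return {
        host: {
            "hits": n,
            "paths": sorted(paths[host]),
            "clients": sorted(clients[host]),
            "first_client": first_seen[host],
        }
        for host, n in hits.items() if n >= threshold
    }


# Constructed sample log: four hot-linked asset requests from one unknown host,
# plus the ordinary traffic (search engine, own site, no referrer, a blog).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [12/Jul/2010:09:14:02 +0400] "GET /img/logo.png HTTP/1.1" 200 5120 "http://examplebank-login.com/secure/index.php" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jul/2010:09:14:02 +0400] "GET /css/site.css HTTP/1.1" 200 2210 "http://examplebank-login.com/secure/index.php" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jul/2010:09:15:40 +0400] "GET /img/logo.png HTTP/1.1" 200 5120 "http://examplebank-login.com/secure/index.php" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Jul/2010:09:15:41 +0400] "GET /js/login.js HTTP/1.1" 200 910 "http://examplebank-login.com/secure/index.php" "Mozilla/5.0"',
    '192.0.2.77 - - [12/Jul/2010:09:16:00 +0400] "GET / HTTP/1.1" 200 8800 "http://www.google.com/search?q=examplebank" "Mozilla/5.0"',
    '192.0.2.78 - - [12/Jul/2010:09:16:05 +0400] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.examplebank.ae/" "Mozilla/5.0"',
    '192.0.2.79 - - [12/Jul/2010:09:16:09 +0400] "GET / HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '192.0.2.80 - - [12/Jul/2010:09:17:30 +0400] "GET /img/logo.png HTTP/1.1" 200 5120 "http://someblog.example.org/post/1" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, info in suspicious_referers(SAMPLE_ACCESS_LOG).items():
        print(host, info)
```

The threshold and the time window (here, the whole sample) are the tuning knobs: a legitimate partner site that embeds the logo will also show up, so the output is a lead for the monitoring team, not an automatic takedown trigger.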
Spam traps
Tracking spam mail within the organisation's domain, especially "double bounce" mails, could indicate a phishing attack. A sudden influx of mails with invalid From as well as To addresses results in double-bounce mails, which show an increased level of spam and of possible phishing mails impersonating the domain.
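The double-bounce detection just described, as an added example (not code from the article or from ISACA): the log lines are constructed in the style of Postfix smtpd reject entries, so the exact field layout and the baseline rate are assumptions to be adapted to the mail server actually in use. A bounce carries the null envelope sender (from=<>); when that bounce is itself rejected because the local recipient does not exist, somebody sent mail with an invented address in the organisation's domain as the sender, and a burst of those within a short window is the signal the article refers to.

```python
"""Detect a burst of 'double bounces' that indicates our domain is being forged.

Added example; not code from the article. The log lines are constructed in the
style of Postfix smtpd reject entries; treat the exact field layout as an
assumption and adapt the regex to the mail server actually in use.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A message with the null envelope sender (from=<>) is a bounce. When that
# bounce is itself rejected because the local recipient does not exist, it is a
# double bounce: someone sent mail with an invented address in our domain as
# the sender, and the far end's bounce has come home to an address we never had.
REJECT_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d{2}:\d{2}):\d{2} \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r".*?<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
    r".*?from=<(?P<sender>[^>]*)>"
)


def parse_double_bounce(line: str) -> Optional[Tuple[str, str]]:
    """Return (minute, rejected recipient) for a double bounce, else None."""
    m = REJECT_RE.match(line)
    if not m or m.group("sender") != "":
        return None  # not a reject, or a reject of ordinary mail with a real sender
    return m.group("minute"), m.group("rcpt")


def double_bounces_per_minute(lines: List[str]) -> Dict[str, int]:
    """Count double bounces per minute of log time."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_double_bounce(line)
        if parsed:
            counts[parsed[0]] += 1
    return dict(counts)


def spiking_minutes(counts: Dict[str, int], baseline_per_minute: float = 1.0,
                    factor: int = 10) -> List[str]:
    """Minutes whose double-bounce count exceeds `factor` times the normal rate."""
    return sorted(minute for minute, n in counts.items()
                  if n > baseline_per_minute * factor)


def _reject_line(ts: str, rcpt: str, sender: str) -> str:
    """Build one constructed reject entry for the sample log."""
    return (f"{ts} mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient "
            f"table; from=<{sender}> to=<{rcpt}> proto=ESMTP helo=<mail.example.net>")


# Constructed sample: one ordinary spam reject, one stray double bounce, then a
# burst of twelve double bounces to invented users inside a single minute.
SAMPLE_MAIL_LOG = (
    [_reject_line("Jul 12 09:13:41", "nobody@examplebank.ae", "spammer@example.net"),
     _reject_line("Jul 12 09:13:50", "xq7@examplebank.ae", "")]
    + [_reject_line(f"Jul 12 09:14:{s:02d}", f"user{s}@examplebank.ae", "")
       for s in range(0, 60, 5)]
)

if __name__ == "__main__":
    per_minute = double_bounces_per_minute(SAMPLE_MAIL_LOG)
    for minute in spiking_minutes(per_minute):
        print(f"double-bounce spike at {minute}: {per_minute[minute]} in one minute")
```

The baseline should be measured from the organisation's own quiet periods rather than guessed; the same counter also feeds the takedown and customer-warning steps, because the rejected recipients and the remote hosts that delivered the bounces tell you which mailbox providers received the forged campaign.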
Conclusion
There is no single solution to prevent phishing attacks across all domains and all continents. A concerted effort involving end-user awareness, regulatory participation and contributions from the information security community is needed to fight this menace on an ongoing basis. It is not enough to be proactive; you should be alert on a 24x7x365 basis in order to identify the next wave of attacks on online transactions.
Biju Nair CISA, CISSP has been working in the Information Security and IT Audit domains for the last 12 years. He has spearheaded the data
protection initiatives for several banks in the region and is currently working as the Head of IT & Consumer Audit for Noor Islamic Bank. He is
also the current secretary of ISACA UAE Chapter.
EARN 16 CREDIT POINTS
I-SAFE 10, 25th & 26th October 2010
CORPORATE CHALLENGES IN MANAGING INFORMATION RISKS BEYOND 2010...
The 4th annual integrated conference covering various aspects of managing the most important asset of an organisation - Information.
INFORMATION SECURITY
Information is a key asset used by organizations in achieving business objectives. It is imperative in this e-world to maintain the confidentiality, integrity & availability of information. Find out the new trends in security and ways to manage your information security.
AUDIT & ASSURANCE
It is critical to provide independent audit & assurance to strategically manage the information risks in the organization. Find out from the experts the paradigm change in the profession and the new ways to provide audit & assurance services.
FORENSICS
Determine the process & new ways of investigating information resources.
EMERGING TECHNOLOGIES
Find out new technologies to better manage your information and information resources.
VENUE
25th & 26th OCT, 2010, DHOW PALACE, Dubai, U.A.E.
CONTACT DETAILS
Please register online at www.isacauae.org or contact Ashish Mahal on +971-50-7549908 or email ashishmahal@gmail.com for registration or any additional information.
CISA EXAM REVIEW CLASSES
For more details please contact: R. K. Rao on 05500864 or email at: raork123@eim.ae
"ALL WORK NO PLAY MAKES US DULL"
19th November 2010
Network with professionals on the field
ISACA UAE Chapter brings an opportunity for its members to network with fellow professionals on the field by participating in the first ever "SIX (6) a side indoor cricket tournament". ISACA invites all members to form a team from their organization or another organization and lift the "ISACA UAE Chapter Champions Trophy".
We can accommodate only a limited number of teams, so rush in your team entries by filling in the attached registration form. The organizing committee will accept teams on a first-come-first-served basis. Pre-registration of all teams is required by 30/08/2010. The event will be held at In-Sportz, Dubai.
For more information regarding the event please contact Vaishal Mehta on +971 50 786 4839, Email: vaishal@gmail.com
ENTRY FORM
To enter the tournament, complete the form below. All payments are to be made in favour of DNATA-ISACA. Cheques are to be forwarded to ISACA UAE Chapter, Vaishal Mehta, ISACA Treasurer, P.O. Box 186645. Mobile: +971507864839, Email: vaishal@gmail.com
Team Name : ____________________________________________________________________
Captain’s Name : ____________________________________________________________________
Contact Number : ____________________________________________________________________
Company/Organisation : ____________________________________________________________________
Postal Address : ____________________________________________________________________
E-mail Address : ____________________________________________________________________
-: TEAM MEMBERS :-
1 ________________________________________________
Contact Number: ______________________ Signature_____________________
2 ________________________________________________
Contact Number: ______________________ Signature_____________________
3 ________________________________________________
Contact Number: ______________________ Signature_____________________
4 ________________________________________________
Contact Number: ______________________ Signature_____________________
5 ________________________________________________
Contact Number: ______________________ Signature_____________________
6 ________________________________________________
Contact Number: ______________________ Signature_____________________
7 Reserve _______________________________________
Contact Number: ______________________ Signature_____________________
8 Reserve _______________________________________
Contact Number: ______________________ Signature_____________________
Team cost: AED 800/-. A team must consist of a minimum of 5 ISACA members; you are allowed to have only 3 non-members in your team.
We, the undersigned, the members of the ________________________ team, will not hold ISACA UAE Chapter, or any of its Board Directors or volunteers, responsible for any injury to person or property occurring during the ISACA Champion's Trophy held on Friday, November 19, 2010. We agree to play according to the spirit of the game, and will respect and accept the decisions of the umpires and match coordinator adjudicating the tournament.
PLEASE NOTE:
To guarantee your place in the tournament, the full amount must be paid to the ISACA UAE Chapter; the first 6 teams to pay the full tournament fee will be entered into the tournament.