<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:admin="http://webns.net/mvcb/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
    <title>Malta Info Security</title>
    <link>http://maltainfosec.org/</link>
    <description>Creating an Information Security community on the Maltese islands</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.3.1 - http://www.s9y.org/</generator>
    <pubDate>Fri, 30 Oct 2009 22:47:08 GMT</pubDate>

    <image>
        <url>http://maltainfosec.org/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: Malta Info Security - Creating an Information Security community on the Maltese islands</title>
        <link>http://maltainfosec.org/</link>
        <width>100</width>
        <height>21</height>
    </image>

<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/maltainfosec/dziz" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
    <title>Cyber crime and digital Forensics</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/lJgNSesHIZU/188-Cyber-crime-and-digital-Forensics.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/188-Cyber-crime-and-digital-Forensics.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=188</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=188</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    <!-- s9ymdb:163 --><img class="serendipity_image_left" width="84" height="110" style="float: left; border: 0px; padding-left: 5px; padding-right: 5px;" src="http://maltainfosec.org/uploads/images/forensic_image.serendipityThumb.jpg" alt="" />It has been quite a few years now that I have been teaching computer forensics on behalf of the UK's NCC and the subject. Recently I gave a talk for the local ISACA chapter entitled <a href="http://is.gd/4HWOO" title="The realm of Digital Forensics">'The Realm of Digital Forensics'</a>, which went pretty well. Its main aim was to introduce people coming from an auditing background to the subject. This worked well; however, the talk couldn't get technical as I would have lost my audience.<br />
<br />
That brings me to the point of the article. From a local perspective, this being a relatively new subject, there is very little knowledge of what the job entails: skills at various levels, both technical and non-technical, not to mention soft skills, which are somehow always assumed to exist. Although we are a small island and specialization in a particular field is not necessarily a good thing for your career, the truth is that from a legal perspective we still need these skills and services --- as communication technologies multiply every six months and more and more information is saved in digital format, the reality is that there WILL be (and is) abuse. The consequence takes the form of embezzlement, harassment, fraud, espionage and a myriad of other cyber-crimes that start becoming more prevalent as companies lose money.<br />
<br />
Recently I was lucky enough to <a href="http://www.llmstudy.com/editorial/bursary_winners_donald/" title="Study Bursary">win a study bursary</a> to continue studying and obtain a Masters degree in IT &amp; Telecommunications Law with the University of Strathclyde. This, coupled with my technical skills, will give me an excellent insight into the legal aspect of information security. I envisage that local private companies, government and even the legal system will need these skills as cyber-crimes continue to rise.<br />
<br />
What we now need is for communities to recognize that for digital evidence to hold in a court of law, not only do chain-of-evidence and chain-of-custody apply, but there must be adequate funding, awareness and recognition of expertise.<br />
<br />
Cyber-crime is a reality. It's time we recognize it and allocate resources on a national scale to ensure awareness and justice in a proper manner. Are we dealing with it in the right way? 
    
]]></content:encoded>

    <pubDate>Fri, 30 Oct 2009 10:01:43 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/188-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/188-Cyber-crime-and-digital-Forensics.html</feedburner:origLink></item>
<item>
    <title>Security Attitudes</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/EsLAm8pxIhg/187-Security-Attitudes.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/187-Security-Attitudes.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=187</wfw:comment>

    <slash:comments>3</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=187</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    It's been a while since I last posted an article on maltainfosec.org, and I must admit I've recently been in over my head with my studies. The good thing is that my degree is over and plans are in place to start a post-grad in law (LLM). Moreover, I was invited to give a presentation next October on Network Information Systems (NIS) and <a href="http://en.wikipedia.org/wiki/Community_Emergency_Response_Team">CERT</a> from a local private perspective. More details of this to come later on.<br />
<br />
<strong>Meanwhile, we are slowly making the transition to micro-blogging, sharing relevant infosec information through <a href="http://twitter.com/maltainfosec" title="Twitter">Twitter</a></strong><br />
<br />
Going back to the original title of the article -- as you might imagine, different people have different perceptions of information security, which in turn exposes different attitudes towards the subject -- most of which are lax, unfortunately. Whilst large companies that invest in security do so because of compliance (primarily), their internal security departments use it as leverage to enforce controls -- however, the expense is never seen as an investment or insurance; rather, it's a thorn that they have to deal with and put up with -- and this is common even for smaller companies of around 50 people. On the local scene this stands to be very true and it's a pity, as security often gets overlooked or, worse, sidetracked -- and we learn through failures to protect information, exposures and mistakes -- what I would call the 'hard way'.<br />
<br />
Not only does this apply to the local scene, but also to large kick-ass innovative companies like Apple. To be fair, they have been responding a little faster over the past few months, especially with the release of 10.6.1 of Snow Leopard. Then again, they are also known to work on patches given there is enough demand. What comes to mind is an old Java flaw that took months to be updated by Apple.<br />
<br />
The bottom line is companies fix stuff because they stand to lose money -- and the driver for any business (like we all know) IS money. So if it's in the interest of the company, the security attitude is immediately escalated and given priority -- other than that -- given the times we live in where budgets and time are always tight --- the less security pros interfere with life cycles, the better.<br />
<br />
... In the interest of whoever has this sort of attitude, let's hope that it doesn't bite them back in the ass <img src="http://maltainfosec.org/templates/default/img/emoticons/wink.png" alt=";-)" style="display: inline; vertical-align: bottom;" class="emoticon" /><br />
<br />
<em>".. Security is not about being killed by an alligator..Usually, it is about being eaten to death by a thousand chickens..."</em> 
    
]]></content:encoded>

    <pubDate>Tue, 15 Sep 2009 14:03:40 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/187-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/187-Security-Attitudes.html</feedburner:origLink></item>
<item>
    <title>Humor: Google Opt Out feature protects privacy..</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/1EwjGB-DBNc/186-Humor-Google-Opt-Out-feature-protects-privacy...html</link>
            <category>Humor</category>
    
    <comments>http://maltainfosec.org/archives/186-Humor-Google-Opt-Out-feature-protects-privacy...html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=186</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=186</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    <a href="http://www.theonion.com/content/video/google_opt_out_feature_lets_users?utm_source=videoembed">Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village</a><br />
<br />
<a href="http://www.theonion.com/content/video/google_opt_out_feature_lets_users?utm_source=videoembed">Source</a> 
    
]]></content:encoded>

    <pubDate>Wed, 12 Aug 2009 13:38:18 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/186-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/186-Humor-Google-Opt-Out-feature-protects-privacy...html</feedburner:origLink></item>
<item>
    <title>Seminar: Securing Electronic Information Assets</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/ztrCiKrIJVY/185-Seminar-Securing-Electronic-Information-Assets.html</link>
            <category>Events</category>
    
    <comments>http://maltainfosec.org/archives/185-Seminar-Securing-Electronic-Information-Assets.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=185</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=185</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    ICT Solutions will be holding a seminar on the subject of securing electronic information assets:<br />
<br />
<strong>Date: Wednesday the 22nd of July<br />
Place: Westin Dragonara, in the morning</strong><br />
<br />
The seminar is free of charge, and is targeted at IT professionals, enterprise risk executives, data managers and IT security personnel. The presentations will be delivered by industry professionals representing three leading suppliers. HP will be delivering an interesting session on planning requirements for implementing an effective information security strategy. The second topic to be tackled is the management of privileged identities and the management of enterprise-wide passwords. The presentation will be delivered by the leaders in the field, Cyber-Ark. Finally, Agiliance will tackle the topic of automating IT governance, risk and compliance. After the sessions there will be a networking brunch.<br />
<br />
Kindly send an e-mail to <em>info@ictsolutions.com.mt</em> to register your intent*<br />
<br />
Regards,<br />
<br />
Gordon Micallef<br />
President<br />
<strong>ISACA MALTA CHAPTER</strong><br />
<br />
* This is a free ISACA membership service provided by ISACA MALTA CHAPTER and the Chapter is not responsible in any way for the organisation of this event and has no affiliations with the organisations mentioned above. 
    
]]></content:encoded>

    <pubDate>Thu, 16 Jul 2009 07:49:36 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/185-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/185-Seminar-Securing-Electronic-Information-Assets.html</feedburner:origLink></item>
<item>
    <title>Zombie Accounts Jeopardise Security</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/moxsLct_wuQ/183-Zombie-Accounts-Jeopardise-Security.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/183-Zombie-Accounts-Jeopardise-Security.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=183</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=183</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    <!-- s9ymdb:160 --><img class="serendipity_image_right" width="88" height="110" style="float: right; border: 0px; padding-left: 5px; padding-right: 5px;" src="http://maltainfosec.org/uploads/images/zombie.serendipityThumb.jpg" alt="" /><strong>53% of IT managers are largely unaware of employee access rights to systems!</strong><br />
<br />
This causes a proliferation of zombie accounts – accounts that remain active after employees have left the company.<br />
<br />
However, these same administrators say they have a high level of confidence that zombie accounts cannot trigger a malicious attack or perpetrate a data leak, despite high-profile evidence to the contrary. This is according to a <a href="http://is.gd/1trSy">global survey</a> of 236 business managers from large enterprises. <br /><a href="http://maltainfosec.org/archives/183-Zombie-Accounts-Jeopardise-Security.html#extended">Continue reading "Zombie Accounts Jeopardise Security"</a>
    
]]></content:encoded>

    <pubDate>Fri, 10 Jul 2009 12:07:09 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/183-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/183-Zombie-Accounts-Jeopardise-Security.html</feedburner:origLink></item>
<item>
    <title>Humor: Oh no..</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/gIaoOy4aBnQ/182-Humor-Oh-no...html</link>
            <category>Humor</category>
    
    <comments>http://maltainfosec.org/archives/182-Humor-Oh-no...html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=182</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=182</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    <img src="http://blog.mrtweet.net/wp-content/uploads/2009/06/13658213.png" alt="Oh no.." /> 
    
]]></content:encoded>

    <pubDate>Tue, 23 Jun 2009 19:32:02 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/182-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/182-Humor-Oh-no...html</feedburner:origLink></item>
<item>
    <title>Seven Deadly Sins of Home Office Security</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/MPYzjE3NEds/181-Seven-Deadly-Sins-of-Home-Office-Security.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/181-Seven-Deadly-Sins-of-Home-Office-Security.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=181</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=181</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    According to the human resources association World at Work, 17.2 million Americans worked from home or remotely at least one day per month for their employer last year and the 2007 book 'Microtrends' estimates that 4.2 million Americans work full-time from home.<br />
<br />
Good security is a key to good productivity...<br />
 <br /><a href="http://maltainfosec.org/archives/181-Seven-Deadly-Sins-of-Home-Office-Security.html#extended">Continue reading "Seven Deadly Sins of Home Office Security"</a>
    
]]></content:encoded>

    <pubDate>Tue, 23 Jun 2009 07:31:40 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/181-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/181-Seven-Deadly-Sins-of-Home-Office-Security.html</feedburner:origLink></item>
<item>
    <title>Holistic Enterprise Security</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/1QgOWyrRoDA/180-Holistic-Enterprise-Security.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/180-Holistic-Enterprise-Security.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=180</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=180</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    <u><strong>Echoing an article I wrote for www.ecsuite.com</strong></u><br />
<br />
To what extent are you prepared to protect your investment from the myriad of vulnerabilities today’s businesses have to deal with? Understanding how the security puzzle is structured is the first step to knowing how to apply a holistic approach. Given that the implementation of this approach does take time, not addressing any one part is guaranteed to have a negative effect on the overall running of your business.<br />
<!-- s9ymdb:159 --><img class="serendipity_image_center" width="332" height="177" style="border: 0px; padding-left: 5px; padding-right: 5px;" src="http://maltainfosec.org/uploads/images/pic.JPG" alt="" /><br />
Deciding where and how to start implementing security measures in your company can be a daunting task. No matter if you’re just starting up a new business or whether you already have a number of security controls in place, often complying with standards doesn’t necessarily mean you’ve got your assets covered. This puts your company in a critical position to work toward protecting your investments. Ad hoc implementations of security controls will spiral out of control, often leaving you in a more vulnerable position than when you started off. Thinking of what a business might stand to lose has never been more important in this day and age. <br /><a href="http://maltainfosec.org/archives/180-Holistic-Enterprise-Security.html#extended">Continue reading "Holistic Enterprise Security"</a>
    
]]></content:encoded>

    <pubDate>Thu, 18 Jun 2009 22:39:14 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/180-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/180-Holistic-Enterprise-Security.html</feedburner:origLink></item>
<item>
    <title>Interesting breach statistics..</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/RuVSX61tyyA/178-Interesting-breach-statistics...html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/178-Interesting-breach-statistics...html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=178</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=178</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    Statistically it has been shown that often many breaches to a business happen from the inside -- most notably because employees already have access to systems and enjoy a certain level of trust.<br />
<br />
Reading a recent article by Ron Condon, UK Bureau Chief -- it becomes apparent that according to Matthijs van der Wel, who is head of forensics at Verizon Business, 80% of 600 breaches which happened over the last five years came from <strong>outside</strong> an organisation! This can be found in the following <a href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf" title="report">report</a> published by Van der Wel in April.<br />
<br />
The report goes on to emphasise that "organisations are making stupid (information security) mistakes as in failing to patch vulnerabilities, using default passwords and forgetting to close down user accounts when employees leave an organisation." The end result is data loss.<br />
<br />
Quoted from the original article, some simple rules for reducing damage are the following:<br />
<br />
<strong>- Do not use default passwords. <br />
- Ensure that third-party suppliers (such as maintenance companies) do not use default passwords or shared credentials for all their clients.<br />
- Do regular network scans to check what servers you have. If you don't know what you have, you can't protect it.<br />
- Patch regularly, using an up-to-date network diagram to ensure all systems are covered.<br />
- Ensure user accounts are closed when employees leave. "In the majority of the cases we've seen, a terminated employee was involved," says van der Wel. "Go through the user accounts list and check that all users are still employed within your organisation."<br />
- Examine system file logs to establish what is normal behaviour on the system. Then you will be in a better position to recognise abnormal behaviour.<br />
- Get IT staff to come up with different attack scenarios.<br />
- Analyse IDS alerts, or outsource the process to a specialist service company. Do not just ignore the alerts like an annoying car alarm that keeps going off.<br />
- Analyse IP addresses of outgoing connections.</strong><br />
<br />
Van der Wel's advice is to use your own staff to spot the systems' weaknesses. "Sit down with a couple of knowledgeable IT guys and come up with different attack scenarios. Ask how they would attack their own organisation. Imagine how that would show up in the log files. After that, go and look in the log files to see if anyone has done it. If you can think of it, so could others. We don't see many IT organisations spending their money doing things like that. They would rather spend the money on a new box." -- very well said!<br />
<br />
<a href="http://searchsecurity.techtarget.co.uk/news/article/0,289142,sid180_gci1357010,00.html?track=NL-987&ad=704973&asrc=EM_NLN_7128198&uid=8542521">Full article</a> 
    
]]></content:encoded>

    <pubDate>Tue, 26 May 2009 12:04:16 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/178-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/178-Interesting-breach-statistics...html</feedburner:origLink></item>
<item>
    <title>FREE refresher webinars CISA, CISM and CGEIT</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/VmAkHM1GZ18/177-FREE-refresher-webinars-CISA,-CISM-and-CGEIT.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/177-FREE-refresher-webinars-CISA,-CISM-and-CGEIT.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=177</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=177</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    During the 2008 cycles of ISACA exams, the CISA Refresher Webinars created a positive impact on numerous exam-takers and in many cases made a world of difference for those who passed the exam. Thanks to all ISACA Chapters and other friends, exam-takers from all over the world have registered for these free classes and benefited from the teachings offered.<br />
<br />
The FREE refresher webinars offering has been expanded to cover the June 2009 CISA, CISM and CGEIT exams. These webinars are designed to review the concepts to be tested in each exam and are not intended to replace or provide the knowledge you would learn in a complete review class. This is a free service to all exam-takers in the interest of increasing the passing rate.<br />
<br />
Please find below the links to register for the CISA, CISM and CGEIT web-based seminars:<br />
<br />
<strong>CISA May 26 at 3PM EST: https://www2.gotomeeting.com/register/830376282<br />
CISA June 1 at 9AM EST: https://www2.gotomeeting.com/register/119400850<br />
CISM: https://www2.gotomeeting.com/register/789736306<br />
CGEIT: https://www2.gotomeeting.com/register/566801275</strong><br />
<br />
<a href="http://isaca-london.org/index.php?option=com_content&task=view&id=226&Itemid=2">Source</a> 
    
]]></content:encoded>

    <pubDate>Tue, 26 May 2009 09:25:55 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/177-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/177-FREE-refresher-webinars-CISA,-CISM-and-CGEIT.html</feedburner:origLink></item>
<item>
    <title>Event: Business Model for Information Security</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/uuOYTaU36dI/176-Event-Business-Model-for-Information-Security.html</link>
            <category>Events</category>
    
    <comments>http://maltainfosec.org/archives/176-Event-Business-Model-for-Information-Security.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=176</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=176</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    In 2008, ISACA entered into a formal agreement with the University of Southern California (USA) Marshall School of Business Institute for Critical Information Infrastructure Protection to continue the development of its Systemic Security Management Model. The Business Model for Information Security takes a business-oriented approach to managing information security, building on the foundational concepts developed by the Institute. It utilizes systems thinking to clarify complex relationships within the enterprise, and thus to more effectively manage security.<br />
<br />
This session introduces the model and its core concepts to organisations, particularly to:<br />
<br />
-Senior business executives;<br />
-Information security managers;<br />
-Those who have responsibility for managing business risk;<br />
-Individuals who have responsibility for the design, implementation, monitoring and improvement of an information security management system.<br />
<br />
<strong>When: 1st June 2009<br />
Where: Radisson SAS Baypoint Resort, St. Julians<br />
Time: 17:00 - 19:00<br />
Speaker: Mr. Derek Oliver, Chair of the Development Team</strong><br />
<br />
<em>The attendance fee for this event is €20 including coffee break. ISACA members will be entitled to free entrance to this event. </em> 
    
]]></content:encoded>

    <pubDate>Fri, 15 May 2009 07:55:55 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/176-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/176-Event-Business-Model-for-Information-Security.html</feedburner:origLink></item>
<item>
    <title>Credit card code to combat fraud</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/qyT1fcaO0xI/175-Credit-card-code-to-combat-fraud.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/175-Credit-card-code-to-combat-fraud.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=175</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=175</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    <img src="http://geekbazaar.org/wp-content/uploads/2007/10/8231_24100745847.jpg" alt="" /><br />
<br />
Back in October 2007, I remember seeing an <a href="http://www.gizmag.com/go/8231/">article</a> about a next-generation credit card that incorporates a 12-button keyboard, a microprocessor and an embedded alphanumeric display and promises to provide unprecedented security in phone and online banking transactions.<br />
<br />
Once again, in BBC News today, I came across another similar <a href="http://news.bbc.co.uk/2/hi/technology/8046492.stm">article</a> along the same lines regarding a similar credit card to combat fraud.<br />
<br />
A credit card with a built-in display is being tested by Visa with the aim of reducing online fraud. The Emue Card generates and displays a unique code each time it is used. Developers say that the new technology would make it very hard for fraudsters, as any transaction would require the pin to generate the code. The card is currently being trialled by 500 employees of Deloitte with the aim of assessing the technology by the end of the year. <br />
<br />
Sandra Alzetta, head of innovation at Visa, said that the card was bringing the principles of chip and pin technology to the online world.<br />
<br />
"The card needs to be globally compatible: that means embossed characters for mechanical swipes, a magnetic strip for systems that require a signature, the fixed three digit security code and now the unique four figure code."<br />
<br />
"Once certified by Visa it is then down to the banks and credit card companies to decide if they take up the new technology, but Ms Alzetta said she was confident they would."<br />
<br />
"One of the things we're testing is how long the battery lasts - the plan is for it to work for more than three years, which means your card should expire before it runs out of power." <br />
<br />
<a href="http://news.bbc.co.uk/2/hi/technology/8046492.stm">Source</a> 
    
]]></content:encoded>

    <pubDate>Wed, 13 May 2009 09:32:41 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/175-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/175-Credit-card-code-to-combat-fraud.html</feedburner:origLink></item>
<item>
    <title>100 courses on Computer Information Systems and Security</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/uc2WI8-8bH4/174-100-courses-on-Computer-Information-Systems-and-Security.html</link>
            <category>Articles</category>
            <category>Certifications</category>
    
    <comments>http://maltainfosec.org/archives/174-100-courses-on-Computer-Information-Systems-and-Security.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=174</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=174</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    <blockquote>Whether you’ve been accepted to a degree program and want to work ahead, already have a degree and want to learn more or just want to delve into the world of computer and information systems, you’ll find plenty to keep you busy through a variety of open courseware offerings. From courses that teach the basics of computer science to those that delve into specialty areas, you’re sure to find something that will help you learn more and gain confidence in the field.</blockquote><br />
<br />
<a href="http://tinyurl.com/q285ym">http://tinyurl.com/q285ym</a><br />
<br />
Thanks go to Kelly.
    
]]></content:encoded>

    <pubDate>Tue, 12 May 2009 08:55:39 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/174-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/174-100-courses-on-Computer-Information-Systems-and-Security.html</feedburner:origLink></item>
<item>
    <title>EC wants software makers held liable for code</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/PcJh49mtLpc/173-EC-wants-software-makers-held-liable-for-code.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/173-EC-wants-software-makers-held-liable-for-code.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=173</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=173</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    The European Commission is proposing that software makers give guarantees about the security and efficiency of their code<br />
<br />
Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law. <br />
<br />
[BSA director of public policy Francisco Mingorance] said the performance of a piece of software depends on the environment it operates in, how the code is updated, whether it is possible to adapt and modify the software, and whether the code is attacked. <br />
According to Mingorance, the proposed regulatory extension would cover all software, including beta products, and would cover both proprietary and open-source software.<br />
<br />
Right now, under the current EU Sales and Guarantees Directive, physical products are expected to carry a guarantee of two years. Extending those terms to software would have the effect of limiting customer choice, as contract terms would have to be extended to a minimum of two years, Mingorance added. <br />
<br />
Software companies have long argued against accepting responsibility for the security and efficiency of their code. Linux kernel developer Alan Cox in 2007 told a House of Lords Committee that neither proprietary nor open-source developers should be held accountable for their code.<br />
<br />
<a href="http://news.zdnet.co.uk/software/0,1000000121,39649689,00.htm">Source</a>  
    
]]></content:encoded>

    <pubDate>Mon, 11 May 2009 09:49:45 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/173-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/173-EC-wants-software-makers-held-liable-for-code.html</feedburner:origLink></item>
<item>
    <title>Information Security Solutions Europe Conference</title>
    <link>http://feedproxy.google.com/~r/maltainfosec/dziz/~3/q4JxG6BI1JU/172-Information-Security-Solutions-Europe-Conference.html</link>
            <category>Events</category>
    
    <comments>http://maltainfosec.org/archives/172-Information-Security-Solutions-Europe-Conference.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=172</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=172</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded><![CDATA[
    This year the Information Security Solutions Europe Conference (ISSE 2009) will be held on 6-8 October 2009 in The Hague, The Netherlands.<br />
<br />
ISSE is Europe's only independent, interdisciplinary, security conference. It is designed to educate &amp; inform on the latest developments in technology, solutions, market trends and best practice.<br />
<br />
Now in its eleventh year and jointly organised by EEMA, ENISA, TeleTrusT and the municipality of The Hague, ISSE 2009 will attract over 400 representatives from across Europe, providing an informal and stimulating environment for attendees to learn, share experiences and explore solutions with their European counterparts, focusing on security and related issues like cost of ownership, risk management and interoperability.<br />
<br />
To join them or for further information please visit the event website at http://www.isse.eu.com<br />
<br />
ISSE 2009 is co-organised by ENISA 
    
]]></content:encoded>

    <pubDate>Mon, 11 May 2009 09:47:38 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/172-guid.html</guid>
    
<feedburner:origLink>http://maltainfosec.org/archives/172-Information-Security-Solutions-Europe-Conference.html</feedburner:origLink></item>

</channel>
</rss>
