Malta Info Security

The next two educational event organised by the ISACA MALTA CHAPTER are the following:

January 26th 2012: The evolution of electronic evidence under Maltese Law by Martin Bajada http://goo.gl/Uf0rI

February 23rd 2012: Talking security – opportunities, lessons learnt by Rodney Naudi
http://goo.gl/G3CkV

Follow the links above to book your place.

Posted by Donald Tabone

ISACA EDUCATIONAL EVENT entitled Project Risk Management Techniques

Date: Thursday 15th December 2011
Time: 17:00 to 19:00
Where: Radisson Blu, St.Julians

There are a few questions that every project manager should ask at the beginning of a project?

What do we hope to gain from this project-end goal?
What factors can keep that from happening?
How should we respond if those events occur?

Every project involves some degree of risk. Identifying potential risks and having a plan for dealing with them can spell the difference between a project that reaches a successful conclusion and one that does not.

This session will focus on the essential techniques in project risk management.

Further details are available directly on the ISACA Malta website here.

Posted by Donald Tabone

CYBER SECURITY SEMINAR jointly organised by ICT Gozo Malta and BCS Malta

When: WEDNESDAY 23rd November 2011
Time: 6pm
Where: MITA’s offices - Gattard House, Blata l-Bajda, MALTA

We are linking this seminar with the Security Leaders Congress being held in Brazil. Benjamin Gittins, CTO, Synaptic Laboratories, speaking at our seminar, has been invited to participate in the Annual Brazil Security Leaders Congress on the 23 Nov. 2011. This 2 day Congress is attended by some 300 CEO/CIO/CTO level executives from public and industry sectors.

• Details on the security Leaders Panel
• Details on the seminar can be found here
• Attendees can register here or email secretary@bcs.org.mt or info@ictgozomalta.eu

Synaptic Labs participation will take place remotely from Malta and will be the first such international participation in the history of the Congress. The invitation to participate is the result of outreach by Synaptic Labs and the ICT Gozo Malta project, creating new international relationships and drawing international attention to Malta as a source of ICT innovation.

The Congress will be streamed live onto the Internet with translation into English. In the panel called "Securing Legitimate Access", Benjamin Gittins will participate along with several prominent Brazilian Information Security Leaders from Government, Industry and Academia.

The seminar will start with participation in the International Panel event, which takes place promptly at 6:30pm. There will be a live link to the Congress for the duration of the Panel event.

This will be followed by a remote webcast presentation to our audience from Fabian Martins (see below), one of the Congress Security Panel participants. We have had strong interest from a range of Synaptic Labs International Collaborators, from other countries, to participate remotely as speakers.

Some of our speakers include:

Fabian Martins (Scopus/Bradesco Bank) – addressing our seminar live from the Security Leaders Congress in Sao Paulo, Brazil.

Bob Quick, CEO Blue Light Systems (London, England). Ex chief officer of Police in the UK with extensive strategic and operational experience in counter terrorism, intelligence, serious and organised crime reduction and business improvement.

Brian Snow, (Maryland, USA) recognised Mathematician and Computer scientist, is former Technical Director of the Information Assurance Directorate,US National Security Agency (Washington).

as well as other Experts from major real-time operating system companies from USA, UK and elsewhere.

The official flyer can be downloaded here.

Posted by Donald Tabone

ICT GOZO MALTA is organizing a webinar entitled "A Practitioner's Guide to Achieving Safe and Secure Software"

When: 2 November 2011
Duration: 1 hour
Time: 9.30am(UK), 10.30am(Europe), 3pm(India)

Green Hills Software (a company that offers an operating system with the highest security level certification ever achieved in the world: CC EAL6+ and DO-178B Level A) and LDRA are hosting a joint one-hour webinar on Wednesday 2nd November 2011 at the times above.

With the evolution of computing, devices incorporate an ever-increasing amount of software. Software is key to bettering the user interface, boosting device responsiveness, and adding more features to your product. Software complexity increases the risk of programming and security errors—a risk companies cannot afford.

This one-hour webinar is suitable for security experts and software engineers and engineering managers, students and educators interested in learning about developing software in compliance with industry specific standards; Systems engineers interested in learning about the interface between systems & software in a safety-critical environment.

Because of our dependence on software-driven devices, they must be as safe or safer. Software complexity increases the risk of programming and security errors—a risk companies cannot afford.
This webinar will help you produce quality software, obtain compliance, or follow a nationally-mandated safety certification such as IEC 61508 (general industrial), ISO/DIS 26262 (automotive), EN 50128 (railway/transportation), IEC 61513 (nuclear).

For further information and links to register please follow the source link below.

Source

ICT GOZO MALTA is a project to create and enhance international ICT collaboraton and related economic activity in the Maltese islands founded by The Gozo Business Chamber & Synaptic Laboratories Ltd.

Posted by Donald Tabone

UPDATE: Please note the date has changed

The Institute of Computer Education in Zebbug will be holding a training course to attain the Security+ certification.

Course Duration: 42hrs (14 lessons) – 3 hours per lecture
Starting Date: Monday 23rd January 2012
Time: 6.00PM – 9.00PM

The topics covered will prepare you for the SY0-301 or JK0-018 exam, namely:

Network Security
Compliance and Operational Security
Threats and Vulnerabilities
Application, Data and Host Security
Access Control and Identity Management
Cryptography

What’s Included:
Training by a Certified and Experienced Trainer
Courseware
Certification

The cost of the course is €455 and you can book your place online

Be aware that the classes are on a first-come first-serve basis up to a maximum of 15 students.

Posted by Donald Tabone

Given the recent rise of security breaches and targeted attacks on website through the use of bot nets, it stands to reason that the interest in protecting assets against DDoS attacks has grown - and with good reason too.

However, a little research will reveal that there are various solutions that can be employed to protect valuable online assets that keep cash-cows going. Hardware solutions like Arbor devices work amazingly well, the down side is that they are often very expensive to purchase and maintain. Hybrid solutions such as those of Verisign are also excellent solutions simply because they combine the power of cloud computing with powerful hardware possibly offloading a lot of the administration work involved to the said company (Verisign). Keeping in mind that the latter are mostly enterprise solutions, there is a third option for smaller setups and that is CloudFlare.

CloudFlare offer to protect aand accelerate any online website. Once you switch over your DNS servers to CloudFlare, they optimise the delivery of your sites pages and block threats. In addition they limit abusive bots and crawlers effectively reducing spam and other attacks.

Setup takes less than 5 minutes and its platform independent as all you need to do is change your domains DNS settings. There are three levels you enable. The free version provides stats similar to google analytics about your visitors.

Moreover, the dashboard that you're provided with also allows you to trust/block any websites that show up as posing a threat.

The other two levels are CloudFlare Pro and Enterprise (the latter is still works-in-progress). The advantage of signing up with them on the Pro plan allows for advanced security protection and virtually real-time stats. You also gain full control and insight into whats happening on your site. You can see the full plans here.

Bottom line, is that the free service does an excellent job of providing a threat control dashboard for basic security measures such as blocking of traffic by country or IP range and reputation-based threat protection. Five stars to CloudFlare!

https://www.cloudflare.com/

Posted by Donald Tabone

During 2011, we've seen hackers attack several major businesses. Aside from the recent attack by Anonymous on San Francisco's BART, companies like PinnacleHealth, Sega, PBS, Sony, Lockheed Martin, EA, RSA and Citi have all faced security breaches this year alone. Still, there is a long list of small and medium businesses attacked that never made it to the public eye.

As more public hacking tools with user-friendly GUIs are released every day, well-orchestrated hacker groups with niche targets have become increasingly public, gaining notoriety and inadvertently encouraging other hacker groups to flourish. Most importantly, numerous IT vulnerabilities still remain unexplored. Thus, it goes without saying that information security applications must top every company's list of urgent action items.

Security is no longer a silver bullet or a one-size-fits-all solution; companies must take a holistic approach to creating programs that work. I've seen countless companies buy very expensive and complex tools with the expectation that they will magically solve all problems. However, the same companies struggle in setting up these tools, getting them into action quickly and effectively training staff for on usage. I've also seen companies perform mundane, blanket security functions just to check a box, i.e., implement programs that barely meet security ratings but that do not offer targeted, comprehensive or effective consumer-protection strategies. Still others -- in an attempt to make security everyone's responsibility -- duplicate efforts and miss the opportunity to generate synergy and collaboration among business units.

Here are some key issues that financial institutions should consider in order to move beyond a one-size-fits-all approach and begin successfully fighting cyber attacks.

Continue reading "4 Keys to More Holistic IT Security"

Posted by Donald Tabone

Cyber security legal practice is in its infancy stage world over. There are many reasons for the slow espousal of cyber law and cyber security as a mainstream legal practice in various jurisdictions of the world.

I believe that there are many reasons that are forcing a slow growth of cyber security, digital forensics and other segments of cyber law. Stakeholders like business houses, lawyers, etc must play a more pro active role in this regard.

Businesses and information technology go hand in hand and businesses cannot afford to wait. Businesses need to evolve themselves. Same is equally true for the business attorneys / corporate law firms. A law firm advising its client on all legal aspects minus cyber law would not be protecting the commercial interest of its client completely, since for survival and success of every business today, proper understanding as well as implementation of IT is a must.

The proactive role of cyber law cannot be ignored. The principles of cyber law can equally be used by the lawyers to act proactively while developing new legal practices like cyber due diligence, IT audit, policy formulations etc. These are the requirements which must be followed by every business irrespective of level of immediate threat to them.

Last but not the least, the practice of looking at cyber law from individual’s perspective must end. Cyber security is not just about the precautionary measures of safe browsing or protecting / saving your children from the menace of online pornography or cyber bullying or identity theft. Even the government bodies and institutions need to take care of their cyber law and cyber security requirements. The impact of any cyber threat to them could even be more divesting than any other private player.

All these factors necessitate proper formulation of norms, guidelines and laws that can help in prevention of cyber crime and punishment of the same once they occur.

Author: Geeta Dalal
Article cross-posted from International ICT Policies And Strategies

Posted by Donald Tabone

We are pleased to announce that the ICT Gozo Malta (ICTGM) Project will be formally launched by the Hon. Giovanna Debono, Minister for Gozo. Other speakers include the Hon. Jason Azzopardi, Parliamentary Secretary - Ministry of Finance, Mr Claudio Grech, Chairman MITA, and others. The event is being sponsored by GO and will be followed by some light refreshments.

Date: Friday, 5th August 2011 at 11:00 am
Location: The CALYPSO HOTEL, Marsalforn, GOZO, MALTA

The ICTGM projects (see http://www.ictgozomalta.eu) seek to attract inward investment for Innovation and development in Gozo, and also Malta, leading to the creation of new jobs and opportunities in Gozo and Malta, as well as the development and enhancement of new skills and specialisations which can contribute to the Government aim of Malta becoming an ICT Regional Hub of excellence in Europe and beyond.

Businesses, Banks, ICT companies, ICT Educationalists, ICT Graduates and ICT students are welcome and encouraged to attend. We strongly encourage anyone working in Information and Communications Technology (ICT), to attend the launch event and learn what this project is about and what it may mean for you, for Gozo and Malta. You will also get to meet members of the Project team and can register to be included on progress and future updates.

Please call the GBC on +356 2155 0305 or email gbc@ictgozomalta.eu for details and RSVP if you will be attending. For further details on the Project contact David Pace on +356 7963 0221 or email dave.pace@ictgozomalta.eu.

For more information, see the flyer here: http://bitly.com/o8eM7A

Posted by Donald Tabone

In March 2011, ENISA published version 6 of what is known as the who-is-who directory on network and information security.

Its target audience is those working closely with NIS issues in Europe. The 'Who-is-Who' documents information on NIS stakeholders (such as national and European authorities and NIS organisations) and contacts, websites, and areas of responsibility or activity. As such, it is a tool for the Agency goal to enhance NIS security levels in Europe, by facilitating contacts between security organisations and other NIS actors.

The publication turns out to be useful as it lists the responsible bodies and their areas of responsibility. Summarised below are the authorities mentioned in ENISA's latest publication for Malta.

National authorities in network and information security
-Malta Communications Authority
-Ministry for Infrastructure, Transport and Communications

Computer Emergency Response Team (CERT)
-mtCERT

Other bodies and organisations active in network and information security
-Malta Information Technology Agency
-CA Malta (Consumers’ Association of Malta)

Sadly there is no mention of entities such as the NSA, CIIP, INFOSEC Council and several others mentioned in a previously written article. Moreover, whilst other countries like the UK and Romania list security entities like ISACA Chapters, our local ISACA chapter is not mentioned.

This article continues to extrapolate the said areas of responsibility for each authority mentioned above.

Continue reading "ENISA publishes who-is-who 2011 Directory"

Posted by Donald Tabone

In a recent report Malta submitted to ENISA on Network and Information Security (NIS) related matters, the government presented its NIS strategy and governance models in terms of preparedness.

Although Malta has an agency responsible for the implementation of the National Strategy for Information Technology known as the Malta Information Technology Agency (MITA), in 2010, this agency had some of its roles transferred to two new agencies:

- INFOSEC, which is responsible for information security for the government, and has the task of defining the national direction for security;

- The Critical Information Infrastructure Protection (CIIP) Unit, which will be responsible for critical infrastructure protection as well as coordinate all the stakeholders involved in critical information infrastructure issues. The aim of the CIIP Unit is to create a protection plan on a national level. It also has the task of encouraging actors from the private sector (ISPs, banks, etc.) to form their own CERT teams. From that point on, the CIIP Unit will start a forum involving those private sector CERT teams.

In addition the above, two new agencies were created:

- The National Security Agency (NSA) now responsible for security in general, physical security issues and EU information matters.

- The National Security Accreditation Authority (NSAA). This entity is now the overall security authority, under supervision of the prime minister‘s cabinet. This agency supervises the NSA and the CIIP Unit.

The report mentions yet another agency - the INFOSEC Council, created to bring all the government entities together for discussing INFOSEC and CIIP issues.

If it sounds confusing, here's a pictorial representation of these entities taken from the said report.


The report goes on to mention the various legal regulatory frameworks relevant to data protection, privacy, cybercrime and the domestic criminal code concerning eIdentity and eCommunications (p8-10). Finally, the report provides some national statistics outlining how Malta fairs in information technology matters when compared to the rest of Europe.

Interestingly, back in 2004 another report by the Central Information Management Unit (CIMU) also defined the Cabinet Secretariat as the designated Security Accreditation Authority (SAA) that certified individuals who are security cleared by the National Security Authority. At that time MITA (formerly MITTS) was CIMU's agent for operation matters, whilst CIMU acted as the INFOSEC Authority for Malta. Amongst other things, it was responsible, for the accreditation of IT systems and networks working jointly with the National Security Authority to provide information and advice on technical threats to security and the means for protecting them.

At that time, the National Security Authority (then NSA) was the Malta Security Service. It was responsible in terms of the law for the security vetting of personnel who may have access to or handle classified information or who are involved in the technical operation maintenance of communication and information systems containing classified information. It was also charged with the setting of standards of security in the Central Registry and sub-Registries.

There are currently no websites for the NSAA, NSA, CIIP and INFOSEC so there is very little information on the mandate or structure of these entities. Nevertheless, I anticipate a lot more visibility as the regulatory role of the government with regards to information security slowly becomes more prominent.

Posted by Donald Tabone

Amongst the various law related topics I'm studying, a recent essay I submitted revolved around online privacy and the way different generations have put different values to it. From the legal aspect, privacy is relatively well defined as laws differentiate between 'personal details' and 'sensitive details' - however they are mostly there to guard against when they essentially get abused - in other words used or shared for reasons unapproved by us without specific consent. I won't go into the merits and the specifics of the law, however it pretty much comes down to us.

Meaning that, just like we choose to disclose our personal details to internet giants like Google - we inevitably weigh the information disclosure we choose to disclose against the benefits we very greedly (as humans) choose to benefit from. The problem with this approach, is that the information we trade for such 'free' services tends to come at a high price we don't immediately realise. As we all know, information is power and Google's aim is to harvest this information and profit from it - discreetly.

So whilst TOS and Privacy Policies change eating away at our privacy, we continue to use these systems because of the heavy dependence we have come to benefit from. Of course some see this as a win-win situation however here's how our privacy levels are being defined by these giants. Being connected is all good -- and all about being in touch and up-to-date - which is fine, however take this scenario.

I use GMail, have an Android phone, use Picasa, advertise using Adsense and Adwords, post on Buzz, use the Google Calendar, Chrome Sync for bookmarks and passwords, maintain my Contacts as Google Contacts, host docs online, use Google Latitude and Maps, host a couple of sites with Google and Google's chat. Seriously, which aspect of my daily live doesn't Google know of?

Arguably the information I share is common knowledge - but is the information I share with this company worth the privacy I'm giving up?
Just as in the past Google has committed several privacy violations, what keeps them from continuing to redefine privacy with the information they now posses?

What ticks me off, is that despite their innovations, they still continue to do their thing. In the upcoming Google+ launch, Google has stated that Google+ Profiles Will Be Public and that it's soon to terminate all private profiles (after July 31st)

This is also much different than Facebook’s privacy as you are able to virtually vanish by disallowing people to search for you, friend request you, message you or see any of your info. In Google+, if you have a profile, others can find you within the Google+ network.

Where do we go from here? As the masses flock to adopt a Facebook alternative - we'll wait and see what privacy advocates have to say about Google's privacy implementation. Hopefully laws and regulations will moderate Google's decisions to redefine privacy models as we know them - wherein hopefully the user should be able to decide what level of information Google is to share or disclose.

Posted by Donald Tabone

If you run a business of any size these days, running a network security audit is an essential process. The computer network in just about every organization contains information, the majority of which will either be business critical and/or sensitive in nature. Protecting that data is of paramount importance. But how can you achieve that objective if you are not sure whether the corporate network is secure in the first place?

A network security audit comes into play here as it will allow you to assess the number and type of security holes and vulnerabilities that exist on your business network.

The basic premise of a network security audit

The first network security audit that you run will fill focus on cataloguing your network’s assets and locations including:

· The devices connected to the network
· The operating systems running on those devices
· The level of updates/patches that have been applied to those systems

Continue reading "Why you need to do a network security audit"

Posted by Donald Tabone

Once again, in line with maltainfosec's aim of disseminating useful information on common web vulnerability threats, Veracode have published a number of free easy-to-understand security threat guides proving useful for audiences ranging from IT executives to consumer-level cell phone users.

Each guide consists of key concepts, impacts and videos giving an explanation of the threat itself. You can grab free these guides through the following links:

SQL Injection: http://www.veracode.com/security/sql-injection
Cross Site Scripting: http://www.veracode.com/security/xss
Cross Site Request Forgery: http://www.veracode.com/security/csrf
LDAP Injection: http://www.veracode.com/security/ldap-injection
Mobile Code Security: http://www.veracode.com/security/mobile-code-security

We hope we find these guides as useful as we found them!

Posted by Donald Tabone

How using a vulnerability scanner boosts productivity

A vulnerability scanner is a security tool that can be used to help you identify weaknesses in your system before the bad guys do. A vulnerability scanner can discover devices on your network that are open to known vulnerabilities. This can be achieved in different ways, such as by checking for specific patches or updates through registry entries on Windows machines, or by actually trying to exploit known vulnerabilities on the target device.

The benefits of using a vulnerability scanner vs. manual reviews

Whilst a vulnerability scanner may not be able to prevent attacks in and of itself, it will raise security awareness and provide reports on the risks that have been detected. It will also highlight which of those risks should be given the highest priority.
Vulnerability scanning can be either a manual or an automatic process.

A manual scan offers full process control and allows an administrator with a deep knowledge level to cover smart attack vectors. However, it is a slow process and far too prone to errors, especially if the administrator fails to employ a certain scan or doesn’t have the required level of skill to spot new or uncommon exploits.

On the other hand, a vulnerability scanner will automate many, if not most, of the tasks that network and system administrators need to employ in order to guarantee the security of the systems they are charged with protecting.

A vulnerability scanning tool will also automatically update itself with regard to the latest exploits which is a key point when you consider how quickly they are being discovered – not many IT experts can remember all the exploits from a couple of years ago, let alone ones that surfaced in the last month.

An automated tool is also of benefit because it produces detailed reports of its actions, allowing an administrator to then zoom in and target anything that gets flagged as being of particular interest. The main benefit though, and the easiest one to quantify and cost, is the time saving generated by utilizing a vulnerability scanner.

Continue reading "How using a vulnerability scanner boosts productivity"

Posted by Donald Tabone

IDC has the pleasure of inviting you to the IDC Datacenters Transformation, Cloud Computing and Security Roadshow which will take place on 15 April 2011, 09:00AM, at the WESTIN DRAGONARA

When: 15 APRIL 2011
Time: 9:00 AM,
Where: WESTIN DRAGONARA HOTEL, MALTA

KEY TOPICS

- Virtualization
- The Datacenter of the Future
- Storage Software and Hardware
- Information Lifecycle Management
- Green Datacenters
- Managed Services for the Datacenter Cloud Services & Cloud Computing
- The Transformative Interplay between Cloud & Traditional IT Offerings
- Cloud Computing & the SMB Market: Drivers & Opportunities
- Shifting Priorities & Opportunities for Traditional Service Providers
- Security in the Cloud

Speakers

Matthew Gat, CEO, MITA
Marco Gercke, Attorney-at-law
Tom Schwieters Vice President, Regional Director for Central Europe, IDC Hungary
George Dimitriou, Stakeholders Relations,ENISA

Click here to register

Continue reading "Event: IDC Datacenters Transformation, Cloud Computing & Security Roadshow"

Posted by Donald Tabone

A half-day training event is being organised by PwC Academy, entitled Auditing Web Applications.

Date: 8th of April 2011
Time: 9am-1:30pm
Fee: €65 per participant
Speaker: Mr. Nathan Gatt M.Sc Information Security, CISSP, CISA

You can download the full PwC Academy training document here for further details and booking.

Posted by Donald Tabone

Our sponsor GFI is organising a Careers Day

GFI Software provides web and mail security, archiving and fax, networking and security software and hosted IT solutions for small to medium-sized enterprises (SME) via an extensive global partner community.

Place: Radisson Blu Resort, St Julian’s
Date: Saturday, April 16
Time: 9.30am - 4.00p

GFI are looking for:

-SOFTWARE DEVELOPERS
-SOFTWARE TESTERS
-TECHNICAL COMMUNICATORS (USER EXPERIENCE)
-TECHNICAL SUPPORT REPRESENTATIVES
-SECURITY RESEARCHERS
-WEB DEVELOPERS

Download the PDF flyer here!

Posted by Donald Tabone

An evening educational session organised by ISACA Malta Chapter.

Title - An Introduction to Computer Contracts by Dr Antonio Ghio & Dr Paul Gonzi
Date – Thursday 17th March 2011
Time – 17:00 to 19:00
Place – Radisson Blu Resort, St Julians

ISACA MALTA CHAPTER Members are invited to attend this educational event free of charge. They in turn, can be accompanied by a colleague / non-member to attend also free of charge.

Reduced fee: €15 – for members of the Malta Institute of Accountants, the Malta Institute of Management, the IEEE, and the British Computer Society.

Fee for all other attendees: €20

Click HERE to register

Continue reading "ISACA Educational Event"

Posted by Donald Tabone

An evening educational session organised by ISACA Malta Chapter.

Title – A Demonstration of the Top Web Security Threats
Date – Wednesday 16th February 2011
Time – 17:00 to 19:00
Place – Radisson Blu Resort, St Julians

ISACA MALTA CHAPTER Members are invited to attend this educational event free of charge. They in turn, can be accompanied by a colleague / non-member to attend also free of charge.

Reduced fee: €15 – for members of the Malta Institute of Accountants, the Malta Institute of Management, the IEEE, and the British Computer Society.

Fee for all other attendees: €20
This talk will be delivered by Mr Sandro Gauci

To register click here

Continue reading "ISACA Educational Event"

Posted by Donald Tabone