<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   >
<channel>
    <title>Malta Info Security - Articles</title>
    <link>http://maltainfosec.org/</link>
    <description>Creating an Information Security community on the Maltese islands</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.5.3 - http://www.s9y.org/</generator>
    <pubDate>Sat, 27 Aug 2011 12:16:10 GMT</pubDate>

    <image>
        <url>http://maltainfosec.org/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: Malta Info Security - Articles - Creating an Information Security community on the Maltese islands</title>
        <link>http://maltainfosec.org/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>Review: Website protection using CloudFlare</title>
    <link>http://maltainfosec.org/archives/228-Review-Website-protection-using-CloudFlare.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/228-Review-Website-protection-using-CloudFlare.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=228</wfw:comment>

    <slash:comments>3</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=228</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    Given the recent rise of security breaches and targeted attacks on websites through the use of botnets, it stands to reason that the interest in protecting assets against DDoS attacks has grown - and with good reason too.&lt;br /&gt;
&lt;br /&gt;
However, a little research will reveal that there are various solutions that can be employed to protect valuable online assets that keep cash-cows going. Hardware solutions like Arbor devices work amazingly well; the downside is that they are often very expensive to purchase and maintain. Hybrid solutions such as those of Verisign are also excellent simply because they combine the power of cloud computing with powerful hardware, possibly offloading a lot of the administration work involved to the said company (Verisign). Keeping in mind that the latter are mostly enterprise solutions, there is a third option for smaller setups and that is CloudFlare.&lt;br /&gt;
&lt;br /&gt;
CloudFlare offer to protect and accelerate any online website. Once you switch over your DNS servers to CloudFlare, they optimise the delivery of your site&#039;s pages and block threats. In addition, they limit abusive bots and crawlers, effectively reducing spam and other attacks.&lt;br /&gt;
&lt;br /&gt;
Setup takes less than 5 minutes and it&#039;s platform independent as all you need to do is change your domain&#039;s DNS settings. There are three levels you can enable. The free version provides stats similar to Google Analytics about your visitors.&lt;a class=&quot;serendipity_image_link&quot;  href=&#039;http://maltainfosec.org/uploads/images/cloudflare1.JPG&#039; onclick=&quot;F1 = window.open(&#039;/uploads/images/cloudflare1.JPG&#039;,&#039;Zoom&#039;,&#039;height=638,width=1003,top=194.5,left=302.5,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:186 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;70&quot;  src=&quot;http://maltainfosec.org/uploads/images/cloudflare1.serendipityThumb.JPG&quot;  alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Moreover, the dashboard that you&#039;re provided with also allows you to trust/block any websites that show up as posing a threat.&lt;a class=&quot;serendipity_image_link&quot;  href=&#039;http://maltainfosec.org/uploads/images/cloudflare2.JPG&#039; onclick=&quot;F1 = window.open(&#039;/uploads/images/cloudflare2.JPG&#039;,&#039;Zoom&#039;,&#039;height=512,width=1034,top=194.5,left=302.5,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:186 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;70&quot;  src=&quot;http://maltainfosec.org/uploads/images/cloudflare2.serendipityThumb.JPG&quot;  alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The other two levels are CloudFlare Pro and Enterprise (the latter is still a work in progress). Signing up with them on the Pro plan allows for advanced security protection and virtually real-time stats. You also gain full control and insight into what&#039;s happening on your site. You can see the full plans &lt;a href=&quot;https://www.cloudflare.com/plans.html&quot;&gt;here&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
The bottom line is that the free service does an excellent job of providing a threat control dashboard for basic security measures such as blocking of traffic by country or IP range and reputation-based threat protection. Five stars to CloudFlare!&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;https://www.cloudflare.com/&quot;&gt;https://www.cloudflare.com/&lt;/a&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Fri, 26 Aug 2011 14:45:57 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/228-guid.html</guid>
    
</item>
<item>
    <title>4 Keys to More Holistic IT Security</title>
    <link>http://maltainfosec.org/archives/227-4-Keys-to-More-Holistic-IT-Security.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/227-4-Keys-to-More-Holistic-IT-Security.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=227</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=227</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    During 2011, we&#039;ve seen hackers attack several major businesses. Aside from the recent attack by Anonymous on San Francisco&#039;s BART, companies like PinnacleHealth, Sega, PBS, Sony, Lockheed Martin, EA, RSA and Citi have all faced security breaches this year alone. Still, there is a long list of small and medium businesses attacked that never made it to the public eye.&lt;br /&gt;
&lt;br /&gt;
As more public hacking tools with user-friendly GUIs are released every day, well-orchestrated hacker groups with niche targets have become increasingly public, gaining notoriety and inadvertently encouraging other hacker groups to flourish. Most importantly, numerous IT vulnerabilities still remain unexplored. Thus, it goes without saying that information security applications must top every company&#039;s list of urgent action items. &lt;br /&gt;
&lt;br /&gt;
Security is no longer a silver bullet or a one-size-fits-all solution; companies must take a holistic approach to creating programs that work. I&#039;ve seen countless companies buy very expensive and complex tools with the expectation that they will magically solve all problems. However, the same companies struggle in setting up these tools, getting them into action quickly and effectively training staff on usage. I&#039;ve also seen companies perform mundane, blanket security functions just to check a box, i.e., implement programs that barely meet security ratings but that do not offer targeted, comprehensive or effective consumer-protection strategies. Still others -- in an attempt to make security everyone&#039;s responsibility -- duplicate efforts and miss the opportunity to generate synergy and collaboration among business units.&lt;br /&gt;
&lt;br /&gt;
Here are some key issues that financial institutions should consider in order to move beyond a one-size-fits-all approach and begin successfully fighting cyber attacks. &lt;br /&gt;&lt;a href=&quot;http://maltainfosec.org/archives/227-4-Keys-to-More-Holistic-IT-Security.html#extended&quot;&gt;Continue reading &quot;4 Keys to More Holistic IT Security&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Fri, 19 Aug 2011 13:23:04 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/227-guid.html</guid>
    
</item>
<item>
    <title>Cyber Security Legal Practice: An Emerging Global Trend</title>
    <link>http://maltainfosec.org/archives/226-Cyber-Security-Legal-Practice-An-Emerging-Global-Trend.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/226-Cyber-Security-Legal-Practice-An-Emerging-Global-Trend.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=226</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=226</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    &lt;a href=&quot;http://ictps.blogspot.com/2011/08/cyber-security-laws-lawyers-and-law.html&quot;&gt;Cyber security legal practice&lt;/a&gt; is in its infancy the world over. There are many reasons for the slow espousal of cyber law and cyber security as a mainstream legal practice in various jurisdictions of the world. &lt;br /&gt;
&lt;br /&gt;
I believe that there are many reasons that are forcing a slow growth of cyber security, digital forensics and other segments of cyber law. Stakeholders like business houses, lawyers, etc. must play a more proactive role in this regard. &lt;br /&gt;
&lt;br /&gt;
Businesses and information technology go hand in hand and businesses cannot afford to wait. Businesses need to evolve themselves. The same is equally true for business attorneys / corporate law firms. A law firm advising its client on all legal aspects minus cyber law would not be protecting the commercial interest of its client completely, since for the survival and success of every business today, proper understanding as well as implementation of IT is a must. &lt;br /&gt;
&lt;br /&gt;
The proactive role of cyber law cannot be ignored. The principles of cyber law can equally be used by the lawyers to act proactively while developing new legal practices like cyber due diligence, IT audit, policy formulations etc. These are the requirements which must be followed by every business irrespective of level of immediate threat to them. &lt;br /&gt;
&lt;br /&gt;
Last but not least, the practice of looking at cyber law from an individual’s perspective must end. Cyber security is not just about the precautionary measures of safe browsing or protecting / saving your children from the menace of online pornography or cyber bullying or identity theft. Even the government bodies and institutions need to take care of their cyber law and cyber security requirements. The impact of any cyber threat to them could be even more devastating than to any private player. &lt;br /&gt;
&lt;br /&gt;
All these factors necessitate proper formulation of norms, guidelines and laws that can help in prevention of cyber crime and punishment of the same once they occur.&lt;br /&gt;
&lt;br /&gt;
Author: Geeta Dalal&lt;br /&gt;
Article cross-posted from &lt;a href=&quot;http://ictps.blogspot.com/2011/08/cyber-security-legal-practice-emerging.html&quot;&gt;International ICT Policies And Strategies&lt;/a&gt; 
    </content:encoded>

    <pubDate>Wed, 17 Aug 2011 15:35:57 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/226-guid.html</guid>
    
</item>
<item>
    <title>ENISA publishes who-is-who 2011 Directory</title>
    <link>http://maltainfosec.org/archives/224-ENISA-publishes-who-is-who-2011-Directory.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/224-ENISA-publishes-who-is-who-2011-Directory.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=224</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=224</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    In March 2011, ENISA published version 6 of what is known as the &lt;a href=&quot;http://www.enisa.europa.eu/publications/studies/who-is-who-directory-2011&quot; title=&quot;ENISA&quot;&gt;who-is-who directory&lt;/a&gt; on network and information security.&lt;br /&gt;
&lt;br /&gt;
Its target audience is those working closely with NIS issues in Europe. The &#039;Who-is-Who&#039; documents information on NIS stakeholders (such as national and European authorities and NIS organisations) and contacts, websites, and areas of responsibility or activity.  As such, it is a tool for the Agency goal to enhance NIS security levels in Europe, by facilitating contacts between security organisations and other NIS actors.&lt;br /&gt;
&lt;br /&gt;
The publication turns out to be useful as it lists the responsible bodies and their areas of responsibility. Summarised below are the authorities mentioned in ENISA&#039;s latest publication for Malta.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;National authorities in network and information security&lt;/em&gt;&lt;br /&gt;
-Malta Communications Authority&lt;br /&gt;
-Ministry for Infrastructure, Transport and Communications&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Computer Emergency Response Team (CERT)&lt;/em&gt;&lt;br /&gt;
-mtCERT&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Other bodies and organisations active in network and information security&lt;/em&gt;&lt;br /&gt;
-Malta Information Technology Agency&lt;br /&gt;
-CA Malta (Consumers’ Association of Malta)&lt;br /&gt;
&lt;br /&gt;
Sadly there is no mention of entities such as the NSA, CIIP, INFOSEC Council and several others mentioned in a previously written &lt;a href=&quot;http://maltainfosec.org/archives/222-Maltas-National-Security-Entities.html&quot;&gt;article&lt;/a&gt;. Moreover, whilst other countries like the UK and Romania list security entities like ISACA Chapters, our &lt;a href=&quot;isaca-malta.org&quot;&gt;local ISACA chapter&lt;/a&gt; is not mentioned.&lt;br /&gt;
&lt;br /&gt;
This article continues to extrapolate the said areas of responsibility for each authority mentioned above. &lt;br /&gt;&lt;a href=&quot;http://maltainfosec.org/archives/224-ENISA-publishes-who-is-who-2011-Directory.html#extended&quot;&gt;Continue reading &quot;ENISA publishes who-is-who 2011 Directory&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Fri, 29 Jul 2011 14:31:47 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/224-guid.html</guid>
    
</item>
<item>
    <title>Malta's National Security Entities</title>
    <link>http://maltainfosec.org/archives/222-Maltas-National-Security-Entities.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/222-Maltas-National-Security-Entities.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=222</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=222</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    In a recent &lt;a href=&quot;http://www.enisa.europa.eu/act/sr/files/country-reports/Malta.pdf&quot;&gt;report&lt;/a&gt; Malta submitted to &lt;a href=&quot;http://www.enisa.europa.eu/&quot;&gt;ENISA&lt;/a&gt; on Network and Information Security (NIS) related matters, the government presented its NIS strategy and governance models in terms of preparedness. &lt;br /&gt;
&lt;br /&gt;
Although Malta has an agency responsible for the implementation of the National Strategy for Information Technology known as the Malta Information Technology Agency (MITA), in 2010, this agency had some of its roles transferred to two new agencies:&lt;br /&gt;
&lt;br /&gt;
- INFOSEC, which is responsible for information security for the government, and has the task of defining the national direction for security;&lt;br /&gt;
&lt;br /&gt;
- The Critical Information Infrastructure Protection (CIIP) Unit, which will be responsible for critical infrastructure protection as well as coordinate all the stakeholders involved in critical information infrastructure issues. The aim of the CIIP Unit is to create a protection plan on a national level. It also has the task of encouraging actors from the private sector (ISPs, banks, etc.) to form their own CERT teams. From that point on, the CIIP Unit will start a forum involving those private sector CERT teams.&lt;br /&gt;
&lt;br /&gt;
In addition to the above, two new agencies were created:&lt;br /&gt;
&lt;br /&gt;
- The National Security Agency (NSA) now responsible for security in general, physical security issues and EU information matters.&lt;br /&gt;
&lt;br /&gt;
- The National Security Accreditation Authority (NSAA). This entity is now the overall security authority, under supervision of the prime minister’s cabinet. This agency supervises the NSA and the CIIP Unit.&lt;br /&gt;
&lt;br /&gt;
The report mentions yet another agency - the INFOSEC Council, created to bring all the government entities together for discussing INFOSEC and CIIP issues.&lt;br /&gt;
&lt;br /&gt;
&lt;a class=&quot;serendipity_image_link&quot;  href=&#039;http://maltainfosec.org/uploads/images/malta_nsa.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/images/malta_nsa.png&#039;,&#039;Zoom&#039;,&#039;height=426,width=690,top=194.5,left=302.5,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:186 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;67&quot;  src=&quot;http://maltainfosec.org/uploads/images/malta_nsa.serendipityThumb.png&quot;  alt=&quot;&quot; /&gt;&lt;/a&gt; If it sounds confusing, here&#039;s a pictorial representation of these entities taken from the said report.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The report goes on to mention the various legal regulatory frameworks relevant to data protection, privacy, cybercrime and the domestic criminal code concerning eIdentity and eCommunications (p8-10). Finally, the report provides some national statistics outlining how Malta fares in information technology matters when compared to the rest of Europe.&lt;br /&gt;
&lt;br /&gt;
Interestingly, back in 2004 another &lt;a href=&quot;https://www.mita.gov.mt/MediaCenter/PDFs/1_guidelines-electronic-communication.pdf&quot;&gt;report&lt;/a&gt; by the Central Information Management Unit (CIMU) also defined the Cabinet Secretariat as the designated Security Accreditation Authority (SAA) that certified individuals who are security cleared by the National Security Authority. At that time MITA (formerly MITTS) was CIMU&#039;s agent for operation matters, whilst CIMU acted as the INFOSEC Authority for Malta. Amongst other things, it was responsible for the accreditation of IT systems and networks, working jointly with the National Security Authority to provide information and advice on technical threats to security and the means for protecting them.&lt;br /&gt;
&lt;br /&gt;
At that time, the National Security Authority (then NSA) was the Malta Security Service. It was responsible in terms of the law for the security vetting of personnel who may have access to or handle classified information or who are involved in the technical operation maintenance of communication and information systems containing classified information. It was also charged with the setting of standards of security in the Central Registry and sub-Registries.&lt;br /&gt;
&lt;br /&gt;
There are currently no websites for the NSAA, NSA, CIIP and INFOSEC so there is very little information on the mandate or structure of these entities. Nevertheless, I anticipate a lot more visibility as the regulatory role of the government with regards to information security slowly becomes more prominent. 
    </content:encoded>

    <pubDate>Fri, 08 Jul 2011 21:52:26 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/222-guid.html</guid>
    
</item>
<item>
    <title>Google and privacy issues</title>
    <link>http://maltainfosec.org/archives/221-Google-and-privacy-issues.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/221-Google-and-privacy-issues.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=221</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=221</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    Amongst the various law related topics I&#039;m studying, a recent essay I submitted revolved around online privacy and the way different generations have put different values to it. From the legal aspect, privacy is relatively well defined as laws differentiate between &#039;personal details&#039; and &#039;sensitive details&#039; - however they are mostly there to guard against when they essentially get abused - in other words used or shared for reasons unapproved by us without specific consent. I won&#039;t go into the merits and the specifics of the law, however it pretty much comes down to us.&lt;br /&gt;
&lt;br /&gt;
Meaning that, just like we choose to disclose our personal details to internet giants like Google - we inevitably weigh the information disclosure we choose to disclose against the benefits we very greedily (as humans) choose to benefit from. The problem with this approach, is that the information we trade for such &#039;free&#039; services tends to come at a high price we don&#039;t immediately realise. As we all know, information is power and Google&#039;s aim is to harvest this information and profit from it - discreetly.&lt;br /&gt;
&lt;br /&gt;
So whilst TOS and Privacy Policies change eating away at our privacy, we continue to use these systems because of the heavy dependence we have come to benefit from. Of course some see this as a win-win situation however here&#039;s how our privacy levels are being defined by these giants. Being connected is all good -- and all about being in touch and up-to-date - which is fine, however take this scenario.&lt;br /&gt;
&lt;br /&gt;
I use GMail, have an Android phone, use Picasa, advertise using Adsense and Adwords, post on Buzz, use the Google Calendar, Chrome Sync for bookmarks and passwords, maintain my Contacts as Google Contacts, host docs online, use Google Latitude and Maps, host a couple of sites with Google and Google&#039;s chat. Seriously, which aspect of my daily life doesn&#039;t Google know of? &lt;br /&gt;
&lt;br /&gt;
Arguably the information I share is common knowledge - but is the information I share with this company worth the privacy I&#039;m giving up?&lt;br /&gt;
Just as in the past Google has committed several privacy violations, what keeps them from continuing to redefine privacy with the information they now possess?&lt;br /&gt;
&lt;br /&gt;
What ticks me off, is that despite their innovations, they still continue to do their thing. In the upcoming Google+ launch, Google has stated that Google+ Profiles Will Be Public and that it&#039;s soon to terminate all private profiles (&lt;a href=&quot;http://searchengineland.com/google-profiles-will-be-public-google-to-terminate-all-private-profiles-after-july-31st-84316&quot;&gt;after July 31st&lt;/a&gt;)&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;This is also much different than Facebook’s privacy as you are able to virtually vanish by disallowing people to search for you, friend request you, message you or see any of your info.  In Google+, if you have a profile, others can find you within the Google+ network.&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
Where do we go from here? As the masses flock to adopt a Facebook alternative - we&#039;ll wait and see what privacy advocates have to say about Google&#039;s privacy implementation. Hopefully laws and regulations will moderate Google&#039;s decisions to redefine privacy models as we know them - wherein hopefully the user should be able to decide what level of information Google is to share or disclose.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Wed, 06 Jul 2011 11:10:29 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/221-guid.html</guid>
    
</item>
<item>
    <title>Why you need to do a network security audit</title>
    <link>http://maltainfosec.org/archives/220-Why-you-need-to-do-a-network-security-audit.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/220-Why-you-need-to-do-a-network-security-audit.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=220</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=220</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    If you run a business of any size these days, running a network security audit is an essential process. The computer network in just about every organization contains information, the majority of which will either be business critical and/or sensitive in nature. Protecting that data is of paramount importance. But how can you achieve that objective if you are not sure whether the corporate network is secure in the first place?&lt;br /&gt;
&lt;br /&gt;
A network security audit comes into play here as it will allow you to assess the number and type of security holes and vulnerabilities that exist on your business network.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;The basic premise of a network security audit&lt;br /&gt;
&lt;/strong&gt;&lt;br /&gt;
The first network security audit that you run will focus on cataloguing your network’s assets and locations including:&lt;br /&gt;
&lt;br /&gt;
· The devices connected to the network&lt;br /&gt;
· The operating systems running on those devices&lt;br /&gt;
· The level of updates/patches that have been applied to those systems &lt;br /&gt;&lt;a href=&quot;http://maltainfosec.org/archives/220-Why-you-need-to-do-a-network-security-audit.html#extended&quot;&gt;Continue reading &quot;Why you need to do a network security audit&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Fri, 01 Jul 2011 07:43:53 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/220-guid.html</guid>
    
</item>
<item>
    <title>Free Security Threat Guides</title>
    <link>http://maltainfosec.org/archives/219-Free-Security-Threat-Guides.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/219-Free-Security-Threat-Guides.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=219</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=219</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    Once again, in line with maltainfosec&#039;s aim of disseminating useful information on common web vulnerability threats, Veracode have published a number of free easy-to-understand security threat guides proving useful for audiences ranging from IT executives to consumer-level cell phone users. &lt;br /&gt;
&lt;br /&gt;
Each guide consists of key concepts, impacts and videos giving an explanation of the threat itself. You can grab these guides for free through the following links:&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;SQL Injection: &lt;a href=&quot;http://www.veracode.com/security/sql-injection&quot;&gt;http://www.veracode.com/security/sql-injection&lt;/a&gt;&lt;br /&gt;
Cross Site Scripting: &lt;a href=&quot;http://www.veracode.com/security/xss&quot;&gt;http://www.veracode.com/security/xss&lt;/a&gt;&lt;br /&gt;
Cross Site Request Forgery: &lt;a href=&quot;http://www.veracode.com/security/csrf&quot;&gt;http://www.veracode.com/security/csrf&lt;/a&gt;&lt;br /&gt;
LDAP Injection: &lt;a href=&quot;http://www.veracode.com/security/ldap-injection&quot;&gt;http://www.veracode.com/security/ldap-injection&lt;/a&gt;&lt;br /&gt;
Mobile Code Security: &lt;a href=&quot;http://www.veracode.com/security/mobile-code-security&quot;&gt;http://www.veracode.com/security/mobile-code-security&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
We hope you find these guides as useful as we found them! 
    </content:encoded>

    <pubDate>Mon, 20 Jun 2011 15:02:35 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/219-guid.html</guid>
    
</item>
<item>
    <title>How using a vulnerability scanner boosts productivity</title>
    <link>http://maltainfosec.org/archives/218-How-using-a-vulnerability-scanner-boosts-productivity.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/218-How-using-a-vulnerability-scanner-boosts-productivity.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=218</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=218</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    &lt;strong&gt;How using a vulnerability scanner boosts productivity&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
A vulnerability scanner is a security tool that can be used to help you identify weaknesses in your system before the bad guys do. A vulnerability scanner can discover devices on your network that are open to known vulnerabilities. This can be achieved in different ways, such as by checking for specific patches or updates through registry entries on Windows machines, or by actually trying to exploit known vulnerabilities on the target device.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;The benefits of using a vulnerability scanner vs. manual reviews&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Whilst a vulnerability scanner may not be able to prevent attacks in and of itself, it will raise security awareness and provide reports on the risks that have been detected. It will also highlight which of those risks should be given the highest priority.&lt;br /&gt;
Vulnerability scanning can be either a manual or an automatic process. &lt;br /&gt;
&lt;br /&gt;
A manual scan offers full process control and allows an administrator with a deep knowledge level to cover smart attack vectors. However, it is a slow process and far too prone to errors, especially if the administrator fails to employ a certain scan or doesn’t have the required level of skill to spot new or uncommon exploits.&lt;br /&gt;
&lt;br /&gt;
On the other hand, a vulnerability scanner will automate many, if not most, of the tasks that network and system administrators need to employ in order to guarantee the security of the systems they are charged with protecting.&lt;br /&gt;
&lt;br /&gt;
A vulnerability scanning tool will also automatically update itself with regard to the latest exploits which is a key point when you consider how quickly they are being discovered – not many IT experts can remember all the exploits from a couple of years ago, let alone ones that surfaced in the last month.&lt;br /&gt;
&lt;br /&gt;
An automated tool is also of benefit because it produces detailed reports of its actions, allowing an administrator to then zoom in and target anything that gets flagged as being of particular interest. The main benefit though, and the easiest one to quantify and cost, is the time saving generated by utilizing a vulnerability scanner.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 &lt;br /&gt;&lt;a href=&quot;http://maltainfosec.org/archives/218-How-using-a-vulnerability-scanner-boosts-productivity.html#extended&quot;&gt;Continue reading &quot;How using a vulnerability scanner boosts productivity&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Mon, 13 Jun 2011 18:48:02 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/218-guid.html</guid>
    
</item>
<item>
    <title>Malta Electronic Identity Password Information</title>
    <link>http://maltainfosec.org/archives/211-Malta-Electronic-Identity-Password-Information.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/211-Malta-Electronic-Identity-Password-Information.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=211</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=211</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    In 2004 Government launched the Electronic Identity (e-ID) as part of its programme to create a strong eGovernment infrastructure based on sound identity management. Government drives the initiative in collaboration with the private sector by championing a strong and secure authentication mechanism that can evolve from the key to eGovernment to the trust behind eCommerce. (1)&lt;a class=&quot;serendipity_image_link&quot;  href=&#039;http://maltainfosec.org/uploads/images/eid.gif&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:181 --&gt;&lt;img class=&quot;serendipity_image_right&quot; width=&quot;168&quot; height=&quot;110&quot;  src=&quot;http://maltainfosec.org/uploads/images/eid.gif&quot;  alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Malta&#039;s eGovernment services portal relies on the e-ID (the single most trusted authentication mechanism) to provide a one-stop-shop for all eGovernment services. The portal allows the management of the user’s e-ID profile which contains personal details as well as functions for assignment and delegation. Citizens may “delegate” their eServices to other citizens (who have an e-ID) or to registered organisations. Through www.mygov.mt, the e-ID may also be used by organisations (e.g. businesses and administrations) which may “assign” the management of the eServices to an “Organisation Manager” who has an e-ID.(2)&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Over the coming 6 months, the government&#039;s e-ID system will be implementing a new password policy which will help increase the security of the system for the benefit of its users.&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;The effect of this new policy is that you will have to reset your password every 90 days.&lt;/em&gt;&lt;br /&gt;
&lt;br /&gt;
The e-ID system requires you to provide a strong password that meets the following criteria.&lt;br /&gt;
The password must not contain your full e-ID number, first or last name&lt;br /&gt;
The password must be at least 8 characters in length&lt;br /&gt;
The password must contain English uppercase characters (A through Z)&lt;br /&gt;
The password must contain English lowercase characters (a through z)&lt;br /&gt;
The password must contain base 10 digits (0 through 9)&lt;br /&gt;
The password must not be the same as any of your previous passwords&lt;br /&gt;
&lt;br /&gt;
Here at maltainfosec.org we thought of providing four easy steps to achieve the above:&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;1. Read-up on how to choose a secure password&lt;br /&gt;
2. Avoid common password pitfalls&lt;br /&gt;
3. Access a random password generator and pick a password that&#039;s secure and easy to remember&lt;br /&gt;
4. Finally, cross-check how secure the password you chose actually is&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Read on for some more suggestions on how to choose a secure password.. &lt;br /&gt;&lt;a href=&quot;http://maltainfosec.org/archives/211-Malta-Electronic-Identity-Password-Information.html#extended&quot;&gt;Continue reading &quot;Malta Electronic Identity Password Information&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Mon, 02 Aug 2010 13:21:26 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/211-guid.html</guid>
    
</item>
<item>
    <title>Site news</title>
    <link>http://maltainfosec.org/archives/210-Site-news.html</link>
            <category>Articles</category>
            <category>Competitions</category>
            <category>Forensics</category>
    
    <comments>http://maltainfosec.org/archives/210-Site-news.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=210</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=210</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    A few updates on what&#039;s happening on maltainfosec.org&lt;br /&gt;
&lt;br /&gt;
We realised that we tend to retweet a lot of tweets from HelpNetSecurity due to the obvious relevance of their articles --- as such, instead of retweeting their posts, we added a new column to the right of our webpage linking to the RSS article feed of &lt;a href=&quot;http://www.net-security.org/&quot;&gt;HelpNetSecurity&lt;/a&gt;. &#039;Caps off&#039; to the guys at HelpNetSecurity!&lt;br /&gt;
&lt;br /&gt;
We have new competition rules in the pipeline --- we&#039;ll be releasing a short article on this shortly --- thanks to our Sponsors! &lt;br /&gt;
&lt;br /&gt;
&lt;!-- s9ymdb:180 --&gt;&lt;img class=&quot;serendipity_image_right&quot; width=&quot;78&quot; height=&quot;110&quot;  src=&quot;http://maltainfosec.org/uploads/images/dfmag4.serendipityThumb.jpg&quot;  alt=&quot;&quot; /&gt;Meanwhile, a short note to promote an excellent magazine which has released its fourth issue just today.&lt;br /&gt;
&lt;blockquote&gt;Digital Forensics Magazine, one of the fastest growing resources available for IT security specialists, launches its fourth edition. With a global coverage, the print and online magazine is fast establishing itself as the must-have magazine for practitioners and students of digital forensics.&lt;/blockquote&gt;&lt;br /&gt;
Being a subscriber from issue 1 and a DF tutor on behalf of NCC, another &#039;caps off&#039; &amp;amp; kudos to this excellent magazine, which focuses on very relevant topics, hitting the nail on the head by striking the right balance between the legal aspects of Information Security and Forensics and technical review content. If you haven&#039;t subscribed yet, we recommend you visit their website and sign up - &lt;a href=&quot;http://www.digitalforensicsmagazine.com/&quot; title=&quot;http://www.digitalforensicsmagazine.com/&quot;&gt;http://www.digitalforensicsmagazine.com/&lt;/a&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
Issue 4, released online on August 1st 2010, takes a look at how effective traditional digital forensic techniques are at obtaining forensically sound data in scenarios where computer misuse has been used in attempts to frame the innocent. The DFM team also investigates and details the state of digital forensics in law enforcement around the world identifying which countries are doing well and which have much to do, highlighting the disparity in skills and qualifications between each. In a world that is getting ever more interconnected and one in which international online crime is on the increase, the industry should look to establish and apply minimum standards.&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
The rest of the article gives some more information and article tasters from Issue 4... &lt;br /&gt;&lt;a href=&quot;http://maltainfosec.org/archives/210-Site-news.html#extended&quot;&gt;Continue reading &quot;Site news&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Sun, 01 Aug 2010 09:13:01 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/210-guid.html</guid>
    
</item>
<item>
    <title>Information Security Basics</title>
    <link>http://maltainfosec.org/archives/208-Information-Security-Basics.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/208-Information-Security-Basics.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=208</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=208</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    &lt;em&gt;An article focused around security principles, security standards and the CIA triad by Brad C. Johnson echoed from the ISSA Journal&lt;/em&gt;&lt;br /&gt;
&lt;br /&gt;
Information security programs are built on the building blocks of information security basics. This article will describe these basics and give tangible examples of the types of topics and decisions you must grapple with to build such a program.&lt;br /&gt;
 &lt;br /&gt;
&lt;strong&gt;Abstract&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
IT information security programs are built on the building blocks of information security basics. The mortar for these blocks are the basic principles of security: confidentiality, integrity, and availability. The blocks that form the foundation are a variety of fundamental security topics such as risk assessments, security policies, asset management, physical security, operational management, and incident management to name a few. Understanding the concepts that define the basics of information security is critical to building a robust security program. This article will describe these basics and give tangible examples of the types of topics and decisions you must grapple with to build such a program.&lt;br /&gt;
 &lt;br /&gt;
&lt;strong&gt;The basics&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Information security means the protection of both information and information systems. We want to protect these things to ensure that access to them is controlled. We want to make sure that only authorized people and processes can access them and only at appropriate times. We want to make sure that the information is only disclosed in ways that we control, that access to it is not disrupted, and that data is only changed – created, modified, or removed – under the conditions we define.&lt;br /&gt;
 &lt;br /&gt;
Information, as we all know, is stored in a variety of ways: on paper, in voicemail systems, in people’s minds, and on a variety of electronic technologies. Information systems can take the form of a group of people (e.g., the Information Security Group), a collection of policies, or a collection of electronic devices (routers, firewalls, security software). All in all, information security is an expansive topic that affects virtually everyone within an enterprise.&lt;br /&gt;
 &lt;br /&gt;
The word basic also needs to be put in the appropriate context. Some people assume that it means something trivial or achieved quickly or without a lot of effort. In fact, it is the exact opposite. It is about fundamentals: actions that are rehearsed, acted on, refined, and monitored on a regular basis. In the sport of football, blocking and tackling are considered basic skills that are necessary to succeed at any level. No matter what kinds of offense or defensive schemes are used, they can only be successfully executed with sound blocking and tackling techniques. These techniques are rehearsed continuously throughout the season. These techniques are uniquely coached to fit the special needs of the plays you are trying to run. Information security basics are the same thing. They are practiced continuously.&lt;br /&gt;
 &lt;br /&gt;
As we all know, security is not an end-game but an ongoing process: a way of thinking. The more ingrained that security is within the corporate culture, the more likely it is you can succeed at meeting the needs of your business. Security is an iterative process with the goal of continually improving each of your policies, procedures, or controls.&lt;br /&gt;
Whether you know it or not, the roots for information security within an IT organization are built on the well-known CIA triad for security policy development[1]. Briefly put, the CIA Triad is a security model built around three critical areas: integrity, confidentiality, and availability. Those concepts are handled within the confines of your hardware, software, and communications information systems. Those information systems and critical areas are therein executed by people, products, and procedures. &lt;br /&gt;&lt;a href=&quot;http://maltainfosec.org/archives/208-Information-Security-Basics.html#extended&quot;&gt;Continue reading &quot;Information Security Basics&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Sat, 24 Jul 2010 10:08:57 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/208-guid.html</guid>
    
</item>
<item>
    <title>GFI Software Enhances its Security Product Offering with the Acquisition of Sunbelt Software</title>
    <link>http://maltainfosec.org/archives/207-GFI-Software-Enhances-its-Security-Product-Offering-with-the-Acquisition-of-Sunbelt-Software.html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/207-GFI-Software-Enhances-its-Security-Product-Offering-with-the-Acquisition-of-Sunbelt-Software.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=207</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=207</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    &lt;a class=&quot;serendipity_image_link&quot;  href=&#039;http://www.gfi.com/page/55854/gfi-software-enhances-its-security-product-offering-with-the-acquisition-of-sunbelt-software&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:177 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;352&quot; height=&quot;69&quot;  src=&quot;http://maltainfosec.org/uploads/images/gfi-sunbelt.jpg&quot;  alt=&quot;GFI&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The company’s VIPRE technology will allow GFI to offer its own established antivirus product&lt;br /&gt;
&lt;br /&gt;
GFI Software, a market leading provider of software infrastructure products for small and medium-sized enterprises, announced today that it has acquired Sunbelt Software and specifically its VIPRE® product suite. Terms of the transaction were not disclosed. The acquisition will allow GFI to merge VIPRE technology into GFI’s email security and web security solutions group, and will provide GFI with new security products consisting of world-class and innovative technology. The assets of Sunbelt&#039;s software distribution business, started over 16 years ago and separate from the technology side of the company (focused on selling DoubleTake high-availability software), will be divested into a separate entity and the company is exploring other strategic partnerships.&lt;br /&gt;
&lt;br /&gt;
Catch the full article &lt;a href=&quot;http://www.gfi.com/page/55854/gfi-software-enhances-its-security-product-offering-with-the-acquisition-of-sunbelt-software&quot; title=&quot;GFI&quot;&gt;here&lt;/a&gt; 
    </content:encoded>

    <pubDate>Wed, 14 Jul 2010 13:34:12 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/207-guid.html</guid>
    
</item>
<item>
    <title>ISACA Conference &amp; Educational Event</title>
    <link>http://maltainfosec.org/archives/204-ISACA-Conference-Educational-Event.html</link>
            <category>Articles</category>
            <category>Events</category>
    
    <comments>http://maltainfosec.org/archives/204-ISACA-Conference-Educational-Event.html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=204</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=204</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    Conference Reminder:&lt;strong&gt; 21st May 2010&lt;/strong&gt;.&lt;br /&gt;
If you have not yet registered and plan to attend, make sure you log on to http://www.itgovernancemalta.com/index.php/book-here to reserve a seat.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Educational Event&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Tuesday 25th May 2010 from 17:15 to 19:15 at the Radisson Blu Resort, St. Julians&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://isaca-malta.org/onlinereg/index.php?option=com_attend_events&amp;Itemid=1&amp;task=view&amp;id=11&quot;&gt;Book Here&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The concept of continuous auditing has been around for many years. It has been talked about, researched and theorised. Many organisations have made significant investments of time and money, yet for most organisations it is nothing more than an unrealised dream. As a matter of fact, one organisation&#039;s version of continuous auditing may differ dramatically from another organisation&#039;s implementation. This event will look at the reasons for this. It will look at how organisations and auditors can bridge the gap and turn the concept into reality.&lt;br /&gt;
&lt;br /&gt;
The educational event will also provide an understanding of the concepts and strategies required for continuous auditing. During this session you will discover the benefits to be gained from continuous auditing and the practicalities of implementing it in your own organisation.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Speaker Profile&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Derek J. Oliver is an Information Audit &amp;amp; Security specialist with over 27 years experience and is qualified as a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), a Fellow of the British Computer Society (FBCS) and a BCS Chartered IT Professional (CITP). His background in the IT Infrastructure Library (ITIL) is represented by Fellowship of the Institute of IT Service Management (FISM) and he has been recognized as a Member of the Institute of Information Security Professionals (MInstISP). In 1996, he was admitted a Freeman of the City of London and he is a CHIP registered Health Informatics Practitioner at Level 3 (highest).&lt;br /&gt;
&lt;br /&gt;
Following a Master of Science (MSc) degree in Information Technology, awarded for his work on disaster recovery and business continuity planning, he received a Doctorate (PhD) for research into the various elements of executive policies contributing to information security management. He has since been awarded an Honorary DBA by Belford University in recognition of his work in the development of the CISM designation. He is internationally regarded as an expert in Information Security Governance, especially using CobiT, ITIL and ISO27001 and is a regular presenter at many international conferences and training courses on a variety of security, fraud and audit topics. &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;ISACA MALTA CHAPTER members attend this educational event for free.&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Reduced Fee: €15*&lt;br /&gt;
*Members of Malta Institute of Accountants, Malta Institute of Management, IEEE, and British Computer Society are eligible for the reduced fee.&lt;br /&gt;
Others €20 
    </content:encoded>

    <pubDate>Mon, 17 May 2010 14:13:24 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/204-guid.html</guid>
    
</item>
<item>
    <title>Watching your online customs..</title>
    <link>http://maltainfosec.org/archives/203-Watching-your-online-customs...html</link>
            <category>Articles</category>
    
    <comments>http://maltainfosec.org/archives/203-Watching-your-online-customs...html#comments</comments>
    <wfw:comment>http://maltainfosec.org/wfwcomment.php?cid=203</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://maltainfosec.org/rss.php?version=2.0&amp;type=comments&amp;cid=203</wfw:commentRss>
    

    <author>nospam@example.com (Donald Tabone)</author>
    <content:encoded>
    SANS has an excellent website with a collection of &lt;a href=&quot;http://bit.ly/bmYnFB&quot;&gt;Security Awareness Tips&lt;/a&gt; coming from various contributors. Amongst them are nifty ways to ensure you do not fall victim to identity theft or worse. I&#039;ve collected some of them below:&lt;br /&gt;
&lt;br /&gt;
- Always lock your computer (by pressing CTRL + ALT + DELETE and hitting &quot;Enter&quot;) before walking away from it. Find the section that explains how to create a simple desktop shortcut to lock your PC.&lt;br /&gt;
- Use variations on a strong &quot;core&quot; password&lt;br /&gt;
- Don&#039;t Investigate a Security Problem Unless You Are Authorized by the System Owner&lt;br /&gt;
- Protect Yourself from Identity Theft&lt;br /&gt;
- Check for encryption or secure sites when providing confidential information online&lt;br /&gt;
- Patch and update on a regular basis&lt;br /&gt;
- Don&#039;t Trust Links Sent in Email Messages.. Phishing with a &#039;Ph&#039;&lt;br /&gt;
- Don&#039;t click on links in pop-ups or banner advertisements&lt;br /&gt;
- &quot;Can you hear me now?&quot; Do NOT trust your cell phone Bluetooth earpiece -&lt;strong&gt; think it&#039;s unlikely.. see the below YouTube video..&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Take a moment to browse through the &lt;a href=&quot;http://bit.ly/bmYnFB&quot;&gt;SANS&lt;/a&gt; site when you next get a chance..! &lt;br /&gt;&lt;a href=&quot;http://maltainfosec.org/archives/203-Watching-your-online-customs...html#extended&quot;&gt;Continue reading &quot;Watching your online customs..&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Mon, 12 Apr 2010 09:48:27 -0700</pubDate>
    <guid isPermaLink="false">http://maltainfosec.org/archives/203-guid.html</guid>
    
</item>

</channel>
</rss>
