Aug 2
In 2004 Government launched the Electronic Identity (e-ID) as part of its programme to create a strong eGovernment infrastructure based on sound identity management. Government drives the initiative in collaboration with the private sector by championing a strong and secure authentication mechanism that can evolve from the key to eGovernment to the trust behind eCommerce. (1)

Malta's eGovernment services portal relies on the e-ID (the single most trusted authentication mechanism) to provide a one-stop-shop for all eGovernment services. The portal allows the management of the user’s e-ID profile which contains personal details as well as functions for assignment and delegation. Citizens may “delegate” their eServices to other citizens (who have an e-ID) or to registered organisations. Through www.mygov.mt, the e-ID may also be used by organisations (e.g. businesses and administrations) which may “assign” the management of the eServices to an “Organisation Manager” who has an e-ID.(2)

Over the coming 6 months, the government's e-ID system will be implementing a new password policy which will help increase the security of the system for the benefit of its users.

The effect of this new policy is that you will have to reset your password every 90 days.

The e-ID system requires you to provide a strong password that meets the following criteria:

- The password must not contain your full e-ID number, first or last name
- The password must be at least 8 characters in length
- The password must contain English uppercase characters (A through Z)
- The password must contain English lowercase characters (a through z)
- The password must contain base 10 digits (0 through 9)
- The password must not be the same as any of your previous passwords
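As an added example (not the e-ID system's own code), the six rules above and the 90-day rotation written out as a checker; the e-ID number format, the sample person, and the PBKDF2 parameters used to keep the password history are assumptions.

```python
"""Validator for the e-ID password policy described above.

Constructed example, not the e-ID system's own code. The e-ID number
format, the PBKDF2 work factor and the expiry helper are assumptions.
"""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 50_000  # assumed work factor; the real system's is not published


class PasswordHistory:
    """Keeps previous passwords only as salted PBKDF2-SHA256 digests, so the
    'not the same as any previous password' rule can be enforced without
    ever storing a plaintext password."""

    def __init__(self):
        self._entries = []  # list of (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def add(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))

    def contains(self, password):
        # Re-derive with each stored salt and compare in constant time.
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)


def check_eid_password(password, eid_number, first_name, last_name, history=None):
    """Return the list of policy rules the candidate password breaks.
    An empty list means the password is acceptable under all six rules."""
    problems = []
    lowered = password.lower()
    # Rule 1: must not contain the full e-ID number, first name or last name.
    # Compared case-insensitively so 'borg' and 'BORG' are both caught.
    for label, value in (("e-ID number", eid_number),
                         ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")
    # Rule 2: minimum length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Rules 3-5: English uppercase, English lowercase and base-10 digits.
    # Explicit ASCII ranges match the policy wording, so accented or
    # non-Latin letters do not satisfy the requirement.
    for pattern, label in ((r"[A-Z]", "an uppercase letter (A-Z)"),
                           (r"[a-z]", "a lowercase letter (a-z)"),
                           (r"[0-9]", "a digit (0-9)")):
        if not re.search(pattern, password):
            problems.append(f"does not contain {label}")
    # Rule 6: must differ from every previous password.
    if history is not None and history.contains(password):
        problems.append("is the same as a previous password")
    return problems


def password_expired(last_changed_iso, today_iso):
    """True when the password is older than the 90-day rotation period.
    Both arguments are ISO dates (YYYY-MM-DD)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample holder; the e-ID number format is an assumption.
    history = PasswordHistory()
    history.add("Winter2009x")
    for candidate in ("Borg1234", "password", "Winter2009x", "Tr0ub4dor&3"):
        result = check_eid_password(candidate, "1234567M", "Maria", "Borg", history)
        print(candidate, "->", result or "OK")
    print("expired after 93 days?", password_expired("2010-05-01", "2010-08-02"))
```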

Here at maltainfosec.org we thought we would provide four easy steps to achieve the above:

1. Read-up on how to choose a secure password
2. Avoid common password pitfalls
3. Access a random password generator and pick a password that's secure and easy to remember
4. Finally, cross-check how secure the password you chose actually is


Read on for some more suggestions on how to choose a secure password.

Continue reading "Malta Electronic Identity Password Information"

Posted by Donald Tabone

Aug 1
Competitions: A few updates on what's happening on maltainfosec.org

We realised that we tend to retweet a lot of tweets from HelpNetSecurity due to the obvious relevance of their articles --- as such, instead of retweeting their posts, we added a new column to the right of our webpage linking to the RSS article feed of HelpNetSecurity. 'Caps off' to the guys at HelpNetSecurity!

We have new competition rules in the pipeline --- we'll be releasing a short article on this shortly --- thanks to our Sponsors!

Meanwhile, a short note to promote an excellent magazine which has released its fourth issue just today.
Digital Forensics Magazine, one of the fastest growing resources available for IT security specialists, launches its fourth edition. With global coverage, the print and online magazine is fast establishing itself as the must-have magazine for practitioners and students of digital forensics.

Being a subscriber from issue 1 and a DF tutor on behalf of NCC, another 'caps off' & kudos to this excellent magazine, which focuses on very relevant topics, hitting the nail on the head by striking the right balance between the legal aspects of Information Security and Forensics and technical review content. If you haven't subscribed yet, we recommend you visit their website and sign up - http://www.digitalforensicsmagazine.com/

Issue 4, released online on August 1st 2010, takes a look at how effective traditional digital forensic techniques are at obtaining forensically sound data in scenarios where computer misuse has been used in attempts to frame the innocent. The DFM team also investigates and details the state of digital forensics in law enforcement around the world, identifying which countries are doing well and which have much to do, highlighting the disparity in skills and qualifications between each. In a world that is getting ever more interconnected and one in which international online crime is on the increase, the industry should look to establish and apply minimum standards.


The rest of the article gives some more information and article tasters from Issue 4...

Continue reading "Site news"

Posted by Donald Tabone

Jul 31
Competitions: Starting August 2010, we will be changing the way we give away our monthly €20 Amazon voucher, courtesy of GFI Software.

Every month, maltainfosec sends out 50 or more tweets on various articles -- giving a heads-up on cutting-edge security news, reviews and whatever is happening in the security arena in Malta and around the world.

All you need to do is retweet (RT) our posts and we will choose a random winner every month to win the Amazon voucher. You will be contacted via Direct Message (DM) over Twitter if you have been chosen.

So if you haven't signed up for a Twitter account, visit twitter.com, sign-up and start following maltainfosec on Twitter. Retweet (RT) our tweets and you're in for a chance of winning a €20 voucher from Amazon.co.uk or Amazon.com.

[ Competition base-rules ]

1. The competition is open to anyone anywhere.
2. You can only win once.
3. The competition is not open to contributors of http://maltainfosec.org
4. If the winner does not reply to our Direct Message (DM) within a week, maltainfosec will choose another winner
5. The winner must be a follower of maltainfosec on Twitter
6. We reserve the right to change the competition rules from time to time, in which case, the changes will be reflected in this post.

Good luck :-)

Posted by Donald Tabone

Jul 24
An article focused on security principles, security standards and the CIA triad, by Brad C. Johnson, reproduced from the ISSA Journal.

Abstract

IT information security programs are built on the building blocks of information security basics. The mortar for these blocks are the basic principles of security: confidentiality, integrity, and availability. The blocks that form the foundation are a variety of fundamental security topics such as risk assessments, security policies, asset management, physical security, operational management, and incident management to name a few. Understanding the concepts that define the basics of information security is critical to building a robust security program. This article will describe these basics and give tangible examples of the types of topics and decisions you must grapple with to build such a program.

The basics

Information security means the protection of both information and information systems. We want to protect these things to ensure that access to them is controlled. We want to make sure that only authorized people and processes can access them and only at appropriate times. We want to make sure that the information is only disclosed in ways that we control, that access to it is not disrupted, and that data is only changed – created, modified, or removed – under the conditions we define.

Information, as we all know, is stored in a variety of ways: on paper, in voicemail systems, in people’s minds, and on a variety of electronic technologies. Information systems can take the form of a group of people (e.g., the Information Security Group), a collection of policies, or a collection of electronic devices (routers, firewalls, security software). All in all, information security is an expansive topic that affects virtually everyone within an enterprise.

The word basic also needs to be put in the appropriate context. Some people assume that it means something trivial or achieved quickly or without a lot of effort. In fact, it is the exact opposite. It is about fundamentals: actions that are rehearsed, acted on, refined, and monitored on a regular basis. In the sport of football, blocking and tackling are considered basic skills that are necessary to succeed at any level. No matter what kinds of offensive or defensive schemes are used, they can only be successfully executed with sound blocking and tackling techniques. These techniques are rehearsed continuously throughout the season. These techniques are uniquely coached to fit the special needs of the plays you are trying to run. Information security basics are the same thing. They are practiced continuously.

As we all know, security is not an end-game but an ongoing process: a way of thinking. The more ingrained that security is within the corporate culture, the more likely it is you can succeed at meeting the needs of your business. Security is an iterative process with the goal of continually improving each of your policies, procedures, or controls.

Whether you know it or not, the roots for information security within an IT organization are built on the well-known CIA triad for security policy development [1]. Briefly put, the CIA Triad is a security model built around three critical areas: integrity, confidentiality, and availability. Those concepts are handled within the confines of your hardware, software, and communications information systems. Those information systems and critical areas are therein executed by people, products, and procedures.

Continue reading "Information Security Basics"

Posted by Donald Tabone

Jul 14
The company’s VIPRE technology will allow GFI to offer its own established antivirus product

GFI Software, a market leading provider of software infrastructure products for small and medium-sized enterprises, announced today that it has acquired Sunbelt Software and specifically its VIPRE® product suite. Terms of the transaction were not disclosed. The acquisition will allow GFI to merge VIPRE technology into GFI’s email security and web security solutions group, and will provide GFI with new security products consisting of world-class and innovative technology. The assets of Sunbelt's software distribution business, started over 16 years ago and separate from the technology side of the company (focused on selling DoubleTake high-availability software), will be divested into a separate entity and the company is exploring other strategic partnerships.

Catch the full article here

Posted by Donald Tabone

Jun 15
St. Martins Institute will be holding a meeting regarding their MSc Information Security programme on Friday 18th June.

This meeting will be addressed by Dr Colin Walter, Course Director at the Information Security Group, Royal Holloway of the University of London.

Date: 18th June 2010
Time: 5.30pm to 6.30pm
Venue: St Martin’s Institute of IT room 227

Should you wish to attend, please send an email to abianchi at stmartins.edu.mt to reserve a seat.

Posted by Donald Tabone

Jun 15
ICT Solutions is organising a morning seminar with HP to present HP's Business Critical Infrastructure.

The seminar is aimed at IT and business executives with an interest in business continuity. Registration is free and may be completed using the registration form below.

Date: 23 June 2010
Time: 08:30 - 13:00
Venue: Westin Dragonara Resort, St. Julian's
Topics:
- An Introduction to HP Converged Infrastructure
- Enterprise Solutions for your Mission Critical Business Environment
- How to handle the Data Explosion - HP Storage Strategies
- HP Business Networking Solutions

More information can be found here.

Posted by Donald Tabone

May 17
Conference Reminder: 21st May 2010.
If you have not yet registered and plan to attend, make sure you log on to http://www.itgovernancemalta.com/index.php/book-here to reserve a seat.

Educational Event

Tuesday 25th May 2010 from 17:15 to 19:15 at the Radisson Blu Resort, St. Julians

Book Here

The concept of continuous auditing has been around for many years. It has been talked about, researched and theorised. Many organisations have made significant investments of time and money, yet for most organisations it is nothing more than an unrealised dream. As a matter of fact, one organisation's version of continuous auditing may differ dramatically from another organisation's implementation. This event will look at the reasons for this. It will look at how organisations and auditors can bridge the gap and turn the concept into reality.

The educational event will also provide an understanding of the concepts and strategies required for continuous auditing. During this session you will discover the benefits to be gained from continuous auditing and the practicalities of implementing it in your own organisation.

Speaker Profile

Derek J. Oliver is an Information Audit & Security specialist with over 27 years' experience and is qualified as a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), a Fellow of the British Computer Society (FBCS) and a BCS Chartered IT Professional (CITP). His background in the IT Infrastructure Library (ITIL) is represented by Fellowship of the Institute of IT Service Management (FISM) and he has been recognized as a Member of the Institute of Information Security Professionals (MInstISP). In 1996, he was admitted as a Freeman of the City of London and he is a CHIP registered Health Informatics Practitioner at Level 3 (highest).

Following a Master of Science (MSc) degree in Information Technology, awarded for his work on disaster recovery and business continuity planning, he received a Doctorate (PhD) for research into the various elements of executive policies contributing to information security management. He has since been awarded an Honorary DBA by Belford University in recognition of his work in the development of the CISM designation. He is internationally regarded as an expert in Information Security Governance, especially using CobiT, ITIL and ISO27001 and is a regular presenter at many international conferences and training courses on a variety of security, fraud and audit topics.

ISACA MALTA CHAPTER members attend this educational event for free.

Reduced Fee: €15*
Others €20

*Members of Malta Institute of Accountants, Malta Institute of Management, IEEE, and British Computer Society are eligible for the reduced fee.

Posted by Donald Tabone

Apr 12
SANS has an excellent website with a collection of Security Awareness Tips coming from various contributors. Amongst them are nifty ways to ensure you do not fall victim to identity theft or worse. I've collected some of them below:

- Always lock your computer (by pressing CTRL + ALT + DELETE and hitting "Enter") before walking away from it. Find the section that explains how to create a simple desktop shortcut to lock your PC.
- Use variations on a strong "core" password
- Don't Investigate a Security Problem Unless You Are Authorized by the System Owner
- Protect Yourself from Identity Theft
- Check for encryption or secure sites when providing confidential information online
- Patch and update on a regular basis
- Don't Trust Links Sent in Email Messages.. Phishing with a 'Ph'
- Don't click on links in pop-ups or banner advertisements
- "Can you hear me now?" Do NOT trust your cell phone Bluetooth earpiece - think it's unlikely? See the YouTube video below.

Take a moment to browse through the SANS site when you next get a chance!

Continue reading "Watching your online customs.."

Posted by Donald Tabone

Apr 7
Computime Ltd would like to invite you to a half-day specialized security seminar which is being held at the San Gorg Corinthia in St George’s Bay on Wednesday 14th April.

The seminar aims to help you:

1) Automate and Patrol Your Organisation's Security: Learn about the latest solutions in Security and Event Management from LogRhythm, a company which provides enterprise-class Log Management and SIEM 2.0 solutions that empower organizations to comply with regulations, secure their networks, optimize IT operations and gain visibility over all their security activity.

2) Fast track to PCI Compliance: All malicious activity that can result in compromise of core enterprise assets such as intellectual property, know-how, trade secrets, and customer data, must be stopped regardless of the perpetrator's location. Packet GENERAL Networks will tackle issues of data security — protection of proprietary and sensitive corporate information assets from unauthorized/illegal access or use, disclosure, modification, and/or destruction, as well as PCI Compliance solutions.

Join us to learn more about Computime's solutions in IT security, especially in view of Security Information and Event Management (SIEM) and Payment Card Industry Data Security Standard (PCI DSS) compliance. Our key speakers are industry experts who will help you better understand the security threats your organization may be facing, how to interpret log information in order to be able to assess the security levels of your system, and how to ensure PCI compliance in accordance with current legal requirements.

More details on the specific LinkedIn page

Posted by Donald Tabone

Mar 23
The next educational event organised by the ISACA MALTA CHAPTER will be held on the 23rd March between 18:00 and 20:00. The topic to be tackled during this event is "The Economics of the Green Agenda in Information Technology”. The event will be held at the Radisson Blu Resort in St. Julians.

The event is eligible for CISA/CISM CPE Hours. We are awaiting approval for MIA CPE hours.

Book your attendance to this event on www.isaca-malta.org.

The speaker of this event is Mr. Anton Cristina – General Manager, at Computer Solutions Malta

Anton joined Computer Solutions in Q3 2008. He comes with a wealth of experience within the IT industry gained overseas. Before relocating to Malta, Anton worked with 'Big Blue', IBM Ireland. He worked with IBM Global Services consulting customers on E-business Hosting, Business Continuity & Recovery Services, and Organizational Strategy & Change. Anton has cross-industry experience and went on to run the SMB Territory in Ireland and drove IBM's Systems Integrator capabilities in the Irish market.

For this event, Anton will identify and discuss the relevant issues of The Green Agenda and the economic and other benefits that technology brings to the table through consolidation, cloud computing and virtualization. He will discuss how these issues are shaping business strategies in today's economic climate. In addition, Anton will touch on the challenges C-level Executives face as they aim to strike a balance between a green IT strategy and a green balance sheet. The event will interest CEOs, CFOs, CIOs, CTOs, Data Centre Managers, IT Architects, Software Developers, Testers, Auditors, as well as IT Auditors from all industry sectors. These executives strive to protect their organisation's revenue streams and business reputation by appropriately investing in making their business more effective and resilient.

ISACA MALTA CHAPTER members attend for free.
Reduced Fee: €15*
Others €20

*Members of Malta Institute of Accountants, Malta Institute of
Management, IEEE, and British Computer Society are eligible for the
reduced fee.

Posted by Donald Tabone

Mar 19
There's an upcoming CISSP seminar organised by Computer Domain. The training programme is fully covered by the myPotential scheme, so the fee will be refunded to you through tax credits provided that you successfully complete the programme.

The trainer is a foreign expert employed directly by (ISC)2 and the examination will be available at the end of the training programme locally as well.

The syllabus is available from here
The application form is available from here

If you'd like more information, you may use the contact details at the top of the page to get in contact with Computer Domain.

Posted by Donald Tabone

Feb 15
One of the most common questions that I get asked is "What does it take to be a security professional?" The answer is often not easily found especially since companies tend to look beyond certifications and degrees. Of course if you couple experience with academic qualifications you actually have the best of both worlds.. but what does it really take to be a respected information security professional? The following is an extract from an article I came across. It attempts to address some aspects that go beyond skill sets.. in fact I might dare call them soft skills..

To be considered a respected Information Security Professional nowadays requires more than just knowing the bits or bytes, or the controls required by a given framework by heart. Being successful in your Information Security career requires you to have a deep understanding of the business needs (and how to enable, not disrupt them), sharp communication skills and a swift ability to sell yourself.


1. Learn to communicate effectively
2. Learn to say 'maybe' rather than 'no'
3. Social networking sites are not just extensions of instant messengers
4. Monitor security industry budgets and salary trends
5. Don’t be limited to just reading
6. Blogging is serious business
7. Don’t be afraid of starting a business


Read the full article here.

Once you've honed these skills, check out the 10 coolest Information Security Careers.

Source: My Information Security Job

Posted by Donald Tabone

Feb 6
The next educational event organised by the ISACA MALTA CHAPTER will be held on the 23rd of February between 18:00 and 20:00. The topic to be tackled during this event is "The Business Value of Virtualization". The event will be held at the Radisson Blu Resort in St. Julians.

The event is eligible for CISA/CISM CPE Hours. We are awaiting approval for MIA CPE hours.

This event will discuss the value delivery of making effective and efficient use of virtualization to local businesses. Topics to be discussed during the event shall include:

- Virtualization and the value delivery from IT assets
- Cost of ownership and operation
- Achieve more with less IT resources through virtualization
- Improved Business Continuity and Disaster Recovery
- Security & Compliance of virtual workloads

Continue reading "ISACA Event: The Business Value of Virtualization"

Posted by Donald Tabone

Jan 7


Fiber Optic Valley is one of Europe’s leading high-tech communities with a population of around 500,000 in the south eastern region of Sweden. This is a cluster of ICT companies and educational institutes developing cutting edge applications using fiber optic technologies and telecommunications. Fiber Optic Valley has a vision that by 2015 it will become the fiber optic centre of Europe. The Valley is being transformed to make Sweden into the world leader in the development of products and services based on fiber optics.

Cluster Manager at Fiber Optic Valley, Jeanette Waax will be giving a presentation answering the following questions:

Why does this community need a vision, what technologies are involved?
Why do companies such as Ericsson get involved in such ventures?
How do ICT companies collaborate with educational institutions to develop new applications?


Where: STC Training
When: Thursday 14th January
Time: 18.00


These are some of the topics that will be dealt with during this presentation, which will also highlight some cutting edge applications developed at the Valley.

This is an event which is not to be missed! Please confirm your attendance by sending an email to info@stcmalta.com by no later than Monday 11th January. Bookings are on a first come first served basis.

Posted by Donald Tabone

Jan 5

Welcome to the New Year.. it's the dawn of a new year and we're moving fast.

Technology and life in general seem to be moving at a rate faster than I ever recall. Recently I was in London and one of the staple places my son and I visited was the Science Museum in S. Kensington. Whilst walking through the corridors of the 'old' technology section I told him how my first computer was a Memotech 512s2 with Basic, Assembler (Z80) and even a database language called Noddy... of course my speech was cut short with ... "dad, cut it. You're ancient.." --- and yet I REALLY am not THAT old.. so he made me promise NOT to brag on and on about how we used tapes to load stuff up that took an age -- and just observe and not give him the "In my time..." spiel.

New year resolutions apart.. as I normally come up to scratch with the usual technology predictions for the forthcoming year.. I increasingly see "sensational" headlined tweets such as "The era of Mobile Internet is dawning" and "Hackers Brew Self-Destruct Code to Counter Police Forensics.. " all designed to stir something in the reader ... and that one thing often boils down to fear through curiosity.

Inspired by BruceS, I recently read the book "The Science of Fear" by Daniel Gardner. It is an excellent read as the author recounts his personal experiences and slowly progresses to explain and interpret them in an exceptional way -- merging a rather heavy element of psychology with simple explanations of why we act the way we act when faced with decisions and different circumstances. In a nutshell, the way we perform risk management is somewhat always biased and subjective, whose origins are instinctive. So fear (as well as other factors, of course) has a bearing -- a very heavy bearing in the way we do risk management and react to incidents.

The next ISACA talk, entitled "The Cost of Fear" focuses on these same points and attempts to put them into perspective showing us why we often downplay risk. The media, numbers, culture, group thinking, historic events and human nature all contribute to the way we ascertain risk. Sometimes we readily take on risk accepting the consequences -- other times our instinctive nature takes the better of us -- two analogies Daniel Gardner calls "Head" and "Gut".

Quoting from Gardner's book, "Unreasoning fear" as Roosevelt called it, may be bad for those who experience it and society at large, but it's wonderful for shareholders. The opportunities are limitless. All that's required is that fears keep rising, and those who reap the profits know which buttons to push in our Stone Age minds to ensure that happens.

So whilst I plunge in yet more studying for 2 more years as I undertake an LLM, I look forward to what's to come and the next ISACA presentation. Don't forget to keep up to date & follow us on Twitter!

Happy New Year to all..!

Posted by Donald Tabone

Jan 5
The next local ISACA chapter educational event, happening on 12/01/10, is to be entitled "The Cost of Fear".

In a 200 page book about mankind's evolution, the last two hundred years would span a quarter of a page. Our brain's evolution has been outmatched by the technological advances it itself is creating, landing us in an environment which we cannot comprehend. The media fill us with irrational scare stories. Politicians often use fear to push an agenda. Even when we consciously disbelieve their stories, they mark our thoughts and affect our decisions.

Research shows that you're likely to be underestimating your real risks. You're also likely to be spending too much attention on risks which matter little to your business. Justin Vassallo will analyse the findings of scientific research to discover the complex methods by which our brain takes risk judgements, and enable us to unravel them.

Continue reading "Event: Managing Risk - The Cost of Fear"

Posted by Donald Tabone

Dec 29
as per XKCD! Next thing we'll know we'll be in hibernation mode.. that's surely safe!

Posted by Donald Tabone

Dec 14
"A demonstration of the top web security threats"


The next educational event organised by the ISACA MALTA CHAPTER will be held on the 15th of December between 18:00 and 20:00. The topic to be tackled during this event is "A demonstration of the top web security threats" and the speaker during the event will be Sandro Gauci. The event will be held at the Radisson Blu Resort in St. Julians.

The event is eligible for CISA/CISM CPE Hours. ISACA members attend for free.

Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com) where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years experience in the security industry and is focused on analysis of security challenges and providing solutions to such threats. His passion is vulnerability research and has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and can be contacted at sandro@enablesecurity.com. Read his blog at blog.enablesecurity.com.

Book your attendance to this event on www.isaca-malta.org.

Posted by Donald Tabone

Oct 30
It has been quite a few years now that I have been teaching computer forensics on behalf of the UK's NCC. Recently I gave a talk for the local ISACA chapter entitled 'The Realm of Digital Forensics' which went pretty well. Its main aim was to introduce people coming from an auditing background to the subject. This worked well; however, the talk couldn't get technical as I would have lost my audience.

That brings me to the point of the article. From a local perspective, this being a relatively new subject, there is very little knowledge of what the job entails: skills at various levels, both technical and non-technical, not to mention soft skills, which are somehow always assumed to exist. Although we are a small island and specialization in a particular field is not necessarily a good thing for your career, the truth is that from a legal perspective we still need these skills and services --- as communication technologies multiply every six months and more and more information is saved in digital format, the reality is that there WILL be (and is) abuse. The consequence takes the form of embezzlement, harassment, fraud, espionage and a myriad of other cyber-crimes that become more prevalent as companies lose money.

Recently I was lucky enough to win a study bursary to continue studying and obtain a Masters degree in IT & Telecommunications Law with the University of Strathclyde. This, coupled with my technical skills, will give me an excellent insight to the legal aspect of information security. I envisage that local private companies, government and even the legal system will need these skills as cyber-crimes continue to rise.

What we now need is for communities to recognize that for digital evidence to hold in a court of law, not only do chain-of-evidence and chain-of-custodies apply, but there must be adequate funding, awareness and recognition of expertise.

Cyber-crime is a reality. It's time we recognize it and allocate resources on a national scale to ensure awareness and justice in a proper manner. Are we dealing with it in the right way?

Posted by Donald Tabone
