Feb
6

The next educational event organised by the ISACA MALTA CHAPTER will be held on the 23rd of February between 18:00 and 20:00. The topic to be tackled during this event is "The Business Value of Virtualization". The event will be held at the Radisson Blu Resort in St. Julians.
The event is eligible for CISA/CISM CPE Hours. We are awaiting approval for MIA CPE hours.
This event will discuss the value delivery of making effective and efficient use of virtualization to local businesses. Topics to be discussed during the event shall include:
-Virtualization and the value delivery from IT assets
-Cost of ownership and operation
-Achieve more with less IT resources through virtualization
-Improved Business Continuity And Disaster Recovery
-Security & Compliance of virtual workloads
Continue reading "ISACA Event: The Business Value of Virtualization"
Posted by Donald Tabone
Jan
7
Fiber Optic Valley is one of Europe’s leading high-tech communities with a population of around 500,000 in the south eastern region of Sweden. This is a cluster of ICT companies and educational institutes developing cutting edge applications using fiber optic technologies and telecommunications. Fiber Optic Valley has a vision that by 2015 it will become the fiber optic centre of Europe. The Valley is being transformed to make Sweden into the world leader in the development of products and services based on fiber optics.
Cluster Manager at Fiber Optic Valley, Jeanette Waax will be giving a presentation answering the following questions:
Why does this community need a vision, what technologies are involved?
Why do companies such as Ericsson get involved in such ventures?
How do ICT companies collaborate with educational institutions to develop new applications?
Where: STC Training
When: Thursday 14th January
Time: 18.00
These are some of the topics that will be dealt with during this presentation, which will also highlight some cutting edge applications developed at the Valley.
This is an event which is not to be missed! Please confirm your attendance by sending an email to info@stcmalta.com by no later than Monday 11th January. Bookings are on a first come first served basis.
STC Training
Posted by Donald Tabone
Jan
5

Welcome to the New Year. It's the dawn of a new year and we're moving fast.
Technology and life in general seem to be moving at a rate faster than I ever recall. Recently I was in London and one of the staple places my son and I visited was the Science Museum in S. Kensington. Whilst walking through the corridors of the 'old' technology section I told him how my first computer was a Memotech 512s2 with Basic, Assembler (Z80) and even a database language called Noddy... of course my speech was cut short with "dad, cut it. You're ancient.." --- and yet I REALLY am not THAT old.. so he made me promise NOT to brag on and on about how we used tapes to load stuff up that took an age, and just observe and not give him the "In my time..." spiel.
New year resolutions apart, as I catch up with the usual technology predictions for the forthcoming year, I increasingly see "sensational" headlined tweets such as "The era of Mobile Internet is dawning" and "Hackers Brew Self-Destruct Code to Counter Police Forensics..", all designed to stir something in the reader... and that one thing often boils down to fear through curiosity.
Inspired by BruceS, I recently read the book "The Science of Fear" by Daniel Gardner. It is an excellent read as the author recounts his personal experiences and slowly progresses to explain and interpret them in an exceptional way, merging a rather heavy element of psychology with simple explanations of why we act the way we act when faced with decisions and different circumstances. In a nutshell, the way we perform risk management is almost always biased and subjective, with origins that are instinctive. So fear (as well as other factors, of course) has a bearing, a very heavy bearing, on the way we do risk management and react to incidents.
The next ISACA talk, entitled "The Cost of Fear", focuses on these same points and attempts to put them into perspective, showing us why we often downplay risk. The media, numbers, culture, group thinking, historic events and human nature all contribute to the way we ascertain risk. Sometimes we readily take on risk, accepting the consequences; other times our instinctive nature gets the better of us: the two modes of thinking Daniel Gardner calls "Head" and "Gut".
Quoting from Gardner's book: "Unreasoning fear", as Roosevelt called it, may be bad for those who experience it and society at large, but it's wonderful for shareholders. The opportunities are limitless. All that's required is that fears keep rising, and those who reap the profits know which buttons to push in our Stone Age minds to ensure that happens.
So whilst I plunge in yet more studying for 2 more years as I undertake an LLM, I look forward to what's to come and the next ISACA presentation. Don't forget to keep up to date & follow us on Twitter!
Happy New Year to all..!
Posted by Donald Tabone
Jan
5

The next local ISACA chapter educational event, happening on 12/01/10, is entitled "The Cost of Fear".
In a 200-page book about mankind's evolution, the last two hundred years would span a quarter of a page. Our brain's evolution has been outmatched by the technological advances it itself is creating, landing us in an environment which we cannot comprehend. The media fill us with irrational scare stories. Politicians often use fear to push an agenda. Even when we consciously disbelieve their stories, they mark our thoughts and affect our decisions.
Research shows that you're likely to be underestimating your real risks. You're also likely to be spending too much attention on risks which matter little to your business. Justin Vassallo will analyse the findings of scientific research to discover the complex methods by which our brain takes risk judgements, and enable us to unravel them.
Continue reading "Event: Managing Risk - The Cost of Fear"
Posted by Donald Tabone
Dec
29

As per XKCD! Next thing we know, we'll be in hibernation mode.. that's surely safe!
Posted by Donald Tabone
Dec
14
"A demonstration of the top web security threats"
The next educational event organised by the ISACA MALTA CHAPTER will be held on the 15th of December between 18:00 and 20:00. The topic to be tackled during this event is "A demonstration of the top web security threats" and the speaker during the event will be Sandro Gauci. The event will be held at the Radisson Blu Resort in St. Julians.
The event is eligible for CISA/CISM CPE Hours. ISACA members attend for free.
Sandro Gauci is the owner and founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years of experience in the security industry and is focused on the analysis of security challenges and on providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org) and can be contacted at sandro@enablesecurity.com. Read his blog at blog.enablesecurity.com.
Book your attendance to this event on www.isaca-malta.org.
Posted by Donald Tabone
Oct
30

It has been quite a few years now that I have been teaching computer forensics on behalf of the UK's NCC. Recently I gave a talk for the local ISACA chapter entitled 'The Realm of Digital Forensics', which went pretty well. Its main aim was to introduce people coming from an auditing background to the subject. This worked well; however, the talk couldn't get technical as I would have lost my audience.
That brings me to the point of the article. From a local perspective, the subject being relatively new, there is very little knowledge of what the job entails: skills at various levels, both technical and non-technical, not to mention soft skills, which are somehow always assumed to exist. Although we are a small island and specialisation in a particular field is not necessarily a good thing for your career, the truth is that from a legal perspective we still need these skills and services. As communication technologies multiply every six months and more and more information is saved in digital format, the reality is that there WILL be (and is) abuse. The consequence takes the form of embezzlement, harassment, fraud, espionage and a myriad of other cyber-crimes that become more prevalent as companies lose money.
Recently I was lucky enough to win a study bursary to continue studying and obtain a Masters degree in IT & Telecommunications Law with the University of Strathclyde. This, coupled with my technical skills, will give me an excellent insight into the legal aspect of information security. I envisage that local private companies, government and even the legal system will need these skills as cyber-crimes continue to rise.
What we now need is for communities to recognize that for digital evidence to hold in a court of law, not only do chain of evidence and chain of custody apply, but there must be adequate funding, awareness and recognition of expertise.
Cyber-crime is a reality. It's time we recognize it and allocate resources on a national scale to ensure awareness and justice in a proper manner. Are we dealing with it in the right way?
Posted by Donald Tabone
Sep
15
While it's been a while since I last posted an article on maltainfosec.org, I must admit I've recently been in over my head with my studies. The good thing is that my degree is over and plans are in place to start a post-grad in law (LLM). Moreover, I was invited to give a presentation next October on Network Information Systems (NIS) and CERT from a local private perspective. More details of this to come later on.
Meanwhile, we are slowly making the transition to micro-blogging, sharing relevant infosec information through Twitter.
Going back to the original title of the article: as you might imagine, different people have different perceptions of information security, which in turn exposes different attitudes towards the subject, most of which are lax, unfortunately. Whilst large companies that invest in security do so because of compliance (primarily), their internal security departments use it as leverage to enforce controls. However, the expense is never seen as an investment or insurance; rather it's a thorn that they have to deal with and put up with, and this is common even for smaller companies of around 50 people. On the local scene this stands to be very true and it's a pity, as security often gets overlooked or, worse, sidetracked, and we learn through failures to protect information, exposures and mistakes: what I would call the 'hard way'.
Not only does this apply to the local scene, but also to large kick-ass innovative companies like Apple. To be fair, they have been responding a little faster over the past few months, especially with the release of Snow Leopard 10.6.1.. then again they are also known to work on patches when there is enough demand. What comes to mind is an old Java flaw that took months to be patched by Apple.
The bottom line is that companies fix stuff because they stand to lose money, and the driver for any business (as we all know) IS money. So if it's in the interest of the company, the security attitude is immediately escalated and given priority. Other than that, given the times we live in, where budgets and time are always tight, the less security pros interfere with life cycles, the better.
... In the interest of whoever has this sort of attitude, let's hope that it doesn't bite them back in the ass
".. Security is not about being killed by an alligator..Usually, it is about being eaten to death by a thousand chickens..."
Posted by Donald Tabone
Jul
16
ICT Solutions will be holding a seminar on the subject of securing electronic information assets:
Date: Wednesday the 22nd of July
Place: Westin Dragonara, in the morning
The seminar is free of charge, and is targeted at IT professionals, enterprise risk executives, data managers and IT security personnel. The presentations will be delivered by industry professionals representing three leading suppliers. HP will be delivering an interesting session on planning requirements for implementing an effective information security strategy. The second topic to be tackled is the management of privileged identities and the management of enterprise-wide passwords; this presentation will be delivered by Cyber-Ark, leaders in the field. Finally, Agiliance will tackle the topic of automating IT governance, risk and compliance. After the sessions there will be a networking brunch.
Kindly send an e-mail to info@ictsolutions.com.mt to register your intent*
Regards,
Gordon Micallef
President
ISACA MALTA CHAPTER
* This is a free ISACA membership service provided by ISACA MALTA CHAPTER and the Chapter is not responsible in any way for the organisation of this event and has no affiliations with the organisations mentioned above.
Posted by Donald Tabone
Jul
10
53% of IT managers are largely unaware of employee access rights to systems!
This causes a proliferation of zombie accounts – accounts that remain active after employees have left the company.
However, these same administrators say they have a high level of confidence that zombie accounts cannot trigger a malicious attack or perpetrate a data leak, despite high-profile evidence to the contrary. This is according to a global survey of 236 business managers from large enterprises.
Continue reading "Zombie Accounts Jeopardise Security"
Posted by Donald Tabone
Jun
23
According to the human resources association World at Work, 17.2 million Americans worked from home or remotely at least one day per month for their employer last year and the 2007 book 'Microtrends' estimates that 4.2 million Americans work full-time from home.
Good security is a key to good productivity...
Continue reading "Seven Deadly Sins of Home Office Security"
Posted by Donald Tabone
Jun
18
Echoing an article I wrote for www.ecsuite.com
To what extent are you prepared to protect your investment from the myriad of vulnerabilities today’s businesses have to deal with? Understanding how the security puzzle is structured is the first step to knowing how to apply a holistic approach. Given that the implementation of this approach does take time, not addressing any one part is guaranteed to have a negative effect on the overall running of your business.

Deciding where and how to start implementing security measures in your company can be a daunting task. Whether you're just starting up a new business or already have a number of security controls in place, complying with standards doesn't necessarily mean you've got your assets covered. This puts your company in a critical position to work toward protecting your investments. Ad hoc implementations of security controls will spiral out of control, often leaving you in a more vulnerable position than when you started off. Thinking of what a business might stand to lose has never been more important in this day and age.
Continue reading "Holistic Enterprise Security"
Posted by Donald Tabone
May
26
Statistics have often shown that many breaches of a business happen from the inside, most notably because employees already have access to systems and enjoy a certain level of trust.
Reading a recent article by Ron Codon, UK Bureau Chief, it becomes apparent that according to Matthjis van der Wel, head of forensics at Verizon Business, 80% of 600 breaches which happened over the last five years came from outside an organisation! This can be found in the following report published by Van der Wel in April.
The report goes on to emphasise that "organisations are making stupid (information security) mistakes as in failing to patch vulnerabilities, using default passwords and forgetting to close down user accounts when employees leave an organisation. The end result is data loss."
Quoted from the original article, some simple rules for reducing damage are the following:
- Do not use default passwords.
- Ensure that third-party suppliers (such as maintenance companies) do not use default passwords or shared credentials for all their clients.
- Do regular network scans to check what servers you have. If you don't know what you have, you can't protect it.
- Patch regularly, using an up-to-date network diagram to ensure all systems are covered.
- Ensure user accounts are closed when employees leave. "In the majority of the cases we've seen, a terminated employee was involved," says van der Wel. "Go through the user accounts list and check that all users are still employed within your organisation."
- Examine system file logs to establish what is normal behaviour on the system. Then you will be in a better position to recognise abnormal behaviour.
- Get IT staff to come up with different attack scenarios.
- Analyse IDS alerts, or outsource the process to a specialist service company. Do not just ignore the alerts like an annoying car alarm that keeps going off.
- Analyse IP addresses of outgoing connections.
Van der Wel's advice is to use your own staff to spot the systems' weaknesses. "Sit down with a couple of knowledgeable IT guys and come up with different attack scenarios. Ask how they would attack their own organisation. Imagine how that would show up in the log files. After that, go and look in the log files to see if anyone has done it. If you can think of it, so could others. We don't see many IT organisations spending their money doing things like that. They would rather spend the money on a new box." -- very well said!
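Two items in the list above, "ensure user accounts are closed when employees leave" and van der Wel's "go through the user accounts list and check that all users are still employed", are the same check as the zombie-accounts survey further up this page. The script below is an added example, not code from the original post or from the Verizon report: it reconciles a system's account export against the HR roster and also flags accounts that have gone quiet. The account export, the roster, the list of service accounts and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
"""Added example (not from the original post or the Verizon report): reconcile
the accounts present on a system against the HR roster of current employees,
so that accounts whose owners have left, or that nobody uses, show up.
The account list, roster, service-account list and 90-day dormancy threshold
are all constructed assumptions for illustration."""
from datetime import date, timedelta

# Constructed sample account export: name:uid:last_login(YYYY-MM-DD or never):owner
ACCOUNTS = """\
jsmith:1001:2009-05-20:J. Smith
asadler:1002:2008-11-03:A. Sadler
backup_svc:1003:never:
mvella:1004:2009-05-25:M. Vella
contractor3:1005:2009-01-15:
"""

# Constructed HR roster: usernames of people currently employed.
HR_ROSTER = {"jsmith", "mvella"}

# Accounts documented as non-human service accounts (assumed list); these are
# exempt from the "is there a current employee behind it" check.
KNOWN_SERVICE = {"backup_svc"}


def parse_accounts(text):
    """Parse the colon-separated export into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, uid, last_login, owner = line.split(":", 3)
        rows.append({"name": name, "uid": int(uid),
                     "last_login": last_login, "owner": owner})
    return rows


def classify(accounts, roster, service, today, dormant_days=90):
    """Return {account_name: [reasons]} for every account that needs review."""
    findings = {}
    for acct in accounts:
        reasons = []
        name = acct["name"]
        # An account nobody on the payroll owns is exactly the "zombie" case.
        if name not in roster and name not in service:
            reasons.append("no current employee owns this account")
        if acct["last_login"] == "never":
            if name not in service:
                reasons.append("never logged in")
        else:
            idle = today - date.fromisoformat(acct["last_login"])
            if idle > timedelta(days=dormant_days):
                reasons.append(f"dormant for {idle.days} days")
        if reasons:
            findings[name] = reasons
    return findings


def find_zombies(today_iso="2009-05-26"):
    """Run the reconciliation over the constructed data as of a given day."""
    return classify(parse_accounts(ACCOUNTS), HR_ROSTER, KNOWN_SERVICE,
                    date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, reasons in find_zombies().items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample data the two accounts with no current owner (asadler, contractor3) are reported, each also flagged as dormant, while the documented service account is left alone. The point of keeping a separate, documented service-account list is that without it every such account would be reported and the report would be ignored like the car alarm in the list above.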
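The last two items in the list, establishing what normal behaviour looks like in the logs and analysing the IP addresses of outgoing connections, go together. The following is an added example (not the post's or the report's own code) of the simplest form of that: build a baseline of which destinations each host talks to from one window of outbound-connection log lines, then report anything in a later window that the baseline has never seen, noting whether it leaves the internal network and whether the host had ever spoken to the outside before. The log format, host names and addresses are constructed sample data.

```python
"""Added example (not part of the original post): baseline each host's normal
outbound destinations from one window of log lines, then flag connections in
a later window that the baseline never saw. Log format, hosts and addresses
are constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed outbound-connection log, e.g. exported from a firewall.
# Assumed format: timestamp src_host dst_ip dst_port
BASELINE_LOG = """\
2009-05-18T09:00:00 web1 10.0.0.5 3306
2009-05-18T09:05:00 web1 10.0.0.7 53
2009-05-19T11:00:00 web1 10.0.0.5 3306
2009-05-19T12:00:00 db1 10.0.0.9 123
2009-05-20T08:00:00 fileserver 10.0.0.7 53
2009-05-21T08:00:00 web1 198.51.100.20 443
"""

# Constructed later window to review against that baseline.
REVIEW_LOG = """\
2009-05-26T02:13:00 web1 10.0.0.5 3306
2009-05-26T02:14:00 db1 203.0.113.45 6667
2009-05-26T02:15:00 fileserver 10.0.0.7 53
2009-05-26T02:16:00 fileserver 203.0.113.45 443
2009-05-26T02:17:00 web1 198.51.100.20 443
2009-05-26T02:18:00 web1 203.0.113.45 8080
"""

# Address ranges treated as "inside" (RFC 1918; adjust to the real network).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(text):
    """Yield (timestamp, host, dst_ip, dst_port) per non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, host, dst, port = line.split()
            yield ts, host, dst, int(port)


def build_baseline(text):
    """Map each host to the set of (dst_ip, dst_port) pairs it normally uses."""
    seen = defaultdict(set)
    for _, host, dst, port in parse(text):
        seen[host].add((dst, port))
    return seen


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_anomalies(baseline, text):
    """Return every connection in text whose (dst, port) the host never used."""
    out = []
    for ts, host, dst, port in parse(text):
        known = baseline.get(host, set())
        if (dst, port) in known:
            continue
        external = not is_internal(dst)
        # A host that has never talked to the outside suddenly doing so is
        # the strongest signal here (e.g. db1 on an IRC port at 02:14).
        first_external = external and all(is_internal(d) for d, _ in known)
        out.append({"ts": ts, "host": host, "dst": dst, "port": port,
                    "external": external, "first_external": first_external})
    return out


def review():
    return find_anomalies(build_baseline(BASELINE_LOG), REVIEW_LOG)


if __name__ == "__main__":
    for a in review():
        tag = "FIRST-EXTERNAL" if a["first_external"] else ("external" if a["external"] else "internal")
        print(f"{a['ts']} {a['host']} -> {a['dst']}:{a['port']} [{tag}]")
```

Three of the six review lines are new relative to the baseline: the database server and the file server each contacting an outside address for the first time, and the web server contacting a new outside address on a port it never used. The first two are the ones worth waking someone up for; the baseline is only as good as the window it was built from, so a host already compromised during that window will have its traffic treated as normal.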
Full article
Posted by Donald Tabone
May
26
During the 2008 cycles of ISACA exams, the CISA Refresher Webinars created a positive impact on numerous exam-takers and in many cases made a world of difference for those who passed the exam. Thanks to all ISACA Chapters and other friends, exam-takers from all over the world have registered for these free classes and benefited from the teachings offered.
The FREE refresher webinars are on offer again, and the offering has been expanded to cover the June 2009 CISA, CISM and CGEIT exams. These webinars are designed to review the concepts to be tested in each exam and are not intended to replace or provide the knowledge you would learn in a complete review class. This is a free service to all exam-takers in the interest of increasing the passing rate.
Please find below the links to register for the CISA, CISM and CGEIT web-based seminars:
CISA May 26 at 3PM EST: https://www2.gotomeeting.com/register/830376282
CISA June 1 at 9AM EST: https://www2.gotomeeting.com/register/119400850
CISM: https://www2.gotomeeting.com/register/789736306
CGEIT: https://www2.gotomeeting.com/register/566801275
Source
Posted by Donald Tabone
May
15
In 2008, ISACA entered into a formal agreement with the University of Southern California (USA) Marshall School of Business Institute for Critical Information Infrastructure Protection to continue the development of its Systemic Security Management Model. The Business Model for Information Security takes a business oriented approach to managing information security, building on the foundational concepts developed by the Institute. It utilizes systems thinking to clarify complex relationships within the enterprise, and thus to more effectively manage security.
This session introduces the model and its core concepts to organisations, particularly to:
-Senior business executives;
-Information security managers;
-Those who have responsibility for managing business risk;
-Individuals who have responsibility for the design, implementation, monitoring and improvement of an information security management system.
When: 1st June 2009
Where: Radisson SAS Baypoint Resort, St. Julians
Time: 17:00 - 19:00
Speaker: Mr. Derek Oliver, Chair of the Development Team
The attendance fee for this event is €20 including coffee break. ISACA members will be entitled to free entrance to this event.
Posted by Donald Tabone
May
13
Back in October 2007, I remember seeing an article about a next-generation credit card that incorporates a 12-button keyboard, a microprocessor and an embedded alphanumeric display, and promises to provide unprecedented security in phone and online banking transactions.
Today on BBC News I came across another article along the same lines, about a similar credit card intended to combat fraud.
A credit card with a built-in display is being tested by Visa with the aim of reducing online fraud. The Emue Card generates and displays a unique code each time it is used. Developers say that the new technology would make it very hard for fraudsters, as any transaction would require the PIN to generate the code. The card is currently being trialled by 500 employees of Deloitte with the aim of assessing the technology by the end of the year.
Sandra Alzetta, head of innovation at Visa, said that the card was bringing the principles of chip and pin technology to the online world.
"The card needs to be globally compatible: that means embossed characters for mechanical swipes, a magnetic strip for systems that require a signature, the fixed three digit security code and now the unique four figure code. "
"Once certified by Visa it is then down to the banks and credit card companies to decide if they take up the new technology, but Ms Alzetta said she was confident they would"
"One of the things we're testing is how long the battery lasts - the plan is for it to work for more than three years, which means your card should expire before it runs out of power."
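The article describes what the card does (a fresh four-figure code per use, only after the PIN) but not how the code is derived or how the issuer checks it. The model below is an added example and not Visa's, Emue's or the page's own design: it uses a counter-based HMAC one-time code (the HOTP construction from RFC 4226, cut to four digits) as an assumed illustration of how such a card and its issuer could agree on a code, why a replayed code is refused, and why the issuer needs a look-ahead window for codes the customer generated but never submitted. The key, PIN and lockout limit are constructed test values.

```python
"""Added example, not from the page, Visa or Emue: a model of a display card
that shows a fresh four-digit code only after the correct PIN, and of the
issuer-side check. The page does not say which algorithm the Emue card uses;
a counter-based HMAC scheme (HOTP, RFC 4226, shortened to 4 digits) is
assumed here for illustration. Key and PIN are constructed test values."""
import hashlib
import hmac


def truncate(mac, digits=4):
    """RFC 4226 dynamic truncation, reduced to the card's four figures."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def hotp(key, counter, digits=4):
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return truncate(mac, digits)


class Card:
    """The card: secret key, per-card counter, PIN gate with lockout."""

    def __init__(self, key, pin, max_tries=3):
        self._key, self._pin, self._max_tries = key, pin, max_tries
        self.counter, self.failed, self.locked = 0, 0, False

    def next_code(self, pin):
        if self.locked:
            return None
        if not hmac.compare_digest(pin, self._pin):
            self.failed += 1
            if self.failed >= self._max_tries:
                self.locked = True           # too many wrong PINs: card is dead
            return None
        self.failed = 0
        self.counter += 1                    # every displayed code burns a counter value
        return hotp(self._key, self.counter)


class Issuer:
    """The issuer: same key, tracks the highest counter it has accepted."""

    def __init__(self, key, look_ahead=5):
        self._key, self.last_counter, self.look_ahead = key, 0, look_ahead

    def verify(self, code):
        # Try the next look_ahead counter values so codes the customer
        # generated but never sent do not desynchronise the card.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self._key, c), code):
                self.last_counter = c        # c and everything below can never be reused
                return True
        return False


def demo():
    """Walk through accept, replay, skipped code, wrong PIN and lockout."""
    key = b"constructed-card-secret-0001"   # constructed; real keys are random and per card
    card, issuer = Card(key, "1234"), Issuer(key)
    results = []
    c1 = card.next_code("1234")
    results.append(issuer.verify(c1))                 # fresh code: accepted
    results.append(issuer.verify(c1))                 # same code again: replay, refused
    card.next_code("1234")                             # a code the customer never submitted
    c3 = card.next_code("1234")
    results.append(issuer.verify(c3))                 # counter moved by two, inside look-ahead
    results.append(card.next_code("0000") is None)    # wrong PIN: nothing displayed
    card.next_code("0000"); card.next_code("0000")    # third wrong PIN locks the card
    results.append(card.next_code("1234") is None)    # right PIN now yields nothing
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties the quoted article only hints at fall out of this structure: a stolen card number plus the static three-digit code is useless without both the card's key and the PIN, and a code seen once (by malware on the PC, say) cannot be submitted a second time because the issuer's counter has moved past it. A four-digit code does mean an attacker guessing blindly has roughly a 1-in-10,000 chance per attempt, multiplied by the look-ahead window, so the issuer must also rate-limit failed verifications.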
Source
Posted by Donald Tabone
May
11
The European Commission is proposing that software makers give guarantees about the security and efficiency of their code
Software companies could be held responsible for the security and efficacy of their products, if a new European Commission consumer protection proposal becomes law.
[BSA director of public policy Francisco Mingorance] said the performance of a piece of software depends on the environment it operates in, how the code is updated, whether it is possible to adapt and modify the software, and whether the code is attacked.
According to Mingorance, the proposed regulatory extension would cover all software, including beta products, and would cover both proprietary and open-source software.
Right now, under the current EU Sales and Guarantees Directive, physical products are expected to carry a guarantee of two years. Extending those terms to software would have the effect of limiting customer choice, as contract terms would have to be extended to a minimum of two years, Mingorance added.
Software companies have long argued against accepting responsibility for the security and efficiency of their code. Linux kernel developer Alan Cox in 2007 told a House of Lords Committee that neither proprietary nor open-source developers should be held accountable for their code.
Source
Posted by Donald Tabone