Aug 2
In 2004 Government launched the Electronic Identity (e-ID) as part of its programme to create a strong eGovernment infrastructure based on sound identity management. Government drives the initiative in collaboration with the private sector by championing a strong and secure authentication mechanism that can evolve from the key to eGovernment to the trust behind eCommerce. (1)

Malta's eGovernment services portal relies on the e-ID (the single most trusted authentication mechanism) to provide a one-stop-shop for all eGovernment services. The portal allows the management of the user’s e-ID profile which contains personal details as well as functions for assignment and delegation. Citizens may “delegate” their eServices to other citizens (who have an e-ID) or to registered organisations. Through www.mygov.mt, the e-ID may also be used by organisations (e.g. businesses and administrations) which may “assign” the management of the eServices to an “Organisation Manager” who has an e-ID.(2)

Over the coming 6 months, the government's e-ID system will be implementing a new password policy which will help increase the security of the system for the benefit of its users.

The effect of this new policy is that you will have to reset your password every 90 days.

The e-ID system requires you to provide a strong password that meets the following criteria.
- The password must not contain your full e-ID number, first or last name
- The password must be at least 8 characters in length
- The password must contain English uppercase characters (A through Z)
- The password must contain English lowercase characters (a through z)
- The password must contain base 10 digits (0 through 9)
- The password must not be the same as any of your previous passwords
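As an added illustration (not code from the e-ID system or from maltainfosec.org), here is a Python checker that enforces the six criteria above plus the 90-day reset rule. The e-ID number, names and passwords it tests are constructed; the case-insensitive match on personal data and the salted-hash history check are this example's own choices, not details the policy states.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Assumption of this example: previous passwords are kept only as salted
# PBKDF2 hashes, so the history check never stores or compares plaintext.
_SALT_LEN = 16


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def hash_password(password):
    """Return salt + PBKDF2 digest for storing in the user's password history."""
    salt = os.urandom(_SALT_LEN)
    return salt + _derive(password, salt)


def matches_stored(stored, password):
    """Constant-time comparison of a candidate password against a stored hash."""
    salt, digest = stored[:_SALT_LEN], stored[_SALT_LEN:]
    return hmac.compare_digest(digest, _derive(password, salt))


def check_password(password, eid_number, first_name, last_name, previous_hashes=()):
    """Return the list of policy criteria the password violates (empty = acceptable).

    The personal-data check is case-insensitive here; the policy text does not
    say whether case matters, so that is this example's stricter reading.
    """
    problems = []
    lowered = password.lower()
    for label, value in (("full e-ID number", eid_number),
                         ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter (A-Z)")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter (a-z)")
    if not re.search(r"[0-9]", password):
        problems.append("no digit (0-9)")
    if any(matches_stored(h, password) for h in previous_hashes):
        problems.append("same as a previous password")
    return problems


def password_expired(set_on, today, max_age_days=90):
    """True once the password is max_age_days old (dates as ISO strings, e.g. '2010-08-02')."""
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    return age >= timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample profile; not a real e-ID holder.
    eid, first, last = "1234567M", "Maria", "Borg"
    history = [hash_password("Winter2009")]
    for candidate in ("Summer2010", "maria2010", "Winter2009", "Borg1"):
        print(candidate, check_password(candidate, eid, first, last, history) or "OK")
    print("expired after 90 days:", password_expired("2010-08-02", "2010-10-31"))
```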

Here at maltainfosec.org we thought of providing four easy steps to achieve the above:

1. Read-up on how to choose a secure password
2. Avoid common password pitfalls
3. Access a random password generator and pick a password that's secure and easy to remember
4. Finally, cross-check how secure the password you chose actually is


Read on for some more suggestions on how to choose a secure password..

Continue reading "Malta Electronic Identity Password Information"

Posted by Donald Tabone

Aug 1
Competitions

A few updates on what's happening on maltainfosec.org

We realised that we tend to retweet a lot of tweets from HelpNetSecurity due to the obvious relevance of their articles --- as such instead of RT their posts, we added a new column to the right of our webpage linking to the RSS article feed of HelpNetSecurity. 'Caps off' to the guys at HelpNetSecurity!

We have new competition rules in the pipeline --- we'll be releasing a short article on this shortly --- thanks to our Sponsors!

Meanwhile, a short note to promote an excellent magazine which has released its fourth issue just today.
Digital Forensics Magazine, one of the fastest growing resources available for IT security specialists, launches its fourth edition. With a global coverage, the print and online magazine is fast establishing itself as the must-have magazine for practitioners and students of digital forensics.

As a subscriber since issue 1 and a DF tutor on behalf of NCC, another 'caps off' and kudos to this excellent magazine, which focuses on very relevant topics, hitting the nail on the head by striking the right balance between the legal aspects of Information Security and Forensics and technical review content. If you haven't subscribed yet, we recommend you visit their website and sign up: http://www.digitalforensicsmagazine.com/

Issue 4, released online on August 1st 2010, takes a look at how effective traditional digital forensic techniques are at obtaining forensically sound data in scenarios where computer misuse has been used in attempts to frame the innocent. The DFM team also investigates and details the state of digital forensics in law enforcement around the world, identifying which countries are doing well and which have much to do, highlighting the disparity in skills and qualifications between each. In a world that is getting ever more interconnected and one in which international online crime is on the increase, the industry should look to establish and apply minimum standards.


The rest of the article gives some more information and article tasters from Issue 4...

Continue reading "Site news"

Posted by Donald Tabone

Jul 24
An article on security principles, security standards and the CIA triad by Brad C. Johnson, echoed from the ISSA Journal.

Information security programs are built on the building blocks of information security basics. This article will describe these basics and give tangible examples of the types of topics and decisions you must grapple with to build such a program.

Abstract

IT information security programs are built on the building blocks of information security basics. The mortar for these blocks are the basic principles of security: confidentiality, integrity, and availability. The blocks that form the foundation are a variety of fundamental security topics such as risk assessments, security policies, asset management, physical security, operational management, and incident management to name a few. Understanding the concepts that define the basics of information security is critical to building a robust security program. This article will describe these basics and give tangible examples of the types of topics and decisions you must grapple with to build such a program.

The basics

Information security means the protection of both information and information systems. We want to protect these things to ensure that access to them is controlled. We want to make sure that only authorized people and processes can access them and only at appropriate times. We want to make sure that the information is only disclosed in ways that we control, that access to it is not disrupted, and that data is only changed – created, modified, or removed – under the conditions we define.

Information, as we all know, is stored in a variety of ways: on paper, in voicemail systems, in people’s minds, and on a variety of electronic technologies. Information systems can take the form of a group of people (e.g., the Information Security Group), a collection of policies, or a collection of electronic devices (routers, firewalls, security software). All in all, information security is an expansive topic that affects virtually everyone within an enterprise.

The word basic also needs to be put in the appropriate context. Some people assume that it means something trivial or achieved quickly or without a lot of effort. In fact, it is the exact opposite. It is about fundamentals: actions that are rehearsed, acted on, refined, and monitored on a regular basis. In the sport of football, blocking and tackling are considered basic skills that are necessary to succeed at any level. No matter what kinds of offense or defensive schemes are used, they can only be successfully executed with sound blocking and tackling techniques. These techniques are rehearsed continuously throughout the season. These techniques are uniquely coached to fit the special needs of the plays you are trying to run. Information security basics are the same thing. They are practiced continuously.

As we all know, security is not an end-game but an ongoing process: a way of thinking. The more ingrained that security is within the corporate culture, the more likely it is you can succeed at meeting the needs of your business. Security is an iterative process with the goal of continually improving each of your policies, procedures, or controls.

Whether you know it or not, the roots for information security within an IT organization are built on the well-known CIA triad for security policy development [1]. Briefly put, the CIA Triad is a security model built around three critical areas: integrity, confidentiality, and availability. Those concepts are handled within the confines of your hardware, software, and communications information systems. Those information systems and critical areas are therein executed by people, products, and procedures.

Continue reading "Information Security Basics"

Posted by Donald Tabone

Jul 14
GFI

The company’s VIPRE technology will allow GFI to offer its own established antivirus product

GFI Software, a market leading provider of software infrastructure products for small and medium-sized enterprises, announced today that it has acquired Sunbelt Software and specifically its VIPRE® product suite. Terms of the transaction were not disclosed. The acquisition will allow GFI to merge VIPRE technology into GFI’s email security and web security solutions group, and will provide GFI with new security products consisting of world-class and innovative technology. The assets of Sunbelt's software distribution business, started over 16 years ago and separate from the technology side of the company (focused on selling DoubleTake high-availability software), will be divested into a separate entity and the company is exploring other strategic partnerships.

Catch the full article here

Posted by Donald Tabone

May 17
Conference Reminder: 21st May 2010.
If you have not yet registered and plan to attend, make sure you log on to http://www.itgovernancemalta.com/index.php/book-here to reserve a seat.

Educational Event

Tuesday 25th May 2010 from 17:15 to 19:15 at the Radisson Blu Resort, St. Julians

Book Here

The concept of continuous auditing has been around for many years. It has been talked about, researched and theorised. Many organisations have made significant investments of time and money, yet for most organisations it is nothing more than an unrealised dream. As a matter of fact, one organisation's version of continuous auditing may differ dramatically from another organisation's implementation. This event will look at the reasons for this. It will look at how organisations and auditors can bridge the gap and turn the concept into reality.

The educational event will also provide an understanding of the concepts and strategies required for continuous auditing. During this session you will discover the benefits to be gained from continuous auditing and the practicalities of implementing it in your own organisation.

Speaker Profile

Derek J. Oliver is an Information Audit & Security specialist with over 27 years' experience and is qualified as a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM), a Fellow of the British Computer Society (FBCS) and a BCS Chartered IT Professional (CITP). His background in the IT Infrastructure Library (ITIL) is represented by Fellowship of the Institute of IT Service Management (FISM) and he has been recognized as a Member of the Institute of Information Security Professionals (MInstISP). In 1996, he was admitted a Freeman of the City of London and he is a CHIP registered Health Informatics Practitioner at Level 3 (highest).

Following a Master of Science (MSc) degree in Information Technology, awarded for his work on disaster recovery and business continuity planning, he received a Doctorate (PhD) for research into the various elements of executive policies contributing to information security management. He has since been awarded an Honorary DBA by Belford University in recognition of his work in the development of the CISM designation. He is internationally regarded as an expert in Information Security Governance, especially using CobiT, ITIL and ISO27001 and is a regular presenter at many international conferences and training courses on a variety of security, fraud and audit topics.

ISACA MALTA CHAPTER members attend this educational event for free.

Reduced fee: €15*
Others: €20

*Members of the Malta Institute of Accountants, Malta Institute of Management, IEEE, and British Computer Society are eligible for the reduced fee.

Posted by Donald Tabone

Apr 12
SANS has an excellent website with a collection of Security Awareness Tips coming from various contributors. Amongst them are nifty ways to ensure you do not fall victim to identity theft or worse. I've collected some of them below:

- Always lock your computer (by pressing CTRL + ALT + DELETE and hitting "Enter") before walking away from it. Find the section that explains how to create a simple desktop shortcut to lock your PC.
- Use variations on a strong "core" password
- Don't Investigate a Security Problem Unless You Are Authorized by the System Owner
- Protect Yourself from Identity Theft
- Check for encryption or secure sites when providing confidential information online
- Patch and update on a regular basis
- Don't Trust Links Sent in Email Messages.. Phishing with a 'Ph'
- Don't click on links in pop-ups or banner advertisements
- "Can you hear me now?" Do NOT trust your cell phone Bluetooth earpiece - think it's unlikely.. see the below YouTube video..

Take a moment to browse through the SANS site when you next get a chance..!

Continue reading "Watching your online customs.."

Posted by Donald Tabone

Feb 15
One of the most common questions that I get asked is "What does it take to be a security professional?" The answer is often not easily found especially since companies tend to look beyond certifications and degrees. Of course if you couple experience with academic qualifications you actually have the best of both worlds.. but what does it really take to be a respected information security professional? The following is an extract from an article I came across. It attempts to address some aspects that go beyond skill sets.. in fact I might dare call them soft skills..

To be considered a respected Information Security Professional nowadays requires more than just knowing the bits or bytes, or the controls required by a given framework by heart. Being successful in your Information Security career requires you to have a deep understanding of the business needs (and how to enable, not disrupt them), sharp communication skills and a swift ability to sell yourself.


1. Learn to communicate effectively
2. Learn to say 'maybe' rather than 'no'
3. Social networking sites are not just extensions of instant messengers
4. Monitor security industry budgets and salary trends
5. Don’t be limited to just reading
6. Blogging is serious business
7. Don’t be afraid of starting a business


Read the full article here.

Once you've honed these skills, check out the 10 coolest Information Security Careers..

Source: My Information Security Job

Posted by Donald Tabone

Jan 7


Fiber Optic Valley is one of Europe’s leading high-tech communities with a population of around 500,000 in the south eastern region of Sweden. This is a cluster of ICT companies and educational institutes developing cutting edge applications using fiber optic technologies and telecommunications. Fiber Optic Valley has a vision that by 2015 it will become the fiber optic centre of Europe. The Valley is being transformed to make Sweden into the world leader in the development of products and services based on fiber optics.

Cluster Manager at Fiber Optic Valley, Jeanette Waax will be giving a presentation answering the following questions:

Why does this community need a vision, what technologies are involved?
Why do companies such as Ericsson get involved in such ventures?
How do ICT companies collaborate with educational institutions to develop new applications?


Where: STC Training
When: Thursday 14th January
Time: 18.00


These are some of the topics that will be dealt with during this presentation and will also highlight some cutting edge applications developed at the Valley.

This is an event which is not to be missed! Please confirm your attendance by sending an email to info@stcmalta.com by no later than Monday 11th January. Bookings are on a first come first served basis.

STC Training

Posted by Donald Tabone

Jan 5

Welcome to the New Year.. it's the dawn of a new year and we're moving fast.

Technology and life in general seem to be moving at a rate faster than I ever recall. Recently I was in London and one of the staple places my son and I visited was the Science Museum in S. Kensington. Whilst walking through the corridors of the 'old' technology section I told him how my first computer was a Memotech 512s2 with Basic, Assembler (Z80) and even a database language called Noddy... of course my speech was cut short with ... "dad, cut it. You're ancient.." --- and yet I REALLY am not THAT old.. so he made me promise NOT to brag on and on about how we used tapes to load stuff up that took an age -- and just observe and not give him the "In my time..." spiel.

New year resolutions apart.. as I normally come up to scratch with the usual technology predictions for the forthcoming year.. I increasingly see "sensational" headlined tweets such as "The era of Mobile Internet is dawning" and "Hackers Brew Self-Destruct Code to Counter Police Forensics.. " all designed to stir something in the reader ... and that one thing often boils down to fear through curiosity.

Inspired by BruceS, I recently read the book "The Science of Fear" by Daniel Gardner. It is an excellent read as the author recounts his personal experiences and slowly progresses to explain and interpret them in an exceptional way -- merging a rather heavy element of psychology with simple explanations of why we act the way we act when faced with decisions and different circumstances. In a nutshell, the way we perform risk management is somewhat always biased and subjective, whose origins are instinctive. So fear (as well as other factors, of course) has a bearing -- a very heavy bearing in the way we do risk management and react to incidents.

The next ISACA talk, entitled "The Cost of Fear" focuses on these same points and attempts to put them into perspective showing us why we often downplay risk. The media, numbers, culture, group thinking, historic events and human nature all contribute to the way we ascertain risk. Sometimes we readily take on risk accepting the consequences -- other times our instinctive nature takes the better of us -- two analogies Daniel Gardner calls "Head" and "Gut".

Quoting from Gardner's book, "Unreasoning fear" as Roosevelt called it, may be bad for those who experience it and society at large, but it's wonderful for shareholders. The opportunities are limitless. All that's required is that fears keep rising, and those who reap the profits know which buttons to push in our Stone Age minds to ensure that happens.

So whilst I plunge in yet more studying for 2 more years as I undertake an LLM, I look forward to what's to come and the next ISACA presentation. Don't forget to keep up to date & follow us on Twitter!

Happy New Year to all..!

Posted by Donald Tabone

Dec 29
as per XKCD! Next thing we'll know we'll be in hibernation mode.. that's surely safe!

Posted by Donald Tabone

Oct 30
It has been quite a few years now that I have been teaching computer forensics on behalf of the UK's NCC and the subject. Recently I gave a talk for the local ISACA chapter entitled 'The Realm of Digital Forensics' which went pretty well. Its main aim was to introduce people coming from an auditing background to the subject. This worked well; however, the talk couldn't get technical as I would have lost my audience.

That brings me to the point of the article. From a local perspective; being a relatively new subject; there is very little knowledge of what the job entails. Skills at various levels both technical and non-technical. Not to mention soft-skills which are somehow always assumed to exist. Although we are a small island and specialization in a particular field is not necessarily a good thing for your career, the truth is that from a legal perspective we still need these skills and services --- as communication technologies multiply every six months and more and more information is saved in digital format, the reality is that there WILL be (and is) abuse. The consequence takes the form of embezzlement, harassment, fraud, espionage and a myriad of other cyber-crimes that start becoming more prevalent as companies lose money.

Recently I was lucky enough to win a study bursary to continue studying and obtain a Masters degree in IT & Telecommunications Law with the University of Strathclyde. This, coupled with my technical skills, will give me an excellent insight to the legal aspect of information security. I envisage that local private companies, government and even the legal system will need these skills as cyber-crimes continue to rise.

What we now need is for communities to recognize that for digital evidence to hold in a court of law, not only do chain-of-evidence and chain-of-custody apply, but there must be adequate funding, awareness and recognition of expertise.

Cyber-crime is a reality. It's time we recognize it and allocate resources on a national scale to ensure awareness and justice in a proper manner. Are we dealing with it in the right way?

Posted by Donald Tabone

Sep 15
While it's been a while since I last posted an article on maltainfosec.org, I must admit I've recently been over the top of my head with my studies. The good thing is that my degree is over and plans are in place to start a post-grad in law (LLM). Moreover, I was invited to give a presentation next October on Network Information Systems (NIS) and CERT from a local private perspective. More details of this to come later on.

Meanwhile, we are slowly making the transition to micro-blogging, sharing relevant infosec information through Twitter.

Going back to the original title of the article -- as you might imagine, different people have different perceptions of information security, which in turn exposes different attitudes towards the subject -- most of which are lax, unfortunately. Whilst large companies that invest in security do so because of compliance (primarily), their internal security departments use it as leverage to enforce controls -- however, the expense is never seen as an investment or insurance, rather it's a thorn that they have to deal with and put up with -- and this is common even for smaller companies of around 50 people. On the local scene this stands to be very true and it's a pity as security often gets overlooked or worse, sidetracked -- and we learn through failures to protect information, exposures and mistakes -- what I would call the 'hard way'.

Not only does this apply to the local scene, but also large kick-ass innovative companies like Apple. To be fair, they have been responding a little faster over the past few months especially with the release of 10.6.1 of Snow Leopard.. then again they are also known to work on patches given there is enough demand. What comes to mind is an old Java flaw that took months to be updated by Apple.

The bottom line is companies fix stuff because they stand to lose money -- and the driver for any business (like we all know) IS money. So if it's in the interest of the company, the security attitude is immediately escalated and given priority -- other than that -- given the times we live in where budgets and time are always tight --- the less security pros interfere with life cycles, the better.

... In the interest of whoever has this sort of attitude, let's hope that it doesn't bite them back in the ass ;-)

".. Security is not about being killed by an alligator..Usually, it is about being eaten to death by a thousand chickens..."

Posted by Donald Tabone

Aug 12

Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village

Source

Posted by Donald Tabone

Jul 10
53% of IT managers are largely unaware of employee access rights to systems!

This causes a proliferation of zombie accounts – accounts that remain active after employees have left the company.

However, these same administrators say they have a high level of confidence that zombie accounts cannot trigger a malicious attack or perpetrate a data leak, despite high-profile evidence to the contrary. This is according to a global survey of 236 business managers from large enterprises.

Continue reading "Zombie Accounts Jeopardise Security"

Posted by Donald Tabone

Jun 23
Oh no..

Posted by Donald Tabone

Jun 23
According to the human resources association World at Work, 17.2 million Americans worked from home or remotely at least one day per month for their employer last year and the 2007 book 'Microtrends' estimates that 4.2 million Americans work full-time from home.

Good security is a key to good productivity...

Continue reading "Seven Deadly Sins of Home Office Security"

Posted by Donald Tabone

Jun 18
Echoing an article I wrote for www.ecsuite.com

To what extent are you prepared to protect your investment from the myriad of vulnerabilities today’s businesses have to deal with? Understanding how the security puzzle is structured is the first step to knowing how to apply a holistic approach. Given that the implementation of this approach does take time, not addressing any one part is guaranteed to have a negative effect on the overall running of your business.

Deciding where and how to start implementing security measures in your company can be a daunting task. No matter if you're just starting up a new business or whether you already have a number of security controls in place, complying with standards doesn't necessarily mean you've got your assets covered. This puts your company in a critical position to work toward protecting your investments. Ad hoc implementations of security controls will spiral out of control, often leaving you in a more vulnerable position than when you started off. Thinking of what a business might stand to lose has never been more important in this day and age.

Continue reading "Holistic Enterprise Security"

Posted by Donald Tabone

May 26
Statistically it has been shown that many breaches to a business happen from the inside -- most notably because employees already have access to systems and enjoy a certain level of trust.

Reading a recent article by Ron Condon, UK Bureau Chief, it becomes apparent that according to Matthijs van der Wel, head of forensics at Verizon Business, 80% of 600 breaches which happened over the last five years came from outside an organisation! This can be found in the following report published by Van der Wel in April.

The report goes on to emphasise that "organisations are making stupid (information security) mistakes as in failing to patch vulnerabilities, using default passwords and forgetting to close down user accounts when employees leave an organisation. The end result is data loss."

Quoted from the original article, some simple rules for reducing damage are the following:

- Do not use default passwords.
- Ensure that third-party suppliers (such as maintenance companies) do not use default passwords or shared credentials for all their clients.
- Do regular network scans to check what servers you have. If you don't know what you have, you can't protect it.
- Patch regularly, using an up-to-date network diagram to ensure all systems are covered.
- Ensure user accounts are closed when employees leave. "In the majority of the cases we've seen, a terminated employee was involved," says van der Wel. "Go through the user accounts list and check that all users are still employed within your organisation."
- Examine system file logs to establish what is normal behaviour on the system. Then you will be in a better position to recognise abnormal behaviour.
- Get IT staff to come up with different attack scenarios.
- Analyse IDS alerts, or outsource the process to a specialist service company. Do not just ignore the alerts like an annoying car alarm that keeps going off.
- Analyse IP addresses of outgoing connections.


Van der Wel's advice is to use your own staff to spot the systems' weaknesses. "Sit down with a couple of knowledgeable IT guys and come up with different attack scenarios. Ask how they would attack their own organisation. Imagine how that would show up in the log files. After that, go and look in the log files to see if anyone has done it. If you can think of it, so could others. We don't see many IT organisations spending their money doing things like that. They would rather spend the money on a new box." -- very well said!
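Following the advice quoted above (establish what is normal in the logs, then look for what is not; analyse the IP addresses of outgoing connections; know what hosts you have), here is an added Python example, not code from the article or from Verizon, that learns a per-host baseline of outbound destinations from one week of firewall-style log lines and flags connections in a later week that fall outside it. The log format, all addresses and the RFC 1918 "internal" ranges are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall-style log lines (not real data), one connection per line:
#   <date> <time> ALLOW <source ip> -> <destination ip>:<port>
BASELINE_LOGS = """\
2009-05-18 09:12:01 ALLOW 10.0.1.15 -> 192.0.2.10:443
2009-05-18 09:13:07 ALLOW 10.0.1.15 -> 198.51.100.5:80
2009-05-18 09:15:22 ALLOW 10.0.1.20 -> 192.0.2.10:443
2009-05-19 10:02:45 ALLOW 10.0.1.20 -> 10.0.2.40:25
"""

RECENT_LOGS = """\
2009-05-25 09:10:00 ALLOW 10.0.1.15 -> 192.0.2.10:443
2009-05-25 02:41:13 ALLOW 10.0.1.15 -> 203.0.113.77:6667
2009-05-25 11:05:31 ALLOW 10.0.1.99 -> 192.0.2.10:443
2009-05-25 11:06:02 ALLOW 10.0.1.20 -> 10.0.2.40:25
garbage line that the parser must skip
"""

# Ranges this example treats as "inside" the organisation (RFC 1918 private space).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+ \S+) ALLOW (\S+) -> (\S+):(\d+)$")


def parse_events(log_text):
    """Turn log text into (timestamp, src, dst, port) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            events.append((ts, src, dst, int(port)))
    return events


def build_baseline(events):
    """Per source host, the set of destination:port pairs seen in the baseline period."""
    baseline = defaultdict(set)
    for _, src, dst, port in events:
        baseline[src].add((dst, port))
    return baseline


def is_internal(ip_text):
    return any(ip_address(ip_text) in net for net in INTERNAL_NETS)


def find_anomalies(baseline, events):
    """Flag hosts absent from the baseline (systems nobody inventoried) and
    destinations a known host never contacted before, labelled internal/external."""
    alerts = []
    for ts, src, dst, port in events:
        if src not in baseline:
            alerts.append((ts, src, "source host not in baseline; is it inventoried?"))
        elif (dst, port) not in baseline[src]:
            where = "internal" if is_internal(dst) else "external"
            alerts.append((ts, src, f"new {where} destination {dst}:{port}"))
    return alerts


def run():
    """Build the baseline from week one and review week two against it."""
    baseline = build_baseline(parse_events(BASELINE_LOGS))
    return find_anomalies(baseline, parse_events(RECENT_LOGS))


if __name__ == "__main__":
    for ts, src, why in run():
        print(ts, src, why)
```

On the constructed data this reports two alerts: a known host reaching a never-seen external address and port, and a host that does not appear in the baseline at all.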

Full article

Posted by Donald Tabone

May 26
During the 2008 cycles of ISACA exams, the CISA Refresher Webinars created a positive impact on numerous exam-takers and in many cases made a world of difference for those who passed the exam. Thanks to all ISACA Chapters and other friends, exam-takers from all over the world have registered for these free classes and benefited from the teachings offered.

FREE refresher webinars: the offering has been expanded to cover the June 2009 CISA, CISM and CGEIT exams. These webinars are designed to review the concepts to be tested in each exam and are not intended to replace or provide the knowledge you would learn in a complete review class. This is a free service to all exam-takers in the interest of increasing the passing rate.

Please find below the links to register for the CISA, CISM and CGEIT web-based seminars:

CISA May 26 at 3PM EST: https://www2.gotomeeting.com/register/830376282
CISA June 1 at 9AM EST: https://www2.gotomeeting.com/register/119400850
CISM: https://www2.gotomeeting.com/register/789736306
CGEIT: https://www2.gotomeeting.com/register/566801275


Source

Posted by Donald Tabone

May 13


Back in October 2007, I remember seeing an article about a next-generation credit card that incorporates a 12-button keyboard, a microprocessor and an embedded alphanumeric display, and promises to provide unprecedented security in phone and online banking transactions.

Once again in BBC news today I come across another similar article on the same lines regarding a similar credit card to combat fraud.

A credit card with a built-in display is being tested by Visa with the aim of reducing online fraud. The Emue Card generates and displays a unique code each time it is used. Developers say that the new technology would make it very hard for fraudsters, as any transaction would require the pin to generate the code. The card is currently being trialled by 500 employees of Deloitte with the aim of assessing the technology by the end of the year.

Sandra Alzetta, head of innovation at Visa, said that the card was bringing the principles of chip and pin technology to the online world.

"The card needs to be globally compatible: that means embossed characters for mechanical swipes, a magnetic strip for systems that require a signature, the fixed three digit security code and now the unique four figure code. "

"Once certified by Visa it is then down to the banks and credit card companies to decide if they take up the new technology, but Ms Alzetta said she was confident they would"

"One of the things we're testing is how long the battery lasts - the plan is for it to work for more than three years, which means your card should expire before it runs out of power."

Source

Posted by Donald Tabone

