InfoSec Philippines

Information Security, Technology News and Opinions

“El Sibakero”, #1

Posted by Daniel Tumalad on November 4, 2009

Introducing infosec.ph’s weekly cartoon strip, “El Sibakero”.

http://www.facebook.com/pages/The-El-Sibakero-Project/151004647367

Posted in Awareness, Cartoons, El Sibakero, Philippines

More InfoSec Glossary: Freely Available ISO 27000 PDF

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 2, 2009

The ISO 27000 (Information security management systems — Overview and vocabulary) document is part of ISO’s Publicly Available Standards. Because of this, you may download it, store it on your PC, and print out one copy of the file, but aren’t allowed to transfer or place it on a network without the authorization of the copyright owner. You can read the whole License Agreement, and download the ISO 27000 document here.


Another place to check out for InfoSec definitions is at the Software and Systems Engineering Vocabulary (SE VOCAB) Site. This is a project of the IEEE Computer Society, and ISO/IEC JTC 1/SC7.


SITE NEWS
It has been a very busy couple of months for the Admins of Infosec.ph. On behalf of the other Admins, thank you for all your comments and support. Some of the comments contain specific questions which we choose not to publish. For these kinds of more specific questions and comments, you may e-mail us at infosecphils@gmail.com.

For news updates, kindly check out our Facebook Page, and our Twitter page.

Posted in Free, Glossary, ISMS

CIS Consensus Security Metrics V.1.0.0

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 27, 2009

In mid-May the Center for Internet Security, the same people that give us free benchmarks, released their Consensus Metric Definitions V.1.0.0. It’s a free 90-page PDF containing 20 Metric Definitions under 6 Business Functions.

The 6 Business Functions and the metric areas under them are as follows:

Incident Management
- Mean-Time to Incident Discovery
- Number of Incidents
- Mean-Time Between Security Incidents
- Mean-Time to Incident Recovery

Vulnerability Management
- Vulnerability Scanning Coverage
- Percent of Systems with No Known Severe Vulnerabilities
- Mean-Time to Mitigate Vulnerabilities
- Number of Known Vulnerabilities

Patch Management
- Patch Policy Compliance
- Patch Management Coverage
- Mean-Time to Patch

Application Security
- Number of Applications
- Percent of Critical Applications
- Risk Assessment Coverage
- Security Testing Coverage

Configuration Management
- Mean-Time to Complete Changes
- Percent of Changes with Security Reviews
- Percent of Changes with Security Exceptions

Financial Metrics
- IT Security Spending as Percentage of IT Budget
- IT Security Budget Allocation

CIS is currently defining additional consensus metrics, so there will be more to follow. Please check out CIS’s document to find out how to measure the metrics mentioned above. It would be nice to see a mapping to ISO/IEC 27002:2005… just in case Metric Center’s Catalog doesn’t already have the above metrics. Metric Center’s mapping is the best mapping to ISO/IEC 27k2:2k5 that I’ve seen to date, and I’m hoping that they won’t start charging to check out their site in the future.
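As an added example (not from the CIS document or this post), the following Python computes a few of the metrics named above from constructed incident and scan records. The formulas used (occurrence-to-discovery, discovery-to-recovery, gaps between consecutive occurrences, and a high/critical severity threshold) are my reading of the metric names, so check them against the CIS definitions before relying on them.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data): when each incident
# occurred, when it was discovered, and when service was recovered.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2009-05-01T08:00",
     "discovered": "2009-05-01T20:00", "recovered": "2009-05-02T08:00"},
    {"id": "INC-2", "occurred": "2009-05-10T09:00",
     "discovered": "2009-05-11T09:00", "recovered": "2009-05-11T21:00"},
    {"id": "INC-3", "occurred": "2009-05-20T00:00",
     "discovered": "2009-05-20T06:00", "recovered": "2009-05-20T18:00"},
]

# Constructed scan results (not real data): system name -> severities found.
SCAN_RESULTS = {"web-01": ["high", "low"], "db-01": [],
                "app-01": ["medium"], "app-02": ["critical"]}

def _hours(start, end):
    """Elapsed hours between two ISO-style timestamps."""
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return delta.total_seconds() / 3600

def mean_time_to_incident_discovery(incidents):
    """Mean hours from occurrence to discovery (assumed formula)."""
    return mean(_hours(i["occurred"], i["discovered"]) for i in incidents)

def mean_time_to_incident_recovery(incidents):
    """Mean hours from discovery to recovery (assumed formula)."""
    return mean(_hours(i["discovered"], i["recovered"]) for i in incidents)

def mean_time_between_security_incidents(incidents):
    """Mean hours between consecutive occurrences; None if fewer than two."""
    times = sorted(i["occurred"] for i in incidents)
    gaps = [_hours(a, b) for a, b in zip(times, times[1:])]
    return mean(gaps) if gaps else None

def percent_systems_without_severe_vulns(scan_results, severe=("high", "critical")):
    """Percent of scanned systems with no finding at an assumed severe level."""
    clean = sum(1 for vulns in scan_results.values()
                if not any(v in severe for v in vulns))
    return 100.0 * clean / len(scan_results)

if __name__ == "__main__":
    print("MTTID hours:", mean_time_to_incident_discovery(INCIDENTS))
    print("MTTIR hours:", mean_time_to_incident_recovery(INCIDENTS))
    print("MTBSI hours:", mean_time_between_security_incidents(INCIDENTS))
    print("% systems w/o severe vulns:", percent_systems_without_severe_vulns(SCAN_RESULTS))
```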

Posted in Metrics

ISO’s Glossary of IT Security Terminology

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 24, 2009

Since I haven’t put up my own Glossary of IT Security Terms, and there are tons of reputable sources on the web, I’ll be linking to them instead.

First up is the ISO/IEC Joint Technical Committee 1, Sub-Committee 27’s Standing Document 6: Glossary of IT Security Terminology. It is a freely downloadable zipped Excel file with around 1,700 rows of definitions (some of which repeat depending on the reference material and working group). It also references the source document for each term, and it is current as of April 29, 2009. A sample of the document follows:

Term:
Biometric

Definition:
automated recognition of individuals based on their behavioural and biological characteristics NOTE Definition from [2].

Stds/TRs/Drafts:
ISO/IEC FDIS 19792: 2009-04-16

WG:
WG3

Please note that FDIS stands for Final Draft International Standard. Working group 3 works on “Security Evaluation Criteria.” Please see here for more on the different Working Groups of SC27. The recently published ISO/IEC 19792’s title is, “Information technology — Security techniques — Security evaluation of biometrics”.

Posted in Glossary

The Philippine Data Privacy Act

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 10, 2009

The Philippine Data Privacy Act is apparently stuck in Congress. They adjourned on June 5 and started again on July 27.

Just as the country currently has no anti-cybercrime legislation, the Philippines has no specific Data Privacy Act. One of the best sources of information regarding the current state of legislation is Mr. Philip Varilla’s presentation on “Privacy Framework in the Philippines“, which, if one Googles for “Philippine Privacy Law”, can be found on the website of the Office of the Privacy Commissioner for Personal Data… of Hong Kong.

The presentation states that privacy is a basic right bestowed by the Constitution’s Bill of Rights Section 2, “The right of the people to be secure in their persons, houses, papers,”; and Section 3, “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law….”

It also states that the following Philippine laws are relevant:
- REPUBLIC ACT (RA) 8505 (An Act providing Assistance and Protection for Rape Victims…) SECTION 5. Protective measures.
- RA 8369 (An Act Establishing Family Courts, granting them Exclusive Original Jurisdiction over Child and Family Cases…) SECTION 12. Privacy and Confidentiality of Proceedings.
- Law on Secrecy of Bank Deposits Republic Act No.1405, as amended
- E-COMMERCE ACT (ECA) RA 8792

If one wants to understand the current state of data privacy in the Philippines, I suggest downloading the above presentation. Reading it made me wonder why the Philippines doesn’t seem to have HIPAA-like legislation specific to HMOs, making them liable in case they do not protect your medical information.

The Philippines, being a member of APEC, will be aligning its Data Privacy legislation with the APEC Framework.
The APEC Framework can be downloaded here.

Other Related Links:
(Inquirer.net Feb 2009) RP joins APEC data privacy initiatives
The Electronic Commerce Act and its Implementing Rules and Regulations (40 page pdf)
(Out-law.com) Why the APEC Privacy Framework is unlikely to protect privacy [published Oct 2007]
Philippines Convenes Seminar to Explore New Privacy Legislation
(Inquirer.net Oct 2008) Senate must pass IP, data privacy laws
(Global Sky.com) Outsourcing in the Philippines: Is your privacy protected?
ARC Frequently Asked Questions
(Chan Robles) E-Commerce Act of 2000
(Scribd) Republic Act 8792
(GMA News Blog) Janette Toral’s Blog
(Digital Filipino) Salient Features of RA8792, The E-Commerce Law
(Wikipedia) Information privacy law
(Wikipedia) US Health Insurance Portability and Accountability Act
(Wikipedia) EU Data Protection Directive

Posted in Legal, Philippines, Presentations, Privacy, encryption

Draft Philippine Cybercrime Prevention Act

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 10, 2009

In case you’d like to see the current draft bill being deliberated in Congress, you can find it here.

Articles from the end of May relating to the Cybercrime bill:
(Newsbreak) Latest sex video scandal highlights need for cyber crime law
(Computerworld Philippines) National ICT Month

Posted in Legal, Philippines

The Hacker Manifesto

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 6, 2009

Since Black Hat USA (presentations available here) and Defcon 17 concluded a week ago, I found it fitting to post here the classic “Hacker Manifesto.” This comes from Phrack Magazine’s Volume One, Issue 7, Phile 3 of 10, originally entitled “The Conscience of a Hacker” by The Mentor and written on Jan 8, 1986.


The Hacker Manifesto

by
+++The Mentor+++
Written January 8, 1986

Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”…

Damn kids. They’re all alike.

But did you, in your three-piece psychology and 1950’s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world…

Mine is a world that begins with school… I’m smarter than most of the other kids, this crap they teach us bores me…

Damn underachiever. They’re all alike.

I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head…”

Damn kid. Probably copied it. They’re all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me.. Or thinks I’m a smart ass.. Or doesn’t like teaching and shouldn’t be here…

Damn kid. All he does is play games. They’re all alike.

And then it happened… a door opened to a world… rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought… a board is found. “This is it… this is where I belong…” I know everyone here… even if I’ve never met them, never talked to them, may never hear from them again… I know you all…

Damn kid. Tying up the phone line again. They’re all alike…

You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.

Posted in Presentations

Upcoming Webinars

Posted by Jaime Raphael Licauco, CISSP, GSEC on July 23, 2009

IT Governance Free Webinars

itgovernance.co.uk will be giving the following free 1-hour webinars:

July 23 Thu 11 PM Phil Time Mastering ISO27001
July 30 Thu 11 PM Phil Time Data Protection Act Webinar
Aug 06 Thu 11 PM Phil Time IT Governance Webinar
Aug 13 Thu 11 PM Phil Time Leadership in a Difficult Climate
Aug 20 Thu 11 PM Phil Time Best Practice Business Continuity Management
Aug 27 Thu 11 PM Phil Time Green IT in Practice


BSI America will be giving the following free 1-hour webinars:

July 24 Fri 1AM Phil Time What Does it Cost to Implement a Management System?
Aug 6 Thu 1AM Phil Time BSI Launches New Version of Entropy™ Software*
Aug 7 Fri 1AM Phil Time Implementing International Supply Chain Security Throughout Operations
Aug 13 Thu 1AM Phil Time 7 Steps to Improving your Business Case for Management System Software
Aug 21 Fri 1AM Phil Time CMDCAS for Medical Device Manufacturers
*Entropy is BSI’s Management Systems Software


Gartner Free Webinars

July 29 Wed 9AM US EDT Use IT to Drive Savings in Your Business
July 29 Wed 10AM US EDT Spend Less Get More Secure
July 29 Wed 12PM US EDT Use IT to Drive Savings in Your Business
July 29 Wed 1PM US EDT Spend Less Get More Secure
Aug 12 Wed 3PM Sydney Time How to Modernize IT While on a Budget

Note: Some of the above links were first posted in the InfoSec Philippines Facebook Page by its members or the author.


Site News

Updated the Whitepapers and References Links Page to include Securosis.

Posted in Webinars

Information Security Career Links

Posted by Jaime Raphael Licauco, CISSP, GSEC on July 22, 2009

There has been increasing interest in InfoSec Jobs possibly due to the following:
ISC2’s InfoSecurity Professional Magazine for Winter 2008 stated that CISSPs are needed in Japan due to J-SOX. Japan also has around 60% of the world’s ISMS (ISO 27001) implementations due to the demise of the “Secure Information Systems Accreditation Scheme for Information-Processing Service Companies” in March 2001.

Yahoo’s Hotjobs recently had an article stating that the most lucrative job due to Obama’s stimulus plan is being a Computer Security Specialist.

The worldwide Information Security Surveys conducted by at least two of the Big Four audit firms state that, regardless of the worldwide financial crisis, the majority of survey respondents will either maintain or increase security spending.

The longer the worldwide recession continues, the more financial motivation there is for cyber criminals, and therefore companies will want to protect their assets even more. Think about it: if you have a lot of cash on your person, you’ll more likely think of security in the bad part of town than on the posh side.*

But before you think about trying out a job in InfoSec, you might want to check out the following links:
(Search Security) How to find Jobs in Information Security – also links to the 6 part Information Security Leaders: Careers podcast series

(Securology) So You Think You Want a Job in Computer Security

Donald Donzal’s DIY Career in Ethical Hacking Presentation, and MP3 (27 MB). – This is the longer, R-rated version that was given on Oct 31, 2008 at Chicago Con. If you would like the shorter (and what he calls the Disney) version presented at the SANS What Works in Pen Testing Summit earlier in 2008, you can find the mp3 and presentation here.

(Search Security) An Introduction to Information Security Career Advisor

Hack Your Own Information Security Career

(About.com) Information Security – All about Information Security in IT

PaulDotCom Podcast 159 – Where the Information Security Leaders website founders Lee Kushner and Mike Murray are interviewed.

Art of Information Security interviews Lee Kushner Part 1 and Part 2.

(NY Times) So You Want to Be a Cybersleuth?

10 Dos and Don’ts for Security Job Interviews

Job Seekers: Get Ready for the ‘Character’ Interview

The Security Certification Directory

*Of course, not all InfoSec jobs in the ongoing recession are (excuse the pun) secure. If you are currently an InfoSec professional and are concerned because of lower revenues or job cuts in your company, you might want to read the articles “How to prepare for a layoff or ‘career incident’” and “Surviving Layoffs: Five Career Lessons from the Security Trenches“.

Note: Some of the above links were first posted in the InfoSec Philippines Facebook Page by its members and the author.

Posted in Career

Mostly CA Links on Lean IT

Posted by Jaime Raphael Licauco, CISSP, GSEC on July 22, 2009

The “CA Advisor” (which is the Security Management Newsletter of CA) for April 2009 has a bunch of articles on Lean IT.

Notable articles in the Newsletter are:
CA’s RSA Keynote Explores Transformation of Identity and Access Management

Make IT Leaner with Identity-Centric Data Loss Prevention

Q&A: The Future of Role and Compliance Management

How Lean IT Can Maximize Value and Minimize Cost

White Papers
The Case for Lean IT
Lean has been successfully applied to domains beyond manufacturing, including enterprise IT

Masters of Lean IT
Learn how 3 visionary IT executives maximized value and minimized waste

Gartner – Cost Cutting While Improving Security March 2008

Gartner – Managing IT Risks During Cost-Cutting Periods Oct 2008

Posted in Lean IT, Whitepapers