InfoSec Philippines

Information Security, Technology News and Opinions

Archive for August, 2009

CIS Consensus Security Metrics V.1.0.0

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 27, 2009

In mid-May the Center for Internet Security, the same people that give us free benchmarks, released their Consensus Metric Definitions V.1.0.0. It’s a free 90-page PDF containing 20 metric definitions under 6 business functions.

The 6 Business Functions and the metric areas under them are as follows:

Incident Management
– Mean-Time to Incident Discovery
– Number of Incidents
– Mean-Time Between Security Incidents
– Mean-Time to Incident Recovery

Vulnerability Management
– Vulnerability Scanning Coverage
– Percent of Systems with No Known Severe Vulnerabilities
– Mean-Time to Mitigate Vulnerabilities
– Number of Known Vulnerabilities

Patch Management
– Patch Policy Compliance
– Patch Management Coverage
– Mean-Time to Patch

Application Security
– Number of Applications
– Percent of Critical Applications
– Risk Assessment Coverage
– Security Testing Coverage

Configuration Management
– Mean-Time to Complete Changes
– Percent of Changes with Security Reviews
– Percent of Changes with Security Exceptions

Financial Metrics
– IT Security Spending as Percentage of IT Budget
– IT Security Budget Allocation

CIS is currently defining additional consensus metrics, so there will be more to follow. Please check out CIS’s document to find out how to measure the metrics mentioned above. It would be nice to see a mapping to ISO/IEC 27002:2005… just in case Metric Center’s Catalog doesn’t already have the above metrics. Metric Center’s mapping is the best mapping to ISO/IEC 27002:2005 that I’ve seen to date, and I’m hoping that they won’t start charging to check out their site in the future.
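As an added illustration (not from the CIS document or this post), the following Python computes four of the metrics listed above from a constructed incident register and scan result, using my reading of the CIS definitions: mean time to discovery and to recovery are measured from the date of occurrence and averaged over incidents, mean time between incidents is the average gap between consecutive occurrence dates, and a vulnerability counts as severe at an assumed CVSS base score of 7.0 or higher.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

HOURS = 3600.0
SEVERE_CVSS = 7.0  # assumed threshold for "severe"; adjust to your policy

@dataclass
class Incident:
    occurred: datetime
    discovered: datetime
    recovered: datetime

def load_incidents(rows):
    """rows: (occurrence, discovery, recovery) ISO-8601 timestamps."""
    return [Incident(*(datetime.fromisoformat(t) for t in row)) for row in rows]

def mean_time_to_discovery(incidents):
    """Hours from occurrence to discovery, averaged over all incidents."""
    return mean((i.discovered - i.occurred).total_seconds() / HOURS for i in incidents)

def mean_time_to_recovery(incidents):
    """Hours from occurrence to recovery, averaged over all incidents."""
    return mean((i.recovered - i.occurred).total_seconds() / HOURS for i in incidents)

def mean_time_between_incidents(incidents):
    """Hours between consecutive occurrences; undefined with fewer than two incidents."""
    starts = sorted(i.occurred for i in incidents)
    if len(starts) < 2:
        return None
    return mean((b - a).total_seconds() / HOURS for a, b in zip(starts, starts[1:]))

def pct_systems_without_severe_vulns(scan_results):
    """scan_results: {host: [CVSS base scores]}; percent of hosts with no severe finding."""
    if not scan_results:
        return 0.0
    clean = sum(1 for scores in scan_results.values() if all(s < SEVERE_CVSS for s in scores))
    return 100.0 * clean / len(scan_results)

# Constructed sample data (not real incidents or hosts).
SAMPLE_INCIDENTS = load_incidents([
    ("2009-08-01T08:00", "2009-08-03T08:00", "2009-08-04T08:00"),
    ("2009-08-06T08:00", "2009-08-06T20:00", "2009-08-07T08:00"),
    ("2009-08-16T08:00", "2009-08-20T08:00", "2009-08-22T08:00"),
])
SAMPLE_SCAN = {"web01": [5.0, 9.8], "db01": [3.1], "mail01": [], "vpn01": [7.5]}

if __name__ == "__main__":
    print("MTTD (h):", mean_time_to_discovery(SAMPLE_INCIDENTS))
    print("MTTR (h):", mean_time_to_recovery(SAMPLE_INCIDENTS))
    print("MTBSI (h):", mean_time_between_incidents(SAMPLE_INCIDENTS))
    print("% systems w/o severe vulns:", pct_systems_without_severe_vulns(SAMPLE_SCAN))
```

With a single incident the between-incidents metric has no gap to average, so the function returns None rather than dividing by zero.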


ISO’s Glossary of IT Security Terminology

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 24, 2009

Since I haven’t put up my own Glossary of IT Security Terms, and there are tons of reputable sources on the web, I’ll be linking to them instead.

First up is the ISO/IEC Joint Technical Committee 1, Sub-Committee 27’s Standing Document 6: Glossary of IT Security Terminology. It is a freely downloadable zipped Excel file with around 1,700 rows of definitions (some of which repeat depending on the reference material and working group). It also references the source document, and it is current as of April 29, 2009. A sample entry from the document follows:

Term:
Biometric

Definition:
automated recognition of individuals based on their behavioural and biological characteristics NOTE Definition from [2].

Stds/TRs/Drafts:
ISO/IEC FDIS 19792: 2009-04-16

WG:
WG3

Please note that FDIS stands for Final Draft International Standard. Working group 3 works on “Security Evaluation Criteria.” Please see here for more on the different Working Groups of SC27. The recently published ISO/IEC 19792’s title is, “Information technology — Security techniques — Security evaluation of biometrics”.


The Philippine Data Privacy Act

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 10, 2009

The Philippine Data Privacy Act is apparently stuck in Congress. They adjourned on June 5 and started again on July 27.

In the same vein that the country currently has no Anti-Cybercrime legislation, the Philippines has no specific Data Privacy Act. One of the best sources of information regarding the current state of legislation is Mr. Philip Varilla’s presentation on “Privacy Framework in the Philippines”, which, if one Googles for “Philippine Privacy Law”, can be found on the website of the Office of the Privacy Commissioner for Personal Data… of Hong Kong.

The presentation states that privacy is a basic right bestowed by the Constitution’s Bill of Rights Section 2, “The right of the people to be secure in their persons, houses, papers,”; and Section 3, “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law….”

It also states that the following Philippine laws are relevant:
– REPUBLIC ACT (RA) 8505 (An Act providing Assistance and Protection for Rape Victims…) SECTION 5. Protective measures.
– RA 8369 (An Act Establishing Family Courts, granting them Exclusive Original Jurisdiction over Child and Family Cases…) SECTION 12. Privacy and Confidentiality of Proceedings.
– Law on Secrecy of Bank Deposits Republic Act No.1405, as amended
– E-COMMERCE ACT (ECA) RA 8792

If one wants to understand the current state of data privacy in the Philippines, I suggest downloading the above presentation. Reading it made me wonder why the Philippines doesn’t seem to have HIPAA-like legislation specific to HMOs, making them liable in case they do not protect your medical information.

The Philippines, being a member of APEC, will be aligning its Data Privacy legislation with the APEC Framework.
The APEC Framework can be downloaded here.

Other Related Links:
(Inquirer.net Feb 2009) RP joins APEC data privacy initiatives
The Electronic Commerce Act and its Implementing Rules and Regulations (40 page pdf)
(Out-law.com) Why the APEC Privacy Framework is unlikely to protect privacy [published Oct 2007]
Philippines Convenes Seminar to Explore New Privacy Legislation
(Inquirer.net Oct 2008) Senate must pass IP, data privacy laws
(Global Sky.com) Outsourcing in the Philippines: Is your privacy protected?
ARC Frequently Asked Questions
(Chan Robles) E-Commerce Act of 2000
(Scribd) Republic Act 8792
(GMA News Blog) Janette Toral’s Blog
(Digital Filipino) Salient Features of RA8792, The E-Commerce Law
(Wikipedia) Information privacy law
(Wikipedia) US Health Insurance Portability and Accountability Act
(Wikipedia) EU Data Protection Directive


Draft Philippine Cybercrime Prevention Act

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 10, 2009

In case you’d like to see the current draft bill being deliberated in Congress, you can find it here.

Articles from the end of May relating to the Cybercrime bill:
(Newsbreak) Latest sex video scandal highlights need for cyber crime law
(Computerworld Philippines) National ICT Month


The Hacker Manifesto

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 6, 2009

Since Black Hat USA (presentations available here) and Defcon 17 concluded a week ago, I found it fitting to post here the classic “Hacker Manifesto.” This comes from Phrack Magazine’s Volume One, Issue 7, Phile 3 of 10, originally entitled “The Conscience of a Hacker”, by The Mentor and written on Jan 8, 1986.

The Hacker Manifesto

by
+++The Mentor+++
Written January 8, 1986

Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”…

Damn kids. They’re all alike.

But did you, in your three-piece psychology and 1950’s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world…

Mine is a world that begins with school… I’m smarter than most of the other kids, this crap they teach us bores me…

Damn underachiever. They’re all alike.

I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head…”

Damn kid. Probably copied it. They’re all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me.. Or thinks I’m a smart ass.. Or doesn’t like teaching and shouldn’t be here…

Damn kid. All he does is play games. They’re all alike.

And then it happened… a door opened to a world… rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought… a board is found. “This is it… this is where I belong…” I know everyone here… even if I’ve never met them, never talked to them, may never hear from them again… I know you all…

Damn kid. Tying up the phone line again. They’re all alike…

You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.
