InfoSec Philippines

Information Security, Technology News and Opinions

Site News, March 24, 2010

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 24, 2010

Updated the Blogs/Personal Websites Page and added Social Media Security, Qualys’ The Laws of Vulnerabilities and The RSA Blog and Podcast Speaking of Security.

Since I had no better page for it, I added Cryptome to the White Papers and References Page. Also added to that page are Team Cymru’s Reading Room and The Register’s whitepapers and tech resources.

In case you aren’t familiar with Cryptome, it publishes leaked documents, including the customer privacy policies of corporations like Google, Microsoft, etc.

Team Cymru describes themselves as, “an Illinois non-profit and a US Federal 501(c)3 organization. We are a group of technologists passionate about making the Internet more secure and dedicated to that goal.”

Posted in Site News

Annual Security Reports, Part 3

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 11, 2010

PwC Global State of Information Security Survey
Survey by CIO Magazine, CSO Magazine and PwC

Structure is as follows:

I. Spending: A decline in growth rate – but a manifestly reluctant one
Finding #1
The economic downturn has shaken up the normal roster of leading drivers of information security spending—and very nearly jumped to the top of the list.

Finding #2
Not surprisingly, security spending is under pressure. Most executives are eyeing strategies to cancel, defer or downsize security-related initiatives.

Finding #3
Yet far fewer executives are actually “cutting security back”. And among the half or less that are taking action, most are taking the least dramatic response.

II. Impacts of the downturn: Rising pressure amid evidence of gains
Finding #4
Although given a reprieve, of sorts, from the budget knife, the information security function is under pressure to “perform”.

Finding #5
After years of “thinking differently”, business and IT leaders may be starting to think like each other.

Finding #6
Companies have made strong advances in several critical arenas over the last 12 months including strategy, assessment and compliance as well as people and organization.

III. New trends: What this year’s decision-makers are focusing on
Finding #7
After years in the limelight, protecting data elements is now a top priority—arguably—at the most critical time.

Finding #8
Companies are beginning to focus acutely on the risks associated with social networking.

Finding #9
While IT asset virtualization is a growing priority, only one out of every two respondents believes that it improves information security.

IV. Global shifts: South America steps out – while China takes the lead
Finding #10
With more mature security practices than any other region of the world, North America eases up on investment—unlike Asia, which relentlessly presses ahead.

Finding #11
South America achieves major, double-digit advances in security practices—bypassing Europe at a breathless clip.

Finding #12
As China muscles its way through the economic downturn, its security capabilities have stepped nimbly ahead of India’s—in a dramatic shift from last year’s trend—and, in the same one-year sweep, ahead of those in the US and most of the world.

Download the full report here.



Sophos Security Threat Report 2010

Structure is as follows:

Social media
– Battle lines are drawn
– Why businesses are concerned
– Koobface
– The Mikeyy Mooney worms
– Also a “localized” problem
– Emerging vectors for social networking attacks
– How to mitigate the risk

Data loss and encryption
– Data leaks lead to broken businesses
– Preventing data loss

Web threats
– The web remains the biggest vehicle for malware
– Fake AV and SEO malware stir up trouble
– Reducing web risks

Email threats
– Email malware is far from dead

Spam
– How spam spreads
– IM and social networking spam
– Other forms of spam

Malware trends
– Malware: A money-making machine
– Adobe Reader is a key malware target
– Conficker worm gains notoriety in 2009
– Other malware vehicles

Windows 7
– New platforms, new challenges
– Windows 7 security features

Apple Macs
– Soft but significant targets

Mobile devices
– BlackBerry malware
– iPhone malware
– Google Android, Palm Pre and Nokia Maemo

Cybercrime
– The cybercrime economy
– Partnerka: Criminal affiliate networks
– Timeline of cybercrime incidents, arrests and sentencings in 2009

Cyberwar and cyberterror
– Government involvement in cyberwar in 2009

The future: What does 2010 hold?

References

Download the full report here.

Posted in Annual Security Reports

Annual Security Reports, Part 2

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 29, 2010

7Safe UK Breach Investigations Report

As reported by The H Security, this report corroborates the Verizon 2009 Data Breach Investigations Report: the majority of attacks (80%) came from external sources. Of the successful breaches that were detected and analyzed, 85% involved payment card information (with the caveat that even the investigators can’t always be 100% sure exactly what data was stolen).

Check out the full report here.


Verizon 2009 Data Breach Investigations Supplemental Report

This supplemental report was released in the second week of December 2009 and describes the top 15 threat actions, each with real-world examples. Indicators and countermeasures (or mitigators) are included for each one.

The Top 15 Threats from the report were:
1. Keyloggers and Spyware
2. Backdoor or Command/Control
3. SQL injection
4. Abuse of system access/privileges
5. Unauthorized access via default credentials
6. Violation of Acceptable Use and other policies
7. Unauthorized access via weak or misconfigured ACLs
8. Packet Sniffer
9. Unauthorized access via stolen credentials
10. Pretexting (Social Engineering)
11. Authentication bypass
12. Physical theft of asset
13. Brute-force attack
14. RAM scraper
15. Phishing (and endless *ishing variations)

I really like the Indicators and Mitigators sections of the Threat Action Catalogue, since they can be easily integrated into a technical Security Awareness Program.

Check out the report here.

If you’d like to access the Verizon 2009 Data Breach Investigations Report, released back in April 2009, click here. Its summary can be found here.

Posted in Annual Security Reports

Annual Security Reports, Part 1

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 24, 2010

Annual Report PandaLabs 2009
Topics include:
2009 in figures
The year at a glance (Web 2.0, Blackhat SEO Techniques, Cyberwar)
Threats in 2009 (The profitability of rogueware, Banker Trojans, Conficker)
Spam
Main vulnerabilities in 2009
Trends in 2010

Download the full report here.



Ernst & Young’s 12th annual Global Information Security Survey

Key survey findings include (taken verbatim from the report):

Managing risks
– Improving information security risk management is top security priority for the next year.
– External and internal attacks are increasing.
– Reprisals from recently separated employees have become a major concern.

Addressing challenges
– Availability of skilled information security resources is the greatest challenge to effectively delivering information security initiatives.
– Despite most organizations maintaining current spending on information security, adequate budget is still a significant challenge to delivering security initiatives.
– Security training and awareness programs are falling short of expectations.

Complying with regulations
– Regulatory compliance continues to be an important driver for information security.
– The cost of compliance remains high, with few companies planning to spend less in the next 12 months.
– Too few organizations have taken the necessary steps to protect personal information.

Leveraging technology
– Implementing DLP technologies is the top security priority for many organizations.
– The lack of endpoint encryption remains a key risk with few companies encrypting laptops or desktop computers.
– Virtualization and cloud computing are gaining greater adoption, but few companies are considering the information security implications.


Download the full report here.

Posted in Annual Security Reports

Prioritizing Information Security Risks with Threat Agent Risk Assessment

Posted by xrsolis on January 18, 2010

Hello, I’m Xander and I’m a new contributor to the InfoSec Philippines blog. I was lurking on the Security Metrics mailing list, where the recent discussion was about Intel’s TARA (Threat Agent Risk Assessment) methodology, which Intel uses for its internal information security risk assessments. Rather than trying to address every possible risk, the methodology centers on the threat agents that could cause the greatest exposure. Check out the whitepaper here.

Posted in Metrics

Happy Holidays from InfoSec Philippines!

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 21, 2009

As 2009 comes to a close, we here at InfoSec.PH would like to thank everyone for supporting our site this year. We appreciate the comments and suggestions in improving our site to better help in spreading InfoSec awareness in the Philippines.

So from all of us here at InfoSec.PH, Merry X’mas and a Happy New Year 🙂

Posted in El Sibakero