InfoSec Philippines

Information Security, Technology News and Opinions

Posts Tagged ‘SANS’

SANS 2008 Salary and Certification Survey

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 11, 2009

The SANS Salary and Certification Survey, which was conducted in November 2008 with a total of 2,120 respondents, came out early last month with the following conclusion:

“Despite the current economy, the demand for qualified information security professionals is predicted to increase through 2016, according to the Bureau of Labor Statistics. Those with formal education and professional certifications have the best opportunities to advance their careers as well as their salaries.

Security threats reached their highest levels in 2008 and are predicted to increase in 2009. With external as well as internal threats, commercial organizations, financial institutions, state and local governments and the military will continue to require qualified information security professionals to protect their systems and data. With an average entry-level (0 – 2 years of experience) salary of $70,807, security professionals are expected to hold a certain level of education, certifications, and experience as well as pursue a variety of informal and formal continuing education efforts to stay current in the industry.”

Check out the SANS 2008 Salary and Certification Survey here.


Posted in Certification, Survey

CAG and Metricon 3 Slides

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 6, 2009

A few days ago, SANS and a US consortium of federal agencies released the Consensus Audit Guidelines Draft 1.0. It is described as the “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance”.

Some of these controls may be included in ISO 27001 implementations to complement controls found in 27002, since 27001 has been criticized for not having enough controls regarding Web App Security and Wireless Security. Take note that these controls are specific and technology-based.

The controls are as follows:
Critical Control 1: Inventory of authorized and unauthorized hardware.
Critical Control 2: Inventory of authorized and unauthorized software; enforcement of white lists of authorized software.
Critical Control 3: Secure configurations for hardware and software on laptops, workstations, and servers.
Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches.
Critical Control 5: Boundary Defense
Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs
Critical Control 7: Application Software Security
Critical Control 8: Controlled Use of Administrative Privileges
Critical Control 9: Controlled Access Based On Need to Know
Critical Control 10: Continuous Vulnerability Testing and Remediation
Critical Control 11: Dormant Account Monitoring and Control
Critical Control 12: Anti-Malware Defenses
Critical Control 13: Limitation and Control of Ports, Protocols and Services
Critical Control 14: Wireless Device Control
Critical Control 15: Data Leakage Protection
Critical Control 16: Secure Network Engineering
Critical Control 17: Red Team Exercises
Critical Control 18: Incident Response Capability
Critical Control 19: Data Recovery Capability
Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps

A related article in GCN states that CAG is not a substitute for FISMA guidance. NIST will also be finishing the 3rd revision of its SP800-53 (Recommended Security Controls for Fed Info Systems and Orgs) soon, and comments will be closed by March 27. The current drafts can be found here.

Metricon 3 Slides
Metricon 3 slides have been out since July 2008, but since I haven’t posted them here, I’m including a link here.

My favorites are:
Sandy Hawke’s Bringing Metrics into the Enterprise, Kevin Peuhkurinen’s Balanced Scorecard Approach to InfoSec Metrics, Caroline Wong’s Global Information Security Metrics, and Yolanta Beres’ Security Analytics Driving Better Metrics.

Site News
As you’ve probably noticed, I’ve added Search to the site and changed the Theme. I’ve also updated links in ISMS and Security Metrics.

Posted in ISMS, Metrics

Global InfoSec Surveys and Adobe Reader Vulnerabilities

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 8, 2008

Ernst & Young’s 2008 Information Security Survey

EY released their Global Information Security Survey 2008 a few weeks ago. The survey was conducted from June 6 – August 1, 2008, in more than 50 countries and with nearly 1,400 participating organizations.

Some of the key findings were:

  • Protecting reputation and brand has become a significant driver for InfoSec
  • People remain the weakest link
  • International InfoSec standards are gaining greater acceptance
  • Growing third-party risks are not being addressed
  • Business continuity still bound to IT
  • Another notable finding is that, despite the current period of economic pressures and slowed growth, only 5% of respondents indicated a planned reduction in InfoSec expenditures, while 50% were planning to increase their investment in InfoSec. This is supported by similar numbers from CIO Magazine, CSO Magazine and PWC’s Global State of Information Security Survey 2008 (pdf, 2.79 MB). Key highlights are stated here, and another summary can be found in an article.

    For more information about the survey, click here. If you want a pdf copy of Ernst & Young’s 2008 Global Information Security Survey (1.42 MB) click here. For other informative pdfs from Ernst & Young regarding InfoSec, check out their Technology and Security Risk Services page.

    Adobe Reader vulns remind us why updating ASAP matters

    What I mean by ASAP here is after the correct patch management or change management procedures have been done. Patching/updating with no concern for proper procedures can easily lead to downtime and possibly even more vulnerabilities.

    I’m saying this after the SANS Internet Storm Center came across PDF files that exploited the recently found JavaScript buffer overflow vulnerability. They also noted that at the time of writing (Nov 7, 2008) NO ANTI VIRUS could detect the malicious PDF.

    However, had you updated your Adobe Reader to version 9 (Windows systems) a few weeks back, you wouldn’t even need to think of the problem.

    Posted in ISMS, News, vulnerability

    Upcoming Free Webinars

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 5, 2008

    Infosecurity magazine will have an upcoming webinar on “Advancements in eCrime and their implications on web security” on Tuesday, November 11, 2008 at 11pm Philippine Standard Time. Duration of the Webinar will be an hour.

    Modern Crimeware is a term coined to describe recent web-related attacks. In the ‘old’ days of virus and malware, the primary motive was fame. Modern crimeware is fuelled by financial motives and has evolved into an intricate economy of supply and demand, distributors, affiliations, and pricing models.

    For more details, click here.

    Wednesday, November 05 at 2:00 PM EST (1900 UTC/GMT) Note: This would be November 06 at 3:00 AM Philippine Time.

    SANS is happy to bring you the latest in our complimentary series of Webcasts. Join us as SANS presents:

    Reduce IT Costs by Unleashing Log Power

    Featuring: Chima Njaka

    For more details, click here.

    will have Webinars on

    (Wednesday November 5, 2008 2:00PM Eastern)
    Thursday November 6, 2008, 3:00 AM Philippine Time
    Data Leakage Thought Leadership Roundtable Webcast
    Moderated by Rich Mogull
    Panelists from Courion, Proofpoint, Secure Computing and Vericept

    (Thursday November 6, 2008 2:00PM Eastern)
    Friday November 7, 2008 3:00AM Philippine Time
    Forensics are Not Enough! Case Studies in Proactive Network Defense using Security Information and Event Management (SIEM) Technology
    Presented by TriGeo

    Posted in Webinars

    Upcoming Seminars and Conventions in Manila

    Posted by Jaime Raphael Licauco, CISSP, GSEC on November 4, 2008

    The Information Systems Security Society of the Philippines (ISSSP) will be conducting their ManilaCon 2008 on November 11-12, 2008. No info yet on how much and where this will be held. I’ll be posting this up ASAP. Or you can just email them at

    Microsoft Philippines’ Security and Cooperation Program will be giving a Security and Forensics Training on November 20-21, 2008, 9AM to 5PM at the Microsoft Office and Exchange Conference Rooms, 16th Floor, 6750 Ayala Office Tower, Makati City. As far as I know, this is FREE. E-mail or call Mellie Valimento at 860-8671 for more details. Speaking of Forensics, CyberSpeak’s Podcast for Oct 20 was about their experiences from the SANS What Works in Forensics and Incident Response Summit.

    Posted in News, Philippines