
Archive for the ‘Information Security’ Category

I wonder how many people would give away their passwords when simply asked to. This morning I received the email below, purportedly from Google, which asked me to confirm that I still want to use Gmail. Of course I still want to use it; how else could I chat during office hours?

Every time I receive a phishing email like this, I always check which email address it really came from. In this case, it is verifyscess@googledesk.com. Googledesk? Hm, not a bad attempt at masquerading as the mighty Google.
And verifyscess? Must be an attempt to circumvent spam blockers or other filters. Spammers really should look for other ways, because misspellings make the email sound too fake.


What happened to YB Elizabeth Wong must be a nightmare. Technology has been (mis)used to take private photos of her and to distribute them online. I hope she will not resign over this matter, because that would encourage more of such practice. I am approaching this matter from a security point of view, not a political one.

My stand on this is not dissimilar to the Exclusionary Rule in the U.S., which says that evidence gathered in violation of a defendant’s constitutional rights is inadmissible in a criminal prosecution. This discourages illegal conduct of investigations by removing all the benefits they would have brought.

Applied to this case, we can discourage such trespass on privacy by doing the same: remove all the benefits it has, and hence all reasons to do it in the first place.

Everyone is actually exposed to privacy attacks as more and more of our data circulates on the internet. For those who do not realise how horrifying this is, please read the book Schneier on Security. It discusses security in general without delving too much into technicalities and is highly recommended to everyone. I love the chapter on privacy most of all; it is one of the motivations for me writing about it myself now.

How about Facebook and all its features, tagging etc.? I just found this wonderful link on how to manage Facebook privacy settings. Consider paying it a visit, at least!

ps: I am a Bukit Lanjan resident, at least for another week.

Suggested reading: Schneier on Security.

Finally got an idea for my Master’s thesis. Personally, I think it’s a splendid idea. I sent an email to Prof. Azizah asking for her opinion, and she seems to think it’s worthy of research. But she foresees that I might have difficulty with the Literature Review, because it is not known what real-life problems I may solve.

I consulted Dr Asri and Syaril too and they said the same. The idea seems very good for solving security problems in movies and fiction, but for real life, they don’t know either.

But why can’t I solve fictional problems? Surely it has happened somewhere. Sadly, that’s not what an academic thesis is about.

Anyway, I’m sure I could tweak things to make them fit. At least now I have a direction and a scope to work my ideas within.

Pretty relieved. I can go outstation without worrying too much about my studies.


Some of the article reviews I wrote that are relevant to Information Security Management.

[1] IT Security in the USA, Japan and China : A Study on Initiatives and Trends within Policy, R&D, Industry and Technology.

Original article   Article Review

[2] Managing Security Threats and Vulnerabilities for Small to Medium Enterprises

Original article   Article Review

[3] National Cybersecurity Policy & Implementation for Government of Indonesia

Original article   Article Review

[4] Certifying Information Security Management System

Original article   Article Review


Back up

Businesses and organizations now depend heavily on Information Technology. However, there are many threats that could damage or destroy information as an asset.

Should these businesses and organizations back down from these threats, or should they back up?

The answer is obvious. They must back up. In this context, it means businesses and organizations must regularly back up the information and data that they consider valuable. This could be customer data, trade secrets, intellectual property, software, multimedia files and so on. Creating a backup means creating copies of this data, so that if the original is damaged or corrupted it can be restored to its previous state from the backup. This ensures continuity of operations. In fact, backup has been recognized as an important element of an Information Security Management System as outlined in the ISO/IEC 27000 series.

The backup process is more than choosing Save As… in Microsoft Word. For businesses and organizations, the data is usually very large and hence requires large-capacity storage media. The backup process must be automated and must run periodically. For this purpose there are three main backup strategies that can be implemented: full backup, differential backup and incremental backup.

Full backup

Here, all information and data are copied into the backup. This is the simplest strategy, and a restore needs only the one backup set, but it is costly in processing time and storage when the data is large.

For example,

          Original copy : I love chicken wings.

          Full backup : I love chicken wings.

          Changes to original copy : I love chicken wings and spaghetti.

          Full backup : I love chicken wings and spaghetti.

Differential backup

When the data is too large to take a full backup every time, this strategy can be adopted instead. Here, only the changes to the data since the last full backup are stored. Each differential backup therefore contains every change made since that full backup, so the differential files grow until the next full backup is taken. When data loss occurs, the original copy is restored from two pieces: the full backup and the latest differential backup. This reduces the need for frequent full backups, which can be an expensive operation.

For example,

          1) Original copy : I love chicken wings

              Full backup : I love chicken wings

          2) Changes to original copy : I love chicken wings and spaghetti

              Full backup : I love chicken wings

              Differential backup : and spaghetti

          3) Changes to original copy : I love chicken wings and spaghetti but not fish

              Full backup : I love chicken wings

              Differential backup : and spaghetti but not fish

Incremental backup

This strategy records only the changes since the last backup of any kind, whether that was the full backup or the previous incremental backup, each into a separate file. Hence we will have many small incremental backup files, and a restore needs the full backup plus every incremental taken since it, applied in sequence. If any one file in that chain is lost or corrupted, the data cannot be fully restored.

For example,

          1) Original copy : I love chicken wings

              Full backup : I love chicken wings

          2) Changes to original copy : I love chicken wings and spaghetti

              Full backup : I love chicken wings

              Incremental backup : and spaghetti

          3) Changes to original copy : I love chicken wings and spaghetti but not fish

              Full backup : I love chicken wings

              Incremental backup : and spaghetti

              Incremental backup 2 : but not fish
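
The three strategies above, carried a step further as an added illustration written for this page (it is not code from the original post, nor from any backup product or standard): a tiny in-memory "file system" goes through four constructed states, each strategy records what it would store, and each is restored and checked against the final state. It also covers a case the text examples skip, a deleted file, and shows what happens when one incremental file is missing from the chain.

```python
import hashlib
from typing import Dict, List, Optional

Snapshot = Dict[str, str]            # filename -> content: an in-memory stand-in for a disk
Change = Dict[str, Optional[str]]    # filename -> new content, or None if the file was deleted


def digest(content: str) -> str:
    """Content hash used to decide whether a file changed (timestamps can lie)."""
    return hashlib.sha256(content.encode()).hexdigest()


def full_backup(current: Snapshot) -> Snapshot:
    """Full backup: copy every file."""
    return dict(current)


def changes_since(reference: Snapshot, current: Snapshot) -> Change:
    """Everything that differs from `reference`: new or modified files carry
    their content; deleted files are recorded as None so a restore removes them."""
    delta: Change = {}
    for name, content in current.items():
        if name not in reference or digest(reference[name]) != digest(content):
            delta[name] = content
    for name in reference:
        if name not in current:
            delta[name] = None
    return delta


def differential_backup(last_full: Snapshot, current: Snapshot) -> Change:
    """Differential: changes since the LAST FULL backup. Each one is a superset
    of the previous, so the files grow until the next full backup."""
    return changes_since(last_full, current)


def incremental_backup(state_at_last_backup: Snapshot, current: Snapshot) -> Change:
    """Incremental: changes since the LAST backup of any kind. Stays small, but
    every one of them is needed at restore time."""
    return changes_since(state_at_last_backup, current)


def apply_change(base: Snapshot, change: Change) -> Snapshot:
    restored = dict(base)
    for name, content in change.items():
        if content is None:
            restored.pop(name, None)
        else:
            restored[name] = content
    return restored


def restore_from_differential(full: Snapshot, latest_differential: Change) -> Snapshot:
    """Two pieces are enough: the full backup and only the newest differential."""
    return apply_change(full, latest_differential)


def restore_from_incrementals(full: Snapshot, incrementals: List[Change]) -> Snapshot:
    """The full backup plus every incremental, applied in the order they were taken."""
    state = dict(full)
    for inc in incrementals:
        state = apply_change(state, inc)
    return state


def verify(restored: Snapshot, expected: Snapshot) -> bool:
    """The check that matters: compare hashes of what came back with what was there."""
    return {n: digest(c) for n, c in restored.items()} == {n: digest(c) for n, c in expected.items()}


def demo():
    # Constructed history of a tiny "file system" through four states.
    v1 = {"menu.txt": "I love chicken wings", "notes.txt": "draft", "readme.txt": "hello"}
    v2 = dict(v1, **{"menu.txt": "I love chicken wings and spaghetti"})
    v3 = dict(v2, **{"notes.txt": "final"})
    v4 = {"menu.txt": "I love chicken wings and spaghetti but not fish",
          "notes.txt": "final"}                       # readme.txt deleted

    full = full_backup(v1)
    diffs = [differential_backup(full, v) for v in (v2, v3, v4)]
    incs = [incremental_backup(prev, cur) for prev, cur in ((v1, v2), (v2, v3), (v3, v4))]

    return {
        "differential_sizes": [len(d) for d in diffs],   # grows: 1, 2, 3
        "incremental_sizes": [len(i) for i in incs],     # stays small: 1, 1, 2
        "differential_ok": verify(restore_from_differential(full, diffs[-1]), v4),
        "incremental_ok": verify(restore_from_incrementals(full, incs), v4),
        # Lose one incremental from the middle of the chain and the restore is silently wrong.
        "broken_chain_ok": verify(restore_from_incrementals(full, [incs[0], incs[2]]), v4),
    }


if __name__ == "__main__":
    print(demo())
```

Change detection here is by content hash rather than modification time, and a deleted file is recorded explicitly; without that tombstone a restore would resurrect files that were intentionally removed. The last entry in the result is the reason incremental chains must be kept complete and in order: with one file missing, the restore still "succeeds" but returns stale data, which only the hash comparison catches.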

There are other important considerations besides choosing the strategy when planning a backup. The type of storage media, and where the media are stored, must be decided carefully. Backup media must be stored away from the original copies so that they are not subject to the same risks, i.e. fire, natural disaster, power outage etc. The Prime Minister and Deputy Prime Minister are rarely seen together, not because they hate each other but to avoid being subject to the same risk. The same principle applies to backups! Finally, a backup that has never been restored is not yet known to work: test the restore procedure periodically and verify that the restored data matches the original.


For the past two days, I have been reading scholarly materials on the Internet about non-technical issues relating to Information Security. What I initially thought would be a boring subject (in contrast to the technical side of computer security) is slowly proving otherwise.

One of the study papers I read was titled “IT Security in the USA, Japan and China: A Study on Initiatives and Trends within Policy, R&D, Industry and Technology”, developed by the Swedish Institute for Growth Policy Studies. This paper was written with the objective of providing input to Vinnova on trends of importance for the funding of IT security R&D and for the formulation of Swedish IT and innovation policy. The study was released in 2005 and runs to 100 pages, but it is worth reading from front to back. The gem of this paper is the insight into the initiatives and concerns of three leading world powers, the USA, Japan and China, and how they strategise to improve IT security.

United States of America (USA)

In the USA, IT security is not given high priority in comparison to other Homeland Security issues. This is reflected in the annual federal budget, in which cyber security R&D was allocated only 200 million USD while the total budget for Homeland Security was 10 billion USD. This is probably because IT incidents very rarely involve casualties. However, there have been significant investments by private entities.

Increased cybersecurity could be driven by industry initiatives or by increased government regulation. To the IT industry, regulation could be a threat to development, and market-based approaches are generally preferred. This has led several large companies in the US IT industry to resist any major government cyber security initiative that would affect policy formulation. Meeting regulatory requirements can also be a burden to businesses, which are naturally more concerned with making a profit than with compliance.

There has been continual development of the legislative framework since 1996, with Congress passing new security, accountability and privacy related Acts. While these Acts are not IT-specific, they have great implications for companies from an information security standpoint. Among these Acts are:

Act                                                   Compliance cost (2005)
Sarbanes-Oxley Act (SOX)                              USD 6.1 billion
Gramm-Leach-Bliley Act (GLBA)                         USD 1.3 billion
Health Insurance Portability and Accountability Act   USD 3.7 billion

In brief, the Sarbanes-Oxley Act (SOX) requires information security controls to ensure the effectiveness of internal controls over financial reporting. It was introduced in 2002 to protect investors and shareholders by ensuring the integrity of financial reporting and forcing corporate officers to take full responsibility for the public disclosures required under the law. SOX was created in response to the highly controversial financial fraud cases at companies such as Enron and WorldCom in 2001 and 2002. The Act came into full enforcement in early 2005.

The Gramm-Leach-Bliley Act (GLBA), meanwhile, requires financial institutions to ensure the confidentiality, integrity and security of customer information, i.e. names, social security numbers, income and credit history. The Health Insurance Portability and Accountability Act (HIPAA) governs privacy, security and electronic transactions for healthcare providers.

Japan

In contrast to the USA, Japan gives high priority to IT security. This can be seen from its commitment to local development and to partnerships in the international arena. For example, on September 9, 2003 Japan made an agreement with the USA that the two countries should embrace their roles as global leaders to create a “culture of security”. Japan has also had an agreement with the European Union since 2004 which includes initiatives to make the internet more secure by sharing perspectives and policy thinking and by fighting spam. Collaborations with neighbouring China and Korea were also established for the standardization of high-speed networks and joint experimental trials.

The strong commitment of the Japanese government to the promotion of IT is reflected in its establishment of an IT Strategic Headquarters in the Cabinet Office, led by Prime Minister Junichiro Koizumi himself, with the participation of all ministers and eight additional non-government experts. The headquarters has the task of promoting an advanced Japanese information and telecommunications network society.

China

IT security policy in China was born much later than in the USA or Japan, but it has been receiving attention from the Chinese government since the publication of Preliminary Suggestions on the Strengthening of IT Security in 2003 by the State Council Informatization Office. The document, which has since been renamed “Document 27 of the State Council”, is partly confidential as it touches on national security.

China’s strategy for building the nation’s IT security protection system adheres to two main principles :

  1. Active defending (jiji fangyu)
  2. All direction prevention (zonghe fangfan)

Taken together, these two principles mean that the whole of society should understand that IT security is the common responsibility of everyone, i.e. government, enterprises and private persons, and hence must take active defence measures through the constant development of processes and technologies.

At the moment, China has a lot to worry about with regard to IT security. As outlined by Mr. Gu Jianguo, Deputy Director General of the Public Information Net Security Inspection Bureau of the Ministry of Public Security, some of China’s IT infrastructure weaknesses are (NS 2005C):

  1. Weak fundamental backup capability and IT security infrastructure
  2. Some core technologies are still not fully controlled by China
  3. Very slow IT security research and development and industrialization of security products

China is, however, placing a lot of importance on IPv6 development and infrastructure and aims to have the largest IPv6 network in the future. IPv6, Internet Protocol version 6, is a large improvement over the currently widely deployed IPv4 in terms of address space, and IPsec support was made part of the protocol specification (though that by itself does not make an IPv6 network more secure than an IPv4 one). It has been said that Stanford University has more IPv4 addresses than China (some call this a myth and claim it has been debunked).

Well, a 100-page study is too much to summarise, but the above is what I could do. I don’t know where Malaysia stands in IT security in terms of development, research, policy and legislation. What I do know is that if our IT infrastructure is not secured against cyber attacks, and there is no extensive legislation to punish wrongdoers, we can expect criminality to move into the digital realm fast. Many businesses, government agencies, organizations and financial institutions depend on IT. Hence, if IT infrastructure and processes are not secured, we can only expect these operations to be equally insecure. Disastrous!

Reference :

IT Security in the USA, Japan and China : A Study on Initiatives and Trends within Policy, R&D, Industry and Technology


A computer forensic investigator must not only be well equipped with technical knowledge of computing and information technology, but also have a good understanding of computer forensic law. This is primarily important to ensure that the evidence collected following an incident will be admissible in court and carry enough weight to support the prosecution of the criminals.

There are several legal principles related to computer-based evidence or digital evidence:

  1. Chain of custody
  2. Admissibility of evidence
  3. Evidential value of evidence
  4. Manner of extracting evidence
  5. Privacy issues.

Chain of custody

Chain of custody is about maintaining a complete account of the sequence of events that took place following the reporting of the computer incident: how the evidence was collected, who handled it and when, how it was analyzed, and how it was preserved for presentation in court. This chain of custody must be unbroken for the evidence to be trustworthy; any gap in which the evidence could have been altered gives the other side grounds to challenge it.
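
Added illustration, not from the original post nor from E-Security Law & Strategy: one way to make a chain-of-custody log tamper-evident in software. Every handling step records a hash of the evidence as held at that step and a hash of the previous entry, so a modified evidence image, an edited entry or a break between steps shows up when the log is verified. The evidence bytes, handler names and timestamps are constructed for the demo.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

GENESIS = "0" * 64   # previous-hash value used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # when the step happened (constructed ISO 8601 values in the demo)
    handler: str          # person or system holding the evidence at this step
    action: str           # e.g. acquired, transferred, analysed, sealed
    evidence_hash: str    # hash of the evidence as held at this step
    prev_entry_hash: str  # hash of the previous entry (GENESIS for the first)
    entry_hash: str = ""  # hash over all the fields above

    def compute_hash(self) -> str:
        fields = asdict(self)
        fields["entry_hash"] = ""          # the hash covers everything except itself
        return sha256_hex(json.dumps(fields, sort_keys=True).encode())


class CustodyLog:
    """Append-only record. Each entry commits to the evidence hash and to the
    previous entry, so an edited, removed or reordered step becomes detectable."""

    def __init__(self, evidence: bytes):
        self.acquisition_hash = sha256_hex(evidence)   # reference hash taken at seizure
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, handler: str, action: str, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(timestamp, handler, action, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def problems(self) -> List[str]:
        """Return every break found in the chain; an empty list means unbroken."""
        found = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev:
                found.append(f"entry {i}: link to previous entry broken")
            if e.entry_hash != e.compute_hash():
                found.append(f"entry {i}: entry contents altered after being recorded")
            if e.evidence_hash != self.acquisition_hash:
                found.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = e.entry_hash
        return found


def demo():
    evidence = b"constructed stand-in for a forensic disk image"
    log = CustodyLog(evidence)
    log.record("2009-02-20T09:00:00Z", "Investigator A", "acquired via write blocker", evidence)
    log.record("2009-02-20T12:30:00Z", "Evidence clerk", "transferred to lab", evidence)
    log.record("2009-02-21T08:15:00Z", "Analyst B", "analysed working copy", evidence)
    clean = log.problems()

    # Failure mode 1: the evidence was modified while someone held it.
    log.record("2009-02-22T10:00:00Z", "Analyst B", "returned to store", evidence + b"!")
    altered_evidence = log.problems()

    # Failure mode 2: an earlier entry is edited to hide who handled the evidence.
    log.entries[1].handler = "unknown"
    edited_entry = log.problems()

    return clean, altered_evidence, edited_entry


if __name__ == "__main__":
    for label, result in zip(("clean", "altered evidence", "edited entry"), demo()):
        print(label, "->", result or "chain intact")
```

A hash chain on its own only proves consistency; someone who can rewrite every later entry can recompute it. In practice the entries would be signed or written to a store that cannot be modified, and the documentary record of who handled the evidence, when and why still has to be kept; the hashes just make that record verifiable in court.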

Admissibility and Evidential Value of Evidence

To support their case, lawyers need not only to bring evidence to court, but also to establish its value. Evidence of high weight strengthens a case, whereas evidence of low weight weakens it.

Manner of Extracting Evidence and Privacy

The way the evidence is collected must comply with local laws. Evidence collected under duress, or by breaching other laws such as privacy laws, can be challenged on legal grounds.

 

Reference :  E-Security Law & Strategy
