THE EVOLVING LANDSCAPE ON INFORMATION SECURITY
                      By: Wilfred G. Tan, Carlos T. Tengkiat & Simoun S. Ung
                                          31 October 2012



INTRODUCTION
We all have a preconceived notion of the value of information technology security; for many organizations,
however, that value is subjective because a certain level of risk is accepted. This is not to imply that a
particular organization is unaware of the value of security; it may simply be that the organization needs to
weigh the allocation of its resources for security against the value of the asset being protected.

A large number of organizations, as evidenced by the strong growth of and interest in security standards
such as PCI-DSS [1], either depend on or follow guidelines set forth by government institutions and
standards bodies. Conventional wisdom dictates that following guidelines is normally a good approach. As
a security officer, planner or executive, however, one should always consider going beyond the existing
standard and bear in mind that security standards are developed in response to incidents that have already
been recorded and are already occurring. Moreover, security standards take time for the standard-setting
bodies to create, review, approve and implement. Security is a living practice and needs proper attention,
time and consideration.

Laying out and maintaining a comprehensive cyber security plan not only requires expertise, but also
involves careful thought, assessment, and constant refinement and adjustment. In addition, legal
frameworks differ from country to country; therefore, best practices in one country are not directly
portable to another, even within similar industries. Unlike more traditional crimes such as theft and
robbery, the specific rules and regulations governing cyber-security and cyber-crime related incidents tend
to be varied at best.

Computer security related incidents have risen significantly over the past decade [2] and there is every
indication that this trend will continue for the foreseeable future. The Global Security Report of
Trustwave [3] presents the origin of cyber-attacks:

[Figure: origin of cyber-attacks by country, from the Trustwave Global Security Report [3]; chart not reproduced]

Russia leads the statistics with 29.6% in the data [3]. However, because 32.5% of all attacks are of
unknown origin, it is as likely (or equally unlikely) that any one nation is the single source or culprit of
all of the incidents. Pinpointing the location in a timely manner is very difficult, if not impossible, given
that today's technology allows users to connect to the Internet through anonymous proxies, which further
compounds the problem.

This article is written for non-technical executives and policy makers, whose responsibilities require them
to interact with information security professionals, as a primer on the current landscape of information
security as well as its likely evolution. Security professionals and practitioners are already well-versed in
the material contained herein. The paper examines the motivation behind cyber-attacks followed by a
survey of common threats and attack variants. It then presents the popular defensive strategies followed
by a discussion of future challenges and developments.


MOTIVATION
Behind all threats and cyber security breaches are either individuals or organizations. Cyber security
incidents do not occur in a vacuum. Generally, the motive behind a cyber-attack can be classified as
follows: personal reasons, unlawful profiteering, corporate or national interests, and other purposes.

        Personal Reasons
Personal reasons for conducting a cyber-attack include peer recognition, revenge, personal gain or
satisfaction, and even curiosity. Some intruders derive a perverse sense of fun from conducting the attack
and revel in the psychic income of notoriety.

        Unlawful Profiteering
Perhaps the most common motivation for conducting a cyber-attack is financial gain. The primary goal
of fraud is to gather information that can be used to access the funds of other entities for illicit proceeds.
Popular targets include savings accounts and payment card (debit and credit) data. Organized criminal
syndicates are the primary perpetrators of these attacks. Unfortunately, the skills and savoir-faire
developed in such fraud are often adopted for use in cyber-terrorism and other cyber-attacks.

Although there is no data for the Philippines, a study conducted by eWEEK Europe in 2010 [4] on a
simulated auction of stolen data determined that the relative value of data is primarily set by the
purchaser. The end goal remains the same: obtain information through illegal and fraudulent means
which can then be used for financial gain. Information itself has become a commodity; it can be traded,
bought and sold.

        Corporate or National Interests
The strategic objectives of a corporation or nation-state are sometimes achieved by attacking others using
cyber-warfare capabilities. The intent may be to disable a nuclear enrichment program or something more
mundane, such as spying on, stealing or subverting a rival's plans and secrets.

In mid-2010, Stuxnet was discovered. The singular purpose of this worm was to disable and destroy
Siemens industrial equipment that was specifically used to control the centrifuges that produce nuclear
material for a fissionable weapon. According to a study by Symantec in August 2010 [5], 60% of the
computers infected by Stuxnet were in Iran, suggesting a highly 'targeted' operation. The worm's
sophistication and intelligence suggested nation-state sponsorship; speculation was rife that United
States and Israeli forces were at least partially responsible for the development and deployment of the
worm. [5]


THREAT EVOLUTION
Approaches to attacks have evolved over time, adapting to developments in technology. Tools for
exploiting systems have evolved considerably, and tools for testing and exploiting vulnerabilities are
readily available on the market. There are even attack platforms freely available that, ironically, were
intended to test the security of a system. Several of the more common threats are outlined below:
physical, cyber-stalking, social engineering, phishing, distributed denial of service, network attacks and
malware.

        Physical
In the 1980s, the common practice was to actually go onto the premises of the target company or to
harvest data from unprotected sources. Criminals would find ways to physically obtain storage media or
hardcopies of data. Dumpster diving, or the sifting through garbage and trash to find bits and pieces of
information, is still practiced today. The careless disposal of seemingly innocuous information such as an
obsolete version of an information security plan, PIN mailers, passwords, social security numbers, et
cetera can facilitate an attack via social engineering or phishing.

Today, practices have expanded to include tapping into data cabling that is accessible from unsecured
areas and accessing unlocked, reachable computer servers and systems. It is still a common occurrence
for unencrypted, sensitive data to be lost or stolen on physical media such as USB flash drives, laptops
and cellular phones.

        Cyber-Stalking
Cyber-stalkers assault their victims using electronic communication: email, instant messaging (IM) and/or
posts to a website or discussion group. While most cyber-attacks target an organization, cyber-stalking
tends to be of a more personal nature. Cyber-stalkers typically gather personal and private information
about their target then send them harassing or threatening messages.

Trolling is a form of cyber-stalking in which negative posts, comments or other defamatory statements
are made which are injurious to the reputation or emotional health of the victims. When committed by
more than one individual, trolling is also known as cyber-bullying. Sadly, there are cases involving teens
which have resulted in the victims committing suicide.

        Social Engineering
A social engineering attack involves manipulating people into performing actions that compromise
security; this requires a solid understanding of human responses and behaviour. Although physical
contact is not necessary, some form of trickery is employed to gain the confidence of the target. A social
engineering attack occurs in two phases: information gathering, then the pretext stage, in which a
believable story is crafted in order to earn legitimacy and gain the trust of the target.

Social engineering demands little effort from the attacker, so it is normally employed in conjunction with
other forms of cyber-attack. Inserting malware into otherwise hardened, secure systems is a common
combination with social engineering. Many enterprise systems are well protected and require significant
time and effort to breach. However, if the attackers are able to use social engineering to get physical
media such as USB flash drives plugged into machines on the internal network, then all the external
defences are immediately bypassed.

A recent social engineering study [6] found that companies with well-implemented security awareness
protocols are more resistant to social engineering tactics. Participants in the oil industry fared better
than those in less security-aware industries like retail. The study was built around questions designed to
expose the security design and architecture of the respondent's organization:

[Questionnaire not reproduced]

The study [6] revealed that certain data can be harvested from the internet itself. Researchers were able
to use the data culled from the internet in their social engineering tasks to profile a target's internal
security implementation. The table below displays the details gathered from the questionnaire above in
blue, while the additional information garnered from the internet is shown in red:

[Table not reproduced: questionnaire details (blue) and additional information gathered from the internet (red)]

Recently, face-to-face social engineering tactics have been increasing; this is disquieting since it may
expose the targeted individual to physical danger.

        Phishing
Phishing is an email-based fraud method that uses legitimate-looking email designed to gather personal
and financial information from its targets. The emails blend a false premise with spoofed copies of
trustworthy websites; victims are encouraged to click on links, send information and otherwise respond.
The attackers then use social engineering techniques to extract personal and financial information. Since
emails generally arrive from an external source, incorporating dangerous payloads in the message requires
negligible effort. There are several types of phishing techniques:

        - Phishing – Emails are masqueraded so as to obtain usernames and passwords from users via
          electronic communication.
        - Spear Phishing – Phishing targeted at specific individuals; personal information on the target is
          gathered to increase the probability of success.
        - Clone Phishing – A previously legitimate and delivered email is used as a template and cloned;
          the cloned email, with links and attachments modified, is resent to the victim. This method
          exploits the social trust between the parties to the original email.
        - Whaling – Phishing targeting high-profile victims.
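
The spoofed and cloned emails above share one tell: the address a link displays is not the address it leads to. The following check, an added example that is not part of the original paper and uses only Python's standard library, extracts the anchors from an email body and reports those whose visible text names a different domain from the href; the sample email, domains and function names are constructed for the illustration.

```python
"""Flag email links whose displayed address and real destination disagree.
Added example; the sample message and all domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a cloned "account notice" with one honest link and one
# whose displayed address does not match where it really goes.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account at
<a href="http://secure-bank-login.example.net/verify">https://www.example-bank.com/login</a>
or read our <a href="https://www.example-bank.com/help">help pages</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Lowercase hostname of a URL, or '' if the text has none."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Rough registrable domain (last two labels). Adequate for the demo;
    a production check would consult the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html):
    """Return anchors whose displayed text names a domain different from the
    domain the href actually points to."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        # Only text that itself looks like a web address can be compared.
        if "://" in text:
            shown = text
        elif text.startswith("www."):
            shown = "http://" + text
        else:
            continue
        shown_host = hostname_of(shown)
        real_host = hostname_of(href)
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            hits.append({"shown": shown_host, "actual": real_host})
    return hits


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {hit['shown']} but the link goes to {hit['actual']}")
```

Such a mismatch is not proof of fraud (newsletters often route links through tracking hosts), so in practice it is one signal a mail gateway scores alongside sender authentication results.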

Phishing is not restricted to electronic information nor to electronic communication channels. Some
phishing emails contain telephone numbers purporting to be customer service; the unsuspecting victim is
lured into calling and unwittingly gives personal information that can later be used by the attacker. One
of the best known phishing emails is the "Nigerian scam." Although there are many variations, the content
is essentially the same, with the sender pretending to have access to a large amount of funds and requiring
the assistance of the victim to gain access to the said funds:

        FROM: MR DAN PATRICK. DEMOCRATIC REPUBLIC OF CONGO.
        ALTERNATIVE EMAIL: (patrickdan@rediffmail.com).

        Dear Sir,

        SEEKING YOUR IMMEDIATE ASSISTANCE. Please permit me to make your acquaintance in so informal
        a manner. This is necessitated by my urgent need to reach a dependable and trust wordy foreign partner. This
        request may seem strange and unsolicited but I will crave your indulgence and pray that you view it
        seriously. My name is. DAN PATRICK of the Democratic Republic of Congo and One of the close aides to
        the former President of the Democratic Republic of Congo LAURENT KABILA of blessed memory, may his
        soul rest in peace. Due to the military campaign of LAURENT KABILA to force out the rebels in my
        country, I and some of my colleagues were instructed by Late President Kabila to go abroad to purchase arms
        and ammunition worth of Twenty Million, Five Hundred Thousand United States Dollars only
        (US$20,500,000.00) to fight the rebel group. But when President Kabila was killed in a bloody shoot-out by
        one of his aide a day before we were schedule to travel out of Congo, We immediately decided to divert the
        fund into a private security company here in Congo for safe keeping. The security of the said amount is
        presently being threatened here following the arrest and seizure of properties of Col.Rasheidi Karesava (One
        of the aides to Laurent Kabila) a tribesman, and some other Military Personnel from our same tribe, by the
        new President of the Democratic Republic of Congo, the son of late President Laurent Kabila, Joseph Kabila.
        In view of this, we need a reliable and trustworthy foreign partner who can assist us to move this money out
        of my country as the beneficiary. WE have sufficient ''CONTACTS'' to move the fund under Diplomatic
        Cover to a security company in the Europe in your name. This is to ensure that the Diplomatic Baggage is
        marked ''CONFIDENTIAL'' and it will not pass through normal custom/airport screening and clearance. Our
        inability to move this money out of Congo all This while lies on our lack of trust on our supposed good
        friends (western countries) who suddenly became hostile to those of us who worked with the late President
        Kabila, immediately after his son took office. Though we have neither seen nor met each other, the
        information we gathered from an associate who has worked in your country has encouraged and convinced us
        that with your sincere assistance, this transaction will be properly handled with modesty and honesty to a
        huge success within two weeks. The said money is a state fund and therefore requires a total confidentiality.
        Thus, if you are willing to assist us move this fund out of Congo, you can contact me through my email
        address above with your telephone, fax number and personal information to enable us discuss the modalities
        and what will be your share (percentage) for assisting us. I must use this opportunity and medium to implore
        You to exercise the utmost indulgence to keep this Matter extraordinarily confidential, Whatever your
        Decision, while I await your prompt response. NOTE: FOR CONFIDENTIALITY, I WILL ADVISE YOU
        REPLY ME ON MY ALTERNATIVE EMAIL BOX (patrickdan@rediffmail.com).Thank you and God
        Bless.

        Best Regards,
        MR DAN PATRICK.

        Distributed Denial of Service (DDOS)
DDOS is one of the older forms of attack that is still popular today. In a DDOS attack scenario, the
victim typically finds that its system slows to a crawl or is unable to respond at all. There are several
commonly used variants, such as ICMP flooding, SYN flooding, Teardrop, and others. The defining
aspect of a DDOS attack is that the target system is rendered crippled or inoperable, thereby denying
service to the system's legitimate users. As recently as mid-2012, DDOS attacks against major financial
institutions such as HSBC, Bank of America, and JP Morgan Chase were recorded. [7]

The duration and severity of the attack depend on the number of zombies, or slave computers, used by
the attacker, and on the resiliency of the target computer(s) in withstanding the attack. A DDOS attack
may be used in conjunction with other attacks to exploit vulnerabilities exposed while the DDOS attack is
in progress; sometimes, a DDOS attack is a diversionary tactic to enhance the probability of success of
other attack methods. Major disruptions to critical infrastructure like defense, utilities and banking result
not only in the inconvenience of lost services but also in significant financial and economic losses.

        Network attacks
The U.S. Department of Defense refers to network attacks as "… actions taken through the use of
computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer
networks, or the computers and networks themselves." [8] If an attacker successfully connects to the
network of the target, innumerable opportunities to launch attacks are made available.

Common mistakes in network security are weak, default or non-existent administrator passwords.
Moreover, ill-designed networks also allow easy access to database servers, the usual targets for data
mining. Attackers can use SQL injection, in which direct SQL text is encoded as part of the attack
stream, in an attempt to subversively access a back-end database system.
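
To make the SQL injection sentence concrete, here is an added example (not from the paper) showing the defect beside its fix: a lookup that pastes the caller's input into the SQL text, and the same lookup with a bound parameter, run against a constructed in-memory SQLite table with Python's standard sqlite3 module. The table, rows and function names are constructed for the illustration.

```python
"""String-built SQL beside its parameterised form. Added example;
the customers table and its rows are constructed."""
import sqlite3


def build_demo_db():
    """In-memory database holding a few constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The mistake the paper describes: the caller's text is spliced into the
    statement, so any SQL it contains becomes part of the query."""
    sql = f"SELECT name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter is always treated as a value, never as SQL,
    so the same input simply matches no customer."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "x' OR '1'='1"  # the textbook tautology, constructed here
    print("vulnerable:", lookup_vulnerable(db, crafted))  # returns every row
    print("safe:      ", lookup_safe(db, crafted))        # returns nothing
```

The same distinction holds for every database driver: the query text and the data must travel separately, which is also why database accounts for web applications should have only the rights the application needs, limiting what a successful injection can read.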

        Malwares
The current trend of cyber-attacks is predominantly associated with malware. Trustwave defines
malware as "… often purposefully designed to capture and extricate data, provide remote access, or
automate compromised systems into a botnet — or to just cause general mayhem." [9] Malware comes in
a myriad of types and varieties. The common categories known today include computer viruses, worms,
trojan horses, spyware, adware and rootkits.

Entire software product suites and solutions have been created to combat malware. However, malware
has evolved and continues to do so; it is constantly being updated to exploit new vulnerabilities and to
avoid detection by users and by third-party security products. This accounts for the discouraging
statistics showing that infections often go undetected. The popularity of malware as an attack vector is
evident in the fact that the number of malware samples created in 2007 alone equalled the combined total
of the previous twenty years. [10]

Malware is used with great efficacy to establish a beachhead when infiltrating systems. Some of the
recent incidents involving malware are listed below:

        Flame
Discovered by the Iranian National Computer Emergency Response Team (CERT), Kaspersky and
CrySyS Lab, Flame is widely considered one of the most sophisticated pieces of malware ever created.
[11] It spreads via local area network or USB. Infected computers act as a Bluetooth beacon and attempt
to harvest contact information from nearby Bluetooth-enabled devices. At twenty megabytes, Flame is
uncharacteristically large for malware. Its capabilities include recording of audio, keystrokes, screenshots
and Skype conversations; thus Flame is deemed a cyber-espionage tool.

        RSA Breach
RSA experienced a security breach in 2011. [12] The attack vector was an email sent to an employee
with an Excel attachment that contained malware. This malware exploited vulnerabilities in Adobe
Flash and installed a variant of Poison Ivy, a common remote administration tool. The attackers then
obtained critical information including the SecurID token seeds and algorithm designs used by RSA;
consequently, the RSA security tokens were rendered vulnerable to exploitation. This directly resulted
in cyber-attacks against Lockheed Martin and L3 Communications, both US military contractors.

Malware has proven to be a very effective and potent tool for cyber-attacks, and its continued use will
foster further evolution in sophistication and complexity. Organizations should take steps to detect and
eradicate malware; relying solely on a hardened perimeter to keep malware out of an organization is a
common fallacy.


COMMON DEFENSIVE STRATEGIES
Information security personnel and teams tend to use several common defensive strategies.
Unfortunately, there is no perfect defensive strategy; therefore, to be effective, a defensive strategy must
be continuously upgraded and assessed against the constantly evolving cyber-attack mechanisms and
methodologies.


        Physical
There are numerous physical defensive strategies; the most common are the following:

    1. Deployment of access systems secured by biometric, ID card, PIN and/or a combination thereof;
    2. Closed circuit TV (CCTV) security cameras; and
    3. Doors, cages, locks and man-traps.

One of the simplest and most cost-effective strategies is to locate critical servers and systems in a secure
facility; failing that, the servers and systems should be locked in a cage to prevent unauthorized tampering
and access.

        Education, Awareness and Security Policies

One of the most effective tools to implement or improve security is education and awareness. Increasing
awareness among the staff, peers, management and other employees is crucial in building support for the
implementation of an effective defensive strategy. Unfortunately, countless executives fail to appreciate
the value of security; security seems to be an afterthought at best, rather than a critical factor designed
into systems and procedures. Part of the education and awareness process involves formulating,
disseminating and implementing security policies. This is one of the most effective shields against social
engineering attempts, since it reduces the chances of an employee being fooled into divulging crucial
information.

The value of information security is not apparent until after an intrusion or breach occurs. Once such an
event occurs, organizations suffer at the minimum reputational damage. Oftentimes, banks and other
financial institutions prefer to pay off the perpetrators in order to preserve their image since the loss of
confidence in their security could cost them their entire client base.


PREVENTION
The old adage, "an ounce of prevention is better than a pound of cure", is certainly applicable to
information security. Pro-active measures implemented to prevent a cyber-attack are more cost-effective
than reactive security patches and hardware upgrades in response to a security incident.

In recent months, several Philippine government websites have been defaced. Most agencies repaired the
damage within several hours and then simply moved on. Popular sentiment was that since there was no
physical harm done, such acts, while not condoned, should be tolerated as a form of expression. On the
other hand, the U.S. Congress has enacted laws that consider any form of computer attack on any level
against any U.S. government website as an act of war against the United States. Although defacing a
website does not necessarily compromise any data, the economic cost and reputational damage that such
attacks cause should be considered and an appropriate, measured response executed.

        Anti-Virus / Anti-Malware
Anti-virus and anti-malware software packages are basic tools of the defensive trade. A properly updated
program helps secure the systems and protects users when they inadvertently browse or visit pages with
malicious content. Most popular packages now include features and functionality to help protect a web
browser.

        Patch Management
There is no perfect software. As such, the software industry relies heavily on patches or upgrades to
address flaws in the design, implementation, or performance of the software. Malware exploits known
flaws in the installed software to subvert and ultimately gain control over a machine. Therefore, as a
defensive strategy, applying patches to the operating system, anti-virus, anti-malware, and other
applications helps safeguard computer systems by fixing the known flaws and vulnerabilities. Beyond the
issue of intellectual property rights, this is the most important, self-serving incentive to procure properly
licensed software, as it guarantees that there will be support and maintenance. With open-source software,
it is critical to implement a maintenance cycle to ensure that any bugs or vulnerabilities in the software
are patched quickly and consistently.

        Firewalls
Firewalls are network devices that filter traffic; they attempt to segregate the public or open traffic that
exists beyond the organization's network perimeter from the internal network. Firewalls range from basic
units that protect a home network and cost a few thousand pesos to enterprise versions costing several
million. There are many brands of firewalls from manufacturers such as Cisco, Juniper, Checkpoint,
Fortinet, Huawei and ZTE, among others. Of special interest lately is the position of the Congress of the
United States that Huawei and ZTE pose a security threat. [13]

A properly configured and maintained firewall defends against many threats. It is a key component in
many security strategies implemented today. Ensuring that the firewall is properly patched is another
important key to having a good defensive strategy.

        Regular Testing and Backups
Regular tests of information security systems are crucial in maintaining readiness. Internal and external
penetration tests, scans, and verification procedures all contribute towards ensuring that systems are
configured properly. Regular backups are akin to buying insurance. Failures are an unavoidable part of
the human experience and information systems are not exempt. Having a ready backup is no longer a
luxury but a necessity.

        Intrusion Detection Systems/Intrusion Prevention Systems

Intrusion detection and intrusion prevention systems (IDPS) are a class of devices that came to the
forefront of the defensive arsenal about a decade ago. Such devices are capable of detecting incidents by
monitoring events or inspecting packets and, at the start of an incident, triggering some automated
response, including reconfiguration of firewalls, sending out alerts by SMS or email, locking down ports,
et cetera.

Most systems on the market today are hardware appliances (a few are software based), usually installed
in-line either behind or adjacent to the firewall(s) in an organization's network. NIST [14] lists four
types of technology available today:

    1. Network based: examination and detection based on network segments, or network and
       application protocol.
    2. Wireless: examination of wireless network traffic.
    3. Network behaviour analysis: examination of system-wide behaviour including the sudden rise of
       packets, policy violations, et cetera.
    4. Host-based: limited to single host examination and events linked to the single host.

IDPS are useful in detecting and identifying potential incidents. Therefore, they are an indispensable tool
in the defensive toolkit of many information security managers. An IDPS provides intrinsic value by
adding automated detection, logging, recording, and monitoring capabilities to an organization, when
configured and maintained properly.
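
Network behaviour analysis, the third of the four types above, comes down to comparing what a source is doing now with what is normal. The following added example (not from the paper or any product) counts SYN packets per source per second over a constructed set of flow records, flags a source whose rate jumps far above the baseline (the SYN flood the DDOS section names), flags attempts on ports the policy does not allow, and turns both into the automated responses the paragraph lists. Record format, thresholds and function names are constructed for the illustration.

```python
"""Miniature network behaviour analysis over constructed flow records.
Added example; thresholds are arbitrary demo choices, not a product's."""
from collections import Counter
from statistics import median

# Constructed records, one per packet: "epoch_second src_ip dst_port tcp_flags".
# Two internal hosts behave normally; 198.51.100.9 sends 250 SYNs in one second
# and 10.0.0.7 later tries a port the policy does not allow.
SAMPLE_RECORDS = (
    "1351660800 10.0.0.5 443 S\n"
    "1351660800 10.0.0.7 80 S\n"
    "1351660801 10.0.0.5 443 S\n"
    "1351660801 198.51.100.9 80 S\n"
    + "1351660802 198.51.100.9 80 S\n" * 250
    + "1351660803 10.0.0.7 22 S\n"
)


def parse_records(text):
    """Parse the constructed flow format into (second, src, port, flags) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, flags = line.split()
        rows.append((int(ts), src, int(port), flags))
    return rows


def syn_rate_alerts(rows, floor=20, factor=10):
    """Flag (second, source) pairs whose SYN count exceeds both an absolute
    floor and `factor` times the median per-second rate seen in the window.
    The median baseline is what makes this a 'sudden rise' rather than a
    fixed limit: a quiet network gets a lower bar than a busy one."""
    counts = Counter((ts, src) for ts, src, _, flags in rows if "S" in flags)
    if not counts:
        return []
    limit = max(floor, factor * median(counts.values()))
    return [{"second": ts, "src": src, "syns": n}
            for (ts, src), n in sorted(counts.items()) if n > limit]


def policy_alerts(rows, allowed_ports):
    """Flag connection attempts to ports that policy does not allow."""
    return [{"second": ts, "src": src, "port": port}
            for ts, src, port, _ in rows if port not in allowed_ports]


def respond(alerts):
    """Map alerts to the responses the paper describes: a firewall block for a
    flood source, a notification for a policy violation."""
    actions = []
    for a in alerts:
        if "syns" in a:
            actions.append(f"firewall: block {a['src']} (SYN flood, {a['syns']} SYN/s)")
        else:
            actions.append(f"notify: {a['src']} attempted port {a['port']} at {a['second']}")
    return actions


if __name__ == "__main__":
    rows = parse_records(SAMPLE_RECORDS)
    for action in respond(syn_rate_alerts(rows) + policy_alerts(rows, {80, 443})):
        print(action)
```

A real deployment would also have to cope with spoofed sources and with legitimate bursts, which is why an IDPS needs tuning and review rather than a one-time install.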

        Outsourcing of information security

Within the Philippine context, many organizations, including government agencies, do not have the
budget, expertise or capability internally to properly secure their information systems. Accordingly, to
properly prepare for a cyber-attack, organizations may resort to outsourcing, analogous to the deployment
of private security guards for the protection of physical assets.

There is a prevailing misconception regarding the role of law enforcement in information security. By
definition, law enforcement agencies provide post-incident investigation, apprehension and filing of
charges against suspected perpetrators. Their responsibilities do not include ensuring an organization‘s
systems are safe and secure. Typically, a Computer Security Incident Response Team (CSIRT) or a
Computer Emergency Response Team (CERT) is engaged to assist an organization to prepare, simulate
cyber-attacks and conduct post-assessments of information security systems.


FUTURE DEVELOPMENTS AND CHALLENGES
Current technological trends are likely to continue in the foreseeable future. With the rapid and
accelerating pace of change in technology, a discussion of the pervasive technologies and their
prospective impact to information security is warranted.

        Mobile technology
Today's smartphones are truly mobile computers; some have greater processing power than desktops
from less than a decade ago. Penetration rates in more advanced countries have exceeded 50% and have
reached 78% in the United States. [15] This trend will rapidly be replicated in emerging markets like the
Philippines, particularly with the commonplace availability of smartphones retailing for less than one
hundred US dollars.

With the advent of mobile commerce and the Philippine propensity for rapid adoption of mobile phones,
there will be a host of new, unforeseen security challenges. This will be accelerated by the deployment of
LTE mobile broadband by the local telecommunication carriers. Compounding the security challenges
with mobile is the lack of a legal framework and the non-existent registry of mobile SIM cards: attackers
utilizing a mobile platform will enjoy even greater anonymity.

Initial malware on the mobile platform was largely limited by the fragmented, proprietary operating
systems that ran the previous generation of phones. The industry has already consolidated to four major
mobile platforms: Apple's iOS, Google's Android, Windows Mobile and Blackberry. With this
convergence, the mobile platform presents a tantalizing target for cyber-attackers. There have been
numerous incidents involving social engineering with deceptive messages sent to victims asking them to
send money to process their contest winnings or to help a friend or relative in a supposed emergency
situation.

        Video/Voice Over IP (VOIP)
Skype™ was one of the pioneers that allowed people to make voice calls, later adding video calls, for free
using IP technology. Nowadays, multi-party video conferencing is already commonplace. The
National Telecommunication Commission has issued VOIP licenses for several years already. From an
implementation and technology angle, VOIP is terrific: it provides clear communications enabled by
constantly improving compression technology. A commercialized form of 3-D hologram communication
may soon be achievable.

Cyber-attackers recognize networks carrying voice and video data as an attractive target. A Brazilian
CERT noticed an upsurge in scanning for VOIP traffic in its honeypot network. [16] Intruders that gain
access to a VOIP system would potentially be able to monitor, access and even reroute all
communications made through it.

        Outsourcing cyber-attacks
Just as the protection of information security systems is being outsourced to trusted professionals, cyber-
attackers have also begun to resort to outsourcing. The Russian underground market in cybercrime is
vibrant. The low cost of outsourcing various methods of cyber-attack is alarming; a sampling of the
available services and their prices is listed below: [17]

        Service                                    Price in US dollars
        Hiring a DDOS attack                       $30 to $70 per day
        Email spam                                 $10 per million emails
        Bots for a botnet                          $200 for 2,000 bots
        ZeuS source code                           $200 to $500
        Hacking a Facebook or Twitter account      $130
        Hacking a Gmail account                    $162
        Scans of legitimate passports              $5 each
        Traffic                                    $7 to $15 per 1,000 visitors from US and EU

As cyber-attacks continue to grow in sophistication, this development of outsourcing cyber-attacks will
not only continue unabated, but likely escalate geometrically.


CONCLUSION
The notion of information security tends to be organization-specific. In the Philippine context, there is a
relatively high tolerance for risk. Even within the defence establishment, some of the prevailing attitudes
are best characterized by the tongue-in-cheek responses gathered in a series of interviews: "Our approach
is security through obsolescence" and "It's only 1's and 0's anyways, who can read it?" With the
pervasiveness of the internet and technology in human society today and the resultant diminishing barriers
of distance and geopolitical borders, information security must be everyone's problem and responsibility.
The Information and Communications Technology Office under the Department of Science and
Technology has already set policy that information and communications technology must be governed
due to its pervasive and essential nature in today's society. [18] The recent attacks to deface government
websites should serve as a clarion call for imperative action. Perhaps due to the technical or rapidly
evolving nature of the subject, some of the national leadership still do not recognize the gravity of the
situation or, lamentably, simply choose to believe it will go away.

For some context within the Philippine environment, consider the IT-BPO industry, a sunshine and
rapidly growing sector of the Philippine economy: [19]

        Year                            2011            2012             2013
        Industry revenues (USD)         $11 Billion     $13.6 Billion    $16 Billion
        Full-time employees             638,000         772,000          926,000


How much loss, potential or otherwise, must be suffered by the Philippine economy for information
security to be considered a matter of national security? What is the impact to this single sector of a single
or a series of cyber-attacks or data breaches exacerbated by inadequate response from government?
Government and the private sector must work together to secure our national interest.

This article presented an overview of the current landscape of information security, moving from the
motivational aspects behind cyber-attacks to a review of current common threats and attack variants, then
to a presentation of the popular defensive strategies, and ending with a forward look at future challenges
and developments. Although technology and methodologies continue to evolve, the human factor, not rapid
technological advancement, continues to be the biggest source of vulnerability:

       • Many continue to blindly follow security standards set by governments and standards bodies
         without proper evaluation of their suitability for their own situation.
       • Lax stewardship is the leading cause of security breaches in established organizations.
       • Social engineering is still the most prevalent cause of data compromises.
       • Senior leadership, especially at the national level, typically fails to recognize the critical nature of
         information security to their organizations until after a breach or other incident has occurred.

If the Philippines were to experience a cyber-attack today, there is no single office of primary
responsibility within government to mount a coordinated response. At best, the country can only rely on
the Philippine Computer Emergency Response Team (PHCERT), "... a non-profit aggrupation of
Information Security Professionals providing Technical and Policy Advisory Services Pro Bono
Publico." [20] The National Computer Center recognizes the limited programs and projects that
PHCERT can support: "PHCERT ONLY accepts security incident reports from its members. Technical
advice may be provided depending on volunteer availability. Forwarding and coordination to the
appropriate law enforcement agency can also be done if the situation warrants or member organization
desires to do so." [21] On the legal front, although the Philippines recently enacted the Cybercrime
Prevention Act of 2012, Republic Act 10175, to empower law enforcement to better combat cybercrime,
the Supreme Court issued a Temporary Restraining Order delaying its implementation by 120 days in
response to questions about the constitutionality of certain provisions.

Information security is so pervasive that even a superpower like the United States and advanced societies
like Japan with relatively unlimited budgets find it difficult to cope with the immense challenges.
Government and the private sector must cooperate to make significant progress in this regard. Forging
ahead, given the current landscape of information security and its likely progression, the Philippines must
take two foundational steps to improve its information security:

    1. Government must designate a single office of primary responsibility to prepare, mitigate, and
       coordinate a response to cyber-attacks; and
    2. Government and the private sector must work together and establish a pro-active, independent,
       fully-functional Computer Emergency Response Team (CERT) and/or Computer Security
       Incident Response Team (CSIRT).

Mabuhay!



REFERENCES
This article relied extensively on the collective knowledge-base and experience of the authors as well as
sources from both the internet and printed material. Similar references were grouped together for brevity.
[1] http://blog.elementps.com/element_payment_solutions/2011/11/visa-releases-pci-compliance-level-stats.html
[2] http://www.pcworld.com/article/79303/article.html
[3] http://2011.appsecusa.org/p/gsr.pdf
[4] http://www.techweekeurope.co.uk/news/experts-admit-motivation-for-cyber-attacks-overlooked-6696
[5] http://www.symantec.com/connect/blogs/hackers-behind-stuxnet;
http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-industrial-control-systems;
http://www.airdemon.net/stuxnet.html;
http://www.reuters.com/article/2010/09/24/security-cyber-iran-idUSLDE68N1OI20100924
[6] http://www.social-engineer.org/social-engineering-ctf-battle-of-the-sexes/
[7] http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/;
http://nakedsecurity.sophos.com/2012/09/27/banks-targeted-ddos-attacks/;
http://www.bloomberg.com/news/2012-09-28/cyber-attacks-on-u-s-banks-expose-computer-vulnerability.html;
http://threatpost.com/en_us/blogs/historic-ddos-attacks-against-major-us-banks-continue-092712
[8] U.S. Department of Defense, Joint Publication 1–02: DOD Dictionary of Military and Associated
Terms (November 8, 2010, as amended through May 15, 2011).
[9] http://www.iseprograms.com/lib/Trustwave_2012GlobalSecurityReport.pdf
[10] http://web.archive.org/web/20071207173837/http://www.f-secure.com/2007/2/
[11] http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east;
http://www.crysys.hu/skywiper/skywiper.pdf
[12] Cyber-warfare – The new battlefront for Defence Forces by Dr. Peter Holliday
[13] http://www.forbes.com/sites/simonmontlake/2012/10/08/u-s-congress-flags-chinas-huawei-zte-as-security-threats/;
http://online.wsj.com/article/SB10000872396390443615804578041931689859530.html;
http://www.reuters.com/article/2012/10/08/us-usa-china-huawei-zte-idUSBRE8960NH20121008
[14] Guide to Intrusion Detection and Prevention Systems - http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
[15] http://www.wired.com/beyond_the_beyond/2011/12/42-major-countries-ranked-by-smartphone-penetration-rates/;
http://www.thinkwithgoogle.com/mobileplanet/en/
[16] CyberSecurity Challenges in Developing Nations – Dissertation by Adam C. Tagert, 12/1/2010,
Carnegie Mellon University
[17] "Russian Underground 101" by Max Goncharov, Trend Micro Incorporated Research Paper 2012 -
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf
[18] "2012 Programs" Presentation of the Undersecretary Louis Casambre, Executive Director of the
Information & Communications Technology Office of the Department of Science and Technology on 21
June 2012 at the Chancery Hall of the US Embassy Manila.
[19] IT-BPO Road Map 2011-2016, Business Processing Association of the Philippines,
www.bpap.org/publications/breakthroughs?download
[20] http://www.phcert.org/
[21] http://www.ncc.gov.ph/default.php?a1=2&a2=5&a3=1&a4=PQRS&a5=114


ABOUT THE AUTHORS
Simoun is the current Vice Chairman of the Overseas Security Advisory Council of the U.S. Embassy
Manila, a federal advisory committee under the State Department. He also serves as the Chairman of the
Security Disaster Resource Group of the American Chamber of Commerce of the Philippines. He was a
Consultant to the Office of International Policy and Special Concerns of the Department of National
Defense and an Advisor to the Supreme Court. He was formerly with the Philippine Coast Guard
Auxiliary 101st Squadron, where his last rank was Commander prior to retirement. He holds a Master of
Business Administration from the Ivey School of Business, University of Western Ontario, Canada, and a
Bachelor of Arts degree in Psychology and Economics from the University of British Columbia. He is
currently the CEO and President of PVB Card Corporation and the Vice Chairman of Bastion Payment
Systems in the Philippines, and serves on the boards of several listed firms, both in the Philippines and the
United States. Simoun has also been tapped as a speaker and lecturer for many engagements, including
the Federal Bureau of Investigation and the National Defence College of the Philippines.

Wilfred is the founding CEO and President of Bastion Payment Systems. He formerly worked at Unisys
for over a decade, where he was involved deeply as a senior systems architect on several notable IT
projects of the Philippine government including the National Statistics Office Census Registry System
(CRS-ITP), Land Transportation Office, Philippine Ports Authority, and others. Beyond this, Wilfred
also worked on many international, government and financial sector projects in the United States, China,
Singapore, Hong Kong, Sri Lanka, Vietnam and Australia. Wilfred holds a Master of Science in
Computer Science degree from De La Salle University, Manila (with high distinction), and a Bachelor of
Science in Computer Science from the same school. He is a Certified Rational Unified Process
Consultant.

Carlos is the current Chief Security and Operating Officer of Bastion Payment Systems. He was formerly
the assistant director at the Computer Center of the University of Santo Tomas, where he continues today
as a senior instructor for computer science. Carlos holds a Bachelor of Science in Computer Science from
Chiang Kai Shek College Philippines and Masteral units from De La Salle University. He is a certified
Cisco Networking Academy Instructor, and a Microsoft Certified Professional.

More Related Content

What's hot

Gp2 Public Policy Assign8 644 Sp10
Gp2 Public Policy Assign8 644 Sp10Gp2 Public Policy Assign8 644 Sp10
Gp2 Public Policy Assign8 644 Sp10Deepa Devadas
 
Insider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataInsider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataLindsey Landolfi
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badbanerjeea
 
7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bankshreemala1
 
Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )Sameer Paradia
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
document on cyber terrorism
document on cyber terrorismdocument on cyber terrorism
document on cyber terrorismKirti Temani
 
Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Chuck Brooks
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessCBIZ, Inc.
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...David Sweigert
 
Cyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece MooreCyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece MooreJamie Moore
 
Airport security 2013 john mc carthy
Airport security 2013   john mc carthyAirport security 2013   john mc carthy
Airport security 2013 john mc carthyRussell Publishing
 

What's hot (20)

Gp2 Public Policy Assign8 644 Sp10
Gp2 Public Policy Assign8 644 Sp10Gp2 Public Policy Assign8 644 Sp10
Gp2 Public Policy Assign8 644 Sp10
 
Insider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataInsider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary Data
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 
7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank7 mike-steenberg-carlos-lopera-us-bank
7 mike-steenberg-carlos-lopera-us-bank
 
Cyber War ( World War 3 )
Cyber War ( World War 3 )Cyber War ( World War 3 )
Cyber War ( World War 3 )
 
C018131821
C018131821C018131821
C018131821
 
Cyber Terrorism
Cyber TerrorismCyber Terrorism
Cyber Terrorism
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection System
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
document on cyber terrorism
document on cyber terrorismdocument on cyber terrorism
document on cyber terrorism
 
THESIS-2(2)
THESIS-2(2)THESIS-2(2)
THESIS-2(2)
 
Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...Event: George Washington University -- National Security Threat Convergence: ...
Event: George Washington University -- National Security Threat Convergence: ...
 
Social Engineering Audit & Security Awareness
Social Engineering Audit & Security AwarenessSocial Engineering Audit & Security Awareness
Social Engineering Audit & Security Awareness
 
Cyber Terrorism
Cyber TerrorismCyber Terrorism
Cyber Terrorism
 
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
Worldwide Cyber Threats report to House Permanent Select Committee on Intelli...
 
Session 3.2 Zahri Hj Yunos
Session 3.2 Zahri Hj YunosSession 3.2 Zahri Hj Yunos
Session 3.2 Zahri Hj Yunos
 
Cyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece MooreCyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece Moore
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
Airport security 2013 john mc carthy
Airport security 2013   john mc carthyAirport security 2013   john mc carthy
Airport security 2013 john mc carthy
 

Similar to The Evolving Landscape on Information Security

Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Securityijtsrd
 
Institutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveInstitutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveGovernment
 
Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligenceijtsrd
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligencewbesse
 
Cyber Crime and Cyber Security
Cyber Crime and Cyber SecurityCyber Crime and Cyber Security
Cyber Crime and Cyber Securityijtsrd
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 
Cyber attack awareness and prevention in network security
Cyber attack awareness and prevention in network securityCyber attack awareness and prevention in network security
Cyber attack awareness and prevention in network securityIJICTJOURNAL
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber securityAliyuMuhammadButu
 
Cyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David BundoCyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David Bundohdbundo
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseWilliam McBorrough
 
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING ijmvsc
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisIJERD Editor
 
Information Sharing of Cyber Threat Intelligence with their Issue and Challenges
Information Sharing of Cyber Threat Intelligence with their Issue and ChallengesInformation Sharing of Cyber Threat Intelligence with their Issue and Challenges
Information Sharing of Cyber Threat Intelligence with their Issue and Challengesijtsrd
 
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993ConJournal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Conkarenahmanny4c
 
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxJournal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxcroysierkathey
 
You Are the Target
You Are the TargetYou Are the Target
You Are the TargetEMC
 

Similar to The Evolving Landscape on Information Security (20)

Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Security
 
Institutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveInstitutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military Perspective
 
Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligence
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
Cyber Crime and Cyber Security
Cyber Crime and Cyber SecurityCyber Crime and Cyber Security
Cyber Crime and Cyber Security
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Cyber attack awareness and prevention in network security
Cyber attack awareness and prevention in network securityCyber attack awareness and prevention in network security
Cyber attack awareness and prevention in network security
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
Cyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David BundoCyber Security Matters a book by Hama David Bundo
Cyber Security Matters a book by Hama David Bundo
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law Please
 
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network Analysis
 
Information Sharing of Cyber Threat Intelligence with their Issue and Challenges
Information Sharing of Cyber Threat Intelligence with their Issue and ChallengesInformation Sharing of Cyber Threat Intelligence with their Issue and Challenges
Information Sharing of Cyber Threat Intelligence with their Issue and Challenges
 
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993ConJournal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Con
 
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxJournal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
 
You Are the Target
You Are the TargetYou Are the Target
You Are the Target
 

The Evolving Landscape on Information Security

  • 1. THE EVOLVING LANDSCAPE ON INFORMATION SECURITY By: Wilfred G. Tan, Carlos T. Tengkiat & Simoun S. Ung 31 October 2012 INTRODUCTION We all have a preconceived notion on information technology security; however for a lot of organizations this value is subjective because there is an acceptability of risk. This is not to imply a particular organization is unaware of the value of security; it may simply be that the organization needs to consider the allocation of its resources for security relative to the value of the asset being protected. A large number of organizations, as evidenced by strong growth and interest in security standards such as PCI-DSS [1], either depend on or follow guidelines set forth by government institutions and standards bodies. Conventional wisdom dictates that following guidelines is normally a good approach. As a security officer, planner or executive, one should always consider going beyond the existing standard and to be reminded that the security standards are developed in response to already recorded and occurring incidents. Moreover, security standards take time for the standard setting bodies to create, review, approve and implement. Security is a living practice and needs the proper attention, time and consideration. Laying out and maintaining a comprehensive cyber security plan not only requires expertise, but also involves careful thought, assessment, and constant refinement and adjustments. In addition, legal frameworks differ from country to country; therefore, best practices in one country are not directly portable to a different country, even within similar industries. Unlike more traditional crimes such as theft and robbery, the specific rules and regulations tend to be varied at best for cyber-security and cyber- crime related incidents. Computer security related incidents have risen significantly over the past decade [2] and there is every indication that this trend will continue for the foreseeable future. 
The Global Security Report of Trustwave [3] presents the origin of cyber-attacks: Russia leads the statistics with 29.6% in the data [3]. However, because 32.5% of all attacks are from of unknown origin, it can be as likely (or equally unlikely) that any one nation is the single source or culprit of all of the incidents. Pinpointing the location in a timely manner is very difficult, if not impossible, given that the technology today allows users to use anonymous proxies to connect to the Internet which further compounds the problem.
  • 2. This article is written for non-technical executives and policy makers, whose responsibilities require them to interact with information security professionals, as a primer on the current landscape of information security as well as its likely evolution. Security professionals and practitioners are already well-versed in the material contained herein. The paper examines the motivation behind cyber-attacks followed by a survey of common threats and attack variants. It then presents the popular defensive strategies followed by a discussion of future challenges and developments. MOTIVATION Behind all threats and cyber security breaches are either individuals or organizations. Cyber security incidents do not occur in a vacuum. Generally, the motive behind a cyber-attack can be classified as follows: personal reasons, unlawful profiteering, corporate or national interests, and other purposes. Personal Reasons Personal reasons for conducting a cyber-attack include peer recognition, revenge, personal gain or satisfaction, and even curiosity. Some intruders derive a perverse sense of fun from conducting the attack and revel in the psychic income of being noted for notoriety. Unlawful Profiteering Perhaps the most common motivation for conducting a cyber-attack is financial gain. The primary goal of fraud is to gather information that can be used to access funds of other entities for illicit proceeds. Popular targets include savings accounts and payment, debit and credit, card data. Organized criminal syndicates are the primary perpetrators of these attacks. Inopportunely, the skill and savoir-faire developed are often adopted for use in cyber-terrorism and other cyber-attacks. Although there is no data for the Philippines, a study conducted by eWEEK Europe in 2010 [4] on a simulated auction of stolen data determined that the relative value of data is primarily determined by purchaser. 
The end goal remains the same, obtain information through illegal and fraudulent means which can be used for financial gain. Information itself has become a commodity; it can be traded, bought and sold. Corporate or National Interests The strategic objectives for a corporation or nation-state are sometimes achieved by attacking others using cyber-warfare capabilities. The intent may be to disable a nuclear enrichment program or a more mundane purpose such as spy, steal or subvert a rival‘s plans and secrets. In mid-2010, Stuxnet was discovered. The singular target of this worm was to disable and destroy Siemens industrial equipment which were specifically used to control centrifuges that create nuclear material for a fissionable weapon. According to a study by Symantec in August, 2010 [5], 60% of the computers infected by Stuxnet were in Iran suggesting a highly ‗targeted‘ operation. The worm‘s sophistication and intelligence suggested a nation-state level of sponsorship; speculation was rife that the
  • 3. United States and Israeli forces were at least partially responsible for the development and deployment of the worm. [5] THREAT EVOLUTION Approaches to attacks have evolved over time, adapting to developments in technology. Tools for exploiting systems have evolved considerably; likewise, tools that are available for testing and exploiting vulnerabilities are readily available in the market. There are even attack platforms freely available that ironically were intended to test the security of a system. Several of the more common threats are outlined below: physical, cyber-stalking, social engineering, phishing, distributed denial of service, network attacks and malwares. Physical In the 1980s, the common practice was to actually go onto the premises of the target company or to harvest data from unprotected sources. Criminals would find ways to physically obtain storage media or hardcopies of data. Dumpster diving, or the sifting through garbage and trash to find bits and pieces of information, is still practiced today. The careless disposal of seemingly innocuous information such as an obsolete version of an information security plan, PIN mailers, passwords, social security numbers, et cetera can facilitate an attack via social engineering or phishing. Today, practices have improved to include tapping into data cabling that are accessible from unsecured areas and the access of unlocked, accessible computer servers and systems. It is still a common occurrence for unencrypted, sensitive data to be lost or stolen from physical media such as USB flash drives, laptops and cellular phones. Cyber-Stalking Cyber-stalkers assault their victims using electronic communication: email, instant messaging (IM) and/or posts to a website or discussion group. While most cyber-attacks target an organization, cyber-stalking tends to be of a more personal nature. 
Cyber-stalkers typically gather personal and private information about their target then send them harassing or threatening messages. Trolling is a form of cyber-stalking in which negative posts , comments or other defamatory statements are made which are injurious to the reputation or emotional health of the victims. When committed by more than one individual, trolling is also known as cyber-bullying. Sadly, there are cases involving teens which have resulted in the victims committing suicide. Social Engineering Social engineering cyber-attack involves the manipulation of people to perform certain actions that can compromise security; this requires a solid understanding of human responses and behaviour. Although physical contact is not necessary, some form of trickery to gain the confidence of the target is employed. Social engineering attack occurs in two phases: information gathering then the pretext stage in which a believable story is crafted in order to earn legitimacy and gain the trust of the target.
Social engineering is not strenuous on the attacker, thus it is normally employed in conjunction with other forms of cyber-attack. The insertion of malware into otherwise hardened, secure systems is a common combination with social engineering. Many enterprise systems are well protected and require significant time and effort to breach. However, if the attackers are able to use social engineering to get physical media such as USB flash drives inserted into the internal network, then all the external defences are immediately bypassed.

Based on a recently conducted social engineering study [6], companies with well-implemented security awareness protocols are more resistant to social engineering tactics. Participants from the oil industry fared better compared to less security-aware industries like retail. The study posed questions designed to expose the security design and architecture of the respondent's organization:
The study [6] revealed that certain data can be harvested from the internet itself. Researchers were able to utilize the data culled from the internet in their social engineering tasks to profile a target's internal security implementation. The table below displays the details gathered from the questionnaire above in blue, while the additional information garnered from the internet is shown in red:

Recently, face-to-face social engineering tactics have been increasing; this is disquieting since it may expose the targeted individual to physical danger.

Phishing

Phishing is an email-based fraud method that uses legitimate-looking email designed to gather personal and financial information from its targets. The emails blend a false premise with spoofed versions of trustworthy websites, and victims are encouraged to click on links, send information and otherwise respond. The attackers then use social engineering techniques to extract and steal personal and financial information. Since emails generally arrive from an external source, incorporating dangerous payloads in the message requires negligible effort. There are several types of phishing techniques:

- Phishing: emails are disguised so as to obtain usernames and passwords from users via electronic communication.
- Spear phishing: phishing targeted at specific individuals; personal information on the target is gathered to increase the probability of success.
- Clone phishing: a previously legitimate and delivered email is used as a template and cloned; the cloned email, with links and attachments modified, is resent to the victim. This method exploits the social trust between the parties that exchanged the original email.
- Whaling: phishing targeting high-profile victims.

Phishing is not restricted to electronic information nor to electronic communication channels. Some phishing emails contain telephone numbers purporting to be customer service; the unsuspecting victim is lured to call and unwittingly gives personal information that can later be used by the attacker.

One of the best known phishing emails is the "Nigerian scam." Although there are many variations, the content is essentially the same, with the sender pretending to have access to a large amount of funds and requiring the assistance of the victim to gain access to the said funds:

FROM: MR DAN PATRICK.
DEMOCRATIC REPUBLIC OF CONGO.
ALTERNATIVE EMAIL: (patrickdan@rediffmail.com).

Dear Sir,

SEEKING YOUR IMMEDIATE ASSISTANCE.

Please permit me to make your acquaintance in so informal a manner. This is necessitated by my urgent need to reach a dependable and trust wordy foreign partner. This request may seem strange and unsolicited but I will crave your indulgence and pray that you view it seriously. My name is. DAN PATRICK of the Democratic Republic of Congo and One of the close aides to the former President of the Democratic Republic of Congo LAURENT KABILA of blessed memory, may his soul rest in peace.

Due to the military campaign of LAURENT KABILA to force out the rebels in my country, I and some of my colleagues were instructed by Late President Kabila to go abroad to purchase arms and ammunition worth of Twenty Million, Five Hundred Thousand United States Dollars only (US$20,500,000.00) to fight the rebel group. But when President Kabila was killed in a bloody shoot-out by one of his aide a day before we were schedule to travel out of Congo, We immediately decided to divert the fund into a private security company here in Congo for safe keeping.

The security of the said amount is presently being threatened here following the arrest and seizure of properties of Col.Rasheidi Karesava (One of the aides to Laurent Kabila) a tribesman, and some other Military Personnel from our same tribe, by the new President of the Democratic Republic of Congo, the son of late President Laurent Kabila, Joseph Kabila.

In view of this, we need a reliable and trustworthy foreign partner who can assist us to move this money out of my country as the beneficiary. WE have sufficient ''CONTACTS'' to move the fund under Diplomatic Cover to a security company in the Europe in your name. This is to ensure that the Diplomatic Baggage is marked ''CONFIDENTIAL'' and it will not pass through normal custom/airport screening and clearance. Our inability to move this money out of Congo all This while lies on our lack of trust on our supposed good friends (western countries) who suddenly became hostile to those of us who worked with the late President Kabila, immediately after his son took office.

Though we have neither seen nor met each other, the information we gathered from an associate who has worked in your country has encouraged and convinced us that with your sincere assistance, this transaction will be properly handled with modesty and honesty to a huge success within two weeks. The said money is a state fund and therefore requires a total confidentiality. Thus, if you are willing to assist us move this fund out of Congo, you can contact me through my email address above with your telephone, fax number and personal information to enable us discuss the modalities and what will be your share (percentage) for assisting us.

I must use this opportunity and medium to implore You to exercise the utmost indulgence to keep this Matter extraordinarily confidential, Whatever your Decision, while I await your prompt response.

NOTE: FOR CONFIDENTIALITY, I WILL ADVISE YOU REPLY ME ON MY ALTERNATIVE EMAIL BOX (patrickdan@rediffmail.com). Thank you and God Bless.

Best Regards,
MR DAN PATRICK.
Distributed Denial of Service (DDOS)

DDOS is one of the older forms of attack that is still popular today. In a DDOS attack scenario, the victim typically finds their system slowing to a crawl or unable to respond at all. Several variants are commonly used, such as ICMP flooding, SYN flooding, Teardrop and others. The defining aspect of DDOS attacks is the rendering of the target system crippled or inoperable, thereby denying service to the system's legitimate users. As recently as mid-2012, DDOS attacks against major financial institutions such as HSBC, Bank of America and JP Morgan Chase were recorded. [7]

The duration and severity of the attack depend on the number of zombies, or slave computers, used by the attacker, and on the resiliency of the target computer(s) to withstand the attack. A DDOS attack may be used in conjunction with other attacks to exploit vulnerabilities exposed while the DDOS attack is in progress; sometimes, a DDOS attack is a diversionary tactic to enhance the probability of success of other attack methods. Major disruptions to critical infrastructure like defense, utilities and banking will result not only in mere inconvenience due to loss of services but also in significant financial and economic losses.

Network attacks

The U.S. Department of Defense refers to network attacks as "... actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves." [8] If an attacker successfully connects to the network of the target, innumerable opportunities to launch attacks become available. Common mistakes in network security are weak, default or non-existent administrator passwords. Moreover, ill-designed networks also allow easy access to database servers, the usual targets for data mining.
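Before the text turns to SQL injection, the usual route into those database servers, here is an added example (not from the article) in Python of the vulnerable query beside its parameterized form, run against a constructed in-memory SQLite users table; the table contents, credentials and tautology payload are all made up for illustration.

```python
import sqlite3

# Constructed sample data standing in for the back-end database that an
# ill-designed network exposes. The apostrophe in "o'brien" is deliberate:
# it shows that concatenation breaks on legitimate input as well.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")]


def make_db():
    """Create and populate a throwaway in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The defect the article describes: user input is spliced into the SQL
    text, so the input can rewrite the statement itself. Returns the matched
    user name, None for no match, or an 'ERROR: ...' string when the
    concatenated text is no longer valid SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "ERROR: " + type(exc).__name__
    return row[0] if row else None


def login_hardened(conn, name, password):
    """Parameterized query: the statement is fixed and the values travel
    separately, so a quote or an OR clause in the input is just data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the same inputs through both versions and collect the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed: turns the WHERE clause always-true
    return {
        # Both versions accept a correct credential pair.
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "legit_hard": login_hardened(conn, "alice", "s3cret"),
        # Concatenation lets an unknown user in as the first row;
        # the parameterized query correctly finds nobody.
        "tautology_vuln": login_vulnerable(conn, "nobody", tautology),
        "tautology_hard": login_hardened(conn, "nobody", tautology),
        # A real user with an apostrophe: the concatenated statement is
        # malformed, while the parameterized one works as intended.
        "quote_vuln": login_vulnerable(conn, "o'brien", "pw"),
        "quote_hard": login_hardened(conn, "o'brien", "pw"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result!r}")
```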
Attackers can use SQL injection, in which SQL text is embedded in the attack stream, in an attempt to subversively access a back-end database system.

Malware

The current trend of cyber-attacks is predominantly associated with malware. Trustwave defines malware as "... often purposefully designed to capture and extricate data, provide remote access, or automate compromised systems into a botnet — or to just cause general mayhem." [9] Malware comes in a myriad of types and varieties. The common categories known today include computer viruses, worms, Trojan horses, spyware, adware and rootkits. Entire software product suites and solutions have been created to combat malware. However, malware has evolved and continues to do so; it is constantly being updated to exploit new vulnerabilities and to avoid detection by users and by third-party security products. This accounts for the discouraging statistics showing that infections often go undetected. The popularity of malware as an attack vector is evident in the fact that the number of malware samples created in 2007 alone was equivalent to the combined total of the previous twenty years. [10] Malware is used with great efficacy to achieve a beachhead in infiltrating systems. Some of the recent incidents involving malware are listed below:
Flame

Discovered by the Iranian National Computer Emergency Response Team (CERT), Kaspersky and CrySyS Lab, Flame is widely considered one of the most sophisticated pieces of malware ever created. [11] It spreads via local area network or USB. Infected computers act as a Bluetooth beacon and attempt to harvest contact information from nearby Bluetooth-enabled devices. At twenty megabytes, Flame is uncharacteristically large for malware. Its capabilities include recording of audio, keystrokes, screenshots and Skype conversations; thus Flame is deemed a cyber-espionage tool.

RSA Breach

RSA experienced a security breach in 2011. [12] The attack vector was an email sent to an employee with an Excel attachment that contained malware. This malware exploited vulnerabilities in Adobe Flash and installed a variant of Poison Ivy, a common remote administration tool. The attackers then obtained critical information, including the SecurID token seeds and algorithm designs used by RSA; consequently, the RSA security tokens were rendered vulnerable to exploitation. This directly resulted in cyber-attacks against Lockheed Martin and L3 Communications, both US military contractors.

Malware has proven to be a very effective and potent tool for cyber-attacks, and its continued use will foster further evolution in sophistication and complexity. Organizations should take steps to detect and eradicate malware; depending solely on the hardening of perimeter defenses to keep malware from infiltrating an organization is a common fallacy.

Common Defensive Strategies

Information security personnel and teams tend to use several common defensive strategies. Unfortunately, there is no perfect defensive strategy; therefore, to be effective, a defensive strategy must be continuously assessed and upgraded against the constantly evolving cyber-attack mechanisms and methodologies.

Physical

There are numerous physical defensive strategies; the most common are the following:

1. Deployment of access systems secured by biometrics, ID card, PIN and/or a combination thereof;
2. Closed circuit TV (CCTV) security cameras; and
3. Doors, cages, locks and man-traps.

One of the simplest and most cost-effective strategies is to locate critical servers and systems in a secure facility; failing that, the servers and systems should be locked in a cage to prevent unauthorized tampering and access.

Education, Awareness and Security Policies

One of the most effective tools to implement or improve security is education and awareness. Increasing awareness among the staff, peers, management and other employees is crucial in building support towards the implementation of an effective defensive strategy. Unfortunately, countless executives fail to appreciate the value of security; security seems to be an afterthought at best, rather than a critical factor designed into systems and procedures.

Part of the education and awareness process involves formulating, disseminating and implementing security policies. This is one of the most effective shields against social engineering attempts, as it reduces the chances of an employee being fooled into divulging crucial information. The value of information security is not apparent until after an intrusion or breach occurs. Once such an event occurs, organizations suffer, at a minimum, reputational damage. Oftentimes, banks and other financial institutions prefer to pay off the perpetrators in order to preserve their image, since the loss of confidence in their security could cost them their entire client base.

PREVENTION

The old adage, "an ounce of prevention is better than a pound of cure", is certainly applicable to information security. Pro-active measures implemented to prevent a cyber-attack are more cost-effective than reactive security patches and hardware upgrades in response to a security incident.

In recent months, several Philippine government websites have been defaced. Most agencies repaired the damage within several hours and then simply moved on. Popular sentiment was that since there was no physical harm done, such acts, while not condoned, should be tolerated as a form of expression. On the other hand, the U.S. Congress has enacted laws that consider any form of computer attack on any level against any U.S. government website as an act of war against the United States. Although defacing a website does not necessarily compromise any data, the economic cost and reputational damage of such attacks should be considered and an appropriate, measured response executed.
Anti-Virus / Anti-Malware

Anti-virus and anti-malware software packages are basic tools of the defensive trade. A properly updated program helps secure systems and protects users when they inadvertently browse or visit pages with malicious content. Most popular packages now include features and functionality to help protect the web browser.

Patch Management

There is no perfect software. As such, the software industry relies heavily on patches or upgrades to address flaws in the design, implementation or performance of software. Malware exploits known flaws in installed software to subvert and ultimately gain control over a machine. Therefore, as a defensive strategy, applying patches to the operating system, anti-virus, anti-malware and other applications helps safeguard computer systems by fixing known flaws and vulnerabilities. Beyond the issue of intellectual property rights, this is the most important, self-serving incentive to procure properly licensed software, as it guarantees that there will be support and maintenance. With open-source software, it is critical to implement a maintenance cycle to ensure that any bugs or vulnerabilities in the software are patched quickly and consistently.
Firewalls

Firewalls are network devices that filter traffic; they attempt to segregate public or open traffic that exists beyond the organization's network perimeter. Firewalls range from basic models that protect a home network, costing a few thousand pesos, to enterprise versions costing several million. There are many brands of firewalls from manufacturers such as Cisco, Juniper, Check Point, Fortinet, Huawei and ZTE, among others. Of special interest lately is the position of the Congress of the United States that Huawei and ZTE pose a security threat. [13] A properly configured and maintained firewall defends against many threats. It is a key component in many security strategies implemented today. Ensuring that the firewall is properly patched is another important key to a good defensive strategy.

Regular Testing and Backups

Regular tests of information security systems are crucial in maintaining readiness. Internal and external penetration tests, scans and verification procedures all contribute towards ensuring that systems are configured properly. Regular backups are akin to buying insurance. Failures are an unavoidable part of the human experience, and information systems are not exempt. Having a ready backup is no longer a luxury but a necessity.

Intrusion Detection Systems/Intrusion Prevention Systems

Intrusion detection and intrusion prevention systems (IDPS) are a class of devices that came to the forefront of the defensive arsenal about a decade ago. Such devices are capable of detecting incidents by monitoring events or inspecting packets and, at the start of an incident, triggering some automated response, including reconfiguration of firewalls, sending out alerts by SMS or email, locking down ports, et cetera. Most systems in the market today involve the deployment of hardware appliances (few are software based), and these are usually installed in-line, either behind or adjacent to the firewall(s) in an organization's network.

NIST [14] lists four types of technologies available today:

1. Network-based: examination and detection based on network segments, or network and application protocols.
2. Wireless: examination of wireless network traffic.
3. Network behaviour analysis: examination of system-wide behaviour, including a sudden rise in packets, policy violations, et cetera.
4. Host-based: limited to the examination of a single host and events linked to that host.

IDPS are useful in detecting and identifying potential incidents. Therefore, they are an indispensable tool in the defensive toolkit of many information security managers. When configured and maintained properly, an IDPS provides intrinsic value by adding automated detection, logging, recording and monitoring capabilities to an organization.
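As an added example (not from the article) tying the SYN flooding variant named under DDOS to the "network behaviour analysis" IDPS type above, the Python below learns a baseline SYN rate from constructed connection records, flags the sudden rise of SYNs that never complete a handshake, and turns each flagged second into the alert and firewall-rule responses the text lists. The record format, addresses and thresholds are assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict

TARGET = "192.0.2.10"  # constructed address of the protected server


def build_sample():
    """Constructed records (second, source, destination, tcp_flag).
    Seconds 0-19 carry three full handshakes per second ("S" then "A").
    Seconds 10-13 add a burst of 60 SYNs/s from four sources that never
    send the completing ACK: the shape of a SYN flood."""
    events = []
    for t in range(20):
        for i in range(3):
            src = f"10.0.0.{i + 1}"
            events.append((t, src, TARGET, "S"))
            events.append((t, src, TARGET, "A"))
    for t in range(10, 14):
        for j in range(60):
            events.append((t, f"198.51.100.{j % 4}", TARGET, "S"))
    return events


def per_second_stats(events):
    """SYNs and client ACKs per second, plus SYNs per source per second."""
    syn, ack, src_syn = Counter(), Counter(), defaultdict(Counter)
    for t, src, _dst, flag in events:
        if flag == "S":
            syn[t] += 1
            src_syn[t][src] += 1
        elif flag == "A":
            ack[t] += 1
    return syn, ack, src_syn


def detect_syn_flood(events, baseline_secs=5, ratio=5.0, floor=50,
                     half_open_ratio=0.5):
    """Network behaviour analysis: learn the normal SYN rate from the first
    baseline_secs seconds, then flag any later second whose SYN count is
    both above an absolute floor and more than ratio x the baseline, and
    where most SYNs were never acknowledged (half-open connections)."""
    syn, ack, src_syn = per_second_stats(events)
    base = [syn[t] for t in range(baseline_secs)]
    baseline = max(1.0, sum(base) / len(base))
    alerts = []
    for t in sorted(syn):
        if t < baseline_secs:
            continue
        half_open = syn[t] - ack[t]
        if (syn[t] >= floor and syn[t] > ratio * baseline
                and half_open / syn[t] >= half_open_ratio):
            top = [s for s, _ in src_syn[t].most_common(3)]
            alerts.append({"second": t, "syns": syn[t],
                           "half_open": half_open, "top_sources": top})
    return baseline, alerts


def response_plan(alerts, target=TARGET):
    """Automated responses of the kind the text lists: an alert line per
    flagged second and a deny rule for each dominant source, emitted once.
    Blocking sources only helps while the zombie count is small; a large
    or spoofed flood needs rate limiting or upstream filtering instead."""
    actions, blocked = [], set()
    for a in alerts:
        actions.append(f"ALERT second={a['second']} syns={a['syns']} "
                       f"half_open={a['half_open']}")
        for src in a["top_sources"]:
            if src not in blocked:
                blocked.add(src)
                actions.append(f"FIREWALL deny tcp from {src} to {target}")
    return actions


def demo():
    baseline, alerts = detect_syn_flood(build_sample())
    return baseline, alerts, response_plan(alerts)


if __name__ == "__main__":
    baseline, alerts, actions = demo()
    print(f"baseline SYN/s = {baseline}, flagged seconds = "
          f"{[a['second'] for a in alerts]}")
    print("\n".join(actions))
```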
Outsourcing of information security

Within the Philippine context, many organizations, including government agencies, do not have the budget, expertise or internal capability to properly secure their information systems. Accordingly, to properly prepare for a cyber-attack, organizations may resort to outsourcing, analogous to the deployment of private security guards for the protection of physical assets.

There is a prevailing misconception regarding the role of law enforcement in information security. By definition, law enforcement agencies provide post-incident investigation, apprehension and the filing of charges against suspected perpetrators. Their responsibilities do not include ensuring that an organization's systems are safe and secure. Typically, a Computer Security Incident Response Team (CSIRT) or a Computer Emergency Response Team (CERT) is engaged to assist an organization to prepare, simulate cyber-attacks and conduct post-assessments of information security systems.

FUTURE DEVELOPMENTS AND CHALLENGES

Current technological trends are likely to continue in the foreseeable future. With the rapid and accelerating pace of change in technology, a discussion of the pervasive technologies and their prospective impact on information security is warranted.

Mobile technology

Today's smartphones are truly mobile computers; some have greater processing power than desktops from less than a decade ago. Penetration rates in more advanced countries have exceeded 50% and have reached 78% in the United States. [15] This trend will rapidly be replicated in emerging markets like the Philippines, particularly with the commonplace availability of smartphones retailing for less than one hundred US dollars. With the advent of mobile commerce and the Philippine propensity for rapid adoption of mobile phones, there will be a host of new, unforeseen security challenges. This will be accelerated by the local telecommunication carriers' deployment of LTE, which empowers mobile broadband. Compounding the security challenges with mobile is the lack of a legal framework and the non-existent registry of mobile SIM cards: attackers utilizing a mobile platform will enjoy even greater anonymity.

Initial malware on the mobile platform was largely limited by the fragmented, proprietary operating systems that ran the previous generation of phones. The industry has already consolidated to four major mobile platforms: Apple's iOS, Google's Android, Windows Mobile and BlackBerry. With this convergence, the mobile platform presents a tantalizing target for cyber-attackers. There have been numerous incidents involving social engineering with deceptive messages sent to victims asking them to send money to process their contest winnings or to help a friend or relative in a supposed emergency situation.
Video/Voice Over IP (VOIP)

Skype™ was one of the pioneers that allowed people to make voice calls, later adding video calls, for free using IP technology. Nowadays, multi-party video conferencing is already commonplace. The National Telecommunications Commission has been issuing VOIP licenses for several years already. From an implementation and technology angle, VOIP is terrific: it provides clear communications enabled by constantly improving compression technology. A commercialized form of 3-D hologram communication may soon be achievable. Cyber-attackers recognize networks carrying voice and video data as an attractive target. A Brazilian CERT noticed an upsurge in scanning for VOIP traffic in its honeypot network. [16] Intruders that gain access to a VOIP system would potentially be able to monitor, access and even reroute all communications made through it.

Outsourcing cyber-attacks

Just as the protection of information security systems is being outsourced to trusted professionals, cyber-attackers have also begun to resort to outsourcing. The Russian underground market in cybercrime is vibrant. The low cost of outsourcing various methods of cyber-attack is alarming; a sampling of the available services and their prices is listed below: [17]

Service                                  Price in US dollars
Hiring a DDOS attack                     $30 to $70 per day
Email spam                               $10 per million emails
Bots for a botnet                        $200 for 2,000 bots
ZeuS source code                         $200 to $500
Hacking a Facebook or Twitter account    $130
Hacking a Gmail account                  $162
Scans of legitimate passports            $5 each
Traffic                                  $7 to $15 per 1,000 visitors from US and EU

As cyber-attacks continue to grow in sophistication, the outsourcing of cyber-attacks will not only continue unabated, but will likely escalate geometrically.

CONCLUSION

The notion of information security tends to be organization-specific. In the Philippine context, there is a relatively high tolerance for risk. Even within the defence establishment, some of the prevailing attitudes are best characterized by the tongue-in-cheek responses gathered in a series of interviews: "Our approach is security through obsolescence" and "It's only 1's and 0's anyways, who can read it?" With the pervasiveness of the internet and technology in human society today, and the resultant diminishing barriers of distance and geopolitical borders, information security must be everyone's problem and responsibility.
The Information and Communications Technology Office under the Department of Science and Technology has already set policy that information and communications technology must be governed due to its pervasive and essential nature in today's society. [18] The recent attacks to deface government websites should serve as a clarion call for imperative action. Perhaps due to the technical or rapidly evolving nature of the subject, some of the national leadership still do not recognize the gravity of the situation, or, lamentably, simply choose to believe it will go away.

For some context within the Philippine environment, consider the IT-BPO industry, a sunshine and rapidly growing sector of the Philippine economy: [19]

                          2011           2012            2013
Industry revenues (USD)   $11 Billion    $13.6 Billion   $16 Billion
Full-time employees       638,000        772,000         926,000

How much loss, potential or otherwise, must be suffered by the Philippine economy for information security to be considered a matter of national security? What is the impact on this single sector of a single cyber-attack, or a series of cyber-attacks or data breaches, exacerbated by inadequate response from government? Government and the private sector must work together to secure our national interest.

This article presented an overview of the current landscape of information security: from the motivational aspects behind cyber-attacks, to a review of current common threats and attack variants, to a presentation of the popular defensive strategies, ending with a forward look to future challenges and developments. Although technology and methodologies continue to evolve, the human factor, not rapid technological advancement, continues to be the biggest source of vulnerability:

- Many continue to blindly follow security standards set by governments and standards bodies without proper evaluation of their suitability for their own situation.
- Lax stewardship is the leading cause of security breaches in established organizations.
- Social engineering is still the most prevalent cause of data compromises.
- Senior leadership, especially at the national level, typically fail to recognize the critical nature of information security to their organizations until after a breach or other incident has occurred.

If the Philippines were to experience a cyber-attack today, there is no single office of primary responsibility within government to mount a coordinated response. At best, the country can only rely on the Philippine Computer Emergency Response Team (PHCERT), "... a non-profit aggrupation of Information Security Professionals providing Technical and Policy Advisory Services Pro Bono Publico." [20] The National Computer Center recognizes the limited programs and projects that PHCERT can support: "PHCERT ONLY accepts security incident reports from its members. Technical advice may be provided depending on volunteer availability. Forwarding and coordination to the appropriate law enforcement agency can also be done if the situation warrants or member organization desires to do so." [21]

On the legal front, although the Philippines recently enacted the Cybercrime Prevention Act of 2012, Republic Act 10175, to empower law enforcement to better combat cybercrime, the Supreme Court issued a Temporary Restraining Order delaying its implementation by 120 days in response to questions about the constitutionality of certain provisions.
Information security is so pervasive that even a superpower like the United States and advanced societies like Japan, with relatively unlimited budgets, find it difficult to cope with the immense challenges. Government and the private sector must cooperate to make significant progress in this regard. Forging ahead, given the current landscape of information security and its likely progression, the Philippines must take two foundational steps to improve its information security:

1. Government must designate a single office of primary responsibility to prepare, mitigate and coordinate a response to cyber-attacks; and
2. Government and the private sector must work together to establish a pro-active, independent, fully functional Computer Emergency Response Team (CERT) and/or Computer Security Incident Response Team (CSIRT).

Mabuhay!

REFERENCES

This article relied extensively on the collective knowledge base and experience of the authors, as well as sources from both the internet and printed material. Similar references were grouped together for brevity.
[1] http://blog.elementps.com/element_payment_solutions/2011/11/visa-releases-pci-compliance-level-stats.html
[2] http://www.pcworld.com/article/79303/article.html
[3] http://2011.appsecusa.org/p/gsr.pdf
[4] http://www.techweekeurope.co.uk/news/experts-admit-motivation-for-cyber-attacks-overlooked-6696
[5] http://www.symantec.com/connect/blogs/hackers-behind-stuxnet; http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-industrial-control-systems; http://www.airdemon.net/stuxnet.html; http://www.reuters.com/article/2010/09/24/security-cyber-iran-idUSLDE68N1OI20100924
[6] http://www.social-engineer.org/social-engineering-ctf-battle-of-the-sexes/
[7] http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/; http://nakedsecurity.sophos.com/2012/09/27/banks-targeted-ddos-attacks/; http://www.bloomberg.com/news/2012-09-28/cyber-attacks-on-u-s-banks-expose-computer-vulnerability.html; http://threatpost.com/en_us/blogs/historic-ddos-attacks-against-major-us-banks-continue-092712
[8] U.S. Department of Defense, Joint Publication 1-02: DOD Dictionary of Military and Associated Terms (November 8, 2010, as amended through May 15, 2011).
[9] http://www.iseprograms.com/lib/Trustwave_2012GlobalSecurityReport.pdf
[10] http://web.archive.org/web/20071207173837/http://www.f-secure.com/2007/2/
[11] http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east; http://www.crysys.hu/skywiper/skywiper.pdf
[12] Cyber-warfare: The new battlefront for Defence Forces, by Dr. Peter Holliday.
[13] http://www.forbes.com/sites/simonmontlake/2012/10/08/u-s-congress-flags-chinas-huawei-zte-as-security-threats/; http://online.wsj.com/article/SB10000872396390443615804578041931689859530.html; http://www.reuters.com/article/2012/10/08/us-usa-china-huawei-zte-idUSBRE8960NH20121008
[14] Guide to Intrusion Detection and Prevention Systems, http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
[15] http://www.wired.com/beyond_the_beyond/2011/12/42-major-countries-ranked-by-smartphone-penetration-rates/; http://www.thinkwithgoogle.com/mobileplanet/en/
[16] CyberSecurity Challenges in Developing Nations, dissertation by Adam C. Tagert, 12/1/2010, Carnegie Mellon University.
[17] "Russian Underground 101" by Max Goncharov, Trend Micro Incorporated Research Paper 2012, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf
[18] "2012 Programs", presentation of Undersecretary Louis Casambre, Executive Director of the Information & Communications Technology Office of the Department of Science and Technology, on 21 June 2012 at the Chancery Hall of the US Embassy Manila.
[19] IT-BPO Road Map 2011-2016, Business Processing Association of the Philippines, www.bpap.org/publications/breakthroughs?download
[20] http://www.phcert.org/
[21] http://www.ncc.gov.ph/default.php?a1=2&a2=5&a3=1&a4=PQRS&a5=114

ABOUT THE AUTHORS

Simoun is the current Vice Chairman of the Overseas Security Advisory Council of the U.S. Embassy Manila, a federal advisory committee under the State Department. He also serves as the Chairman of the Security Disaster Resource Group of the American Chamber of Commerce of the Philippines. He was a Consultant to the Office of International Policy and Special Concerns of the Department of National Defense and an Advisor to the Supreme Court. He was formerly with the Philippine Coast Guard Auxiliary 101st Squadron, where his last rank was Commander prior to retirement.
He holds a Master of Business Administration from the Ivey School of Business, University of Western Ontario, Canada, and a Bachelor of Arts degree in Psychology and Economics from the University of British Columbia. He is currently the CEO and President of PVB Card Corporation and the Vice Chairman of Bastion Payment Systems in the Philippines, and serves on the boards of several listed firms, both in the Philippines and the United States. Simoun has also been tapped as a speaker and lecturer for many engagements, including the Federal Bureau of Investigation and the National Defense College of the Philippines.

Wilfred is the founding CEO and President of Bastion Payment Systems. He formerly worked at Unisys for over a decade, where he was deeply involved as a senior systems architect on several notable IT projects of the Philippine government, including the National Statistics Office Census Registry System (CRS-ITP), the Land Transportation Office, the Philippine Ports Authority and others. Beyond this, Wilfred also worked on many international, government and financial sector projects in the United States, China, Singapore, Hong Kong, Sri Lanka, Vietnam and Australia. Wilfred holds a Master of Science in Computer Science degree from De La Salle University, Manila (with high distinction), and a Bachelor of Science in Computer Science from the same school. He is a Certified Rational Unified Process Consultant.

Carlos is the current Chief Security and Operating Officer of Bastion Payment Systems. He was formerly the assistant director at the Computer Center of the University of Santo Tomas, where he continues today as a senior instructor for computer science. Carlos holds a Bachelor of Science in Computer Science from Chiang Kai Shek College Philippines and master's units from De La Salle University. He is a certified Cisco Networking Academy Instructor and a Microsoft Certified Professional.