Your SlideShare is downloading. ×
eSecurity magazine 1017
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

eSecurity magazine 1017


Published on

Securing Your Software Development Life Cycle, CycleAnalysis of Vulnerabilities Report, ReportBenets of ISO/IEC 27005:2011 Information Security Risk Management

Securing Your Software Development Life Cycle, CycleAnalysis of Vulnerabilities Report, ReportBenets of ISO/IEC 27005:2011 Information Security Risk Management

Published in: Technology

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Vol 30 - (Q1/2012) PP 15526/10/2012(031392)Securing Your Software Development Life CycleAnalysis of Vulnerabilities ReportBenefits of ISO/IEC 27005:2011 Information Security Risk Management“Security is, I would say, our top priority because for all the exciting things you will be able to do withcomputers.. organizing your lives, staying in touch with people, being creative.. if we dont solve thesesecurity problems, then people will hold back. Businesses will be afraid to put their critical information on itbecause it will be exposed” Bill Gates e-Security | CyberSecurity Malaysia 2012 | Vol: 30 (Q1/2012)
  • 2. ii e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 3. For the past few years, we have seen the birth to a gamut of new age cyber threats and how they are encroaching more into every sphere our lives and they come in multi-dimensions. In 2011, we have also seen the emergence of social media and mobile devices etc that has complicated the global cyber security landcape which is further worsened by users’ ignorance, technical incompetency, and lack of strategic cyber security collaboration. We take necessary steps to curb this situation, among others knowledge sharing initiatives via e-Security Bulletin. It is expected that 2012 and beyond will be challenging as cyber crime is consistently becoming sophisticated due to the rapid advancement in technology. In 2011, CyberSecurity Malaysia has received 5,328 online fraud incidents that include various types of Internet scams. That number alone is more than the total number of similar incidents in 2010 and double of those reported in 2009. It is not an exaggeration to say that internet scams i.e. love scams, financial fraud, identity theft etc are fast becoming the crime of choices. For every investigation in the news, there are hundreds that will never make the headline. We learn that criminals can hardly get caught, and even if they do, they can be hardly convicted. As the technology evolves, the risks posed by cyber threats also continue to grow in both scale and sophistication. New techniques and methods may emerge, and the traditional ones would become obsolete. As such, our attitudes towards cyber security should also evolved and innovated. The explosion of Internet has also created the phenomenon towards “digital hacktivism“. 2011 also witnessed hacktivist groups such as “Anonymous” went rampage, worst than the year before. Indeed, “Anonymous” is a revolutionary group, and it will be more sophisticated in the future. Hence our approach towards combating it has to be equally revolutionary. Cyber security requires an innovation or perhaps a fundamental shift in approach towards solving the problems; and we have to act fast to stay ahead. 2012 onward, we need to understand the evolving cyber threats and how they work, and to develop the tools and methods to combat them. We should create more robust and resilient cyber space that can withstand attacks, and also help detect and prevent cyber attacks from occurring. We also need talented people with innovative ideas and commitment from both local and global key cyber security players. Until next time, have a prosperous and secure year ahead. Thank you. Thank you and warmest regards, Lt Col Prof Dato’ Husin Jazri (Retired) CISSP CBCP CEH ISLA CEO, CyberSecurity Malaysia Greetings and welcome to the first edition of eSecurity Bulletin for 2012. Some interesting topics have been lined up in this edition such as security in Software Development Life Cycle (SDLC), principles of security and information security risk management. Also, short but important tips on how to secure your iPad is included. Please spend time to read through the articles. I would like also to highlight our CyberSecurity Clinic which started its operation in September last year. Some of the services being offered are data recovery (for your hard disk, thumb drive, memory card or server), data sanitization and ICT services. Please visit the CyberSecurity Clinic website ( for further information. Last but not least, I want to take this opportunity to thank all contributors for their valuable knowledge sharing. I look forward for more contributions from the security professionals. Best Regards, Asmuni Yusof Lt Col Asmuni Yusof (Retired), Editor • MyCERT 1st Quarter 2012 Summary Report 01 • Security Challenges Emerge with IPv6 Launch 15 • Benefits of ISO/IEC 27005:2011 Information Security 04 • Principles of Security 17 Risk Management • Keep your data safe: Top 4 tips on Securing iPad 21 • Securing Your Software Development Life Cycle 08 • Analysis of Vulnerabilities Report 11PUBLISHED AND DESIGN BY
  • 4. MyCERT 4th Quarter 2011 Summary Report1 Introduction  had increased while other incidents showed a decrease. The MyCERT Quarterly Summary Report provides an overview of activities Figure 1 illustrates incidents received in Q1 carried out by the Malaysian Computer 2012 and classified according to the type of Emergency Response Team (hereinafter incidents handled by MyCERT. referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT. The summary highlight statistics of incidents according to categories handled by MyCERT in Q1 2012, comprising of security advisories and other activities carried out by MyCERT personnel. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussions of the Figure 1: Breakdown of Incidents by Classification in Q1 2012 incidents. Computer security incidents handled by MyCERT are those that Figure 2 illustrates incidents received in Q1 occur or originate within the Malaysian constituency. MyCERT works closely with 2012 and classified according to the type other local and global entities to resolve of incidents handled by MyCERT as well as computer security incidents. a comparison with the number of incidents received in the previous quarter. Incidents Trends Q1 2012 Quarter Incidents were reported to MyCERT by Categories of Incidents Q4 Q1 Percentage various parties within the constituency 2011 2012 as well as from foreign sources, which Intrusion Attempt 209 46 -77.99 include home users, private sector entities, Denial of Service 1 5 400 government agencies, security teams from Spam 299 201 -32.77 various countries, foreign CERTs, Special Interest Groups including MyCERT’s proactive Fraud 1153 1491 29.31 monitoring on several cyber incidents. Vulnerability Report 11 16 45.45 Cyber Harassment 105 80 -23.80 From January to March 2012, MyCERT, via Content Related 11 7 -36.36 its Cyber999 service, handled a total of 3,143 incidents representing a 4.40 percent Malicious Codes 142 189 33.09 decrease compared to Q4 2011. In Q1 2012, Intrusion 1357 1108 -18.34 incidents such as Denial of Service, Fraud, Figure 2: Comparison of Incidents between Q4 2012 and Q1 2012 Vulnerabilities Report and Malicious Code e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 5. 2Figure 3 shows the percentage of incidents Figure 4 shows the breakdown of domainshandled according to categories in Q1 defaced in Q4 2011.2012. Figure 4: Percentage of Web Defacement by Domain in Q1 012 Account compromise incidents continue Figure 3: Percentage of Incidents in Q1 2012 in this quarter as was in the previous one with an increase of 68 incidents comparedIn Q1 2012, a total of 1,108 incidents to 57 in Q4 2011. Account compromise incidents has become a trend nowadayswere received on Intrusion representing in which unscrupulous individuals takean 18.34 percent decrease compared advantage of various techniques toto the previous quarter. The Intrusion compromise legitimate accounts. Theincidents reported to us were mostly web increase in Internet banking and usagedefacements or known as web vandalism of social networking sites combined withfollowed by account compromises. Based lack of security awareness had contributed to the increase in account compromiseon our findings, the majority of web incidents. Account compromise incidentsdefacements were due to vulnerable reported to us involved mostly free basedweb applications or unpatched servers email accounts and social networkinginvolving web servers running on IIS and accounts. These incidents could have beenApache. prevented if users practised good password management such as using strong passwords and properly safeguarding them.In this quarter, we received a total of 689.MY domains defaced belonging to various Users may refer the URL below for goodsectors such as private and government password management practises:sites hosted on servers belonging to local h t t p : / / w w w. a u s c e r t . o rg . a u / re n d e r.web hosting companies. MyCERT responded html?it=2260 web defacement incidents by notifying 002.htmlthe respective Web Administrators torectify the defaced websites by following Incidents involving fraud had increasedour recommendations. to about 29.31 percent in this quarter e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 6. compared to the previous quarter. Fraud as Adobe PDF Reader and Multiple Microsoft incidents continue to be a trend in this Vulnerabilities. Attackers often compromise3 quarter and is one of the most frequently end-users’ computers by exploiting reported incidents to Cyber999. In fact, vulnerabilities in the users’ applications. fraud has become a global trend involving Generally, the attacker tricks the user into phishing, Nigerian scams, lottery scams, opening a specially crafted file (i.e. a PDF illegal investments and job scams as it document) or a web page. provides attractive financial returns to the perpetrators. Readers can visit the following URL on A total of 1,153 incidents were received in advisories and alerts released by MyCERT: this quarter, from organisations and home users. Phishing incidents involving foreign advisories/mycert/2011/main/index. and local brands still prevail in this quarter html. along with other types of frauds. Incidents on job scams also increased targeting other Conclusion industries such as hospitals and specialist centres. In conclusion, the number of computer We continue to receive incidents on cyber security incidents reported to us in this harassment in this quarter. However, the quarter had decreased slightly compared number had dropped to about 23.80 percent to the previous quarter. However, several with a total of 80 incidents. Harassment categories of incidents reported to us reports generally involved cyberstalking, continue to increase. The slight decrease cyberbullying, threatening done via emails could be a positive indication that more and social networking sites. A new trend Internet users are aware of current threats we observed in this quarter is luring victims and are taking proper protection measures into posing nude in front of video cams against them. No severe incidents were while chatting with the perpetrators via reported to us in this quarter and we did Skype or MSN Messenger. The captured nude pictures of these victims will then be used not observe any crisis or outbreak in our to threaten the victims to pay some amount constituencies. Nevertheless, users and of money failing which the pictures will be organisations must be constantly vigilant of publicly exposed on social networking sites. the latest computer security threats and are We advised users to be very precautious advised to always take measures to protect with whom they communicate or chat their systems and networks from these on the Internet especially with unknown threats. individuals. In Q1 2012, MyCERT had handled 189 Internet users and organisations may contact incidents on malicious codes, which represented a 33.09 percentage increase MyCERT for assistance at the below contact: compared to the previous quarter. A few of the malicious code incidents we handled E-mail: were active botnet controllers, hosting of Cyber999 Hotline: 1 300 88 2999 malware or malware configuration files Phone: (603) 8992 6969 on compromised machines and malware Fax: (603) 8945 3442 infections on computers. Phone: 019-266 5850 SMS: Type CYBER999 report <email> Advisories and Alerts <report> & SMS to 15888 In Q1 2012, MyCERT had issued a total of ten advisories and alerts for its constituencies Please refer to MyCERT’s website for latest involving popular end-user applications such updates of this Quarterly Summary. ■ e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 7. Benefits of ISO/IEC 27005:2011 InformationSecurity Risk Management 4BY | Noor Aida Idris, Lt Col Asmuni Yusof (Retired)Introduction of confidentiality, integrity, availability) and providing clients, partners andThe increasing numbers of cyber regulators, assurance of compliancesecurity incidents has resulted in to an internationally recognised setmanaging information security as one of of information security requirements.the top agendas in many organisations. It is a risk-based approach thatOrganisations have to keep up-to- provides a holistic and structured waydate with information security risks in managing information security forintroduced by new and advanced organisations.technologies, in addition to their ownreliance with such new technology since Risk management is an importantorganisational information now resides concept through information securityin a digital world as well as in physical management. Information security riskmediums. management is needed to ensure the confidentiality, integrity and availabilityInformation security management of information assets is preserved bywas introduced to ensure organisations. According to (Humphreys,organisations were able to secure 2008), risk management is the key totheir most valuable information information security governance by anassets, which concerns critical organisation and to the protection of itsbusiness information. By proactively information assets. If the organisation isprotecting information assets and unaware of the risk(s) it faces, it will notmanaging information security risks, deploy or implement security controls;organisations can reduce the likelihood thus fail to protect its most critical assets.and/or the impact on their information Several guidance are available to assistassets from a wide range of information organisations manage their informationsecurity threats. Today, there are various security risks, one of it is ISO/IECmechanisms being practised by different 27005:2011 Information Security Riskorganisations in managing information Management. The objective of this papersecurity. Among which is via information is to convey benefits of implementingsecurity management systems based information security risk managementon ISO/IEC 27001: 2005 Information based on ISO/IEC 27005:2011 InformationSecurity Management Systems (ISMS) - Security Risk Management.Requirements.ISO/IEC 27001 is one of the published Introduction to ISO/IECstandards in the ISO 27000 family that 27005:2011- Informationprovides the general requirements for Security Risk Managementimplementing information securitymanagement systems. This standard ISO/IEC 27005 contains description ofprovides organisations with means for information security risk managementprotecting their information (in terms processes and activities, which provide e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 8. guidelines to organisations to manage risk assessment, information security5 their information security risks. This risk treatment, information security risk standard, which was first introduced acceptance, information security risk in 2005, has been revised recently and communication and consultation and re-published in 2011. The standard is one information security risk monitoring and of the standards which play a significant review. These five processes are illustrated role for the successful implementation of in Figure 1. ISMS. Benefits of ISO/IEC 27005 In the authors’ opinion, there are several key advantages when organisations refer to ISO/IEC 27005 for implementing information security risk management. Firstly, this standard can be used by any type of organisation. Secondly, this standard supports the requirements of information security risk assessment specified in ISO/IEC 27001. And thirdly, this standard, which has been revised to align with three other risk management standards, can be used by organisations that wish to manage their information security risks in similar fashion to the way they manage other risks. This standard is applicable to any type of organisation Figure 1: ISO/IEC 27005 Information Security Risk Management Processes One of the attractions of ISO/IEC 27005 is the risk management processes described in the standard which is The standard supports risk applicable to all organisations, no matter assessment requirements specified the size or type. As a matter of fact, the in ISO/IEC 27001 information security risk management processes defined by the standard can Another key benefit offered by the be applied not just to the organisation ISO/IEC 27005 standard is that it as a whole, but to any discrete part of supports the information security risk the organisation (e.g. a department, assessment requirements specified in a physical location, a business service ISO/IEC 27001. Thus, organisations or a critical function), any information that wish to be certified against ISO/ system, existing or planned or particular IEC 27001 certification may refer to aspects of control (e.g. business ISO/IEC 27005 when implementing the continuity planning). information security risk assessment. Information security risk management The mapping of clauses in ISO/IEC 27005 described in ISO/IEC 27005 consists with risk assessment requirements in of five processes which are: context ISO/IEC 27001 is discussed in detail establishment, information security below: e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 9. a) Clause 7 – Context establishment on the outcome of the risk assessment,In ISO/IEC 27005, the context of risk the expected cost for implementing 6management for an organisation is these risk treatment options and theestablished first. In establishing context expected benefits from these options.for risk management, both external The information security risk treatmentand internal context for setting the processes is in line with ISO/IECbasic criteria necessary for information 27001:2005 clause 4.2.1 f) Identify andsecurity risk management, defining the evaluate options for the treatment ofscope and boundaries, and establishing appropriate organisation operating theinformation security risk management. d) Clause 10 – InformationThe context establishment process is security risk acceptancein line with ISO/IEC 27001:2005 clause The decision to accept the risks4.2.1 c) Define the risk assessment and responsibilities for decisionsapproach of the organisation. are made and formally recorded in the information security riskb) Clause 8 – Information security acceptance process. This process is risk assessment important to ensure that the upperThe context establishment process management is aware of the risksis followed by a risk assessment and also on the plans to treat theprocess. There are three sub risks. The information security riskprocesses included in a risk acceptance process is in line withassessment process which are risk ISO/IEC 27001:2005 clause 4.2.1identification, risk analysis and g) Select control objectives andrisk evaluation. Risk assessment controls for the treatment of risksprocess determines the value of the and h) Obtain management approvalinformation assets, identifies the of the proposed residual risks.applicable threats and vulnerabilitiesthat exist (or could exist), identifies e) Clause 11 – Information securitythe existing controls and their effect risk communication andon the risk identified, determines consultationthe potential consequences and The risk communication andfinally prioritises the derived risks consultation process involves activitiesand ranks them against the risk to achieve an agreement on how toevaluation criteria set in the context manage risks by exchanging and/orestablishment. The information sharing information about those riskssecurity risk assessment process between the decision-makers andis in line with ISO/IEC 27001:2005 other stakeholders. The informationclause 4.2.1 d) Identify the risks and security risk communication ande) Analyse and evaluate the risks. consultation process is in line with ISO/IEC 27001:2005 clause 4.2.4c) Clause 9 – Information security c) Communicate the actions and risk treatment improvements to all interested partiesNext is the risk treatment process. The with a level of detail appropriate to theinformation security risk treatment circumstances and, as relevant, agreeprocess involves planning to treat on how to proceed.the identified risks. There are 4options available for risk treatment: f) Clause 12 – Information securityrisk modification, risk retention, risk risk monitoring and reviewavoidance and risk sharing. Selecting the On-going monitoring and reviewrisk treatment options should be based of current information security e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 10. 7 risks are important because risks information security risk management are not static. New threats and and implementing ISMS based on ISO/ vulnerabilities may arise at any point IEC 27001. in time; likelihood or consequences may change abruptly without any Conclusion indication. Thus, constant and continuous monitoring on the risks Information security risk management is necessary to detect these changes. is one of the requirements in ISO/IEC By conducting regular monitoring 27001 ISMS. As stated earlier, ISO/ and review may also ensure that IEC 27005 is an essential companion the risk management context, the for implementing ISMS based on ISO/ outcome of the risk assessment IEC 27001. The advice and guidance and risk treatment plans remain contained in the standard is useful relevant to the organisation. The for any organisation intending information security risk monitoring to manage their information and review process is in line with security risks effectively. The three ISO/IEC 27001:2005 clause 4.2.3 d) advantages described in this paper can be enjoyed by organisations Review risk assessments at planned managing their information security intervals and review the residual risks based on ISO/IEC 27005. ■ risks and the identified acceptable levels of risks. Easy alignment with other risk References management standards Another advantage for organisations 1. ISO/IEC, “Information Technology – that choose ISO/IEC 27005 when security techniques – information implementing information security security risk management systems”, risk management is that they can ISO/IEC 27005 International Standard, align the way they manage other 2011. risks, such as enterprise-wide risks, 2. ISO/IEC, “Information Technology – with information security risks. This security techniques – information security is due to ISO/IEC 27005 being revised management system – Requirements”, recently to reflect changes in three ISO/IEC 27001 International Standard, risk management standards which are: 2005. • ISO 31000:2009 - Risk management 3. International Organization for - Principles and Guidelines; Standardization website,, • ISO 31010:2009 - Risk management accessed on 23 March 2012. - Risk Assessment Techniques; and 4. ISO27001 Security website, www. • ISO Guide 73:2009 - Risk, accessed on 23 Management Vocabulary. March 2012. 5. Humphreys, E. 2008. Information As an example, organisations that security management standards: have adopted ISO 31000 for managing Compliance, governance and risk their enterprise-wide risks may find management, information security that they can manage their information security risks in a similar fashion. technical report 13 (2008) 247–255. Thus, lesser time and resources may 6. Humphreys E. 2010. Information be used when embarking on the Security Risk Management – Handbook journey of adopting ISO/IEC 27005 for for ISO/IEC 27001, BSI Standards. e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 11. Securing Your Software Development LifeCycle 8BY | Norahana Salimin “When an organisation (SDLC) comes into the picture as incorporates security in an attractive preventive measure. its SDLC, inevitably it Securing SDLC benefits from products and applications that are Software Development Life Cycle (SDLC) [2] is a process, model secure by design.” and methodology of creating or modifying an information system. According to the InternationalIntroduction Information Systems Security Certification Consortium, Inc. (ISC)²Quality software does not really mean [3], secure SDLC phases comprised of Requirement, Design, Coding,secure software. Building security Testing, Acceptance, Deployment,into software development is often Operations, Maintenance andseemed as a major pain in the neck. Disposal. Initially, developers mustIn certain cases, security is treated have firm concepts of softwareas an obstacle to the successful security. With a solid knowledge incompletion of a software project. security concepts, only then can it be applied to the phases outlinedThat’s the reason why security is in SDLC. This paper discusses the bestusually considered as the last factor. practices on securing the phases of SDLC.The emergence of worldwide cyber-attacks especially in Malaysia [1], Requirementwhere the attackers were targeting The requirement phase or securesoftware (mostly web applications) requirement is defined as theused by government agencies, critical outline of security controls and thenational information infrastructure integration of those security controls(CNII) and high profile corporations, into the development process. Policy,raised a pertinent question. How standards, patterns and practices (PnP),seriously did the government and external regulatory and compliancethe corporate sector viewed security? requirements must be included into the security requirements. Confidentiality,How do they ensure that sensitive integrity, availability, authentication,data belonging to ordinary citizens or authorisation and auditing of datacustomers are not exposed or stolen? must also be included. A way toThere are possibilities that corrective gather these security requirementsactions may have been taken to is by referring to the modellingresolve the situation. However, methodologies of used and misusedwhat about preventive measures cases where understanding theto ensure that lightning does not threats against a system will producestrike twice? This is where securing the countermeasures to protect thethe software development life cycle system. e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 12. Design Acceptance Secure concept in the design phase is basically The acceptance phase is secured by9 about structuring the software from a security ensuring that the software in question perspective. Performing a threat modelling meets the necessary requirements before exercise will identify the surface attacks being deployed. In the pre-deployment and security criteria that will be valuable in stage, the completion criteria and risk structuring the software in terms of security. acceptance levels needs to be outlined. Security criteria must be met before a particular Software documentation should be software is released for deployment. The in place. In the post-release stage, principles of security design are many. Among independent testing, validation and them are those having the least privilege, verification of the said software by third separation of duties, complete mediation, parties such as obtaining a Common defence in depth, fail safe, weakest links, single Criteria certification may be applied. point of failure, etc. The technologies being used to match these designs are identity and Deployment, Operations, Maintenance authentication management, information flow and Disposal control, audit management, data protection, The deployment, operations, maintenance digital rights management, computing and disposal phase concerns on environment and integrity management. vulnerabilities that have not been countered by the software and future vulnerabilities Coding that may be discovered during deployment. Secure coding involves the usage of coding Software that is delivered to customers and testing standards, applying security should be digitally signed to avoid being testing tools such as fuzzing and static- tampered with. Installation of software analysis code scanning and the review of should be securely deployed with the help source codes. Knowing common software of an installation manual. Configurations vulnerabilities and countermeasures such as should be hardened to avoid incorrect injection, cross site scripting, buffer overflow system implementations. The secure and broken session management is a must usage of software or system operations to ensure these vulnerabilities are covered should be documented in the operation during coding. Defensive coding practices manual. Patch management and support can be applied such as type safe practises, memory management, error handling and management should be implemented to locality. Source code versioning is also gather information from users on errors important to ensure verified codes are not they encountered, as this may be the overwritten by unverified source codes. To source for attackers to launch an attack. ensure codes are not being tampered, digitally signing source codes is now a good practise. When software is to be replaced or retired, several processes need to be in place to Testing ensure it is executed in a secure manner. If a Secure testing is conducted when software replacement system exists, the replacement functionalities are complete and ready to should be operational before retirement enter testing trials. These trials must not takes place. Approval from the management be ignored. Black box test is focused on is required before any act of removal or testing without knowledge regarding the replacement is carried out. Only then the design of the software. White box test on system’s access controls are terminated or the other hand is testing with the required removed to prevent unauthorised access. knowledge. Fuzz testing is executed by Finally, the retired system or software services injecting random data to observe the are to be shut down to reduce the attack behaviour of the software while defensive potential, securely delete configurations coding testing is the examination of and data from the server and eventually common vulnerabilities in the software. uninstalling the system. e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 13. Initiatives to improve security it was executed in a secure process. However, the depths of verifying the SDLC processes willon SDLC depend on the evaluation assurance level (EAL) 10For a child, early childhood education such as chosen by the developer for their product. Thepreschool and kindergarten is the best method to benefit of a CC certified product is that thefoster a greater learning development. The same developer will have some level of assurance thatconcept applies with our security environment. their product was properly tested and verified byThe ‘kindergarten’ for most software developers is a third party on its security features. The otherthe higher learning institutions. These institutions benefit is that the developer’s potential customerscan play an important role in the initiative to (government agencies or corporations) maysecure product lifecycles. It can be achieved by favour a CC certified product because of a certainemphasising more security aspects in the syllabus to level of confidence in the security functionalities.teach future developers the importance of securityas a whole. Collaboration between the academicworld and security experts from the industry can Conclusionalso speed up the transfer of knowledge since ithas become more familiar with the current trends The initiatives taken by developers to secureand approaches on the how-to methodologies. overall software lifecycle and the extraWith these efforts, our future developers will initiatives taken to promote secure producthave a security-in-mind attitude while developing development and usage by the governmenttheir software, thus reducing the potential of and higher learning institutions will eventuallydesigning unsecured software. reduce the possibility of a successful attack and exploitation. This will then ensure thatCyberSecurity Malaysia [4], as the national cyber only hack-resilient software is created. Securingsecurity specialist centre and an agency under the software lifecycles are not an all-in-one solutionpurview of the Ministry of Science, Technology because it also very much depends on theand Innovation (MOSTI) provides ICT security hosts, networks and the people using the stated software. However, at least, security flaws arespecialist services and continuously monitors detected at an early stage and thus, reducethreats to national security. In translating the software vulnerabilities from being exploited.responsibility into implementation, CyberSecurity With all these joint initiatives, we will at leastMalaysia is pioneering the initiative in securing have some assurance that our informationICT products, regardless of the state of being i.e. and ICT environment are secure from cyber-software, hardware or firmware. Furthermore, attacks.■this initiative was established to promote secureproduct development for developers. Theinitiative was implemented by establishing a Referencesproduct evaluation scheme in Malaysia. 1. Malaysia Government WebsitesThe established scheme [5] is now known as Disrupted, Malaysian Common Criteria Evaluation and com/news/2011-06-16/malaysia-Certification (MyCC) scheme. The Information government-websites-attacked.htmlSecurity Certification Body (ISCB) and the 2. System Development Life Cycle, Wikipedia, http://Malaysian Security Evaluation Facility (MySEF) established under CyberSecurity Malaysia Life_Cycleto execute certification and evaluation processes 3. CSSLP Candidate Information Bulletin, Inc., (ISC)²separately. The standards [6] that are being portal, are Common Criteria (CC) and Common 4. CyberSecurity Malaysia’s Web Portal,Methodology for Information Technology Security http://www.cybersecurity.myEvaluation, which are international standardsthat are widely used for independent security 5. Malaysian Common Criteria Evaluationevaluation in ICT products. When a developer and Certification (MyCC) scheme portal,enters into a CC certification, CyberSecurity MySEF will evaluate not only the product 6. Common Criteria Web Portal, http://but also the SDLC phases of the product to ensure e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 14. Analysis of Vulnerabilities Report11 BY | Sharifah Roziah Binti Mohd Kassim Introduction Analysis Vulnerability is referred to as security Type of Jan Feb Mar vulnerability or a flaw in a software or Vulnerabilities application that makes it infeasible Misconfiguration - 2 0 4 even when the product is used properly. Disclosure The presence of vulnerabilities in software or application provides Web 0 4 8 opportunity to attackers to exploit System 0 1 0 it and compromise a system. TOTAL 2 5 12 Vulnerabilities reports refer to reports Table 1: Vulnerabilities Report Q1 (Jan - Mar) 2012 or incidents regarding vulnerabilities that are present in a system, software or application. Vulnerabilities Report is sub classified into the followings: • Misconfiguration: A problem exists with certain misconfigurations which may allow root access or system compromise from any Graph 1: Vulnerabilities Report Q1 (Jan - Mar) 2012 account on the system and might lead to information leak, data Out of the 19 incidents, six incidents manipulation and many more. involved misconfigurations, 12 involved • Web: User or complainant report websites and one involved system as vulnerabilities which are related to shown in Table 2 and Graph 2 below. websites. • System: User or complainant report Type of Vulnerability Total vulnerabilities on any specific Misconfiguration - 6 system. Disclosure Web 12 Vulnerabilities Reports are basically received from third parties and very System 1 seldom from the owner of the systems Table 2: Total Incidents on Sub Categories of Vulnerabilities or web themselves. Third parties include those from CyberSecurity Malaysia on pro-active monitoring and information received from trusted sources such as from security mailing lists and other Computer Emergency Response Teams. Vulnerabilities Reports received must be validated first by checking if the reported vulnerability actually exists. Once validated, Incident Handlers will inform the respective owners of the vulnerability and provide recommendations for rectification. Table 2: Percentage of Incidents by Sub Categories of Vulnerabilities e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 15. 12From the graph above we can seethat the majority of vulnerabilitiesincidents involved web with a totalof 63 percent compared to othersub categories. This is followed bymisconfigurations at 32 percent andsystems at 5 percent.Researchers at WhiteHat Security havediscovered that the duration of anaverage site exposed to vulnerabilitiesis about 270 days before they areremediated. The big time gap actually Graph 3: Percentage of Incidents on Different Types ofgives more opportunity for attackers Vulnerabilitiesto exploit the vulnerable websites.Vulnerabilities in web are mostlydue to vulnerable web applications Based on analysis, the most populardue to improper input validation and vulnerability reported is SQL Injectionsanitisation, improper error checkingand handling. vulnerability representing 30 percent compared to other vulnerabilities.Web Application Developers can This is followed by Informationfollow general good practises in Disclosure representing 29 percentsecuring their web applications and Cross Site Scripting which iswhere inputs are properly validated at 25 percent. Directory Listing,and sanitised and errors are properly Open Redirection, Logic Error andchecked and handled. Improper Data Validation each is atVarious types of vulnerabilities were four percent.discovered based on the incidentsreceived which were SQL Injection, An open redirect is an applicationDirectory Listing, Info Disclosure, that takes a parameter and redirectsImproper Data Validation, Open a user to the parameter value withoutRedirection, Logic Error and Cross Site any validation. This vulnerabilityScripting. The number of incidents is used in phishing attacks to getreceived on the above vulnerabilities users to visit malicious sites withoutcan be referred at Table 3 and Graph them realising it. Cross-site scripting3 below. (XSS) is a type of computer security vulnerability typically found in Web Jan Feb Mar TOTAL applications (such as web browsers through breaches of browser security)SQL Injection 2 5 7 that enables attackers to inject client-Directory Listing 1 1 side script into web pages viewed byInfo Disclosure 1 2 4 7 other users. SQL injection is an oftenImproper data 1 1 used technique to attack databasesvalidation through a website. This is usually done by including portions of SQLOpen 1 1 statements in a web form entry fieldRedirection or GET requests in an attempt to getLogic Error 1 1 the website to pass a newly formedCross Site 6 6 rogue SQL command to the databaseScripting (e.g. dump the database contents to Table 3: Figure on Different Types of Vulnerabilities the attacker). e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 16. 13 Administrators may refer to the URL listing on any folders handled by below for recommendation on fixing the web server. SQL Injection vulnerabilities: 2. Information disclosure or data leak which enables anyone to view h t t p : / / w w w. m y c e r t . o r g . m y / e n / database information belonging resources/web_security/main/main/ to the website. detail/573/index.html 3. Email account passwords Information disclosure enables an belonging to users in an attacker to gain valuable information organisation’s had been leaked/ about a system. The disclosure disclosed and posted on public could be due to unintentional websites such as at pastebin. acts, misconfigurations or due to 4. Misconfigurations that allow any vulnerabilities. user to view file configurations of a system or web. Directory listing is referred to as a web 5. Vulnerable websites allows users server that is configured to display to change the value of their total the list of all files contained in this amount of payment that had directory. This is not recommended been valued/passed by a website because the directory may contain to payment gateways during files that are normally not exposed through links on the web site. A payment processes. By right, user can view a list of all files from websites should not allow users this directory possibly exposing to modify the value or payment sensitive information. Logic error is parameters as the value is a fixed a bug in a programme that causes value set by the website. it to operate incorrectly, but not to 6. Vulnerabilities found in the web terminate abnormally (or crash). A applications allowing remote logic error produces an unintended or users to view phpmyadmin undesired output or other behaviour, settings. although it may not immediately be 7. Information disclosure by recognised as such. Improper data government staffs on public/free validation is when software does not validate input properly, an attacker discussion groups the likes of is able to craft the input in a form YahooGroup. that is not expected by the rest 8. Cross site scripting is a web of the application. This will lead application vulnerability allowing to parts of the system receiving a remote attacker to trick users unintended input, which may result in executing malicious scripts via in an altered control flow, arbitrary their websites. control of a resource, or arbitrary code execution. Out of the 19 incidents received on Vulnerabilities Report, a total Common incidents related to of 25 websites and systems were vulnerabilities found in Q1 reported. These websites and 2012: systems belonged to various sectors 1. Directory Listing on web server ranging from government agencies, due to misconfiguration on the financial institutions and private web server which allows directory and educational entities as shown in e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 17. Table 4 and Graph 4. 14Sectors TOTALGovernment 10Banking/Financial Institu- 1tionsPrivate Sector 12Educational 2 Table 4: Figure on total incidents based on Sectors Graph 5: Break of Type of Vulnerability Based on Sectors Conclusion In conclusion, the number of incidents received in this quarter on Vulnerabilities Report was considered low with a total of 19 incidents. Though the number was not alarming, System Administrators must be vigilant on vulnerabilities that may be present in their systems Graph 4: Total Incidents on Vulnerability Reports based and applications. The repercussions on Sectors from these vulnerabilities can be severe to the affected organisationsA total of 12 vulnerable websites were even due to a small misconfigurationfound to belong to private sector firms, in their systems such as disclosurefollowed by 10 website involving of sensitive information to the publicgovernment agencies, two websites belonging to the organisation. Theinvolving educational institutions and disclosed information can be furtherone website involving a banking firm. manipulated by irresponsible parties for malicious purposes on the net. AsOut of the figures above, Information such, System Administrators mustDisclosure vulnerabilities were mainly always make sure their systems anddetected in the government sector applications are regularly patched/websites which were at four websites, updated and checked/fixed forfollowed by private sector with two any errors or misconfigurations.websites. Banking and educational In addition, they are advised tosector recorded one website each regularly monitor their logs tothat were vulnerable to Information detect any anomalous activities indisclosure, as can be referred to in Graph their systems. ■5. SQL Injection and Cross Site Scriptingvulnerabilities were mainly found inwebsites belong to the private sector Referenceswith four websites on SQL Injection andanother four websites on Cross Site 1. h t t p : / / i n f o s e c i s l a n d . c o m /Scripting, followed by the government blogview/12417-Report-Websites-sector with three websites vulnerable to Remain-Vulnerable-to-Attacks.htmlSQL Injection and one website vulnerable 2. Cross Site Scripting. 3. e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 18. Security Challenges Emerge with IPv615 BY | George Chang organizations and Web leaders such “Most systems that are as Google, Facebook and Yahoo!, not IPv6 enabled have among others have made the leap the ability to handle a to the updated Internet protocol, work-around, which is IPv6, in an official worldwide launch. Yes, this time, IPv6 is here to wrap an IPv6 packet to stay. with an IPv4 header. They read the header, but they A nd the transition has bec om e increasingly necessary. T he cannot read the contents current IPv 4 protocol, w hi c h of the packet itself.” can handle around 3. 7 bi l l i on addresses, has simply run out of address space, thanks in p art No doubt, the global launch of the to the mobile dev ice explo s i on. Internet Protocol, IPv6 on June 6, Meanwhile IPv 6, for all in te nts 2012 ushers in a new era in the and purposes, has unlim i t e d evolution and widespread adoption address capacity to accommo d ate of Internet infrastructure around a rapidly growing global Inte rne t the globe. As the successor to the and mobile infrastructure. current Internet Protocol, IPv4, IPv6 is critical to the Internet’s However, with the launching of continued growth as a platform the IPv6 protocol worldwide, for innovation and economic researchers and IT professionals development. are anticipating some challenges, especially on the security front. The world already has had a small taste of what is to come in June of For one, the relative newness and last year during World IPv6 Day. lack of knowledge around the Spearheaded by the Internet Society, IPv6 protocol will inevitably pave the effort galvanized more than the way for misconfigurations, 1000 Web sites, tech companies compatibility issues and other and ISPs to collectively switch to implementation gaffes. There is IPv6 for a total of 24 hours in an not the institutional knowledge effort to “test drive” the protocol around IPv6 the way there is around to predetermine and mitigate any IPv4, which has been around for possible glitches that might occur decades and enjoys an extensive during an actual launch. knowledge base. On June 6, 2012, top tech But perhaps the biggest security e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 19. 16issue is that many security security devices could be overlookingnetworking devices are equipped critical pieces of malicious trafficwith capabilities that allow them that could potentially compromiseto forward IPv6 traffic, but not their network.inspect it. And, because IPv6is enabled by default on many Some of the policies in IPv4platforms in networks today – such and technologies you rely uponas Windows 7 – IPv6 compliant may only work in IPv4 andsystems are already installed in not IPv6, which means gapstheir networks. in your security coverage. In t h i s c a s e , h o w e v e r, k n o w i n gMost systems that are not IPv6 is not even half the battle.enabled have the ability to Upgrading networking securityhandle a work-around, which infrastructure to accommodateis to wrap an IPv6 packet with IPv6 is no small undertaking anda n I P v 4 h e a d e r. T h e y r e a d t h e will likely take years to be phasedh e a d e r, b u t t h e y c a n n o t r e a d t h e in c o m p l e t e l y. S u b s e q u e n t l y,contents of the packet itself. many organizations, facingThey cannot do their normal potentially costly and timedeep packet inspection, and they consuming hardware upgrades,just forward the packet. Only are not planning to embrace IPv6when they have a dual stack any time soon.implementation would they beallowed to simultaneously allow Yet enterprises cannot shy awaynetwork security functionality to from the issue for too long as aboth process and fully inspect lot more IPv6 traffic will hit theirpackets from both the IPv4 and networks after the 6 June launching.IPv6 protocols. When IPv6 is going to be 5 to 10 percent of your data − rather thanSeveral vendors have this a fraction of a percent − upgradefunctionality it − not all − and that’s avoidance becomes much harderone of the risks facing network to justify. Enterprises and CIOssecurity professionals today. need to start pondering over thePeople have to make sure that problem soon. ■their security product can inspectIPv6 traffic. If it can just forwardIPv6 traffic, it could be forwardingmalicious content. George Chang is Fortinet’s Regional Director for Southeast Asia & Hong Kong. Fortinet is a leading provider of network security appliancesEven with a dual stack and the worldwide leader in Unified Threat Man-implementation, however, agement or UTM. Fortinet integrates multipleorganizations need to determine levels of security protection (such as firewall, an-if they have the same feature set tivirus, intrusion prevention, VPN, spyware pre-enabled for the IPv4 protocol as vention and antispam) to help customers protectthey do for IPv6. If not, the network against network and content level threats. e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 20. Principles of Security17 BY | John Hopkinson The “Principles of Security” must be be responsible for ensuring that any kept in mind and should underlay actions related to the processing and/ all security guidelines and activities. or sanitisation do not serve to degrade They are particularly important, and or otherwise compromise the integrity should be used for guidance, when of the information technology system. the rules (laws, policies, etc.) are The use of information technology absent, not clear, or are in conflict. systems are intended to augment human The following Principles of Security capabilities, but is not intended to does not tell you what to do, but they replace, circumvent, or otherwise render provide guidance in deciding what obsolete, the basic concept of individual actions you need to take. accountability. Sensitive Information Least Privilege All organisations have information, the Any person, or surrogate information disclosure or compromise of which, by technology resource or feature, shall whatever means, may have undesirable only be granted that privilege necessary consequences. It has long been to perform their assigned task or established that structured physical function. protection of sensitive information is a necessity. With the growing dependence Need-To-Know on information technology, it follows that structured protection must exist Any person shall only be given access within those resources. to a specific information technology resource if such access is required in Proven Environment the completion of assigned tasks. Only individuals authorised to access sensitive Until proven secure by a responsible information shall be allowed access to authority, no environment shall be information technology systems: assumed to be secure. The assumption of security poses a greater threat than • that process sensitive information the absence of security. For example, it • have processed sensitive information in cannot be assumed that the complexities the past but have not been appropriately of commercially supplied hardware or sanitised. software afford any level of protection. Individual Accountability Segregation of Responsibility Any person who possesses, or through the Responsibilities must be segregated so use of information technology system(s), that, as far as possible, no one person has processes sensitive information, shall be total control over a particular resource responsible for the safeguarding of that or process. To avoid total control, dual information and shall be accountable responsibility should be implemented therefore. Any person who uses an so that manipulation of that resource information technology system which cannot be accomplished without the processes sensitive information shall knowledge of another person. e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 21. Security Effectiveness Controls 18Security is only as good as the knowledge No control, or a combination thereof,and attitude of the people who use it. will ever provide total protection. Acceptance of some measure of risk isWeak Link Syndrome unavoidable. All controls must satisfy the following:Overall security is only as good as theweakest link. These weak links can be • The risk that is being addressedexploited by unauthorised parties with must be describedmalicious intent. • The risk should be capable of beingMutual Acceptance monitored for change of magnitudeIf a group of people or an individual • The risk should be quantified, so that the magnitude of risk to bewishes to communicate with others, accepted is identifiedthe communication must be acceptableby all parties privy to it. The chain ofcommunication is constantly at risk Risk Acceptanceeven when information is held in trust. Risk acceptance is a valid and an appropriate technique for theLevels of Protection provision of cost effective security.The levels of protection must be Risk acceptance may only be used byimplemented gradually so as to be a competent authority, generally thiscommensurate with the sensitivity of refers to the Owner.the information processed. Security FailureContinuity of Protection In all cases of security failure, or doubtAll security principles, policies and arising as to the appropriate action thatmechanisms for their implementation in needs to be taken, the guiding principlesan information technology environment are “Default to the Most Secure”. Onlymust be invoked at all times unless in exceptional circumstances shall thespecific dispensation has been granted competent authority moderate thisby an appropriate authority. In such a principle. A decision to moderate mustcircumstance, a time period must be be confirmed periodically in writing.stipulated. Human FallibilityProtection Implementation Individuals who have been screenedUnless deemed impossible or should be able to be trusted. However,unnecessary by an appropriate people are fallible and thereforeauthority, protection features must be mechanisms and services must beimplemented to provide multiple levels in place to help prevent people fromor rings of security. making mistakes. ■ Mr. Hopkinson has extensive experience in the securityAssurance of Protection field in both the military and commercial sectors. As a re- searcher in information technology security, he focused onAutomatic and/or manual protection assurance, risk analysis, risk management, and securitytechniques must be employed regularly metrics. He develops strategies with regard to standards and consortia activities, and action plans to fulfil those strat-to verify that all security mechanisms egies. He assists organizations in developing their securityare invoked and operating properly. strategies and plans to implement those strategies. e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved
  • 22. Keep your data safe: Top 4 tips on Securing19 iPad Just in case you have never the information. The l e s s heard of an iPad, it is a tablet information y ou grant, the computer from Apple Inc. Its less risky it is. size and weight which fall between smart phones and • Don’t jailbreak y our i P ad , laptop computers make it a unless y ou strictly nee d a popular device nowadays. The jailbroken app or feature . If latest model - iPad 3 had been y ou do jailbreak it, be su re t o launched recently with exciting change the root password . ■ features and new specifications. If you have already bought the latest Apple iPad or planning to buy one for yourself soon, Fortinet is a leading provider of network h e r e i s s o m e g o o d a d v i c e f ro m security appliances and the worldwide leader in Axelle Apvrille, F o r t i n e t ’s Unified Threat Management (UTM). Fortinet inte- Senior Mobile Anti-Virus grates multiple levels of security protection (such Researcher: as firewall, antivirus, intrusion prevention, VPN, spyware prevention and antispam) to help cus- • I f c o n n e cte d to 3G : kee p an tomers protect against network and content e y e o n yo ur su bscr i ption level threats. b i l l , i n pa r ti cul a r re l ated t o s e n di ng S M S o r I nte rnet u sa g e . Thi s i s wh a t m o b ile m a l w a re u se th e mo st, so if s o m e t h i ng i s wro ng, check y o u r a pps a n d repo r t any i s su e t o AV vendo r s a nd/or your oper a to r. S u spi ci ous s a m p l e s ca n be se nt for analysis to su bm i tvi r us@ f o r t i n e m . • D o n ’t ha ve yo u r pa sswords s t o re d by the bro wse r. Ra ther, u se a we l l -kno wn/wel l -r ated p a s sw o rd sa f e a ppl i ca ti o n. • D o n o t l et a ppl i ca ti o ns use y o u r c ur rent l o ca ti o n o r any o t h e r pr i va te da ta , u nless y o u re al l y wa nt the m to use e-Security | Vol: 30-(Q1/2012) © CyberSecurity Malaysia 2012 - All Rights Reserved