The Evolving Landscape on Information Security
Upcoming SlideShare
Loading in...5
×
 

The Evolving Landscape on Information Security

on

  • 1,319 views

This article was submitted for publication in the National Security Review Journal.

This article was submitted for publication in the National Security Review Journal.

Statistics

Views

Total Views
1,319
Slideshare-icon Views on SlideShare
1,319
Embed Views
0

Actions

Likes
0
Downloads
19
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    The Evolving Landscape on Information Security The Evolving Landscape on Information Security Document Transcript

    • THE EVOLVING LANDSCAPE ON INFORMATION SECURITY By: Wilfred G. Tan, Carlos T. Tengkiat & Simoun S. Ung 31 October 2012INTRODUCTIONWe all have a preconceived notion on information technology security; however for a lot of organizationsthis value is subjective because there is an acceptability of risk. This is not to imply a particularorganization is unaware of the value of security; it may simply be that the organization needs to considerthe allocation of its resources for security relative to the value of the asset being protected.A large number of organizations, as evidenced by strong growth and interest in security standards such asPCI-DSS [1], either depend on or follow guidelines set forth by government institutions and standardsbodies. Conventional wisdom dictates that following guidelines is normally a good approach. As asecurity officer, planner or executive, one should always consider going beyond the existing standard andto be reminded that the security standards are developed in response to already recorded and occurringincidents. Moreover, security standards take time for the standard setting bodies to create, review,approve and implement. Security is a living practice and needs the proper attention, time andconsideration.Laying out and maintaining a comprehensive cyber security plan not only requires expertise, but alsoinvolves careful thought, assessment, and constant refinement and adjustments. In addition, legalframeworks differ from country to country; therefore, best practices in one country are not directlyportable to a different country, even within similar industries. Unlike more traditional crimes such astheft and robbery, the specific rules and regulations tend to be varied at best for cyber-security and cyber-crime related incidents.Computer security related incidents have risen significantly over the past decade [2] and there is everyindication that this trend will continue for the foreseeable future. The Global Security Report ofTrustwave [3] presents the origin of cyber-attacks:Russia leads the statistics with29.6% in the data [3]. However,because 32.5% of all attacks arefrom of unknown origin, it can be aslikely (or equally unlikely) that anyone nation is the single source orculprit of all of the incidents.Pinpointing the location in a timelymanner is very difficult, if notimpossible, given that the technologytoday allows users to use anonymousproxies to connect to the Internet which further compounds the problem.
    • This article is written for non-technical executives and policy makers, whose responsibilities require themto interact with information security professionals, as a primer on the current landscape of informationsecurity as well as its likely evolution. Security professionals and practitioners are already well-versed inthe material contained herein. The paper examines the motivation behind cyber-attacks followed by asurvey of common threats and attack variants. It then presents the popular defensive strategies followedby a discussion of future challenges and developments.MOTIVATIONBehind all threats and cyber security breaches are either individuals or organizations. Cyber securityincidents do not occur in a vacuum. Generally, the motive behind a cyber-attack can be classified asfollows: personal reasons, unlawful profiteering, corporate or national interests, and other purposes. Personal ReasonsPersonal reasons for conducting a cyber-attack include peer recognition, revenge, personal gain orsatisfaction, and even curiosity. Some intruders derive a perverse sense of fun from conducting the attackand revel in the psychic income of being noted for notoriety. Unlawful ProfiteeringPerhaps the most common motivation for conducting a cyber-attack is financial gain. The primary goalof fraud is to gather information that can be used to access funds of other entities for illicit proceeds.Popular targets include savings accounts and payment, debit and credit, card data. Organized criminalsyndicates are the primary perpetrators of these attacks. Inopportunely, the skill and savoir-fairedeveloped are often adopted for use in cyber-terrorism and other cyber-attacks.Although there is no data for the Philippines, a study conducted by eWEEK Europe in 2010 [4] on asimulated auction of stolen data determined that the relative value of data is primarily determined bypurchaser. The end goal remains the same, obtain information through illegal and fraudulent meanswhich can be used for financial gain. Information itself has become a commodity; it can be traded,bought and sold. Corporate or National InterestsThe strategic objectives for a corporation or nation-state are sometimes achieved by attacking others usingcyber-warfare capabilities. The intent may be to disable a nuclear enrichment program or a moremundane purpose such as spy, steal or subvert a rival‘s plans and secrets.In mid-2010, Stuxnet was discovered. The singular target of this worm was to disable and destroySiemens industrial equipment which were specifically used to control centrifuges that create nuclearmaterial for a fissionable weapon. According to a study by Symantec in August, 2010 [5], 60% of thecomputers infected by Stuxnet were in Iran suggesting a highly ‗targeted‘ operation. The worm‘ssophistication and intelligence suggested a nation-state level of sponsorship; speculation was rife that the
    • United States and Israeli forces were at least partially responsible for the development and deployment ofthe worm. [5]THREAT EVOLUTIONApproaches to attacks have evolved over time, adapting to developments in technology. Tools forexploiting systems have evolved considerably; likewise, tools that are available for testing and exploitingvulnerabilities are readily available in the market. There are even attack platforms freely available thatironically were intended to test the security of a system. Several of the more common threats are outlinedbelow: physical, cyber-stalking, social engineering, phishing, distributed denial of service, networkattacks and malwares. PhysicalIn the 1980s, the common practice was to actually go onto the premises of the target company or toharvest data from unprotected sources. Criminals would find ways to physically obtain storage media orhardcopies of data. Dumpster diving, or the sifting through garbage and trash to find bits and pieces ofinformation, is still practiced today. The careless disposal of seemingly innocuous information such as anobsolete version of an information security plan, PIN mailers, passwords, social security numbers, etcetera can facilitate an attack via social engineering or phishing.Today, practices have improved to include tapping into data cabling that are accessible from unsecuredareas and the access of unlocked, accessible computer servers and systems. It is still a commonoccurrence for unencrypted, sensitive data to be lost or stolen from physical media such as USB flashdrives, laptops and cellular phones. Cyber-StalkingCyber-stalkers assault their victims using electronic communication: email, instant messaging (IM) and/orposts to a website or discussion group. While most cyber-attacks target an organization, cyber-stalkingtends to be of a more personal nature. Cyber-stalkers typically gather personal and private informationabout their target then send them harassing or threatening messages.Trolling is a form of cyber-stalking in which negative posts , comments or other defamatory statementsare made which are injurious to the reputation or emotional health of the victims. When committed bymore than one individual, trolling is also known as cyber-bullying. Sadly, there are cases involving teenswhich have resulted in the victims committing suicide. Social EngineeringSocial engineering cyber-attack involves the manipulation of people to perform certain actions that cancompromise security; this requires a solid understanding of human responses and behaviour. Althoughphysical contact is not necessary, some form of trickery to gain the confidence of the target is employed.Social engineering attack occurs in two phases: information gathering then the pretext stage in which abelievable story is crafted in order to earn legitimacy and gain the trust of the target.
    • Social engineering is not strenuous on the attacker, thus it is normally employed in conjunction with otherforms of cyber-attack. The insertion of malware into otherwise hardened, secure systems is a commoncombination with social engineering. Many enterprise systems are well protected and require significanttime and effort to breach. However, if the attackers are able to use social engineering to insert physicalmedia such as USB flash drives into the internal network, then all the external defences are immediatelybypassed.Based on recently conducted social engineering study [6], companies with well-implemented securityawareness protocols are more resistant to social engineering tactics. Participants in the oil industry faredbetter compared to less security aware industries like retail. This study was designed such that questionswere designed that would expose security design and architecture of the respondent‘s organization:
    • The study [6] revealed that certain data can be harvested from the internet itself. Researchers were able toutilize the data culled from the internet in their social engineering tasks to profile a target‘s internalsecurity implementation. The table below displays the details gathered from the questionnaire above inblue while the additive information garnered from the internet is shown in red:Recently, face-to-face social engineering tactics have been increasing; this is disquieting since it mayexpose the targeted individual to physical danger. PhishingPhishing is an email-based fraud method using legitimate looking email designed to gather personal andfinancial information from its targets. Crafting emails blending a false premise while spoofingtrustworthy websites, victims are encouraged to click on links, send information and otherwise respond.The attackers then use social engineering techniques to extract information to steal personal and financialinformation. Since emails are generally from an external source, incorporating dangerous payloads in themessage requires negligible effort. There are several types of phishing techniques:  Phishing – Emails are masqueraded so as to obtain usernames and passwords from the users via electronic communication.  Spear Phishing – Targeted phishing to specific individuals, personal information on target are gathered to increase probability of success.
    •  Clone Phishing – A previously legitimate and delivered email is used as a template and cloned; the cloned email, with links and attachments modified, is resent to the victim. This method exploits the social trust between the parties that sent the email.  Whaling – Phishing targeting high profile victims.Phishing is not restricted to electronic information nor to electronic communication channels. Somephishing emails contain telephone numbers, purporting to be customer service; the unsuspecting victim islured to call and unwittingly give personal information that can later be used by the attacker. One of thebest known phishing emails is the ―Nigerian scam.‖ Although there are many variations, the content isessentially the same with the sender pretending to have access to large amount of funds and requiring theassistance of the victim to gain access to the said funds: FROM: MR DAN PATRICK. DEMOCRATIC REPUBLIC OF CONGO. ALTERNATIVE EMAIL: (patrickdan@rediffmail.com). Dear Sir, SEEKING YOUR IMMEDIATE ASSISTANCE. Please permit me to make your acquaintance in so informal a manner. This is necessitated by my urgent need to reach a dependable and trust wordy foreign partner. This request may seem strange and unsolicited but I will crave your indulgence and pray that you view it seriously. My name is. DAN PATRICK of the Democratic Republic of Congo and One of the close aides to the former President of the Democratic Republic of Congo LAURENT KABILA of blessed memory, may his soul rest in peace. Due to the military campaign of LAURENT KABILA to force out the rebels in my country, I and some of my colleagues were instructed by Late President Kabila to go abroad to purchase arms and ammunition worth of Twenty Million, Five Hundred Thousand United States Dollars only (US$20,500,000.00) to fight the rebel group. But when President Kabila was killed in a bloody shoot-out by one of his aide a day before we were schedule to travel out of Congo, We immediately decided to divert the fund into a private security company here in Congo for safe keeping. The security of the said amount is presently being threatened here following the arrest and seizure of properties of Col.Rasheidi Karesava (One of the aides to Laurent Kabila) a tribesman, and some other Military Personnel from our same tribe, by the new President of the Democratic Republic of Congo, the son of late President Laurent Kabila, Joseph Kabila. In view of this, we need a reliable and trustworthy foreign partner who can assist us to move this money out of my country as the beneficiary. WE have sufficient CONTACTS to move the fund under Diplomatic Cover to a security company in the Europe in your name. This is to ensure that the Diplomatic Baggage is marked CONFIDENTIAL and it will not pass through normal custom/airport screening and clearance. Our inability to move this money out of Congo all This while lies on our lack of trust on our supposed good friends (western countries) who suddenly became hostile to those of us who worked with the late President Kabila, immediately after his son took office. Though we have neither seen nor met each other, the information we gathered from an associate who has worked in your country has encouraged and convinced us that with your sincere assistance, this transaction will be properly handled with modesty and honesty to a huge success within two weeks. The said money is a state fund and therefore requires a total confidentiality. Thus, if you are willing to assist us move this fund out of Congo, you can contact me through my email address above with your telephone, fax number and personal information to enable us discuss the modalities and what will be your share (percentage) for assisting us. I must use this opportunity and medium to implore You to exercise the utmost indulgence to keep this Matter extraordinarily confidential, Whatever your Decision, while I await your prompt response. NOTE: FOR CONFIDENTIALITY, I WILL ADVISE YOU REPLY ME ON MY ALTERNATIVE EMAIL BOX (patrickdan@rediffmail.com).Thank you and God Bless. Best Regards, MR DAN PATRICK.
    • Distributed Denial of Service (DDOS)DDOS is one of the older forms of attacks that are still popular today. In a DDOS attack scenario, thevictim typically finds their system slows to a crawl or unable to respond at all. There are several variantsthat are commonly used such as ICMP Flooding, SYN flooding, Teardrop, and others. The definingaspect of DDOS attacks is the rendering of the target system crippled or inoperable, thereby denyingservice to the system‘s legitimate users. As recent as mid-2012, DDOS attacks against major financialinstitutions such as HSBC, Bank of America, and JP Morgan Chase were recorded. [7]The duration and severity of the attack is dependent on the number of zombies, or slave computers, usedby the attacker, and the resiliency of the target computer(s) to withstand the attack. A DDOS attack maybe used in conjunction with other attacks to exploit vulnerabilities exposed while the DDOS attack is inprogress; sometimes, a DDOS attack is a diversionary tactic to enhance the probability of success of otherattack methods. Major disruptions to critical infrastructure like defense, utilities and banking will resultnot only in mere inconvenience due to loss of services but cause significant financial and economiclosses. Network attacksThe U.S. Department of Defense refers to network attacks as ―… actions taken through the use ofcomputer networks to disrupt, deny, degrade, or destroy information resident in computers and computernetworks, or the computers and networks themselves.‖ [8] If an attacker successfully connects to thenetwork of the target, innumerable opportunities to launch attacks are made available.Common mistakes in network security are weak, default or non-existent administrator passwords.Moreover, ill-designed networks also allow easy access to database servers, the usual targets for datamining. Attackers can use SQL injection, in which direct SQL text is encoded as part of the attackstream, in an attempt to subversively access a back-end database system. MalwaresThe current trend of cyber-attacks is predominantly associated with malwares. Trustwave definesmalware as ―… often purposefully designed to capture and extricate data, provide remote access, orautomate compromised systems into a botnet — or to just cause general mayhem.‖ [9] Malware comes ina myriad of types and varieties. The common categories known today include computer viruses, worms,trojan horses, spyware, adware and rootkits.Entire software product suites and solutions have been created to combat malwares. However, malwareshave evolved and continue to do so; they are constantly being updated to meet challenges of exploitingnew vulnerabilities and avoid detection by the users and by third-party security products. This accountsfor the discouraging statistics that show infections often go undetected. The popularity of malware as anattack vector is evident in the fact that by 2007 the number of malwares created on that one year alone isthe equivalent to the combined total of the previous twenty years. [10]Malwares are used with great efficacy to achieve a beachhead in infiltrating systems. Some of the recentincidents involving malware are listed below:
    • FlameDiscovered by the Iranian National Computer Emergency Response Team (CERT), Kaspersky andCrySyS Lab, Flame is widely considered as one of the most sophisticated malware ever created. [11] Itspreads via local area network or USB. Infected computers act as a bluetooth beacon and attempts toharvest contact information from nearby bluetooth-enabled devices. At twenty megabytes, Flame isuncharacteristically large for a malware. Its capabilities include recording of audio, keystrokes,screenshots and Skype conversations; thus Flame is deemed a cyber-espionage tool. RSA BreachRSA experienced a security breach in 2011. [12] The attack vector was an email sent to an employeewith an Excel attachment that contained a malware. This malware exploited vulnerabilities in AdobeFlash and installed a variant of Poison Ivy, a common remote administration tool. The attackers thenobtained critical information including the token seeds in SecureID and algorithm designs used by RSA;consequently, the RSA security tokens were rendered vulnerable for exploitation. This directly resultedin cyber-attacks against Lockheed Martin and L3 Communications, both US military contractors.Malwares have proven to be a very effective and potent tool for cyber-attacks and their continued use willfoster further evolution in sophistication and complexity. Organizations should take steps to detect anderadicate malwares; depending solely on the hardening of perimeter defense is a common fallacy toprevent malwares from infiltrating an organization.Common Defensive StrategiesInformation security personnel and teams tend to use several common defensive strategies.Unfortunately, there is no perfect defensive strategy; therefore, to be effective, a defensive strategy mustbe continuously upgraded and assessed against the constantly evolving cyber-attack mechanisms andmethodologies. PhysicalThere are numerous physical defensive strategies; the most common are the following: 1. Deployment of access systems secured by biometric, ID card, PIN and/or a combination thereof; 2. Closed circuit TV (CCTV) security cameras; and 3. Doors, cages, locks and man-traps.One of the simplest and cost-effective strategies is to locate critical servers and systems in a securefacility; failing that, the servers and systems should be locked in a cage to prevent unauthorized tamperingand access. Education, Awareness and Security PoliciesOne of the most effective tools to implement or improve security is education and awareness. Increasingawareness among the staff, peers, management and other employees is crucial in building support towards
    • implementation of an effective defensive strategy. Unfortunately, countless executives fail to appreciatethe value of security; security seems to be an afterthought at best, rather than being a critical factordesigned into systems and procedures. Part of the education and awareness processes involveformulating, disseminating and implementing security policies. This is one of the most effective shieldsagainst social engineering attempts by reducing the chances of an employee being fooled to divulgecrucial information.The value of information security is not apparent until after an intrusion or breach occurs. Once such anevent occurs, organizations suffer at the minimum reputational damage. Oftentimes, banks and otherfinancial institutions prefer to pay off the perpetrators in order to preserve their image since the loss ofconfidence in their security could cost them their entire client base.PREVENTIONThe old adage, ―an ounce of prevention is better than a pound of cure‖, is certainly applicable toinformation security. Pro-active measures implemented to prevent a cyber-attack is more cost-effectivethan reactive security patches and hardware upgrades in response to a security incident.In recent months, several Philippine government websites have been defaced. Most agencies repaired thedamage within several hours then simply moved on. Popular sentiment was that since there is no physicalharm done, such acts, while not condoned, should be tolerated as a form of expression. On the otherhand, the U.S. Congress has enacted laws that consider any form of computer attack on any level againstany U.S. government website as an act of war against the United States. Although defacing a websitedoes not necessarily compromise any data, the economic cost and reputational damage that such attacksshould be considered and an appropriate, measured response executed. Anti-Virus / Anti-MalwareAnti-virus and anti-malware software packages are basic tools of the defensive trade. A properly updatedprogram helps secure the systems and protects users when they inadvertently browse or visit pages withmalicious content. Most popular packages now include features and functionality to help protect a webbrowser. Patch ManagementThere is no perfect software. As such, the software industry relies heavily on patches or upgrades toaddress flaws in the design, implementation, or performance of the software. Malware exploit knownflaws in the installed software to subvert and ultimately gain control over a machine. Therefore, as adefensive strategy, applying patches on the operating systems, anti-virus, anti-malware, and otherapplications help safeguard computer systems by fixing the known flaws and vulnerabilities. Beyond theissue on intellectual property rights, this is the most important, self-serving incentive to procure properlylicensed software as it guarantees that there will be support and maintenance. With open-source software,it is critical to implement a maintenance cycle to ensure that any bugs or vulnerabilities in the softwareare patched quickly and consistently.
    • FirewallsFirewalls are network devices that filter traffic; it attempts to segregate public or open traffic that existbeyond the organization‘s network perimeter. Firewalls range from the basic that protect your homenetwork costing a few thousand pesos to the enterprise versions costing several millions. There are manybrands of firewalls from manufacturers: Cisco, Juniper, Checkpoint, Fortinet, Huawei, ZTE among others.Of special interest lately is the Congress of the United States position that Huawei and ZTE pose asecurity threat. [13]A properly configured and maintained firewall defends against many threats. It is a key component inmany security strategies implemented today. Ensuring that the firewall is properly patched is anotherimportant key to having a good defensive strategy. Regular Testing and BackupsRegular tests of information security systems are crucial in maintaining readiness. Internal and externalpenetration tests, scans, and verification procedures all contribute towards ensuring that systems areconfigured properly. Regular backups are akin to buying insurance. Failures are an unavoidable part ofthe human experience and information systems are not exempt. Having a ready backup is no longer aluxury but a necessity. Intrusion Detection Systems/Intrusion Prevention SystemsIntrusion detection and intrusion prevention systems (IDPS) are a class of devices that have come into theforefront of defensive arsenal about a decade ago. Such devices are capable of detecting incidents bymonitoring events or inspecting packets and, at the start of an incident, trigger some automated responseincluding reconfiguration of firewalls, sending out alerts by SMS or email, locking down ports, et cetera.Most systems in the market today involve the deployment of hardware appliances, few are softwarebased, and these are usually installed in-line either behind, or adjacent to the firewall(s) in anorganization‘s network. The NIST [14] lists four types of technologies available today: 1. Network based: examination and detection based on network segments, or network and application protocol. 2. Wireless: examination of wireless network traffic. 3. Network behaviour analysis: examination of system-wide behaviour including the sudden rise of packets, policy violations, et cetera. 4. Host-based: limited to single host examination and events linked to the single host.IDPS are useful in detecting and identifying potential incidents. Therefore, they are an indispensable toolin the defensive toolkit of many information security managers. An IDPS provides intrinsic value byadding automated detection, logging, recording, and monitoring capabilities to an organization, whenconfigured and maintained properly.
    • Outsourcing of information securityWithin the Philippine context, many organizations, including government agencies, do not have thebudget, expertise or capability internally to properly secure their information systems. Accordingly, toproperly prepare for a cyber-attack, organizations may resort to outsourcing, analogous to the deploymentof private security guards for the protection of physical assets.There is a prevailing misconception regarding the role of law enforcement in information security. Bydefinition, law enforcement agencies provide post-incident investigation, apprehension and filing ofcharges against suspected perpetrators. Their responsibilities do not include ensuring an organization‘ssystems are safe and secure. Typically, a Computer Security Incident Response Team (CSIRT) or aComputer Emergency Response Team (CERT) is engaged to assist an organization to prepare, simulatecyber-attacks and conduct post-assessments of information security systems.FUTURE DEVELOPMENTS AND CHALLENGESCurrent technological trends are likely to continue in the foreseeable future. With the rapid andaccelerating pace of change in technology, a discussion of the pervasive technologies and theirprospective impact to information security is warranted. Mobile technologyToday‘s smartphones are truly mobile computers; some have greater processing power than desktopsfrom less than a decade ago. Penetration rates in more advanced countries have exceeded 50% and havereached 78% in the United States. [15] This trend will rapidly be replicated in emerging markets like thePhilippines, particularly with the commonplace availability of smartphones retailing for less than onehundred US dollars.With the advent of mobile commerce and the Philippine propensity for rapid adoption of mobile phones,there will be a host of new, unforeseen security challenges. This will be accelerated by the deployment ofLTE empowering mobile broadband by the local telecommunication carriers. Compounding the securitychallenges with mobile is the lack of a legal framework and the non-existent registry of mobile SIMcards: attackers utilizing a mobile platform will enjoy even greater anonymity.Initial malware on the mobile platform were largely limited by the fragmented, proprietary operatingsystems that ran the previous generation of phones. The industry has already consolidated to four majormobile platforms: Apple‘s IOS, Google‘s Android, Windows Mobile and Blackberry. With thisconvergence, the mobile platform presents a tantalizing target for cyber-attackers. There have beennumerous incidents involving social engineering with deceptive messages sent to victims asking them tosend money to process their contest winnings or to help a friend or relative in a supposed emergencysituation.
    • Video/Voice Over IP (VOIP)Skype™ was one of the pioneers that allowed people to make voice calls, later adding video calls, for freeutilizing IP technology. Nowadays, multi-party video conferencing is already commonplace. TheNational Telecommunication Commission has issued VOIP licenses for several years already. From animplementation and technology angle, VOIP is terrific: provision of clear communications enabled byconstantly improving compression technology. Commercialized form of 3-D hologram communicationmay soon be achievable.Cyber-attackers recognize that networks carrying voice and video data as an attractive target. A BrazilianCERT noticed an upsurge in scanning for VOIP traffic in their honeypot network. [16] Intruders that gainaccess to a VOIP system would potentially be able to monitor, access and even reroute allcommunications made through it. Outsourcing cyber-attacksInsofar as protecting information security systems are being outsourced to trusted professionals, cyber-attackers have also begun to resort to outsourcing. The Russian underground market in cybercrime isvibrant. The inexpensive cost for outsourcing of various methods of cyber-attacks is alarming; asampling of the available services and its prices is listed below:1 [17] Service Price in US dollars Hiring a DDOS attack $30 to $70 per day Email spam $10 per million emails Bots for a botnet $200 for 2,000 bots ZeuS source code $200 to $500 Hacking a Facebook or Twitter account $130 Hacking a Gmail account $162 Scans of legitimate passports $5 each Traffic $7 to $15 per 1,000 visitors from US and EUAs cyber-attacks continue to grow in sophistication, this development of outsourcing cyber-attacks willnot only continue unabated, but likely escalate geometrically.CONCLUSIONThe notion of information security tends to be organization-specific. In the Philippine context, there is arelatively high tolerance for risk. Even within the defence establishment, some of the prevailing attitudesare best characterized by the tongue-in-cheek responses gathered in a series of interviews: ―Our approachis security through obsolescence‖ and ―It‘s only 1‘s and 0‘s anyways, who can read it?‖ With thepervasiveness of the internet and technology in human society today and the resultant diminishing barriersof distance and geopolitical borders, information security must be everyone‘s problem and responsibility.
    • The Information and Communications Technology Office under the Department of Science andTechnology has already set policy that information and communications technology must be governeddue to its pervasive and essential nature in today‘s society. [18] The recent attacks to deface governmentwebsites should serve as a clarion call for imperative action. Perhaps due to the technical or the rapidlyevolving nature, some of the national leadership still do not recognize the gravity of the situation, orlamentably, simply choose to believe it will go away.For some context within the Philippine environment, consider the IT-BPO industry, a sunshine andrapidly growing sector of the Philippine economy: [19] 2011 2012 2013 Industry revenues (USD) $11 Billion $13.6 Billion $16 Billion Full-time employees 638,000 772,000 926,000How much loss, potential or otherwise, must be suffered by the Philippine economy for informationsecurity to be considered a matter of national security? What is the impact to this single sector of a singleor a series of cyber-attacks or data breaches exacerbated by inadequate response from government?Government and the private sector must work together to secure our national interest.This article presented an overview of the current landscape of information security. From themotivational aspects behind cyber-attacks to a review of current common threats and attack variants to apresentation of the popular defensive strategies ending with a forward look to future challenges anddevelopments. Although technology and methodologies continue to evolve, the human factor, not rapidtechnological advancement, continues to be the biggest source of vulnerability:  Many continue to blindly follow security standards set by governments and standards bodies without proper evaluation of their suitability for their own situation.  Lax stewardship is the leading cause of security breaches in established organizations.  Social engineering is still the most prevalent cause of data compromises.  Senior leadership, especially at the national level, typically fail to recognize the critical nature of information security to their organizations until after a breach or other incident has occurred.If the Philippines were to experience a cyber-attack today, there is no single office of primaryresponsibility within government to mount a coordinated response. At best, the country can only rely onthe Philippine Computer Emergency Response Team (PHCERT), ―… a non-profit aggrupation ofInformation Security Professionals providing Technical and Policy Advisory Services Pro BonoPublico.‖ [20] The National Computer Center recognizes the limited programs and projects thatPHCERT can support: ―PHCERT ONLY accepts security incident reports from its members. Technicaladvise may be provided depending on volunteer availability. Forwarding and coordination to theappropriate law enforcement agency can also be done if the situation warrants or member organizationdesires to do so.‖ [21] On the legal front, although the Philippines recently enacted the CybercrimePrevention Act of 2012, Republic Act 10175, to empower law enforcement to better combat cybercrime,the Supreme Court issued a Temporary Restraining Order delaying its implementation by 120 days inresponse to questions about the constitutionality of certain provisions.
    • Information security is so pervasive that even a superpower like the United States and advanced societieslike Japan with relatively unlimited budgets find it difficult to cope with the immense challenges.Government and private sector must cooperate to make significant progress in this regard. Forging ahead,given the current landscape of information security and its likely progression, the Philippines must taketwo foundational steps to improve its information security: 1. Government must designate a single office of primary responsibility to prepare, mitigate, and coordinate a response to cyber-attacks; and 2. Government and the private sector must work together and establish a pro-active, independent, fully-functional Computer Emergency Response Team (CERT) and/or Computer Security Incident Response Team (CSIRT).Mabuhay!REFERENCESThis article relied extensively on the collective knowledge-base and experience of the authors as well assources from both the internet and printed material. Similar references were grouped together for brevity.[1] http://blog.elementps.com/element_payment_solutions/2011/11/visa-releases-pci-compliance-level-stats.html[2] http://www.pcworld.com/article/79303/article.html[3] http://2011.appsecusa.org/p/gsr.pdf[4] http://www.techweekeurope.co.uk/news/experts-admit-motivation-for-cyber-attacks-overlooked-6696[5] http://www.symantec.com/connect/blogs/hackers-behind-stuxnethttp://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-industrial-control-systems; http://www.airdemon.net/stuxnet.html;http://www.reuters.com/article/2010/09/24/security-cyber-iran-idUSLDE68N1OI20100924[6] http://www.social-engineer.org/social-engineering-ctf-battle-of-the-sexes/[7] http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/;http://nakedsecurity.sophos.com/2012/09/27/banks-targeted-ddos-attacks/;http://www.bloomberg.com/news/2012-09-28/cyber-attacks-on-u-s-banks-expose-computer-vulnerability.html; http://threatpost.com/en_us/blogs/historic-ddos-attacks-against-major-us-banks-continue-092712[8] U.S. Department of Defense, Joint Publication 1–02: DOD Dictionary of Military and AssociatedTerms (November 8, 2010, as amended through May 15, 2011).[9] http://www.iseprograms.com/lib/Trustwave_2012GlobalSecurityReport.pdf[10] http://web.archive.org/web/20071207173837/http://www.f-secure.com/2007/2/[11] http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east; http://www.crysys.hu/skywiper/skywiper.pdf[12] Cyber-warfare – The new battlefront for Defence Forces by Dr. Peter Holliday
    • [13] http://www.forbes.com/sites/simonmontlake/2012/10/08/u-s-congress-flags-chinas-huawei-zte-as-security-threats/;http://online.wsj.com/article/SB10000872396390443615804578041931689859530.html;http://www.reuters.com/article/2012/10/08/us-usa-china-huawei-zte-idUSBRE8960NH20121008[14] Guide to Intrusion Detection and Prevention Systems - http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf[15] http://www.wired.com/beyond_the_beyond/2011/12/42-major-countries-ranked-by-smartphone-penetration-rates/; http://www.thinkwithgoogle.com/mobileplanet/en/[16] CyberSecurity Challenges in Developing Nations –Dissertation by Adam C. Tagert 12/1/2010,Carnegie Mellon University[17] ―Russian Underground 101‖ by Max Goncharov, Trend Micro Incorporated Research Paper 2012 -http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf[18] ―2012 Programs‖ Presentation of the Undersecretary Louis Casambre, Executive Director of theInformation & Communications Technology Office of the Department of Science and Technology on 21June 2012 at the Chancery Hall of the US Embassy Manila.[19] IT-BPO Road Map 2011-2016 Business Processing Association of the Philippineswww.bpap.org/publications/breakthroughs?download[20] http://www.phcert.org/[21] http://www.ncc.gov.ph/default.php?a1=2&a2=5&a3=1&a4=PQRS&a5=114ABOUT THE AUTHORSSimoun is the current Vice Chairman of the Overseas Security Advisory Council of the U.S. EmbassyManila, a federal advisory committee under the State Department. He also serves as the Chairman of theSecurity Disaster Resource Group of the American Chamber of Commerce of the Philippines. He was aConsultant to the Office of International Policy and Special Concerns of the Department of NationalDefense and an Advisor to the Supreme Court. He was formerly with the Philippine Coast GuardAuxiliary 101st Squadron, where his last rank was Commander prior to retirement. He holds a Master ofBusiness Administration from the Ivey School of Business, University of Western Ontario, Canada, and aBachelor of Arts degree in Psychology and Economics from the University of British Columbia. He iscurrently the CEO and President of PVB Card Corporation, and the Vice Chairman of Bastion PaymentSystems in the Philippines, and serves at the boards of several listed firms, both in the Philippines andUnited States. Simoun has also been tapped as the speaker and lecturer for many engagements, includingthe Federal Bureau of Investigation and the National Defence College of the Philippines.Wilfred is the founding CEO and President of Bastion Payment Systems. He formerly worked at Unisysfor over a decade, where he was involved deeply as a senior systems architect on several notable ITprojects of the Philippine government including the National Statistics Office Census Registry System(CRS-ITP), Land Transportation Office, Philippine Ports Authority, and others. Beyond this, Wilfredalso worked on many international, government and financial sector projects in the United States, China,
    • Singapore, Hong Kong, Sri Lanka, Vietnam and Australia. Wilfred holds a Master of Science inComputer Science degree from De La Salle University, Manila (with high distinction), and a Bachelor ofScience in Computer Science from the same school. He is a Certified Rational Unified ProcessConsultant.Carlos is the current Chief Security and Operating Officer of Bastion Payment Systems. He was formerlythe assistant director at the Computer Center of the University of Santo Tomas, where he continues todayas a senior instructor for computer science. Carlos holds a Bachelor of Science in Computer Science fromChiang Kai Shek College Philippines and Masteral units from De La Salle University. He is a certifiedCisco Networking Academy Instructor, and a Microsoft Certified Professional.