Justin David Pineda, C|EH Lyceum of the Philippines University (LPU) Batangas City, Batangas February 2, 2105 http://justinspeaks.wordpress.com

Present: Sr. Application Security

Specialist, The Coca-Cola Company

Faculty (Part-time), Asia Pacific College

Past

Security Analyst, Silversky

The need for information security Summary of security threats 2014 Balancing security in the industry Demand for information security

professionals Security certifications

Software Development – Creating a secure application

Network Administration– Deployment of firewalls, intrusion detection systems

Think about a security problem that must be solved and apply your CS skills.

April 2014

Security bug in OpenSSL cryptography library.

Results from improper input validation. Registered under CVE-2014-0160. Discovered by Canadian Cyber Incident

Response Centre. Approx. half a million web servers are

affected.

Heartbeat – extension for keep alive of secure communications

Problem: No bounds checking Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are

vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable

September 2014

Security bug used in UNIX bash shell Allows attacker to execute arbitrary

commands remotely to vulnerable versions. Registered under CVE-2014-627.

Affected systems:

Linux, BSD, and Mac OS X distributions

All unpatched Bash versions between 1.14 through 4.3 (i.e. all releases until now) are at risk.

Test on your system: env 'VAR=() { :;}; echo Bash is vulnerable!'

'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

Update Bash version.

Companies are starting to move their infrastructure in the cloud.

Caveats:

You lack control of the infrastructure.

You rely on a third-party implementation.

Reality: Smart devices are getting smaller and smaller yet more powerful than before.

Caveats: How will companies react?

Should they suppress the use of these devices?

What are the threats of these smart devices?

Issues on taking response when a security issue is reported.

For example, BayanPatrol, Hulicam etc. What should be the process for incident

response?

Very strict security policies

no USB’s or any removable media

limited websites that can be visited

not allowed to send non-work related e-mails using company e-mail

Need to change password every 30 days Password complexity Reusing of passwords are prohibited (min

days of password change required)

Relatively young in the PH High demand for security professionals Supply is relatively low compared to other IT

roles. Security Operations/Information Risk

Manager is starting to become an independent department.

IT Security is just a subset of Infosec IT Security:

Application Security – securing applications

Host Security – AV, personal firewall

Network Security – firewalls, anti-spam, intrusion detection systems

Physical security – external and internal controls

Personnel security – manage security guards Operational security – policies (e.g. no ID no

entry, AUP) Risk management – assessment, remediation Legal & Regulations – RA 8750, RA 10175

CS/IT doesn’t have a board exam. You need certifications to prove your

expertise. (getting a driver’s license) You need to practice what you learned. Certifications are internationally recognized. Certifications will help you professionally. Goal: Specialist to Management

Are we being watched?

Explore the cybercrimes Create meaningful laws that

would “really” benefit the public. Public, specifically Filipinos, must

be protected when transacting online.