Archive for the ‘InfoSec Trends’ Category

NIST Issues Three Security-Related Draft Publications

Wednesday, September 6th, 2006

The National Institute of Standards and Technology released three new drafts of security-related special publications today. They cover e-mail security, intrusion detection and prevention, and securing Web services and applications.

The first is called “Guidelines on Electronic Mail Security,” an update to SP 800-45 released in 2002. The guide includes policy suggestions for deploying and configuring e-mail servers, training employees on security, and applying encryption. NIST will accept public comments on this publication at sp800-45a@nist.gov until Oct. 6.

The second publication is titled “Guide to Intrusion Detection and Prevention Systems.” It provides assistance to agencies for designing, implementing, configuring, securing, monitoring and maintaining IDP systems for an entire enterprise and smaller divisions. It also provides guidance for different network-based IDP systems. NIST will take comments at 800-94comments@nist.gov until Oct. 20.

The third publication, “Guide to Secure Web Services,” deals with Web services security, specifically in applications. It also details security features in Extensible Markup Language; Simple Object Access Protocol; and the Universal Description, Discovery and Integration protocol and related open standards. NIST will accept comments at 800-95comments@nist.gov until Oct. 30.

The DLDOS (Data Loss Database - Open Source)

Sunday, September 3rd, 2006

Since July of 2005, attrition.org has been tracking data loss and data theft incidents not just from the United States, but across the world.

Attrition.org’s archives go back to the year 2000, and with over 142 MILLION records compromised in over 300 incidents across six years, we would finally like to introduce a very basic and rudimentary database that will assist others in tracking these incidents.

DLDOS (Data Loss Database - Open Source) is a simple flat comma-separated value file that can be imported into your database of choice, whether it be MySQL, Microsoft Access, or Oracle (good luck). We provide the date, the company that reported the breach, the type of data impacted, the number of records impacted, third party companies involved, and a few other sortable items that may be of interest. At this point, attrition.org is not hosting an actual database itself, but the raw data is free and available for use as long as attrition.org is credited for the use of said data. Really, we’re not trying to be jerks, but if you’re going to use our data in your research, be it a web site or paper written for a commercial entity, just give us a shout out please.


NIST Issues Guidelines for Sanitizing Used Media

Sunday, September 3rd, 2006

The National Institute of Standards and Technology (NIST) has released Special Publication 800-88, “Guidelines for Media Sanitization.” The draft guide addresses sanitization techniques for magnetic, optical, electrical and other media types. NIST is careful to note that the “guide is intended to assist organizations and system owners in making practical sanitization decisions based on the type of information on their system media. It does not, and cannot, specifically address all known types of media; however, the described draft sanitization decision process can be applied universally to all forms of media and categorizations of information.”
http://www.fcw.com/article95849-08-30-06-Web&printLayout
http://csrc.nist.gov/publications/nistpubs/800-88/SP800-88_Aug2006.pdf

The 5th Annual Philippine IT Security Conference - MANILACON 2006: Progress@Risk

Tuesday, August 29th, 2006

5th Annual Philippine IT Security Conference
September 11- 12, 2006
Hotel Intercontinental
Makati City, Philippines 

This year’s 5th Information Systems Security conference and exhibit is dubbed: “ManilaCon 2k6:progress@risk” and is organized by the Information Systems Security Society of the Philippines (ISSSP), in cooperation with the Commission on Information and Communications Technology (CICT) and the National Security Council (NSC) towards the development and implementation of a National Cyber Security Strategy.

We need one to ensure the integration of public and private efforts to counter threats and institutionalize the protection of national and local cyber infrastructures and businesses.

We expect all security concerned CEOs, CIOs, Security Officers and Systems Administrators/Programmers to be more vigilant in securing cyberspace, not just for the protection of their respective enterprises but for the protection and security of all those existing and doing business in cyberspace.

This conference and exhibit is designed to kick-start this national effort and concern.

To join, please see the details of the program schedule and delegate fees below.

For registration or more information, please call Ellen at the ISSSP Secretariat telefax no. 750-3742 or mobile 0920-2413954. Or send email to isssphil[at]yahoo.com. You may also visit http://www.isssp.org.ph/ for other details of this conference and exhibit and/or to register online.

Signed:

AMADO A. MALACAMAN, JR., President – ISSSP

Angelo Timoteo M. Diaz De Rivera, Commissioner – CICT


Vulnerability Assessment Services May be Ripe for SaaS

Wednesday, August 23rd, 2006

Qualys is trying to do for hosted security services what Salesforce.com did for hosted CRM. The company offers a SaaS (Software as a Service) product that monitors a customer’s networks and identifies potential vulnerability points. It’s called vulnerability assessment and, in this age of regulation and compliance, it’s a pretty compelling offering. Matt Hines has an article on hosted security on ExtremeNano.com that talks about how enterprise objections to hosted security services are breaking down.

Paul Gillin spoke to a Qualys customer at Marine Corps Community Services, which oversees a sprawling network of facilities and services for U.S. Marines, who raved about the benefits of the hosted vulnerability assessment. You’d think the Marines would have pretty good internal security monitoring in place, but this user said Qualys found several major vulnerabilities that his IT organization was unaware of. Also, since the Qualys service operates constantly in the background, new vulnerabilities introduced by changes to the network are flagged immediately. You don’t get that if you do your internal assessment only every six months or so.

The ExtremeNano article cites a few other companies that are trying to break into this market. It could be that this will be the first part of the corporate infrastructure market to get penetrated by SaaS companies.

This could be a big opportunity for the Philippines to break into the information security side of outsourcing. The Philippines has a lot of very talented professionals who are adept in the field of information security. The Philippine local information security community should look into this to showcase the talents of our local infosec professionals.

Source: Computerworld — Software as a Service