

This article was submitted for publication in the National Security Review Journal.


Page 1: The Evolving Landscape on Information Security

THE EVOLVING LANDSCAPE ON INFORMATION SECURITY

By: Wilfred G. Tan , Carlos T. Tengkiat & Simoun S. Ung

31 October 2012

INTRODUCTION

We all have a preconceived notion of information technology security; however, for many organizations this value is subjective because there is an accepted level of risk. This is not to imply that a particular organization is unaware of the value of security; it may simply be that the organization needs to weigh the allocation of its resources for security against the value of the asset being protected.

A large number of organizations, as evidenced by strong growth and interest in security standards such as PCI-DSS [1], either depend on or follow guidelines set forth by government institutions and standards bodies. Conventional wisdom dictates that following guidelines is normally a good approach. As a security officer, planner or executive, one should always consider going beyond the existing standard and be reminded that security standards are developed in response to incidents that have already been recorded. Moreover, security standards take time for the standard-setting bodies to create, review, approve and implement. Security is a living practice and needs proper attention, time and consideration.

Laying out and maintaining a comprehensive cyber security plan not only requires expertise, but also involves careful thought, assessment, and constant refinement and adjustment. In addition, legal frameworks differ from country to country; therefore, best practices in one country are not directly portable to another, even within similar industries. Unlike more traditional crimes such as theft and robbery, the specific rules and regulations for cyber-security and cyber-crime related incidents are varied at best.

Computer security related incidents have risen significantly over the past decade [2] and there is every indication that this trend will continue for the foreseeable future. The Global Security Report of Trustwave [3] presents the origin of cyber-attacks: Russia leads the statistics with 29.6% in the data [3]. However, because 32.5% of all attacks are of unknown origin, it is just as likely (or equally unlikely) that any one nation is the single source or culprit of all of the incidents. Pinpointing the location in a timely manner is very difficult, if not impossible, given that today's technology allows users to connect to the Internet through anonymous proxies, which further compounds the problem.


This article is written for non-technical executives and policy makers, whose responsibilities require them to interact with information security professionals, as a primer on the current landscape of information security as well as its likely evolution. Security professionals and practitioners are already well-versed in the material contained herein. The paper examines the motivation behind cyber-attacks, followed by a survey of common threats and attack variants. It then presents the popular defensive strategies, followed by a discussion of future challenges and developments.

MOTIVATION

Behind all threats and cyber security breaches are either individuals or organizations. Cyber security incidents do not occur in a vacuum. Generally, the motive behind a cyber-attack can be classified as follows: personal reasons, unlawful profiteering, corporate or national interests, and other purposes.

Personal Reasons

Personal reasons for conducting a cyber-attack include peer recognition, revenge, personal gain or satisfaction, and even curiosity. Some intruders derive a perverse sense of fun from conducting the attack and revel in the psychic income of notoriety.

Unlawful Profiteering

Perhaps the most common motivation for conducting a cyber-attack is financial gain. The primary goal of fraud is to gather information that can be used to access the funds of other entities for illicit proceeds. Popular targets include savings accounts and payment card data (debit and credit). Organized criminal syndicates are the primary perpetrators of these attacks. Unfortunately, the skill and savoir-faire developed are often adopted for use in cyber-terrorism and other cyber-attacks.

Although there is no data for the Philippines, a study conducted by eWEEK Europe in 2010 [4] on a simulated auction of stolen data determined that the relative value of data is primarily determined by the purchaser. The end goal remains the same: obtain information through illegal and fraudulent means which can be used for financial gain. Information itself has become a commodity; it can be traded, bought and sold.

Corporate or National Interests

The strategic objectives of a corporation or nation-state are sometimes achieved by attacking others using cyber-warfare capabilities. The intent may be to disable a nuclear enrichment program or a more mundane purpose such as spying on, stealing or subverting a rival's plans and secrets.

In mid-2010, Stuxnet was discovered. The singular target of this worm was to disable and destroy Siemens industrial equipment that was specifically used to control centrifuges producing nuclear material for a fissionable weapon. According to a study by Symantec in August 2010 [5], 60% of the computers infected by Stuxnet were in Iran, suggesting a highly 'targeted' operation. The worm's sophistication and intelligence suggested a nation-state level of sponsorship; speculation was rife that United States and Israeli forces were at least partially responsible for the development and deployment of the worm. [5]

THREAT EVOLUTION

Approaches to attacks have evolved over time, adapting to developments in technology. Tools for exploiting systems have evolved considerably; likewise, tools for testing and exploiting vulnerabilities are readily available in the market. There are even freely available attack platforms that, ironically, were intended to test the security of a system. Several of the more common threats are outlined below: physical, cyber-stalking, social engineering, phishing, distributed denial of service, network attacks and malware.

Physical

In the 1980s, the common practice was to actually go onto the premises of the target company or to harvest data from unprotected sources. Criminals would find ways to physically obtain storage media or hardcopies of data. Dumpster diving, or the sifting through garbage and trash to find bits and pieces of information, is still practiced today. The careless disposal of seemingly innocuous information such as an obsolete version of an information security plan, PIN mailers, passwords, social security numbers, et cetera can facilitate an attack via social engineering or phishing.

Today, practices have improved to include tapping into data cabling that is accessible from unsecured areas and accessing unlocked, accessible computer servers and systems. It is still a common occurrence for unencrypted, sensitive data to be lost or stolen from physical media such as USB flash drives, laptops and cellular phones.

Cyber-Stalking

Cyber-stalkers assault their victims using electronic communication: email, instant messaging (IM) and/or posts to a website or discussion group. While most cyber-attacks target an organization, cyber-stalking tends to be of a more personal nature. Cyber-stalkers typically gather personal and private information about their target, then send them harassing or threatening messages.

Trolling is a form of cyber-stalking in which negative posts, comments or other defamatory statements are made which are injurious to the reputation or emotional health of the victims. When committed by more than one individual, trolling is also known as cyber-bullying. Sadly, there are cases involving teens which have resulted in the victims committing suicide.

Social Engineering

A social engineering cyber-attack involves the manipulation of people into performing certain actions that can compromise security; this requires a solid understanding of human responses and behaviour. Although physical contact is not necessary, some form of trickery to gain the confidence of the target is employed. A social engineering attack occurs in two phases: information gathering, then the pretext stage in which a believable story is crafted in order to earn legitimacy and gain the trust of the target.


Social engineering is not strenuous on the attacker, thus it is normally employed in conjunction with other forms of cyber-attack. The insertion of malware into otherwise hardened, secure systems is a common combination with social engineering. Many enterprise systems are well protected and require significant time and effort to breach. However, if the attackers are able to use social engineering to insert physical media such as USB flash drives into the internal network, then all the external defences are immediately bypassed.

Based on a recently conducted social engineering study [6], companies with well-implemented security awareness protocols are more resistant to social engineering tactics. Participants in the oil industry fared better compared to less security aware industries like retail. The study's questions were designed to expose the security design and architecture of the respondent's organization:

The study [6] revealed that certain data can be harvested from the internet itself. Researchers were able to utilize the data culled from the internet in their social engineering tasks to profile a target's internal security implementation. The table below displays the details gathered from the questionnaire above in blue, while the additional information garnered from the internet is shown in red:

Recently, face-to-face social engineering tactics have been increasing; this is disquieting since it may expose the targeted individual to physical danger.

Phishing

Phishing is an email-based fraud method using legitimate-looking email designed to gather personal and financial information from its targets. By crafting emails that blend a false premise with spoofed, trustworthy-looking websites, attackers encourage victims to click on links, send information and otherwise respond. The attackers then use social engineering techniques to extract personal and financial information. Since emails are generally from an external source, incorporating dangerous payloads in the message requires negligible effort. There are several types of phishing techniques:

Phishing – Emails are masqueraded so as to obtain usernames and passwords from the users via electronic communication.

Spear Phishing – Phishing targeted at specific individuals; personal information on the target is gathered to increase the probability of success.

Clone Phishing – A previously legitimate and delivered email is used as a template and cloned; the cloned email, with links and attachments modified, is resent to the victim. This method exploits the social trust between the parties that sent the email.

Whaling – Phishing targeting high profile victims.

Phishing is not restricted to electronic information nor to electronic communication channels. Some phishing emails contain telephone numbers, purporting to be customer service; the unsuspecting victim is lured to call and unwittingly give personal information that can later be used by the attacker. One of the best known phishing emails is the "Nigerian scam." Although there are many variations, the content is essentially the same, with the sender pretending to have access to a large amount of funds and requiring the assistance of the victim to gain access to the said funds:

FROM: MR DAN PATRICK. DEMOCRATIC REPUBLIC OF CONGO.
ALTERNATIVE EMAIL: ([email protected]).

Dear Sir,

SEEKING YOUR IMMEDIATE ASSISTANCE. Please permit me to make your acquaintance in so informal a manner. This is necessitated by my urgent need to reach a dependable and trust wordy foreign partner. This request may seem strange and unsolicited but I will crave your indulgence and pray that you view it seriously. My name is. DAN PATRICK of the Democratic Republic of Congo and One of the close aides to the former President of the Democratic Republic of Congo LAURENT KABILA of blessed memory, may his soul rest in peace. Due to the military campaign of LAURENT KABILA to force out the rebels in my country, I and some of my colleagues were instructed by Late President Kabila to go abroad to purchase arms and ammunition worth of Twenty Million, Five Hundred Thousand United States Dollars only (US$20,500,000.00) to fight the rebel group. But when President Kabila was killed in a bloody shoot-out by one of his aide a day before we were schedule to travel out of Congo, We immediately decided to divert the fund into a private security company here in Congo for safe keeping. The security of the said amount is presently being threatened here following the arrest and seizure of properties of Col.Rasheidi Karesava (One of the aides to Laurent Kabila) a tribesman, and some other Military Personnel from our same tribe, by the new President of the Democratic Republic of Congo, the son of late President Laurent Kabila, Joseph Kabila.

In view of this, we need a reliable and trustworthy foreign partner who can assist us to move this money out of my country as the beneficiary. WE have sufficient ''CONTACTS'' to move the fund under Diplomatic Cover to a security company in the Europe in your name. This is to ensure that the Diplomatic Baggage is marked ''CONFIDENTIAL'' and it will not pass through normal custom/airport screening and clearance. Our inability to move this money out of Congo all This while lies on our lack of trust on our supposed good friends (western countries) who suddenly became hostile to those of us who worked with the late President Kabila, immediately after his son took office. Though we have neither seen nor met each other, the information we gathered from an associate who has worked in your country has encouraged and convinced us that with your sincere assistance, this transaction will be properly handled with modesty and honesty to a huge success within two weeks. The said money is a state fund and therefore requires a total confidentiality.

Thus, if you are willing to assist us move this fund out of Congo, you can contact me through my email address above with your telephone, fax number and personal information to enable us discuss the modalities and what will be your share (percentage) for assisting us. I must use this opportunity and medium to implore You to exercise the utmost indulgence to keep this Matter extraordinarily confidential, Whatever your Decision, while I await your prompt response. NOTE: FOR CONFIDENTIALITY, I WILL ADVISE YOU REPLY ME ON MY ALTERNATIVE EMAIL BOX ([email protected]).Thank you and God Bless.

Best Regards,
MR DAN PATRICK.


Distributed Denial of Service (DDOS)

DDOS is one of the older forms of attack that is still popular today. In a DDOS attack scenario, the victim typically finds that their system slows to a crawl or is unable to respond at all. There are several commonly used variants, such as ICMP flooding, SYN flooding, Teardrop, and others. The defining aspect of DDOS attacks is the rendering of the target system crippled or inoperable, thereby denying service to the system's legitimate users. As recently as mid-2012, DDOS attacks against major financial institutions such as HSBC, Bank of America, and JP Morgan Chase were recorded. [7]

The duration and severity of the attack depend on the number of zombies, or slave computers, used by the attacker, and the resiliency of the target computer(s) to withstand the attack. A DDOS attack may be used in conjunction with other attacks to exploit vulnerabilities exposed while the DDOS attack is in progress; sometimes, a DDOS attack is a diversionary tactic to enhance the probability of success of other attack methods. Major disruptions to critical infrastructure like defense, utilities and banking result not merely in inconvenience due to loss of services but in significant financial and economic losses.

Network attacks

The U.S. Department of Defense refers to network attacks as "… actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves." [8] If an attacker successfully connects to the network of the target, innumerable opportunities to launch attacks are made available.

Common mistakes in network security are weak, default or non-existent administrator passwords. Moreover, ill-designed networks also allow easy access to database servers, the usual targets for data mining. Attackers can use SQL injection, in which direct SQL text is encoded as part of the attack stream, in an attempt to subversively access a back-end database system.
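To make the SQL injection point concrete, here is an added example (written for this edit; not from the paper and not any product's code): a constructed in-memory user table queried two ways, once by splicing the caller's text into the SQL string and once with a bound parameter. The table, its rows and the tautology input are all constructed for the demonstration.

```python
# Added example (not from the paper): a user lookup that splices caller text
# directly into SQL, beside the parameterised form that keeps the text as data.
# The database, rows and test input are constructed for this demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string concatenation: whatever the caller sends
    becomes part of the SQL text and is interpreted by the database."""
    query = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Uses a bound parameter: the driver passes the value separately from the
    statement, so the database never interprets it as SQL."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology text, constructed here only to show the behavioural gap:
# spliced in, it turns the WHERE clause into "name = '' OR '1'='1'".
INJECTED_NAME = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_user_vulnerable(db, INJECTED_NAME))  # every row
    print("safe:      ", lookup_user_safe(db, INJECTED_NAME))        # no rows
```

The same input returns the whole table through the first function and nothing through the second, which is the difference parameterised queries make.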

Malware

The current trend of cyber-attacks is predominantly associated with malware. Trustwave defines malware as "… often purposefully designed to capture and extricate data, provide remote access, or automate compromised systems into a botnet — or to just cause general mayhem." [9] Malware comes in a myriad of types and varieties. The common categories known today include computer viruses, worms, trojan horses, spyware, adware and rootkits.

Entire software product suites and solutions have been created to combat malware. However, malware has evolved and continues to do so; it is constantly being updated to meet the challenges of exploiting new vulnerabilities and avoiding detection by users and by third-party security products. This accounts for the discouraging statistics that show infections often go undetected. The popularity of malware as an attack vector is evident in the fact that the number of malware samples created in 2007 alone equalled the combined total of the previous twenty years. [10]

Malware is used with great efficacy to achieve a beachhead in infiltrating systems. Some of the recent incidents involving malware are listed below:


Flame

Discovered by the Iranian National Computer Emergency Response Team (CERT), Kaspersky and CrySyS Lab, Flame is widely considered one of the most sophisticated pieces of malware ever created. [11] It spreads via local area network or USB. Infected computers act as a Bluetooth beacon and attempt to harvest contact information from nearby Bluetooth-enabled devices. At twenty megabytes, Flame is uncharacteristically large for malware. Its capabilities include recording of audio, keystrokes, screenshots and Skype conversations; thus Flame is deemed a cyber-espionage tool.

RSA Breach

RSA experienced a security breach in 2011. [12] The attack vector was an email sent to an employee with an Excel attachment that contained malware. This malware exploited vulnerabilities in Adobe Flash and installed a variant of Poison Ivy, a common remote administration tool. The attackers then obtained critical information including the SecurID token seeds and algorithm designs used by RSA; consequently, the RSA security tokens were rendered vulnerable to exploitation. This directly resulted in cyber-attacks against Lockheed Martin and L3 Communications, both US military contractors.

Malware has proven to be a very effective and potent tool for cyber-attacks and its continued use will foster further evolution in sophistication and complexity. Organizations should take steps to detect and eradicate malware; depending solely on the hardening of perimeter defense to prevent malware from infiltrating an organization is a common fallacy.

Common Defensive Strategies

Information security personnel and teams tend to use several common defensive strategies. Unfortunately, there is no perfect defensive strategy; therefore, to be effective, a defensive strategy must be continuously upgraded and assessed against the constantly evolving cyber-attack mechanisms and methodologies.

Physical

There are numerous physical defensive strategies; the most common are the following:

1. Deployment of access systems secured by biometric, ID card, PIN and/or a combination thereof;
2. Closed circuit TV (CCTV) security cameras; and
3. Doors, cages, locks and man-traps.

One of the simplest and most cost-effective strategies is to locate critical servers and systems in a secure facility; failing that, the servers and systems should be locked in a cage to prevent unauthorized tampering and access.

Education, Awareness and Security Policies

One of the most effective tools to implement or improve security is education and awareness. Increasing awareness among the staff, peers, management and other employees is crucial in building support towards implementation of an effective defensive strategy. Unfortunately, countless executives fail to appreciate the value of security; security seems to be an afterthought at best, rather than a critical factor designed into systems and procedures. Part of the education and awareness process involves formulating, disseminating and implementing security policies. This is one of the most effective shields against social engineering attempts, as it reduces the chances of an employee being fooled into divulging crucial information.

The value of information security is not apparent until after an intrusion or breach occurs. Once such an event occurs, organizations suffer at the minimum reputational damage. Oftentimes, banks and other financial institutions prefer to pay off the perpetrators in order to preserve their image, since the loss of confidence in their security could cost them their entire client base.

PREVENTION

The old adage, "an ounce of prevention is better than a pound of cure", is certainly applicable to information security. Pro-active measures implemented to prevent a cyber-attack are more cost-effective than reactive security patches and hardware upgrades in response to a security incident.

In recent months, several Philippine government websites have been defaced. Most agencies repaired the damage within several hours then simply moved on. Popular sentiment was that since there is no physical harm done, such acts, while not condoned, should be tolerated as a form of expression. On the other hand, the U.S. Congress has enacted laws that consider any form of computer attack on any level against any U.S. government website as an act of war against the United States. Although defacing a website does not necessarily compromise any data, the economic cost and reputational damage of such attacks should be considered and an appropriate, measured response executed.

Anti-Virus / Anti-Malware

Anti-virus and anti-malware software packages are basic tools of the defensive trade. A properly updated program helps secure the systems and protects users when they inadvertently browse or visit pages with malicious content. Most popular packages now include features and functionality to help protect a web browser.

Patch Management

There is no perfect software. As such, the software industry relies heavily on patches or upgrades to address flaws in the design, implementation, or performance of the software. Malware exploits known flaws in the installed software to subvert and ultimately gain control over a machine. Therefore, as a defensive strategy, applying patches to the operating system, anti-virus, anti-malware, and other applications helps safeguard computer systems by fixing the known flaws and vulnerabilities. Beyond the issue of intellectual property rights, this is the most important, self-serving incentive to procure properly licensed software, as it guarantees that there will be support and maintenance. With open-source software, it is critical to implement a maintenance cycle to ensure that any bugs or vulnerabilities in the software are patched quickly and consistently.


Firewalls

Firewalls are network devices that filter traffic; they attempt to segregate public or open traffic that exists beyond the organization's network perimeter. Firewalls range from the basic models that protect a home network, costing a few thousand pesos, to enterprise versions costing several millions. There are many brands of firewalls from manufacturers such as Cisco, Juniper, Checkpoint, Fortinet, Huawei and ZTE, among others. Of special interest lately is the position of the Congress of the United States that Huawei and ZTE pose a security threat. [13]

A properly configured and maintained firewall defends against many threats. It is a key component in many security strategies implemented today. Ensuring that the firewall is properly patched is another important key to having a good defensive strategy.

Regular Testing and Backups

Regular tests of information security systems are crucial in maintaining readiness. Internal and external penetration tests, scans, and verification procedures all contribute towards ensuring that systems are configured properly. Regular backups are akin to buying insurance. Failures are an unavoidable part of the human experience and information systems are not exempt. Having a ready backup is no longer a luxury but a necessity.

Intrusion Detection Systems/Intrusion Prevention Systems

Intrusion detection and intrusion prevention systems (IDPS) are a class of devices that came to the forefront of the defensive arsenal about a decade ago. Such devices are capable of detecting incidents by monitoring events or inspecting packets and, at the start of an incident, triggering some automated response, including reconfiguration of firewalls, sending out alerts by SMS or email, locking down ports, et cetera. Most systems in the market today involve the deployment of hardware appliances (a few are software-based), and these are usually installed in-line either behind or adjacent to the firewall(s) in an organization's network. NIST [14] lists four types of technologies available today:

1. Network-based: examination and detection based on network segments, or network and application protocol.
2. Wireless: examination of wireless network traffic.
3. Network behaviour analysis: examination of system-wide behaviour including the sudden rise of packets, policy violations, et cetera.
4. Host-based: limited to single host examination and events linked to the single host.

IDPS are useful in detecting and identifying potential incidents. Therefore, they are an indispensable tool in the defensive toolkit of many information security managers. An IDPS provides intrinsic value by adding automated detection, logging, recording, and monitoring capabilities to an organization, when configured and maintained properly.
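As an added illustration of the "network behaviour analysis" category above (example code written for this edit, not from the paper and not from NIST or any IDPS product), the following sliding-window check flags a source whose rate of TCP SYN packets jumps above a baseline, which is how the SYN flooding mentioned in the DDOS section shows up at packet level, and then turns the alert into the kind of firewall reconfiguration the paper describes. The packet records, addresses, thresholds and rule text are constructed for the demonstration.

```python
# Added example (not from the paper): a network-behaviour-analysis style check
# that an IDPS could run over captured packet metadata. It counts SYN-only
# packets per source inside a sliding window and alerts when a source exceeds
# a baseline. All packet records below are constructed sample data.
from collections import defaultdict, deque

# (timestamp_ms, source_ip, destination_port, tcp_flags); "S" = SYN only, "A" = ACK
SAMPLE_PACKETS = [
    (0, "10.0.0.5", 443, "S"), (40, "10.0.0.5", 443, "A"),          # normal handshake
    (900, "10.0.0.7", 80, "S"), (950, "10.0.0.7", 80, "A"),
    (1500, "10.0.0.5", 443, "S"), (1540, "10.0.0.5", 443, "A"),     # same client again
]
# Constructed burst: one external source sends 40 SYNs, 50 ms apart, and never ACKs.
SAMPLE_PACKETS += [(2000 + i * 50, "203.0.113.9", 80, "S") for i in range(40)]


def detect_syn_floods(packets, window_ms=1000, max_syns_per_window=10):
    """Return one alert per source the first time its SYN rate exceeds the limit.

    Only SYN-only packets are counted: a client completing a handshake sends an
    ACK, a flood source typically never does. Each alert is
    (timestamp_ms, source_ip, syn_count_in_window).
    """
    recent = defaultdict(deque)   # source -> timestamps of its SYNs still in the window
    alerted = set()
    alerts = []
    for ts, src, _port, flags in sorted(packets, key=lambda p: p[0]):
        if flags != "S":
            continue
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_ms:   # drop SYNs that aged out
            window.popleft()
        if len(window) > max_syns_per_window and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, len(window)))
    return alerts


def firewall_block_rules(alerts):
    """Turn alerts into the automated response the paper mentions: a list of
    sources to drop at the firewall. The rule text is illustrative, not the
    syntax of any particular firewall."""
    return [f"drop tcp from {src}" for _ts, src, _count in alerts]


if __name__ == "__main__":
    found = detect_syn_floods(SAMPLE_PACKETS)
    for ts, src, count in found:
        print(f"t={ts} ms: {src} sent {count} SYNs within 1 s")
    print(firewall_block_rules(found))
```

The two ordinary clients never exceed the baseline; the burst source is flagged on its eleventh SYN, half a second into the burst, which is the "sudden rise of packets" the NIST category refers to.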


Outsourcing of information security

Within the Philippine context, many organizations, including government agencies, do not have the budget, expertise or capability internally to properly secure their information systems. Accordingly, to properly prepare for a cyber-attack, organizations may resort to outsourcing, analogous to the deployment of private security guards for the protection of physical assets.

There is a prevailing misconception regarding the role of law enforcement in information security. By definition, law enforcement agencies provide post-incident investigation, apprehension and filing of charges against suspected perpetrators. Their responsibilities do not include ensuring an organization's systems are safe and secure. Typically, a Computer Security Incident Response Team (CSIRT) or a Computer Emergency Response Team (CERT) is engaged to assist an organization to prepare, simulate cyber-attacks and conduct post-assessments of information security systems.

FUTURE DEVELOPMENTS AND CHALLENGES

Current technological trends are likely to continue in the foreseeable future. With the rapid and accelerating pace of change in technology, a discussion of the pervasive technologies and their prospective impact on information security is warranted.

Mobile technology

Today's smartphones are truly mobile computers; some have greater processing power than desktops from less than a decade ago. Penetration rates in more advanced countries have exceeded 50% and have reached 78% in the United States. [15] This trend will rapidly be replicated in emerging markets like the Philippines, particularly with the commonplace availability of smartphones retailing for less than one hundred US dollars.

With the advent of mobile commerce and the Philippine propensity for rapid adoption of mobile phones, there will be a host of new, unforeseen security challenges. This will be accelerated by the deployment of LTE by the local telecommunication carriers, empowering mobile broadband. Compounding the security challenges with mobile is the lack of a legal framework and the non-existent registry of mobile SIM cards: attackers utilizing a mobile platform will enjoy even greater anonymity.

Early malware on mobile platforms was largely limited by the fragmented, proprietary operating systems that ran the previous generation of phones. The industry has since consolidated to four major mobile platforms: Apple's iOS, Google's Android, Windows Mobile and BlackBerry. With this convergence, the mobile platform presents a tantalizing target for cyber-attackers. There have been numerous incidents of social engineering in which deceptive messages are sent to victims asking them to send money to process their contest winnings, or to help a friend or relative in a supposed emergency.


Video/Voice Over IP (VOIP)

Skype™ was one of the pioneers that allowed people to make voice calls, and later video calls, for free over IP technology. Nowadays, multi-party video conferencing is commonplace. The National Telecommunication Commission has been issuing VOIP licenses for several years already. From an implementation and technology angle, VOIP is terrific: it provides clear communications enabled by constantly improving compression technology. A commercialized form of 3-D hologram communication may soon be achievable.

Cyber-attackers recognize networks carrying voice and video data as an attractive target. A Brazilian CERT noticed an upsurge in scanning for VOIP traffic in its honeypot network [16]. Intruders that gain access to a VOIP system would potentially be able to monitor, access and even reroute all communications made through it.
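The scanning that the Brazilian CERT observed is visible in a honeypot's own request log, and two simple measures reproduce both halves of the observation: a single source probing many SIP extensions in a short window (an enumeration scan), and a day on which the number of distinct probing sources jumps well above the mean of the preceding days (an upsurge). The Python below is an added example written for this page; it is not code from the article's authors or from any CERT. The log line format, the IP addresses and the thresholds are all constructed for the demonstration.

```python
"""Flag SIP (VoIP) scanning in honeypot logs and day-over-day upsurges.

Added example for this page, not code from the article's authors or any CERT.
The log format is constructed for the demonstration: one line per SIP request
received by the honeypot, "ISO-8601-timestamp source-ip METHOD request-uri".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample honeypot lines (documentation IP ranges, not real traffic).
# Three quiet days, then a day on which one source enumerates extensions
# 100-105 within seconds and several new sources appear.
SAMPLE_LOG = """\
2012-09-28T08:00:01Z 198.51.100.5 OPTIONS sip:100@honeypot.example
2012-09-29T09:12:44Z 198.51.100.9 REGISTER sip:200@honeypot.example
2012-09-30T07:58:10Z 198.51.100.5 OPTIONS sip:100@honeypot.example
2012-10-01T03:00:00Z 203.0.113.7 OPTIONS sip:100@honeypot.example
2012-10-01T03:00:01Z 203.0.113.7 OPTIONS sip:101@honeypot.example
2012-10-01T03:00:02Z 203.0.113.7 OPTIONS sip:102@honeypot.example
2012-10-01T03:00:03Z 203.0.113.7 OPTIONS sip:103@honeypot.example
2012-10-01T03:00:05Z 203.0.113.7 OPTIONS sip:104@honeypot.example
2012-10-01T03:00:08Z 203.0.113.7 OPTIONS sip:105@honeypot.example
2012-10-01T04:30:00Z 203.0.113.8 INVITE sip:1000@honeypot.example
2012-10-01T04:30:09Z 203.0.113.8 BYE sip:1000@honeypot.example
2012-10-01T05:15:22Z 203.0.113.9 REGISTER sip:300@honeypot.example
2012-10-01T08:00:03Z 198.51.100.5 OPTIONS sip:100@honeypot.example
2012-10-01T08:00:04Z 198.51.100.5 OPTIONS sip:101@honeypot.example
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+"
    r"sip:(?P<user>[^@\s]+)@"
)

# Methods typically used to discover hosts and enumerate extensions.
PROBE_METHODS = {"OPTIONS", "REGISTER", "INVITE"}


def parse_line(line):
    """Return (timestamp, src_ip, method, target_user) or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["method"], m["user"]


def find_scanners(lines, window=timedelta(seconds=60), min_targets=5):
    """Sources that probe at least `min_targets` distinct extensions within any
    `window`; returns {src_ip: set of all extensions that source probed}."""
    events = defaultdict(list)  # src_ip -> [(timestamp, user), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in PROBE_METHODS:
            events[parsed[1]].append((parsed[0], parsed[3]))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window from each event
            users = set()
            for t, user in evs[i:]:
                if t - t0 > window:
                    break
                users.add(user)
            if len(users) >= min_targets:
                scanners[src] = {u for _, u in evs}
                break
    return scanners


def daily_probe_sources(lines):
    """Distinct probing source IPs per UTC day: {"YYYY-MM-DD": count}."""
    per_day = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in PROBE_METHODS:
            per_day[parsed[0].date().isoformat()].add(parsed[1])
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def upsurge_days(per_day, factor=3.0, min_baseline_days=2):
    """Days whose distinct-source count exceeds `factor` times the mean of all
    earlier days; the first `min_baseline_days` only build the baseline."""
    flagged, history = [], []
    for day, count in sorted(per_day.items()):
        if len(history) >= min_baseline_days:
            baseline = sum(history) / len(history)
            if count > factor * baseline:
                flagged.append(day)
        history.append(count)
    return flagged


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for src, users in find_scanners(log_lines).items():
        print(f"scanner {src}: {len(users)} extensions probed")
    counts = daily_probe_sources(log_lines)
    print("distinct probing sources per day:", counts)
    print("upsurge days:", upsurge_days(counts))
```

The two measures are deliberately kept apart: the per-source window catches an individual enumeration scan even on a quiet day, while the per-day baseline catches the broader trend the CERT reported even when every individual source stays under the per-source threshold. Both thresholds are assumptions for the sample and would be tuned to the honeypot's normal background.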

Outsourcing cyber-attacks

Just as the protection of information systems is being outsourced to trusted professionals, cyber-attackers have also begun to resort to outsourcing. The Russian underground market in cybercrime is vibrant. The low cost of outsourcing various kinds of cyber-attacks is alarming; a sampling of the available services and their prices is listed below [17]:

Service                                  Price in US dollars
Hiring a DDoS attack                     $30 to $70 per day
Email spam                               $10 per million emails
Bots for a botnet                        $200 for 2,000 bots
ZeuS source code                         $200 to $500
Hacking a Facebook or Twitter account    $130
Hacking a Gmail account                  $162
Scans of legitimate passports            $5 each
Traffic                                  $7 to $15 per 1,000 visitors from US and EU

As cyber-attacks continue to grow in sophistication, this outsourcing of cyber-attacks will not only continue unabated, but will likely escalate geometrically.

CONCLUSION

The notion of information security tends to be organization-specific. In the Philippine context, there is a relatively high tolerance for risk. Even within the defence establishment, some of the prevailing attitudes are best characterized by the tongue-in-cheek responses gathered in a series of interviews: "Our approach is security through obsolescence" and "It's only 1's and 0's anyways, who can read it?" With the pervasiveness of the internet and technology in human society today, and the resulting diminishing barriers of distance and geopolitical borders, information security must be everyone's problem and responsibility.


The Information and Communications Technology Office under the Department of Science and Technology has already set policy that information and communications technology must be governed, given its pervasive and essential nature in today's society [18]. The recent defacements of government websites should serve as a clarion call for imperative action. Perhaps because of the technical or rapidly evolving nature of the subject, some of the national leadership still do not recognize the gravity of the situation or, lamentably, simply choose to believe it will go away.

For some context within the Philippine environment, consider the IT-BPO industry, a sunshine and rapidly growing sector of the Philippine economy [19]:

                             2011           2012            2013
Industry revenues (USD)      $11 Billion    $13.6 Billion   $16 Billion
Full-time employees          638,000        772,000         926,000

How much loss, potential or otherwise, must the Philippine economy suffer before information security is considered a matter of national security? What is the impact on this single sector of a single cyber-attack or data breach, or a series of them, exacerbated by an inadequate response from government? Government and the private sector must work together to secure our national interest.

This article presented an overview of the current landscape of information security, moving from the motivations behind cyber-attacks to a review of current common threats and attack variants, then to a presentation of the popular defensive strategies, and ending with a forward look at future challenges and developments. Although technology and methodologies continue to evolve, the human factor, not rapid technological advancement, continues to be the biggest source of vulnerability:

- Many continue to blindly follow security standards set by governments and standards bodies without proper evaluation of their suitability for their own situation.
- Lax stewardship is the leading cause of security breaches in established organizations.
- Social engineering is still the most prevalent cause of data compromises.
- Senior leadership, especially at the national level, typically fail to recognize the critical nature of information security to their organizations until after a breach or other incident has occurred.

If the Philippines were to experience a cyber-attack today, there is no single office of primary responsibility within government to mount a coordinated response. At best, the country can only rely on the Philippine Computer Emergency Response Team (PHCERT), "... a non-profit aggrupation of Information Security Professionals providing Technical and Policy Advisory Services Pro Bono Publico." [20] The National Computer Center recognizes the limited programs and projects that PHCERT can support: "PHCERT ONLY accepts security incident reports from its members. Technical advise may be provided depending on volunteer availability. Forwarding and coordination to the appropriate law enforcement agency can also be done if the situation warrants or member organization desires to do so." [21] On the legal front, although the Philippines recently enacted the Cybercrime Prevention Act of 2012, Republic Act 10175, to empower law enforcement to better combat cybercrime, the Supreme Court issued a Temporary Restraining Order delaying its implementation by 120 days in response to questions about the constitutionality of certain provisions.


Information security is so pervasive that even a superpower like the United States and advanced societies like Japan, with relatively unlimited budgets, find it difficult to cope with the immense challenges. Government and the private sector must cooperate to make significant progress in this regard. Forging ahead, given the current landscape of information security and its likely progression, the Philippines must take two foundational steps to improve its information security:

1. Government must designate a single office of primary responsibility to prepare for, mitigate, and coordinate a response to cyber-attacks; and
2. Government and the private sector must work together to establish a pro-active, independent, fully-functional Computer Emergency Response Team (CERT) and/or Computer Security Incident Response Team (CSIRT).

Mabuhay!

REFERENCES

This article relied extensively on the collective knowledge-base and experience of the authors as well as sources from both the internet and printed material. Similar references were grouped together for brevity.

[1] http://blog.elementps.com/element_payment_solutions/2011/11/visa-releases-pci-compliance-level-stats.html

[2] http://www.pcworld.com/article/79303/article.html

[3] http://2011.appsecusa.org/p/gsr.pdf

[4] http://www.techweekeurope.co.uk/news/experts-admit-motivation-for-cyber-attacks-overlooked-6696

[5] http://www.symantec.com/connect/blogs/hackers-behind-stuxnet; http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-industrial-control-systems; http://www.airdemon.net/stuxnet.html; http://www.reuters.com/article/2010/09/24/security-cyber-iran-idUSLDE68N1OI20100924

[6] http://www.social-engineer.org/social-engineering-ctf-battle-of-the-sexes/

[7] http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/; http://nakedsecurity.sophos.com/2012/09/27/banks-targeted-ddos-attacks/; http://www.bloomberg.com/news/2012-09-28/cyber-attacks-on-u-s-banks-expose-computer-vulnerability.html; http://threatpost.com/en_us/blogs/historic-ddos-attacks-against-major-us-banks-continue-092712

[8] U.S. Department of Defense, Joint Publication 1-02: DOD Dictionary of Military and Associated Terms (November 8, 2010, as amended through May 15, 2011).

[9] http://www.iseprograms.com/lib/Trustwave_2012GlobalSecurityReport.pdf

[10] http://web.archive.org/web/20071207173837/http://www.f-secure.com/2007/2/

[11] http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east; http://www.crysys.hu/skywiper/skywiper.pdf

[12] Dr. Peter Holliday, "Cyber-warfare: The new battlefront for Defence Forces".

[13] http://www.forbes.com/sites/simonmontlake/2012/10/08/u-s-congress-flags-chinas-huawei-zte-as-security-threats/; http://online.wsj.com/article/SB10000872396390443615804578041931689859530.html; http://www.reuters.com/article/2012/10/08/us-usa-china-huawei-zte-idUSBRE8960NH20121008

[14] Guide to Intrusion Detection and Prevention Systems, http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

[15] http://www.wired.com/beyond_the_beyond/2011/12/42-major-countries-ranked-by-smartphone-penetration-rates/; http://www.thinkwithgoogle.com/mobileplanet/en/

[16] Adam C. Tagert, "CyberSecurity Challenges in Developing Nations", dissertation, Carnegie Mellon University, 12/1/2010.

[17] Max Goncharov, "Russian Underground 101", Trend Micro Incorporated Research Paper, 2012, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf

[18] "2012 Programs", presentation of Undersecretary Louis Casambre, Executive Director of the Information & Communications Technology Office of the Department of Science and Technology, 21 June 2012, Chancery Hall of the US Embassy Manila.

[19] IT-BPO Road Map 2011-2016, Business Processing Association of the Philippines, www.bpap.org/publications/breakthroughs?download

[20] http://www.phcert.org/

[21] http://www.ncc.gov.ph/default.php?a1=2&a2=5&a3=1&a4=PQRS&a5=114

ABOUT THE AUTHORS

Simoun is the current Vice Chairman of the Overseas Security Advisory Council of the U.S. Embassy Manila, a federal advisory committee under the State Department. He also serves as the Chairman of the Security Disaster Resource Group of the American Chamber of Commerce of the Philippines. He was a Consultant to the Office of International Policy and Special Concerns of the Department of National Defense and an Advisor to the Supreme Court. He was formerly with the Philippine Coast Guard Auxiliary 101st Squadron, where his last rank was Commander prior to retirement. He holds a Master of Business Administration from the Ivey School of Business, University of Western Ontario, Canada, and a Bachelor of Arts degree in Psychology and Economics from the University of British Columbia. He is currently the CEO and President of PVB Card Corporation and the Vice Chairman of Bastion Payment Systems in the Philippines, and serves on the boards of several listed firms, both in the Philippines and the United States. Simoun has also been tapped as a speaker and lecturer for many engagements, including the Federal Bureau of Investigation and the National Defence College of the Philippines.

Wilfred is the founding CEO and President of Bastion Payment Systems. He formerly worked at Unisys for over a decade, where he was deeply involved as a senior systems architect on several notable IT projects of the Philippine government, including the National Statistics Office Census Registry System (CRS-ITP), the Land Transportation Office, the Philippine Ports Authority, and others. Beyond this, Wilfred also worked on many international, government and financial sector projects in the United States, China, Singapore, Hong Kong, Sri Lanka, Vietnam and Australia. Wilfred holds a Master of Science in Computer Science degree from De La Salle University, Manila (with high distinction), and a Bachelor of Science in Computer Science from the same school. He is a Certified Rational Unified Process Consultant.

Carlos is the current Chief Security and Operating Officer of Bastion Payment Systems. He was formerly the assistant director at the Computer Center of the University of Santo Tomas, where he continues today as a senior instructor for computer science. Carlos holds a Bachelor of Science in Computer Science from Chiang Kai Shek College Philippines and Masteral units from De La Salle University. He is a certified Cisco Networking Academy Instructor and a Microsoft Certified Professional.