
Events Held

Risk Assessment: Know Your Risks

Managing security risks is a continuing challenge because of the growing reliance on information technology. Although information technology brings the benefits of improved information processing and communication, it also increases the risks of computer intrusion, fraud and disruption. Organizations have been struggling to find efficient ways to ensure that they fully understand the information security risks affecting their operations and to implement appropriate controls to mitigate these risks.

Poor security program management is one of the major underlying problems. Serious and thorough planning is required to develop and manage an effective security program. Assessing risk is one of the elements in security management. Other elements include establishing a central focal point, implementing policies and controls, promoting awareness, and monitoring and evaluating policy and control effectiveness.

The first step organizations should take in developing an effective security program is to identify and rank the information security risks to their operations. Risk assessments ensure that all risks are identified and determine what actions are appropriate to mitigate them. The result of the risk assessment can be used as a basis for establishing appropriate policies and controls. All risk assessments generally include the following elements:

  1. Identify and estimate all critical and sensitive assets and operations, and the potential losses and costs if a threat materializes.
  2. Identify threats that could harm the organization and its assets.
  3. Estimate the likelihood that such threats will materialize.
  4. Identify cost-effective actions to mitigate or reduce the risk.

The result of the risk assessment is used to develop an action plan and will provide decision-makers with information needed to understand factors that can negatively impact the organization and make informed judgments concerning the controls and safeguards needed to reduce risk.

This talk is intended to help you to implement an ongoing information security risk assessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by the industry.

 

Email Security Awareness

With the advent of the Internet, companies are now taking advantage of cost-effective and time-efficient email as a tool for business communication. While email provides a low-cost means of communicating with customers, suppliers and partners, there are a number of security issues related to using email for such communication.

This talk describes the weaknesses of using email and shows how to issue policies that define acceptable use of email for business purposes. By attending this talk, you will become aware of security issues related to the use of email and how to overcome them.

To help you manage and use your email effectively, the following issues will be discussed:

  1. What is Electronic Mail?
  2. Weaknesses in Electronic Mail: Authentication, Integrity, Confidentiality and Repudiation.
  3. Sending Electronic Mail.
  4. Receiving Electronic Mail.
  5. Housekeeping your inbox.
  6. Receiving Misdirected Information by Email.
  7. Forwarding Email.
  8. Example Email Policy
 

Ethical Hacking Training 2003

The challenge of securing our information is increasing due to the coding ability of experienced hackers. These experts are able to create automated applications that contribute to the exploitation of network systems. Other hackers who may not possess the knowledge to code these applications are able to use them and launch attacks automatically. These exploit applications can be run easily by anyone with sufficient guidance.

These applications can be used by system administrators and security personnel to assess whether vulnerabilities present in their systems can be exploited. When they conduct checks on their own systems, or on other systems when asked to do so, they are conducting what is called a penetration test.

This course gives you the knowledge needed to use these applications to conduct successful penetration tests. Participants will also learn the different stages of conducting a penetration test and how to select the appropriate penetration testing tools. There will be live demonstrations of how these applications are used.

Course Content:

  1. Fundamentals of Network Security
  2. Vulnerabilities and Types of Attacks
  3. Penetration Test Methodology
  4. Building a Pen Test Toolkit
  5. Penetration Tools Demonstration
  6. Practical Demonstration on Conducting a Penetration Test
  7. Guided Session
  8. Evaluation and Exercise Session
 

Risk Assessment for Business and Security

Please email Mr Ian Wong (ian@SecureTangent.com) for presentation slides.

Topics of discussion:

  1. The Definition of Risk
    - What is Risk?
    - Ways to manage Risk
  2. Risk Assessment
    - What Is Risk Assessment?
    - FAQ on Risk Assessment
  3. Key Components in Risk Assessment
    - Risk Analysis
    - Asset Valuation
    - Safeguard Selection
  4. Getting Started in Risk Assessment
    - Identify your Assets
    - Ascertain your Risks
    - Prioritize your Vulnerabilities
    - Identify your Safeguards
  5. Demonstration of a Quantitative RA Tool
  6. Questions & Answers

Risk Assessment - Assess Risk & Determine Needs

Managing security risks is a continuing challenge because of the growing reliance on information technology. Although information technology brings the benefits of improved information processing and communication, it also increases the risks of computer intrusion, fraud and disruption. Organizations have been struggling to find efficient ways to ensure that they fully understand the information security risks affecting their operations and to implement appropriate controls to mitigate these risks.

Poor security program management is one of the major underlying problems. Serious and thorough planning is required to develop and manage an effective security program. Assessing risk is one of the elements in security management. Other elements include establishing a central focal point, implementing policies and controls, promoting awareness, and monitoring and evaluating policy and control effectiveness.

The first step organizations should take in developing an effective security program is to identify and rank the information security risks to their operations. Risk assessments ensure that all risks are identified and determine what actions are appropriate to mitigate them. The result of the risk assessment can be used as a basis for establishing appropriate policies and controls. All risk assessments generally include the following elements:

  1. Identify and estimate all critical and sensitive assets and operations, and the potential losses and costs if a threat materializes.
  2. Identify threats that could harm the organization and its assets.
  3. Estimate the likelihood that such threats will materialize.
  4. Identify cost-effective actions to mitigate or reduce the risk.

The result of the risk assessment is used to develop an action plan and will provide decision-makers with information needed to understand factors that can negatively impact the organization and make informed judgments concerning the controls and safeguards needed to reduce risk.

This talk is intended to help you to implement an ongoing information security risk assessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by the industry.

 

Business Computing Roundtable Dialogue

Secure Tangent organized a roundtable dialogue with Business Computing on 8th October 2002 at the JW Marriott Hotel. The purpose of this roundtable dialogue was to raise awareness of and commitment to information and network security in the dynamic context of the emerging Internet economy.

The Roundtable addressed and tabled some of the issues decision-makers face that delay the implementation of a safer and more secure environment for their businesses.

This high-profile dialogue featured key executives representing various industries in Malaysia: finance or service-oriented industry, IT security industry, SMIs, and the government. The participants shared and discussed their lessons learnt, challenges faced, best practices adopted and emerging trends in the adoption and implementation of IT and network security in Malaysia.

Topics of discussion:
  • IT and network security: Paranoia or Necessity.
  • Identifying the IT and network security threats faced by businesses today.
  • Talk of security has gone up, spending on IT security is still ? Why are CEOs not prioritizing IT security?
  • How to adopt a balanced approach to IT and network security as we position ourselves to make full use of the internet for wider business opportunities.
  • How to value the amount of security required vis-à-vis measuring the Return on Investment on security expenditure.

Security Insights 2002

Secure Tangent held its inaugural security seminar, titled "Security Insights 2002", on Mar 21, 2002 at the JW Marriott Hotel. We invited speakers from various security fields to share vital insights and knowledge on the latest issues and technologies in information security. The following were the individual seminar sessions provided by the respective speakers. Do feel free to download those slides permitted by the speakers.

Thomas Peltier, CISSP "Why Security Fails"
Deepak Pillai, Partner, Raghavji & Pillai "Legal, Forensics and Evidence Issues relating to Cybercrime"
Low Kok Leong, ISS, Inc. CISA. "Protecting Your Assets"
Justin Peltier, CISSP "Linux and WinX - Which is really more secure?"


 

How to Manage a Network Vulnerability Assessment

Secure Tangent held a security training course on "How to Manage a Network Vulnerability Assessment" on Mar 19-20, 2002 at the JW Marriott Hotel, Kuala Lumpur. We invited our US security experts from Peltier & Associates, Thomas Peltier and Justin Peltier, to conduct the above course locally. A course overview is provided below:

  • "How to Manage a Network Vulnerability Assessment"
    Any organization networking their computer systems has good cause to worry about intruders and other malicious activity. Intruders (both internal and external) are developing tools and sharing their knowledge with others that make protecting the network more difficult. Before implementing expensive barriers to protect the network, a network vulnerability assessment should be conducted.

    An effective assessment will evaluate the risks associated with your specific operating environment. The process should include an evaluation of existing control measures, the risks associated with processes in the current environment and recommendations for improving the protection of your organization's network.

  • Assessing Current Network Concerns
    The number of incidents reported to the Computer Incident Advisory Capability (CIAC) and the CERT Coordination Center has increased each year since its founding in 1988. We will examine current trends in network incidents. Using the information discussed, the attendees will work an exercise to identify and prioritize their organizations' network concerns.

  • Examining the Network Configuration
    Examining the network configuration will be reviewed next. We will concentrate on assessing the network as a discrete entity as well as assessing the security needs of the individual components. Since the typical network is too big to examine each component in a timely manner, we will discuss how to use other employees to run tools to examine the security of network devices (routers, bridges, gateways, hosts, servers, and cabling).

  • Policies to Protect the Network
    For most organizations, there will be a need to examine the existing security policies. Securing your organization begins with a security policy that articulates instructions for protecting information and network assets in accordance with your business goals, good business practices, commonly accepted security practices, and outside regulatory requirements. To reinforce the material, the attendees will develop and critique a network security policy.

  • Project Scope Management
    Project scope management includes the processes required to ensure that the policy and/or procedure development project includes all the work required, and only the work required, to complete this specific project. We will review the contents of project scope statements, and then the attendees will assemble into their groups and create a scope statement for their project. When the drafts are completed, the group will critique each of the scope statements.

  • Developing a Network Security Checklist
    To conclude the first day, we will examine and expand on 100 or more checklist items related to network security issues. While checklists aren't the complete answer to network security problems, they will allow us to set the stage for what must be assessed and to identify areas that may have been overlooked.

  • Tools of the Trade
    Saving precious staff time with tools and widespread automation is an excellent way to magnify staff capabilities. The first problem is identifying where tools are needed and the problems involved with their implementation. We will examine what to look for in an effective security assessment tool and where to get them as cheaply as possible.

  • Typical Vulnerability Report
    At the completion of your vulnerability assessment it will be necessary to produce an assessment report. We will examine what elements make up an effective report document. We will discuss how to use the document to meet your objectives and how the document can be used by management to show they are meeting their duty of care requirements.

Copyright (C) 2001-2008, Secure Tangent Sdn. Bhd. All rights reserved