T3H Blog

Blog by Ecaps Rebyc

Korean food

2008/09/29

We ate a fine galbi and Jeju black pork dinner at the Lotte Hotel Jeju Korean restaurant. In Korea, beef is the most prized of all meats. Beef is prepared in numerous ways including roasting or grilling (gui, Galbi), boiling in soups, or drying. It is worth noting that cattle themselves hold an important cultural role in Korea; in days of old, cattle were regarded as equals to human servants.
Galbi (갈비), pictured here, can be pork or beef ribs, cooked on a metal plate, and normally over charcoal.
Pork is more likely to be consumed than beef. Pigs, I am told, have been a part of the Korean diet from ancient times. Koreans use all parts of the pig in a variety of cooking methods including steaming, stewing, boiling, and smoking. Until recently, pigs on Jeju (or Cheju) Island were raised in pens built around raised privies that held human excrement, which these pigs consumed. These pigs were considered a delicacy and were known as Ddong dwaeji (똥돼지).
Finally, one cannot consume Korean food without Kimchi (김치). It is made out usually of cabbage, daikon, or cucumber fermented in a brine of ginger, garlic, scallions, and chili pepper. There are endless varieties of kimchi, and it is served at every meal as a side dish, or cooked into soups and rice dishes.
All this is to say, Korean food was succulent and better yet when served with good company and a nice Korean beer. Along with our galbi and Jeju black pork, I ate a very nice, spicy cold wheat-flour noodle dish called Bibim guksu (비빔국수), extremely popular during the summer season, and an intriguing seafood and corn cake (pictured here with a variety of pickled vegetables).

Categories
Travels
Tags
Galbi, gui, Kimchi, Korean Food

Lost in translation, I am sure

2008/09/25

Enough said… or maybe not!

Categories
Travels
Tags
clean buffer

Jeju short walkabout

2008/09/25

Well, the 9th ICCC ended this morning – next week it will be back to the grindstone in Yokohama. However, after lunch Hiroki Nonoyama-san, Dr Christian Tobias, and I went for a couple of hours' walkabout, although it was a little humid. The little we have seen is neat, with much greenery, clean beaches, and lots of walkways and trails to explore on this island, with maybe a few too many stairs to climb, for me.

We returned just ahead of a rain/thunder storm, a great time for a refreshing break before a night on the town (village)…

Here is another slideshow, enjoy!


Categories
General
Tags
Cheju Island, Jeju

9ICCC Gala Dinner

2008/09/25

The 9th ICCC is likely one of the best and largest conferences related to serious ICT security remediation; it delivers loads of useful information and challenging thoughts – in short, it stimulates the flow of synapses. Hence, the need to relax some, so our Korean hosts laid out a scrumptious dinner; of course accompanied with the customary speeches from above. This dinner in company of friends and colleagues from the CC international community was capped with superb entertainment. We had the pleasure to view the elegant Jeju Provincial Dancers and comical Nanta.

The dances were lively, yet graceful – especially the butterfly dance, which includes some stylish fan work.

Nanta’s chefs present a cutting hedge (I could not resist the pun) and original nonverbal performance integrating Korean traditional “Samulnori” rhythm with comical and dramatic delivery… The drumming of knives, accompanied by music, is pleasing to the ears. The final drum performance was surely energetic; just watching made one perspire!!!

Stimulating discussions, great company, succulent food, and fantastic entertainment, what is next? Maybe a few hours off before returning to the office grind, for a change to take in a little of the majestic scenery of Jeju Island – now that’s a conference.

Here is a slideshow of the evening entertainment, enjoy!


Categories
General, Travels
Tags
9ICCC, Jeje Provencial Dancers, Nanta

9th International Common Criteria Conference

2008/09/22

From September 23 to 25, I am attending the 9th International Common Criteria Conference held at the Shilla Jeju Hotel, in Jeju, Korea with my colleague from TÜV Rheinland Japan, Hiroki Nonoyama. This year our host is the Republic of South Korea’s National Intelligence Services (NIS).

The Common Criteria for Information Technology Security Evaluation is an international standard for ICT security; it is now recognized and implemented in 25 major countries around the world. This is one of the best information and communication technology (ICT) security conferences around. The Common Criteria standard addresses security issues at the fundamental level – and, normally (hopefully), before the system hits the open market.

Common Criteria is based on a framework in which ICT system users can specify their security requirements (with Protection Profiles); vendors can then implement and/or make claims about the security attributes of their products (with Security Targets); evaluating laboratories can evaluate the products to determine if they actually meet the claims (through Evaluation Technical Reports); and the products can receive certification from one of the CC Scheme certification bodies for worldwide recognition. In other words, Common Criteria provides assurance that the process of specification, implementation, and evaluation of an ICT security product has been conducted in a rigorous and standard manner.

The world’s dependence on ICT systems simply will not abate – nor will the threats, risks, and vulnerabilities to those systems – hence users of all kinds need confidence in the security of the ICT they use every day. CC ensures that common criteria are applied uniformly.

Categories
General
Tags
9th ICCC, Common Criteria

Friends forever

2008/09/17

A fitting motto for CFSRS Old Timers, and it holds true. It is amazing that within minutes as much as 35 years can be wiped away to yesterday. I had not seen David Pickering in over 28 years, and yet within minutes we were up to date on each other's lives and doings. However, it was not so with all – many names were familiar but not the faces that went with them, or vice versa, where the face was familiar but the name for some reason appeared to have changed…

David (Pickles) still instructs young officers at CFSCE at CFB Kingston in the mysterious art and science of C&E.

It was a worthwhile 6.5K km trip to meet old classmates and friends with whom I stood on guard for thee!

Categories
Travels
Tags
291er, David Pickering, Friends forever, SRS

82°30′N, 62°19′W

2008/09/17

During the second weekend of September, celebrations for the 50th anniversary of CFS Alert were held at CFS Leitrim (Ottawa). CFS Alert has been a rallying point of sorts for many people, especially 291ers, since 1957. Just about every military occupation has supported the station since it first opened, but 291ers had to tour on the northeastern tip of Ellesmere Island, at 82°30′N, 62°19′W, for 6 months about every four years while serving with the Canadian Forces Supplementary Radio System, charged with SigInt duties.

I spent a total of two and a half years of my life at CFS Alert over a period of 18 years, without any regrets – 4 tours (CommCen, TEBO, SigDev [x2]) and two 3-month stints for special projects (TRILS, the beta version).

Alert Sign
CFS Alert
CFS Alert Crest


Categories
Travels
Tags
291er, CFS Alert, SigDev, SigInt, Signal Intelligence, SRS

Going Back

2008/09/17

Last Sunday (September 14, 2008) I returned to the site of CFS Gloucester, which closed in 1972. The visit, consisting of a hearty brunch held in the old station gym for CFS Alert old timers, was part of the celebrations associated with the station’s 50th anniversary.

CFS Gloucester was the site for SigInt training in Canada from 1943 to 1972. I was among the last few to train there and helped move the school to its new home (E Squadron) at CFB Kingston that year, where I went on to finish my training. Today all that remains is the cairn, in the picture, the Greely Legion, and a Sigs Cadet Corps gathering site.

But in my mind, it is still the launching pad to a 38-year career in ICT Security, where ‘Knowledge through Discipline’ has played a large role, and try as I may I cannot remember one bad thing about the place…

CFS Gloucester's Cairn
JG at the CFS Gloucester's Cairn

– Plaque Information –

NRS 1943 – 1950
HMCS 1950 – 1966
CFS 1966 – 1972

GLOUCESTER
CGI (spelled out in Morse code)

Knowledge Through Discipline

Opened in 1943 as a Naval Radio Station utilizing High Frequency Direction Finding (HFDF) to aid in the combat against German U-boats in WWII, Gloucester evolved into a military Signals Intelligence (SIGINT) communication and training establishment.

This monument is dedicated to the men and women who trained and served at this site. Their many contributions to the security of this nation must never be forgotten.

In War or Peace, it matters not, the mission does not change.

Categories
Travels
Tags
CFS Gloucester, Gloucester, SigInt

Open Vulnerability Assessment System

2008/09/08

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

OpenVAS products are Free Software under GNU GPL and a fork of Nessus.

There is an excellent compendium, compiled by people involved in the OpenVAS project. Its intention is to provide comprehensive documentation for all aspects of network vulnerability scanning with OpenVAS — the OpenVAS Compendium.

Categories
General
Tags
OpenVAS

OWASP Testing Framework

2008/09/08

The Open Web Application Security Project (OWASP) Testing Project has been in development for many years. This project is meant to help people understand the what, why, when, where, and how of testing their web applications, and not just provide a simple checklist or prescription of issues that should be addressed. The outcome of this project is a complete Testing Framework, from which others can build their own testing programs or qualify other people’s processes. The Testing Guide describes in detail both the general Testing Framework and the techniques required to implement the framework in practice. There are three different OWASP Guides. They are full of useful information about how to perform application security activities.

  1. The OWASP Guide to Building Secure Web Applications and Web Services: This OWASP Guide has hundreds of articles about all the major security issues you’ll encounter when designing or building a secure web application or web service.
  2. The OWASP Testing Guide: This OWASP Guide has articles specifically about performing security penetration testing on web applications and web services.
  3. The OWASP Code Review Guide: This OWASP Guide covers all the same vulnerabilities and security mechanisms as the Testing Guide, but provides guidance on finding the problems in the source code.
Categories
General
Tags
OWASP

The Good Book Comes in Many Forms

2008/09/08

Here is a short list of reading material one should read, and keep handy, especially if one’s network is a celestial body in cyberspace.

  • Risk Management Guide for Information Technology Systems – NIST SP 800-30

Every organization has a mission. In this digital era, as organizations use automated information and communication technology (ICT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.

  • Creating a Patch and Vulnerability Management Program – NIST SP 800-40 v2

Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities. Proactively managing vulnerabilities of systems will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after exploitation has occurred.

  • Guidelines on Firewalls and Firewall Policies – NIST SP 800-41

This document does a very good job of covering firewall definitions, best practices, policies, etc. It provides introductory information, recommendations, and guidelines about firewalls and firewall policy primarily to assist those responsible for network security. It addresses concepts relating to the design, selection, deployment, and management of firewalls and firewall environments. It is not intended to provide a mandatory framework for firewalls and firewall environments, but rather to present suggested approaches to the topic.

There are many other relevant documents from the NIST SP-800 Series pertaining to network security; most are free. Additionally, there are many good publications from the International Standard Organization, such as the ISO/IEC 18028 series (which will be revised by the ISO/IEC 27033 series currently under development), ISO/IEC TR 19791:2006, ISO/IEC 27002:2005, ISO/IEC 27005:2008, and ISO/IEC 38500:2008; unfortunately they are not free, nor are the books below.

  1. The Book of PF – A No-Nonsense Guide to the OpenBSD Firewall, by Peter N. M. Hansteen, ISBN-10: 1593271654 or ISBN-13: 978-1593271657, December 2007, 184 pp.

  2. Building Firewalls with OpenBSD and PF [2nd edition], by Jacek Artymiak ISBN 83-916651-1-9, October 2003, 320 pp.

  3. The OpenBSD PF Packet Filter Book, published by Reed Media Services, ISBN 0-9790342-0-5, August 2006, 193 pp.

  4. Secure Architectures with OpenBSD, by Brandon Palmer, Jose Nazario ISBN 03-21193-66-0, April 2004, 520 pp.

Just visit the OpenBSD bookstore and O’Reilly Media for many more excellent ICT related books.

Categories
General
Tags
Good Book

QSA and CGEIT

2008/09/08

Here is where I live – the Information Assurance, Security, and Governance Lab within TUV Rheinland’s Global Technology Assessment Center (GTAC). The two racks of machines in the back were fabricated by eRacks for a fraction of what our regular supplier could have done it for. All the machines are populated with open source applications – such as OpenBSD, OpenSSH, OpenBGPD, OpenNTPD, OpenCVS, Puppet, OCS Inventory NG, phpMyAdmin, Webmin, PostgreSQL, and much more open source software obtained after hours spent navigating SourceForge.Net pages, NIST publications, and help from the Open Source community.

We get our fair share of attempted malicious penetrations from our neighbours, especially to the West of us – but so far, with a little ingenuity, log analysis, good intelligence, attention to detail, frequent updates, and solid reactive implementations, the lab’s networks hold their own; and, undoubtedly, within the good graces of the cyberspace gods, also. However, the assistance of Mark Toraki Uemura, Tomoyuki Sakurai, and Ryan McBride at OpenBSD Support Japan has kept the machines purring securely away 24/7 for the last two years.

Anyway, this was supposed to be a post about getting recognized as a Payment Card Industry Data Security Standard (PCI DSS) Qualified Security Assessor (QSA), along with becoming an ISACA Certified in the Governance of Enterprise IT (CGEIT) professional. We are readying the lab to support vulnerability assessment and penetration testing services; of course, we will be using predominantly, but not exclusively, the Open Vulnerability Assessment System (OpenVAS) for network vulnerability tests (NVTs). In time, we will become a PCI Approved Scanning Vendor (ASV), also.

Categories
General
Tags
CGEIT, QSA

NOT$

2008/09/05

A while back I got together with some of the Now, on the Spot (NOT$) supporters at Captain in Yokohama. It is always great to have a pint or two with good friends. In the left-side picture is Gregory Olowu (Nigeria), the proud owner of Captain. In the other picture you are looking at Fares Naouri (Jordan), myself (Canada), Lynette Bracken (New Zealand), and Rachid Sehb (France).

Except for Greg, whom I see regularly, Fares spends most of his time in Kuwait, where he works hard to expand TUV Rheinland’s business. Rachid escaped to TUV’s Osaka offices, and Lynette just returned, hopefully for good, from a long stay in Australia, where she worked to establish one of TUV’s newest branch offices down-under.

Categories
General
Tags
NOT$

Information Security Management Systems

2008/09/04

I was in Fukuoka (福岡市, Fukuoka-shi), the capital city of Fukuoka Prefecture. It is situated on the northern shore of the island of Kyūshū in Japan, across the Korea Strait from South Korea’s Busan. I was there to participate in an ISO 27001 Stage 2 audit. The client (victim) was a small, yet successful, Japanese software development firm. This was a 100% Microsoft-centric development outfit: all the machines had a Microsoft OS and their main working tool was MS Visual Basic.

This was the first time I audited a software development firm. The other two audits were of a Web content development firm and a printing company. All had a relatively small number of employees, less than 25. However, all took their Information Security Management Systems (ISMS) very seriously, not only because it is the right thing to do, but because they needed to demonstrate to their clientèle how important all information was to their operation.

ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.

ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:

  • use within organizations to formulate security requirements and objectives;
  • use within organizations as a way to ensure that security risks are cost effectively managed;
  • use within organizations to ensure compliance with laws and regulations;
  • use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
  • definition of new information security management processes;
  • identification and clarification of existing information security management processes;
  • use by the management of organizations to determine the status of information security management activities;
  • use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
  • use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
  • implementation of business-enabling information security;
  • use by organizations to provide relevant information about information security to customers.

Reference: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103

Categories
General
Tags
27001, ISMS

Supply Chain Security Management Systems

2008/09/04

Recently, at TUV Rheinland’s Global Technology Assessment Center in Yokohama, I attended TUV’s first Lead Auditor course for ISO 28000:2007 Security Management Systems for the Supply Chain.

ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact on supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

ISO 28000:2007 is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wish to:

a) establish, implement, maintain and improve a security management system;

b) assure conformance with stated security management policy;

c) demonstrate such conformance to others;

d) seek certification/registration of its security management system by an Accredited third party Certification Body; or

e) make a self-determination and self-declaration of conformance with ISO 28000:2007.

There are legislative and regulatory codes that address some of the requirements in ISO 28000:2007.

It is not the intention of ISO 28000:2007 to require duplicative demonstration of conformance.

Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.

Reference: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44641

Categories
General
Tags
ISO 28000
