For the past few months, so much has been written, reported and said over the issues involving the misuse of pork barrel funds (PDAF) and the legitimacy of the government’s DAP allocations.
With the sheer scale of the ongoing investigations into these issues, as well as the large number of personalities involved, some of the said personalities have taken advantage of the confusion and found ways to muddle the issue and deflect the charges hurled against them. This is a classic case of crab or “talangka” mentality.
The point is, regardless of how much money was thrown at a government official, either by way of PDAF, DAP or by any other means, the question that should be answered is how much of that money was properly spent and accounted for.
In the end, the issue of the amount that was given and the reason why it was given would be moot, if we know that it was well spent and not pocketed.
If a lawmaker is given one billion pesos and he spends it all, and if he is able to show us 100% where the money went in a well documented manner, then we have ourselves a hero. But, if another lawmaker is given, say, just one thousand pesos and he spends it all, but if he can’t show us how and where he spent it, even for such a small amount, then we have ourselves a zero. This is how we can tell the pigs and crocodiles from the men.
The scale and complexity of attacks on websites and applications have significantly increased over the years. What started out as simple hacking attacks from private individuals have morphed into more complex and persistent threats of massive scale coming from large organizations and nation-states.
One of the main challenges faced by organizations today is how to ensure that their website and application assets are protected from these threats.
One method attackers use when targeting a website or application is to check for vulnerabilities to a particular attack or exploit. Once a vulnerability is detected, they just have to run the appropriate exploit attack for that vulnerability. Hacking tools are now relatively easy to obtain and download over the internet. In fact, you can now search for so-called hacking services providers and outsource all the grunt work to them.
So how do you protect your system from these kinds of attacks? For starters, you can adopt application security testing solutions into your IT security framework.
Application Security Testing – DAST or SAST?
There are two kinds of Application Security Testing (AST) tools available, Dynamic (DAST) and Static (SAST).
DAST applications test a website’s security posture by:
- connecting to a site
- crawling it
- creating a map of all discovered web components
- analyzing each component for vulnerabilities
- generating a report of the security findings,
- giving the appropriate mitigation steps for each detected anomaly.
Some of the more common vulnerabilities these tools find are SQL injection and cross-site scripting. A DAST tool is most commonly run against a live production or test web environment, so it is effectively a form of penetration testing tool.
SAST on the other hand is used by developers, analysts or security auditors to scan for application software vulnerabilities at the source code level. It can be a standalone application or can be an extension or plugin to an existing development or IDE tool such as Eclipse or Visual Studio.
Ideally, you should include security assessments early in your software development life cycle (SDLC). The later in the SDLC you test your application, the more expensive it is to mitigate the threat and plug the holes in your system.
It’s cheaper to fix errors in the QA or testing phase of your web system before you publish it to your production environment, but it’s cheaper still to fix them in the development phase, before the code is handed to your QA team.
Avoid PR Nightmares
What happens if your website is compromised? If an attack is successful and is made known publicly, then you will be faced with a huge PR nightmare. This usually leads to a loss of face, poor customer confidence levels, and ultimately, lost business. The money you have to spend on PR buildup and gaining back clients might be staggering.
IBM Security AppScan
A good example of an application security testing tool is the IBM Security AppScan solution suite. For their DAST solution, you can check out IBM Security AppScan Standard. On the SAST side, there’s IBM Security AppScan Source.
Regardless of what vendor or product you choose, the added security layer and good return on investment makes for a good business case if you want to include application security testing tools for your company’s security infrastructure.
I have seen a few Security Information and Event Management (SIEM) Proof-of-Concept (POC) activities with different end-users where IBM QRadar SIEM went head-to-head against other SIEM systems.
The competing POC systems are subjected to the same set of use cases or evaluation criteria, which usually cover the following:
- Support for different log or event sources
- Ease of configuring correlation rules
- Query and report performance (How fast are results generated?)
- Ease of management
- Deployment time metrics
Here are some of the things to note:
- Given a 4-week window to complete a specified set of use cases, QRadar was deployed and met all evaluation requirements in less than a week. The others took longer to deploy and configure (about 3-4 weeks). Interestingly enough, some were still not able to meet all of the requirements within the allotted time frame. The difference in deployment time and requirements coverage was too glaring for the end-users not to notice.
- Apart from the basic log collection/management functionality, there usually is enough time to showcase QRadar’s other functions such as network flow (layer 4 and layer 7) analysis using the same POC box. This all-in-one feature is seen as one of the key selling points of QRadar.
- Some end-users particularly noted how relatively easy it was to configure rules and alerts on the fly compared to the other solutions.
I used to deploy and manage some of the competing solutions and was completely blown away by what QRadar could do. From a personal opinion (Yes, disclaimer here!), and based on experience, the relative ease by which QRadar can be deployed compared to the others, and the excellent security intelligence coverage that it provides, has made a convert out of me.
Here are five reasons why networks are breached:
1. The end user didn’t think before clicking
This usually happens when the user opens a malware-infected email or browses a compromised website. Some of the security measures that you can use to prevent the threat from spreading are antivirus software and gateway security solutions such as firewall proxies.
2. Weak password / default password in use
There are a lot of website resources out there that publish the default usernames and passwords for popular products such as routers, firewalls and other software.
As a matter of best practice: Always change the default account usernames and passwords (if applicable) of applications or devices to ensure that they won’t be easily breached.
3. Insecure configuration
It’s always good to introduce secure ways of accessing your resources over the network. Some of the methods include adding access control mechanisms (ACLs) for key systems and providing a secure communication layer (such as SSL and other encryption methods) between the user and the target service.
4. Use of legacy / unpatched hardware or software
Legacy or unpatched hardware or software often has known vulnerabilities (either published or unpublished) that can be exploited. Patching or updating these systems will help improve your overall security posture.
5. Lack of basic network security protection or segmentation
At a minimum, consider investing in gateway solutions, such as firewalls, intrusion prevention systems (IPS) and VPN gateways, to protect your network. It’s also good to introduce network segmentation, such as adding DMZs or honeypot segments to your network.
It’s always a good idea to take these things into consideration when designing or managing your IT network.
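Reason 2 above (weak or default passwords) is the one of the five that is easiest to audit mechanically. The following added example (not part of the original post) checks a constructed inventory of device accounts against a small constructed list of default username/password pairs and a simple complexity policy, and returns the findings per device. `DEFAULT_CREDENTIALS`, `MIN_LENGTH`, `INVENTORY` and the device names are all assumptions made for the demonstration; in practice the default list would come from your vendors' documentation and the inventory from your asset database.

```python
"""Added example: audit device accounts for default or weak passwords."""

# Constructed default credential pairs (lower-cased). A real list is much longer.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
}

MIN_LENGTH = 12          # assumed policy minimum
MIN_CHAR_CLASSES = 3     # assumed: at least 3 of upper/lower/digit/symbol


def _char_classes(password):
    """Count how many of the four character classes the password uses."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def password_findings(username, password):
    """Return a list of policy violations for one account (empty if clean)."""
    findings = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        findings.append("default credential pair")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if username.lower() in password.lower():
        findings.append("contains the username")
    if _char_classes(password) < MIN_CHAR_CLASSES:
        findings.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    return findings


# Constructed inventory: one untouched default, one borderline, one compliant.
INVENTORY = [
    {"device": "edge-fw-1", "username": "admin", "password": "admin"},
    {"device": "web-proxy", "username": "svcproxy", "password": "Svcproxy2014!"},
    {"device": "core-sw-1", "username": "netops", "password": "Tq7#mV2p!Lr9"},
]


def audit_inventory(inventory):
    """Map device name -> findings, including only devices with at least one."""
    report = {}
    for entry in inventory:
        findings = password_findings(entry["username"], entry["password"])
        if findings:
            report[entry["device"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit_inventory(INVENTORY).items():
        print(device, "->", "; ".join(findings))
```

The check deliberately treats a default pair as a finding on its own, regardless of the password's complexity, because a published default is compromised the moment the device ships, no matter how long it is.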
To extract unknown or unparsed logs for an unknown device in RSA enVision, you can run the following at the command prompt of the D-Srv:
%_ENVISION%\bin\lsdata.exe -events syslog -devices unknown:<ip_address> -time <starttime> <endtime> > <outputfile>
For example, if you have an unknown device with IP address 10.10.10.5 and you want to extract 2 days worth of logs and store it in a file called unknown_logs.unx on the root of Drive E:, then you can run the following at the command prompt:
%_ENVISION%\bin\lsdata.exe -events syslog -devices unknown:10.10.10.5 -time -2D end > e:\unknown_logs.unx
The resulting unknown_logs.unx file will contain the unknown log messages (in syslog format) that were collected by enVision.
You can then use this output logfile to develop the enVision event log parser for this device.
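As an added example of the parser-development step (not enVision code, and not the format of the lsdata output itself, which is assumed here to be plain BSD-style syslog lines as RFC 3164 describes them), the script below splits each line into priority, timestamp, host, application, PID and message, derives facility and severity from the priority, pulls `key=value` pairs out of the message body, and keeps any line it cannot parse so nothing is silently dropped. `SAMPLE_LOGS`, the host `acme-gw-01` and the addresses in it are constructed for the demonstration.

```python
"""Added example: first-pass parser for unknown-device syslog output."""
import re
from collections import Counter

# Constructed sample lines in BSD syslog (RFC 3164) shape, plus one junk line.
SAMPLE_LOGS = """<134>Jan 12 10:15:02 acme-gw-01 fwd[2213]: allow src=10.1.2.3 dst=10.10.10.5 proto=tcp dport=443
<132>Jan 12 10:15:07 acme-gw-01 fwd[2213]: deny src=192.0.2.9 dst=10.10.10.5 proto=tcp dport=22
<38>Jan 12 10:15:09 acme-gw-01 login: user 'ops' authenticated from 10.1.2.40
this line is not syslog at all
"""

# <PRI>Mmm dd hh:mm:ss host app[pid]: message   (pid part optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri // 8,          # RFC 3164: PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "app": m["app"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
        "fields": dict(KV_RE.findall(m["msg"])),
    }


def parse_file_text(text):
    """Split a log dump into (parsed records, unparsed raw lines)."""
    parsed, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            parsed.append(rec)
    return parsed, unparsed


def summarize(parsed):
    """Count records per application name, a quick view of what the device emits."""
    return Counter(rec["app"] for rec in parsed)


if __name__ == "__main__":
    records, leftovers = parse_file_text(SAMPLE_LOGS)
    print(summarize(records))
    print("unparsed:", leftovers)
```

Running it over a real dump and looking at the `summarize()` output and the unparsed lines tells you which application names and message shapes the device actually produces, which is the information you need before writing the device-specific enVision parser.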
I was supposed to fly home on Christmas Day, but an unfortunate set of events forced me to fly back home today, a few days earlier than planned.
It turns out that we live just a couple of houses away from an idiotic, perverted foreigner masquerading as a respectable businessman.
Know this, Mr. “S”, you messed with the wrong people. You ought to be ashamed of yourself. It would be my utmost satisfaction to see you put in place or behind bars.
I couldn’t help but smile while browsing through my blog archives. I forgot that the very first blog I wrote was about Conne’s pregnancy with CJ! This was back in 2005, when I was still using Blogspot’s services.
The inspiration for that very first post came after we heard CJ’s heartbeat for the first time, which was during one of Conne’s early pregnancy checkups.
As we eagerly await a new chapter to be written into our lives, one which sees our Julianna on board, the current chapter ends with a special twist and on a high note — because it ends with a scene depicting CJ, with childlike amazement, hearing his unborn sister’s heartbeat for the first time as well.
Yes, CJ, it does sound like a train.
Time is a luxury that most of us don’t have, but it’s a luxury that we should appreciate and value dearly.
It took me forever to realize that, when life knocks us down or throws us a curve ball or two, the wisdom and experience gained from overcoming adversity are built up in trickles throughout the course of our lives.
Backtrack six years ago, I was struggling on a personal, professional and emotional level. But I now find myself a husband to a loving wife, father to an amazing son, stakeholder to a good company, and in control of my emotions (well, at least most of the time!). To top everything off, I woke up one day, while on an overseas trip almost 9 months back, to a blissful SMS message from my wife – telling me that I was to be a dad for the second time around!
One of the first questions that popped up in my mind: Was I ready for this new challenge?
Backtrack again, those six years saw four job changes (with odd jobs in between some), three house transfers, a thousand arguments with the wife, countless temper tantrums (with the occasional gadget “collateral damage”, to boot), questions on faith, a slew of loan payments that needed to be settled, forays into the business world, an investment gamble, and frequent, lonely, extended trips overseas.
Fast forward: I have a good job, we’re saving up for our dream house, arguments are few and far between, temper is in check (with zero collateral damage!), I have a strengthened belief in God, loans are settled, business is good, and investments are paying off. As for staying abroad, the loneliness didn’t kill me but only made me strong.
In retrospect, time allowed courage, wisdom, experience and a bit of luck to eventually stack up on my side. It allowed me and my wife to grow – as a couple and as parents.
So to answer my question, I can say with optimism that I’m up for the challenge.
And the geek in me says that the ongoing upgrade to Parent2.0 (ergo Daddy2.0) is on track.
Did you know that the Philippine Department of Foreign Affairs recently decided to adopt PH (or PHL) as the official acronym of the Republic of the Philippines, instead of the ‘RP’ moniker?
The DFA Secretary issued an order last October 20 directing all Philippine embassies and consulate offices around the world to drop the ‘RP’ tag and use ‘PH’, or ‘PHL’, instead.
This directive finally makes us ‘standards compliant’ with regard to the country code standard defined by the International Organization for Standardization, or ISO.
This is a welcome change although it might take a while for most people to get used to. (In sports, try to imagine cheering for our Filipino athletes/contingent while shouting “Go Team PH!” or “Go PH Team!”, instead of the usual “Go RP Team!”)
But… come to think of it, on a broader scale, you’ll probably notice that the ‘RP’ tag isn’t used much anyway — particularly on the internet. If you take a look at social media sites such as Facebook and Twitter — or even in daily email correspondence — people actually do tend to use ‘PH’ more. You’ll see “PH-time”, “PHP”, and in its most obvious form — in internet domain names, where we use .ph, instead of .rp, as the top-level domain name.