Speakers & Topics
Dr. Adam Kolawa
Parasoft Corporation
Security and reliability are inextricably intertwined in today’s complex applications. We cannot rest assured that our application security efforts will protect us unless we know that the application will operate reliably. For instance, a “secure” login process will be inconsequential if an application happens to skip it under exceptional conditions. Likewise, we cannot be confident that an application will operate reliably unless we have put in place measures to ensure that security attacks cannot hijack or crash it. Although security and reliability problems have distinctly different manifestations and impact, the underlying methods used to identify and prevent them have much in common - static and dynamic analysis, runtime analysis, and other testing technologies are hardly new. With the same methods comes the same obstacle to sustained adoption: they tend to disrupt the development process and overwhelm the development team. Through this session, the speaker aims to impart knowledge on how developers can establish a continuous security process in developing complex applications.
Mr Adrian Burholt
The Key Revolution Ltd
The presentation provides some background on the landscape and trends of the online threat and the potential impact of these perceived and real threats for the customer. With this in mind, there are a few questions that we need to ask. For example, what are the forces that are driving the needs and demands from the market? What is most at risk for individuals and enterprises in a world of online threats? How do we adapt to be a positive influence in the current and evolving situation? With all this in mind, how can we actively involve the end user in defining and sustaining the key security solutions through world class products and services? A key objective is to share the methodologies that can be used to answer these questions and define a customer friendly and positive approach to online security. In conclusion, the presentation will focus on the next evolution for online security, providing an insight into what we believe will be the next big online security theme.
Mr Benjamin Mah
e-Cop (S) Pte Ltd
Information is at the heart of every organization and is often its most critical asset in this age of digital data. Technology has given companies the ability to store massive information assets conveniently, securely, and at minimal cost.
Through accident or malice, this data can sometimes be exposed to unauthorized parties, presenting risk to compliance, business continuity, and an organization's competitive advantage. While most companies focus on securing against external attacks, few are prepared, or even aware of the close proximity danger posed by malicious employees or spying by vendors and suppliers. Added to this are the flawed operations that can cause routine errors leading to your confidential data leaving the company.
To address the growing problem of information security risks, it is crucial for enterprises, especially data-centric businesses, to put in place an Information Security Management System (ISMS) based on industry best practices. Don't wait for a crisis to hit you before you take action.
Mr Bill Doyle
Channel Sales & Business Development TIBCO Spotfire
Gartner has identified four strategies that CIOs should pursue: technical excellence; enterprise agility; information effectiveness; and innovation. The third strategy involves using analytics and applying information to how business decisions are made. The primary problem is not that they lack data. It is that they must contend with dirty data. The challenge is that they do not know which data is trustworthy — “clean” — and which contains duplicates, outdated records and erroneous data entries. Analytics focuses on extracting information by looking at the data in many different ways. Companies pay extra attention to results when they are supported by data. Data Analysis answers the "What happened?" but not the "Why did it happen?" question. The "What" question is answered by industry experts who understand the data side as well as the Business and Customer side; the "Why" question is answered by talking to the customers. This presentation introduces an analytics solution that delivers a breakthrough user experience that speeds the discovery of new threats and opportunities while systematically improving and accelerating the enterprise’s ability to take action with confidence and consensus. Its unprecedented flexibility enables organizations to scale analytics to a wide range of business professionals across multiple business functions. Audiences will gain insights on potential deployment scenarios for this analytics solution such as analysis of large email collections, structured data analysis, social network analysis, and identifying suspicious credit card holders.
Mr Brian Raymond
Government Affairs, NetApp,
NetApp-PTC Systems
This session focuses on the challenges faced by public sector enterprises when striving to achieve maximum security of classified information, operational efficiency across mission-critical applications, and service continuity for critical government services. Learn more about the real-world obstacles encountered by other government entities when faced with the challenge of protecting sensitive data with the strongest encryption technologies to address data privacy requirements - including regulatory compliance, storage consolidation, backup and disaster recovery, intellectual property protection and information sharing - and how they each achieved success.
Mr Carl Terrantroy
IDM Technology Initiatives APAC,
Oracle Corporation
Identity Management (IDM) has gone through several iterations over the last decade.
Until recently, Single Sign On was considered leading edge and, combined with self-service functionality, offered users a great advancement in ease of use for access to corporate applications. IT departments have enjoyed the ability to provision user accounts and run reports on who has access to what. These backend technologies have reduced costs due to automation, enabled easier reporting for compliance and lifted the internal service levels. So IDM has touched the IT organisation and the end user, but has it created a more agile infrastructure for businesses? This session provides an overview of what’s around the corner for IDM and covers technologies like:
- Enterprise Role Management which bridges the IT and business community within an organisation.
- Real time, non-intrusive access controls offer greater flexibility for fraud monitoring and prevention.
- Service Oriented Security (SOS) offers a flexible new architecture so you can reuse security assets just like SOA reuses code today.
Mr Chris Pickett
Global Technology Business Unit,
Oracle Corporation
Whilst encryption as a means of enforcing confidentiality is well-understood in the networking domain, its application at the database level has been more recent. Today, several options are available to organisations that need to encrypt large amounts of their stored business information. These include choosing between selective and indiscriminate encryption, the use of dedicated hardware for key management and the extension of database encryption into backup regimes. This session aims to introduce a technological solution that provides such high-end security capabilities for encrypting databases.
Dr Christophe Tartary
School of Physical and Mathematical Sciences, Nanyang Technological University
With the expansion of communication networks, broadcasting has become a major way of distributing digital content to a large audience over public communication channels such as the Internet. Video-conferences, air traffic control, software updates, digital television and stock quotes are examples of applications based on broadcast. Since many multicast protocols transfer private or sensitive information, one needs to cryptographically protect those transmissions. In order to achieve secure communication, we need to provide data secrecy and authentication of the source of information. In this talk, we examine issues related to data origin authentication and present protocols for achieving security under different threat models.
Mr Chua Kay Lee
CISCO Systems
This session will explore the various means that can be taken to compromise Unified Communications Security and the features that can be enabled to detect, remediate, and repudiate them. The session attempts to peek into the various threats and to discuss the possibilities that network professionals may overlook. It is also imperative for telecommunications managers to understand the cryptographic features used to secure Unified Communications deployments.
Prof David Naccache
Université Paris II Panthéon-Assas
In this presentation, we demonstrate how covert communication channels exploiting temperature can be established between machines. In a typical scenario, two PCs, sitting in the same rack and not connected to each other, will establish a communication by modulating the temperature inside the rack. Temperature can be increased by launching intensive calculations and sensed by monitoring the fan speed or using one of the on-board temperature sensors (e.g. the hard drive's SMART sensor). The covert channel was implemented between processes running on PC and Macintosh machines and also within FPGAs thereby defeating an NSA-approved security scheme for IP protection and isolation.
Mr Donald Wee
Data Terminator
Corporations spend millions of dollars to build an IT Security infrastructure with "fortress and firewall" to safeguard themselves against any intrusion. Yet, they often overlook or do not see the need for data sanitization before disposing of their obsolete or retired servers and computers. Many people tend to believe that they have destroyed information permanently when they erase a computer file via the simple Delete key, overwriting or formatting the storage media. The reality is that the information has not been permanently and completely destroyed (sanitized). This session aims to shed light on how corporations can protect themselves against information leakage.
Mr Eddie Sheehy
Nuix
This presentation aims to demonstrate how organisations can have complete knowledge and control over the content of their email servers and other electronic data - enabling them to immediately and effectively respond to compliance, regulatory and internal investigations. The Federal Rules of Civil Procedure in the US continue to impact non-US companies, which are often required to comply with US discovery rules. Attend this presentation to discover how to capture critical information you need for e-Discovery requirements and use it to protect and serve your organisation.
Mr Freddy Tan
Microsoft Asia
The 2008 Global Information Security Workforce Study is the fourth annual study conducted for (ISC)² in order to help guide decisions regarding careers, hiring, budgeting, governance, etc. of IT security professionals around the world. This year, Frost & Sullivan has compiled U.S. government-specific data from the global study and has provided the key findings from the government-specific results. This presentation will review these findings and will highlight one finding in particular that pertains to the impact that the U.S. DoD Directive 8570.1 is having on the federal information assurance profession. Since the implementation of the DoD Directive 8570.1, significant accomplishments have been recognized in the federal government’s effort to further professionalize the IT security workforce. The presentation will also cover the impact of the DoD’s efforts with 8570 on global standards of certification, how government workforce initiatives will drive workforce professionalization and which government agencies will be the next to follow suit.
Mr Georg Krause
CE Infosys
Network encryption products are widely used today to create virtual private networks within a public network infrastructure. Large amounts of information, some highly sensitive, are encrypted using these devices and transmitted to other sites through untrusted networks such as the Internet. As such, the security of these devices is of utmost importance to any organisation. However, the selection criteria of these devices usually weigh heavily towards ease of operation and maintenance. Unknown to many, it is relatively simple to defeat a network encryption device, especially if it is poorly designed, and this has been demonstrated in the recent Princeton research. In this presentation, we will describe a self-defending architecture that enables governments and organisations to securely protect the confidentiality of the data on their critical networks. With the recent trends of cyber warfare and cyber terrorism, preserving the security of these networks is paramount, to enable the country to continue functioning in the face of these attacks.
Mr Goh Poh Nguan
Dell Global B.V. (Singapore Branch)
This presentation is targeted at enabling IT managers and network administrators to investigate ways to take advantage of newer, simpler technology for both Fibre Channel and iSCSI. It draws upon practical, customer experiences to offer insights on how SAN Management tools and other cost effective resource management toolkits can assist IT managers in “making the IT environment simple and reducing the cost of management”. Discussions also cover special considerations for SAN migration, storage virtualization and enhanced security policies to support the growing storage requirements in an exploding digital era.
Mr Grant Murphy
Web Gateway Security Products,
Secure Computing
The Web has entered a new era usually referred to as Web 2.0. Security managers have found it extremely challenging to provide their users access to these applications since traditional security tools developed for the Web 1.0 era do not adequately mitigate risks associated with Web 2.0 applications. Yet there are vast business drivers demanding access to these new applications, making them at odds with traditional Web 1.0 security policies based on “blocking” access. The good news is that a Positive Security paradigm now exists for the security manager to safely allow users access to Web 2.0 applications.
Mr Greg Hauw
Ohanae
Confidence is the essential component in today’s digital world. Consumers need to feel confident that their information is safe and their online interactions are secure. Otherwise, the digital lifestyle will not be as exciting or dynamic, and we will not realise the full potential that new technologies will bring to the connected world. While the current endpoint security products offer significant defensive capabilities, the state of the art is not at the level where it offers a sufficient level of resilience against the attackers. The challenge is in figuring out how to close this gap. What happens if this is a problem going forward and people have bad experiences? This presentation offers insights on achieving maximum security online.
Mr Greg Wade
Research In Motion (RIM)
Today's government organisations increasingly support the use of mobile (wireless) devices by their employees. Executives, managers, contractors, suppliers and other employees are connecting their wireless devices to corporate email servers. Across organizations, users seek to improve their productivity through the access of corporate data from mobile devices.
At the same time, government organizations often underestimate the potential security risks of using wireless devices. Organizations need to approach securing wireless devices in the same way that they approach securing the wired components of the local area network (LAN), such as servers, desktop computers and laptop computers. Organizations can establish an overall infrastructure for security that includes wireless devices by installing security features on the devices and implementing appropriate security policies. While implementing security solutions is critical, the unique challenge facing those tasked with wireless security is the direct impact of security measures on the user experience. Creating a secure environment on a mobile device often requires additional device processing power, storage, and battery life. This means that, as a mobile device becomes more secure, it places greater strain on its resources, which affects the performance of the device. This presentation will discuss mobile device security and address questions like “What is mobile security?”, “What is the point of authentication?”, “Why does it matter for mobility?”, “How is mobility different?”, “What are the options?” and “Where do we go from here?”
Mr Harry JC Chang
Biometrics is a preferred method to provide Positive Security. Biometrics has been utilised in applications such as border control, building access control, video surveillance, PC logon, etc. But what is a correct way to incorporate biometrics into a Positive Security model? This presentation highlights the security principles of biometrics, implementing Positive Security with biometrics and intelligent video surveillance.
Ms Irene Ang
Gemalto
Find out how technology can help a person with a busy and hectic lifestyle achieve her desire for more time despite being occupied with meetings, performing, hosting, socializing, etc. This standup comedy will also share the advantages of having an e-ID and how it can help to solve the inconveniences associated with carrying different cards (identity card, driving licenses, EZ-Link card, cash card, credit cards etc).
Mr Jeffrey Kok
RSA, The Security Division of EMC
As digital identities span across enterprises through web applications and services, it becomes essential to easily create, prove and manage those identities. Enterprises understand that automating e-business processes with trusted digital identities can be a catalyst for competitive advantage. This presentation will share how next generation security can help enterprises better manage their e-business environment, making it more secure and increasing user confidence.
Mr Jenson Chong
NetApp Singapore,
NetApp-Avnet
Find out how to enhance infrastructural management and protection with backup, restore, and disaster recovery solutions for VMware virtual server environments. Companies are able to address inherent virtual machine challenges to achieve better data availability, reliability and system scalability. Highlights of this session include approaches on how companies can automate backups of data stores and granular recovery of virtual machines and create cost-effective disaster recovery solutions through replication of data stores to a secondary site.
Mr Jimmy Sng
Security & Technology, Price Waterhouse Coopers
The speaker will cover some of the key themes from the PwC 9th Annual Global State of Information Security study in this presentation, as well as share his perspectives on the following key themes:
• Are companies paying sufficient attention to data privacy?
• Do companies know if their security and privacy policies and measures are actually working?
• What business issues are driving security spending?
• Where does funding for information security come from?
This session will also touch on the similarities and differences between China, India and North America when it comes to privacy, security safeguards and security incident impact.
Mr Joel Weise
Sun Client Services Security Program Office,
Sun Microsystems
Threats of various sorts can reduce the functionality, reliability, performance, availability, security and integrity of IT systems. These characteristics are considered critical enough that they are typically instantiated formally into service level agreements (SLAs). As such, it is reasonable to state that there is a desire to reduce threats at least to a degree whereby one can satisfy the SLAs. This presentation discusses a new perspective on the characteristics of a security architecture that is capable of not only reducing threats accordingly, but anticipating threats before they are manifested; including the capability to address zero day attacks. The approach is to use adaptive security, which is based in part on complex adaptive systems.
Mr Jonathan Koh
Solutions & Consulting, CrimsonLogic
Enterprise Architecture (EA) provides the framework for documenting the enterprise business strategy, business processes, supporting technologies, policies and infrastructures. An outcome of implementing an enterprise architecture framework is the attainment of a comprehensive blueprint of the business processes, applications, systems and interface diagrams, and network topologies, and the explicit relationships between them. It shall also provide a platform for IT security assessment and enhancement. The presentation shall describe an EA methodology as implemented for a government agency, with an example of an EA repository framework, and offer suggestions on areas where IT security audits can utilise an EA framework.
Mr Karianto Leman
Computer Vision and Image Understanding Department,
Institute for Infocomm Research (I2R)
Applications using Computer Vision technology are computationally intensive in general. Past attempts to circumvent this problem have ranged from specialised hardware, DSP, multi processors, hyper threading, and quite recently, multi-core processors. They have enabled complex Computer Vision systems, such as video content analytics systems that analyse human behaviour, to run on a common PC. However, there are still some constraints in terms of cost and operating conditions. Latest advancements in GPU processing have made it possible for general developers to leverage this high arithmetic intensity platform. Proper management of GPU and CPU processing has resulted in efficiency that enables further value chain of Computer Vision applications. In this session, the speaker discusses the implementation of key Computer Vision applications in security surveillance.
Prof Lam Kwok-Yan
PrivyLink International Limited
Biometric recognition systems are widely deployed in e-government systems and commercial applications. This talk aims to highlight important characteristics of biometric recognition systems that could impact the effectiveness of their deployments in real world application systems. Specifically, we need to understand clearly the role of biometric recognition in our application system i.e. whether it is positioned as an enforcement tool or simply as an assistance to human users. When deploying biometric recognition systems, we also need to understand the nature of the application and determine a meaningful trade-off between false accept and false reject which are typical in biometric recognition technologies. We use facial recognition as a case study to elaborate our views and summarize our experiences gathered from various government applications including authentication and border control.
Assoc Prof Lau Wai Shing Michael
School of Mechanical and Aerospace Engineering,
Nanyang Technological University
This presentation gives an introduction to the Robotic Research Centre’s philosophy of collaborative efforts between humans and robotics systems and amongst machines, and in deskilling operators’ tasks in some operations. Various types of unmanned systems will be shown, including conceptual design of security underwater systems. Secondly, the presentation highlights Team Evolution’s experience and expertise in conceptualising and realising the Uni-Seeker. Lastly, it attempts to demonstrate how such systems can be deployed to provide defence of sensitive and essential infrastructure.
Mr Lee Ser Yen
ST Electronics (Info-Security) Pte Ltd (DigiSafe International)
Cryptography is often deployed as the basis of trust to protect the multitude of e-transactions and secure communications that take place over public networks like the Internet. These cryptographic functions can be implemented in either software or dedicated hardware where a higher level of design and security assurance can be provided. Standards such as FIPS-140 and Common Criteria are often used as design and certification criteria to ensure that these cryptographic implementations meet certain pre-defined assurance levels.
This session walks audiences through the design of a typical cryptographic module to highlight the additional engineering considerations and trade-offs involved in the design of such high-assurance cryptographic devices, e.g. tamper-resistance, access control, etc. The discussion also covers how weak implementations and protection mechanisms may be strengthened.
Mr Lim Eyung
Cyber and Digital Security,
Temasek Polytechnic
The threat of terrorism today has heightened security awareness and spurred the deployment of automated biometric systems worldwide. An automated biometric system aims to substitute humans in performing identity authentication through certain biological characteristics. When an automated biometric system is put in the unsupervised mode, biometric samples with insufficient or contaminated features are expected to cause problems. Nevertheless, many biometric systems lack the ability to verify whether the presented samples are carrying valid and sufficient features for authentication. Samples which are quantified as low in quality are often the causes for the instability of biometric systems. By empowering an Automated Fingerprint Identification System (AFIS) with the ability to analyse the quality of the captured fingerprint image during registration and query processes, we will be able to achieve an improvement in the overall matching accuracy.
Mr Loh Kar Whee
InfoComm Infra – InfoAssurance,
Defence Science & Technology Agency (DSTA)
IAM is part of DSTA’s security master plan and the security enabler for its business processes to be executed securely. Processes and technologies such as PKI, Directory Service and Single Sign-On were implemented over the years to achieve Authentication, Authorisation and Accountability. In the coming years, an Identity Management Solution will be implemented to automate manual processes to improve service delivery and accountability, as well as to reduce operational and support costs. The presentation aims to share with the audience the journey taken by DSTA to implement IAM, the challenges faced along the way, and the key success factors to ensure the technologies are well invested.
Mr Mark Yakabuski
SafeNet Inc
Today's governments require industry-leading technology to control costs, improve efficiency, and secure electronic communications. Across all levels of government, they are searching for solutions that increase interoperability and interagency communications. However, sensitive information must be protected against potent threats to ensure that it is only accessed by authorized parties.
Faced with this dilemma, governments are struggling to balance efficient communications with maintaining a high level of security for data transmission.
This presentation will address how to drive tomorrow's security technology to mitigate evolving threats and enable compliance, in particular on data protection. Various kinds of data in databases, hard disks, files, thumb drives, applications etc. are critical and have to be protected in a highly secure way. Check out this presentation and experience how encryption technologies help to achieve the above.
Mr Michael Baum
Splunk Inc.
The enterprise security landscape is shifting with unprecedented insider crime and sophistication - attacks are moving up the stack with a precision and complexity that has never been seen before while insider crime is skyrocketing. With the crime landscape shifting, are you shifting too? Are you monitoring and collecting pertinent data such as configuration files, application logs and transaction logs? Do you know what is happening in your network right now? Are you collecting all the data today that you might need in 6 months when you discover that there was a breach 6 months ago? IT Search is a way to combat this security threat proactively. Collect your data today and be prepared. Your traditional security use-case data is no longer sufficient.
Mr Mike Ding
Enterasys Networks
As the world becomes more connected by networks, the significance of network security has certainly continued to grow vis-à-vis the frequency of attacks and also as the modus operandi of attacks has become more intense and complex. Security issues have now become more visible and important, and their analyses have become more difficult and time consuming. However, we still see common flaws being found with these “standardised systems”, and these exploits are being used over and over again with devastating effect. This presentation highlights some of the network security lessons we can learn from history.
Mr Nati Shapira
Business Development,
Asia Pacific Guardium Inc
In this presentation, the speaker introduces a solution that addresses the entire database security and compliance lifecycle with a unified Web console, back-end data store and workflow automation system, enabling you to locate and classify sensitive information, assess database vulnerabilities and ensure configurations are locked down. As a multi-scale architecture, this solution also provides 100% visibility and granularity into all database transactions, inspects and monitors Encrypted Database Traffic and enforces policies, automates the entire compliance auditing process and creates a single, centralised audit repository.
Dr Ngair Teow Hin
SecureAge Technology Pte Ltd
In modern day corporations, sensitive and critical data are frequently stored on file servers, desktops, laptops and removable storage devices. Loss of mission-critical data may result when such machines and devices are lost or stolen. Full disk encryption solutions and hardware-based disk encryption are good for protecting a machine when it is lost or stolen. However, they do not prevent data from being copied out in plain. An insider could accidentally or maliciously copy plain sensitive data over the network or to removable media. Similarly, malware and remote attackers could steal sensitive data located on the desktops and file servers. This presentation showcases an end-to-end data encryption solution that mitigates such risks by ensuring that all sensitive user data are always encrypted regardless of where they are located. Deployed by some government agencies to secure their data without interfering with the normal usage of the computer systems, the solution ensures that data-at-rest and data on-the-move are always protected from accidental leakage and malicious attacks.
Mr PF Vilquin
Security Channel Sales – APJ, CA
“In the IT Policy Compliance Group’s most recent annual report, a survey of 558 companies ranked only 12 percent as having “mature” GRC systems. That select number, however, also enjoyed 7 percent higher profits, 9 percent greater customer satisfaction rates, and far lesser financial losses from customer data theft than middling performers, the report found.”
Over the past 5 years, companies have explored Identity and Access Management (IAM) solutions in order to automate, simplify and streamline their user and access management. In many cases, the enormous project scopes as well as corresponding budget requirements have put off many organizations, especially in Asia, where adding additional headcount to deal with the increased number of business systems and users remains the most cost-effective solution in the short to mid term. It was mainly FSI organizations, bound by various international and governmental regulations, that could justify or had to deploy such solutions. Over time, the IAM products have become more integrated and easier to deploy. The Governance world has matured; best practices and new products have surfaced to help maximize such IAM infrastructure. With more regulations emerging in Asia, entities can proactively and progressively start moving onto the Governance track and benefit from it rather than scrambling to achieve Compliance.
Mr Ralf Knoeringer
Business Development in Identity Management & Biometrics Solutions, Siemens IT Solutions and Services (Germany)
This presentation attempts to cover the latest challenges in the area of Identity and Access Management (IDM) across enterprises and public sectors, and examine case studies of how these challenges were tackled. This presentation will include examples on how enterprises and government agencies can use IDM to define, manage and control users’ access to their organization’s information and applications while conforming to legal and compliance regulations as well as supporting secure and efficient integration of external partners (identity federation) and security of Web services in Service-Oriented Architectures (SOAs).
Mr Ricky Thong
Solutions and Services (North East Asia and South Asia),
Lexmark
Nearly every business process requires information printed on a piece of paper at some point. However, the increase in paper flow can affect the efficiency of business processes. Gartner suggests that an effective, comprehensive output strategy, in conjunction with a sound corporate policy and governance, can provide an organisation with the framework to squeeze a potential 20% to 40% savings from their output fleet and business processes. This talk examines how organisations can develop a comprehensive output strategy that aligns their business strategies with output mechanisms. This will enable them to reduce costs related to paper-intensive processes and maximise productivity in moving information quickly, effectively and securely.
Mr Rohit Gupta
Imperva
Recent cases of information disclosure and corporate fraud as well as the seemingly endless parade of public data breaches have highlighted the need for a more advanced level of IT controls to support information risk management. One key area of such IT controls lies in the prevention of fraud and abuse inside sensitive databases. This session will review the basics of database fraud and attack prevention (visibility & independence) and cover more advanced topics related to forensics and near real-time data governance. It will also include a demonstration of database security techniques including data change tracking, threshold and type change alerting, and advanced database activity monitoring and correlation.
Mr Tan Teik Guan
Data Security Systems Solutions Pte Ltd
Opening remote access for employees, partners and customers to more applications and services is no longer a luxury or option for many organizations. The demands for rapid service and information-at-your-fingertips anytime, anywhere mean that IT departments within the organizations are under tremendous pressure to allow more applications for remote access. Is the use of VPNs sufficient to ensure that valuable data is kept securely within the bounds of the organization? Sadly the answer is no. In this presentation, the speaker will show where VPNs will fail and how new architectures and the deployment of thin-client technology with strong authentication are the way forward for Convenient, yet Secure Remote Access with Data Leak Protection both for the Intranet and the Internet.
Mr Tan Teik Guan
Data Security Systems Solutions Pte Ltd
The world would have been a much bigger place, if not for your mobile phone. With full-key strength cryptography and secure protocols to send/receive information via SMS/GPRS/3G, we are able to expand the intelligent use of mobile phones to cater to new business usage not supported by the traditional channels. The demonstration-centric presentation will show how health-care, law-enforcement and ministries can use secure mobile applications to enhance their level of service to their users and customers.
Mr Tang Weng Sing
RadianTrust Pte Ltd
RadianTrust has developed an alternative 2nd factor authentication (2FA) that addresses the issues that plague the use of mainstream 2FA solutions such as OTP tokens and SMS. The new innovation aims for high usability, user convenience and lower operating cost for companies, whilst maintaining secure authentication of credentials and even a certain level of anti-phishing capability. With RadianTrust’s latest innovation, secure authentication is a snap.
Mr Tang Weng Sing
RadianTrust Pte Ltd
Building on the past success of its award-winning Optical Document Security solution, Phidelity, RadianTrust has developed ID-Trace, utilizing a technique known as steganography, to insert a covert but traceable “electronic fingerprint” into printed documents. This allows information, such as the identity of the user who initiated the printing or the date of the printing, to be embedded within the print-out without being visually detected and therefore not easily removed.
Without having to invest in special ink, paper or printing equipment, corporations can now inject traceability at the point when data becomes hardcopy – an understated threat that most Data Leak Protection solutions tend to overlook (and hence, ignore) once electronic data is converted into physical form.
Dr Terence Sim
School of Computing,
National University of Singapore
Current authentication systems verify the user only at the beginning of a transaction or a login session, and assume that the same user is present throughout the entire session. This assumption is inadequate for environments in which it is desirable to ensure that the legitimate user is always present, and has not been "hijacked" by an imposter after the initial login. Authentication must, therefore, be performed continuously. Biometrics is most suitable for this task, because it can be unobtrusively acquired and verified without inconveniencing the user. This talk describes the implementation of a multimodal biometric continuous authentication system which uses fingerprint and facial patterns to protect a PC. The system responds very quickly to an imposter, yet tolerates the failure of any single modality, and is much harder to spoof. System overhead is also reasonable: the authorised user does not perceive any degradation in the response of the computer.
Continuous authentication systems are, therefore, eminently feasible, and can be deployed in applications where high assurance of the authorised user is needed.
Mr Tony Chew
Monetary Authority of Singapore
In recent times, Internet banking has become one of the most efficient and popular electronic channels for financial services in many advanced countries in the world. PINs alone have been inadequate for protecting online access to Internet banking accounts. In response to a guideline issued by the Monetary Authority of Singapore (MAS) in November 2005, banks in Singapore had completed their deployment of two factor authentication for online access mostly in early 2007.
Following the full implementation of 2FA at login and for high-risk transactions, Internet banking attained a new landmark in Singapore. In 2007, there were no Internet banking fraud losses. From 2006 to 2007, the number of retail and commercial Internet banking customers grew 20%, while dollar transaction volumes for payments and funds transfers increased more than 70%.
Mr William Tam
Websense Inc.
IDC reports that inadvertent data loss has moved to the top of the list of threats to organisation network security with malicious code, spam, data stolen by employees or business partners, and hackers rounding out the list. Today’s threats have two things in common: they target sensitive data, and they use the Internet as an attack vector. Cross-channel threat convergence, using a combination of email, the Internet, and applications, and the real-time experience of the Web have made accurate, timely detection and response to threats impossible for limited point solutions.
In this session, we examine how you can build an integrated threat defence and effective data loss prevention strategy by adopting a policy-based control over your organisation’s sensitive data and by managing the “who, what, how, and where” of your essential information.
Mr Willie Lim Poh Heng
Technology and Solutions,
Fuji Xerox Singapore
Information is the organisation's most important asset. Protection of information assets is necessary as an organisation’s earnings and reputation can be adversely affected if information becomes known to unauthorised parties, is altered, or is not available when it is needed. Organisations have invested heavily in deploying information security measures and technologies to protect and secure electronic information that is vital to their operations. This talk explains why organisations should not neglect the protection of paper-based documents. Attend this talk to discover the risks of today's paper-based processes, why paper document security is important and how you can improve your document security with the latest document security technologies.
Mr Wong Onn Chee
Resolvo Systems Pte Ltd
Protecting against leakages from within your organisation is becoming more relevant in today's well-connected world. Common examples of leakages are loss of laptops, USB storage devices and even employees copying competitive information to their personal email accounts. This talk explains the growing importance of Information Leakage Detection and Prevention (ILDP), including discussions on the relevant Singapore statutes. Learn about (in)famous examples of information leakages worldwide and possibly the world's first implementation framework for ILDP.
Mr Xavier Fricout
Oberthur Technologies – Identity Division
Electronic ID (eID) documents allow a holder to access electronic services with a very high level of confidence. At the moment, only the microchip technology is used to ensure total privacy and security of data stored in the electronic ID. As it is a new domain, compared to the other microchip applications (e.g. banking, GSM) and as the requirement for security is very high, very sophisticated features are used: contactless communication, security evaluation, and very strong cryptography. In particular, there is an increase in reliance on elliptic curve cryptography, which is much more efficient than RSA.
The European approach focuses on two different subjects: the travel document storing biometrics and ensuring a high level of security for the holder (EAC passport), and the eServices cards, giving access to a large set of eServices (European Citizen Card). These approaches were initiated by a political momentum, and built from the bottom to the top (what are the user’s needs?) and to fit the market’s needs through standardisation groups and gathering the European industry.
Mr Xiao Guozhen
Transmitting data streams over public networks is a common requirement in e-government applications. The protection of stream data is typically provided by means of pseudo-random sequences. The security of the stream protection depends on the linear complexity and period of the sequences. This talk sheds light on a method that produces sequences with large linear complexity whilst preserving a large period at the same time. The sequence generated by an LFSR is controlled by two other LFSR sequences. On the other hand, the generated sequence also controls the LFSR clock. The period and the linear complexity of the generated sequence are discussed.
Dr Yau Wei-Yun
Institute for Infocomm Research and Chairman of the Biometrics Technical Committee,
Singapore IT Standards Committee
Fingerprint is still the most dominant biometric in use today. However, there is a growing threat of such systems being circumvented, especially using the fake finger attack. This talk examines the security vulnerability of a fingerprint system and discusses some of the known fake finger attacks and the recently proposed methods to overcome such attacks.
Mr Yeong Chee Wai
Product Marketing (Asia Pacific),
Symantec
This session presents the latest findings from the Symantec Internet Security Threat Report. Alerting attendees to current trends and impending threats that Symantec has observed for the last six-month period, the presentation provides an update of Internet threat activity in the Asia Pacific region and worldwide. It includes analysis of network-based attacks, a review of known vulnerabilities, and highlights of malicious code. It also assesses trends in phishing and spam activity.

Information is correct at time of publication and may be subject to change













