Certificate of Cloud Auditing Knowledge (CCAK) – More classes in Hong Kong and Macau

After announcing our first local class on Certificate of Cloud Auditing Knowledge (CCAK) class in Hong Kong, we received more official supports from VTC that more of our CCAK class are now officially accepted RTTP approved training programs (That is, 66% off from the listed price of the course).

In the coming 2 months, we will have 4 available CCAK classes that available for interested parties at different pace. 2 days, 3 days and weekly evening classes are available for different participants to take the class online.

In order to catch this training opportunity for yourself or your company offered by Cloud Security Alliance (HK & Macau) chapter and Hatter Company Limited, you can check the list of courses within the schedule CCAK class schedule.

If you are interested in registering the class, you can register in the RTTP web site or in Hatter Company CCAK class site.

More cloud security and audit class will be available soon.

Happy Learning.

Cyber-Dependent Crimes and Jurisdictional Issues (HKLRC Consultation Paper) Follow-up Discussion

The consultation paper on Cyber-Dependent Crimes and Jurisdictional Issues was published by the Cybercrime Sub-committee of the Law Reform Commission on July 20, 2022.  

https://www.hkreform.gov.hk/en/publications/cybercrime.htm

We have a fruitful discussion at our forum on September 14, 2022 when we touched on the terms “to acquire certification” and “accrediting cybersecurity practitioners” in the consultation paper. As the paper referred to Cyber Security Agency (CSA) of Singapore, we believe it would be better for us to understand what is CSA of Singapore’s objectives and how they define the program before we define how our future direction to be.

Cloud Security Alliance Hong Kong & Macau Chapter has invited our CSA APAC ex-colleague Anthony Lim to share his view and provide highlights to us on the Cyber Security Agency (CSA) of Singapore accreditation program.

Participants will claim 1 CPE.

DATE: September 27, 2022 (Tuesday)
TIME: 12:30 – 01:30 pm
FORMAT: Webinar
TOPIC: Learn our way to accreditation and qualification of CyberSecurity Professions from Singapore CSA
SPEAKER: Anthony Lim, Fellow, Cybersecurity, Governance & FinTech, School of Business, Singapore University of Social Sciences 

AGENDA:

  • Objectives behind accreditation and qualification of CyberSecurity Professions in Singapore
  • What is the roles and authority of CSA?
  • What is the qualification and accreditation process and requirement?
  • What is the advantages and disadvantages of the qualification scheme?
  • How to align with existing international qualifications?
  • How to align with university CyberSecurity training program?
  • What is the current status of the accreditation program?
  • How to shape similar program in Hong Kong?

THE SPEAKER: 

Anthony is a pioneer and veteran in cybersecurity and governance in Singapore and the Asia Pacific region, with over 25 years’ professional experience, as consultant, advocate, instructor, auditor and business leader.  His current interests include application security, cloud security, GRC (governance, risk management & compliance), policy & audit, smart cities and operational technology (OT).

He has held key inaugural Asia Pacific cybersecurity business leadership roles, IBM, CA and Check Point, was regional principal consultant at Fortinet and project CISO at NCS.

Anthony is a long-time well-known speaker and content provider for many business, industry, government and academic conferences, workshops, committees, executive roundtables and media (print, broadcast, internet), and has been interviewed often on national news.  He has also been a judge at national and regional industry awards, and himself has won some industry awards, and also is charter member of a government cybersecurity committee.

He was a co-developer of an acclaimed international cloud security professional certification, and was a pioneer and advocate of application security certification in the region.  He has presented on matters of cyber-security and governance at seminars at Washington DC, NATO, Stanford University, Tsinghua University and RSA Asia Pacific.He is a guest and adjunct module developer and instructor at some universities (Master’s and adult-executive programs), professional training institutes and certification programs in the region, an ISO-27001 lead auditor, and life alumni member of the University of Illinois, Urbana-Champaign.    

REGISTRATION: https://CSAHKM-220927.eventbrite.hk

Cyber-Dependent Crimes and Jurisdictional Issues (HKLRC Consultation Paper) Discussion Forum

The consultation paper on Cyber-Dependent Crimes and Jurisdictional Issues was published by the Cybercrime Sub-committee of the Law Reform Commission on July 20, 2022.  

https://www.hkreform.gov.hk/en/publications/cybercrime.htm

The purpose of the consultation paper is to make preliminary proposals for law reform on addressing the issues of the protection of individuals’ rights as well as the criminal activities carried out by the rapid developments of information technology, the computer and the internet.

This consultation is affecting our future view in CyberSecurity area. The proposed five cyber-dependent crimes mentioned in the paper will definitely impacts all of us including CyberSecurity practitioners and even IT practitioners.

Thus, Cloud Security Alliance Hong Kong & Macau Chapter is working with HKU Computer Science Department, as well as Information Security and Forensics Society (https://www.isfs.org.hk), Hong Kong Computer Society (https://www.hkcs.org.hk) and other IT organisations to jointly organise a Tech Forum to discuss on the topic.

Online Discussion will be held on September 14, 2022:

DATE: September 14, 2022 (Wednesday)
TIME: 18:30 – 20:30 (HK Time)
FORMAT: Online Zoom
TOPIC: HKU-CS Online Tech Forum and Discussion:  the Consultation Paper on Cyber-Dependent Crimes and Jurisdictional Issues

Agenda

  • Opening Remarks
  • Brief Introduction – The Purpose Of This Forum
  • Brief Introduction – The Consultation Paper
  • Q&A Session
  • Closing Remarks

Free registration at https://forms.gle/eJtEsxGZkrMPFQ5HA

Certificate of Cloud Auditing Knowledge (CCAK) – First local class in Hong Kong and Macau

Auditing of Cloud Computing Environment is getting more important than ever. More application and infrastructure already implemented in the Cloud Environment.

In last month, Cloud Security Alliance and ISACA jointly promoted the Certificate of Cloud Auditing Knowledge (CCAK) virtual class with discount.

In this month, after we got the confirmation from VTC for the RTTP approval, we can start to offer our first CCAK class in Hong Kong locally. In order to catch this training for yourself or your company, Cloud Security Alliance (HK & Macau) chapter and Hatter Company Limited offer this CCAK evening (Hybrid Class) from 23 August 2022 to 20 Sep 2022 on every Tuesday from 19:00 – 22:00.

If you are interested in registering the first ever CCAK class, you can register and check the link in RTTP web site and apply directly.

CSA (HK and Macau) Chapter members will be entitled to membership discount. For non-CSA (HK&M) Chapter member, you will also be granted with the CSA (HK and Macau) Chapter membership, after taking the class.

CSA HKM Knowledge Sharing Event – June 2022

Securing cloud computing environment is more than just protecting data and workloads in the cloud and cloud management platform. When more and more cloud-based applications were developed in shared model, vulnerabilities in shared environment could fall between the cracks. Thus, supply chain risk already become a serious issue to many companies.

In the Knowledge Sharing Event organised by Cloud Security Alliance Hong Kong & Macau Chapter on June 9, we will look into how to detect and mitigate supply chain risks.

Checkmarx Engineer, Richard Lee, will bring us to the practice world of security review through demonstration. He will cover:

  • The types of risks associated with open source libraries  
  • How to test the libraries you’re using for safety 
  • Tools you can use to protect your business
  • New reputational and behavioral analysis techniques to overcome obfuscation attempts

Please do not miss this opportunity to learn from the expert and get connected with your peers.

Participants will claim 1 CPE.

DATE: June 9, 2022 (Thursday)
TIME: 12:30 – 01:30 pm
FORMAT: Webinar
TOPIC: Open Source Software Supply Chain: Risks and Mitigation
SPEAKER: Richard Lee, APAC Channel Sales Engineer, Checkmarx

CONTENT:

Open source libraries have become an essential part of almost all modern applications.  Without open source, software development would be stuck in the slow lane. Not “reinventing the wheel” each time you need a certain functionality in an app saves time and effort, and as a result, open source isn’t going away anytime soon. If anything, it’s becoming more and more widespread.     

But there’s a certain amount of risk that comes with using open source components, modules, and libraries. Today, it’s increasingly important to protect yourself from these risks.

In this session, we discussed the importance and prevalence of open source software as well as the ways you can protect yourself from its attendant risks and licensing issues. The goal is to catch issues early, before they can become a problem or a liability. We’ll cover best practices to secure the software supply chain against errors and bad actors, along with what steps to avoid.

THE SPEAKER:
Richard Lee is currently the Checkmarx Channel Sales Engineer for the Asia Pacific Region with over 10 years’ experience in the IT, IT security and Application Security industry. He has held various positions in manufacturing, software companies and information security companies.

Richard is currently responsible for AST Platform, SAST (Static Application Security Testing), IAST (Interactive Application Security Testing), SCA (Software Composition Analysis) and CodeBashing technologies. Prior to joining Checkmarx he held various positions at Intel, Microsoft, HP and SafeNet.

Richard holds a bachelor’s degree in Computer Science from the University of Kansas, USA.

View the presentation: https://youtu.be/LY8Tkisq2Zs

CSA HKM Knowledge Sharing Event – May 2022

Covid-19 situation is less severe these days. Work from home is not strictly required now. Life is now back to normal. Under the new normal situation, Cloud Computing become a critical component in our daily work. One of the main concern in using Cloud Computing environment is the security.

How can we store secret across multiple cloud environment for secure cloud workflow? In this knowledge sharing session, we invited HashiCorp Cloud Platform to provide us with some insights.

Shohei Maeda, Developer Advocate for HashiCorp APJ will share with us how secret could be and should be stored in cloud and container environment. He will also bring us to the Zero Trust Security model to secure our workflow environment.

Please do not miss this opportunity to learn from the expert and get connected with your peers.

Participants will claim 1 CPE.

DATE: May 19, 2022 (Thursday)
TIME: 12:30 – 01:30 pm
FORMAT: Webinar
TOPIC: Managing Secrets at scale for a Secure Cloud workflow
SPEAKER: Shohei Maeda, Developer Advocate for HashiCorp APJ

CONTENT:
Traditionally, people, applications, and services with access to resources are given their own set of long-lived, scoped credentials.  As your organization, teams, and systems scale, the number of these credentials and the access to them will only increase over time, and are used everywhere which causes what is called “Secret Sprawl”.  Static credentials that exist in your workflows are always at risk of leakage and introduce a large attack surface.

This session will show you how you can apply a Zero Trust Security model that secures your workflows by leveraging dynamic and short-lived credentials.
With this, you are able to avoid managing static, long-lived secrets across systems, and giving direct access to these secrets is no longer required.

THE SPEAKER:
Shohei is a developer advocate at HashiCorp who loves learning new technologies. He lives in Tokyo, Japan.

With his broad experience in Infrastructure, security, and web engineering, he focuses on building new tools and tackling complex problems that developer communities run into to make their life easy and happy.

View the Presentation: https://www.youtube.com/watch?v=RZ3-rKiAEvY

CSA HKM Knowledge Sharing Event – April 2022

Covid-19 brings us a lot of challenges but at the same time with Work / Study at Home opportunity. We have secure a number of new study opportunities and learning opportunities to our members.

Firstly, as a CSA HKM Chapter member, you can enjoy our knowledge sharing session and claim CPE. Besides, if you are our member and have attended 3 of our knowledge sharing event sessions, you can then entitle to register for our CCSK course and CCAK course with special member discount (Membership – Associate Member).

In April we invited Mr Ken Zhang, Head of Security Hong Kong, Google Cloud, to join us again to share the new topic on Security Framework SLSA for CI/CD pipeline. Ken has delivered a talk for us on Cloud Infrastructure Continuous Compliance in November last year.

Please do not miss this opportunity to learn from the expert and get connected with your peers.

Participants will claim 1 CPE.

DATE: April 21, 2022 (Thursday)

TIME: 12:30 – 01:30 pm

VENUE: Webinar

SPEAKER: Ken Zhang, Head of Security Hong Kong, Google Cloud

TOPIC: Supply chain Levels for Software Artifacts (SLSA) – Open-source Security framework for Serverless and CI/CD Pipeline.

CONTENT:

SLSA is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. The solution takes the conceptual framework and turns it into a reference architecture and actual implementation on GCP using native, serverless GCP CI/CD toolchain and Binary Authorisation.

You can directly borrow the solution demo setup & code to start their GCP based CI/CD pipeline design and build. You can also leverage the reference architecture to build out their own pipeline leveraging GCP Binary Authorisation and GKE, or your own pipeline on-premises or on other cloud.

THE SPEAKER:

Ken led multi-cloud security and transformation projects in Australia and the Greater China Region. He has experience helping organisations with their security and transformation journeys in banking, insurance, retail, health service and manufacturing industries

View the Presentation: https://youtu.be/C8h6mfM_VhY

CSAHKM Additional Sharing on Log4j on 17 December 2021

Log4j exploit is definitely the hottest topic over this week. Many of the IT company or IT support person said it is the Log4j week. We definitely do not want to be inert or reactive about this hot topic, but we should also not be over reactive by the incident.

So on top of our scheduled regular monthly knowledge sharing session event on this week 17 Dec 2021, CSA (HK & Macau Chapter) consider that it would be a good time that we squeeze 20 minutes from our sharing session and seize this time to pull in a panel to talk about this Log4j exploit attack method, defense mechanism, solutions by cloud service provider for cloud users and current trend detected about the attack in the wild and next step that we could do.

So we will have the following speakers in the panel this friday 17 Dec 2021. You just need join in the event by registering at the same knowledge sharing session link, https://csahkmkse2112.eventbrite.hk

Samuel NG (ASTRI and CSA HKM Vice Chairman of Programs & Research) will cover the attack method of Log4j exploits.

Otto LEE (HKCERT and CSA HKM Vice Chairman – Secretarial & Treasurer) will highlight the alerts and updates about the Log4j vulnerability.

Pike WONG (Data Voyager) will cover the observed current and changes of attack pattern of Log4j related attack in this week.

Vincent IP (PISA, Hon. Secretary & Treasurer) will share the mitigation solutions that corporate and SME can use to reduce the attack currently.

Harry PUN (Microsoft and Deputy Chairman) will give us some input and advises how cloud service provider did to manage the incident and what solutions they provide to cloud user.

Also join our organisation CSA HKM for more benefits and more event in the coming year. You can have discount in our CCSK, CCAK and CCSP training.

DATE: December 17, 2021 (Friday)

TIME: (New time) 13:15 – 13:45 pm

VENUE: Webinar

View the presentation: https://youtu.be/FuFB13MgXX4

(start from 00:47:46)

CSA HKM Knowledge Sharing Event – December 2021

It is coming to the end of 2021 and it is time for CSA HKM to organise the last knowledge sharing event for this year. Instead of technical hardcore topics, CSA HKM would like to hold a legal and compliance event hosted by our Macau Chapter.

The Macau Cyber Security Law was legislated since December 2019. In the past 2 years, how is this law affecting the security posture of Macau? How are the related organizations reacted to this law? In this seminar, Terry Cheung, Deputy Chairman – Macau of CSA HKM, will highlight the requirements of the law and the related guideline and review the work that the related organizations, the governing bodies have been contributed for compliance and the reduction of security risks and the privacy requirements will also be discussed. 

Participants will claim 1 CPE.

DATE: December 17, 2021 (Friday)

TIME: 12:30 – 01:15 pm (Updated)

VENUE: Webinar

SPEAKER: Mr. Terry CHEUNG, President of the ISACA Macao Chapter, the Deputy Chairman of Macau of CSA HKM Chapter and Managing Director of TopSOC Information Security Limited

TOPIC: Macau CyberSecurity in Action

LANGUAGE: Cantonese

THE SPEAKER:

Terry has been in IT and Information Security sectors for over 25 years. He has been working in various industries including banking, government, telecommunications, hospitality and gaming and cyber security consultancy. He has experiences in security policy development, forming new security team, design and deploy various security systems including two tiers DDoS protection service, central logging system and SIEM, ISO27001 implementation, etc. Heparticipated in the development and implementation of many systems including core banking systems, converged billing systems, ERP, HR, CRM, Call Center system, gaming and hospitality systems, etc. In the past few years, he has provided security professional services related to the Macau Cyber Security Law.

Apart from work, Terry is also the founder of the Information Systems Audit and Control Association (ISACA) Macao Chapter and the Cloud Security Alliance (CSA) Hong Kong & Macau Chapter. Currently, he is serving as the President of the ISACA Macao Chapter and the Deputy Chain of Macau of CSA HKM. He is working as the Managing Director of TopSOC Information Security Limited.

Terry holds professional qualifications such as CISP CISI CISSP CCSP CISM CISA CDPSE CITP CEng ACA MVP.

View the presentation: https://youtu.be/FuFB13MgXX4

CSA HKM Knowledge Sharing Event – August 2021

DevOps, DevSecOps, CI/CD Pipeline are definitely hot topics within the Cloud Computing industry. In the forthcoming knowledge sharing session, we will address issues on DevOps and CI/CD security protection, this time from the perspective of a security vendor.

In our August event, Cloud Security Alliance Hong Kong & Macau Chapter has invited Kev Hau from CheckPoint Software Technologies Ltd to talk about Modern Cloud Application Security.

Protecting applications has always been challenging. As applications grow in number, size and complexity. Cloud application are made up of multiple layers – from the cloud infrastructure, to the DevOps pipelines, the microservices (containers, serverless functions and virtual machines), the application layer and the APIs.

Today, application developers are directly provisioning applications to the cloud by using cloud platforms like AWS, Google and Azure without any additional assistance from IT or platform teams. Developers release and update software on demand in the cloud using continuous integration and continuous deployment (CI/CD) for rapid software releases and updates. In addition, modern applications are more open and connected with an increased number of APIs, which further expands the attack surface where legacy application security approach is ineffective.

To protection the modern cloud application, we need a new approach – shifting security responsibilities to those creating software, the developers, and it shifts it to the beginning of the process when the developers are provisioning infrastructure.

Please do not miss this opportunity to learn from the expert and get connected with your peers.

Participants will claim 1 CPE.

DATE: 19 Aug, 2021 (Thursday)

TIME: 12:30 – 01:30 pm

VENUE: Webinar

SPEAKER: Kev Hau, Head of Security Engineering, Hong Kong and Taiwan, Check Point Software Technologies

TOPIC: Modern Cloud Application Security

THE SPEAKER:

Kev Hau is the Head of Security Engineering, Hong Kong and Taiwan at Check Point Software Technologies and the Cyber Security Evangelist, a member of the CTO office. Kev has over 10 years of experience in cyber security industry. 

In Check Point, he works closely with all the Check Point partners and customers through his team of security experts by providing consultation and advice on how to deal with the cyber threat. He is also the leadership point of contact between partners, strategic customers and channels, as well as
Check Point’s product research and development team.

Kev holds a Bachelor of Science in Computer Science from Brunel University.

View the Presentation: https://youtu.be/aPU4yeME8O8

Presentation File: https://bit.ly/37Wk28b