Cyber-Dependent Crimes and Jurisdictional Issues (HKLRC Consultation Paper) Discussion Forum

The consultation paper on Cyber-Dependent Crimes and Jurisdictional Issues was published by the Cybercrime Sub-committee of the Law Reform Commission on July 20, 2022.  

https://www.hkreform.gov.hk/en/publications/cybercrime.htm

The purpose of the consultation paper is to make preliminary proposals for law reform that address the protection of individuals’ rights as well as the criminal activities arising from the rapid development of information technology, the computer and the internet.

This consultation will affect our future outlook in the CyberSecurity area. The five proposed cyber-dependent crimes mentioned in the paper will definitely impact all of us, including CyberSecurity practitioners and even IT practitioners.

Thus, Cloud Security Alliance Hong Kong & Macau Chapter is working with the HKU Computer Science Department, as well as the Information Security and Forensics Society (https://www.isfs.org.hk), the Hong Kong Computer Society (https://www.hkcs.org.hk) and other IT organisations, to jointly organise a Tech Forum to discuss the topic.

An online discussion will be held on September 14, 2022:

DATE: September 14, 2022 (Wednesday)
TIME: 18:30 – 20:30 (HK Time)
FORMAT: Online Zoom
TOPIC: HKU-CS Online Tech Forum and Discussion:  the Consultation Paper on Cyber-Dependent Crimes and Jurisdictional Issues

Agenda

  • Opening Remarks
  • Brief Introduction – The Purpose Of This Forum
  • Brief Introduction – The Consultation Paper
  • Q&A Session
  • Closing Remarks

Free registration at https://forms.gle/eJtEsxGZkrMPFQ5HA

Certificate of Cloud Auditing Knowledge (CCAK) – First local class in Hong Kong and Macau

Auditing of Cloud Computing environments is more important than ever. More applications and infrastructure are already implemented in the Cloud environment.

Last month, Cloud Security Alliance and ISACA jointly promoted the Certificate of Cloud Auditing Knowledge (CCAK) virtual class at a discount.

This month, having received confirmation from VTC of the RTTP approval, we can start to offer our first CCAK class locally in Hong Kong. To let you take up this training for yourself or your company, Cloud Security Alliance (HK & Macau) chapter and Hatter Company Limited are offering this CCAK evening class (Hybrid Class) every Tuesday from 23 August 2022 to 20 Sep 2022, 19:00 – 22:00.

If you are interested in registering for the first-ever CCAK class, you can check the link on the RTTP web site and apply directly.

CSA (HK and Macau) Chapter members are entitled to a membership discount. Non-members will also be granted CSA (HK and Macau) Chapter membership after taking the class.

CSA HKM Knowledge Sharing Event – June 2022

Securing a cloud computing environment is more than just protecting data and workloads in the cloud and the cloud management platform. As more and more cloud-based applications are developed under a shared model, vulnerabilities in the shared environment can fall between the cracks. Thus, supply chain risk has already become a serious issue for many companies.

In the Knowledge Sharing Event organised by Cloud Security Alliance Hong Kong & Macau Chapter on June 9, we will look into how to detect and mitigate supply chain risks.

Checkmarx engineer Richard Lee will take us into the practical world of security review through a demonstration. He will cover:

  • The types of risks associated with open source libraries  
  • How to test the libraries you’re using for safety 
  • Tools you can use to protect your business
  • New reputational and behavioral analysis techniques to overcome obfuscation attempts

Please do not miss this opportunity to learn from the expert and get connected with your peers.

Participants will claim 1 CPE.

DATE: June 9, 2022 (Thursday)
TIME: 12:30 – 01:30 pm
FORMAT: Webinar
TOPIC: Open Source Software Supply Chain: Risks and Mitigation
SPEAKER: Richard Lee, APAC Channel Sales Engineer, Checkmarx

CONTENT:

Open source libraries have become an essential part of almost all modern applications.  Without open source, software development would be stuck in the slow lane. Not “reinventing the wheel” each time you need a certain functionality in an app saves time and effort, and as a result, open source isn’t going away anytime soon. If anything, it’s becoming more and more widespread.     

But there’s a certain amount of risk that comes with using open source components, modules, and libraries. Today, it’s increasingly important to protect yourself from these risks.

In this session, we discussed the importance and prevalence of open source software as well as the ways you can protect yourself from its attendant risks and licensing issues. The goal is to catch issues early, before they can become a problem or a liability. We’ll cover best practices to secure the software supply chain against errors and bad actors, along with what steps to avoid.

THE SPEAKER:
Richard Lee is currently the Checkmarx Channel Sales Engineer for the Asia Pacific Region with over 10 years’ experience in the IT, IT security and Application Security industry. He has held various positions in manufacturing, software companies and information security companies.

Richard is currently responsible for AST Platform, SAST (Static Application Security Testing), IAST (Interactive Application Security Testing), SCA (Software Composition Analysis) and CodeBashing technologies. Prior to joining Checkmarx he held various positions at Intel, Microsoft, HP and SafeNet.

Richard holds a bachelor’s degree in Computer Science from the University of Kansas, USA.

View the presentation: https://youtu.be/LY8Tkisq2Zs

CSA HKM Knowledge Sharing Event – May 2022

The Covid-19 situation is less severe these days. Working from home is no longer strictly required, and life is back to normal. Under the new normal, Cloud Computing has become a critical component of our daily work. One of the main concerns in using a Cloud Computing environment is security.

How can we store secrets across multiple cloud environments for a secure cloud workflow? In this knowledge sharing session, we invited HashiCorp Cloud Platform to provide us with some insights.

Shohei Maeda, Developer Advocate for HashiCorp APJ, will share with us how secrets could and should be stored in cloud and container environments. He will also introduce us to the Zero Trust Security model for securing our workflow environment.

Please do not miss this opportunity to learn from the expert and get connected with your peers.

Participants will claim 1 CPE.

DATE: May 19, 2022 (Thursday)
TIME: 12:30 – 01:30 pm
FORMAT: Webinar
TOPIC: Managing Secrets at scale for a Secure Cloud workflow
SPEAKER: Shohei Maeda, Developer Advocate for HashiCorp APJ

CONTENT:
Traditionally, people, applications, and services with access to resources are given their own set of long-lived, scoped credentials. As your organization, teams, and systems scale, the number of these credentials and the access to them will only increase over time, and they end up being used everywhere, which causes what is called “Secret Sprawl”. Static credentials that exist in your workflows are always at risk of leakage and introduce a large attack surface.

This session will show you how you can apply a Zero Trust Security model that secures your workflows by leveraging dynamic and short-lived credentials. With this, you are able to avoid managing static, long-lived secrets across systems, and giving direct access to these secrets is no longer required.

THE SPEAKER:
Shohei is a developer advocate at HashiCorp who loves learning new technologies. He lives in Tokyo, Japan.

With his broad experience in Infrastructure, security, and web engineering, he focuses on building new tools and tackling complex problems that developer communities run into to make their life easy and happy.

View the Presentation: https://www.youtube.com/watch?v=RZ3-rKiAEvY

CSA HKM Knowledge Sharing Event – April 2022

Covid-19 has brought us a lot of challenges, but at the same time Work / Study at Home opportunities. We have secured a number of new study and learning opportunities for our members.

Firstly, as a CSA HKM Chapter member, you can enjoy our knowledge sharing sessions and claim CPE. Besides, if you are our member and have attended 3 of our knowledge sharing event sessions, you are then entitled to register for our CCSK course and CCAK course with a special member discount (Membership – Associate Member).

In April we invited Mr Ken Zhang, Head of Security Hong Kong, Google Cloud, to join us again to share a new topic: the SLSA security framework for CI/CD pipelines. Ken delivered a talk for us on Cloud Infrastructure Continuous Compliance in November last year.

Please do not miss this opportunity to learn from the expert and get connected with your peers.

Participants will claim 1 CPE.

DATE: April 21, 2022 (Thursday)

TIME: 12:30 – 01:30 pm

VENUE: Webinar

SPEAKER: Ken Zhang, Head of Security Hong Kong, Google Cloud

TOPIC: Supply chain Levels for Software Artifacts (SLSA) – Open-source Security framework for Serverless and CI/CD Pipeline.

CONTENT:

SLSA is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. The solution takes the conceptual framework and turns it into a reference architecture and actual implementation on GCP using native, serverless GCP CI/CD toolchain and Binary Authorisation.

You can directly borrow the solution demo setup & code to start your GCP-based CI/CD pipeline design and build. You can also leverage the reference architecture to build out your own pipeline using GCP Binary Authorisation and GKE, or your own pipeline on-premises or on another cloud.

THE SPEAKER:

Ken led multi-cloud security and transformation projects in Australia and the Greater China Region. He has experience helping organisations with their security and transformation journeys in the banking, insurance, retail, health service and manufacturing industries.

View the Presentation: https://youtu.be/C8h6mfM_VhY

CSAHKM Additional Sharing on Log4j on 17 December 2021

The Log4j exploit is definitely the hottest topic this week. Many IT companies and IT support people have said it is Log4j week. We definitely do not want to be inert or merely reactive about this hot topic, but we should also not overreact to the incident.

So, on top of our regular monthly knowledge sharing session scheduled for this week on 17 Dec 2021, CSA (HK & Macau Chapter) considers it a good time to squeeze 20 minutes from our sharing session and pull in a panel to talk about the Log4j exploit: the attack method, defense mechanisms, solutions offered by cloud service providers to cloud users, the current trend of attacks detected in the wild, and the next steps that we could take.

So we will have the following speakers on the panel this Friday, 17 Dec 2021. You just need to join the event by registering at the same knowledge sharing session link, https://csahkmkse2112.eventbrite.hk

Samuel NG (ASTRI and CSA HKM Vice Chairman of Programs & Research) will cover the attack method of Log4j exploits.

Otto LEE (HKCERT and CSA HKM Vice Chairman – Secretarial & Treasurer) will highlight the alerts and updates about the Log4j vulnerability.

Pike WONG (Data Voyager) will cover the attack patterns of Log4j-related attacks observed this week and how they have changed.

Vincent IP (PISA, Hon. Secretary & Treasurer) will share the mitigation solutions that corporations and SMEs can currently use to reduce the attacks.

Harry PUN (Microsoft and Deputy Chairman) will give us some input and advice on how cloud service providers managed the incident and what solutions they provide to cloud users.

Also, join our organisation CSA HKM for more benefits and more events in the coming year. You can get a discount on our CCSK, CCAK and CCSP training.

DATE: December 17, 2021 (Friday)

TIME: (New time) 13:15 – 13:45 pm

VENUE: Webinar

View the presentation: https://youtu.be/FuFB13MgXX4

(start from 00:47:46)

CSA HKM Knowledge Sharing Event – December 2021

It is coming to the end of 2021 and it is time for CSA HKM to organise the last knowledge sharing event for this year. Instead of technical hardcore topics, CSA HKM would like to hold a legal and compliance event hosted by our Macau Chapter.

The Macau Cyber Security Law has been in place since December 2019. In the past 2 years, how has this law affected the security posture of Macau? How have the related organizations reacted to this law? In this seminar, Terry Cheung, Deputy Chairman – Macau of CSA HKM, will highlight the requirements of the law and the related guideline, and review the work that the related organizations and the governing bodies have contributed towards compliance and the reduction of security risks. The privacy requirements will also be discussed.

Participants will claim 1 CPE.

DATE: December 17, 2021 (Friday)

TIME: 12:30 – 01:15 pm (Updated)

VENUE: Webinar

SPEAKER: Mr. Terry CHEUNG, President of the ISACA Macao Chapter, the Deputy Chairman of Macau of CSA HKM Chapter and Managing Director of TopSOC Information Security Limited

TOPIC: Macau CyberSecurity in Action

LANGUAGE: Cantonese

THE SPEAKER:

Terry has been in the IT and Information Security sectors for over 25 years. He has worked in various industries including banking, government, telecommunications, hospitality and gaming, and cyber security consultancy. He has experience in security policy development, forming new security teams, and designing and deploying various security systems including a two-tier DDoS protection service, central logging system and SIEM, ISO27001 implementation, etc. He participated in the development and implementation of many systems including core banking systems, converged billing systems, ERP, HR, CRM, Call Center system, gaming and hospitality systems, etc. In the past few years, he has provided security professional services related to the Macau Cyber Security Law.

Apart from work, Terry is also the founder of the Information Systems Audit and Control Association (ISACA) Macao Chapter and the Cloud Security Alliance (CSA) Hong Kong & Macau Chapter. Currently, he is serving as the President of the ISACA Macao Chapter and the Deputy Chairman of Macau of CSA HKM. He is working as the Managing Director of TopSOC Information Security Limited.

Terry holds professional qualifications such as CISP, CISI, CISSP, CCSP, CISM, CISA, CDPSE, CITP, CEng, ACA and MVP.

View the presentation: https://youtu.be/FuFB13MgXX4

CSA HKM Knowledge Sharing Event – August 2021

DevOps, DevSecOps, CI/CD Pipeline are definitely hot topics within the Cloud Computing industry. In the forthcoming knowledge sharing session, we will address issues on DevOps and CI/CD security protection, this time from the perspective of a security vendor.

In our August event, Cloud Security Alliance Hong Kong & Macau Chapter has invited Kev Hau from CheckPoint Software Technologies Ltd to talk about Modern Cloud Application Security.

Protecting applications has always been challenging, as applications grow in number, size and complexity. Cloud applications are made up of multiple layers – from the cloud infrastructure, to the DevOps pipelines, the microservices (containers, serverless functions and virtual machines), the application layer and the APIs.

Today, application developers are directly provisioning applications to the cloud by using cloud platforms like AWS, Google and Azure without any additional assistance from IT or platform teams. Developers release and update software on demand in the cloud using continuous integration and continuous deployment (CI/CD) for rapid software releases and updates. In addition, modern applications are more open and connected, with an increased number of APIs, which further expands the attack surface where legacy application security approaches are ineffective.

To protect the modern cloud application, we need a new approach: shifting security responsibilities to those creating the software, the developers, and shifting them to the beginning of the process, when the developers are provisioning infrastructure.

Please do not miss this opportunity to learn from the expert and get connected with your peers.

Participants will claim 1 CPE.

DATE: 19 Aug, 2021 (Thursday)

TIME: 12:30 – 01:30 pm

VENUE: Webinar

SPEAKER: Kev Hau, Head of Security Engineering, Hong Kong and Taiwan, Check Point Software Technologies

TOPIC: Modern Cloud Application Security

THE SPEAKER:

Kev Hau is the Head of Security Engineering, Hong Kong and Taiwan at Check Point Software Technologies and the Cyber Security Evangelist, a member of the CTO office. Kev has over 10 years of experience in the cyber security industry.

At Check Point, he works closely with all the Check Point partners and customers through his team of security experts, providing consultation and advice on how to deal with cyber threats. He is also the leadership point of contact between partners, strategic customers and channels, as well as Check Point’s product research and development team.

Kev holds a Bachelor of Science in Computer Science from Brunel University.

View the Presentation: https://youtu.be/aPU4yeME8O8

Presentation File: https://bit.ly/37Wk28b

CSA HKM Knowledge Sharing Event – June 2021

Cloud Computing is already considered to be part of the “New Normal” solution. In our last event, our speaker from cloud product vendor Palo Alto Networks introduced the concept of automating multi-cloud and container security environments. If you missed that event, you can go back to our previous event recordings and listen to the talk.

In the next Knowledge Sharing Event, we will look into another aspect of Cloud – Cloud Transformation.

The world has moved into a new paradigm, especially since COVID-19. In a post-pandemic world, people are the new perimeter. Transformation is everywhere: workspaces, clouds, threats and networks. How can we take advantage of the IT changes and new usages to improve security and cost efficiency? And how do we find the right approach to build long-term security strategies for change?

To help you better understand the topic, Cloud Security Alliance Hong Kong & Macau Chapter invited the Security Solution Director of Orange Cyberdefense, Mr. Kevin Liu, to introduce us to intelligence-led security for Cloud Transformation. In this session, Kevin will share Orange Cyberdefense’s intelligence-led approach to helping our customers face the new reality of users and applications to the cloud, in the cloud and for the cloud.

Participants will claim 1 CPE.

DATE: 17 June, 2021 (Thursday)

TIME: 12:30 – 01:30 pm

VENUE: Webinar (in Cantonese)

SPEAKER: Kevin Liu, Security Solution Director, Orange Cyberdefense

TOPIC: Intelligence-led security for Cloud Transformation

THE SPEAKER:

Kevin Liu is a Security Solution Director for Orange Cyberdefense, a security business unit of Orange Group. He has more than 20 years’ experience in providing advisory and solution consultation in cybersecurity, infrastructure and cloud for large companies across the Asia Pacific region. He is a speaker and demonstrator at major industry events in the region including HK ISS, APAC O2O digital resilience workshop and RSA Conference APAC. Kevin has worked for many different major IT vendors including Microsoft, RSA Security, Symantec and Hewlett-Packard. Kevin is CISSP, CEH and ITIL certified.

VIEW THE PRESENTATION: https://youtu.be/pDz8WKkWpNs

PRESENTATION FILE: https://bit.ly/3h51kPz

CSA HKM Knowledge Sharing Event – May 2021

In April, we covered Data Security in Cloud at our Knowledge Sharing Event. In the coming Knowledge Sharing Event in May, we will come back to cloud and container security.

Developers and DevOps teams are building and deploying code at an increasing pace. Containers and other cloud native technologies enable digital transformation. In order to secure these growing cloud native environments, enterprises need to integrate security into the software development lifecycle and protect running applications.

This time we invited Palo Alto Networks cloud security architect Felix Cheng to introduce us to their Prisma Cloud solution through in-depth technical knowledge sharing. He will look at the container solution from a technical view, covering how to configure it, implement the necessary rules and analyze incidents through collected logs.

He will share:

  1. The best practices for container security to protect running containers in production as well as secure containers across the full application life
  2. Provide unified visibility & secure Cloud Native Workload
  3. Deliver an integrated set of capabilities to respond to threats and protect cloud-native applications.
  4. Automate the remediation of vulnerabilities and misconfigurations consistently across the entire build-deploy-run lifecycle.
  5. Demo 

Participants will claim 1 CPE.

DATE: 20 May, 2021 (Thursday)

TIME: 12:30 – 01:30 pm

VENUE: Webinar (in Cantonese)

SPEAKER: Felix CHENG, Cloud Security Architect of Palo Alto Networks

TOPIC: Automate your multi-cloud and container security environments with Prisma Cloud

THE SPEAKER:

Felix Cheng is the Cloud Security Architect for Hong Kong and Taiwan at Palo Alto Networks. He designed and deployed mission critical infrastructure for service providers, airports and casinos.  Over the last few years, he focused on software solutions such as application performance monitoring and analytics, cloud services and cyber security solutions.  In his spare time, he developed a simple mobile app that helped Wi-Fi engineers to perform quick site surveys.

VIEW THE PRESENTATION: https://youtu.be/iybIcVl0OHM