
Professional Information Security Association

SEP-2016

PISA Journal How to Secure the Pokemon Go And Others ExeFilter — Strip away macros in your email attachment SSO Program in Hong Kong

www.pisa.org.hk

Issue 24

Securing the Infrastructure
● How to Secure the Pokemon Go And Others
● ExeFilter — Strip away macros in your email attachment

Community Work
● SSO Program in Hong Kong — Giving Back to the Society

An Organization for Information Security Professionals


Editor: editor@pisa.org.hk

Copyright © 2016 Professional Information Security Association

Intranet
● Message from the Chair
● The Editorial Board
● Event Snapshot
● Joining PISA

A Publication of Professional Information Security Association


Message from the Chair

Your Participation is the key to PISA’s Success

Cyber security is still a hot topic in the government, organizations and communities. Recent security news and breaches indicate that threats are evolving. They have become more sophisticated and diversified. Ransomware, DDoS attacks and zero-day exploits, for example, are difficult to monitor, detect and respond to. Moreover, with the Internet of Things (IoT) becoming common, more physical devices are connected to the Internet, including smart watches, smart refrigerators and smart cars. Such technologies enhance our experience and provide ways to improve and add value to our lives. Meanwhile, the concept of cyber security has expanded from the digital world to the physical world. It is a great challenge to the traditional cyber security approaches.

Highlight - PISA 2015/2016

Professional Information Security Association (PISA) organizes or supports various seminars, workshops and conferences, with the aim of promoting information security awareness and best practices. In 2015/2016, PISA held 33 events, of which 20 events were hosted or co-organized and 13 events were as supporting organization. They covered the latest security technologies and issues, including Security Operation Center (SOC), Advanced Mobile Phone Analysis, Contactless Credit Card Security, and Ethical Hacking Workshop. PISA also successfully organized a one-day security conference, namely PISA Security Jam 2016, in May 2016. Over 100 participants joined this conference. They not only learned the latest security trends from experts and recent research results from the PISA special interest groups (SIG), but also had in-depth discussions and workshops with PISA SIG members. More sharing and inspiration among PISA members were made.

Besides, PISA has published this PISA Journal to the public since March 2005. It is a biannual publication. It aims for PISA members to share their knowledge, security research and recent security issues. Many good articles were found in recent PISA Journals, including transaction security of mobile apps, security of industrial IoT and home automation IoT, and domain spoofing.

I would like to take this opportunity to thank the 2015/2016 PISA Executive Committee (EXCO), SIG leaders and members, the PISA Journal Editorial Board and the PISA Security Jam 2016 Organizing Committee. With your dedication and contributions, PISA obtained great achievements in 2015/2016.

Way Forward - PISA 2016/2017

The 2016/2017 PISA EXCO was established at the end of August 2016. Two EXCO meetings were held. Plans and activities in the coming year were discussed. We will continually promote security best practices to security practitioners and the public, through organizing seminars, site visits, workshops and conferences. We will also explore collaboration with other security organizations, with the aim of providing more sharing from different security experts and different countries.

Moreover, we will expand the promotion to students and teachers at primary, secondary schools and tertiary education institutes in Hong Kong. Through the Safe and Secure Online (SSO) Program, they will learn basic security knowledge and techniques to stay safe and protect their information online.

Your participation is important to the success of PISA. For any suggestion, please feel free to share with us via email info@pisa.org.hk.

Joyce Fan
Chairperson


HOW TO SECURE THE POKEMON GO AND OTHERS

Wallace Wong CISM, CISSP, CISA

Wallace Wong has different IT exposure in private and public sectors. He is currently working in the Government for security, audit and project management.

Introduction

After the mobile app Pokemon GO launched in Australia, New Zealand and the United States on 6 July 2016, and in Hong Kong on 24 July, most people installed it as soon as possible to play with their families, friends and colleagues or by themselves, in order to catch up with this trend started by Nintendo and Niantic Inc.

Fig. 1: Pokemon Go Screens (Niantic Inc., Jun.)

As I write this article, we may be able to use the Pokemon GO Plus device with this mobile app within a week, and the Apple Watch later. However, this interesting app has already raised at least three security and privacy issues in the last two months.

Fig. 2: Apple Watch Screens for Pokemon Go (Apple Keynote, Sep.)

1. “Full Account Access”

Before starting to play this game, most people choose to sign in with a Google account, which they already have or at least know about (instead of a Pokemon Trainer Club account, which neither the general public nor I had used before).

Figure 2 : IoR applications/solutions that the respondents implemented/were planning to implement

Fig. 3: Sign up screens for Pokemon Go (Chitraparna, Jul.)

Once you have granted Pokemon Go access to use the Google account for authentication, it has been discovered and reported that Pokemon Go has “Full Account Access” to your personal or company Google account, as follows:

Fig. 4a: “Sign-in & security >> Connected apps & sites” of Google account (Mike, Jul.)

According to many findings and reports published on websites after the launch of Pokemon Go on 7 July, “Full Account Access” has become a huge security risk and a big privacy concern for individuals and companies, because Pokemon Go or related companies may be able to "read all your email, send email as you, access all your Google Drive documents, delete documents, access any private photos you may store in Google Photos, and a whole lot more" (Chitraparna, Jul).

Fig. 4b: “Users >> Security >> Authorized access” of Google Apps Admin (Rich, Jul.)

In response to this critical security problem, Niantic and the Pokemon Company pushed an update for Pokemon Go on 12 July that fixed this Google account scope issue (i.e. Version 1.0.1 on iOS). After that, the permission was changed from “Full Account Access” to “Basic account info”.

Fig. 5: “Sign-in & security >> Connected apps & sites” of Google account

2. “OAuth Implementation”

Following the previous security issue, we should understand why this Pokemon Go “Client” can use our existing Google account to access our basic account information without knowing our password. Based on previous findings and reports, OAuth has been used.

OAuth is an open standard or protocol for authorization. It is commonly used by Internet users to log into a third-party “Client” using their existing accounts (e.g. Google, Facebook, Microsoft, Twitter, etc.) without exposing or sharing their passwords.

OAuth provides the “Client” with a specified access (e.g. “Basic account info” in the current case) to server resources on behalf of a “Resource Owner”. It allows access tokens to be issued to third-party “Clients” by an “Authorization Server”, with the approval of the “Resource Owner”. The third-party “Client” then uses the access token to access the protected resources (e.g. the email address and basic profile info of the Google account in the current case) hosted by the “Resource Server”.

Fig. 6: “Abstract Protocol Flow” and “Access Token” for OAuth (Yu, 2013)

If the access token has expired or the specified access is not sufficient, a refresh token can be used, without needing the “Resource Owner” again, for efficient client processing.

Fig. 7: “Refreshing an Expired Access Token” and “Refresh Token” for OAuth (Yu, 2013)

As a result, the security of OAuth (e.g. the specified access or scope, and the encryption of related credentials or tokens in the current case) should be properly defined and implemented (e.g. RFC 6819). Otherwise, some common attacks (e.g. brute force attack, phishing, cross-site request forgery, clickjacking or program code injection) may become threats to this standard.
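The roles and token flow described in this section, as an added Python example (not code from the article or from any OAuth library): a toy “Authorization Server” and “Resource Server” in one process, showing that the “Client” only ever holds tokens, that the “Resource Owner” approval fixes the scope, and that a refresh can keep or narrow that scope but never widen it (RFC 6749, section 6). The class names, the scope labels `basic_info` and `mail`, and the in-memory token store are assumptions made for the illustration.

```python
"""Toy OAuth 2.0 roles: the scope is set by the owner's approval, not by the client."""
import secrets
import time


class AuthorizationServer:
    def __init__(self, access_ttl=3600, clock=time.time):
        self.clock = clock
        self.access_ttl = access_ttl
        self._access = {}    # access token  -> (scopes, expiry time)
        self._refresh = {}   # refresh token -> scopes the resource owner approved

    def authorize(self, requested, owner_approves):
        """Issue tokens for the scopes the resource owner actually approved."""
        granted = frozenset(requested) & frozenset(owner_approves)
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = granted
        return self._issue(granted), refresh_token

    def refresh(self, refresh_token, requested=None):
        """New access token without the owner; scope may narrow, never widen."""
        granted = self._refresh.get(refresh_token)
        if granted is None:
            raise PermissionError("unknown refresh token")
        scopes = granted if requested is None else frozenset(requested)
        if not scopes <= granted:
            raise PermissionError("scope not originally granted")
        return self._issue(scopes)

    def scopes_of(self, access_token):
        """Scopes of a valid token; empty for unknown or expired tokens."""
        scopes, expiry = self._access.get(access_token, (frozenset(), 0.0))
        return scopes if self.clock() < expiry else frozenset()

    def _issue(self, scopes):
        token = secrets.token_urlsafe(32)
        self._access[token] = (scopes, self.clock() + self.access_ttl)
        return token


class ResourceServer:
    # Constructed scope labels for this example, not Google's real scope strings.
    REQUIRED_SCOPE = {"profile": "basic_info", "mailbox": "mail"}

    def __init__(self, auth_server):
        self.auth = auth_server

    def read(self, resource, access_token):
        if self.REQUIRED_SCOPE[resource] not in self.auth.scopes_of(access_token):
            raise PermissionError(f"token lacks scope for {resource}")
        return f"<{resource} of resource owner>"


def denied(call):
    """True if the call is refused with PermissionError."""
    try:
        call()
    except PermissionError:
        return True
    return False


def demo():
    now = [0.0]  # fake clock so that token expiry can be shown without waiting
    auth = AuthorizationServer(access_ttl=60, clock=lambda: now[0])
    api = ResourceServer(auth)
    # The client asks for everything; the owner approves basic info only.
    access, refresh = auth.authorize({"basic_info", "mail"}, {"basic_info"})
    result = {
        "profile": api.read("profile", access),
        "mailbox_denied": denied(lambda: api.read("mailbox", access)),
    }
    now[0] = 61.0  # the access token has now expired
    result["expired_denied"] = denied(lambda: api.read("profile", access))
    result["after_refresh"] = api.read("profile", auth.refresh(refresh))
    result["widen_denied"] = denied(
        lambda: auth.refresh(refresh, {"basic_info", "mail"}))
    return result


if __name__ == "__main__":
    print(demo())
```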

3. “Unofficial Release”

Since Pokemon Go was not officially released globally at the same time, some gamers wishing to access the game before it was released resorted to downloading the Android application package (APK) from third parties. One of those APKs was discovered to be infected and carrying the DroidJack remote-access tool, as follows:

Fig 8a: Malicious permissions for that Pokemon GO APK (Proofpoint, 2016)


Fig 8b: Malicious classes in that Pokemon GO APK (Proofpoint, 2016)

Fig 8c: Malicious domain in the class of that Pokemon GO APK (Proofpoint, 2016)

Before the release of the app update with new features (e.g. Buddy Pokemon, as captured below), some gamers have again started to download unofficial releases, so this issue and the spread of infection may not be easily resolved.

Fig. 9: Buddy Pokemon Go Screens (Niantic Inc., Sep.)


Recommendations (for individuals)

● Create and use a new Google account (or a Pokemon Trainer Club account): Do not use your own or your company's original Google account. Only log in with a new Google account dedicated to this app, with other unnecessary services (e.g. Gmail or Google Drive) and logging (e.g. Location Service) disabled. A Trainer Club account should of course also be dedicated.
● Do not use company devices or connect to company networks: This is risky to corporate security and also to your job security.
● Update from official sources: Since the developer of Pokemon Go has started to handle cheating and bans as well as to eliminate bots and scrapers, rooted or jailbroken devices will also not be supported. A reminder has also been issued to download from the Google Play Store or iTunes App Store.

Conclusion

In fact, the above security and privacy issues are not limited to Pokemon Go and Google accounts. They are also applicable to all mobile apps and other OAuth implementations (e.g. Facebook, Microsoft and Twitter). Parties other than individuals (e.g. companies and developers) should also follow other best practices or recommendations in order to protect themselves from the latest or potential security threats.

Wallace Wong ■

Reference

1. Justin, R. “User Authentication with OAuth 2.0”. Available https://oauth.net/articles/authentication/
2. IETF. (2013). “RFC6819 - OAuth 2.0 Threat Model and Security Considerations” on January 2013. Available https://tools.ietf.org/html/rfc6819
3. Yu. (2013). “Notes of OAuth 2.0 (Chinese Version)” on 30 September 2013. Available https://blog.yorkxin.org/2013/09/30/oauth2-1introduction; and https://blog.yorkxin.org/2013/09/30/oauth2-7security-considerations; and https://blog.yorkxin.org/2013/09/30/oauth2implementation-differences-among-famous-sites
4. Niantic, Inc. (2016). “Pokemon GO Privacy Policy” on 1 July 2016. Available https://www.nianticlabs.com/privacy/pokemongo/en
5. Chitraparna, S. (2016). “3 Security Measures Before Playing Pokemon Go” on 6 July 2016. Available http://www.business2community.com/mobileapps/3-security-measures-playing-pokemon-go01600020
6. Michal, A. (2016). “Pokemon Go Has Full Access to Your Google Gmail and Documents” on 11 July 2016. Available http://fortune.com/2016/07/11/pokemon-gosecurity/
7. Rich, C. (2016). “How To Remove Pokemon Go From Google Apps For Work” on 12 July 2016. Available http://www.business2community.com/mobile-apps/remove-pokemon-go-google-apps-work-01594751
8. Sean, K. (2016). “What's Behind Pokémon Go's Permissions Issue - Pokemon Go Privacy Issues Bring to Light Challenge of Permissions” on 12 July 2016. Available http://www.eweek.com/blogs/securitywatch/pokemongoprivacyissuesbringtolightchallengeofpermissions.html
9. Mike, F. (2016). “[Update] Pokémon Go Update Fixes Google Account Security Issue” on 12 July 2016. Available http://www.gameinformer.com/b/news/archive/2016/07/11/pokemon-go-has-access-to-your-entire-google-account.aspx
10. Peter, L. (2016). “Pokémon GO reveals full account access flaw for Google authentication” on 13 July 2016. Available http://searchsecurity.techtarget.com/news/450300257/Pokemon-GO-reveals-fullaccount-access-flaw-for-Google-authentication
11. Hacked (2016). “Research: Pokemon GO is a Huge Security Risk” on 13 July 2016. Available https://hacked.com/pokemon-go-security-risk/
12. Adrien, C. and Ben, J. (2016). “Unbundling Pokemon Go” and “從原始碼了解 Pokemon Go” on 17 and 31 July 2016. Available https://applidium.com/en/news/unbundling_pokemon_go/; and https://medium.com/@benzwjian/從 原 始 碼 了 解 pokémon-go-25516e9ead59
13. ITBusinessEdge.com. (2016). “Pokemon GO - Security Nightmare for BYOD” on 21 July 2016. Available http://www.foxbusiness.com/features/2016/07/21/pokemongosecuritynightmareforbyod.html
14. Brandon, V. (2016). “Pokemon Go - Is it a BYOD security nightmare?” on 26 July 2016. Available http://www.techrepublic.com/article/pokemongoisitabyodsecuritynightmare/
15. Richard, S. (2016). “Pokemon Go and other apps are putting your privacy at risk” on 1 August 2016. Available http://www.cnbc.com/2016/08/01/pokemongoandotherappsareputtingyourprivacyatrisk.html
16. E-zone (2016). “<<Pokemon GO>> 保安漏洞!公司 網絡中門大開 ?” on 23 August 2016. Available http://www.ezone.com.hk/channelnews.php?id=17580
17. Nintendo News. (2016). “Pokémon GO Update History” on 23 August 2016. Available http://nintendonews.com/pokemon-go-updatehistory-ios/ and http://nintendonews.com/pokemon-go-updatehistory-android/
18. Alvaro, H. (2016). “Gotta Hack em' All: Pokemon Go, Security and Privacy Awareness” on 29 August 2016. Available http://www.infosecurity-magazine.com/blogs/gottahack-em-all-pokemon-go
19. Proofpoint. (2016). “DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found”. Available https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-goandroid-app

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

EXEFILTER STRIP AWAY MACROS IN YOUR EMAIL ATTACHMENT

Sam Ng CISSP CISA

Sam Ng is an experienced software security expert. He researches and develops new defense mechanisms using runtime analysis techniques. He has contributed to PISA Journal on buffer overflow, SQL injection, and software development life-cycle.

“ExeFilter is an open-source tool and python framework to filter file formats in emails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc.) according to a configurable policy.”

Improving Email Filtering against Ransomware

Recently, I attended a few talks around APT and ransomware. I can’t stop thinking about how to improve our existing email filtering. Yes, while some APT attacks utilize 0-day attacks that we simply cannot protect against, the majority of these attacks still rely on known vulnerabilities and come from emails. Therefore, if we properly implement patch management across the whole organization, and if we implement a good email filtering strategy, we should be able to block most not-so-advanced and not-so-persistent attacks.

Having said that, we are already doing email scanning, right? Yes, but I have never heard of any organization blocking Microsoft Word/Excel/PowerPoint attachments. If malware is embedded as a specially crafted macro in an MS Office document, I believe most anti-virus programs are not going to be very effective in preventing such customized malware.

But what if we allow Word/Excel/PowerPoint but strip away macros? Anyway, not too many people use macros nowadays, at least we don’t send Office documents with macros very often. And if you do, we can have some other way to allow it. I will talk about that later in this document.

Document Active Content Filtering

In the journey of looking for APIs that allow me to manipulate MS Office documents, I found a pretty promising solution called ExeFilter [1] which does basically what I wanted to do. What’s more, ExeFilter does more than just remove macros in MS Office documents; it removes “active content” in HTML, PDF, and RTF formats too. According to one of their conference presentations [2], ExeFilter has been developed by DGA/CELAR (French MoD) since 2004, was open sourced in 2008, and is currently maintained by both DGA/CELAR and NATO/NC3A.

Ok, everything looks very good. Let’s download and try it. The installation was painless because they provide a portable version of ExeFilter, so I don’t even need to install Python on my Windows box. The only problem I had was when I unzipped the file to a temp directory. My anti-virus program immediately popped up an alert message because of the malware samples in the zip files, but except for that the whole process was extremely smooth. I executed Portable_ExeFilter.bat, scanned the demo_files, and everything worked like a charm. Awesome!

Then, I manually created a simple Book1.xls [3] with a harmless button that pops up “Hello World” when clicked. Obviously, my anti-virus did not flag it as a threat. And of course ExeFilter successfully removed the script content.

[Figure: Before cleanup / After cleanup]

Integrating ExeFilter

Ok, but how to integrate this into an email gateway? ExeFilter has already documented how to integrate into Clearswift MailSweeper, which is commercial software, so I can’t download and try it. But I believe it won’t be extremely difficult to integrate ExeFilter into some other open source MTAs.

Finally, what if you really need to send/receive email attachments with macros? I think the best way is to have those macros digitally signed, then customize ExeFilter to ignore digitally signed macros (I don’t think it has this feature at the moment). Better still, we only allow signed macros if they are signed by some trusted users. Alternatively, we can set up a web page with authentication and Captcha protection, where users can upload files with “sample” macros. The system then calculates the SHA-512 hash and stores it in the system. The system should then ignore any macro that matches any of these hashes.

Sam Ng ■
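The hash-allowlist idea from the last paragraph, as an added example in Python (ExeFilter's language); it is not ExeFilter code and does not use ExeFilter's API. Assumptions: only OOXML containers such as .xlsm/.docm are handled (legacy .xls is passed through untouched), the SHA-512 is taken over the whole VBA project part, VBA parts are recognised by their declared content type, and `filter_attachment`, `declared_types`, `build_sample` and the verdict strings are hypothetical names.

```python
"""Deliver a macro only if the SHA-512 of its VBA project part is pre-approved."""
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted mail, parse with defusedxml instead

CT = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_PROJECT = "application/vnd.ms-office.vbaProject"
VBA_TYPES = {VBA_PROJECT, "application/vnd.ms-office.vbaProjectSignature",
             "application/vnd.ms-word.vbaData+xml"}
SHEET = b"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
# Macro-enabled main-part content types and their macro-free equivalents.
MAIN_TYPES = {
    b"application/vnd.ms-excel.sheet.macroEnabled.main+xml": SHEET,
    b"application/vnd.ms-word.document.macroEnabled.main+xml":
        b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
}


def declared_types(zf):
    """Map each part name to the content type declared in [Content_Types].xml."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    by_ext = {e.get("Extension", "").lower(): e.get("ContentType")
              for e in root.iter(CT + "Default")}
    by_part = {e.get("PartName", "").lstrip("/").lower(): e.get("ContentType")
               for e in root.iter(CT + "Override")}
    return {n: by_part.get(n.lower()) or by_ext.get(n.rsplit(".", 1)[-1].lower())
            for n in zf.namelist()}


def filter_attachment(data, approved_sha512):
    """Return (verdict, bytes to deliver) for one attachment."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml", data  # e.g. legacy .xls, an OLE file: not handled here
    with zipfile.ZipFile(io.BytesIO(data)) as zin:
        if "[Content_Types].xml" not in zin.namelist():
            return "not-ooxml", data
        types = declared_types(zin)
        vba = {n for n, t in types.items() if t in VBA_TYPES}
        projects = [n for n in vba if types[n] == VBA_PROJECT]
        if not projects:
            return "no-macro", data
        digests = {hashlib.sha512(zin.read(n)).hexdigest() for n in projects}
        if digests <= set(approved_sha512):
            return "approved-macro", data
        # Strip: drop the VBA parts plus the entries that reference them.
        bases = [n.rsplit("/", 1)[-1] for n in vba]
        alt = b"|".join(re.escape(b.encode()) for b in bases)
        entry = re.compile(rb'<(?:Override|Relationship)\b[^>]*="[^"]*(?:' + alt
                           + rb')"[^>]*/>', re.I)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
            for name in zin.namelist():
                if name in vba or name.rsplit("/", 1)[-1] in {b + ".rels" for b in bases}:
                    continue
                body = zin.read(name)
                if name == "[Content_Types].xml":
                    for macro_type, plain_type in MAIN_TYPES.items():
                        body = body.replace(macro_type, plain_type)
                if name == "[Content_Types].xml" or name.endswith(".rels"):
                    body = entry.sub(b"", body)
                zout.writestr(name, body)
    return "macro-stripped", out.getvalue()


def build_sample(macro=None):
    """Constructed minimal .xlsm-like package for this example (not a real workbook)."""
    main, override, rel = SHEET, b"", b""
    if macro is not None:
        main = b"application/vnd.ms-excel.sheet.macroEnabled.main+xml"
        override = (b'<Override PartName="/xl/vbaProject.bin" ContentType="'
                    + VBA_PROJECT.encode() + b'"/>')
        rel = (b'<Relationship Id="rId9" Type="http://schemas.microsoft.com/office/'
               b'2006/relationships/vbaProject" Target="vbaProject.bin"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
                   b'content-types"><Default Extension="xml" ContentType="application/'
                   b'xml"/><Override PartName="/xl/workbook.xml" ContentType="'
                   + main + b'"/>' + override + b'</Types>')
        z.writestr("xl/workbook.xml", b"<workbook/>")
        z.writestr("xl/_rels/workbook.xml.rels",
                   b'<Relationships xmlns="http://schemas.openxmlformats.org/package/'
                   b'2006/relationships">' + rel + b'</Relationships>')
        if macro is not None:
            z.writestr("xl/vbaProject.bin", macro)
    return buf.getvalue()


if __name__ == "__main__":
    print(filter_attachment(build_sample(b"constructed macro bytes"), set())[0])
```

Hashing the whole project part means any edit or re-save of the macro produces a new hash, so a changed macro has to be uploaded and approved again.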

References

[1] http://www.decalage.info/exefilter
[2] http://cansecwest.com/csw08archive.html
[3] For your information, the extension “.xlsx” does not allow embedded macros. If you want to embed a macro in an Excel spreadsheet, it has to be saved as either “.xlsm” or “.xls”.

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA


THE SSO PROGRAM IN HONG KONG

GIVING BACK TO THE SOCIETY

Frankie Leung CISSP, CISA, CISM, CRISC
President, (ISC)2 HK Chapter

Mr. Frankie Leung has over 30 years of well-rounded IT management experience in Technical Product Marketing, Business Information Management, Software Development as well as Information Security Consulting. He is now working as an independent Security Consultant for his own company.

Since 2008, the Office of the Government Chief Information Officer (OGCIO) of Hong Kong has teamed up with the (ISC)² APAC Office and the Professional Information Security Association (PISA) to localize and present the Safe and Secure Online program (basic cybersecurity education and information security awareness training) to students and teachers at primary, secondary schools and tertiary education institutes in Hong Kong.

We joined forces to localize the Safe and Secure Online materials for the Hong Kong market. (ISC)² members who are based in Hong Kong delivered free information security talks to students, parents, teachers and adult end-users as part of their community service to the society. The SSO HK program has reached over 46,000 teachers, parents and students since 2008. For the outreach to adult computer end-users, members also presented at the government employees' awareness training on mobile security, social media security, and email security. Currently, more than 100 CISSP credential holders in Hong Kong have joined this SSO program as speakers and helpers for the seminars and school visits.

As the Safe and Secure Program evolves from a delivery-focused model to content development, the (ISC)² Hong Kong Chapter will take greater ownership in the localization of the new content and delivery coordination in Hong Kong with the continued support of the APAC regional office. Mr. Frankie Leung, President of (ISC)² Hong Kong Chapter, and Mr. Otto Lee, Chairman of PISA, reiterated their commitment to running and supporting this program as the SSO evolves for a wider reach. They will recruit new speakers, inform previous SSO members, design new materials and arrange new "Train the SSO Speakers" sessions for all registered speakers with the updated content on August 24th. There are nice SSO visits planned for September and October and more sessions are in the process of being scheduled. For the whole year, we expect that over 35 school visits will be carried out.

Frankie Leung ■


PISA Journal The Editorial Board

SC Leung CISSP CCSP CISA CBCP

Joyce Fan CISSP CRISC CISA

Ian Christofis CISSP

Alan Ho CISSP CISA CISM CGEIT

You can contribute to PISA Journal by:
● Joining the Editorial Board
● Submitting articles to the Journal

SC Leung, Chief Editor
editor@pisa.org.hk

Next Issue: Issue 25 (Mar-2017)

Event Snapshot We Share. We Progress.

PISA Security Jam (21-May-2016)
PISA organized a 1-day conference to gather security buddies to share their knowledge and information.

Event Snapshot We Contribute. We Achieve.

Security Seminar on Security Operation Center (SOC) 3.0 and Cyber Threats (28-Jun-2016)
Mr. Shai Gabay, Chief Innovation Officer of CYBERBIT, shared his experience in building & managing an SOC.
Mr. Rick Tam introduced cyber security training and simulation.

PISA 15th Anniversary Dinner (28-Jul-2016)
PISA members, friends & guests gathered together to celebrate PISA’s 15th anniversary day. It was a joyful and memorable night!

Open Discussion on "Professional Development Programme for Cybersecurity Practitioners to Enhance the Cyber Resilience of Banks" (6-Aug-2016)
(ISC)2, ISOC HK Chapter, OWASP HK Chapter, PISA, (ISC)2 Hong Kong Chapter, ISFS, DragonThreatLab and VXRL jointly organized an open discussion on HKMA’s Cybersecurity Fortification Initiative (CFI) with infosec professionals in the industry. We exchanged comments and suggestions for the response to HKMA’s consultation paper about the new initiatives and framework.

Public Awareness Seminar on WiFi Security 2016 (13 Aug-2016)
A public seminar with sharing of Wi-Fi security trends, updates and tips.

Train the Trainer Session for (ISC)2 Safe and Secure Online (24-Aug-2016)
A sharing session from (ISC)2 and experienced SSO trainers with tips on how to better deliver the talks to students and teachers.

PISA AGM, EXCO Election 2016 and Theme Talk (27-Aug-2016)
Ms Clara Cheung of the Hospital Authority shared her experience and thoughts about application security from development to production. Also, in the PISA AGM, new PISA EXCO members were elected.

SecureHongKong 2016 (2-Sep-2016)
A conference with security professionals in the industry. The theme this year was “People, Policy and Technology”.

Information Security Summit 2016 (12-13 Sep-2016)
PISA and (ISC)2 Hong Kong Chapter co-organized Information Security Summit 2016 with other organizations. The theme this year was “Achieving Business Value, Governance and Compliance -- Fighting Cyber Crime and Blended Threats”.

Seminar on "Cloud, IoT and Security - Connect cloud security with the physical world through AWS IoT" (20-Sep-2016)
An interesting sharing of IoT technology and security with a live demonstration by Dickson Yu of AWS.

(ISC)2 ISLA Award Ceremony @ Thailand (27-Jul-2016)
PISA members and friends who received the ISLA Award.
(From left) Awardees: Frankie Li, Joyce Fan, Albert Hui, Kelvin Captain, Otto Lee
(From right) Review panel member: SC Leung


Various talks to schools under (ISC)2 Safe and Secure Online Program

Professional Information Security Association

Vision: to be the prominent body of professional information security practitioners, and utilize expertise and

Many Ways You Can Benefit

Successful Career
Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Networking
Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date.

Continued Education
Check out job listings information provided by members. Get information on continuing education and professional certification.

Sharing of Information
Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.

Realize Your Potential
Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials.

Professional Recognition
Benefit from the immediate access to professional recognition by using post-nominal designation.

Membership Information

Enquiry email: membership@pisa.org.hk
Membership Application Form: http://www.pisa.org.hk/membership/member.htm
Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm

Membership Requirements

• Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.
• All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.
