PISA Journal Issue 27


Professional Information Security Association

MAR-2018

Special Topics

Smart Contract != Secure Contract
Security in using Cryptocurrency and Blockchain
Infosec Workshops for Kids

www.pisa.org.hk

An Organization for Information Security Professionals


Editor: editor@pisa.org.hk

Copyright © 2018 Professional Information Security Association

Intranet

Message from the Chairperson
The Editorial Board
Event Snapshot
Joining PISA

A Publication of Professional Information Security Association


Message from the Chairperson

May 26, 2018 is an important day for information security professionals. It is the date set for PISA Jam 2018, and it also marks the commencement of the General Data Protection Regulation (GDPR) of the European Union, the toughest regulation on data protection and privacy. Like the U.S. Foreign Corrupt Practices Act (FCPA), the impact of GDPR reaches beyond the European Union countries. There are explicit compliance requirements for organizations in non-EU jurisdictions. Companies with businesses dealing with EU organizations or processing personal data of EU citizens are expected to adhere to the GDPR requirements.

What does this mean for PISA members or information security professionals? Recall the PISA vision statement, “to be the prominent body of professional information security practitioners, and utilize our expertise and knowledge to help bring prosperity to the society in the Information Age.” We, as information security practitioners, are obliged to assist the industry to cope with the challenges of GDPR. The challenge brings new opportunities to information security professionals. We can see more job openings being created to help organizations handle GDPR compliance. Let us stay on top of and surf the new GDPR waves!

Ando Ho

Smart Contract != Secure Contract

Sam Ng CISSP CISA

Sam Ng is an experienced software security expert. He researches and develops new defense mechanisms using runtime analysis techniques. He has contributed to PISA Journal on buffer overflow, SQL injection, and the software development life-cycle.

As of this writing, the total market capitalization of Bitcoin is $180B USD (compared with HSBC, which is about $140B USD). The second biggest cryptocurrency is Ethereum, which some people call Crypto 2.0, with a total market capitalization of around $77B USD. In case you don’t know, most ICO assets are built on top of Ethereum (see Fig. 1). If the most important technology breakthrough by Bitcoin is Blockchain, then the most important technology breakthrough by Ethereum must be the Smart Contract.

Fig 1 Image credit: https://techcrunch.com/2017/06/08/how-ethereum-became-the-platform-ofchoice-for-icod-digital-assets/


What is Smart Contract?

You can say a Smart Contract in cryptocurrency is like JavaScript in web browsers: it brings “scripting” capability to the Blockchain. Don’t mix them up: a Smart Contract is not a legal contract. It is program code that is executed on the Blockchain, and I mean it is executed by all the nodes on the Blockchain, when triggered. And because the code is published to the immutable Blockchain, everybody can inspect the code but no one can modify it after creation. It is 100% guaranteed the Blockchain will execute the code as it is written.

In Ethereum, the most widely used language for writing a Smart Contract is Solidity (with syntax somewhat similar to JavaScript). You need to compile the Solidity source file into binary bytecode, sign the code and then send it to the Ethereum Blockchain (a bit like sending crypto-coins to another user), and then it will be executed in the Ethereum Virtual Machine (a.k.a. EVM, a sub-module inside the Ethereum node client). See Fig. 2 for a sample Smart Contract written in Solidity.

Fig. 2 Image credit: http://solidity.readthedocs.io/en/v0.4.20/introduction-to-smart-contracts.html

For example, I can create a Smart Contract with initially zero balance, and if someone deposits some amount of ETH into the contract (i.e. to the contract address), I will keep track of each individual account balance within the contract. The contract code can be written in such a way that you and only you will be able to withdraw your own fund, or you can transfer this fund to another user if you want to. Now if I call the balance within the contract a “Token”, does this sound like an ICO contract to you?

Fig. 3A: a typical contract vulnerable to Reentrancy attack


Security Problems in Smart Contract

As a security professional, I bet that when you heard me say “Smart Contract is like JavaScript”, you immediately thought of many different security problems. And yes, there are many different security problems in Smart Contracts. To give you an idea, a team from NUS did a study back in 2016 and flagged 8,833 out of 19,366 Ethereum contracts as vulnerable [1].

Reentrancy Vulnerability

One of the deadliest yet most common security vulnerabilities in Smart Contracts is the Reentrancy Vulnerability. Refer to Fig. 3: when VictimContract.get() is executed, it transfers the Ether back to the caller (i.e. it is supposed to let you get your own money back).

Fig. 3B: a typical contract for Reentrancy attack


However, the caller can itself be a contract! If the attack contract calls the victim contract again in the middle of VictimContract.get(), then, because the code clears the balance after msg.sender.call and not before it, the AttackContract can withdraw the same amount multiple times (basically getting other people’s money).

Integer Overflow Vulnerability

Another common vulnerability in Smart Contracts is Integer Overflow. Integers in Ethereum Smart Contracts are, by default, 256 bits, which is extremely large. But no matter how large it is, it is still susceptible to integer overflow. A very large number plus another very large number can cause an overflow (i.e. the high bits are truncated) and become a very small number. While not related to Smart Contracts, just a few weeks ago a high-profile Japan-based crypto-exchange, Zaif, experienced exactly this problem, which “… allowed customers to temporarily ‘buy’ trillions of dollars worth of bitcoin for free” according to thebitcoinnews.com [2].

Fig. 4 Image credit: https://unwire.hk/2018/02/18/zaifbug/fun-tech/
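The ordering problem described under Reentrancy Vulnerability, as an added Python model (not the Solidity contracts of Fig. 3 and not the author's code): it compares clearing the balance after the send with clearing it before. The class names, the on_receive hook standing in for the caller's fallback code, and the deposit amounts are assumptions made for the illustration.

```python
# Added illustration: a Python model of the call ordering, not Solidity and not
# the contracts from Fig. 3. Class and method names are hypothetical.

class Account:
    """An ordinary (externally owned) account: receiving ether runs no code."""

    def __init__(self, name):
        self.name = name
        self.wallet = 0

    def on_receive(self, vault):
        pass


class ReenteringContract(Account):
    """A caller that is itself a contract: its receive hook calls get() again."""

    def on_receive(self, vault):
        vault.get(self)


class Vault:
    """Holds deposits for many accounts and lets each withdraw its own."""

    def __init__(self, clear_before_send):
        self.clear_before_send = clear_before_send
        self.balances = {}   # bookkeeping: what each depositor is owed
        self.pool = 0        # ether the contract actually holds

    def deposit(self, name, amount):
        self.balances[name] = self.balances.get(name, 0) + amount
        self.pool += amount

    def get(self, caller):
        amount = self.balances.get(caller.name, 0)
        if amount == 0 or amount > self.pool:
            return False                      # nothing owed, or the send would fail
        if self.clear_before_send:
            self.balances[caller.name] = 0    # effect first, then interaction
        self.pool -= amount
        caller.wallet += amount
        caller.on_receive(self)               # models msg.sender.call: caller's code runs here
        if not self.clear_before_send:
            self.balances[caller.name] = 0    # the ordering the article warns about
        return True


def run(clear_before_send):
    """Two honest depositors (5 each) and one contract caller that deposited 1."""
    vault = Vault(clear_before_send)
    vault.deposit("alice", 5)
    vault.deposit("bob", 5)
    caller = ReenteringContract("caller")
    vault.deposit(caller.name, 1)
    vault.get(caller)
    return caller.wallet, vault.pool


if __name__ == "__main__":
    print("balance cleared after the send :", run(False))   # (11, 0)
    print("balance cleared before the send:", run(True))    # (1, 10)
```

With the balance cleared after the send, the bookkeeping for the other two depositors still reads 5 each while the pool is empty, which is the state an audit or unit test should assert can never occur.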
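The wrap-around described under Integer Overflow Vulnerability, as an added Python model of 256-bit unsigned addition (not code from the article): an unchecked sum of two very large payments wraps to zero and slips past a balance check, while a checked add rejects it. The function names and the two-payment scenario are hypothetical.

```python
# Added illustration: a Python model of 256-bit unsigned arithmetic. Function
# names and the two-payment scenario are hypothetical, not from the article.

UINT256_MAX = 2**256 - 1


def wrapping_add(a, b):
    """uint256 addition as the EVM does it: bits above 256 are silently dropped."""
    return (a + b) & UINT256_MAX


def checked_add(a, b):
    """Same addition, but refuse to wrap (the check SafeMath-style helpers make)."""
    c = wrapping_add(a, b)
    if c < a:
        raise OverflowError("uint256 addition overflow")
    return c


def pay_two(balances, sender, first, second, add):
    """Debit `sender` once for two payments, then credit both recipients.

    `first` and `second` are (recipient, amount) pairs; `add` is the addition
    routine used for every sum, so both variants share the same logic.
    """
    total = add(first[1], second[1])
    if balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] -= total
    for recipient, amount in (first, second):
        balances[recipient] = add(balances.get(recipient, 0), amount)
    return total


def demo(add):
    """Run the same two huge payments from a sender who owns 1 unit."""
    balances = {"sender": 1}
    huge = 2**255                      # huge + huge == 2**256, which wraps to 0
    try:
        pay_two(balances, "sender", ("r1", huge), ("r2", huge), add)
    except OverflowError:
        return "rejected", balances
    return "accepted", balances


if __name__ == "__main__":
    print(demo(wrapping_add)[0])   # accepted
    print(demo(checked_add)[0])    # rejected
```

Solidity 0.8.0 and later revert on arithmetic overflow by default; the v0.4.20 compiler referenced on this page does not, so contracts of that era need the explicit check.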


What should we do?

The short answer is: Secure SDLC. Luckily, there are already best practices we can follow [3,4]. The tool used by the NUS team I mentioned above, called Oyente, is OSS, and there are other tools listed in [3] that we can use to analyze our Smart Contracts before production. Likewise, there are already some companies providing Smart Contract auditing services: Zeppelin, IOSiro and Experfy, to name a few.

Besides code analysis, there are also frameworks that allow Smart Contract developers to write less code (and hence fewer bugs) and to do unit tests more easily and quickly (and hence find more bugs). Truffle (from ConsenSys) and OpenZeppelin (from Zeppelin) are two of those. I would say these frameworks are almost a must for professional Smart Contract development.


TL;DR

Smart Contracts are awesome, but writing a bug-free contract is very difficult (and you have to get it right the first time because there is no way to upgrade your contract). Luckily, the techniques we have learned from Secure SDLC are mostly applicable to Secure Smart Contract Development as well.

Finally, if I have to speculate, I would expect to see more research on applying formal verification to Smart Contracts. Smart Contract code is usually relatively short and it is usually about money. These two characteristics make Smart Contracts a good candidate for bringing the very rarely used formal verification into the SDLC. Let’s wait and see.

■ Sam Ng

Reference

[1] Making Smart Contracts Smarter. Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, Aquinas Hobor. http://www.comp.nus.edu.sg/~loiluu/papers/oyente.pdf
[2] A glitch in Japan's Zaif exchange gives out Free Bitcoins. https://article.wn.com/view/2018/02/23/A_glitch_in_Japans_Zaif_exchange_gives_out_Free_Bitcoins/ (new link)
[3] Ethereum Smart Contract Security Best Practices. https://consensys.github.io/smart-contract-best-practices/
[4] Security Considerations. http://solidity.readthedocs.io/en/v0.4.20/security-considerations.html

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Security in using Cryptocurrency and Blockchain

Wallace Wong CISM, CISSP, CISA

Wallace Wong has varied IT exposure in the private and public sectors. He is currently working in the Government on security, audit and project management.

Introduction

Most people associate “Bitcoins” with WannaCry ransomware or extortion hacking attacks, because to them the main application of Bitcoin is for a victim to pay a ransom in order to recover data encrypted by ransomware, or for a hacker to transfer money anonymously in the underground world without fear of being tracked.

Fig. 1: WannaCry ransomware Screens (Newsweek, May 2017)

What are the changes?

Around September 2017, China announced a stop to initial coin offerings (ICO) of cryptocurrencies. This move made the price of Bitcoin drop around 40 percent, from USD$5000 to $3000, in two weeks. However, this policy seemed to spread the trend of purchasing cryptocurrencies from China to other areas, as happened before with the purchasing of residential properties and land.

Fig. 2 China Ban ICOs (Forbes., Sep 2017)

Fig. 3: Bitcoin Price (Coin desk., Sep 2017)


Moreover, the Hong Kong Monetary Authority (HKMA) has established a Fintech Facilitation Office (FFO) to facilitate the healthy development of the fintech ecosystem in Hong Kong. The first whitepaper on Distributed Ledger Technology (DLT), or Blockchain, was released in 2016 with the Applied Science and Technology Research Institute (ASTRI). The second one, released in 2017, involved more professionals, such as consultancy firms and law professors, for compliance, governance and legal considerations.

Fig. 4a, b and c: Whitepapers on Distributed Ledger Technology (HKMA., Dec 2016 & Oct 2017)

Since the uses of DLT or blockchain have been promoted globally as FinTech, more and more companies, organizations and people are beginning to study this technology. For example, our Professional Information Security Association (PISA) has also arranged two related seminars as follows:


Fig. 5a and b: Seminars related to Blockchain technology (PISA., Sep 2017 & Jan 2018)

What are the risks?

In fact, the most attractive part behind the Blockchain is the financial value built or assumed on it. The most famous cryptocurrency is again Bitcoin, and financial institutions have even launched futures for indirectly buying or selling Bitcoin.

Fig. 6: First US Bitcoin Futures (CBOE, Dec 2017)

Fig. 7: Futures (CME Group, Dec 2017)

However, people have to face new security risks if they use these cryptocurrencies or blockchains, as follows:

Fig. 8: Hackers stole $530M (CNN, Jan 2018)

Fig. 9: Trojan Modifies Address (Jim., Jan 2018)


Measures to Secure Cryptocurrencies and Blockchain

Since cryptocurrencies and blockchain are decentralized in nature, people need to take extra care to secure them. Some security measures, refined from one of the TV programmes, are listed as follows:

1. Set up unique email(s) and different passwords to sign up for cryptocurrency exchanges, cloud mining and digital wallets, to avoid all your assets being compromised.
2. Put maximum protection on your mobile device, personal computer, wireless controller and internet gateway, with the latest firmware or software updates, before making transactions.
3. Do not use text messages for two-factor authentication (2FA). Use a software authenticator like Google Authenticator or even a hardware authenticator like Universal 2nd Factor (U2F).
4. Diversify. Buy cryptocurrencies across multiple exchanges. Of course, the amounts should also be evenly distributed to avoid putting all your eggs in one basket.
5. Keep your cryptocurrencies offline. A software wallet, e.g. a blockchain app, is quick and easy to spend from for micro-payments but weak in security due to its centralized nature. Use a hardware wallet, e.g. Trezor or Ledger, to store or hold your crypto assets yourself and be responsible for them yourself. More importantly, do not take a photo or make a soft copy of the recovery / private key of your hardware wallet.
6. Never trust anyone on Blockchain, which does not require to be built on trust. It is uncommon for the websites or posts about cryptocurrencies, cloud mining and initial coin offerings (ICO) are scam, spam or fraud. You have to study in depth and counter-check with different sources against their past records before testing and then proceeding further.

For the last piece of advice, I would like to use the reminder from Vitalik Buterin, co-founder of the Ethereum blockchain and Ether cryptocurrency, in February 2018, as the conclusion:

“Cryptocurrencies are still a new and hyper-volatile asset class, and could drop to near-zero at any time. Don't put in more money than you can afford to lose. If you're trying to figure out where to store your life savings, traditional assets are still your safest bet.”

■ Wallace Wong


Reference (in chronological order)

HKMA (2016). “Whitepaper on Distributed Ledger Technology” on 7 Dec 2016. Available http://www.hkma.gov.hk/media/eng/doc/key-functions/finanical-infrastructure/Whitepaper_On_Distributed_Ledger_Technology.pdf
Anthony, C. (Newsweek, 2017). “Ransomware Attacks Rise 250 Percent In 2017, Hitting U.S. Hardest” on 23 May 2017. Available http://www.newsweek.com/ransomware-attacks-rise-250-2017-us-wannacry-614034
Kenneth, R. (Forbes, 2017). “China's ICO Ban Doesn't Mean It's Giving Up On CryptoCurrencies” on 6 Sep. 2017. Available https://www.forbes.com/sites/kenrapoza/2017/09/06/chinas-ico-ban-doesnt-mean-its-givingup-on-crypto-currencies/#796e69697aeb
Coin desk (2017). “Bitcoin (USD) Price” on 30 Sep. 2017. Available https://www.coindesk.com/price/
HKMA (2017). “Whitepaper 2.0 on Distributed Ledger Technology” on 25 Oct 2017. Available http://www.hkma.gov.hk/media/eng/doc/key-functions/finanical-infrastructure/infrastructure/20171025e1.pdf and http://www.hkma.gov.hk/media/eng/doc/key-functions/finanical-infrastructure/infrastructure/20171025e1a1.pdf
CBOE (2017). “The First U.S. Bitcoin Futures” on Dec 2017. Available http://cfe.cboe.com/cfe-products/xbt-cboe-bitcoin-futures
CME Group (2017). “Trading in our Bitcoin futures begins tomorrow. Follow, trade & learn more here: ……” on 16 Dec 2017. Available https://twitter.com/CMEGroup
PISA (2018). “The Era of BlockChain and Smart Contract Development” on 20 Jan 2018. Available https://www.pisa.org.hk/past-events/518-isc-2-hk-chapter-agm-cum-feature-talk-the-era-ofblockchain-and-smart-contract-development-20-jan-2018
Daniel, S. (CNN, 2018). “$530 million cryptocurrency heist may be biggest ever” on 29 Jan 2018. Available http://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

PISA Journal The Editorial Board

SC Leung CISSP CCSP CISA CBCP

Joyce Fan CISSP CRISC CISA

Ian Christofis CISSP

Alan Ho CISSP CISA CISM CGEIT

You can contribute to PISA Journal by:

Joining the Editorial Board
Submitting articles to the Journal

SC Leung, Chief Editor
editor@pisa.org.hk

Next Issue: Issue 28 (Sep-2018)

Infosec Workshops for KIDS

Peter Cheung Honeynet HK Chapter Members


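Background

In 2015 the Taiwan Honeynet chapter held an information security winter camp especially for children, with the theme "Let's create a different kind of holiday life for kids together". The aim was to let children experience the importance of Internet security through a variety of hands-on activities, in the hope that they could apply what they learned in daily life and protect themselves on the Internet.

Our Honeynet SIG felt that running a camp was too big a challenge, and that a workshop would be more feasible. I put the idea to the PISA committee members, who supported it and introduced me to teacher Andy Li. After several discussions with him, we settled the format and content of the workshop. And so the first workshop began.

First workshop

The first workshop (June 2017) was run by three members (Eric, Roland and me) for two classes of Primary 5 students. What was special this time was that the students came from a boys' school, and we expected their interest and response to be more enthusiastic than at a co-educational school. The first game was about an ancient encryption technique: the scytale. Each group of students received a pencil and a strip of paper hiding a password, and they raced to find the password. Along the way they showed plenty of creativity, for example flipping the strip over, turning it upside down, crossing out some of the characters, and so on. Suddenly one student shouted: "I found it!" The answer was to wrap the strip around the pencil; the password was one of the horizontal rows of text. He told me he had once seen this method in a cartoon, which is how he thought of it. Even the teacher had to admit that watching a suitable amount of television can also teach you other things. After that, they were warmed up and ready to take on the remaining puzzles. Some of the games were about encryption concepts, such as the Caesar cipher and the transposition cipher. We first introduced how a cipher works, and then the students used the method to decrypt the ciphertext.

Second workshop

The second workshop (June 2017) was run by another three members (Kelvin, Ting and me). This time the students came from a co-educational school. We expected the girls to be less engaged than the boys, but the result was the opposite: the girls not only took part actively, their results were in no way worse than the boys'.

One of the games was to find a password hidden in a web page. At first they tried different approaches, including resizing the browser, enlarging and shrinking the font, and even looking at the screen from different angles. They tried almost every function but still had no clue. So I gave a hint: "source code", and within a minute someone found the answer. This student found it by going through the source code line by line. He explained that at first he had not thought of looking in the source code, because he did not know programming or code. The next game was also to find a hidden password in a web page, but the password was obfuscated with JavaScript, so the students could not find it just by viewing the source code. A few minutes later, a student shouted: "I found it!" It turned out that he had used the developer tools to inspect the obfuscated JavaScript and got the answer. Afterwards he also put it down to luck, because he did not actually know what developer tools were. This shows that daring to try is an important attitude in learning.

Next steps

We will work with the Association of I.T. Leaders in Education (AiTLE), hoping to develop a set of teaching materials for teachers to use in workshops. We may also hold workshops for teachers, so that they first understand the content of the materials and the basic theory.

Finally, on behalf of the team, I thank teacher Andy Li for his advice and sharing, and I thank Salesian School (慈幼學校) and Po Leung Kuk Dr. Jimmy Wong Chi-Ho (Tin Sum Valley) Primary School (保良局王賜豪(田心谷)小學) for their support, which made it possible to pilot these two workshops.

■ Peter Cheung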


Event Snapshot We Share. We Progress.

Cyber Security Professionals Awards (CSPA) 2017 (23 October 2017)

Congratulations!! Seven PISA members received the Awards in 2017.

(from left) Frank Chow, Martin Chan, Mike Lo, Frankie Leung, Eric Moy and Eric Fan.

Ricci Ieong (on the right hand side)


Event Snapshot We Contribute. We Achieve.

Sharing Session with (ISC)2 Safe and Secure Online (SSO) UK Lead Volunteer (12 January 2018)

Tim Wilson, (ISC)2 Safe and Secure Online (SSO) UK Lead Volunteer, visited Hong Kong and met PISA and (ISC)2 Hong Kong Chapter Executive Committee members and SSO trainers. He shared much valuable experience in promoting online security to children.


Safe Wi-Fi War Driving 2017 (17 December 2017)

PISA joined the Hong Kong Wireless Technology Industry Association (WTIA) to conduct Safe Wi-Fi War Driving 2017. We took a tram from Kennedy Town to Shau Kei Wan, and then returned to Kennedy Town. Many wireless network signals were captured for analysis.

Before getting on the tram, we took a group photo first. We were ready to go!!!

We sat at the back of a tram for signal capture.

Our mobile devices with war driving tools were capturing wireless network signals.


Seminar: Understanding What is New in China Cybersecurity Law and What We Cannot Do (26 April 2018)

The China Cybersecurity Law took effect on 1 June 2017. PISA is happy to invite two legal professionals to share with our members some key requirements, including safeguards for national cyberspace sovereignty, protection of critical information infrastructure and data, and protection of individual privacy. The Law also

100+ registrations were received. Various questions were raised and discussed in the Q&A session.


(ISC)2 HK Chapter AGM 2017 cum Feature Talk: The Era of BlockChain and Smart Con-

(ISC)2 HK Chapter, one of PISA's Special Interest Groups (SIGs), held its AGM at PolyU with many members actively participating.

Dr. Daniel Luo (left) and Dr. Allen Au (right) shared with us the latest blockchain and smart contract development. Our Chairperson presented gifts to thank them for their sharing and continued support to PISA.

After a competitive election, the (ISC)2 Hong Kong Chapter Executive Committee (EXCO) 2018 was formed. We welcome Ricci Ieong and Vincent Ip, who are joining us. Thank you Eric Moy, Karson Chan, and Martin Chan for your time and support. This is a group photo of the 2017 and 2018 (ISC)2 Hong Kong Chapter Executive Committee Members.


PISA Spring Dinner 2018 (26 March 2018)

We had a great evening with our members. Besides networking with PISA members and having a nice dinner, Chester Soong, our Honorary Advisor, shared his recent status with us. The PISA Chairman and Executive Committee shared updates and coming events.


Seminar: Tackling System Security from the Perspective of Non-digital Components (9

Dr. Kehuan Zhang delivered an interesting security topic to us.

Seminar: The Integration of "Human + Machine" - The biggest security challenges in

Mr. Dixon Ho shared with us the future trend of enterprise security service, the biggest security challenges for the integration of “human + machine” and security measures.

PISA Speakers in the local community.

Frankie Leung spoke in the Office of Communication Authority public seminar on 8 November 2017.

Frankie Wong spoke in the Office of Communication Authority public seminar on 27 October 2017.

Eric Moy spoke in the Office of Communication Authority public seminar on 13 December 2017.


Various talks to schools under (ISC)2 Safe and Secure Online Program


Professional Information Security Association Vision to be the prominent body of professional information security practitioners, and utilize expertise and

Successful Career

Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Many Ways

Networking

Continued Education

Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date

Check out job listings information provided by members. Get information on continuing education and professional certification

Sharing of Information Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.

You Can Benefit

Membership Information

Realize Your Potential

Professional Recognition

Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials

Benefit from the immediate access to professional recognition by using post-nominal designation

Enquiry email: membership@pisa.org.hk

Membership Application Form: http://www.pisa.org.hk/membership/member.htm

Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm

Membership Requirements

Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.

All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.