Hiring a Security Manager and then not letting them do their job….

August 28th, 2007 Drazen Drazic

The following is borrowed from www.hipaadvisory.com, in particular, from the section on Information Security Manager’s Role Description. Why from here? No reason….it covers it just as good as most other places.

Above all others, the information security manager’s primary goals are to protect the confidentiality and integrity of information, and maintain the technical mechanisms of legitimate access to it. To achieve these goals, the information security manager’s responsibilities typically include:

• Documenting the information security policies and procedures instituted by the organization’s Information Security Committee
• Implementing the organization’s information security policies and procedures
• Coordinating the activities of the Information Security Committee
• Providing direct information security training to all employees, contractors, alliances, and other third parties
• Monitoring compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties, and referring problems to appropriate department managers or administrators
• Monitoring internal control systems to ensure that appropriate information access levels and security clearances are maintained
• Performing information security risk assessments and serving as the internal auditor for information security processes
• Preparing the organization’s disaster recovery and business continuity plans for information systems
• Serving as an internal information security consultant to the organization Monitoring advancements in information security technologies
• Monitoring changes in legislation and accreditation standards that affect information security
• Initiating, facilitating, and promoting activities to foster information security awareness within the organization
• Serving as the information security liaison for users of clinical, administrative, and behavioral systems
• Reviewing all system-related information security plans throughout the organization’s network, and acting as liaison to the Information Systems Department

Looks pretty standard for most IT Security Manager roles doesn’t it? Looks like a lot of ads placed for roles in organisations?

Why is then that when the IT Security Manager comes on board, the objectives/role changes and every step of progress made by the new guy in the organisation is as tough as pulling teeth. Why is that organisations post this as what they want to achieve but then don’t?

It’s no wonder most security dudes are cynical about the IT industry. It takes a special breed who can deal with the lip service day in and day out, listen to the latest company rants about how they take security seriously, read about the latest government initiatives on cybercrime etc etc etc…yet the realities as we know are far different.

As a community, we are too insular. We spend too much time ranting to each other and sharing war stories…….who wants to listen to a bunch of paranoid techs?

There’s enough posts in here that cover my thoughts on this but I’d be keen to hear from anyone that disagrees?

Posted in Bad Stuff, Dumb Security, WTF, governance | 4 Comments »

There’s just too many things wrong here…..

August 28th, 2007 Drazen Drazic

http://www.news.com.au/dailytelegraph/story/0,22049,22304224-5005941,00.html

Good initiatives…what? Election year? Snotty nosed kids? Why am I even giving this space? What else has happened today?

Posted in WTF | No Comments »

Revenge of the Hacked……

August 28th, 2007 Drazen Drazic

http://justinsomnia.org/2007/08/search-engine-marketeers-are-the-new-script-kiddies/

Posted in Dumb Security, Research, Vulnerability Management, WTF, Web Application Security, cyber crime | No Comments »

Top 10 IT Security Failings in US Government Departments

August 26th, 2007 Drazen Drazic

This paper, titled: “Common Risks Impeding the Adequate Protection of Government Information” sponsored by the the US Department of Homeland Security and the Office of Management and Budget isn’t rocket science and does highlight the concerns that most organisations themselves face.

Nothing new in here and nothing that should not be in place or rather have already been in place as standard. It is a worry to think that in 2007, we’re still talking about security and risk management basics.

You have to wonder how many millions and billions are wasted on security products around the world for little to no benefit to organisations? Actually….we know…..millions and billions.

Posted in Bad Stuff, Dumb Security, Vulnerability Management, cyber crime, governance, news | 1 Comment »

Choose your PCI Auditors Carefully…….

August 24th, 2007 Drazen Drazic

I wrote a little while ago about seeing the results of some “Big” guy’s PCI Audits at clients, only to be called out in another PCI site that “Big” guys don’t do PCI audits. Most don’t……anymore and it was nice to get some follow-up responses on the site supporting facts.

Lets not pick on these guys directly though remnants of their work still remain. We know….we see it! Aside: How some of these guys ever signed off on some audits, giving clients a compliance pass, makes it clear why many are no longer in the game. Negligence and dangerous to clients.

If you’re a merchant or service provider, let me explain something called “Safe Harbour”.

A Report on Compliance that gives you all the ticks means jack should you be compromised and then found non-compliant by an independent review undertaken by an authorised party engaged by the PCI dudes post your compromise. Yep…..you’ll be deep in it potentially even though that PCI Auditor told you all was well!

So, was it worth going with the guys that quoted 4 days for the PCI Onsite Audit when another company quoted 4 weeks?! Did that difference not ring alarm bells? Did you not ask questions? Did you really think that the ticks in the boxes discharged your responsibilities? Did you know what “safe harbour” meant?

Companies need to get smarter and realise the risks that they face by not spending some time to ask questions. Saving a few thousand bucks today could equate to being up for millions in damages later…. and trust me, it does and will happen.

Posted in Bad Stuff, PCI, PCI DSS | 1 Comment »

Kiwicon 2007 - Presentations starting to be announced…

August 21st, 2007 Drazen Drazic

https://kiwicon.org/presentations

Also covered in the press: http://www.smh.com.au/news/security/hackers-do-the-haka/2007/08/20/1187462175403.html

Nice write-up from Patrick Gray.

Posted in Research, news | 1 Comment »

Kiwicon 2007 - Call for papers

August 18th, 2007 Drazen Drazic

Just another notice about Kiwicon 2007. This will be an awesome event…hopefully the first of many.

For further information, go to: https://kiwicon.org/

Posted in Research | No Comments »

Germany goes extreme on “hackers”

August 18th, 2007 Drazen Drazic

Interesting news out of Germany that will impact the research community:

http://www.theregister.co.uk/2007/08/13/german_anti-hacker_law/

Posted in Bad Stuff, Dumb Security, Research, WTF, cyber crime, news | No Comments »

Now working for guitars……

August 17th, 2007 Drazen Drazic

Hey, I love my guitars as some of you know……so I have decided that if any guitar manufacturer or distributer needs some vulnerability assessments, PCI scans or Web Application security testing done, I will do it for guitars instead of money.

- Fender: Telecaster….love the strat also but the tele kills it.
- Gibson: Les Paul…love it but the SG has the nicer neck and rocks harder. Probably why I like the tele.
- Dean: Nuff said…current owner and daily player!
- PRS: Any US model…Nuff said
- BC Rich: Gave away a “Bitch” in 1987 and still regret it!
- Maton: Home brand…great rep!
- Washburn: Paul Stanley….nuff said!

etc etc….just call….the list above is just a start!

Line 6 Spider 3…..also most cool!

Posted in Uncategorized | 4 Comments »

PCI - the costs of non-compliance….more than just fines.

August 17th, 2007 Drazen Drazic

This recent story from Information Week tracks the TJX saga: The TJX Effect. Well worth a read for all organisations - not just those required to be compliant under the PCI DSS program.

This story is far from done and also further highlights implications of non-compliance to good practices and PCI DSS. As also covered in:

http://beastorbuddha.com/2007/06/27/implications-of-non-compliance-with-pci-dss/

Posted in Bad Stuff, PCI, PCI DSS, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

More on Disclosure Laws in Australia….

August 14th, 2007 Drazen Drazic

This recent story from Computerworld: Australia’s data privacy landscape called into question, provides a further good insight into proposed data disclosure laws being introduced into Australia.

Yes, as you know, I think this is a good thing. See previous posts.

But, lets not kid ourselves and think a law like this on its own is going to quickly make big changes. It has been stated many times that this law in the US has improved Information Security practices greatly, but, how is this being measured? A few major news stories do not make for across the board better practices having been deployed. All it highlights is that now when someone is openly compromised, they have to lay the cards on the table.

The biggest problem in this respect that we see is that most companies would not know if they have been compromised. I hate to keep referring to TJX but they are a classic case study. How long had the compromise been going on for before it was detected? From our experience, the problem is far more widespread than most people believe.

Unless any such law is supported by strong supporting laws around Information Security practices and controls, the 3 monkey approach will remain the leading Information Security practice in existence! ie; we know nothing therefore we have nothing to disclose.

In which case, bet your house, that even if the law comes into existence, you won’t see too many “disclosures”. And, based upon that, business will continue to think that the IT Security industry just hypes the risk to make and keep themselves in business.

Standards like PCI DSS drive better Information Security practices but even combined with disclosure laws, still don’t fully get around the 3 monkeys approach. Just throwing it out there, but maybe something along the lines of:

Standard x.x: In the event of major / critical vulnerability detected on Internet facing system, organisation must undertake investigation to determine whether vulnerability has been compromised and to what extent.

Posted in Bad Stuff, Disclosure Laws, Vulnerability Management, Web Application Security, cyber crime, governance | 1 Comment »

Security Bingo…..

August 14th, 2007 Drazen Drazic

http://bsdosx.blogspot.com/

Posted in WTF | No Comments »

Anti-Badware…..who has the “upper hand”?

August 12th, 2007 Drazen Drazic

Things can change quickly if you believe everything you read on the topic of bad guys vs. antivirus developers:

The battle is being lost and the bad guys have the upper hand: Network World 31/01/07.

The battle is being won and the antivirus developers have the upper hand: SC Magazine 10/08/07.

I find the latter story a bit hard to fathom. It seems to go against everything else we’re reading, seeing and hearing about. Virus specific? Maybe? But the story doesn’t just focus on that.

Posted in Research, Vulnerability Management, WTF, cyber crime | 8 Comments »

Mind-blowingly awesome ideas, music and great things (off topic)

August 10th, 2007 Drazen Drazic

Not IT security but maybe to a degree. I’ve often been accused of posting the most controversial rants here late at night - insinuations being along the lines of in vino veritas. Sometimes, but far from regular. I note the same in other blogs where some amazing thoughts seem to be presented at a late hour. Some recent responders to posts here….well, yeah, I reckon.

I wonder sometimes if alcohol, drugs, depression/misery and other mental conditions were given to mankind to help us evolve, be creative and make life what it is today?

I’m really going to generalise and present bugger all figures of nothing….just throwing out a few things: Read the rest of this entry »

Posted in WTF | 3 Comments »

Disclosure Laws in Australia

August 8th, 2007 Drazen Drazic

As reported in ComputerWorld, it seems Disclosure Laws are now on the agenda for Australia.

Related posts: http://beastorbuddha.com/category/disclosure-laws/.

Okay….some progress but lets hope we do get this right by ensuring that the framework and processes around monitoring and reporting are in place in organisations for them to be in a position to be able to detect and report. The real danger as we continue to document in here is organisations having no clue as to what is going on in their organisation. In such cases, what is there to report?….. the 3 monkey strategy beats all!

Posted in Disclosure Laws, cyber crime | 1 Comment »

“Ethical Hacking”….that term is a worry….

August 7th, 2007 Drazen Drazic

Courses that teach under-skilled individuals the basics of “hacking” are a worry to me. Companies that teach “ethical hacking” courses are worry…….most I know I would not hire to review a static one page site. What is that they are trying to achieve? I read the course objectives for pretty much all of these courses and they worry me.

So….big company that can afford to send netadmin to one of these courses now thinks netadmin can do network and web app pen test…..saving bucks now by not hiring a third party?!?! Akin to me reading the “Idiots Guide to Accounting” and professing to be able to manage the financial books of News Limited.

Come on….WTF….give the professionals some credit!

Posted in Applications, Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 15 Comments »

You got to love Elton John’s suggestion…

August 4th, 2007 Drazen Drazic

From the SMH, Elton John’s war on the web.

Maybe 1 week a month?

Posted in news | No Comments »

Masterclass….be there or just be lost…..yeah right

August 4th, 2007 Drazen Drazic

I’m booked in to do the following….just saw this link…so if you are in town and free, or rather you have the money…… (the second one…not the usual 7799 will set you free):

I was just about to bag most Security Conferences and then remembered this……I’ll make my mind up then…..after this. I can’t vouch for this one….there’s so many of these things now during the year…..and most are BS. What I can guarantee is a laugh and you already have that now seeing my old ugly rugby head. The content? God knows……..I will probably make it up as I go……they caught me at a bad time…………you can get this from SA for free most times anyway.

http://www.terrapinn.com/2007/srm_au/Custom_17307.stm

Posted in Uncategorized | No Comments »

The Bad Web Developer Fighting Back…..

August 3rd, 2007 Drazen Drazic

I’m going to turn BorB into a soap opera for the next week or so. I’m going to report on our “discussions” with the web developer that was a leading player in:

Web Applications more secure these days? Not from where we stand!

Securing Web Applications……choose your developers carefully

It seems that the “developer” believes that they have done nothing wrong and continue to argue the point with the business that they are under no obligation to fix anything because what they have delivered is good. (Or so we are told). As a background, we have, until now, been kept out of this by the business who have assumed that the developer would be reasonable. Not the case…..thus, next week…we have been asked to meet with them. The shotgun is ready and the fish have been loaded into the barrel. Stay tuned.

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, WTF, Web Application Security, cyber crime | 3 Comments »

No way…?

August 3rd, 2007 Drazen Drazic

http://www.smh.com.au/news/games/gamers-get-to-execute-corrupt-officials/2007/08/03/1185648104916.html

Is it just me that finds this so weird?

Posted in WTF | 2 Comments »