February 27th, 2008 Drazen Drazic
I do enjoy reading some of the stuff I get from Symantec. Today, they again announced to me that they have the security problem thing under control if I buy their stuff.
Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 27 Comments »
February 25th, 2008 Drazen Drazic
The number of organisations that rely on patching as their main or only measure against security vulnerabilities still amazes me. The relatively small percentage of organisations that run a proactive vulnerability assessment/management program to understand their environment and actual risks they may face is a concern.
This Computerworld US story follows on the usual theme of organisational struggles to patch patch patch. (How often do we read stories like this? Is this really news?)…I was amazed that VA got a line or two for a change.
Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management | 2 Comments »
February 23rd, 2008 Drazen Drazic
I’ve had the following posted on IT Security Link:
The Great Managed Perimeter Security Services Swindle
Good luck to the team there with their new site.
Posted in Bad Stuff, Dumb Security, IDS, IPS, Risk Management, Vulnerability Management, Web Application Security | 2 Comments »
February 20th, 2008 Drazen Drazic
From straxd - an unassuming dark horse
I have always had a bit of a fascination with the concept of group psychology. It’s at the same time the most evil and the most successful marketing tactic that a company can launch.
Take De Beers’ creation of the diamond industry as an example. By giving the right general impression the entire psyche of society can change (and the diamond cartel made billions as a result). Coke has converted a version of caffeinated carbonated sugar water into a drink pretty much everyone has every day. The records and movie industries have converted copyright infringement into theft, and created the previously alien idea that artists would stop creating new art if they weren’t millionaires.
Posted in Bad Stuff, Industry Specialists Talk, PCI, PCI DSS, Risk Management, cyber crime | 8 Comments »
February 18th, 2008 Drazen Drazic
An ongoing vulnerability assessment/management program is probably the most proactive tool-based measure an organisation can take to identify weaknesses in infrastructure, OS and mainstream applications, (with web application testing abilities of such systems still developing). It amazes still that many organisations still don’t do this but that’s another story.
The toughest part of VA as any organisation that has implemented VA will tell you is not in selection of a solution (QualysGuard is the standout choice :-)) nor implementing it…nor even the initial scanning - it is dealing with the deluge of vulnerabilities reported and where to start to fix them?! That first report is an eye-opener for most organisations! And, this is where 90% of organisations get bogged down! It’s here that many organisations stall and some stall big time!
We’ve been working with organisations on vulnerability assessment/management programs for years so I thought I would talk about the most effective approach that we have seen to implementing a program that works. The following is not for everyone, but if you can make it happen, it will make your life easier and your organisation more secure in the quickest time.
Posted in Risk Management, To cool, Vulnerability Management, governance | 8 Comments »
February 16th, 2008 Drazen Drazic
This is somewhat of a follow-on from BG’s last post, that came about from a conversation we were having about how much forensics and investigations work Securus Global actually did. To be honest, the answer was not much and I did not know of too many other organisations that did much either. The odd job here or there but nothing to sustain a dedicated business unit.
I’m not sure what it is like in other regions of the world, but the BG Ostrich RM 101 pretty much covers it and that is scary! (Obviously the banking sector is different but even then, some do it better than others in that sector).
This is nothing new. I’ve been ranting about this for a long time but things haven’t really changed much.
Posted in Bad Stuff, Disclosure Laws, Dumb Security, Forensics, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »
February 16th, 2008 Drazen Drazic
We did not predict it at first….but seriously, ORM (Ostrich Risk Management) has taken on a life of it’s own. I have had so many emails promoting its success that we now need to call this acronym (and program) our own!
Can anyone say it is not the world’s leading and most successful IT risk management program. Seriously?!
We now aim for this to become a “defacto” standard framework right now, and will be submitting it, to help you guys out, to the ISO and PCI dudes as a start! This is getting silly. 
Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, cyber crime | 2 Comments »
February 13th, 2008 Drazen Drazic
The rantings of Craig Chapman, IT Security Legend.
BG’s Ostrich Risk Management 101: A Case Study of Organisational Behaviour in Most Enterprises:
1. We don’t know if we’re being ripped off.
2. We don’t want to know if we’re being ripped off.
3. If we acknowledge there’s a problem, we’re obliged to do something about it.
4. If we acknowledge there’s a problem, we might get blamed for the problem occurring in the first place.
5. Don’t measure the problems, therefore, there are no problems.
6. If there’s no problems, we must all be doing a great job at preventing problems.
7. Lets all give ourselves a big pat on the back for preventing problems!
No problems!
BG.
Related Post:
Risk Management - Great in meetings, not so much in practice
Posted in Big Galoot Diatribe, Industry Specialists Talk, Risk Management | 10 Comments »
February 11th, 2008 Drazen Drazic
Declan Ingram, Securus Global Practice Manager talks about IDS/IPS security at Kiwicon 2007. Broadcast here at Patrick Gray’s excellent weekly IT Security broadcast, Risky Business.
Synopsis: “When you consider the system as a whole, there are plenty of ways to bust an IDS / IPS. From the wire to the incident response team we will work through various limitations and examples of potential mischief.”
Posted in Firewalls, IDS, IPS, Industry Specialists Talk, Research, Vulnerability Management, cyber crime | 9 Comments »
February 11th, 2008 Drazen Drazic
Declan Ingram talks about the news article on Rise Security and the Eee PC:
News this morning of the remote vulnerability in the ASUS EeePC (http://eeepc.asus.com/global/) doesn’t really come as a surprise. Vulnerabilities in default installs are really nothing new.
As an avid EeePC fanboi, this one does annoy me. (FYI - It took us about 4 seconds to do it when I purchased mine a few weeks back…..well a little more, I only slightly exaggerate). The guys at RISE are attacking a vulnerability in Samba - (http://www.zerodayinitiative.com/advisories/ZDI-07-033.html) which was released May 15, 2007.
It’s now Feb 11th, 2008, and as I check the EeePC software update program there is still no update.
C’mon guys - get it together. You can’t ship a custom OS and then not update it. You are using non-open-driver hardware so I can’t easily roll my own choice of OS (which, of course is www.openbsd.org) The Samba team have made the patches, you have even setup the update channels - this is just being lazy.
Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, Research, Vulnerability Management | 2 Comments »
February 10th, 2008 Drazen Drazic
It’s always stated that the majority of potential threats to an organisation are “internal” threats. (Check out most surveys, polls etc - they all state the same thing). Unfortunately, these internal threats don’t in many cases get the same attention or recognition as those threats posed by bad guys on the Internet.
I’ve lost track of the number of times a critical weakness has been brushed aside because it’s supposedly on the safe side of the network and not accessible to the bad guys. (Is it really?….Oh, it must be, there’s a firewall on our perimeter that keeps us secure). If internal threats as we are told, present the biggest risk to organisations why is this the case?
Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, cyber crime, governance | 1 Comment »
February 8th, 2008 Drazen Drazic
Interesting figures from ISS on vuln figures in 2007. “Reported vulnerabilities” should be the key consideration when reviewing these figures. Do I think vulns have gone down in numbers as the graph suggests? No way!
Statistics can be misleading. To many factors to take into consideration and ISS puts forward some in this blog post but this one; “The 5.4 percent decline in 2007 could simply be a statistical correction to the growth in vulnerabilities in 2005 and 2006″, reads like we’re working on a system like a stock exchange. We ain’t.
Posted in Bad Stuff, Research, Vulnerability Management, Web Application Security | 10 Comments »
February 8th, 2008 Drazen Drazic
The OWASP Australia AppSec 2008 Conference is on February 27-29th. Details here.
Looks like being a good event. Who’s going?
Posted in Research, Web Application Security, news | 1 Comment »
February 1st, 2008 Drazen Drazic
Just like the posts I have written about before concerning the issues that internal security people have to deal with on a daily basis in terms of trying to get recognition of security issues their organisations face, the role of consultants is very much overlooked at times when viewed from a similar perspective.
In most cases, the consultant is engaged on a job, does the job, creates the report, presents it and then leaves. Most good consultants will try to maintain a relationship that allows for the client to follow-up at anytime on questions regarding the work and remediation advise recommended. Most good consultants will also, as part of their work, be able to identify issues outside of the scope of the engagement…ie; you just see things that are wrong….an experienced eye will! That information is also passed onto the client. End of the day, “root cause” is evident as to why the issues exist and based upon that, it’s clear that the root cause will and does affect other areas outside of the engaged scope. (Something that the client should also be addressing).
Now, if you’re still following, how does a good consultant switch off so to speak to a client that is clearly in a bad way and is doing nothing about it?
Posted in Disclosure Laws, Risk Management, cyber crime, governance | 18 Comments »
