I do enjoy reading some of the stuff I get from Symantec. Today, they again announced to me that they have the security problem thing under control if I buy their stuff.


The number of organisations that rely on patching as their main or only measure against security vulnerabilities still amazes me. The relatively small percentage of organisations that run a proactive vulnerability assessment/management program to understand their environment and actual risks they may face is a concern.

This Computerworld US story follows on the usual theme of organisational struggles to patch patch patch. (How often do we read stories like this? Is this really news?)…I was amazed that VA got a line or two for a change.

I’ve had the following posted on IT Security Link:

The Great Managed Perimeter Security Services Swindle 

Good luck to the team there with their new site.

From straxd – an unassuming dark horse

I have always had a bit of a fascination with the concept of group psychology. It’s at the same time the most evil and the most successful marketing tactic that a company can launch.

Take De Beers’ creation of the diamond industry as an example. By giving the right general impression the entire psyche of society can change (and the diamond cartel made billions as a result). Coke has converted a version of caffeinated carbonated sugar water into a drink pretty much everyone has every day. The records and movie industries have converted copyright infringement into theft, and created the previously alien idea that artists would stop creating new art if they weren’t millionaires.


An ongoing vulnerability assessment/management program is probably the most proactive tool-based measure an organisation can take to identify weaknesses in infrastructure, OS and mainstream applications, (with web application testing abilities of such systems still developing). It amazes still that many organisations still don’t do this but that’s another story.

The toughest part of VA as any organisation that has implemented VA will tell you is not in selection of a solution (QualysGuard is the standout choice :-) ) nor implementing it…nor even the initial scanning – it is dealing with the deluge of vulnerabilities reported and where to start to fix them?! That first report is an eye-opener for most organisations! And, this is where 90% of organisations get bogged down! It’s here that many organisations stall and some stall big time!

We’ve been working with organisations on vulnerability assessment/management programs for years so I thought I would talk about the most effective approach that we have seen to implementing a program that works. The following is not for everyone, but if you can make it happen, it will make your life easier and your organisation more secure in the quickest time.


This is somewhat of a follow-on from BG’s last post, that came about from a conversation we were having about how much forensics and investigations work Securus Global actually did. To be honest, the answer was not much and I did not know of too many other organisations that did much either. The odd job here or there but nothing to sustain a dedicated business unit.

I’m not sure what it is like in other regions of the world, but the BG Ostrich RM 101 pretty much covers it and that is scary! (Obviously the banking sector is different but even then, some do it better than others in that sector).

This is nothing new. I’ve been ranting about this for a long time but things haven’t really changed much.


We did not predict it at first….but seriously, ORM (Ostrich Risk Management) has taken on a life of it’s own. I have had so many emails promoting its success that we now need to call this acronym (and program) our own!

Can anyone say it is not the world’s leading and most successful IT risk management program. Seriously?!

We now aim for this to become a “defacto” standard framework right now, and will be submitting it, to help you guys out, to the ISO and PCI dudes as a start! This is getting silly. :-)

The rantings of Craig Chapman, IT Security Legend.

BG’s Ostrich Risk Management 101: A Case Study of Organisational Behaviour in Most Enterprises:

1. We don’t know if we’re being ripped off.
2. We don’t want to know if we’re being ripped off.
3. If we acknowledge there’s a problem, we’re obliged to do something about it.
4. If we acknowledge there’s a problem, we might get blamed for the problem occurring in the first place.
5. Don’t measure the problems, therefore, there are no problems.
6. If there’s no problems, we must all be doing a great job at preventing problems.
7. Lets all give ourselves a big pat on the back for preventing problems!

No problems!


Related Post:
Risk Management – Great in meetings, not so much in practice

Declan Ingram, Securus Global Practice Manager talks about IDS/IPS security at Kiwicon 2007. Broadcast here at Patrick Gray’s excellent weekly IT Security broadcast, Risky Business.

Synopsis: “When you consider the system as a whole, there are plenty of ways to bust an IDS / IPS. From the wire to the incident response team we will work through various limitations and examples of potential mischief.”

Declan Ingram talks about the news article on Rise Security and the Eee PC:

News this morning of the remote vulnerability in the ASUS EeePC (http://eeepc.asus.com/global/) doesn’t really come as a surprise. Vulnerabilities in default installs are really nothing new.

As an avid EeePC fanboi, this one does annoy me. (FYI – It took us about 4 seconds to do it when I purchased mine a few weeks back…..well a little more, I only slightly exaggerate). The guys at RISE are attacking a vulnerability in Samba – (http://www.zerodayinitiative.com/advisories/ZDI-07-033.html) which was released May 15, 2007.

It’s now Feb 11th, 2008, and as I check the EeePC software update program there is still no update.

C’mon guys – get it together. You can’t ship a custom OS and then not update it. You are using non-open-driver hardware so I can’t easily roll my own choice of OS (which, of course is www.openbsd.org) The Samba team have made the patches, you have even setup the update channels – this is just being lazy.

Older Posts »