Have we made any real and measurable progress in 2008?

Posted on November 25th, 2008 by Drazen Drazic

The year is slowly winding up and I got to thinking if much changed in 2008. PCI DSS compliance continued to raise awareness of good practice more than anything else out there, but aside from that, did many organisations, our industry and the IT Industry as a whole make much headway into the IT security problems we face? Looking at my December 2007 post, I could almost just repeat everything word for word and just change the dates.

Posted in Bad Stuff, PCI, PCI DSS, Research, Risk Management, Vulnerability Management, Web Application Security, governance | 5 Comments »

Securus Global working with Immunity, GLEG and Square Security

Posted on November 25th, 2008 by Drazen Drazic

http://www.securusglobal.com/products/canvas.html

We’ve been working with Immunity for a while and are their only listed local reseller. We’ve recently added GLEG VulnDisco and Square Security’s D2 Exploitation Pack to our list of preferred solutions.

Posted in news | No Comments »

What is “Beast Hot Jobs”?

Posted on November 25th, 2008 by Drazen Drazic

http://www.beastorbuddha.com/bhj/

Great timing, I am told, for me to have set up a job ads site; all my mates in recruitment have been telling me so with a sarcastic tone. “12 months ago, it would have been a brilliant idea to tap into the community around the site to promote jobs within the industry”. Oh well….we can only hope that things do pick up again for everyone.

Anyway, that’s not going to stop us for now so please do check out the site (link above and off main page here) and until the end of January, all job postings are free of charge. If you have a role going, do send the details through on the contact form.

Posted in news | No Comments »

Supporting iiNet - The test case?

Posted on November 21st, 2008 by Drazen Drazic

We’re going to post a more detailed analysis of this shortly. Background: iiNet is in some bad legal action as reported here at ZDNet, and there is some support for iiNet as reported here at ComputerWorld. One wonders if the dudes going after them don’t have the balls to go after the bigger guys and are hoping to win against someone without the billions behind them, so as to set a legal precedent. (And thereby, law sets the rules for the bigger guys to then comply with later). It just smells. I wish iiNet all the best with this and hopefully you kick some arse.

As an aside, iiNet have been open with their anti-filtering stance, and cred to them for having put their name and reputation on the line in support of things that are wrong!

(Open disclosure: yes, they are a client of ours but our position would be the same regardless!)

Posted in Bad Stuff, Dumb Security, WTF | 2 Comments »

ACS planning to take a “leadership” role for e-security

Posted on November 20th, 2008 by Drazen Drazic

Just saw this on SC Magazine: ACS establishes e-security taskforce. Media release here.

I don’t know much about the ACS (have read about them but never really had any urge to join - if they’d even have me), but any initiatives if done well can only help. I am not aware of their expertise in the field of Information Security so it’ll be interesting to follow. Anyone here part of the ACS or know much about them and this new initiative?

Posted in Research, Risk Management, cyber crime | 9 Comments »

So we own your client database and everything important to you…

Posted on November 19th, 2008 by Drazen Drazic

Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!”

SG dude: “Well more than likely, others have….we didn’t do anything fancy…”.

Web Developer: “Well nothing has ever happened so it’s just you guys!”

SG dude: “You have no logging”.

Web Developer: “We’ve never been hacked!”

What do you do? :-) Scenario repeats every week - new developer, next website, next web app. See you then!

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 7 Comments »

PCI DSS Compliance Projects - The road to nowhere….

Posted on November 17th, 2008 by Drazen Drazic

It’s getting to that time of year where we are seeing an influx of PCI business and a constant stream of phone calls and emails from organisations who are only now either hearing about it or have realised that they’ve dropped the ball on it and their compliance deadlines are only a few months away.

The majority of the people we talk with for the first time are shocked, to say the least, when we explain how tough compliance is going to be if you’re starting from a base of pretty much nothing. (As an aside, this highlights how bad business IT security practices have been all along - across all sectors and all sizes of business). Bottom line is that any business who has had good security practices in place should find PCI DSS compliance not that daunting, as there is not much in the standard itself that is not just plain good ol’ security practice. Why many are under the misconception that the PCI DSS is some radical set of requirements imposed upon poor businesses is still beyond me!

Posted in PCI, PCI DSS, Risk Management, governance | 6 Comments »

PM and Opposition Leader on Twitter

Posted on November 14th, 2008 by Drazen Drazic

Following in the footsteps of Malcolm Turnbull, Kevin Rudd seems to have signed up also.

People have questioned recently whether it really is Malcolm Turnbull here: http://twitter.com/TurnbullMalcolm. If it’s not, the guy’s going to a lot of trouble. If it is, and I believe it is, he’s doing well. I even exchanged a few posts with him recently. Good on him!

Now is this our PM here: http://twitter.com/KevinRuddPM?

May have to test how he responds soon. :) Well we have a direct forum on issues like Internet Filtering. (http://twitter.com/big_galoot).

Posted in Ford Falcon | No Comments »

Dumb Bosses…

Posted on November 11th, 2008 by Drazen Drazic

The danger here is that I may well cop some posts here myself (though hopefully I rarely fall into this category). :-)

Talking to a friend who I know is an awesome Infosec guy and also delivers. He’s been marked down somewhat in his performance appraisal because he’s “not putting in above and beyond….”. (Read: he’s not coming in at 7am and leaving at 7pm). But all his work is delivered on time and with quality. Colleague X, whose projects are always late and generally troubled, receives a good appraisal (as usual). Yeah, he’s one of those guys who’s in at 7am, leaves after the boss, and talks up his “successes”.

I always wonder what some of these bosses are thinking. Is it just their own belief that you need to be spending half your life in the office to show your worth or are they part of a monkey delivery system (where each link works on this premise)? (No relationship to the monkeynet). Saw a damn lot of this in my time in the Big 4 and investment banking world.

Posted in Bad Stuff, Dumb Security, Ford Falcon, WTF | 12 Comments »

Managing Security Effectively in the Enterprise

Posted on November 5th, 2008 by Drazen Drazic

I don’t normally get into quotes, but I like this one:

“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.” - Ralph Waldo Emerson.

It’s no different to looking at managing Information Security in an enterprise. (Gees, this is deep).

The Strategic Security Management Framework approach, for example, can be considered the guiding “principles”. The “methods” are what you build from them, and how those guiding principles are used in the development of methods is key. Flipping it the other way round is always a guarantee of ongoing systematic failure.

Some related posts:
- The 7 Reasons why Businesses are Insecure
- Good document to pass to senior business managers about cyber risks and implications to business
- Risk Management Posts

Posted in Risk Management, governance | 1 Comment »

MIS Leadership Series - Eugene Kaspersky

Posted on November 4th, 2008 by Drazen Drazic

Our old friend at MIS, Michael Crawford has kicked off his “MIS Leadership Series” videocasts with an interview with Eugene Kaspersky:
http://www.misaustralia.com/multimedia/leadership.aspx?vidID=4162

I thought I was going to be the first interview but seems Eugene has trumped me. :) Probably for the best for MIS.

Bookmark this site and good luck to Michael and team with this new series. We’ll post links here also as new ones are produced.

Posted in Research, To cool, Vulnerability Management, cyber crime, news | 2 Comments »

Off Topic: Saving Jerrys Plains

Posted on November 3rd, 2008 by Drazen Drazic

This is one I have been following for a while. A classic case study of the large corporate(s) trying to do as they choose while a small community (that most people have never heard of) tries to protect what is theirs. They’ll probably lose like most of them do, but that shouldn’t have to be the case. Have a read and show your support to the Big Galoot and the people of Jerrys Plains:

http://jerrysplains.blogspot.com/

If you want to do more, contact the Big Galoot at the website above.

Posted in Bad Stuff | 3 Comments »

The value of million dollar security audits….

Posted on November 2nd, 2008 by Drazen Drazic

I mentioned recently that a client of ours was supposedly quoted over $1M for nothing more than an ISO27001 scoping engagement by a Big consulting firm. (The real work came later!) My recent post in the forum about the ATO’s latest problems made me think about how many of these “big” consulting engagements still happen. You know the ones; Big firm comes in, spends months “auditing”, creates a large report with a handful of high-level recommendations and gets a couple of million for it!

I can’t for the life of me see even a small blip on the bang-for-buck monitor from these audits. Had you told me some of these reports were created in a few weeks, I might say, “okay”, but seeing the results, recommendations, levels of detail and, more so, what they more than likely missed, just has me shaking my head. It’s 2008 and we’re still seeing big bucks being paid to Big name firms by people in business who should really know better than to just trust names and wild proposals in terms of time-frames and price, but most importantly, what the hell is going to be delivered.

It’s a whole other story as to what companies do with the reports they’re given, and that’s left for another post (though there’s probably a score of posts in BorB that more than cover it already!). Sour grapes…nah!? Double-standards - sure…..I wouldn’t bitch if the ATO offered Securus Global a couple of million to hang around for a while and tell ‘em what they should do. :-)

Pretty confident we would add a lot more value and bang-for-buck than any of the Big guys! But it’s all a game at some levels - who you know, how well you know them and what you know you can get away with!….It really is!

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, WTF, governance | No Comments »