Maybe I find PCI DSS so much easier than other things…it’s all relative!

Posted on January 29th, 2009 by Drazen Drazic

Maybe some of my thoughts on PCI DSS (that I have posted here before) can be attributed back to past experiences in tougher regulatory environments I have been exposed to. For those dudes whinging about how tough PCI DSS is on the business, try working in an IT Security / IT Risk Management role in an Investment Bank in the likes of Japan and Singapore for example!

You poor dears! Would hate to see how you would deal with the regulators in those countries with their Government run “compliance” audits! Makes PCI DSS compliance look like a piece of piss (so to speak). Be careful some people what you wish for!

Do I need to expand upon why?

Posted in Dumb Security, PCI, PCI DSS | 2 Comments »

Okay, I’ll add my 2 cents to the Heartland breach….(Talking PCI DSS)

Posted on January 27th, 2009 by Drazen Drazic

I was directing all to Anton’s site here where he has done the most thorough analysis of what’s been posted on the Net about this breach. It’s worth having a look at his site. After TJX, I thought I was all talked out about these topics – for a while at least…..okay, it’s big but it’s all now becoming quite common and things like this will continue to happen due to poor on-going security practices, inherently insecure software etc etc. So is there more to say on that front that I haven’t talked/preached about in this blog for a number of years?

PCI DSS has copped quite a bit of criticism from many “experts” on the Net over the events at Heartland. I do understand why. There have been many against the standard from the outset and any breach/security issue in an organisation that is using PCI DSS as the framework for their security practices is going to have these people questioning the purpose and overall benefits of the standard. Read on…..


Posted in Bad Stuff, Disclosure Laws, Dumb Security, PCI, PCI DSS, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 7 Comments »

PCI Compliance for Dummies from Qualys

Posted on January 27th, 2009 by Drazen Drazic

Qualys has recently published a simple “PCI Compliance for Dummies” book. It’s free to download here.

Worth a read if you are new to PCI DSS compliance.

Posted in PCI, PCI DSS | No Comments »

Microsoft and DRM – Is this interview for real? :)

Posted on January 24th, 2009 by Drazen Drazic

Surely this interview from PC Pro with Microsoft is for a laugh?! Maybe not……
:-)

Thanks Dec.

Posted in Bad Stuff, Dumb Security, WTF | 3 Comments »

Unauthorised access to company websites/information/systems…..

Posted on January 22nd, 2009 by Drazen Drazic

We don’t get asked this question very much anymore but every so often, it’ll come up; “Do you guys look for vulns in websites that are not your clients and do you contact those companies to tell them?” (ie; read sometimes as; do you market your services in this way?). The answer is No and I don’t know of any of our competitors who work this way. To me, it’s akin to dodgy anti-malware operators.

This does leave you between a rock and a hard place at times. Let me explain. Our team specialises in network and web application penetration testing. It’s one of our core services and we do it well, as our clients know. When someone is good at something, there are times when, through normal web browsing, a team member will see something that just doesn’t look right (read: probable vuln). So what do we do?


Posted in Bad Stuff, Dumb Security, Research, Vulnerability Management, WTF, Web Application Security, cyber crime | 11 Comments »

Australian IT Security Bloggers and Twitters

Posted on January 21st, 2009 by Drazen Drazic

I’m keeping a blog directory here of Australian IT Security Bloggers but the list is still so small. Is this all we have? Please send me (or reply here) any updates you have.

Also, if you are on Twitter, add that also. I will add Twitters to that list soon for a central point of reference/contact.

Posted in Uncategorized | 4 Comments »

Intellectual Property Rip-Off – But Who Cares?….I do….

Posted on January 21st, 2009 by Drazen Drazic

When my business partner sold off Security-Assessment.com NZ to Datacraft and I re-branded Security-Assessment.com Australia/Asia Pacific to Securus Global, Datacraft were asked, by me, over and over again in the last 12 months to acknowledge (ie; just reference – no more) on their website the IP in regards to services and approaches to those services that I had developed. (Including correction of any claims in regards to local certifications and Australian government panels – false advertising?).

My requests were not unreasonable. Use the website I developed – I don’t care (which they still use) and use anything else you want in there, but just reference the IP to me for what I developed and you want to continue to market as your approach to IT Security services, even though you have no idea what it is.

Promise after promise to do that hasn’t eventuated, and we’re in 2009! Thus my rant now. I think I have been more than patient with it and it is time to question their use of my IP and approach to services, eg; use of the “Strategic Security Management Framework” – termed CSAP on the website (in one definition).

Just think if I was the “small” guy using their stuff what their legals would have done to me a long time ago? It’s been a typical; “you’re a small business and we’re BIG so we can do what we like!” scenario.

Posted in Bad Stuff, Dumb Security | 2 Comments »

The start of outsourced CSOs and Security Specialists?

Posted on January 20th, 2009 by Drazen Drazic

I thought about using the term (and have many times in the past), “virtual” CSO, but that sounded a bit wanky. This is something that I thought would take off a while ago, but like all else in our industry, things move slowly and little has happened.

With this “economic downturn” (yeah, I know…it’s been overdone also but reality is reality), I do think organisations are going to start to think about this. Staff are being laid off, sadly, but key aspects of the business still need to be in place – for regulatory requirements and, more so, just for the security and viability of the business.

I think in 2009, many companies are going to look for “specialists” (outside consultants from specialist firms – hopefully not, the usual mobs who’ve milked them of money for years for no result….yeah yeah….we know who I am talking about), in this field to replace people who have been made redundant – many who also were promoted to senior security roles that they were not capable of doing, nor ready for, ie; being able to work to a level that would be to the real benefit of the organisation. Read on….


Posted in Bad Stuff, Forensics, Risk Management, Vulnerability Management, cyber crime | No Comments »

How Porn kickstarted Intranets in a Large Global Business….

Posted on January 15th, 2009 by Drazen Drazic

Bit of an off-topic but remembered this story the other day and it made me chuckle to myself. Thought I would share it here and see if others have stories about how some successful projects came to fruition in a weird or funny way. Here we go:

There’s a large and very successful global business that to this day doesn’t know that their first Intranet was a porn site, and because of that porn site, a global business Intranet came into existence – it wasn’t going to happen without it (ie; the porn site) at that time. (Aside from about 4 people, though probably many more as the story has been passed on and is now probably considered just a myth). Click on:


Posted in Ford Falcon, Too cool, WTF, Web Application Security | 4 Comments »

What is “Penetration Testing”? Dead? Not yet!

Posted on January 14th, 2009 by Drazen Drazic

Interesting article talking about the death of penetration testing written by Bill Brenner – also referenced and discussed here at Jeremiah’s site.

We’re (Securus Global) getting to the stage of a more generic description of just plain old “security testing”. I can’t see it being “dead” anywhere in the short term future. What’s the real workable alternative for testing of “production” software against known and in many cases unknown types of attacks and vulns? (Still surprises me in regards to the latter how many “specialists” believe 0days only exist when reported publicly. :-) ) Code-level reviews, while good, are too expensive for most companies and do hinder delivery dates (regardless of the value they provide) – business realities.

Is it dead when it’s barely started across the business world? Where’s the starting point for the “new” (already lacking/wanting) approaches?

Posted in Applications, Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 1 Comment »

Modus Operandi

Posted on January 12th, 2009 by Drazen Drazic

If every security person put down their tools today and did nothing non-reactive, would anyone hear that tree falling down? Sounds like a stupid question, but have a good think about it. In your organisation, if you just shut your mouth and/or left everyone to their own devices, would anyone care or even notice in the short term that they had no security “expertise” protecting their business?…….A criminal’s paradise (maybe)!

Seriously…..for most organisations, this is their MO. It is!

That would sound crazy I reckon to senior business management when put in those terms. But hey, that’s how you operate now…..have a good think about that Mr CIO. Gees, I wish more CEOs would read security blogs. This is how it is Mr CEO in your business. What?! No one told you?

Context: Talking to a CEO mate of mine who gets no updates on security from his IT Manager. Offered a free “test” of their Internet security (as a start) by Securus Global after talking about numerous “generic” case studies of what we see every day. He’s now nervous (after hearing them)….as he should be. :-) He’ll be okay though……if he’s in the <5% of companies we’ve tested for the first time who have come out “okay”.

Posted in Bad Stuff, Dumb Security, Risk Management, WTF, cyber crime | No Comments »

Sucking corporate security budgets dry…..

Posted on January 9th, 2009 by Drazen Drazic

I’ve lost track of all the posts I’ve written on this topic and it never ceases to amaze me that it continues on through good and bad economic times. (Not just in our industry, which is just a small part of overall IT spend). Regardless of sector – critical infrastructure and every sector in general, the larger the business, the more gullible (for want of a better expression) they sometimes seem to be when determining what they spend money on, and with whom.

There’s a heap of exceptions and we work with some great people and organisations, but for every good company who thinks about what they do, there’s at least 20 others who continue to blow good money on bad product and bad services that add little to no value to them. You hear about them year after year and wonder when someone in there will wake up to the fact that they are being duped.


Posted in Bad Stuff, Dumb Security, WTF | No Comments »

Calling a Spade a Spade….I Hate that term “Political Correctness”…

Posted on January 7th, 2009 by Drazen Drazic

I laugh at times when someone tells me an email I sent, or something I said in a meeting or teleconference was “too blunt”, and I should have maybe said it in a different way. When someone says; “Maybe that was not the politically correct way….”, that offends me and I cringe. With our clients, there’s obviously a slightly different approach you take to getting the message across than you would when working with colleagues internally in your own business. i.e. you work within the boundaries they [the client] have to work in, and you communicate the message within those boundaries but still aimed at getting the desired result – understanding and reaction to issues that may impact their business negatively.

Security people always seem to be in that quandary as to how best to communicate what they know about the security issues their organisation faces – Who will I upset? Should I be blunt with it? Should I sugar coat it? Should I downplay it? Should I just not say anything?

So what’s right?


Posted in Bad Stuff, Dumb Security, Risk Management | 2 Comments »

Security Implications for Internet Filtering (Censorship)

Posted on January 5th, 2009 by Drazen Drazic

Looking at the interest from around the world for Matt’s interview published on Ban.This.Url last month regarding the Australian Government mandatory Internet filtering plan. Not surprisingly, no calls to Securus Global from Senator Conroy’s department to discuss our position. But who are we anyway?

Matt took a different approach to most of the anti-filtering arguments, and what should have raised some concerns with the government has been brushed aside like all other arguments before it. One wonders if Conroy is planning to play this out until he gets the result he wants – ie; trying to outstay the critics. Common sense would say this is a ridiculous position to take (as mentioned over and over here) but who knows what their real plans are. This hasn’t been a transparent exercise from the start. A few of the links worth a look (heaps more on Google):

Beyond the Fringe
Somebody Think of the Children
The Inquirer
Government Security
Overclockers
Hack in the Box

Latest update here. I wonder if it will continue to be “delayed”? :-)

Posted in Internet Filtering | 6 Comments »

Wireless Broadband Woes……

Posted on January 5th, 2009 by Drazen Drazic

Happy New Year to you all who visit Beast or Buddha. 2009!….gees, 2008 went quick. I suppose everyone is saying that though. I’m still in Townsville and will probably be here until the end of January….a bit of holiday mixed in with a load of work. Securus Global has never been busier.

Optus isn’t making it easy for me though and you really begin to appreciate Internet access speeds in the bigger cities (though far from being world leading in Australia as I’ve mentioned before). I hear from others here that Telstra’s wireless broadband offering is not much better.

I don’t know why or how they can even sell it. It’s not reception that is the killer but rather the load. Most times you get bumped off and at best, you’re working with speeds slower than dial-up. Try loading a web page and you’re in for a 2 minute wait most of the time. The lady at the Optus shop quite openly mentioned; “Yeah…there’s only one tower servicing area X and it can’t cope with the load…pretty much the same everywhere!”. I suppose you’d have to ask; “Why do you keep selling this service up here then?” but you know it’s not going to help much. Given there’s only one other choice and that’s not that good either, what’s their incentive to improve things in the short term?

Big deal?! Not really….actually, I’m more worried about Australia’s slide from the top of the cricket world but that’s another story. Anyway, there’s worse things happening in the world and we’re in a lucky country so we should count our blessings. Normal transmission resumes soon……..

Posted in Uncategorized | 2 Comments »