Random Links and Rants…….

Posted on May 30th, 2009 by Drazen Drazic

- I enjoyed following the AusCERT conference over the Net – mainly on Twitter. How long before we can attend conferences from all over the world without having to leave home? As raised also by @Kinshasha on Twitter. Just pay for the sessions you want to view from the world’s best conferences and away you go. (I suppose in Australia it would help to have a better network but it could still work). I don’t think it would kill attendances at conferences. In fact, it would open up whole new potentially large revenue streams for the organisers. Only a matter of time I suppose before this becomes standard. While on the subject of AusCERT, photo time! :)

- Craig Balding at cloudsecurity.org with his thoughts on Sun creating a UK cloud security group. You really have to wonder if there is any substance to this once you scratch the surface. Craig raises some valid points.

- The best PCI DSS roundup on the worldwide web for those of you that want the latest news and opinions consolidated into one site. Anton’s commentary as always is interesting: http://chuvakin.blogspot.com/

- Seriously, take some time out and have a look at nodecity. It is a not-for-profit organisation. The video in the link is Donal speaking with the CEO of Deloitte Digital and the Chair of Future Summit 2009. More on what nodecity is all about here.

- Patrick at Risky.Biz has a heap of AusCERT 2009 presentation podcasts plus his usual weekly Risky Business podcast. Check it out.

- A few people have asked how this one is progressing. We’re getting there and thanks for the feedback from everyone – those who posted and the score of emails I got about this.

- Latest updates to the Australian IT Security Blog Directory.

Posted in news | 3 Comments »

Australian Government CNVA Program to be “suspended” from 1 July, 2009.

Posted on May 30th, 2009 by Drazen Drazic

“It is likely to be re-activated in the future, however no decision has been made on timing” I have been told.

While the intentions were good as documented here, it never really picked up a critical mass of support from non-government critical infrastructure sectors. According to my sources, attention is now focused on the “CERT within Government” program. Any potential impact on AusCERT from this current “focus”, you have to ask? For most, as long as the annual Gold Coast conference remains, all is good.

Posted in news | 4 Comments »

Crime Insurance – Implications of bad business IT security practices……

Posted on May 25th, 2009 by Drazen Drazic

Interesting looking at the latest Crime Insurance Renewal forms I’ve been sent. A hot topic from a discussion perspective a few years ago in regards to being a potential driver of better IT security practices in business, but it fell off the radar somewhat in recent years. I have to ask, has it finally seriously arrived (at least here in Australia)? Has this quietly snuck up on us and is now about to be the next “PCI DSS”?

Obviously if you had good IT security practice before, PCI DSS compliance wasn’t a pain, and if you’re PCI DSS compliant now, then Crime Insurance requirements won’t be a pain….but if you haven’t got the first and second ones under control, well here’s another concern to add to the list. And, for those of you that were not required to be PCI DSS compliant, you’re now probably going to feel the pain you thought you were lucky to miss out on.

Now this one could be the biggest of the lot. Read on…..


Posted in Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 7 Comments »

Application Security Reviews – Pitfalls, Dangerous Mistakes and Assumptions

Posted on May 24th, 2009 by Drazen Drazic

Reposted (post accidental deletion).

On the phone last week to a CIO friend of mine discussing his organisation’s new “critical” business application that ties together much of their business into one, somewhat central entity (ERP if you like, to a degree). He wanted to talk about security testing the “application” before it went live.

I asked the obvious and was told it was due to go into production in 4 weeks. He knew what my response would be so pre-empted it with; “I know, I know…we should have done more security homework and testing sooner than this, but with the business pushing it, and they ["the business"] not really wanting to listen to concerns about security, but rather focus on deployment deadlines to fit in with business marketing strategy, my hands were tied!”. (Typical I thought and no need for further comment from me here, as you know what my thoughts are).

After learning a bit about this application from him, I directed him to this post: “System” view security vs. “Application” view security and suggested he have a read. (He did recall reading it before but I think it didn’t sink in). Read on…


Posted in Applications, Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security | 4 Comments »

Cracking PCI DSS Compliance – Thanks CIO Magazine!

Posted on May 23rd, 2009 by Drazen Drazic

How to get PCI DSS compliance right! This is the most awesome piece of journalism that has hit the Internet for a while. If you are one of the thousands of organisations hit by the burden of becoming PCI compliant, look no further than this article for the hot tip on kicking it. For those that have been through it, I bet you wish you had something like this when you were doing it:
http://www.cio.com.au/article/304081/how_get_pci_dss_compliance_right

Many thanks to Mike for highlighting this one. :-)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Too cool, WTF, cyber crime | No Comments »

Vulnerability Disclosure. Keen on People’s Thoughts.

Posted on May 23rd, 2009 by Drazen Drazic

I’ve posted quite a few times on this topic over the years but things change over time and I don’t think we’ve (the industry) ever been more fragmented in terms of what we think is right or wrong about this topic? I am really keen to hear what people think, in their opinion, is right and what is wrong about vulnerability disclosure. Please post your thoughts.

Posted in Vulnerability Management | 10 Comments »

Big conference hangovers….Is the message lost? Is there a message anymore?

Posted on May 22nd, 2009 by Drazen Drazic

Some of us had to work so AusCERT was out of the question this year for me as I mentioned. Well actually, I had made my mind up a long time ago that I wasn’t going to go this year. A personal choice based solely on the fact that while I have a great time at each AusCERT (from a catch-up/networking perspective), I am left feeling a bit flat after the event. I’m not the only one – many people tell me the same but, I also acknowledge that for many, they’re feeling the exact opposite.

The reason I do feel this way post event is that it’s a downer seeing that we’re not progressing much as an industry (in terms of what we’re in this for). You walk out of a great presentation, excited by what you’ve heard, straight into a wall of vendor stalls, most filled with sales people who have little interest in our industry and whose only focus is to flog their products – generally not really caring or knowing themselves much about those products. It’s a case of extremes at events like this and you wonder when things will start to make some headway into actual value and improvements from what we as an industry are trying to accomplish.


Posted in Bad Stuff, Dumb Security, Research, Risk Management | 8 Comments »

AusCERT 2009: Day 3

Posted on May 21st, 2009 by Drazen Drazic

A big thank you to all those people who took the time out to post on Twitter during AusCERT 2009. For those of us not there, it was great to hear about the presentations and goings on. Even remote correspondents in Poland were involved and kept the laugh factor high for most of the time. No updates from Day 3 from Pete and The Knuckle as yet, as I believe they are still hiding under their beds from the storms…..Can someone go and knock on their doors to make sure they’re okay?

Twitter: https://twitter.com/#search?q=%23auscert

Posted in news | 4 Comments »

Vendors vs. Me

Posted on May 21st, 2009 by Drazen Drazic

Let’s start here: https://twitter.com/DDrazic/status/1852928932

If you’ve been a reader of Beast or Buddha for a while, I’d like to think that you think I am somewhat fair in my assessment of “security” product vendors. I call a spade a shovel where required and I am happy to save my client’s money vs. snake oil BS.

I look at it this way; if you know I am not talking about you with my comments (i.e; you know you’re good and you know you are supporting our industry), you’re not going to be offended because you know I am talking about other organisations, (that could be your competition), that you know yourself they are dodgy!…..And, I know this, because you tell me. So….let’s talk about those insecure sales/pre-sales/marketing….hey, why not add some AusCERT vendor stand dudes. Click to read on…..maybe worth a laugh:


Posted in Dumb Security, WTF | 5 Comments »

AusCERT 2009: Day 2

Posted on May 20th, 2009 by Drazen Drazic

This is what happens when you have guys in the field getting into the spirit of the conference with little regard for deadlines. :) Late or no submissions. At least Pete finally got something to me. No sign of Knuckle as yet and it’s 3:00pm.
—————————————————————————————————–

Good value following the Twitter updates here. A few interesting posts during last night’s awards also. Some not so happy people with some of the winners, but overall, seemed like a great night for those in attendance:
https://twitter.com/#search?q=%23auscert

Posted in Research, cyber crime, news | 3 Comments »

AusCERT 2009: Day 1

Posted on May 19th, 2009 by Drazen Drazic

The Twitter phenomenon has finally reached AusCERT in some force with the number of people posting tweets growing as the day progressed. For those of us not in attendance, it was a good way to get some of the latest news, (like the almost instantaneous reports that Senator Conroy was not going to talk about the Internet Censorship plan). As the day went on, the Twitter postings became more and more interesting, wrapping up well into the early morning with people talking about a variety of things including once again, local content and male vs female speaker numbers. Follow the Twitter postings here: http://twitter.com/#search?q=%23auscert

So, did AusCERT 2009 – Day 1 follow Conroy’s lead and be a dud? Click on…..


Posted in Internet Filtering, Research, cyber crime, news | 1 Comment »

AusCERT 2009: Pre-conference Roundup

Posted on May 18th, 2009 by Drazen Drazic

While I’m not there myself, I was told it would be remiss of me to not somehow provide coverage of the events at Australia’s largest Information Security conference. Which blog would organisers be stressing about if we didn’t talk about the event?

So, a team has been formed and they’ll be providing a daily wrap-up of events as seen through their eyes. (Obviously to protect their anonymity and safety, names have been changed). Yeah, you know not all of this is going to be 100% serious but if you are offended, post your thoughts – flame away. Click on to begin….


Posted in Research, news | No Comments »

Approach and position on IT, Information Economy, Security II (By SGirl)

Posted on May 16th, 2009 by Drazen Drazic

By SGirl:

It is not just the government. The whole industry doesn’t care enough to pay sufficient attention to the message that is being sent in regards to IT Security to business. (I am not even going to bother with the national IT Agenda – that is a whole other rant). It is largely cultural. And I don’t know if it will change. Let’s start with the government.

You have local, state and federal government and within this, a plethora of agencies, departments, bodies and statutory authorities that have their own areas of responsibility. Pretty much at every level and at every segment they are putting out a message about IT security.

Some push a dedicated IT security message, others push a particular message for a particular sector or area of industry….and many are pushing the same message to the same segment in different areas of the country. Their intentions vary too, and this also plays a part in what message is sent.

For some the root intent is social responsibility – for others it is purely political (eg; Internet Filtering anyone?), jumping onto topical interest bites or even just using up budget allocations pointlessly to keep jobs and play the games that governments play.

Not one though in my opinion gives sufficient information for a business of any size (small, medium and large) to understand and appreciate all that they should be knowing and doing to target new threats of doing business facilitated by technology. And few ever and consistently say things in alignment with each other. You have to wonder….


Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, Risk Management, WTF, cyber crime, governance | 11 Comments »

APRA releases discussion paper on IT security risk management

Posted on May 11th, 2009 by Drazen Drazic

Thanks to Matthew Hackling who spotted this one: “APRA releases discussion paper on IT security risk management”.

Reading on, and we’re no further down the track seemingly of some serious enforcement of good practice. Another set of “guidelines”?…..Or is it something potentially that APRA could selectively use as the working requirements for audits of “regulated institutions”? Should that be the case, a level of consistency will be critical – something that has not been a pattern of the past.

If it remains solely as a set of “guidelines”, you can add them to the scores of other good practice “guidelines” out there that never really achieved much and have fallen into the Information Security black hole.

Related posts:
- Australian Government approach and position on IT, Information Economy and Security
- Various posts over the years on related and some not so related topics

My thoughts on this aren’t new, as people who read Beast or Buddha know. I am always optimistic, though it’s hard not to be cynical.

Posted in Risk Management, cyber crime, governance | 5 Comments »

Australian Government approach and position on IT, Information Economy, Security

Posted on May 9th, 2009 by Drazen Drazic

I admit to being somewhat confused in terms of what our government’s true strategy is in regards to IT, the Information Economy, IT security and related areas. I felt I somewhat understood what the government was trying to do many years ago when NOIE (National Office for the Information Economy) was the “department” covering all of government strategy. It then became AGIMO and from there, it seemed to get a bit lost for me. http://www.noie.gov.au/

In recent times, I have totally lost track of where our single point of reference to links and pointers to all else is (re: our strategy). If someone could guide me to it, that would be great. I am aware of things like Stay Safe Online and http://www.dbcde.gov.au/ but there seems to also be a few legacy sites (still relevant?) or am I just not understanding how everything links together?

More concerning is our government’s seeming lack of long term strategy and planning. Is anything really being “worked” at for any period of time greater than that coinciding with the next election? In addition, where and why have we lost the plot? See section in this related post; What does the digital economy encompass? Where did all the work from the past go? Does each new government just wipe the slate clean…..conveniently forgetting/rubbing out the past (1984 style)?

What are the longer term strategies (of substance)? Where is the “source” of information? What happened to the previous government’s projects and longer term strategy(s)? Are the broader issues being neglected as the government battles with the NBN and Internet censorship? Does the government have any real idea of what it should be doing, or is it skirting around the edges of the core problems and issues we have? From where I sit, I don’t see it. I just see a bunch of failed and forgotten projects. I am keen to hear others’ thoughts on this. Set me straight if I am just lost and missing it!

Posted in Dumb Security, Internet Filtering, Risk Management | 8 Comments »

Bruce the Rock Star of IT Security

Posted on May 9th, 2009 by Drazen Drazic

By SGirl1:

“The closest the security industry has to a rock star”. LOLs Bruce….love to see the quality of your groupies! Does Gene Simmons have anything to worry about? :)

Posted in Dumb Security, Too cool, WTF | 3 Comments »

Random Links and Rants…….

Posted on May 8th, 2009 by Drazen Drazic

- Great to see Qualys release a new “Laws of Vulnerabilities”. Waiting for a more detailed release, which they tell me is coming, that will have some context for those people who could not attend the presentation. I know the full context is based only on those that run VA to an extent, but the data does make for interesting analysis regardless.

- The Internet censorship video production by Donal and Wade, www.nodecity.com went global soon after the Beast or Buddha scoop (thanks guys). Check it out if you haven’t already.

- Small victory for iiNet in its current legal battle – reported here at ZDNet. Related posts here. Still wondering why iiNet is getting so little support from its fellow industry players. Weak!

- In Melbourne next week for business but also to do first round of interviews for Securus Global role. Penetration Testing expertise is key but just part of the criteria (yeah, for the benefit of Google that link….need to knock off a few in the order…LOL). More here.

- Nice to see a couple of our competitors merging. All the best with it guys. Awesome….one less competitor now! :) You’ll read about it…..

- Following @AISA_National, @Perth_AISA and @Melbourne_AISA now on Twitter.

- Seems to be award season at the moment with a few organisations running various industry awards. Good luck to those people and organisations nominated. Some truly deserve their awards and others, well…..somewhat related post here. Yeah, typical me. Have a great weekend all.

Posted in Uncategorized | No Comments »

Doing first round of Melbourne interviews next Thursday….

Posted on May 5th, 2009 by Drazen Drazic

As you may have seen here in this role advertisement, we’re looking for a new person to join Securus Global to be based in Melbourne. I’m going to be in Melbourne next Thursday and possibly Friday (14-15 May) on business but will also be conducting some interviews while there. (Not the final ones as the applications don’t close until 20 May, 2009). If you’re planning to apply and are keen to meet with me sooner rather than later, get your application in soon. I will be back in Melbourne soon after the 20th for the next round. (Fair playing field and no advantage either way).

Posted in Uncategorized | 2 Comments »

Aussie Press Finally Picks up on Security Implications of Internet Filtering…

Posted on May 4th, 2009 by Drazen Drazic

The Australian Internet filtering/censorship mainstream media releases about this topic have covered everything bar security until now. Finally, the local press has woken up to this issue in Computerworld: Web filters threaten national security. (Cred to Darren Pauli)

The work of nodecity’s Donal and Wade has now gotten the local press interested/involved. But it took OS “experts” (as part of this) before anyone decided this was worth reporting. Smart and quality product…..interesting and well put together to support the cause!

We were there a long time ago but not so smart in our approach thinking the facts spoke for themselves:
http://beastorbuddha.com/2009/01/05/security-implications-for-internet-filtering-censorship/
http://beastorbuddha.com/2008/12/17/matt-talking-about-potential-internet-filtering-problems-on-banthisurl/

Cred to Ban.This.Url. (Though quiet lately). But we’re not “famous” so who would listen? :)

Thanks to Donal and Wade for giving BorB the scoop on this.

Aside: It’s sad to see so many (initially vocal) people and groups drop off this cause as it has dragged on. No longer web 2.0 “flavour of the month”?….you have to ask? Also interesting to see so few question why a trial of ~2000 sites would/could constitute a “true” trial?! Will it be a surprise that it’s successful? I am sure we could whip up a filter for 2000 odd sites in about an hour….but it’s all how you “sell” it. :)

Posted in Bad Stuff, Dumb Security, Internet Filtering, WTF | 1 Comment »

Industry/Business/Risk Management/Process – Failures and Search for Hope

Posted on May 1st, 2009 by Drazen Drazic

Banging on about the selectively forgotten root cause issues – that are glazed over for want of a prettier picture (alternative reality)…the ongoing “marketing” to sell millions/billions of dollars worth of magic (questionable) product that is; purchased by business without thought, implemented; without plan, committed strategy, effective process – through failed Risk Management methodologies….we go on and on. Let’s then celebrate mediocrity at each step.


Posted in Bad Stuff, Dumb Security, Risk Management, WTF, governance | 5 Comments »