Busting IDS/IPS/WAFs/Firewalls Revisited……..

Posted on July 7th, 2009 by Drazen Drazic

It’s been almost 2 years since Declan Ingram did this presentation at Kiwicon that looked at perimeter security – IDS/IPS/WAFs/FWs etc and “Managed Services”.

Listen to the start of the podcast for the introduction….some good stuff…..and then the full presentation starts at 14:50. As Patrick Gray of Risky Business says; “If you are a Chief Security Officer, this is a must listen”:
http://risky.biz/netcasts/risky-business/risky-business-49-your-shiny-new-ips-wont-save-you

Talking recently to a client who is about to go into RFP for a “managed services” solution highlighted to me that many organisations are still struggling to understand what it is they actually want vs. what they will actually get/end up with. Accountability hand-balled? Better Security? Meeting Compliance? What do they want? Read on:
Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Risk Management, Vulnerability Management, Web Application Security | 4 Comments »

Journalising, Journalism and Blogging…Restrictions on Posting

Posted on July 5th, 2009 by Drazen Drazic

I had a few comments sent to me about my last post. Some of the feedback; “It wasn’t inspirational”, “Its perspective wasn’t that unique”, “What was the point?” etc…. All fair points. My only response is that at times, I will use Beast or Buddha as my journal to write about things that aren’t necessarily meant to change anyone’s world or inspire, (though I did think the PCI post tried to do that)……just reflections on my day, week and thoughts going through my head about the good, and the bad in our industry, (though the latter motivates me far more to dissect and rant). I started Beast or Buddha for these reasons. Read on:
Read the rest of this entry »

Posted in Applications, Bad Stuff, Dumb Security, Research, Risk Management, Securus Global | 8 Comments »

PCI DSS compliance – It’s easy to make it tough on yourself….

Posted on July 2nd, 2009 by Drazen Drazic

It’s been an interesting few months as we’ve seen a rapid rise in the number organisations coming to talk to us about PCI DSS compliance. The really cool thing as mentioned here, is that we are seeing proof that if you approach your PCI DSS compliance projects like we suggested here in this post; “PCI Compliance Projects – The road to nowhere…“, you will have a greater chance for success!

We’ve worked with so many great companies in recent months who’ve taken the advice on-board seriously and have made awesome inroads in regards to their IT security position (and PCI DSS compliance) – most now “compliant”, (….well as compliant as you can get).

On the flip-side, and lets not dwell on this too much, we’ve also seen a few organisations prove that not approaching a PCI DSS compliance project, as recommended in our post, does make for an expensive and very much time-consuming/wasting exercise for all.

A PCI DSS compliance project is what you make of it. You can give up and claim it is impossible, (and close your eyes to the fact that there are others who have done it), or you can make it work. The principles of a successful PCI DSS compliance project are no different to the principles you would adopt to make any other project successful!

Related Links:
- Previous PCI Posts (Uncut)
- Six ways you can bork PCI
- PCI: Choosing your Auditors Carefully

Posted in PCI, PCI DSS, Risk Management, governance | 3 Comments »