While the Information Security blogging scene is relatively small here in Australia, the guys in it are always bringing out interesting things. Here’s a brief roundup of what’s been happening lately:

- Donal at Ockham’s Razor looks at Electronic Voting in his latest post and raises (what to us are) valid points. He links to an article from Ireland which is interesting reading. Do yourself a favour and read some of D’s other posts. Worth scanning through for some thinking “outside the square”.
- Wade doesn’t focus that much on Information Security anymore but every so often, he’ll have a few gems there. Interesting reading at wadem anyway.
- The west’s biggest and best blogger, Christian at un-excogitate.org covers the latest OWASP meeting in Perth and also talks about Cloud Security in his latest posts.
- Jordan at Security Technology Science has started posting again. I like Jordan’s posts as he looks at the psychology of our industry and the people within it. He’s got extensive experience so for new guys coming up through the ranks (and those already there), it’s interesting to get that take from a “veteran”. (He’ll hate me saying that as he’s heaps younger than me!)
- Another BJJ/MMA exponent (gees, there’s a few in our industry), Jarrod at /DEV/NULL has posts on Cloud Security and Exemptions which are worth a read. Post your thoughts to Jarrod.
- The Big 4 man Matthew at Infamous Agenda has recently been getting hot over a few topics. Go see what’s been getting Matt worked up.
- Pat’s Risky.Biz continues to be one of the best Information Security podcasts out there. He’s got a heap of new stuff; forums, vids and the usual weekly Risky Business podcast.
- Eldar’s stuff at Just Another Hacker makes my old technical – now non-technical head spin, but for you techo dudes, go suss it out.
- James at Karter.Net, while not a totally security-focused blog (Open Source and other things, plus his experience), is publishing a lot of good stuff. To narrow it down to one sentence would not do it justice. Click away.
- Philip at PhilipHall.com has been talking about Apple vulns in recent times. “CyberSecurity Junkie”, and his archive of posts is worth reading.
- Bradley at Inside Out continues his focus on forensics, digital evidence and legal issues. One of few in Australia blogging about this topic. Worth bookmarking!

I haven’t covered everyone, but if you are blogging in Australia or know of someone who is, let us know and we’ll add them to the Australian IT Security Blog Directory.

Posted in: Research, news

Transcripts from the 4 sessions. Interesting but a concern from the perspective that it seems Government does forget things it has done in the past and seemingly starts from scratch each time. Just my opinion. Light reading (and I mean that), but worth a skim through:


Thanks @cmlh for the link to this.

- I know this is an old one and has also been covered here in the Forums, but gees it’s worth another look and laugh; “Queensland Police plans wardriving mission“. ROFL at; “Detective Superintendent Brian Hay of the Queensland Police, who today was honoured by security vendor McAfee with an “International Cybercrime Fighter Award”. I need to get one of those. How do I apply, McAfee? Gees, what can you say? ICFA for short? :)

- Thanks to Matthew Hackling for highlighting this link to APRA’s site and discussion paper on “Management of IT Security Risk“. Now this is interesting. Firstly, it seems to be pretty closely based on the Monetary Authority of Singapore (MAS) “Internet Banking and Technology Risk Management Guidelines“. Not a bad thing! Just 8 or 9 years behind the game in terms of Asia Pacific regulators, APRA. (But hey, we already knew that). Wondering how they plan to enforce any of this, or is it just a project to make them look like they’re on top of their game? Did I mention 8 or 9 years behind other regulators in Asia? Ah yes, I did. Who needs regulation in the Banking sector anyway?

- I’ve got an article posted at Tek-Tips; “Overcomplicating Information Security and Risk Management“. Keen on your thoughts and thanks to the guys on Twitter who’ve already sent through their comments.

- I’ll be reviewing the CFP responses for the Lightning Presentation session for the upcoming AISA National Annual Seminar Day on the 3rd of December, 2009. If you’ve done some really cool stuff or want to share some really interesting information about something in our industry (but don’t want to talk for 40 minutes), please send through your presentation overview.

Posted in: Uncategorized

By Declan Ingram

There has been a lot of discussion on here about 3rd party/cloud computing etc security (or lack thereof). For many, this didn’t seem hugely relevant at the time as there was always a choice (or people just didn’t think it was going to be something that affected them). Recently however, the choice seems to be getting smaller.

The 3rd party management model is becoming…or should I say, has become, so popular now, that it is hard to keep control. (Control? Yes, of your information!).

Think about it. How much of your security is technically enforced by a 3rd party appliance? (And, how secure are they?) How much of your data is housed, managed, monitored, etc by a 3rd party? Professionally and personally we are giving ourselves away. More importantly, has this been looked at during your last Threat Risk Assessment? (Has your organisation even done one?)

From my experience, so many organisations that we audit have core data and systems housed and managed by 3rd parties, and nearly all of them have dangerously one-sided contracts… dangerously favouring the 3rd party.


- Have been following this thread at Risky.Biz about “VulnDisco bug list made public“. I think through flagg’s comments, our position on it has been made. Yes, we are their local representatives as we are with Immunity and D2. Not that any of this is news as Securus Global has been for a while (see link). Personally, I don’t think this story is news here, as Flagg mentioned, for some in the industry, but it does make for good awareness for a majority of the industry who may be oblivious to markets outside of “mainstream” security products. Interesting reading some of the comments though in terms of thoughts on effectiveness, impact and more so about people’s thoughts on difficulty (or lack thereof) in reproducing exploits based upon a knowledge now of the vulnerabilities.

- With Cloud Security being such a popular topic of discussion now, good unbiased sources of news and information about Cloud Security can be hard to find. (Vendor waffle vs. reality for example). My favourite site is Craig Balding’s cloudsecurity.org. If you want information that is honest, informative and asks serious questions about the topic, bookmark this one! Craig has also recently kicked off the Cloud Security podcast here with Chris Hoff of Rational Survivability. Highly recommended.


Posted in: news

I reckon Scott Adams’ chapter on “Management Consultants”, (in his book, “The Dilbert Principle*”) is still the best I have read on this topic. If you are a consultant and you haven’t read this chapter about your job, go out and do it right now! You may learn quite a bit.

It still amazes me that there is still an attitude of elitism amongst many consultants and consulting firms that if you haven’t been a “consultant” before, you are not worthy of consideration for a role within a consulting organisation – regardless of a person’s actual expertise and experience.

I know a lot of people who have tried to crack into consulting – coming from an internal role, and who have hit a brick wall.


Let’s cut to the chase and get rid of the waffle and sales talk, and the plethora of client marketing and sales methodologies. (And, I have seen a heap of them). Remove technical superiority, cost-effectiveness and best ROI (whether that be financial and/or business improvements)… oh, and I forgot, “security” itself. In the majority of cases, these are irrelevant in most sales opportunities. i.e. the best does not win out in the majority of cases.

Final decisions in most cases are not based on deep analysis to determine the best solution, service or product. They’re not in most cases based upon expert advice/opinion, and certainly less so in a democratic way… though we know the latter also doesn’t produce the best outcome. (Critical thinking within more than 50% of the population involved aside).

Business in the majority of cases is won 2 ways: (1) Sell the easiest option that provides the decision maker with backside coverage in the event of the solution, service or product not working. i.e. the old IBM story, Big 4, Cisco etc; (2) Through relationships and friendships – looking after your mates. Forget comparing “apples with apples”… don’t blame a lack of technical expertise of the decision maker on why you didn’t win the business. Look to (1) and (2) and position yourself there if you want to be competitive.

The best solutions, services and products overall, if not falling within either of these categories, battle for the crumbs left. It’s a large reason that the Information Security industry hasn’t really progressed far in the last 10 years.

I know this is not new to many but keen on your thoughts, flames and war stories (but leave the names out). Just brain dumping. :)

Posted in: Uncategorized