“On Monday 21 June 2010, the Standing Committee on Communications tabled its report on the inquiry into Cyber Crime entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.” Full details and report here.
There’s always been a discrepancy between banks in their approach to getting their merchants and service providers PCI DSS compliant.
Some have had a very strong focus on PCI DSS compliance while others have been relatively quiet. In theory, there should not have been such a discrepancy. Merchants and service providers should always have had a consistent message so that changing banks to defer PCI DSS compliance was never an option. Was it? Did many or any do it? For some, it definitely would have bought them time in my opinion.
It’s interesting that in 2010 – after deadline after deadline for compliance has passed, that there are so many organisations out there where PCI DSS compliance is just not a priority, (but where you know it should have been – a long time ago). Where you have to further question things is why a company down the road, in the same industry, about the same size, but with a different bank, has been investing heavily and working hard on compliance for 2 years with constant pressure on them from their bank?
To paraphrase a contact of mine in an aforementioned organisation where their bank is doing little; “We know that we should be PCI compliant. We were prepared for some pain a couple of years ago, but it never came. It’s gone cold now. No one’s chasing us and for most parts, it’s been forgotten. It may come back but I can’t see it in the short term”.
Where is the consistency that will bring the greater credibility? It’s only fair that some will question the overall program. How hard are the Card Brands fighting to maintain an interest from the banks?
I’ve talked about this before so I won’t rant on again too much about my position….gees, did I have a definitive one?
I agree with the last comments on the last post here from GoogleHack. If the research community hasn’t been able to nail this, then you have issues. If a Google takes a stand – regardless whether “official” or not, it will impact heavily on the debate. It’s Google! This is a really bad thing in my opinion. A “standard” has been set….at least for the time being.
Securus Global has taken the position that we judge all vuln research findings on a case by case basis. The upshot, to the detriment of our marketing is that we’re rarely publishing vulnerability advisories. This may upset some, but we’ve almost come to the conclusion that as a business, it’s no longer a cool thing to do (all the time).
Now please don’t get me wrong……independent researchers publishing stuff, come from a different angle and we respect that fully. We do. They don’t have the backing of a “business” in many cases, but they have a passion and other drivers…..good, bad or looking for a way. We did.
We respect our own team doing this and publishing as “independents” if they choose too. We just see, as a team, another way is working for us, and the companies who engage us directly to work with them.
In the last 12-24 months, it’s been great to be recognised more and more by large security vendors and other major software and hardware developers as an organisation they can trust to get their appliances, software and overall systems tested before going to market. We’ve built a reasonably good reputation through word-of-mouth and there’s now a lot of systems out there that have been fixed up due to our work.
Given these direct relationships, it has been a slight negative though from a broader marketing perspective for Securus Global in that public advisories are not there. Saying that, it does though align with why we started in the first place and it aligns with our approach to the industry overall…..always has had – to improve, to make things better than they were.
- The Google vs MS vuln stuff is funny. “People in glass houses…..”. I like this post at RSnake’s Blog. Covers it well but follow some of the comments where it gets more interesting.
- What’s the Australian Government doing now? ISP’s to cover browsing history? From ZDNet and Ben Grubb. I think there’s more to this story and I’m doing some research on it. Just doesn’t click in reference to some things.
- #OwaspGate has been a laugh….if you’re not following some of local Infosec guys on Twitter, you’re missing out. I know, it’s serious also but…
- AusCERT and the Government CERT part ways after a courtship gone wrong as reported here by AusCERT. Lots of “AusCERT” mentions. Not so many “CERT Australia” mentions. Yawn……#AusCERT….few really give a rats to be honest. Put something together that gets into the industry’s critical path and you may get more supporters. (And not just a conference). Take that as constructive criticism and not Draz again having a go. “Why does Draz hate us?”. I don’t! I could be your biggest supporter guys.
- One of my favourite local bloggers, Jarrod Loidl, and who posted here recently, responds to my post on Commoditising Specialist Penetration Testing Services. Nice post and I think we’re pretty much on the same wavelength for most.
Commodity: (from Wikipedia): A commodity is a good for which there is demand, but which is supplied without qualitative differentiation across a market. It is fungible, i.e. the same no matter who produces it. Examples are petroleum, notebook paper, milk or copper.
Would you classify; hacking, security testing, targeted vulnerability analysis and research, etc – activities that in one form or another come under the banner of “penetration testing”, as a commodity? Many do…..wrongly!
It seems to be a pattern that the larger the consulting organisation, the greater the drive to rapidly “commoditise” those activities that are; not core to the business, stress* resource capabilities and have less profit margin, (but are a necessary part of their business to compete). The end result is generally an attempt to outsource these capabilities to cheaper labour to relieve the “stress” and to increase profit margins. (*“stress”, in the above scenario: issues, pressures and costs associated with attaining and maintaining exceptional quality people).
Is the assumption, that with a little bit of training and the right tools, anyone can deliver this [penetration testing] work, insulting to the people who are experts in this field? Of course it is. (Even outside the context of “commoditisation”, the topic at hand – you can argue validity on skillset alone for individuals and/or organisations, who don’t view it as a commodity service, but rather market themselves as experts when they are not).
I can see an argument for the commoditisation of penetration testing – but only in a world where nothing is changing, tools mature to cover most likelihoods and scenarios, and a general awareness/expertise level where such knowledge is no longer the differentiator it once was. This is not the world we live in.
Historically we have learned that “outsourcing” can have a detrimental impact upon quality of service, reduced ownership/awareness/oversight/visibility…and security. Valid points in this discussion in my opinion.
The other day I read somewhere someone promoting; “Penetration Testing from the Cloud”? WTF is that? If a client of mine is rolling out a new technology – hardware, software or both, is some outsourcing mob going to be able to effectively test the security of this new system for my client? I doubt it! For businesses dealing with organisations that have self-determined that penetration and other security testing can be done by sweatshops, will they know that their business is being serviced by such sweatshops, (fronted by a reputable name)?
I acknowledge you can commoditise certain things – well to a degree at least…..and even then, you still have to have the caveats in place. As an industry, we are still young and struggling to get even the basics/fundamentals across of Information Security to the broader community. Commoditisation in most cases for our industry is detrimental to the cause. Taking the intelligence out of things is just plain stupidity. Realising it [commoditisation] is being done in most cases to increase the profitability of a company whose focus is purely to make money from you should make you question and thoroughly assess what it is you are buying and whether it really is providing benefits to you.
You can’t run an F1 car on dirty 91 RON. (And if you want to argue that your business is not an F1 car, but rather a Toyota Camry, ask the owner or CEO if he agrees).
By Jarrod Loidl.
At present, I am reading “Enterprise Security Architecture: A Business-Driven Approach“, in anticipation of sitting the SABSA Foundation course. Based on the title and many people’s view the content, it isn’t the most thrilling read. While this book is certainly not perfect, I actually am enjoying it at the moment, but I think that’s because I have begun to appreciate the beauty of good architecture. To explain;
In my previous role, (and to a lesser extent current role), I reviewed a lot of solution architecture designs. I really got a buzz reviewing and helping to build a given solution and make it as secure and robust as possible.
In was during this time I really developed an appreciation for architecture as a distinct discipline in its own right. I got to work alongside many IT architects of various backgrounds and capabilities. I attended Architecture Forums where the roadmaps were presented to the CIO. What was interesting was seeing how many of the technical decisions either directly benefited through cost saving, business enablement or supported future company growth and expansion. Growing up in IT, I had often heard how IT exists to support the business. This was truly my first experience seeing the truest extent in which IT could enable the enterprise.
It is also what made me truly realise that many security professionals lack an architectural focus in what we do. Now this is not something limited to our profession is alone. There are plenty of people passing themselves off as “architects” when in fact they are really “designers”. This happens in construction all the time.
It seems intuitive to both “designers” and “architects” that “form follows function”. But what is the distinction between the two? There are application security architectures, infrastructure security architectures, heck once you start getting into SABSA, there is a model for policy security architecture! So what are all these different architectures? What do they mean? Are they just ‘fluff’? Or is there something more?
I’ve got a close mate. He works for a large US/Global “security” vendor. I may have mentioned him before.
He’s been working in the security industry for 10 years. (Sales).
He doesn’t know anyone we know in the security community. Never has. Never had a need to. Can’t see a reason to.
What he sells is the best! He tells me. He tells his clients. They buy from him.
He gets disenchanted with his company and moves on every 2 years.
Now the new company sells the best shit! He tells me the last place was the worst and their offerings were crap.
Goto 2 sentences above.
He tells me the company “doesn’t care about security”. He doesn’t care. He’s honest….with me. “Meet my targets and life is good!”
You’ve probably met him. He’s a top bloke. You’ve probably bought from him because his stuff is the best.
He doesn’t care I post this stuff. He doesn’t read my stuff. Why would he?
He knows it’s here and it doesn’t stop us sharing a beer or 10.