Annual Security Surveys/Reports – Central Log for Reference/Access?

Posted on March 15th, 2010 by Drazen Drazic

(Also posted this as a question on Twitter; @ddrazic).

Does anyone know of a website that documents and posts links to all the better-known Annual Security Surveys and Reports? So many come out that it’s hard to keep track of them all these days.

While I take most with a grain of salt, some do have some decent substance in there. Which ones do you read and which ones do you brush aside? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | No Comments »

“Emerging Threats” – Most “emerged” a long time ago….Emerging Responses?

Posted on March 8th, 2010 by Drazen Drazic

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over the previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could almost have just pulled out our “Emerging Threats” presentation (circa 2002) and done it word for word, with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) .

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 7 Comments »

Symantec Customers Immune to Rising Security Threats! (Late Update: Maybe Not!)

Posted on February 23rd, 2010 by Drazen Drazic

Symantec Press Release 22 February, 2010: Symantec 2010 State of Enterprise Security Study……

(Time to pump out another piece of marketing to get people thinking about buying Symantec. Here’s the report if you are interested in wasting a few minutes).

Just reading this now…….wooo…..hang on……what I don’t see anywhere in this report is a proud statement that Symantec customers are the lucky few that are safe from malicious attacks that other businesses are facing.

Why is this not in there Symantec? Surely you should be beating your own drums given you so proudly told us all some time ago that your product(s), and I quote; will provide “…proactive protection against unknown and zero-day threats”. It’s the Symantec Guarantee!

As such, surely Symantec customers do not have the same concerns as those poor businesses you mention in your study. Let us know if this was just an error on your part, or Symantec just not wanting to show off here because, surely you would not use bullshit marketing in the past?! :)

Posted in Bad Stuff, Dumb Security, Too cool, Vulnerability Management, WTF, cyber crime | 20 Comments »

Door to Door Spam Chaser Style

Posted on February 21st, 2010 by Drazen Drazic

Classic Chaser work:

Posted in Too cool, cyber crime | No Comments »

China, Google, Marketing etc etc…..

Posted on January 25th, 2010 by Drazen Drazic

Random thoughts: News?, OMG really?….nah!, Awesome marketing move Google!, Using the Net for spying…you naughty boys China…you’re the only ones and need to be punished :) , Hang on, he who controls the pipes…controls it all? It’s okay as long as it’s not someone other than us doing it!, yawn…..news?, Great marketing….I’m pulling out of China too! Write it up journos, I need more business!

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 1 Comment »

Looking at what makes good Application Security knowledge.

Posted on January 7th, 2010 by Drazen Drazic

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Forensics, IDS, IPS, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 6 Comments »

CERT Australia Announced

Posted on November 26th, 2009 by Drazen Drazic

Good luck to the AGD team with CERT Australia. Further reports:
- Australian IT mentions the role of AusCERT in this.
- AusCERT’s press release here.
*** Should have included this also in original post: http://www.ag.gov.au/cybersecurity

For those attending the AISA National Annual Seminar Day; David Campbell, (Director Australian Government Computer Emergency Readiness Team) will be talking about the new CERT. Should be an interesting presentation.

Posted in Risk Management, cyber crime, news | 4 Comments »

iPhone “worm” discussion….

Posted on November 12th, 2009 by Drazen Drazic

I enjoyed listening to Paul Ducklin on the latest Risky Business podcast that featured interviews on this iPhone “worm”. Worth a click through to Risky Business.

Posted in Bad Developers, Dumb Security, cyber crime | 44 Comments »

Random Links and Rants……

Posted on November 9th, 2009 by Drazen Drazic

- We got a chance to do some Endpoint Security testing for ZDNet here: How effective is endpoint security? Thanks for the feedback on this one. We only had a very small window to get this done and given more time, the results in terms of scope of testing would have been much larger. It is what it is and we hope you liked it. Hopefully a part II, with some really cool stuff.

- Fionnbharr Davies from Securus Global (Thoth) will be presenting at Kiwicon 2009. Fionn’s talk synopsis: “Linux kernel rootkits are everywhere, but no modern (public) detection system exists. Linux rootkit checkers are currently woefully inadequate, often focusing upon mundane and outdated techniques that are only used by the lowest of the kiddies. I will briefly highlight common modern rootkit techniques as seen in real in-the-netz linux rootkits, and walk through my Antilulz tool, which is an LKM designed to be loaded at times of peak paranoia to give your kernel the once over. I’ll continue the conversation discussing what a rootkit would need to do to defeat these checks, and expand upon antilulz to continue the cold war. If I’ve time, I’ll talk a bit about the state of rootkit detection, and will discuss real-time kernel IDS techniques, and why they are extremely hard to do”.

- Thanks to Craig B and fudsec.com for having me on; Testing the Vendor Guarantees. Guaranteed Security….Just Show Us the Money.

- Some articles at Tek-Tips. Here’s a couple of the latest ones:

Clouding the Solution Landscape: Mediocrity vs Strategy – Going the Easy Path

Data Classification Policies – Forgotten Purpose

As always, keen on your thoughts.

Posted in cyber crime, news | 4 Comments »

Australian Computer Society and Internet Filtering

Posted on October 12th, 2009 by Drazen Drazic

Thanks to Peter for the link to this one here:
http://www.itnews.com.au/News/158006,acs-gives-conditional-thumbs-up-to-internet-filtering.aspx

Get the splinters out of your backsides ACS. Did you need to create this piece of work to justify your existence or are you trying to come across as a voice of reason…or do you truly believe you’ve come up with something groundbreaking?

Regardless, you look dumb and as irrelevant as always. A personal opinion. Just my thoughts and as usual, opening myself up to flames. :)

Posted in Bad Stuff, Dumb Security, Internet Filtering, WTF, cyber crime | 16 Comments »

HOUSE OF REPRESENTATIVES STANDING COMMITTEE ON COMMUNICATIONS – Subject: CyberCrime

Posted on September 24th, 2009 by Drazen Drazic

Transcripts from the 4 sessions. Interesting but a concern from the perspective that it seems Government does forget things it has done in the past and seemingly starts from scratch each time. Just my opinion. Light reading (and I mean that), but worth a skim through:

http://www.aph.gov.au/house/committee/coms/cybercrime/hearings.htm

Thanks @cmlh for the link to this.

Posted in Research, Risk Management, cyber crime, governance | 1 Comment »

Random Links and Rants…….

Posted on August 22nd, 2009 by Drazen Drazic

- Didn’t the 4 Corners episode “Fear in the Fast Lane” generate some discussion and debate this week? I didn’t post anything about it myself here for a couple of reasons: (1) I didn’t think there was anything new and worthwhile to highlight, and (2) people were “twittering up a storm” over it – some of it very over the top. (Refer to #4corners on Twitter search for more on that). Interestingly, from within our own industry, the discussion was more personal – questioning people’s credentials as “experts” as opposed to the actual content itself in many cases. Some fair questions raised and some not so, in my opinion. I welcome your thoughts here.

- Which leads me to discussions and analysis on who the “experts” are. Anton Chuvakin, our Qualys and PCI friend, ponders the question here; “A Myth of an Expert Generalist“. The same question was also raised in the Beast or Buddha forums a little while ago in the post titled; “Internet Security ‘Expert‘”. I had some thoughts on this topic (and the 4 Corners episode) on my twitter; here and here. Chris Gatford, an industry colleague in Australia and one of the people heavily featured during the 4 Corners episode, responded to this here.

- Hackers vs Federal Police was a big story this week here, as reported in the SMH; “Hackers break into police computer as sting backfires“. Some things get reported and some don’t: http://r00tsecurity.org/files/zf05.txt. No more to add. Everyone’s a target and everyone’s ownable (well, at least you’d bet on it being the case). Kind of makes a mockery of some of the talk on the conference circuit. Waffle vs substance…what do people want to listen to? Can most even judge?

- I’ve recently been invited to write for Tek-Tips Forums. Yep, that’s my mug. I’ll link the posts from here also when I remember to do so. After coming back from a holiday, the inspirational juices aren’t really flowing but I expect things will start to annoy me and then I’ll be back to normal. :)

- Had to repost this one: “How not to set up a Hotel Safe”; I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- And finally, off the Information Security topics. The latest issue of Top Gear magazine (which I thought was not the Australian one – yuk….but seems now like some sort of a combination of Aus and UK) has a home fridge magnet Cool Wall – most cool! Here’s my “Cool Wall“.

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | No Comments »

CERTs in Australia….and the saga continues….

Posted on August 18th, 2009 by Drazen Drazic

From Australian IT; “AusCERT sidelined in CERT revamp“. Sadly the big question that most will raise from this is; “What will happen to the yearly junket, (I mean conference), on the Gold Coast?” Be shocked if anyone even responds to this post.

Positive to see the Government doing things. Hopefully it’s being well planned and thought out.

Posted in Risk Management, cyber crime, news | 17 Comments »

Police Checks on Employees – Important Considerations

Posted on August 10th, 2009 by Drazen Drazic

By SGirl:

An interesting question came across our desk this week to do with police checks on current employees and potential new employees.

Things like PCI and the increasing awareness of the human factor in security threats mean more and more organisations are getting police checks done on candidates and as part of an ongoing assurance program.

So what happens if you get a report returned that shows a conviction? What do you do? Sack the employee? Not hire them? Perhaps, perhaps not.

While some organisations have a legal requirement not to employ anyone with a criminal history (working with children, issuing licences to name a few), for others the requirements and boundaries that need to be considered are a little greyer.

Essentially there are basic human rights that prevent discrimination in the workplace, including whether or not a person has a criminal conviction. The Human Rights and Equal Opportunity Commission have a discussion paper on it:

http://www.hreoc.gov.au/human_rights/criminalrecord/summary.html

To avoid discrimination on the basis of criminal record, an employer can only refuse to employ a person if their criminal record means they are unable to perform the ‘inherent requirements’ of the job.

Read the rest of this entry »

Posted in Industry Specialists Talk, Risk Management, cyber crime, governance | No Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seems to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat, I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

Websites are under attack – Warning!!!

Posted on June 23rd, 2009 by Drazen Drazic

Still not convinced I haven’t missed the section that makes this article “for the laugh”: We’ve been blind to attacks on our websites from Computerworld. Checked date – current! Re-read article to look for the hints of sarcasm and potential wit beyond the means of my comprehension – nothing (….I would not have picked it up anyway in that case I suppose). So what have I missed?

Well okay, I’ll play along – pass it on……your website is probably under attack and may have been for a while. *Shock* Now what do we do Computerworld?

Posted in Bad Stuff, Dumb Security, WTF, cyber crime | 7 Comments »

Credit Card Data Breaches………What care factor?

Posted on June 20th, 2009 by Drazen Drazic

Everyone (schemes, banks, press etc) tries to spread the care factor for any significant data breach of cardholder information.

Reality is that from an individual’s perspective, it really doesn’t matter whether it’s 20 million cards “exposed” or 1. As long as that “1” does not belong to the individual…….And if it does, in most cases, the individual is protected against their losses.

Just a philosophical question/view. :)

Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, cyber crime | 5 Comments »

E-security: Government Strategies?

Posted on June 10th, 2009 by Drazen Drazic

Almost missed it again…..E-Security Awareness Week. Here’s the details and awesome video with great security tip for all:
http://www.staysmartonline.gov.au/awareness-week

Computerworld reports that; “Govt preaches security to slack business“. Anyone have a copy of the presentations? Be interesting to find out what was spoken about.

Still keen to know what the Government itself is really doing as posted here. More probing into the Government’s role was this post by SGirl here. It copped a bit of criticism but more support than anything else.

CNVA Program “suspended” as reported here.

Movement on the E-Security strategy front I hear??!!….But how does it all relate to the above and what information is going to be provided to those who made submissions to this piece of work? Is it all finally coming together or just becoming more disjointed?

Posted in Bad Stuff, Dumb Security, cyber crime, news | 9 Comments »

Crime Insurance – Implications of bad business IT security practices……

Posted on May 25th, 2009 by Drazen Drazic

Interesting looking at the latest Crime Insurance Renewal forms I’ve been sent. A hot topic from a discussion perspective a few years ago in regards to being a potential driver of better IT security practices in business, but it fell off the radar somewhat in recent years. I have to ask, has it finally seriously arrived (at least here in Australia)? Has this quietly snuck up on us and is now about to be the next “PCI DSS”?

Obviously if you had good IT security practice before, PCI DSS compliance wasn’t a pain, and if you’re PCI DSS compliant now, then Crime Insurance requirements won’t be a pain….but if you haven’t got the first and second ones under control, well, here’s another concern to add to the list. And, for those of you who were not required to be PCI DSS compliant, you’re now probably going to feel the pain you thought you were lucky to miss out on.

Now this one could be the biggest of the lot. Read on…..

Read the rest of this entry »

Posted in Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 7 Comments »

Cracking PCI DSS Compliance – Thanks CIO Magazine!

Posted on May 23rd, 2009 by Drazen Drazic

How to get PCI DSS compliance right! This is the most awesome piece of journalism that has hit the Internet for a while. If you are one of the thousands of organisations hit by the burden of becoming PCI compliant, look no further than this article for the hot tip on kicking it. For those that have been through it, I bet you wish you had something like this when you were doing it:
http://www.cio.com.au/article/304081/how_get_pci_dss_compliance_right

Many thanks to Mike for highlighting this one. :-)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Too cool, WTF, cyber crime | No Comments »