Advanced Persistent Threat…APT…WTF!?

Posted on February 28th, 2010 by Drazen Drazic

I know it has taken me a while to catch up, but I relegated it low priority when I first heard of this “APT” business. Bad of me? Who made this stuff up? This is something you’d only make up for a laugh. But, all of a sudden, my industry is talking about it. FFS. Is this an American thing?

:) ….if I had to mention that to a client. “Stand back…..you have an APT!!!”…… “Thanks Draz…awesome we hired you to save us!”

I have nothing! If this makes Wikipedia (which it may have by now (Ed: yeah, I know it’s there)), I’d love to chat (Ed: modified to not scare people) with that genius who invented the term (for our industry).

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Bad Stuff, Disclosure Laws, WTF | 15 Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

Credit Card Data Breaches………What care factor?

Posted on June 20th, 2009 by Drazen Drazic

Everyone (schemes, banks, press etc) tries to spread the care factor for any significant data breach of cardholder information.

Reality is that from an individual’s perspective, it really doesn’t matter whether it’s 20 million cards “exposed” or 1. As long as that “1” does not belong to the individual…….And if it does, in most cases, the individual is protected against their losses.

Just a philosophical question/view. :)

Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, cyber crime | 5 Comments »

Regulation vs. Market Forces – A collection of recent posts….

Posted on June 2nd, 2009 by Drazen Drazic

I’ve seen a few discussions around the Net recently on this topic of “market forces” being the drivers of better IT security practice versus “regulation”, so I thought I would resurrect some recent posts for discussion.

- Crime Insurance – Implications of bad business IT security practices: Could swing to either side of the debate.
- Regulating IT Security Practices – PCI DSS too tough?: It doesn’t have to be seen as impossible.
- Workaround, accepted mediocrity and questionable future benefits/improvements: Giving up and taking the “easier” paths?
- Regulation is Bad! Let the market solely dictate things!….What a load of BS!: A response to some recent posts posted a few months before the recent posts.

Keen to get your thoughts.

Posted in Disclosure Laws, Research, Risk Management, governance | 9 Comments »

Wanted – Web Developer: Must Understand Security

Posted on April 3rd, 2009 by Drazen Drazic

By Declan Ingram

An interesting thing happened today. Someone asked me to find an Australian web development company who advertise themselves as developing secure code. (Editor Note: Surely that goes without saying Decman? LOL)

Simple Google search, I thought…Well guess how many web development companies I found who specify that they write secure code?

NONE. Yep! That’s right. Of course if you ask them, “Hey, are the sites that you develop secure?”, you know the response is going to be “Oh Definitely!”, until they hand you the completed site, all shiny and new……you perform some security testing and BAM – the response becomes “Oh CRAP!”

So, if there are any developers out there who want a niche – learn to write good code and advertise it…..but first, let me know….there may well be a job in it for you!

PS. It is possible that all web developers write secure code, so it isn’t a differentiator worth advertising…..in which case next time I go flying, I’ll take a screaming pig and not a Robin 2160!

Editor Note: This can be done but “security” costs extra on websites – or so many of our clients have been told by dev shops in the past after our testing for them has broken the sites :) To be fair, as you know, we’ve spent a good deal of time with dev shops after such events to help train their developers and credit to those guys. They should be using this as a differentiator. Sad that something like this which should be standard is considered such.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Industry Specialists Talk, Web Application Security | 2 Comments »

Random thoughts….Is it just me?

Posted on March 10th, 2009 by Drazen Drazic

- Centralised password management tool here. Vuln free delusions – be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp 14-15 in the September 2008 Edition. (May have to sign in now to read it).

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20 odd K if we decide to become an ASV also again. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money-making grabs on their part. Danger for all is that if eventually only the big guys can afford this, the level of QSA expertise and subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker, so who wins? Do I battle these guys again or just suck it? No appetite at present for another battle with them. Read on:


Posted in Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, PCI, PCI DSS, Research, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, cyber crime, news | No Comments »

Surveys, Statistics, Hearsay, Breach Disclosures….Painting an Accurate Picture?

Posted on March 2nd, 2009 by Drazen Drazic

No. Not even close. I’ve posted before about the limitations of the surveys etc we’re fed almost daily, but add the rest I’ve included in the title, and you’re still not close to the reality of badly developed and insecure software. Some things you just cannot blog about for various reasons. (Makes some blogs probably less interesting..hmm..yeah..I know). Not hard to work out what I am talking about – client confidentiality. That’s why, any of the above [views "from the trenches"] can be taken with a grain of salt. Sample if you like and if you can, but the figures you arrive at will still be the tip of the iceberg in regards to accuracy. (Note: taking aside anti-badware vendor surveys and statistics, which will always scare the pants off anyone if taken for real).

Who’s listening to the guys working it vs. the script kiddie BS in the press?

Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Research, WTF, Web Application Security, cyber crime | 2 Comments »

Okay, I’ll add my 2 cents to the Heartland breach….(Talking PCI DSS)

Posted on January 27th, 2009 by Drazen Drazic

I was directing all to Anton’s site here where he has done the most thorough analysis of what’s been posted on the Net about this breach. It’s worth having a look at his site. After TJX, I thought I was all talked out about these topics – for a while at least…..okay, it’s big but it’s all now becoming quite common and things like this will continue to happen due to poor on-going security practices, inherently insecure software etc etc. So is there more to say on that front that I haven’t talked/preached about in this blog for a number of years?

PCI DSS has copped quite a bit of criticism from many “experts” on the Net over the events at Heartland. I do understand why. There have been many against the standard from the outset and any breach/security issue in an organisation that is using PCI DSS as the framework for their security practices is going to have these people questioning the purpose and overall benefits of the standard. Read on…..


Posted in Bad Stuff, Disclosure Laws, Dumb Security, PCI, PCI DSS, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 7 Comments »

Looking at reasons why data breach notification could fail – Risk Management Magazine story

Posted on September 17th, 2008 by Drazen Drazic

This is a topic I’ve covered quite a bit and I was asked recently to write an article for Risk Management Magazine on this topic.

http://www.riskmanagementmagazine.com.au/

You can read it online pp 14-15. I would be interested in your thoughts and comments.

Posted in Disclosure Laws, Risk Management | 4 Comments »

ALRC – Data Breach Notification Recommendation……Flawed Approach?

Posted on August 13th, 2008 by Drazen Drazic

Unless I’ve missed something and it’s certainly not in section “51. Data Breach Notification” of this 2600 plus page Australian Law Reform Commission document, we’re still lacking some fundamental basics to any data breach notification law being successful.

As it currently sits and is proposed, the organisations that stand to be impacted the most are the ones that probably have the better Information Security and Privacy policies in place.

In basic terms, if you’ve got good practices and controls in place, you’re more likely to detect a breach and/or disclosure of private and confidential information. Thus, you will have to openly disclose. No need to drill down into the potential business and reputational implications to the organisation.

If your practices and controls around information protection are weak, you’re probably clueless as to whether a breach has occurred, so what you don’t know doesn’t get reported. Practice the 3 monkeys approach to Information Security and proposed data breach disclosure laws will have little impact upon you.

These laws will never be successful without supporting legislation/regulation around basic and minimum security practices and controls. See previous post on this topic:

Regulation does not need to be considered bad. See discussion on regulation here.

We can debate whether high-level statements of requirements in the Privacy Act will cut it, but in my opinion, they won’t……they haven’t so far, so what would change things now?

Posted in Disclosure Laws, Risk Management, cyber crime, governance | 2 Comments »

Responsible Disclosure Debates……What about No Disclosure?

Posted on July 27th, 2008 by Drazen Drazic

This topic has been hot again in recent times and we’ve been asked a few times what our position on this is. In the past, and with our previous relationships, we’ve been in the “responsible disclosure” camp. Advisories went out after the vendors had announced patches to the vulnerabilities announced, (and in some cases exploits developed in parallel to confirm the proof of concept). It seems the camps are divided in two as described here, but is the third option of no-disclosure outside of vendor/client a major consideration that hasn’t had much discussion (relatively)? What percentage of vulns in systems and applications are never disclosed? Why isn’t this seen as potentially a major part of how vulns are dealt with? How skewed are figures in yearly stats and surveys due to this area, (and I don’t mean sales of vulns to organisations who buy them – I mean those vulns discovered in vendor systems and applications and those detected in personal engagements for clients for home grown systems and applications)?


Posted in Applications, Bad Stuff, Disclosure Laws, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 9 Comments »

Information Security Certifications……

Posted on June 22nd, 2008 by Drazen Drazic

At Securus Global (blatant marketing plug for all readers should you need our services), when I hire specialists to join the team, “certifications” to me, mean zip…nothing….zero! We get CVs all the time and we are in a proud and lucky position based upon our reputation that people want to work at SG! I feel honoured by that and every CV sent to us makes me feel like SG, as an organisation, is somewhere where real industry-passionate dudes want to work!

If you’ve seen my latest stuff on Twitter, you will know that I am having a go at BS certification. (Yes, I know I do PCI DSS but you know my thoughts on that!).


Posted in Bad Stuff, Disclosure Laws, Research, WTF | 4 Comments »

Data Classification – Effective? Has it ever been or really worked?

Posted on June 2nd, 2008 by Drazen Drazic

I was talking to a colleague the other day and we started on “data classification”. Yeah, must have been an interesting conversation to be sitting in on. :-)

Neither of us could recall ever seeing what could be termed a successful implementation, if that is the right word for it. How would you judge one anyway? That’s a big question in itself.


Posted in Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management | 11 Comments »

More on not logging – “Reverse Compliance”

Posted on May 8th, 2008 by Drazen Drazic

Declan’s recent post on logging being a double-edged sword started some interesting discussion. Anton Chuvakin follows up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.

Posted in Disclosure Laws, Forensics, PCI, PCI DSS, Risk Management, cyber crime, governance | 3 Comments »

To regulate IT Security controls/practices or not?!

Posted on May 5th, 2008 by Drazen Drazic

With little to no regulation around IT security practices and controls in Australia, have we fallen behind other major trading partners like the US and countries in Europe? I think the answer is most definitely yes but I welcome your thoughts on this.

This is not new…it’s something I have ranted about for a while here, but as we see the landscape change elsewhere for tighter regulation(s), data breach disclosure laws for example coming into existence in other parts of the world, we seem to talk more than act. The PCI DSS has been the biggest thing to hit Australian business in terms of some form of enforcement of good practice and even that is operated outside of the bounds of government and local controls.

No one’s perfect, but have we really progressed much in the last few years? Sure, security awareness is higher than it has ever been, but are security issues being addressed at their core/root or does awareness just mean actioning the latest hot area/topic? I put it out there that that is the case.

Who’s addressing risk management properly? Who’s approaching security from a strategic perspective?

It’s more than just an IT security issue. It’s a business issue, it’s a shareholder value issue, it’s a national security issue..etc etc… Is regulation the key to change here? If not, what is?

Posted in Disclosure Laws, Risk Management, cyber crime, governance | 2 Comments »

On the panic bandwagon?…..

Posted on March 26th, 2008 by Drazen Drazic

The recent St. George Bank story shows how something can grow and become a bit blown out of proportion relative to the originally reported story. Some of the responses to the story on the News site demonstrate a lack of understanding some people have that drives fear in the community about doing business on the Net. Is this one a storm in a teacup? (I know I am critical at times about things we see, but on the flipside, sometimes perspective is tainted by underlying fears that have no direct correlation to the topic at hand).

Posted in Disclosure Laws, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Oops….another big one…..

Posted on March 18th, 2008 by Drazen Drazic

Everyone is reporting it now but here’s one feature from the SMH. You gotta love the spin put on the announcement:

http://www.hannaford.com/Contents/News_Events/News/News.shtml

Somehow they make the following sound like it’s not too bad at all! Good luck guys:


Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, Vulnerability Management, Web Application Security, cyber crime | 11 Comments »

How to jeopardise a good business by not thinking, not talking to the right people and trying to save a few bucks…

Posted on March 17th, 2008 by Drazen Drazic

We’re seeing this so much lately as more and more organisations are either realising they should, or are being forced into thinking about their IT security practices (eg; through the likes of PCI DSS) more.

Good businesses that have been around for 10-20+ years and then moving almost everything on-line…..(fair enough, reasons and business opportunities need to be taken and competitive moves must be made), but gees, many do it so wrong and put a successful bricks and mortar business at enormous risk.


Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Web Application Security, cyber crime | 3 Comments »

Forensics and Investigations Work on IT Security Breaches

Posted on February 16th, 2008 by Drazen Drazic

This is somewhat of a follow-on from BG’s last post, which came about from a conversation we were having about how much forensics and investigations work Securus Global actually did. To be honest, the answer was not much and I did not know of too many other organisations that did much either. The odd job here or there but nothing to sustain a dedicated business unit.

I’m not sure what it is like in other regions of the world, but the BG Ostrich RM 101 pretty much covers it and that is scary! (Obviously the banking sector is different but even then, some do it better than others in that sector).

This is nothing new. I’ve been ranting about this for a long time but things haven’t really changed much.


Posted in Bad Stuff, Disclosure Laws, Dumb Security, Forensics, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Ethical Dilemma of Client Confidentiality…..Reporting on Risks to Organisations

Posted on February 1st, 2008 by Drazen Drazic

Just like the posts I have written about before concerning the issues that internal security people have to deal with on a daily basis in terms of trying to get recognition of security issues their organisations face, the role of consultants is very much overlooked at times when viewed from a similar perspective.

In most cases, the consultant is engaged on a job, does the job, creates the report, presents it and then leaves. Most good consultants will try to maintain a relationship that allows for the client to follow up at any time on questions regarding the work and remediation advice recommended. Most good consultants will also, as part of their work, be able to identify issues outside of the scope of the engagement…i.e. you just see things that are wrong….an experienced eye will! That information is also passed on to the client. End of the day, “root cause” is evident as to why the issues exist and based upon that, it’s clear that the root cause will and does affect other areas outside of the engaged scope. (Something that the client should also be addressing).

Now, if you’re still following, how does a good consultant switch off, so to speak, from a client that is clearly in a bad way and is doing nothing about it?


Posted in Disclosure Laws, Risk Management, cyber crime, governance | 18 Comments »