Information Security Certifications……

June 22nd, 2008 Drazen Drazic

At Securus Global (blatant marketing plug for all readers, should you need our services), when I hire specialists to join the team, “certifications”, to me, mean zip… nothing… zero! We get CVs all the time, and we are in a proud and lucky position, based upon our reputation, that people want to work at SG! I feel honoured by that, and every CV sent to us makes me feel like SG, as an organisation, is somewhere real, industry-passionate dudes want to work!

If you’ve seen my latest stuff on Twitter, you will know that I am having a go at BS certification. (Yes, I know I do PCI DSS but you know my thoughts on that!).

Posted in Bad Stuff, Disclosure Laws, Research, WTF | 4 Comments

Data Classification - Effective? Has it ever been or really worked?

June 2nd, 2008 Drazen Drazic

I was talking to a colleague the other day and we got started on “data classification”. Yeah, it must have been an interesting conversation to be sitting in on. :-)

Neither of us could recall ever seeing what could be termed a successful implementation, if that is the right word for it. How would you judge one anyway? That’s a big question in itself.

Posted in Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management | 11 Comments

More on not logging - “Reverse Compliance”

May 8th, 2008 Drazen Drazic

Declan’s recent post on logging being a double-edged sword started some interesting discussion. Anton Chuvakin follows up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.

Posted in Disclosure Laws, Forensics, PCI, PCI DSS, Risk Management, cyber crime, governance | 3 Comments

To regulate IT Security controls/practices or not?!

May 5th, 2008 Drazen Drazic

With little to no regulation around IT security practices and controls in Australia, have we fallen behind other major trading partners like the US and countries in Europe? I think the answer is most definitely yes but I welcome your thoughts on this.

This is not new… it’s something I have ranted about for a while here, but as we see the landscape change elsewhere towards tighter regulation(s), data breach disclosure laws for example coming into existence in other parts of the world, we seem to talk more than act. The PCI DSS has been the biggest thing to hit Australian business in terms of some form of enforcement of good practice, and even that operates outside the bounds of government and local controls.

No one’s perfect, but have we really progressed much in the last few years? Sure, security awareness is higher than it has ever been, but are security issues being addressed at their core/root, or does awareness just mean actioning the latest hot area/topic? I put it out there that the latter is the case.

Who’s addressing risk management properly? Who’s approaching security from a strategic perspective?

It’s more than just an IT security issue. It’s a business issue, it’s a shareholder value issue, it’s a national security issue… etc. etc. Is regulation the key to change here? If not, what is?

Posted in Disclosure Laws, Risk Management, cyber crime, governance | 2 Comments

On the panic bandwagon?…..

March 26th, 2008 Drazen Drazic

The recent St. George Bank story shows how something can grow and become a bit blown out of proportion relative to the originally reported story. Some of the responses to the story on the News site demonstrate the lack of understanding some people have, which drives fear in the community about doing business on the Net. Is this one a storm in a teacup? (I know I am critical at times about things we see, but on the flip side, sometimes perspective is tainted by underlying fears that have no direct correlation to the topic at hand.)

Posted in Disclosure Laws, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments

Oops….another big one…..

March 18th, 2008 Drazen Drazic

Everyone is reporting it now, but here’s one feature from the SMH. You gotta love the spin put on the announcement:

http://www.hannaford.com/Contents/News_Events/News/News.shtml

Somehow they make the following sound like it’s not too bad at all! Good luck guys:

Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, Vulnerability Management, Web Application Security, cyber crime | 11 Comments

How to jeopardise a good business by not thinking, not talking to the right people and trying to save a few bucks…

March 17th, 2008 Drazen Drazic

We’re seeing this so much lately as more and more organisations are either realising they should, or are being forced into thinking about their IT security practices (eg; through the likes of PCI DSS) more.

Good businesses that have been around for 10-20+ years are now moving almost everything online… (fair enough; business opportunities need to be taken and competitive moves must be made), but gees, many do it so wrong and put a successful bricks-and-mortar business at enormous risk.

Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Web Application Security, cyber crime | 3 Comments

Forensics and Investigations Work on IT Security Breaches

February 16th, 2008 Drazen Drazic

This is somewhat of a follow-on from BG’s last post, which came about from a conversation we were having about how much forensics and investigations work Securus Global actually did. To be honest, the answer was not much, and I did not know of too many other organisations that did much either. The odd job here or there, but nothing to sustain a dedicated business unit.

I’m not sure what it is like in other regions of the world, but the BG Ostrich RM 101 pretty much covers it and that is scary! (Obviously the banking sector is different but even then, some do it better than others in that sector).

This is nothing new. I’ve been ranting about this for a long time but things haven’t really changed much.

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Forensics, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments

Ethical Dilemma of Client Confidentiality…..Reporting on Risks to Organisations

February 1st, 2008 Drazen Drazic

Just like the posts I have written before about the issues that internal security people have to deal with on a daily basis in trying to get recognition of the security issues their organisations face, the role of consultants is very much overlooked at times when viewed from a similar perspective.

In most cases, the consultant is engaged on a job, does the job, creates the report, presents it and then leaves. Most good consultants will try to maintain a relationship that allows the client to follow up at any time with questions regarding the work and the remediation advice recommended. Most good consultants will also, as part of their work, be able to identify issues outside the scope of the engagement… ie; you just see things that are wrong… an experienced eye will! That information is also passed on to the client. At the end of the day, the “root cause” of why the issues exist is evident, and based upon that, it’s clear that the root cause will and does affect other areas outside the engaged scope. (Something that the client should also be addressing.)

Now, if you’re still following, how does a good consultant switch off, so to speak, from a client that is clearly in a bad way and is doing nothing about it?

Posted in Disclosure Laws, Risk Management, cyber crime, governance | 18 Comments

Lip Service or a real call on action…….Has much changed in 2007 really?

December 16th, 2007 Drazen Drazic

The amount of information coming out of US Government bodies on cybercrime, Information Security and the real and immediate danger faced by all businesses has grown remarkably in the last 12-24 months. Just one recent example: ‘We’re all at risk’ of attack, cyber chief says. (In Australia, Government action, as Borat would say, “Not so much!”) Online and paper-copy IT magazines and journals have dedicated IT Security sections now. We even read more about the issues in the standard press. More and more universities now offer IT Security courses. (Though the quality of many is questionable, it’s a start.)

But has anything really changed that much in reality in 2007 where it matters - ie; in the minds and actions of business and individuals?

Posted in Disclosure Laws, Research, Risk Management, Vulnerability Management, cyber crime, governance | No Comments

Another Security Survey - Who Reads this Stuff?

November 21st, 2007 Drazen Drazic

If you’ve read BorB for a while, you know my thoughts on security surveys. I’d put the Beast or Buddha polls up against most of these surveys for relevance and informational value most times. :-)

So another has now been announced. See this Computerworld Australia story. 10 questions, like most surveys, very subjective, and the final results providing what real-world value? Look, I do in a way congratulate anyone raising awareness of security issues, but let’s try not to lose focus on the issues and the root cause of the problems we have. Just read the previous interview with MjR and map that against the survey questions and objectives. See my point? Anything new we’ll learn?

Not sure what the following quote was based upon from the story?!?!

“The risk is to remain vigilant and to not become complacent,” Warrilow said, adding “the success of denial-of-service attacks and/or unauthorized penetration appears low.”

Does “vendor hype” actually reflect what is going on out there? Come on!

Anyway, I’ve given it some publicity, have a look for yourselves and become part of the statistics.

Posted in Disclosure Laws, Dumb Security, Research, Risk Management, WTF, cyber crime | 1 Comment

Australian Government Approach to Security

November 17th, 2007 Drazen Drazic

This is no BS….I don’t think anyone could make stuff up that would be this funny!

These are actual and real links to “the source”.

Start here: http://www.nationalsecurity.gov.au/ and then go link by link……as I said, even if you were trying to be funny, you could not make this shit up….

Link 1: Map of Australia - just so we know what the scope is….ie; “Australians….this is Australia!” :-)
Link 2: Not really sure what this link means but it talks about replacing something else that no one else has ever heard about and knows what it means. Here it is.
Link 3: “World-Leading Computer Program to Protect Critical Infrastructure” : WTF?!?! Since when? What? How? I must have missed something.

Check out the one on plastic explosives.….What?!?!

The ref has pushed me away and called the TKO…….he should have called it after the first link but then again, you have to give them a go………my fingers are tired……I skip now to this one about APEC. If you have not seen this video, please click here..it is well worth it!: http://beastorbuddha.com/2007/09/14/156/

To prove how serious the government is, click here: http://www.ag.gov.au/agd/WWW/MinisterRuddockHome.nsf/Page/Gallery

I can’t type anymore….each link could be a whole post to itself so I will leave it with you. You just could not make this stuff up!

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, WTF, cyber crime, governance, news | 3 Comments

UK Government has its head in the sand….

November 4th, 2007 Drazen Drazic

http://www.computerworld.com.au/index.php/id;157139579;fp;4;fpid;16

You’ve got to love the descriptions: “head in the sand”, “lip service”… so right and so typical of the government approach in most countries to an area that they really still struggle to understand and come to terms with.

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Research, Risk Management, cyber crime, governance | No Comments

Disclosure Laws in Australia - Article from SA Australia Newsletter

October 31st, 2007 Drazen Drazic

Disclosure Laws in Australia – Things to think about for your company…

We’ve talked a bit about the benefits and potential impact of Disclosure Laws coming into effect in Australia and New Zealand. We’re proud to say that Security-Assessment.com in New Zealand played a part in getting the NZ government to put this on the agenda over there, and we have pushed discussion and debate about the merits of such legislation here in Australia:
http://www.security-assessment.com/news_room/index.html

But what is the impact and how will this affect your company if/when it comes into existence here in Australia? This article is one of many that gives you a good overview of what disclosure laws may mean to you. Do keep in mind, that any legislation in Australia may differ to what is in place in the US and other parts of the world:
http://www.workforce.com/section/03/feature/24/27/11/index.html

From an IT Security practitioner’s perspective, we cannot just accept that such legislation will improve corporate security and make our jobs easier. It should in theory, but the potential exists for things to go the other way if not done right. We cover some of the potential issues here:

http://beastorbuddha.com/2007/08/14/more-on-disclosure-laws-in-australia/

This is a topic that will gather momentum in 2008. I think not much happens during elections, and then soon after them, but it’s something that will happen.

Posted in Disclosure Laws, Risk Management, cyber crime, governance | No Comments

TJX saga continued….it just seems to get worse

October 25th, 2007 Drazen Drazic

It should almost be time to give this TJX saga its own category here. Just as we think it’s quieting down, the story unfolds further. See The Register; TJX breach was twice as big as admitted, bank says. Can there be a better case study for poor security management consequences?

But, are other organisations learning from the TJX experience? The answer is probably only a small percentage are. We see it every day.

Another PCI compliance deadline passed here in this region recently. I’ll put it out there and say that of all the organisations that must be compliant with the PCI DSS, I would be surprised if more than 5% are! Happy to be proven wrong but I just don’t think it’s the case.

So who’s pushing the rest of the business community that doesn’t come under PCI DSS compliance obligations?

Related Links:
Risky Business 35 (Patrick Gray talks PCI with Verizon Consultant)
Beast or Buddha PCI Archive

Posted in Bad Stuff, Disclosure Laws, Dumb Security, PCI, PCI DSS, cyber crime, governance | No Comments

PCI - Retailers and the Storage of Credit Card Information

October 22nd, 2007 Drazen Drazic

The following is well worth a read if you are involved with PCI compliance within your organisation. Thanks to our PCI specialist, Fatemah Beydoun for the heads up and links.

The National Retail Federation recently sent a letter of concern to the PCI Security Standards Council discussing the storage of credit card information. This has drawn a lot of discussion across PCI related and other IT security sites. Some good points and interesting debate:

http://pcianswers.com/2007/10/11/retailers-do-not-need-to-store-credit-card-data/
http://www.schneier.com/blog/archives/2007/10/merchants_not_s.html

Posted in Disclosure Laws, PCI, PCI DSS, cyber crime | 1 Comment

Arnie gets involved….

October 16th, 2007 Drazen Drazic

From California:

http://www.theregister.co.uk/2007/10/16/schwarzenegger_vetoes_data_bill/

The discussions that we see around data security are a positive step. More than the lip service we see in Australia in most cases.

Posted in Disclosure Laws, PCI, PCI DSS, cyber crime, governance | No Comments

Law students being awesome hackers……what is going on?

October 11th, 2007 Drazen Drazic

The reason for the lack of posts recently is that I am away… it’s harder looking after two young girls, 6 and 4, on school holidays in Noosa than it is running a business.

Pete Benson sent me this one yesterday and I have to admit, it blew me away on many levels. WTF:

http://www.computerworld.com.au/index.php/id;1057000875;fp;16;fpid;1

Being out of touch in paradise for the last 10 days, I have no idea where this went or whether there was a follow-up. I’ll add to this when I get back but if anyone has more to add now, please respond. This whole story sounds a bit suspect to me.

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 12 Comments

Big Galoot Diatribe - White Hats, Security Conferences and Boy Scout Meetings…….

October 11th, 2007 Drazen Drazic

The rantings of Craig Chapman, Computer Forensics Geek.

As funny as it sounds, a while back I asked the serious question on Beast or Buddha?

How many white hats are actually black hats in disguise?
http://beastorbuddha.com/2007/08/07/ethical-hackingthat-term-is-a-worry/#comments

Since then, it’s been reported that the so-called ‘white hat’ security professional Max Butler has been arrested & charged with hacking offences, including running a carder portal. Ironically, Butler also worked for a reputable organisation whose name suggested they are good guys. (I believe Christian Heinrich also spotted this report.) They probably are.
http://www.securityfocus.com/news/11487

We shouldn’t be surprised in any way. After all, it’s not unheard of for criminals to enter a certain profession in society with the motivation (and relatively easy access) to undertake their chosen nefarious activities.

It makes a lot of sense, in a criminal way.

For instance:

- Paedophiles who become scout leaders, teachers or church leaders.
- Fraudsters & corrupt persons who become politicians or public officials.
- Arsonists who become fire fighters.

All of which leads me to ask the following:

1. Would a country planning a war also invite their enemies along to their pre-war planning meeting?
2. Are tactics for defeating hackers, latest research etc openly discussed at IT Security conferences?
3. Is there a strong likelihood that amongst the hundreds of IT security professionals attending a conference, some may be highly experienced black hat hackers?
4. Is the IT security industry deluding itself about the preventative value of such conferences?
5. Rather than helping to put the flames out, are large conferences a mechanism fuelling the fire?

I think we know the answers to most of these questions so do we kid ourselves that the industry is not rife with people who can easily sway into the dark side or are already firmly entrenched there?

Food for thought.

Posted in Bad Stuff, Big Galoot Diatribe, Disclosure Laws, Dumb Security, Industry Specialists Talk, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 11 Comments

TJX - trying to settle things down….

September 25th, 2007 Drazen Drazic

It will be interesting to see if this attempt to settle is the end of the TJX saga. Somehow I think not but who knows.

And, for “All Customers”, the following:

“TJX will hold a future, three-day Customer Appreciation special event in which prices at all T.J. Maxx, Marshalls, HomeGoods, A.J. Wright stores in the U.S. and Puerto Rico and all Winners and HomeSense stores in Canada will be reduced by 15%.”

I’m serious….have a read through the link……you couldn’t make this stuff up!

Posted in Disclosure Laws, PCI DSS, Research, Vulnerability Management, cyber crime | 3 Comments