Australian Government E-Security Review….

July 6th, 2008 Drazen Drazic

The AGD is leading a review of the Government’s e-security policy, programs and capabilities.
http://www.ag.gov.au/esecurityreview

Submissions are due by 31st July 2008.

The “key areas the ACS [Australian Computer Society] believes will present the major security threats to Australia in coming years” quoted in this SC Magazine article are interesting. Not sure what the ACS means with their last couple of suggestions though.

Personally, I would throw in the following as major security threats for consideration as opposed to what the ACS sees as a priority. Keen to hear what others think:

• Insecure and poorly developed software in critical infrastructure (and in general)
• Protection of critical infrastructure across all CI sectors (broad I know)
• Cyber-crime, cyber-espionage (further protection of state)
• Lack of any liability on software developers in general - hey, it all comes down to software doesn’t it? (inc false and misleading advertising by security product vendors)
• Web 2.0 and other new technologies - rapid deployment vs. business impact implications analysis (how do you stop this though?)
• Awareness and understanding across the business, government and consumer worlds - lack of regulation, establishment of base level requirements for security and looking at root cause

I know some of the above is broad in scope and I’m sure that we could develop a large list, but at the same time analysis vs. practical and realistic solutions to issues needs to be considered. There are many trains of thought - some believe we must just adapt and accept that we’ll always be living and working in an insecure IT world. Others have more hope, believing that we can turn things around with great effort. Is there a middle ground in the IT world, as mirrored in society in general? Can we segment the good from the bad and acknowledge the “grey” areas will always be there?

Posted in Research, Risk Management, Vulnerability Management, cyber crime, governance | 2 Comments »

More on not logging - “Reverse Compliance”

May 8th, 2008 Drazen Drazic

Declan’s recent post on logging being a double-edged sword started some interesting discussion. Anton Chuvakin follows up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.

Posted in Disclosure Laws, Forensics, PCI, PCI DSS, Risk Management, cyber crime, governance | 3 Comments »

To regulate IT Security controls/practices or not?!

May 5th, 2008 Drazen Drazic

With little to no regulation around IT security practices and controls in Australia, have we fallen behind other major trading partners like the US and countries in Europe? I think the answer is most definitely yes but I welcome your thoughts on this.

This is not new…it’s something I have ranted about for a while here, but as we see the landscape change elsewhere for tighter regulation(s), data breach disclosure laws for example coming into existence in other parts of the world, we seem to talk more than act. The PCI DSS has been the biggest thing to hit Australian business in terms of some form of enforcement of good practice, and even that is operated outside of the bounds of government and local controls.

No one’s perfect, but have we really progressed much in the last few years? Sure, security awareness is higher than it has ever been, but are security issues being addressed at their core/root or does awareness just mean actioning the latest hot area/topic? I put it out there that that is the case.

Who’s addressing risk management properly? Who’s approaching security from a strategic perspective?

It’s more than just an IT security issue. It’s a business issue, it’s a shareholder value issue, it’s a national security issue..etc etc… Is regulation the key to change here? If not, what is?

Posted in Disclosure Laws, Risk Management, cyber crime, governance | 2 Comments »

“Big Kevin”…just doesn’t have the same ring to it but…

April 18th, 2008 Drazen Drazic

Darren Pauli puts it out there at CW with his new Vent IT section (good stuff Darren!):

You can see if you squint really hard what they are trying to do, but gees, it seems like they [the government] are swinging a bat in a dark room hoping to connect with the “target” - not that they really know what the target is. In the meantime, connecting with all else in the room and doing some big damage and creating a mess. Bad analogy?

Somewhat related:
http://beastorbuddha.com/2008/03/01/stuff-like-this-scares-me/

Posted in Bad Stuff, Dumb Security, WTF, cyber crime, governance | No Comments »

How tough will the Payment Card Industry and Acquiring Banks be on continued non-compliance with the PCI DSS?

March 3rd, 2008 Drazen Drazic

In 2008, PCI DSS finally seems to have some good traction (in Australia and New Zealand at least). Most organisations that should be compliant are now aware of the requirements imposed upon them - many still though are at the early stages. Compliance levels in terms of percentage of compliant organisations are still low from what we see but progress is being made - albeit slowly.

But, there are some organisations who are not budging and have decided that they will not be doing it. They have stated they see no business value in it, with costs of compliance not being worth their investment. As a rule, these organisations have been large companies who believe their value to the acquiring bank gives them the right to say no. (Under threat of taking business elsewhere should the bank push the point).


Posted in PCI, PCI DSS, governance | 6 Comments »

The Big Bang Approach to Vulnerability Management

February 18th, 2008 Drazen Drazic

An ongoing vulnerability assessment/management program is probably the most proactive tool-based measure an organisation can take to identify weaknesses in infrastructure, OS and mainstream applications (with the web application testing abilities of such systems still developing). It still amazes me that many organisations don’t do this, but that’s another story.

The toughest part of VA, as any organisation that has implemented VA will tell you, is not in selection of a solution (QualysGuard is the standout choice :-)), nor implementing it…nor even the initial scanning - it is dealing with the deluge of vulnerabilities reported and where to start to fix them?! That first report is an eye-opener for most organisations! And this is where 90% of organisations get bogged down! It’s here that many organisations stall, and some stall big time!

We’ve been working with organisations on vulnerability assessment/management programs for years so I thought I would talk about the most effective approach that we have seen to implementing a program that works. The following is not for everyone, but if you can make it happen, it will make your life easier and your organisation more secure in the quickest time.


Posted in Risk Management, To cool, Vulnerability Management, governance | 8 Comments »

Internal vs. External Security Threats

February 10th, 2008 Drazen Drazic

It’s always stated that the majority of potential threats to an organisation are “internal” threats. (Check out most surveys, polls etc - they all state the same thing). Unfortunately, these internal threats don’t in many cases get the same attention or recognition as those threats posed by bad guys on the Internet.

I’ve lost track of the number of times a critical weakness has been brushed aside because it’s supposedly on the safe side of the network and not accessible to the bad guys. (Is it really?….Oh, it must be, there’s a firewall on our perimeter that keeps us secure). If internal threats, as we are told, present the biggest risk to organisations, why is this the case?

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, cyber crime, governance | 1 Comment »

Ethical Dilemma of Client Confidentiality…..Reporting on Risks to Organisations

February 1st, 2008 Drazen Drazic

Just like the posts I have written about before concerning the issues that internal security people have to deal with on a daily basis in terms of trying to get recognition of security issues their organisations face, the role of consultants is very much overlooked at times when viewed from a similar perspective.

In most cases, the consultant is engaged on a job, does the job, creates the report, presents it and then leaves. Most good consultants will try to maintain a relationship that allows for the client to follow up at any time on questions regarding the work and the remediation advice recommended. Most good consultants will also, as part of their work, be able to identify issues outside of the scope of the engagement…ie; you just see things that are wrong….an experienced eye will! That information is also passed on to the client. At the end of the day, the “root cause” is evident as to why the issues exist, and based upon that, it’s clear that the root cause will and does affect other areas outside of the engaged scope. (Something that the client should also be addressing).

Now, if you’re still following, how does a good consultant switch off so to speak to a client that is clearly in a bad way and is doing nothing about it?


Posted in Disclosure Laws, Risk Management, cyber crime, governance | 18 Comments »

US goes big on network surveillance…

January 28th, 2008 Drazen Drazic

This from the Washington Post is some serious business. In the old days, you’d be a raving conspiracy theorist to say this was going on. Nowadays, it’s just done and reported. Double-edged sword or what? Billions of dollars? Gees….that is one big investment. How this is managed is going to be interesting to follow, if we ever hear much about it again.

Posted in WTF, governance, news | No Comments »

Securing critical infrastructure

January 25th, 2008 Drazen Drazic

Michael Crawford at MIS raises some valid questions about the usefulness of the government producing yet another guide on IT security for CEOs and CIOs in his post, Critical infrastructure in the crosshairs.

A few of these things were produced in the last 18 months around various security topics, but I haven’t met one person who had actually seen them or was aware of them. I suppose by producing something like this, they can always say that they’re onto it! (ie; the protection of our critical infrastructure). How good the focus is needs to be asked.

Posted in Dumb Security, Risk Management, cyber crime, governance | No Comments »

Media Management Policies - Who has them and who follows them?

January 21st, 2008 Drazen Drazic

Based upon my experience, the J.C. Penney problem as reported here by TechNewsWorld (and all other IT news sites) is more prevalent than some would imagine. I’ve lost track of the number of times I have seen and heard about missing storage media.

Most of the lost media does not get into the wrong hands. It just gets lost and probably gets tossed and destroyed due to the finders of it not having the means to read what is there. Saying that, it only takes one episode of someone finding the means to read it to cause big damage to the organisation that misplaced their data.


Posted in Bad Stuff, Dumb Security, governance | 1 Comment »

New Face of Cybercrime Trailer

January 12th, 2008 Drazen Drazic

Picked this up from RSnake’s site. Worth a look…this is part of a larger 20 minute documentary he says.

Posted in Bad Stuff, Dumb Security, Firewalls, IDS, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | No Comments »

Security Specialists in product decision making….

January 5th, 2008 Drazen Drazic

The old adage, you get what you pay for, I reckon comes back to haunt us security people more than many. It’s still more the rule than the exception, so to speak, in many organisations that IT security specialists don’t have a say, or even better, the final say, on what products or services are implemented into an organisation. We see it all the time.

Why did you buy that product or service? Response from IT Security Manager; “It was not our call in the end. We gave our strong recommendation but the CIO went with something else!”

Let’s call it how it is. Many CIOs and major decision makers/stakeholders outside of Information Security make a call on price vs. quality. They also make decisions on how well they have been “treated” and “sold” by sales guys. (Not saying our own IS guys don’t also fall into that category…but most times, many IS dudes don’t make the final call).

Let me expand.


Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, governance | 1 Comment »

Australia moving towards Internet filtering…..

January 2nd, 2008 Drazen Drazic

You have to wonder how successful initiatives like this one to filter “inappropriate” content to Australians are likely to be:

http://www.news.com.au/heraldsun/story/0,21985,22989008-662,00.html
http://www.abc.net.au/news/stories/2007/12/31/2129471.htm


Posted in Bad Stuff, Dumb Security, Research, WTF, cyber crime, governance, news | 6 Comments »

Lip Service or a real call on action…….Has much changed in 2007 really?

December 16th, 2007 Drazen Drazic

The amount of information coming out of US Government bodies on cybercrime, Information Security and the real and immediate danger faced by all businesses has grown remarkably in the last 12-24 months. Just one recent example; ‘We’re all at risk’ of attack, cyber chief says. (In Australia, Government action, as Borat would say, “Not so much!”). Online and paper copy IT magazines and journals have dedicated IT Security sections now. We even read more about the issues in the standard press. More and more universities now offer IT Security courses. (Though the quality of many is questionable, it’s a start).

But has anything really changed that much in reality in 2007 where it matters - ie; in the minds and actions of business and individuals?


Posted in Disclosure Laws, Research, Risk Management, Vulnerability Management, cyber crime, governance | No Comments »

Starting a new job - you’ve only got 2-3 months to make a big difference…any longer and it’s tough!

December 14th, 2007 Drazen Drazic

Following on in the series of posts about being an internal IT Security Head, I was talking to a mate today who’s about to start soon as the Regional IT Security Manager for a large global entity.

My thoughts are that you only have 2-3 months max to lay the foundations for how the rest of your time there will be.

Where I am coming from is this:

1. No one knows you yet and what you plan to do and how you do things.
2. Because of this, it’s greenfields and you can assert your position and plans (to a degree, within the bounds of good professionalism obviously).
3. Because you are the new IT Security dude and because most in the organisation will have no idea about what you do or what your role is, you can develop the “role” to a large degree yourself. You can get people to buy-into you early.
4. For the first few months, you are treated like an external consultant - the expert brought in to make a difference….so people will listen!

If you spend the first few months just settling in, trying to work in around everyone else, being everyone’s mate and worrying about how you’ll do things in the future - you’re lost…..game over and you’ll be in that miserable job where you complain that no one listens, cares or gives little attention to you. Assert your role upfront and the chances of it being that better job are good! The chance of you making a difference will be much better! Wait, and the ability to make change and a difference will be tougher. People settle into other people and this sets how they deal with each other for the future. Becoming a proactive go-getter after people have “settled” in with you is a tougher assignment.

Hey….sounds like I am preaching, but it’s close to fact from my experience. (This is for all jobs - not just our industry). Have a think about it. As usual, open to your thoughts, comments and criticisms.

Posted in governance | 1 Comment »

CSOs and IT Security Managers - Shouting Louder to Make Things Happen

December 7th, 2007 Drazen Drazic

One of the biggest issues that we see facing CSOs and IT Security Managers is the effective communication of business risks to those stakeholders ultimately accountable for the business. (Commonly referred to as the C-level team).

(There are quite a few posts in here about the tough job of being an IT Security person in any organisation and I’ve always been pretty blunt in my assessment of the state of the industry).

The recent Poll on Beast or Buddha (NB; no way a definitive sample mind you, and done with as much context as most annual surveys, but I would not say it is too far off how things actually are) had over 70% of respondents stating that their organisation did not seem to care, in addition to being in a bad way from a security exposure perspective.

I wonder how many Security Managers to an extent just give up and go with the flow - being careful not to upset the status quo and just believing this is how it has always been and this is how it will be…..(or at least until something really bad happens).

More than 50% of senior IT security people I speak with are not overly happy in their jobs. Most of these guys also believe that the chances of it being better elsewhere are remote. Is the industry really that low?
(Why would anyone be an IT Security Manager?)

If it is, how can we expect changes and finally get those C-level guys to start listening?

Posted in Bad Stuff, Risk Management, governance | 3 Comments »

Lessons to be learned from weak security practices…..

December 1st, 2007 Drazen Drazic

The great case study in what can go wrong, (TJX) continues as reported in TechNewsWorld, but are lessons being learned from this? I asked this question a while ago and the answer probably has not changed.

At the recent AISA Seminar day in Sydney, PCI DSS compliance was a big talking point, and a presentation from “Sense of Security” covered the state of the industry in Australia. While the IT security community talks about it though, the feeling from the major players (PCI, Banks and IT Security people) is that there is a long way to go. There is progress….but it’s slow…really slow! Australia is reported as being a leader in Asia Pacific. Gees, how bad is everyone else in the region?!

Every step forward is a battle; PCI to the Banks. Banks to their own Account Managers. Account Managers to vendors and service providers. Security Managers to the business stakeholders. Why is the loop so large? Why isn’t the link to the CEO/CFO direct? Make sense? I ranted around this topic on ITSecurityLink and put the case for quicker progress out there, but as usual, we (IT security people) are a very insular community in some respects - viewed from the inside and unfortunately from the outside.

2008 is now supposed to be THE year but we said that for 2006 and 2007 in regards to PCI. Are we then taking further steps away from what the core issues are that we are trying to address? Compliance vs. Security - heading in two different directions? (A topic also covered at the AISA day by Nick Ellsmore from SIFT - best presentation of the day).

Related posts: http://beastorbuddha.com/category/pci-dss/

Posted in Bad Stuff, PCI, PCI DSS, Risk Management, cyber crime, governance | No Comments »

A SANS and Qualys View of Security Risks, 2007

November 28th, 2007 Drazen Drazic

The work produced by SANS and Qualys stands out as some of the best data produced on the state of the security risks that, in most cases, we allow ourselves to be exposed to. More on the data shortly. Just to clarify the statement, “we allow ourselves to be exposed to”; it is what it is. Organisations persist with doing the following:

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 3 Comments »

Australian Government Approach to Security

November 17th, 2007 Drazen Drazic

This is no BS….I don’t think anyone could make stuff up that would be this funny!

These are actual and real links to “the source”.

Start here: http://www.nationalsecurity.gov.au/ and then go link by link……as I said, even if you were trying to be funny, you could not make this shit up….

Link 1: Map of Australia - just so we know what the scope is….ie; “Australians….this is Australia!” :-)
Link 2: Not really sure what this link means but it talks about replacing something else that no one else has ever heard about and knows what it means. Here it is.
Link 3: “World-Leading Computer Program to Protect Critical Infrastructure” : WTF?!?! Since when? What? How? I must have missed something.

Check out the one on plastic explosives.….What?!?!

The ref has pushed me away and called the TKO…….he should have called it after the first link but then again, you have to give them a go………my fingers are tired……I skip now to this one about APEC. If you have not seen this video, please click here..it is well worth it!: http://beastorbuddha.com/2007/09/14/156/

To prove how serious the government is, click here; http://www.ag.gov.au/agd/WWW/MinisterRuddockHome.nsf/Page/Gallery

I can’t type anymore….each link could be a whole post to itself so I will leave it with you. You just could not make this stuff up!

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, WTF, cyber crime, governance, news | 3 Comments »