“Emerging Threats” – Most “emerged” a long time ago….Emerging Responses?

Posted on March 8th, 2010 by Drazen Drazic

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out the “Emerging Threats” presentation (circa 2002) and done it word for word, (with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) ).

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 7 Comments »

What’s your “checklist of choice” for an Enterprise State of Security review?

Posted on March 2nd, 2010 by Drazen Drazic

Just wondering how some people would and/or do approach an Enterprise State of Security assessment? Obviously, given the plethora of standards, regulatory “guidelines” etc, there are no right answers. (Including size and scope of such an exercise…assume it is possible of course!). Do you see it as something impossible? Would you use something like PCI DSS? Do you have your own framework/methodology? Keen to hear people’s thoughts.


Posted in Research, Risk Management, governance | 4 Comments »

APRA releases “guidance on the management of security risk in information and information technology”

Posted on February 5th, 2010 by Drazen Drazic

APRA has released what they dub as a “prudential practice guide” – “on the management of security risk in information and information technology (IT) by institutions supervised by APRA”. Press release and document here.

It will be interesting to see how the “guideline” adoption will go. Similar to the Monetary Authority of Singapore’s “Internet Banking and Technology Risk Management Guidelines”, but a decade behind, and packing what seems to be no real regulatory push nor enforcement like that in Singapore.


Posted in Risk Management, governance | 3 Comments »

Looking at what makes good Application Security knowledge.

Posted on January 7th, 2010 by Drazen Drazic

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on.


Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Forensics, IDS, IPS, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 6 Comments »

Core Security Skill Requirements

Posted on December 2nd, 2009 by Drazen Drazic

There’s always a load of articles talking about the “core security skills” that security professionals and companies will need to develop. With 2010 approaching, we’re starting to get the typical 2010 recommendations and predictions articles on this topic.

I wonder if many of these articles are written by, and targeted at people and organisations who might just be waking up out of their slumber into the real world that we, (security people), have lived in for the last 2 or more decades. The alarm’s on snooze still though in my opinion.

I find this interesting. Aside from keeping up with technical/researcher type knowledge, (which most of these articles rarely refer to), what are these new “core skills” that we should all be developing? Keen to know if I have missed anything.


Posted in Dumb Security, Research, Risk Management, WTF, governance | 7 Comments »

Repost: The 7 Reasons why Businesses are Insecure

Posted on December 1st, 2009 by Drazen Drazic

This is a post from 2007. The theories and concepts date well before that. Taking technologies themselves aside, nothing much has changed in the last decade, (and one can argue that the technologies themselves haven’t either). Basic foundation principles, or rather the lack thereof in our strategic approaches/(thinking in regards) to Information Security and Risk Management are rarely addressed and thus we fail without even properly beginning the defence…or is that the offence?

Anyway, please read on and I would welcome your thoughts on whether you think anything has changed to make this any less effective.


Posted in Research, Risk Management, governance | 3 Comments »

HOUSE OF REPRESENTATIVES STANDING COMMITTEE ON COMMUNICATIONS – Subject: CyberCrime

Posted on September 24th, 2009 by Drazen Drazic

Transcripts from the 4 sessions. Interesting but a concern from the perspective that it seems Government does forget things it has done in the past and seemingly starts from scratch each time. Just my opinion. Light reading (and I mean that), but worth a skim through:

http://www.aph.gov.au/house/committee/coms/cybercrime/hearings.htm

Thanks @cmlh for the link to this.

Posted in Research, Risk Management, cyber crime, governance | 1 Comment »

A Question of Control

Posted on September 11th, 2009 by Drazen Drazic

By Declan Ingram

There has been a lot of discussion on here about 3rd party/cloud computing etc security (or lack thereof). For many, this didn’t seem hugely relevant at the time as there was always a choice (or people just didn’t think it was going to be something that affected them). Recently however, the choice seems to be getting smaller.

The 3rd party management model is becoming…or should I say, has become, so popular now, that it is hard to keep control. (Control? Yes, of your information!).

Think about it. How much of your security is technically enforced by a 3rd party appliance? (And, how secure are they?) How much of your data is housed, managed, monitored, etc by a 3rd party? Professionally and personally we are giving ourselves away. More importantly, has this been looked at during your last Threat Risk Assessment? (Has your organisation even done one?)

From my experience, so many organisations that we audit have core data and systems housed and managed by 3rd parties, and nearly all of them have dangerously one-sided contracts…dangerously favouring the 3rd party.


Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, Risk Management, governance | 12 Comments »

Police Checks on Employees – Important Considerations

Posted on August 10th, 2009 by Drazen Drazic

By SGirl:

An interesting question came across our desk this week to do with police checks on current employees and potential new employees.

Things like PCI and the increasing awareness of the human factor of security threats means more and more organisations are getting police checks done on candidates and as part of an ongoing assurance program.

So what happens if you get a report returned that shows a conviction? What do you do? Sack the employee? Not hire them? Perhaps, perhaps not.

While some organisations have a legal requirement not to employ anyone with a criminal history (working with children, issuing licences to name a few), for others the requirements and boundaries that need to be considered are a little greyer.

Essentially there are basic human rights that prevent discrimination in the workplace, including whether or not a person has a criminal conviction. The Human Rights and Equal Opportunity Commission have a discussion paper on it:

http://www.hreoc.gov.au/human_rights/criminalrecord/summary.html

To avoid discrimination on the basis of criminal record, an employer can only refuse to employ a person if their criminal record prevents them from being able to perform the ‘inherent requirements’ of the job.


Posted in Industry Specialists Talk, Risk Management, cyber crime, governance | No Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

PCI DSS compliance – It’s easy to make it tough on yourself….

Posted on July 2nd, 2009 by Drazen Drazic

It’s been an interesting few months as we’ve seen a rapid rise in the number of organisations coming to talk to us about PCI DSS compliance. The really cool thing, as mentioned here, is that we are seeing proof that if you approach your PCI DSS compliance projects like we suggested here in this post, “PCI Compliance Projects – The road to nowhere…”, you will have a greater chance for success!

We’ve worked with so many great companies in recent months who’ve taken the advice on-board seriously and have made awesome inroads in regards to their IT security position (and PCI DSS compliance) – most now “compliant”, (….well as compliant as you can get).

On the flip-side, and let’s not dwell on this too much, we’ve also seen a few organisations prove that not approaching a PCI DSS compliance project as recommended in our post does make for an expensive and very much time-consuming/wasting exercise for all.

A PCI DSS compliance project is what you make of it. You can give up and claim it is impossible, (and close your eyes to the fact that there are others who have done it), or you can make it work. The principles of a successful PCI DSS compliance project are no different to the principles you would adopt to make any other project successful!

Related Links:
- Previous PCI Posts (Uncut)
- Six ways you can bork PCI
- PCI: Choosing your Auditors Carefully

Posted in PCI, PCI DSS, Risk Management, governance | 3 Comments »

CSOs becoming CIOs……A natural progression?

Posted on June 27th, 2009 by Drazen Drazic

This is something I have talked about before.

Having been in roles in previous lives that have seen me oversee IT as a whole and IT Security (separate roles), I am of a firm belief that a good CSO has what it takes to be a good CIO, if not a better CIO than most out there. I went from the former to the latter (IT head to CSO) but I believe it can work effectively the other way. It’s not a regular thing though and I haven’t, to be honest, seen it happen from memory in recent times – ie; a CSO becoming the CIO.

It’s horses for courses and case by case but more and more, I am seeing competent CSOs out there that have a better picture about IT within their business than the CIO does. Now this will upset some CIOs, but as you know, I don’t mind upsetting those that I think are not up to it. (A recent example here and here). And there’s a heap of CIOs out there, that really are not up to it. Can’t recall figures I have posted before but I’ll throw 80%+ out there as a starter now.

I’ve been working with the CSO of a relatively large business and good global brand in recent times. He’s been on board with his organisation for just over 12 months but in that time, has made some amazing inroads in regards to how this organisation views and works in regards to IT security and risk management overall. But, he’s now hit that time that body builders call the “plateau”, and every little “gain” now takes a mountain of effort – far more effort than gains took in his first 6 months at the organisation. He’s almost ready to move to “greener pastures”…..read on:


Posted in Risk Management, governance | 5 Comments »

ACMA, Copyright, Privacy and other un-newsworthy things…….

Posted on June 25th, 2009 by Drazen Drazic

By SGirl:

Who will I upset this time? Though the support far outweighed the few negative comments. But, I digress…..

It is interesting the information that you can find when you look really hard and spend a bit of time to get results.

As a bit of background, to me, IT security is not just all about technical solutions, hacking and latest marketing terms like the “Cloud”. It is also about management, strategy, compliance (not the dirty version). It’s many areas that for some reason, the media don’t really report nor focus upon (unless your compliance means PCI DSS). It’s the less “sexy” part of the industry, but for much, the parts that hit the coalface of the business.

In Australia, there are things happening that you hear little to nothing about – things that are affecting businesses and compliance considerations now. They aren’t being focused upon and far from hot topics like PCI DSS; “Ooh merchants might start being fined soon and let’s start talking about what PCI DSS is, and means to you and how vendor X is going to help you”! We only hear about what a few decide is “sexy” but for most part and as recent conversations here in this blog and forums have shown, what those individuals are deciding as “interesting” seems not to be what is floating the boats of many in the industry. Drazen Drazic gets most of his news from blogs he says.

Let’s have a look at a few things:


Posted in Industry Specialists Talk, PCI, PCI DSS, Risk Management, governance | 9 Comments »

Review of Information Security and Risk Management Strategy – Complex or Straightforward Exercise?

Posted on June 12th, 2009 by Drazen Drazic

In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date.

One way to measure the performance of the Information Security strategy is to develop a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help: define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting valuable information pertinent to the phase of strategy), increase accountability (by linking metrics to performance appraisals and business plans) and align the objectives of individuals, teams and the organisation itself.

In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum (thanks Rayport and Jaworski for the inspiration):

• Articulation of the Security Strategy.
• Translating Strategy into Desired Outcomes.
• Devising Metrics.
• Linking Metrics to Leading and Lagging Indicators.
• Calculating Current and Target Performance.

How complex an exercise is this? In recent weeks I have done a couple of presentations to boards and senior management of organisations who are keen to evaluate the effectiveness of their current strategy(s).

Are exercises like this 12-month-plus projects à la Big 4 massive undertakings (costing millions), or can an experienced eye provide the same end results in a fraction of the time? Read on.


Posted in Bad Stuff, Risk Management, Vulnerability Management, governance | 10 Comments »

Regulation vs. Market Forces – A collection of recent posts….

Posted on June 2nd, 2009 by Drazen Drazic

I’ve seen a few discussions around the Net recently on this topic of “market forces” being the drivers of better IT security practice versus “regulation” so I thought I would resurrect some recent posts for discussion.

- Crime Insurance – Implications of bad business IT security practices: Could swing to either side of the debate.
- Regulating IT Security Practices – PCI DSS too tough?: It doesn’t have to be seen as impossible.
- Workaround, accepted mediocrity and questionable future benefits/improvements: Giving up and taking the “easier” paths?
- Regulation is Bad! Let the market solely dictate things!….What a load of BS!: A response to some recent posts posted a few months before the recent posts.

Keen to get your thoughts.

Posted in Disclosure Laws, Research, Risk Management, governance | 9 Comments »

Approach and position on IT, Information Economy, Security II (By SGirl)

Posted on May 16th, 2009 by Drazen Drazic

By SGirl:

It is not just the government. The whole industry doesn’t care enough to pay sufficient attention to the message that is being sent in regards to IT Security to business. (I am not even going to bother with the national IT Agenda – that is a whole other rant). It is largely cultural. And I don’t know if it will change. Let’s start with the government.

You have local, state and federal government and within this, a plethora of agencies, departments, bodies and statutory authorities that have their own areas of responsibility. Pretty much at every level and at every segment they are putting out a message about IT security.

Some push a dedicated IT security message, others push a particular message for a particular sector or area of industry….and many are pushing the same message to the same segment in different areas of the country. Their intentions vary too, and this also plays a part in what message is sent.

For some the root intent is social responsibility – for others it is purely political (eg; Internet Filtering anyone?), jumping onto topical interest bites or even just using up budget allocations pointlessly to keep jobs and play the games that governments play.

Not one though in my opinion gives sufficient information for a business of any size (small, medium and large) to understand and appreciate all that they should be knowing and doing to target new threats of doing business facilitated by technology. And few ever and consistently say things in alignment with each other. You have to wonder….


Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, Risk Management, WTF, cyber crime, governance | 11 Comments »

APRA releases discussion paper on IT security risk management

Posted on May 11th, 2009 by Drazen Drazic

Thanks to Matthew Hackling who spotted this one: “APRA releases discussion paper on IT security risk management”.

Reading on, and we’re no further down the track seemingly of some serious enforcement of good practice. Another set of “guidelines”?…..Or is it something potentially that APRA could selectively use as the working requirements for audits of “regulated institutions”? Should that be the case, a level of consistency will be critical – something that has not been a pattern of the past.

If it remains solely as a set of “guidelines”, you can add them to the scores of other good practice “guidelines” out there that never really achieved much and have fallen into the Information Security black hole.

Related posts:
- Australian Government approach and position on IT, Information Economy and Security
- Various posts over the years on related and some not so related topics

My thoughts on this aren’t new as people who read Beast or Buddha know. Am always optimistic though but hard not to be cynical.

Posted in Risk Management, cyber crime, governance | 5 Comments »

Industry/Business/Risk Management/Process – Failures and Search for Hope

Posted on May 1st, 2009 by Drazen Drazic

Banging on about the selectively forgotten root cause issues – that are glazed over for want of a prettier picture (alternative reality)…the ongoing “marketing” to sell millions/billions of dollars worth of magic (questionable) product that is; purchased by business without thought, implemented; without plan, committed strategy, effective process – through failed Risk Management methodologies….we go on and on. Let’s then celebrate mediocrity at each step.


Posted in Bad Stuff, Dumb Security, Risk Management, WTF, governance | 5 Comments »

Regulating IT Security Practices. PCI DSS too tough?

Posted on April 14th, 2009 by Drazen Drazic

The Introduction – Living it Easy

Having worked in more heavily regulated environments such as the banking and finance sector in many Asian countries (for example; Singapore and Japan), compliance pressures through something like the PCI DSS don’t seem nearly as onerous, nor as huge an immediate and ongoing effort on the part of businesses.

Coming from that world/perspective, something like the PCI DSS is not really new and not really that impossible/difficult as it seems to many people in countries like Australia, the US and other parts of the world where regulatory impacts upon IT and IT security have been relatively minimal to negligible.

It is all relative and comes down to the business environment you work in and are used to. Read on.

Posted in PCI, PCI DSS, Risk Management, cyber crime, governance | 5 Comments »

Where did the Role of the CIO go wrong? Part I

Posted on April 13th, 2009 by Drazen Drazic

This is far from my first post on the role of the CIO. While most posts have been focused on the [CIO] failures to fully understand the role of Information Security professionals and the industry in general, many [posts] have also looked at the fundamental failures of CIOs and their roles in business. The two are interdependent.

Somewhere around the late 90s, this “CIO” title started to become the role “title” of choice for the most senior IT person in the organisation. Out went “IT Director”, “IT General Manager” and similar titles, and in came the trend of “CIOs” starting to consider themselves business people. Now at the time, most CIOs were IT people, and drawing that long bow to be now viewed by their own staff as “business people” created one of the major turning points.

This has been a catalyst for leading our industry into more than 10 years of little change in regards to significant IT development, better security, and to an extent, relatively effective control of IT in a business, any potential, and most importantly, understanding and forceful commitment to the emerging Information Security industry and the rising impacts of the latter to business. Is this the reason good information security adoption has lagged, and to many extents, is just plainly non-existent in many organisations?

Taking this deeper, without that critical mass of acceptance at that senior level – the representative voice of IT to the business and flow-on effects to society as a whole has failed. Accountability means little to nothing in the overall scheme of things pertaining to longer term strategy – “Governance” in IT security overall would be deemed a failure. Risk Management across an enterprise from a holistic view is a failure. (In silos, there are some successes but what overall benefit if the business as a whole has no business-wide understanding of itself). Without this review and the most basic and potential root cause analysis and planned treatment of the root causes, we have the lack of progress, (though some would call total failures)….should we expect to be in a better position now or in the short term future?

Part II will look at more detailed analysis of the CIO in business and their relation to IT Security. Thanks to Donal for this one:
http://chucksblog.emc.com/chucks_blog/2009/04/thoughts-on-the-state-of-the-cio.html

Why aren’t CIOs’ competences being analysed from within their own departments? While I know so many good CIOs, I’ve met far more who are out of their league and you wonder what they really know. If they want to be “C-level” people, they need to be more scrutinised in the same way as CEOs and CFOs (even though we know that is also far from ideal a lot of the time).

Stay tuned for Part II

Posted in Bad Stuff, Dumb Security, Risk Management, Uncategorized, Vulnerability Management, WTF, cyber crime, governance | 1 Comment »