A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun…..there are no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

PCI DSS compliance – It’s easy to make it tough on yourself….

Posted on July 2nd, 2009 by Drazen Drazic

It’s been an interesting few months as we’ve seen a rapid rise in the number of organisations coming to talk to us about PCI DSS compliance. The really cool thing, as mentioned here, is that we are seeing proof that if you approach your PCI DSS compliance projects like we suggested here in this post, “PCI Compliance Projects – The road to nowhere…”, you will have a greater chance for success!

We’ve worked with so many great companies in recent months who’ve taken the advice on board seriously and have made awesome inroads in regards to their IT security position (and PCI DSS compliance) – most now “compliant” (….well, as compliant as you can get).

On the flip-side, and let’s not dwell on this too much, we’ve also seen a few organisations prove that not approaching a PCI DSS compliance project as recommended in our post does make for an expensive and very much time-consuming/wasting exercise for all.

A PCI DSS compliance project is what you make of it. You can give up and claim it is impossible, (and close your eyes to the fact that there are others who have done it), or you can make it work. The principles of a successful PCI DSS compliance project are no different to the principles you would adopt to make any other project successful!

Related Links:
- Previous PCI Posts (Uncut)
- Six ways you can bork PCI
- PCI: Choosing your Auditors Carefully

Posted in PCI, PCI DSS, Risk Management, governance | 3 Comments »

ACMA, Copyright, Privacy and other un-newsworthy things…….

Posted on June 25th, 2009 by Drazen Drazic

By SGirl:

Who will I upset this time? Though the support far outweighed the few negative comments. But, I digress…..

It is interesting the information that you can find when you look really hard and spend a bit of time to get results.

As a bit of background, to me, IT security is not just all about technical solutions, hacking and the latest marketing terms like the “Cloud”. It is also about management, strategy, compliance (not the dirty version). These are the many areas that, for some reason, the media don’t really report on nor focus upon (unless your compliance means PCI DSS). It’s the less “sexy” part of the industry, but for many, the part that hits the coalface of the business.

In Australia, there are things happening that you hear little to nothing about – things that are affecting businesses and compliance considerations now. They aren’t being focused upon and far from hot topics like PCI DSS; “Ooh merchants might start being fined soon and let’s start talking about what PCI DSS is, and means to you and how vendor X is going to help you”! We only hear about what a few decide is “sexy” but for most part and as recent conversations here in this blog and forums have shown, what those individuals are deciding as “interesting” seems not to be what is floating the boats of many in the industry. Drazen Drazic gets most of his news from blogs he says.

Let’s have a look at a few things:


Posted in Industry Specialists Talk, PCI, PCI DSS, Risk Management, governance | 9 Comments »

Credit Card Data Breaches………What care factor?

Posted on June 20th, 2009 by Drazen Drazic

Everyone (schemes, banks, press etc) tries to spread the care factor for any significant data breach of cardholder information.

Reality is that from an individual’s perspective, it really doesn’t matter whether it’s 20 million cards “exposed” or 1. As long as that “1” does not belong to the individual…….And if it does, in most cases, the individual is protected against their losses.

Just a philosophical question/view. :)

Posted in Bad Stuff, Disclosure Laws, PCI, PCI DSS, cyber crime | 5 Comments »

Cracking PCI DSS Compliance – Thanks CIO Magazine!

Posted on May 23rd, 2009 by Drazen Drazic

How to get PCI DSS compliance right! This is the most awesome piece of journalism that has hit the Internet for a while. If you are one of the thousands of organisations hit by the burden of becoming PCI compliant, look no further than this article for the hot tip on kicking it. For those that have been through it, I bet you wish you had something like this when you were doing it:
http://www.cio.com.au/article/304081/how_get_pci_dss_compliance_right

Many thanks to Mike for highlighting this one. :-)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Too cool, WTF, cyber crime | No Comments »

Regulating IT Security Practices. PCI DSS too tough?

Posted on April 14th, 2009 by Drazen Drazic

The Introduction – Living it Easy

Having worked in more heavily regulated environments such as the banking and finance sector in many Asian countries (for example; Singapore and Japan), compliance pressures through something like the PCI DSS don’t seem nearly as onerous, nor as huge an immediate and ongoing effort on the part of businesses.

Coming from that world/perspective, something like the PCI DSS is not really new and not nearly as impossible/difficult as it seems to many people in countries like Australia, the US and other parts of the world where regulatory impacts upon IT and IT security have been relatively minimal to negligible.

It is all relative and comes down to the business environment you work in and you are used to. Read on:

Posted in PCI, PCI DSS, Risk Management, cyber crime, governance | 5 Comments »

Not the first time rumours have been around lately re: PCI DSS demise….

Posted on March 22nd, 2009 by Drazen Drazic

http://www.securecomputing.net.au/News/140461,visa-risk-chief-reports-of-pcis-death-exaggerated.aspx

We hope any rumours are just that. Anything being announced later this week?

Interesting reference to Heartland being the “exception”. Reality? hmm…..

Posted in PCI, PCI DSS | No Comments »

“Six ways you can bork PCI”

Posted on March 21st, 2009 by Drazen Drazic

From Risky.Biz, Dec’s article on PCI: Six ways you can bork PCI

Makes a load of sense to me but then we’ve been talking this for a long time.

Posted in PCI, PCI DSS | No Comments »

Random Things – Busy Few Weeks

Posted on March 20th, 2009 by Drazen Drazic

- Just got back from New Zealand. As always, great to get over there but wish I had more time. NZ has to be the pound for pound world leader in researchers and research. So many good guys there! And there’s also Kiwicon.

- Pat’s kicked off a new site at Risky.Biz. Some really cool stuff now and a heap of new things coming up. Good luck with it all Pat!

- Been following the SPSP/PCI SSC latest here at Mike’s site.

- New jobs posted at Beast Hot Jobs. Still working to get this going. Yeah, I know, wrong time but hopefully we’ll get there. Check it out.

- Internet Filtering/Censorship in Australia: Trying not to post too much on this because I keep hoping it will just die, but every time I start to think it is going away, it comes back. Example here. Things in NZ are not much better, potentially worse. All really scary stuff.

- I wonder what I could have seen if I plugged my laptop into the cable poking out at Sydney Airport where another parking payment machine should have been. Nah…probably not much.  :)

Posted in Dumb Security, Internet Filtering, PCI, PCI DSS, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, news | No Comments »

Random thoughts….Is it just me?

Posted on March 10th, 2009 by Drazen Drazic

- Centralised password management tool here. Vuln free delusions – be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp 14-15 in the September 2008 Edition. (May have to sign-in now to read it).

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20 odd K if we decide to become an ASV also again. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money making grabs on their part. Danger for all is that if eventually the big guys are the only ones who can afford this, the level of QSA expertise and subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker, so who wins? Do I battle these guys again or just suck it up? No appetite at present for another battle with them. Read on:


Posted in Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, PCI, PCI DSS, Research, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, cyber crime, news | No Comments »

On my list……

Posted on March 9th, 2009 by Drazen Drazic

Anton tells me he will be mind-blowingly awesome here so I have no choice but to listen into this one:  :)
——————————————————————————–

PCI Myths: Common Mistakes and Misconceptions About PCI
Presented by Anton Chuvakin and Terry Ramos of Qualys.
Date: Thursday, March 19, 2009
Time: 2:00PM EST/11:00AM PST
Register here.

——————————————————————————–

Unethical Hacking – by Immunity
June 22-26, 2009
Duration: Five 8-hour class days
Location: Canberra, Australia
For more details about the class, please click here.
——————————————————————————–

Yes, (open disclosure), both companies have business relationships with Securus Global.

Posted in PCI, PCI DSS, Vulnerability Management, Web Application Security, news | 3 Comments »

Not Patching Oracle – Risky Business

Posted on March 5th, 2009 by Drazen Drazic

Patrick Gray interviews Securus Global’s Declan Ingram on Risky Business 98. Make sure you listen to the end of the podcast. :)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Risk Management, Securus Global, Vulnerability Management, Web Application Security, news | 3 Comments »

Regulation is Bad! Let the market solely dictate things!….What a load of BS!

Posted on February 1st, 2009 by Drazen Drazic

I talked in a previous post about PCI DSS vs. regulatory requirements in some countries, (in some industries). Thought I would expand a bit more on the topic of “regulation”.

In many posts here, I’ve talked about the benefits of regulation (done right) being a big driver for better IT security practices. I was interviewed by Computerworld on this topic about 6 years ago and a representative from the Attorney-General’s Department disagreed with me, and suggested that “new standards” they were going to develop, (that showed businesses how to do things better), were sufficient, and no regulation was required. Gees, even then, we had plenty of “good practice” standards – we didn’t need more of them! (side note: none did come out from the AGD anyway that I am aware of). We need(ed) someone to say, you MUST be doing this. You have an obligation to your business, your employees, your shareholders, your business partners, the business community and society in general!

I still believe that, and I disagree with arguments that the “market” should drive this. WTF does “the market” actually mean? When has “the market” done anything of substance to improve IT security practices in the last 15 years? We’re not going forwards, so how is “the market” going to now dictate and improve this? Magic? Open to your comments as usual. Read on. I’ve added a section from a talk I had with David Rice about regulation. I liked his thoughts on this:


Posted in PCI, PCI DSS, Risk Management, cyber crime, governance | 1 Comment »

Maybe I find PCI DSS so much easier than other things…it’s all relative!

Posted on January 29th, 2009 by Drazen Drazic

Maybe some of my thoughts on PCI DSS (that I have posted here before) can be attributed back to past experiences in tougher regulatory environments I have been exposed to. For those dudes whinging about how tough PCI DSS is on the business, try working in an IT Security / IT Risk Management role in an Investment Bank in the likes of Japan and Singapore for example!

You poor dears! Would hate to see how you would deal with the regulators in those countries with their Government run “compliance” audits! Makes PCI DSS compliance look like a piece of piss (so to speak). Be careful some people what you wish for!

Do I need to expand upon why?

Posted in Dumb Security, PCI, PCI DSS | 2 Comments »

Okay, I’ll add my 2 cents to the Heartland breach….(Talking PCI DSS)

Posted on January 27th, 2009 by Drazen Drazic

I was directing all to Anton’s site here where he has done the most thorough analysis of what’s been posted on the Net about this breach. It’s worth having a look at his site. After TJX, I thought I was all talked out about these topics – for a while at least…..okay, it’s big but it’s all now becoming quite common and things like this will continue to happen due to poor on-going security practices, inherently insecure software etc etc. So is there more to say on that front that I haven’t talked/preached about in this blog for a number of years?

PCI DSS has copped quite a bit of criticism from many “experts” on the Net over the events at Heartland. I do understand why. There have been many against the standard from the outset and any breach/security issue in an organisation that is using PCI DSS as the framework for their security practices is going to have these people questioning the purpose and overall benefits of the standard. Read on…..


Posted in Bad Stuff, Disclosure Laws, Dumb Security, PCI, PCI DSS, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 7 Comments »

PCI Compliance for Dummies from Qualys

Posted on January 27th, 2009 by Drazen Drazic

Qualys has recently published a simple “PCI Compliance for Dummies” book. It’s free to download here.

Worth a read if you are new to PCI DSS compliance.

Posted in PCI, PCI DSS | No Comments »

I also thought “Virtualization” was covered by the PCI DSS

Posted on December 10th, 2008 by Drazen Drazic

From Mike Dahn’s PCI Blog:
http://pcianswers.com/2008/12/09/pci-already-addresses-virtualization/

Well worth a read.

Posted in PCI, PCI DSS | 2 Comments »

Have we made any real and measurable progress in 2008?

Posted on November 25th, 2008 by Drazen Drazic

The year is slowly winding up and I got to thinking if much changed in 2008. PCI DSS compliance continued to raise awareness of good practice more than anything else out there, but aside from that, did many organisations, our industry and the IT Industry as a whole make much headway into the IT security problems we face? Looking at my December 2007 post, I could almost just repeat everything word for word and just change the dates.


Posted in Bad Stuff, PCI, PCI DSS, Research, Risk Management, Vulnerability Management, Web Application Security, governance | 5 Comments »

PCI DSS Compliance Projects – The road to nowhere….

Posted on November 17th, 2008 by Drazen Drazic

It’s getting to that time of year where we are seeing an influx of PCI business and a constant stream of phone calls and emails from organisations who are only now either hearing about it or have realised that they’ve dropped the ball on it and their compliance deadlines are only a few months away.

The majority of the people we talk with for the first time are shocked to say the least when we explain how tough compliance is going to be if you’re starting from a base of pretty much nothing. (As an aside, this highlights how bad business IT security practices have been all along – across all sectors and all sizes of business). Bottom line is that any business who has had good security practices in place should find PCI DSS compliance relatively not that daunting, as there is not much in the standard itself that is not just plain good ol’ security practice. Why many are under the misconception that the PCI DSS is some radical set of requirements imposed upon poor businesses is still beyond me!


Posted in PCI, PCI DSS, Risk Management, governance | 6 Comments »

There’s a new credit card security standard called “PCI DSS”…

Posted on September 19th, 2008 by Drazen Drazic

And, if you read what is written in Australia’s “My Business” magazine, it; “demands your attention”.

Scroll down to this gem here but you’ll need the hardcopy to really get the gist of this awesomely stupid and poorly researched article. Where has “My Business” been for the last 3 years?

There is just so much in this article I could comment on, but it’s just not worth it and most people here would gain zero from anything I have to add. Worth a read for a sad laugh though!

One I will mention is that there is a table in there which I see is Visa’s (from somewhere…see later) and that’s described as: “See the handy at-a-glance table included in the article appearing in this month’s My Business for an indication of PCI DSS compliance chores in relation to the annual tally of credit card transactions”.

The source is: http://www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm

For any readers of “My Business”, please skip over this article. Talk to your acquiring bank and QSA if you need further information. I can’t understand what message they have tried to convey. They seem confused by it all. Please “My Business”…you are a source of valuable information to small business….look at some quality control on what you publish.

Posted in Bad Stuff, PCI, PCI DSS, WTF | 4 Comments »