“Emerging Threats” – Most “emerged” a long time ago… Emerging Responses?

Posted on March 8th, 2010 by Drazen Drazic

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff you can’t write about, for obvious reasons.) What do you do? Continue to rehash the old stuff? Sometimes! …which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out the “Emerging Threats” presentation (circa 2002) and done it word for word, with only a few very minor wording and definition changes (e.g. “Cloud”, “APT” etc. :) ).

Should we be calling these presentations “Emerging Responses”? It’s the response part that in most cases is yet to “emerge” effectively! The “threats” (most of them) emerged a long time ago. In many cases we just call them different things now because we failed to deal with them properly at the time, so it’s easier to rename something – it makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

What’s your “checklist of choice” for an Enterprise State of Security review?

Posted on March 2nd, 2010 by Drazen Drazic

Just wondering how some people would and/or do approach an Enterprise State of Security assessment? Obviously, given the plethora of standards, regulatory “guidelines” etc., there are no right answers. (Including on the size and scope of such an exercise… assume it is possible, of course!) Do you see it as something impossible? Would you use something like PCI DSS? Do you have your own framework/methodology? Keen to hear people’s thoughts.

Core Security Skill Requirements

Posted on December 2nd, 2009 by Drazen Drazic

There’s always a load of articles talking about the “core security skills” that security professionals and companies will need to develop. With 2010 approaching, we’re starting to get the typical 2010 recommendations and predictions articles on this topic.

I wonder if many of these articles are written by, and targeted at, people and organisations who might just be waking up out of their slumber into the real world that we (security people) have lived in for the last 2 or more decades. The alarm’s still on snooze though, in my opinion.

I find this interesting. Aside from keeping up with technical/researcher-type knowledge (which most of these articles rarely refer to), what are these new “core skills” that we should all be developing? Keen to know if I have missed anything.

Repost: The 7 Reasons why Businesses are Insecure

Posted on December 1st, 2009 by Drazen Drazic

This is a post from 2007. The theories and concepts date from well before that. Setting the technologies themselves aside, nothing much has changed in the last decade (and one can argue that the technologies themselves haven’t either). Basic foundation principles, or rather the lack of them in our strategic approaches and thinking in regard to Information Security and Risk Management, are rarely addressed, and thus we fail without even properly beginning the defence… or is that the offence?

Anyway, please read on and I would welcome your thoughts on whether you think anything has changed to make this any less effective.

New ACS “Centres of Excellence” – Security and Advanced Computing

Posted on November 28th, 2009 by Drazen Drazic

The Western Australian branch of the Australian Computer Society is launching two new “Centres of Excellence”. Information here. Information supplied by Philip Argy. Thank you to the ACS for passing this on to us. We look forward to hearing more about this initiative.

Australian Bloggers Roundup

Posted on September 25th, 2009 by Drazen Drazic

While the Information Security blogging scene is relatively small here in Australia, the guys in it are always bringing out interesting things. Here’s a brief roundup of what’s been happening lately:

- Donal at Ockham’s Razor looks at Electronic Voting in his latest post and raises what, to us, are valid points. He links to an article from Ireland which is interesting reading. Do yourself a favour and read some of D’s other posts. Worth scanning through for some thinking “outside the square”.
- Wade doesn’t focus that much on Information Security anymore but every so often, he’ll have a few gems there. Interesting reading at wadem anyway.
- The west’s biggest and best blogger, Christian at un-excogitate.org covers the latest OWASP meeting in Perth and also talks about Cloud Security in his latest posts.
- Jordan at Security Technology Science has started posting again. I like Jordan’s posts as he looks at the psychology of our industry and the people within it. He’s got extensive experience so for new guys coming up through the ranks (and those already there), it’s interesting to get that take from a “veteran”. (He’ll hate me saying that as he’s heaps younger than me!)
- Another BJJ/MMA exponent (gees, there’s a few in our industry), Jarrod at /DEV/NULL has posts on Cloud Security and Exemptions which are worth a read. Post your thoughts to Jarrod.
- The Big 4 man Matthew at Infamous Agenda has recently been getting hot over a few topics. Go see what’s been getting Matt worked up.
- Pat’s Risky.Biz continues to be one of the best Information Security podcasts out there. He’s got a heap of new stuff; forums, vids and the usual weekly Risky Business podcast.
- Eldar’s stuff at Just Another Hacker makes my old technical – now non-technical head spin, but for you techo dudes, go suss it out.
- James at Karter.Net, while not a totally security-focused blog (Open Source and other things, plus his experience), is publishing a lot of good stuff. To narrow it down to one sentence would not do it justice. Click away.
- Philip at PhilipHall.com has been talking about Apple vulns in recent times. A “CyberSecurity Junkie”, and his archive of posts is worth reading.
- Bradley at Inside Out continues his focus on forensics, digital evidence and legal issues. One of few in Australia blogging about this topic. Worth bookmarking!

I haven’t covered everyone, but if you are blogging in Australia or know of someone who is, let us know and we’ll add them to the Australian IT Security Blog Directory.

HOUSE OF REPRESENTATIVES STANDING COMMITTEE ON COMMUNICATIONS – Subject: CyberCrime

Posted on September 24th, 2009 by Drazen Drazic

Transcripts from the 4 sessions. Interesting, but a concern from the perspective that Government seems to forget things it has done in the past and to start from scratch each time. Just my opinion. Light reading (and I mean that), but worth a skim through:

http://www.aph.gov.au/house/committee/coms/cybercrime/hearings.htm

Thanks @cmlh for the link to this.

Amazing People doing Amazing Things… Soon :)

Posted on August 26th, 2009 by Drazen Drazic

Stay tuned…

I get asked by people all the time why I do things like “Twitter”, for example. As if it is something not so worthy. Background: here and here.

So I have decided to look at some of the real benefits of such applications in relation to our industry (and wider) in a much longer post. Who’s wasting their time or missing out? Is it that uncool? LOL… we’ll see.

DD

Me Presenting at Conferences. Laying Down Conditions… I’m Laid Back but…

Posted on August 14th, 2009 by Drazen Drazic

Coincidental timing… seeing a discussion on Twitter and in the forum here between a few people on why I don’t do presentations at large conferences.

Nice to know that people give me that cred worth discussing…thank you.

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seem to be the audience.

Should be fun… there are no slides… just talk… they accepted that (somewhat, I think). :) I prefer to just talk…

This will be an all-out session and I hope Bruce S (Keynote) will be there… Pass this link to 20 of your friends and you will receive… magically… a new notebook.

Journalising, Journalism and Blogging…Restrictions on Posting

Posted on July 5th, 2009 by Drazen Drazic

I had a few comments sent to me about my last post. Some of the feedback: “It wasn’t inspirational”, “Its perspective wasn’t that unique”, “What was the point?” etc. All fair points. My only response is that at times I will use Beast or Buddha as my journal to write about things that aren’t necessarily meant to change anyone’s world or inspire (though I did think the PCI post tried to do that)… just reflections on my day, week and the thoughts going through my head about the good, and the bad, in our industry (though the latter motivates me far more to dissect and rant). I started Beast or Buddha for these reasons. Read on:

Random Links and Rants…….

Posted on June 17th, 2009 by Drazen Drazic

Must have been a week or two for lists:
- Anton’s “Security Information Trust Pyramid”. Why? Why not! Related to this thread on Australian IT Security Media?
- Matt on “What do you need to know to work in infosec?” A view from inside a Big 4? What do you think?

Kiwicon 2K9 is in the planning. Follow the site for updates, or on Twitter @kiwicon if that floats your boat.

@SecurusGlobal has been set up on Twitter. Follow us for news, updates and goings-on. Awesomely exciting… Ha… but just as exciting as most of Twitter. :) See you also at @DDrazic.

AISA is also on Twitter: @AISA_National, @Melbourne_AISA, @Perth_AISA.

Discussion on Policy Frameworks here from the Forums section.

Some new updates to the Australian IT Security Blog Directory. Check it out and support the local guys. If we’re missing someone, please let us know.

Regulation vs. Market Forces – A collection of recent posts….

Posted on June 2nd, 2009 by Drazen Drazic

I’ve seen a few discussions around the Net recently on this topic of “market forces” being the drivers of better IT security practice versus “regulation” so I thought I would resurrect some recent posts for discussion.

- Crime Insurance – Implications of bad business IT security practices: Could swing to either side of the debate.
- Regulating IT Security Practices – PCI DSS too tough?: It doesn’t have to be seen as impossible.
- Workaround, accepted mediocrity and questionable future benefits/improvements: Giving up and taking the “easier” paths?
- Regulation is Bad! Let the market solely dictate things!… What a load of BS!: A response to some posts from a few months before the recent ones.

Keen to get your thoughts.

Big conference hangovers….Is the message lost? Is there a message anymore?

Posted on May 22nd, 2009 by Drazen Drazic

Some of us had to work, so AusCERT was out of the question this year for me, as I mentioned. Well actually, I had made my mind up a long time ago that I wasn’t going to go this year. A personal choice based solely on the fact that, while I have a great time at each AusCERT (from a catch-up/networking perspective), I am left feeling a bit flat after the event. I’m not the only one – many people tell me the same, but I also acknowledge that many feel the exact opposite.

The reason I feel this way post-event is that it’s a downer seeing that we’re not progressing much as an industry (in terms of what we’re in this for). You walk out of a great presentation, excited by what you’ve heard, straight into a wall of vendor stalls, most filled with sales people who have little interest in our industry and whose only focus is to flog their products – generally without really caring about or knowing much about those products themselves. It’s a case of extremes at events like this, and you wonder when things will start to make some headway into actual value and improvements in what we as an industry are trying to accomplish.

AusCERT 2009: Day 2

Posted on May 20th, 2009 by Drazen Drazic

This is what happens when you have guys in the field getting into the spirit of the conference with little regard for deadlines. :) Late or no submissions. At least Pete finally got something to me. No sign of Knuckle as yet and it’s 3:00pm.
—————————————————————————————————–

Good value following the Twitter updates here. A few interesting posts during last night’s awards also. Some not so happy people with some of the winners, but overall, seemed like a great night for those in attendance:
https://twitter.com/#search?q=%23auscert

AusCERT 2009: Day 1

Posted on May 19th, 2009 by Drazen Drazic

The Twitter phenomenon has finally reached AusCERT in some force with the number of people posting tweets growing as the day progressed. For those of us not in attendance, it was a good way to get some of the latest news, (like the almost instantaneous reports that Senator Conroy was not going to talk about the Internet Censorship plan). As the day went on, the Twitter postings became more and more interesting, wrapping up well into the early morning with people talking about a variety of things including once again, local content and male vs female speaker numbers. Follow the Twitter postings here: http://twitter.com/#search?q=%23auscert

So, did AusCERT 2009 Day 1 follow Conroy’s lead and turn out to be a dud? Click on…

AusCERT 2009: Pre-conference Roundup

Posted on May 18th, 2009 by Drazen Drazic

While I’m not there myself, I was told it would be remiss of me not to somehow provide coverage of the events at Australia’s largest Information Security conference. Which blog would organisers be stressing about if we didn’t talk about the event?

So, a team has been formed and they’ll be providing a daily wrap-up of events as seen through their eyes. (Obviously, to protect their anonymity and safety, names have been changed.) Yeah, you know not all of this is going to be 100% serious, but if you are offended, post your thoughts – flame away. Click on to begin…

Hiring Convicted “Hackers”…

Posted on April 20th, 2009 by Drazen Drazic

Just reading the latest thread here in the Forum. It’s a fair point that’s raised. Something we’ve talked about for a while…

In my opinion, it [hiring convicted hackers] demonstrates something deeper than just the face-value story of a convicted hacker being hired and the ethical issues associated with that. (I’ll leave discussion on that part, as it’s been done to death before.)

What it really demonstrates, in my opinion, is seriously dumb senior management who seem to believe that rogue “hackers” bring something special to the table… something they have no idea they can already get by the score in the mainstream professional Information Security industry. (E.g. as I have said before, I believe pound for pound NZ has some of the best IT Security researchers in the world… If I were TelstraClear, I’d have about 20 others on the list before hiring the kid they did.) Look, good luck to the guys being hired. You have to make a living, and if someone wants to offer you money, a job etc., well…

Workarounds, accepted mediocrity and questionable future benefits/improvements….

Posted on March 22nd, 2009 by Drazen Drazic

I set the scene with some recent, somewhat provocative posts to generate thinking, debate and discussion, and to get some interest, before the context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?) To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and whether I was shooting myself in the foot with some vendors now and in the future. (Hey, big assumption that anyone actually reads this stuff I write.) For the latter, I probably was/am, but as most people know, I am not scared to put my opinion out there for critique and flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory-boy thing; it is what it is, and I don’t profess it to be anything it is not. (Refer to the top right corner of the home page for the disclaimer.)

So, getting to the point of this (…finally, you’re probably thinking). WAFs are an easy target to generate discussion (polarising more than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched in our industry through to strategic thinking and approaches that look at where our industry is, where it should be and, most importantly, the steps needed to make valuable and significant improvements to IT, business, home and society in general. Read on:

Cyber Security at the Crossroads

Posted on March 12th, 2009 by Drazen Drazic

I enjoy David’s writing and his analogies between insecure software and the issues we face from it today and those in other industries and other times.

He’s kicked off a series of posts titled “Cyber Security at the Crossroads” on his blog. Worth a read:

Cyber Security at the Crossroads: Introduction
Cyber Security at the Crossroads: Bad Treatment

This higher-level view vs. “otherworld” case studies, present and past, is often overlooked in our industry, but it is the way to open up understanding, awareness and discussion on this topic to broader society. Is there a better way?