Australian Government E-Security Review….

July 6th, 2008 Drazen Drazic

The AGD is leading a review of the Government’s e-security policy, programs and capabilities.
http://www.ag.gov.au/esecurityreview

Submissions are due by 31st July 2008.

The “key areas the ACS [Australian Computer Society] believes will present the major security threats to Australia in coming years” quoted in this SC Magazine article are interesting. Not sure what the ACS means with their last couple of suggestions though.

Personally, I would throw in the following as major security threats for consideration as opposed to what the ACS sees as a priority. Keen to hear what others think:

• Insecure and poorly developed software in critical infrastructure (and in general)
• Protection of critical infrastructure across all CI sectors (broad I know)
• Cyber-crime, cyber-espionage (further protection of state)
• Lack of any liability on software developers in general - hey, it all comes down to software doesn’t it? (incl. false and misleading advertising by security product vendors)
• Web 2.0 and other new technologies - rapid deployment vs. business impact implications analysis (how do you stop this though?)
• Awareness and understanding across the business, government and consumer worlds - lack of regulation, establishment of base level requirements for security and looking at root cause

I know some of the above is broad in scope and I’m sure that we could develop a large list, but at the same time analysis needs to be weighed against practical and realistic solutions to the issues. There are many trains of thought - some believe we must just adapt and accept that we’ll always be living and working in an insecure IT world. Others have more hope, believing that we can turn things around with great effort. Is there a middle ground in the IT world as mirrored in society in general? Can we segment the good from the bad and acknowledge the “grey” areas will always be there?

Posted in Research, Risk Management, Vulnerability Management, cyber crime, governance | 2 Comments »

Internet Banking in NZ - Will be interesting to see some test cases….

July 4th, 2008 Drazen Drazic

The Kiwis have had this on the table for a while. Computerworld NZ and MIS Australia amongst others have covered it recently with changes being made to the rules governing online banking in New Zealand.

The Computerworld NZ story has a quote that doesn’t seem to make that much sense, but in the context of the history of this and what could have been, is now a bit more understandable: “The move is expected to boost customer confidence that losses from online fraud will be covered by the banks”.

While the motives are clear, regardless of spin put on the reasons, it does raise more questions than it answers and is something I suppose will be tested eventually in a legal scenario.

Mac and Linux users I suppose need to be worried. Will basic firewalls on those systems constitute “security software”? This will be an interesting one to follow. I am sure banks in other countries that don’t throw liability back as a general rule are also watching this.

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 1 Comment »

Another consortium formed to “enhance global IT security”…

June 28th, 2008 Drazen Drazic

Is this a reaction to the monkeynet project? You have to wonder.

We had SAFECode announced last year and now comes ICASI (Industry Consortium for Advancement of Security on the Internet). Release:
http://www.icasi.org/articles/art_001.htm

How they’re going to “enhance global IT security by proactively driving excellence and innovation in security response” is something I think we all look forward to hearing more about.

I was just thinking to myself the other day, we’re about due for another consortium! :-)

Recent update on SAFECode.

Posted in Dumb Security, Research, Risk Management, WTF | 6 Comments »

I missed the National E-Security Awareness Week…..

June 21st, 2008 Drazen Drazic

Why didn’t someone remind me! Was it good?
http://www.staysmartonline.gov.au/latest_news

I also missed the Over the Horizon forum, but it was for experts…..but I don’t know any experts who attended. Feeling very unloved at the moment. :-) (Thanks Nick for this link)

Posted in Risk Management | 4 Comments »

No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic

A lot of recent posts here and in the forum talk about responsible and true representation of services and products being marketed. The focus though has been on security products and vendors, but why restrict it to just them? The whole software industry thrives under a no-liability market that few if any other industries enjoy. There is something wrong with that!

They’ve been in that lucky position since day 1 pretty much. Produce flaky products (but with a heap of features to sell and continue to sell) and have no liability should your product cause problems to those people that buy it! If problems occur, NO LIABILITY OR LEGAL REPERCUSSIONS FOR THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime | 8 Comments »

The Common Configuration Scoring System - NIST Draft

June 12th, 2008 Drazen Drazic

By Donal O Duibhir

Donal looks at “The Common Configuration Scoring System” draft from NIST:

http://csrc.nist.gov/publications/drafts/nistir-7502/Draft-NISTIR-7502.pdf

Initial thoughts: It would be nice to see CCSS as an output metric generated by the tools here: http://www.cisecurity.org/index.html, but further investigation leads me to believe the initiative perhaps hasn’t been as well thought through as CVSSv2 or the OSSTMM Risk Assessment Values here: http://www.isecom.org/research/ravs.shtml

Read the rest of this entry »

Posted in Industry Specialists Talk, Research, Risk Management, Vulnerability Management, cyber crime | No Comments »

Stay Smart Online - Latest Australian Government Initiative…

June 6th, 2008 Drazen Drazic

I wonder what the old teams and program developers at NOIE/AGIMO etc think about the latest re-branding of government’s effort to demonstrate care about individuals’ and businesses’ use of IT. (As reported here). I remember the old NOIE site. It was pretty good: rich, full of information and a great source of help and knowledge. It was a shame that relatively few people were aware of it.

The latest incarnation with a few added “features” comes at a cost of $1.2M (just on the contract alone to AusCERT as reported by the Australian Newspaper). Will be interesting to see how it all goes…….

Posted in Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 6 Comments »

Cyber-Terrorism: I love this quote from Geekonomics

June 4th, 2008 Drazen Drazic

From David Rice’s book “Geekonomics: The Real Cost of Insecure Software”:

“The sad irony is a ‘cyber-terrorist attack’ would be largely indistinguishable from routine software failure. Was it Al Qaeda or another hiccup in the software we are using?”

Posted in Bad Stuff, Dumb Security, Risk Management, To cool, Vulnerability Management, Web Application Security, cyber crime | 9 Comments »

Data Classification - Effective? Has it ever been or really worked?

June 2nd, 2008 Drazen Drazic

I was talking to a colleague the other day and we started on “data classification”. Yeah, must have been an interesting conversation to be sitting in on. :-)

Neither of us could recall ever seeing what could be termed a successful implementation, if that is the right word for it. How would you judge one anyway? That’s a big question in itself.

Read the rest of this entry »

Posted in Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management | 11 Comments »

More on not logging - “Reverse Compliance”

May 8th, 2008 Drazen Drazic

Declan’s recent post on logging being a double edged sword started some interesting discussion. Anton Chuvakin follows-up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.

Posted in Disclosure Laws, Forensics, PCI, PCI DSS, Risk Management, cyber crime, governance | 3 Comments »

To regulate IT Security controls/practices or not?!

May 5th, 2008 Drazen Drazic

With little to no regulation around IT security practices and controls in Australia, have we fallen behind other major trading partners like the US and countries in Europe? I think the answer is most definitely yes but I welcome your thoughts on this.

This is not new; it’s something I have ranted about for a while here, but as we see the landscape change elsewhere towards tighter regulation (data breach disclosure laws, for example, coming into existence in other parts of the world), we seem to talk more than act. The PCI DSS has been the biggest thing to hit Australian business in terms of some form of enforcement of good practice, and even that is operated outside of the bounds of government and local controls.

No one’s perfect, but have we really progressed much in the last few years? Sure, security awareness is higher than it has ever been, but are security issues being addressed at their core/root or does awareness just mean actioning the latest hot area/topic? I put it out there that that is the case.

Who’s addressing risk management properly? Who’s approaching security from a strategic perspective?

It’s more than just an IT security issue. It’s a business issue, it’s a shareholder value issue, it’s a national security issue..etc etc… Is regulation the key to change here? If not, what is?

Posted in Disclosure Laws, Risk Management, cyber crime, governance | 2 Comments »

If you’re in the business of providing IT services to customers, ignorance of good security is negligence!

April 22nd, 2008 Drazen Drazic

Talking today to a very successful business that came from the bricks and mortar ranks a few years back and now does 90%+ of its business online: the worry and real concern on management’s faces as to why they are now in a pretty scary position really made me angry about so many “IT” businesses who supply “IT” services to these types of businesses.

Sometimes I am hard on the businesses themselves (and they deserve it), but there are times where they just rely on, depend on and trust people in our profession to do the right thing by them….and they don’t!

What blows me away is:

Read the rest of this entry »

Posted in Bad Developers, Bad Stuff, Dumb Security, Risk Management, Web Application Security, cyber crime | 6 Comments »

Clouding Log Analysis - Anything New worth a Look?

April 17th, 2008 Drazen Drazic

“The cloud…..so pretty!”….thanks Wade for pointing me to this one at loglogic. This opened up a bit of discussion between a group of us on this “security in the cloud” business. Thought some of the comments would be worth putting together.

Some of my thoughts were previously covered here also. Anyway, the following are some of our ramblings. Feel free to add your comments.

Read the rest of this entry »

Posted in Firewalls, Forensics, IDS, IPS, Research, Risk Management, Vulnerability Management | No Comments »

Further on the MS End to End Trust…..

April 12th, 2008 Drazen Drazic

Our friend Donal posts his thoughts in some detail at Ockham’s Razor. As with most of D’s stuff, well worth clicking the link!

Posted in Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | No Comments »

“End to End Trust” - funky name for what?

April 11th, 2008 Drazen Drazic

It will be interesting to follow the response to this on the net:

http://www.microsoft.com/mscorp/twc/endtoendtrust/default.mspx

Posted in Research, Risk Management, cyber crime | 3 Comments »

Secure Security Appliances? - Making Assumptions can be Risky.

April 7th, 2008 Drazen Drazic

I wonder how many organisations question their “security appliance” vendors about the actual security of the security appliances themselves, i.e. what testing is done, how often, patch release testing, security in their own SDLC etc. From experience, we see most organisations make the assumption that since this is a “security” appliance, it must be secure.

Making the assumption that these systems are secure, and thereby not including them in security tests and reviews as part of the organisation’s security assurance program, can potentially open up an organisation to security compromises.

We work with security appliance vendors and do testing for them on their systems. These guys we trust because we know they care and are committed to providing secure systems to their clients.

Are they all doing that? We know that these systems are just as open to vulnerabilities as anything else in the corporate IT environment. Don’t assume your security appliance is secure. Ask questions and include these systems in your testing programs.

Posted in Research, Risk Management, Vulnerability Management | 4 Comments »

Auditing for security - not just for compliance

March 31st, 2008 Drazen Drazic

It used to be a standout and bold new statement; “Compliance vs. Security - one goes one way and the other goes the other way and rarely the two meet - as they should!” People would think about it and go; “Yeah….wow…that is so true now that I think about it!”. How times change and this has now almost become accepted as fact?!

PCI DSS compliance is somewhat heading down this path. I am hesitant to say it is totally but the indications are not good. Given recent news about Hannaford and ongoing news about TJX and other breaches plus things we see in the industry ourselves, I thought it might be good to re-hash this one:

http://beastorbuddha.com/2007/09/05/pci-choosing-your-auditors-carefullypart-ii/

Posted in Bad Stuff, PCI, PCI DSS, Risk Management, cyber crime | No Comments »

On the panic bandwagon?…..

March 26th, 2008 Drazen Drazic

The recent St. George Bank story shows how something can grow and become a bit blown out of proportion relative to the originally reported story. Some of the responses to the story on the News site demonstrate the lack of understanding some people have that drives fear in the community about doing business on the Net. Is this one a storm in a teacup? (I know I am critical at times about things we see, but on the flipside, sometimes perspective is tainted by underlying fears that have no direct correlation to the topic at hand).

Posted in Disclosure Laws, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

How to jeopardise a good business by not thinking, not talking to the right people and trying to save a few bucks…

March 17th, 2008 Drazen Drazic

We’re seeing this so much lately as more and more organisations are either realising they should, or are being forced into, thinking more about their IT security practices (e.g. through the likes of PCI DSS).

Good businesses that have been around for 10-20+ years then move almost everything online (fair enough; reasons and business opportunities need to be taken and competitive moves must be made), but gees, many do it so wrong and put a successful bricks and mortar business at enormous risk.

Read the rest of this entry »

Posted in Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Risk Management, Web Application Security, cyber crime | 3 Comments »

Intelligent patching programs….blind best effort patching…what do you do?

February 25th, 2008 Drazen Drazic

The number of organisations that rely on patching as their main or only measure against security vulnerabilities still amazes me. The relatively small percentage of organisations that run a proactive vulnerability assessment/management program to understand their environment and actual risks they may face is a concern.

This Computerworld US story follows the usual theme of organisational struggles to patch, patch, patch. (How often do we read stories like this? Is this really news?)…I was amazed that vulnerability assessment (VA) got a line or two for a change.

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management | 2 Comments »