“Emerging Threats” – Most “emerged” a long time ago….Emerging Responses?

Posted on March 8th, 2010 by Drazen Drazic

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out “Emerging Threats” presentation, (circa 2002) and done it word for word, (with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) ).

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 7 Comments »

What’s your “checklist of choice” for an Enterprise State of Security review?

Posted on March 2nd, 2010 by Drazen Drazic

Just wondering how some people would and/or do approach an Enterprise State of Security assessment? Obviously given the plethora of standards, regulatory “guidelines” etc, there’s no right answers. (Including size and scope of such an exercise…assume it is possible of course!). Do you see it as something impossible? Would you use something like PCI DSS? Do you have your own framework/methodology? Keen to hear people’s thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Research, Risk Management, governance | 4 Comments »

APRA releases “guidance on the management of security risk in information and information technology “

Posted on February 5th, 2010 by Drazen Drazic

APRA has released what they dub as a “prudential practice guide” – “on the management of security risk in information and information technology (IT) by institutions supervised by APRA”. Press release and document here.

It will be interesting to see how the “guideline” adoption will go. Similar to the Monetary Authority of Singapore’s “Internet Banking and Technology Risk Management Guidelines“, but a decade behind, and packing what seems to be no real regulatory push nor enforcement like that in Singapore.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Risk Management, governance | 3 Comments »

Looking at what makes good Application Security knowledge.

Posted on January 7th, 2010 by Drazen Drazic

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses it’s own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting fraud. It’s “security” by definition but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrow focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Forensics, IDS, IPS, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 6 Comments »

Core Security Skill Requirements

Posted on December 2nd, 2009 by Drazen Drazic

There’s always a load of articles talking about the “core security skills” that security professionals and companies will need to develop. With 2010 approaching, we’re starting to get the typical 2010 recommendations and predictions articles on this topic.

I wonder if many of these articles are written by, and targeted at people and organisations who might just be waking up out of their slumber into the real world that we, (security people), have lived in for the last 2 or more decades. The alarm’s on snooze still though in my opinion.

I find this interesting. Aside from keeping up with technical/researcher type knowledge, (which most of these articles rarely refer to), what are these new “core skills” that we should all be developing? Keen to know if I have missed anything.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Dumb Security, Research, Risk Management, WTF, governance | 7 Comments »

Repost: The 7 Reasons why Businesses are Insecure

Posted on December 1st, 2009 by Drazen Drazic

This is a post from 2007. The theories and concepts date well before that. Taking technologies themselves aside, nothing much has changed in the last decade, (and one can argue that the technologies themselves haven’t either). Basic foundation principles, or rather the lack thereof in our strategic approaches/(thinking in regards) to Information Security and Risk Management are rarely addressed and thus we fail without even properly beginning the defence…or is that the offence?

Anyway, please read on and I would welcome your thoughts on whether you think anything has changed to make this any less effective.

Read the rest of this entry »

Posted in Research, Risk Management, governance | 3 Comments »

CERT Australia Announced

Posted on November 26th, 2009 by Drazen Drazic

Good luck to the AGD team with CERT Australia. Further reports:
- Australian IT mentions the role of AusCERT in this.
- AusCERT’s press release here.
*** Should have included this also in original post: http://www.ag.gov.au/cybersecurity

For those attending the AISA National Annual Seminar Day; David Campbell, (Director Australian Government Computer Emergency Readiness Team) will be talking about the new CERT. Should be an interesting presentation.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Risk Management, cyber crime, news | 4 Comments »

HOUSE OF REPRESENTATIVES STANDING COMMITTEE ON COMMUNICATIONS – Subject: CyberCrime

Posted on September 24th, 2009 by Drazen Drazic

Transcripts from the 4 sessions. Interesting but a concern from the perspective that it seems Government does forget things it has done in the past and seemingly starts from scratch each time. Just my opinion. Light reading (and I mean that), but worth a skim through:

http://www.aph.gov.au/house/committee/coms/cybercrime/hearings.htm

Thanks @cmlh for the link to this.

Posted in Research, Risk Management, cyber crime, governance | 1 Comment »

A Question of Control

Posted on September 11th, 2009 by Drazen Drazic

By Declan Ingram

There has been a lot of discussion on here about 3rd party/cloud computing etc security (or lack there of). For many, this didn’t seem hugely relevant at the time as there was always a choice (or people just didn’t think it was going to be something that affected them). Recently however, the choice seems to be getting smaller.

The 3rd party management model is becoming…or should I say, has become, so popular now, that it is hard to keep control. (Control? Yes, of your information!).

Think about it. How much of your security is technically enforced by a 3rd party appliance? (And, how secure are they?) How much of your data is housed, managed, monitored, etc by a 3rd party? Professionally and personally we are giving ourselves away. More importantly, has this been looked at during your last Threat Risk Assessment? (Has you organisation even done one?)

From my experience, so many organisations that we audit have core data and systems housed and managed by 3rd parties, and nearly all of them have dangerously one sided contracts……Dangerously favouring the 3rd party.

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Industry Specialists Talk, Risk Management, governance | 12 Comments »

Outsourced (unauthorised) Vulnerability Assessment – Testing for Porkies!

Posted on August 28th, 2009 by Drazen Drazic

Looking at data like this from the Conficker Working Group and talking to many Information Security Managers/CSOs still having to deal with outbreaks in their organisations, you have to wonder what’s going on? The general theme seems to be; “Infrastructure lead told us this was under control….they patch (always!)…..they now tell us [post infection], they “sometimes” patch!….Now it’s out of control!”

LOL…usually same guys who see no merit in vulnerability assessment/management systems and penetration testing (plus security in general?). Why buy something like QualysGuard when you can get a pretty thorough test for free I suppose? (If you can deal with the repercussions). From the CSO perspective; Automated Porkie Testing…no client-side input required. :)

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, WTF | 1 Comment »

Randon Links and Rants…….

Posted on August 22nd, 2009 by Drazen Drazic

- Didn’t the 4 Corners Episode; “Fear in the Fast Lane” generate some discussion and debate this week? I didn’t post anything about it myself here for a couple of reasons; (1) I didn’t think anything new and worthwhile was worth highlighting, and, (2) People were “twittering up a storm” over it – some of it very over the top. (Refer to #4corners on Twitter search for more on that). Interestingly, from within our own industry, the discussion was more personal – questioning people’s credentials as “experts” as opposed to the actual content itself in many cases. Some fair questions raised and some not so in my opinion. I welcome your thoughts here.

-Which leads me to discussions and analysis on who are the “experts”. Anton Chuvakin, our Qualys and PCI friend ponders the question here; “A Myth of an Expert Generalist“. The same question was also raised in the Beast or Buddha forums a little while ago in the post titled; “Internet Security ‘Expert‘”. I had some thoughts on this topic (and the 4 Corners episode) on my twitter; here and here. Chris Gatford, an industry colleague in Australia and one of the people heavily featured during the 4 Corners episode responded to this here.

- Hackers vs Federal Police was a big story this week here as reported in the SMH; “Hackers break into police computer as sting backfires“. Some things get reported and some don’t: http://r00tsecurity.org/files/zf05.txt. No more to add. Everyone’s a target and everyone’s ownable (well at least you’d bet on it it being the case). Kind of makes a mockery of some of the talk on the conference circuit. Waffle vs substance…what do people want to listen to? Can most even judge?

- I’ve recently been invited to write for Tek-Tips Forums. Yep, that’s my mug. I’ll link the posts from here also when I remember to do so. After coming back from a holiday, the inspirational juices aren’t really flowing but I expect things will start to annoy me and then I’ll be back to normal. :)

- Had to repost this one: “How not to setup a Hotel Safe”; I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- And finally, off the Information Security topics. The latest issue of Top Gear magazine (which I thought was not the Australian one – yuk….but seems now like some sort of a combination of Aus and UK) has a home fridge magnet Cool Wall – most cool! Here’s my “Cool Wall“.

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | No Comments »

CERTs in Australia….and the saga continues….

Posted on August 18th, 2009 by Drazen Drazic

From Australian IT; “AusCERT sidelined in CERT revamp“. Sadly the big question that most will raise from this is; “What will happen to the yearly junket, (I mean conference), on the Gold Coast?” Be shocked if anyone even responds to this post.

Positive to see the Government doing things. Hopefully it’s being well planned and thought out.

Posted in Risk Management, cyber crime, news | 17 Comments »

Me Presenting at Conferences. Laying Down Conditions…..I’m Laid Back but…

Posted on August 14th, 2009 by Drazen Drazic

Coincidental timing….seeing a discussion on Twitter and forum here between a few people on why I don’t do presentations at large conferences.

Nice to know that people give me that cred worth discussing…thank you.

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Too cool, WTF | 1 Comment »

Police Checks on Employees – Important Considerations

Posted on August 10th, 2009 by Drazen Drazic

By SGirl:

An interesting question came across our desk this week to do with police checks on current employees and potential new employees.

Things like PCI and the increasing awareness of the human factor of security threats means more and more organisations are getting police checks done on candidates and as part of an ongoing assurance program.

So what happens if you get a report returned that shows a conviction?  What do you do? Sack the employee? Not hire them? Perhaps, perhaps not.

While some organisations have a legal requirement not to employ anyone with a criminal history (working with children, issuing licences to name a few), for others the requirements and boundaries that need to be considered are a little greyer.

Essentially there are basic human rights that prevent discrimination in the workplace, including whether or not a person has a criminal conviction. The Human Rights and Equal Opportunity Commission have a discussion paper on it:

http://www.hreoc.gov.au/human_rights/criminalrecord/summary.html

To avoid discrimination on the basis of criminal record, an employer can only refuse to employ a person if their criminal record prevents them from being unable to perform the ‘inherent requirements’ of the job.

Read the rest of this entry »

Posted in Industry Specialists Talk, Risk Management, cyber crime, governance | No Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seems to be the audience.

Should be fun…..there is no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

Busting IDS/IPS/WAFs/Firewalls Revisited……..

Posted on July 7th, 2009 by Drazen Drazic

It’s been almost 2 years since Declan Ingram did this presentation at Kiwicon that looked at perimeter security – IDS/IPS/WAFs/FWs etc and “Managed Services”.

Listen to the start of the podcast for the introduction….some good stuff…..and then the full presentation starts at 14:50. As Patrick Gray of Risky Business says; “If you are a Chief Security Officer, this is a must listen”:
http://risky.biz/netcasts/risky-business/risky-business-49-your-shiny-new-ips-wont-save-you

Talking recently to a client who is about to go into RFP for a “managed services” solution highlighted to me that many organisations are still struggling to understand what it is they actually want vs. what they will actually get/end up with. Accountability hand-balled? Better Security? Meeting Compliance? What do they want? Read on:
Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Risk Management, Vulnerability Management, Web Application Security | 4 Comments »

Journalising, Journalism and Blogging…Restrictions on Posting

Posted on July 5th, 2009 by Drazen Drazic

I had a few comments sent to me about my last post. Some of the feedback; “It wasn’t inspirational”, “Its perspective wasn’t that unique”, “What was the point?” etc…. All fair points. My only response is that at times, I will use Beast or Buddha as my journal to write about things that aren’t necessarily meant to change anyone’s world or inspire, (though I did think the PCI post tried to do that)……just reflections on my day, week and thoughts going through my head about the good, and the bad in our industry, (though the latter motivates me far more to dissect and rant). I started Beast or Buddha for these reasons. Read on:
Read the rest of this entry »

Posted in Applications, Bad Stuff, Dumb Security, Research, Risk Management, Securus Global | 8 Comments »

PCI DSS compliance – It’s easy to make it tough on yourself….

Posted on July 2nd, 2009 by Drazen Drazic

It’s been an interesting few months as we’ve seen a rapid rise in the number organisations coming to talk to us about PCI DSS compliance. The really cool thing as mentioned here, is that we are seeing proof that if you approach your PCI DSS compliance projects like we suggested here in this post; “PCI Compliance Projects – The road to nowhere…“, you will have a greater chance for success!

We’ve worked with so many great companies in recent months who’ve taken the advice on-board seriously and have made awesome inroads in regards to their IT security position (and PCI DSS compliance) – most now “compliant”, (….well as compliant as you can get).

On the flip-side, and lets not dwell on this too much, we’ve also seen a few organisations prove that not approaching a PCI DSS compliance project, as recommended in our post, does make for an expensive and very much time-consuming/wasting exercise for all.

A PCI DSS compliance project is what you make of it. You can give up and claim it is impossible, (and close your eyes to the fact that there are others who have done it), or you can make it work. The principles of a successful PCI DSS compliance project are no different to the principles you would adopt to make any other project successful!

Related Links:
- Previous PCI Posts (Uncut)
- Six ways you can bork PCI
- PCI: Choosing your Auditors Carefully

Posted in PCI, PCI DSS, Risk Management, governance | 3 Comments »

CSOs becoming CIOs……A natural progression?

Posted on June 27th, 2009 by Drazen Drazic

This is something I have talked about before.

Having been in roles in previous lives that has seen me oversee IT as a whole and IT Security (separate roles), I am of a firm belief that a good CSO has what it takes to be a good CIO, if not a better CIO than most out there. I went from the former to the latter (IT head to CSO) but I believe it can work effectively the other way. It’s not a regular thing though and I haven’t to be honest, seen it happen from memory in recent times – ie; a CSO becoming the CIO.

It’s horses for courses and case by case but more and more, I am seeing competent CSOs out there that have a better picture about IT within their business than the CIO does. Now this will upset some CIOs, but as you know, I don’t mind upsetting those that I think are not up to it. (A recent example here and here). And there’s a heap of CIOs out there, that really are not up to it. Can’t recall figures I have posted before but I’ll throw 80%+ out there as a starter now.

I’ve been working with the CSO of a relatively large business and good global brand in recent times. He’s been on board with his organisation for just over 12 months but in that time, has made some amazing inroads in regards to how this organisation views and works in regards to IT security and risk management overall. But, he’s now hit that time that body builders call the “plateau”, and every little “gain” now takes a mountain of effort – far more effort than gains took in his first 6 months at the organisation. He’s almost ready to move to “greener pastures”…..read on:

Read the rest of this entry »

Posted in Risk Management, governance | 5 Comments »

ACMA, Copyright, Privacy and other un-newsworthy things…….

Posted on June 25th, 2009 by Drazen Drazic

By SGirl:

Who will I upset this time? Though the support far outweighed the few negative comments. But, I digress…..

It is interesting the information that you can find when you look really hard and spend a bit of time to get results.

As a bit of background, to me, IT security is not just all about technical solutions, hacking and latest marketing terms like the “Cloud”. It is also about management, strategy, compliance (not the dirty version). It’s many areas that for some reason, the media don’t really report nor focus upon (unless your compliance means PCI DSS). It’s the less “sexy” part of the industry, but for much, the parts that hit the coalface of the business.

In Australia, there are things happening that you hear little to nothing about – things that are affecting businesses and compliance considerations now. They aren’t being focused upon and far from hot topics like PCI DSS; “Ooh merchants might start being fined soon and let’s start talking about what PCI DSS is, and means to you and how vendor X is going to help you”! We only hear about what a few decide is “sexy” but for most part and as recent conversations here in this blog and forums have shown, what those individuals are deciding as “interesting” seems not to be what is floating the boats of many in the industry. Drazen Drazic gets most of his news from blogs he says.

Let have a look at a few things:

Read the rest of this entry »

Posted in Industry Specialists Talk, PCI, PCI DSS, Risk Management, governance | 9 Comments »

« Previous Entries