As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check-off what you are actually doing now, versus what the original role description stated the role would/should be?

I know talking with many people out there that this is one of their biggest issues in their role today – either the role not being as it was promoted/advertised and/or you not having the support to perform the role your were hired to do.

It’s made cynics of so many people in our industry and in a weird way, has also kept people, albeit unhappy in organisations longer, given the fact that there’s a belief that wherever security people go, it will be much of the same…..so at least, “better the devil you know”. This blog is full of posts, (since day 1 about the trials and tribulations of Information Security people) trying to do their job and battling every step of the way for even small gains. I won’t link to these posts….to many but have a search here if you want further references.

I’m not going to go over all the old issues again here. What I am going to put forward is another idea, that at a minimum, may provide Information Security professionals with a sense of worth, accomplishment and within their organisation, a position whereby an organisation can choose to accept professional opinion, views and recommendations – or not, but at least the Information Security professional can rest secure in a position of having at least gone on record from an overarching management, governance and strategic perspective. (The following need not only relate to the most senior Information Security person in the organisation – but anyone who holds to a belief that things should be better than they are now). Read on……

(more…)



Release from ANSI. (I’ve included this as an FYI for Australian Information Security people). This link below has the content of the email sent out recently.

Related post regarding recent Australian Government activity here. Coordination? Focus? Lessons?

———————————————————————————————
White House Releases National Strategy for Trusted Identities in Cyberspace
http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=2576

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



“On Monday 21 June 2010, the Standing Committee on Communications tabled its report on the inquiry into Cyber Crime entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.” Full details and report here.

We covered the updates to this inquiry last year: October 2009 post, September 2009 post.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



I’ve talked about this before so I won’t rant on again too much about my position….gees, did I have a definitive one? :)

I agree with the last comments on the last post here from GoogleHack. If the research community hasn’t been able to nail this, then you have issues. If a Google takes a stand – regardless whether “official” or not, it will impact heavily on the debate. It’s Google! This is a really bad thing in my opinion. A “standard” has been set….at least for the time being.

Securus Global has taken the position that we judge all vuln research findings on a case by case basis. The upshot, to the detriment of our marketing is that we’re rarely publishing vulnerability advisories. This may upset some, but we’ve almost come to the conclusion that as a business, it’s no longer a cool thing to do (all the time).

Now please don’t get me wrong……independent researchers publishing stuff, come from a different angle and we respect that fully. We do. They don’t have the backing of a “business” in many cases, but they have a passion and other drivers…..good, bad or looking for a way. We did.

We respect our own team doing this and publishing as “independents” if they choose too. We just see, as a team, another way is working for us, and the companies who engage us directly to work with them.

In the last 12-24 months, it’s been great to be recognised more and more by large security vendors and other major software and hardware developers as an organisation they can trust to get their appliances, software and overall systems tested before going to market. We’ve built a reasonably good reputation through word-of-mouth and there’s now a lot of systems out there that have been fixed up due to our work.

Given these direct relationships, it has been a slight negative though from a broader marketing perspective for Securus Global in that public advisories are not there. Saying that, it does though align with why we started in the first place and it aligns with our approach to the industry overall…..always has had – to improve, to make things better than they were.

Marketing follows. :)

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



By Jarrod Loidl.

At present, I am reading “Enterprise Security Architecture: A Business-Driven Approach“, in anticipation of sitting the SABSA Foundation course. Based on the title and many people’s view the content, it isn’t the most thrilling read. While this book is certainly not perfect, I actually am enjoying it at the moment, but I think that’s because I have begun to appreciate the beauty of good architecture. To explain;

In my previous role, (and to a lesser extent current role), I reviewed a lot of solution architecture designs. I really got a buzz reviewing and helping to build a given solution and make it as secure and robust as possible.

In was during this time I really developed an appreciation for architecture as a distinct discipline in its own right. I got to work alongside many IT architects of various backgrounds and capabilities. I attended Architecture Forums where the roadmaps were presented to the CIO. What was interesting was seeing how many of the technical decisions either directly benefited through cost saving, business enablement or supported future company growth and expansion. Growing up in IT, I had often heard how IT exists to support the business. This was truly my first experience seeing the truest extent in which IT could enable the enterprise.

It is also what made me truly realise that many security professionals lack an architectural focus in what we do. Now this is not something limited to our profession is alone. There are plenty of people passing themselves off as “architects” when in fact they are really “designers”. This happens in construction all the time.

It seems intuitive to both “designers” and “architects” that “form follows function”. But what is the distinction between the two? There are application security architectures, infrastructure security architectures, heck once you start getting into SABSA, there is a model for policy security architecture! So what are all these different architectures? What do they mean? Are they just ‘fluff’? Or is there something more?

(more…)



We’ve talked quite a bit about PCI DSS compliance here; (http://beastorbuddha.com/category/pci/). Generally, we’ve looked at what is going wrong, what can go wrong and from there, what organisations should be considering to do it better. Looking at it from a slightly different perspective here but not wholly new either – we’ve touched on and skirted around this a few times.

While PCI DSS has been a good wake up call for many organisations, there’s a negative side also which doesn’t get much attention – lost in all the talk about the benefits that PCI DSS has provided organisations who’ve previously had weak to non-existent security practices – security strategy based solely on compliance.

It doesn’t work.

(more…)



Patrick Gray delivers Australia’s best Information Security Podcast here at Risky Business.

In this podcast, he talks with regular guest, Securus Global’s, Declan Ingram:
http://risky.biz/RB2-declan-forrester

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



The APRA “prudential practice guide”, (PPG234) hasn’t really come out all guns a blazing so far has it? (Press release and document here). Or has it?

It would be interesting to know from readers if anyone has yet been involved with PPG 234 and APRA. ie; Are you talking about it? Are you adopting the “principles”? Are you dealing with APRA in any sense regarding the “principles”?

We mentioned in a previous post that it’s very similar to the Monetary Authority of Singapore’s “Internet Banking and Technology Risk Management Guidelines“, only seems to have no teeth and is a decade behind.

Lets hope not. I talk in this post here recently about regulation and the impacts of enforcing stronger controls and practices on organisations – in particular, the financial sector. APRA has never really given us any indication of heading down this path like the MAS and other regulators in the region have. You have to wonder why not? Seriously. (The simplest answer probably is that it’s all too hard, lack of funding and support etc etc). So what’s the point of it you may ask? And, that would be a fair question.

I welcome your thoughts on this.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



(Also posted this as a question on Twitter; @ddrazic).

Does anyone know a website that documents and posts links to all the more well known Annual Security Surveys and Reports? So many come out, it’s hard to keep track of them all these days.

While I take most with a grain of salt, some do have some decent substance in there. Which ones do you read and which ones do you brush aside? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out “Emerging Threats” presentation, (circa 2002) and done it word for word, (with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) ).

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



Older Posts »