“Emerging Threats” – Most “emerged” a long time ago….Emerging Responses?

Posted on March 8th, 2010 by Drazen Drazic

A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons). What do you do? Continue to rehash the old stuff? Sometimes!….which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough but when looking back over previous such presentations we’ve been doing over the years, nothing much was changing – in particular our recommendations on how organisations should be dealing with “emerging threats”. We could have almost just pulled out “Emerging Threats” presentation, (circa 2002) and done it word for word, (with only a few very minor wording and definition changes, eg; “Cloud”, “APT” etc :) ).

Should we be calling these presentations; “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them), emerged a long time ago. In many cases, we just call them different things now because we’ve failed to deal with them properly at the time, so it’s easier to rename something – makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime, governance | 6 Comments »

Symantec Customers Immune to Rising Security Threats! (Late Update: Maybe Not!)

Posted on February 23rd, 2010 by Drazen Drazic

Symantec Press Release 22 February, 2010: Symantec 2010 State of Enterprise Security Study……

(Time to pump out another piece of marketing to get people thinking about buying Symantec. Here’s the report if you are interested in wasting a few minutes).

Just reading this now…….wooo…..hang on……what I don’t see anywhere in this report is a proud statement that Symantec customers are the lucky few that are safe from malicious attacks that other businesses are facing.

Why is this not in there Symantec? Surely you should be beating your own drums given you so proudly told us all some time ago that your product(s), and I quote; will provide “…proactive protection against unknown and zero-day threats”. It’s the Symantec Guarantee!

As such, surely Symantec customers do not have the same concerns as those poor businesses you mention in your study. Let us know if this was just an error on your part, or Symantec just not wanting to show off here because, surely you would not use bullshit marketing in the past?! :)

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Posted in Bad Stuff, Dumb Security, Too cool, Vulnerability Management, WTF, cyber crime | 20 Comments »

Looking at what makes good Application Security knowledge.

Posted on January 7th, 2010 by Drazen Drazic

It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses it’s own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against, and detecting fraud. It’s “security” by definition but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrow focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:

Read the rest of this entry »

Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Forensics, IDS, IPS, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime, governance | 6 Comments »

Outsourced (unauthorised) Vulnerability Assessment – Testing for Porkies!

Posted on August 28th, 2009 by Drazen Drazic

Looking at data like this from the Conficker Working Group and talking to many Information Security Managers/CSOs still having to deal with outbreaks in their organisations, you have to wonder what’s going on? The general theme seems to be; “Infrastructure lead told us this was under control….they patch (always!)…..they now tell us [post infection], they “sometimes” patch!….Now it’s out of control!”

LOL…usually same guys who see no merit in vulnerability assessment/management systems and penetration testing (plus security in general?). Why buy something like QualysGuard when you can get a pretty thorough test for free I suppose? (If you can deal with the repercussions). From the CSO perspective; Automated Porkie Testing…no client-side input required. :)

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, WTF | 1 Comment »

Macs, Snow Leopard, Malware etc….

Posted on August 27th, 2009 by Drazen Drazic

I suppose having some form of detection “engine” at the ready even if it’s just sitting idle, (if that is really what Apple is considering and it’s not just speculation waffle), makes sense in the longer term…..if that one day comes where all us Mac users come under attack!? Quicker to download a signature than a complete application when time could be of the essense. But if gameovered….doesn’t matter anyway, Hmm….Nothing new here.

Posted in Bad Stuff, MAC Security, Vulnerability Management | No Comments »

Randon Links and Rants…….

Posted on August 22nd, 2009 by Drazen Drazic

- Didn’t the 4 Corners Episode; “Fear in the Fast Lane” generate some discussion and debate this week? I didn’t post anything about it myself here for a couple of reasons; (1) I didn’t think anything new and worthwhile was worth highlighting, and, (2) People were “twittering up a storm” over it – some of it very over the top. (Refer to #4corners on Twitter search for more on that). Interestingly, from within our own industry, the discussion was more personal – questioning people’s credentials as “experts” as opposed to the actual content itself in many cases. Some fair questions raised and some not so in my opinion. I welcome your thoughts here.

-Which leads me to discussions and analysis on who are the “experts”. Anton Chuvakin, our Qualys and PCI friend ponders the question here; “A Myth of an Expert Generalist“. The same question was also raised in the Beast or Buddha forums a little while ago in the post titled; “Internet Security ‘Expert‘”. I had some thoughts on this topic (and the 4 Corners episode) on my twitter; here and here. Chris Gatford, an industry colleague in Australia and one of the people heavily featured during the 4 Corners episode responded to this here.

- Hackers vs Federal Police was a big story this week here as reported in the SMH; “Hackers break into police computer as sting backfires“. Some things get reported and some don’t: http://r00tsecurity.org/files/zf05.txt. No more to add. Everyone’s a target and everyone’s ownable (well at least you’d bet on it it being the case). Kind of makes a mockery of some of the talk on the conference circuit. Waffle vs substance…what do people want to listen to? Can most even judge?

- I’ve recently been invited to write for Tek-Tips Forums. Yep, that’s my mug. I’ll link the posts from here also when I remember to do so. After coming back from a holiday, the inspirational juices aren’t really flowing but I expect things will start to annoy me and then I’ll be back to normal. :)

- Had to repost this one: “How not to setup a Hotel Safe”; I took this photo recently in a hotel in Croatia. At first I thought I must be missing something here (like being able to program the code) but no, this is it. Needless to say, I didn’t use the “safe”. :)

- And finally, off the Information Security topics. The latest issue of Top Gear magazine (which I thought was not the Australian one – yuk….but seems now like some sort of a combination of Aus and UK) has a home fridge magnet Cool Wall – most cool! Here’s my “Cool Wall“.

Posted in Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | No Comments »

A CIO and CEO Guide to improving corporate security today – it is possible.

Posted on August 10th, 2009 by Drazen Drazic

Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seems to be the audience.

Should be fun…..there is no slides…….just talk…..they accepted that….(somewhat I think). :) I prefer to just talk……

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.

Posted in Applications, Bad Developers, Bad Stuff, Disclosure Laws, Dumb Security, Firewalls, Forensics, PCI, PCI DSS, Research, Risk Management, Securus Global, Too cool, Vulnerability Management, Web Application Security, cyber crime, governance, news | No Comments »

Evaluating Automated Assessment Tools

Posted on August 5th, 2009 by matthew

By Declan Ingram

Over the past few years we have seen more and more automated scanning tools being used as the primary source of application assessment. A couple of years ago, when we were S-A.com, one of the guys did a very comprehensive test of all the available scanners, and the results were mediocre at best. In fact, as a result of these tests, we decided at the time that they added little to no benefit to our testing tool-chain.

Recently, with the enforcement of PCI Web Application Security Assesment requirements, clients need to have the coverage for all of their applications and do not have the funds available for full manual testing.

The three that we have been looking at recently are AppScan, Acunetix, and Burp Professional. Burp is a little bit different, in that it’s primarily a manual assessment tool with some scanning features.

We have been judging the quality of these products based on false positives, false negatives, and code coverage. The applications have all been web apps: HTML, JSP, ASP, PHP, old, new, good, bad, ugly, etc.

The results were……interesting:

  • All scanners needed a lot of manual work to get any reasonable amount of code coverage.
  • There were a huge amount of false positives.
  • There were many false negatives. (Probably more than we know :-) )

However, these flaws can all generally (possibly excepting false negatives) be negated with a qualified person running the scans, and verifying the results. So this is really not a problem, right? I mean, it’s how the vendors advertise their low false-positive and false-negative rates.

The big problem, as I see it, is that these applications are not sold or targeted to specialist testers anywhere near as much as they are marketing to coders and auditors that do not have the skills to use them effectively. This negates the whole idea and provides a false sense of security!

The outstanding product here is burp, it’s a semi-automatic scanner, so it requires a skilled tester to use, but it’s a fraction of the cost and is targeted at the right market to get results.

Posted in Applications, Vulnerability Management, Web Application Security | 9 Comments »

Busting IDS/IPS/WAFs/Firewalls Revisited……..

Posted on July 7th, 2009 by Drazen Drazic

It’s been almost 2 years since Declan Ingram did this presentation at Kiwicon that looked at perimeter security – IDS/IPS/WAFs/FWs etc and “Managed Services”.

Listen to the start of the podcast for the introduction….some good stuff…..and then the full presentation starts at 14:50. As Patrick Gray of Risky Business says; “If you are a Chief Security Officer, this is a must listen”:
http://risky.biz/netcasts/risky-business/risky-business-49-your-shiny-new-ips-wont-save-you

Talking recently to a client who is about to go into RFP for a “managed services” solution highlighted to me that many organisations are still struggling to understand what it is they actually want vs. what they will actually get/end up with. Accountability hand-balled? Better Security? Meeting Compliance? What do they want? Read on:
Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Risk Management, Vulnerability Management, Web Application Security | 4 Comments »

Review of Information Security and Risk Management Strategy – Complex or Straightforward Exercise?

Posted on June 12th, 2009 by Drazen Drazic

In any strategic planning cycle, performance and strategy re-assessments are a vital component in keeping a strategy effective and up to date.

One way to measure the performance of the Information Security strategy is to develop a set of metrics that include benchmarks across the various phases and sub-phases of the strategy. The goal of the metrics is to help; define the strategy framework, communicate the strategy (by specifying performance measures), track performance (by collecting valuable information pertinent to the phase of strategy), increase accountability (by linking metrics to performance appraisals and business plans) and to align objectives of individuals, teams and the organisation itself.

In most cases this is easier said than done but investigation should still be undertaken into the creation of a metrics and strategy re-assessment process that covers at a minimum (thanks Rayport and Jaworski for the inspiration):

•    Articulation of the Security Strategy.
•    Translating Strategy into Desired Outcomes.
•    Devising Metrics.
•    Linking Metrics to Leading and Lagging Indicators.
•    Calculating Current and Target Performance.

How complex an exercise is this? In recent weeks I have done a couple of presentations to boards and senior management of organisations who are keen to evaluate the effectiveness of their current strategy(s)?

Are exercises like this 12 month+ plus projects ala Big 4 massive undertakings (costing millions) or can an experienced eye provide the same end results in a fraction of the time? Read on.

Read the rest of this entry »

Posted in Bad Stuff, Risk Management, Vulnerability Management, governance | 10 Comments »

Crime Insurance – Implications of bad business IT security practices……

Posted on May 25th, 2009 by Drazen Drazic

Interesting looking at the latest Crime Insurance Renewal forms I’ve been sent. A hot topic from a discussion perspective a few years ago in regards to being a potential driver of better IT security practices in business, but it fell off the radar somewhat in recent years. I have to ask, has it finally seriously arrived (at least here in Australia)? Has this quietly snuck up on us and is now about to be the next “PCI DSS”?

Obviously if you had good IT security practice before, PCI DSS compliance wasn’t a pain, and if you’re PCI DSS compliant now, then Crime Insurance requirements won’t be a pain….but if you haven’t got the first and second ones under control, well here’s another concern to add to the list. And, for those of you that were not required to be PCI DSS compliant, you’re now probably going to feel the pain you thought you were lucky to miss out on.

Now this one could be the biggest of the lot. Read on…..

Read the rest of this entry »

Posted in Bad Stuff, Risk Management, Vulnerability Management, Web Application Security, cyber crime, news | 7 Comments »

Application Security Reviews – Pitfalls, Dangerous Mistakes and Assumptions

Posted on May 24th, 2009 by Drazen Drazic

Reposted (post accidental deletion).

On the phone last week to a CIO friend of mine discussing his organisation’s new “critical” business application that ties together much of their business into one, somewhat central entity (ERP if you like to a degree). He wanted to talk about securty testing the “application” before it went live.

I asked the obvious and was told it was due to go into production in 4 weeks. He knew what my response would be so pre-empted it with; “I know, I know…we should have done more security homework and testing sooner than this, but with the business pushing it, and they ["the business"] not really wanting to listen to concerns about security, but rather focus on deployment deadlines to fit in with business marketing strategy, my hands were tied!”. (Typical I thought and no need for further comment from me here, as you know what my thoughts are).

After learning a bit about this application from him, I directed him to this post: “System” view security vs. “Application” view security and suggested he have a read. (He did recall reading it before but I think it didn’t sink in). Read on…

Read the rest of this entry »

Posted in Applications, Bad Stuff, Dumb Security, Risk Management, Vulnerability Management, Web Application Security | 4 Comments »

Vulnerability Disclosure. Keen on People’s Thoughts.

Posted on May 23rd, 2009 by Drazen Drazic

I’ve posted quite a few times on this topic over the years but things change over time and I don’t think we’ve (the industry) ever been more fragmented in terms of what we think is right or wrong about this topic? I am really keen to hear what people think, in their opinion, is right and what is wrong about vulnerability disclosure. Please post your thoughts.

Posted in Vulnerability Management | 10 Comments »

Hiring Convicted “Hackers”……

Posted on April 20th, 2009 by Drazen Drazic

Just reading the latest thread here in the Forum. It’s a fair point raised. Something we’ve talked about for a while…..

In my opinion, it [hiring convicted hackers] demonstrates something deeper than just the face-value story of convicted hacker being hired and the ethical issues associated with that. (I’ll leave discussion on that part as it’s been done to death before).

What it really demonstrates in my opinion is seriously dumb senior management who seem to have a belief that rogue “hackers” bring to the table something special…..something they have no idea that they can already get in the scores in the mainstream professional Information Security industry. (eg; As I have said before, I believe pound for pound NZ has some of the best IT Security researchers in the world….If I was TelstraClear, I’d have about 20 others on the list before hiring the kid they did). Look, good luck to the guys being hired. You have to make a living and if someone wants to offer you money/job etc well….

Read the rest of this entry »

Posted in Bad Stuff, Dumb Security, Research, Vulnerability Management, WTF, Web Application Security, cyber crime | 12 Comments »

Where did the Role of the CIO go wrong? Part I

Posted on April 13th, 2009 by Drazen Drazic

This is far from my first post on the role of the CIO. While most posts have been focused on the [CIO] failures to fully understand the role of Information Security professionals and the industry in general, many [posts] have also looked at the fundamental failures of CIOs and their roles in business. The two are interdependent.

Somewhere around the late 90s, this “CIO” title started to became the role “title” of choice for the most senior IT person in the organisation. Out went “IT Director”, “IT General Manager” and similar titles, and in came the trend of “CIOs” starting to consider themselves business people. Now at the time, most CIOs were IT people and drawing that long bow to be now viewed by their own staff as “business people”, created one of the major turning points.

This has been a catalyst for leading our industry into more than 10 years of little change in regards to significant IT development, better security, and to an extent, relatively effective control of IT in a business, any potential, and most importantly, understanding and forceful commitment to the emerging Information Security industry and the rising impacts of the latter to business. Is this the reason good information security adoption has lagged, and to many extents, is just plainly non-existent in many organisations?

Taking this deeper, without that critical mass of acceptance at that senior level – the representative voice of IT to the business and flow-on effects to society as a whole has failed. Accountability means little to nothing in the overall scheme of things pertaining to longer term strategy – “Governance” in IT security overall would be deemed a failure. Risk Management across an enterprise from a holistic view is a failure. (In silos, there are some successes but what overall benefit if the business as a whole has no business-wide understanding of itself). Without this review and the most basic and potential root cause analysis and planned treatment of the root causes, we have the lack of progress, (though some would call total failures)….should we expect to be in a better position now or in the short term future?

Part II will look at more detailed analysis of the CIO in business and their relation to IT Security. Thanks to Donal for this one:
http://chucksblog.emc.com/chucks_blog/2009/04/thoughts-on-the-state-of-the-cio.html

Why aren’t CIO’s competences being analysed from within their own departments? While I know so many good CIOs, I’ve met far more who are out of the their league and you wonder what they really know. If they want to be “C-level” people, they need to be more scrutinised in the same way as CEOs and CFOs (even though we know that is also far from ideal a lot of the time)..

Stay tuned for Part II

Posted in Bad Stuff, Dumb Security, Risk Management, Uncategorized, Vulnerability Management, WTF, cyber crime, governance | 1 Comment »

Workarounds, accepted mediocrity and questionable future benefits/improvements….

Posted on March 22nd, 2009 by Drazen Drazic

Setting the scene with recent somewhat provocative posts to generate some thinking, debate and discussion to get some interest before some context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?). To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and was I shooting myself in the foot with some vendors now and in the future? (Hey, big assumption that anyone actually reads this stuff I write). For the latter, I probably was/am but as most people know, I am not scared to put my opinion out there for critique, flames, but most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory boy thing and it is what it is and I don’t profess it to be anything it is not. (Refer to top right corner of home page for the disclaimer).

So getting to the point of this (…finally you’re probably thinking). WAFs are an easy target to generate discussion (polarising more than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched into our industry, through to strategic thinking and approaches that look at where our industry is, where it should be and most importantly, the steps to make valuable, and most importantly, significant steps to improve IT, business, home and society in general. Read on:

Read the rest of this entry »

Posted in Applications, Bad Stuff, Dumb Security, Firewalls, IDS, IPS, Internet Filtering, Research, Risk Management, Vulnerability Management, Web Application Security, cyber crime | 3 Comments »

Random Things – Busy Few Weeks

Posted on March 20th, 2009 by Drazen Drazic

- Just got back from New Zealand. As always, great to get over there but wish I had more time. NZ has to be the pound for pound world leader in researchers and research. So many good guys there! And there’s also Kiwicon.

- Pat’s kicked off a new site at Risky.Biz. Some really cool stuff now and a heap of new things coming up. Good luck with it all Pat!

- Been following the SPSP/PCI SSC latest here at Mike’s site.

- New jobs posted at Beast Hot Jobs. Still working to get this going. Yeah, I know, wrong time but hopefully we’ll get there. Check it out.

- Internet Filtering/Censorship in Australia: Trying not to post too much on this because I keep hoping it will just die, but everytime I start to think it is going away, it comes back. Example here. Things in NZ are not much better, potentially worse. All really scary stuff.

- I wonder what I could have seen if I plugged my laptop into the cable poking out at Sydney Airport where another parking payment machine should have been. Nah…probably not much.  :)

Posted in Dumb Security, Internet Filtering, PCI, PCI DSS, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, news | No Comments »

Random thoughts….Is it just me?

Posted on March 10th, 2009 by Drazen Drazic

- Centralised password management tool here. Vuln free delusions – be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp 14-15 in the September 2008 Edition. (May have to sign-in now to read it).

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20 odd K if we decide to become an ASV also again. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money making grabs on their part. Danger for all is that if only the Big guys eventually are the only ones who can afford this, the level of QSA expertise and subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker so who wins? Do I battle these guys again or just suck it? No appetite at present for another battle with them. Read on:

Read the rest of this entry »

Posted in Bad Stuff, Disclosure Laws, Dumb Security, Ford Falcon, PCI, PCI DSS, Research, Risk Management, Too cool, Vulnerability Management, WTF, Web Application Security, cyber crime, news | No Comments »

On my list……

Posted on March 9th, 2009 by Drazen Drazic

Anton tells me he will be mind-blowingly awesome here so I have no choice but to listen into this one:  :)
——————————————————————————-

PCI Myths: Common Mistakes and Misconceptions About PCI
Presented by Anton Chuvakin and Terry Ramos of Qualys.
Date: Thursday, March 19, 2009
Time: 2:00PM EST/11:00AM PST
Register here.

——————————————————————————–

Unethical Hacking – by Immunity
June 22-26, 2009
Duration: Five 8-hour class days
Location: Canberra, Australia
For more details about the class, please click here.
———————————————————————————

Yes, (open disclosure), both companies have business relationships with Securus Global.

Posted in PCI, PCI DSS, Vulnerability Management, Web Application Security, news | 3 Comments »

Not Patching Oracle – Risky Business

Posted on March 5th, 2009 by Drazen Drazic

Patrick Gray interviews Securus Global’s Declan Ingram on Risky Business 98. Make sure you listen to the end of the podcast. :)

Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Risk Management, Securus Global, Vulnerability Management, Web Application Security, news | 3 Comments »

« Previous Entries