This recent story from Computerworld, “Australia’s data privacy landscape called into question”, provides further good insight into the proposed data disclosure laws being introduced in Australia.

Yes, as you know, I think this is a good thing. See previous posts.

But let’s not kid ourselves and think a law like this on its own is going to quickly make big changes. It has been stated many times that this law in the US has improved Information Security practices greatly, but how is this being measured? A few major news stories do not mean that better practices have been deployed across the board. All it highlights is that now, when someone is openly compromised, they have to lay their cards on the table.

The biggest problem we see in this respect is that most companies would not know if they had been compromised. I hate to keep referring to TJX, but they are a classic case study. How long had the compromise been going on before it was detected? From our experience, the problem is far more widespread than most people believe.

Unless any such law is backed by strong supporting laws around Information Security practices and controls, the 3 monkeys approach will remain the leading Information Security practice in existence! I.e. we know nothing, therefore we have nothing to disclose.

In which case, bet your house that even if the law comes into existence, you won’t see too many “disclosures”. And, based upon that, business will continue to think that the IT Security industry just hypes the risk to make and keep itself in business.

Standards like PCI DSS drive better Information Security practices, but even combined with disclosure laws they still don’t fully get around the 3 monkeys approach. Just throwing it out there, but maybe something along the lines of:

Standard x.x: In the event of a major/critical vulnerability being detected on an Internet-facing system, the organisation must undertake an investigation to determine whether the vulnerability has been exploited and to what extent.



Posted in: WTF


Things can change quickly if you believe everything you read on the topic of bad guys vs. antivirus developers:

The battle is being lost and the bad guys have the upper hand: Network World 31/01/07.

The battle is being won and the antivirus developers have the upper hand: SC Magazine 10/08/07.

I find the latter story a bit hard to fathom. It seems to go against everything else we’re reading, seeing and hearing about. Virus-specific? Maybe. But the story doesn’t just focus on that.



Not IT security, but maybe to a degree. I’ve often been accused of posting the most controversial rants here late at night – the insinuation being along the lines of in vino veritas. Sometimes, but far from regularly. I note the same in other blogs, where some amazing thoughts seem to be presented at a late hour. Some recent responders to posts here… well, yeah, I reckon.

I wonder sometimes if alcohol, drugs, depression/misery and other mental conditions were given to mankind to help us evolve, be creative and make life what it is today?

I’m really going to generalise and present bugger all figures of nothing… just throwing out a few things: (more…)

Posted in: WTF


As reported in ComputerWorld, it seems Disclosure Laws are now on the agenda for Australia.

Related posts: http://beastorbuddha.com/category/disclosure-laws/.

Okay… some progress, but let’s hope we get this right by ensuring that the framework and processes around monitoring and reporting are in place in organisations, so that they are in a position to detect and report. The real danger, as we continue to document here, is organisations having no clue as to what is going on within them. In such cases, what is there to report? The 3 monkeys strategy beats all!



Courses that teach under-skilled individuals the basics of “hacking” are a worry to me. Companies that teach “ethical hacking” courses are a worry… most I know I would not hire to review a static one-page site. What is it that they are trying to achieve? I have read the course objectives for pretty much all of these courses and they worry me.

So… a big company that can afford to send its netadmin to one of these courses now thinks the netadmin can do network and web app pen tests… saving bucks by not hiring a third party?!?! Akin to me reading the “Idiot’s Guide to Accounting” and professing to be able to manage the financial books of News Limited.

Come on… WTF… give the professionals some credit!



From the SMH, Elton John’s war on the web.

Maybe 1 week a month? :-)

Posted in: news


I’m booked in to do the following… just saw this link… so if you are in town and free, or rather you have the money… (the second one… not the usual “7799 will set you free”):

I was just about to bag most Security Conferences and then remembered this… I’ll make my mind up then… after this. I can’t vouch for this one… there are so many of these things during the year now… and most are BS. What I can guarantee is a laugh, and you already have that now seeing my old ugly rugby head. The content? God knows… I will probably make it up as I go… they caught me at a bad time… you can get this from SA for free most times anyway.

http://www.terrapinn.com/2007/srm_au/Custom_17307.stm

Posted in: Uncategorized


I’m going to turn BorB into a soap opera for the next week or so. I’m going to report on our “discussions” with the web developer who was a leading player in:

Web Applications more secure these days? Not from where we stand!

Securing Web Applications… choose your developers carefully

It seems that the “developer” believes they have done nothing wrong and continues to argue the point with the business that they are under no obligation to fix anything, because what they have delivered is good (or so we are told). As background, we have until now been kept out of this by the business, who assumed the developer would be reasonable. Not the case… thus, next week, we have been asked to meet with them. The shotgun is ready and the fish have been loaded into the barrel. Stay tuned.