The amount of information coming out of US Government bodies on cybercrime, information security and the real and immediate danger faced by all businesses has grown remarkably in the last 12 to 24 months. Just one recent example: “‘We’re all at risk’ of attack, cyber chief says”. (In Australia, Government action, as Borat would say: “Not so much!”) Online and print IT magazines and journals have dedicated IT security sections now. We even read more about the issues in the standard press. More and more universities now offer IT security courses. (Though the quality of many is questionable, it’s a start.)

But has anything really changed that much in reality in 2007 where it matters, i.e. in the minds and actions of businesses and individuals?




In recent times, we’ve had proud announcements from some banks that you will no longer even have to sign for purchases on your credit card. Just swipe it and that will be it!

I know that at places like the Sydney Airport carpark, among many others, as long as you hold a card, you’re sweet! Swipe and go!

Are we going backwards or what?

In the last two weeks, some banks here have even been marketing “smart card” (yeah, right) technology and promoting how easy and good this is… so simple for the consumer… swipe and go! These are not pre-paid cards… these are credit and debit cards!

So let me get this right: you give us a credit card… we decide to purchase something… we swipe it… the cashier acknowledges there are funds and we move on?! WTF?!

We work with PCI DSS on the back end, and on the other side we have this? It’s not normal!

Carl G passed me this some time ago… well worth a read and a laugh… makes it all irrelevant, doesn’t it:

http://www.zug.com/daily/journal/archive/2002_05_05_index.html



Following on in the series of posts about being an internal IT Security Head, I was talking to a mate today who is about to start as the Regional IT Security Manager for a large global entity.

My thinking is that you have only two to three months, at most, to lay the foundations for how the rest of your time there will be.

Where I am coming from is this:

1. No one knows you yet, nor what you plan to do and how you do things.
2. Because of this, it’s greenfield and you can assert your position and plans (to a degree, and within the bounds of good professionalism, obviously).
3. Because you are the new IT Security dude, and because most in the organisation will have no idea what you do or what your role is, you can develop the “role” yourself to a large degree. You can get people to buy into you early.
4. For the first few months, you are treated like an external consultant, the expert brought in to make a difference… so people will listen!

If you spend the first few months just settling in, trying to work in around everyone else, being everyone’s mate and worrying about how you’ll do things in the future, you’re lost… game over, and you’ll be in that miserable job where you complain that no one listens, cares or pays you any attention. Assert your role up front and the chances of it being that better job are good! The chance of you making a difference will be much better! Wait, and the ability to make change and a difference will be tougher. People settle into other people, and this sets how they deal with each other for the future. Becoming a proactive go-getter after people have “settled” in with you is a tougher assignment.

Hey… it sounds like I am preaching, but from my experience it’s close to fact. (This applies to all jobs, not just our industry.) Have a think about it. As usual, open to your thoughts, comments and criticisms.

Posted in: governance


Is it just me who finds something wrong with the Toys R Us approach to charity and their support of the Children’s Hospital?

For those of you who have no idea what I am talking about, and have never been into a Toys R Us: when you purchase an item, the standard line from the cashier before you pay is, “Would you like to buy a balloon in support of the Children’s Hospital?” The balloons sit next to the cash register. Now, the first few times I did, thinking: yeah, good cause… happy to!

Posted in: WTF


You may have read this morning that Datacraft NZ has purchased Security-Assessment.com in New Zealand.

I just wanted to highlight that this is only Security-Assessment.com NZ, not Security-Assessment.com Australia/Asia Pacific. We have not sold out, and our business operations, team and approach to the IT security industry remain the same. We wish NZ all the best, but it’s business as usual for us here in this region.

If you have any questions, please don’t hesitate to call or email me.

Posted in: news


As the latest hot topic in the mainstream press for “security” issues, Facebook has copped quite a bit!

FFS, is Facebook really the biggest problem we have? (Aside: FFS… I thought I had invented a new one, but I had not… found this link.)

As usual, the mainstream IT press diverts attention from the real issues to the hot topic of the day. YES… Facebook can be a BIG problem, BUT… gees… we’ve got much larger ones! Facebook security is in the hands of those participating, i.e. within their control! Supposed press awareness is good, but who are you kidding?

Yes, the real issues do get reported here and there in the mainstream press… very ad hoc… but at the end of the day they get replaced quickly by the latest large vendor product release announcements and something bad in Facebook (or similar), like vampires biting people.



One of the biggest issues we see facing CSOs and IT Security Managers is the effective communication of business risks to those stakeholders ultimately accountable for the business (commonly referred to as the C-level team).

(There are quite a few posts in here about the tough job of being an IT security person in any organisation, and I’ve always been pretty blunt in my assessment of the state of the industry.)

The recent poll on Beast or Buddha (NB: not a definitive sample by any means, and done with about as much context as most annual surveys, but I would not say it is too far off how things actually are) had over 70% of respondents stating that their organisation did not seem to care, in addition to being in a bad way from a security exposure perspective.

I wonder how many Security Managers, to an extent, just give up and go with the flow, being careful not to upset the status quo and simply believing that this is how it has always been and how it will always be… (or at least until something really bad happens).

More than 50% of the senior IT security people I speak with are not overly happy in their jobs. Most of these guys also believe that the chances of it being better elsewhere are remote. Is the industry really that low?
(Why would anyone be an IT Security Manager?)

If it is, how can we expect changes, and to finally get those C-level guys to start listening?



I’ve always had a problem with these calls, in particular when you know they are from a call centre. The ones I get generally go this way:

Caller: “Hello. Is this Mr Drazic?”
Me: “Yes it is”
Caller: “I’m from Company X (generally a bank or telco), and before I start, can I get your full name and date of birth?”
Me: “And what’s the purpose?”
Caller: “I can’t disclose that until you confirm your name and date of birth (plus additional information I will ask after that)”
Me: “You just called my number where I live and I confirmed it was me”
Caller: “But I need confirmation by you telling me your full name and date of birth and further questions I will ask”
Me: “Well if you tell me what it’s about, I’ll consider it”
Caller: “I cannot until I confirm who I am speaking with”
Me: “Well, there’s a good chance that you are speaking with me, given you called my number.”
Caller: “But I need this information to discuss something with you”
Me: “Well, it is me, but how do I know you are from Company X?”
Caller: “I am”
Me: “Okay, can I start with your full name, address and date of birth please plus a number I can call you back on?”
Caller: “I cannot give you that information sir!”
Me: “Why not?”
Caller: “It is against policy!”

And so it goes round and round.



This one from the Times Online openly warns businesses that they are being targeted by state-sponsored attacks. (Aside: “state sponsored”? What a dumb term.) (Also covered by Howard Dahdah in Computerworld Australia.)

What is it with this softly-softly response to these potential and real “attacks”? How many official responses to the supposed evidence that this is occurring are being sent to the countries involved? Is it a case of governments just not being sure how to approach this subject? Probably.

Do we know how serious or what the implications can be? Of course we do.



The great case study in what can go wrong (TJX) continues, as reported in TechNewsWorld, but are lessons being learned from this? I asked this question a while ago, and the answer probably has not changed.

At the recent AISA Seminar day in Sydney, PCI DSS compliance was a big talking point, and a presentation from “Sense of Security” covered the state of the industry in Australia. While the IT security community talks about it, though, the feeling from the major players (PCI, banks and IT security people) is that there is a long way to go. There is progress… but it’s slow… really slow! Australia is reported to be the leader in Asia Pacific. Gees, how bad is everyone else in the region?!

Every step forward is a battle: PCI to the banks. Banks to their own account managers. Account managers to vendors and service providers. Security Managers to the business stakeholders. Why is the loop so large? Why isn’t the link to the CEO/CFO direct? Make sense? I ranted around this topic on ITSecurityLink and put the case for quicker progress out there, but as usual we (IT security people) are a very insular community in some respects, viewed from the inside and, unfortunately, from the outside.

2008 is now supposed to be THE year, but we said that for 2006 and 2007 with regard to PCI. Are we then taking further steps away from the core issues we are trying to address? Compliance vs. security, heading in two different directions? (A topic also covered at the AISA day by Nick Ellsmore from SIFT, the best presentation of the day.)

Related posts: http://beastorbuddha.com/category/pci-dss/


