It is often stated that the majority of potential threats to an organisation are “internal” threats (check most surveys and polls; they all say the same thing). Unfortunately, in many cases these internal threats don’t get the same attention or recognition as the threats posed by the bad guys on the Internet.

I’ve lost track of the number of times a critical weakness has been brushed aside because it’s supposedly on the safe side of the network and not accessible to the bad guys. (Is it really? Oh, it must be, there’s a firewall on our perimeter that keeps us secure.) If internal threats, as we are told, present the biggest risk to organisations, why is this the case?



Interesting figures from ISS on vulnerability numbers in 2007. “Reported vulnerabilities” should be the key consideration when reviewing these figures. Do I think the number of vulnerabilities has gone down, as the graph suggests? No way!

Statistics can be misleading. There are too many factors to take into consideration, and ISS puts forward some of them in this blog post, but this one, “The 5.4 percent decline in 2007 could simply be a statistical correction to the growth in vulnerabilities in 2005 and 2006”, reads like we’re working on a system like a stock exchange. We ain’t.




The OWASP Australia AppSec 2008 Conference is on February 27-29th. Details here.

Looks like it will be a good event. Who’s going?



Just like the posts I have written before about the issues internal security people deal with daily in trying to get recognition for the security problems their organisations face, the role of consultants is very much overlooked at times when viewed from a similar perspective.

In most cases, the consultant is engaged on a job, does the job, writes the report, presents it and then leaves. Most good consultants will try to maintain a relationship that allows the client to follow up at any time with questions about the work and the remediation advice recommended. Most good consultants will also, as part of their work, identify issues outside the scope of the engagement; you just see things that are wrong, and an experienced eye will. That information is also passed on to the client. At the end of the day, the root cause of why the issues exist is evident, and based on that it’s clear that the same root cause will and does affect other areas outside the engaged scope (something the client should also be addressing).

Now, if you’re still following: how does a good consultant switch off, so to speak, from a client that is clearly in a bad way and is doing nothing about it?



