Unless I’ve missed something and it’s certainly not in section “51. Data Breach Notification” of this 2600 plus page Australian Law Reform Commission document, we’re still lacking some fundamental basics to any data breach notification law being successful.

As it currently sits and is proposed, the organisations that stand to be impacted the most are the ones that probably have the better Information Security and Privacy policies in place.

In basic terms, if you’ve got good practices and controls in place, you’re more likely to detect a breach and/or disclosure of private and confidential information. Thus, you will have to openly disclose. No need to drill down into the potential business and reputational implications to the organisation.

If your practices and controls around information protection are weak, you’re probably clueless as to whether a breach has occurred, so what you don’t know doesn’t get reported. Practice the three monkeys approach to Information Security and proposed data breach disclosure laws will have little impact upon you.

These laws will never be successful without supporting legislation/regulation around basic and minimum security practices and controls. See previous post on this topic:

Regulation does not need to be considered bad. See discussion on regulation here.

We can debate whether high-level statements of requirements in the Privacy Act will cut it, but in my opinion, they won’t... they haven’t so far, so what would change things now?



This topic has been hot again in recent times and we’ve been asked a few times what our position on this is. In the past, and with our previous relationships, we’ve been in the “responsible disclosure” camp. Advisories went out after the vendors had announced patches to the vulnerabilities announced (and in some cases exploits were developed in parallel to confirm the proof of concept). It seems the camps are divided in two as described here, but is the third option of no disclosure outside of vendor/client a major consideration that hasn’t had much discussion (relatively)? What percentage of vulns in systems and applications are never disclosed? Why isn’t this seen as potentially a major part of how vulns are dealt with? How skewed are figures in yearly stats and surveys due to this area? (And I don’t mean sales of vulns to organisations who buy them; I mean those vulns discovered in vendor systems and applications and those detected in personal engagements for clients for home-grown systems and applications.)




At Securus Global (blatant marketing plug for all readers should you need our services), when I hire specialists to join the team, “certifications” to me, mean zip…nothing….zero! We get CVs all the time and we are in a proud and lucky position based upon our reputation that people want to work at SG! I feel honoured by that and every CV sent to us, makes me feel like SG, as an organisation, is somewhere, where real industry passionate dudes want to work!

If you’ve seen my latest stuff on Twitter, you will know that I am having a go at BS certification. (Yes, I know I do PCI DSS but you know my thoughts on that!).




I was talking to a colleague the other day and we started on “data classification”. Yeah, must have been an interesting conversation to be sitting in on. :-)

Neither of us could recall ever seeing what could be termed a successful implementation, if that is the right word for it. How would you judge one anyway? That’s a big question in itself.




Declan’s recent post on logging being a double-edged sword started some interesting discussion. Anton Chuvakin follows up further on his blog and writes:

“Reverse compliance” is a motivation to purposefully avoid technologies that have a chance of telling you that you are NOT in compliance. Sadly, logging is featured very high on the list of such technologies that a) tell you about all the problems with your compliance posture (e.g. direct violations of regulatory requirements, lack of controls, inefficient controls, policies not followed, etc) as well as b) are mandated by various regulations (e.g. PCI DSS) and c) actively used by auditors for finding compliance issues.

Read the rest of Anton’s post.



With little to no regulation around IT security practices and controls in Australia, have we fallen behind other major trading partners like the US and countries in Europe? I think the answer is most definitely yes but I welcome your thoughts on this.

This is not new... it’s something I have ranted about for a while here, but as we see the landscape change elsewhere for tighter regulation(s), data breach disclosure laws for example, coming into existence in other parts of the world, we seem to talk more than act. The PCI DSS has been the biggest thing to hit Australian business in terms of some form of enforcement of good practice, and even that is operated outside of the bounds of government and local controls.

No one’s perfect, but have we really progressed much in the last few years? Sure, security awareness is higher than it has ever been, but are security issues being addressed at their core/root or does awareness just mean actioning the latest hot area/topic? I put it out there that that is the case.

Who’s addressing risk management properly? Who’s approaching security from a strategic perspective?

It’s more than just an IT security issue. It’s a business issue, it’s a shareholder value issue, it’s a national security issue..etc etc… Is regulation the key to change here? If not, what is?



The recent St. George Bank story shows how something can grow and become a bit blown out of proportion relative to the originally reported story. Some of the responses to the story on the News site demonstrate the lack of understanding some people have that drives fear in the community about doing business on the Net. Is this one a storm in a teacup? (I know I am critical at times about things we see, but on the flipside, sometimes perspective is tainted by underlying fears that have no direct correlation to the topic at hand.)



Everyone is reporting it now, but here’s one feature from the SMH. You gotta love the spin put on the announcement:

http://www.hannaford.com/Contents/News_Events/News/News.shtml

Somehow they make the following sound like it’s not too bad at all! Good luck guys:




We’re seeing this so much lately as more and more organisations are either realising they should, or are being forced into, thinking more about their IT security practices (e.g. through the likes of PCI DSS).

Good businesses that have been around for 10-20+ years are now moving almost everything online (fair enough, business opportunities need to be taken and competitive moves must be made), but geez, many do it so wrong and put a successful bricks and mortar business at enormous risk.




This is somewhat of a follow-on from BG’s last post, which came about from a conversation we were having about how much forensics and investigations work Securus Global actually did. To be honest, the answer was not much, and I did not know of too many other organisations that did much either. The odd job here or there, but nothing to sustain a dedicated business unit.

I’m not sure what it is like in other regions of the world, but the BG Ostrich RM 101 pretty much covers it and that is scary! (Obviously the banking sector is different but even then, some do it better than others in that sector).

This is nothing new. I’ve been ranting about this for a long time but things haven’t really changed much.



