It’s always interesting reading about larger scale fraud like this one recently with the Bank of Queensland. You wonder in cases like this, had the accused pulled the pin earlier, would he ever have gotten caught? You wonder how many do get away with it – stopping before obvious alarm bells start to ring?

There’s no generic solution/strategy for fraud detection to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought in regards to securing systems and actually defending against and detecting fraud. It’s “security” by definition, but are many blinkered in regards to what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession on only vulnerabilities and technical attack vectors (new attack type X, new attack type Y – all generally old stuff just re-invented in different ways but promoted as new big things by many in the industry). It’s such a narrowly focused view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:




There’s always a load of articles talking about the “core security skills” that security professionals and companies will need to develop. With 2010 approaching, we’re starting to get the typical 2010 recommendations and predictions articles on this topic.

I wonder if many of these articles are written by, and targeted at people and organisations who might just be waking up out of their slumber into the real world that we, (security people), have lived in for the last 2 or more decades. The alarm’s on snooze still though in my opinion.

I find this interesting. Aside from keeping up with technical/researcher type knowledge, (which most of these articles rarely refer to), what are these new “core skills” that we should all be developing? Keen to know if I have missed anything.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



This is a post from 2007. The theories and concepts date well before that. Taking technologies themselves aside, nothing much has changed in the last decade (and one can argue that the technologies themselves haven’t either). Basic foundation principles, or rather the lack thereof in our strategic approaches and thinking in regards to Information Security and Risk Management, are rarely addressed and thus we fail without even properly beginning the defence…or is that the offence?

Anyway, please read on and I would welcome your thoughts on whether you think anything has changed to make this any less effective.




Transcripts from the 4 sessions. Interesting but a concern from the perspective that it seems Government does forget things it has done in the past and seemingly starts from scratch each time. Just my opinion. Light reading (and I mean that), but worth a skim through:

http://www.aph.gov.au/house/committee/coms/cybercrime/hearings.htm

Thanks @cmlh for the link to this.



By Declan Ingram

There has been a lot of discussion on here about 3rd party/cloud computing etc. security (or lack thereof). For many, this didn’t seem hugely relevant at the time as there was always a choice (or people just didn’t think it was going to be something that affected them). Recently however, the choice seems to be getting smaller.

The 3rd party management model is becoming…or should I say, has become, so popular now, that it is hard to keep control. (Control? Yes, of your information!).

Think about it. How much of your security is technically enforced by a 3rd party appliance? (And how secure are they?) How much of your data is housed, managed, monitored, etc. by a 3rd party? Professionally and personally we are giving ourselves away. More importantly, has this been looked at during your last Threat Risk Assessment? (Has your organisation even done one?)

From my experience, so many organisations that we audit have core data and systems housed and managed by 3rd parties, and nearly all of them have dangerously one-sided contracts…dangerously favouring the 3rd party.




By SGirl:

An interesting question came across our desk this week to do with police checks on current employees and potential new employees.

Things like PCI and the increasing awareness of the human factor of security threats means more and more organisations are getting police checks done on candidates and as part of an ongoing assurance program.

So what happens if you get a report returned that shows a conviction? What do you do? Sack the employee? Not hire them? Perhaps, perhaps not.

While some organisations have a legal requirement not to employ anyone with a criminal history (working with children, issuing licences to name a few), for others the requirements and boundaries that need to be considered are a little greyer.

Essentially there are basic human rights that prevent discrimination in the workplace, including on the basis of whether or not a person has a criminal conviction. The Human Rights and Equal Opportunity Commission has a discussion paper on it:

http://www.hreoc.gov.au/human_rights/criminalrecord/summary.html

To avoid discrimination on the basis of criminal record, an employer can only refuse to employ a person if their criminal record means they are unable to perform the ‘inherent requirements’ of the job.




Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Gov and Gov Security seems to be the audience.

Should be fun…there are no slides…just talk…they accepted that (somewhat, I think). :) I prefer to just talk…

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.



It’s been an interesting few months as we’ve seen a rapid rise in the number of organisations coming to talk to us about PCI DSS compliance. The really cool thing, as mentioned here, is that we are seeing proof that if you approach your PCI DSS compliance projects like we suggested here in this post, “PCI Compliance Projects – The road to nowhere…”, you will have a greater chance of success!

We’ve worked with so many great companies in recent months who’ve taken the advice on-board seriously and have made awesome inroads in regards to their IT security position (and PCI DSS compliance) – most now “compliant”, (….well as compliant as you can get).

On the flip-side, and let’s not dwell on this too much, we’ve also seen a few organisations prove that not approaching a PCI DSS compliance project as recommended in our post does make for an expensive and very much time-consuming/wasting exercise for all.

A PCI DSS compliance project is what you make of it. You can give up and claim it is impossible, (and close your eyes to the fact that there are others who have done it), or you can make it work. The principles of a successful PCI DSS compliance project are no different to the principles you would adopt to make any other project successful!

Related Links:
- Previous PCI Posts (Uncut)
- Six ways you can bork PCI
- PCI: Choosing your Auditors Carefully



This is something I have talked about before.

Having been in roles in previous lives that have seen me oversee IT as a whole and IT Security (separate roles), I am of a firm belief that a good CSO has what it takes to be a good CIO, if not a better CIO than most out there. I went from the former to the latter (IT head to CSO) but I believe it can work effectively the other way. It’s not a regular thing though and, to be honest, I haven’t seen it happen from memory in recent times – i.e. a CSO becoming the CIO.

It’s horses for courses and case by case but more and more, I am seeing competent CSOs out there that have a better picture about IT within their business than the CIO does. Now this will upset some CIOs, but as you know, I don’t mind upsetting those that I think are not up to it. (A recent example here and here). And there’s a heap of CIOs out there, that really are not up to it. Can’t recall figures I have posted before but I’ll throw 80%+ out there as a starter now.

I’ve been working with the CSO of a relatively large business and good global brand in recent times. He’s been on board with his organisation for just over 12 months but in that time, has made some amazing inroads in regards to how this organisation views and works in regards to IT security and risk management overall. But, he’s now hit that time that body builders call the “plateau”, and every little “gain” now takes a mountain of effort – far more effort than gains took in his first 6 months at the organisation. He’s almost ready to move to “greener pastures”…..read on:




By SGirl:

Who will I upset this time? Though the support far outweighed the few negative comments. But, I digress…

It is interesting the information that you can find when you look really hard and spend a bit of time to get results.

As a bit of background, to me, IT security is not just all about technical solutions, hacking and the latest marketing terms like the “Cloud”. It is also about management, strategy, compliance (not the dirty version). It’s many areas that, for some reason, the media don’t really report on nor focus upon (unless your compliance means PCI DSS). It’s the less “sexy” part of the industry, but for many, the parts that hit the coalface of the business.

In Australia, there are things happening that you hear little to nothing about – things that are affecting businesses and compliance considerations now. They aren’t being focused upon and far from hot topics like PCI DSS; “Ooh merchants might start being fined soon and let’s start talking about what PCI DSS is, and means to you and how vendor X is going to help you”! We only hear about what a few decide is “sexy” but for most part and as recent conversations here in this blog and forums have shown, what those individuals are deciding as “interesting” seems not to be what is floating the boats of many in the industry. Drazen Drazic gets most of his news from blogs he says.

Let’s have a look at a few things:



