- Just got back from New Zealand. As always, great to get over there but wish I had more time. NZ has to be the pound for pound world leader in researchers and research. So many good guys there! And there’s also Kiwicon.

- Pat’s kicked off a new site at Risky.Biz. Some really cool stuff now and a heap of new things coming up. Good luck with it all Pat!

- Been following the SPSP/PCI SSC latest here at Mike’s site.

- New jobs posted at Beast Hot Jobs. Still working to get this going. Yeah, I know, wrong time but hopefully we’ll get there. Check it out.

- Internet Filtering/Censorship in Australia: Trying not to post too much on this because I keep hoping it will just die, but every time I start to think it is going away, it comes back. Example here. Things in NZ are not much better, potentially worse. All really scary stuff.

- I wonder what I could have seen if I plugged my laptop into the cable poking out at Sydney Airport where another parking payment machine should have been. Nah…probably not much.  :)



- Centralised password management tool here. Vuln free delusions – be fun to “test” this one. Consolidated risk. Nice!

- Data Breach Disclosure update in the US here. Fundamentals are still missing to make this a fair and workable law for all. Wrote about this in Risk Management Magazine pp 14-15 in the September 2008 Edition. (May have to sign in now to read it).

- My costs to maintain PCI QSA status to top 30K in 2009. Add another 20 odd K if we decide to become an ASV again as well. PCI SSC doesn’t really care about my thoughts on why some of the costs are just money-making grabs on their part. The danger for all is that if eventually only the big guys can afford this, the level of QSA expertise and the subsequent advice/service to merchants, service providers and the industry as a whole is going to become weaker, so who wins? Do I battle these guys again or just suck it up? No appetite at present for another battle with them. Read on:




Anton tells me he will be mind-blowingly awesome here so I have no choice but to listen into this one:  :)
——————————————————————————

PCI Myths: Common Mistakes and Misconceptions About PCI
Presented by Anton Chuvakin and Terry Ramos of Qualys.
Date: Thursday, March 19, 2009
Time: 2:00PM EST/11:00AM PST
Register here.

——————————————————————————

Unethical Hacking – by Immunity
June 22-26, 2009
Duration: Five 8-hour class days
Location: Canberra, Australia
For more details about the class, please click here.
——————————————————————————

Yes (open disclosure), both companies have business relationships with Securus Global.



Patrick Gray interviews Securus Global’s Declan Ingram on Risky Business 98. Make sure you listen to the end of the podcast. :)



I talked in a previous post about PCI DSS vs. regulatory requirements in some countries (and in some industries). Thought I would expand a bit more on the topic of “regulation”.

In many posts here, I’ve talked about the benefits of regulation (done right) being a big driver for better IT security practices. I was interviewed by Computerworld on this topic about 6 years ago and a representative from the Attorney-General’s Department disagreed with me, and suggested that “new standards” they were going to develop (that showed businesses how to do things better) were sufficient, and no regulation was required. Gees, even then we had plenty of “good practice” standards – we didn’t need more of them! (Side note: none did come out from the AGD anyway that I am aware of.) We need(ed) someone to say, you MUST be doing this. You have an obligation to your business, your employees, your shareholders, your business partners, the business community and society in general!

I still believe that, and I disagree with arguments that the “market” should drive this. WTF does “the market” actually mean? When has “the market” done anything of substance to improve IT security practices in the last 15 years? We’re not going forwards, so how is “the market” going to now dictate and improve this? Magic? Open to your comments as usual. Read on. I’ve added a section from a talk I had with David Rice about regulation. I liked his thoughts on this:




Maybe some of my thoughts on PCI DSS (that I have posted here before) can be attributed back to past experiences in tougher regulatory environments I have been exposed to. For those dudes whinging about how tough PCI DSS is on the business, try working in an IT Security / IT Risk Management role in an Investment Bank in the likes of Japan and Singapore for example!

You poor dears! Would hate to see how you would deal with the regulators in those countries with their Government-run “compliance” audits! Makes PCI DSS compliance look like a piece of piss (so to speak). Some people should be careful what they wish for!

Do I need to expand upon why?



I was directing all to Anton’s site here where he has done the most thorough analysis of what’s been posted on the Net about this breach. It’s worth having a look at his site. After TJX, I thought I was all talked out about these topics – for a while at least… okay, it’s big, but it’s all now becoming quite common and things like this will continue to happen due to poor on-going security practices, inherently insecure software, etc. So is there more to say on that front that I haven’t talked/preached about in this blog for a number of years?

PCI DSS has copped quite a bit of criticism from many “experts” on the Net over the events at Heartland. I do understand why. There have been many against the standard from the outset, and any breach/security issue in an organisation that is using PCI DSS as the framework for its security practices is going to have these people questioning the purpose and overall benefits of the standard. Read on…




Qualys has recently published a simple “PCI Compliance for Dummies” book. It’s free to download here.

Worth a read if you are new to PCI DSS compliance.

Posted in: PCI, PCI DSS


From Mike Dahn’s PCI Blog:
http://pcianswers.com/2008/12/09/pci-already-addresses-virtualization/

Well worth a read.

Posted in: PCI, PCI DSS


The year is slowly winding up and I got to thinking about whether much changed in 2008. PCI DSS compliance continued to raise awareness of good practice more than anything else out there, but aside from that, did many organisations, our industry and the IT industry as a whole make much headway into the IT security problems we face? Looking at my December 2007 post, I could almost just repeat everything word for word and just change the dates.



