A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t covered in the 500+ posts in Beast or Buddha. (The really interesting stuff, you can’t write about for obvious reasons.) What do you do? Continue to rehash the old stuff? Sometimes! Which brings me to an interesting discussion.

We were asked to do a presentation recently on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but when looking back over the previous such presentations we’ve been doing over the years, nothing much was changing, in particular our recommendations on how organisations should be dealing with “emerging threats”. We could almost have just pulled out the “Emerging Threats” presentation (circa 2002) and done it word for word, with only a few very minor wording and definition changes, e.g. “Cloud”, “APT”, etc. :)

Should we be calling these presentations “Emerging Responses”? It’s the response part that is in most cases yet to “emerge” effectively! The “threats” (most of them) emerged a long time ago. In many cases, we just call them different things now because we failed to deal with them properly at the time, so it’s easier to rename something; it makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



Just wondering how some people would and/or do approach an Enterprise State of Security assessment? Obviously, given the plethora of standards, regulatory “guidelines”, etc., there are no right answers. (Including the size and scope of such an exercise… assume it is possible, of course!) Do you see it as something impossible? Would you use something like PCI DSS? Do you have your own framework/methodology? Keen to hear people’s thoughts.




There’s always a load of articles talking about the “core security skills” that security professionals and companies will need to develop. With 2010 approaching, we’re starting to get the typical 2010 recommendations and predictions articles on this topic.

I wonder if many of these articles are written by, and targeted at, people and organisations who might just be waking up out of their slumber into the real world that we (security people) have lived in for the last two or more decades. The alarm’s still on snooze though, in my opinion.

I find this interesting. Aside from keeping up with technical/researcher-type knowledge (which most of these articles rarely refer to), what are these new “core skills” that we should all be developing? Keen to know if I have missed anything.




This is a post from 2007. The theories and concepts date from well before that. Setting the technologies themselves aside, nothing much has changed in the last decade (and one can argue that the technologies themselves haven’t either). Basic foundation principles, or rather the lack thereof in our strategic approaches (and thinking) in regard to Information Security and Risk Management, are rarely addressed, and thus we fail without even properly beginning the defence… or is that the offence?

Anyway, please read on and I would welcome your thoughts on whether you think anything has changed to make this any less effective.




From the Western Australian branch of the Australian Computer Society: they are launching two new “Centres of Excellence”. Information here. Information supplied by Philip Argy. Thank you to the ACS for passing this to us. We look forward to hearing more about this initiative.




While the Information Security blogging scene is relatively small here in Australia, the guys in it are always bringing out interesting things. Here’s a brief roundup of what’s been happening lately:

- Donal at Ockham’s Razor looks at Electronic Voting in his latest post and raises what, to us, are valid points. He links to an article from Ireland which is interesting reading. Do yourself a favour and read some of D’s other posts. Worth scanning through for some thinking “outside the square”.
- Wade doesn’t focus that much on Information Security anymore but every so often, he’ll have a few gems there. Interesting reading at wadem anyway.
- The west’s biggest and best blogger, Christian at un-excogitate.org covers the latest OWASP meeting in Perth and also talks about Cloud Security in his latest posts.
- Jordan at Security Technology Science has started posting again. I like Jordan’s posts as he looks at the psychology of our industry and the people within it. He’s got extensive experience so for new guys coming up through the ranks (and those already there), it’s interesting to get that take from a “veteran”. (He’ll hate me saying that as he’s heaps younger than me!)
- Another BJJ/MMA exponent (geez, there are a few in our industry), Jarrod at /DEV/NULL has posts on Cloud Security and Exemptions which are worth a read. Post your thoughts to Jarrod.
- The Big 4 man Matthew at Infamous Agenda has recently been getting hot over a few topics. Go see what’s been getting Matt worked up.
- Pat’s Risky.Biz continues to be one of the best Information Security podcasts out there. He’s got a heap of new stuff; forums, vids and the usual weekly Risky Business podcast.
- Eldar’s stuff at Just Another Hacker makes my old technical (now non-technical) head spin, but for you techo dudes, go suss it out.
- James at Karter.Net, while not a totally security-focused blog (Open Source and other things, plus his experience), is publishing a lot of good stuff. To narrow it down to one sentence would not do it justice. Click away.
- Philip at PhilipHall.com has been talking about Apple vulns in recent times. A “CyberSecurity Junkie”, and worth reading his archive of posts.
- Bradley at Inside Out continues his focus on forensics, digital evidence and legal issues. One of few in Australia blogging about this topic. Worth bookmarking!

I haven’t covered everyone, but if you are blogging in Australia or know of someone who is, let us know and we’ll add them to the Australian IT Security Blog Directory.



Transcripts from the four sessions. Interesting, but a concern from the perspective that it seems Government does forget things it has done in the past and seemingly starts from scratch each time. Just my opinion. Light reading (and I mean that), but worth a skim through:

http://www.aph.gov.au/house/committee/coms/cybercrime/hearings.htm

Thanks @cmlh for the link to this.



Stay tuned….

I get asked by people all the time why I do things like “Twitter”, for example. As if it is something not so worthy. Background: here and here.

So I have decided to look at some of the real benefits of such applications in relation to our industry (and wider) in a much longer post. Who’s wasting their time or missing out? Is it that uncool? LOL… we’ll see.

DD



Coincidental timing… seeing a discussion on Twitter and on the forum here between a few people on why I don’t do presentations at large conferences.

Nice to know that people give me that cred worth discussing…thank you.




Just got back and saw this was confirmed:
http://www.iirme.com/securecon/workshops/c.html

CEOs, CIOs and Middle East Government and Government Security seem to be the audience.

Should be fun… there are no slides… just talk… they accepted that (somewhat, I think). :) I prefer to just talk…

This will be an all-out session and I hope Bruce S (Keynote) will be there….Pass this link to 20 of your friends and you will receive…magically a new notebook.


