Monday, September 29, 2008
Good security awareness program at the royal show
Get them young! My child had fun throwing bean bags at effigies of internet and regular scam artists and becoming a deputy scam buster. Well done Consumer Affairs Victoria!
----
Sent using a Sony Ericsson videophone
About Me
- Matthew Hackling
- Matt runs his own security consultancy called Ronin Security. His focus is information security management and he has a keen interest in infrastructure and web application security. He's a CISSP and the current Branch Executive of the Melbourne chapter of the Australian Information Security Association.
Saturday, September 20, 2008
Mobile phone products to invent
Mobile device sanitisation software.
An application that provides a day by day bar graph of mobile phone usage in minutes and if you enter your plan details or select them from a pre-populated list, $ cost per day and running total.
Thursday, September 18, 2008
How to raise the profile of your information security department
As Australian CIOs see information security as a lower priority than reducing costs, maybe it is time for us to go on the charm offensive? Some ideas follow:
- Try an end-user security awareness program in a handy-tips flavour, focusing on social engineering and malware.
- Look at your branding, especially your motto.
- Provide communications to stakeholders on your organisation's most critical apps, what you are protecting them from, and the business process impact if there is an incident.
- Benchmark your operations against your peers.
- Produce easy-to-understand, risk-based management reporting supported by a security metrics program.
---- Sent using a Sony Ericsson videophone
Tuesday, September 16, 2008
First jobs
I was thinking about my first job in security, and was kind of thankful for the opportunity. I was a security guard at a police HQ on the night shift and the criminal investigation branch during the day.
Man, I had some interesting encounters with the general public, well the very sketchy portions of the general public.
It was kind of cool to roll in unmarked police cars on occasion and tote some sort of police ID. The responsibility sort of gave me some direction when I needed it.
Thanks for giving me the opportunity, you know who you are!
Saturday, September 13, 2008
info-sec car analogies
From the user perspective - you are driving the car. You are driving along the information superhighway, take a look at a shiny billboard, and the next thing you know you are stuck in a ditch (DoS) or being mugged (malware). You need some lane markings (security awareness training).
From the administrator perspective - you are maintaining others' cars; you need to know what makes a car roadworthy.
From the architect perspective - you are designing cars and roads; you need crash test results.
speedo = SEIM?
air bags = incident response capability?
accelerator = take more risk?
brakes = take less risk?
road signs = security awareness training
Wednesday, September 10, 2008
challenges with vulnerability management
Recent information leakage studies (the Verizon one, for instance) identify that intrusions occur from vulnerabilities that are more than a year old and often easily fixed by patching. The poorly informed would cry "just apply the patches". Well, here are some of the challenges:
- It's easy to test if you aren't running apps, but aren't all partner-facing or internet-facing systems running apps? Hmm.
- You need to test: sometimes patches break things, especially poorly coded legacy apps. Sometimes those apps aren't supported and you may have a situation where you can't turn off the vulnerable functionality or apply the patch.
- Testing: proper testing involves functional and non-functional testing, maybe even performance and volume testing. No surprises that this costs big bucks, and which app owners are going to cough up for testing on apps already in production that are not cashed up with capex approvals etc.?
Approaches:
- Risk assess systems, focus on the most critical.
- Have a regular patch schedule aligned with testing, that also updates the SOE.
- Deploy IPS/WAF/reverse proxy in listen-only mode, ready to help block an exploit that has pwned you, so that after you have rebuilt you can protect against re-pwnage.
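The three approaches above (risk assess and focus on the most critical systems, a regular patch schedule, and a compensating control for what you cannot patch) come together in a patch prioritisation pass over scan output. The script below is an added example, not code from the blog post: it ranks constructed scan findings by CVSS, exposure, business criticality and patch age, doubles the weight of anything whose fix is more than a year old (the finding the Verizon-style studies keep reporting), and assigns each finding to a patch window or to an IPS/WAF compensating control plus exemption when the app is unsupported. The host names, CVE placeholders, exposure weights and thresholds are all constructed assumptions.

```python
"""Risk-based patch prioritisation over a constructed vulnerability scan export.

Added example, not code from the blog post. It ranks findings so the most
critical, most exposed and stalest vulnerabilities get patched first, and
flags the "more than a year old" findings the Verizon-style studies point at.
The host names, CVE placeholders and scores are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    host: str
    cve: str            # constructed placeholder, not a real CVE id
    cvss: float         # base score from the scanner
    published: date     # date the vendor fix became available
    exposure: str       # "internet", "partner" or "internal"
    criticality: int    # business criticality 1 (low) .. 5 (high) from the risk assessment
    legacy_unsupported: bool = False  # vendor no longer supports the app, patch cannot be applied


# Exposure multipliers: an assumption of this example, tune to your environment.
EXPOSURE_WEIGHT = {"internet": 3.0, "partner": 2.0, "internal": 1.0}
STALE_AFTER_DAYS = 365  # the "more than a year old" threshold from the post

TODAY = date(2008, 9, 10)  # fixed so the example is reproducible

# Constructed scan export.
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-PLACEHOLDER-0001", 9.3, date(2007, 6, 1), "internet", 5),
    Finding("erp-legacy", "CVE-PLACEHOLDER-0002", 7.5, date(2006, 1, 15), "partner", 5, legacy_unsupported=True),
    Finding("fileprint01", "CVE-PLACEHOLDER-0003", 4.3, date(2008, 8, 1), "internal", 2),
    Finding("vpn-gw", "CVE-PLACEHOLDER-0004", 7.8, date(2008, 8, 20), "internet", 4),
]


def patch_age_days(f: Finding, today: date) -> int:
    return (today - f.published).days


def priority_score(f: Finding, today: date) -> float:
    """CVSS x exposure x business criticality, doubled once the fix is over a year old."""
    stale = 2.0 if patch_age_days(f, today) > STALE_AFTER_DAYS else 1.0
    return f.cvss * EXPOSURE_WEIGHT[f.exposure] * f.criticality * stale


def recommended_action(f: Finding, today: date) -> str:
    if f.legacy_unsupported:
        # Can't patch: shield it with IPS/WAF and lodge an exemption with a review date.
        return "compensating control (IPS/WAF rule), lodge exemption"
    if patch_age_days(f, today) > STALE_AFTER_DAYS or (f.exposure == "internet" and f.cvss >= 7.0):
        return "out-of-cycle patch after functional test"
    return "next scheduled patch window (SOE update)"


def stale_findings(findings, today: date) -> int:
    """How many findings are older than a year: the number the exec should see first."""
    return sum(1 for f in findings if patch_age_days(f, today) > STALE_AFTER_DAYS)


def plan(findings, today: date):
    """Return findings ranked highest priority first, each with its score and action."""
    ranked = sorted(findings, key=lambda f: priority_score(f, today), reverse=True)
    return [
        {"host": f.host, "cve": f.cve, "score": round(priority_score(f, today), 1),
         "age_days": patch_age_days(f, today), "action": recommended_action(f, today)}
        for f in ranked
    ]


if __name__ == "__main__":
    print(f"{stale_findings(SAMPLE_FINDINGS, TODAY)} findings older than {STALE_AFTER_DAYS} days")
    for row in plan(SAMPLE_FINDINGS, TODAY):
        print(f"{row['score']:7.1f}  {row['host']:12} {row['age_days']:5}d  {row['action']}")
```

The business criticality column is the output of the risk assessment step; without it every scanner finding looks the same and the team ends up patching the print server before the internet-facing web tier. The "stale" doubling is deliberately blunt: its job is to make year-old findings impossible to leave at the bottom of the list.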
Labels: IPS, security patching, vulnerability management
Sunday, September 7, 2008
The simple things in infosec are often the most effective
Data classification - classify the, say, 10% of information assets that really matter and you can:
- secure only the systems that really matter.
- enable users to apply information asset handling procedures to prevent data leakage.
Labels: information security governance
Saturday, September 6, 2008
my first security haiku
5,7,5
some patience required
when writing security
policy framework
large it project
so near to finish let's test
security requirements ?
Wednesday, September 3, 2008
Security governance - launching the offensive
1. Tender, employ, buy, build, educate in as small a chunk at a time as you can manage
2. Test security activities have addressed KPIs and KRXs they were planned to improve as part of regular compliance testing cycle (just delay testing cycle until project completed)
Labels: information security governance
Security Governance: The First battle
1. Security awareness campaign (we are coming, hide your skeletons in the closet); state grace period and requirement for lodgement of exemptions
2. Commence compliance testing of KPIs (from metrics in endorsed security standards)
3. No-one is compliant with standards, umm, oooer
4. Put KPIs into KPXs and into KRXs and into KRIs
5. Surprise, surprise: the key risks and fixes are pretty much what you expect: user access management, secure configuration of infrastructure, secure application development processes
6. Present shocking KRIs to executive, along with plan of activities to improve KRIs; include dates by which KRIs will improve and cost/effort estimates
7. Cajole and educate executive
8. Budget approved!
9. Drink beer
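Steps 2 to 5 above (and step 2 of "launching the offensive", which re-tests the same KPIs and KRXs after the funded work lands) are a roll-up: compliance tests per control become a KPI per standard, and the KPIs feeding each key risk become a KRI with a red/amber/green rating the executive can read. The script below is an added example, not code from these posts: it runs that roll-up over constructed compliance test results, honours approved exemptions by excluding them from the KPI denominator while still listing them, and names the weakest standard under each key risk so the "plan of activities" has an obvious first entry. The standards, controls, systems, key-risk mapping and thresholds are all constructed assumptions.

```python
"""Rolling compliance test results up into KPIs and KRIs for the executive.

Added example, not code from the blog posts. The standards, controls,
systems and results below are constructed sample data; the key-risk mapping
and RAG thresholds are assumptions to tune for your own ISMS.
"""
from collections import defaultdict

# Constructed compliance test results:
# (standard, control, system, passed, exemption_approved)
RESULTS = [
    ("user access management", "UAM-01 quarterly access review", "erp", False, False),
    ("user access management", "UAM-01 quarterly access review", "crm", False, False),
    ("user access management", "UAM-02 leavers removed within 24h", "erp", True, False),
    ("user access management", "UAM-02 leavers removed within 24h", "crm", False, False),
    ("secure configuration", "SC-01 SOE baseline applied", "web01", True, False),
    ("secure configuration", "SC-01 SOE baseline applied", "web02", True, False),
    ("secure configuration", "SC-02 default accounts disabled", "web01", True, False),
    ("secure configuration", "SC-02 default accounts disabled", "web02", True, False),
    ("secure development", "SD-01 code review before release", "crm", False, False),
    ("secure development", "SD-02 input validation standard", "crm", False, False),
    # Lodged and approved exemption: excluded from the KPI, but still reported.
    ("secure development", "SD-02 input validation standard", "legacy-app", False, True),
]

# Which standards feed which key risk (assumption for the example).
KEY_RISKS = {
    "unauthorised access to business data": ["user access management"],
    "compromise of internet-facing systems": ["secure configuration", "secure development"],
}

# RAG thresholds on the KRI score (percentage compliant), an assumption.
RED_BELOW, AMBER_BELOW = 50.0, 80.0


def compliance_kpis(results):
    """KPI per standard: percentage of non-exempt tests that passed."""
    counted = defaultdict(int)
    passed = defaultdict(int)
    for standard, _control, _system, ok, exempt in results:
        if exempt:
            continue
        counted[standard] += 1
        passed[standard] += int(ok)
    return {s: round(100.0 * passed[s] / counted[s], 1) for s in counted}


def rating(score):
    """Red/amber/green rating of a KRI score."""
    if score < RED_BELOW:
        return "red"
    if score < AMBER_BELOW:
        return "amber"
    return "green"


def key_risk_indicators(kpis, key_risks):
    """KRI per key risk: mean of the feeding KPIs, its RAG rating, and the weakest standard."""
    out = {}
    for risk, standards in key_risks.items():
        scores = {s: kpis.get(s, 0.0) for s in standards}  # an untested standard counts as 0%
        score = round(sum(scores.values()) / len(scores), 1)
        out[risk] = {"score": score, "rating": rating(score), "weakest": min(scores, key=scores.get)}
    return out


def exemptions(results):
    """Approved exemptions, so the exec report shows what was consciously accepted."""
    return [(s, c, sysname) for s, c, sysname, _ok, exempt in results if exempt]


if __name__ == "__main__":
    kpis = compliance_kpis(RESULTS)
    for standard, pct in kpis.items():
        print(f"KPI  {standard:28} {pct:5.1f}% compliant")
    for risk, kri in key_risk_indicators(kpis, KEY_RISKS).items():
        print(f"KRI  {risk:40} {kri['score']:5.1f}%  {kri['rating']:5}  fix first: {kri['weakest']}")
    for s, c, sysname in exemptions(RESULTS):
        print(f"EXEMPT {sysname}: {c} ({s})")
```

Averaging the feeding KPIs is the simplest roll-up and it hides a 0% standard behind a 100% one, which is why the report also carries the weakest standard; if that bothers your executive, swap the mean for the minimum and the KRI becomes the conservative view.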
Labels: information security governance
Security governance: The Initial Skirmish
1. Get executive commitment to a security charter with a principle for each of the ten ISO 27002 domains and appoint yourself to act on behalf of the executives in accordance with charter.
2. Do a song and dance, you have cracked the hardest piece of the puzzle
3. Write up security governance docs to establish an Information Security Management System (include exemption management, metrics, compliance testing, sanctions for non-compliance and a document map)
4. Create draft security policy statements for the key security policies
5. Workshop draft policies with anyone who will listen (HR, IT ops, IT architecture, risk, internal audit etc.)
6. Record and refine stakeholder input (and put in version history of docs)
7. Issue security policies as draft for comment on Intranet
8. Take in feedback and refine (if any)
9. Get security policies endorsed
10. draft security standards and include KPIs
11. workshop with stakeholders
12. refine
13. issue as draft
14. get endorsed
15. execute security awareness campaign
16. write processes
17. write procedures
18. write baselines and use these to guide construction of SOEs
Labels: information security governance
Monday, September 1, 2008
Reflections on the Australian Infosec market
Size of information security department
- Manufacturers - 1-2 FTE in security
- Insurers - 2-10 FTE in security
- Small banks - 2-5 FTE in security
- Large banks - 50-100 FTE in security
Typical activities
- Testing new projects
- Closing audit issues
- Developing security policies
- Managing vulnerabilities
- Testing compliance with policy
Challenges
- Implementing management reporting/metrics
- Developing expertise in web application security testing
- Producing standards for application developers
- Figuring out a pragmatic approach to security logging