Monday, September 29, 2008

Good security awareness program at the royal show

Get them young! My child had fun throwing bean bags at effigies of internet and regular scam artists and becoming a deputy scam buster. Well done, Consumer Affairs Victoria!


---- 
Sent using a Sony Ericsson videophone

Saturday, September 20, 2008

Mobile phone products to invent

Mobile device sanitisation software.

An application that provides a day-by-day bar graph of mobile phone usage in minutes and, if you enter your plan details or select them from a pre-populated list, the dollar cost per day and a running total.

Thursday, September 18, 2008

How to raise the profile of your information security department

As Australian CIOs see information security as a lower priority than reducing costs, maybe it is time for us to go on the charm offensive? Some ideas follow:

- Try an end-user security awareness program in a handy-tips flavour, focusing on social engineering and malware.
- Look at your branding, especially your motto.
- Provide communications to stakeholders on your organisation's most critical applications: what you are protecting them from, and the business process impact if there is an incident.
- Benchmark your operations against your peers.
- Produce easy-to-understand, risk-based management reporting, supported by a security metrics program.


Tuesday, September 16, 2008

First jobs

I was thinking about my first job in security, and was kind of thankful for the opportunity. I was a security guard at a police HQ on the night shift and the criminal investigation branch during the day.

Man, I had some interesting encounters with the general public, well, with the very sketchy portions of the general public.

It was kind of cool to roll in unmarked police cars on occasion and tote some sort of police ID. The responsibility sort of gave me some direction when I needed it.

Thanks for giving me the opportunity, you know who you are!

Saturday, September 13, 2008

info-sec car analogies

From the user perspective: you are driving the car. You are cruising along the information superhighway, take a look at a shiny billboard, and the next thing you know you are stuck in a ditch (DoS) or being mugged (malware). You need some lane markings (security awareness training).

From the administrator perspective: you are maintaining others' cars; you need to know what makes a car roadworthy.

From the architect perspective: you are designing cars and roads; you need crash test results.

speedo = SIEM?
air bags = incident response capability?
accelerator = take more risk?
brakes = take less risk?
road signs = security awareness training

Wednesday, September 10, 2008

challenges with vulnerability management

Recent data breach studies (the Verizon report, for one) find that intrusions typically exploit vulnerabilities that are more than a year old and could often have been closed by patching. The poorly informed would cry "just apply the patches"; well, here are some of the challenges:

- Testing is easy on systems that don't run applications, but every partner-facing or internet-facing system runs one.
- You need to test, because patches sometimes break things, especially poorly coded legacy apps. Sometimes those apps are no longer supported, and you can end up in a situation where you can neither turn off the vulnerable functionality nor apply the patch.
- Proper testing involves functional and non-functional testing, perhaps even performance and volume testing. No surprise that it costs big bucks, and which app owners are going to cough up for testing on apps already in production that are not cashed up with capex approvals?


Approaches:

- Risk-assess systems and focus on the most critical.
- Have a regular patch schedule aligned with testing that also updates the standard operating environment (SOE).
- Deploy an IPS, WAF or reverse proxy in listen-only (detect) mode, ready to be switched to blocking for the exploit that has compromised you, so that after you have rebuilt you are protected against being compromised the same way again.
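As an added example (not from the original post), here is a small Python triage script that turns the approaches above into something you can run over a scan export: it tiers each finding by exposure and business criticality, flags findings past an assumed SLA, counts the ones whose patch has been available for more than a year (the Verizon finding), and lists the unsupported systems that will need a compensating control such as an IPS or WAF rule instead of a patch. The hosts, vulnerability identifiers, dates and SLA numbers are all constructed for the example.

```python
"""Patch backlog triage: rank open vulnerability findings by risk and flag
SLA breaches.  Example code written for this post; hosts, identifiers,
dates and SLA numbers are constructed, not taken from any real scan."""
from dataclasses import dataclass
from datetime import date

# Assumed patch SLAs in days per priority tier (an assumption; set your own).
SLA_DAYS = {"P1": 14, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # identifier as reported by the scanner (constructed)
    patch_released: date    # date the vendor fix became available
    internet_facing: bool   # reachable from the internet or a partner link
    criticality: str        # "high" / "medium" / "low" from the asset register
    vendor_supported: bool  # False when no patch will ever come


def priority(f: Finding) -> str:
    """Map exposure x business criticality to a patch tier (risk assessment)."""
    crit = f.criticality.lower()
    if f.internet_facing and crit == "high":
        return "P1"
    if f.internet_facing or crit == "high":
        return "P2"
    if crit == "medium":
        return "P3"
    return "P4"


def patch_age_days(f: Finding, today: date) -> int:
    """How long a fix has existed without being applied."""
    return (today - f.patch_released).days


def is_overdue(f: Finding, today: date) -> bool:
    """True when the finding has outlived the SLA for its tier."""
    return patch_age_days(f, today) > SLA_DAYS[priority(f)]


def triage(findings, today):
    """Most urgent first: by tier, then by the oldest available patch."""
    return sorted(findings, key=lambda f: (priority(f), -patch_age_days(f, today)))


def backlog_report(findings, today):
    """Management-reporting numbers: open, overdue, ancient, and unpatchable
    systems that need a compensating control (IPS/WAF rule) until rebuilt."""
    return {
        "open": len(findings),
        "overdue": sum(is_overdue(f, today) for f in findings),
        "patch_older_than_year": sum(patch_age_days(f, today) > 365 for f in findings),
        "needs_compensating_control": [f.host for f in findings if not f.vendor_supported],
    }


# Constructed sample scan export (not real hosts or vulnerabilities).
TODAY = date(2008, 9, 10)
FINDINGS = [
    Finding("web01", "VULN-A", date(2007, 6, 1), True, "high", True),
    Finding("legacy-app", "VULN-B", date(2006, 11, 15), True, "medium", False),
    Finding("fileshare", "VULN-C", date(2008, 8, 25), False, "medium", True),
    Finding("kiosk", "VULN-D", date(2008, 3, 1), False, "low", True),
]

if __name__ == "__main__":
    for f in triage(FINDINGS, TODAY):
        print(priority(f), f.host, f.vuln_id, patch_age_days(f, TODAY), "days",
              "OVERDUE" if is_overdue(f, TODAY) else "within SLA")
    print(backlog_report(FINDINGS, TODAY))
```

The low-criticality kiosk still shows up as overdue: a long SLA is not the same as no SLA, and the report line counting fixes older than a year is the number to put in front of the executive.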

Sunday, September 7, 2008

The simple things in infosec are often the most effective

Data classification: classify the, say, 10% of information assets that really matter and you can:

secure only the systems that really matter;

enable users to apply information asset handling procedures to prevent data leakage.

Former federal privacy commissioner addressing AISA

Bumper session:-PB-);-)


Saturday, September 6, 2008

my first security haiku

5,7,5

some patience required
when writing security
policy framework

large IT project
so near to finish, let's test
security requirements?

Wednesday, September 3, 2008

Security governance - launching the offensive

1. Tender, employ, buy, build and educate in as small a chunk at a time as you can manage.
2. Test that security activities have addressed the KPIs and KRXs they were planned to improve, as part of the regular compliance testing cycle (just delay the testing cycle until the project is completed).


Security Governance: The First battle

1. Security awareness campaign ("we are coming, hide your skeletons in the closet"); state the grace period and the requirement to lodge exemptions.
2. Commence compliance testing of KPIs (from the metrics in the endorsed security standards).
3. No one is compliant with the standards. Umm, oooer.
4. Roll KPIs up into KPXs, into KRXs and into KRIs.
5. Surprise, surprise: the key risks and fixes are pretty much what you expect: user access management, secure configuration of infrastructure, secure application development processes.
6. Present the shocking KRIs to the executive, along with a plan of activities to improve them, including the dates by which each KRI will improve and cost/effort estimates.
7. Cajole and educate the executive.
8. Budget approved!
9. Drink beer.


Security governance: The Initial Skirmish

1. Get executive commitment to a security charter with a principle for each of the eleven ISO 27002 control domains, and appoint yourself to act on behalf of the executives in accordance with the charter.
2. Do a song and dance: you have cracked the hardest piece of the puzzle.
3. Write up security governance documents to establish an Information Security Management System (include exemption management, metrics, compliance testing, sanctions for non-compliance and a document map).
4. Create draft security policy statements for the key security policies.
5. Workshop the draft policies with anyone who will listen (HR, IT ops, IT architecture, risk, internal audit etc.).
6. Record and refine stakeholder input (and put it in the version history of the documents).
7. Issue the security policies as a draft for comment on the intranet.
8. Take in the feedback and refine (if any).
9. Get the security policies endorsed.
10. Draft security standards and include KPIs.
11. Workshop with stakeholders.
12. Refine.
13. Issue as draft.
14. Get endorsed.
15. Execute the security awareness campaign.
16. Write processes.
17. Write procedures.
18. Write baselines and use these to guide construction of SOEs (standard operating environments).

Monday, September 1, 2008

Reflections on the Australian Infosec market

Size of information security department
Manufacturers - 1-2 FTE in security
Insurers - 2-10 FTE in security
Small banks - 2-5 FTE in security
Large banks - 50-100 FTE in security

Typical activities
Testing new projects
Closing audit issues
Developing security policies
Managing vulnerabilities
Testing compliance with policy

Challenges
Implementing management reporting/metrics
Developing expertise in web application security testing
Producing standards for application developers
Figuring out a pragmatic approach to security logging


