Thursday, January 29, 2009
It is hot
Man, it's hot.
---- Sent using a Sony Ericsson videophone
About Me
- Matthew Hackling
- Matt runs his own security consultancy called Ronin Security. His focus is information security management and he has a keen interest in infrastructure and web application security. He's a CISSP and the current Branch Executive of the Melbourne chapter of the Australian Information Security Association.
Blog Archive
2009 (56)
January (17)
- It is hot
- Tool Kit
- PCI-DSS
- Access to security tools
- Cross Site Request Forgery in the Wild
- Builders vs breakers
- Pen testing is dead? Part two
- Pen testing is dead?
- nice article from grossman
- Ask a question
- What is the next big thing?
- Affiliate program now online
- What are the hard things to tackle that no one tal...
- Mandatory Internet Filtering
- just registered www.infamousagenda.com
- 2009 Predictions
Labels
- AISA (1)
- australian information security market (1)
- career advice (1)
- causes (1)
- DoS (1)
- economics (1)
- FUD (1)
- futurism (1)
- information security governance (4)
- IPS (1)
- privacy (2)
- sacred cows (1)
- security patching (1)
- vulnerability management (1)
- webappsec (1)
Tuesday, January 27, 2009
Tool Kit
So you want to be an information security professional? Well, what do you carry around? Here's my list:
- Backpack - sign of a pro; you may need to carry two laptops down George St in the rain. (I prefer Crumpler.)
- Mobile phone - you need to be in touch. Turn off the push email to save your sanity.
- 3G card - so you can type proper emails on a proper keyboard.
- Laptop - smaller and lighter is better; you need a CD-RW.
- Blank CDs and DVDs - you never know when you may need to give someone something.
- USB key - big, bootable and encrypted. We have a web app toolkit that runs off a USB key.
- BackTrack DVD - just in case you have a hard drive crash.
- Folio - to transport reports securely and crumple-free.
- Green tea bags - you don't know what they might have at the client.
- Water bottle - Sigg, so you're not drinking wacky plastic.
- Pen - not too expensive.
- Notebook - it's a bit rude to take notes in a folio sometimes, especially in a casual setting.
- Business card holder - the cards get crumpled in your wallet and you don't take your folio to the pub :)
Friday, January 23, 2009
PCI-DSS
PCI-DSS is a practical standard: if you comply with the spirit of it you will be well placed. By that I mean implementing the controls in the standard so that they are effective. For example, monitor and tune the IDS and Tripwire that the standard asks you to whack in instead of "set and forget", update your SOE quarterly and modify systems to suit, etc.
---- Sent using a Sony Ericsson videophone
Tuesday, January 20, 2009
Access to security tools
Security tools (port scanners, vulnerability assessment software, exploit development frameworks, web proxies, fuzzers, debuggers etc.) are like hammers. You can use them to beat your shields into shape or you can use them to whack someone on the head. Just as you need to be a locksmith before you can buy lock picks, maybe we need a self-regulation system? Require a permit number before download and fingerprint the tool with the permit number. Make the tools send the permit number with each packet and maybe we will have a method of b*tch slapping script kiddies?
---- Sent using a Sony Ericsson videophone
Thursday, January 15, 2009
Builders vs breakers
In my humble opinion this "pen testing is dead" meme and this builders vs breakers thing are coming from the same source.
Improve security by implementing key security controls in applications and building these key controls so they are secure themselves. By doing "stupid human tricks" and demonstrating that controls are not implemented we are just demeaning the profession. Poking holes in key security controls such as input validation functions and authentication functions in network protocols, and providing patches (if source code is available) or at least suggestions, is valuable and a worthy pursuit.
Pen testing is dead? Part two
There aren't that many IT security literate people in organisations, so when they need some assurance they are doing the right thing they ask a 3rd party with specialist experience for testing. The reality of the situation is that if someone is looking for assurance that they are doing a good job security-wise, they probably aren't. Some questions that security people often don't dare to ask, or ask pretty much knowing the answers, when approached to conduct a pen test include:
- Do you have a security policy?
- Do you have up to date technical security standards for the kit in use?
- Has someone been tasked with applying the standards?
- Has someone checked that the standards have been applied?
- Is someone monitoring for intrusion?
- Is there a risk assessment for this project?
- Are there any security requirements for this project?
- Is there a security architecture document and detailed design docs for the key security controls?
- Has functional testing of the key controls been undertaken to check they work in the intended manner?
---- Sent using a Sony Ericsson videophone
Wednesday, January 14, 2009
Pen testing is dead?
Incident near miss + "compliance requirement" from somewhere + lack of visibility of security posture = client looking for security testing = pen test request, as this is what is commonly known in IT land as security testing. "Can anyone get in?" is the most commonly asked question.
---- Sent using a Sony Ericsson videophone
Monday, January 12, 2009
Ah, I figured out Twitter. It's Facebook-lite. It's just the status tag of Facebook. I now have a Java Twitter client on my phone. Kind of weird. I'm now stalking Jeremiah Grossman, HD Moore, Marty Roesch, Adrian Lamo, Dave Aitel and Kevin Rose (just for humour value).
See the link to the right for my Twitter feed if you too like to stalk people in a friendly kind of way.
Friday, January 9, 2009
Ask a question
Hello,
I am now offering the following service via Infamous Agenda. Ask a question, get an answer! Free!
I'll post the questions and the answers.
For sort-of-serious questions, email goodquestions at infamousagenda com. An example below:
- If I have expired credit card numbers in a database, is the database in or out of scope for PCI-DSS compliance?
For the questions you are almost embarrassed to ask, email stupidquestions at infamousagenda com.
- What's an HSM?
Then there is dearmatty at infamousagenda com, my Agony Aunt column; an example below.
Dear Matty,
I'm a CISO but I'm getting no love from our CFO. We have had some lovely trysts in the past; I fondly remember wooing him with our Identity Management business case. Oh, how he swooned with the return on investment calculations. Recently he has cooled to me and I just can't get his attention. Dear Matty, what can I do to recapture his affections and clinch that lunch date?
Desperate and Dateless.
Dear Desperate and Dateless,
Your CFO is cooling to you with the cooling economic climate. Present to him some examples of how security can enable and support business initiatives. Good examples could include:
- Virtualisation security standard development - enabled virtualisation to be used on a new project, resulting in capital expenditure reduction.
- Establishing a VPN - now an outsourcer in India can access systems from the internet securely without WAN costs, saving ongoing operational expenditure.
Make sure there is a theme of enabling capex and opex cost reductions and the CFO will be courting you!
Good luck from Dear Matty.
Labels:
economics
What is the next big thing?
- PCI-DSS - will mandatory breach reporting and information leakage/credit card theft make this blow up in Australia?
- Virtualisation security - will the drive to VMware everything to save capital expenditure result in more security incidents and a rash of secure configuration and architecture engagements in a knee-jerk reaction?
- Web application security ratings and certifications - will organisations get fed up with sub-standard applications and want some assurances that OWASP-level standards have been adhered to in development processes?
---- Sent using a Sony Ericsson videophone
Labels:
futurism
Affiliate program now online
Mostly out of curiosity to find out how this works, I have signed up for an affiliate program and selected a few vendors I recognised. Not sure if any of my readers will buy consumer AV off a link from my blog, but hey, if someone does, my domain name registration is pretty much paid for for the year :)
Thursday, January 8, 2009
What are the hard things to tackle that no one talks about in information security?
There are some "elephants in the room" that aren't talked about because they don't involve selling shrink-wrapped software or 19" rack-mountable goodies. These are windmills to tilt against.
- Tackling the insider threat: how do you catch out fraudsters and information thieves BEFORE they rob you of your customer list and complete a fraudulent transaction on the company accounts?
- The prevalence of XSS vulnerabilities across the web that allow malware deployment to users visiting "trusted" web sites, forums etc.
- Signature anti-virus is not cutting it these days, with "crimeware" sold with update functions and money-back guarantees to not be detected by the major anti-virus vendors.
---- Sent using a Sony Ericsson videophone
Labels:
sacred cows
Mandatory Internet Filtering
Hey,
This mandatory internet filter is meant to restrict us from accessing illegal content. I spend my days looking at computer security research, some of which is exploit code, security testing tools etc. Is this illegal now? Will I be blocked from www.packetstormsecurity.com? Ah well, just proxy out via our global WAN :)
AISA put out a press release and pretty much announced what a stupid idea this is. Well done Drazen!
Labels:
causes
Wednesday, January 7, 2009
just registered www.infamousagenda.com
I'm going full on :) DNS replication happened overnight. Set up Google AdSense as well to help pay for the domain registration. Have to look into advertising.
Monday, January 5, 2009
2009 Predictions
Information security will become more integrated into business processes due to traction on identity management initiatives (RBAC, provisioning and termination) and implementing secure development practices into the SDLC. On the new and emerging threat side, I predict we will see crimeware deployed in new ways: via injection into web apps, or installation at the factory by insiders, potentially even in firmware, an escalation of what we have seen with USB devices with simplistic malware installed sometime between manufacture and receipt by the customer.
---- Sent using a Sony Ericsson videophone