
I just had a meeting with the Finance Manager and Security Manager of a State government agency. If you are responsible for providing security, or for signing off requests for security budget in your organisation, it will be well worth your time to read about my experience.
I was attempting to better understand their business, assets, risks, likely threats and their potential impact, so one of the questions I asked the Finance Manager was “What is your ability to detect and respond to threats before your assets are compromised?”

When a recent customer asked how he could justify security spending and demonstrate security ROI, I answered his question with another question: “When you last purchased your home alarm system, did you first stop to calculate its ROI?” I don’t think so. Security is a lot like buying that alarm system. These expenditures don’t have a P&L associated with them; it is simply about risk management. You can’t expect to turn your security department into a profit and loss entity. It’s just not going to happen. However, there are more creative means to communicate with business leaders: analogies and basic English, combined with a graphical representation of your assets and risks mapped against the impact and likelihood of threats against those assets.

A good security expert likes to get right down into the root cause of an issue, and though I am not as technical as I once was, I still feel a burning desire to satisfy my curiosity and delve in as deep as I can to learn the answer to the age-old question – Why?
Today’s mission was to understand the underlying reason why so many CIOs seem compelled to comply with regulatory requirements rather than to be secure. PCI compliance is the quintessential example: compliance budgets get signed off while security budgets get turned down.

Shawn Henry, the FBI's executive assistant director
It seems the FBI have come up with the solution to the cyber threats posed by all the bad forces on the Internet!
Sounds promising. One would think the US Federal Bureau of Investigation, ‘an intelligence-driven and a threat-focused national security and law enforcement organization’, would have a good handle on this, but I think they have missed the mark with the solution suggested by Shawn Henry, the FBI’s executive assistant director. Henry suggests that, in order to protect critical utility and financial systems, a separate and highly secure internet should be set up.

If IT Managers and CIOs (asset custodians tasked with protecting corporate data) genuinely fear for their jobs over data breaches, why don’t they demand the resources they believe necessary to mitigate the risk, or assign the risk to the asset owners? If the CIO’s well-structured business case is rejected, it is clear that the board has implicitly decided to take the risk, so why not ask them to make it an explicit agreement?

It’s a natural human reaction that when things are bad we turn to humour! I believe things are REALLY bad now; I’m deeply concerned for the security of all of our digital assets! So to help us get over that, I’m presenting the following comedy gold that a kind, star-gazing friend shared with me.
It’s official: the source of Stuxnet has been revealed! No, it wasn’t the Americans or the Israelis. No, in fact, it was … ET!?

It’s an ugly metaphor, but ‘putting Dracula in charge of the blood bank’ highlights the issue of choosing an inappropriate custodian for a valuable asset.
In the IT world, the custodians of valuable assets may not have a penchant for siphoning the reserves and may in fact have the very best intentions.
Conflicts of interest will, however, drive behaviours that you may not have considered.
We regularly see the monthly executive reports offered up by IT departments and outsourced service providers proudly announcing a clean bill of health.
“No critical incidents, policy breaches or data loss this month Mr. Client!”
What a lot of rubbish.

The Contagion movie marketing machinery is thrashing all the media channels at the moment and there is clearly no room for subtle puns about viral marketing here.
It is hard to avoid the movie trailer that rattles off the stats of what we do with our hands and the likelihood of infection... it is enough to give you the heebie-jeebies.
We earlier explored the parallel of the human immune system for critical detection and response once protection had failed, but have not yet drawn the hygiene parallel.
Washing your hands is not hard, and is one of the most effective preventive measures you can take to avoid literally being brought to your knees as a result of simply touching your mouth.
No matter how large, small, global or local you are, it is now possible to reach in to the cloud for security-as-a-service for as little as, err... um, an apple a day!
My son has no concept of the perils that arise from smearing his hands along every handrail in the train station and then pushing the food that lurks around his mouth in with his fingers.
Likewise, your user community is not aware of the bandwidth-burning network clutter that delivers the platform from which criminals can reach in, view, copy, change or damage your information assets.
But you need to help them. User education is simply not practical anymore, just as telling my son not to touch door handles or handrails at the train station is not practical.
You now have the ability to help your users, as I do with my son. Reach in to the cloud, like reaching for the soap dispenser, and get that one-shot hygiene hit for them all.
Nothing spreads like fear – but nothing beats a simple solution.

Infamous social engineer, Kevin Mitnick
The IT helpdesk of XYZCorp in Sydney receives a call. A help desk operator by the name of Joe picks up the phone. Though the caller’s number is not displayed, it is clear it is an international call.
The caller says “Hi, this is Larry Smith”.
Joe quickly replies with “Hi Larry, how can I assist you?” Joe knows that Larry is the CEO, understands that the call is important, and gets straight to the point rather than exchanging the usual pleasantries.
“I’m currently staying in the Sheraton Hotel in Seattle and am having problems accessing the VPN because I forgot my password”. Joe knows that Larry is in Seattle due to a companywide email that went out earlier in the week.
Joe responds with “OK, I’ll reset your password, but first I have to ask you two security questions”. This is part of the procedure to avoid social engineering attacks.
“Larry – first question: What is your date of birth?”

A flu sufferer could have taken a preventive strategy with a ten dollar bottle of multivitamins and a three dollar face mask from the local supermarket, but instead opted for a more costly visit to a doctor and a course of antibiotics. Likewise, a sun bather could have applied a fifteen dollar bottle of sunscreen, but instead chose to pay for the permanent scars created by the surgery necessary to remove the melanoma resulting from the sun’s deadly ultraviolet rays. And finally, a restaurant owner could have installed a fire suppression system for the price of one week of profits, but instead looked on, speechless and contemplating financial ruin, as the footage on TV showed his restaurant burnt to the ground after an unexpected explosion in the kitchen.
I was always taught that prevention was better than cure, but seldom do I see prevention being exercised. But why? It seems counterintuitive to accept such a risk and pay a huge price for it at a later stage, when a simpler and lower cost preventive action could have been put in place. Well, the answer is simple: the curse of being overly optimistic, often expressed by the infamous Aussie attitude “She’ll be right, mate”, and there it is – the ultimate recipe for procrastination.