Bad Teacher

November 21st, 2011 — 9:30am


A good security expert likes to get right down to the root cause of an issue, and though I am not as technical as I once was, I still feel a burning need to satisfy my curiosity and delve in as deep as I can to answer the age-old question: why?

Today’s mission was to understand the underpinning reason for why so many CIOs seem to be compelled to be compliant with regulatory requirements rather than the need to be secure. PCI compliance is the quintessential example of compliance budgets being signed off and security budgets being turned down.


The FBI’s Internet 2.0

November 14th, 2011 — 1:21pm

Shawn Henry, the FBI's executive assistant director

It seems the FBI has come up with the solution to the cyber threats posed by all the bad forces on the Internet!

Sounds promising. One would think the US’s Federal Bureau of Investigation, ‘an intelligence-driven and a threat-focused national security and law enforcement organization’, would have a good handle on this, but I think they have missed the mark with the solution suggested by Shawn Henry, the FBI’s executive assistant director. Henry suggests that, in order to protect critical utility and financial systems, a separate and highly secure internet should be set up.


Damned Lies…High Stakes

November 7th, 2011 — 9:05am


If IT Managers and CIOs (asset custodians tasked with protecting corporate data) genuinely fear for their jobs over data breaches, why don’t they demand the resources they believe necessary to mitigate the risk, or assign the risk to the asset owners? If the CIO’s well-structured business case is rejected, it is clear that the board has implicitly decided to take the risk, so why not ask them to make it an explicit agreement?


ET did it!

November 2nd, 2011 — 10:00am


It’s a natural human reaction that when things are bad we turn to humour! I believe things are REALLY bad now; I’m deeply concerned for the security of all of our digital assets! So to help us get over that, I’m presenting the following comedy gold that a kind, star-gazing friend shared with me.

It’s official: the source of Stuxnet has been revealed! No, it wasn’t the Americans, nor the Israelis. No, in fact, it was … ET!?


Watch the Doers!

October 27th, 2011 — 2:20pm


It’s an ugly metaphor but ‘putting Dracula in charge of the blood bank’ highlights the issue of choosing an inappropriate custodian of a valuable asset.

In the IT world, the custodians of valuable assets may not have a penchant for siphoning the reserves and may in fact have the very best intentions. Conflicts of interest will, however, drive behaviours that you may not have considered.

We regularly see the monthly executive reports offered up by IT departments and outsourced service providers proudly announcing a clean bill of health.
“No critical incidents, policy breaches or data loss this month Mr. Client!”

What a lot of rubbish.


Nothing spreads like fear

October 20th, 2011 — 9:30am


The Contagion movie marketing machinery is thrashing all the media channels at the moment and there is clearly no room for subtle puns about viral marketing here.

It is hard to avoid the movie trailer that rattles off the stats of what we do with our hands and the likelihood of infection; it is enough to give you the heebie-jeebies.

We earlier explored the parallel of the human immune system for critical detection and response once protection had failed, but have not yet drawn the hygiene parallel.

Washing your hands is not hard, and it is one of the most effective preventive measures you can take to avoid literally being brought to your knees as a result of simply touching your mouth.

No matter how large, small, global or local, it is now possible to reach into the cloud for security-as-a-service for as little as, err... um, an apple a day!

My son has no concept of the perils that arise from smearing his hands along every handrail in the train station and then pushing the food that lurks around his mouth in with his fingers.

Likewise, your user community is not aware of the bandwidth-burning network clutter that delivers the platform from which criminals can reach in, view, copy, change or damage your information assets.

BUT you need to help them. User education is simply not practical anymore, just as telling my son not to touch door handles or handrails at the train station is not practical.

You now have the ability to help your users, as I do with my son. Reach into the cloud, like reaching for the soap dispenser, and get that one-shot hygiene hit for them all.

Nothing spreads like fear – but nothing beats a simple solution.


Say goodbye to Privacy

October 10th, 2011 — 9:30am

Infamous social engineer, Kevin Mitnick

The IT helpdesk of XYZCorp in Sydney receives a call. A help desk operator by the name of Joe picks up the phone. Though the caller’s number is not displayed, it is clear it is an international call.

The caller says “Hi, this is Larry Smith”.

Joe quickly replies with “Hi Larry, how can I assist you?” Joe knows that Larry is the CEO and understands that the call is important and gets straight to the point rather than the usual pleasantries.

“I’m currently staying in the Sheraton Hotel in Seattle and am having problems accessing the VPN because I forgot my password”. Joe knows that Larry is in Seattle due to a companywide email that went out earlier in the week.

Joe responds with “OK, I’ll reset your password, but first I have to ask you two security questions”. This is part of the procedure to avoid social engineering attacks.

“Larry – first question: What is your date of birth?”


She’ll be right mate

October 4th, 2011 — 9:30am


A flu sufferer could have taken a preventive strategy with a ten dollar bottle of multivitamins and a three dollar face mask from the local supermarket, but instead opted for a more costly visit to a doctor and a course of antibiotics. Likewise, a sunbather could have applied a fifteen dollar bottle of sunscreen, but instead chose to pay for the permanent scars created by the surgery necessary to remove the melanoma resulting from the sun’s deadly ultraviolet rays. And finally, a restaurant owner could have installed a fire suppression system for the price of one week of profits, but instead looked on speechless, contemplating financial ruin, as the footage on TV showed his restaurant burnt to the ground after an unexpected explosion in the kitchen.

I was always taught that prevention was better than cure, but seldom do I see prevention being exercised. But why? It seems counterintuitive to accept such a risk and pay a huge price for it at a later stage, when a simpler and lower cost preventive action could have been put in place. Well, the answer is simple. The curse of being overly optimistic… often expressed by the infamous Aussie attitude “She’ll be right mate” and there it is – the ultimate recipe for procrastination.


YOU SENT WHAT?

September 26th, 2011 — 9:30am


Is ignorance bliss? Not when it comes to data loss. Every organisation has lost sensitive data; most just don’t know which data, where, when, or how. But regulatory requirements for public notification of losses will mean Australian organisations will gain visibility the hard way—in the headlines. And bad news travels fast.

Data loss will become a big issue over the next few years due to the federal privacy commissioner’s draft guidelines for voluntary notification, and the forthcoming Australian Law Reform Commission recommendations on a mandatory scheme. Similar regulation such as the credit-card industry’s PCI and the various disclosure laws have been the best stick the industry has found to beat companies over the head with, and it works. Regulation forces companies to take security more seriously, and sells more products and services.


Focus on the crown jewels!

September 19th, 2011 — 8:46am


From codpieces to chess pieces, the principle is the same, and even if you haven’t played chess, you will know that it is a game of strategy based on two armies ultimately tasked with protecting the King.

If chess had been invented in the current century, the more politically correct objective may have been to protect the Queen, or the “royal couple,” but for historical purposes let’s stick with the game being won by the army that captures enough of its opponent’s army that there is no longer an adequate defence to protect the King.

