Managing Geeks

Not specifically security-related, but a friend recently posted a link to a old (2009) article about managing IT Staff that is one of the best I have read.

From personal and anecdotal experience it really hit the nail on the head in a few areas about how 'geeks' respond to authority and management and the currency of respect.

National Cyber Security Week

Next week is National Cyber Security Week here in Australia.

Click on the image to go to the Government site for details and great resources such as factsheets, security quizzes and a small business security assessment tool

So-oh no-ny

Sony's woes continue, as although they have restored their PSN network, they are being accused of still having plenty to do with flaws in their password reset function and multiple vulnerabilites being discovered by researchers in their other websites.
Adding salt into the very public wound, an investigation into Sony's data protection measures by the UK Information Commissioner's Office mirrors the announced investigation by the Australian Privacy Commissioner. It will be interesting to see the findings.

Sony are learning the hard way a lesson that many other organizations should be heeding, computer networks are incredibly complex and difficult and defending them is even more complex and difficult. If your business is providing online services to a large customer base, security needs to be part of the culture of the company - it needs to be evaluated, implemented and questioned at every level with every developer, every DBA, every sysadmin, every network engineer taking responsibility to proactively secure their area and every project manager and every business manager understanding the importance of security and the potential damage of a significant breach. Maybe it's too much to ask...?

 To my mind it is quite a surprise that Sony did did not have a CISO and unfortunate that it took such a major incident for them to appoint one. It seems it may have been a typical 'it can't happen to us' attitude that many managers and executives adopt.

Hopefully the major publicity surrounding this breach will lead to other organizations to reassess their data security efforts.

Breach, breach, baby...

Data breaches are big news recently and it seems no-one is immune...

From Sony Online Entertainment's huge breach (and criticized response) to the Australian Government and the (slightly less recent) incredible embarrassment of Security Vendor RSA's breach and the Epsilon breach, which was largely publicized in Australia as the 'Dell Australia' breach.

Will the sheer number of high-profile data breaches provide some more motivation for businesses to employ better security safeguards and to demand vendors provide more secure products? Will they wake up the general populace to the importance of not using the same password for everything and opening every attachment that promises dancing pigs?

I won't hold my breath, but I will cross my fingers and hope.

The always interesting Verizon Annual Data Breach report [pdf] is out for 2011 and is (as always) as interesting as it is depressing. A big upswing (+22%) in externally-sourced attacks and a change of targets from Financial institutions to hospitality and retail are interesting. The fourth-highest number of breaches resulting from default or easily-guessable passwords is depressing.
Download it as it is well worth a read.

Cloud Concerns

The cloud has arrived down under! Well at any rate it has registered on the radar (weather radar?) of our Government officials.

Last month the Defence Signals Directorate (DSD) has issued a paper on Cloud Computing considerations [pdf] that aims to “assist agencies to perform a risk assessment to determine the viability of using cloud computing services.”

This came hot on the heels of the Federal Privacy Minister voicing his concerns with the compatibility of cloud services and the National Privacy Principles and has been followed up by the Victorian Privacy Commissioner releasing a Cloud Computing information sheet to give "a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies"

Personally, I'm happy to see privacy concerns are getting some serious consideration. I'm certainly not anti-cloud, in many ways it is very cool, but I don't want to see businesses running headlong into a potentially disastrous (security & privacy-wise) situation without giving the consequences due consideration. Firm Cloud standards and Government guidelines (and industry guidelines -eg: ASIC) will go a long way to helping any move to the Cloud be successful in the long run (again from a security & privacy perspective).
Assuming you cloud service is up and running that is! (sorry for the cheap shot Amazon!)

Finally on privacy, this week is Privacy Awareness Week, so go and check your facebook privacy settings (because they change pretty often!)

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme