Speaking at the 2nd Annual Data Protection Conference

February 8th, 2010

The Second Annual Data Protection Conference, which is run by the Irish Computer Society, will be held this year on Thursday the 25th of March in the Radisson Blu Hotel, Golden Lane, Dublin 8.  I will be speaking at the conference, as will:

  • Billy Hawkes – Data Protection Commissioner
  • Bruce Schneier – BT
  • Linda Ni Chualladh – An Post
  • Las Kelly – Bank of Ireland
  • Murieann O’Dea – BearingPoint

Registration for the event is now open and those who register before February 25th can avail of the early bird pricing which is €170 for members of the Irish Computer Society and €295 for non-members.  After February 25th the registration fee increases to the standard fee of €200 for members of the Irish Computer Society and €350 for non-members. 

For more information and to register please visit the ICS website.


Boards.ie Hacked

January 26th, 2010

On Thursday the 21st of January Boards.ie announced that they were the victims of an external attack which may have led to the compromise of their user database.  As that database contained more than 280,000 users it was potentially a major issue.  Details of what happened are available on Boards.ie’s website where they give a good summary of the main points that happened during the attack.  What was really impressive was the way that the management and staff of Boards.ie managed the communications throughout the event.  Damien Mulley has a good post on the whole area of crisis communication, a key element many overlook in their incident response plans.  I was also interviewed on the late news on Network 2 that night and make a brief appearance on the news item which starts at 12 minutes or so into the bulletin.


Next IISF Meeting

January 22nd, 2010

The next meeting of the Irish Information Security Forum will be held on the 28th of January at 14:00 in the Oak Room in Buswells Hotel on Molesworth St. Dublin 2.  The topic for the meeting will be “What’s hot in Information Security in 2010”.

I will be addressing the meeting with what I think will be hot for 2010 as will speakers from RITs, Grant Thornton, Espion, Deloitte and Ernst & Young.

It promises to be an interesting event and I look forward to seeing some of you there.


Morning Ireland Interview

January 20th, 2010

I was interviewed by RTE Radio 1’s Morning Ireland show about the latest vulnerability in Microsoft’s Internet Explorer.  The interview focused on the calls by the French and German governments for people not to use Internet Explorer until a patch is released and to move to a different browser instead.  The full interview is available on RTE’s website.

Since the interview Microsoft announced they will release an out of cycle patch to address this issue.  Also it is interesting to note that the Australian CERT, AusCERT, has a different view to the French and German governments on this issue and claims that the issue has been overblown.  The Trend Micro Countermeasures blog also has some good guidance regarding how to deal with this vulnerability and indeed any other vulnerabilities that have no patches available.


Snow Go

January 5th, 2010

A few people have asked me about what they should do regarding business continuity as a result of the recent heavy snow falls.  I have pointed many of them to the excellent business continuity plan template that the Department of Enterprise Trade and Employment published recently for the H1N1 flu virus and which is equally applicable to the current weather conditions.

The following post from February of last year is also worth reading:

Weather wise it has been an interesting week in Dublin to say the least.  We had our first major snow fall in many years.  While the volume of snow we got may not be anything compared to what some of you get in more continental climes, it was still large enough to make life uncomfortable for us Irish people who are used to our winters being windy and wet (kind of like our summers).

As a child I remember when snow would fall heavily enough for the schools to close and we ended up with free time on our hands thanks to a “snow day”.

So it was interesting to see how businesses were impacted by the weather this week and how they were impacted by the grown up version of “snow day”.  While these businesses did not close their doors, I know of many people who decided to work from home rather than face the chaotic traffic resulting from Irish drivers’ inability to deal with snow on the road.  Quite a few meetings were cancelled as people could/would not travel to attend. 

This made me wonder how many companies have their Business Continuity Plans updated to include how to deal with adverse weather conditions impacting on their staff not being able to get to work or to attend meetings with clients.  Most companies I have audited regarding their Business Continuity Management System seem to focus solely on the IT aspect of their company and what would happen if a disaster were to make those systems unavailable.  Very few include in the Business Continuity Plans what to do if key staff are suddenly unavailable.

So why not take a look at your own organisation and try to figure out what you would need to have in place should some of your key staff be unable to get to their place of work?  Some key questions to ponder:

  • How many concurrent remote users can your VPN support? 
  • If a large number of staff were to try to work from home on the same day would the VPN be able to cope with the traffic? 
  • Should you have a VIP VPN that can only be used by those staff in such scenarios?
  • Do your staff have work laptops or PCs to work from home?  If not how will you secure any data they may have on them while working from home?
  • Can staff use alternative means to meet with clients such as online conferences or conference call facilities? 
  • Is your support desk prepared for the increased number of calls that they will get from remote workers who may not have tried to connect remotely for a while? 
  • Do they have appropriate tools to diagnose VPN issues and problems or indeed to remotely take over a PC to help troubleshoot it?
  • Will you have people on your support desk to support your users or will they too be victims of the snow day?

When it comes to Business Continuity planning you need to look beyond the availability of the systems and think of the impact different circumstances can have on them.  You should look closely at the ISO 27001 Information Security or the BS 25999 Business Continuity Standard to ensure that you have taken a structured and business-focused approach to your business continuity planning. 

Let’s not make a snow day a no business day.


Christmas Wishes

December 24th, 2009

I would like to take the time to wish you all a very Happy Christmas and that the New Year will bring you health, happiness and prosperity.

Given the weather we are currently having and it being the time of year it is the following expresses how we all at BH Consulting feel;


Latest Issue of Security Watch Now Available

December 22nd, 2009

The December 2009 edition of our sister publication, the Security Watch Newsletter, is now available online.  For those of you who do not subscribe to our newsletter, you may find it a useful read as we highlight issues and stories that may not be applicable to our Blog.


Information Security D-List Interview of Brian Honan

December 18th, 2009

Andrew Hay is a gentleman I became acquainted with thanks to Twitter.  Andrew is a modest chap who describes himself as a “devastatingly handsome author, sporadic blogger, bbq junkie, and security strong man”.  He has an excellent blog and has recently decided to run a series of interviews of people in the information security industry.  I was very honoured and humbled when he asked if I would take part and the results are available over at his blog.  Enjoy!!


SANS Coming to Dublin in 2010

December 17th, 2009

I am delighted to see that SANS are running their training event again in Dublin in 2010.   The event will run from March the 15th until March the 20th, perfect timing for those of you who want to come to Ireland to celebrate St. Patrick’s day.

The courses that will be held are;

It should be one of the more interesting SANS training events given that St. Patrick’s day will be celebrated during it.


Sometimes You Do Not Need to Outrun the Lion

December 2nd, 2009

Last night I gave a talk to students studying the Bachelor of Science in Computing in Information Security and Digital Forensics degree course in the Institute of Technology in Blanchardstown.  The purpose of my talk was to paint a picture of what they could expect once they moved their careers into the field of information security.  It was a very interesting session and I enjoyed it immensely. 

It was interesting to speak to people who are starting on their journey into the world of information security and to point out some of the challenges they face. 

One of the key skills I highlighted to them that they will need is to be able to clearly communicate to management the risks certain activities will bring to the organisation and what security controls would need to be put in place to manage those risks.  This also means being able to accept that management may not always agree or understand what you are trying to tell them.  Which in turn will mean that you will not always get the approval to implement all the changes that you want to put in place.

The key skill to develop therefore is to understand what the important controls are that you need to implement and those that may not be so important.  As criminals prefer to take the easiest option, (after all that is why they make their living from crime and not from hard work), making your systems that little bit harder to break into than those of your neighbours may be all that you need to do.  So in the majority of cases that means that most of us simply need to ensure that we can protect our systems from the automated and less sophisticated attacks that are out there. 

It reminds me of the classic joke from Billy Connolly about the two camera men filming a lion.  The lion sees the two camera men and proceeds to chase after them.  One camera man stops and puts on a pair of running shoes.  His colleague tells him “You will never outrun the lion in those”.  He replied, “I don’t need to outrun the lion, I just need to outrun you!!”.

So remember, you don’t always need to outrun the lion, just outrun the rest of the menu.
