Interesting report and an increasingly mentioned trend:
The convergence of physical and information security might be likened to the early days of flight. While there have been some ambitious attempts at convergence by daredevil visionaries, as described in the case studies, progress, for the most part, has been slow and difficult. The truth remains that convergence, which is typically based on the vision of specific individuals rather than on a structured, well thought-out, repeatable model guided by a clear vision and road map, is still in its early stages.
For the visionaries of our case studies, there are some easy convergence wins in terms of efficiencies of scale gained by integrating information and physical security monitoring and video surveillance systems on a common organization network. But these advantages cater to technical people and are promoted by the security technology and communications companies of the world. The hard convergence wins, the ones that will provide the largest benefit, require buy-in from senior executives. As it stands today, senior management typically sees security more as a tactical function than a necessary component of business processes or decision making.
When the authors talk about converged security in this publication, particularly as it relates to enterprise risk, they are talking about not only physical and information security, but also the wider areas of protection, including security responsibility found within human resources and crisis management as well as within businesses or operational lines of responsibility.
For a cool R32mil (approx. $4.5 million), what a bargain. I give them 6 months before they all start wearing suits and start using terms like "governance maturity model" ;)
But seriously, congratulations to the SensePost team. They have done spectacularly well in a short time and with a small team (this works out to over a million or two per employee I think).
A few weeks ago a post on our internal list pointed me at a tool called Evolution put together by some company named Paterva. I've been playing with it quite a bit, and have even used it to demo some stuff to journalists.
Then today I saw that there will be a 27dinner in Pretoria tomorrow. To my surprise Roelof Temmingh (previously of SensePost) will be speaking, and what's more he is the founder of Paterva and one of the authors of Evolution!
I have high hopes this may be one of the best 27dinners yet (no offense to the marketing types) and if you will be in the Pta region tomorrow, come check it out.
If you won't be in the Pta region, then go check out Evolution anyway. The second beta of the standalone GUI was released last week and I am about to start playing with it. If it's anything like the last one, the web version is more functional (unless you decompile the Java classes and modify the static search terms, but I would *never* do that), but the GUI gives you a good idea of its functionality. A company and a tool to keep your eye on.
(P.S. Is it just me, or is South Africa rocking the information security party?)
All sorts of hype has been made about the big talks at Blackhat, but for those of us that weren't there, check out the side-channel coolness from the SensePost guys (straight out of SA). They have released a tool called Squeeza which provides a nice functional shell-like overlay for your SQL injections. Additionally, they demoed some very cool DXSRT which takes the JavaScript 'logged on' timing attacks to a new level.
However, what I thought was awesome were the side channel data leaks via DNS. Basically, by getting a machine behind a firewall to do a DNS lookup to <encoded data>.attackersdomain.com you can leak data out from behind a firewall. Simple and very cool.
While I'm at it, check out their blog, it's shaping up to be a great regular read.
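The DNS side channel above is worth looking at from the defensive side as well. As an added example (not code from SensePost or from the original post), the Python below runs two simple detections over a constructed DNS query log: it flags lookups whose leftmost label is unusually long or high-entropy, and it counts how many distinct subdomains each client resolves under a single domain. The log lines, the thresholds and attackersdomain.com as a placeholder domain are all assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from the original post), "<client> <qname> <qtype>"
# per line. Three lookups from 10.0.0.33 carry hex-encoded chunks as labels under a
# placeholder domain; the other lines are ordinary lookups.
SAMPLE_LOG = """\
10.0.0.12 www.example.com A
10.0.0.12 mail.example.com MX
10.0.0.33 53656c656374202a2066726f6d2075.attackersdomain.com A
10.0.0.33 73657273206469642031333435362072.attackersdomain.com A
10.0.0.33 6f777320726574757220666f722075.attackersdomain.com A
10.0.0.12 cdn.example.net A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def split_name(qname: str):
    """(subdomain part, registrable domain). Simplification: the last two labels are
    treated as the registrable domain; real code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(log: str, max_label_len: int = 24, min_entropy: float = 3.3, min_unique: int = 3):
    """Return (flagged, chatty): flagged = (client, qname, label_len, entropy) for names
    whose leftmost label is long or high-entropy; chatty = {(client, domain): n} where
    one client resolved >= min_unique distinct subdomains of one domain (chunked data)."""
    flagged, seen = [], defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        client, qname = parts[0], parts[1]
        sub, base = split_name(qname)
        if not sub:                      # bare registrable domain, nothing to inspect
            continue
        seen[(client, base)].add(sub)
        first = sub.split(".")[0]
        ent = shannon_entropy(first)
        if len(first) > max_label_len or ent > min_entropy:
            flagged.append((client, qname, len(first), round(ent, 2)))
    chatty = {k: len(v) for k, v in seen.items() if len(v) >= min_unique}
    return flagged, chatty

if __name__ == "__main__":
    hits, pairs = analyze(SAMPLE_LOG)
    for hit in hits:
        print("suspicious label:", hit)
    for (client, domain), n in pairs.items():
        print(f"{client} resolved {n} distinct names under {domain}")
```

CDN and cloud hostnames with hash-like labels will trip the entropy check, so in practice the per-client distinct-subdomain count is the more useful of the two signals and the thresholds need tuning against your own resolver logs.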