Security News

AUSCERT 2010: The highlights


AUSCERT 2010: THE FUTURE OF SECURITY
The AusCERT conference this year was held on the Gold Coast from 16th - 19th May and Loop Technology was again a proud sponsor of APAC's premier IT Security event.

Daniel Hooper, Loop's Lead Information Security Consultant, attended as a delegate to find out what the trends and major discussion points were at this year's conference. There were two major themes this year: the first was the vendors' take on security “in the cloud”, and the second was the push to “bake security in”.

While there were lingering threads around last year's topic of data leakage/loss, this year seemed to be more about getting back to basics and concentrating on the people aspect of information security. The following areas were touched on across different presentations:

1. Governance

The topics of regulatory requirements such as SOX, FISMA, PCI, etc. were touched on in quite a few sessions. It was noted that there is a requirement to develop information security governance frameworks, information security policies, processes, procedures, etc. to assist companies in the effective management of information security risk.

“Policies define goals and responsibilities”… “enforce the ‘what if people don’t comply’” – Maria Corpuz.

2. Accountability

Identity Management (IDM), role-based access controls and monitoring of the use of online identities and accounts were subjects discussed and workshopped during the session titled “Identity Management – methodologies and tools to make user self service a reality” – Paul Conroy.

Also of interest was the topic of accountability in shared services: how to provide accountability in outsourcing agreements, and who is responsible for a data breach in the “cloud”?

“How do we manage risk in managed service offerings? Who is responsible for a breach?” – James Turner in “What’s on a CISO’s Mind in 2010?”.

3. Identify Critical Assets

It was thought at AusCERT 2010 that many organisations are not classifying and protecting information effectively.

Organisations must discover what the company’s critical information assets are, and which information technology assets support them.

Are critical systems under desks, not in server rooms? Do people know what information is considered sensitive?

“People are putting private information on public servers to make life easier.” – Bob Maley in “Using Vulnerability Management to Thwart Data Loss”.

4. Education and Awareness & Training

Richard Beach from Inland Revenue NZ presented the session titled “Training Your Pigs to Dance on a Shoestring – How to run a security awareness programme” to an overwhelming response from the audience.

People, education, awareness and communication were a common thread through the sessions at the conference. Richard Beach provided the audience with some lessons learned when deploying an awareness programme:

• Find the right people to deliver the education,
• Use existing communication and training methods,
• Plan the topics,
• Theme your campaigns, newsletters, competitions,
• Create a brand, and
• Leverage culture.

“Policy alone will not influence people. People influence people” – Richard Beach.

5. Prevention and Monitoring

Many companies are seeing an increase in the complexity of their information security related IT systems: anti-virus, anti-malware, patch management, firewalls, intrusion detection systems, content filters, etc.

Scott McIntyre used a “Whack-a-mole” metaphor in his “Security FAIL: We’re doing it wrong” presentation to describe the implementation of too many point solutions which become difficult to manage and monitor.

Reviewing event logs from servers, desktops, security devices, etc. can become a burden to the security team and/or the information technology teams.

James Turner in “What’s on a CISO’s Mind in 2010” discussed the topics of managing complexity and managing information, including record retention, reporting and Security Information and Event Management (SIEM).

Developing a strategy for security spend, implementing the right tools and having processes for monitoring and pro-active alerting helps to manage complexity.

Conclusion

With all the confusion of various products and services, IT and Information Security Managers need to get back to basics: concentrate on the business requirements, educate the users, and implement the technology required to meet regulatory and business requirements.

Recommendation

1. Conduct on-going and/or scheduled Risk Assessments to identify risks to sensitive information and critical business systems,

2. Develop a Security Governance Framework (and policy) to define ownership, accountability, responsibility and controls,

3. Deploy a Security Awareness Program,

4. Manage changes in the information technology environment (patching, change management, etc.),

5. Employ monitoring tools to pro-actively detect and alert on information security related events.


Loop Technology's Dean Plant (left) and Claire Bellenger (right) with Whitfield Diffie (centre) a US cryptographer and one of the pioneers of public-key cryptography at AusCERT 2010. 


Loop Technology's Daniel Hooper (left) and Dean Plant (centre) speak with IT Security legend Whitfield Diffie (right) at the Loop Technology stand at AusCERT 2010.


Some of the Loop Technology team at AusCERT 2010 (from left): Daniel Hooper, Carrie Gurr, Sarah Harris, Louis Rabon and Rob Clarke.