Upcoming Speaking Engagements

July 13th, 2010

We may be in the middle of the summer but already the calendar for the autumn is starting to fill up.   I will be presenting at Source Barcelona and also at BruCON in September.  For both of these seminars I will be talking about the lessons learnt from when I set up IRISS-CERT and how those lessons can be applied to those looking to set up their own incident response team.  While the topic may be similar the approach to each talk will be different. 

Source Barcelona has two tracks, one business and the other technical, and my presentation will be in the business track.  So the focus of that talk will be on the business aspects of setting up an incident response team.  Xavier Mertens gives a great overview of the different tracks in Source Barcelona over on his /dev/random blog.

BruCON is a more traditional technical security event and my presentation at that seminar will focus more on the technical aspects of setting up an incident response team and the tools, challenges and solutions one can face.

Also in September I will be speaking at the Cloud Computing Summit 2010 which will be held in Dublin.  I will be on a panel discussing issues surrounding the Security, Compliance and Regulatory requirements with cloud computing.

Then of course in November there is the IRISS-CERT Annual Cyber Crime conference.  Details have yet to be finalised regarding the speaker lineup but already it is looking excellent and it promises to be another exciting event this year.

Hopefully I will get to meet some of you at one of the above conferences.


Community SANS Event in Dublin

June 21st, 2010

Bob McArdle has made me aware of these upcoming Community SANS events to be held in Dublin this coming September.  Bob and Owen are both very well regarded for their expertise and I highly recommend attending either, or both, of these courses.

Bob also kindly offered a discount code for those of you wishing to attend.  Contact me on brian dot honan at bhconsulting dot ie and I will pass the code along to you.

The two upcoming courses are:

  • 20-25 September: SEC504: Hacker Techniques, Exploits & Incident Handling
  • 27 September – 2 October: SEC542: Web App Penetration Testing and Ethical Hacking

SEC504: Hacker Techniques, Exploits & Incident Handling

20-25 September

Instructor: Robert McArdle

Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

SEC542: Web App Penetration Testing & Ethical Hacking

27 September – 2 October

Instructor: Owen Connolly

In this intermediate to advanced level class, you will learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do. Through detailed, hands-on exercises and training from an experienced instructor you will learn the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.

For more details and to register please visit: http://www.sans.org/info/60323

About the Community SANS EMEA Program -

The Community SANS format in EMEA (Europe, Middle East and Africa Region) offers the most popular SANS courses in your local community and in your local language. The classroom setting is small with fewer than 25 students. The instructors are pulled from the best of the local mentor program or qualified security experts who have passed SANS' rigorous screening process. The course material is delivered over consecutive days, and the course content is the same as that provided at a larger training event. In addition to the excellent courseware, not only will you be able to use the skills that you learned as soon as you return to the office, but you will be able to continue to network with colleagues in your community that you meet at the training.


Proposed Data Security Breach Code of Practice

June 10th, 2010

As someone who has been campaigning for mandatory data breach disclosure laws in Ireland for a number of years I am pleased to see the proposed Data Security Breach Code of Practice from the office of the Data Protection Commissioner.  I have long argued that organisations need to realise that the data they hold on staff and customers is not theirs but rather has been entrusted to them by those individuals.  The purpose of breach notification should not be to punish the organisation that suffered a breach but rather to help the affected individuals take appropriate steps to protect themselves, especially nowadays with identity theft and financial fraud being so rife.

The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption, need not notify anybody about the breach; nor is notification required if the breach affects non-sensitive personal data or only small amounts of sensitive personal data.  Yet companies who have not taken the appropriate measures will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.

The other benefit I see from this proposed code is how, as an industry, we can all learn from the mistakes or misfortunes of those who suffer a breach.  I believe we would not have as many encrypted laptops and other mobile devices as we do today were it not for the widespread publicity of lost unencrypted devices in the past.  While you can argue that encryption alone is not the answer and may simply be a knee-jerk reaction, it is at least a step in the right direction.  Those attacking our systems share the potential exploits and weaknesses amongst each other; having breach disclosure laws in place helps those of us tasked with defending those systems to better shore up those defences and potential weaknesses.

Ireland has shown itself to be a leader in introducing legislation to benefit its citizens, the smoking ban and plastic bag tax being two that come to mind.  The introduction of the Breach Code of Practice is another example of how Ireland can better protect her citizens and provide an effective information security governance framework for businesses to follow.

I would be interested in your thoughts on the matter.  Why not share them below in the comments or indeed submit your feedback to the Data Protection Commissioner.


Brian Honan Meets InfosecCynic

May 21st, 2010

I had the pleasure of finally meeting Javvad Malik, otherwise known as the infoseccynic, at the recent Infosec show in London.  Javvad takes a refreshing look at the issues we face in the information security profession and you should visit his site or follow him on twitter to get his view on things.

Javvad kindly took the time to meet with me and have a chat about some of the things happening in the world of information security.


Google WiFi Sniffing SNAFU

May 20th, 2010

Recent investigations by German authorities discovered that the Google Street View car was recording information about the wireless access points it detected during its journeys.  More seriously, it was revealed that the system recording that data was also capturing any payload data being transmitted over unsecured (unencrypted) wireless networks it detected.  Google claims that this was a mistake and has promised to delete all such data.

On Tuesday the 18th May the RTE news covered the story and I was interviewed as part of the piece which is available here.


Next ISSA Ireland Event – May 27th

May 11th, 2010

The next ISSA Ireland chapter event will be a lunchtime meeting (noon to 2:30) on Thursday May 27th at the Radisson Hotel, Golden Lane, Dublin 8.  This event is free to members and while it is open to non-members it should be noted that non-members will have to pay a cash entrance fee of €10.

This lunchtime seminar will include three presentations covering very timely subjects:

  • The first speaker will be Justin Clarke, co-founder and Director at Gotham Digital Science, who will speak about how SQL Injection attacks still pose a major security threat despite being first discovered over 10 years ago. Justin has over twelve years of experience in assessing the security of networks, web applications, and wireless networks for large financial, retail, technology and government clients in the United States, the United Kingdom and New Zealand. As author of a number of well regarded information security books, including “SQL Injection Attacks and Defense” and having spoken at various conferences on security topics including Black Hat USA, EuSecWest, RSA, and OWASP, Justin is a recognised authority on this topic and well placed to discuss some of the deeper and darker areas of SQL injection attacks.
  • The second presentation will be from Mathieu Gorge, CEO and founder of VigiTrust, who will discuss the impact data privacy laws and regulations are having on information security. Mathieu has been in the security industry for over 10 years and has focused on the areas around key legal aspects of corporate security such as compliance with international data protection legislation as well as industry security frameworks. He is a regular speaker at international security conferences (RSA, ENISA, ISACA) and a well respected figure in the security industry in EMEA and North America. Given the increasing requirements on information security professionals to understand the legal and regulatory impact privacy legislation has on information security Mathieu’s talk will be a timely and informative one.
  • The final speaker will be Owen Connolly, CTO of Veridian Applied Intelligence, who will give a practical demonstration of how privacy controls can be circumvented in many of the popular online social networking sites. Owen has over 18 years' experience in the IT and telecoms industries, having worked in a number of large blue chips across a range of industries as well as in consultancy and managed services. Owen holds many security certifications, including CISM, GCIH, GCFW, GPEN, GWAPT, CFIA and CPE, and is a member of SANS' Advisory Board and GIAC Mentor program. With the recent publicity surrounding privacy issues associated with many popular social networking sites, Owen's talk will be a timely reminder to us all of the potential dangers posed by such sites.

You can register for the event on the ISSA Ireland website.


ISO 27001 In a Windows Environment

April 23rd, 2010

I am delighted to see that the revised version of my book has now been released.  The book is “ISO 27001 In a Windows Environment” and has been revised to include the security features in Microsoft’s Windows 7 operating system.

It is available to buy from IT Governance's website.  As the overview on the IT Governance website explains:


“The vast majority of ISO27001 implementations will, to one extent or another, take place in a Windows environment. ISO27001 project managers are not always Microsoft technical experts, but a large number of the ISO27001 controls require a technical implementation. Bridging the gap between non-technical ISO27001 project managers and IT specialists, this book explains what the controls are, and describes how to implement them in a Windows environment, equipping the ISO27001 project manager to succeed with the implementation.

MCSEs who have security training (MCSE Security), but who may not understand the ISO27001 approach to selecting and implementing controls, will also benefit from this book. It provides them with the necessary rationale and links their technical understanding of Microsoft information security controls into the international best practice framework for information security. This book should be a core part of the technical library of every MCSE and information security practitioner. If you have a CISSP, CISM, GIAC, or another professional certification, you should read this book.”

If you are looking to implement ISO 27001 in your organisation and wondering how to use the inbuilt security features within Windows to apply the standard’s technical controls then this book can help you.


Issue With McAfee VirusScan Update 5958 DAT

April 21st, 2010

An issue with the DAT 5958 update to the McAfee VirusScan Enterprise product causes PCs running Microsoft Windows XP Service Pack 3 to crash.  The DAT 5958 update incorrectly identifies the system file svchost.exe as containing malicious code belonging to W32/Wecorl.a.  When the McAfee software tries to clean the mistakenly identified malicious code from svchost.exe it quarantines or damages a critical system binary, causing a denial of service, Blue Screen of Death or DCOM error conditions and rendering the affected PC unusable.

McAfee advise that the issue has been resolved in the 5959 DAT file release which is available to download from the McAfee Security Update page at http://www.mcafee.com/apps/downloads/security_updates/dat.asp?region=us&segment=enterprise

McAfee also have a number of workarounds available at http://vil.nai.com/vil/5958_false.htm
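Before pushing the 5959 DAT, it helps to know which hosts actually have 5958 installed and whether their svchost.exe has already been damaged by a "clean" action. The following PowerShell function is an added example for this post, not a McAfee-supplied tool. It assumes that VirusScan Enterprise records the installed DAT version as the DWORD value AVDatVersion under HKLM\SOFTWARE\McAfee\AVEngine (or the Wow6432Node equivalent on 64-bit Windows); adjust the key path if your installation differs. The Authenticode check uses the standard Get-AuthenticodeSignature cmdlet: a genuine svchost.exe in System32 is Microsoft-signed, so anything other than "Valid" after an AV clean indicates the binary has been altered or replaced.

```powershell
# Added example (not McAfee's own tooling): report whether this host is on the
# bad DAT and whether svchost.exe still carries a valid Microsoft signature.
# Assumption: the installed DAT version is stored as the DWORD AVDatVersion
# under HKLM\SOFTWARE\McAfee\AVEngine (Wow6432Node on 64-bit Windows).

function Get-McAfeeDatStatus {
    param(
        [int]$BadDat   = 5958,   # DAT known to misflag svchost.exe as W32/Wecorl.a
        [int]$FixedDat = 5959    # DAT McAfee state resolves the false positive
    )

    # Candidate registry locations for the DAT version (assumed paths).
    $keys = @(
        'HKLM:\SOFTWARE\McAfee\AVEngine',
        'HKLM:\SOFTWARE\Wow6432Node\McAfee\AVEngine'
    )
    $dat = $null
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $dat = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).AVDatVersion
            if ($dat) { break }
        }
    }

    # Sanity-check the file the bad DAT was targeting. A "NotSigned",
    # "HashMismatch" or missing result after an AV "clean" means the host
    # needs svchost.exe restored, not just a DAT update.
    $svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $sig = if (Test-Path $svchost) {
        (Get-AuthenticodeSignature -FilePath $svchost).Status
    } else {
        'Missing'
    }

    $assessment = if (-not $dat) {
        'McAfee DAT version not found in registry'
    } elseif ($dat -eq $BadDat) {
        "Bad DAT $BadDat installed - update to $FixedDat before the next scan"
    } elseif ($dat -ge $FixedDat) {
        "DAT $dat is at or beyond the fixed release"
    } else {
        "DAT $dat predates $BadDat and is not affected"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DatVersion   = $dat
        SvchostSig   = $sig
        Assessment   = $assessment
    }
}

# Run locally; use Invoke-Command to fan it out across a fleet.
Get-McAfeeDatStatus | Format-List
```

Treat a host with DatVersion 5958 and a SvchostSig other than Valid as already affected: updating the DAT alone will not bring it back, and it will need svchost.exe restored per the McAfee workarounds linked above before it reboots cleanly.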


The Cost of Privacy

April 19th, 2010

I got an email today pointing me to this story in Time magazine, Trying to Escape the Surveillance State, where a journalist tries to live for a month without his privacy being impinged upon.  It led to a conversation about privacy, whether or not there is privacy on the Internet, and whether people will pay the cost for the amount of personal information that they freely give to various sites such as Facebook, Twitter, LinkedIn etc.

I argue that there is privacy on the Internet, depending on the choices you make.  In most cases an online transaction, be that purchasing something online, joining a social network or sending emails, has privacy as an element built into the cost of that transaction.  In order to buy those goods you surrender your privacy surrounding your personal details to receive those goods; you also probably use a credit card, which means that your transactions are noted by your credit card issuer; and finally sites may keep track of your activity to suggest recommended goods on your next visit.  This is no different from the physical world where you purchase items by credit card and perhaps use a loyalty card in the store.

Joining a social network, e.g. Linkedin, also has its privacy transaction costs. You want the benefits of a social network then you need to surrender your personal details to become part of that network. In real life you join social clubs, meet friends in public places where you also trade part of your privacy to take part in the group.

Some will argue that government monitoring of Internet usage is a breach of privacy: for example, your Internet browsing and email history is retained under the EU Data Retention Directive, and your ISP knows all your activity from their system logs, as recently highlighted by the Phorm controversy in the UK.

This is true but you can still take measures to protect your privacy online using various techniques such as anonymous proxies, never using your real name online, never purchasing items online and not joining any social networks or forums.

You can control your privacy on the web; the question that needs to be asked is, at what cost?


Implementing ISO 27001 in the Real World

April 14th, 2010

SC Magazine UK has published an article I wrote on “Implementing ISO 27001 in the Real World” on their blog today.  The article is an interview with three people who have experience in implementing and achieving certification against the ISO 27001:2005 Information Security Standard in organisations.  The people who kindly agreed to be interviewed were:

  • Peregrine Newton, the joint chairman and CEO for The Bunker, which provides secure, managed hosted and data centre solutions to its clients.
  • Han Van Thoor, managing director of Jumper CSIRT who provide clients with managed information security incident response services.
  • Michael Brophy, managing director of Certification Europe who provide assessment and certification services against international management system standards.

The article, which can be found here, provides some great insight from people who have been through the process of implementing and certifying their Information Security Management Systems against the ISO 27001:2005 Information Security Standard.  If you are considering implementing ISO 27001 you should read the post and learn from their experiences.

Of course you should also purchase my book “Implementing ISO 27001 in A Windows Environment” to get even more useful information on how best to leverage the security features of Microsoft Windows to implement the technical controls outlined in the standard.
