Norms are for those you believe in them, and the same counts for the results of the audits that are based on them. Meanwhile incidents show us now and than that the finance industry is no different from others and that much work still needs to be done, financial crisis or not.
At one side encryption is becoming ever more important and at the other side the cybercriminals find breaking it ever more important. So there is a ratrace that in 2008 gave way to some discoveries and thoughts that made many people work very hard in the ITsecurity business. You should nowadays give much more attention to the quality of your encryption and your certifications.
28/02/08 11:36 How are the encryption vendors reacting to the bypass before we throw their software out ?
By surfing around we found or received some hiccups that we published.
30/09/08 14:08 never has there been so many viruses unlashed on the internet in august and september shows no sign of changing that trend
It is all good and well to control code and access to information and rights but in the end it is only hardware that uses electricity that finds itself in a location. So you will always have to keep in mind that electricity, water and fire to name a few are being monitored, prevented and that you have back-up plans. You can't suppose to have always electricity.
05/08/08 16:54 Why an internal energy policy for your enterprise is the same as an ITsecurity policy
2008 was also a year of the network security in its most technical and basic form. One developed an exploit to get the DDOS back to only 9 pings to bring a networked device (router, server) but we have to see any use of it yet, while another went even more upstream and attacked the BGP infrastructure.
Closer to home was the discovery of a letter by Belgacom to their clients that there wireless routers were abused or was there something else at play. Another proof that Belsec can start interesting ITsecurity discussions. :)
2008 can be called for Belgium the year that the security of email went high up the agenda. No private or public institution can have a security policy in 2009 and not have put the legal and infrastructure planning in place to protect emails and to be able to find emails afterwards if a there is a legal question for them.
Spam is here to stay and we will have to learn to live with the ever changing tactics of the spammers. There were some arrests and take-downs that made a difference for a while but as long as there is money to be made by people who will believe anything, there will be lots of spam.
It is also important that your mailserver, ISP or domain isn't blacklisted because of an infection or overview because returning to normal ain't that simple.
2008 showed us that once in a while the security community could have big wins, for a while, by blocking or ending any connection with rogue ISP's or registrars. It seems to be an important step forwards as it can be used to pressure others to clean up their act before the same would happen to them.
14/07/08 13:03 Council of Europe will meet in October to meet next international conference on Internet Governance
DNS is just a bunch of code like any other code and so it has to be upgraded and patched from time to time, especially if one finds a bug that let any crook change the IP of any domainname in 9 second without being noticed.
It is just remarkable that in Belgium the DNS servers of the ISP's were only patched after being pushed to do it by a Belgian webforum that listed the Belgian non-patched DNS servers.
Typosquatting is something that some people on belsec have already been battling for years and it seems that in 2009 one can really start a clean-up operation on the .be domainspace. Meanwhile in 2008 we published some articles with information and tips and comments.
The good news in 2008 was that IDN won't be used in the .be domainspace, but for the rest there rest a whole lot of things to be done for that the .be domainspace would become safe enough to love it the way we love security.
26/11/08 16:46 the belgian at resellerclub who took over malwaredomainprovider estdomains portofolio
28/05/08 23:38 Register your telephone number as your .be domainname - if someone else didn't before you....
28/05/08 14:23 Why DNS and domainextension operators should have active policies against abuse and spammers
As risk managers in IT we are reading news about a crisis differently and find some details more important than others. So when the financial crisis broke out, we could only be amazed by the lack of investigative journalism and crisiscommunication and while the crisis developed we were even more amazed about the absence of risk appraisal. They were playing with others people money in a way that we wouldn't play with our own.
These are the links to free books and courses that we have published on this blog, even if most are now published in the links on furl next to this blog.
11/09/08 13:35 transatlantic consumer organisations and interoperability and open software standards
In June the parliament discussed and finally approved the e-health proposal on the basis of faith in the people responsable for the project. As we don't have faith but just want to see the facts, we studied it and had some attention for the subject. I am sure that we will have more attention for it in 2009 as this is a very important subject.
We also follow closely the phishing in Belgium, new techologies and the possibilities of protecting people by getting those sites noticed or taken out before they try to login.
29/10/08 17:13 Belgian phishing hosters : hostbasket, schendom Europe, Teledis, behostings and ulg.ac.be
As securitypeople we are in the first place securitypeople, our instincts and reflexes are security. Our mind and thinking is drilled for security and this is no different for IT as for physical security and terrorism. In 2008 we had first the debate over the high level security-alert in Brussels and the surprise of the arrest of a (double ?) agent/terrorist in Maroc. There were different antiterrorist sweeps and arrests but some important online terroristpropaganda sites where Belgians were involved stayed too long online. We also published some other terrorist news and views.
We hope that in 2009 they will continue the difficult work of being first and not cleaning up a mess afterwards.
27/11/08 12:02 second important lessons for anti terrorist operation centers from the terrorist campaign going on in India
Belsec is monitoring the hacking of the .be domain because it is a domainextension that falls under Belgian law and therefor is quite easy to follow up on.
Not that the .be domainextension is hacked more or less than others, but it is important that hacked domains are cleaned up again and secured before going online. This was not always the case. Also being hacked is a reminder that security is a situation that changes permanently and that you can never say that you are secure. It is therefor amusing to see that big sites, webshops, hosters and ITcompanies with a lot of publicity on their frontpage have new pages added that show a totally different image. Even more if those pages stay online for weeks or months afterwards, even if they are published here.
21/10/08 14:27 Website of Chastell (secretary of state) fixed, Suez site for big clients still hacked
Belsec is just a belgian part of a wider network of Belgian and international security bloggers even if this seems to be more or less the only place where the postings can go a bit further without that the writers have to fear for their careers or name. It is most often the pianist who is getting shot around here. In 2008 our first year, bloggers became the pianists that were being targeted in Belgium and in Europe. Freedom of speech online is not so evident anymore. Which is a pitty because - aside from the unnecessary personal attacks - it is the debate that has to be advanced, not the career.
Belsec has also tried to lobby for more important and widespread esecurity laws and discussion and has also tried to enlarge the debate.
It is still open for new input and helpers.
27/10/08 10:01 access to secure website of the belgian national police site and did the newspaper something illegal ?
10/08/08 18:30 Students refused the right by judge to present RFID transport card vulnerabilities (documents)