Friday 17 November 2017

Dummies Guide to Bossing Men Around !


by Sheena Downey - one of the AWSN Brisbane Chapter Leadership Team
The IT world has, to date, been hugely dominated by men, from the likes of Steve Jobs, Woz and Bill Gates to the modern, young, stereo-typical hairy, girl-shy developers hiding away in mum’s basement, hacking into government secure servers trying to uncover who really shot JR.

Whilst there has been any number of strong successful women beating down the doors and breaking through the glass ceilings, many more women have simply walked away and found other careers, different directions or alternate industries.

We’ve been advised to dress and act like men in order to fit in and succeed.  Then been accused of being aggressive and bossy.    We’ve been advised to use our “womanly wiles” then accused of dressing inappropriately or worse !
I was accused of being “scary” after an argument with a junior team member repeatedly failed to do his job whilst he was blameless.

But, throughout my career, I have done 1 thing, and 1 thing only

I have been me !!!!

If I was “scary” when I argued with my team member, at least he actually did his job after our conversation.

I wear trouser suits – I like trousers,  I’ve even been known to wear cufflinks – they’re pretty and a little bit “different” – I like that too !   I swear – a lot and have long, painted nails  - And I look after the people in my care, my team, my customers, my stakeholders.

So, if you want to succeed in a man’s world -   Be yourself, it’s the best thing you can be !

 This post has been written by Sheena Downey
An 18 year old rebel trapped in a significantly older body, Sheena has been a PPM professional for almost 20 years and has a passion for all things Business Continuity Management focussed. Ex-RAF, working mother and specialising in IT, Sheena has made a career out of telling men what to do and holding them accountable when they don’t do it.

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Friday 10 November 2017

Simple use of Twitter to access world class malware advice

___________  by Mary-Jane Phillips___________________

I had just finished a course on ransomware when Wanna Cry hit. This ransomware was not typical in the way it was delivered, so I spent time reading media articles and tweets about the 'outbreak'. Experts on Twitter led me to Malware Tech's botnet tracker which sadly, is not currently available.  At the time, I was able to see the map of Wanna Cry infections over time.  (Including in Australia).
I also saw the famous tweet from Marcus Hutchins of Malware Tech about the Wanna Cry 'kill switch' domain name being registered.  Mass media was much slower to report information than Twitter and was often incorrect.  So Twitter has become my source of information on rapidly spreading, malware. 
Now, I use malware events on Twitter to fine tune my feed of malware information.  This is the simple process. 
  • Find the relevant trending hash tags on Twitter.  E.g. #wannacry #wannacrypt or #expeta #expetya #notpetya or #bad rabbit #badrabbit ransomware
  • Scan through the tweets to see which ones get a large number of likes, re-tweets or comments (or are liked by experts).
  • Critically assess the tweets (E.g. Large numbers of comments can mean it is controversial).
  • Follow people that give you valuable information on the level of risk, prevention methods, short and long term fixes. (or whatever you are looking for in particular)
  • Think hard before clicking a link.  During an incident, a certain percentage of malicious links will appear.  People who care about the security of society will communicate as much information as possible within the tweet and not just have a hook for you to click.
  • Expand and refine your list with every malware incident. 
  • Identify your favourites.  (You will see who collaborates and who is marketing). 

I particularly like Hasherezade on reverse malware engineering.  She is scientific and has a great network of people she calls on for rapid help. 
With a relatively small amount of work over time, Twitter gives you fast access to a diverse range of experts on malware risk, as well as short and long term fixes. The method  would probably work for most areas in cybersecurity but it works particularly well for malware due to the speed of communication and collaboration required in the community.
Have a look to see the reverse malware experts I follow. This is the link to my Twitter profile. And please connect with me on LinkedIn.  I look forward to meeting you all. 
Have a great day.
Mary-Jane Phillips

Mary-Jane Phillips BSc GDip Eng MBA

Mary-Jane began her career in scientific equipment sales, then moved into environmental management and assisted with ISO14001certifications.  Mary-Jane is currently working on her micromasters in cybersecurity at Rochester Institute of Technology, and CISSP associate certification. Mary-Jane is highly skilled with risk and compliance management systems and is actively looking for a cyber security role in Brisbane, part time in 2018 and full time in 2019.

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.

Friday 3 November 2017

Cyber Security Risk Management in Context

by Robyn Bailey

A good cyber security program requires good management of risk, usually in accordance with Risk Management Standard ISO31000, although there’s almost always one critical step that is overlooked.

Setting the context of a risk assessment is the first and one of the most important steps – if all participants of the assessment are not working and analyzing at the same context then there is bound to be a mismatch and incorrect risk ratings assigned. This can lead to over-application of controls (and a lack of return on security investment leading to reputational issues for the cyber security specialists) or under application.

The following diagram represents the multi layered approach to cyber security risk management and examples of key stakeholders for input to a risk assessment within each context.   

Each layer should then be further broken down into vulnerabilities and threats.

An example I often use to explain these layers and contextual awareness (or lack of) is the identification of a vulnerability in a browser on a server by an operational staff member. Whilst industry vulnerability ratings (eg may identify the vulnerability as High, the threat may be low (no or minimal human threat actors as there is very minimal use of the browser) therefore the risk, even at the Operational context, is not High. Once we “roll-up” the risk to the layer layers, this particular risk should get consumed within more important business cyber risks – the CEO and Audit and Risk are not concerned with one vulnerability on a server. 

Delving deeper into individual risks, as a risk practitioner of many years, I often see a lack of contextual alignment in the likelihood and impact. For instance, using a basic risk of Weather event causes data centre outage, we can assume that a weather event may be Possible and a data centre outage could have a Severe impact when the factors of the risk are treated separately – perhaps giving a Very High risk rating. However, when the full context of the risk is documented – for example, Weather event causes data centre outage beyond 3 days, we can see that the likelihood is probably Rare, the Impact remains as Severe, giving a Medium risk rating (depending on your risk matrix of course).

Robyn has worked as a technologist and strategist in the cyber security industry for over 20 years. She established the first Australasian Chapter of the Information Systems Security Association (ISSA) around the year 2000, and bought the first CISSP exam to Australia in 2002. She has worked for Business Aspect for the past 10 years as a Principal Consultant and she also leads their Security Testing team. A quiet achiever, Robyn constantly challenges the status quo through analyzing and asking the right questions.   Largely self-educated, she has a passion for learning about technology and has extensive technology knowledge including communications, app dev, databases, cloud and integration platforms. In her “spare” time, Robyn is a mother of two teenage boys and a pre-teen girl and also volunteers for (teaching coding to teachers and students in Primary schools); Mensa (co-ordinating events for, and teaching technology and cyber security skills to gifted children); CSIRO STEM Professionals in Schools (explaining Comp Sci to teachers); Tech Girls are Superheroes; and various other non-profit organisations.  Robyn’s experience of 25 years as a female technologist drives her to especially provide support to other analytical girls and women with outstanding capacity to succeed as a technologist.

(c) AWSN 2017

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.