00:20:27 Richard Craig: Hello from South Africa!
00:20:45 Jeremy Koster: Hi Richard from South Africa
00:20:48 Al: @Scott_T I used to work for Idemia in Canberra
00:21:04 Jeremy Koster: Hello to Nigeria as well
00:21:09 Gerard Tangey: Hi from Collingwood!
00:21:15 chris: Hi from Canberra
00:21:38 Jeremy Koster: Hi to CFLI from Hong Kong
00:22:10 Anita: Hi from Sydney exurbia
00:22:51 Uche O: Sure
00:22:59 Scott_T: Hey Al, been doing for about 1 1/2 years
00:24:06 TALIA: Hi
00:24:20 Andrew Dixon-Hughes: Hi all
00:24:21 Pratap Sewak: Good evening to ALL
00:25:11 Pete: Good old Australian internet……soooooo sloooow
00:26:20 Andrew Dixon-Hughes: Jeremy has always been passionate about this topic
00:28:40 Andrew Dixon-Hughes: I have a masters
00:28:46 Andrew Dixon-Hughes: from you guys
00:28:54 Ross %: is that all??
00:28:57 Andrew Dixon-Hughes: just keeping up to speed
00:29:42 Guy Coward: haha, as if these courses have the budget for that, Ross
00:30:47 Andrew Dixon-Hughes: haha Ross - highly recommend doing study here and come back to short courses to keep your knowledge current
00:30:59 Ross %: Yep -- my budget is $0... and I needed somebody talking at me
00:31:00 Guy Coward: that said, if anyone wants to send me a Dorothy dixer, go for it.
00:31:21 chris: Just one?
00:31:36 Guy Coward: one each.
00:31:38 Andrew Dixon-Hughes: Govt will pay and you can pay them back over years to come when you get that pay rise
00:31:47 Guy Coward: g2g and focus on Jez.
00:32:11 chris: :)
00:32:41 Ross %: Who is the "Leadership Team"??
00:32:44 Scott_T: OK you have piqued my curiosity, what is a “Dorothy Dixer”?
00:33:26 Camille: I have 2 questions
00:33:29 Camille: how would you deal with a Cybersecurity incident as opposed to a normal security breach? similarly, do you have a slide or a ppt on how to deal with smartphone breach (data theft) in corporate?
00:34:07 IT Masters: Hey Camille, pop them in the Q&A just so they don’t get lost in the chat
00:34:30 Camille: I will - thank you
00:35:02 Andrew: something like wannacry.
00:35:17 Andrew Dixon-Hughes: In Australian politics, a Dorothy Dixer is a rehearsed or planted question asked of a government Minister by a backbencher of their own political party during Parliamentary Question Time
00:35:39 Andrew Dixon-Hughes: credit Wikipedia
00:35:47 Scott_T: Ahh OK. I have learnt something new today :-p
00:35:51 Ross %: https://en.wikipedia.org/wiki/Dorothy_Dix
00:36:14 Scott_T: Thanks Ross :-)
00:37:20 Ross %: Also,...it was rumoured that she asked the questions of herself, then answered them.
00:37:52 Ross %: A similar occurrence happened in the early days at Apple (by Togs)
00:39:00 Scott_T: Dorothy Dixer - The Fixer, love it
00:39:46 Agbolade Omowole: Hello everyone. Greetings from Lagos, Nigeria
00:41:00 chris: There’s nothing worse than knowing you don’t have a log in IR when you know it could have been turned on (but wasn’t)
00:41:20 Scott: SIEM suggestions?
00:41:41 Scott_T: Any suggestions on systems that do this best?
00:41:52 Scott_T: Sorry Scott, from the other Scott
00:41:53 allen: SPLUNK
00:41:56 NickM: Discussion of open source SIEM here: https://news.ycombinator.com/item?id=22686913
00:42:04 Scott: Yep
00:42:09 Richard Craig: Most of our customers are running Splunk
00:42:17 Richard Craig: With some ELK
00:42:52 Andrew: it depends on your company needs and skillset of IT team
00:43:00 Marise: Why don't you like Kibana Jeremy?
00:43:02 Scott_T: Soooo much data to sort through
00:43:48 Pete: our work is still deciding between greylog or splunk
00:43:50 chris: IBM QRadar
00:44:02 chris: ‘best’
00:44:06 chris: :)
00:44:11 Darren: AlienVault ?
00:44:28 Darren: yep agree with you there
00:44:42 chris: Sumologic
00:44:48 chris: Devo
00:45:02 chris: yep
00:45:15 Richard Craig: Anybody seen/used Securonix?
00:46:03 Pete: we need logging for both windows and linux
00:46:23 Andrew: netflow as well
00:46:29 Scott_T: Managed Services, like Solarwinds and Kaseya
00:46:31 Andrew Dixon-Hughes: are you feeding logs from O365 to greylog then??
00:46:56 Andrew Dixon-Hughes: excellent
00:48:44 Andrew: reporting to external bodies as well
00:49:15 Andrew: timings and which orgs you need to report to
00:49:51 Pete: or the logs get accidentally deleted
00:50:01 Ross %: Make notes during the incident so your report to the Royal Commission is accurate
00:50:05 stephen w: Some Reports need to be in line with insurer's requirements if you have cyber insurance so you can make a claim
00:51:55 Andrew: then archiving of old data. lol
00:54:01 chris: Aka Trump press releases
00:54:09 Ross %: Scotty from Marketing said "I'm going to the football..."
00:56:05 Andrew Dixon-Hughes: ot Corona proof however
00:56:09 Andrew Dixon-Hughes: not
00:56:17 Scott: That's great
00:56:33 Andrew: have oxygen tanks so they're safe
00:58:43 Scott_T: Great techs make lousy people people and people people that are great techs is rare.
00:59:26 Scott_T: Not always, generalising a bit :-)
00:59:54 Ross %: Yep - some techs need an "agent" or advocate to help them get the message across
00:59:55 chris: It’s definitely a Venn diagram
01:00:45 Robbie Kershaw: Beer
01:02:08 Ross %: Tech delivers message.... :-( ….and the people get upset! Do you want me to sing it to you?
01:06:21 Scott_T: I don’t want to sprout external vendors especially when there is nothing in it for me - FDR (Fast Data Recovery) did an encryption recovery for me for a client that was encrypted. About a week to crack the key, no bitcoin was traded. Costs a bomb, approx $30k - Thank goodness for cyber insurance.
01:07:24 Ross %: ouch!!
01:07:27 Guy Coward: it'd probably help Ross. Maybe just hum a few bars? btw, we are definitely running long tonight. stick with us if you can, no worries if you can't. (time management vs communication?)
01:08:32 Scott_T: Stick with it like a fat kid on a mars bar
01:09:06 Scott_T: Sorry my favourite Onto it Like a statement
01:11:19 Andrew: helps provide justification for tooling
01:11:34 chris: And budget...
01:11:49 Bernard: yes financial cost of incident!
01:13:32 Andrew Dixon-Hughes: How do we eradicate users???
01:13:53 Andrew: block ports and ip with acl etc
01:14:16 Darren: Isolate machines to stop spread
01:17:07 Scott_T: But you can’t block all ports and even they have some sort of vulnerability
01:17:19 Scott_T: The ones open I mean
01:17:24 Andrew: or adapting them to current crisis
01:17:44 stephen w: One thing to remember is while the incident/event may have finished for IT once normal operations have been restored. The incident may not have ended for the organisation. Litigation, brand damage etc can continue for years afterwards
01:18:04 Scott_T: I can guarantee my 486DX running MS DOS 6.22 is safe :-)
01:18:13 Andrew: if you have a machine trying to probe out you can target ip/port to block it
01:18:16 Uche O: @stephen Ouch!!
01:18:43 Scott_T: But Andrew DDOS is doing it from many source IP
01:19:01 Andrew: more thinking inside org if something has got in
01:19:29 chris: infected...
01:19:33 Bernard: so recovery site "Recovery" top to bottom > hot = most expensive is that correct?
01:19:34 Andrew: DDOS you would use other techniques / products to try mitigate that
01:19:59 Scott_T: Brand awareness can be an interesting one, do we think Target still today have a brand awareness problem due to their hack a couple of years back, compared to say a Uni?
01:20:02 stephen w: @Bernard depends on the industry
01:20:15 Bernard: thanks stephen
01:20:55 stephen w: For example utilities like electricity. how costly would it be for the grid to go down if you didn't have a fully operational DR site?
01:21:16 Andrew: DDos - block all ip's not from your country to start with. It does reduce the nasty traffic
01:21:52 Bernard: cyber insurance is a developing industry
01:22:02 anoop sud: some participants just want to show off that they know tooooo…. much & keep typing. They are more of a distraction than being contributors
01:22:48 stephen w: Bruce Schneier had a good post a year or 2 ago on the usefulness of cyber insurance
01:23:01 Scott_T: I can say it’s worth it
01:23:06 Scott_T: First hand experience
01:23:25 Andrew Dixon-Hughes: There are a lot of brokers hawking cyber policies to small business with often only 3 questions: anti virus, patches, backups. Often $1m for the same as a luxury car premium
01:23:35 stephen w: Cyber insurance won't protect you but it helps offset recovery costs
01:24:08 Scott: The insurance checklists can be a great conversation starter for a healthy security budget
01:24:16 Andrew Dixon-Hughes: insurance companies often have their own cyber recovery teams that take over as well
01:24:21 Scott_T: That’s what it did for my client Andrew, we got recovery eventually but got some return on lost productivity
01:24:27 Lanre Ojurongbe: Cyber insurance won't protect you but it help offset recovery costs SO TRUE!!!
01:24:49 Lanre Ojurongbe: Insurance can not recover lost data...sad
01:25:27 Scott_T: Fidelity Diddly, as Ned Flanders would say Insurance is just a form of gambling!! :-
01:25:59 chris: A bunch of monkeys typing on keyboards will eventually get your data back though!
01:26:13 stephen w: Include testing from your physical DR sites
01:26:21 Darren: Fidelity Coverage is the protection against theft of money / property / fraud from an employee
01:26:27 Anita: fidelity coverage covers losses sustained to the organisation - looks like from insider threat
01:26:41 Scott_T: RTO Chris, what’s your recovery time objective, could you go 12 months without your data. They were best of times they were the blurts of times
01:26:43 Scott_T: :-)
01:26:56 Anita: I think many of us are testing our BCPs right now
01:26:56 Scott_T: Sorry about my Simpsons references!
01:27:05 chris: Add one million monkeys typing!
01:27:11 Guy Coward: fidelity basically covers losses incurred in white collar crime by employees, btw.
01:27:19 Pete: testing should be done in pre-prod systems which is as close to prod as it can be
01:27:25 chris: And the more Simpsons references the better...
01:27:34 Darren: You have pre-prod systems ???? wow !
01:27:41 chris: Lol “pre-prod"
01:27:43 Pete: yep
01:27:51 Andrew Dixon-Hughes: Fidelity is related to fraud, theft or dishonesty committed by employees
01:28:32 Andrew: Testing in a pre-prod system takes time - not minutes, hours or even days before it becomes prod. Can not do this on an intrusion
01:28:33 Scott_T: And here I was thinking fidelity has something to do with Music :-\
01:30:19 Scott_T: Some great content in the forum, can I please ask make sure you change the subject that seems to populate with your email
01:31:08 Gaz ...: any recommendations for books please
01:31:46 Scott_T: Google and subscribe join https://www.isaca.org
01:31:46 Lanre Ojurongbe: CISM Certified Information Security Manager All-in-One Exam Guide 1st Edition
01:32:07 Peter: excellent book that is
01:32:24 Scott_T: Who was the publisher?
01:32:33 Scott_T: McGraw Hill did you say?
01:33:04 chris: Similar to CISSP
01:33:34 Scott_T: You know it’s new when it’s still first Ed
01:34:07 Andrew Dixon-Hughes: You can take them online as of APRIL
01:34:08 Pete: rhodes
01:34:15 Andrew: Harold Park
01:34:17 steve: arold park
01:34:17 Peter Page: Harold Park
01:34:26 Pete: harold park trots
01:34:43 steve: Yes they are
01:34:49 Andrew: They used to have harness racing there
01:34:58 Lanre Ojurongbe: Amazon: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=2ahUKEwiYlYqfusnoAhVIyhoKHazKBHMQFjABegQIAhAB&url=https%3A%2F%2Fwww.amazon.com%2FCertified-Information-Security-Manager-Guide-ebook%2Fdp%2FB079Z1J87M&usg=AOvVaw00upBllXPvKVUvPF6mzuTi
01:35:13 Scott_T: I remember doing a law exam at a yacht club in Fremantle a few years back
01:35:16 Andrew Dixon-Hughes: https://www.isaca.org/credentialing/remote-testing?icid=bani_2003725&Appeal=bani
01:36:33 Andrew Dixon-Hughes: I did all my CSU exams at my local church hall so I got to prey for good marks
01:37:14 Andrew: No church gatherings allowed now :(
01:37:23 Uche O: HAhaha
01:38:30 Pete: what will come after cyber security?
01:38:57 Ross %: Bio Security!!
01:38:58 Andrew Dixon-Hughes: hmmm how are CSU doing their final exams then
01:39:00 Andrew: cyber implants
01:40:19 Anita: yes
01:41:29 Anita: cool. thanks
01:41:52 Evangitz: thank you all
01:42:35 anoop sud: Thanks for a wonderful evening of learning
01:42:37 Andrew Dixon-Hughes: cyber security incident is potentially a subset of information security
01:44:09 emersongarcia: in 2018 there was a pandemic rehearsal in the US and look now, what went wrong
01:44:24 chris: Rehearsal is very different to reality
01:45:04 Mishal Alhassan: Thanks to you all!
01:47:30 Andrew: is there a date the exam has to be taken by?
01:48:19 Scott_T: Ah MS Exams where the right answer was necessarily the right answer (in the real world) :-)
01:48:38 Andrew Dixon-Hughes: greylog is forth 4 weeks for m
01:48:44 chris: Thank you everyone for a great course, particularly Jeremy and the guys at CSU
01:48:46 Ross %: Thanks everyone
01:48:51 IT Masters: Thanks for attending everyone, we hope you've enjoyed the CISM Prep short course! We'll have the webinar materials (slides, video, etc.) available within 24 hours at http://learn.itmasters.edu.au
01:48:58 Scott: Thanks
01:49:00 BRUNO: Thank you for the great webinars
01:49:01 IT Masters: Jeremy Koster’s "full version" of the subject is called ITE533 Cyber Security Management and goes for 14 weeks. https://www.itmasters.edu.au/subject2/ite533/ It runs Session 2 – 202060 (Starts 13th July 2020) as part of the Master of Cyber Security https://www.itmasters.edu.au/course/master-of-cyber-security/
01:49:01 Darren: thank you everyone, especially Jeremy
01:49:01 Bernard: Thank you Jeremy, Guy and Hanna
01:49:02 TALIA: Thank you so much guys
01:49:06 mjyule: Many thx for a great course. Stay well and stay safe.
01:49:08 Scott_T: Thank you all those at IT Masters, well worth the cost to do :-)
01:49:10 ASUS: Thank you all. CSU and ITMasters
01:49:23 Andrew: Thanks so much
01:49:36 Andrew Dixon-Hughes: Thanks Jeremy
01:49:39 Pete: Thank Jeremy, Guy and Hanna for a fun night