00:20:07 Scott_T: Idemia

00:20:13 Bernard: hello to all
00:20:27 Richard Craig: Hello from South Africa!
00:20:45 Jeremy Koster: Hi Richard from South Africa
00:20:48 Al: @Scott_T i used to work for Idemia in Canberra
00:21:04 Jeremy Koster: Hello to Nigeria as well
00:21:09 Gerard Tangey: Hi from Collingwood!
00:21:15 chris: Hi from Canberra
00:21:38 Jeremy Koster: Hi to CFLI from Hong Kong
00:22:10 Anita: Hi from Sydney exurbia
00:22:51 Uche O: Sure
00:22:59 Scott_T: Hey Al, been doing for about 1 1/2 years
00:24:06 TALIA: Hi
00:24:20 Andrew Dixon-Hughes: Hi all
00:24:21 Pratap Sewak: Good evening to ALL
00:25:11 Pete: Good old Australian internet……soooooo sloooow
00:26:20 Andrew Dixon-Hughes: Jeremy has always been passionate about this topic
00:28:40 Andrew Dixon-Hughes: I have a masters
00:28:46 Andrew Dixon-Hughes: from you guys
00:28:54 Ross %: is that all??
00:28:57 Andrew Dixon-Hughes: just keeping up to speed
00:29:42 Guy Coward: haha, as if these courses have the budget for that, Ross
00:30:47 Andrew Dixon-Hughes: haha Ross - highly recommend doing study here and come back to short courses to keep your knowledge current
00:30:59 Ross %: Yep -- my budget is $0... and I needed somebody talking at me
00:31:00 Guy Coward: that said, if anyone wants to send me a Dorothy dixer, go for it.
00:31:21 chris: Just one?
00:31:36 Guy Coward: one each.
00:31:38 Andrew Dixon-Hughes: Govt will pay and you can pay them back over years to come when you get that pay rise
00:31:47 Guy Coward: g2g and focus on Jez.
00:32:11 chris: :)
00:32:41 Ross %: Who is the "Leadership Team"??
00:32:44 Scott_T: OK you have piqued my curiosity, what is a “Dorothy Dixer”?
00:33:26 Camille: I have 2 questions
00:33:29 Camille: how would you deal with a Cybersecurity incident as opposed to a normal security breach?
similarly, do you have a slide or a ppt on how to deal with smartphone breach (data theft) in corporate?
00:34:07 IT Masters: Hey Camille, pop them in the Q&A just so they don’t get lost in the chat
00:34:30 Camille: I will - thank you
00:35:02 Andrew: something like wannacry.
00:35:17 Andrew Dixon-Hughes: In Australian politics, a Dorothy Dixer is a rehearsed or planted question asked of a government Minister by a backbencher of their own political party during Parliamentary Question Time
00:35:39 Andrew Dixon-Hughes: credit Wikipedia
00:35:47 Scott_T: Ahh OK. I have learnt something new today :-p
00:35:51 Ross %: https://en.wikipedia.org/wiki/Dorothy_Dix
00:36:14 Scott_T: Thanks Ross :-)
00:37:20 Ross %: Also,...it was rumoured that she asked the questions of herself, then answered them.
00:37:52 Ross %: A similar occurrence happened in the early days at Apple (by Togs)
00:39:00 Scott_T: Dorothy Dixer - The Fixer, love it
00:39:46 Agbolade Omowole: Hello everyone. Greetings from Lagos, Nigeria
00:41:00 chris: There’s nothing worse than knowing you don’t have a log in IR when you know it could have been turned on (but wasn’t)
00:41:20 Scott: SIEM suggestions?
00:41:41 Scott_T: Any suggestions on systems that do this best?
00:41:52 Scott_T: Sorry Scott, from the other Scott
00:41:53 allen: SPLUNK
00:41:56 NickM: Discussion of open source SIEM here: https://news.ycombinator.com/item?id=22686913
00:42:04 Scott: Yep
00:42:09 Richard Craig: Most of our customers are running Splunk
00:42:17 Richard Craig: With some ELK
00:42:52 Andrew: it depends on your company needs and skillset of IT team
00:43:00 Marise: Why don't you like Kibana Jeremy?
00:43:02 Scott_T: Soooo much data to sort through
00:43:48 Pete: our work is still deciding between greylog or splunk
00:43:50 chris: IBM QRadar
00:44:02 chris: ‘best’
00:44:06 chris: :)
00:44:11 Darren: AlienVault ?
00:44:28 Darren: yep agree with you there
00:44:42 chris: Sumologic
00:44:48 chris: Devo
00:45:02 chris: yep
00:45:15 Richard Craig: Anybody seen/used Securonix?
00:46:03 Pete: we need logging for both windows and linux
00:46:23 Andrew: netflow as well
00:46:29 Scott_T: Managed Services, like Solarwinds and Kaseya
00:46:31 Andrew Dixon-Hughes: are you feeding logs from O365 to greylog then??
00:46:56 Andrew Dixon-Hughes: excellent
00:48:44 Andrew: reporting to external bodies as well
00:49:15 Andrew: timings and which orgs you need to report to
00:49:51 Pete: or the logs get accidentally deleted
00:50:01 Ross %: Make notes during the incident so your report to the Royal Commission is accurate
00:50:05 stephen w: Some Reports need to be inline with insurer's requirements if you have cyber insurance so you can make a claim
00:51:55 Andrew: then archiving of old data. lol
00:54:01 chris: Aka Trump press releases
00:54:09 Ross %: Scotty from Marketing said "I'm going to the football..."
00:56:05 Andrew Dixon-Hughes: ot Corona proof however
00:56:09 Andrew Dixon-Hughes: not
00:56:17 Scott: That's great
00:56:33 Andrew: have oxygen tanks so they're safe
00:58:43 Scott_T: Great techs make lousy people people and people people that are great techs is rare.
00:59:26 Scott_T: Not always, generalising a bit :-)
00:59:54 Ross %: Yep - some techs need an "agent" or advocate to help them get the message across
00:59:55 chris: It’s definitely a Venn diagram
01:00:45 Robbie Kershaw: Beer
01:02:08 Ross %: Tech delivers message.... :-( ….and the people get upset! Do you want me to sing it to you?
01:06:21 Scott_T: I don’t want to sprout external vendors especially when there is nothing in it for me - FDR (Fast Data Recovery) did an encryption recovery for me for a client that was encrypted. About a week to crack the key, no bitcoin was traded. Costs a bomb, approx $30k - Thank goodness for cyber insurance.
01:07:24 Ross %: ouch!!
01:07:27 Guy Coward: it'd probably help Ross. Maybe just hum a few bars? btw, we are definitely running long tonight. stick with us if you can, no worries if you can't. (time management vs communication?)
01:08:32 Scott_T: Stick with it like a fat kid on a mars bar
01:09:06 Scott_T: Sorry my favourite Onto it Like a statement
01:11:19 Andrew: helps provide justification for tooling
01:11:34 chris: And budget...
01:11:49 Bernard: yes financial cost of incident!
01:13:32 Andrew Dixon-Hughes: How do we eradicate users???
01:13:53 Andrew: block ports and ip with acl etc
01:14:16 Darren: Isolate machines to stop spread
01:17:07 Scott_T: But you can’t block all ports and even they have some sort of vulnerability
01:17:19 Scott_T: The ones open I mean
01:17:24 Andrew: or adapting them to current crisis
01:17:44 stephen w: One thing to remember is while the incident/event may have finished for IT once normal operations have been restored. The incident may not have ended for the organisation. Litigation, brand damage etc can continue for years afterwards
01:18:04 Scott_T: I can guarantee my 486DX running MS DOS 6.22 is safe :-)
01:18:13 Andrew: if you have a machine trying to probe out you can target ip/port to block it
01:18:16 Uche O: @stephen Ouch!!
01:18:43 Scott_T: But Andrew DDOS is doing it from many source IP
01:19:01 Andrew: more thinking inside org if something has got in
01:19:29 chris: infected...
01:19:33 Bernard: so recovery site "Recovery" top to bottom > hot = most expensive is that correct?
01:19:34 Andrew: DDOS you would use other techniques / products to try mitigate that
01:19:59 Scott_T: Brand awareness can be an interesting one, do we think Target still today have a brand awareness problem due to their hack a couple of years back, compared to say a Uni?
01:20:02 stephen w: @Bernard depends on the industry
01:20:15 Bernard: thanks stephen
01:20:55 stephen w: For example utilities like electricity. how costly would it be for the grid to go down if you didn't have a fully operational DR site?
01:21:16 Andrew: DDos - block all ip's not from your country to start with. It does reduce the nasty traffic
01:21:52 Bernard: cyber insurance is a developing industry
01:22:02 anoop sud: some participants just want to show off that they know tooooo…. much & keep typing. They are more of a distraction than being contributors
01:22:48 stephen w: Bruce Schneier had a good post a year or 2 ago on the usefulness of cyber insurance
01:23:01 Scott_T: I can say it’s worth it
01:23:06 Scott_T: First hand experience
01:23:25 Andrew Dixon-Hughes: There are lot of brokers hawking cyber policies to small business with often only 3 questions anti virus, patches, backups. Often $1m for the same as a luxury car premium
01:23:35 stephen w: Cyber insurance won't protect you but it helps offset recovery costs
01:24:08 Scott: The insurance checklists can be a great conversation starter for a healthy security budget
01:24:16 Andrew Dixon-Hughes: insurance companies often have their own cyber recovery teams that take over as well
01:24:21 Scott_T: That’s what it did for my client Andrew, we got recovery eventually but got some return on lost productivity
01:24:27 Lanre Ojurongbe: "Cyber insurance won't protect you but it helps offset recovery costs" SO TRUE!!!
01:24:49 Lanre Ojurongbe: Insurance can not recover lost data...sad
01:25:27 Scott_T: Fidelity Diddly, as Ned Flanders would say Insurance is just a form of gambling!! :-
01:25:59 chris: A bunch of monkeys typing on keyboards will eventually get your data back though!
01:26:13 stephen w: Include testing from your physical DR sites
01:26:21 Darren: Fidelity Coverage is the protection against theft of money / property / fraud from an employee
01:26:27 Anita: fidelity coverage covers losses sustained to the organisation - looks like from insider threat
01:26:41 Scott_T: RTO Chris, what’s your recovery time objective, could you go 12 months without your data. They were best of times they were the blurts of times
01:26:43 Scott_T: :-)
01:26:56 Anita: I think many of us are testing our BCPs right now
01:26:56 Scott_T: Sorry about my Simpsons references!
01:27:05 chris: Add one million monkeys typing!
01:27:11 Guy Coward: fidelity basically covers losses incurred in white collar crime by employees, btw.
01:27:19 Pete: testing should be done in pre-prod systems which is as close to prod as it can be
01:27:25 chris: And the more Simpsons references the better...
01:27:34 Darren: You have pre-prod systems ???? wow !
01:27:41 chris: Lol “pre-prod"
01:27:43 Pete: yep
01:27:51 Andrew Dixon-Hughes: Fidelity is related to fraud, theft or dishonesty committed by employees
01:28:32 Andrew: Testing in a pre-prod system takes time - not minutes hours or even days before it becomes prod. Can not do this on an intrusion
01:28:33 Scott_T: And here I was thinking fidelity has something to do with Music :-\
01:30:19 Scott_T: Some great content in the forum, can I please ask make sure you change the subject that seems to populate with your email
01:31:08 Gaz ...: any recommendations for books please
01:31:46 Scott_T: Google and subscribe join https://www.isaca.org
01:31:46 Lanre Ojurongbe: CISM Certified Information Security Manager All-in-One Exam Guide 1st Edition
01:32:07 Peter: excellent book that is
01:32:24 Scott_T: Who was the publisher?
01:32:33 Scott_T: McGraw Hill did you say?
01:33:04 chris: Similar to CISSP
01:33:34 Scott_T: You know it’s new when it’s still first Ed
01:34:07 Andrew Dixon-Hughes: You can take them online as of APRIL
01:34:08 Pete: rhodes
01:34:15 Andrew: Harold Park
01:34:17 steve: arold park
01:34:17 Peter Page: Harold Park
01:34:26 Pete: harold park trots
01:34:43 steve: Yes they are
01:34:49 Andrew: They used to have harness racing there
01:34:58 Lanre Ojurongbe: Amazon: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=2ahUKEwiYlYqfusnoAhVIyhoKHazKBHMQFjABegQIAhAB&url=https%3A%2F%2Fwww.amazon.com%2FCertified-Information-Security-Manager-Guide-ebook%2Fdp%2FB079Z1J87M&usg=AOvVaw00upBllXPvKVUvPF6mzuTi
01:35:13 Scott_T: I remember doing a law exam at a yacht club in Fremantle a few years back
01:35:16 Andrew Dixon-Hughes: https://www.isaca.org/credentialing/remote-testing?icid=bani_2003725&Appeal=bani
01:36:33 Andrew Dixon-Hughes: I did all my CSU exams at my local church hall so I got to pray for good marks
01:37:14 Andrew: No church gatherings allowed now :(
01:37:23 Uche O: HAhaha
01:38:30 Pete: what will come after cyber security?
01:38:57 Ross %: Bio Security!!
01:38:58 Andrew Dixon-Hughes: hmmm how are CSU doing their final exams then
01:39:00 Andrew: cyber implants
01:40:19 Anita: yes
01:41:29 Anita: cool. thanks
01:41:52 Evangitz: thanks you all
01:42:35 anoop sud: Thanks for a wonderful evening of learning
01:42:37 Andrew Dixon-Hughes: cyber security incident is potentially a subset of information security
01:44:09 emersongarcia: in 2018 there was a pandemic rehearsal in the US and look now, what went wrong
01:44:24 chris: Rehearsal is very different to reality
01:45:04 Mishal Alhassan: Thanks to you all!
01:47:30 Andrew: is there a date the exam has to be taken by?
01:48:19 Scott_T: Ah MS Exams where the right answer was necessarily the right answer (in the real world) :-)
01:48:38 Andrew Dixon-Hughes: greylog is forth 4 weeks for m
01:48:44 chris: Thank you everyone for a great course, particularly Jeremy and the guys at CSU
01:48:46 Ross %: Thanks everyone
01:48:51 IT Masters: Thanks for attending everyone, we hope you've enjoyed the CISM Prep short course! We'll have the webinar materials (slides, video, etc.) available within 24 hours at http://learn.itmasters.edu.au
01:48:58 Scott: Thanks
01:49:00 BRUNO: Thank you for the great webinars
01:49:01 IT Masters: Jeremy Koster’s "full version" of the subject is called ITE533 Cyber Security Management and goes for 14 weeks. https://www.itmasters.edu.au/subject2/ite533/
It runs Session 2 – 202060 (Starts 13th July 2020) as part of the Master of Cyber Security https://www.itmasters.edu.au/course/master-of-cyber-security/
01:49:01 Darren: thank you everyone, especially Jeremy
01:49:01 Bernard: Thank you Jeremy, Guy and Hanna
01:49:02 TALIA: Thank you so much guys
01:49:06 mjyule: Many thx for a great course. Stay well and stay safe.
01:49:08 Scott_T: Thank you all those at IT Masters, well worth the cost to do :-)
01:49:10 ASUS: Thank you all. CSU and ITMasters
01:49:23 Andrew: Thanks so much
01:49:36 Andrew Dixon-Hughes: Thanks Jeremy
01:49:39 Pete: Thanks Jeremy, Guy and Hanna for a fun night