The 2016 edition of the ISM has been out for a solid month now, and I have managed to transcribe the entire document in record time thanks to ASD releasing both a PDF and an XML version of the document.
Since I published the new edition to my website over here, I also needed to give the comparison tool a massive overhaul....
Yesterday the ISM2016-Draft was released for comment by ASD via onSecure, with feedback due before the 21st of April. So over the next few days, before and after the ACSC 2016 conference, I'll do my best to review mainly the ISM Controls themselves and highlight any issues I find....
Good news: after toying for the past several months with a semi-automated XLS builder to replace the manual sheets I've been creating for the last two revisions of the ISM, I decided to simplify the build script, add a simple web form, and make it public....
Almost one month ago now I started transcribing the 2015 edition of the ISM back into my (somewhat dated now) XML source format.
Today I finished, and I give you the freshly minted ISM2015-04 for your consumption pleasure....
As many of you would no doubt be aware, the 2015 edition of the Information Security Manual was released on the 21st of April, to a deflated balloon of fanfare, before the inaugural ACSC2015 kicked off....
After a 'discussion' involving brewed liquids with some colleagues about my ISM project, there was a suggestion that I should make a word cloud. Since everybody is on the word-cloud bandwagon these days, I couldn't see a reason not to....
So you have over a thousand servers in your fleet: how do you make sure the passwords on each of them are secure? An even scarier thought: what if a malicious actor doesn't even need your password to move laterally within your environment? A malicious actor may gain access to one of your low-value assets and, without ever knowing your passwords, authenticate to higher-value assets. Game over....