<div dir="ltr">As someone who's been on both sides of this particular fence, can we please PLEASE start doing away with using SMS as a second factor? Also, it might be time to start looking at policies on information collection and storage through some different lenses, previously we've been paranoid about collecting identity information for signing up to services, largely pushed by anti-terrorism laws... But the focus was always on collection and immediate verification, not whether or not this information should be stored nor how or why.<div><br></div><div>Too many businesses at this point have a "eh, she'll be right" sort of attitude towards customer data security which leaves room for misuse and abuse wide open... I remember asking back when the My Health Record opt-out was happening what happened to the information collected for the opt-out. It consisted of the same sort of critical identity documentation, yet there was no policy described which explained the data lifecycle of information collected for the purpose of actioning the opt-out. This is depressingly common, heaps of places and things collect information, but never actually define what they're going to do with it once the purpose of its collection is complete.<div><br></div><div>In my position (formal and informal) I know full well these sorts of breaches are constant and pervasive, and the only reason we're seeing all the noise about Optus is because its in the media... Nobody mentions the dozen other breaches which never got detected!</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 27, 2022 at 10:49 AM Damien Gardner Jnr <<a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Personally, I find putting Authentication on my API endpoints to be a FANTASTIC first step towards API security. And then not even using public IP addresses in test environments is a pretty good second step.. </onlyhalfsarcasticherewhydoesthiskeephappening></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <<a href="mailto:bevan@slattery.net.au" target="_blank">bevan@slattery.net.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-AU">
<div>
<p class="MsoNormal">Hi everyone,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Obviously a big week in telco and cybersecurity. As part of my work I am on the Australian Cyber Security Industry Advisory Committee as an industry representative.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am keen to look at opening up a dialogue with more and more telco, DC and Cloud CISO’s on what they are doing around this issue and looking to take a proactive step towards best practice on customer data and system security.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">There will be some pretty serious consequences of this hack on the industry and importantly we need to make sure we are as best placed to help each other continually increase in security posture through best practice, but also working with
each other as an industry.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Are people keen on having a online/VC session sometime in the next few weeks where like-minded industry participants get together and discuss security, retention, encryption, threat detection etc.? If so, just ping me directly and if there
is enough interest I will send out an invitation to the list for a call.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Cheers<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">[b]<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@ausnog.net" target="_blank">AusNOG@ausnog.net</a><br>
<a href="https://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">https://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</div></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr">
<p>Damien Gardner Jnr<br>VK2TDG. Dip EE. GradIEAust<br><a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a> - <span><a href="http://www.rendrag.net/" target="_blank">http://www.rendrag.net/</a><u><br></u></span>--<br>We rode on the winds of the rising storm,<br> We ran to the sounds of thunder.<br>We danced among the lightning bolts,<br> and tore the world asunder</p></div></div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@ausnog.net" target="_blank">AusNOG@ausnog.net</a><br>
<a href="https://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">https://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>