Thursday, October 26, 2006

Looking for a Job in Security?

Through the years I have mentored people looking to break into the security industry (mostly other former Nortel employees). One of the things I have always told them is to get your name out there. Whether through joining local associations, writing papers, or volunteering...or all of the above...if you lack relevant experience, it is best to show competency and interest.

On that note, compliments of The Security Monkey, a somewhat tongue-in-cheek guide for those looking to break into the security industry.

Rick

Monday, October 23, 2006

Top 10 Security Myths decomposed.

In reference to Pete Lindstrom's Top 10 Security Myths, I am not sure I agree, but here they are:

  1. Security through obscurity is a bad idea.
  2. Strong passwords are strong.
  3. Altruistic bugfinding is beneficial.
  4. You can't quantify risk.
  5. You can't get ROI from security.
  6. Security is about process, not product.
  7. SSNs are secret.
  8. Program x is more secure than program y.
  9. Stand up to your boss and "just say no."
  10. Security is failing.

What do you think?

Rick

Friday, October 20, 2006

PHPSecInfo - What a great idea!

One of my biggest frustrations as a pentester is convincing web developers that their environment is set up incorrectly. PHPSecInfo is a tool you load directly on the server that validates the security of the environment and suggests improvements.

From the web page...
"The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach."
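To make the idea concrete, here is a small added example in the same spirit as PHPSecInfo: a phpinfo()-style script that reads a handful of php.ini directives with ini_get() and flags the risky settings with a one-line reason. This is illustration code written for this page, not PHPSecInfo's own code; the directive list, the "risky when" values and the explanations are this example's assumptions based on common PHP hardening advice, not PHPSecInfo's check list.

```php
<?php
// Added example, not PHPSecInfo's code: a minimal phpinfo()-style check of a
// few php.ini directives that matter for security, with a reason per finding.
// The directives and thresholds are this example's assumptions (common PHP
// hardening advice); PHPSecInfo's real checks are broader.

function php_env_findings()
{
    // directive => array(boolean value that is risky, why it matters)
    $checks = array(
        'register_globals'  => array(true, 'request parameters become global variables (classic input-trust bug)'),
        'display_errors'    => array(true, 'error text (paths, queries, traces) is sent to the client'),
        'allow_url_fopen'   => array(true, 'fopen()/file_get_contents() accept http:// URLs, a remote-inclusion building block'),
        'allow_url_include' => array(true, 'include()/require() accept remote URLs, enabling remote file inclusion'),
        'expose_php'        => array(true, 'X-Powered-By header advertises the PHP version'),
    );

    $findings = array();
    foreach ($checks as $directive => $spec) {
        list($riskyWhen, $why) = $spec;
        $raw = ini_get($directive);
        if ($raw === false) {
            // Directive unknown to this PHP build (e.g. register_globals was
            // removed in PHP 5.4), so there is nothing to misconfigure here.
            $findings[$directive] = array('status' => 'absent', 'value' => null, 'why' => $why);
            continue;
        }
        // ini_get() returns strings such as "1", "0", "On", "" depending on how
        // the value was written; normalise to a boolean before comparing.
        $on = filter_var($raw, FILTER_VALIDATE_BOOLEAN);
        $findings[$directive] = array(
            'status' => ($on === $riskyWhen) ? 'risky' : 'ok',
            'value'  => $raw,
            'why'    => $why,
        );
    }

    // Non-boolean directive: an empty open_basedir means no file-access restriction.
    $basedir = ini_get('open_basedir');
    $findings['open_basedir'] = array(
        'status' => ($basedir === '' || $basedir === false) ? 'risky' : 'ok',
        'value'  => $basedir,
        'why'    => 'empty open_basedir lets scripts read any file the web server user can',
    );

    return $findings;
}

// Plain-text report; works from the CLI or in a browser inside a <pre> block.
foreach (php_env_findings() as $directive => $f) {
    printf("%-18s %-6s value=%s  %s\n",
        $directive, $f['status'], var_export($f['value'], true), $f['why']);
}
```

Run it with `php check.php` on the server, or drop it in the web root temporarily. The same caveat applies as for phpinfo(): the output tells an attacker exactly how the host is configured, so remove the script once you have the report, and treat "risky" as a prompt to read the directive's documentation rather than a verdict on the application.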

Good on ya!
Rick

Thursday, October 19, 2006

NIST Guide to Integrating Forensic Techniques into Incident Response

Somehow I missed this when it came out in August, but compliments of the smart guys at NIST is a document titled "NIST Guide to Integrating Forensic Techniques into Incident Response". Had a quick look and it looks useful.

Rick

Finally a map I can read! (-8

Compliments of Joel Cort via cccure.org is a document mapping the old ISO 17799:2000 standard to the new ISO 17799/27001:2005 standard. It looks like good work. Available in PDF and Word format here.

Rick

Sunday, October 15, 2006

Hilariously Funny?

Compliments of Bruce Schneier...Although the book "A Million Random Digits with 100,000 Normal Deviates" is not my type of bedtime reading...the reader comments on the book are worth every second. What a way to liven up a really dull topic!

http://www.amazon.com/Million-Random-Digits-Normal...

I understand that in 1955, when this book was originally published, generating random numbers was near impossible, but what prompted the publisher to republish it in 2002, when generating random numbers is pretty easy, is beyond me. Somebody smarter than me must know the answer. Please bring me into the loop.

Rick

Thursday, October 12, 2006

Payment Card Industry Standards Changes

The PCI (Payment Card Industry) has recently announced changes to the standards for companies processing credit card charges via ecommerce.

The changes are here.

The full standard is here.

Rick

Reminder: End of XP SP1 support

Just a reminder that the set of patches released by Microsoft on Tuesday October 10th were the last of the patches for XP SP1. From now on if you haven't upgraded to SP2 you are SOL when it comes to support from Microsoft.

I have great trepidation in saying this, but if you have a compelling reason you need to stay on SP1 I suggest you become familiar with ZERT.

Rick

NIST Guide to Log Management is final

The long-awaited NIST Guide to Computer Security Log Management (SP 800-92) is out in its released version. This document has a few flaws, but it is an excellent document and should be required reading for every security professional.

Rick

Friday, October 06, 2006

More Security Stupidity

A geologist on his way to a convention of geologists has a rock sample declared a "dual-use item", in other words a potential low-tech weapon. The scary part is I sort of understand this one...but that doesn't make it right!

Rick