Thursday, October 26, 2006
Through the years I have mentored people looking to break into the security industry (mostly other former Nortel employees). One of the things I have always told them is to get your name out there. Whether through joining local associations, writing papers, or volunteering...or all of the above...if you lack relevant experience it is best to show competency and interest.
On that note, compliments of The Security Monkey, a somewhat tongue-in-cheek guide for those looking to break into the security industry.
Rick
Monday, October 23, 2006
Top 10 Security Myths decomposed.
In reference to Pete Lindstrom's Top 10 Security Myths, I am not sure I agree, but here they are:
- Security through obscurity is a bad idea.
- Strong passwords are strong.
- Altruistic bugfinding is beneficial.
- You can't quantify risk.
- You can't get ROI from security.
- Security is about process, not product.
- SSNs are secret.
- Program x is more secure than program y.
- Stand up to your boss and "just say no."
- Security is failing.
Rick
Friday, October 20, 2006
PHPSecInfo - What a great idea!
One of my biggest frustrations as a pentester is convincing web developers that their environment is set up incorrectly. PHPSecInfo is a tool you load directly on the server that validates the security of the environment and suggests improvements.
From the web page...
"The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach."
Good on ya!
Rick
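As an added illustration of the phpinfo()-style approach the quote describes, here is a minimal environment check. This is example code, not PHPSecInfo's own; the directive list, the values treated as safe and the suggestions are this example's own choices, and it assumes a PHP 5 or later interpreter.

```php
<?php
// Added example (not PHPSecInfo's own code): a minimal phpinfo()-style
// environment check. Each entry names a php.ini directive, the value
// treated as safe here, and the suggestion printed when the check fails.
// The directive list and safe values are this example's own choices.

function secinfo_checks()
{
    return array(
        // directive                => array(safe value, suggestion)
        'display_errors'           => array('0', 'Turn off display_errors in production; log errors instead.'),
        'expose_php'               => array('0', 'Set expose_php=Off so X-Powered-By does not reveal the PHP version.'),
        'allow_url_fopen'          => array('0', 'Disable allow_url_fopen unless remote file access is required.'),
        'allow_url_include'        => array('0', 'Disable allow_url_include to rule out remote file inclusion.'),
        'register_globals'         => array('0', 'Disable register_globals; read $_GET/$_POST explicitly.'),
        'session.use_only_cookies' => array('1', 'Enable session.use_only_cookies so session IDs never ride in URLs.'),
        'open_basedir'             => array(null, 'Set open_basedir to confine file access to the application tree.'),
    );
}

// Normalise the loose boolean forms php.ini accepts ("On", "1", "true", "yes").
// ini_get() returns false for directives the running PHP no longer knows,
// which normalises to '0' (effectively off).
function secinfo_bool($value)
{
    $v = strtolower(trim((string) $value));
    return in_array($v, array('1', 'on', 'true', 'yes'), true) ? '1' : '0';
}

// Evaluate every check against the running interpreter's settings.
function secinfo_run()
{
    $results = array();
    foreach (secinfo_checks() as $directive => $spec) {
        list($safe, $suggestion) = $spec;
        $current = ini_get($directive);
        if ($safe === null) {
            $pass = ($current !== false && $current !== '');   // any non-empty value passes
        } else {
            $pass = (secinfo_bool($current) === $safe);
        }
        $results[$directive] = array('current' => $current, 'pass' => $pass,
                                     'suggestion' => $pass ? '' : $suggestion);
    }
    return $results;
}

header('Content-Type: text/plain');
foreach (secinfo_run() as $directive => $r) {
    printf("%-26s %-5s %s\n", $directive, $r['pass'] ? 'OK' : 'WARN', $r['suggestion']);
}
```

Drop the file on the server, request it once, and remove it afterwards; like phpinfo(), it discloses configuration details that should not stay reachable.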
Thursday, October 19, 2006
NIST Guide to Integrating Forensic Techniques into Incident Response
Somehow I missed this when it came out in August, but compliments of the smart guys at NIST is a document titled "NIST Guide to Integrating Forensic Techniques into Incident Response". Had a quick look and it looks useful.
Rick
Finally a map I can read! (-8
Compliments of Joel Cort via cccure.org is a document mapping the old ISO 17799:2000 standard to the new ISO 17799/27001:2005 standard. It looks like good work. Available in PDF and Word format here.
Rick
Sunday, October 15, 2006
Hilariously Funny?
Compliments of Bruce Schneier...Although the book "A Million Random Digits with 100,000 Normal Deviates" is not my type of bedtime reading...the reader comments on the book are worth every second. What a way to liven up a really dull topic!
http://www.amazon.com/Million-Random-Digits-Normal...
I understand that in 1955, when this book was originally published, generating random numbers was near impossible, but what prompted the publisher to republish it in 2002, when generating random numbers is pretty easy, is beyond me. Somebody smarter than me must know the answer. Please bring me into the loop.
Rick
Thursday, October 12, 2006
Payment Card Industry Standards Changes
Reminder: End of XP SP1 support
Just a reminder that the set of patches released by Microsoft on Tuesday October 10th were the last of the patches for XP SP1. From now on if you haven't upgraded to SP2 you are SOL when it comes to support from Microsoft.
I have great trepidation in saying this, but if you have a compelling reason you need to stay on SP1 I suggest you become familiar with ZERT.
Rick
NIST Guide to Log Management is final
The long-awaited NIST guide to Computer Security Log Management (SP800-92) is out in its released version. This document has a few flaws, but it is excellent and should be required reading for every security professional.
Rick
Friday, October 06, 2006
More Security Stupidity
A geologist on his way to a convention of geologists has a rock sample declared a "dual-use item", in other words a potential low-tech weapon. The scary part is I sort of understand this one...but that doesn't make it right!
Rick