Blog Archives

How to Break Into Security

Excellent interview over at “Krebs on Security” with security rock star, Christian Schneier.

First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don’t have to be a coder to be a security expert.

In general, though, I have three pieces of advice to anyone who wants to learn computer security:

Read the entire interview:  How to Break Into Security, Schneier Edition — Krebs on Security.

Companies and Free Tools

From Room362:

Penetration Testing / Red Teaming requires the use of a lot of tools. I don’t mind getting called a “script kiddie” because I can accomplish more and faster when I don’t have to code every single task I need to do. This post is to point out companies that make this possible and give a small bit of thanks.

(If you’ve ever tried to convince a company to give something away for free, you can understand how big this really is.) Some give a lot, some only one tool, but even one is more than some.

Get the list:  Companies that give back with free tools – Blog – Room362.com.

How to Break Into Security

Great series starting over at Krebs on Security on how to get into the field.

At least once a month, sometimes more, readers write in to ask how they can break into the field of computer security. Some of the emails are from people in jobs that have nothing to do with security, but who are fascinated enough by the field to contemplate a career change. Others are already in an information technology position but are itching to segue into security. I always respond with my own set of stock answers, but each time I do this, I can’t help but feel my advice is incomplete, or at least not terribly well-rounded.

I decided to ask some of the brightest minds in the security industry today what advice they’d give. Almost everyone I asked said they, too, frequently get asked the very same question, but each had surprisingly different takes on the subject. Today is the first installment in a series of responses to this question. When the last of the advice columns have run, I’ll create an archive of them all that will be anchored somewhere prominently on the home page. That way, the next time someone asks how they can break into security, I’ll have more to offer than just my admittedly narrow perspectives on the matter.

Read the whole interview:  How to Break Into Security, Ptacek Edition — Krebs on Security.

Dirty little secrets …

As an IT security professional, do you think you learned everything in class? Probably not.

In that case here’s a great presentation by security addict Rob Fuller on pentesting.

Proof that in the IT security field one is constantly learning in order to mitigate the risks of new threats.


Metasploit 4.0 means ….

more tools for IT security pros & penetration testers.

Security product provider Rapid7 has updated its widely used open-source Metasploit exploitation framework, expanding the software so it supports enterprise IT security staff as well as its core audience of penetration testers.

“Originally the framework was focused on just running exploits. Penetration testers were our core base,” said Rapid7 Metasploit chief architect H.D. Moore, referring to the security professionals who are paid by organizations to break into — and thereby document the weaknesses of — computer systems. “But now we are seeing a huge demand from organizations that just want to put all their existing vulnerability data in one spot and validate all those vulnerabilities.”

Not sure what Metasploit is?  Go to the source to learn more.


Garden Security

What does securing a garden from rabbits have to do with security? Check it out:

The lesson, my friends, is that breaches are never truly over. You may have recovered and gone back to business, but there may still be a subtle back door in your network. The information that was lost still has to be accounted for and damages repaired. The lessons learned only build on previous lessons learned and contribute to the overall improvement of your security program. The recovery and lessons-learned stages may be the final stages of handling an incident, but, to borrow upon a favorite phrase of mine, eternal vigilance is the price of security.


Secrets of Successful Tech Contractors

Very interesting.  If you are an IT contractor what are your thoughts?  Would you agree?


Gain more clout with these security certifications

Want a premium salary as an ISS professional?  Make sure to obtain certifications in addition to the degree.

Security service providers and other channel partners who have invested in Global Information Assurance Certification (GIAC) training for their employees or who have hired employees who already have GIAC certifications will have a little more to advertise in 2010 with the announcement last week that three of the major GIAC tracks were accredited under the ANSI/ISO/IEC 17024 Personnel Certification program.

The most recent GIAC tracks to get the check-mark from ANSI were the GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA) and GIAC Certified Forensics Analyst (GCFA) programs.

One of the most well-known incident-handling certifications in the security world, GCIH was recently ranked as the No. 1 security certification that organizations pay a salary premium for, according to the IT employment analysts with Foote Partners. Those certified with GCIH have proven they know about common attack techniques and tools used to penetrate enterprises and small businesses alike. The certification attests to their knowledge about how to defend against and respond to these attacks, as well as incidents caused by both innocently inept and malicious insiders.

Unique within the security industry, GCIA is designed to show that recipients understand how to manage any Intrusion Detection System, regardless of vendor. Those who hold this certification have shown they understand the fundamentals of network protection and are able to analyze traffic patterns well enough to spot and analyze anomalies.

The third program ANSI accredited last week, GCFA, is one of the most recognized digital forensic certifications. Those bestowed with this vendor-neutral certification have proven that they understand a panoply of computer forensics tools and know the most common criminal forensic analysis techniques to complete Windows- and Linux-based investigations.

It seems security skills are not only in demand but result in greater pay.

Though the premium for most IT industry certifications generally went down over the past year, security certifications such as those offered by GIAC, (ISC)2 and ISACA all managed to buck the trend.

“Unlike other technology job segments, pay and demand for security skills have risen steadily since 2007 and neither budget nor headcount has diminished in economic hard times,” wrote Foote Partners principal, David Foote. “Driving continued momentum for steady jobs investment and career safety is the ‘perfect storm’ of more regulation; constant fear of increasing threats; greater customer expectations and demands aimed at vendors; and the splitting of business/strategic risk and operational security activities, which has been accelerated by market forces.”

This demand for such skills could prove profitable for channel partners who are able to hire and retain personnel on their consulting staff in order to market to those customers who don’t have the wherewithal or resources to maintain their own cadre of full-time security experts. (Source: Channel Insider)

Will be pursuing certifications following graduation in June.


Security starts with infrastructure assessment

Interesting article on cloud computing security.

Security professionals are facing the difficult challenge of extending security requirements to take advantage of cloud computing and software-as-a-service applications.

Particularly difficult is finding ways to secure the new boundaries between the enterprise, the cloud service and the end user while managing dependencies on off-premise infrastructure and privileged operators. And they have to do all this without inhibiting flexibility and agility.

It’s a challenge that security professionals have to overcome when considering a move to cloud services.

Research firm IDC predicts that 76% of U.S. organizations will use at least one SaaS-delivered application for business use by the close of 2009. Cloud-based services adoption is being driven by the business performance benefits and realized cost efficiencies. This isn’t new for those of us in IT. Mission critical information already is handled in the cloud for companies that outsource email services or maintain customer information in CRM systems such as Salesforce.com. The challenge for security teams is to safely integrate extended cloud capabilities into corporate policies and procedures.

The best approach?

Forrester recommends the usual checklist of cloud security requirements that any enterprise would have for internally hosted applications. Authenticate users and control access to applications, tightly log and audit privileged operations, protect sensitive data to prevent loss and meet compliance mandates, and reduce risk with rigorous vulnerability management, according to Forrester. Take into account differences in the SaaS vendor’s infrastructure and business practices when evaluating the sensitivity to security. For instance, expect the cloud vendor to be replicating data between data centers for performance and business continuity and expect to have a degree of shared resources with virtualized application environments. (Source: Cloud security begins with infrastructure assessment – Search Security.com)

Click the source to read the whole thing.


Organizations ignoring security …

as they move to cloud services.

Companies are under increased pressure to cut costs and are turning to a variety of Web-based services, from online collaboration tools to social networking platforms, without considering the increased risks they pose and in some cases failing to inform IT security.

Two studies released today from EMC’s RSA security division address the increased risks posed by cloud-based services and social networking. The 2009 IDG Research Services survey, commissioned by RSA, surveyed 100 security executives at companies with revenues of $1 billion or more. It found that many organizations lack a security strategy to address the risks associated with cloud-based services.

Nearly half of those surveyed either have enterprise applications or business processes running in the cloud or are beginning migration in the next 12 months. Yet, two-thirds do not have a security strategy in place for cloud computing, the survey found.

“The rapid adoption of nascent Web, social and mobile technologies combined with the rising use of outsourcing is quickly dissolving what remains of the traditional boundaries around our organizations and information assets,” Art Coviello, executive vice president at EMC and president at RSA, said in a statement.

It is the third study in recent months that addresses the risks associated with the growing use of Web-based services. (Source: RSA council addresses growing security risks in the cloud – Search Security)

Very troubling. Read the whole thing.
