Books

Wow, this has been a crazy busy week.

My apologies for not taking the time to get the daily bits posts out the door. However, don't despair. I have a bumper crop for you today because I have been keeping my eye on things.

Unfortunately you will have to do without my pithy (or so I'd like to believe) comments today. :)

Also, RSA Europe 2009, where I'll be speaking, is right around the corner along with some vacation time, so you will see fewer bits posts over the next couple of weeks and they will probably be like this one. I will be back in full gear after the conference. I will blog when I can on what I see at RSA though.

Anywho, here are today's (this week's) Interesting Information Security Bits from around the web.

  1. Immutable Security >> Low and Slow SSH Brute Force Attacks
    Tags: ( ssh )
  2. Real World Stories: How Pen Tests Complement Vulnerability Scans << Core Security Technologies
    Tags: ( webappsec pentest )
  3. Visa Announces New Data Encryption Practices
    Tags: ( pci )
  4. 'What's wrong with Smelly Widgets?' - Packet Challenge << I Smell Packets
    Tags: ( challenge packet )
  5. The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS - FRHACK01 copy of presentations
    Tags: ( conference presentations )
  6. Avert Labs Paper: Inside the Password Stealing Business:the Who and How of Identity Theft | Hackers Center Blogs
    Tags: ( passwords )
  7. AVG Stepping Up Consumer Anti-Virus Offerings | Darknet - The Darkside
    Tags: ( anti-virus avg )
  8. Man banished from PayPal for showing how to hack PayPal * The Register
    Tags: ( paypal )
  9. Book Review: The Rootkit Arsenal << McGrew Security Blog
    Tags: ( books reviews )
  10. Jeremiah Grossman: All about Website Password Policies
    Tags: ( infosec passwords )
  11. Digital Soapbox - Preaching Security to the Digital Masses: Things I Learned at SecTor 2009
    Tags: ( conference toorcon recap )
  12. TaoSecurity: Technical Visibility Levels
    Tags: ( availability monitoring )
  13. SSL Still Mostly Misunderstood - DarkReading
    Tags: ( ssl )
  14. Anton Chuvakin Blog - "Security Warrior": Compliance != Security, Does Security = Compliance?
    Tags: ( compliance security )
  15. A Page from Singapore's Cybersecurity Playbook | Optimal Security: The Lumension Blog
    Tags: ( general )
  16. You Can't Always Be Proactive - Hacked Off - Dark Reading
    Tags: ( general )
  17. Security Uncorked >> Good, Bad and Ugly: On SecTor's Wall of Shame
    Tags: ( passwords wireless )
  18. CSS History Hack Used To Ban Torrent Users ha.ckers.org web application security lab
    Tags: ( css )
  19. Yahoo Best Jobs in America ranks infosec professional #8
    Tags: ( career )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Xavier has a script you can use with nmap to scan for IIS FTP servers that may be susceptible to the recent 0-day.
    /dev/random >> Detecting Vulnerable IIS-FTP Hosts Using Nmap
    Tags: ( nmap ftp iis )
  2. Chapter 2 of Michael's excellent book "Into the Breach" is now available for free in audio format.
    Into the Breach - Audio Series - Chapter 2 (People Just Want to Do Their Jobs) : The Security Catalyst
    Tags: ( books audio )
  3. Issue 22 of (IN)Secure is out. Good stuff inside. Direct link to the PDF.
    INSECURE-Mag-22.pdf
    Tags: ( magazine )
  4. I read the Farhad Manjoo piece that Ben is referencing and was amazed. Ben does a great job of speaking to the points that Farhad tried to make.
    innismir.net -- Why corporate IT chains your computers
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well. Things look a little different below because Delicious's API appears to be having issues at the moment. Anyway, here are today's Interesting Information Security Bits from around the web.

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. F-Secure has a great Q&A posted about Conficker. Short version: Like the good book [Hitchhiker's Guide to the Galaxy] says, "Don't Panic!"
    Questions and Answers: Conficker and April 1st - F-Secure Weblog : News from the Lab
    Tags: ( malware conficker )
  2. A very thoughtful and thought generating piece by Jeremiah. The comments are also worth reading. I am very interested to see where this goes and hope to be a part of it in some small way.
    Jeremiah Grossman: Website security needs a strategy
    Tags: ( webappsec )
  3. Some nice guidance for when you decide to develop that file upload utility.
    SecuriTeam Blogs >> File upload security recommendations
    Tags: ( secure-coding )
  4. Lorrie reviews Michael's book which I have also reviewed. I agree with everything she says.
    Why you must dive Into the Breach
    Tags: ( books reviews )
  5. Time to patch OpenSSL.
    OpenSSL patches three security holes | Zero Day | ZDNet.com
    Tags: ( vulnerability patches openssl )
  6. Daniel puts together a very good set of observations regarding information security as an enabler. Like Daniel, I am not a proponent of presenting information security as an enabler. Except for specific cases where information security related activities/products actually produce your revenue stream, it does not increase revenue, provide efficiencies, or otherwise make it 'easier' to do business. It IS a vital part of doing all of the above safely and responsibly, however.
    The Problem With Selling Information Security as a "Business Enabler" | dmiessler.com
    Tags: ( opinion )
  7. More yummy goodness from Synjunkie on abusing Citrix servers.
    Syn: Abusing Citrix - Part 4
    Tags: ( hacking citrix )
  8. Andrew is tackling a topic that is near and dear to us all, being provided development opportunities by our employers.
    A Multipart Letter to Employers of Security Professionals : The Security Catalyst
    Tags: ( general )
  9. Go give your six words on security. I will be.
    6 words on Security: A Challenge : The Security Catalyst
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. An interesting set of threats to think about in 2009.
    http://www.darkreading.com/shared/printableArticle.jhtml?articleID=212700328
    Tags: ( threats )
  2. Ax0n has posted a great article. Take a read if you manage or hire "geeks."
    HiR Information Report: Open Letter from Geeks to IT Recruiters and Hiring Managers
    Tags: ( general career )
  3. RUXCON presentations are on-line now.
    RUXCON Presentations | Infosec Events
    Tags: ( conferences presentations ruxcon )
  4. Like the link title says. The audio from Blackhat Japan 2008 is available now.
    Black Hat Japan 2008 Audio | Infosec Events
    Tags: ( conferences blackhat audio 2008 japan )
  5. An interesting perspective.
    Alex Payne | Why I Don't Work In Information Security
    Tags: ( general )
  6. Richard lists his favorites among the information security related books he reviewed last year. Good stuff in there.
    TaoSecurity: Best Book Bejtlich Read in 2008
    Tags: ( books )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Once more unto the breach…

by kriggins on October 7, 2008

in Books

Once more unto the breach, dear friends, once more,
Or close the wall up with our English dead!
In peace there's nothing so becomes a man
As modest stillness and humility;
But when the blast of war blows in our ears,
Then imitate the action of the tiger:
Stiffen the sinews, summon up the blood.

"Henry V" (5.3.44-51)

Michael J. Santarcangelo, II has written a little book titled Into the Breach. The preview copy I have has 91 pages of content, but I want to make something very clear: the ideas in this little book are big, very big.

The subtitle of the book is "Protect Your Business by Managing People, Information, and Risk." Seems pretty straightforward, doesn't it? However, those of us in the information security profession are painfully aware that actually doing what that simple statement says is often far from straightforward.

Michael wants to help us with the issue and puts forth a process that can greatly increase our ability to satisfy that statement in a manner that brings engagement from all parts of the organization. At its root, Michael's strategy makes protecting the data of our organizations everybody's job, not just information technology's job, but it does so in a way that re-energizes everybody by giving them a voice in what is important and what is not.

He starts out the book by introducing and addressing three common myths that crop up when we start talking about protecting our organization's data from unauthorized access or "breach":

  1. "Outsiders pose the biggest threat to information."
  2. "Information protection needs a technology solution."
  3. "Protecting information costs too much."

Throughout the rest of the book, he walks us through a process that is simple in its execution, but profound in what it provides to those who participate in it. I'm not going to steal Michael's thunder. I am going to suggest that you pick up a copy of his book and read it...twice...at least. If you do and implement the strategies contained in it, you will be much better equipped to "Protect Your Business by Managing People, Information, and Risk" and to reduce the chances that your data will go "Into the Breach."

Kevin