tillw

Welcome to the weekly post where I take the opportunity to expound on just about anything. Never fear, there is always a dedicated Infosec portion for those that don't care about anything else 🙂

Here are a few links if you'd like to skip to a particular part of the post.

Thoughts
Infosec Stuffs
Non-Infosec Stuffs

Thoughts

"It is not necessary to change. Survival is not mandatory."
- W. Edwards Deming

I'm going to go a step further than Mr. Deming and say that flourishing is not mandatory. The issue at stake is often not one of survival, but one of taking that next step that can lead to new knowledge, new experience, new growth...flourishing.

We've talked about courage and failure already. Both are part and parcel of change. Not every change is going to be successful or even good, but, in many cases, maintaining the status quo results in stagnation or just isn't an option.

Some embrace change. They thrive on it. The allure of the new is irresistible to them.

Some don't.

If you fall into the second category you might get something out of the book Who Moved my Cheese?.

Don't avoid change. It is going to happen whether you want it to or not. Being ready to deal with it and making the best of it will go a long way towards making it a whole lot easier when said change does happen.

Infosec Stuffs

Not a lot caught my eye last week. Probably due to the number of folks that were on vacation or just general year-end slow-downs, like me not paying much attention 🙂 However, I do have a couple things for you.

OWASP Secure Coding Practices Quick Reference Guide

This is a handy 17-page document that boils down the OWASP Secure Coding Practices to the nitty-gritty. Definitely a reference to keep close by.

OWASP_SCP_Quick_Reference_Guide (PDF)

PC in a Plug

This is a very, very nifty project, particularly if you happen to be performing a physical penetration test. It doesn't appear that the actual hardware is available yet. When it is, it will be fun to play with.

Covert Penetration

Non-Infosec Stuffs

I don't have much to talk about here this week either. The only thing I want to mention relates to the architecture that I use for the different blogs and websites I manage.

I use a combination of WordPress or Drupal served by a Nginx web server/PHP/PHP-FPM/MySQL stack. Recently, I needed to increase the maximum file size that could be uploaded to one of my sites.

Should have been simple.

Wasn't.

Actually, it was. I was just a bit dense.

Turns out that Nginx never reads php.ini at all. It hands PHP requests off to PHP-FPM, and PHP-FPM only picks up changes to php.ini when it is restarted (or reloaded). The Nginx restart script doesn't do that bit for you. Oops.

The specific setting I was trying to modify was upload_max_filesize. I finally a) remembered about PHP-FPM and b) restarted it and, after a bunch of silliness, voilà, uploads of large files worked. Sheesh.

Moral of the story? If you aren't getting the result you expect when making changes to your web publishing stack, make sure you have restarted the whole mess before looking for other culprits.
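As an added example (not code from the original post), here is a small Python check that reads the two configs involved and reports which setting actually caps an upload. Restarting PHP-FPM only helps if upload_max_filesize is really the binding limit: PHP's post_max_size covers the whole request body, and Nginx's own client_max_body_size (default 1m) rejects oversized bodies with a 413 before PHP ever sees them. The php.ini and nginx.conf snippets below are constructed, and the parsing deliberately ignores Nginx block scope and PHP-FPM pool overrides.

```python
"""Work out the effective upload ceiling across php.ini and nginx.conf."""
import re
from typing import Tuple

# Shorthand multipliers: PHP's K/M/G and nginx's k/m are both binary units.
_MULTIPLIERS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# Documented defaults used when a directive is absent.
PHP_DEFAULTS = {"upload_max_filesize": "2M", "post_max_size": "8M"}
NGINX_DEFAULT_BODY = "1m"


def parse_size(value: str) -> int:
    """Convert '64M', '8m', '1g' or '1048576' to bytes.

    PHP's shorthand looks only at the trailing letter (case-insensitive);
    nginx's client_max_body_size accepts k and m the same way."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * _MULTIPLIERS[m.group(2).lower()]


def php_ini_setting(ini_text: str, key: str) -> str:
    """Last uncommented value of `key` in php.ini text, or PHP's default.
    Later duplicates override earlier ones, as they do in PHP itself."""
    found = PHP_DEFAULTS[key]
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # ';' starts a php.ini comment
        m = re.fullmatch(rf"{key}\s*=\s*(\S+)", line)
        if m:
            found = m.group(1)
    return found


def nginx_body_limit(conf_text: str) -> str:
    """Last client_max_body_size in an nginx config, or the 1m default.
    Ignores block scope: a real config may set it per server or location."""
    found = NGINX_DEFAULT_BODY
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # '#' starts an nginx comment
        m = re.fullmatch(r"client_max_body_size\s+(\S+)\s*;", line)
        if m:
            found = m.group(1)
    return found


def effective_upload_limit(ini_text: str, conf_text: str) -> Tuple[str, int]:
    """Return (limiting setting, bytes) for a single-file upload.

    nginx answers 413 if the request body exceeds client_max_body_size before
    PHP sees it; PHP then applies post_max_size to the whole body and
    upload_max_filesize to each file, so the ceiling is the smallest of the three."""
    candidates = {
        "php post_max_size": parse_size(php_ini_setting(ini_text, "post_max_size")),
        "php upload_max_filesize": parse_size(php_ini_setting(ini_text, "upload_max_filesize")),
    }
    nginx_bytes = parse_size(nginx_body_limit(conf_text))
    if nginx_bytes != 0:                              # 0 turns nginx's body-size check off
        candidates["nginx client_max_body_size"] = nginx_bytes
    name = min(candidates, key=candidates.get)
    return name, candidates[name]


# Constructed sample configs, not copied from any real server.
SAMPLE_PHP_INI = """\
; php.ini excerpt
upload_max_filesize = 2M
upload_max_filesize = 64M   ; the edit that "did not work"
post_max_size = 8M
"""

SAMPLE_NGINX_CONF = """\
server {
    listen 80;
    # client_max_body_size 100m;   (commented out, so the 1m default applies)
}
"""

if __name__ == "__main__":
    name, limit = effective_upload_limit(SAMPLE_PHP_INI, SAMPLE_NGINX_CONF)
    print(f"effective upload limit: {limit} bytes, set by {name}")
```

On the sample, the 64M php.ini edit is irrelevant: Nginx's default 1m body limit wins. After editing, reload PHP-FPM (not just Nginx) and verify through a PHP page served by FPM rather than with `php -i`, since many distributions ship separate php.ini files for the CLI and for FPM. PHP-FPM pool files (php_admin_value) and .user.ini files can also override php.ini, and this check does not read those.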

Closing

That's it for this week. I hope you found something that piqued your interest.

As always, comments welcome below or you can email me at kriggins@infosecramblings.com if you prefer.

If you are interested in getting my content regularly, go ahead and subscribe to my RSS feed. You can also subscribe to have posts emailed to you if you prefer.

-Kevin

Photo Atribution:
KISS: Jegi
Zombie Survival Guide: jronaldlee
http://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf


Things I Learned Last Week: 12/19/2010 – 12/26/2010

by kriggins on December 27, 2010

in TILLW

Welcome to the weekly post where I take the opportunity to expound on just about anything. Never fear, there is always a dedicated Infosec portion for those that don't care about anything else 🙂

Here are a few links if you'd like to skip to a particular part of the post.

Thoughts
Infosec Stuffs
Non-Infosec Stuffs

Thoughts

"Failure defeats losers, failure inspires winners."
~Robert T. Kiyosaki

Last week we talked about courage. We didn't say that courage meant we were not afraid, we said that courage is doing something in spite of fear.

But what if something bad happens...like failure?

There are two ways to look at failure. The first is to say we can't do it. Admit to ourselves we got beat, tuck our tail between our legs, and slink off, hoping that nobody saw us go down in flames.

In other words, BE A LOSER!

Ouch. That was harsh.

Let's try the second way. Let's look at our failures as inspirations. Let's take our failures, learn from them, and then try again...as often as necessary, until we succeed.

In other words, BE A WINNER!

Infosec Stuffs

Cost of a Security Breach

One of my friends, Javvad, pointed this out last week. It is a very nice infographic on the cost of a security breach. While the data and numbers are UK specific, I think it gives a picture that all of us should be aware of.

Cost of a Security Breach

Sysadmin Mantras

You may be a sysadmin or you may not be. However, anybody involved in security will benefit from giving these a read. They apply as well to any security effort as they do to system administration.

Sysadmin Mantras

Your 2011 Infosec Marketing Plan: FUD?

Dave is speaking a bit tongue in cheek here, but you really do need to sell your efforts to make your organization more secure. 'Just because' is not going to get it done.

Your 2011 Infosec Marketing Plan: FUD?

Tips for Submitting a Security Conference Proposal

Have you decided it's time to start your speaking career? Have you already been submitting, but haven't gotten accepted yet? Either way, you should give Lenny's tips a read.

Tips for Submitting a Security Conference Proposal

Non-Infosec Stuffs

This week for the non-infosec stuff, we have a couple of completely unrelated topics.

Copyediting

First is a site that will help you be a better writer. It's a site called CopyEditing: because language matters. There are a number of resources there for you to use, both paid and free. I particularly like the blog that has free tips. Check it out.

Net Neutrality

The other bit I have for you is a graphical representation of what a non-open internet could mean. For more information on Net Neutrality, see this link. After reading that, check out this graphic for a bit clearer idea of what it could mean 🙂

http://www.theopeninter.net/

Closing

Last week I received a nice note from a reader who expressed appreciation for the blog. That meant the world to me. One of those every once in a while is plenty of fuel to keep blogging.

I am not bringing this up to ask for more of such from you, although that would be nice 🙂

I bring it up so that I can urge you to drop one or more of your favorite bloggers a quick note or comment of appreciation. They spend a good bit of time providing us with food for the mind or with things that tickle our fancy. A simple note of thanks really makes a difference.

That's it for this week. I hope you found something that piqued your interest.

As always, comments welcome below or you can email me at kriggins@infosecramblings.com if you prefer.

-Kevin


Things I Learned Last Week: 12/12/2010 – 12/18/2010

by kriggins on December 20, 2010

in TILLW

Welcome to the weekly post where I take the opportunity to expound on just about anything. Never fear, there is always a dedicated Infosec portion for those that don't care about anything else 🙂

Here are a few links if you'd like to skip to a particular part of the post.

Thoughts
Infosec Stuffs
Non-Infosec Stuffs

Thoughts

"Courage is being scared to death, but saddling up anyway."
~John Wayne

I came across this quote earlier this week and it hit me again as I contemplated last Tuesday's Crossfit workout. Crossfit is an exercise regimen that is based on constantly varied, high intensity efforts across broad time and modal domains.

What in the world does that mean?

It means workouts are always changing and always intense. The changes are in the exercises performed and the time they are performed in.

That being said, there are certain defined workouts that are used to gauge progress. Tuesday's was just such a workout. It is affectionately named the "Filthy Fifty". If you are interested in the details of what that entails, you can check out this post from my gym's blog, but essentially it is 50 repetitions of 10 different exercises done for time.

Yup, that's a total of 500 reps.

It hurts...A LOT.

I knew it was going to hurt when I looked at it that morning.

I. Did. It. Anyway.

When faced with something frightening, hard, outside our comfort zone, or just plain intimidating we can be scared and hide from the challenge or, as Lady Macbeth said

Macbeth:
If we should fail?

Lady Macbeth:
We fail?
But screw your courage to the sticking place,
And we'll not fail.

Macbeth Act 1, scene 7, 59–61

Put your foot in the stirrup, grab a hold of the horn, and get yourself in that saddle. The only way to assure yourself of failure is to not try.

Infosec Stuffs

IPv6

IPv6 is coming whether we want it to or not. Here is a quick cheatsheet for some things IPv6.

Don't write it if you don't want it read

There was quite the brouhaha a week or so ago when it was learned that there had been a massive breach of Gawker's systems. So bad that the individuals responsible were able to get access to quite a bit of really important information, like source code, internal usernames and passwords, chat logs, etc. This post at Forbes is an excellent synopsis of what happened.

There are a bunch of lessons in this post, but the one that we really need to take away is that putting usernames and passwords into clear-text communications like chat and email is really, really not a good idea. You never know when that type of stuff will become available to those you don't want to read it.
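As an added example that is not part of the original post, here is a Python scanner that applies a few heuristic patterns to a chat transcript and flags, or redacts, the lines where somebody pasted a credential. The patterns and the sample transcript are my own constructions and are nowhere near exhaustive; the point is that if you archive chat or mail at all, a check like this is a cheap way to find the "user/pass:" lines before a Gawker-style dump does it for you.

```python
"""Heuristic scan of chat or e-mail text for credentials shared in the clear."""
import re
from typing import List, Tuple

# Ways people actually type credentials into chat.  Constructed heuristics for
# illustration, not an exhaustive DLP rule set; tune them against your own logs.
CREDENTIAL_PATTERNS = [
    # "password: hunter2", "passwd=hunter2", "password is hunter2"
    re.compile(r"\b(?:password|passwd)\b\s*(?:is|[:=])\s*(\S{4,})", re.I),
    # "pass: hunter2", "pw=hunter2"  (no "is" form: "the pass is closed" is not a leak)
    re.compile(r"\b(?:pass|pwd|pw)\s*[:=]\s*(\S{4,})", re.I),
    # "user/pass: deploy/hunter2"
    re.compile(r"\buser(?:name)?\s*/\s*pass(?:word)?\s*[:=]\s*(\S+/\S+)", re.I),
    # "login: admin:hunter2", "creds admin:hunter2"
    re.compile(r"\b(?:login|creds?)\s*[:=]?\s*(\S+:\S+)", re.I),
    # credentials embedded in a URL: scheme://user:pass@host
    re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s/:@]+:[^\s/@]+)@", re.I),
]


def _first_match(line: str):
    """Return the first pattern match on a line, or None."""
    for pat in CREDENTIAL_PATTERNS:
        m = pat.search(line)
        if m:
            return m
    return None


def find_credential_leaks(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, secret, stripped line) for every line that looks like a shared credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _first_match(line)
        if m:
            hits.append((lineno, m.group(1), line.strip()))
    return hits


def redact(text: str) -> str:
    """Replace each detected secret with [REDACTED] so a transcript can be archived or forwarded."""
    out = []
    for line in text.splitlines():
        m = _first_match(line)
        if m:
            line = line[: m.start(1)] + "[REDACTED]" + line[m.end(1):]
        out.append(line)
    return "\n".join(out)


# Constructed chat transcript (not a real log).
SAMPLE_CHAT = """\
[10:02] alice: the staging db is up
[10:03] bob: thx, what's the login?
[10:03] alice: user/pass: deploy/Sup3rS3cret!
[10:04] bob: got it
[10:05] carol: also ftp://backup:Backup2010@files.example.com is back
[10:06] alice: lunch?
[10:07] dave: reset it, password is hunter22 now"""

if __name__ == "__main__":
    for lineno, secret, line in find_credential_leaks(SAMPLE_CHAT):
        print(f"line {lineno}: credential {secret!r} in: {line}")
    print(redact(SAMPLE_CHAT))
```

Expect false positives from a pattern set this small; the value is in the review it forces, not in treating every hit as a confirmed leak. The better fix is still the one the post makes: don't put the credential in the chat in the first place.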

Open Source Security Testing Methodology Manual (OSSTMM)

Version 3 of the OSSTMM (PDF) has been released. From the introduction:

The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for a thorough security test, herein referred to as an OSSTMM audit. An OSSTMM audit is an accurate measurement of security at an operational level that is void of assumptions and anecdotal evidence. As a methodology it is designed to be consistent and repeatable. As an open source project, it allows for any security tester to contribute ideas for performing more accurate, actionable, and efficient security tests. Further it allows for the free dissemination of information and intellectual property.

The OSSTMM has been in development for quite a few years and this is the latest version. I am still reading through it, but you can't go wrong by giving it a read.

Get over it

Rich, over at Securosis, has a post up titled Get Over It. Go read it. I'll wait.

.

.

.

Back? Good.

That post sparked the following thoughts which are only loosely related.

Think about the last time you were meeting with some business people and they just didn't understand how dire the situation was.

Now, stop and think about this.

Was it really dire?

We as professionals in the information security realm tend to go straight to worst possible outcome. I think this is often a function of the mindset that Rich talks about. What happens if somebody keeps hearing about the worst possible outcome over and over, but it never happens? They will likely stop listening to you.

Try to see things from a space outside your own experience and you may find ways to both step back from the worst-possible-outcomes trap and communicate with your "outsiders" in a manner that breeds collaboration as opposed to ignoration. < Ha! That isn't a word, but it sure should be.

Non-Infosec Stuffs

Not a whole lot on the non-infosec front this week other than to say that I was introduced to an instrument I had never heard of this past weekend, the piccolo trumpet.

My wife and I, along with some friends, went to a chamber music concert where J.S. Bach's Brandenburg Concerto No. 2 was played. The piccolo trumpet used in that concerto is absolutely wonderful to listen to, as are all of Bach's Brandenburg Concertos.

If you have never heard Bach's Concerto No. 2, you should really give it a listen.

J.S. Bach, Brandenburg Concerto II BWV 1047, Freiburg Baroque Orchestra

I. Allegro

II. Andante

III. Allegro Assai

Closing

That's it for this week. I hope you found something that piqued your interest.

As always, comments welcome below or you can email me at kriggins@infosecramblings.com if you prefer.

-Kevin
