Tuesday, May 20, 2008
Why are we doing this?
What's the goal of putting this security control in place?
Are there any risks associated?
What is the expected outcome?
Is the way we're deploying this technology, the "best" that we can do? (Without impacting business efficiency of course.)
I know it's simple in nature, but seriously, asking those questions is where the real securitah lies.
Wednesday, February 27, 2008
"I want to get into a security role within IT."
My advice? Know your fundamentals. Know the core of what makes the world go round in systems, software, or networking technology.
Now please, don't start with the "C'mon dude, are you serious?" after reading this list. Let me esplain. No, there is too much, lemme sum up.
- Understand DNS, in and out. It's been around since the beginning of time.
- Understand TCP/IP, TCP flags & communication, and packets (at least at a level that you can use Wireshark or tcpdump). I'm not talking about decoding packets in hex and chewing gum at the same time.
- Learn how to administer and troubleshoot issues with Windows Server, and pick-your-flavor of UNIX/Linux. Start small. Think performance monitoring, network monitoring, and service monitoring tools for each platform.
- Understand dynamic routing and networking topology protocols. Spanning-tree and BGP can get very deep – at least know how they function, and primary causes for them to not function properly.
- Learn what viruses, Trojans, and rootkits are, at a high level. Know how some of the primary penetration and propagation techniques occur.
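To make the TCP/IP item concrete, here is an added example (not from the original post) that does what "break down a TCP traffic flow between two hosts" means in practice: it parses the fixed 20-byte TCP header, pulls out the flag bits, and walks a flow through handshake, data transfer and teardown, naming each step the way you would when reading a Wireshark or tcpdump trace. The packet sequence is constructed for the example, not captured; the port numbers, sequence numbers and payload sizes are assumptions.

```python
"""Decode TCP headers and follow one connection's state.

Added worked example for the "TCP flags & communication" fundamental.
All packets below are constructed, not a real capture.
"""
import struct
from dataclasses import dataclass

# Flag bits in the TCP header's flags byte (RFC 793 layout)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int      # header length in bytes
    flags: frozenset
    window: int


def parse_tcp_header(raw: bytes) -> TcpHeader:
    """Parse the fixed 20-byte TCP header (network byte order); options are ignored."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_res, flag_byte, win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    data_offset = (off_res >> 4) * 4        # upper nibble = header length in 32-bit words
    flags = frozenset(name for name, bit in FLAG_BITS.items() if flag_byte & bit)
    return TcpHeader(src, dst, seq, ack, data_offset, flags, win)


def build_tcp_header(src, dst, seq, ack, flags, window=65535) -> bytes:
    """Build a 20-byte header for the constructed sample (checksum left at zero)."""
    flag_byte = 0
    for f in flags:
        flag_byte |= FLAG_BITS[f]
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack, 5 << 4, flag_byte, window, 0, 0)


def follow_flow(packets):
    """Label each packet of a flow by its role and track connection state.

    packets: iterable of (direction, TcpHeader, payload_len),
             direction 'c>s' = client-to-server, 's>c' = server-to-client.
    Returns (list of (direction, label), final state).
    """
    state = "CLOSED"
    events = []
    for direction, hdr, payload_len in packets:
        f = hdr.flags
        if "RST" in f:
            label, state = "reset", "CLOSED"
        elif f == {"SYN"} and state == "CLOSED":
            label, state = "handshake 1/3 (SYN)", "SYN_SENT"
        elif f == {"SYN", "ACK"} and state == "SYN_SENT":
            label, state = "handshake 2/3 (SYN-ACK)", "SYN_RECEIVED"
        elif "ACK" in f and state == "SYN_RECEIVED" and payload_len == 0:
            label, state = "handshake 3/3 (ACK)", "ESTABLISHED"
        elif "FIN" in f and state == "ESTABLISHED":
            label, state = "teardown started (FIN)", "FIN_WAIT"
        elif "FIN" in f and state == "FIN_WAIT":
            label, state = "teardown answered (FIN)", "LAST_ACK"
        elif "ACK" in f and state == "LAST_ACK":
            label, state = "teardown complete (ACK)", "CLOSED"
        elif state == "ESTABLISHED" and payload_len > 0:
            label = f"data {payload_len} bytes" + (" (PSH)" if "PSH" in f else "")
        elif state == "ESTABLISHED" and "ACK" in f:
            label = "pure ACK"
        else:
            label = f"unexpected {sorted(f)} in {state}"   # e.g. a SYN on an open connection
        events.append((direction, label))
    return events, state


def sample_flow():
    """Constructed HTTP-like exchange, client port 49152 to server port 80 (assumed values)."""
    c, s = 49152, 80
    raw = [
        ("c>s", build_tcp_header(c, s, 1000, 0, ["SYN"]), 0),
        ("s>c", build_tcp_header(s, c, 5000, 1001, ["SYN", "ACK"]), 0),
        ("c>s", build_tcp_header(c, s, 1001, 5001, ["ACK"]), 0),
        ("c>s", build_tcp_header(c, s, 1001, 5001, ["PSH", "ACK"]), 16),
        ("s>c", build_tcp_header(s, c, 5001, 1017, ["ACK"]), 0),
        ("s>c", build_tcp_header(s, c, 5001, 1017, ["PSH", "ACK"]), 100),
        ("c>s", build_tcp_header(c, s, 1017, 5101, ["FIN", "ACK"]), 0),
        ("s>c", build_tcp_header(s, c, 5101, 1018, ["FIN", "ACK"]), 0),
        ("c>s", build_tcp_header(c, s, 1018, 5102, ["ACK"]), 0),
    ]
    # Round-trip through the parser so the decoder is what drives the flow logic
    return [(d, parse_tcp_header(b), n) for d, b, n in raw]


if __name__ == "__main__":
    events, final = follow_flow(sample_flow())
    for direction, label in events:
        print(f"{direction}  {label}")
    print("final state:", final)
```

The state machine is deliberately the client-side view and only as deep as the post asks for: enough to tell a completed handshake from a half-open one, data from pure ACKs, and a clean FIN/ACK close from a RST. Feed it headers sliced out of a real capture (bytes after the IP header) and you have the same walkthrough tcpdump gives you, minus the guesswork about which flag means what.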
There are a lot more. I know. But I'm more and more surprised by how many technology professionals do not understand core fundamentals like DNS. Or how to break down a TCP traffic flow between two hosts.
Let's not forget this fact: you'll become a stronger security professional by being a great systems/software/networking professional first.
Respect the securitah by knowing and applying your base skills.
Thursday, February 7, 2008
For those that didn't see the diary posting at the Internet Storm Center yesterday/today:
"On February 12, 2008 Microsoft will release the Windows Internet Explorer 7 Installation and Availability update to Windows Server Update Services (WSUS). Windows Internet Explorer 7 Installation and Availability Update is a complete installation package that will upgrade machines running Internet Explorer 6 to Windows Internet Explorer 7. Customers who have configured WSUS to "auto-approve" Update Rollup packages will automatically upgrade machines running Internet Explorer 6 to Windows Internet Explorer 7 after February 12, 2008 and consequently, may want to read Knowledge Base article 946202 to manage how and when this update is installed. For more on the Windows Internet Explorer 7 Installation and Availability Update, read Knowledge Base article 940767."
Moral of the story:
As much as Microsoft wants to extend their QA department into your corporation, don't let them. I'm not a fan of any "auto-updating" service. True, most of the time, everything will work out just peachy, you'll be patched/updated/band-aided/snug-as-a-remedied-software-bug-in-a-rug....BUT....there's always the chance that the new shiny update will PUNCH YOU IN THE FACE.
So, test, test, test.
And if you're screaming at me - "We don't have the money for a test environment!" - there are virtual PC/server options. And they're free. And they work.
I'm pretty sure Matt Neely over at Security Second Thoughts knows a thing or two about virtualization. And believe me, he definitely knows three or four things about mobile commerce...
On another note...I'll be adding a section that shows the security blogs I like reading. I'll keep it limited to 10 - a lot of them tend to repeat what others are saying.