<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1748064196870604838</id><updated>2012-01-21T08:09:36.614-08:00</updated><category term='remote'/><category term='career'/><category term='inside threat'/><category term='OWASP'/><category term='disgruntled'/><category term='certifications'/><title type='text'>Brad on Security</title><subtitle type='html'>General comments on security topics from a self-appointed expert!  :)</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>43</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-3968571616288558502</id><published>2012-01-02T17:33:00.001-08:00</published><updated>2012-01-02T17:33:35.946-08:00</updated><title type='text'>Quality Software is Secure Software</title><content type='html'>The focus on software development is usually getting the system completed on time and hopefully at or under budget.&amp;nbsp; Some organizations may even add a requirement that few known bugs may ship with the product, though the amount of testing and validation of that can vary greatly.&lt;br /&gt;&lt;br /&gt;The security of those systems usually comes somewhere after that, especially if the organization doesn't have a regulatory requirement for it.&amp;nbsp; In fact, even those organizations may only pay lip service to the need for secure software until they face a breach of their own.&lt;br /&gt;&lt;br /&gt;Much of that is driven by business needs.&amp;nbsp; The eyes of the leaders are on profit and loss (as it should be) and the new system needs to be available to help raise income and profit for the company.&lt;br /&gt;&lt;br /&gt;This is as it should be, since a company without income and profits will soon be out of business, but it minimizes the impact of defects and security flaws on the business.&amp;nbsp; Some organizations are starting to understand that defects can be costly, but only a few of those realize that security flaws are just 
another kind of dangerous defect.&lt;br /&gt;&lt;br /&gt;Realizing this would help make educating people about the value of preventing or quickly fixing defects or security flaws more effective since only one message would need to go out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-3968571616288558502?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/3968571616288558502/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=3968571616288558502' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3968571616288558502'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3968571616288558502'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2012/01/quality-software-is-secure-software.html' title='Quality Software is Secure Software'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-3903408067904772520</id><published>2011-12-24T20:11:00.000-08:00</published><updated>2011-12-24T20:11:39.406-08:00</updated><title type='text'>I Passed the CISSP!</title><content type='html'>I just found out that I passed the CISSP exam I took several weeks ago!&amp;nbsp; I was surprised, but this turned out just like my CISM exam.&amp;nbsp; I thought I failed that too, but now I have the key information security certification under my belt to go with all the other hands on ones I have completed!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-3903408067904772520?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/3903408067904772520/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=3903408067904772520' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3903408067904772520'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3903408067904772520'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2011/12/i-passed-cissp.html' title='I Passed the CISSP!'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-3347498994525976012</id><published>2011-11-22T00:49:00.001-08:00</published><updated>2011-11-22T00:51:52.094-08:00</updated><title type='text'>First CISSP Attempt</title><content type='html'>I am often too much of a perfectionist and while I have passed several SANS certification tests and even ISACA's CISM test, I kept waiting to tackle the CISSP until I thought I knew enough.  I finally decided to sign up for it a little more than a month ago, figuring I could retake it if needed.  I suspect I will need to do so as several of the questions on the test were nothing like the material I jammed into my head in the last few weeks, in addition to all my hands-on time prior to that.  I am annoyed that I even missed a PCI question that I should have known better on.&lt;br /&gt;&lt;br /&gt;Overall, a quite annoying test.  Annoying in a different way than the CISM, but annoying nevertheless.  
I did feel I failed that when I took it, so perhaps the outcome will be better, but I won't know for a couple of weeks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-3347498994525976012?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/3347498994525976012/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=3347498994525976012' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3347498994525976012'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3347498994525976012'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2011/11/first-cissp-attempt.html' title='First CISSP Attempt'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-6881509348991204117</id><published>2011-10-27T21:33:00.000-07:00</published><updated>2011-10-27T21:33:49.811-07:00</updated><title type='text'>How Greedy and Stupid Can You Get?</title><content type='html'>I knew it before, but I am finally digging through the latest Shon Harris CISSP book.  Instead of going with the standard Confidentiality, Integrity and Availability, the book calls it Integrity, Confidentiality and Availability (ICA).  I suppose this is so they can trademark the term.  
How stupid.&lt;br /&gt;&lt;br /&gt;I suppose we are going to see the CPT-PI soon (Control Protocol for Transport - Protocol Internet)....&lt;br /&gt;&lt;br /&gt;Some smart people in the security training business, but too worried about locking off their own material and not enough about producing excellence.  I guess that's what happens when you become a bunch of prima donnas.  I have seen similar stupidity in many places.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-6881509348991204117?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/6881509348991204117/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=6881509348991204117' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6881509348991204117'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6881509348991204117'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2011/10/how-greedy-and-stupid-can-you-get.html' title='How Greedy and Stupid Can You Get?'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-1971664127617240074</id><published>2011-09-07T23:00:00.000-07:00</published><updated>2011-09-07T23:00:02.677-07:00</updated><title type='text'></title><content type='html'>I attended the Dallas OWASP meeting earlier today.  Charles Henderson from Trustwave was talking about their data breach report for 2010.  Some notes I took with my comments:&lt;br /&gt;&lt;br /&gt;- Attackers are continually looking for the weakest link.&lt;br /&gt;Should be obvious, but we always need to keep this in mind.&lt;br /&gt;&lt;br /&gt;- Organized crime doesn't trust each other.  This means they often use strong security in their own work.&lt;br /&gt;How ironic.&lt;br /&gt;&lt;br /&gt;- Attackers will normally try to use the existing infrastructure to get compromised data out of the organization and back to their control.&lt;br /&gt;&lt;br /&gt;- More targeted attacks today.  Example given:  Sally is pregnant.  Attacker finds her direct reports, sends "baby pictures" about the time she is due.  This is a very targeted phishing email.&lt;br /&gt;We still need to be very cautious, even with "expected" email.&lt;br /&gt;&lt;br /&gt;- Attacking requires customization today.  Too many automated tools can find the "easy" stuff.&lt;br /&gt;&lt;br /&gt;- One wireless attack is to set up a wireless access point that a laptop with a hard connection to an internal network will automatically connect to.  This could end up with a wireless connection directly into the "protected" network.&lt;br /&gt;I wasn't clear if the names of these potential WAPs can be learned from the traffic the laptop sends out or not.  I will need to investigate this more.&lt;br /&gt;&lt;br /&gt;- The less you know about a device, the more you are likely to trust it.&lt;br /&gt;Very interesting.  We will press "ok" the less certain we are.  
Scary.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-1971664127617240074?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/1971664127617240074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=1971664127617240074' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1971664127617240074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1971664127617240074'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2011/09/i-attended-dallas-owasp-meeting-earlier.html' title=''/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-6115474999629498220</id><published>2011-08-09T14:59:00.000-07:00</published><updated>2011-08-09T15:05:05.695-07:00</updated><title type='text'>Steganography Hits the Big Time</title><content type='html'>An attacker has to figure out how to get information out of machines they have compromised.  DLP filters sometimes work against this, though merely sending the data out in some fashion has a strong chance of providing a warning of the compromise.
&lt;br /&gt;&lt;br /&gt;Thus attackers are staring to use &lt;a href="http://www.newscientist.com/article/mg21128225.500-stegobot-steals-passwords-from-your-facebook-photos.html"&gt;steganography&lt;/a&gt; to get data out of compromised computers.&lt;br /&gt;&lt;br /&gt;Scary.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-6115474999629498220?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/6115474999629498220/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=6115474999629498220' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6115474999629498220'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6115474999629498220'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2011/08/steganography-hits-big-time.html' title='Steganography Hits the Big Time'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-3312322530981245317</id><published>2011-07-06T04:32:00.000-07:00</published><updated>2011-07-06T04:36:12.787-07:00</updated><title type='text'>Android Security Flaw</title><content type='html'>I recently had to adjust the settings on my Android phone to allow applications from "any source" so I could get some downloads from Amazon.  While Amazon has complete instructions on how to do that and it frees me from only using the Android Store, why do I need to totally remove the limits to do so?&lt;br /&gt;&lt;br /&gt;A better design would be to allow me to have a limited set of sites that could install applications on the phone, limiting installations to only those sites.  Then I could add Amazon to the "approved list" and keep a lot more security without opening the barn door for anyone to walk in.&lt;br /&gt;&lt;br /&gt;I would report this somewhere, but it is not clear at all where to do so.  A search for "android feedback" just takes you to a Google page to give feedback on their market, without any ability to add comments.  
Not very helpful.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-3312322530981245317?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/3312322530981245317/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=3312322530981245317' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3312322530981245317'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3312322530981245317'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2011/07/android-security-flaw.html' title='Android Security Flaw'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-4497817482343197727</id><published>2010-12-16T01:19:00.000-08:00</published><updated>2010-12-16T01:25:29.149-08:00</updated><title type='text'>Compliance or Information Security</title><content type='html'>Some in the information security field argue that compliance requirements like PCI and SOX are ultimately harmful to true information security, since it places so much of the focus on just meeting the requirements, rather than on really being secure.&lt;br /&gt;&lt;br /&gt;While this may be true for a limited number of organizations, I am convinced that that most companies that only take a 
"checkoff" approach to these regulations would not have strong overall information security efforts even if the compliance requirements did not exist.  In fact, I suspect that many of them would be doing much less in the area of information security.&lt;br /&gt;&lt;br /&gt;I did have someone state that PCI worked against true security at one point, though I can't remember the precise argument now.  I wasn't convinced then nor am I now.  Some of the specific requirements may be squirrely, but the overall direction is great.&lt;br /&gt;&lt;br /&gt;I do believe an organization with a strong information security practice would not have problems meeting related regulations.  They may have to do a few more things, but strong information security will already be dealing with the related concerns.&lt;br /&gt;&lt;br /&gt;I am not sure such an organization exists though, so this may just be a pipe dream!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-4497817482343197727?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/4497817482343197727/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=4497817482343197727' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4497817482343197727'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4497817482343197727'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/12/compliance-or-information-security.html' title='Compliance or Information Security'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-4222388394177235620</id><published>2010-11-30T11:20:00.000-08:00</published><updated>2010-11-30T11:24:14.122-08:00</updated><title type='text'>Defense Has Value</title><content type='html'>It is quite common to hear "defense is dead" when thinking of information security today.  This trite phrase has some truth, but is also off target in some ways.&lt;br /&gt;&lt;br /&gt;The idea of defending a single point and being "secure" is definitely dead, though it was really never alive in the first place.&lt;br /&gt;&lt;br /&gt;The idea of improving defenses to the point that your network or enterprise is harder than others to attack is a worthwhile effort and remains quite alive.&lt;br /&gt;&lt;br /&gt;Work on improving your defenses.  Don't stop because a vendor promises a tool that is a "completely new approach".  Solomon really was right, even when applied to information security.  "There is nothing new under the sun."  
:)&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-4222388394177235620?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/4222388394177235620/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=4222388394177235620' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4222388394177235620'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4222388394177235620'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/11/defense-has-value.html' title='Defense Has Value'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-2492939843918518489</id><published>2010-11-30T11:08:00.000-08:00</published><updated>2010-11-30T11:19:48.118-08:00</updated><title type='text'>Are the Threats Really Different?</title><content type='html'>I am currently watching a webinar about the current Internet threats.  One thing that immediately jumps out to me is that it doesn't really seem all that different, just more of the same.  We aren't watching actions on the systems with sensitive data sufficiently.&lt;br /&gt;&lt;br /&gt;Everyone still wants a silver bullet, a single chokepoint where we can put defenses and relax.  
While this would be a great thing to have, it doesn't exist and we need to clue in and realize that.&lt;br /&gt;&lt;br /&gt;This truth has been around for a long time; we are just now realizing it.  It is quite common to hear "perimeter defense doesn't work anymore," but I am not sure it ever really did.  It just blocked some low-level threats, which "worked" without really solving the problem.  The low-hanging fruit is always going to be the simplest and easiest.  What we consider "low-hanging" varies over time.  Thus we will always be strengthening things, but it ultimately comes back to the same thing:  Protecting systems with access to sensitive data.  The methods will get better over time.  Avoid mere vendor hype and realize this is a fact of our lives in the information security field.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-2492939843918518489?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/2492939843918518489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=2492939843918518489' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2492939843918518489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2492939843918518489'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/11/are-threats-really-different.html' title='Are the Threats Really Different?'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-662182794151051740</id><published>2010-11-23T01:14:00.000-08:00</published><updated>2010-11-23T01:17:43.786-08:00</updated><title type='text'>Getting People to Think Securely</title><content type='html'>One of the most enjoyable parts of my previous work for a large airline was working on the security awareness efforts.  While it was not as large as I would like, I did get to write up a monthly mini-article/hint/tip and I enjoyed finding ways to use real-life things to help readers be more secure in the things they did.&lt;br /&gt;&lt;br /&gt;This did take more time than I think many realized and writing effective communications is often more like creating art than performing an engineering task.  Finding the proper "muse" to express a meaningful point in the allowed space is a major challenge.&lt;br /&gt;&lt;br /&gt;I would encourage all organizations that do not have any awareness efforts to at least start copying or creating some basic awareness articles.  
SANS has some great tips as do other sources.&lt;br /&gt;&lt;br /&gt;Even small tips helping employees be safe in their own computer use can flow over to the workplace and make everyone more secure!&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-662182794151051740?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/662182794151051740/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=662182794151051740' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/662182794151051740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/662182794151051740'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/11/getting-people-to-think-securely.html' title='Getting People to Think Securely'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-2206208445322904649</id><published>2010-08-01T11:43:00.000-07:00</published><updated>2010-08-01T11:45:41.408-07:00</updated><title type='text'>Viewing Information as an Asset</title><content type='html'>One of the most important principles underlying effective information security is to get those involved to see information as a valuable item.  
Even those of us who know this have to actively work to keep ourselves properly focused on this basic fact.&lt;br /&gt;&lt;br /&gt;It is easy to get caught up with the methods and practices and forget the reason for what we are doing.  The methods and practices are very good and necessary, but we need to make sure they are properly scaled (effort/cost/etc.) to the information they are aimed at protecting!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-2206208445322904649?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/2206208445322904649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=2206208445322904649' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2206208445322904649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2206208445322904649'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/08/viewing-information-as-asset.html' title='Viewing Information as an Asset'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-6891921009410373400</id><published>2010-05-15T23:43:00.001-07:00</published><updated>2010-05-15T23:46:53.916-07:00</updated><title type='text'>Learning Security and the iPad</title><content type='html'>I just purchased an iPad.  You can see some quick comments in my companion blog &lt;a href="http://bradtalk.blogspot.com/2010/05/i-bought-ipad.html"&gt;here&lt;/a&gt;, but I wanted to comment in this blog about the interesting potential the iPad has for me as a learning tool, including in the field of information security.  Its form factor makes it much easier to take with you or view in places a traditional computer or even laptop would not be as comfortable.  I hope to be producing some tools, videos and other neat stuff in this area in the future.  
:)&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-6891921009410373400?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/6891921009410373400/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=6891921009410373400' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6891921009410373400'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6891921009410373400'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/05/learning-security-and-ipad.html' title='Learning Security and the iPad'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-8871259166422510794</id><published>2010-03-18T22:12:00.000-07:00</published><updated>2010-03-18T23:01:56.116-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='certifications'/><title type='text'>The Value of Certifications</title><content type='html'>I see two basic camps in the security realm when it comes to certifications.&lt;br /&gt;&lt;br /&gt;The first would include those with an alphabet soup behind their name.  CISSP, CISM, CISA, GSEC, GIAC, GSE, CEH, CCNA, CCIE, etc.  I suspect I could keep typing for days and not list them all.  
Organizations that promote these will definitely push the idea that they add value and validate that the holder knows something of value to an organization and is worth more.  This may or may not be true, but certifying organizations do make a substantial income from people maintaining their certifications, so they definitely have a vested interest in believing that certifications are valuable and promoting them.&lt;br /&gt;&lt;br /&gt;I would note that I am not convinced that certifications are always a cash machine, but they do fund the employment of many people, so the amounts are significant.  Those people are probably needed for solid certification programs.  This means that large sums are involved in the process, whether or not those involved make a lot of money personally.&lt;br /&gt;&lt;br /&gt;The other end of the spectrum argues that certifications are completely worthless and work experience is all that matters.  They often look with disdain on those with certifications.  They tend to view certifications as creating "paper tigers," people who can pass a test but who don't really know much practically.  I suspect having a certification is a bad thing if one of these people is in charge of the hiring process.&lt;br /&gt;&lt;br /&gt;What got me thinking on this again was an &lt;a href="http://www.owasp.org/index.php/OWASP_Podcast"&gt;OWASP podcast&lt;/a&gt; with Mark Curphey.  (Yeah, I am a little behind - the show was from last July.)  He expressed the second view and seemed to disdain certifications in general.&lt;br /&gt;&lt;br /&gt;I am in the middle of the two camps and see merit in both positions.  I have personally acquired many certifications because I felt like it, not because I wanted some letters to add to my name.  Even though experience is still more valuable, I would rate my M.S. in C.S. from Illinois (along with a B.S. in C.S. 
from their Engineering College) as far more valuable than them all, since it laid a firm groundwork for all the many things I have dug into.&lt;br /&gt;&lt;br /&gt;That said, my certifications, especially the SANS ones I hold (GSEC, GCFW, GCIH, GCIA, GPCI), helped me really master the material in this area.  My background is more in programming/development than system administration, so having studied the material for those courses has helped me absorb a lot more than I would have by just reading a book.  Of course I need to put things into practice, but that is true of anything.&lt;br /&gt;&lt;br /&gt;My main point would be: don't worship certifications, but don't disparage them out of hand either.  Don't get any if you don't see the need, but don't automatically assume someone with several is really incompetent either!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-8871259166422510794?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/8871259166422510794/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=8871259166422510794' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8871259166422510794'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8871259166422510794'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/03/are-certifications-really-worthless.html' title='The Value of Certifications'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-1167554821514269723</id><published>2010-03-18T22:07:00.000-07:00</published><updated>2010-03-18T22:12:30.028-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='disgruntled'/><category scheme='http://www.blogger.com/atom/ns#' term='remote'/><category scheme='http://www.blogger.com/atom/ns#' term='inside threat'/><title type='text'>The Insider Threat to Drivers</title><content type='html'>This article shows that the human element is always going to be a major factor in any overall security stance.  A disgruntled downsized employee used a former coworker's account to access a system for tracking and disabling cars, the kind now used frequently by "buy here, pay here" auto dealers.  A bunch of people had cars that would not start until this was resolved.  It kind of makes you concerned about what the future could hold as we place more and more computerized control devices in cars and other electronic equipment.&lt;br /&gt;&lt;br /&gt;http://www.dailytech.com/Disgruntled+Former+Employee+Wirelessly+Bricks+100+Cars+in+Texas/article17918.htm&lt;br /&gt;&lt;br /&gt;I am reminded of a recent OnStar commercial where they remotely disable a stolen car so the police can catch it.  While that sounds great, what would happen if a disgruntled employee got access to that system?  It is very important that we make sure companies with that kind of control have very secure development processes.  
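One such development-process control, as an added example that is not code from the original post or from any company it mentions: a gate in front of the remote-disable operation that caps how many vehicles one account can disable inside a sliding window, requires a second active approver once a small number has been reached, refuses accounts that are no longer active, and records every decision, granted or denied. The immobiliser backend, the policy numbers and the account names are assumptions made for the example.

```python
"""Limit how much damage one account can do with a bulk 'disable' capability.

Added example, not code from the original post or from any vendor's system.
Assumed design (a hypothetical remote-immobiliser backend): every disable
request names the actor and a vehicle; policy is a per-actor cap inside a
sliding window, a lower threshold after which a second active approver is
required, and a set of active accounts so a departed employee's own login
is refused. Every decision is appended to an audit log.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class DisablePolicy:
    window_seconds: int = 3600      # sliding window for counting disables
    per_actor_limit: int = 5        # hard cap per actor per window
    dual_control_after: int = 2     # beyond this many, a second approver is needed


@dataclass
class DisableGate:
    policy: DisablePolicy
    active_accounts: set            # accounts still employed and authorised
    history: dict = field(default_factory=lambda: defaultdict(deque))
    audit: list = field(default_factory=list)

    def _prune(self, actor, now):
        """Drop timestamps older than the window; return how many remain."""
        q = self.history[actor]
        while q and now - q[0] >= self.policy.window_seconds:
            q.popleft()
        return len(q)

    def request_disable(self, actor, vehicle_id, now, approver=None):
        """Return (allowed, reason). Denials are logged just like grants."""
        if actor not in self.active_accounts:
            return self._decide(actor, vehicle_id, now, False, "inactive account")
        recent = self._prune(actor, now)
        if recent >= self.policy.per_actor_limit:
            return self._decide(actor, vehicle_id, now, False, "per-actor limit reached")
        if recent >= self.policy.dual_control_after:
            # Approver must be a different, still-active account.
            if approver is None or approver == actor or approver not in self.active_accounts:
                return self._decide(actor, vehicle_id, now, False, "second approver required")
        self.history[actor].append(now)
        return self._decide(actor, vehicle_id, now, True, "ok")

    def _decide(self, actor, vehicle_id, now, allowed, reason):
        self.audit.append({"t": now, "actor": actor, "vehicle": vehicle_id,
                           "allowed": allowed, "reason": reason})
        return allowed, reason


def demo():
    """Constructed scenario: 'alice' and 'carol' are active, 'bob' was downsized."""
    gate = DisableGate(DisablePolicy(), active_accounts={"alice", "carol"})
    results = []
    # A departed employee's own account is refused outright.
    results.append(gate.request_disable("bob", "VIN-001", now=0)[1])
    # First two disables by an active user go through unassisted.
    results.append(gate.request_disable("alice", "VIN-002", now=10)[1])
    results.append(gate.request_disable("alice", "VIN-003", now=20)[1])
    # Third in the same hour needs a second, different, active approver.
    results.append(gate.request_disable("alice", "VIN-004", now=30)[1])
    results.append(gate.request_disable("alice", "VIN-004", now=31, approver="alice")[1])
    results.append(gate.request_disable("alice", "VIN-004", now=32, approver="carol")[1])
    return results
```

The gate does not stop someone who knows a coworker's password from acting as that coworker; what it does is bound the blast radius of any single account and make a hundred-car outage impossible without a second person signing off, which is the point the post is making.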
In this case, limiting how many vehicles a single account could disable in a short period (a per-account cap, with a second person approving anything beyond it) would have been a reasonable design constraint and would have contained the damage in a case like this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-1167554821514269723?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/1167554821514269723/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=1167554821514269723' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1167554821514269723'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1167554821514269723'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/03/insider-threat-to-drivers.html' title='The Insider Threat to Drivers'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-2880447843152533163</id><published>2010-02-06T21:49:00.000-08:00</published><updated>2010-02-06T21:57:23.344-08:00</updated><title type='text'>Sausage and Security Standards</title><content type='html'>Most of us have heard the statement that you never want to see two things being made: sausage or laws.  
Both are quite revolting when you get a close look at the process.&lt;br /&gt;&lt;br /&gt;I would probably add security standards to that list.  I got to spend most of this week working with a standards group that was doing just that.  This was my second time attending their meetings and while I found it very interesting, it is definitely a messy process.&lt;br /&gt;&lt;br /&gt;People can very easily get on each other's nerves in such an atmosphere, though I did find everyone remarkably cordial overall.  Much of the week was outside my direct area of interest and the part that really fit my background seemed to get a bit bogged down in issues I was not as passionate about.&lt;br /&gt;&lt;br /&gt;That said, I am still planning on attending the next meeting.  I am working with a friend toward a valuable goal in this area and think it is both worth my time to go and a good part of my own learning process.&lt;br /&gt;&lt;br /&gt;I do hope to be even more informed before my next meeting, though others have told me this is the normal pattern.  The first few meetings you just listen and learn.  Then, as you get more comfortable and can put more of the pieces together, you can be more involved in the debate/discussion/coordination.&lt;br /&gt;&lt;br /&gt;Worth checking out if you are interested, but I will warn you that it can be boring!  It can also be scary if you think of how the many good standards we rely on must have been made....  
:)&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-2880447843152533163?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/2880447843152533163/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=2880447843152533163' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2880447843152533163'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2880447843152533163'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/02/sausage-and-security-standards.html' title='Sausage and Security Standards'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-2500521936206502464</id><published>2010-01-26T04:55:00.000-08:00</published><updated>2010-01-26T05:42:14.806-08:00</updated><title type='text'>More Secure with Age?</title><content type='html'>I was reading a column from CIO Insight magazine last night that made a very good point.  The context was testing, but it applies to security as well.  
In &lt;a href="http://www.cioinsight.com/c/a/Opinion/Testing-Testing-453439/"&gt;Testing, Testing&lt;/a&gt;, John Parkinson discusses how complex today's systems are and why that means testing can never cover the entire system in the time allowed.  His main point was that good practices up front are far more important than trying to find problems later.&lt;br /&gt;&lt;br /&gt;This certainly applies to secure development as well.  It is much better if we actively design systems to be secure than if we go through them later and try to test for all possible security vulnerabilities.  Getting to this state is much harder than it sounds though, since most developers primarily focus on getting things to work, not giving much thought to making them secure, since that is often not even covered in the requirements.  Developers aim at what they are measured on, and companies are only at the start of doing a good job integrating security as part of the requirements of new systems.&lt;br /&gt;&lt;br /&gt;So far so good.  This is the common message of those working in the secure development area today and it is even starting to take hold, though we have a long way to go.&lt;br /&gt;&lt;br /&gt;He made one good point that jumped out at me.  He noted that we commonly think that code that has been around a long time is more robust, since no problems have been found.  This attitude is wrong though!  Older code gets patched repeatedly during its life and those patches can have unexpected impacts on the system.  Testing of a change rarely covers as much of the system as testing of a brand new system does.  Thus the older system is much more likely to have undiscovered problems.&lt;br /&gt;&lt;br /&gt;The same is true with security.  We think systems that have been around a long time and that have not been breached are secure, but all the ongoing changes are more likely to have introduced security vulnerabilities we don't know about.  
Older systems are not necessarily more secure, even if we haven't found the problems yet!&lt;br /&gt;&lt;br /&gt;This is certainly not a comforting thought, though it makes a lot of sense.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-2500521936206502464?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/2500521936206502464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=2500521936206502464' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2500521936206502464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2500521936206502464'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/01/more-secure-with-age.html' title='More Secure with Age?'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-1153071092785004100</id><published>2010-01-07T01:05:00.000-08:00</published><updated>2010-01-07T01:14:48.964-08:00</updated><title type='text'>Making Security a Game</title><content type='html'>One of the things I enjoy doing is playing Euro games.  
These are games like &lt;a href="http://boardgamegeek.com/boardgame/13/the-settlers-of-catan"&gt;The Settlers of Catan&lt;/a&gt; and &lt;a href="http://boardgamegeek.com/boardgame/9209/ticket-to-ride"&gt;Ticket to Ride&lt;/a&gt; (though they can get more complex).  These are generally fairly easy to learn, with rules closer to &lt;a href="http://boardgamegeek.com/boardgame/1406/monopoly"&gt;Monopoly&lt;/a&gt; than to the older, more complicated wargames I grew up with (from Avalon Hill, SPI and such).  These games also almost always have good &lt;i&gt;fiddly bits&lt;/i&gt; that make playing an enjoyable tactile as well as mental experience.&lt;br /&gt;&lt;br /&gt;I have been thinking that this would be a great format to teach people about information security, especially the basic principles.  While I have not had the dedicated time to take this beyond some initial thoughts, figuring out how to make it fun and interesting, while keeping it accurate, is a big challenge.&lt;br /&gt;&lt;br /&gt;I realize that someone else could take this and make their own game, but that would be great for me.  If it is any good, I would be sure to buy it!&lt;br /&gt;&lt;br /&gt;Otherwise, I am going to keep thinking about this and seeing what I can think up.  
Having experience with many of the games on the site I linked to should give me some ideas on mechanics that might work, so I should just have to figure out how to put it all in a fun format that accomplishes my learning goal, hopefully without people realizing that is even a goal!&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-1153071092785004100?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/1153071092785004100/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=1153071092785004100' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1153071092785004100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1153071092785004100'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/01/making-security-game.html' title='Making Security a Game'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-4801741944931373264</id><published>2010-01-06T01:54:00.000-08:00</published><updated>2010-01-06T02:07:16.688-08:00</updated><title type='text'>What Does It Mean to Be Secure?</title><content type='html'>That is a key question we must address in our attempts to seek security for the information we work with. 
 Knowing where you are going, or at least having a good idea what you are aiming at, is an important part of knowing when you are there.&lt;br /&gt;&lt;br /&gt;How many really have an idea of what they are aiming for in their information security programs?  Of course "compliance" or "meeting outside requirements" is a powerful driver in some form for many.  I haven't seen many, outside of information security professionals, who wanted to make things secure "because it was the right thing to do."  &lt;br /&gt;&lt;br /&gt;If compliance is the goal, then information security will be pushed aside once management thinks they have reached the checkoff.  Even if the checkoff is not a spoken goal, other needs will take priority, making the checkoff the goal in effect.&lt;br /&gt;&lt;br /&gt;A better approach is to raise awareness, especially in management, of the value, and therefore the desirability, of secure operations.  While this will still not be a "get there and rest" goal, it will help keep the motivation for work up over the long run, rather than just lasting long enough to reach the compliance doorknob.&lt;br /&gt;&lt;br /&gt;Yes, information security is a process, not a goal, but we all work toward goals, not processes.  
We need to make sure everyone has a better goal in mind if we want to keep the process going.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-4801741944931373264?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/4801741944931373264/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=4801741944931373264' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4801741944931373264'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4801741944931373264'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2010/01/what-does-it-mean-to-be-secure.html' title='What Does It Mean to Be Secure?'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-2403401893526986329</id><published>2009-12-15T11:35:00.000-08:00</published><updated>2009-12-15T11:41:12.350-08:00</updated><title type='text'>Getting Management to Understand the Principles of Information Security</title><content type='html'>I teach information security classes at the college level and one of the things that always comes up is the need to get management to understand the necessity and value of information security.  
At a root level, it is vitally important for management to understand the core principle - that information is an asset and needs to be protected as such.&lt;br /&gt;&lt;br /&gt;I am convinced that many leaders have not really understood this principle.  They often do more to protect the office furniture in their organization than they do the social security numbers of employees!  While some may do this intentionally, I think most do it out of ignorance, since they don't really realize how valuable some information is.&lt;br /&gt;&lt;br /&gt;While the cost of protecting information can get high, many simple things are completely "free."  That would include not using SSNs (or the last 4 digits of an SSN) as a default password or reset code for an internal system.  An SSN is not a secret: other systems already hold it, it is often stored somewhere in plaintext, and it cannot be changed once it leaks.&lt;br /&gt;&lt;br /&gt;I am on a quest to educate management in this, though I have to figure out how to get through to them.  That is the $64,000 question, as they used to say (based on the old game show).  
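The "free" fix above, as an added example that is not code from the original post: issue a random, short-lived, single-use reset code and store only a salted hash of it, so nothing derived from an SSN is used and a copy of the table does not yield working codes. The in-memory store layout, the 15-minute lifetime and the user id are assumptions made for the example.

```python
"""Issue and verify a one-time reset code instead of an SSN-derived default.

Added example, not from the original post. Assumes a hypothetical internal
app that keeps one record per outstanding code. Only a salted hash of the
code is stored, so a leaked table does not reveal usable codes, and each
code is short-lived and burned on first successful use.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumption: reset codes expire after 15 minutes


def _hash_code(code, salt):
    """Slow, salted hash so a stolen record cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_reset_code(store, user_id, now=None):
    """Create a random code for user_id; return it for out-of-band delivery."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)          # 192 random bits, not guessable
    salt = secrets.token_bytes(16)
    store[user_id] = {"salt": salt, "digest": _hash_code(code, salt),
                      "expires": now + CODE_TTL_SECONDS, "used": False}
    return code


def verify_reset_code(store, user_id, presented, now=None):
    """True exactly once, for the right code, before expiry."""
    now = time.time() if now is None else now
    rec = store.get(user_id)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    # Constant-time comparison of the stored and recomputed digests.
    ok = hmac.compare_digest(rec["digest"], _hash_code(presented, rec["salt"]))
    if ok:
        rec["used"] = True            # single use: burn on first success
    return ok
```

Everything here comes from the standard library, which is the sense in which the fix is free; the only operational cost is delivering the code over a channel the user controls rather than printing it on an internal screen.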
How can you get an audience with them and then make them see the importance of the basics of securing information, using terms and phrasing they can relate to and that are compelling?&lt;br /&gt;&lt;br /&gt;Hopefully I can work more of that into my future efforts.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-2403401893526986329?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/2403401893526986329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=2403401893526986329' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2403401893526986329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/2403401893526986329'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/12/getting-management-to-understand.html' title='Getting Management to Understand the Principles of Information Security'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-7985186832988439090</id><published>2009-10-13T00:51:00.000-07:00</published><updated>2009-10-13T01:03:32.392-07:00</updated><title type='text'>Which is Easier?</title><content type='html'>I am way behind on my security podcast listening and I just listened to an OWASP podcast that discussed Gunnar Peterson's post recommending the book &lt;a href="http://www.amazon.com/Patterns-Enterprise-Application-Architecture-Martin/dp/0321127420"&gt;Patterns of Enterprise Application Architecture&lt;/a&gt; by Martin Fowler.  A former manager who is now an enterprise architect thought it was a good book, but it was interesting to see it recommended by a security professional.&lt;br /&gt;&lt;br /&gt;This raised the thought in my mind about whether it is easier for a developer to learn security or for a security professional to learn development.  I am definitely biased (since I come from a strong development background), but I think training a developer in security is easier.  I have taught so many programming classes where people struggled with simple loops and conditional structures that I am convinced it takes a particular mindset to understand development.&lt;br /&gt;&lt;br /&gt;I do have a hard time understanding how people can't understand it, since I took right to it, but I know not everyone finds it as straightforward as I did.  It is like the struggles I had with chemistry lab in college.  I did well, but I never could get the results within the "A" range (though I could ace the tests) no matter how much effort I put into it.  Physical chemistry is not my strength.  
In the same way, some people struggle with understanding key programming concepts.&lt;br /&gt;&lt;br /&gt;I did have some experience with system administration; including work on Mac, Windows and Unix, though I never worked as a sysadmin.  Putting in your own ISDN line did take some technical chops, since it required so much manual configuration at the time, so perhaps I am not the "pure developer" I think.&lt;br /&gt;&lt;br /&gt;Interesting question, though we probably need to focus on training developers on security regardless, since a lot more developers are out there.  We don't have enough security people to go around to get really strong application security, if we can ever reach that goal as a society.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-7985186832988439090?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/7985186832988439090/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=7985186832988439090' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/7985186832988439090'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/7985186832988439090'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/10/which-is-easier.html' title='Which is Easier?'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-3053728054212411608</id><published>2009-09-25T10:15:00.000-07:00</published><updated>2009-09-25T10:19:10.266-07:00</updated><title type='text'>Independent Security Researcher</title><content type='html'>At the end of August I took a generous buyout package from my employer and I am now an independent security researcher, whatever that means.  I am planning on focusing on development security, since that fits really well with my background, but I am also quite interested in compliance issues and I believe my PCI experience is worth using in the marketplace today.&lt;br /&gt;&lt;br /&gt;I am not looking for anything specific now, enjoying a slightly longer break than I have had in some time, but I am now starting to dig into things.  I plan on doing some work with OWASP in some manner, but let me know if you have an ideal opportunity.&lt;br /&gt;&lt;br /&gt;I would love to get my PhD now, so also let me know if you know of a good place I could craft a unique program, learn some more, contribute and have fun.  
I am hoping to not relocate from the Dallas area anytime soon, but I am open to travel as needed.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-3053728054212411608?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/3053728054212411608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=3053728054212411608' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3053728054212411608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3053728054212411608'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/09/independent-security-researcher.html' title='Independent Security Researcher'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-936637312678470804</id><published>2009-09-25T10:10:00.000-07:00</published><updated>2009-09-25T10:15:34.840-07:00</updated><title type='text'>CISM Passed</title><content type='html'>I took this test in June and I was not at all sure I passed.  The questions are much less clear cut than I prefer, carrying a lot of thought underneath what is written.  At least that is my opinion.  
&lt;br /&gt;&lt;br /&gt;My CISM test reminded me of a Probability and Statistics test I took in college.  I had gotten A grades in math through Differential Equations prior to that, so math was not the problem (for me).  I was just having a harder time wrapping my mind around the concepts in the class, which went beyond basic "rolls of the die" probability.  I came out of a 4 question test knowing I missed 2 questions and feeling I had only partially passed 1.  I figured I failed my first math test.  I ended up getting a B on the test, likely because everyone else struggled.&lt;br /&gt;&lt;br /&gt;That is what my CISM felt like.  I passed, even though it didn't feel like I would at the time.  Lots of people knew I would do well, since passing tests is fairly easy for me, but I suspect it is my hatred of not doing excellently that threw me off.  :)&lt;br /&gt;&lt;br /&gt;Now I just need to get all the paperwork into them.  I was waiting for confirmation of my degree, which I just got in a letter from my college.  
I will get that out soon and just have to wait for everything to process.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-936637312678470804?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/936637312678470804/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=936637312678470804' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/936637312678470804'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/936637312678470804'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/09/cism-passed.html' title='CISM Passed'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-1137134622067910823</id><published>2009-09-25T10:08:00.000-07:00</published><updated>2009-09-25T10:10:41.426-07:00</updated><title type='text'>I Passed My GCIA Exam!</title><content type='html'>It took me much longer than it should have, but the wait was worthwhile!  I still want to master the material more, but I scored a 94% on the test!&lt;br /&gt;&lt;br /&gt;I am now studying for the G7799 and GSNA, which I got the books for almost 2 years ago.  
I think they should be up to date enough to pass the test and I want to get that wrapped up.  Hopefully I can challenge the GSE-C next year, but that depends on whether it is offered or not.  :)&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-1137134622067910823?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/1137134622067910823/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=1137134622067910823' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1137134622067910823'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1137134622067910823'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/09/i-passed-my-gcia-exam.html' title='I Passed My GCIA Exam!'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-289247491185111716</id><published>2009-06-13T14:17:00.000-07:00</published><updated>2009-06-13T14:22:56.875-07:00</updated><title type='text'>Took the CISM Today!</title><content type='html'>I took the CISM today.  I almost had a "stupid tax" and would remind everyone to sign up for the CISA/CISM/CGEIT with your name exactly as it is on your government ID.  
I go by my middle name and that almost bit me for the test.  Fortunately, I passed the ID check fine.&lt;br /&gt;&lt;br /&gt;The test itself is a real pain.  I primarily used the computer-based questions they sell.  I was doing really well on those prior to the test, but the test has so many that are fairly different that it is dangerous to rely just on those.&lt;br /&gt;&lt;br /&gt;In fact, I found many of the questions to be very vague and hard to nail down.  My experience with the computer-based questions was that they sometimes leave clarifying words out, making for a fuzzy meaning at times.  I learned which questions did this, but several on the real test seemed to repeat this pattern, making this a very frustrating experience.&lt;br /&gt;&lt;br /&gt;This makes me uncertain whether I passed or not.  I finished it in less than 2 hours, but I was uncertain about enough of them that I am not sure how well I did.  I could see just going on either side of the pass and fail line or failing spectacularly based on my trouble with reading their intent with many of the questions.&lt;br /&gt;&lt;br /&gt;In addition to the fuzziness, I found that I disagreed with some of the questions in the computer practice.  
I hope I had their mindset when I was taking the test today, but I am not sure.&lt;br /&gt;&lt;br /&gt;Blech.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-289247491185111716?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/289247491185111716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=289247491185111716' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/289247491185111716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/289247491185111716'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/06/took-cism-today.html' title='Took the CISM Today!'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-8292456942170252166</id><published>2009-06-06T23:39:00.000-07:00</published><updated>2009-06-06T23:43:10.717-07:00</updated><title type='text'>I Helped Someone Earn Their GSEC Certification!</title><content type='html'>I was very excited to find out recently that one of the students in my SANS SEC 401 class passed the GSEC certification that is tied to the course!  
While I loved our interaction throughout the course, it is great to know that not only did we all learn something over the course of our time together, someone learned enough to earn a very challenging certification!&lt;br /&gt;&lt;br /&gt;I won't announce their name here, but I would say an open congratulations and encourage everyone else to consider that same path.  The course material is great by itself, but studying for the certification is a great way to solidify the material and also earn something to prove your knowledge at the same time!&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-8292456942170252166?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/8292456942170252166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=8292456942170252166' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8292456942170252166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8292456942170252166'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/06/i-helped-someone-earn-their-gsec.html' title='I Helped Someone Earn Their GSEC Certification!'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-4619570179048420348</id><published>2009-06-06T23:36:00.000-07:00</published><updated>2009-06-06T23:39:54.449-07:00</updated><title type='text'>SANS 401 - Security Essentials - Mentored Course in December 2009</title><content type='html'>While it is not completely official yet, I believe I will be doing another SANS Mentored class covering their Security Essentials material late this 2009 and early 2010.  It is great material that covers things anyone working in the information security field should know.&lt;br /&gt;&lt;br /&gt;Contact me if you live in the Dallas-Fort Worth area and would be interested in attending this course.  Also let me know if you have a group that would be interested in a more custom approach.  
I would be open to doing a more targeted class once I am back on my own in the fall!&lt;br /&gt;&lt;br /&gt;This stuff is fun and I love working with others to master it.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-4619570179048420348?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/4619570179048420348/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=4619570179048420348' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4619570179048420348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4619570179048420348'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/06/sans-401-security-essentials-mentored.html' title='SANS 401 - Security Essentials - Mentored Course in December 2009'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-7514997863884601879</id><published>2009-06-06T23:31:00.000-07:00</published><updated>2009-06-06T23:36:40.400-07:00</updated><title type='text'>I Will Be Striking Out On My Own</title><content type='html'>I probably haven't written enough here for anyone to really care, but I have decided to take a buyout/departure offer from my current employer and it looks like I will be back to working for myself/RBA Communications as of this September.  I will be figuring out my exact path along the way, but I expect it will include a lot of work on Secure development and especially secure code review.  In fact, I think this is an area I am going to start really pursuing in depth.&lt;br /&gt;&lt;br /&gt;I know I am not the only one in that area, but it fits well with my background in both development and now information security/secure development.  It is an area that really needs solid evangelization, instruction and understanding.  Since I really do well at communicating, this should be a good fit!&lt;br /&gt;&lt;br /&gt;I will be writing more about this in the coming weeks.  I am not sure how much posting I will be doing before September, but I am going to try and build up toward very regular advancement of the subject by that point.&lt;br /&gt;&lt;br /&gt;I certainly don't claim to be the only voice in the field, but it looks like one that I can be really good at, so it is my aimpoint for now.  
:)&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-7514997863884601879?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/7514997863884601879/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=7514997863884601879' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/7514997863884601879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/7514997863884601879'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/06/i-will-be-striking-out-on-my-own.html' title='I Will Be Striking Out On My Own'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-5029183235206092608</id><published>2009-05-10T23:26:00.001-07:00</published><updated>2009-05-10T23:28:20.300-07:00</updated><title type='text'>CSSLP for Me!</title><content type='html'>I don't think I have mentioned it here yet:  I qualified for the CSSLP, the new secure development cert from ISC2, the "makers" of the CISSP.  (I still need to get going on that.  
Too many SANS certs have gotten in the way....)&lt;br /&gt;&lt;br /&gt;Whether it is worthwhile may be questionable, but I figure it fits a significant part of what I am working on now (secure development) and is worth adding to my list.&lt;br /&gt;&lt;br /&gt;Now I finally have to keep track of all the CPEs for ISSA and other such meetings!&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-5029183235206092608?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/5029183235206092608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=5029183235206092608' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/5029183235206092608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/5029183235206092608'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/05/csslp-for-me.html' title='CSSLP for Me!'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-5022398165758019157</id><published>2009-05-03T19:42:00.000-07:00</published><updated>2009-05-03T19:48:33.512-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='OWASP'/><title type='text'>OWASP Source Code Flaws Top 10 Project</title><content type='html'>I have made my first contribution to OWASP!  I tweaked the language for the &lt;a href="http://www.owasp.org/index.php/OWASP_Source_Code_Flaws_Top_10_Project_Index"&gt;OWASP Source Code Flaws Top 10 Project &lt;/a&gt; last week.  I came across this while following the general OWASP Code Review email list and figured I could help make it read better.  It feels a bit arrogant to say, "I know how to say it better," but I believe that is the way things work.&lt;br /&gt;&lt;br /&gt;I haven't heard anything either way, but I am assuming it is OK.  
:)&lt;br /&gt;&lt;br /&gt;Hopefully this is the start of a good trend!&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-5022398165758019157?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/5022398165758019157/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=5022398165758019157' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/5022398165758019157'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/5022398165758019157'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/05/owasp-source-code-flaws-top-10-project.html' title='OWASP Source Code Flaws Top 10 Project'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-1249164484553013963</id><published>2009-05-03T19:36:00.001-07:00</published><updated>2009-05-03T19:42:33.013-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='career'/><title type='text'>A Security Career</title><content type='html'>I have been thinking more about the future career options I have.  I don't want to move now, but I want to make sure I am ready for whatever I do want to go in the future.  
It is a common problem in any field:  Once you get near the top you have a harder time advancing further.&lt;br /&gt;&lt;br /&gt;Some career paths are obvious.  If you want to go into a specific operation security area, like network security or related things, you should probably focus on enhancing the skills that help you be better at whatever you are doing.&lt;br /&gt;&lt;br /&gt;Unfortunately, I didn't come to security from the sysadmin route.  I had over 20 years of software development (and general analysis) before I started full time in information security.  This may be placing me really well for working in the growing area of application security, but even that has a lot of possible different focus areas.&lt;br /&gt;&lt;br /&gt;I am also very interested in risk, compliance, policy and security awareness.  While these all could relate to development security, they are not necessarily tied to that.  Figuring out the route is my challenge now.  I want to know everything, but I can only learn so many things.&lt;br /&gt;&lt;br /&gt;This is not as refined as I would like, but I wanted to put out some thoughts to build on later.  
I plan on writing about this more and I have thought of working in this area with either the local ISSA chapter or OWASP.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-1249164484553013963?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/1249164484553013963/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=1249164484553013963' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1249164484553013963'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1249164484553013963'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/05/security-career.html' title='A Security Career'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-1934603875388107471</id><published>2009-04-11T00:15:00.000-07:00</published><updated>2009-04-11T00:23:54.727-07:00</updated><title type='text'>The Value of Certifications</title><content type='html'>If you want some entertainment, look at the arguments against certifications in the information security field.  
I can completely understand someone not wanting to pursue a certification, but not the open hostility they generate, including toward the classic information security certification, the CISSP.  People are belligerent in many cases against those who achieve them as well.&lt;br /&gt;&lt;br /&gt;The arguments usually boil down to whether you would hire someone who has experience or someone with a certification.  While this might be a valid question, it is a very incomplete one.  It leaves out those with both, as well as avoiding any serious discussion of those with different strengths in each.&lt;br /&gt;&lt;br /&gt;I am an interesting example of this.  I have been in software development for over 20 years, though I only came into information security full time 3 years ago.  I knew many of the core principles and topics, but I did not have a comprehensive foundation.  Studying for the SANS/GIAC certifications I have achieved so far (GSEC, GCFW, GCIH, GPCI) has helped me not only get good training, but reinforce the principles in the training.  &lt;br /&gt;&lt;br /&gt;Do the certifications prove anything by themselves?  Of course not, but they were quite useful and showed that I did master the material to at least some extent.  They don't prove I would be an expert on everything, but they show that I do know at least a few things.&lt;br /&gt;&lt;br /&gt;While I am usually quite confident in my own skills and abilities, I am not dumb enough to think I know everything.  
I try to let my actions prove my knowledge and abilities, rather than relying on something "on paper" to do that.&lt;br /&gt;&lt;br /&gt;I am quite proud of having gotten a Computer Science degree from Illinois and I have used that in interviews, but even that is just an outward item that must be backed up by my own performance.&lt;br /&gt;&lt;br /&gt;I will write more later, but I thought this was worth noting.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-1934603875388107471?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/1934603875388107471/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=1934603875388107471' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1934603875388107471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1934603875388107471'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2009/04/value-of-certifications.html' title='The Value of Certifications'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-3604486656309526694</id><published>2008-11-11T22:08:00.000-08:00</published><updated>2008-11-11T22:15:29.377-08:00</updated><title type='text'>GCIH Conquered!</title><content type='html'>My best score yet!  A 97% on the &lt;a href="http://www.giac.org/certifications/security/gcih.php"&gt;GCIH&lt;/a&gt; exam!&lt;br /&gt;&lt;br /&gt;I think that having taken the &lt;a href="http://www.giac.org/certifications/security/gcfw.php"&gt;GCFW&lt;/a&gt; less than a month before certainly helped since both courses have a lot of overlap.  I certainly questioned having taken them both that close together, but it ultimately worked out really well.&lt;br /&gt;&lt;br /&gt;Now I am studying for the rest of the requirements for the GSE-C platinum level exam.  I want to reach that before taking a break and keeping my focus on that while it remains fresh in my head is a good idea.&lt;br /&gt;&lt;br /&gt;I don't currently face any deadlines though, since I haven't paid for the challenges yet.  Ironically, not having that pressure can make it more challenging to keep things at a high priority.  I am going to finish the other two (&lt;a href="http://www.giac.org/certifications/audit/g7799.php"&gt;G7799&lt;/a&gt; and &lt;a href="http://www.giac.org/certifications/audit/gsna.php"&gt;GSNA&lt;/a&gt;) this year though, if at all possible!&lt;br /&gt;&lt;br /&gt;I plan on working on the gold papers after I clear those out of the way.  I have already started the shell of one (on secure development).  I figure I can find someplace to publish it if the topic isn't accepted.  
One key thing will be limiting myself to just 4 papers.  :)&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-3604486656309526694?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/3604486656309526694/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=3604486656309526694' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3604486656309526694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/3604486656309526694'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/11/gcih-conquered.html' title='GCIH Conquered!'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-4816287681558199857</id><published>2008-11-04T22:13:00.000-08:00</published><updated>2008-11-04T22:15:06.172-08:00</updated><title type='text'>How to Learn it All?</title><content type='html'>The biggest challenge I am facing now is that I am trying to learn everything, a definite impossibility.  I have gotten a big urge to know many different useful things, but I only have so many hours in the day.  
Balancing this all out is turning out to be a serious challenge!&lt;br /&gt;&lt;br /&gt;I would rather have this challenge than one of apathy though, so I will keep working it.  Ironically, it can be frustrating at times.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-4816287681558199857?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/4816287681558199857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=4816287681558199857' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4816287681558199857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/4816287681558199857'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/11/how-to-learn-it-all.html' title='How to Learn it All?'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-6241421734224279142</id><published>2008-11-01T17:30:00.000-07:00</published><updated>2008-11-01T17:36:14.692-07:00</updated><title type='text'></title><content type='html'>I have been listening through the &lt;a href="http://owasp.tv"&gt;OWASP 2008&lt;/a&gt; session videos recently and some of it is downright scary.  
I would have to agree with Ed Skoudis, a SANS instructor, who noted in a class I listened through (SEC 504) that this is the Golden Age of Hacking.  The OWASP video was talking about a new phishing engine someone was creating.  While this could be great for testing, it has a lot of things that would make it a powerful tool in the hands of script kiddies and even those with more experience.&lt;br /&gt;&lt;br /&gt;It is kind of like the &lt;a href="http://www.metasploit.com/"&gt;Metasploit Framework&lt;/a&gt;.  It is a powerful tool for doing harm on systems, but it can also be used to test your own systems for possible vulnerabilities.  I am not a pen tester, so perhaps these tools scare me even more.  Still, it is better to know what is out there than to have the only tools circulate with only the bad guys knowing what is going on.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-6241421734224279142?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/6241421734224279142/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=6241421734224279142' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6241421734224279142'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6241421734224279142'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/11/i-have-been-listening-through-owasp.html' title=''/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-6069351615051421100</id><published>2008-10-28T18:10:00.000-07:00</published><updated>2008-10-28T18:13:21.673-07:00</updated><title type='text'>Another SANS Certification Complete!</title><content type='html'>I forgot to post earlier, but earlier this month I completed my GIAC GCFW certification.  I am currently aiming at the GSE-C (and possibly the GSE), so this is one step along the way.  Now I am jamming the GCIH material in my head that I had in a Community SANS even earlier this year.&lt;br /&gt;&lt;br /&gt;BTW, I will be leading a mentored SEC 401 (GSEC) class in the Dallas area starting in December.  Check the SANS site for more details if you are interested in attending.  You will get my focused attention over a 10 week period to help you learn a wide range of great basic security information!  The course really does live up to its Security Basics title.&lt;br /&gt;&lt;br /&gt;I recommend it even if you can't take it from me.  
:)&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-6069351615051421100?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/6069351615051421100/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=6069351615051421100' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6069351615051421100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6069351615051421100'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/10/another-sans-certification-complete.html' title='Another SANS Certification Complete!'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-8136854928687563205</id><published>2008-10-28T18:07:00.000-07:00</published><updated>2008-10-28T18:09:57.461-07:00</updated><title type='text'>OWASP 2008 New York Conference Online</title><content type='html'>OWASP recently published the full set of videos, accessible via their website at http://www.owasp.tv.  I didn't get to attend this year, but I have enjoyed listening to a few of the sessions so far.  One was a bit slow, but overall I am glad I can listen to them at no cost!  
They are posted in both Flash and iPod (mp4) format.&lt;br /&gt;&lt;br /&gt;I highly recommend watching or listening to them, with the latter probably being the best.  You do miss the slides, but a talking head is not all that entertaining.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-8136854928687563205?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/8136854928687563205/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=8136854928687563205' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8136854928687563205'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8136854928687563205'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/10/owasp-2008-new-york-conference-online.html' title='OWASP 2008 New York Conference Online'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-8022814376544198206</id><published>2008-10-28T18:05:00.000-07:00</published><updated>2008-10-28T18:07:37.352-07:00</updated><title type='text'>OCC Bulletin on Application Security</title><content type='html'>The US Office of the Comptroller of the Currency recently released a bulletin on application security:  http://occ.treas.gov/ftp/bulletin/2008-16.html.  It is written more in business language than in tech speak, so it may be good to run by your business counterparts.&lt;br /&gt;&lt;br /&gt;One drawback is that it is aimed at financial institutions, but the points it makes are applicable to any company writing/using custom applications!&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-8022814376544198206?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/8022814376544198206/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=8022814376544198206' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8022814376544198206'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8022814376544198206'/><link rel='alternate' type='text/html' 
href='http://bradonsecurity.blogspot.com/2008/10/occ-builletin-on-application-security.html' title='OCC Bulletin on Application Security'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-6806745386206328568</id><published>2008-06-21T22:03:00.001-07:00</published><updated>2008-06-21T22:09:41.904-07:00</updated><title type='text'>I Don't Want to Be an Auditor!</title><content type='html'>Audits are fun things.  I have been sitting in on parts of an audit to meet government requirements for the past two weeks and it has reinforced that I don't really want to go over to that side of the fence.&lt;br /&gt;&lt;br /&gt;In some ways, it is funny watching the process, as some auditors find ways to make black and white rules to evaluate somewhat vague requirements.  I had thought PCI requirements were vague at one point, but these have even more areas where they could use clarity.  At least we have the auditor's notes version with the PCI standard, but these were missing even that.&lt;br /&gt;&lt;br /&gt;It does demonstrate that sometimes such audits are needed to get the necessary pressure to do all the right things.  Getting strong security in place is a big challenge in many areas.  No one wants to be insecure, but people often don't realize it until they have the shortcomings put forth so clearly.&lt;br /&gt;&lt;br /&gt;An unfortunate part of this is that the requirements being evaluated are not always clear.  
While auditors deal with the black and white I mentioned above, the requirements don't always clarify exactly what should be covered by the audit, no matter how much the auditor may want it to be cut and dried.&lt;br /&gt;&lt;br /&gt;It is ironic that I plan on achieving my GIAC GSE-Compliance in light of this, but I still plan on pursuing that.  Hopefully having some solid audit knowledge will help me be an even stronger information security professional.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-6806745386206328568?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/6806745386206328568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=6806745386206328568' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6806745386206328568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/6806745386206328568'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/06/i-dont-want-to-be-auditor.html' title='I Don&apos;t Want to Be an Auditor!'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-9021094065441017642</id><published>2008-06-15T13:54:00.000-07:00</published><updated>2008-06-15T13:58:58.224-07:00</updated><title type='text'>SANS SEC 401 Mentored Class in Dallas!</title><content type='html'>It is official!  I will be mentoring a SANS SEC 401 class this fall in Dallas.&lt;br /&gt;&lt;br /&gt;The official information is at http://www.sans.org/mentor/details.php?nid=13229&lt;br /&gt;&lt;br /&gt;It is a great class to get a solid overview of the basics of security.  I highly recommend it!&lt;br /&gt;&lt;br /&gt;Ironically, I would prefer the 6 day class since that is a better way to get the massive amounts of information.  That said, this format is great for anyone who cannot afford 6 work days (really 5) or who wants to get the information in an even more compact format.  You will have to do a lot of studying on your own, but you will get an outstanding mentor (me!) and lots of great material.&lt;br /&gt;&lt;br /&gt;Do let me know if you want to sign up.  I hope to post a special link for that soon.  Mention that I "referred you" if you sign up based on this post or some other contact with me.  
:)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-9021094065441017642?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/9021094065441017642/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=9021094065441017642' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/9021094065441017642'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/9021094065441017642'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/06/sans-sec-401-mentored-class-in-dallas.html' title='SANS SEC 401 Mentored Class in Dallas!'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-1710960522293419495</id><published>2008-02-07T00:09:00.000-08:00</published><updated>2008-02-07T00:13:29.475-08:00</updated><title type='text'>SANS Security Essentials Mentored in Dallas?</title><content type='html'>I have been approved to be a SANS mentor for the SEC 401 - Security Essentials class.  
I am working on setting up my first session in the Dallas area sometime later this year.&lt;br /&gt;&lt;br /&gt;I will set up a way soon to let me know if you would be interested in going through the course with me over a 10 week period (2 hours one night per week).&lt;br /&gt;&lt;br /&gt;Keep your eyes here for ways to indicate your interest!&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-1710960522293419495?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/1710960522293419495/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=1710960522293419495' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1710960522293419495'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/1710960522293419495'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/02/sans-security-essentials-mentored-in.html' title='SANS Security Essentials Mentored in Dallas?'/><author><name>R. 
Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-547372921706540834</id><published>2008-01-08T21:51:00.000-08:00</published><updated>2008-01-08T21:56:32.499-08:00</updated><title type='text'>Another One Down!</title><content type='html'>I decided to tackle the GIAC/GPCI after passing my GSEC last fall.  This was partially because I have been working on PCI issues for the last year and a half and partially because I am considering trying for the GIAC/GSE-Compliance Platinum cert sometime in the future.  This is complicated by the fact that all the costs will be borne by me, but I figure it may be worth it if it helps me get a lot better.&lt;br /&gt;&lt;br /&gt;Well, after waiting for the holiday break (and then wasting it), I took the test last Saturday and passed with a very good score.  I even got one technically incorrect question updated (though I didn't get the credit back).  Not a bad cert, though a few questions were certainly tricky.&lt;br /&gt;&lt;br /&gt;I do think this cert might have been dropped, so this might have been a waste, but I am going to keep my eyes open and see.&lt;br /&gt;&lt;br /&gt;I plan on passing the CISSP next, but I think I need to learn a bit more first.  
I have enough experience related to security, but I want the breadth of knowledge that requires.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-547372921706540834?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/547372921706540834/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=547372921706540834' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/547372921706540834'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/547372921706540834'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2008/01/another-one-down.html' title='Another One Down!'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1748064196870604838.post-8406192913698385395</id><published>2007-11-14T17:19:00.000-08:00</published><updated>2007-11-14T17:26:04.667-08:00</updated><title type='text'>1 Cert Down, 10 Million to Go....</title><content type='html'>I may as well start this blog by announcing that I am now GIAC/GSEC certified.  I passed the test a few weeks ago (a few days before time to do so ran out).  I agree with the idea to do this right away.  I would have probably done just as well if I had been serious about that this summer after taking the associated SANS class.  
I know I would have used up a lot less personal vacation time trying to study at home.  :)&lt;br /&gt;&lt;br /&gt;One of the keys is to have a really good index to the course books.  It is really good to know where to look things up quickly.  I used the search feature in Excel a lot to search the crude index I made, but I will clearly need something a bit more exhaustive for any future certs since they are not going to allow electronic materials when all the exams are proctored in the near future.&lt;br /&gt;&lt;br /&gt;I did sign up for the GPCI cert, hoping that my day-to-day work with the PCI standard for over a year will make it easy, but I am now concerned that the course may have some information I really need.  Someone suggested that the information in my GSEC course manuals may have all the information I need there, so I may be OK.  :)&lt;br /&gt;&lt;br /&gt;I will know one way or another soon.  I am planning on trying this either over Thanksgiving or the Christmas holiday.&lt;br /&gt;&lt;br /&gt;Brad&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1748064196870604838-8406192913698385395?l=bradonsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bradonsecurity.blogspot.com/feeds/8406192913698385395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1748064196870604838&amp;postID=8406192913698385395' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8406192913698385395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1748064196870604838/posts/default/8406192913698385395'/><link rel='alternate' type='text/html' href='http://bradonsecurity.blogspot.com/2007/11/1-cert-down-10-million-to-go.html' title='1 Cert Down, 10 Million to 
Go....'/><author><name>R. Bradley Andrews</name><uri>http://www.blogger.com/profile/02449947300802682625</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='30' height='32' src='http://4.bp.blogspot.com/-85X0fr1d90Q/TxrjNJc3H1I/AAAAAAAAAB8/4pHh_Reyubc/s220/BradSmallPhoto.jpg'/></author><thr:total>0</thr:total></entry></feed>
