Does anyone want to talk about general security topics?

Reel

Diamond Member
Jul 14, 2001
4,484
0
76
All I see so far are antivirus/spyware type questions. Anybody else hoping to discuss real security issues?

To get the ball rolling, we could talk about something from Bruce Schneier's newsletter: penetration testing. article and article

I did pen testing for a bit at my old job and the mentality was that we had to find a way in or we weren't doing our job. There were some times when we would just brute force passwords and get lucky and find a complex password. I just felt that the mentality of penetration testing rarely fixed problems since most of them were organizational and procedural problems to begin with. For example, hospitals never had secure passwords because doctors would say "I'm too busy saving lives to have to remember and spend the time typing a complex password".
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
I agree that manual pen-testing is a waste of $$. It's a nice income stream for the "consulting" companies.

IMHO, automated pen testing (aka: input fuzzing, etc) is a useful tool to run against applications before they're put into production use. Shopping carts, etc... Good tool to make sure the applications are decently coded. Particularly valuable for internally developed applications, where the quality/quantity of code review may not match that of a vendor product.
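As an added illustration of what "input fuzzing" against an application means in practice (example code written for this page, not posted by anyone in the thread): a minimal mutation fuzzer in Python, run against a constructed toy cart-request parser. The parser, its "name:qty;name:qty" format, the 16-byte name field and the hardened variant are all assumptions made up for the example. The point it shows is the distinction a fuzz harness has to draw: a ValueError from the parser is the application rejecting bad input on purpose, while any other exception is a crash worth a bug report (the IndexError here plays the role a buffer overflow would play in native code).

```python
import random
from typing import Callable, Dict, List

# Constructed toy target standing in for a shopping-cart request parser.
# Wire format (assumed): b"name:qty;name:qty". Bad quantities are rejected
# cleanly with ValueError, but the item name is copied into a fixed-size
# field without a length check. That missing check is the defect the
# fuzzer is meant to surface.
FIELD_LEN = 16


def parse_cart(raw: bytes) -> int:
    """Return the total quantity across all items. Deliberately buggy."""
    total_qty = 0
    for item in raw.split(b";"):
        if not item:
            continue
        name, _, qty = item.partition(b":")
        if not qty.isdigit():
            raise ValueError("bad quantity")   # graceful rejection, expected
        field = bytearray(FIELD_LEN)
        for i, b in enumerate(name):
            field[i] = b                       # no bounds check: IndexError past 16 bytes
        total_qty += int(qty)
    return total_qty


def parse_cart_fixed(raw: bytes) -> int:
    """Same parser with the length check the original lacks."""
    total_qty = 0
    for item in raw.split(b";"):
        if not item:
            continue
        name, _, qty = item.partition(b":")
        if not qty.isdigit():
            raise ValueError("bad quantity")
        if len(name) > FIELD_LEN:
            raise ValueError("name too long")  # reject instead of overrunning the field
        total_qty += int(qty)
    return total_qty


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random 'dumb fuzzer' operator: bit flip, byte insert,
    span delete, or span duplicate. Duplication is what grows fields
    past fixed-size limits."""
    buf = bytearray(data) or bytearray(b"x")
    op = rng.randrange(4)
    if op == 0:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2:
        i = rng.randrange(len(buf))
        del buf[i:min(len(buf), i + rng.randrange(1, 8))]
    else:
        i = rng.randrange(len(buf))
        j = min(len(buf), i + rng.randrange(1, 8))
        buf[i:j] = bytes(buf[i:j]) * rng.randrange(2, 6)
    return bytes(buf)


def fuzz(target: Callable[[bytes], int], corpus: List[bytes],
         iterations: int = 5000, seed: int = 1) -> Dict[str, bytes]:
    """Mutate seed inputs and feed them to target. Returns a map of
    'ExceptionType: message' -> first input that reproduced it.
    ValueError is treated as correct rejection, not as a finding."""
    rng = random.Random(seed)          # fixed seed so runs are reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        try:
            target(data)
        except ValueError:
            continue                   # input validated and refused: fine
        except Exception as exc:       # anything else is a crash
            crashes.setdefault(f"{type(exc).__name__}: {exc}", data)
    return crashes


# Constructed seed corpus: two well-formed cart requests.
SEED_CORPUS = [b"apple:2;pear:10", b"milk:1"]

if __name__ == "__main__":
    for name, fn in (("buggy", parse_cart), ("fixed", parse_cart_fixed)):
        found = fuzz(fn, SEED_CORPUS)
        print(f"{name}: {len(found)} distinct crash(es)")
        for key, repro in found.items():
            print(f"  {key}  <- {repro!r}")
```

Run it and the buggy parser reports an IndexError with a reproducer whose item name has been duplicated past 16 bytes, while the fixed parser reports nothing because it turns the same inputs into a clean ValueError. Keeping the first reproducer per distinct exception is what makes the output useful to a developer; a raw count of exceptions is not.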
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Reel
All I see so far are antivirus/spyware type questions. Anybody else hoping to discuss real security issues?

To get the ball rolling, we could talk about something from Bruce Schneier's newsletter: penetration testing. article and article

I did pen testing for a bit at my old job and the mentality was that we had to find a way in or we weren't doing our job. There were some times when we would just brute force passwords and get lucky and find a complex password. I just felt that the mentality of penetration testing rarely fixed problems since most of them were organizational and procedural problems to begin with. For example, hospitals never had secure passwords because doctors would say "I'm too busy saving lives to have to remember and spend the time typing a complex password".

http://www.rearguardsecurity.com/ episode 2 talks about the password thing specifically.

Organizational and procedural problems are real, and cause plenty of security vulnerabilities. They are definitely something that should be fixed, and sometimes it takes a penetration to do it.

BTW, I posted a non spyware/antivirus thread.
 

ScottFern

Diamond Member
Oct 23, 2002
3,629
2
76
I have a general security question. I have started my career as a junior admin (if you want to call it that) and I am in charge of 70 WinXP workstations and 9 Win2003 Servers. However, looking ahead I was thinking about trying to get into the security field as a specialization. But what are the best certifications (yes, I know, the dreaded useless cert) and types of jobs that lead to bigger and better security roles? My current employer is a smaller company with 9 people in the IT department total, and no one is the security specialist per se.

Security+ ? -> CCNA -> CISSP?
 

Reel

Diamond Member
Jul 14, 2001
4,484
0
76
Originally posted by: ScottFern
I have a general security question. I have started my career as a junior admin (if you want to call it that) and I am in charge of 70 WinXP workstations and 9 Win2003 Servers. However, looking ahead I was thinking about trying to get into the security field as a specialization. But what are the best certifications (yes, I know, the dreaded useless cert) and types of jobs that lead to bigger and better security roles? My current employer is a smaller company with 9 people in the IT department total, and no one is the security specialist per se.

Security+ ? -> CCNA -> CISSP?

CCNA is more for Cisco networking devices than general security. CISSP pays lots of money to try to position itself as the top security certification, and for some purposes it is required that a CISSP be involved in a project (thinking DoD here). Regardless, the best certs are the ones you can get your company to pay for. If you can write up a business case about how it will benefit your company, you may be able to get them to pay for them. Also, bring up your interest to your supervisor and tell them that you'd like to absorb that role as part of your career growth. The more you learn about security hands-on, the more you will learn and the easier any security cert exams will be.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
CISSP is for management. Look at SANS.

The best thing I think someone can do is to play with and learn about this stuff constantly. Set up a lab. Break it. Rebuild it.

Most of all, have fun.
 