The line between Black and White is often understood to be the law itself, i.e. if you’re a hacker, cracker or even a “skidie”, your hat changes colour the minute you go from having permission to do something to not having permission.  I however wager that if we were to exact that understanding on every security expert in this field of expertise, today, it would be a near 100% perfect sea of Black Hats.

So the question becomes, if that’s the case, are we all really the “bad guys”? I put to you a different concept, I different way of thinking about this that, personally, I think fits much better.

First of all let’s forget about hats and the law and look at a couple of basic concepts. Motivation is the activation or energization of goal-oriented behaviour and  is defined as intrinsic or extrinsic. Intrinsic motivation comes from rewards inherent to a task or activity itself – the enjoyment of a puzzle or the love of playing whereas Extrinsic motivation comes from outside of the performer. Money is the most obvious example, but coercion and threat of punishment are also common extrinsic motivations.

Another point of consideration is Goal orientation, often seen as an aspect of an individual’s motivation. An individual’s goal orientation describes the goals that they choose and the methods used to pursue those goals. One of the most common conceptualizations of goal orientation is the three factor model, that is, individuals can be described in terms of goal orientation based on three factors:

• mastery,
• performance-approach, and
• performance-avoid.

Individuals with a mastery goal orientation seek challenging tasks and value learning. Highly performance-approach oriented individuals seek tasks that allow them to demonstrate the skills they already possess, and highly performance-avoidant tend to avoid tasks where they may fail and thus appear incompetent.

The final aspect to consider in this equation is an agent’s intention in performing an action. In so much as his or her specific purpose in doing so, the end or goal that is aimed at, or intended to accomplish. In recent years, there has been a large amount of work done on the concept of intentional action in experimental philosophy. This work has aimed at illuminating and understanding the factors which influence people’s judgments of whether an action was done intentionally. For instance, research has shown that unintended side-effects are often considered to be done intentionally if the side-effect is considered bad and the person acting knew the side-effect would occur before acting. Yet when the side-effect is considered good, people generally don’t think it was done intentionally, even if the person knew it would occur before acting. The most well-known example involves a chairman who implements a new business program for the sole purpose to make money but ends up affecting the environment in the process. If he implements his business plan and in the process he ends up helping the environment, then people generally say he unintentionally helped the environment; if he implements his business plan and in the process he ends up harming the environment, then people generally say he intentionally harmed the environment. The important point is that in both cases his only goal was to make money. While there have been many explanations proposed for why the “side-effect effect” occurs, researchers on this topic have not yet reached a consensus.

So now we understand a little about motivation, goals & Intentions, what really makes the “bad guy” bad? Well its worth adding into themix that the “good guys” and “bad guys” all have the same level of skill, they all learned it the same way and they all have the same aptitude (loosely speaking of course). In fact during the learning process its probably fair to wager that on occasion everyone ended up, purely through exploration, somewhere they shouldn’t have been.  Does this make us all “bag guys”?

I certainly do not think so. In my opinion, motivation, goals & intent are what separate the good from the bad, and in this context the “White Hats” from the “Black Hats”. Let’s look at an example. the CERT Coordination Centre came up with an interesting classification matrix, which I have provided below as a diagram:

In the above diagram, we see six types of attacker (as well as a virtual 7th type that could be all 6 in a different context), six types of motivation and four goals.  It is assumed in  this classification, as insinuated by the word “Attacker”, that we are dealing with the “bag guys” or Black Hats here, however, I would argue that the first type, “Hacker” has a motivation and goal that is not negative or in fact malicious in any way, so should they also be considered a “bad guy”?  Its fair to say, someone hell bent on the quest for knowledge in that particular classification may take a devil may care approach that could have a negative impact on the systems they are exploring, but again, is this malicious intent, or just carelessness?

In summary I put it to you that there are no White Hats, or Black hats in the world today, just Shades of Grey, and that only motivation, goals and intent separate those of us trying to help from those who have a more nefarious purpose.

Like

Unlike

                          

Related posts

• PenTest Straw Poll (0)
• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Malware has come along way since its anarchistic pre-pubescent   beginnings, and is now a fully fledged teenager, displaying all the fire, passion and unpredictability you would expect from one. Once upon a time, you could be sure your malware was simple in its intention, written by an unorganised person or persons, with the typical agenda of notoriety or malicious damage. Although bad, quite easy to deal with.

Modern malware however is a whole new ball game. Written to order, with a menu of “features” available from stealing data to placing a sleeper inside the system, all with standard issue mass infection mechanisms anti malware detection programming, the latest in self defence techniques and with the underlying drive of a typically well organised or at least very motivated source.

Yet despite this significant step change in what we are seeing as the attack, as a world of experts I am still not seeing a change in the controls, strategies or defence tactics of many organisations. This I find astounding. How anyone who is considered a responsible person in an organisation can sleep at night thinking that a firewall and a few layers of Anti-Virus is going to cut it as the total form of protection is seriously miss-informed. Equally, those companies out there pedalling the silver bullets of the security world “[insert vendor name here] ultimate anti-malware solution (TM)” are doing nothing but compound a problem that will continue to evolve and get more sophisticated.

The simple fact is that ANY malware solution on the planet today from any vendor works on the same detection methods. They look for something they have seen before or something that looks like something they have seen before and block it, It’s that simple. And for that reason alone, you cannot rely on that control alone as the only form of defence. Equally, the firewall and all that other perimeter based paraphernalia you invested in, don’t get me wrong, all well and good, but its not going to stop this stuff. Why? Web 2.0, Social Networking, Unified Communications, Chat, Mail, you name it. Any medium of communication that can facilitate the transfer of a file, and that includes just good old browsing of the web, will bring malware to your door, invited in so to speak, through all that perimeter protection, and straight to the desktop.

The truth is, the only way to protect yourself against this stuff is to stop thinking it’s “the good old days” and get with the times. The only way you’re going to stand a chance of surviving one of these incidents is by thinking about the entire control landscape and how they interact with each other. A good model for this is Defence in Depth as that provides a very good method of visualising the controls at each layer of your environment and allows you to map attacks through the controls to see if they would be successful or not.

This simple visualisation strategy can bring value beyond your wildest dreams, giving you the opportunity to stop, think and adjust what you’re doing, justify investment, demonstrate control and rationalise spend. All very important concepts for the times. There is a world of products, vendors control choices and equipment with pretty flashing LED’s on it. The only way to figure out which ones will help you is to understand what you have, what you need and why.

Like

Unlike

                          

Related posts

• Chip & Pin Attack (1)

Jay Abbott, director in charge of Threat & Vulnerability Management, PricewaterhouseCoopers LLP (PwC), said:“Essentially, what the scientists have come up with is a very effective and simple way of exploiting weaknesses in the system.

However, it is important to bear in mind that the fraud requires a very specific scenario to become effective.

“A simple process change by the retailer of asking for the card holder to hand over the card would break the circuit, although this isn’t always possible as sometimes the card reader is fixed to a point on the other side of the counter.

“At present, the customer is accountable for the fraud as banks argue that PIN verified transactions are secure. Given this attack demonstrates a clear method of bypassing the PIN system, this assertion by the banks stands on shakier ground.”

With the original comment came a caveat, which as you would normally expect, was not quoted by the media, this caveat was that the process change suggested brought with it the opportunity for cards to be skimmed, which was in fact one of the original reasons behind the Chip & Pin changes. In fact, the change works in the favour of the retailer rather than the consumer, however, before you hang me, allow me to demonstrate the rationale behind this.

Consider first that Chip & Pin is in fact “two factor” authentication, which anyone in the security business will explain is more secure than “one factor” authentication. The first factor is the card itself or the “chip” in this instance, the second factor is the “Pin” which in this context operates as a pass code. Given both elements are authenticators in their own right, both are required, and as such any attack must include them both. The attack designed by Prof Ross Anderson targets the Pin aspect of the authentication, and relies on the original card accessed through a series of technology components that have to be connected together in some way. The method shown in this attack makes use of concealment to hide these components on the person of the attacker, and relies on a custom built “attack” card with wires hidden up the sleeve of the attacker, back to the other components involved. The obvious way to therefore detect and prevent this attack at the retailer is by separating the card from the attacker, thus showing the wires and revealing the ruse.

The cloning of cards must be treated separately as the current methods of cloning (that I am aware of at this point in time) only create “yes cards” which would not work in this attack scenario as they are not true copies and would be detected by the PoS equipment as fraudulent. As I understand it, there is no economically viable way of cloning Chip & PIN Cards effectively at this time. Any cloning would still focus on the magnetic stripe data, which can be easily cloned, but is not accepted by the retailers (usually) when a Chip & PIN card is presented. This of course is at the discretion of the retailer and out of the control of the consumer or the banks.

This brings us to the counter argument, specifically in relation to the increased risk of your card getting skimmed/cloned by the retailer when you hand it over. Een if it were viable to clone the chip cards, given that a card skimmed by a retailer would typically not get the pin as well (this of course is not always the case), using the now cloned card would have to make use of Prof Ross Anderson’s attack method, which if the aforementioned process change was implemented, would not work, so in effect increasing the risk of cloning, but decreasing the risk of a successful attack using the cloned card and “breaking the circuit”.

This of course relies on the premise that the use of the cards magnetic strip is in fact not viable, and therefore if anything, reinforces the use of Chip & PIN ironically. Of course in real life the Magstrip is regularly used, but that, again is outside the scope of this discussion and considered irrelevant in the face of the specific discussion around Prof Andersons attack.

There is always of course the argument for using a small form factor wireless transmission device to remove the need for wires, but given the form factor of a credit card and the inability to alter this form factor without raising suspicion, I am personally unsure that significant enough range for a TX/RX comms loop could be achieved given the power that could be implemented into a credit card sized device.

Again, in my original comments to the press I clearly stated that the system needed to be fixed, and that the attack was effective, so this is not me suggesting that we should brush this under the carpet, in fact it is simply looking at what we can potentially do NOW to protect the system, while its eventual upgrade is debated and planned.

Don’t forget, in this context I am just as much of a concerned consumer as you.

Like

Unlike

                          

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)

Like

Unlike

                          

Related posts

• No related posts.

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)

First of all, lets define what we are talking about. There is a simple definition for Cloud Computing, and three models of operation as held by NIST, these are:

Definition:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Models of Operation:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Now, I am pretty sure that during my long career, I have seen a lot of companies doing IaaS and PaaS as a “Business as Usual” activity, haven’t you? In my experience, IaaS is nothing more than a traditional infrastructure outsourcing arrangement, as undertaken with IBM, HP/EDS or BT, while PaaS is just a simple hosting service offered by most ISP’s (I accept I am simplifying here). So what are we really talking about when the press pickup and pedal the term “cloud computing”. Looks to me like they are talking about SaaS, which again, has been around for a while, Hotmail anyone?, but not really taken off in the enterprise until it became “cloud computing”. So is this just a media spin to pedal Hotmail to the enterprise or just a natural progression from outsourcing boxes to apps? What is revolutionary here, I am yet to see.

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

Accountancy Age – August 2009 – Dark Pools of Talent

Like

Unlike

                          

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – April 2009 (0)

Sheffield Star Business Monthly – July 2009 – Hacking

Like

Unlike

                          

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)
• Press Coverage – April 2009 (0)

computing.co.uk – April 2009 – Malware
computing.co.uk – April 2009 – Risk in the recession
pcauthority.com.au – April 2009 – Microsoft
computing.co.uk – April 2009 – Microsoft
crn.com.au – April 2009 – Risk in the recession
whatpc.co.uk – April 2009 – Security
computing.co.uk – April 2009 – Malware
Searchsecurity.co.uk – April 2009 – Conficker & Patching

Like

Unlike

                          

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)

Insurance Times – March 2009 – Data Loss Issues

Like

Unlike

                          

Related posts

• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)
• Press Coverage – April 2009 (0)

Computer Fraud and Security – February 2009 – Ethics & Hacking

Like

Unlike

                          

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – August 2009 (0)
• Press Coverage – April 2009 (0)

North West Insider – August 2007 – IT Security
North West Insider – August 2008 – BERR Survey

Like

Unlike

                          

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)

Consider these examples:

1. From an effort perspective, the effort required to secure a system is significantly less than that required to exploit it.
2. From a cost perspective, it is less expensive to prevent a serious data breach than it is to clean up and recover from one.

Point 1 above was illustrated very clearly to me on the IISP’s TopGun event I attended recently, and is a scenario that you have to step back from to fully appreciate. Eg. If you have a smallish network, with most modern services such as web, email, mobile, databases, websites etc, then the effort to secure that is quite mammoth. You have to consider the perimeter, the information, how its stored and used, what services are on offer and the impacts etc. Then you have to consider every conceivable vulnerability, patching strategies and stay on top and at least up to speed with the curve of change. All of these efforts equate to a team of people, but all it takes to break in, is 1 person with a brain, motive, and a few freely available tools.

Point 2 of course, was illustrated very well by a study by the Pnemon Instutue LLC in conjunction with PGP and Vontu (Symantec), this study evaluated the true cost of a breach of data security and considered factors such as direct and indirect costs, and has trended the data over the last few years with enlightening results.

Despite both of these points clearly illustrating that the best way to tackle the security conundrum is head on and proactively, those of us in the industry will all surely testify that getting the right backing, funding, and often, even the right audience with the business, is still a hard task. From my perspective, I will keep on trying, and keep on flying the flag in the hope that one day reality sets in and my job / life gets easier!

Like

Unlike

                          

Related posts

• IISP Top Gun event, Manchester, 30 June 2008 (0)
• Anything that can be engineered by mankind….. (0)
• ACME Supercomputing Inc – Roadrunner Beware (0)
• Snort Rocks! (2)
• Security as a Career (0)

The first thing I want to say on the subject is that Security is more of a state of mind than anything else. I have a saying, to be good in security you need to be sceptical with a healthy dose of paranoia! This point of view will serve you well when it comes to security as it will allow you to be objective and not accept things at face value. Secondly, you need an inquisitive nature and a thirst for knowledge, To be the best at security you simply need to be able to hunt out the truth and learn the latest concepts and techniques very quickly. Finally, you need to be a good generalist, I realise this point is contentious, but I truly believe that you need to have a good general grasp of everything technology related as well as your preferred specialism in order to cover the breadth of security. Of course you can be an expert in your chosen specialism, but you must have a grasp of how “everything” fits together in order to be good.

OK, so where do you begin? Well, for starters, you need to have a long hard think about what you want out of life. What I mean by this is, are you a “techy” or are you a “manager”? I realise you can be both (as I am), but when your starting out, the subject is so broad you need a direction to head. If your a techy,  then you probably heading down the threat, vulnerability and controls path, with topics such as ethical hacking, intrusion detection and firewalls on your learning list. if however, your more of a manager, your probably heading down the opposite path towards topics such as strategy, assurance and governance. Once you have figured this out, you can start to look at the material, courses and support networks available for each road to help you get going.

One important factor that should always be included however is your own personal growth and development. What I mean by this are the softer skills such as communication, empathy, leadership, coaching etc. All of these skills are fundamental to your success and should be developed in equal measure with your chosen subject specialisms. The biggest issues I face as an employer in this sector is finding good security people with excellent soft skills. Its too easy in this game to get trapped in a world of regulations or bits ‘n’ bytes, and forget that all your knowledge is pointless if you cannot make use of it and educate the world.

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)
• PCI-DSS Is it dead? (0)

So what I hear you cry!

Well think of this, Cloud computing is here to stay and can yield some massive processing potential, but its still quite young and clouds tend to be privately owned and sold to the highest bidder. But what if we could all club together and build a cloud so big, so powerful it blew the Crays and IBMs of this world out of the water?

Again, I hear the crys of yeah right!

Well, ask yourself this, do I own a PS3? if the answer is yes, welcome to the “PSCloud”

The concept is simple, in a PS3 there is an IBM Cell Processor with 8 CPU cores, a very powerful CPU indeed! and guess what, IBM’s Roadrunner uses them too, yes, the Roadrunner has just short of 13,000 Cell Processors in it, of course it has quite a few AMD’s as well (6.4K), but the cells are the bulk of it.

So lets look at the facts, the same basic architecture used for the supercomputer market is in our homes, and cloud computing is here to stay, well I’m no rocket scientist but I reckon if we put these two concepts together, Roadrunner and Jaguar have a problem on their hands.

As of November 2008, over 16 million PS3’s have been sold around the world, of which we can assume by the design and nature of the unit, that nearly all of them are connected to the internet, so if we were able to join them into a single cloud, what sort of processing power could we achieve?

I ask you this….. If 13,000 Cells and 6K AMD’s get you 1.6 Petaflops, what would 16million Cells get you?

All we need to make this happen is a software/firmware update to turn the PS3 into a cloud member and a peer based command and control mechanism, any programmers out there?

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Anything that can be engineered by mankind….. (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Its a simple mantra, but one that has served me well in security.

Think of of this way, it doesn’t matter how intelligent you are, someone, somewhere is more intelligent! When it comes to security this is never more true. As we all know, security is asymmetric, in so much that the effort required to secure something is significantly more than that required to break into it. Given this point, it makes the mantra even more relevant! If security was symetrical, you would have a 1:1 effort relationship, however, as its not, (we will for the purposes of this article assume its 2:1, i.e. double the effort required to secure), it would theoretically take less brain power than it took to create the control to break it.

Obviously I accept that this is a very simplistic representation of the point, but one I think is valid.

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• ACME Supercomputing Inc – Roadrunner Beware (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Which Penetration Testing Qualification is best from a Testing perspective:
Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

(NB: I have deliberately excluded “accreditation schemes” such as CREST and CHECK)

Like

Unlike

                          

Related posts

• Black, White or Grey? What colour hat do you wear? (0)
• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

lets put it into perspective. First of all, you have to accept that open source software is your friend, then accept that just because it doesn’t have a “GUI” doesn’t mean its any more complex. Ok, now that you have accepted an alternate reality, it is time to look at some comparisons. Lets look at some good, typically expensive security controls, typically, usually reserved for Banks, because “they have the budget for it”.

We will start with IDS “Intrusion Detection System”, specifically, the network variety (NIDS), deployed across the infrastructure, and designed to spot malicious traffic flowing across your network and highlight suspicious activity that may be happening under the radar. If you were to buy one of the very excellent and very expensive commercial solutions, on a medium size network, you could be spending 6 figures before breakfast. That’s a serious hole in a security budget, so what other options exist? Well, for a start, “snort” an open source, well maintained and mature project that’s been around for years. Its 100% free, and will only cost you the physical hardware and some administrative overhead getting it up and running. Its very scalable, equally configurable and its signatures are maintained by a community of experts in the field. What more could you ask for? Ok, so the reality is, in our scenario of 6 figures for the commercial solution, the free one would likely cost you 10-20K in hardware and specialist labour, but whats 20K compared to £200,000K, I know which one I would prefer to sign off.

Next, lets look at another hot topic, SIMS “Security Information Management Solution”. This is another typically large investment to essentially, analyse logs generated by the infrastructure. Again, the concept has been available in open source for years. Syslog servers shipping logs to each other with some sort of Perl analysis scripting has been around forever, and again, its just the labour and hardware costs to consider.

What about Firewalls? The staple diet of all organisations of any size. Now, these can be quite cheap or ridiculously expensive. I have built, deployed and managed most of the top end ones, and can after a career of using them, I can happily say, I would deploy a well configured “iptables” firewall in Linux over a Cisco or Checkpoint any day of the week. Ok, so you don’t get the nice gui with all your 200 firewalls in, but, there are options…. Gui’s exist, and again, a specialist can easily make this whole concept easily manageable for any organisation. Now, if a key control for limiting the impact of a hack is through network segregation, then the ability to deploy low cost firewalls can only improve the overall security of the network

So, if I had a 1000 user network to protect, a budget of 500K and full autonomy. I would spend 100K on every open source solution available, home grow some of my own, contract a team of top class Linux / security gurus to get it all up and running, then sit back in my SOC “Security Operations Centre” and wait for the siren to go off! Of course, I would take the other 400K as my bonus

Like

Unlike

                          

Related posts

• Snort Rocks! (2)
• Linux Defence Tweaks (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

C|EH (Certified Ethical Hacker). Anyone who has been in that area of work for a number of years will state that the C|EH is rubbish, and, of course, they are right. Having done the qualification, I can vouch for the fact that it is a tools based approach to hacking, with a heavy slant towards using windows as your attacking platform (which is wrong for so many reasons). It does however, give you the basics, and teaches you about basic methodologies etc. …..So, you might ask, why do I say I am a C|EH, if I know its pointless? Simple. To a purist hacker, its a waste of time, but commercially it has value as it is recognised by clients and companies alike as the de facto standard for hacking. This difference in perception is a prime example of how a qualification can bring credibility with the audience you want. All of my team are C|EH, because, when I write a proposal for a client, I can say, all my team are “Certified Ethical Hackers”. They of course understand this and as a bonus, the first two words add a level of “comfort” to what sounds like a venture into the dark side!

Now, let’s look at another qualification (CISSP) “Certified Information Systems Security Professional”. This is about the best baseline security qualification in play today. It is very broad in it’s syllabus and well maintained through its CPE “Continual Professional Education” requirement. This qualification really does work on both sides of the fence. Clients like it and so do the professionals What it doesn’t do is guarantee that the holder of the qualification is a deep specialist in a given area, but what it does very well, is mandate a baseline of knowledge with real width in the subject of security.

Here are my views on how they pin together:

Some example credentials that mean something to your peers:

• GIAC’s (Any of them!)
• CITP
• OSCP

Some example credentials That mean something to your clients or employers:

• ITiL
• PRINCE2
• C|EH
• CCNA

Some example credentials that mean something to everyone:

• CISSP
• CCNP

This is not the most exhaustive list, but is a start. The underlying piece of advice here is, when your picking a credential to study for and invest in, think how it will add value to you and your situation, and see if there is a better option available. Knowledge can be learned for free, credentials have to be bought!

Like

Unlike

                          

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

I can definatley say its come a long way. It was much easier to install, and only took a small amount of syntax debugging to figure out the configs. During my research / re-learning curve though it would seem that version 2.8 with the stream5 processor is not as good as version 2.4 with the flow processor at detecting portscans. This was certainley the concensus of the community, and after a bit of playing I can agree. However, I now have sfPortscan running with stream5 and its seems pretty accurate to me, so I am certainly happy with the results.

BASE is also a welcome move onwards from what used to be a very clunky interface. It seems light and intuitive, with decent features. I think it could do with the addition of some basic graphs, rather than having to use the graph engine to define your graphs each time, but on the whole i think it is certainly a good alternative to spending a large amount of money on a commercial product. Certainly the ability to abstract the managemnet interface, data storage and sensors from each other gives you a highly scaleable model to use a basis for a large scale deployment.

Of course, if you don’t fancy the pain of compiling code from scratch, or your just dam lazy, check out EasyIDS for a complete “IDS in a box” that gives you everything I just said with none of the hastle!

….You just can’t ingore the momentum that opensource has gained

Like

Unlike

                          

Related posts

• Linux Defence Tweaks (0)
• Free Security for All! (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)