Tuesday, May 29, 2012

Compliant or Complacent? A Security Pro's Viewpoint

Increased government regulations and industry requirements are forcing organizations to comply with standards that in the long run are actually very useful. Many of the required controls can seriously help improve your security posture – especially if your company is new to compliance. 
The compliance trap that many companies fall into is focusing on passing an audit instead of ensuring a sound network security posture. Being compliant is one thing, but being secure is a completely different level.

As we’ve seen in the news recently, there have been multiple companies that were compliant (and possibly complacent), yet not secure. Achieving compliance should not be the end-all-be-all of your security program; it should be viewed as a minimum baseline.

Read the rest of my article here:

Saturday, May 12, 2012

New Features in Nessus 5.0

In the new version of Nessus you can filter by exploitable vulnerabilities, framework, plugins, timeframe, MS Bulletins, CVSS score and free text. It also has an updated version of the scanning results and reporting capabilities. Looking pretty good.

Friday, May 11, 2012

An interview with a cybercriminal

There's a thread on where a cybercriminal operating a botnet of more than 10,000 nodes utilizing the Zeus banking trojan, DDoS capabilities and the ability to mine bitcoin takes questions from the reddit community.

A few takeaways from this thread are as follows:

  • He's an engineering student, possibly in the United States. His English is good and he makes references to American movies.
  • He's aware of the law, cyberlaw in particular: he doesn't use the credit card data himself, but only sells it. This doesn't mean he isn't stealing, but he does mention the looser laws in other countries, Spain in particular, where cybercrime is easier to operate.
  • The criminal mentions the utter uselessness of anti-virus and the ways he gets around it. He did, however, give Kaspersky a plug for being paranoid and giving him a hard time.
  • During questions he does understand that it's wrong and admits he's stealing, but he continues to grasp at straws to convince himself that it's okay. This is greed.
  • He also admits to hacking other companies under the guise of "Anonymous", which goes beyond the realm of cybercrime and more along the lines of mischief. This shows that he's not scared of authority and is fine with flexing his "cyber muscle".
  • He relies on encryption and polymorphic code to stay hidden.
  • His advice on how not to become a victim is very good, especially the use of a live CD.
All in all this is a very interesting look into the mind of a cybercriminal: how they operate and the mindset with which they justify what they do. I'd highly recommend reading it.

Tuesday, May 1, 2012

MLB Security Fail (LOL Worthy)

CISPA explained graphically

CISPA Infographic designed by Lumin Consulting

Shifting Gears into Proactive Security

Webster’s dictionary defines being proactive as “acting in anticipation of future problems, needs, or changes”. From a security perspective this means taking the initiative to protect the organization before it’s too late. The future security problems are the loss of information and system outages due to being compromised or negligence.

So the questions to be asked are:
  • Why is it important to take a proactive security approach?
  • What are the challenges that we face in taking this stance? 
  • How do we become proactive security professionals?
Click here to read the rest of my post: