Microsoft's Security Development Lifecycle (SDLC) under Creative Commons Li Posted by boss on Sunday, 29 August 2010 @ 22:30:18 EDT (865 reads) Topic Awareness Info
cdupuis writes "As seen on the great H-Online web site at http://www.h-online.com/:
Microsoft's Security Development Lifecycle under Creative Commons License
Microsoft is to change the license for its process for developing secure software. In future, the company's Security Development Lifecycle (SDL) will be available under a Creative Commons license (Attribution-NonCommercial-ShareAlike 3.0 Unported). This should make it easier for others to use and distribute the principles behind SDL and for programmers to integrate SDL components into their own development processes. This has not previously been possible, as documentation and other SDL materials were under an exclusive Microsoft license which precluded such use.
The company hopes that the change will lead to more developers utilising the Microsoft process for developing software more securely across the entire product lifecycle. SDL can trace its origins back to a 2002 Bill Gates memo on "trustworthy computing". The resulting programme was intended to make security an integral part of the company's software development process and make its products more persistently secure. All Microsoft software since Windows Vista has been developed in accordance with SDL.
David Ladd, Principal Security Program Manager at Microsoft, has announced that the first two documents to be placed under the new license will be a white paper entitled "Simplified Implementation of the Microsoft SDL" and "Microsoft Security Development Lifecycle (SDL) – Version 5.0", a guide to how the company uses SDL in its product development. These can be expected within the next few weeks. According to Ladd, the company will also be going through other content on the SDL portal and relicensing it as appropriate. SDL tools are not affected by the licensing change, but will continue to use Microsoft licenses.
"
SQL Injection and Parameter Manipulation video clips Posted by boss on Wednesday, 03 March 2010 @ 11:17:55 EST (1359 reads) Topic Awareness Info
cdupuis writes "
NOTE FROM CLEMENT: These two videos are very nice videos that demonstrate in simple terms what SQL Injections are and also what Parameter Tampering is. They are not meant to teach everything there is to know about the subject, which would take weeks; the goal is to educate people and developers on the issue. They are great because of their short length and I like the animations as well. One picture is worth a thousand words, they say. In this case one minute of video clip is worth 10 minutes of talks. I will most certainly use them in some of my classes. Job well done. Clement
One of the biggest challenges of the security community is to build true SDLC (Secure development Life Cycle).
The biggest obstacle is that application developers at large lack the know-how and motivation to address application risk.
At Checkmarx labs we thought that a new approach to application developers might help them cross the barrier. We have developed a pilot including two short animated clips that should help developers understand security flaws, how they can be detected and consequently prevented.
We built one clip for SQL Injection and another for Parameter Tampering - limited up to 5 minutes each. We would appreciate feedback from the OWASP community whether the effort is meaningful and should it be extended.
Please feel free to use the clips freely. The clips can be found at:
SQL Injection: http://www.youtube.com/watch?v=vjDrseRLyuA&hd=1
Parameter Tampering: http://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1
Yours, Maty Siman, CISSP CTO Checkmarx
"
Join SecurityVibes and exchange information with your peers! Posted by boss on Tuesday, 16 February 2010 @ 09:44:44 EST (1130 reads) Topic Awareness Info
Anonymous writes "
DLP, Cybercrime, Vulnerabilities, Malware, Compliance, Cloud Security... How does this relate to you? Want to share your opinion? Interested in knowing what your peers have experienced?
Easy, ask for an invite today and join SecurityVibes!
Security Vibes is an online community for CSOs to exchange information, share thoughts and opinions and learn from your peers. With 100 existing UK members, as well as similar active communities in France and the US, we are looking to increase the number of participants by inviting CIO and CSO level executives to join this exclusive community. Security Vibes is the first closed community dedicated to infosec professionals. It operates under strict Chatham House rules and a strict no-vendors policy, which means that members can share views and insights amongst those with similar interests and concerns in complete confidence.
Membership is by invitation only and benefits of membership include: online discussion forums, access to cutting edge multi-media content and analysis such as videos, podcasts as well as real life networking events, called CSO Interchanges, where members can meet in person and swap ideas and learn from each other and hear from industry experts and fellow members.
CISSPs belonging to Security Vibes can also earn CPE credits for their significant SecurityVibes content contributions. In line with (ISC)2’s CPE Guidelines, CISSPs earn 10 CPE credits for their first published article and one additional credit for every subsequent hour spent posting content to the SecurityVibes.com site.
If you’d like to find out more about joining please visit the website at: http://www.securityvibes.com or to apply for membership at http://www.securityvibes.com/request_invite.php
"
IEEE Computing Now magazine -- Special issue on Biometric Posted by boss on Wednesday, 03 February 2010 @ 17:28:44 EST (942 reads) Topic Awareness Info
cdupuis writes "IEEE COMPUTING NOW SPECIAL ISSUE ON BIOMETRICS
Learn about biometric technology, what's next for traditional techniques such as fingerprint and iris recognition, and new modalities that could soon be available commercially. (Ron Vetter and Karl Ricanek Jr., Guest Editors)
Iris Recognition: The Path Forward, by Arun Ross
Fingerprint Matching, by Anil K. Jain, Jianjiang Feng, and Karthik Nandakumar
Face Recognition by Computers and Humans, by Rama Chellappa, Pawan Sinha, and P. Jonathon Phillips
Unconstrained Biometric Identification: Emerging Technologies, by Karl Ricanek Jr., Marios Savvides, Damon L. Woodard, and Gerry Dozier
News: Biometrics Could Streamline Border Crossings, by Greg Goth
Evaluating Biometric Systems: The Biometric Menagerie, by Neil Yager and Ted Dunstone "
Researchers criticise 3D Secure credit card authentication Posted by boss on Monday, 01 February 2010 @ 06:48:42 EST (1210 reads) Topic Awareness Info
cdupuis writes "
26 January 2010, 19:01
[Figure: An example of 3DS phishing sites]
Researchers at the University of Cambridge Computer Laboratory say the 3D Secure (3DS) authentication system branded as the "Verified by Visa" and "MasterCard SecureCode" schemes is "a text book example of how not to design an authentication protocol". The researchers, Steven J Murdoch and Ross Anderson, make their criticisms in a paper[1] being presented today at the Financial Cryptography and Data Security '10 (FC10) conference. It examines the failings of the credit card verification scheme which was introduced by banks as a response to the rise in fraud for card-not-present transactions.

In the paper, they identify a number of weaknesses. For example, the mechanism used to display the 3DS form is embedded within an iframe or pop-up with no address bar, so there is no indication of where the form has come from. This goes against banks' advice to their customers to avoid phishing sites by only entering bank passwords into sites they can identify as the bank's own site. When one of the researchers initially encountered 3DS, he found the content was being served by securesite.co.uk and contacted his bank, who informed him that this was a phishing site. In fact, securesite.co.uk belongs to Cyota, which is owned by RSA and handles the 3DS authentication process for many UK banks.
The researchers also criticise the initial password entry process which occurs the first time a card holder uses a 3DS enabled card to shop online. The user is asked to enter a new password as part of the process of making the purchase, which the researchers feel is a bad time to ask for the password as the user is probably more interested in shopping and more likely to choose a weak password. They also note that the process of entering the new password also signs the user up to new terms and conditions which shift liability onto the customer despite the bank having made "many poor security choices". Other problems included inconsistent authentication methods, weak mutual authentication with a memorable phrase having to be chosen when a new password is entered and concerns about privacy.
The paper concludes that the "single sign-on" model that the 3DS system implements is the wrong model and that what should replace it is a transaction authentication system where, for example, a user would receive an SMS message saying "You are about to pay $X to Merchant Y" and requesting an authorisation code from the customer, at least as a stop-gap until a more trustworthy payment device could be brought into use. The motivation for this, the researchers feel, should come from regulators intervening on behalf of consumers.
URL of this Article: http://www.h-online.com/security/news/item/Researchers-criticise-3D-Secure-credit-card-authentication-914144.html
Links in this Article: [1] http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf "
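To make the paper's final recommendation concrete, the following added example (not code from the article or from the researchers; the IssuerBank, Transaction and customer_phone names are hypothetical) contrasts a reusable 3DS-style password with an authorisation code bound to "You are about to pay $X to Merchant Y": a code phished for one purchase is useless for any other amount, merchant or challenge, and the SMS text lets the customer notice a relayed fraudulent transaction.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    currency: str
    merchant: str

    def describe(self) -> str:
        # The text the issuer would send by SMS, as proposed in the paper.
        return (f"You are about to pay {self.amount_cents / 100:.2f} "
                f"{self.currency} to {self.merchant}")


def auth_code(key: bytes, nonce: str, tx: Transaction) -> str:
    """Eight-digit code derived from the customer's key AND the exact
    transaction, so it cannot be redirected to another amount or merchant."""
    canonical = f"{nonce}|{tx.amount_cents}|{tx.currency}|{tx.merchant}".encode()
    digest = hmac.new(key, canonical, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class IssuerBank:
    """Hypothetical issuer: issues a one-time challenge per payment and
    accepts only the code bound to that pending transaction."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[Tuple[str, str], Transaction] = {}

    def enrol(self, card: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[card] = key
        return key  # provisioned to the customer's phone out of band

    def start_payment(self, card: str, tx: Transaction) -> Tuple[str, str]:
        nonce = secrets.token_hex(8)
        self._pending[(card, nonce)] = tx
        return nonce, f"{tx.describe()}. Ref {nonce}"

    def verify(self, card: str, nonce: str, code: str) -> bool:
        tx = self._pending.pop((card, nonce), None)  # each challenge is single use
        if tx is None:
            return False
        return hmac.compare_digest(auth_code(self._keys[card], nonce, tx), code)


def customer_phone(key: bytes, sms: str, intended: Transaction) -> Optional[str]:
    """Customer side: approve only if the SMS describes the purchase they
    actually meant to make; a relayed 'pay 500 to Phish Merchant' is refused."""
    text, _, nonce = sms.rpartition(". Ref ")
    if text != intended.describe():
        return None
    return auth_code(key, nonce, intended)


def transaction_bound_scenario() -> Dict[str, bool]:
    bank = IssuerBank()
    card = "customer-card-0001"  # constructed identifier, not a real card
    key = bank.enrol(card)
    legit = Transaction(1999, "GBP", "Example Books Ltd")
    fraud = Transaction(50000, "GBP", "Phish Merchant")

    nonce, sms = bank.start_payment(card, legit)
    code = customer_phone(key, sms, legit)
    results = {"legit_accepted": bank.verify(card, nonce, code)}
    # A phishing form that captured `code` tries to spend it on its own purchase.
    n2, _ = bank.start_payment(card, fraud)
    results["phished_code_reused_for_fraud"] = bank.verify(card, n2, code)
    # Replaying the original challenge a second time is refused too.
    results["same_challenge_replayed"] = bank.verify(card, nonce, code)
    # The phishing site relays the real fraud challenge to the victim's phone;
    # the SMS names the wrong amount and merchant, so the customer declines.
    _, sms3 = bank.start_payment(card, fraud)
    results["customer_spots_mismatch"] = customer_phone(key, sms3, legit) is None
    return results


def password_scenario() -> Dict[str, bool]:
    """Reusable-password model: the verifier never looks at the transaction,
    so a password captured once (e.g. by a form in an unidentifiable iframe)
    authorises any purchase at all."""
    stored = hashlib.sha256(b"hunter2").hexdigest()  # constructed weak password

    def verify(entered: str, tx: Transaction) -> bool:
        entered_hash = hashlib.sha256(entered.encode()).hexdigest()
        return hmac.compare_digest(entered_hash, stored)  # tx is ignored

    captured = "hunter2"
    return {
        "legit_accepted": verify(captured, Transaction(1999, "GBP", "Example Books Ltd")),
        "phished_code_reused_for_fraud": verify(captured, Transaction(50000, "GBP", "Phish Merchant")),
    }


if __name__ == "__main__":
    print("transaction-bound:", transaction_bound_scenario())
    print("reusable password:", password_scenario())
```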
Is your Anti-Virus worth the price you paid for? Posted by boss on Friday, 08 January 2010 @ 10:02:57 EST (993 reads) Topic Awareness Info
cdupuis writes "NOTE FROM CLEMENT:
AV-Comparatives.org is an interesting site that regularly conducts benchmarks of leading Anti-Virus software. Do visit their website to keep yourself informed about who is who in the world of protection today. They are one source of tests being conducted, and there are a few other sites such as PC Magazine that regularly conduct such tests as well. Your product might have been the best for a few years, but is it still the best to use today? See below an extract from their website:
Welcome to AV-Comparatives.org
On this site you will find independent comparatives of Anti-Virus software. All products listed in our comparatives are already a selection of some very good anti-virus products. In order to get included in our main tests, vendors must fulfill various conditions and minimum requirements.
Look into the Comparatives section to find out additional tests and reviews.
If you plan to buy an Anti-Virus, please visit the vendor's site and evaluate their software by downloading a trial version, as there are also many other features (e.g. firewall, HIPS, behaviorblocker, etc.) and important things (e.g. price, graphical user interface, compatibility, etc.) for an Anti-Virus that you should evaluate by yourself. Even if quite important, the data provided in the test reports on this site are just some aspects that you should consider when buying Anti-Virus software.
Their main site is at: http://www.av-comparatives.org/ "
ATM Scam Bank ATMs converted to steal bank customer IDs Posted by boss on Tuesday, 08 December 2009 @ 16:21:09 EST (3577 reads) Topic Awareness Info
cdupuis writes "Original article at: http://www.utexas.edu/police/alerts/atm_scam/
A team of organized criminals is installing equipment on legitimate bank ATMs in at least two regions to steal both the ATM card number and the PIN. The team sits nearby in a car receiving the information transmitted wirelessly over weekends and evenings from equipment they install on the front of the ATM (see photos). If you see an attachment like this, do not use the ATM and report it immediately to the bank using the 800 number or phone on the front of the ATM.
The equipment used to capture your ATM card number and PIN is cleverly disguised to look like normal ATM equipment. A “skimmer” is mounted to the front of the normal ATM card slot that reads the ATM card number and transmits it to the criminals sitting in a nearby car.
At the same time, a wireless camera is disguised to look like a leaflet holder and is mounted in a position to view ATM PIN entries.
The thieves copy the cards and use the PIN numbers to withdraw thousands from many accounts in a very short time directly from the bank ATM.
[Photo: Equipment being installed on front of existing bank card slot.]
[Photo: The equipment as it appears installed over the normal ATM bank slot.]
[Photo: The PIN reading camera being installed on the ATM is housed in an innocent looking leaflet enclosure.]
[Photo: The camera shown installed and ready to capture PINs by looking down on the keypad as you enter your PIN.]
Original Article at: http://www.utexas.edu/police/alerts/atm_scam/ "
Security Service Strategies for Small and Medium size firms Posted by boss on Monday, 30 November 2009 @ 09:19:36 EST (843 reads) Topic Awareness Info
Anonymous writes "
Feds To Sharpen Cybersecurity Job Policies
The Office of Personnel Management seeks to develop a framework for the classification, hiring, performance management, and development of federal cybersecurity pros.
By J. Nicholas Hoover, InformationWeek, Nov. 24, 2009. URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=221900984
On the heels of a report that raised concerns about the competency of cybersecurity pros at the Department of the Interior, the Office of Personnel Management plans to develop better ways to ensure that the federal cybersecurity workforce is up to snuff.
In a recent memo to federal HR directors, OPM director John Berry said the effort will include developing policies and guidance on job classification, hiring, performance management, and workforce education and development. He implied that the work was brought on by a consensus among OPM, the federal CIO Council, and federal Chief Human Capital Officers Council that cybersecurity workforce development required a government-wide framework.
That bears out with other findings. Earlier this year, Booz Allen Hamilton surveyed 69 officials from 18 federal agencies and concluded that among other challenges to federal cybersecurity, "fragmented governance and uncoordinated leadership" hinder the ability to meet the government's cybersecurity needs.
A report issued this month by the Department of the Interior highlights the problems Berry and OPM plan to address. Among cybersecurity staff, Interior requires only self-certified training, and the inspector general found that only 13.5% of self-certifications were relevant and complete.
Furthermore, the report found a pipeline coordinator officer and a supervisory land examiner among many with non-security titles whose jobs were entirely focused on cybersecurity. Among the other problems identified in the report: several Interior CISOs don't hold top-security clearances as policy requires.
In the memo, Berry asked federal HR directors to send OPM information about cybersecurity job descriptions, vacancies, accreditation, training, performance management, and any governance frameworks they have in place, as well as details of the challenges they face.
It's unclear when final policies might be released, but OPM plans to organize the models around three categories of cybersecurity pros: IT operations, law enforcement, and specialized operations that include classified work on "collection, exploitation and response."
NOTE FROM CLEMENT:
LOOK AT THE FOLLOWING REPORT WHICH IS INTERESTING:
Finding the flaws in your operating systems and applications is only the beginning. You then need to plot a path to security and ensure that no new weaknesses find their way onto your network. This Dark Reading report focuses on how to do that. Download the report here (registration required) "
Microsoft Security Intelligence Report for first half of 2009 Posted by boss on Tuesday, 10 November 2009 @ 21:00:44 EST (1334 reads) Topic Awareness Info
cdupuis writes "Microsoft Security Intelligence Report provides an in-depth perspective on malicious and potentially unwanted software, software exploits, security breaches and software vulnerabilities (both in Microsoft software and in third-party software). Microsoft developed these perspectives based on detailed analysis over the past several years, with a focus on the first half of 2009.
The latest Microsoft Security Intelligence Report shares security best practices from countries that have consistently exhibited low malware infection. These best practices and security intelligence provide a valuable resource for business leaders who need to make accurate decisions based on the threats that are most pressing today. Infection rates and threats vary geographically, and the report contains proven best practices from countries with the lowest infections. For example, infection rates in Japan, Austria and Germany remained relatively low during this period.
Comments from Prakash: This is a detailed report of 232 pages from Microsoft with inputs from Microsoft Malware Protection Center & Microsoft Security Engineering Center. It gives a complete overview of threats around the world.
Download Report: http://www.microsoft.com/downloads/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd
Hope the Security Community finds it useful - Prakash "
Replicating the Gonzalez Cyber Attacks through Penetration Testing Posted by boss on Wednesday, 26 August 2009 @ 21:18:31 EDT (1626 reads) Topic Awareness Info
cdupuis writes "
YOU’RE INVITED: IT SECURITY WEBCAST
“Replicating the Gonzalez Cyber Attacks through Penetration Testing"
*** A recording of the webcast will be sent to everyone who registers, so be sure to sign up even if you can’t attend the live session. ***
---------------------------------------------------------------------------------
Last week saw the indictment of cybercrime kingpin Albert Gonzalez, one of the accused masterminds behind high-profile data breaches at Heartland Payment Systems, Hannaford Bros. Supermarkets, 7-Eleven, and TJX. Next week, Core Security Technologies will present a hands-on look at the attacks Gonzalez and his co-conspirators are believed to have used in breaching these organizations.
Leveraging the actual indictment document as a guide, Core Security senior product manager Alex Horan will use CORE IMPACT Pro penetration testing software to demonstrate the techniques by which Gonzalez allegedly stole millions of credit card numbers* – showing you how to identify IT exposures in your own environment before cybercriminals do.
During the webcast, you’ll see a step-by-step depiction of an attack similar to that described in the Gonzalez indictment, including the following critical stages:
• the initial web application compromise via SQL Injection
• the use of a well-known backend database command to make the attacks even more invasive
• the planting of malware on the backend database server
• the collection and transmission of credit card transactions to the attackers
Through the demonstration, you’ll also learn how commercial-grade penetration testing software enables you to see your IT systems as an attacker would -- not only by determining if the kinds of issues that Gonzalez reportedly leveraged are present in your environment, but also by …
• assessing how deployed defenses react to specific threats
• revealing what systems and data would be exposed by a breach
• depicting how chains of vulnerabilities open paths to mission-critical systems and information
• providing actionable data for immediately mitigating critical exposures
• repeating tests to ensure the effectiveness of remediation efforts
This webcast is ideal for anyone interested in proactively assessing their security posture against real-world cyber threats.
*Core Security has no specific knowledge of the Gonzalez case other than the information described in the indictment and other public sources. By presenting this technical information, Core Security is in no way prejudging, or presenting a position or opinion on, the allegations made against any of the parties named in the indictment.
Best Regards,
Core Security Technologies
41 Farnsworth Street
Boston, MA 02210
"
Social Engineering Posted by boss on Sunday, 16 August 2009 @ 22:05:44 EDT (1745 reads) Topic Awareness Info
Anonymous writes "
At a time when the economy demands all our attention, information and the intelligence of systems, processes and organizations that use it are at the heart of corporate change strategies. These changes are necessarily accompanied by protection measures; however, a silo approach is still evident which benefits a resurgence in social engineering. Nevertheless, the means to counter social engineering are within the reach of corporations, but they must be integrated within a holistic approach to information security.
Good news!... There is growing talk about protecting informational assets and this is a significant development because scarcely four years ago, we were far from hearing the discourse held today by corporations and experts in the field. Indeed, for too long, security has been consigned to a technological level, generally information technology, without managing to tie it effectively and coherently to the overall framework of corporate management.
Have we entered the era of change?
I am not specifically referring to an impending exit from the economic crisis, although this situation is strongly influencing our practices, but everything leads us to believe that the position of corporations with regard to good security practices is evolving positively. At least we can agree that good intentions exist to adopt a protection model centred on the only asset truly at the heart of our activities: information. This development brings its set of changes, of course, particularly since other major projects are already under way that aim essentially to consolidate and transform information systems in regard to new trends (e.g., computing cloud).
Information, the source of knowledge and understanding, supports business intelligence
The importance of the information legacy cannot be overstated, especially in the type of crisis we are living through. Paradoxically, the present situation is conducive to envisaging the changes that will accompany the evolution of the business world in coming years. In this context, it is easy to understand that information directly feeds knowledge and understanding, and consequently represents an obvious competitive advantage for corporations when it is well mastered. This particularly affects the “intelligent planet” model introduced by IBM, and which accompanies the holistic approach that it has been developing for its customers for years in the area of information protection[1]. This global concept is based on the fact that intelligence today occupies a place of growing importance in working methods in the world: the systems and processes by which goods are designed and services provided and circulated, and finally how billions of people and corporations work and live around them.
What underlies this thinking?
Clearly the business world is strongly interconnected, with increasingly sophisticated means. One direct consequence is the quantity of information created by all these interactions, which is growing exponentially. All these goods and services provided thus become an essential part of the intelligence, particularly at the basis of development of corporations. In this evolution, organizations, individuals and information systems can analyze these mountains of data and transform them into decisions and real measures capable of making the world better – more intelligent.
What place for protection measures?
Having made this first observation, let’s look at it more closely to see how information security is affected. We see that corporations are still far from moving from words to concrete actions even though a few isolated initiatives have been carried out. Consequently, the nature of these initiatives does not give an overall view of the challenge presented by information protection for which corporations are responsible.
A question of culture?
On the one hand, the current culture has not yet reached sound management of sensitive information, but has embarked on this road. In addition, several by-products can be observed when looking at the exponential growth of social networks (e.g., Facebook), the increasingly asserted advent of the computing cloud, the consolidation and virtualization of information processing environments, the delocalization of information itself, and the accelerated adoption of new work models (e.g., telework, increased mobility) which pushes us to rethink the way we use and access information.
Protection initiatives confined to legal and regulatory constraints
On the other hand, the protection measures implemented by corporations are essentially aimed at complying with laws and regulations in force and not really attempting to redefine the scope of their needs in this area. This poses a problem given the fuzziness suggested by the current legal and regulatory framework (e.g., little emphasis on the behavioral approach and identity management integrated with corporate realities).
"
It's all about people, process, and technology. Posted by boss on Tuesday, 10 March 2009 @ 22:44:30 EDT (1266 reads) Topic Awareness Info
stealthiss writes "It's all about people, process, and technology. Technology is dead last in the order of importance when it comes to security.
The recent and explosive growth of the Internet and technology has brought many good things such as e-commerce, collaborative computing, online markets and new avenues of sharing and distributing information. But each side has its counterpart, and with the technological advances came hackers. With this dark side and the many security breaches that are associated with it, companies, governments and individuals are afraid of hackers breaking into their servers or networks, stealing valuable data, collecting passwords and intercepting financial and credit card information.
And many times this can become reality. Recently, there has been a flurry of security breaches among large organizations such as Western Union, that reported a security breach on their Web site that let loose the credit-and debit-card information for 15,700 customers. Another recent hacker case is a 16-year-old youth, who admitted hacking into military and NASA computer networks. His activities caused a three-week shutdown of NASA's systems and a security breach of a military computer network which protects against conventional, biological, chemical and nuclear-weapon attacks. That's just a small sampling of actual hacks. Most industry watchers agree that only a handful of security breaches are ever reported.
For a long time, most computer network crackers hacked a system for the same reason: "Because it's there." But that's no longer the only reason or even the dominant one. More hackers now do it because "It's where the money is." In the past decade, hackers have changed from script kiddies who hacked websites and spread worms to professionals sponsored by foreign governments and organized crime. Modern hackers want more than infamy. They exploit new technologies to crack systems or hack into computer systems and hold data for ransom. Hackers today commit real crimes, sometimes for significant financial gain.
To safeguard themselves from the modern hackers, most companies and government agencies that want to uncover network and system security vulnerabilities have two choices: they can hire a team of penetration experts to scan and probe their systems and uncover their vulnerabilities, or they can wait for a malicious hacker to come by and exploit them. Unfortunately, many times it is the latter. A security analysis or penetration test, performed by a security consultant, would produce a report or security posture assessment, detailing all vulnerabilities found and the actions needed to remedy them and minimize the risk of being the victim of a successful hack attack.
The security consultant or penetration expert can be a "white hacker", someone who uses ethical hacking to discover vulnerabilities within a network or a reformed "black hacker", who once was an active part of the dark side and used to exploit the identified security holes. The subject of whether it is ethical to use former hackers to evaluate a network’s security is a topic that is often hotly debated - and for many reasons.
Ethical hackers or security consultants typically have very strong programming and computer networking skills and have been in the computer and networking business for several years. Their base knowledge and expertise is augmented with detailed knowledge of the hardware and software, project management skills and methodology which are necessary for the actual vulnerability testing, as well as when reporting after the test was performed. In addition to that, ethical hacking seminars, courses and certifications are being offered to IT professionals to broaden their horizons and skills in these fields. But many times these hacking courses and seminars only provide a very limited insight, outdated hacking or only basic hacking techniques. Their main purpose is to educate professionals, not to create a new generation of hackers. The goal is to fill security holes, not exploit them.
A disadvantage that white hackers or security consultants have compared to hackers is the real world experience and the inside knowledge. There are many things that cannot be taught in a seminar or learned from a book. The most obvious advantage former hackers have is the real world hacking experience. As each network system differs based on various network defenses and configurations, the hack approach will be unique, and only someone with plenty of real world hacking experience can efficiently go from using one technique to another as required by the present situation.
Another positive aspect of hiring reformed hackers as security consultants is that staying up on the latest security exploits, vulnerabilities and countermeasures is part of their job. A good hacker has a level of security knowledge that goes far beyond that of most other IT professionals. Keeping up with the latest exploits and countermeasures is a full time job and although the IT professional has an acceptable level of security knowledge, they must focus most of their attention on the day to day responsibilities of keeping the network up and running. To make up these "deficiencies" many white hackers and security consultants rely on automated and commercial vulnerability and penetration software, that can provide needed security reports, but their functions are limited. The huge differences can be seen when comparing the results from an automated scan and a hacker assessment or professional penetration test.
But before a company makes the decision to hire a reformed hacker, one needs to evaluate the negative sides. Certainly there are several types of hackers that can be found. One kind of them are the "gray hats" - the unpaid tinkerers who find flaws to improve security for everyone. They are the best hackers, because their passion for tinkering drives their excellence and they do not break the laws. The black hat hackers - the criminals - break the law and feel justified doing it. They are the kind of hackers who seek to increase their fame in the hacker community, while others want to prove at any cost that their targets' security is vulnerable. Black hats wreak havoc not only by their own actions but also by drawing attention to weaknesses that they and cybercriminals can exploit. The last and worst kinds of hackers are the cybercriminals, who perpetrate the worst crimes. They are paid to use existing tools and techniques to steal confidential personal, government or industry information, and particularly financial data. Cybercriminals usually work for foreign governments, organized crime or independently.
Probably the biggest negative in the decision-making process is trust. Which hacker will you hire, and how much can you trust them? The main premise of security is deciding who you trust and then locking out everyone else. When hiring a hacker as a security consultant because of network security concerns, paradoxically the trust goes to the criminal. Not only is it the trust factor that plays a major role in the decision-making process, but also the impact the decision might have on customers and shareholders. How would the customers react if they knew a former criminal was hired to test the security of a system or database that contains all their personal and financial information? Someone with questionable morals and judgment is not someone who should have control of a corporate network with sensitive data. In most cases hackers, and that is what makes them hackers, do not appreciate or respect standard business processes and structures. A disgruntled hacker with inside knowledge of a company's networks could create a nightmare scenario.
Hackers are like adventurers, motivated by intellectual curiosity. "The more secure you make your systems, the more you attract them. The hacker mind-set is like exploring space, except they're exploring the network." If that essential curiosity about finding out how things work, which is what causes people to be hackers, goes away, then you don't necessarily want that person as a hacker or security consultant. However, just because a hacker has the desire and capabilities to explore a network does not necessarily make them prepared to build a secure network and fix identified vulnerabilities. Breaking into things does not always mean knowing how to fix them. These are two different skill sets. Once security threats have been identified, they need to be communicated, including the potential business processes affected by the vulnerability, along with a list of impact assessments and countermeasures. Besides technical knowledge, the hacker will need to have experience in business processes and management to relay his findings to the company.
Another key factor to consider before making a decision on who to hire as a security consultant is to know that no computer system is ever completely secure, especially when considering the human factor. Spending astronomical amounts of money pursuing total security, by hiring security consultants and eventually becoming dependent on them, is not going to help. Some corporations in some industries must guard against intrusions from tech-hungry foreign governments - in particular China, France, Israel, Japan, Germany and Russia - that converted their cold-war spy machinery into "economic espionage" units, but that does not apply to all businesses. A realistic set of goals for what to expect from a security consultant needs to be set first.
But no matter what the decision is, and whether the company hires a professional security consultant or a reformed hacker, the real threat will still be there. Any hacker who wants to exploit a system will always try to use the path of least resistance. This path of least resistance is often through the front door. The front door can be "identified" as the area over which businesses may have the least control: people. People are the weakest but first link when it comes to security. With good social engineering skills and not very well trained employees, disgruntled workers and ex-employees, a hacker can get enough information to access a system, insert malicious code that contains keystroke and network sniffers, and use other means to collect information. The hacker just "exchanged" his keyboard for social engineering. And this is a part of security where a highly educated security consultant or a reformed hacker will not be able to help you. "
Social Engineering - Probability & Uncertainty Posted by boss on Wednesday, 24 December 2008 @ 10:37:59 EST (1900 reads) Topic Awareness Info
rajapaul writes "The most common question which has been asked again and again is how do we stop social engineering. Is there any solution to stop social engineering? The answer is always the same: Educate People.
If we go with the definition of social engineering according to Wikipedia, it is: "In criminal activity, social engineering is the art of manipulating people into performing disclosure actions or divulging confidential information."
If we take a close look at the definition, then social engineering is an activity or activities performed by an individual to get a desired result. Different types of activities may be carried out by different social engineers. But the desired result of all social engineers is more or less the same.
Let us consider a cricket match. A bowler bowls with the probability that he is going to get a wicket. But it's uncertain whether he is going to get a wicket or be hit for a six; still, he tries his best to get a wicket, that's his main goal. Similarly, the batsman is also uncertain what type of ball is going to come to him. But to face the uncertainty the batsman takes all the probabilities (like guarding the wicket, going back foot or front foot while hitting the ball) into account. So the greater the number of probabilities taken into account by the batsman, the easier it becomes for the batsman to face the uncertainty. We can consider the bowler as a social engineer or hacker who wants to break through, and the batsman as the one who is defending against the social engineer at that particular time. Social engineers use all uncertain methods to break in. A Security Officer takes all the probabilities into account, facing the uncertainty.
What mathematicians call probability is the mathematical theory we use to describe and quantify uncertainty. So we can safely say that
probability = uncertainty
or probability is directly proportional to uncertainty.
So with the increase in probability the uncertainty also increases. So if we are able to decrease or minimize probability we can minimize uncertainty.
The Security Officers need to imagine and study the possible uncertainties. I have knowingly used the term imagine. It is said if you want to catch a criminal you have to think and act like a criminal. The same applies here also.
Click on Comments below to leave your opinion and feedback "
NoticeBored Newsletter, December 2008, Securing your IT Gizmos Posted by boss on Friday, 28 November 2008 @ 22:27:17 EST (1753 reads) Topic Awareness Info
cdupuis writes "
Information security awareness newsletter
December 2008 - Securing IT gizmos
Dear Clement, Portable IT devices such as cellphones, PDAs, USB memory sticks, GPS units, iPods and laptops are a ubiquitous part of modern life but, unfortunately, they are also commonly involved in serious information security incidents. Information security risks can undermine the personal and business benefits of gizmos. As new gizmos and hacks are appearing all the time, it's important for information security professionals to be alert to the emerging security risks. The trends toward lower prices, digital technologies, device miniaturization, increased memory and CPU capacity, and longer battery life are all too clear from the advertisements. Strangely enough, the security risks associated with portable IT and teleworking are not quite so obvious. Will Santa be bringing you gizmos for Christmas? Enjoy the free newsletter and do get in touch if we can interest you in becoming a customer for the remaining NoticeBored awareness materials. Kind regards, Gary Hinson CEO, IsecT Ltd.
Copyright © 2008 IsecT Ltd. Information in the newsletter is provided free, for information only and 'as is'. Whilst believed correct, it is in no way comprehensive. It is provided for interest only and is not intended to be relied upon as formal advice. No liability is accepted for any errors or for any losses that may be incurred if any such information is relied upon. You may freely distribute the PDF version of the newsletter intact (including the copyright notice and attribution) but please let us know if you intend to post it on the web. Find out more about NoticeBored here.
"
Keyboard emanation and security Posted by boss on Wednesday, 26 November 2008 @ 14:22:07 EST (2219 reads) Topic Awareness Info
cdupuis writes "NOTICE FROM CLEMENT: This is an article talking about very old attacks based on wave emanation. However, it is still very much a threat that could take place today. It is revisited to make people aware of the threat. See info below:
Hello,
An interesting article concerning the compromising of electrical emanations (TEMPEST) of wired keyboards:
http://lasecwww.epfl.ch/keyboard/
Cheers,
kralor - HiC & [Crpt] "