Security

The Eight Rules of Security

Submitted by jbreland on Fri, 02/20/2004 - 22:08

This is an article I've been wanting to post on here for quite a while. This article discusses the major fundamental security rules, based on processes and policies rather than technology. A lot of this, honestly, is common sense, but unfortunately it's the simple things like this that are so often overlooked.

Traditionally, people look at the infosec field as something to do with firewalls and antivirus. They treat technology as THE solution, instead of simply the enabler. And it's this fallacy that weakens any security implementation. Security is a process, not a product... and should be treated as such. Throughout the security lifecycle, policy and procedure need to take precedence over implementation. They're a bigger part of the circle for a reason.

Overall, this is a concise, well thought out, and well written security article, and is definitely a must-read.

The Eight Rules of Security

The Evolution of a Cryptographer

Submitted by jbreland on Mon, 10/27/2003 - 01:12

Anyone with experience in the IT security field should be familiar with the name Bruce Schneier. Author of Applied Cryptography, he's one of the definitive experts on cryptography, and he's recently been expanding his expertise into the wider world of security in general.

He recently granted an interview to CSO Magazine, in which he discusses various issues facing security professionals, concerns in a post-09/11 world, and several other topics. He also discusses/plugs his new book, Beyond Fear, which seems like it should be a very interesting read.

Here's the full interview.

OpenSSL Security Advisory

Submitted by jbreland on Wed, 10/01/2003 - 14:47

A DoS vulnerability exists in all versions of OpenSSL prior to 0.9.6k and 0.9.7c. Upgrading as soon as possible is recommended. Read the full advisory for more information.

Also, on an unrelated note, two recent vulnerabilities in OpenSSH were discovered. This is a couple of weeks old now, but definitely important enough to mention here. Short story: upgrade to OpenSSH 3.7.1p2 ASAP. For more information, read the original advisory, as well as the newer portable advisory.

Security Expert Geer Sounds Off on Dismissal

Submitted by jbreland on Wed, 10/01/2003 - 09:17

For those not up to speed on this story, last week Dan Geer (CTO of security consultancy @stake) and several others released a report entitled "Cyber Insecurity: The Cost of a Monopoly," in which they discussed the security issues related to Microsoft's market dominance (the actual report can be found on the CCIA homepage).

Surprisingly, Geer was fired from his position as CTO of @stake one day after releasing the report. Why? Although @stake denies any involvement, Microsoft is one of their largest customers. Hmm... piss off a client in legitimate research and get fired? Wonderful.

So now, one week later, Geer himself has finally been interviewed about this. You can read the full story here. Although it's nothing earth-shattering, it does sum up the incredulity of the whole situation. Definitely worth a read.

Two Security Articles

Submitted by jbreland on Fri, 06/13/2003 - 09:15

I recently came across a couple of good security-related articles that are well worth reading.

The first is an introduction to firewalls and backdoors, describing each type, listing examples, and providing tips. Also contains links to some very useful external resources. http://securityfocus.com/infocus/1701

The second article discusses real-time alerting with snort, the most popular open-source IDS (Intrusion Detection System). http://newsforge.com/article.pl?sid=03/06/09/1939256. It does not cover installation or initial configuration, however; check out the snort documentation for details on this.

Human Error Is Greatest Security Risk

Submitted by jbreland on Wed, 03/19/2003 - 15:11

According to a new security survey released by the Computing Technology Industry Association, human error, rather than technology, is the most significant cause of security breaches.

Of course, anyone that's worked in the security field can certainly tell you this. Social Engineering, anyone?

More info can be found at the PCWorld article below:

http://www.pcworld.com/news/article/0,aid,109872,00.asp