By Robert J. Shaker II, CISSP, CCSK, CGEIT, CRISC

Since the dawn of man there has been intelligence. Hunter gatherers would venture out and learn from the world around them what each sound, smell, and taste meant. The growl of a large predator would alert them to prepare for a defensive effort or to change paths. The smell of smoke meant other humans were nearby, and the taste of bitter meant something wasn’t edible. As time marched forward, needing to learn more about the other packs of humans around them became more important. There was competition or cooperation for resources but this required getting to know the other pack. Sometimes the best way to do that was to spy on them, to gather intelligence about the way they behaved, the way they interacted with each other and to determine how strong or weak they were.

Regardless of the point in history, this has always proven to be true. We can see it as we progress through our modern era. In fact, this became so important that commercial intelligence companies began forming. The Age of Exploration saw a boom in this industry as the colonial armies grew. Their need for intelligence required outside parties, whether to help with the sheer volume of work, geographic disbursement or to give plausible deniability.  Is it so different now?

Today, we are up against countless adversaries. They’re nameless, faceless and shrouded behind false information. The ships that are on the horizon, the spies in our midst and the fortress we protect are all in the digital domain. The virtual skies are foggy and visibility is low. Today’s environment is much more difficult to navigate. The one commonality between these two vastly different times is the importance of human intelligence, and I’d argue that today it’s even more important than ever. A couple scenarios below will illustrate just how important it is for our innately human talents to remain a vital part of cyber security.

By Todd Kendall

Security professionals are often tasked with the unenviable position of wading through millions of bits of data, the review of thousands of systems, or the evaluation of hundreds of applications.  At the end of the day it is their job to provide the ten thousand foot view of an organization and the highest rated findings that put it at risk.  Information overload is a common theme in today’s society, and management requires the presentation of this material in a digestible manner of typically one page or less.  The ability to provide this service requires what is often referred to as “seeing the forest for the trees.”  In other words, don’t get distracted or bogged down by the minutiae of your discoveries at the risk of overlooking the big picture.

When it comes to computer forensics, however, the tables are flipped.  When an event turns into an incident and management must answer to a board or the company’s shareholders, the ten thousand foot level is no longer adequate.  At this point, every packet that ever crossed your company’s domain becomes suspect, and expectations are set whereby the answers to the questions such as, how did it happen, what damage did it do, where did it come from, when exactly did it occur, and who did it, requires the puzzle to be unravelled and presented in such excruciating detail it would make Melville  take up skim-reading.

In a slight twist but not completely out of the ordinary, I have an announcement. As most of you know, I pick the winners not only based on participation but also on the ability to utilize the prize. I have also in the past taken special requests and rearranged winners to meet the needs of those who contribute the most. This usually takes place behind the scenes and is often the reason it looks as though someone who didn't participate the most wins. Because many others couldn't utilize the prize, and I thus had to keep going down the list. That being said, I want to continue to be fair. Last month's winner was absolutely deserving but couldn't use the prize. So I'm making an executive decision and announcing that UNIX will receive the seat at SANS CyberCon beginning April 22 with his choice of the following:

   - SEC401: Security Essentials Bootcamp Style ($4,645)
   - SEC504: Hacker Techniques, Exploits & Incident Handling ($4,845)
   - SEC575: Mobile Device Security and Ethical Hacking ($4,845)
   - FOR408: Computer Forensic Investigations - Windows In-Depth ($4,845)
   - MGT414: SANS +S Training Program for the CISSP Certification Exam ($3,995)
   
   SANS is also offer two NEW Audit courses at CyberCon, running back-to-back.
   - AUD444: Auditing Security and Controls of Active Directory and Windows ($2400)
   - AUD445: Auditing Security and Controls of Oracle Databases ($2400)

So yes, this means that there's still a chance to win last month's prize of a full version of Metasploit Pro with 1 year of support. I will be contacting deserving EH-Netters very soon to give this prize away. I'll make the announcement in the forum thread for the Holiday Giveaway. Congrats and good luck to all of you as the prizes continue throughout 2013.

Love it or hate it, crowdsourcing is here to stay. While it’s been mostly confined to development and design, eventually it was going to come to security.  Two such gentlemen trying to pioneer the space are Casey Ellis and Sergei Belokamen. Being long-time hackers and having seen how the security space works, they decided to start Bugcrowd. Here’s a description directly from the source:

“Bugcrowd is by far the most comprehensive and cost-effective way to secure websites and mobile apps. We’ll do a brief consultation and help you set the budget, the duration, and which websites or apps you’d like our curated crowd of researchers to test. The Bugcrowd researchers get to work finding security flaws in your applications. All testing can be routed through Bugcrowd’s crowd-control system, providing control and accountability. Any bugs are submitted to our Secure Operations Centre as soon as they are found. We validate the flaws and, at the end of the bounty, reward the first researcher to find each unique flaw. We provide you with an easy to understand report for you to hand to your developers… We can even recommend partners to help you fix what we find!”
   
Join me as I interview them both about their new venture and uncover some interesting information about security testing on a massive scale, as well as how to start. For example, if you are a tester looking to participate, it couldn’t be easier. Fill out the “Ninja” form and create an online profile (public or private) in which you provide Bugcrowd with your PayPal email address. Then you wait until you receive an email message announcing a new bounty… and it looks a little something like this…