Opinions

Backdoors at the Forefront

March 30, 2014

Backdoors are once again thrust into the forefront with this week’s breaking news that the NSA allegedly hacked Chinese router company Huawei’s servers. Back in October 2012 the House Intelligence Committee accused Huawei, which claims to interconnect one third of the Internet, of embedding backdoors into routers and “posing a national security threat.” And thanks to another Edward Snowden bombshell, we now know that the NSA took their own measures to ensure perpetual access to Huawei routers.

Government espionage is nothing new. Although both sides in the example above dismiss the claims, these recent developments confirm that the location of the battlefield is forever changed. Instead of bullets and bombs, the new intelligence war is being fought with almost imperceptible bursts of electricity. Reminds me of the classic AC/DC song “Dirty Deeds Done Dirty Cheap,” where they poetically proclaim that, “For a fee I’m happy to be your backdoor man.”


The Broken: Assessing Corporate Security in 2012 to Make a Better 2013

December 19, 2012

by Paul Jaramillo, CISSP, EnCE

So as we are about to close out 2012, many of us in the IT Security community look around and try to assess where we were, what we have accomplished this year, and what is next. I’ve been working in IT since the late 90s with a focus on security for much of that time. Most of my work has been in large private-sector companies with a brief but very rewarding stint working for the government. To me, while much has changed, many of the core issues remain today as they were back then. Our security condition has actually worsened in many cases. While that is up for debate, no one can argue the pace, sophistication, and impact of major cyber events related to nation-sponsored, organized crime. Hacktivism threats have increased exponentially in the last 4-5 years as well. This new normal has been applicable to the government and defense industrial base for a long time but really surfaced in the private sector around 2007. You would assume that with all that increased attention, dollars and executive support at the highest levels, it would be making things happen. To a certain extent they are, but we as an industry are still losing in the never-ending cat and mouse game with our adversaries. Why?

Over the years, I have sat through countless “you’re doing it wrong” or “we’re screwed” type of presentations. Some of them were very informative, and I absolutely respect anyone that publicly voices their opinions and ideas, knowing they will be criticized and nitpicked for things taken out of context. However, I often leave conferences with a desire for a way to fix what we all know has been broken. So what is stopping us? That is where I would like to focus some energy. What are the key roadblocks and stumbling points that are keeping the security industry from truly raising the bar as opposed to being stuck in a continual state of catch up?

The ideas that follow are not all my own, and I’m sure I have subconsciously absorbed them or unknowingly added them to my mantra. I have a set of wise men that I learn from constantly; however, I won’t list them out or directly associate them to this article out of respect. These ideas shouldn’t be taken as a statement of fact either, as they are only my humble opinions. My goal is to start a real discussion and provide a starting point for documenting and overcoming our greatest challenges to our broken system.


A Rant About Hacking Labs

February 11, 2012

By Thomas Wilhelm, ISSMP, CISSP, SCSECA, SCNA

One of the more frequent questions I see on EH-Net pertains to creating pentest labs. Individuals new to the topic of hacking often have a limited understanding of what type of equipment is required, or how to go about setting up a lab to practice all of the cool attacks they have watched on YouTube. Details on how to get started using a single system and virtual machines are numerous – including some I have done. However, I think there is one question not being asked enough when discussing hacking labs… “Why do you want a lab?”

Most people create a lab containing a single host system and include virtual images of various Operating Systems. Unknowingly they have just restricted themselves to a very finite portion of real-world hacking – system attacks. I’m not even sure I can classify these “system attacks” as internal (within the corporate network) or external (Internet-facing services), due to a lack of support systems typically found in corporate networks. Absent are the routers, firewalls, IDS/IPSes, Windows networks, switches, etc. Without these, we don’t really have a good example of what someone might face during a real pentest, nor do we create an effective learning environment.


InfoSec in the Boardroom

December 29, 2011

Eli Sowash, CISSP

As an information security professional, the task of communicating InfoSec concepts and concerns to executive management can sometimes be challenging. That security breaches like Sony, RSA, and Lockheed are grabbing mainstream media attention means security ideas and concerns are increasingly making their way to the boardroom. Since executive support can be one of the most valuable tools in the InfoSec professional’s toolbox, using these case studies with your own management can be a great starting point in letting them know that the security team understands the risks to the business.

It’s the job of an organization’s executive management to set the strategic direction, and building a relationship with the management team can mean incorporating proper security practices into the business process at the highest level. InfoSec professionals can then parlay this seat at the table with the baby step of an awareness program, which is a great way for management to lead by example.

We are all being called upon to answer to and collaborate with senior management differently than in years past. Here are three tips I’ve found that help to explain our world to the businesses we’re protecting.


Insider’s View of Certified Expert Penetration Tester (CEPT)

January 15, 2008

When approaching security industry luminaries over the course of the last year about the CEPT certification, the typical first response I have received is usually quite blunt: "Oh great, YET ANOTHER CERTIFICATION. Just what the security industry needs." And, to this point, I do have to agree, the security industry does not need another certification that:

  • Tests a basic level of knowledge of INFOSEC subjects (à la the CISSP, SECURITY+, SCNP, ad infinitum)
  • Only tests the ability to regurgitate memorized information over a 2-6 hour time period
  • Is easily compromised by cheaters downloading actual exam questions for $59.90 from "teh interwebs"
  • Or, even worse, cheaters that cheat the exam cheater companies by pirating a copy of exam questions from bittorrent

All of this results in a large group of people that have achieved a specific certification, but, in reality, have no real understanding of the subjects tested OR, more importantly, the ability to perform job duties that the certification is CERTIFYING in the first place!


Digital Forensics – Not Just for Cops

July 24, 2006

By Michael Roberts, Founder and President of Mile2

Having been involved in the IT Security Education space for some time I have found that it is a common misconception that Computer Forensics training is only for Law Enforcement. On the contrary, the FBI is currently so backlogged with computer-related criminal cases related to terrorism and big crime that they will often pursue only serious felony cases. If the FBI decides to take on a felony case it can be subsequently shut down by their local US Attorney whose case load is so heavy that they cannot handle additional cases despite the FBI's willingness to pursue.

Justifying Security Training

July 2, 2006

By Michael Roberts, Founder and President of Mile2

I am probably preaching to the converted with respect to the distinguished visitors at this venue. Notwithstanding, please humor me for a few minutes and carefully read and consider the assertions below in the hope that it may give you some ideas to help “loosen the purse strings” of those in your organization who make training budget decisions.

Unlike “commodity” training such as commonly available Cisco and Microsoft certification courses, IT security training investments require a higher degree of due diligence on the part of the student and on the part of management personnel responsible for Information Assurance within their organization.


Mile2’s Version of the CEH: A Review

October 16, 2005

By shavedlegs (Expanded version of a member post in CSP Mag Community Forums)

The Mile2 version of CEH is called CPTS, Certified Pen Testing Specialist, which consists of 5 days of instruction and labs. Overall, it was a good class. I learned a ton of stuff and enjoyed it.
