Category: Security

CISSP

There was a defcon talk about CISSP. Here is a summary of the talk as well as the actual slides:

https://b10w.wordpress.com/2012/08/01/regarding-the-cissp/

http://attrition.org/security/conferences/why_you_should_not_get_a_CISSP-public.pdf

http://attrition.org/security/rant/cissp_convenient_ethics/


I am not sure why this is necessarily a controversial topic, though it does seem to come up almost every year. Certs are a problem in IT generally and InfoSec in particular. I am not sure if CISSP is any different from any other cert out there. There are a handful that I consider worthwhile: GSE, different flavors of CCIE and maybe a handful of others, like MCA, RHCA and VCDX. The common thread that runs across all of these is the hands on test and demonstration of real world experience.

Everything else is really just resume fluff. It’s good enough for demonstrating that you have some concept of the fundamentals for a junior position, but not much else. No cert, and the CISSP in particular, demonstrates the expert-level knowledge it purports to. Ultimately, it’s almost always about showing a body of work and years of experience. I do think it’s a more pressing problem in the InfoSec field, simply because it’s such a broad domain and it’s more difficult to validate someone’s skillset.


BlackHat 2012, part II

As I’ve mentioned before, I didn’t make it out to BlackHat this year. These are the top 5 ways to tell you’re not at a Vegas con. 🙁 Some of the other notable things I saw coming out of BlackHat/Defcon:

1. A significant vulnerability in MSCHAPv2 and, by extension, Microsoft’s PPTP VPN. The keys are too small: 56-bit DES. If you’re still using it: don’t. The tool is here

2. A long paper about intrusion kill chains and a short summary of it. Here is one more for good measure. It boils down to the fact that you want to be able to detect and respond to an attack as early as possible. The only way to do that is to be able to look at events in context and be able to correlate disparate event streams into a single attack.
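The correlation the kill-chain papers call for, as an added example that is not part of the original post or of either paper: events from three separate sources (a mail gateway, an endpoint agent, a web proxy and a file-audit log) are parsed, each mapped to a kill-chain stage, and then grouped per host so that a host showing several stages in sequence surfaces as one attack rather than four unrelated alerts. The log line layout, source names, stage mappings and sample lines are all constructed for illustration.

```python
"""Correlate events from separate log sources into kill-chain stages per host.

Added example, not from the original post. The log format, the source names,
the stage mapping and every sample line below are constructed.
"""
from collections import defaultdict
import re

# Kill-chain stages in attack order (subset of the usual seven, for brevity).
STAGE_ORDER = ["delivery", "exploitation", "installation",
               "command_and_control", "actions"]

# (source, pattern over the message part, stage). Assumption: each source emits
# key=value messages in the shape the constructed sample lines use.
RULES = [
    ("mailgw",    re.compile(r"attachment=\S+\.(?:exe|scr|js)\b"),           "delivery"),
    ("edr",       re.compile(r"parent=(?:winword|excel|outlook)\.exe child="), "exploitation"),
    ("edr",       re.compile(r"persistence key=\S+"),                         "installation"),
    ("proxy",     re.compile(r"dst=\S+ beacon_interval=\d+s"),                "command_and_control"),
    ("fileaudit", re.compile(r"op=read count=\d+ share=\S+"),                 "actions"),
]

# "<timestamp> <source> host=<host> <message>" (constructed layout).
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) host=(?P<host>\S+) (?P<msg>.*)$")


def parse(line):
    """Split one raw line into its fields; None for lines that do not fit."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Map a parsed event to a kill-chain stage, or None if no rule matches."""
    for source, pattern, stage in RULES:
        if event["source"] == source and pattern.search(event["msg"]):
            return stage
    return None


def correlate(lines):
    """Build {host: [(ts, stage, msg), ...]} ordered by time, keeping only
    events that matched a stage. ISO-8601 timestamps sort lexicographically."""
    timeline = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage:
            timeline[ev["host"]].append((ev["ts"], stage, ev["msg"]))
    return {host: sorted(events) for host, events in timeline.items()}


def score(timeline, min_stages=2):
    """Hosts that show at least min_stages distinct stages, stages listed in
    kill-chain order. One stage alone is noise; several on one host is an attack."""
    alerts = {}
    for host, events in timeline.items():
        stages = sorted({s for _, s, _ in events}, key=STAGE_ORDER.index)
        if len(stages) >= min_stages:
            alerts[host] = stages
    return alerts


# Constructed sample: ws-17 walks the whole chain, ws-22 only beacons,
# ws-30 receives a benign attachment, and one line is unparseable.
SAMPLE_LOGS = [
    "2012-08-03T09:01:10Z mailgw host=ws-17 from=ext attachment=invoice.exe",
    "2012-08-03T09:03:42Z edr host=ws-17 parent=outlook.exe child=invoice.exe",
    "2012-08-03T09:04:05Z edr host=ws-17 persistence key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
    "2012-08-03T09:05:00Z proxy host=ws-17 dst=203.0.113.9 beacon_interval=60s",
    "2012-08-03T09:40:00Z fileaudit host=ws-17 op=read count=412 share=\\\\fs1\\finance",
    "2012-08-03T09:02:00Z proxy host=ws-22 dst=198.51.100.4 beacon_interval=60s",
    "2012-08-03T09:02:30Z mailgw host=ws-30 from=ext attachment=report.pdf",
    "garbage line without structure",
]

if __name__ == "__main__":
    tl = correlate(SAMPLE_LOGS)
    for host, stages in score(tl).items():
        print(host, "->", " > ".join(stages))
```

The point of `score` is the "as early as possible" part of the argument: with `min_stages=2` the host is flagged as soon as the exploitation event lands, minutes before any data leaves, whereas each source on its own would have raised a low-priority alert at best.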

3. A very neat attack tool. Could be excellent for pen testing.

4. Javascript attacks on SOHO routers.

5. Vulnerabilities in payment terminals.

6. How to attack poorly configured Apache servers. A new tool has been released for this. Vulnerability isn’t new; lazy admins with bad .htaccess files have been doing this for a while. This automates the process.

7. Possibly a nice extension to one of my favorite tools: Maltego.

8. A fairly significant 0-day against Oracle.


Securing users

I was reading an edition of PenTest Magazine (attached here for convenience). They’ve had a few decent articles in there, but one was talking specifically about securing your users. That’s an interesting topic. An attack against your company is very likely to come through the “meatware” vector. It’s often much easier than trying to find the latest 0-day or buffer overflow. Of course you have your security policies and user training, but even the security pros fall for a well-crafted phishing attack. Your expectation of the extent to which you’ll be able to harden and train your userbase should be limited. You need to be prepared for a breach to come through that direction.

A lot of defenses should be focused on isolating the user population from critical systems, so that when a breach does occur, the impact is limited. Of course users do need some access in order to perform their jobs, and that’s where it’s critical to focus on granular access controls, specifically RBAC. You also need the capacity to detect and respond to anomalies in user behavior. That’s what ultimately will allow you to contain the threat and limit its impact.
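Both halves of that paragraph in working code, as an added example that is not from the original post or the magazine article: a default-deny RBAC check that grants only the exact (resource, action) pairs a user's roles list, followed by a behaviour check over the resulting access log that flags a user who keeps hitting denials (probing outside their role), whose request volume is far above their own baseline, or who has no baseline at all. The roles, permissions, users, baseline numbers and access log are all constructed.

```python
"""Default-deny RBAC plus a per-user behaviour baseline check.

Added example, not from the original post. Roles, permissions, users,
baselines and the access log are constructed for illustration.
"""
from collections import Counter

# Role -> set of (resource, action). Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "sales":    {("crm", "read"), ("crm", "write")},
    "finance":  {("ledger", "read"), ("ledger", "write"), ("crm", "read")},
    "helpdesk": {("tickets", "read"), ("tickets", "write"), ("directory", "read")},
}

# User -> roles. A user absent from this table has no roles, hence no access.
USER_ROLES = {
    "alice": {"sales"},
    "bob":   {"finance"},
    "carol": {"helpdesk"},
}

# Typical requests per hour per user, learned from a quiet training window
# (constructed values). Users without an entry cannot be baselined.
BASELINE = {"alice": 20, "bob": 15, "carol": 30}


def is_allowed(user, resource, action):
    """Default-deny: grant only if one of the user's roles lists the exact pair."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def authorize(requests):
    """Evaluate each (user, resource, action) request; return decisions with the
    verdict appended so the same records can feed the behaviour check."""
    return [(u, r, a, is_allowed(u, r, a)) for (u, r, a) in requests]


def anomalies(decisions, baseline, deny_threshold=3, volume_factor=3.0):
    """Flag users worth a look: repeated denials, volume well above their own
    baseline, or no baseline at all (an account nobody has seen before)."""
    denied = Counter(u for u, _, _, ok in decisions if not ok)
    volume = Counter(u for u, _, _, _ in decisions)
    flagged = {}
    for user, count in volume.items():
        reasons = []
        if denied[user] >= deny_threshold:
            reasons.append(f"{denied[user]} denied requests")
        if user not in baseline:
            reasons.append("no baseline for user")
        elif count > volume_factor * baseline[user]:
            reasons.append(f"volume {count} vs baseline {baseline[user]}")
        if reasons:
            flagged[user] = reasons
    return flagged


# Constructed one-hour access log: alice behaves normally, bob probes three
# resources outside his role, carol's account suddenly makes 100 requests,
# and an unknown account tries the ledger once.
ACCESS_LOG = (
    [("alice", "crm", "read")] * 18 + [("alice", "crm", "write")] * 2
    + [("bob", "ledger", "read")] * 10
    + [("bob", "crm", "write"), ("bob", "tickets", "read"), ("bob", "directory", "read")]
    + [("carol", "tickets", "read")] * 100
    + [("mallory", "ledger", "read")]
)

if __name__ == "__main__":
    decisions = authorize(ACCESS_LOG)
    for user, reasons in anomalies(decisions, BASELINE).items():
        print(user, "->", "; ".join(reasons))
```

The access decision and the behaviour check deliberately read the same records: the denial count is only meaningful because the authorization layer is default-deny, and the volume check only works because each user is compared against their own history rather than a global threshold.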