Domain: giac.org
Stories and comments across the archive that link to giac.org.
Comments · 35
-
Re: Yes and no...
You didn't answer the question: what CSO training programs exist out there? None.
Well I'd start by expecting professional qualifications such as CISSP or at least one or more GIAC certifications...
Particularly GIAC Security Leadership or GIAC Strategic Planning, Policy, and Leadership.
-- Pete
-
Re:Flash Bugs running on Microsoft Windows ..
-
Re:A plea to fuck off.
"Why the hell don't you have port knocking enabled for SSH?"
Because http://www.giac.org/paper/gsec... maybe.
Have you even read it? Or did you "think" no one else would?
Was that the only thing you could find about portknocking in your Google rush?
It only says three "bad" things about portknocking:-
- Portknocking is bad because malware might install some form of portknocking. Which is irrelevant because not installing portknocking doesn't affect in any way whether malware might install its own portknocking.
- Portknocking is bad because it's security through obscurity - which is as stupid as saying running ssh on a non-standard port is security through obscurity. i.e. obscurity is only bad if it's the only security.
- Knowing the knock can open your system. If it's the only system authentication you use. It shouldn't be.
There are other, more valid risks with port knocking which your "security powerslide presentation for n00bs from 2004 overlooked":-
- The knock sequence could be captured. Only if you don't enforce sequence rotation. Or better, use SPA.
- It's another piece of software that could go wrong. Maybe, it's pretty well time tested and audited.
- It's hard to log. Not really. But if you find it hard you can do the same thing with iptables or authpf.
Portknocking is not a perfect solution - it's a way to lower your profile, just like using a non-standard port, which it very effectively does - which is why it's one way of meeting the mandatory requirements for ASD privileged networks. Keeping the hordes from the gates is just as important as securing the gates.
Employing it using default settings is not recommended; I'd increase the timeouts (port knock fails, the port is locked out for a few minutes). There are alternative solutions (I've already mentioned using iptables to achieve the equivalent of kernel level portknocking, and authpf) but there are also others. But you're the expert.
Allowing ssh passwords is certainly not Best Practice security. TFA is.
fail2ban? It works with IPv6 does it? (try sshguard, it does). With passwords enabled, your ssh port visible and protected from bruteforce attacks only by fail2ban you must chew a shitload of bandwidth and log space. Given that, and your earlier post, you're definitely not in a position to decide whether I'm a security professional. I don't claim to be - that'd be a full-time job in itself, but the people who work for me are, as are the clients. Just about every client here is defence or directly connected; failing an audit would be too costly to rely on the sort of citations you supply to justify using well documented Bad Practice security.
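The mechanics the comment above argues about (a knock sequence that rotates so a captured one is useless, a timeout between knocks, and a lockout after a wrong knock) as an added example, not code from the commenter or from any real knock daemon. The port pool 40000-49999, the HMAC-based sequence derivation per 30-second window, and the timing constants are all assumptions chosen for illustration; a real deployment would sit behind a packet capture or firewall log feed and drive firewall rules from `is_allowed()`.

```python
"""Port-knock state machine with rotating sequences, per-source step timeout and lockout.
Added example, not code from the comment above or from any knock daemon; the
port pool, sequence derivation and timings are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

KNOCK_POOL_LO = 40000    # assumed: only packets to 40000..49999 are treated as knocks
KNOCK_POOL_SIZE = 10000


def knock_sequence(secret: bytes, now: float, window: int = 30, length: int = 3) -> tuple:
    """Knock sequence valid for the time window containing `now`.
    Deriving it from HMAC(secret, window) rotates it every `window` seconds, so a
    captured sequence stops working once the window ends."""
    win = int(now // window)
    digest = hmac.new(secret, struct.pack(">Q", win), hashlib.sha256).digest()
    return tuple(
        KNOCK_POOL_LO + int.from_bytes(digest[2 * i:2 * i + 2], "big") % KNOCK_POOL_SIZE
        for i in range(length)
    )


@dataclass
class _Source:
    index: int = 0            # knocks of the sequence matched so far
    win: int = 0              # time window the current attempt started in
    last: float = 0.0         # timestamp of the last accepted knock
    locked_until: float = 0.0


class KnockDaemon:
    def __init__(self, secret: bytes, window: int = 30, step_timeout: float = 5.0,
                 lockout: float = 180.0, open_for: float = 30.0):
        self.secret = secret
        self.window = window
        self.step_timeout = step_timeout   # max gap between consecutive knocks
        self.lockout = lockout             # a wrong knock locks the source out this long
        self.open_for = open_for           # how long the real port stays reachable
        self._sources: dict = {}
        self._open: dict = {}

    def observe(self, src_ip: str, dst_port: int, now: float) -> str:
        """Feed one observed packet. Returns 'ignored', 'progress', 'opened' or 'locked'."""
        if not KNOCK_POOL_LO <= dst_port < KNOCK_POOL_LO + KNOCK_POOL_SIZE:
            return "ignored"
        st = self._sources.setdefault(src_ip, _Source())
        if now < st.locked_until:
            return "locked"
        if st.index > 0 and now - st.last > self.step_timeout:
            st.index = 0                         # too slow: start the sequence over
        if st.index == 0:
            st.win = int(now // self.window)     # pin the window for this attempt
        expected = knock_sequence(self.secret, st.win * self.window, self.window)
        if dst_port != expected[st.index]:
            st.index = 0
            st.locked_until = now + self.lockout  # wrong knock: lock the source out
            return "locked"
        st.index += 1
        st.last = now
        if st.index == len(expected):
            st.index = 0
            self._open[src_ip] = now + self.open_for
            return "opened"
        return "progress"

    def is_allowed(self, src_ip: str, now: float) -> bool:
        """Whether the firewall should currently accept src_ip on the protected port."""
        return self._open.get(src_ip, 0.0) > now
```

Pinning the window at the first knock means a sequence started late in a window still completes; the step timeout, not the window, bounds how long an attempt may take. Packets outside the knock pool are ignored rather than treated as failures, so ordinary scans of other ports do not lock a source out; only a wrong knock inside the pool does.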
-
Re:so just pay for it
You mean something like this? http://www.giac.org/certifications/dodd-8570/
-
A paper I wrote on quarantining infected systems..
A couple of years ago I wrote a paper for SANS [PDF] about a similar technique I used to fight recurring problems with zero-day attacks. This technique could be modified somewhat for the needs of an ISP. For example, instead of moving them onto a quarantine VLAN, the redirect rule could be created on a per-IP-address basis. It could present the page to a user informing them of their problem, and upon user acknowledgement, it could drop a cookie in their browser that would allow them to surf uninterrupted from that host for some period of time (after which it would remind them again). That way, every user on every computer behind that IP address would be able to see that there is likely an infected system on their network.
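The per-IP redirect with an acknowledgement cookie described in the comment above, as an added example that is not from the SANS paper or the commenter. The cookie format (an expiry timestamp plus an HMAC over the client IP and that expiry), the flagged-IP set and the six-hour reminder interval are assumptions; binding the MAC to the IP is a design choice so a cookie copied to a browser on another network does not silence the warning there.

```python
"""ISP-style quarantine notice with an acknowledgement cookie.
Added example, not code from the paper or comment above. The cookie format
(expiry + HMAC over client IP and expiry) and the flagged-IP set are assumptions
used to illustrate the per-IP redirect idea."""
import hashlib
import hmac

COOKIE_NAME = "quarantine_ack"


def issue_ack_cookie(secret: bytes, client_ip: str, now: float, ttl: int = 6 * 3600) -> str:
    """Value to set after the user clicks 'I understand': <expiry>.<hex mac>.
    The MAC binds the cookie to the source IP and expiry so neither can be edited."""
    expires = int(now) + ttl
    mac = hmac.new(secret, f"{client_ip}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def ack_cookie_valid(secret: bytes, client_ip: str, value: str, now: float) -> bool:
    """True only for an untampered, unexpired cookie issued for this client IP."""
    try:
        exp_s, mac = value.split(".", 1)
        expires = int(exp_s)
    except (ValueError, AttributeError):
        return False                      # missing or malformed cookie
    if now >= expires:
        return False                      # reminder period over: warn again
    expected = hmac.new(secret, f"{client_ip}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie: header parser (name=value pairs separated by ';')."""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def decide(secret: bytes, flagged_ips: set, client_ip: str, cookie_header: str, now: float) -> str:
    """'pass' = forward the request unchanged; 'warn' = redirect to the notice page.
    Only traffic from IPs the ISP has flagged is intercepted (the per-IP rule)."""
    if client_ip not in flagged_ips:
        return "pass"
    ack = parse_cookie_header(cookie_header).get(COOKIE_NAME, "")
    return "pass" if ack_cookie_valid(secret, client_ip, ack, now) else "warn"
```

The notice page's acknowledgement handler would call `issue_ack_cookie()` and set the result as `quarantine_ack`; every later request from that flagged IP goes through `decide()`, which lets traffic through until the expiry and then starts warning again, which is the reminder behaviour the comment describes.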
-
Re:Amen!
I'm currently studying for my Java certification. Why? Because I love Java? Nope. Because it's good to have something to fall back on. I'll get a .NET cert too, as icky as that sounds. I have a family and I have to think of them first.
Glad you're thinking of your family first, but realize this - a certification is nothing to fall back on. All it does is please a PHB. In the long run, it won't help you in your career, and it won't test you in any meaningful way. So save your money if you can. It won't make one lick of difference in how much money you make.
That said, there is one certification I would recommend - the GIAC Secure Programming certification. Not so much for your employer as to train you and help you realize what you need to do to write secure programs. So it would be well worth it. They do have it for Java too.
-
RTFWP or just search ... PLEASE!
Applied Security Technology will always meet the expectations of experience.
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
http://en.wikipedia.org/wiki/OpenPGP#OpenPGP
http://en.wikipedia.org/wiki/Public_key_infrastructure
http://en.wikipedia.org/wiki/Certificate_authority
http://en.wikipedia.org/wiki/Philip_Zimmermann
http://en.wikipedia.org/wiki/Secure_Sockets_Layer
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#TLS_handshake_in_detail
http://en.wikipedia.org/wiki/Hardware_token
http://en.wikipedia.org/wiki/Biometric_authentication
https://www2.sans.org/reading_room/
http://www.giac.org/certified_professionals/practicals/gsec/4993.php
http://www.giac.org/certified_professionals/
http://www.linkmatrix.de/index.php?education=home
http://www.linkmatrix.de/tutorials.php?q=PGP
Those that can DO, read. Those who can read, but not DO, preach.
Readers, fakers, and test-takers always manage to fail.
Hands-On experience and continuous-learners always work for tale (or is that rep). Too many PGP/PKI/CA/TLS... comments are cross-BS technology application comments. Only in politics do mixed pieces of BS function properly or as expected.
In technology as in science it either does, or it don't do. There is working properly or working poorly (with a problem) until troubleshot and fixed. If it never worked or ain't working at all (cannot be made to function fully and consistently as expected) then someone fycked-up bad (misapplied technology application); perhaps the brown-nose wannabe manager that can only read made a decision.
-
Ethics?
Ethics is an interesting concept - first thing that may come a person's mind
:
"good and bad"
"wrong or right"
"black and white"
Personally, when one finds themselves in IT related predicaments, I'm guessing it's not that usual to land in a black or white situation, but one of a million shades of gray.
A few more:
"the way one lives"
"actions that land you on the right (good?) side of the fence"
"oath"
"creed"
etc . . .
What is a creed? One definition in an online dictionary defines it as ( http://dictionary.reference.com/browse/creed ) : " . . .any system or codification of belief or of opinion. . ."
eek . . . the entertainment industry (I'm guessing a person can come up with centuries or more worth of examples there) would have us believe in "good" creeds or "bad" creeds - religions, knights, assassins and more.
One might also ask - will your ethics lead you to copy chunks of the comments to the slashdot article above? Ethics in research and writing papers - that's a fought over issue as well. (people often hate to look in this mirror :)
Several professional groups have published "ethics" . . .
American Chemical Society ( http://pubs.acs.org/meetingpreprints/ethics.html )
American Institute of Aeronautics and Astronautics ( http://www.aiaa.org/content.cfm?pageid=198 )
American Institute of Architects ( http://www.aia.org/about_ethics )
American Institute of Chemical Engineers ( http://www.aiche.org/About/Code.aspx )
American Society of Landscape Architects ( http://www.asla.org/about/codepro.htm )
Institute of Electrical and Electronics Engineers ( http://www.ieee.org/portal/pages/iportals/aboutus/ethics/code.html )
To pick a few. Look kind of like science/fantasy fans might see as guild rules :)
IT is no different.
People who strive for SANS/GIAC certification agree to their ethics as part of completing the certification process. ( http://www.giac.org/overview/ethics.php )
SAGE, LOPSA & USENIX share the same code of ethics - http://lopsa.org/CodeOfEthics
ACM - http://www.acm.org/about/se-code
CISA, CISM, CGEIT - ( http://www.isaca.org/Template.cfm?Section=Code_of_Professional_Ethics&Template=/ContentManagement/ContentDisplay.cfm&ContentID=20454 )
SSCP, CAP & CISSP (certification) ethics - ( https://www.isc2.org/cgi-bin/content.cgi?category=12 )
I'm sure there are plenty more.
I'm guessing there are very few if any CS or IT related courses that don't include some kind of ethics class or section.
Personally - when I was growing up - with a lot of computer enthusiasts in the neighborhood - some slid one way or the other (ethics wise) and some stood fairly firmly on one side or the other (usually the "old guys").
I've been in the professional IT industry for several years - and doing semi-professional IT stuff on and off for years before that. Seeing I'm still there - I hope I'm on an acceptable side of the fence :)
I've been involved in a few ethics dust-ups over the years . . . never got a horrible -
Re:Gotta wonder...
That's the great part about Free Software -- no advertisement or marketing is necessary! You either use it and get something out of it...or use it, don't get anything out of it, and move on to the next candidate.
I love it when ACs make suspiciously laudatory comments about a particular piece of commercial software. Makes the developer look bad, even if they aren't the ones posting.
PS, Helix is good enough for...
NW3C: Linux Forensics
SANS Track 508: System Forensics, Investigation and Response
InfoSec Institute: Computer Forensics Training
SEARCH: Basic Investigators Training
-
Re:Sigh..
And to this I say, Simple Formula for Strong Passwords. It's great. I'm gradually phasing out my library of old, weak passwords and generating SFSP passwords to replace them. SFSP-generated passwords are easy to remember and strong at the same time. The only problem is most places don't allow special characters such as (,),&,% and such.
SFSP: http://www.giac.org/certified_professionals/practicals/gsec/4394.php (PDF! Sorry)
-
Re:Offline rootkit scanner?
The appropriate term is baselining.
As mentioned before, Tripwire does this very well.
The Knoppix Security Tools Distribution provides a free alternative. It includes FTimes [File Topography and Integrity Monitoring on an Enterprise Scale] to record and monitor file signatures. This is a cheap and fairly painless way to keep an eye on those critical files.
SANS Reading Room has some good papers on system baselines. This one discusses using FTimes as part of a Windows box baseline.
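What baselining as described in the comment above amounts to in code, as an added example that is not Tripwire, FTimes or anything from the SANS papers: record a digest plus size and permission bits for every regular file, store that record, and diff a later snapshot against it. The record layout, the JSON storage and the constructed sample tree in `demo()` are assumptions for illustration.

```python
"""Filesystem baselining: record file digests and metadata, then diff a later
snapshot against the stored baseline. Added example, not code from the comment
above or from Tripwire/FTimes; the record format is an assumption."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256_file(path: Path, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root) -> dict:
    """One record per regular file under root: content digest, size and permission bits.
    mtime is deliberately left out: an attacker can restore it, but not the digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": _sha256_file(path),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report paths that appeared, disappeared, or whose digest/size/mode changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline: dict, path) -> None:
    # Store this on read-only or offline media: a baseline kept on the monitored
    # host can be rewritten by whoever rooted the host, which defeats the check.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed sample tree: baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        save_baseline(take_baseline(root), Path(tmp) / "baseline.json")

        # Simulated compromise: trojaned binary of identical size, a new hidden
        # file, and a deleted file. The size-preserving swap is caught by the digest.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        os.chmod(root / "bin" / "ls", 0o4755)   # setuid bit would also show up via "mode"
        (root / "bin" / ".hidden").write_bytes(b"rootkit loader")
        (root / "etc" / "passwd").unlink()

        old = load_baseline(Path(tmp) / "baseline.json")
        return compare(old, take_baseline(root))
```

Run `take_baseline()` against a freshly installed system, save the result off-host, and compare on a schedule or from a boot CD; the offline comparison is what makes this useful against a rootkit, since a kernel module that hides files from a running system cannot hide them from a clean boot.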
-
Certification
I think certification would do more to bolster your career. How about SANS GIAC?
-
SANS
This appears to be similar to the highly regarded SANS GIAC Certified Incident Handler (GCIH) Course, SEC-504: Hacker Techniques, Exploits & Incident Handling, which I attended a while back. The SANS course was excellent and is often taught by Ed Skoudis. It's challenging, but also very worthwhile. They cover how to create an Incident Handling team and then launch into Reconnaissance, Scanning, Exploits, Keeping Access, and Covering Your Tracks. It would take too long to list out all of the different tools and tactics that they covered, but it's pretty comprehensive.
It's a great course, and I highly recommend it to anyone involved in computer security. The insight into how attackers target, gather information, compromise, and maintain access on systems has been invaluable in understanding how to then try and close the holes and mitigate the risks. You'll never be 100% invulnerable on a machine or network that you actually use for anything, but if you know how to think like an attacker and what the current tools are capable of, then you'll be able to fix most of it.
-
Followup paperwork too time consuming...
I took the SANS security boot camp when they first started. I found it valuable and very well done. A solid week of good, well presented, stuff that you won't find anywhere else.
However, even though I passed all the exams needed for GIAC certification, the follow on requirement to submit papers simply did not fit my work schedule. As the only system administrator for a small startup, I simply did not have time to write papers. So, the requirement they appear to be dropping was the requirement that blocked my certification.
Writing a good paper takes time and focus. Something that working system administrators often find short in supply.
-
Re:URL for GCIH analysis of Blaster
I posted a clickable link to pass my POST (Posting on Slashdot Test).
-
GCIH analysis of Blaster
-
Re:I wouldn't say that they're meaningless ...
I agree that not all certs are meaningless. Take for example (yes shameful plug) The SANS Institute. To pass the certs, you have to complete a practical before you take the test. The practicals are posted online. Each practical requires real output (packet sniffs, exploit code, screen shots, etc. ) to show you actually setup this firewall, NIDS, hardened *nix box, etc. Also since the practicals are posted online (along with your test scores) the potential employer can get a better idea of the work performed for the certification.
Most certifications are just passing a test. SANS is pass the practical, then two tests. I think this cert is worth the money.
D.A.R.
SANS: GSEC, GCFW, GCIH
-
CISSP certification toward IPS isn't worth squat.
Come to think of this, the famed CISSP certification is worthless with regard toward this new IPS arena...
Even the SANS GIAC GCIA (Intrusion Analyst) certification is trying to evolve to meet this new IPS technology, but until TPTI releases the ability to let end-users customize filters, the certification would be essentially worthless. Just too many IPS technological curves for the ordinary IA guys to keep up. Really!
It is tantamount to handing the wheel of a Formula 500 car over to a 15 1/2 year old testosterone-laden lad without supervision. This isn't your grandfather's car anymore. It's a whole new world of Intrusion Analysis out there.
Tee-hee.
-
Re:I should post this AC
For those not near a school offering a degree program, you can also get training and certs from GIAC:
www.giac.org
I've got a GSEC myself. If anyone's wondering, most companies are not looking for this, but having this and explaining what it means during phone interviews got me into interviews I would not have gotten without it.
No, I'm not unemployed right now. HINT.
-
Re:There are significant differences...
What part of "Windows XP encourages users to run as root" did you not understand, or do you continue to disagree with? I believe this is particularly true of the home edition. Whatever may be there under the hood, the setup of XP (especially home edition) apparently still encourages many novice users to run as root all the time instead of insisting on an unprivileged account with icons that are set up to prompt to elevate the password temporarily, as Mandrake and OSX do. Expect Windows to be more easily rooted, in that case. Eventually Windows may get it right if it looks at Mandrake or OSX long enough, which do not set up by default that way.
The default configuration is important. Expensive high-security OSes used to be compromised all the time just because a default password was set on a privileged account. This is a very similar issue. Sure someone with enough knowledge can secure the system, but if it is fundamentally insecure by default, then it is wasted on most users. It is silly to continue to argue that it is secure, when by default it often is not, according to those who have talked to me who use it.
To quote from A Novice's Guide to Securing Windows XP Home Edition: "There are only two kinds of accounts in Windows XP Home Edition. First there is a computer administrator account. This type of account has unlimited power to modify the computer in any way and to view and alter the contents of all other accounts. All subsequently created accounts are initially computer administrator accounts also. But, you can change their account type after creation...".
So how is this secure if by default it is insecure and novices have to manually secure it and figure out how to survive in an insecure account, to the extent that many think it impossible?
-
Re:Nobody can defeat Apple
A world with linux, apple, and microsoft--having the three of them is much better than having any two. New ideas, new flow, new users.
On one hand, this may sound like selfless self-promotion... but on the other hand, I think this is really honestly relevant.
In response to what you had to say, read my practical for my GSEC. It covers some of the same points: open source, closed source, or the competition that exists because of the two?
-
See Wiretap Act, 18 U.S.C Sec. 2511
First of all, Richard Salgado has got to tell people to be very careful. He's a prosecutor for the government. He's got to say things that err on the side of safety, and of never condoning possible violations of the law. (He's a nice guy, and a good speaker. He's just very obviously in one corner, and has the party line to hew to).
Secondly, read 18 U.S.C. Section 2511. That lays out the _exceptions_ to the Wiretap Act, which includes the Provider exception, which boils down to: if you own the machine, and have appropriate banners, and the wiretap is done "while engaged in any activity which is a necessary incident to the rendition of [the rightful administrator's] service or to the protection of the rights or property of the provider of that service...". The reason the gov't is goosey about honeypots is, if it is a property laid out to be broken into, then is the wiretapping justified? If you're doing it as part of the defense of your network, consensus tends to be yes. If you're doing it for shits and giggles, there tends to be less consensus. The gov't needs to be able to prosecute anyone, so without court cases telling them otherwise they're leaning to the stricter interpretation.
Thirdly, if you're interested, read the posted practical assignments for the SANS GCFA (Forensics) course/certification. The original assignment (the only one posted currently) has three parts, the third of which is Describe in detail your authority as a system administrator with regards to this statute. Keep in mind that none of those people are lawyers, but most of them sat through a course including Richard Salgado talking on this issue, and all of them worked their butt off to write the paper and pass the course. More work than goes into, say, a
/. post 8).
-
Sorry to burst your bubble
-
sans/giac
-
Start from the begining
First off, the reason your security is broken is that you probably don't have a policy, and if you do nobody understands it, and if they do there's no QA ensuring that they follow it.
Good security starts with the establishment of a security policy followed by education and regular awareness events. Please be aware that paying someone a ton of money to pen. test and inventory your assets will *not* result in a stronger security posture all on its own. You must have a policy in place and you must compel your users to abide by it (primarily through education, secondarily through threat of penalty). Consider hiring a CISSP or other certified professional to help you through this process. You might be able to find one in your area by using the ISC2 directory. SANS is doing some ISO certification as part of the GIAC program now and they may be able to point you towards some appropriate people as well. The ISSA might be able to help as well. As has been mentioned already, you probably don't want to entrust this to someone selling countermeasures or management services.
Understand, however, that you don't need a firewall engineer right now and you don't need some krad ex-hacker to pen test either. You need someone to help you get your house in order on the administrative side and then you can look into some detailed engineering and assessment. That someone should probably be an independent consultant or at least one working with an infosec specializing firm. If you want a couple of bigger names there's @Stake, Booz Allen Hamilton, and Predictive; however, I would encourage you to seek out a local independent with good references.
Any knucklehead can run Nessus and patch systems. This alone does not equal information security. If you want a secure environment, start by defining what "secure" means within your environment.
-
You should also use Tools in-house
External audits are good because they bring in experts who focus on finding vulnerabilities in your network. These experts will come armed with a variety of vulnerability assessment tools to perform their audit. The only problem is that it will almost always happen less frequently than vulnerabilities are discovered, so this should only be 1 part of the overall solution.
You should adopt this practice internally, because if the tools are set up to check for vulnerabilities, you can be much more proactive about finding them than simply by scheduling consultants to come every few weeks, months, year. There are a variety of tools available, both freely and commercially.
A good tool will be updated frequently and check a lot of bugs, including the most critical (SANS Top 20, BugTraq, CERT).
Free Tools
SATAN -- Security Administrator Tool for Analyzing Networks
SAINT -- Security Administrator's Integrated Network Tool -- based on SATAN, GNU
SARA -- Security Auditor's Research Assistant -- similar to SATAN/SAINT check the Freshmeat page
NESSUS -- another free tool
Commercial Tools
ISS has a variety of tools available depending on your needs
NeXpose -- try the free demo, great ui, demo only lets you assess 1 IP at a time though :( Here is a review
A Network Computing article on Vulnerability Assessment tools. Reviews many of the major vendors (so I won't list them all). Includes some of the free tools.
Here is another overview of security tools to get you started.
-
Age requirements
The CISSP requires a minimum of three years professional security experience. The SSCP (Systems Security Certified Professional), sort of an entry-level CISSP, requires only one. The CISA (Certified Information Systems Auditor, IMHO the most respected security cert) requires four. IIRC, at least one of these may also require you to be 18, so be careful about age requirements. You might also look at the GIAC (Global Information Assurance Certification) family of certifications, which doesn't appear to have any experience requirements.
-
Security certs
This article missed all the certs in the security field.
CISSP
CISA
SANS GIAC
In general, CISSP and CISA are heavier on theory and SANS GIAC is more on practical knowledge (hands-on). Notice that GIAC actually offers many different certs in different areas.
They are all hard to get. For example, CISSP requires a 6-hour exam (which isn't easy at all). GIAC requires a practical assignment (to show hands-on knowledge - requires real world experience) as well as one or two 2-hour exams.
-
SANS GIAC
The SANS Institute's GIAC certification appears to be an emerging credible certification: GIAC.
Posting anonymously because I moderated in this thread ("CISSP for me..." -- rated it Informative for the curious). -- Argel
-
CISSP & GIAC
To paraphrase Bruce Schneier: Security is a set of processes and a means of approach for systems.
I can vouch for the CISSP certification from (isc)2 as reinforcing this view of security. The CISSP is a significant valuator for businesses, who can be confident that candidates with this certification are literate in both technology and business considerations. This certification is exactly that: a CERTIFICATION. It is not a vendor technology program. It can be likened to a CPA designation for auditors and accountants.
The GIAC certifications from SANS are an excellent instruction in the working mechanisms of security technology. The curricula and basis for certification by SANS are under continuous revision and are the most current in the industry.
The fact is that the CISSP is currently highly valued by employers as a valid assessment of domain awareness, best-practice assessment and professionalism. To combine this with specific GIAC tracks is a good way to identify formidable security personnel.
CISSP candidacy requires 3-5 years of work experience in one of the 10 domains identified. Additionally, (isc)2 will require a BS in an associated major, beginning in 2003. Studying for this is no piece of cake!
Some resources: http://www.cissp.com/default.html
CISSP Library of Free Study References
The CISSP Open Study Guide