Nov 29

Following an article posted on networkworld.com titled "Which certifications are worth your time?", it seems that project management certs are in vogue; tech certs less so, but security and storage certifications still have pull. Amongst a host of certifications, the article states that:
Security certifications (also) are in demand, particularly the Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).
Security is "certainly a hotbed," says Matt Colarusso, branch manager for Sapphire National Recruiting in Woburn, Mass. "Our clients are looking for hands-on technical people who understand firewalls, VPN set-ups and router controls."
What really stands out in the article are the following comments, which I tend to agree with:
"Most employers would say that technical certifications are like a great academic record: They may get you noticed and in the short stack of resumes being considered, but it's what roles you've played and what you've done on previous jobs that will get you hired," Colarusso says. "We see technical certifications making the most difference in employers filling entry-level positions."
Technical certifications may help you get hired, but "experience matters more," says Henry Eckstein, senior vice president and CIO of York Insurance Services Group in Parsippany, N.J. "People can cram for their certifications and get their certifications. So it’s not just certifications but how long have they had them and how have they used them that matters. Technical certifications are less valuable than experience."
... "When it comes to hiring, if you have everything else -- experience with customers, functional experience -- and if you’re not certified, who cares? A lot of people never got certified because they were so busy doing [implementations]."
So the question remains: which certifications are worth your time? Before you answer, as much as they add value to your resume, take your time and do some research. Google adverts for security analysts actively state:
"CISSP not required. Relevant experience must be hands-on."
Something to bear in mind.
Posted by Donald Tabone
Nov 27
This might sound funny, but we're at a stage where you need to protect your AV software. SecurityFocus has published an article on the research done by Sergio Alvarez and Thierry Zoller (for N.runs), which concludes that while AV software is protecting clients against malware (running in userspace), the AV software itself (typically running at kernel level) is vulnerable to exploitation.
Best part:
"N.runs plans to release a product to protect against antivirus parsing vulnerabilities, and the contact information at the end of the presentation includes the e-mail address of the company's director of software sales."
Don't get carried away with the argument that these guys are marketing their software through research. I think that's only appropriate: the problem is real and there's little FUD involved. There's a huge difference between security software and secure software.
The question then is: will we need protection for the software that protects your AntiVirus?
Posted by Sandro Gauci
Nov 20
Here's a quick roundup of recent security leakages and identity theft news:
And those are just the ones that make the news; a lot of incidents do not.
Posted by Sandro Gauci
Nov 19
Talk about the conflicts between security and usability: here's Dilbert's interpretation of Confidentiality and Integrity.
Echoing this post.
Posted by Donald Tabone
Nov 16
An article that surfaced here by Bruce Schneier caught my attention, as Bruce talks about the new standard recently released by the US Government for random number generators. Out of the four different techniques described in the document, one in particular, called Dual_EC_DRBG, apparently carries an anomaly. In a nutshell, this is how it works:
This is how it works: There are a bunch of constants -- fixed numbers -- in the standard used to define the algorithm's elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.
... to put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.
This is scary stuff indeed.
Dramatised or not, coming from Bruce this makes me raise an eyebrow as he goes on to discuss the possible logic behind the NSA's decision to push this algorithm.
If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.
As you can imagine, Bruce does not recommend this random number generator; rather, he advises going with one of these algorithms instead: CTR_DRBG or Hash_DRBG.
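Schneier's description above (constants of unexplained origin, and anyone who knows the secret relationship between them breaks every instantiation) can be reproduced at toy scale. The following is an added example, not code from the original post, from Schneier, or from the NIST specification. It builds a stripped-down Dual_EC_DRBG over the secp256k1 curve (an assumption made only because its field prime and prime group order keep the arithmetic short; the standard uses the NIST curves), generates the two "fixed numbers" P and Q so that P = e*Q for a secret e, and shows that a single observed output is enough to recover the generator's next state when e is known. The names DualEC, make_constants and recover_next_state are mine; the real specification's 16-bit truncation of each output and its extra state step are left out because they do not change the algebra.

```python
import secrets

# secp256k1 field prime and curve y^2 = x^3 + 7. Assumption for this toy: chosen because
# P_MOD % 4 == 3 gives cheap square roots and the group order is prime, so a scalar
# multiple of a real point hits infinity only with negligible probability.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
B = 7
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P_MOD)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return INF  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD  # doubling (a == 0)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = INF, pt
    while k > 0:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with x-coordinate x, or INF if there is none. The other
    candidate is its negation, which has the same x after any scalar multiplication."""
    rhs = (pow(x, 3, P_MOD) + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # square root, valid because P_MOD % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else INF


def make_constants(e):
    """Build the constants P and Q so that P = e*Q. The standard lists P and Q but never
    explains how they were chosen; whoever chose them this way holds e."""
    x = 1
    while lift_x(x) is INF:
        x += 1
    Q = lift_x(x)
    return ec_mul(e, Q), Q


class DualEC:
    """Toy Dual_EC_DRBG: output r = x(s*Q), then advance the state s to x(s*P). The real
    generator advances first and drops the top 16 bits of r; neither changes the algebra."""

    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next_output(self):
        r = ec_mul(self.s, self.Q)[0]
        self.s = ec_mul(self.s, self.P)[0]
        return r


def recover_next_state(r, e):
    """Trap door: r = x(s*Q) and P = e*Q, so e*(s*Q) = s*P, whose x-coordinate is
    exactly the state the generator moves to next. One output suffices."""
    return ec_mul(e, lift_x(r))[0]


def run_demo(steps=3):
    """Does a clone seeded from one observed output predict the victim's following
    outputs with the right e (it should), and with a wrong value (it should not)?"""
    e = secrets.randbelow(2 ** 128) + 2
    P, Q = make_constants(e)
    victim = DualEC(secrets.randbelow(2 ** 128) + 1, P, Q)
    r1 = victim.next_output()  # the single output an observer gets to see
    clone = DualEC(recover_next_state(r1, e), P, Q)
    wrong = DualEC(recover_next_state(r1, e + 1), P, Q)
    actual = [victim.next_output() for _ in range(steps)]
    return {
        "with_trap_door": [clone.next_output() for _ in range(steps)] == actual,
        "with_wrong_value": [wrong.next_output() for _ in range(steps)] == actual,
    }


if __name__ == "__main__":
    print(run_demo())
```

The check this suggests for any standard you deploy is the one Schneier's post implies: fixed curve points or other constants must come with a published, reproducible derivation ("nothing up my sleeve"), and a generator whose security rests on the provenance of unexplained constants is a reason to pick CTR_DRBG or Hash_DRBG instead, as he advises.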
Posted by Donald Tabone
Nov 13
Around 45000 MySpace passwords were leaked on the net recently. While it might seem like leaking such passwords is a major security threat, these passwords were already collected by phishing sites and possibly abused by the wrong people. The good thing is that this gives security folks a chance to see how effective or ineffective password policies can be.
The people behind the-interweb.com published an article called "A brief analysis of 40,000 leaked MySpace passwords". What is interesting is that MySpace applies a password policy requiring at least one non-alphabetic character in the password. From the analysis we get the top 10 passwords, the top one being "password1". What we learnt (or already knew):
- Half the passwords start with a dictionary word and have at least one digit/non-alphanumeric after that
- The most popular suffix after an alphabetic password is, unsurprisingly, "1", followed by "2" and then "123"
- The most popular prefix before an alphabetic password is "1", followed by "123" and then "2"
- Most popular password when the non-alphabetic characters are stripped off is "password", followed by "iloveyou" and "love".
How does this help us make better security decisions?
A lot of security is based on passwords nowadays, despite their being the most abused form of security (or, I would argue, lack of it). Applying a complexity policy changes a password attack a little, but not much. The chosen passwords are in most cases still the same ("password", "love", and so on) with an additional character (usually "1") at the end. This means that such passwords are still pretty guessable and can be found with a wordlist attack.
So how does the systems administrator make an educated security password policy?
In my opinion, one has to keep in mind the following before setting a password complexity policy:
- Password age
- Number of attempts before account lockout
- What kind of passwords are going to be common with a given password complexity policy
The longer the password age, the more at ease end users will be choosing complex and unique passwords. A shorter password age will make end users think twice before choosing a password that they only have to remember for two weeks until the system starts nagging them to change it again!
Say users are required to include one non-alphabetic character in their password, and the account lockout kicks in after 10 attempts. That gives an attacker a high chance of finding users on the system who started their password with the word "password" and put a numeric digit at the end. If, on the other hand, end users are required to use two non-alphabetic characters, the chance of such a password being guessed decreases.
Keeping a blacklist of the common passwords known for the specific password complexity policy is one way to limit the use of common passwords.
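The analysis and the blacklist idea above, as an added example in Python (mine, not the-interweb.com's script and not MySpace's policy code). It runs the same counts (top passwords with non-alphabetic characters stripped, top suffixes, top prefixes, and the share that is a dictionary word followed by non-alphabetic characters) over a constructed dozen passwords in the style of the leak; SAMPLE_PASSWORDS and DICTIONARY are made up for the example. It then derives a blacklist from the alphabetic "cores" of the most common entries, so that a policy check rejects "password1" and "password2" alike, whatever the complexity rule says.

```python
import re
from collections import Counter

# Constructed sample in the style of the leaked list; not the real MySpace data.
SAMPLE_PASSWORDS = [
    "password1", "password1", "iloveyou1", "love123", "abc123", "1password",
    "123love", "monkey2", "1qwerty", "Soccer1", "fluffy1", "password2",
]
# Constructed mini wordlist standing in for a real dictionary.
DICTIONARY = {"password", "iloveyou", "love", "monkey", "soccer", "fluffy"}

NON_ALPHA = re.compile(r"[^a-z]")
WORD_THEN_NON_ALPHA = re.compile(r"^([a-z]+)([^a-z]+)$")
AFFIXES = re.compile(r"^([^a-z]*)[a-z]+([^a-z]*)$")


def alpha_core(pw):
    """The password lower-cased with every non-alphabetic character stripped off."""
    return NON_ALPHA.sub("", pw.lower())


def affixes(pw):
    """(leading, trailing) runs of non-alphabetic characters around one alphabetic body;
    passwords with letters and digits interleaved have neither and return ('', '')."""
    m = AFFIXES.match(pw.lower())
    return (m.group(1), m.group(2)) if m else ("", "")


def analyse(passwords):
    """The counts the article reports, over any list of passwords."""
    cores = Counter(alpha_core(p) for p in passwords)
    prefixes, suffixes = Counter(), Counter()
    dict_word_then_non_alpha = 0
    for pw in passwords:
        pre, suf = affixes(pw)
        if pre:
            prefixes[pre] += 1
        if suf:
            suffixes[suf] += 1
        m = WORD_THEN_NON_ALPHA.match(pw.lower())
        if m and m.group(1) in DICTIONARY:
            dict_word_then_non_alpha += 1
    return {
        "total": len(passwords),
        "top_cores": cores.most_common(3),
        "top_suffixes": suffixes.most_common(3),
        "top_prefixes": prefixes.most_common(3),
        "dict_word_then_non_alpha": dict_word_then_non_alpha,
    }


def build_blacklist(passwords, top_n=3):
    """Cores of the most common leaked passwords. Anything that reduces to one of these
    is rejected no matter which digits or symbols are tacked on."""
    counts = Counter(alpha_core(p) for p in passwords)
    return {core for core, _ in counts.most_common(top_n)}


def meets_policy(pw, blacklist, min_non_alpha=1):
    """Complexity rule plus blacklist: 'password1' fails even though it has a digit."""
    non_alpha = sum(1 for c in pw if not c.isalpha())
    if non_alpha < min_non_alpha:
        return False
    return alpha_core(pw) not in blacklist


if __name__ == "__main__":
    stats = analyse(SAMPLE_PASSWORDS)
    print(stats)
    blacklist = build_blacklist(SAMPLE_PASSWORDS)
    for candidate in ("password1", "monkey2", "Tr0ub4dor&3"):
        print(candidate, meets_policy(candidate, blacklist, min_non_alpha=2))
```

Run against a real leak, the same three counters tell you which cores and affixes your own complexity rule will produce, and feeding the top cores into the blacklist is the cheap step the post suggests; the lockout threshold and password age from the list above are the other two knobs and are not modelled here.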
Posted by Sandro Gauci