How to make color match wood putty

Sometimes we end up with deep scratches and gouges in wood that we need to repair. The solution is wood putty, but what if the wood putty doesn’t match? Here’s how to make color match wood putty, and/or make wood putty match stain.

Qualys vulnerability vs discovery scan

One of my most frequent topics of discussion in my time as a vulnerability management architect was the question of a Qualys vulnerability vs discovery scan. It’s especially confusing because Qualys is completely silent on the topic. There’s a reason for that. Let’s talk about the types of Qualys scans and what they can do for you.

Officially, Qualys discovery scans don’t exist. That said, you can implement something very close to what Qualys’ competitors call a discovery scan, and reap numerous benefits from it.

What to do if you can’t scan your whole network

A former colleague contacted me some time ago with an interesting conundrum. I thought his problem and the solution would be worth sharing, because it’s not at all uncommon. He manages a network of, let’s say, 22,000 computers. But he has licenses to scan 8,800 of them. The question is, what can he do?

What happened to Southwestern Bell

What happened to Southwestern Bell? The once prominent name disappeared, but the company itself still exists.

Southwestern Bell didn’t go out of business, it’s just changed its name twice since 1995. In its current incarnation, it’s worth $229 billion.

How to read a Nessus scan report

Reading and analyzing a Nessus vulnerability scanner report is an underrated skill. Frankly, I see a lot of misuse and abuse surrounding Nessus scans. So let’s talk about how to read and analyze a Nessus scan for the purpose of understanding and solving problems.

You can read it in the user interface but I recommend exporting a CSV so you can sort and filter. The exact CSV format has changed a bit over the years so they may not be in this exact order. But this will get you started. The most important columns are all here. You’ll find it very similar to reading a Qualys scan report.

For reference, I used the sample file here: https://github.com/derekmorr/nessus-csv/blob/master/nessus_test.csv

Lockheed Martin Cyber Kill Chain explained

The Lockheed Martin Cyber Kill Chain is a popular model in information security. The model illustrates the typical cyber attack. Like the CIA triad, the Cyber Kill Chain is a fundamental concept that helps people understand what motivates security professionals. Understanding it and being able to explain it makes us more effective at our jobs.

Here’s an explanation of the Cyber Kill Chain, along with a couple of examples, one real, and one imagined.

What to do when you know a pedophile (and what not to)

Word got out this weekend that a fairly prominent member of my profession is a pedophile. Fortunately I don’t know the guy. But this is hardly the first time this happened. A fairly prominent tech journalist turned out to be a pedophile a couple years ago too. Unfortunately this happens, and unfortunately I came into some experience in this area early in life.

I know from experience, you don’t always know until afterward. If it were easy to know, these people wouldn’t get away with it for so long.

Why is lumber so expensive?

I remember when a 2×4 cost $3. And before you tell me I’m a grumpy old man, that was sometime in 2019 or 2020. At the moment I’m writing this, a 2×4 costs $8. So what’s going on? Why is lumber so expensive? And will prices ever come back down to normal?

Vulnerabilities without CVE

I had a discussion with somebody this week about vulnerabilities that don’t have CVEs. I learned from this conversation that there are a lot of misconceptions about those. So let’s talk about vulnerabilities without CVEs, and what to do about them.

Vulnerability management metrics

I am 75% confident your vulnerability management metrics are too complicated. I’m 75% confident because I’d need to see examples from about twice as many organizations as I’ve seen in order to be 95% confident. Still, I’ve probably seen 150 more samples than most people. And I have bad news for you: I’m also 75% confident your vulnerability management metrics are too simplistic. How can you be both? Measuring the wrong things puts you in situations like that. So let’s talk about NIST’s recommended vulnerability management metrics, and how to more closely align with their recommendations.
