Vulnerability management metrics

I am 75% confident your vulnerability management metrics are too complicated. I’m 75% confident because I’d need to see examples from about twice as many organizations as I’ve seen in order to be 95% confident. But I’ve probably seen 150 more samples than most people. And I have more bad news for you: I’m 75% confident your vulnerability management metrics are too simplistic. How can both be true? Measuring the wrong things puts you in situations like that. So let’s talk about NIST’s recommended vulnerability management metrics, and how to more closely align with their recommendations.

How long it takes to get a security job with no experience

I was involved in an interesting discussion about how long it takes to get a security job. But here’s an even more important question. How long does it take to get a security job with no experience? That’s a tougher question. I’ll also argue there’s no such thing as no experience. But to keep the search engines happy, here’s how long it takes to get a security job with no experience (except there’s no such thing as no experience!).

Automatic updates vs managed updates

Just turning on automatic updates is one of those bumper sticker-style solutions to IT problems that won’t go away. It sounds really good, and of course it would be cheap. And since nobody’s doing it, it sounds like a new idea. As someone who’s been working in this space more than 20 years, I can tell you there’s a reason nobody does it. And it’s a good reason. It’s even a reason most proponents of bumper sticker-style solutions love to cite as a reason not to do something: unintended consequences.

While allowing systems to auto update seems like a cheap way to solve a difficult IT problem, the unintended consequences can be devastating. There are reasons to do automatic updates in limited circumstances, but it’s easy to cause bigger problems than you solve.

Windows vulnerabilities on Macs in Qualys scans

Alien vulnerabilities are the kiss of death for any vulnerability scanner. There’s no faster way to lose credibility with a sysadmin than to show them a scan of Linux or Mac hosts with Windows vulnerabilities in it. Recently I had to troubleshoot one such issue. Here’s how you can end up with Windows vulnerabilities on Macs in Qualys scans.

Gmail subscriptions flooding? How to deal.

One Wednesday a little after 8:30 AM, my phone dinged. And it dinged four more times that minute. Some bot was signing me up for subscriptions at the speed of light, and my inbox was flooding. Here’s how to deal with Gmail subscriptions flooding.

Make a simple pivot table in Python

One of the first things I do when I open a vulnerability scan is make a pivot table on the title of the vulnerability and the count of that title. Then I do the same for all the systems. It’s easy to do in Excel once you’ve seen someone do it once, but if you have a lot of data it can be crash prone. Here’s how to make a simple pivot table in Python.

This example is for Qualys data but it’s easy to adapt it to another scanner. Just change the names of the columns. Python is so much faster and more reliable for this that I rarely make pivots in Excel anymore. I make them in Python, then load the output file in Excel for viewing.

Cattle vs pets in IT security

Cattle vs pets refers to two philosophies of server management. As an IT veteran who’s worked in the field since 1995, I’ve seen the transition. I’m very familiar with the problems of pet servers, and also familiar with the trickiness of replacing them with cattle servers.

Is Bittorrent safe? A security pro’s take

While the legality of Bittorrent, or at least what people typically use Bittorrent for, is questionable, there’s another question. Is Bittorrent safe? Let’s dig into that question, with something more than unsubstantiated claims.

CIA triad of security

The CIA triad of security has become controversial. I think this is due to a lack of understanding of what it means. The CIA triad remains a good fundamental model of why security exists and what it protects. Here’s what the CIA triad is all about, and what’s wrong with the trendy model some say should replace it.

The CIA triad refers to three things: the confidentiality, integrity, and availability of computer systems and data. Although it is an old model, it is also enduring.

Are password managers a good idea?

No matter what I say in response to this question, someone’s going to say I’m wrong. But I’ll bite. Are password managers a good idea? I’ll hedge and say they solve more problems than they cause. We need a better idea, but no one has found it yet.

The problem with password managers is there’s always the danger they’ll get breached. But the alternatives are people using weak passwords, reusing passwords, or both–and that’s worse.
