Qualys vulnerability vs discovery scan

One of my most frequent topics of discussion in my time as a vulnerability management architect was the question of a Qualys vulnerability vs discovery scan. It’s especially confusing because Qualys is completely silent on the topic. There’s a reason for that. Let’s talk about the types of Qualys scans and what they can do for you.

Officially, Qualys discovery scans don’t exist. That said, you can implement something very close to what Qualys’ competitors call a discovery scan, and reap numerous benefits from it.

How to read a Nessus scan report

Reading and analyzing a Nessus vulnerability scanner report is an underrated skill. Frankly, I see a lot of misuse and abuse surrounding Nessus scans. So let’s talk about how to read and analyze a Nessus scan for the purpose of understanding and solving problems.

You can read it in the user interface, but I recommend exporting a CSV so you can sort and filter. The exact CSV format has changed a bit over the years, so the columns may not appear in exactly this order, but this will get you started. The most important columns are all here. You’ll find it very similar to reading a Qualys scan report.

For reference, I used the sample file here: https://github.com/derekmorr/nessus-csv/blob/master/nessus_test.csv

Lockheed Martin Cyber Kill Chain explained

The Lockheed Martin Cyber Kill Chain is a popular model in information security. The model illustrates the typical cyber attack. Like the CIA triad, the Cyber Kill Chain is a fundamental concept that helps people understand what motivates security professionals. Understanding it and being able to explain it makes us more effective at our jobs.

Here’s an explanation of the Cyber Kill Chain, along with a couple of examples, one real, and one imagined.

What to do when you know a pedophile (and what not to)

Word got out this weekend that a fairly prominent member of my profession is a pedophile. Fortunately I don’t know the guy. But this is hardly the first time this happened. A fairly prominent tech journalist turned out to be a pedophile a couple years ago too. Unfortunately this happens, and unfortunately I came into some experience in this area early in life.

I know from experience, you don’t always know until afterward. If it were easy to know, these people wouldn’t get away with it for so long.

Vulnerability management metrics

I am 75% confident your vulnerability management metrics are too complicated. I’m 75% confident because I’d need to see examples from about twice as many organizations as I’ve seen in order to be 95% confident. Still, I’ve probably seen 150 more samples than most people. And I have bad news for you: I’m also 75% confident your vulnerability management metrics are too simplistic. How can you be both? Measuring the wrong things puts you in situations like that. So let’s talk about NIST’s recommended vulnerability management metrics, and how to more closely align with their recommendations.
