As a vulnerability management professional, I talk about vulnerability scanning best practices a lot. There’s a lot more to vulnerability management than just scanning, but if you don’t get scanning right, the rest of the program suffers.
I’m going to talk about a lot of technical controls here, but don’t forget the nontechnical side. People and processes have to support all technology.
I saw this new headline regarding Edward Snowden, discussing his NSA hacking training. Don’t be impressed.
For several years, I lived in that same world Snowden lived in. I’ve gone out of my way to avoid mentioning this, but from 2005-2012, I was a consultant. I worked for several different companies, due to contracts changing hands and companies merging, but my client was the United States Air Force. And from 2011-2012, I even had direct dealings with the NSA. I attended NSA meetings in the Washington, D.C. area. I received NSA training–in person–in a security discipline called threat modeling. My job was to represent NSA to the Air Force three weeks out of the month, and represent the Air Force to the NSA on the fourth week.
Just don’t ask me anything about UFOs. Unlike some people, I didn’t snoop around on classified networks. Whenever possible, didn’t look at the data at all. If I had to look at data, I preferred to look at dummy data. If I actually did look at real, honest-to-goodness classified data, it was because I needed to know that information to do my job. I was a pretty good contractor, I think.
I also know about this training that Snowden put on his resume. Read more
Longtime reader/commenter Joseph asked two questions yesterday: What’s the boundary between gray and black-hat hacking, and is it moral to pick and choose between moral and immoral laws?
The first question is easier than the second. So I’ll tackle that one first. Read more
One of my coworkers invited me to watch a webinar with him today that promised to compare CompTIA’s new high-end certification with the CISSP.
I was skeptical at first, especially when I heard it was an 80-question, 150-minute test. But by the end, I mostly liked what I heard.
Another question from the big box o’ Google search queries: What are the real benefits of having a CISSP?
I don’t want to be flip, but here it is in two words: job security. Read more