Do I have enough CISSP work experience?

It seems like about once a month an aspiring coworker asks me how to get enough CISSP work experience. I think this shows a misunderstanding of the requirement, so I’m going to try to clear it up.

You don’t have to get your five years of work experience in one big lump. And that’s a good thing, because that would be hard to do. Sometimes you can get a security job without a cert and work your way toward it, but a lot of employers want you to come in with the certification already.

But that’s OK. As long as you’re doing something more than selling computers at retail, odds are you have some security experience that can count toward the requirement.

How to become an Info Assurance Analyst

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me.

Takeaways from Patrick Gray’s AusCERT coverage

I’ve been listening to Patrick Gray’s coverage of the AusCERT security conference, and I walked away with two major takeaways, one for security professionals and one for everyone.

Everyone first: Use SSL (https) everywhere you possibly can. Generate superfluous https traffic if you can.

Network professionals: Block as much UDP at the firewall as you can.

Read on for more.

A treasure trove of training material

Need to improve your security skills? Need a refresher course to brush up on some skills you haven’t used in a while? Or are you just looking for some CPEs or CEUs to keep your certification valid?

The United States Department of Defense offers a great deal of security training, much of which is freely available to all comers. Your tax dollars paid for it, so don’t feel bad about using it. Besides, if you use it to improve your networks, then your networks are less likely to become a source of attack on government networks, so they’re happy for you to use most of it.

Here’s a hint: Anything that isn’t viewable by the general public is marked “(DoD PKI Cert req’d).” If you don’t see that marking, then it’s free for you to view. Just click the link marked “Launch Training.”

What I did since I (temporarily) need Java

I’ve been seeing the same question over and over in my search logs lately: Is Java safe to run in 2013?

Generally speaking, the answer is no.

I have little choice but to run Java right now, though. I’m studying for a certification exam, and the best quiz program that I know of is written in Java. Its user interface is in Polish, a language I don’t speak, but that bothers me less than it being written in Java. Google Translate can help me with the Polish, but it can’t make Java safe. That’s up to me.

So here’s what I did.

One road to the CISSP: Do SSCP first

As my crazy week wound down, I had a number of visitors, including someone who’s been on the fence about taking the CISSP. She wanted some advice. The (ISC)² Code of Ethics says to give generously of such things when asked, so we talked for about 30 minutes.

What browser should I use?

Mozilla downloads are spiking since, among other people, US-CERT issued what amounted to a plea for people to use some browser, any browser, other than Microsoft Internet Explorer.

Several well-known computer columnists have been trumpeting Mozilla for months now. At least one has stated repeatedly and publicly that he’s staying with IE. So what should you do?

Interestingly, IE only has about 50% of my readership. That doesn’t surprise me; I’ve long been an IE critic, and blogs tend to attract readers who agree with them. So I don’t pretend that my readership is representative of anything.

As far as alternatives to IE, I’ve been running some flavor or another of Mozilla as my workaday browser since about version 0.7, using IE just for running Windows Update and not much else. Why? Well, while IE usually loads faster than Mozilla, once it’s up and running, I think Mozilla is the faster browser. I love tabbed browsing, and I love how you can search web pages by hitting the ‘/’ key and then typing the phrase you’re looking for. To me, those reasons alone are reasons to switch; it just lets me work so much faster.

But I’ve overlooked possibly the best reason to switch, because it’s been so long since I’ve noticed the problem. Are you tired of popup and popunder ads? Mozilla browsers block them. No extra software needed. This weekend, when I used a computer that only had IE on it, I got so sick of popups I was about ready to download and install Firefox to get some relief. Microsoft’s been promising this functionality for months, maybe even a year, and still hasn’t delivered. Honestly, I’ll be surprised if it’s ever delivered as anything other than part of the next version of Windows.

But besides that, it’s a matter of security. So this most recent security hole has been patched. It’s been known for weeks and they’ve just now gotten around to patching it? What about next month’s exploit? I’m confident there’ll be another, and soon, just because IE has nearly as many security patches as Windows itself.

Besides keeping out hackers, it’s been known for some time that people who run something other than Internet Explorer have fewer problems with spyware.

So what about sites that require Internet Explorer? Actually not a whole lot of them do, these days. Most remaining compatibility issues with Mozilla are resolved as soon as you install Sun’s J2SE Java library.

And if you want some more tips on living with Mozilla Firefox, you’ve come to the right place.

I switched to IE at version 5.01 for a simple reason. At that point, IE was the better browser. Mozilla caught up again sometime around version 0.7. That was when I switched back. And it’s done nothing but get better since.

Patch your Linux distros

There’s a nasty vulnerability in recent SSL libraries that an Apache-based worm is currently exploiting. The patch is obviously the most critical on machines that are running secure Apache sites. But if you don’t like vulnerabilities, and you shouldn’t, go get your distribution’s latest updates.

This is why I like Debian; a simple apt-get update && apt-get upgrade brings me right up to speed.

CERT pointed out that Apache installations that contain the ServerTokens ProductOnly directive in their httpd.conf file aren’t affected. (I added it under the ServerName directive in my file; it’s not present at all in Debian by default.) This will hurt Linux’s standings in Netcraft, but are you more interested in security or advocacy? Increasingly, I’m more interested in security. No point in bragging that you’re more secure than Windows. Someone might make you prove it. I’d rather let someone else prove it.
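A small checker for the ServerTokens setting discussed above, written here as an added example rather than anything from the post. The httpd.conf fragments are constructed; the one fact it relies on is that Apache falls back to ServerTokens Full when the directive is absent, which is exactly the Debian default the post describes.

```python
import re

# Constructed sample configs (not from the post). The first mirrors a stock
# Debian file with no ServerTokens line; the second has the directive added.
DEFAULT_CONF = """\
ServerName www.example.test
# no ServerTokens line here, so Apache uses its compiled-in default
"""

HARDENED_CONF = """\
ServerName www.example.test
ServerTokens ProductOnly
"""

# Apache's spellings for the directive, mapped to a canonical level name.
ALIASES = {
    "prod": "ProductOnly", "productonly": "ProductOnly",
    "major": "Major", "minor": "Minor",
    "min": "Min", "minimal": "Min",
    "os": "OS", "full": "Full",
}

def server_tokens_level(conf_text):
    """Return the effective ServerTokens level for a config text.

    Comment lines are skipped, the directive name is matched without regard
    to case (as Apache parses it), and the last occurrence wins. If it never
    appears, Apache's compiled-in default of Full applies.
    """
    level = "Full"
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"ServerTokens\s+(\S+)", stripped, re.IGNORECASE)
        if m:
            value = m.group(1)
            level = ALIASES.get(value.lower(), value)
    return level

def leaks_more_than_product(conf_text):
    """True when the Server header would reveal more than the product name."""
    return server_tokens_level(conf_text) != "ProductOnly"
```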

While you’re making Apache volunteer as little information as possible, you might as well make the rest of your OS as quiet as possible too. You can find some information on that in an earlier post here.

Update your BIND servers

A buffer overflow vulnerability exists in a large number of versions of BIND. CERT released an advisory over the weekend. I haven’t seen this on most news sites yet.