What we are up against…
There is much ballyhoo about the importance of information security to an organization. There is significant focus on the threats posed by hackers, intruders, cyber-terrorists, foreign actors, viruses, Trojan horses, spyware, etc. to the information held by a particular organization. Laws have been enacted to ensure that these actors, if caught, will face significant punishment, and organizations spend millions of dollars to ensure that their systems and infrastructure are hardened to protect themselves from this threat.
Why Information Security: D-UH!
I almost always feel like saying “D-uh!” every time I see a heading for an article or book topic that says “Why information security” or “Why Security”. I feel that it is about as nonsensical a question as “why do I need to breathe”. However, stepping back and looking at the big picture, that is really a wrong assumption. It is almost an internal bias, akin to me being surprised at meeting someone who still doesn’t have an e-mail address or a broadband connection. It boggles my mind that in this day and age of information security exploits and regulatory liabilities, I still meet programmers and developers who continue to spit out commercial products filled with so many holes that a 13-year-old script kiddie can slice through them like Swiss cheese.
That being said, the nature of my profession makes me a little more attuned to information security issues than perhaps the next guy (maybe not the guys sitting right next to me as I write this, considering that they do the same work as I do, but perhaps the next guy in the mall or something), and whether I like it or not it becomes part of my nature. To me, thinking about threats, vulnerabilities and risks is about as natural as breathing. This, however, is not true of the majority of digital innovators and users out there.
From the Geek Mail: Facebook Pushes the Privacy Envelope with Data Sharing
by Lora Bentley
Score one more for Facebook’s “act first, apologize later” strategy.
Last month the company announced it would make user information – including phone numbers – available to application developers. But they wouldn’t get access to the data until after they got express permission “through the usual permission dialogues,” according to the INQUIRER.
After only three days, however, Facebook suspended the program, indicating it had received feedback that users weren’t exactly clear on when they would and would not be giving up access to their information, even with the standard permissions dialogue boxes. At the time, Facebook said:
From the Geek Mail: 2011 Top Tech Jobs
Received from: Daily Edge at IT Business Edge
CyberCoders, a worldwide recruiting firm, has analyzed hiring statistics from a pool of more than 12,000 CyberCoders job listings to determine the top 10 tech jobs for 2011 — focusing on which job types offer the most open positions, career growth and compensation. CyberCoders finds that technical candidates often make more, are in higher demand, and have a better chance for career growth versus candidates who apply for marketing or health care positions.
Matt Miller, Chief Technology Officer of CyberCoders, says, “There is a resurgence of companies hiring tech candidates caused in part by industries which need to automate their business systems.” Miller says, “Automating business systems often results in an increased need for software engineers and technical specialty positions, especially among start-ups.” At the beginning of 2011, CyberCoders had more than 1,400 available positions in technology, up 196 percent from the previous year.
Information Security Management in the Wild Wide Web
Back in 2004, I prefaced a thesis I wrote by noting how our global connectivity has drastically changed the way we live and do business. The advances in technology, I noted, particularly the improvement in personal computing, had been so profound that they revolutionized our culture, education, commerce and the global economy, opening all of us to new horizons and new opportunities. Because of these advancements, useful data that can make or break a business transaction, or data that can significantly save lives, now travels widely and quickly. We have all become very dependent on technology and the convenience that it provides to all of us.
I then added that the gift of interconnectivity does not come for free; it has opened all of us to threats to our privacy, identity, intellectual property and other confidential information that our society has never had to face before.
Simple Math: Maybe the Difference in your Cert Exam Pass/Fail Chances
Picture this. You locked yourself up in a room for two months or so with no social interaction. You’ve excommunicated your family for that time period. You even missed the Super Bowl and the birth of your first child (okay, maybe a little too dramatic, I know you would not dare miss the Super Bowl). In any case, you did all this because you have a goal. You wanted to be certified. You studied and studied. You read the book cover-to-cover. You paid top money for a class. You joined study groups. You took countless practice exams and even bought several brain dump resources for good measure. You studied ’til the cows came home.
On the day of the exam you were as confident as a porcupine with extended quills (imagine that…). You know in your heart you’ve done what you could. You are anxious. You are ready. Then here comes the first question. You think to yourself, “WTF is this? I don’t remember reading about this.” Then the next question is so vague you wonder if it was actually written in English. The third question seems to have two answers instead of one. The fourth is no easier. By the fifth question, all that confidence has gone down the toilet, and by the sixth you are in a near panic.
IT / InfoSec Management through the A.R.M. Framework (no arm twisting necessary)
I will post a more detailed entry on this framework at a later date. A.R.M. stands for Assess-Resolve-Manage. It is a simplified concept that I put together back in 2004 as part of my MBA thesis on Information Security for Small Businesses. The framework is adaptive enough that it can be applied to effective IT management, or to any other form of management for that matter.
To CISSP or Not to CISSP – Part 2
Continued from: To CISSP or Not to CISSP – Part 1
Let’s look at what another non-fan of the cert thinks about the cert. In his blog entry he quoted another blog that stated:
“I chose a self-study route, and devoted around 2 months to the preparation. Locked myself in and had very little to no time for the family; I’d told them what I was up to, and both my wife and son were very supporting. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours, to preparation. The last week before the exam, I took leave from work and dedicated around 12 hours straight every day for 7 days. To cope with the physical and mental tensions I did 45 minutes of yoga in the morning and 20 minutes of meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of study.”
He then followed up by stating:
“That is ridiculous. I would expect someone who wants to be considered as a “security professional” to be well-enough versed in the CISSP material to not require seven straight days of 12 hour studying sessions, beyond the previous seven weeks of study.”
To CISSP or Not to CISSP – Part 1
I had a discussion with a current co-worker over lunch one day on the importance of higher education. Just a week prior, two contractors working with us left without notice and somehow claimed the workplace was pretty hostile to them. Being also a contractor and working with the same group of folks, I (along with the rest of the team) found the claim to be pretty odd. We simply did not see the place as being a hostile one. It was actually a tad dull and boring if you ask me. However, whatever the case may be, this is the reason that they gave their contracting office.
One of the contractors was actually not making the cut, meaning he failed to meet even the simplest objective given to him by our manager and team leads. The other contractor was the one who recommended him for the job, and this contractor apparently has another gig that he believes will bring him tons of cash. So, believing that the writing was on the wall, they decided to leave. Why they left without notice, and gave a false statement as to the reason why they left, has no viable explanation. The only word that comes to mind is: unprofessional.
These two stories came to mind today as I was searching for ideas for acquiring Continuing Professional Education (CPE) credits to maintain my CISSP (Certified Information Systems Security Professional) certification. Somehow the search landed me on pages asking whether the CISSP is worth it. There are several bloggers who simply believe that the accreditation is nothing but a piece of paper that is not worth the ink it was printed with.
CISSP Exam Note (Telecommunications and Networking Security Domain) – LAN/WAN Devices, Types and Speeds of Leased Lines, etc.
LAN Devices
Repeaters (Layer 1)
- Amplify the signal, no added intelligence, no filtering
Hubs (Layer 1)
- Used to connect multiple LAN devices, no added intelligence
Bridges (Layer 2)
- Amplify the signal and add some intelligence
- Forward the data to all network segments if the Media Access Control (MAC) or hardware address of the destination computer is not on the local network segment
- Automatically forward all broadcast traffic
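The three bridge rules above (learn the source, flood when the destination is unknown, always forward broadcasts) are easiest to see as a forwarding table in motion. The simulation below is an added example written for these notes, not code from the original post or from any exam material; the port names and MAC addresses are constructed for illustration, and the model is a simplified learning bridge with no aging or spanning tree.

```python
"""Simplified learning-bridge forwarding simulation (Layer 2).

Added example for the CISSP exam note above; segment names and MAC
addresses are constructed, not taken from any real network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC (the bridge learns from this field)
    dst: str      # destination MAC
    ingress: str  # segment/port the frame arrived on


@dataclass
class Bridge:
    ports: List[str]
    # MAC address -> port on which that address was last seen as a source
    table: Dict[str, str] = field(default_factory=dict)

    def handle(self, frame: Frame) -> List[str]:
        """Return the list of ports the frame is forwarded out of."""
        # Rule 1: learn which segment the sender lives on. Note that the
        # bridge trusts the source field as-is; there is no authentication
        # of MAC addresses at this layer.
        self.table[frame.src.lower()] = frame.ingress
        others = [p for p in self.ports if p != frame.ingress]
        dst = frame.dst.lower()
        # Rule 3: broadcast traffic is always forwarded to every other segment.
        if dst == BROADCAST:
            return others
        known_port = self.table.get(dst)
        # Rule 2: unknown destination -> flood to all other segments.
        if known_port is None:
            return others
        # Destination is on the same segment the frame came from -> filter.
        if known_port == frame.ingress:
            return []
        # Destination is on a known remote segment -> forward only there.
        return [known_port]


def run_demo() -> List[Tuple[str, List[str]]]:
    """Drive a three-port bridge through a short constructed traffic trace."""
    bridge = Bridge(ports=["A", "B", "C"])
    h1, h2, h3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    trace = [
        ("h1->h2 (h2 unknown, flooded)", Frame(h1, h2, "A")),
        ("h2->h1 (h1 learned on A)", Frame(h2, h1, "B")),
        ("h1->h2 (h2 learned on B)", Frame(h1, h2, "A")),
        ("h3->h1 (same segment, filtered)", Frame(h3, h1, "A")),
        ("h1->broadcast (always forwarded)", Frame(h1, BROADCAST, "A")),
    ]
    results = []
    for label, frame in trace:
        out = bridge.handle(frame)
        results.append((label, out))
        print(f"{label:36s} -> out ports {out}  table={bridge.table}")
    return results


if __name__ == "__main__":
    run_demo()
```

Two points worth noticing from the trace: until the bridge has learned a destination, unicast frames reach every segment, so "segmentation" by a bridge is not a confidentiality boundary; and because the table is populated purely from observed source addresses, a bridge cannot tell a legitimate host move from a forged source field, which is why managed switches add controls such as static or limited MAC entries per port.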