Wednesday, February 18, 2009

The Importance of Patching

I listened to my first podcast tonight. Ever. I never really thought I had the time to listen to them. But the Network Security Podcast had Brian Krebs on, and since I follow Brian's blog, I wanted to hear what he had to say. I'll admit, it took me a bit to figure out how to subscribe, sync, and generally manage the podcasts. However, I got it figured out, and I look forward to listening to future podcasts.

Brian, Rich and Martin got me thinking. Towards the end of the podcast, they were discussing ways to mitigate the current threats, and even what we'll have to do in the future with potentially more determined threats. As an auditor (and an incident responder for my own clients) I think one of the biggest opportunities we have as a security community is to patch, patch and patch. Yes, it's easier said than done in some instances. But look at Conficker. Here's a worm that arrives on a system because a specific patch is not installed. Installing the patch, which was released out of cycle nonetheless, goes a long way to preventing infection. I understand that businesses need to test out patches to ensure that the patch itself will not cause more harm. But certainly, home users should have Microsoft Update actively and automatically fetching these patches and installing them after downloading.

And while we (ourselves) cannot physically patch these machines, we can be evangelistic about spreading the message. I know that every time I respond to an incident, one of the big lessons I try to impart to my client is for the client to actively keep the machine patched to the best of their ability. Clients are thankful for ways they can proactively keep their machines safe. And I see in many of these clients pride when they learn that they can do it themselves.

I was glad to listen to the podcast, and I look forward to future podcasts, especially if they are as engaging and get me to think.

Air Force darkens base

According to this Wired article, the Air Force has cut the internet access to Maxwell Air Force Base. The article did not explicitly say what caused the loss of internet access; I suspect there were multiple reasons, and multiple failures from their security vulnerability testing.

Yep, this is what I do. I never really thought I would see this, though. I've been to a few bases where our results indicated that they should be darkened, but I never actually thought it would occur. It's interesting because I remember the Air Force was trying to deploy a "cyber command" or something like that.

Tuesday, February 10, 2009

New Testing Engagement

It appears that at the end of the month I will be going to test a system that was missed by my co-workers. It's all part of a large effort, and these two servers were missed. One server is an Oracle Web Application Server, and one server is a MS SQL Server. I'm not too worried about the SQL Server; however, I've never tested an Oracle Web Application Server. I could not find an SRR that would help, so I read through the Application Server STIG and parsed out the questions. I'm going to have to sit with an SME to guide me through finding the answers. Tedious at best. Of course, I'll also hit the server with nmap, and our new web vulnerability scanner, NTOSpider. I've never used NTOSpider.

So, if you have any pointers on either Oracle Web Application Server or NTOSpider, I would love to hear them.

Security+ certificate arrived

A fear of mine partially came true. All along, I suspected there might be issues with the fact that my initial attempt at the Security+ exam was canceled and rescheduled for another date. Sure enough, after waiting the requisite five business days, no information was posted to my CompTIA account. I emailed an incident, and was told I had to send proof of my taking the exam (the score sheet).

I got back a response that because my exam attempt was canceled and rescheduled, the results had "gotten lost." However, it was quickly rectified, and my certificate finally arrived.

Which is good, as I can now update the DoD.

Thursday, February 5, 2009

Testing Canceled - and Guard Dogs with Lasers

Testing was just canceled for a trip I had been looking forward to. That, and I was supposed to train a new employee.

In a meeting today with a different client, they proposed a method of meeting physical security requirements: they proposed getting guard dogs with lasers mounted on their heads.

We actually laughed out loud.