Monday, January 26, 2009

Building a vulnerability scanning laptop with XP

I'm building a new laptop that will be used to conduct vulnerability analysis scanning. Due to the constraints, this will be an XP laptop. I already have a Linux laptop in use, so this one will meet a different set of needs. I've been compiling a list of applications to load on the laptop, and this is what I've come up with so far:
  • A network vulnerability scanner - TBD - I'm looking at SAINT, Nessus, and Retina
  • Microsoft Network Monitor - I've never used this, but I could see scenarios where it would be useful.
  • Wireshark - a great open source packet capture and analysis tool
  • OVAL - for host-based vulnerability checking
  • A couple of SRR scripts (Unix, SQL Server, and Oracle)
  • Nmap - for scanning
  • Netcat - because it is the Swiss Army knife of network tools
  • NetStumbler - for war-walking
  • TrueCrypt - for data-at-rest protection
Yes, you'll have noticed that the majority of the applications are open source. The scanner will probably be a commercial application, as I need something to do the heavy lifting.

If you can think of something I'm missing or something that might be useful, let me know.

Friday, January 23, 2009

Send the Interview Questions to the Client, pre-test

I just had a client ask for some clarifying information regarding non-technical controls. It seems that the documentation did not fully enumerate those results. To make sure I have that information before leaving the client site, I will send clients the interview questions before I arrive. I believe this will let the interview run more quickly, since the client will already know the questions. Also, if they've filled out answers, I'll have a hard copy I can take back to accompany what I've documented myself.

I'll see how this goes shortly, as my next testing engagement is scheduled in a couple of weeks.

Thursday, January 22, 2009

The Hacking of Congress

I had heard this story before; the article isn't new. However, it was linked on Slashdot yesterday, and I don't want to lose it.

The article makes many good points. I think one of the best was summed up in the Slashdot summary:

The article notes the difficult work of the House Information Systems Security Office, which must set security policies and then try to enforce them on a population of the equivalent of C-level executives.

Saturday, January 17, 2009

Woohoo!! Passed the Security+

I'll have a post in a few days reviewing the book that I used to prepare for this attempt at the exam. I went into the exam pretty confident, with a goal of acing it. I signed up for the exam during the holiday break. The test center nearest to me had appointments on Monday (MLK Jr. Day), and since my office would be closed that day, I figured that would be a good time. It gave me almost three weeks to really prepare for it. Then, yesterday (Friday), I got a call from Pearson VUE telling me that the test center was going to be closed for the holiday and asking how I wanted to reschedule my exam.

I thought about the next Saturday, but I didn't want to wait that long. And I thought about Tuesday, but I really didn't want to take a day off from work. So I asked if there were any centers that were open on Saturday. There was one, and it was a drive, but I figured, what the heck. If I passed, I'd have a great weekend. If I didn't... well, I didn't want to go there. And I was still pretty confident.

But as confident as I was, and knowing the material, I still thought the exam was pretty hard. There were some questions dealing with technologies that I had never heard of before, and I was pretty surprised. Sure, I know there are unscored questions on the exam, but it was still pretty unsettling. There were a couple of times that I had to rally myself, as there were some questions I didn't think were worded well. But to see the "CONGRATULATIONS" on the screen after filling out the survey was absolutely the best feeling. I had to sit in my car for ten minutes before texting home to let them know I was on my way.

So, the exam knocks off a DoD requirement; one less certification to worry about.
Monday, January 12, 2009

Still Alive - Just Studying

I'm still around.
There's been a big push for certifications at the government job. Some of the guys in my group are in a month-long CISSP class. Due to other issues, I wasn't able to take the class. So I'm pushing myself to pass Security+.

Hopefully you'll hear from me soon, with positive news.

Friday, January 2, 2009

Vista rant

I have to preface this post with the following fact: for my government contracting position, the laptop provisioned to me has Vista Business Ultimate. And it seems to work OK. There are some limitations, but there are enough workarounds.

However, my consulting business has a machine that runs Vista Home. The machine's sole purpose is to run QuickBooks. I'm learning QuickBooks, which is no big deal, but the task is made infinitely harder by Vista. For almost every action I take in QuickBooks, I get a "Server Busy" message and have to switch tasks. The machine runs ZoneAlarm, and I'm constantly getting alerts that Windows Mail is trying to access the trusted zone. Huh? Windows Mail? I'm at the point where I just want to downgrade so that I can run the one application I need and get on with it. Because of these issues, I really don't recommend Vista to clients when they ask. I generally recommend XP, or, if I feel they can handle it, Ubuntu.

It's puzzling, because I'm having a (relatively) good experience (knock on wood) with the laptop provisioned for me for government contracting.

There, I feel a little better.