Wednesday, May 20, 2009

Emergency Testing engagement

So, I walked into work today and found out I have to go out testing next week. We've been in the middle of a huge effort to certify web applications before they move off base. There is one application that is house at a base in Virginia. Supposedly, one of the other guys was going; but once the date got changed, I was next in line.

The application is a big financial application, and what gets me is they want me to test in production. Which is nuts. The tool we use to find SQLi's and XSS vulnerabilities will litter the database with garbage data. So, I have my work cut out for me to figure out how to test this application.


I forgot to post that I've signed up for the SANS 508, Computer Forensics, Investigation and Response; in the @Home format. This is the same format as the 504 class I took. As a bonus, Rob Lee, the course author is teaching the class.

I am thinking about using it at work, maybe opening an IR or a forensics "division."

Forensics, and IR, are probably my favorite disciplines in the security field.

Policies? What Policies?

At the company, we have weekly meetings to hear various tidbits that apply to the whole company: Nuances like filling out time sheets, travel requests, and other bits of "administrivia." At this past week's meeting, it was brought up that a "rouge" server was pulled off the network as it was not installed and configured per the "corporate polices." The offending party complained that there ARE NO policies. Certainly, on our intranet page, there is a link to the policies. But, upon clicking the link, there are no actual policies listed. Interesting.

Recently, we've had a new email and records retention policy put in place. This policy was distributed as a .pdf, but is still not linked on the intranet page of policies. I'm certainly not a lawyer, but I would think the company would want to get those polices up in a public place, pronto. It's only a matter of time before the company gets tested on them.

And for the record, I had nothing to do with the server.

Sunday, May 17, 2009

A backup strategy that does not work

I preach to my clients that backing up is crucial. And, they should think out their backup strategy so that there is not one single point of failure. The school system I work with used to round-robin their backups between their servers. They have since moved to a backup vendor that stores their backups off site. Good thing, as problems like what I've snipped from Slashdot can occur:

"Flight Simulator community website Avsim has experienced a total data loss after both of their online servers were hacked. The site's founder, Tom Allensworth, explained why 13 years of community developed terrains, skins, and mods will not be restored from backups: 'Some have asked whether or not we had back ups. Yes, we dutifully backed up our servers every day. Unfortunately, we backed up the servers between our two servers. The hacker took out both servers, destroying our ability to use one or the other back up to remedy the situation.'"

Sunday, May 10, 2009

Security Content Automation Protocol from NIST

The other day, our ACA sent us an email with directions to start reading up on SCAP from NIST. There was not much guidance, or further recommendations; just that we should start reading up on it. I took a quick gander at it, and I'm not quite sure what it means for me, yet. However, I did find some cool documents to start reading:

Cell Phone Forensic Tools: An Overview and Analysis Update

Cell Phone Forensic Tools: An Overview and Analysis

Forensic Filtering of Cell Phone Protocols

Guidelines on Cell Phone Forensics

Guide to Integrating Forensic Techniques into Incident Response

Guide to Malware Incident Prevention and Handling

Computer Security Incident Handling Guide

There were lots of other documents there, I've just linked to the ones that caught my attention and have my interest. Looks like I have some reading to do.

Friday, May 8, 2009

GCFA - thinking about it

I'm pretty sure I want to go for my GCFA. SANS is running a great deal. First, Rob Lee is teaching the class in the @Home format. I took the GCIH with Ed Skoudis in that format. The format is great (@Home is a great learning environment) and I like taking the course taught by the course author. And second, I received a voucher for 25% off. That seems like a great deal, if not a sign I should be taking the class. All that said, computer forensics (and IR) is where my heart lays, in the security field.

I've gotten my manager's approval. It will mean putting off studying for the CISSP, which I don't really have my heart in right now. And, I may need to push for a "career-path" so to speak at the job. Would I do inside incident response and forensics? Or, would the company start exploring IR and forensics for its normal clients?

Either way, it's looking like I'm going to go for it.