You can't secure what you don't acknowledge.SM

Thursday, September 2, 2010

Crunch risk numbers or fix the obvious?

My colleague Ben Rothke (@benrothke) recently wrote a good piece on basing information security decisions on good data. I like his approach - it'll make you think. It's true we do need good data so we can make better decisions. Sadly, we often don't have the data or, if we do, we're not qualified to interpret it.

Maybe it's just me, but I don't believe my degrees in computer engineering and management of technology qualify me as an "enterprise statistician". That still doesn't make information security oversights okay. The dilemma reminds me of something that Gilbert Arland once said: "Failure to hit the bullseye is never the fault of the target." We do need good data. It's just not that simple in the world of information security.

The problem is similar to the underlying principle of goal setting and leadership: how are you going to know where to go if you don't know where you're going, much less how to get there?

The reality is, we're never - at least for the foreseeable future - going to have all the right data to make good information security decisions. We have to do the best with what we've got. But that shouldn't keep us from focusing on what's obviously important. Case in point: I can say, based on experience, that the majority of organizations I've seen (both small and large) haven't even addressed the basics of information security. Why burden ourselves with complex risk calculations when the bleeding and the cure are right before our eyes?

Don't get me wrong. Quantifiable risk calculations have their place in our industry. But unless and until we get the basic stuff under control, what's the point of making things even more complicated? I'm just saying.

Staying tuned for Part 2 of Ben's article...

The case for zero-day testing

Here's a good piece by David Maynor regarding penetration testing and whether or not zero day exploits should be used. I agree with David. With penetration testing, ethical hacking, vulnerability assessments - whatever you want to call them - anything should be fair game. That is, if you want a real-world view of what's at risk. Limiting your tests could skew the results, and you'll end up with a false sense of security when nothing big turns up.

Tuesday, August 31, 2010

NetScan Tools LE - a must-have for investigators

Have you ever had a need to run a program and get a relatively small amount of data just to do your job but end up getting caught in the complexity of the application and not getting what you need after all? That's happened to me a bunch.

Well, NorthWest Performance Software (makers of a long-time favorite of mine: NetScanTools Pro) has a new tool that helps resolve this problem called NetScanTools LE. Designed for law enforcement investigators (hence the "LE"), prosecutors, corporate security folks and the like, NetScanTools LE packages the ability to gather information on IP addresses, domain names, hostnames, and email addresses all in one concise program. It's for the non-technical types who just want the basics...get in and get out. Given its investigative approach, the tool is case driven and includes timestamps and even packet capturing to help investigators prove they did what they say they did while gathering their data. It's really inexpensive to boot.

Included functions are:
  • ping sweeping
  • port scanning
  • IP to country mapping
  • email validation
  • Whois lookups
  • RBL checks
  • text-only Web page grabber (I really like this)

The following screenshot shows the clean interface of NetScanTools LE:

While I'm on the subject of cool tools, if you've never checked out NetScanTools Pro, you really should. It's chock full of even more utilities (all in one place, albeit bordering on the complex) that those of us in IT and security can benefit from. I have a need for such tools on practically a daily basis.

Furthermore, Kirk Thomas who heads up NorthWest Performance Software is very attentive and eager to get feedback on his products in order to make them better. And based on our conversations I like how he thinks.

Monday, August 30, 2010

"New" Web security content to check out

Here are several new links to some recent (and, due to my crazy year, not so recent) articles I've written for various TechTarget sites on the subjects of Web application and server security:

Web server weaknesses you don't want to overlook
(the "rest of the story" of Web flaws)

SQL injection tools for automated testing (a must-have for your toolkit)

Beefing up SSL to ensure your applications are locked down (good for some of those often-reported PCI DSS compliance gotchas)

Common security flaws to check for on your Linux-based Web systems
(overlooked Linux systems are a great facilitator of Web vulnerabilities)