Pen Testing Engagement Guide

An interesting penetration testing guide provided by Corsaire.
It has some good points about choosing pen testing consultancies and also some good resources at the end...

Novel way of Learning about Cisco Products

Over at RouterGod there's a very informative series of articles about various Cisco topics. They're in the News Archives section and they've got an... interesting way of presenting the information...

Handy list of Linux Live CDs

A good list of Linux Live CDs. There are quite a few useful ones from the security point of view, including the very useful Local Area Security distro.
Anyone who's not had time to play with Linux Live CDs really should, as they are immensely useful tools for work like forensics and system administration...

Story on the Cisco code theft

New evidence points to Cisco network hack
An article providing some more info on the Cisco code theft, over at Network World. One point mentioned in it that I would disagree with, though, is the comment that
"Unlike open source software products, the security of Cisco's systems, like those of other proprietary software vendors, depends on the source code being kept out of public view, he said"
This is a bit on the sweeping side really... Although it is a salutary lesson that companies shouldn't rely on the secrecy of their code to provide security.

Microsoft Security Policy Compliance...

Redmond enlists security vendors to automate policy compliance
An interesting idea talked about over at Network World is Microsoft working with A-V vendors on the idea of security policy compliance software. If I'm reading it correctly, the idea is that when a machine tries to log onto a Microsoft network its agent software will transmit information about things like its A-V pattern files and patch level, and if these don't meet defined standards it will not be able to connect until it is updated.
It's a good idea for things like laptop users, who perhaps aren't in the office often enough to get updates. That said, I like the idea of this being tied into the network switch/router infrastructure more.
The reason being that even if a PC can't log onto a Windows domain it can still connect to other client-server applications, whereas if the switch the PC is connected to won't let it communicate with anything other than the update server until it is patched, it will be a more effective control.
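To make the difference between the two enforcement points concrete, here is a small model of the scheme the post describes: an agent posture report (signature age, patch level) is checked against a defined standard, and the resulting decision is applied either only at domain logon or at the access switch. This is an added example written for this page, not Microsoft's agent protocol or any vendor's code; the addresses, patch names, thresholds and posture reports are all constructed.

```python
"""Model of a posture-based admission check (added example, constructed data).

Nothing here is a real agent protocol: the Posture/Policy records, the
hypothetical addresses and the patch names are made up to show the logic.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Posture:
    """What the endpoint agent reports when the machine tries to connect."""
    host: str
    av_signature_date: date
    installed_patches: frozenset


@dataclass(frozen=True)
class Policy:
    """The defined standard a machine must meet before it is let on."""
    max_signature_age_days: int
    required_patches: frozenset


# Hypothetical addresses used by the simulation below.
UPDATE_SERVER = "10.0.0.5"        # the only thing a quarantined host may reach
DOMAIN_CONTROLLER = "10.0.0.10"   # where a domain logon would be refused
APP_SERVER = "10.0.0.20"          # some other client-server application


def assess(posture: Posture, policy: Policy, today: date):
    """Return ("allow", []) or ("quarantine", [reasons]) for one posture report."""
    reasons = []
    age = (today - posture.av_signature_date).days
    if age > policy.max_signature_age_days:
        reasons.append(f"A-V signatures are {age} days old "
                       f"(limit {policy.max_signature_age_days})")
    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    return ("allow" if not reasons else "quarantine", reasons)


def reachable(decision: str, dst: str, enforcement: str) -> bool:
    """Can a host with this decision talk to dst under a given enforcement point?

    "domain": the check is applied only at Windows domain logon, so a failing
              host loses the domain controller and nothing else.
    "switch": the access switch applies the decision, so a failing host can
              reach only the update server until it becomes compliant.
    """
    if decision == "allow":
        return True
    if enforcement == "domain":
        return dst != DOMAIN_CONTROLLER
    if enforcement == "switch":
        return dst == UPDATE_SERVER
    raise ValueError(f"unknown enforcement point: {enforcement}")


def compare(posture: Posture, policy: Policy, today: date):
    """Reachability of each destination under both enforcement points."""
    decision, _ = assess(posture, policy, today)
    return {dst: {enf: reachable(decision, dst, enf) for enf in ("domain", "switch")}
            for dst in (UPDATE_SERVER, DOMAIN_CONTROLLER, APP_SERVER)}


# Constructed sample data: one stale laptop, one up-to-date desktop.
TODAY = date(2004, 6, 1)
POLICY = Policy(max_signature_age_days=7,
                required_patches=frozenset({"hotfix-A", "hotfix-B"}))
STALE_LAPTOP = Posture("laptop-07", date(2004, 4, 1), frozenset({"hotfix-A"}))
PATCHED_DESKTOP = Posture("desk-03", date(2004, 5, 30),
                          frozenset({"hotfix-A", "hotfix-B"}))

if __name__ == "__main__":
    for p in (STALE_LAPTOP, PATCHED_DESKTOP):
        decision, reasons = assess(p, POLICY, TODAY)
        print(p.host, decision, reasons)
        for dst, by_enf in compare(p, POLICY, TODAY).items():
            print(f"  {dst}: domain-only={by_enf['domain']} switch={by_enf['switch']}")
```

Running it shows the stale laptop still reaching the application server when the check is only applied at domain logon, and reaching nothing but the update server when the switch enforces the decision, which is the point the post is making.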

Career path to Network Security

Martin McKeay's Network Security Blog: How to get into Network Security
A link to an interesting article at SecurityFocus talking about the prerequisites for getting into network security. My path was: train as an accountant, get lucky and move over to IT before having to do any accounts, spend 5 years in networking and general IT, then move into IT security. I've found my background in IT to be very useful when having security related conversations with IT staff; it definitely helps to understand where they're coming from and also whether they might be being "economical" with the truth...
There's another reference to this story over at Joat's blog, which mentions coding as a required skill. I've picked up bits of a couple of languages over the years, and I'd like to learn more, but I've never been sure which language would be best to focus on, with the inevitable result that I've not really learned any of them....

Microsoft Security Management column

An interesting link over at Michael Howard's blog to a column on Security Management

Good example of Social Engineering

There's an article which runs through a good example of social engineering here. The methods used show how easy it is to gain access to information or goods without authorisation. It does require a talent for thinking on your feet though....

US falls for Phishing...

An interesting article over at vnunet.com quoting Gartner on the levels of loss in the US from phishing scams. I'm definitely surprised that it is as high as $1.2 billion, but if those figures are accurate, I'd hope to see the financial institutions involved moving to authentication schemes which are more resistant to this kind of attack, maybe like the ones I mentioned here.

Diceware Passphrase Generator

Diceware Passphrase Home Page
A link to an ... interesting ... method of generating passphrases: each word is chosen by rolling five dice and looking the result up in a 7776-word list.