Dec 22nd, 2008

Comments: 0
Category: Penetration Testing

Penetration Test Scoping

Got a reminder I’ve not blogged in a while, so here’s the next part of what I was going to talk about. So, following on from my first post in this series, I thought I’d go on to talk about penetration test scoping. Getting the scope right is one of the most important parts of […]

Dec 14th, 2008

Comments: 1
Category: Penetration Testing

What is Penetration Testing?

I’m planning to do a series of posts about penetration testing over the next couple of weeks, so I thought I should start in the obvious place of defining what it actually is. You’d think this would be relatively straightforward, but the term “penetration testing” is misused all over the place. Some people use it […]

Dec 10th, 2008

Comments: 0
Category: Uncategorized

Death of Pen Testing?

http://riskmanagementinsight.com/riskanalysis/?p=532 Very interesting post over at Riskanalysis.is on penetration testing and what it may turn into. There are some good reasons to do penetration testing in there, and I’d agree that targeted testing to prove or disprove theories about the security environment is a smart way to use penetration testing. My feeling though is that, […]

Dec 10th, 2008

Comments: 1
Category: Security Policy

Catching out dodgy security policies

Here’s a question to ask your security policy people, to see whether their recommendations are actually risk based or just “best guesses”… “Have you updated the minimum password length/complexity requirements due to recent advances in password cracking speeds?” I was reading a couple of posts on the Red Database Security blog (here and here, and […]

Sep 6th, 2008

Comments: 0
Category: Off Topic

Why eBook Readers won’t succeed for now…

I really like the idea of eBook readers and I’ve been following the progress of a number of them for a while now (There’s an excellent resource over at the MobileRead site). But there’s one glaringly obvious reason why they won’t succeed for recreational book readers… which is the absurd pricing of eBooks. The most […]

Jul 1st, 2008

Comments: 0
Category: Uncategorized

More virtualization fun..

There’s an interesting post at Hoff’s blog around virtualization and DMZs and to what level it’s “ok” to virtualize a given DMZ environment, following on from a white paper by VMware on the subject. As Hoff mentions, you need to understand the wider context in any risk assessment, but I actually think that in the […]

Jun 23rd, 2008

Comments: 0
Category: General Security

Avoiding controls which are “designed to fail”

One of the great problems and frustrations of working in security is when those darned users don’t follow the nice policies that people have spent so much time working on. But here’s the thing: security professionals actually indoctrinate users not to follow policies! How do they do this? Well, people like following patterns, and so […]

May 15th, 2008

Comments: 0
Category: Vulnerability Management

When is a Debian user not a Debian user?

So lots of people have commented on the potentially very nasty crypto bug in OpenSSL on Debian Linux (and derivatives, including Ubuntu), with the good advice of patching and regenerating your SSH keys… Only thing is, what if you don’t have access to the shell to do exactly that…? What if you don’t even know […]

May 4th, 2008

Comments: 0
Category: General Security

Are we Secure yet? (Part 1)

One of the questions that an Information Security person dreads most is someone from the business asking “Are we secure?”. You can be torn between the urge to explain in detail why that question can’t be easily answered, along with the details of the controls in place and residual risks (and sending them to sleep), or […]