.: lists archive


.: rules of thumb for security and defense
Joat posted this, so I'm going to copy it over:

Just keep in mind the general rules of thumb for security:
  • It's not "if" someone is going to break in, it's "when"...
  • in the real world the best you can hope for is fifteen minutes of fame, in the virtual world, the best you can hope for is fifteen minutes of obscurity... (quote mine)
  • there's no such thing as a secure online system...
  • and adding technology rarely adds security.
The general rules of thumb for countering attacks:
  • Log as much as practical
  • review your logs automatically AND manually
  • employ a consistent backup schedule
  • use your metrics, be able to recognize what's normal and what isn't
  • the most expensive investment in security is also the one you'll get the best return on: knowledge
Regardless of what personnel and what cool toys you have guarding your network, someone, somewhere, sometime will break into your network.
.: ten steps to getting into security
Scott,

I read the "Scott's 10 Steps for Becoming a CCIE" article (Sept. 14, 2004), but what about getting into security? I want to get into security, but I don't know where to start. Do you have a list of 10 ways to accomplish the five more marketable security certifications in IT?

-- Alex

Alex,

Getting into security is a rewarding experience, but like other IT fields, it requires a lot of work!

First, I'm not sure which you consider the "five more marketable" of the various security certifications out there. I suppose that would all depend on which specific area of security you want to do work in. Here are a couple certifications to consider:

- CISSP/SSCP -- From ISC2, http://www.isc2.org
- SCNA/SCNP -- From Security Certified Program, http://www.securitycertified.net
- CISA/CISM -- From ISACA, http://www.isaca.org
- GIAC/GSEC Series -- From SANS, http://www.sans.org
- Security+ -- From CompTIA, http://www.comptia.org
- CCSA/CCSA -- From CheckPoint, http://www.checkpoint.com
- CCSP/CCIE Security -- From Cisco Systems, http://www.cisco.com/go/certification
- JNCIA-FWV/JNCIS-FWV -- From Juniper Networks (formerly NetScreen's NCSA/NCSP certifications), http://www.juniper.net/training/certification/netscreen

There are others, but the certs above are the primary ones that I can think of. The marketability of any of them certainly depends on your location and surrounding market environment.

Similar to what we, at my company, tell our clients regarding Internet security, it really isn't a matter of "if" you will be attacked but rather a matter of "when." As a security professional, you need to be thinking in this way, but you also need to balance it with a healthy dose of business sense. Being completely paranoid does make for good security, but it also leads to some decisions that make no sense, business-wise, or do not offer sufficient economic incentive. Therefore, consulting in security is concerned with costs as much as performance.

The things I recommend to keep in mind when approaching security certifications are similar to steps in previous guides I've provided in my regular column. Here's how to become a security consultant in 10 simple steps:

1. Give up your social life -- really. If you had one before, you will soon not have one, unless all of your friends like to talk about really esoteric topics and argue on the best way to protect against Internet attacks. But if you have friends like these, ask yourself serious questions about the quality of your social life.

2. Read, read, read, read and read some more! There are plenty of security books and magazines out there, but if you're relying on these for your sole sources of security information, then you're already behind the times. Don't get me wrong -- not that magazines are bad, but you need to stay more up-to-date than that!

Read things other than security magazines. Become familiar with your market and the businesses in your market. Get a sense of how they think and why. The better you can relate network security to any particular business and demonstrate your business sense (rather than technical paranoia), the more accepted you will be.

3. Learn about the bad people that keep security professionals busy. Don't idolize them, but try to think like they do. Attacks that can be anticipated are easier to defend against. You need to know the latest attacks as well as the latest strategies against them.

4. Set up your own network at home, preferably over a broadband connection from a popular provider. Do not place a firewall at the outer edge of your network. Try to defend against various attacks with your computer alone. Don't keep anything critical on this machine, as it may frequently need to be trashed and recreated. Despite the agony, you will learn a lot from these exercises.

5. Invest in equipment. Since money may be an issue, however, what to get and where to get it is a different story. Check out eBay and used equipment resellers. Depending on which of the certifications you go after, equipment may or may not be necessary, but at some point, you'll need hands-on experience playing with actual equipment to see how things work. No matter how meticulous you are or how well you know your books inside-out, implementing any security product for the first time in real life when a client is watching you, or in response to a security breach, is a really bad idea.

6. Realize that any of the certifications listed above are merely starting points. Each of them is different in focus and detail. Some are technical and some are managerial. Some are vendor-specific and others are broad in scope. Each of them may highlight different areas of your experience or specialties, so one is not necessarily better than the other.

I know people with only the Security+ certification, which keeps them plenty busy at work. On the other hand, I know others with a CISSP as well as some of the more technical certifications who are doing a less-than-stellar job, in my opinion. It largely comes down to your market and how well you can convey your understanding of security to your customer base.

7. Learn to be anal-retentive. Perhaps dating a librarian would help here. Whatever method you use (and believe me, being meticulous in security design and concepts does not have to translate into how you live or organize your personal life), the more structured your approach to security is, the better. The best security design is one of "no more, no less," which gives users the abilities they need to do their jobs without granting them too much access. The more separated things are in your network, the easier it will be to quarantine any bad elements that may invade your system. But don't forget that the best security arrangement is transparent to your users.

8. Depending on which certifications you are working on, purchase as much varied equipment as you can. Performing firewall designs and integration exercises requires a completely different mindset from deploying VPN integrations. Both of these are completely different thinking processes from intrusion detection or prevention implementations.

Remember that home network I told you about? Install an IDS/IPS device or software facing your broadband connection. Watch all the entertaining things people will try to do to you, and to think you aren't even a "popular" target! But research the attacks that come in and be familiar with them. Just when you think you know enough, go back and look again! Things change! Conceptually, there aren't a lot of truly new attacks out there, but every once in a while, something will strike you as being original or creative, at which point, you should take notes. But be careful that you don't emulate these attackers!

9. Keep a journal. You may need three or four of these. Note your progress: your good points and your bad points. Keep separate notes organized on different technologies. Add to them as you learn something new. There are many evolving technologies, and many different areas of theory and technical configuration. The more repetition in writing, analyzing, rewriting, compiling and configuring you do, the better the information will stick in your long-term memory.

10. Attend a class, if possible. After you have been doing this all on your own for a while and are cruising through things, try to attend a class. There are many offered throughout the world with some better than others. Make sure to take the time to evaluate the class and its instructor. There is a huge variance in the quality of instructors out there, and the knowledge learned or not learned is often due to factors like this.

The more technical the certification you pursue, the more important taking a class is. There are different classes for the myriad of different certifications out there. A training course, however, should not be the first time you are subjected to a particular set of technologies or concepts. The first time you learn something, you won't know enough to ask questions or assimilate the information yet. After you've been working with a concept for a while, you'll have developed a basic grasp to be able to handle more advanced information. Of course, the quality of instructor you learn under will determine the quality of additional information you will add to your knowledge.

Becoming a security professional is a stimulating experience, and like with many things, the more you know, the more you realize you don't know. Security is a never-ending learning experience. As long as you realize that no matter how bright you are, there is always someone out there who is smarter than you, you'll do just fine.

Enjoy the educational journey and try not to lose yourself too much in the fray. Decide what aspect of security you want to accomplish first, and then narrow your choices from there!

-- Scott

Scott Morris, quadruple CCIE and Uber-Geek can often be seen traveling around the world consulting and delivering CCIE training. For more information on him check out http://www.uber-geek.net or for CCIE training check out http://www.ipexpert.com.
.: get hired as a pen tester
One of my favorite blogs, Security Monkey (or A Day in the Life of an Information Security Investigator), made a post about how to increase your chances of getting into the lucrative and fun field of penetration testing. The comments are nearly as good as the post itself, and I definitely wanted to keep this around.
.: 10 books from information security and 10 from richard bejtlich
Here is a list of Top 10 books as suggested by Information Security magazine.

Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition by William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
This perimeter security text is perfect for serious security professionals. The authors have mastered the art of applying the theoretical to actual working applications; the result is pragmatic advice from some of the finest minds in the field.

Hacking Exposed, Fifth Edition by Stuart McClure, Joel Scambray, George Kurtz
The original edition ushered in a new era of computer security publishing, offering unabashed, technically detailed and fully documented instructions on how to subvert the security of a multitude of systems. Although some scoff at the series, perhaps they just hate to see some of their secrets published.

Applied Cryptography by Bruce Schneier
Any book that the National Security Agency prefers to remain unpublished is bound to make great reading. Anyone doing serious work with cryptography needs a copy. With a comprehensive and excellent explanation of encryption of all kinds, this book is second to none.

Practical Cryptography by Bruce Schneier, Niels Ferguson
Schneier's sequel to Applied Cryptography will help you apply your newfound cryptographic skills successfully and securely. Think of them as volumes one and two of the same book.

Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz
The authors deliver an excellent introduction to a wide variety of computer and network security issues within UNIX.

Security Engineering by Ross Anderson
This book details security design and implementation strategies employed in real-world systems. Although many publishers employ strategies attempting to inflate the page count (and price) of a book, this 600-page masterpiece could only result from the dedication of an extremely knowledgeable veteran of the field.

The Tao of Network Security Monitoring by Richard Bejtlich
"Tao" means "The Way," and that's what this book is: the way to evolve IDS operations. The network security monitoring philosophy is both obvious and completely revolutionary.

The Art of Computer Virus Research and Defense by Peter Szor
Szor's mastery of virus/antivirus technology is unparalleled, and this comprehensive tome is the definitive work on the subject. Although parts are inaccessible to all but experienced assembly language programmers, antivirus is such a critical technology that every professional should read this book, if only to understand the problem.

A Guide to Forensic Testimony by Fred Chris Smith, Rebecca Gurley Bace
As security pros, we stand a higher-than-average chance of being called into court to testify about the results of our investigations. The authors do a good job of explaining the challenges associated with information security cases and how to give the best testimony possible.

Spam Kings by Brian McWilliams
This behind-the-scenes account of real-life spammers and spam fighters is a must-read for anyone trying to squelch junk e-mail. There's a freak show in here, but also a lot of good intelligence on the inner workings of the spam kings.


And Richard Bejtlich's Top 10.
.: top 10 infosec skills
Dan Morrill posted a list of his top 10 information security skills to have. I really like this list, and it certainly gives me a better benchmark than just what appears on my resume or the certs I might hold. Considering Dan manages teams like this, his opinion is about the best one out there, really.
.: 10 immutable laws of security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Law #10: Technology is not a panacea
.: six worst security mistakes

NetworkWorld posted a rather good series of articles on the six worst security mistakes.

1. Not having a security architecture- I like this overview, but I would add the need for logging and reviews of logging, from syslog/snmp stuff to web logs, OS logs, etc. Sadly, none of the companies I have worked for have been big enough to trouble themselves with spending money on formal security architectures beyond what is done when the environments are built or enhanced. Policy and protections have been second place, at best, to functionality and getting the needs taken care of.

2. Not investing in training- This discussion was awesome and a lot of poignant stuff was mentioned. I liked the contrast of the benefit of employee training and what happens when untrained people make decisions.

3. Neglecting identity management- Since I've not worked in environments with over 500 employees, I've not had to worry much about identity management. Sadly, gaining any type of knowledge here is difficult, as so many sources pretty much say, "you need identity management, here's kinda what it is" but never discuss what products work, what don't, pros and cons of each, or even how to properly implement it from user acceptance to technical specs. This is one of my biggest issues with a lot of trade mags, especially vendor/ad supported mags that otherwise get sent free. They talk in general terms without actually giving me, an IT doer, much substance. Someday I'd like to examine identity management systems, but so far I've not seen a need for it in current environments. If I could make my own home-brew setup with little cost (maybe a USB fob and open source software), I would love to add that to my projects list.

4. Ignoring the insider threat- Most articles talk about how the insider threat needs attention, but never explain what to do, even in the most elementary terms. This piece goes one step further than most by saying one should monitor employee network use, harden the internal network, use internal network IPS to filter at the switch level, review and test internal access controls, and limit explicit trust in pretty much everyone. This is a good start, but spending money on this can be difficult as not many people really want to think about insider attacks. HR and management like to trust their employees while IT security tends to distrust pretty much everyone. This is just a matter of having different viewpoints, and can be a hard topic to effectively discuss. I think I would add that not just employee use should be monitored, but all internal system logs as well, especially for odd connections, failed authentications, IPS/IDS alerts, and mysterious local account creation. Internal routers and firewalls can help segment things quite nicely and put off the bear of hardening all systems, at least for a while.

5. Not protecting web appliances- This was a shaky article, but I like the identification of three levels to protect when it comes to web servers: the host (OS), the server infrastructure (IIS/Apache I believe he meant), and the web application. The host and the infrastructure are no-brainers, really. The web app is the dicey part. In my experience, infrastructure (network and sysadmin roles) is not married with application development; in fact, these teams tend to work in opposition to each other. Likewise, security tends to fall in the middle somewhere. Infrastructure may bring it up and even test it, but typically we are hands-off when it actually comes to code changes. Whenever talking about web site security strategies from an infrastructure viewpoint, defense in depth must always be used. Assume there will be vulnerabilities in the web app, and plan to mitigate them. If development and infrastructure work well together, it will be a cold day in hell... :(

6. Buying products with the most bells and whistles- This is an interesting item, and I think it is a product of poor training, lack of time to make accurate assessments and decisions in the face of sales propaganda, and lack of a security architecture or plan. Sadly, I often hear about how appliances are purchased and forced into an environment because some senior manager read about it in a magazine and demanded it, all without truly evaluating the needs, the best solutions, or determining if there is a need for more staff to properly manage them. A spiffy buzzword logging device is useless if no one is looking at the log reports or investigating the reported issues.
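Item 4 above says internal logs should be reviewed for failed authentications and mysterious local account creation, and item 1 says the logs have to actually be read. The following is an added example of what that automatic first pass can look like, written for this page and not taken from the NetworkWorld series or any product. The log lines are constructed samples in Linux auth.log style (the host name "fileserver", the user names and the private addresses are all made up), and the threshold of five failures per source is an assumption to be tuned to what is normal on your own network.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Linux auth.log style; not taken from any real system.
# "fileserver" is a hypothetical host name, the addresses are private-range samples.
SAMPLE_LOG = """\
Mar  3 08:01:12 fileserver sshd[2101]: Accepted password for jsmith from 10.10.1.25 port 51022 ssh2
Mar  3 08:02:40 fileserver sshd[2133]: Failed password for invalid user admin from 10.10.1.77 port 40211 ssh2
Mar  3 08:02:41 fileserver sshd[2133]: Failed password for invalid user admin from 10.10.1.77 port 40212 ssh2
Mar  3 08:02:43 fileserver sshd[2133]: Failed password for root from 10.10.1.77 port 40213 ssh2
Mar  3 08:02:44 fileserver sshd[2133]: Failed password for root from 10.10.1.77 port 40214 ssh2
Mar  3 08:02:46 fileserver sshd[2133]: Failed password for jsmith from 10.10.1.77 port 40215 ssh2
Mar  3 08:02:47 fileserver sshd[2133]: Failed password for jsmith from 10.10.1.77 port 40216 ssh2
Mar  3 08:15:03 fileserver sshd[2301]: Failed password for jsmith from 10.10.1.25 port 51030 ssh2
Mar  3 08:15:09 fileserver sshd[2301]: Accepted password for jsmith from 10.10.1.25 port 51030 ssh2
Mar  3 23:41:55 fileserver useradd[2777]: new user: name=svc_backup2, UID=1007, GID=1007, home=/home/svc_backup2, shell=/bin/bash
Mar  3 23:42:10 fileserver usermod[2780]: add 'svc_backup2' to group 'sudo'
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
NEWUSER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+),")
GROUP_RE = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}


def review_auth_log(text, fail_threshold=5, allowed_accounts=frozenset()):
    """Review one batch of auth log lines (e.g. yesterday's file) and return findings.

    Each finding is a (kind, subject, detail) tuple:
      new_local_account    - an account was created that is not on the approved list
      privileged_group_add - an account was added to an administrative group
      auth_failure_burst   - one source address failed to authenticate >= fail_threshold times
    """
    failures_by_src = Counter()
    accounts_by_src = defaultdict(set)
    findings = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures_by_src[src] += 1
            accounts_by_src[src].add(user)
            continue
        m = NEWUSER_RE.search(line)
        if m:
            if m.group(1) not in allowed_accounts:
                findings.append(("new_local_account", m.group(1), line.strip()))
            continue
        m = GROUP_RE.search(line)
        if m and m.group(2) in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add", m.group(1), line.strip()))
    # One user mistyping a password once is normal; many failures from a single
    # source, often spread across several account names, is what needs a look.
    for src, count in sorted(failures_by_src.items()):
        if count >= fail_threshold:
            detail = f"{count} failures against accounts {sorted(accounts_by_src[src])}"
            findings.append(("auth_failure_burst", src, detail))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review_auth_log(SAMPLE_LOG):
        print(f"{kind:22} {subject:14} {detail}")
```

Run against the sample, the script reports the new account, its addition to the sudo group, and the six failures from 10.10.1.77, while the single mistyped password from 10.10.1.25 stays below the threshold. Passing the approved service accounts in `allowed_accounts` keeps planned account creation out of the report, so that what remains is worth a manual look.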

.: 5 security steps for small businesses

Tate over at ClearNet Security made a post about a friendly debate over the top 5 things a start-up company (read: small company) can do to start out the right way in regards to a safer computing environment. I thought this would be a good exercise in determining what my own top 5 recommendations to a similar fictional company would be. Granted, doing a top 5 instead of a top 6 or however many top picks it takes to do security right is a little limiting for no real reason, but this limit does help focus a bit more. This can also act as a general checklist for consultants or any outsourcing of solutions a start-up does, especially ones without in-house IT staff. I also try to recommend free solutions as a starting point, especially for small companies without IT budgets.

1. Backups. This is the #1 thing to do to keep a business alive and running. My underlying assumption is that incidents will occur. If you don't have data backups, you will not survive many larger incidents. A requirement would be offsite backups, even if it is just at the CEO's home and maybe the CFO's home. Everything else for security should be dropped until this is done. Backups can be as simple as some batch files like Robocopy dumping data onto FireWire or USB drives every night, with manual swapping of drives every day or week. Desktop systems can be set to perform regular system backups to central storage if need be. Test backups regularly, and test restore procedures regularly, to ensure that they are working and to keep someone knowledgeable about the process. Make sure workers copy important data to central servers every night or every Friday, or to a location that is backed up. Even an elaborate file server and backup scheme is defeated internally if users keep their data on their own systems and those systems are not backed up themselves.

2. Network firewall on the Internet link. Put up a network firewall on the Internet link and be draconian in the rules. Default Deny, and limited access elsewhere, even if it means nearly zero access from the outside. Small start-ups might be able to contract out to a local Linux expert or friend of the company to throw in a largely free Linux solution. Something like SmoothWall/IPCop may be better, as a slightly tech-savvy worker may be able to understand and work the web-based configs better than Linux iptables and such. But, if possible, invest in a Cisco Pix or Juniper NetScreen or Windows SMS/ISA solution and contract someone to set it up for you.

3. Desktop Antivirus. Evaluate some robust and light-weight products for Antivirus protection. For the most protection, I would not pick Norton or McAfee (most malware that is truly dangerous looks for and disables them anyway), but rather look into Kaspersky or F-Secure instead. For freeness, AVG and ClamWin are decent enough. A good case can be made for network-based Antivirus on the gateway in a smaller company, but most new desktop/laptop systems come with host-based AV anymore, so you may already be half done without the extra burden. Obviously, the apps should be set to regularly scan the systems, automatically clean/delete, provide realtime scanning and stopping of virus execution, and be set to update at least daily, every 8 hours if possible.

4. Patch Management. Turn on your Windows Automatic Updates to force installation upon a subsequent reboot. Try to do this with Office if at all possible. Updates should be done as soon as possible, preferably once a week on a Thursday or Wednesday. Workers should regularly do manual updates, even if it just verifies that automatic updates are working just fine.

5. Man, the dreaded last spot. Do I use physical security here, as losing the time and equipment for a small company can cost dearly? I guess when it comes down to such a short list, I have to look at what will best help the company survive and prosper to a point where the luxuries of security can be afforded. I would side with physical security here. Make sure doors are locked properly and possibly invest in an alarm system. If the company is in a business park, get to know the security stance of the business park owners and possibly work with them to provide for alarms or anything else they may do for you. If possible, lock down all systems at the desktop and secure any server equipment behind another locked door or at least out of sight behind some other door. The cost of these protections is far outweighed by the loss incurred in their absence.

I will cheat and put in a 5.5, since it is not only dealing with security, but insurance purposes as well. Inventory all systems and keep that up to date. This can just be some spreadsheet available with dates of purchase, serials, hardware details, software licenses, etc. Starting this early helps. Inventory can be morphed into talking about baselining an environment. Know what you have and what is normal in your environment. What systems are expected, what software is expected, what sort of traffic levels you expect, what log entries are normal. This baseline effort can then lead to quickly recognizing when something is abnormal and needs investigating.

A really close next consideration is to acquire desktop/security help either with some low-cost outsourcing or just hire a guy internally to manage systems, clean spyware, try out new software, help test new products, etc. This can help provide a company with someone to turn to for slightly more authority than your average user, and help a budding IT professional get his chops cut on some real experience. There are plenty of IT professionals out there who would be glad to consult either on the side of their daytime gig (be open to only getting support outside business hours) or add you as part of their already established clientele.

Lastly, if the small company insists on a wireless network, then I have to include wireless security as part of the list. The wireless network must not remain open and needs to be protected using WPA. Yes, this might be a hassle with visiting guests and potential clients, but the consequences of some high school kid driving by and mucking in your network can be dire.
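The 5.5 item above, and the "use your metrics, be able to recognize what's normal and what isn't" rule of thumb at the top of the page, both come down to the same mechanical step: write down what the inventory says should be there and compare each observation against it. This is an added example of that comparison, not code from the ClearNet post or from any product. The baseline and the observed snapshot are constructed samples for a hypothetical four-machine office (host names, software names including the placeholder "RemoteAdminTool", ports and byte counts are all made up), and the 50% traffic tolerance is an assumption to adjust once a few weeks of real numbers are in the spreadsheet.

```python
# Constructed baseline for a hypothetical small office: what the inventory spreadsheet
# says exists, what software is approved on each machine, which TCP ports each one is
# expected to have listening, and roughly how many bytes a day each one moves.
BASELINE = {
    "fileserver":    {"software": {"Windows Server 2003", "Backup Agent", "F-Secure"},
                      "listening": {445, 3389}, "daily_bytes": 2_000_000_000},
    "reception-pc":  {"software": {"Windows XP", "Office", "AVG"},
                      "listening": set(), "daily_bytes": 150_000_000},
    "accounting-pc": {"software": {"Windows XP", "Office", "AVG", "QuickBooks"},
                      "listening": set(), "daily_bytes": 100_000_000},
    "printer":       {"software": set(), "listening": {9100}, "daily_bytes": 5_000_000},
}

# Constructed snapshot of what was actually seen on one day. Differences from the
# baseline are deliberate so the comparison has something to report.
OBSERVED = {
    "fileserver":    {"software": {"Windows Server 2003", "Backup Agent", "F-Secure"},
                      "listening": {445, 3389, 8080}, "daily_bytes": 2_100_000_000},
    "reception-pc":  {"software": {"Windows XP", "Office", "AVG"},
                      "listening": set(), "daily_bytes": 900_000_000},
    "accounting-pc": {"software": {"Windows XP", "Office", "AVG", "QuickBooks", "RemoteAdminTool"},
                      "listening": set(), "daily_bytes": 90_000_000},
    "unknown-laptop": {"software": set(), "listening": set(), "daily_bytes": 40_000_000},
}


def compare_to_baseline(baseline, observed, traffic_tolerance=0.5):
    """Return a list of (kind, host, detail) anomalies found by comparing observed to baseline.

    Kinds: unknown_host, missing_host, unexpected_software, unexpected_listener,
    traffic_deviation. traffic_tolerance is the fraction above or below the expected
    daily byte count that is still treated as normal.
    """
    anomalies = []
    known, seen = set(baseline), set(observed)
    # Machines on the wire that the inventory does not know about, and inventoried
    # machines that have gone quiet (a dead printer, or a box that walked out the door).
    for host in sorted(seen - known):
        anomalies.append(("unknown_host", host, "not in inventory"))
    for host in sorted(known - seen):
        anomalies.append(("missing_host", host, "in inventory but not seen"))
    for host in sorted(known & seen):
        exp, obs = baseline[host], observed[host]
        for sw in sorted(obs["software"] - exp["software"]):
            anomalies.append(("unexpected_software", host, sw))
        for port in sorted(obs["listening"] - exp["listening"]):
            anomalies.append(("unexpected_listener", host, f"tcp/{port}"))
        low = exp["daily_bytes"] * (1 - traffic_tolerance)
        high = exp["daily_bytes"] * (1 + traffic_tolerance)
        if not low <= obs["daily_bytes"] <= high:
            detail = f"{obs['daily_bytes']:,} bytes observed vs about {exp['daily_bytes']:,} expected"
            anomalies.append(("traffic_deviation", host, detail))
    return anomalies


if __name__ == "__main__":
    for kind, host, detail in compare_to_baseline(BASELINE, OBSERVED):
        print(f"{kind:20} {host:15} {detail}")
```

On the sample data this flags the laptop nobody inventoried, the printer that did not show up, the unapproved tool on the accounting machine, the new listener on the file server, and the reception PC moving six times its usual traffic. None of those is necessarily an incident, which is the point of the 5.5 item: the baseline turns "looks odd" into a short list of specific things to go and check.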

.: 10 security steps for home users

Companies and home users are definitely different entities with different approaches to computer security. Not only are some of the items different, but the solutions as well. What is important to a business may not be important at all to a home user, and the reverse is true as well. Home users value system performance, ease of use, stability, security of their personal data, and security with their identities. Home users can both be the hardest to break into and the easiest to break into, from a security standpoint.

Not every home user is technically inclined or even wants to learn to use new programs and such for being secure. For this reason, many of the best pieces of advice for home users are behavioral. Rather than "learn Linux and implement a highly guarded firewall," most users will read that and not even try. That's just too much effort to ask of most people.

You can also go crazy trying to keep up with the latest security news, updates, vulnerabilities, and patches. But why bother? Unless you're a geek or an IT professional, there is no reason to spend personal time being paranoid. Instead, home users can benefit from education and careful habits when working or playing on their computers.

For home users, I assume the user is just operating one or a couple of systems for the primary purpose of surfing the web, gaming, entertainment, and personal uses. No servers, web servers, mail servers, etc., are assumed. Once you get real servers with open services, the game changes quite a bit, and most home users do not do those things anyway.

1. Backups. Always back up important data to a second hard drive or system. If possible, do it twice and keep one set offsite somewhere. Windows has built-in mechanisms for automatic backups, but if you don't mind doing it, at least just drag-n-drop all the important stuff over. Imagine if your hard drive dies in the next hour and no data is recoverable. What is your pain? What will you miss? What cannot be recreated? Back that up. USB or Firewire drives are cheap and easy to get. Buy a spacious one and use it for backing up data regularly. If you can back your data up to a drive stored offsite or in a fireproof safe, that is even better.

2. Firewall or NAT the Internet link. Actually, it is much easier and more common for home users to simply operate behind a NAT device such as a typical cable router or wireless router from Best Buy. That is typically enough, but if the opportunity is there, run behind a Linux firewall, either iptables or SmoothWall/IPCop or something. This one step is enough to stop any curious Internet-side parties from getting into your systems. If you're not sure if you are protected by a NAT device, ask someone you know to check, or call your ISP and ask their support if they know. Be ready to let them know what your cable modem or DSL router model is. If you are not behind a NAT device, ask about how you can implement one. Most ISPs have recommendations and instructions on this.

3. Turn on Windows Automatic Updates. Every now and then perform a manual Windows Update, but otherwise just turn on Automatic Updates to automatically download and install on at least a weekly basis at a time when the computer will be on (like 8pm or something). Not only will this apply necessary patches, but can enhance or fix features like wireless options.

4. Practice safe computing. Do some common sense things to stay safer online. First, don't install every new and neat free program that tells you to install something or that you need something. Chances are, there is a reason it is free and enticing. Treat it like you would any advertising on television or radio and just be wary. Second, do not open any email attachments that are not sent from known people and are not expected. Just delete those emails. Likewise, do not click on any links in emails unless they are from known people and the email is expected. When in doubt, just delete the message or type the address into your web browser as opposed to copying it or clicking it. Third, do not frequent questionable sites, especially when using IE. If you are visiting a site you wouldn't want your parents or kids to know you were visiting, chances are you shouldn't be there. Avoid that darker and more dangerous side of the web. Fourth, always close pop-up windows. Never click inside them or respond to ads on sites. Just never do it. Fifth, if possible, use only one credit card for online purchases, keep the credit limit as low as you can while allowing you to do what you need, and always go over the monthly statements.

5. Protect your passwords. Write down all your passwords and put them someplace safe, but easy to get to while at your computer. I know, many security people will look aghast at this suggestion, but when it comes to home users, there is little real reason to trouble people with anything more complicated. Get an envelope and write down your passwords on paper inside it, and keep it tucked safely into a drawer or even inside a book. I suggest making two copies of this and storing one somewhere offsite, especially if you do lots of banking and other monetary things online. You don't want to lose your accounts because you lost your passwords in a fire or something. I do suggest not sharing passwords amongst spouses, roommates, or even your kids. Don't let them find or use those logins. Also, do not use the same password for everything. I find it best to have 3-7 different passwords. For anything you don't care about, use your first password. For more sensitive things, use other passwords. You can use multiple, but just think if one password is swiped by a hacker and is linked to your email account which has the same password. You can't usually protect yourself from lost accounts on various websites or even forums. They may be run by unethical people or they may be victims themselves of a break-in that divulges your personal information. More technically inclined users can look into using a program like PasswordSafe to store their passwords securely on their computer. Be sure to make a backup of the storage file.

6. Don't use Outlook or IE. Yes, IE and Outlook are easy to use and everyone uses them, making getting informal support painless. But just like ease of use is high for users, ease of use for malware is even higher. IE has had holes for years, unpatched, deep holes, and will continue to have them because it is so deeply married into Windows itself. Ask any IT pro to uninstall IE for you, and you will get the wide-eyed response that they can't. To make an analogy, IE is so deeply rooted into Windows, you cannot separate it out. That's dangerous, and Outlook is no better. Instead, use something less mainstream and exploitable. I recommend Firefox as default web browser and Thunderbird as an email client. Both are free, easy to use once someone opens their mind up and accepts a little bit of change, and suffice for 98% of everything users do with email and web surfing. This software switch will nearly eliminate the risk from email worms (although will not stop spam or malware attachments designed for the user to execute as opposed to running from a preview pane or through Outlook's tools) and drastically lower adware and spyware infections from web surfing.

7. Run antivirus software. Most new computers come with antivirus software. Be sure it is set to update automatically, and pay for the protection if required. For somewhat technically inclined home users who practice safe, common-sense computing, this software may not be entirely necessary, but I suggest it for decent protection, detection of most malware, and peace of mind. I suggest F-Secure or Kaspersky as opposed to Norton or McAfee, but chances are the latter two came with the new PC. If so, stick with what is pre-installed. And yes, make sure it downloads new updates or signatures on a daily basis.

8. For wireless at home: secure your wireless. If you run wireless at home, be sure it is encrypted. Use WPA (or WPA2) if your equipment supports it, and fall back to WEP only if nothing better is available: WEP keeps casual neighbors off your network, but its encryption is broken, and freely available tools recover a WEP key from captured traffic in minutes. Either will keep the huge majority of neighbors from hopping onto your wireless connection. Not only can they use your Internet link for their own traffic (legal or illegal), but they can also probe at your network and computers and sniff your traffic once they are on. And yes, trust me, young adults and kids are curious creatures and will try these things if they have that sort of knowledge. Turning on WPA with a strong passphrase will stop any but the most determined attackers; WEP only stops the casual ones.
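To show why WEP only stops the casual neighbor, here is an added worked example (it is not part of the original post). WEP encrypts each frame with RC4 keyed by a 24-bit IV, sent in the clear, concatenated with the shared secret. Two frames sent under the same IV use the same keystream, so XORing their ciphertexts cancels the keystream, and knowing (or guessing, as with the LLC/SNAP header every frame starts with) one plaintext reveals the other without ever touching the key. The secret key, IV and frame contents below are constructed for the demo, and the CRC-32 ICV WEP appends is omitted.

```python
"""RC4/WEP keystream-reuse demonstration (added example, not from the original post)."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of the PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: 3-byte IV in the clear, body XORed with RC4(IV || secret).
    Decryption is the same operation, so this also decrypts a frame body."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame_known: bytes, known_plain: bytes,
                                 frame_target: bytes) -> bytes:
    """Given a frame whose plaintext we know and a second frame with the same IV,
    recover as much of the second plaintext as the known plaintext is long."""
    iv_known, body_known = frame_known[:3], frame_known[3:]
    iv_target, body_target = frame_target[:3], frame_target[3:]
    if iv_known != iv_target:
        raise ValueError("frames use different IVs; their keystreams differ")
    n = min(len(body_known), len(body_target), len(known_plain))
    keystream = xor_bytes(body_known[:n], known_plain[:n])   # C1 ^ P1 = keystream
    return xor_bytes(body_target[:n], keystream)              # C2 ^ keystream = P2


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs repeat."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


# Constructed demo values (not real keys or captured traffic).
SECRET = b"\x0f\xac\x1d\x9b\x77"           # 40-bit WEP key
IV = b"\x01\x02\x03"                       # IV both demo frames happen to use
SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"  # LLC/SNAP header on every IP frame: free known plaintext
KNOWN_PLAIN = SNAP + b"GET / HTTP/1.0\r\n"
TARGET_PLAIN = SNAP + b"user=alice&pw=secret1"

if __name__ == "__main__":
    f1 = wep_encrypt(SECRET, IV, KNOWN_PLAIN)
    f2 = wep_encrypt(SECRET, IV, TARGET_PLAIN)
    print(recover_with_known_plaintext(f1, KNOWN_PLAIN, f2))
    print(f"{iv_collision_probability(4823):.1%} chance of an IV repeat after 4823 frames")
```

A busy access point sends thousands of frames a minute, so IV repeats are routine, and this is only the simplest WEP weakness; the key-recovery attacks the cracking tools use need nothing more than a few tens of thousands of captured frames.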

9. For laptop users: be paranoid at hotspots. Lots of people get fancy recommending Tor or even SSH proxying for secure access at wireless hotspots. But let's face it, only the technically inclined bother with such things. For everyone else, just assume the wireless hotspot is not a safe network. Do not stay on hotspot networks longer than you need to. Do not log into email through Outlook or Thunderbird when at a hotspot. Do not log into a website that is not SSL-enabled. If you use IM, assume your conversations are being read by someone sitting near you, and, in some cases, assume they now have your login account and password. If you rarely visit hotspots but had to chat over IM or check email while at one, change your passwords for those systems as soon as you get home. Hotspots are fun places for geeks like me who are curious about other people, and for people who would love to do you harm or mischief. Be safe when not at home. Now, what counts as a wireless hotspot? Any wireless network that is not your home network.

10. Get help. As mentioned for small businesses, home users will benefit the most by befriending technically inclined friends and family, or even paying for the services of a home consultant or contractor to help you out. Always be nice to your experts, though, as we do tend to get tired of high-maintenance users, especially if we're not being compensated for our time. I strongly suggest just asking your technical friends questions as opposed to asking them to actually do things for you. You can get a really good return, though, for paying someone a little bit of money to spend an evening or some hours tuning your system and giving you some education on what the best things to do are. All the steps above are either behavioral (education), one-time deals where you set it up and that is it, or a few that require some additional changes or on-going action. Spend some money, hire someone on the side who knows their stuff. If nothing else, befriend them and make a night of it with pizza, beer, and maybe hang out for a movie or something while they do their wizardry.

PS: I added a "1/2" extra step in a later post on getting to know how to reinstall your operating system.

.: 10 tips for using vpns
I know this is ComputerWorld, one of the ad-driven free mags that tend to review products and state the obvious, but this quick article on 10 tips to secure VPNs is a pretty good and quick read with some specific technical details as well as common-sense items that are sometimes hard to get management to listen to (such as only opening the VPN to those who truly need it). I like that some of the points are actually alternatives, such as secured mail or SSL/passworded web sites when, really, the need is smaller than the justification for a full VPN solution. Unfortunately, other items, like jailing users from the rest of the network, are a bit more advanced and complicated.

Of note, this response was given on Infosec News and deserves to be read in conjunction with the original article as the author makes some excellent points.
.: 10 dangerous things users do online

Mostly posting this here just to save this link for myself. This is a nice list of some of the more dangerous things users do online. This is not everything, but hits many points, in order of descending severity:

- Clicking on email attachments from unknown senders
- Installing unauthorized applications
- Turning off or disabling automated security tools
- Opening HTML or plain-text messages from unknown senders
- Surfing gambling, porn, or other legally-risky Websites
- Giving out passwords, tokens, or smart cards
- Random surfing of unknown, untrusted Websites
- Attaching to an unknown, untrustworthy WiFi network
- Filling out Web scripts, forms, or registration pages
- Participating in chat rooms or social networking sites

Some things I would add: participating in P2P or IM services at work; not evaluating whether the audience of the information they send out via email should be reading it; purchasing and installing random devices on their computers (iPod, wireless APs, mobile handhelds...); and the list can go on...

.: 9 things IT workers need

This article (found via Hardocp.com of all places) explains two important things. First, the difference between hygiene and motivational workplaces. Second, the nine things that developers want. Honestly, this can be expanded beyond developers and into network engineers, security professionals, and IT staff in general.

Sadly, I work for a company that is only about 450 employees small, but is firmly of the "hygiene only" mindset. The benefits are excellent, the pay is more than competitive, and everyone is just pretty comfy in their jobs. The company does not score even one point in the motivational items. Even more sadly, those are the points I value the most.

.: top ten security admin errors
Fred Avolio posted this excellent list of security admin errors last year. It has been languishing in my bookmarks and I thought I'd post it here for posterity. Some of these are excellent issues, although some are not necessarily the security admin's fault.
.: 20 things the average person doesn't know about windows xp
Here is a list of 20 things most people don't know about Windows XP. Honestly, I didn't know a lot of these either! A lot of them won't mean as much to me right now since I don't do much desktop support, but XP is gonna be around for a lot longer. (Do some soul-searching on whether your company really has a reason to move to Vista. Seriously, do you? Other than MS dropping support someday, I doubt it.)
.: 10 immutable laws of security administration
Snagged this from Sean's blog. I swear I have seen this before or maybe even posted about it, but couldn't find it. Either way, it's a nice set of "laws" and in the same vein as the 10 immutable laws of security.

Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don't keep up with security fixes, your network won't be yours for long
Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn't about risk avoidance; it's about risk management
Law #10: Technology is not a panacea
.: seven things sysadmins forget to do
Lists by IT guys cum journalists can be pretty interesting things. Either they're obvious junk or sometimes just plain wrong. I eagerly checked out this link Marcin sent me about 7 things sysadmins forget to do, thinking it would be pretty stupid. I was pleasantly surprised with a few of the items. Here are some of my comments.

1. Forgetting to Delete a Former User's Account - This is one of those obvious ones, but I will defend poor sysadmins like myself and say that we don't just willy-nilly disable user accounts, even if we hear gossip that someone left. Too often, account disabling is not a breakdown of sysadmins, but a breakdown in the process of notifying sysadmins that someone has left. I really hate hearing that someone "left 3 weeks ago" through the grapevine. (Or conversely, "I have someone starting tomorrow morning...") Maybe in huge environments things like identity management should be looked at to solve this issue, but in smaller or medium environments, I really think HR and IT just need to make sure there is a process for account notification that is followed. In the end, all the sysadmin lists and processes are for naught if no one says so-and-so is gone.
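Even with a notification process, the check that catches the cases the grapevine missed is a periodic reconciliation of the HR roster against the directory. As an added example (not from the original post), the script below does that on two constructed CSV exports: it flags enabled accounts whose owner HR lists as terminated, enabled accounts with no HR record at all that are not on a known service-account list, and accounts nobody has logged into for longer than a grace period, which is the usual symptom of a departure no one reported.

```python
"""Reconcile an HR roster against a directory export (added example, not from the original post).

The two CSV texts are constructed sample data; real input would come from HR
and from a directory export (dsquery/ldapsearch/Get-ADUser or similar).
"""
import csv
import io
from datetime import date, timedelta

HR_ROSTER = """employee_id,username,status,separation_date
1001,alice,active,
1002,bob,terminated,2007-03-02
1003,carol,active,
"""

DIRECTORY_EXPORT = """username,enabled,last_logon
alice,true,2007-03-20
bob,true,2007-03-01
carol,true,2007-01-05
dave,true,2006-11-30
svc_backup,true,2007-03-21
"""

# Known non-human accounts that legitimately have no HR record.
SERVICE_ACCOUNTS = frozenset({"svc_backup"})
TODAY = date(2007, 3, 22)  # fixed "today" so the demo is reproducible


def reconcile(hr_csv, dir_csv, today, stale_days=60, service_accounts=frozenset()):
    """Return accounts that should be disabled, have no owner, or look abandoned.

    disable: enabled in the directory, but HR says the person has left
    orphans: enabled, no HR record, and not a known service account
    stale:   enabled, last logon older than `stale_days` (owner may be gone
             and nobody told IT, or the account was never needed)
    """
    hr = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    cutoff = today - timedelta(days=stale_days)
    report = {"disable": [], "orphans": [], "stale": []}
    for row in csv.DictReader(io.StringIO(dir_csv)):
        user = row["username"]
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to do
        hr_row = hr.get(user)
        if hr_row is None:
            if user not in service_accounts:
                report["orphans"].append(user)
        elif hr_row["status"] != "active":
            report["disable"].append(user)
        if date.fromisoformat(row["last_logon"]) < cutoff:
            report["stale"].append(user)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, DIRECTORY_EXPORT, TODAY, service_accounts=SERVICE_ACCOUNTS)
    for kind, users in result.items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Run it from a scheduled job and send the three lists to whoever owns account provisioning; the "orphans" list in particular is what turns up accounts created outside the process.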

2. Forgetting to Regularly Search for Rootkits - Ok, this is just kind of a weird one. I don't think I've ever "forgotten" to search for a rootkit so much as I just don't look for them, or if a system is so obviously overrun it gets reformatted rather than spend more time on it.

I think the author has good points about how to mitigate rootkits and detect them, but seriously, how many admins put forth that much effort? Rootkits are the Harry Potters of the corporate IT household. They want to be kept under the stairs or up in their room and ignored and not dealt with...and for good reason. It is almost like having mice in your building. You can put out some traps, but really, no one is going to bother much with tearing up the walls trying to find their homes.

I sound kinda defeatist here, but the effort to find and protect against rootkits is a big investment, really. I just think this isn't so much forgotten as it is just chosen not to be done.

3. Forgetting to Use a Trouble Ticket Tracking System - Here's a personal bit about me: I'm a stickler about documentation and the sharing of information. There is too often a HUGE amount of organizational knowledge that leaves when an IT worker leaves a position. That shouldn't be the case, they should keep things documented for someone else to reference.

A trouble ticket system is part of that. If I know I've worked on something before, I want to be able to search the tickets and see what remediation occurred previously. I think some of this comes from my science background, where experiments have to be documented such that someone else can recreate your findings. That's a big part of what a ticket system is to me.

Not only that, but it can be used to audit changes and requests. If Sally requested file server permission changes and was authorized to do so, but made a stupid request that caused data loss, that can be traced back to her ticket and the information in it. I also feel that, as a heavily-worked IT guy (and later on in my career, likely a manager of some sort), the ticket system is a natural means to track work loads and inefficiencies and reduce forgetfulness. Unless a ticket system has no means for internal notes (things not sent back to the requester) I really hate, hate, HATE to see tickets answered with, "Done," and absolutely no details on what was done...

There is one caveat to this, however, and would be Needy Users who have Stupid Questions but they insist on asking in person or calling in about them when their deadline is 1 hour away. Often, it might not be sysadmins who forget to use the ticket system, but users who bypass the ticket system to saddle IT with work requests. Sysadmins are then left to hopefully remember to put in the ticket themselves.

4. Forgetting to Set Up Technical Documentation and Creating a Knowledge Base - Based on my notes above, it's pretty obvious this is a sticking point with me as well. I deeply believe in the need for clear, effective documentation and maybe even a knowledge base. This should occur in IT shops of 1 person or 1,000 people. Even if I don't plan on leaving a job, there are always systems and processes that occur every 6 months or longer, and I hate to get to those points and not remember what to do. Referencing documentation helps jog memory, gets the tasks done efficiently, and improves consistency by not forgetting steps or retracing old mistakes. This can even be part of a DR/BCP or backup strategy, where network diagrams, IP allocations, config files, and other settings are documented somewhere for use in continuing the business in the case of large or small issues.

5. Forgetting the Risks of Flash Memory Drives - This also falls into "I didn't forget it, we just don't do this" category. By now, I really think everyone knows the issues with USB drives. They can introduce things not wanted and are a vehicle for data egress. You'll notice the author gives not even a single sentence on how to address this or what approach could be taken. There's likely a reason for that. Many people either don't know how to manage USB devices (do you know how to stop USB drives but allow USB mice/keyboards?) or can't get senior management to back the blocking of ports. Ever try to block USB/Firewire ports and have all the ipod users mutiny? Ever try to justify buying a certain USB brand for "official" use and tell people their personal ones won't work? This isn't so much forgotten as it is just not a battle to be fought or teams lack the knowledge to truly tackle it. There are far easier fires for most sysadmins to fight right now. The coming years should hopefully make tools to do these things easier for us admins, but they won't be getting cheaper or easier on the workforce at large, unfortunately.

Of note, for anyone who wants to limit USB drives, did you also limit floppy drives back in the day? Do you limit CD drives now? What is your basis for managing those differently? Honestly, USB drives can be argued to simply be part of our culture now, just like cell phones and the compact disc. Just be aware of that when trying to limit them and how that might affect employee happiness aka productivity, especially if your business is not subject to stringent regulations about tracking data egress.
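To answer the question above about stopping USB drives while leaving mice and keyboards alone: on Windows, mass-storage devices load the USBSTOR service, while keyboards and mice are HID-class devices served by a different driver, so setting the USBSTOR service's Start value to 4 (disabled) under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR stops thumb drives and disk-mode media players from getting a drive letter and leaves HID devices working. It does not cover devices that use other drivers, such as MTP/PTP phones and cameras or optical drives. As an added example (not from the original post), the script below audits a `reg export` of that key, so you can check a baseline image or a fleet export rather than clicking through regedit on each box. The .reg text is a constructed sample.

```python
r"""Audit a `reg export` of the USBSTOR service key (added example, not from the original post).

Produce real input with:  reg export HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR usbstor.reg
(reg export writes UTF-16 with a BOM; open the file with encoding="utf-16".)
"""
import re

# Constructed sample export showing the default, i.e. mass storage allowed (Start=3).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"DisplayName"="USB Mass Storage Driver"
"""

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"
SERVICE_DISABLED = 4  # SERVICE_DISABLED; 3 is SERVICE_DEMAND_START (the default)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(reg_text):
    """Map each key path in a .reg export to its DWORD values: {key: {name: int}}.
    Only dword entries are parsed; strings, hex blobs and deletions are ignored."""
    result, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def usbstor_start(reg_text):
    """Start value of USBSTOR, or None if the key or value is absent from the export."""
    return parse_reg_dwords(reg_text).get(USBSTOR_KEY, {}).get("Start")


def mass_storage_blocked(reg_text):
    return usbstor_start(reg_text) == SERVICE_DISABLED


def remediation_fragment(reg_text):
    """A .reg fragment that disables USBSTOR, or None if it is already disabled.
    Apply with `reg import`; a reboot or unplug/replug picks it up."""
    if mass_storage_blocked(reg_text):
        return None
    return f'Windows Registry Editor Version 5.00\n\n[{USBSTOR_KEY}]\n"Start"=dword:{SERVICE_DISABLED:08x}\n'


if __name__ == "__main__":
    print("USBSTOR Start =", usbstor_start(SAMPLE_REG),
          "(blocked)" if mass_storage_blocked(SAMPLE_REG) else "(mass storage allowed)")
    print(remediation_fragment(SAMPLE_REG) or "nothing to change")
```

Two caveats a practitioner should know: a local administrator can flip the value back, so this is a deterrent for ordinary users rather than a control against admins, and on Vista and later the "Removable Storage Access" group policy gives the same result with central management.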

6. Forgetting to Manage Partial Root Access - I don't really have anything to say here.

7. Forgetting Courtesy - This is a mixed bag with me. I agree, courtesy needs to be extended in a company, not just from IT, but from everyone. Each company is really just one big team trying to work together to do Great Things, but too often that courtesy breaks down somewhere, and that little ghost of rudeness gets passed around like a flatulence cloud that hovers and moves unexpectedly.

Yes, some IT guys are just rude and give evil looks when asked to assist with something. But I've often seen and felt that some of that rudeness is not something IT guys inherently do, but have been trained to do by poor management or abusive users. How many IT guys have tried to do the right thing by helping people, only to get sucked into tasks that aren't their responsibility just because they happened to make eye contact at the wrong time or try to help someone else?

At my last job, we had an HR director who needed regular help with her computer. I gladly stepped up and enthusiastically helped her early on. But she was one of those people who cannot be satisfactorily helped unless you do her job for her. Sadly, I couldn't do that, and some of the things she wanted were simply not even possible. She became the "oh god, don't help her, don't get involved because you can't win! Even if you win, she'll eventually get you to do things that you just can't do and then you're in the shitter!" IT support nightmares. In fact, I think every IT guy at that company who has tried has either left that company or is still in the shitter with her (and being in HR, you know what that means...). (Hell, I even got in trouble once because she asked me to rewire an electrical outlet and I said that needed to be done by a qualified outside contractor that the CFO would set up...)

Too often I really think IT guys are conditioned to be evil eye guys and this is as much a reflection on the corporate culture and their managers as it may be their inherent personality. Some people are assholes, but a lot of us are not.

(By the way, a lot of us IT guys have a ton of things to think about as we walk the halls to get from one place to another; we're often thinking about some problem or improvement, so if you stop us in the middle of the hall with some Stupid User Question and get a queer look, that just might be us trying to switch into help mode or tie off our internal thoughts to properly come back to them later. Or we know that Needy User has just circumvented the aforementioned ticket system by asking us in person, and will give us his own Evil Look when we plead that he make a ticket request since we're currently in the middle of something for More Important Needy User...it's a no win situation for us sometimes.)
.: ten most overlooked aspects of security
In late 2006, DarkReading published the 10 most overlooked aspects of security, which I think will end up holding true for a very long time.
.: five essential laptop security tips from security-hacks
A list of 5 essential laptop security tips leaves an important one out and includes a rather dubious entry. Tip #5 is to install tracking software on your laptop in case it gets stolen. While a neat, feel-good type of geeky thing to install, this is pretty lame for inclusion on a top 5 list. Then again, maybe this list was meant as more of a physical security list, in which case "top 5" is really "the 5 things to do."

Instead, I'd replace #5 with the suggestion to keep backups of all your data on the drive. It is great to not have it stolen, or offer password and encryption options in case it is stolen, but what about the data on the laptop? How much is it worth to you personally? If your laptop is stolen, minimize the damage to only the cost of the hardware and your own stress, not also to the only surviving copies of your son's little league digital pictures or those important sales emails.
.: techrepublic list of some free security tools
Love me tools; love me tool lists as well, especially with new things. The Security Mentor himself was right, this list is pretty cool and has some things I didn't know about! If you look closely, pretty much under each of the ten entries are links to MORE similar free tools. Here are the ones that caught my eye. Note that the list is centered on Windows.

Secunia Personal Software Inspector - Holy crap! This is an awesome-sounding tool because trying to keep up with what is patched and what is out of date is one of the least-talked about futile and frustrating efforts in the IT back room! I think this one is going to be a priority to try out this weekend. I don't know about licensing, but I bet you can buy just one copy for business and use it on a base workstation image that has all your applications installed, then use it as your reference. That's money right there!

GMER anti-rootkit - This tool looks really cool, and if it doesn't require an actual installation routine, will likely make it into my desktop toolkit alongside Spybot, Sysinternals tools, and so on. If it requires an install, it could still be useful as another incident response investigation tool. Now, someone needs to make Tripwire free on Windows...

File Shredder - I like the idea of File Shredder, but I'm not sure I really need it. It's not like I am storing illegal or hugely private junk on my systems, and I certainly have no intentions of selling or giving away my disks anytime soon (like any geek, I can and will find uses for everything). Still, it's nice to have one in the pocket if the need arises.

Other tools are iffy to me. I'm not a huge fan of loading my web browser with toolbars and plugins. Anything extremely useful really should get built into the browser eventually. I like seeing more options for IE, especially since my love for Firefox has dwindled as it has gotten bigger, slower, and buggier in the past year. Yes, loading up Firefox with testing/security plugins is awesome, but that's a special purpose and I don't need to browse with them always loaded. The only ones I use regularly are NoScript (only recently!), Tor, a client banner changer (I can't think of the damned name for it right now!), and a plugin that displays the target site IP address at the bottom.

For web privacy stuff, just learn how to empty the cache and where else stuff is stored along with browser and OS tracking options. Yeah, that's not enough, but I've got a bias against cleaners. For new system crapware, learn how to welcome your new system into your home with a quick enema (format and reinstall).

.: pen-testing lists
Peter Wood posted two lists to the SecurityFocus pen-test list recently, which I wanted to capture and reproduce here. Feel free to ignore this post.

First, Peter listed a bunch of tools and hardware he takes for on-site work:
1. Test laptop
2. Spare laptop
3. 4-way mains extension lead with regular plug and plug for computer room racks
4. Selection of Ethernet cables and couplers
5. Ethernet / Token Ring adapter (yes, there are still Token Ring users out there!)
6. Mini hub
7. Cisco console cable
8. Cross-over cable
9. External USB hard drive containing rainbow tables
10. USB key for backups
11. DOS bootable USB key
12. Selection of bootable CDs (Ophcrack Live, PasswordChangerPro, NTFSreader)
13. DVD containing copy of all my source files
14. Windows 2000 CD (for rebuilds!)
15. Swiss Army cyber tool
16. Spare laptop hard drive
17. Kensington lock (to comply with client policy if laptop left on site overnight)
18. Vodafone 3G card for Internet access if there's no wireless
19. Laptop mouse x2
20. Mini USB hub
21. Modem cable and adapters (just in case!)
22. Magic markers
23. Blank CDs
24. Wheelie bag to carry it all in!

Second, he listed the directories found on the above-mentioned DVD of tools:
Absinthe
AccessChk
AccessEnum
Achilles
Active-at
adminpak
Amap
APak
AppDetective
ARPsniffer
ATA HD password
Athena
ATK
Beat LM
Buffer Overflow Utility
Cachedump
cain and abel
Cerberus
C-Force
Checkpoint-Rules
Chntpw
Cisco IOS HTTP Vuln
Citrix clients
Cobra
CommView
CookieViewer
Copernic
Core Impact
CRACKERS
        aefsdr
        AOPB
        AOPR
        APDFPRP
        Brutus
        CacheDump
        CMOSpwd
        IPR (Lotus Notes)
        John the Ripper
        L0phtcrack
        LCP
        LMCrack
        Lotus Notes Key
        LSASecretsDump
        MBSA
        NTPWD
        Ophcrack
        Passwd - recovery FULL
        POPcrack
        PWLTOOL
        SAMInside
        AZPR
Crowbar
Crypto4
CUPASS
Data Thief
Dell laptop cmos erase
DHCP Find
Dictionaries
Dumpsec
EFSdump
Essential NetTools
Ethereal Windows Version
Exploits
FGdump
Flash Decompiler
GetAcct
GetUserInfo
GTwhois
Hydra
Hyena
IDserve
IKE-scan
iShadow
KarenWare
Katapulta
LAN Surveyor
LANguard
LDAP Miner
LG
Locksmith
Maestro
Member of
Metasploit
MingSweeper
MSRDP client
MySQL query browser
NBTdump
NBTscan
Nessus
Netalert
NetBiosSpy
Netcat
NetScanTools Pro
Network Protocols Handbook
NetworkView
niktoogle
Nmap
NT Recover
NTFS Reader
NTFSDOS
NTFSRead
Oat
ObiWaN
oracle-sql-injection
Paros
PasswordsPro
Protected Storage PassView
Protos
PsLogList
Putty
PwdChangerPro
pwdump
Rainbow crack
RegBrws
Rempass
RPC scan
RPC Tools
SAMdump
SamInside
SamSpade
ScoopLM
SecuRemote client
ShareEnum
SID
Siphon
SiteDigger
SiVuS
SmartWhois
SMB Audit Tool
SMBcrack
SNMPing
SNScan
SNSI
SOAPbox
SoapMonitor
SolarWinds
Somar
SPIKEproXy
SSL Proxy
Streams
Subnet Calculator
Superscan
SWB
Sysinternals
SysRQ2
Tamper
Tools4Ever
Trojans
twwwscan
UBCD
Ultimate Boot CD
Unicorn Scan
URL discombobulator
USB boot
USBAuditor
Visual Web Spider
VNC
VOIP TESTING
WAR DIAL
WebDAVExplorer
WebInspect
WebScarab
WebSleuth
WinSID
WIRELESS
Wireshark
WPI
Zlash
.: 10 security landmines to avoid
Just want to post a link to an article titled, The Top 10 Security Landmines.