To follow up with Friday’s post re getting a lot of the other awesome ShmooCon Firetalks out there, here is the complete line up from Saturday night. And if you are interested in seeing all the talks from each night, IronGeek has just put out a post with two longer videos from each evening.

I again wanted to thank The Shmoo Group and our generous sponsors. Lastly, thanks to our awesome volunteers that made this year’s Firetalks the best so far. Thanks!

• CFP Review: @jack_daniel, Sarah “@dystonic” Clarke, @jasonmoliver, Nathi “@nathiet” Thwala
• Judges: @DaKahuna2007, Rob “@mubix” Fuller, Nicolle “@rogueclown” Neulist, @soapturtle
• Streaming/Recording: @georgiaweidman, Adrian “@irongeek_adc” Crenshaw
• Security: Boris “@JadedSecurity” Sverdlik, Casey “@caseydunham” Dunham, @judykavuo

And finally be sure to check back to the master Firetalks post. It provides the core content as well as quick links to all update blog posts.  Well on to the videos…

“Cracking WiFi Protected Setup For Fun and Profit”

by Craig Heffner

This talk will detail the recently disclosed vulnerability in WiFi Protected Setup which allows wireless attackers to recover plain text WPA/WPA2 pass phrases in just a few hours, as well as my WPS brute force attack tool, Reaver.

“Passive Aggressive Pwnage: Sniffing the Net for Fun & Profit”

by John Sawyer

There has been very little public research into passive fingerprinting over the last few years, and the best and most well-known tool for that (p0f) hasn’t been actively developed in 6 years. While a recent a project is using the clever technique of identifying OS’s through DHCP options, it isn’t looking beyond simple OS identification. Why not? If you’ve ever been responsible for IDS monitoring in a large environment, you know there’s a huge amount of juicy data waiting to be snarfed up–interesting information that could be collected passively to identify vulnerable targets in a pen test. Some commercial solutions have these passive vulnerability detection capabilities already, but it’s never trickled down into the free, open source world.

In this presentation, we will look at some of the data that can be gleaned passively, how it can be used for offensive (and defensive) purposes, and announce a new project designed to use existing open source IDS engines (Snort & Suricata) and IDS rules to enhance penetration tests through passive fingerprinting. The project will utilize existing rules from projects like Emerging Threats, develop new rules to address gaps in detection, and give back to the community by contributing newly developed rules back to similar projects. A focus will be on identifying bleeding edge devices, vulnerable applications, and passively gathering sensitive information (SSNs, CCNs, passwords, etc.).

“Ressurecting Ettercap”

by Eric Milam

In December 2011 Ettercap had its first official release in almost 6 years. This talk will discuss how I went from the creation of a simple bash script to taking over one of the world most loved penetration testing tools. Topics will include, easy-creds, communications with Alor & Naga and the new team charged with moving the project forward.

“Security Onion: Network Security Monitoring in Minutes”

by Doug Burks

Traditional Intrusion Detection Systems (IDS) can be costly, difficult to install, and may not provide all the capabilities that you need to defend your network. Network Security Monitoring (NSM) combines traditional IDS alerts with additional data to give you a more complete picture of what’s happening on your network. This presentation will demonstrate how to deploy NSM in just a few minutes using a free Linux distro called Security Onion.

“Remotely Exploiting the PHY Layer”

by Travis Goodspeed

Packet-in-Packet injections are a new type of in-band signalling attack, one which allows a packet to be injected into a remote wireless network through the body of any other type of packet. The attacker never needs a radio, and no software or hardware bugs are necessary for the injection to occur. The attack works on perfectly standard-compliant implementations of 802.15.4, 802.11B, and most other wireless protocols.

#####

This will be the final ShmooCon 2012 FireTalks post. It’s been a blast! See ya…Today’s post image is brought to you from Wikipedia.org.

Last night we put out a post with the ShmooCon 2012 FireTalks winners so this morning we thought we’d follow up with a quick article on some of the other talks that occurred last weekend. This post is dedicated to the talks on Friday night. Thanks to Bulb Security and IronGeek for recording and processing the videos so fast!

And finally be sure to check back to the master Firetalks post. It provides the core content as well as quick links to all update blog posts.  Well on to the videos…

“Exploiting PKI for Pentesters”

by Thomas Hoffecker

Based upon my hour long talk presented at DerbyCon and HackerCon. This 15 minute version is specifically aimed at pentesters. PKI provides a large source of information to pentesters. Signed and encrypted email establishes a level of trust. Many organizations employ PKI but do not provide much public information about it. Pentesters are already trained to find this information using the recon phase of pentesting. Analysis of public PKI certificates can provide information on the internal infrastructure of the target. While the target may have deployed a split DNS architecture many times only a single PKI system is deployed. If public certificates are be accessed then potential servers and other interesting equipment can be identified since the PKI cert will contain the fully qualified domain name. While phishing success rates remain high, utilizing encrypted or signed email makes an email that much more trust worthy. It also ensures that spam and virus scanners at the mail server cannot read the email contents. Encrypting the email provides assurance that only the targeted subject can open and read the email. User security awareness training teaches users that signed and encrypted email is absolutely safe. Beyond my existing talks’ content I will demonstrate means to find information of specific corporate PKI implementations. Provide examples to obtain PKI email certificates from public sources for those that do not publish or otherwise distribute PKI email certificates. I will also discuss recently publicly revealed attack against smartcards that store PKI certificates, examples of these smart cards include the DoD CAC and the HSPD-12 PIV cards.

“Bending SAP Over & Extracting What You Need!”

by Chris John Riley

At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many “red pen” items on penetration tests and audits alike… but no more! We will no longer accept the cries of “Business critical, out-of-scope”. The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it’s our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It’s time to scrub this SAP system clean with SOAP!

“ROUTERPWN: A Mobile Router Exploitation Framework”

by Pedro Joaquin

Routerpwn is a mobile exploitation framework that helps you in the exploitation of vulnerabilities in network devices such as residential and commercial routers, switches and access points. It is a compilation of ready to run local and remote web exploits. Programmed in Javascript and HTML in order to run in all “smart phones” and mobile Internet devices, including Android, iPhone, BlackBerry and all tablets. You can even store it off line for local exploitation without Internet connection.

“Security Is Like An Onion, That’s Why it Makes You Cry”

by Michele Chubirka

Why is the security industry so full of fail? We spend millions of dollars on firewalls, IPS, IDS, DLP, professional penetration tests and assessments, vulnerability and compliance tools and at the end of the day, the weakest link is the user and his or her inability to make the right choices. It’s enough to make a security engineer cry. The one thing you can depend upon in an enterprise is that many of our users, even with training, will still make the wrong choices. They still click on links they shouldn’t, respond to phishing scams, open documents without thinking, post too much information on Twitter and Facebook, use their pet’s name as passwords, etc…. But what if this isn’t because users hate us or are too stupid? What if all our complaints about not being heard and our instructions regarding the best security practices have more to do with our failure to understand modern neuroscience and the human mind’s resistance to change?

“Five Ways We’re Killing Our Own Privacy”

by Michael Schearer

At DEFCON, I talked about how our privacy rights are under attack. Our sea of liberty is drying up due to the ever-encroaching power of the government. A litany of abuses continue to chip away at the historical foundations of privacy: administrative searches as pretexts to avoid search warrants, national security letter, and suffocating public surveillance just to name a few. Yet the government alone is not the only source of our ever-diminishing privacy. In this talk, I turn my attention…to you. Yes, believe it or not, you (and me) and the other 310 million of us in this country are also responsible for our diminished expectation of privacy. Why are we responsible? Who wants our information, and why is it so valuable? Is there anything we can do to stem the tide?

“How Do You Know Your Colo Isn’t ‘Inside’ Your Cabinet, A Simple Alarm Using Teensy”

by David Zendzian

As everyone knows, the security of your equipment starts with securing it physically. To accomplish that many will lease cabinet or cage space within the a commercial colo. However, all colos require access to your equipment (in case of fire, or other emergency). Even withstanding the emergency access I have seen colo’s enter cages and cabinets to run cables or to shorten their walk around a row in the facility. Other than installing a commercial alarm or a motion sensor camera, both of which are expensive solutions, what can be done to monitor access into your cabinet or cage. This talk will show how we have used a Teensy board from PJRC to build a simple alarm system that can be easily integrated into whatever host / network monitoring system already configured for your network.

#####

An interesting thing happened this year … none of the talks on Friday night won. Maybe this gave the Saturday presenters time to pay the judges off. This post’s featured image is from Babble.com. See ya…

Well you’ve probably already heard by now but just in case you didn’t … here are the winners for this year’s ShmooCon 2012 Firetalks. Also, be sure to check back to the master Firetalks post. It provides the core content as well as quick links to all update blog posts.

Well on to the winners…

Win: “Remotely Exploiting the PHY Layer”

by Travis Goodspeed

Packet-in-Packet injections are a new type of in-band signalling attack, one which allows a packet to be injected into a remote wireless network through the body of any other type of packet. The attacker never needs a radio, and no software or hardware bugs are necessary for the injection to occur. The attack works on perfectly standard-compliant implementations of 802.15.4, 802.11B, and most other wireless protocols.

Travis won a Parrot AR.Drone Quadricopter along with an iPod Touch to control it. Thanks to Milton Security Group supplying this awesome prize!

Place: “Cracking WiFi Protected Setup For Fun and Profit”

by Craig Heffner

This talk will detail the recently disclosed vulnerability in WiFi Protected Setup which allows wireless attackers to recover plain text WPA/WPA2 pass phrases in just a few hours, as well as my WPS brute force attack tool, Reaver.

Craig picked up a netbook with the latest version of BackTrack pre-installed. Thanks to Dirty Security, Lares Consulting, and Leverage Consulting & Associates for supporting this prize. [Oh and Craig ... please contact us so we can arrange to ship the netbook to you.]

Show: “Ressurecting Ettercap”

by Eric Milam

In December 2011 Ettercap had its first official release in almost 6 years. This talk will discuss how I went from the creation of a simple bash script to taking over one of the world most loved penetration testing tools. Topics will include, easy-creds, communications with Alor & Naga and the new team charged with moving the project forward.

Eric took home the “Sad Trombone” award, basically one of Apple’s new iPad Minis. Thanks to Liquidmatrix Security Digest for supplying the third place prize!

#####

Congratulations to all the winners! Today’s featured image is from Sasatien.Blogspot.com. See ya!

Yes, the day is finally upon us … ShmooCon there will be! I’ve been lucky enough to attend the past five or six years of this awesome conference. You could almost call me a veteran attendee … and as such I wanted to pass on a bit of advice for anyone heading down to DC today. In honor of the movie Fight Club I present to you the …

“The Rules of ShmooCon”

1st RULE: You do not talk about SHMOOCON.

… unless it’s on Twitter and you use the #shmoocon hashtag …

2nd RULE: You DO NOT talk about SHMOOCON.

(see the 1st Rule for details)

3rd RULE: Only three talks to a day.

And on a bit more serious side… The first time I attended ShmooCon, I over-scheduled myself by focusing too much on the scheduled talks. Overall, I probably attended about 20 talks. At the end each day, I was exhausted and just headed home to recover. What I hadn’t realized was that I only took part in a small portion of what the conference had to offer.

Instead I’m suggesting that you attend just three talks each day (no cheating here) and spend the rest of the time taking in everything else ShmooCon has to offer … Firetalks, Hack Fortress, Lockpick Village, Shmooganography, … and most of all … networking with other hackers and just enjoying yourself.

4th RULE: If there is a party in the executive suite and someone breaks the genitalia-shaped vase, the party is over.

… or maybe not.

5th RULE: Turn off what you don’t need.

Remember … this is a hacker conference so be cautious with our usual array of electronic goods we carry around. You need to be very careful of how your devices will interact with anything at the conference. With that in mind, I recommend that you disable any and all connections to your devices (Bluetooth, WiFi, NICs, USB ports, etc.) and only turn them on when needed.

6th RULE: Don’t f*ck with the con’s secure wifi, local ATMs, or the hotel’s information kiosks.

We want the good folks at the Hilton to have us back next year (and maybe improve cellular coverage for us) so please don’t ruin it for the rest of us. Of course as I write this late Thursday night, I see we’ve already broken the kiosks part of this rule.

7th RULE: Always wear a cheap “Hello I am …” sticker with your your Twitter name and avatar.

This is not so people recognize you … but for you to recognize others. I know … most of us are pretty introverted but this is a great time to get out from behind our computers and meet many of those we regularly interact with online. Here’s the magic move to start a conversation with anyone at the con. Find someone with a familiar avatar and say, “Hi, I’m [name] from [location]. How’d you get your ShmooCon ticket?”

8th RULE: Talks will go on as long as they have to.

… unless it’s a Firetalks … those only last 15 minutes. For all other talks you might risk getting pelted by a barrage of spongy darts from modded Nerf guns if you go over time. Of course that could happen at the Firetalks too.

9th RULE: Always connect securely.

If you absolutely need to connect to the Internet, the secure ShmooCon network is a good start but it’s probably better to use a cellular network. Of course cellular signal is another issue as I mentioned above so you may want to invest in two or three other mifi pay-as-you-go access points. I’ve heard Virgin Mobile/Sprint, T-Mobile and Clear usually work well. And just to be safe you might want to VPN out as well (think the DEFCON allegations we had back in August). For those that don’t have VPNs provided through their company, I’ve looked at a few options before (see the comments there for other suggestions too).

10th RULE: If this is your first time attending SHMOOCON, you HAVE to get on your buddy’s shoulders during the opening or closing ceremonies and yell “Bow to my firewall!” at the top of your lungs.

#####

Well that’s all I got… Can you think of any additional “Rules of ShmooCon?” Let us know in the comments below. Today’s image came from DiggingForFire.net (and they also have the original Fight Club rules reprinted there).

Well … we are withing two days of ShmooCon and the first night of Firetalks and I’m actually a little ahead this year. I don’t think I got last year’s schedule out until late Thursday night! Anyway, below you’ll find the schedule for the talks.

Also some people might have heard that you can attend the Firetalks without a ShmooCon badge. Unfortunately, this is not true. You MUST have a badge to attend due to all those contracts, insurance, and other fun biz stuff associated with holding an event as big as ShmooCon.

If you want to keep up with all the Firetalks going-ons throughout the weekend, you might want to check back to the master Firetalks post or subscribing to one of our “feeds” (@novainfosec on Twitter, our FaceBook Page, or RSS). But given the craziness of cons I’d recommend just following my tweets (@grecs) or the #firetalks tag.

Finally, I want to put out one last reminder for the ShmooCon Epilogue event that is being held the Monday after ShmooCon. If you are from out of town and can still grab one of the free tickets, why not extend your stay an extra day and get another dose of great talks and networking with fellow hackers. See the NoVA Hackers post for all the details.

Well and onto the schedule…

Friday

Note 1: The times for Friday are currently tentative as we noticed the regular con schedule will probably push these times back. I’ll be keeping this post updated so please check back or follow me (@grecs) or the official #firetalks tag on Twitter.

Note 2: Updated the times below…

8:30: Opening

8:40: “How Do You Know Your Colo Isn’t “Inside” Your Cabinet, A Simple Alarm Using Teensy” by David Zendzian

9:00: “Bending SAP Over & Extracting What You Need!” by Chris John Riley

9:20: “ROUTERPWN: A Mobile Router Exploitation Framework” by Pedro Joaquin

9:40: “Security Is Like An Onion, That’s Why it Makes You Cry” by Michele Chubirka

10:00: “Five Ways We’re Killing Our Own Privacy” by Michael Schearer

Saturday

6:30 Opening

6:40 “Cracking WiFi Protected Setup For Fun and Profit” by Craig Heffner

7:00 “Passive Aggressive Pwnage: Sniffing the Net for Fun & Profit” by John Sawyer

7:20 “Ressurecting Ettercap” by Eric Milam

7:40 “Security Onion: Network Security Monitoring in Minutes” by Doug Burks

8:00 “Remotely Exploiting the PHY Layer” by Travis Goodspeed

If you are a speaker and cannot make the scheduled slot, please let me know ASAP via mentioning it to me at @grecs on Twitter. Also if you are an alternate you’ll need to be present both nights. And just to make things run smoothly, we ask that all speakers be present at least two talks prior to your scheduled time slot. We will have reserve seats for you in to the first row to the left of the podium if you are facing the stage.

#####

Can’t believe ShmooCon is almost here! See ya all on Friday… Today’s post picture is from Harvard.edu.

Looks like SecureState is actively seeking a Security Specialist to provide security test & evaluation assistance. This is definitely not a starter position however if you are mid-career and have been working in the fed sector for several years, it just might be that right fit. Oh and if you are just trying to get into infosec, they seem to also be continuously looking for infosec interns. Not sure about the location on that one though…

And don’t forget … if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway … on to the job post.

Job Duties

• Assist with evaluating the overall IT C&A process for the client and its customers
• Program assessment report that meets FISMA reporting requirements. It is intended that this report will be provided to the CIO for use in preparing FISMA reports
• Recommendations for improvements to the IT security program and its customers, including specific actions that will result in successful implementation of the recommendations
• Implementation of those recommendations/actions from deliverable (3) specified by the client for initial implementation
• Assessment and assistance with improving with the client’s C&A process and procedures
• Assessment of the client and its customers’ risk assessments of its mission critical systems, including recommendations for corrections if needed
• Assessment of the security plans for the client and its customer

Required Skills/Knowledge

• Demonstrated IT security experience in the Federal arena (certified information systems security professional (CISSP), Certified Information Security Manager (CISM) or Certified Information Security Auditor (CISA) by a recognized and reputable organization preferred).
• In-depth knowledge laws, directives, orders, etc., pertaining to IT security and directing Federal government agencies.
• Understanding of security requirements in a non-classified, collegial environment
• Familiarity with IT security products (hardware, software, and services), technologies, protocols, and best practices.
• Working knowledge of organizations concerned with Federal IT security, such as FedCIRC, CERT, NIPC, and NIST.
• Prior experience writing material to satisfy FISMA, FISCAM, SAS-70 requirements for non-DOD Federal agencies.
• Excellent written and oral communications skills.

For additional details and how to apply for this position, please head over to SecureState’s posting.

#####

You can find more career opportunities over on our Job Board. Head on over there for all the details. Today’s post image is from DataConnectors.com.

Just a short post to announce the second round speakers for this year’s ShmooCon Firetalks… With several more submissions between our last post and the CFP due date, the selection committee has been hard at work trying to pull together a diverse program with the most interesting talks combined with a good mix of established and new speakers.

But before we get on to the talks I just wanted to thank the selection committee for all the hard work they put in over the last few weeks. Since some may not want their full names out there, I’ll just list them all by their Twitter handles … @dystonic, @jack_daniel, @jasonmoliver and @nathiet. And I would again like to thank our generous sponsors for not only providing some awesome prizes but also other contributions that are going to make this year’s Firetalks the best so far. Thanks!

• Milton Security Group
• Dirty Security
• Lares Consulting
• Leverage Consulting & Associates
• Liquidmatrix Security Digest
• Bulb Security

And finally if you want to keep up with all the Firetalks going-ons, be sure to check back to the master Firetalks post periodically. It is the home for any and all information relating to the ShmooCon 2012 FireTalks. You can also subscribe to receive these updates through any of our “feeds” if you wish (@novainfosec on Twitter, our FaceBook Page, or RSS) to keep up with things. And as usual … I’ll be regularly updating my Twitter stream at @grecs with all the information using the #firetalks tag.

And without further ado … we are pleased to announce the second round speakers!!!

Cracking WiFi Protected Setup For Fun and Profit

by Craig Heffner

This talk will detail the recently disclosed vulnerability in WiFi Protected Setup which allows wireless attackers to recover plain text WPA/WPA2 pass phrases in just a few hours, as well as my WPS brute force attack tool, Reaver.

Passive Aggressive Pwnage: Sniffing the Net for Fun & Profit

by John Sawyer

There has been very little public research into passive fingerprinting over the last few years, and the best and most well-known tool for that (p0f) hasn’t been actively developed in 6 years. While a recent a project is using the clever technique of identifying OS’s through DHCP options, it isn’t looking beyond simple OS identification. Why not? If you’ve ever been responsible for IDS monitoring in a large environment, you know there’s a huge amount of juicy data waiting to be snarfed up–interesting information that could be collected passively to identify vulnerable targets in a pen test. Some commercial solutions have these passive vulnerability detection capabilities already, but it’s never trickled down into the free, open source world.

In this presentation, we will look at some of the data that can be gleaned passively, how it can be used for offensive (and defensive) purposes, and announce a new project designed to use existing open source IDS engines (Snort & Suricata) and IDS rules to enhance penetration tests through passive fingerprinting. The project will utilize existing rules from projects like Emerging Threats, develop new rules to address gaps in detection, and give back to the community by contributing newly developed rules back to similar projects. A focus will be on identifying bleeding edge devices, vulnerable applications, and passively gathering sensitive information (SSNs, CCNs, passwords, etc.).

Remotely Exploiting the PHY Layer

by Travis Goodspeed

Packet-in-Packet injections are a new type of in-band signalling attack, one which allows a packet to be injected into a remote wireless network through the body of any other type of packet. The attacker never needs a radio, and no software or hardware bugs are necessary for the injection to occur. The attack works on perfectly standard-compliant implementations of 802.15.4, 802.11B, and most other wireless protocols.

Ressurecting Ettercap

by Eric Milam

In December 2011 Ettercap had its first official release in almost 6 years. This talk will discuss how I went from the creation of a simple bash script to taking over one of the world most loved penetration testing tools. Topics will include, easy-creds, communications with Alor & Naga and the new team charged with moving the project forward.

Security Onion: Network Security Monitoring in Minutes

by Doug Burks

Traditional Intrusion Detection Systems (IDS) can be costly, difficult to install, and may not provide all the capabilities that you need to defend your network. Network Security Monitoring (NSM) combines traditional IDS alerts with additional data to give you a more complete picture of what’s happening on your network. This presentation will demonstrate how to deploy NSM in just a few minutes using a free Linux distro called Security Onion.

Beyond the formally announced talks we also chose a few alternates that just missed getting selected. These speakers should be ready to present either night.

• Georgia Weidman: Stopping Android Permission Leak
• Thomas Hoffecker: Exploiting PKI for Pentesters

#####

Look for the final schedule to be posted early next week. See ya!

Ever find yourself needing to do a quick security scan but are on a computer that doesn’t have the right tools? This happens to me periodically when we need a quick scan done from “outside.” Out of curiosity I searched around and found a few good options that I thought you may find useful.

Nmap-Online.com: Administered by MatouSec.com, a project started in 2006 run by a group of security experts concerned about user desktop security, this service offers almost the full capability of Nmap through a website! The earliest reference I could find was in November of 2006 so they’ve been around for awhile.

To use the service just pick between “Quick Scan” and “Full Scan” that scans your own detected IP address or a “Custom Scan” that gives you almost full access to Nmap’s set of options (including scanning a range of IPs). Finally, agree to their ToS and hit Scan. You have the option of waiting for the results in the browser or entering an email and password to have them emailed to you. Keep the email and password handy as you can use these credentials to retrieve all your recent scans. Note that no registration is required though. It seems to track users with just your specific email and password combination.

Unfortunately, limitations there are… You can only scan IP addresses and ranges within your externally detected class C address space. Additionally, they have rules controlling the amount of scans you are permitted to perform within various time periods (e.g., a max of 8 scan requests from one IP per 24 hours). See their ToS for all the restrictions.

Check out Nmap-Online here.

HackerTarget.com: This is another service that I came across that offers several free online scanners. Currently, they provide 10 scans that include the likes of Nmap, OpenVas, Nikto, and WordPress Security Scan. Just checking out their Nmap service … it only performs a “Fast Scan with Service Identification” (i.e., nmap -sV -F your.ip.address.com). Most of their other services didn’t have any customizable options so I assume it’s just the default scans. For specifics you’d have to research the default scans for these tools. The WordPress scan however mentions 13 specific checks.

Just like Nmap-Online.com there are limitations… You only get four scans per day and can’t use free web email accounts to get the results. Additionally, you can’t scan IP ranges … just individual IPs. HackerTarget does offer a membership program that lifts these restrictions. Prices for individuals are $5 on a month-to-month basis or $30 a year. Corporations are $50 per month or $400 a year. Regardless if you use the free or paid versions, there doesn’t seem to be a way to view sessions online; you must enter an email for them to send results to.

Check out the HackerTarget.com Online Security Scan page here.

#####

Do you know of any other online security scanner for quick one-off assessments? Let us know in the comments below. Today’s post image is from AttackResearch.com.

There’s been some talk about cyber insurance lately. How it’s a great business strategy … how it’s a rip-off … how you should approach it cautiously… The first thing that comes to my mind when I think of cyber insurance are companies purchasing it as a replacement for actually implementing any security at all. Instead of being pessimistic about it, the other day I was contemplating of ways cyber insurance could actually motivate companies to take infosec more seriously.

The first thought that came to mind was car insurance. You know how you get a discount on insurance for having a car with “best practices” like anti-theft devices, anti-lock brakes, air bags, a good driving record, etc. Insurance agencies could also offer lower premium rates based on similar infosec “best practices.” Although agencies already offer such discounts, I haven’t heard of many professionals using cyber insurance as a motivator to raise infosec’s profile within their organizations.

As an example say a company is in the market for some cyber insurance because of increasing attacks against competitors. If this is their first foray into the infosec realm, insurance agencies would offer relatively high rates. They could also offer their set of “best practices” so that companies would have something to work towards to get lower rates. As the company applies these controls, their rate decreases. Furthermore the longer they go without any incidents, their rate goes down.

That’s about as far as the car insurance analogy goes. It falls apart based on the fact that currently state governments do not mandate cyber insurance. But there are other considerations as well.

As many will argue this motivator could turn into a compliance issue and the difficult part there is determining the “best practices” to measure against. Whatever baseline set of controls a state or insurance agency chooses, people will argue that traditional compliance programs don’t actually make companies more secure. I’ve even been in this camp before.

And as with all baseline control arguments … the discussion often leads into something about risk management. So you do an entire risk assessment and at least only have to apply and monitor the relevant controls. Of course risk programs may become flawed despite their best intentions. Increased bureaucracy, high budgets, and implementation complexity could all play a role decreasing it’s effectiveness into a paperwork intensive exercise that, again, doesn’t improve security.

So in the end there is no perfect solution however I feel it’s an interesting thought on how cyber insurance could add another technique to help professionals raise infosec’s prominence.

via PCAdvisor.co.uk

If your company were hit with a cyber attack today, would it be able to foot the bill? The entire bill, including costs from regulatory fines, potential lawsuits, damage to your organization’s brand, and hardware and software repair, recovery and protection?

It’s a question worth careful consideration, given that the price of cyber attacks is rising at an alarming rate.

The second annual Cost of Cyber Crime study, released last August by the Ponemon Institute, reported that the median annualized cost of detection of and recovery from cyber crime per company is $5.9 million — a 56% increase from the 2010 median figures. The costs of cyber crime range from $1.5 million to $36.5 million per company.

A growing number of insurance companies are offering cyber protection in the event of breaches and other malicious data attacks. But so far, they’re having some difficulty making their case. Surveys show companies have yet to embrace these policies, whose costs can be staggering.

Continued here.

#####

What are your thoughts? Could cyber insurance actually help security? Today’s post image was brought to you by Investopedia.com.

The good folks over at Akamai are looking to hire two security architect positions based out of Reston. Below is the first one. It looks a little more on the “salesy” side than I’d normally go for but you might get to work with @rybolov!

And don’t forget … if your organization is interested in posting their career opportunities here, head on over to our Job Board page for all the details. Well anyway … on to the job post.

About the Job

Enterprise Security Architects (ESA’s) are technical professionals supporting both presales and post sales security activities. They employ industry vertical and technical expertise to diagnose customer business challenges and technical needs and prescribe solutions that address customer security needs. ESA’s help scale Akamai’s global security expertise by establishing good tactics, techniques and procedures (TTP’s) for mitigating security challenges with Akamai solutions. ESA’s train Akamai security subject matter experts around the globe on these good practices in order to drive consistency, scale capability, and grow security acumen in order to better serve customer needs.

As a Senior ESA in Akamai’s Global Security Center of Excellence, you will partner closely with Sales and field service and support personnel in an overlay role to acquire new customers, expand our positions within existing customers, drive consistency in Akamai’s global delivery of security solutions, and grow the Akamai business as it relates to Akamai’s Security portfolio of products and services.

You will support the field integrated account teams to engage prospects on security issues throughout the customer lifecycle, providing our customers with insight into Akamai’s security practices, technologies, and solutions. You will work independently and with small teams in satisfying individual customer requests, including Executive Briefings, contract discussions, technical design, and product requirements. This includes partnering with a cross-functional set of Akamai teams, including Sales, Engineering, Product Development, Finance, Legal, and Professional Services.

Responsibilities

• Work closely with direct and channel sales representatives to educate existing and prospective customers on how they can incorporate Akamai Security products and services into their architecture and operations to derive business value.
• Support the technical pre-sales process for field teams and evangelize Akamai Security solutions and services to customers by participating in conference calls, site visits, presentations, product demonstrations, technical trial evaluations, technical objection handling, proposals, and any needed customer follow up activities.
• Define the technical/security aspects of customer proposals, meeting customer requirements and Akamai quality control standards.
• Coordinate with Sales and other parts of Global Services and Support to transition customers from the pre-sales to implementation phase, provide post sale product and service consultation, and capitalize on post sale “value confirmation” opportunities.
• Work closely with Product Management and related subject matter experts to understand and influence Security product roadmaps, providing valuable input from the field/customer perspective.
• Document and establish good tactics, techniques, and procedures to enable consistent, best in class security solution sales and delivery around the globe.
• Create, update, deliver, and maintain security related training for audiences such as existing or potential customers, Akamai direct Sales, Akamai internal services and support, or Akamai Channel partners to meet the needs of the business.
• Exhibit high standards of proficiency and leadership, including the ability to act as a subject matter expert, brief executives and/or developers, mentor junior staff, and deliver effective training.
• Must be willing to travel (approximately 25-50%).

Basic Qualifications

• Education: Bachelor’s Degree or equivalent experience
• Overall Experience: Minimum of 9 years
• Minimum of 3 years experience in technical pre-sales/sales engineering and/or other customer facing role consulting on, delivering and/or supporting technical products or services
• Minimum of 5 years experience with security technologies, processes, and concepts such as PKI, SSL, Identity Management, firewalls, NIST 800-53, FIPS-140-2, Authentication & Authorization, Client Certificates, OCSP, web application security, etc.

Desired Qualifications

• Industry security certifications such as CISSP, GIAC and CEH.
• Must be able to convey a powerful security narrative.
• Must be enthusiastic, action oriented, capable of independently solving complex technical problems and able to communicate clearly and effectively to both technical and business audiences.
• Deep experience with fundamental Internet protocols: TCP/IP, SSL/TLS, HTTP, FTP, DNS.
• Programming experience – C, C++, J2EE, .NET, Flash/Flex, Web services and website development.
• Experience with applied Web Application security technologies, Internet technologies, including ecommerce, online marketing, online advertising, digital media, video streaming, content management systems, content publishing systems, Web analytics and Internet security.
• Experience with enterprise and data center networks, system design and operation, infrastructure design and build out, caching proxies, routing, switching and load balancing.
• Project management experience.

For additional details and how to apply for this position, please head over to it’s official posting. The other architect position can be found here.

#####

You can find more career opportunities over on our Job Board. Head on over there for all the details. Today’s post image is from ZDNet.com.