<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; Blogs</title>
	<atom:link href="http://www.novainfosecportal.com/tag/blogs/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Tue, 27 Jul 2010 15:00:27 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/06/08/top-3-nova-infosec-blog-posts-of-the-week-11/</link>
		<comments>http://www.novainfosecportal.com/2009/06/08/top-3-nova-infosec-blog-posts-of-the-week-11/#comments</comments>
		<pubDate>Mon, 08 Jun 2009 14:00:33 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[Blogs]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[hex-editor]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[novabloggers]]></category>
		<category><![CDATA[pauldotcom]]></category>
		<category><![CDATA[pen-testing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1640</guid>
		<description><![CDATA[If you’re getting a little tired of the debates surrounding the Cybersecurity issue, you’ll find the posts we selected for this week’s “Top NoVA Infosec Blog Posts” refreshing.
#3 &#8211; The Art of Persuasion: In his post “Recognizing False Arguments,” @electricfork outlines the familiar arguments that many of us hear when we try to convince our [...]]]></description>
			<content:encoded><![CDATA[<p>If you’re getting a little tired of the debates surrounding the Cybersecurity issue, you’ll find the posts we selected for this week’s “Top NoVA Infosec Blog Posts” refreshing.</p>
<p><strong>#3 &#8211; The Art of Persuasion</strong>: In his post “Recognizing False Arguments,” <a href="http://www.twitter.com/electricfork">@electricfork</a> outlines the familiar arguments that many of us hear when we try to convince our employers that a gaping vulnerability won’t just fix itself or go unnoticed by attackers. While employers tend to come up with all kinds of arguments—many of them ranging from slightly absurd to completely ridiculous—the reality is that we must be prepared to show our employers why vulnerabilities cannot remain unfixed. @electricfork does a great job of outlining basic responses to some of the most common arguments used against fixing vulnerabilities. You can check them out <a href="http://electricfork.com/blog/114/recognizing-false-arguments">here</a>. <span id="more-1640"></span></p>
<p><strong>#2 &#8211; What the Hex</strong>: For those of you who haven’t used a hex editor before, or are looking for a new one, you’re in luck. In their post “XVI32: Hex Editor of Champions,” <a href="http://www.twitter.com/geminisecurity">@geminisecurity</a> talks about hex editors (the XVI32 hex editor specifically), and why we should use them. Calling the hex editor “an essential tool for anyone in the computer security field,” @geminisecurity says that hex editors are especially good for looking at the nitty-gritty details of data. The XVI32 is no exception. Describing the XVI32 hex editor as “a very robust, stable, and easy-to-use hex editor for Windows,” @geminisecurity says that some of its best features include a built-in scripting engine, bit manipulation capabilities, and numerous ways to interpret and display data. You can check out all the details <a href="http://securitymusings.com/article/1108/xvi32-hex-editor-of-champions">here</a>.</p>
<p><strong>#1 &#8211; Think Outside the Toolbox</strong>: The PaulDotCom post “Find Time to Put the Tools Away” opens with an interesting comparison: pen testing eerily resembles airport security. Both pen testers and TSA professionals are trained to look for very specific things, often overlooking other potential problems because they neglect to see the big picture. For example, rather than looking for certain vulnerabilities like XSS, XSRF and SQLi, PaulDotCom encourages security professionals to look at how an application works instead of looking at the parts that make it work. He also gave one of the most profound pieces of advice that we’ve heard in a while: “Trying to understand how something worked used to be the goal and definition of hacking.” And on that note, I hope that you’ll <a href="http://pauldotcom.com/2009/06/find-time-to-put-the-tools-awa.html">read the post</a> yourself.</p>
<p>Don’t forget to follow me during the week <a href="http://www.twitter.com/grecs">@grecs</a> to get more recommendations on the blog posts you should be reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/06/08/top-3-nova-infosec-blog-posts-of-the-week-11/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 5 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/05/25/top-5-nova-infosec-blog-posts-of-the-week/</link>
		<comments>http://www.novainfosecportal.com/2009/05/25/top-5-nova-infosec-blog-posts-of-the-week/#comments</comments>
		<pubDate>Mon, 25 May 2009 14:00:21 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[bloggers]]></category>
		<category><![CDATA[Blogs]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1584</guid>
		<description><![CDATA[There were so many great posts by local bloggers this week that a “Top 3” post just wouldn’t cut it. So here’s our first “Top 5” post—just in time to give you some good holiday reading.
#5 &#8211; Be Hyper: Marcus J. Carey always has a lot of great things to say in his v-blog posts, [...]]]></description>
			<content:encoded><![CDATA[<p>There were so many great posts by local bloggers this week that a “Top 3” post just wouldn’t cut it. So here’s our first “Top 5” post—just in time to give you some good holiday reading.</p>
<p><strong>#5 &#8211; Be Hyper</strong>: Marcus J. Carey always has a lot of great things to say in his v-blog posts, but his “Hyper-Local Security Communities” post is one of his best posts to date. Noting that “[s]o many people are obsessed with national level attention,” Marcus makes the excellent point that if those same people would “handle their business locally[,] their name would blow up.” Marcus also adds, “[i]t&#8217;s the locals that can make the biggest impact on your life.” But to be honest, we’re a little biased about this post because the ‘hyper-local security communities’ Marcus talks about in his post fit right in with the goal of NovaInfosecPortal. So if we haven’t been able to convince you that strong, local security communities are important, maybe Marcus can. Be sure to watch the “Hyper-Local Security Communities” post <a href="http://blog.marcusjcarey.com/2009/05/hyper-local-security-communities.html">here</a>.</p>
<p><strong>#4 &#8211; Couches Are Career Killers</strong>: In his “Couch to Career &#8211; Follow Up” post (he gave a presentation entitled “From Couch to Career in 80 Hours or Less” <a href="http://www.novainfosecportal.com/2009/03/31/dojosec-infosec-meetup-event-thursday-04-02-career-advice-and-adobe-acrobat/">at DojoSec in April</a>), <a href="http://www.twitter.com/mubix">@mubix</a> provides a goldmine of great links and tutorials for getting the career you want in the security field. He even offers some information about one of the most nerve-wracking aspects of interviewing: How to ask for the right salary. Whether you already have the job you love or you have a career goal you’re working toward, <a href="http://www.room362.com/archives/564-couch-to-career-follow-up.html">this post</a> is definitely worth checking out. <span id="more-1584"></span></p>
<p><strong>#3 &#8211; Intruders Beware</strong>: With a take on the classic “Defender&#8217;s Dilemma” concept—where the intruder only needs to exploit one victim to compromise the enterprise—Richard Bejtlich explains why intruders are just as vulnerable. According to Bejtlich, “[t]he defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise.” Referring to this as the “Intruder’s Dilemma,” Bejtlich made a handy diagram to go along with it. You can check out the post with accompanying diagrams on the <a href="http://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html">TaoSecurity blog</a>.</p>
<p><strong>#2 &#8211; Management Should Read This</strong>: In his “Cheap IT Is Ultimately Expensive” post, Richard Bejtlich makes the point that we all wish management could understand—that it is “ultimately cheaper to design, code, sell, and support a more secure software product than a more insecure software product.” Bejtlich makes other excellent points in this post, including the fact that it isn’t cheaper to “run legacy platforms, operating systems, and applications because ‘updates break things,’” that “[i]t is not cheaper to leave compromised systems operating within the enterprise because of the ‘productivity hit’ taken when a system must be interrupted to enable security analysis,” and that “[i]t is not cheaper to delay patching because of ‘business impact.’” You can read the rest of the post <a href="http://taosecurity.blogspot.com/2009/05/cheap-it-is-ultimately-expensive.html">here</a>.</p>
<p><strong>#1 &#8211; History Repeating</strong>: Vlad the Impaler opened his “When Standards Aren’t Good Enough” post with the sentence “[o]ne of the best things about being almost older than dirt is that I’ve seen several cycles within the security community. Just like fashion and ladies’ hemlines, if you pay attention long enough, you’ll see history repeat itself, or something that closely resembles history.” Definitely one of the best openings we’ve ever seen, because it’s totally true that history repeats itself. Even in the relatively ‘new’ field of security, there have been trends that have fallen into obscurity only to become the latest rage in a few years’ time. As Vlad points out, one of those things is standards. While they have improved over time, they still have a long way to go. I highly encourage you to take a “short trip ‘down memory lane,’” (as Vlad puts it) and see how the past is still impacting the present by reading <a href="http://www.guerilla-ciso.com/archives/1035">Vlad’s post</a>.</p>
<p>Well, that’s all for this week. You know the drill: Leave a comment below or send me a tweet <a href="http://www.twitter.com/grecs">@grecs</a> if you have any questions or suggestions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/05/25/top-5-nova-infosec-blog-posts-of-the-week/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
