It’s that time of the week again: The time where we take a look at what local security bloggers have been up to.

If you can’t get enough of the local security scene, be sure to check out our NovaInfosec Twits list for even more great security blogs and people to follow on Twitter. Be sure to follow us on Twitter @grecs if you want to know more about what’s going on in the local security community during the week.

#3 -  Security Metrics: It seems that no matter what’s going on in the world, there’s always a hot new topic. According to @geminisecurity, the hot new topic in security seems to be security metrics. Quoting an NIST study that says there is almost no research about security metrics currently available, @geminisecurity comments on what’s currently wrong with the security business as a whole. Saying that “[o]ne of the problems with security as a business process is that managers are being taught process improvements is the way to save money,” @geminisecurity goes on to say that “with security, there are no obvious metrics to measure to improve the process. Security is subjective, based on the person and the situation, and measurements tend to the objective side of things.” This is one of those posts that everyone should read and pass along to a friend.

#2 – Short Circuit: It seems that we have @electricfork to thank for alerting us to newly added NoVA Blogger @moranned who wrote an excellent post this week entitled “How to short-circuit the US power grid.”  Responding to a study by Paul Marks from the New Scientists that discusses the best way to short-circuit the US power grid, @moranned provides some insightful commentary. Saying that “[t]he researchers found that the best way to attack the power grid was to attack the least loaded nodes on the grid,” and that “[a]ttacking these lightly loaded nodes was the best way to cause cascading failures throughout the grid,” @moranned promises to go into more detail during the coming weeks. Definitely and interesting read worth checking out.

#1 – Complianciness:  While @cyberhiker doesn’t post often, when he does, it’s always awesome. That’s why we’re honoring him with this week’s number one slot for his post “Which brings me to tonight’s word: Complianciness.” Starting out by describing what he means by the term “Complianciness,” @cyberhiker uses the example of the recent debacle at Heartland Payment Systems to make his point, saying “[w]here’s the complianciness? Heartland Payment Systems – based on my research of the situation Heartland may have been PCI compliant at the point in time that they were assessed. It could be that security was a little more lax when the assessors were not inbound to conduct testing. It also might have been that a very elaborate show was put on for the assessors and they were not actually compliant, but perhaps practicing complianciness.” Not only should you read this post for the awesome information it has, but @cyberhiker has a great sense of humor. Be sure to check out the full post here.

Well, that’s all this week. Be sure to check back next week for more great blog posts from local security bloggers.

Another week, another wave of great blog posts from local security bloggers in the DC, MD, and NoVA area.

In addition to having three awesome posts for our top picks week, we also have a bonus post and the ever-popular tweet of the week.

grecs: RT @danphilpott @cyberhiker @jack_daniel I prefer to think of it as outsourcing my competence to focus on core incompetence. #totw

But enough with the fun and games; on to the posts!

#3 – OMB Goes Paperless – Local blogger and security professional @danphilpott took some time this week to write about what’s going on with the OMB. Besides the awesome fact that the OMB is now paperless, @danphilpott noted some other important changes to the OMB in his post “OMB Wants a Direct Report.” You can read the full post here, on the Guerilla CISO.

#2 – Layered Security: Speaking of the Guerilla CISO, that brings us to our second pick of the week: A post entitled “A Layered Model for Massively-Scaled Security Management” by one of our frequently featured local bloggers, @rybolov. Starting off by discussing the OSI model of technology management, @rybolov goes on to explain his own model of technology management. And if that hasn’t captured your interest, you really should take a look at his post for the cake if nothing else. No, really; there’s cake!

#1 – Pass the Hash: Ever since Marcus J. Carey went into blog semi-retirement (we miss your v-blog posts Marcus!) it’s been rare to have any v-blog or video related posts crop up in our top picks. That all changed this week when @mubix made a post entitled “Pass the Hash Metasploit Demo.” A PTH video he made for the guys over at SecurityAegis, the entire video is really well done. You really should check it out sooner rather than later.   

Ready for that bonus post yet?

Well, it just so happens that Wade Woolwine has started what we hope will be a weekly commentary post. You can check out his first post in the series here.

Well, that’s all for this week. Don’t forget to follow us @grecs for more great posts during the week!

In this week’s post you’ll find the usual suspects (and by that, we mean the usual bloggers) as well as one of our favorite bloggers to come out of blog semi-retirement. Can you guess who it is?

Don’t forget to follow us during the week @grecs to learn about great security blog posts as they happen. You can also check out the NovaInfosec Twits for even more great people to follow.

#3 – To Your Health: While many people make out electronic health records to be a good thing, are they healthy security-wise? @geminisecurity tackles this question and more in their post “Electronic Health Records.” Talking about the overwhelming pros but frightening cons of electronic health records, this is one of the best posts we’ve ever seen about electronic health records and how—with the proper preventions in place—those who use electronic health records and those who work in security can come together. Be sure to check out the full post and find where you stand on security and electronic health records.

#2 – More Than Just Slushiness: When people think of 7-Eleven, they think of slushies, not security. But all of that changed recently when 7-Eleven was one of the many retailers to take a hit when their security was breached. @carnal0wnage did one of his awesome technical posts, “Thoughts on Heartland/Hannaford/7-eleven breaches” to explain the attacks in detail. And as the title implies, 7-Eleven wasn’t alone in being attacked; it turns out that Hannaford and Heartland were also unlucky enough (or should we say, not secure enough?) to have their security breached as well. And you might just be surprised how the hackers did it. You’ll have to read the full post to find out.   

#1 – Homegrown Security: Coming out of his semi-blog retirement (we kid Wade, we kid), one of our favorite local bloggers Wade Woolwine (@wadew) tackles how to create effective security during an economy of shrinking budgets. Saying that “[i]n this time of shrinking budgets, reduced staff, and other various financial constraints, security departments world wide are looking for ways to justify the expense of a well rounded application security program,” Wade responds to the ideas in this article, which suggests something called a “security working group.” While we don’t want to steal Wade’s thunder by giving the whole thing away, he does have this to say about the security working group presented in the article: “get out there, talk to people both within and outside of your company, not only will you expand your social network and improve your companies application security program, but you’ll also be giving new opportunities to those who join the security working group.” You can real the full article here.

Well, that’s all for this week; be sure to check back next Monday for more NoVA Blogger goodness.

While we love security news sites as much as the next person, we really love hearing from people in the local security community. That’s why we started our “Top 3 NoVA Infosec Blog Posts of the Week” feature; it lets us highlight the best of local security bloggers, and gives you the opportunity to read awesome security material produced by members of the local community.

If you’re a local security blogger that would like to be considered for this feature, please feel free to shoot us an email or send us a tweet @grecs. We also have a handy list of local bloggers, so be sure to contact us if you aren’t already on the list!

#3 – Election Woes: Just when you thought the election headache was over, @geminisecurity proves you wrong. Because while the election itself might be over, the controversy over voting machines is just beginning. In their post “AVC Advantage Attack,” @geminisecurity points out the fact that you can learn to hack a voting machine for around $20, and it’s a fairly simple task. That’s right: We are voting on machines that are not only easy to hack, but aren’t even regulated! Something tells us that George Washington is rolling over in his grave. Be sure to check out the full post here. 

#2 – Simple Security: We’ll be honest; this post got our attention before we even read it. With a title like “Simplicity is Security,” how could it not? Taking an interesting look at security by examining the use (or lack thereof) of debit and credit cards in Japan, @mubix makes some excellent points about how our desire to jump on every technological advance that comes along is making it harder to have good security. After talking about how people in Japan usually don’t have credit cards, debit cards, or do any of their banking online, @mubix poses the following question to his readers: “Should we continue down the path of “MORE SECURITY” or should we deviate a bit for simpler, possibly non-technical practices?” While we can’t say that we totally agree with the route of non-technical practices, we do believe that there is a happy medium. To answer the question for yourself, why not check out the full post?

#1 – Careers in Security: With the current economy being what it is, career advice had become rather popular as of late. Richard Bejtlich of TaoSecurity jumped on the career advice train this week in his post “Thoughts on Security Careers.” Quoting a number of different posts that deal with popular career trends and career advice for security professionals, Bejtlich gives his own insight, tips, and tricks. Even if you’re not interested in leaving your current job for another, this post is a must-read.

Well, that’s all for this week. Be sure to check back next week for more great reads from security professionals in your community.

It’s that time of the week again when we bring you the best of local security blogs. But before we get to that, we thought we’d share our tweet of the week along with a #totw that deserves honorable mention to get your afternoon started with a few laughs.

Our official #totw was a RT by @mubix:

grecs RT @mubix RT @secureideas: “When pen tester tells U they luv something, get it off yr network.” @agent0x0: “I luv Sharepoint.” #defcon #totw

Honorable mention belongs to this tweet by @technogeezer because it’s so true!

grecs LOL.. RT: @technogeezer: Someone here at CSC now refers to physical meetings as getting together in ‘meatspace’ #totw

Now, on to the posts!

#3 – Lessons From the Sandbox: If you are  looking for great technical posts, @geminisecurity should be your first stop. Their latest post, “Protect Your Computer By Running Applications in Sandboxie” talks about the Windows utility Sandboxie—a program that allows you to run “applications in an isolated environment on your computer so you can protect yourself from malware, surf the web, and maintain your registry without affecting your host system.” They also note that “Sandboxie is a good alternative to setting up a virtual machine, especially if you just want to run a quick test or two without having to wait for an entire operating system to boot up.” Be sure to read the post and learn more about Sandboxie here.

#2 – The Bureaucracy Is Down: In his post “Blast From the Past,” TaoSecurity’s Richard Bejtlich uses an example from his own life that illustrates the sometimes ridiculous nature of tasks given by large organizations. In Bejtlich’s case, it was the Air Force that had given him and his co-workers what seemed to be an impossible mission: Centralize Air Force email within the course of a few months. Needless to say, such a feat was impossible in such a small amount of time. But now, nearly 11 years later, Bejtlich says that it is finally happening; that Air Force email will be starting the centralization process at Keesler Air Force Base, Miss. But as he says at the end of his post, “[s]o, about 11 years after being told to accomplish the same task, the effort will be done! I think there are lessons here for anyone with a similarly large, bureaucratic, turf-centric, distributed, decentralized, global organization.” Be sure to read the full post here.

#1 – Help Isn’t Coming: Leave it to @rybolov to hit the nail on the head when it comes to the Cybersecurity Coordinator position and why, even after two months, it still hasn’t been filled. In his post “Help Wanted,” he poses the following question: “So let me give you a hypothetical job: You have to give up your high-paying private-sector job to be a Government employee. You have tons of responsibility. You have no real authority. You have no dedicated budget. You have no staffers. The job has had half a dozen people filling it in the last 7 years. The job has been open longer than it’s been staffed over the past 7 years.” Does that sound like a job that any of you would want? Didn’t think so. By being blunt (unlike government officials), @rybolov makes excellent points as to why the Cybersecurity Coordinator position is still empty, and will likely remain that way unless something changes. Be sure to read his full post here.

Well, that’s all for this week. Be sure to follow us @grecs for more great posts throughout the week!

While things were a little quiet on the local blogging front this past week due to the awesomeness that is BlackHat, Richard Bejtlich, @rybolov and @geminisecurity came to the rescue with three excellent posts that discuss everything from the importance of sanitizing web apps to what we need in a CyberArmy.

As everyone slowly recuperates from BlackHat, expect a large influx of must-read posts about the event. If you’d like to catch most of these posts, be sure to follow us @grecs during the week.

#3 – The Real CyberArmy: In his post “The CyberArmy You Have…” @rybolov opens with the military saying, “[y]ou go to war with the army you have, not with the army you wish you had.” This is especially true for the US as it charges ahead with its national Cybersecurity strategy without having having the proper skill set or the proper leadership. While Cyberwar is a top skill to have, @rybolov notes that “the existing contractor skillset is based on procedural offerings,” and that, “[t]o be honest, I see lots of people with cybersecurity offerings, but what they really have is rebranded service offerings because the skills sets of the workforce haven’t changed.” As much as we might think that we have a CyberArmy that can handle anything, @rybolov makes the excellent point that we need to see the CyberArmy that we actually have. To learn more about the CyberArmy we have and what we can do to make it better, read @rybolov’s full post here.

#2 – FUD for Thought: In his guest post for fudsec.com (the fud comes from fear, uncertainty and doubt), security expert Richard Bejtlich talks about threat-centric thinking being on the rise. Bejtlich makes the excellent observation that over the past few years, there has been a shift in perspective when DoS attacks occur. It used to be that when a DoS attack occurred, people would ask “how did it happen?” Now, the primary concern when a DoS attack occurs is “who did it?” But is the shift from “how” to “who” good or counterproductive? You’ll just have to read the full post to find out; Bejtlich’s answer might surprise you.

#1 – Sanitize Those Apps: A few weeks ago we featured the @geminisecurity post “Sanitizing Input in Web Apps (Part 1).” We ranked it at number one to emphasize the importance of sanitizing input for the web (and anything else, for that matter). That’s why when @geminisecurity rolled out with part two of their “Sanitizing Web Apps” article, we knew that it needed to fill the number one slot again. Sanitizing input for web apps is one of the basic tenants for securing web apps. When we forget to sanitize input, or skip what might seem to be a rather minor step, we’re doing ourselves and users a huge disservice. It goes back to our motto of doing the basics and doing them well; it saves you, and everyone else, a lot of headache in the end. More than that though, it helps keep everyone safer. And at the end of the day, isn’t that what we all want? While we step off our soapbox, head over to @geminisecurity to read the full post.

Well, that’s all for this week. Expect some interesting BlackHat posts this upcoming week!

With all of the information available on the internet, it’s sometimes hard to decide what you should spend your time reading. That’s why we started our handy “Top 3 NoVA Infosec  Blog Posts of the Week” feature; we tell you about the best blog posts written by local security bloggers each week, and you spend less time wading through the internet trying to find something good to read.

So, without further adieu, let’s get on to the posts.

#3 – Messy Malware: For those of you who become gleeful at the thought of learning about new malware (you know who you are) you will definitely want to check out the post “Microsoft DirectShow MPEG2TuneRequest Stack Overflow P0C” on the @carnal0wnage blog. While the malware may no longer be ‘brand new’ per say (as pointed out in the post, this malware has been floating around on some Chinese forums for awhile), it’s still interesting to read about. You can check out the full post here.

#2 – The Meaning of APT: Can you imagine a topic that only retrieves 34 results from Google? According to Richard Bejtlich of TaoSecurity, Advanced Persistent Threat (APT) is one of those things. Says Bejtlich in his post “You Down with APT?,” “APT is one of those subjects that is very important but not well understood outside the defense industry.” He ends the post by saying “[i]f you’re not down with APT, you need to be.” To ‘get down with APT’ and learn more about it, check out Bejtlich’s full post on APT here.

#1 – Destroy That Data: In their post “Darik’s Boot and Nuke (DBAN),” @geminisecurity tackles a topic that you don’t hear about often enough: Destroying data before retiring, selling, or destroying computer systems. While @geminisecurity says that you can use DBAN for newer systems, what do you do with the older systems? Other than using “a chainsaw and a hammer” to get rid of the data, @geminisecurity suggests the words that make all of the do-it-yourselfer’s cringe: “pay someone else to do it.” While it’s tempting to think that you can handle the complete destruction or removal of data from an older system, sometimes it ‘pays’ to pay a specialist to do it. But for those of you who have the newer systems and would like to know more about DBAN, check out the full post by @geminisecurity here.

Well, that’s all for this week. Be sure to follow me @grecs during the week for more great posts from local bloggers.

o o o o o

Speaking of great local bloggers… we’re looking for some great guest bloggers to feature on NovaInfosecPortal. If you’re interested, feel free to contact us or send us a tweet.

It’s time for one of our favorite posts of the week… the post where we get to spotlight some great bloggers who are involved in the local infosec community.

If you, or someone you know should be added to the list of bloggers we consider each week, please contact us or send us a tweet.

#3 – iPhone Apps: We’re always looking for good apps for the iPhone (especially with the release of 3.0) so luckily for us, @geminisecurity had a post that covered 4 of the best apps for the iPhone. But @geminisecurity didn’t just cover regular iPhone apps; no, they covered security apps for the iPhone, which is definitely needed if all the recent rumors swirling around Apple’s security are true. You can check out the full post for more information.

#2 – Security for a Million: Writer and speaker Richard Bejtlich posed an interesting question this week, asking what a black hat could do with a $1 million budget. But instead of just leaving it as a question, Bejtlich actually wrote out a tentative breakdown of what a black hat organization could do with a $1 million budget.  I’m not sure what was scarier; the fact that he created a potential financial plan for a black hat organization to follow, or that $1 million could go a lot further in a black hat organization than it could in most of the organizations we work for. Really makes you question how much money is wasted on unimportant things. Definitely read the post for yourself and let me know what you think.

#1 – Cyberwarfare and the Spanish Civil War: According to guest poster ian99 of the The Guerilla CISO, “Perhaps the most interesting model of development and Cyberwarfare activity today would be based on the pre-WW II example of the Spanish Civil War.” Tracing the historical origins of cyberwarfare, ian99′s post is like attending a ShmooCon talk and a history lesson all in one. Check out the full post here.

Well, that’s all for this week. Be sure to follow me @grecs during the week for more great posts from local bloggers.

o o o o o

Speaking of great local bloggers… we’re looking for some great guest bloggers to feature on NovaInfosecPortal. If you’re interested, feel free to contact us or send us a tweet.

This week we are featuring a new NoVA Blogger, @geminisecurity. Please take a moment to check out their Twitter feed and welcome them to the local infosec community.

While he doesn’t have a post featured this week, we would also like to introduce local NoVA blogger @bobgourley. Please take a moment to visit his Twitter feed or his blog and welcome him to the local infosec community.

Now, to the posts!

#3 – The Mystery of SSL: The post “How does SSL work anyway?” post published by @geminisecurity this week was not only useful, but witty. Likening SSL to a handshake—“[i]t’s like the secret handshake you used in grade school to get into your clubhouse”—@geminisecurity had some useful tips and tricks about Server Authentication, Client Authentication, References, and other SSL protocols. You can check out the full post here.

#2 – Resources Galore: It seems that @mubix is the man to talk to if you’re looking for great security resources. Posting what he described as “Getting your fill of Security,” this week, @mubix is now keeping a running list of security podcasts, security bloggers, security-related Twitter accounts, and sites that you’re free to hack. You can check out the list here. You can also check out our list of security resources for additional information.

#1 – 60 Day Surprise: After President Obama gave his remarks on Cyber Security earlier in the week, Richard Bejtlich wasted no time before blogging his own thoughts about the President’s controversial speech. While we read a lot of tweets and blog posts this week that dealt with Obama’s ultimate stance on Cyber Security, we felt that Bejtlich’s was by far the best. Not only did he provide an intelligent commentary about what President Obama said, he also created an ‘imaginary’ speech of “what I would have liked to have heard [from President Obama].” This is a must-read post for anyone in the field, as the President’s stance on Cyber Security will affect all of us in some way. You can read the full post here.

Well, that’s all for this week. As always, we’d love to know if there are any other NoVA bloggers out there would would like to be considered for our “Top NoVA Infosec Blog Posts of the Week” feature. If so, leave a comment below or send us a tweet @grecs.

o o o o o

How Ironclad is your information?

Who needs coffee when you have the best of this week’s local security bloggers at your fingertips?

The featured blog post by Richard Bejtlich is sure to give you a jolt that’s espresso-worthy as he bashes the ISC’s take on incident response verses incident handling, and our favorite v-blogger Marcus J. Carey will have you seeing (and maybe even singing) the ‘grapevine’ in a whole new way.

#3 – Don’t Trust the Grapevine: In his typical style, Marcus J. Carey opened his v-blog post “Heard It Through The Grapevine” with a real-life object/scenario (in this case, Marvin Gaye), and told his audience how it applies to security. It turns out that Gaye’s “Grapevine” has some hidden truths for security professionals about how to best deal with vendors. Drawing from the famous “Grapevine” lines, “people say believe half of what you see, son, and none of what you hear,” Marcus says the same should go for vendors: While they might show you a shiny new program that works perfectly on their network or equipment, there’s no guarantee that it’s going to work on yours. Our advice? Take the ‘bake sale’ approach; pick the top three technologies you’re considering, ask for demos, set those demos up, and see how they actually work on your network and your equipment. But don’t just believe “what you hear;” be sure to watch the post for yourself. 

#2 – Ready, Set, Enumerate: In his post “Maltego Part II – Infrastructure Enumeration,” Chris Gates (on the Ethical Hacker Network) discusses Infrastructure Footprinting, which he says is “essential for identifying possible systems for remote attacks.” While Gates has a lot of great text about how to successful carry out Infrastructure Footprinting, it’s the detailed screenshots that accompany the text that make this article worth the read. While it’s always nice to have clear instructions on how to do something, pictures are always a definite plus (especially for those of us who are visual learners). But before you read Part II of Gate’s post, you might want to check out “Maltego Part I – Intro and Personal Recon” for background information.

#1 – ISC Smack Down: Okay, so it’s really more of a ‘bashing,’ or a ‘difference of opinion.’ But no matter what you call it, we like it; it’s nice to see strong opinions now and again. And in his post “Speaking of Incident Response,” Richard Bejtlich certainly has a difference of opinion when it comes to a recent article published by the ISC entitled “Incident Response vs. Incident Handling.” Bejtlich disagrees with the part of the ISC article that states “Incident Response is all of the technical components required in order to analyze and contain an incident,” and “Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.” According to Bejtlich, “[t]hat’s not right, and never was.” While Bejtlich tried pointing this out to the ISC moderators, he didn’t get very far. If you’d like to learn more about the real definitions of Incident Response and Incident Handling, you can check out Bejtlich’s article here.

Well, all good things come to and end, and so does these posts. But no worries: We’ll be back next week to make sure that your Monday starts of with something a little more interesting than the pile of work in your inbox.

If you think that we missed a post that should have been in our top 3, be sure to leave a comment below or send us a tweet @grecs.

###

It’s not too late! If you’re looking to get back to the heart of security basics, SANS has the perfect event for you in the form of their Application Security Workshop — What Works? workshop on April 29th. The workshop will cover the best ways to counter common attacks through general know-how, products, services, and configurations. If you’re interested, visit the SANS section of our Help Us Help You page to sign up for this workshop.