<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; richard-bejtlich</title>
	<atom:link href="http://www.novainfosecportal.com/tag/richard-bejtlich/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Mon, 06 Feb 2012 18:30:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/08/17/top-3-nova-infosec-blog-posts-of-the-week-21/</link>
		<comments>http://www.novainfosecportal.com/2009/08/17/top-3-nova-infosec-blog-posts-of-the-week-21/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 15:00:44 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[geminisecurity]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[mubix]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[NoVA Bloggers]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security-career-advice]]></category>
		<category><![CDATA[security-careers]]></category>
		<category><![CDATA[voting-machine-security]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1951</guid>
		<description><![CDATA[While we love security news sites as much as the next person, we really love hearing from people in the local security community. That&#8217;s why we started our &#8220;Top 3 NoVA Infosec Blog Posts of the Week&#8221; feature; it lets us highlight the best of local security bloggers, and gives you the opportunity to read awesome security material produced by members of the local community. If you&#8217;re a local security blogger that would like to be considered for this feature, please feel free to shoot us an email or send us a tweet @grecs. We also have a handy list of local bloggers, so be sure to contact us if you aren&#8217;t already on the list! #3 &#8211; Election Woes: Just when you thought the election headache was over, @geminisecurity proves you wrong. Because while the election itself might be over, the controversy over voting machines is just beginning. In their post &#8220;AVC Advantage Attack,&#8221; @geminisecurity points out the fact that you can learn to hack a voting machine for around $20, and it&#8217;s a fairly simple task. That&#8217;s right: We are voting on machines that are not only easy to hack, but aren&#8217;t even regulated! Something tells us that George Washington is rolling over in [...]]]></description>
			<content:encoded><![CDATA[<p>While we love security news sites as much as the next person, we really love hearing from people in the <a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">local security community</a>. That&#8217;s why we started our &#8220;Top 3 NoVA Infosec Blog Posts of the Week&#8221; feature; it lets us highlight the best of local security bloggers, and gives you the opportunity to read awesome security material produced by members of the local community.</p>
<p>If you&#8217;re a local security blogger that would like to be considered for this feature, please feel free to <a href="http://www.novainfosecportal.com/contact-us/">shoot us an email</a> or send us a tweet <a href="http://www.twitter.com/grecs">@grecs</a>. We also have a handy <a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">list</a> of local bloggers, so be sure to contact us if you aren&#8217;t already on the list!</p>
<p><strong>#3 &#8211; Election Woes</strong>: Just when you thought the election headache was over, <a href="http://www.twitter.com/geminisecurity">@geminisecurity</a> proves you wrong. Because while the election itself might be over, the controversy over voting machines is just beginning. In their post &#8220;AVC Advantage Attack,&#8221; @geminisecurity points out the fact that you can learn to hack a voting machine for around $20, and it&#8217;s a fairly simple task. That&#8217;s right: We are voting on machines that are not only easy to hack, but aren&#8217;t even regulated! Something tells us that George Washington is rolling over in his grave. Be sure to check out the full post <a href="http://securitymusings.com/article/1401/avc-advantage-attack">here</a>. </p>
<p><strong>#2 &#8211; Simple Security</strong>: We&#8217;ll be honest; this post got our attention before we even read it. With a title like &#8220;Simplicity is Security,&#8221; how could it not? Taking an interesting look at security by examining the use (or lack thereof) of debit and credit cards in Japan, <a href="http://www.twitter.com/mubix">@mubix</a> makes some excellent points about how our desire to jump on every technological advance that comes along is making it harder to have good security. After talking about how people in Japan usually don&#8217;t have credit cards, debit cards, or do any of their banking online, @mubix poses the following question to his readers: &#8220;Should we continue down the path of “MORE SECURITY” or should we deviate a bit for simpler, possibly non-technical practices?&#8221; While we can&#8217;t say that we totally agree with the route of non-technical practices, we do believe that there is a happy medium. To answer the question for yourself, why not check out the <a href="http://www.room362.com/archives/621-simplicity-is-security.html">full post</a>?<span id="more-1951"></span></p>
<p><strong>#1 &#8211; Careers in Security</strong>: With the current economy being what it is, career advice has become rather popular as of late. Richard Bejtlich of TaoSecurity jumped on the career advice train this week in his post &#8220;Thoughts on Security Careers.&#8221; Quoting a number of different posts that deal with popular career trends and career advice for security professionals, Bejtlich gives his own insight, tips, and tricks. Even if you&#8217;re not interested in leaving your current job for another, <a href="http://taosecurity.blogspot.com/2009/08/thoughts-on-security-careers.html">this post</a> is a must-read.</p>
<p>Well, that&#8217;s all for this week. Be sure to check back next week for more great reads from security professionals in your community.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/08/17/top-3-nova-infosec-blog-posts-of-the-week-21/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/08/10/top-3-nova-infosec-blog-posts-of-the-week-20/</link>
		<comments>http://www.novainfosecportal.com/2009/08/10/top-3-nova-infosec-blog-posts-of-the-week-20/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 18:00:58 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[gemini-security]]></category>
		<category><![CDATA[grecs]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[mubix]]></category>
		<category><![CDATA[NoVA Bloggers]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[rybolov]]></category>
		<category><![CDATA[sandboxie]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[taosecuirty]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1905</guid>
		<description><![CDATA[It&#8217;s that time of the week again when we bring you the best of local security blogs. But before we get to that, we thought we&#8217;d share our tweet of the week along with a #totw that deserves honorable mention to get your afternoon started with a few laughs. Our official #totw was a RT by @mubix: grecs RT @mubix RT @secureideas: &#8220;When pen tester tells U they luv something, get it off yr network.&#8221; @agent0x0: &#8220;I luv Sharepoint.&#8221; #defcon #totw Honorable mention belongs to this tweet by @technogeezer because it&#8217;s so true! grecs LOL.. RT: @technogeezer: Someone here at CSC now refers to physical meetings as getting together in &#8216;meatspace&#8217; #totw Now, on to the posts! #3 &#8211; Lessons From the Sandbox: If you are  looking for great technical posts, @geminisecurity should be your first stop. Their latest post, &#8220;Protect Your Computer By Running Applications in Sandboxie&#8221; talks about the Windows utility Sandboxie—a program that allows you to run &#8220;applications in an isolated environment on your computer so you can protect yourself from malware, surf the web, and maintain your registry without affecting your host system.&#8221; They also note that &#8220;Sandboxie is a good alternative to setting up a [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s that time of the week again when we bring you the best of <a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">local security blogs</a>. But before we get to that, we thought we&#8217;d share our tweet of the week along with a #totw that deserves honorable mention to get your afternoon started with a few laughs.</p>
<p>Our official #totw was an RT by <a href="http://www.twitter.com/mubix">@mubix</a>:</p>
<blockquote><p><a href="http://twitter.com/grecs">grecs</a> RT <a href="http://twitter.com/mubix">@mubix</a> RT <a href="http://twitter.com/secureideas">@secureideas</a>: &#8220;When pen tester tells U they luv something, get it off yr network.&#8221; <a href="http://twitter.com/agent0x0">@agent0x0</a>: &#8220;I luv Sharepoint.&#8221; <a title="#defcon" href="http://twitter.com/search?q=%23defcon">#defcon</a> <a title="#totw" href="http://twitter.com/search?q=%23totw"><strong>#totw</strong></a></p></blockquote>
<p>Honorable mention belongs to this tweet by <a href="http://twitter.com/technogeezer">@technogeezer</a> because it&#8217;s so true!</p>
<blockquote><p><a href="http://twitter.com/grecs">grecs</a> LOL.. RT: <a href="http://twitter.com/technogeezer">@technogeezer</a>: Someone here at CSC now refers to physical meetings as getting together in &#8216;meatspace&#8217; <a title="#totw" href="http://twitter.com/search?q=%23totw"><strong>#totw</strong></a></p></blockquote>
<p>Now, on to the posts!</p>
<p><strong>#3 &#8211; Lessons From the Sandbox</strong>: If you are looking for great technical posts, <a href="http://www.twitter.com/geminisecurity">@geminisecurity</a> should be your first stop. Their latest post, &#8220;Protect Your Computer By Running Applications in Sandboxie,&#8221; talks about the Windows utility Sandboxie—a program that allows you to run &#8220;applications in an isolated environment on your computer so you can protect yourself from malware, surf the web, and maintain your registry without affecting your host system.&#8221; They also note that &#8220;Sandboxie is a good alternative to setting up a virtual machine, especially if you just want to run a quick test or two without having to wait for an entire operating system to boot up.&#8221; Be sure to read the post and learn more about Sandboxie <a href="http://securitymusings.com/article/1379/protect-your-computer-by-running-applications-in-sandboxie">here</a>. <span id="more-1905"></span></p>
<p><strong>#2 &#8211; The Bureaucracy Is Down</strong>: In his post &#8220;Blast From the Past,&#8221; TaoSecurity&#8217;s Richard Bejtlich uses an example from his own life that illustrates the sometimes ridiculous nature of tasks given by large organizations. In Bejtlich&#8217;s case, it was the Air Force that had given him and his co-workers what seemed to be an impossible mission: Centralize Air Force email within the course of a few months. Needless to say, such a feat was impossible in such a small amount of time. But now, nearly 11 years later, Bejtlich says that it is finally happening; that Air Force email will be starting the centralization process at Keesler Air Force Base, Miss. But as he says at the end of his post, &#8220;[s]o, about 11 years after being told to accomplish the same task, the effort will be done! I think there are lessons here for anyone with a similarly large, bureaucratic, turf-centric, distributed, decentralized, global organization.&#8221; Be sure to read the full post <a href="http://taosecurity.blogspot.com/2009/08/blast-from-past.html">here</a>.</p>
<p><strong>#1 &#8211; Help Isn&#8217;t Coming</strong>: Leave it to <a href="http://www.twitter.com/rybolov">@rybolov</a> to hit the nail on the head when it comes to the Cybersecurity Coordinator position and why, even after two months, it <em>still</em> hasn&#8217;t been filled. In his post &#8220;Help Wanted,&#8221; he poses the following question: &#8220;So let me give you a hypothetical job: You have to give up your high-paying private-sector job to be a Government employee. You have tons of responsibility. You have no real authority. You have no dedicated budget. You have no staffers. The job has had half a dozen people filling it in the last 7 years. The job has been open longer than it’s been staffed over the past 7 years.&#8221; Does that sound like a job that any of you would want? Didn&#8217;t think so. By being blunt (unlike government officials), @rybolov makes excellent points as to why the Cybersecurity Coordinator position is still empty, and will likely remain that way unless something changes. Be sure to read his full post <a href="http://www.guerilla-ciso.com/archives/1259">here</a>.</p>
<p>Well, that&#8217;s all for this week. Be sure to follow us <a href="http://www.twitter.com/grecs">@grecs</a> for more great posts throughout the week!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/08/10/top-3-nova-infosec-blog-posts-of-the-week-20/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/08/03/top-3-nova-infosec-blog-posts-of-the-week-19/</link>
		<comments>http://www.novainfosecportal.com/2009/08/03/top-3-nova-infosec-blog-posts-of-the-week-19/#comments</comments>
		<pubDate>Mon, 03 Aug 2009 15:30:16 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[cyberwarfare]]></category>
		<category><![CDATA[net-centric-thinking]]></category>
		<category><![CDATA[NoVA Bloggers]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[rybolov]]></category>
		<category><![CDATA[sanitizing-web-apps]]></category>
		<category><![CDATA[sybersecurity]]></category>
		<category><![CDATA[web-apps]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1874</guid>
		<description><![CDATA[While things were a little quiet on the local blogging front this past week due to the awesomeness that is BlackHat, Richard Bejtlich, @rybolov and @geminisecurity came to the rescue with three excellent posts that discuss everything from the importance of sanitizing web apps to what we need in a CyberArmy. As everyone slowly recuperates from BlackHat, expect a large influx of must-read posts about the event. If you&#8217;d like to catch most of these posts, be sure to follow us @grecs during the week. #3 &#8211; The Real CyberArmy: In his post &#8220;The CyberArmy You Have&#8230;&#8221; @rybolov opens with the military saying, &#8220;[y]ou go to war with the army you have, not with the army you wish you had.&#8221; This is especially true for the US as it charges ahead with its national Cybersecurity strategy without having having the proper skill set or the proper leadership. While Cyberwar is a top skill to have, @rybolov notes that &#8220;the existing contractor skillset is based on procedural offerings,&#8221; and that, &#8220;[t]o be honest, I see lots of people with cybersecurity offerings, but what they really have is rebranded service offerings because the skills sets of the workforce haven’t changed.&#8221; As much [...]]]></description>
			<content:encoded><![CDATA[<p>While things were a little quiet on the local blogging front this past week due to the awesomeness that is BlackHat, <span>Richard Bejtlich, <a href="http://www.twitter.com/rybolov">@rybolov</a> and <a href="http://www.twitter.com/geminisecurity">@geminisecurity</a> came to the rescue with three excellent posts that discuss everything from the importance of sanitizing web apps to what we need in a CyberArmy. </span></p>
<p><span>As everyone slowly recuperates from BlackHat, expect a large influx of must-read posts about the event. If you&#8217;d like to catch most of these posts, be sure to follow us <a href="http://www.twitter.com/grecs">@grecs</a> during the week. </span></p>
<p><strong>#3 &#8211; The Real CyberArmy</strong>: In his post &#8220;The CyberArmy You Have&#8230;&#8221; <a href="http://www.twitter.com/rybolov">@rybolov</a> opens with the military saying, &#8220;[y]ou go to war with the army you have, not with the army you wish you had.&#8221; This is especially true for the US as it charges ahead with its national Cybersecurity strategy without having the proper skill set or the proper leadership. While Cyberwar is a top skill to have, @rybolov notes that &#8220;the existing contractor skillset is based on procedural offerings,&#8221; and that, &#8220;[t]o be honest, I see lots of people with cybersecurity offerings, but what they really have is rebranded service offerings because the skills sets of the workforce haven’t changed.&#8221; As much as we might think that we have a CyberArmy that can handle anything, @rybolov makes the excellent point that we need to see the CyberArmy that <em>we actually have</em>. To learn more about the CyberArmy we have and what we can do to make it better, read @rybolov&#8217;s full post <a href="http://www.guerilla-ciso.com/archives/1235">here</a>. <span id="more-1874"></span></p>
<p><strong>#2 &#8211; FUD for Thought</strong>: In his guest post for <a href="http://fudsec.com/">fudsec.com</a> (the fud comes from fear, uncertainty and doubt), security expert Richard Bejtlich talks about threat-centric thinking being on the rise. Bejtlich makes the excellent observation that over the past few years, there has been a shift in perspective when DoS attacks occur. It used to be that when a DoS attack occurred, people would ask &#8220;how did it happen?&#8221; Now, the primary concern when a DoS attack occurs is &#8220;who did it?&#8221; But is the shift from &#8220;how&#8221; to &#8220;who&#8221; good or counterproductive? You&#8217;ll just have to read the <a href="http://fudsec.com/threat-centric-thinking-on-the-rise-richard-b">full post</a> to find out; Bejtlich&#8217;s answer might surprise you.</p>
<p><strong>#1 &#8211; Sanitize Those Apps</strong>: A <a href="http://www.novainfosecportal.com/2009/06/22/top-3-nova-infosec-blog-posts-of-the-week-13/">few weeks ago</a> we featured the <a href="http://www.twitter.com/geminisecurity">@geminisecurity</a> post &#8220;Sanitizing Input in Web Apps (Part 1).&#8221; We ranked it at number one to emphasize the importance of sanitizing input for the web (and anything else, for that matter). That&#8217;s why when @geminisecurity rolled out part two of their &#8220;Sanitizing Web Apps&#8221; article, we knew that it needed to fill the number one slot again. Sanitizing input for web apps is one of the basic tenets of securing web apps. When we forget to sanitize input, or skip what might seem to be a rather minor step, we&#8217;re doing ourselves and our users a huge disservice. It goes back to our motto of <a href="http://www.novainfosecportal.com/2009/04/18/recent-studies-stress-back-to-basics/">doing the basics and doing them well</a>; it saves you, and everyone else, a lot of headache in the end. More than that though, it helps keep everyone safer. And at the end of the day, isn&#8217;t that what we all want? While we step off our soapbox, head over to @geminisecurity to read the <a href="http://securitymusings.com/article/1360/sanitizing-input-in-web-apps-part-2">full post</a>.</p>
<p>Well, that&#8217;s all for this week. Expect some interesting BlackHat posts this upcoming week!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/08/03/top-3-nova-infosec-blog-posts-of-the-week-19/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/07/20/top-3-nova-infosec-blog-posts-of-the-week-17/</link>
		<comments>http://www.novainfosecportal.com/2009/07/20/top-3-nova-infosec-blog-posts-of-the-week-17/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 14:00:20 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[local-bloggers]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[mubix]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[rybolov]]></category>
		<category><![CDATA[scap]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sexism-in-security]]></category>
		<category><![CDATA[white-hat]]></category>
		<category><![CDATA[white-hat-budget]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1824</guid>
		<description><![CDATA[If ever there was a week of controversial posts, it would be this one. While the posts we usually cover follow trends and topics without coloring outside the lines too much, this week you can expect to read some thought-provoking posts about sexism in information security, what white hat could do with a million bucks (far less than black hat, by the way), and the way that Federated Management should be run. In other words, the perfect reading material to go with your morning coffee. Now, on to the posts! #3 &#8211; Plan for BSOFH Happiness: Half sarcasm, half advice, @rybolov&#8217;s post &#8220;Federated Vulnerability Management&#8221; gives the nitty-gritty on government patch and vulnerability management. After talking about what&#8217;s wrong with government patches and vulnerability management, he recommends using SCAP to &#8216;fix&#8217; the mess. While the post is a little longer than usual, it&#8217;s definitely worth the read. #2 &#8211; Sexism, Religion, and Hackers: This is a topic that isn&#8217;t discussed enough. While DojoSec&#8217;s Marcus J. Carey did a v-blog post about sexism in the security field a little over two months ago, there hasn&#8217;t been much discussion about it since. That&#8217;s why it was refreshing to see @mubix respond to [...]]]></description>
			<content:encoded><![CDATA[<p>If ever there was a week of controversial posts, it would be this one. While the posts we usually cover follow trends and topics without coloring outside the lines too much, this week you can expect to read some thought-provoking posts about sexism in information security, what white hat could do with a million bucks (far less than black hat, by the way), and the way that Federated Management should be run.</p>
<p>In other words, the perfect reading material to go with your morning coffee.</p>
<p>Now, on to the posts!</p>
<p><strong>#3 &#8211; Plan for BSOFH Happiness</strong>: Half sarcasm, half advice, <a href="http://www.twitter.com/rybolov">@rybolov&#8217;s</a> post &#8220;Federated Vulnerability Management&#8221; gives the nitty-gritty on government patch and vulnerability management. After talking about what&#8217;s wrong with government patch and vulnerability management, he recommends using SCAP to &#8216;fix&#8217; the mess. While the post is a little longer than usual, it&#8217;s definitely <a href="http://www.guerilla-ciso.com/archives/1197">worth the read</a>. <span id="more-1824"></span></p>
<p><strong>#2 &#8211; Sexism, Religion, and Hackers</strong>: This is a topic that isn&#8217;t discussed enough. While DojoSec&#8217;s Marcus J. Carey did a v-blog post about sexism in the security field a little over <a href="http://www.novainfosecportal.com/2009/05/03/grecs-weekly-infosec-ramblings-for-2009-05-03/#sexism-in-security">two months ago</a>, there hasn&#8217;t been much discussion about it since. That&#8217;s why it was refreshing to see <a href="http://www.twitter.com/mubix">@mubix</a> respond to a post by <a href="http://www.twitter.com/shazzzam">@shazzzam</a> and others about females in information security. Let&#8217;s be honest: it&#8217;s not fair, and there is a bias. But as @mubix points out, &#8220;[s]exism, and for that matter, any “-ism” is flawed on both sides.&#8221; This is a highly controversial post, but one that should be read. You can read the full post <a href="http://www.room362.com/archives/614-sexism-and-the-religion-of-hackers.html">here</a>.</p>
<p><strong>#1 &#8211; White Hat for a Million</strong>: After his post &#8220;<a href="http://www.novainfosecportal.com/2009/06/29/top-3-nova-infosec-blog-posts-of-the-week-14/">Black Hat Budgeting</a>&#8221; got a fair amount of response last month, author and speaker Richard Bejtlich decided to revisit the million dollar security question this month by figuring out what white hat security could do with a million dollars compared to what black hat could do. The results? Not exactly pretty. As Bejtlich says at the end of his post, &#8220;I am much less comfortable building out this team, compared to the Black Hat Budgeting exercise. There are way too many variables involved in defending any enterprise.&#8221; With roughly $850,000 spent on staff, there&#8217;s only $150,000 left for technology. How does Bejtlich break it all down? Read the <a href="http://taosecurity.blogspot.com/2009/07/white-hat-budgeting.html">full post</a> to find out.</p>
<p>Well, that’s all for this week. Be sure to follow me <a href="http://www.twitter.com/grecs">@grecs</a> during the week for more great posts from local bloggers.</p>
<p style="text-align: center;">o o o o o</p>
<p style="text-align: center;"><em>Know a blog that should be considered for our &#8220;Top 3 NoVA Infosec Blog Posts of the Week&#8221; feature? If so, <a href="http://www.twitter.com/grecs">send us a tweet</a> with a link to the blog and the request for us to check it out.<br />
</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/07/20/top-3-nova-infosec-blog-posts-of-the-week-17/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/06/29/top-3-nova-infosec-blog-posts-of-the-week-14/</link>
		<comments>http://www.novainfosecportal.com/2009/06/29/top-3-nova-infosec-blog-posts-of-the-week-14/#comments</comments>
		<pubDate>Mon, 29 Jun 2009 14:00:35 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[cyberwarfare]]></category>
		<category><![CDATA[infosec-community]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[iphone-3]]></category>
		<category><![CDATA[iphone-apps]]></category>
		<category><![CDATA[NoVA Bloggers]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[spanish-civil-war]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1732</guid>
		<description><![CDATA[It&#8217;s time for one of our favorite posts of the week&#8230; the post where we get to spotlight some great bloggers who are involved in the local infosec community. If you, or someone you know should be added to the list of bloggers we consider each week, please contact us or send us a tweet. #3 &#8211; iPhone Apps: We&#8217;re always looking for good apps for the iPhone (especially with the release of 3.0) so luckily for us, @geminisecurity had a post that covered 4 of the best apps for the iPhone. But @geminisecurity didn&#8217;t just cover regular iPhone apps; no, they covered security apps for the iPhone, which is definitely needed if all the recent rumors swirling around Apple&#8217;s security are true. You can check out the full post for more information. #2 &#8211; Security for a Million: Writer and speaker Richard Bejtlich posed an interesting question this week, asking what a black hat could do with a $1 million budget. But instead of just leaving it as a question, Bejtlich actually wrote out a tentative breakdown of what a black hat organization could do with a $1 million budget.  I&#8217;m not sure what was scarier; the fact that [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s time for one of our favorite posts of the week&#8230; the post where we get to spotlight some great bloggers who are involved in the local infosec community.</p>
<p>If you, or someone you know should be added to the list of bloggers we consider each week, please <a href="http://www.novainfosecportal.com/contact-us/">contact us</a> or <a href="http://www.twitter.com/grecs">send us a tweet</a>.</p>
<p><strong>#3 &#8211; iPhone Apps</strong>: We&#8217;re always looking for good apps for the iPhone (especially with the release of 3.0) so luckily for us, <a href="http://www.twitter.com/geminisecurity">@geminisecurity</a> had a post that covered 4 of the best apps for the iPhone. But @geminisecurity didn&#8217;t just cover regular iPhone apps; no, they covered <em>security apps</em> for the iPhone, which is definitely needed if all the recent rumors swirling around Apple&#8217;s security are true. You can check out the <a href="http://securitymusings.com/article/1245/4-good-security-applications-for-the-iphone">full post</a> for more information.<span id="more-1732"></span></p>
<p><strong>#2 &#8211; Security for a Million</strong>: Writer and speaker Richard Bejtlich posed an interesting question this week, asking what a black hat could do with a $1 million budget. But instead of just leaving it as a question, Bejtlich actually <em>wrote out</em> a tentative breakdown of what a black hat organization could do with a $1 million budget.  I&#8217;m not sure what was scarier; the fact that he created a potential financial plan for a black hat organization to follow, or that $1 million could go a lot further in a black hat organization than it could in most of the organizations we work for. Really makes you question how much money is wasted on unimportant things. Definitely <a href="http://taosecurity.blogspot.com/2009/06/black-hat-budgeting.html">read the post</a> for yourself and let me know what you think.</p>
<p><strong>#1 &#8211; Cyberwarfare and the Spanish Civil War</strong>: According to guest poster ian99 of The Guerilla CISO, &#8220;Perhaps the most interesting model of development and Cyberwarfare activity today would be based on the pre-WW II example of the Spanish Civil War.&#8221; Tracing the historical origins of cyberwarfare, ian99&#8217;s post is like attending a ShmooCon talk and a history lesson all in one. Check out the full post <a href="http://www.guerilla-ciso.com/archives/1139">here</a>.</p>
<p>Well, that’s all for this week. Be sure to follow me <a href="http://www.twitter.com/grecs">@grecs</a> during the week for more great posts from local bloggers.</p>
<p style="text-align: center;">o o o o o</p>
<p style="text-align: center;"><em>Speaking of great local bloggers… we’re looking for some great guest bloggers to feature on NovaInfosecPortal. If you’re interested, feel free to <a href="../2009/06/22/contact-us/">contact us</a> or <a href="http://www.twitter.com/grecs">send us a tweet</a>. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/06/29/top-3-nova-infosec-blog-posts-of-the-week-14/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/06/01/top-3-nova-infosec-blog-posts-of-the-week-10/</link>
		<comments>http://www.novainfosecportal.com/2009/06/01/top-3-nova-infosec-blog-posts-of-the-week-10/#comments</comments>
		<pubDate>Mon, 01 Jun 2009 14:00:45 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[gemini-security]]></category>
		<category><![CDATA[information-security-blogs]]></category>
		<category><![CDATA[infosec-bloggers]]></category>
		<category><![CDATA[mubix]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[NoVA Bloggers]]></category>
		<category><![CDATA[obama]]></category>
		<category><![CDATA[president-obama]]></category>
		<category><![CDATA[Resources]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[taosecurity]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1614</guid>
		<description><![CDATA[This week we are featuring a new NoVA Blogger, @geminisecurity. Please take a moment to check out their Twitter feed and welcome them to the local infosec community. While he doesn’t have a post featured this week, we would also like to introduce local NoVA blogger @bobgourley. Please take a moment to visit his Twitter feed or his blog and welcome him to the local infosec community. Now, to the posts! #3 &#8211; The Mystery of SSL: The post “How does SSL work anyway?” published by @geminisecurity this week was not only useful, but witty. Likening SSL to a handshake—“[i]t’s like the secret handshake you used in grade school to get into your clubhouse”—@geminisecurity had some useful tips and tricks about Server Authentication, Client Authentication, References, and other SSL protocols. You can check out the full post here. #2 &#8211; Resources Galore: It seems that @mubix is the man to talk to if you’re looking for great security resources. Posting what he described as “Getting your fill of Security” this week, @mubix is now keeping a running list of security podcasts, security bloggers, security-related Twitter accounts, and sites that you’re free to hack. You can check out the list [...]]]></description>
			<content:encoded><![CDATA[<p>This week we are featuring a new NoVA Blogger, <span style="color: #3366ff;"><a href="http://twitter.com/geminisecurity">@geminisecurity</a></span>. Please take a moment to check out their <span style="color: #3366ff;"><a href="http://twitter.com/geminisecurity">Twitter feed</a></span> and welcome them to the local infosec community.</p>
<p>While he doesn’t have a post featured this week, we would also like to introduce local NoVA blogger <span style="color: #3366ff;"><a href="http://twitter.com/bobgourley">@bobgourley</a></span>. Please take a moment to visit his <span style="color: #3366ff;"><a href="http://twitter.com/bobgourley">Twitter feed</a></span> or his <span style="color: #3366ff;"><a href="http://ctovision.com/">blog</a></span> and welcome him to the local infosec community.</p>
<p>Now, to the posts!</p>
<p><strong>#3 &#8211; The Mystery of SSL</strong>: The post “How does SSL work anyway?” published by <span style="color: #3366ff;"><a href="http://twitter.com/geminisecurity">@geminisecurity</a></span> this week was not only useful, but witty. Likening SSL to a handshake—“[i]t’s like the secret handshake you used in grade school to get into your clubhouse”—@geminisecurity had some useful tips and tricks about Server Authentication, Client Authentication, References, and other SSL protocols. You can check out the full post <span style="color: #3366ff;"><a href="http://securitymusings.com/article/1095/how-does-ssl-work-anyway">here</a></span>.<span id="more-1614"></span></p>
<p><strong>#2 &#8211; Resources Galore</strong>: It seems that <span style="color: #3366ff;"><a href="http://www.twitter.com/mubix">@mubix</a></span> is the man to talk to if you’re looking for great <span style="color: #3366ff;"><a href="http://www.novainfosecportal.com/resources/nova-email-lists-networking/">security resources</a></span>. Posting what he described as “Getting your fill of Security” this week, @mubix is now keeping a running list of security <span style="color: #3366ff;"><a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">podcasts</a></span>, security <span style="color: #3366ff;"><a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">bloggers</a></span>, security-related <span style="color: #3366ff;"><a href="http://www.novainfosecportal.com/resources/nova-email-lists-networking/novainfosec-twits/">Twitter accounts</a></span>, and sites that you’re free to hack. You can check out the list <span style="color: #3366ff;"><a href="http://www.room362.com/archives/569-getting-your-fill-of-security.html">here</a></span>. You can also check out our <a href="http://www.novainfosecportal.com/resources/nova-email-lists-networking/">list</a> of security resources for additional information.</p>
<p><strong>#1 &#8211; 60 Day Surprise</strong>: After President Obama gave his remarks on Cyber Security earlier in the week, <span style="color: #3366ff;"><a href="http://www.bejtlich.net/">Richard Bejtlich</a></span> wasted no time before blogging his own thoughts about the President’s controversial speech. While we read a lot of tweets and <span style="color: #3366ff;"><a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">blog posts</a></span> this week that dealt with Obama’s ultimate stance on Cyber Security, we felt that Bejtlich’s was by far the best. Not only did he provide an intelligent commentary about what President Obama said, he also created an ‘imaginary’ speech of “what I would have liked to have heard [from President Obama].” This is a must-read post for anyone in the field, as the President’s stance on Cyber Security will affect all of us in some way. You can read the full post <span style="color: #3366ff;"><a href="http://taosecurity.blogspot.com/2009/05/president-obamas-real-speech-on-cyber.html">here</a></span>.</p>
<p>Well, that&#8217;s all for this week. As always, we&#8217;d love to know if there are any other NoVA bloggers out there who would like to be considered for our &#8220;Top NoVA Infosec Blog Posts of the Week&#8221; feature. If so, leave a comment below or send us a tweet <span style="color: #3366ff;"><a href="http://www.twitter.com/grecs">@grecs</a></span>.</p>
<p style="text-align: center;">o o o o o</p>
<p style="text-align: center;"><em>How <a href="http://www.amazon.com/gp/product/B00155184G?ie=UTF8&amp;tag=grecomconsult-20&amp;linkCode=as2&amp;camp=1789&amp;creative=390957&amp;creativeASIN=B00155184G">Ironclad</a> is your information? </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/06/01/top-3-nova-infosec-blog-posts-of-the-week-10/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/05/18/top-3-nova-infosec-blog-posts-of-the-week-9/</link>
		<comments>http://www.novainfosecportal.com/2009/05/18/top-3-nova-infosec-blog-posts-of-the-week-9/#comments</comments>
		<pubDate>Mon, 18 May 2009 16:15:04 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[80-percent-myth]]></category>
		<category><![CDATA[bruce-schneier]]></category>
		<category><![CDATA[dc]]></category>
		<category><![CDATA[desktop-security]]></category>
		<category><![CDATA[fdcc]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[local-bloggers]]></category>
		<category><![CDATA[md]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[s.773]]></category>
		<category><![CDATA[s.773-conspiracy]]></category>
		<category><![CDATA[tao-of-network-security-monitoring]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1539</guid>
		<description><![CDATA[This week, local bloggers tackle the &#8216;80 percent&#8217; myth, the end of the interwebs as we know it, and why FDCC isn’t just cool, but magical. #3 &#8211; The Magic of FDCC: Responding to a post by Bruce Schneier, @rybolov sets out to discover the real &#8216;magic&#8217; of FDCC in the midst of all the controversy. According to @rybolov, “[t]he magic of FDCC is not in the fact that the Government used its IT-buying muscle to get Microsoft to cooperate,” but that “FDCC is getting the application vendors to play along.” @rybolov goes on to note that if your software works with FDCC, it is most likely built to run on security-correct operating systems. But before you decide whether FDCC really is the holy grail of desktop security, be sure to read @rybolov’s post, as well as the initial post by Schneier, to see what the hubbub is all about. (If nothing else, read them for the comments—they’re priceless!) #2 &#8211; The Myth of 80 Percent: In his “Insider Threat Myth Documentation” post this week, author and local security blogger Richard Bejtlich provided an excerpt from his 2004 book The Tao of Network Security Monitoring with recently added annotations. Posting [...]]]></description>
			<content:encoded><![CDATA[<p>This week, <a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">local bloggers</a> tackle the &#8217;80 percent&#8217; myth, the end of the interwebs as we know it, and why FDCC isn’t just cool, but magical.</p>
<p><strong>#3 &#8211; The Magic of FDCC</strong>: Responding to a post by Bruce Schneier, <a href="http://www.twitter.com/rybolov">@rybolov</a> sets out to discover the real &#8216;magic&#8217; of FDCC in the midst of all the controversy. According to @rybolov, “[t]he magic of FDCC is not in the fact that the Government used its IT-buying muscle to get Microsoft to cooperate,” but that “FDCC is getting the application vendors to play along.” @rybolov goes on to note that if your software works with FDCC, it is most likely built to run on security-correct operating systems. But before you decide whether FDCC really is the holy grail of desktop security, be sure to read @rybolov’s <a href="http://www.guerilla-ciso.com/archives/1008">post</a>, as well as the <a href="http://www.schneier.com/blog/archives/2009/05/secure_version.html">initial post</a> by Schneier, to see what the hubbub is all about. (If nothing else, read them for the comments—they’re priceless!)<span id="more-1539"></span></p>
<p><strong>#2 &#8211; The Myth of 80 Percent</strong>: In his “Insider Threat Myth Documentation” post this week, author and local security blogger Richard Bejtlich provided an excerpt from his 2004 book <em>The Tao of Network Security Monitoring</em> with recently added annotations. Posting an excerpt from the book that deals with the &#8216;80 percent&#8217; myth, Bejtlich documents what the 80 percent myth means for insider versus outsider threats. To do that, Bejtlich first ‘debunks’ the 80 percent myth by quoting a response from Dr. Eugene Schultz: “There is currently considerable confusion concerning where most attacks originate. Unfortunately, a lot of this confusion comes from the fact that some people keep quoting a 17-year-old FBI statistic that indicated that 80 percent of all attacks originated from the [inside]&#8230;” While the 80 percent myth might not be accurate, Bejtlich says that’s no reason to underestimate insider attacks, as they still pose the largest vulnerability. You can read the full excerpt <a href="http://taosecurity.blogspot.com/2009/05/insider-threat-myth-documentation.html">here</a>.</p>
<p><strong>#1 &#8211; Conspiracy of the Month</strong>: If all the buzz on the internet is correct, S.773 is the end of the web as we know it. Lucky for us however, we have @rybolov to keep us grounded in the midst of would-be conspiracies. The basic premise of the S.773 conspiracy is that the Government would be given the ability to view private data and the President would be able to censor internet content. (Noes, not the interwebs!) Needless to say, this has caused quite a few people to panic since there’s nothing that people hate more than the idea of censorship. But @rybolov does an excellent job of wading through the real purpose of S.773 and why we might still have a usable internet at the end of it. You can read the full post <a href="http://www.guerilla-ciso.com/archives/1016">here</a>.</p>
<p>Well, that’s all for this week. It’s been a bit of a quieter week on the <a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">local blogosphere</a>, so we would love to know if you write or read a local blog that we should consider for our “Top 3” every week. Be sure to leave a comment about it below, or send us a tweet <a href="http://www.twitter.com/grecs">@grecs</a>.</p>
<p style="text-align: center;">o     o     o     o     o</p>
<p style="text-align: center;"><em>Be our guest—guest blogger, that is. <a href="http://www.novainfosecportal.com/contact-us/">Contact us</a> to learn how you can get your ideas on NovaInfosecportal.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/05/18/top-3-nova-infosec-blog-posts-of-the-week-9/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/05/11/top-3-nova-infosec-blog-posts-of-the-week-8/</link>
		<comments>http://www.novainfosecportal.com/2009/05/11/top-3-nova-infosec-blog-posts-of-the-week-8/#comments</comments>
		<pubDate>Mon, 11 May 2009 13:45:55 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[carnal0wnage]]></category>
		<category><![CDATA[chained-exploits]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity-review]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[president-obama]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[rybolov]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security-review]]></category>
		<category><![CDATA[taosecurity]]></category>
		<category><![CDATA[verizon-report]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1497</guid>
		<description><![CDATA[Where can you find a book review, information about the 60-day security review, and humorous commentary about the Verizon report all in one place? This post, of course. Finding the best posts by local security bloggers, we do our best to make your Mondays a little more interesting. #3 &#8211; Hack This Book Again: It turns out that @carnal0wnage isn’t the only one who decided to review Chained Exploits: Advanced Hacking Attacks from Start to Finish; Richard Bejtlich of TaoSecurity also reviewed Chained Exploits and arrived at a slightly different conclusion than @carnal0wnage. As you can see in our post from last week, @carnal0wnage felt that overall, the book wasn’t of particular use to professionals already in the security field. In contrast, Bejtlich says that while he agrees with some of the negative comments about Chained Exploits, he feels that many of the comments are unduly harsh. As he says in his review, “I don&#8217;t think it&#8217;s strictly necessary for a book to contain brand new security techniques in order to qualify for publication,” and that Chained Exploits does a good job of providing both old and new information. You can read the full review here. #2 &#8211; 60 Days And [...]]]></description>
			<content:encoded><![CDATA[<p>Where can you find a book review, information about the 60-day security review, and humorous commentary about the Verizon report all in one place? This post, of course. Finding the best posts by local security bloggers, we do our best to make your Mondays a little more interesting.</p>
<p><strong>#3 &#8211; Hack This Book Again</strong>: It turns out that <a href="http://www.twitter.com/carnal0wnage">@carnal0wnage</a> isn’t the only one who decided to review <em>Chained Exploits: Advanced Hacking Attacks from Start to Finish</em>; Richard Bejtlich of TaoSecurity also reviewed Chained Exploits and arrived at a slightly different conclusion than @carnal0wnage. As you can see in our post from <a href="http://www.novainfosecportal.com/2009/05/05/top-3-nova-infosec-blog-posts-of-the-week-7/">last week</a>, @carnal0wnage felt that overall, the book wasn’t of particular use to professionals already in the security field. In contrast, Bejtlich says that while he agrees with some of the negative comments about Chained Exploits, he feels that many of the comments are unduly harsh. As he says in his review, “I don&#8217;t think it&#8217;s strictly necessary for a book to contain brand new security techniques in order to qualify for publication,” and that Chained Exploits does a good job of providing both old and new information. You can read the full review <a href="http://taosecurity.blogspot.com/2009/05/review-of-chained-exploits-posted.html">here</a>. <span id="more-1497"></span></p>
<p><strong>#2 &#8211; 60 Days And Counting</strong>: With the 60-day security review nowhere in sight, <a href="http://www.twitter.com/rybolov">@rybolov</a> sums up our feelings perfectly when he says “I’m trying hard to be understanding here, I really am.  But isn’t the administration pulling the same Comprehensive National Cybersecurity Initiative thing again, telling the professionals out in the private sector that it depends on, ‘You can’t handle the truth!’” With the review supposedly turned into President Obama on the 17th, @rybolov makes the astute observation that “our information sharing from Government to private sector really sucks right now.” @rybolov then goes on to talk about how the government can’t seem to decide whether they’re a partner or a regulator, and why they need to choose one or the other instead of trying to (rather unsuccessfully) be both.  Because as @rybolov points out, the ‘are we a regulator or a partner’ conundrum is making it hard for the private sector to do their job. You can read the full post <a href="http://www.guerilla-ciso.com/archives/993">here</a>.</p>
<p><strong>#1 &#8211; Verizon in 5 Minutes or Less</strong>: If you didn’t get a chance to read <a href="http://www.novainfosecportal.com/2009/04/18/recent-studies-stress-back-to-basics/">our take</a> on this year’s Verizon report, Bejtlich has a great summary of it that will take you about 5 minutes or less to read. Taking screenshots from the report and adding a small commentary to each of them, what he had to say seemed to spark quite a discussion with readers. You can view the full post <a href="http://taosecurity.blogspot.com/2009/05/highlights-from-2009-verizon-data.html">here</a>.</p>
<p>Well, that’s all for this week. Be sure to check out our <a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">Blogs/Podcasts</a> page for more great security bloggers in and around the NoVA area. Also be sure to <a href="http://www.novainfosecportal.com/contact-us/">drop us a line</a> if you know of a blog or podcast that should be added to the list.</p>
<p style="TEXT-ALIGN: center">###</p>
<p style="TEXT-ALIGN: center"><em>In addition to <a href="http://www.novainfosecportal.com/general/help-us-help-you/"><span style="color: #b85b5a;">registering for SANS events</span></a> through NovaInfosecPortal, you can also help keep the site going by becoming a <a href="http://www.novainfosecportal.com/general/help-us-help-you/"><span style="color: #b85b5a;">subscriber</span></a>. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/05/11/top-3-nova-infosec-blog-posts-of-the-week-8/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/04/27/top-3-nova-infosec-blog-posts-of-the-week-6/</link>
		<comments>http://www.novainfosecportal.com/2009/04/27/top-3-nova-infosec-blog-posts-of-the-week-6/#comments</comments>
		<pubDate>Mon, 27 Apr 2009 10:00:37 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[dojosec]]></category>
		<category><![CDATA[ethical-hacker]]></category>
		<category><![CDATA[grapevine]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[internet-storm-center]]></category>
		<category><![CDATA[isc]]></category>
		<category><![CDATA[local-bloggers]]></category>
		<category><![CDATA[maltego]]></category>
		<category><![CDATA[marcus-j-carey]]></category>
		<category><![CDATA[NoVA Bloggers]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security-bloggers]]></category>
		<category><![CDATA[tao-security-blog]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1421</guid>
		<description><![CDATA[Who needs coffee when you have the best of this week’s local security bloggers at your fingertips? The featured blog post by Richard Bejtlich is sure to give you a jolt that’s espresso-worthy as he bashes the ISC’s take on incident response versus incident handling, and our favorite v-blogger Marcus J. Carey will have you seeing (and maybe even singing) the ‘grapevine’ in a whole new way. #3 &#8211; Don’t Trust the Grapevine: In his typical style, Marcus J. Carey opened his v-blog post “Heard It Through The Grapevine” with a real-life object/scenario (in this case, Marvin Gaye), and told his audience how it applies to security. It turns out that Gaye’s “Grapevine” has some hidden truths for security professionals about how to best deal with vendors. Drawing from the famous “Grapevine” lines, “people say believe half of what you see, son, and none of what you hear,” Marcus says the same should go for vendors: While they might show you a shiny new program that works perfectly on their network or equipment, there’s no guarantee that it’s going to work on yours. Our advice? Take the ‘bake sale’ approach; pick the top three technologies you’re considering, ask for demos, set those demos up, and [...]]]></description>
			<content:encoded><![CDATA[<p>Who needs coffee when you have the best of this week’s <a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">local security bloggers</a> at your fingertips?</p>
<p>The featured blog post by Richard Bejtlich is sure to give you a jolt that’s espresso-worthy as he bashes the ISC’s take on incident response versus incident handling, and our favorite v-blogger Marcus J. Carey will have you seeing (and maybe even singing) the ‘grapevine’ in a whole new way.</p>
<p><strong>#3 &#8211; Don’t Trust the Grapevine</strong>: In his typical style, Marcus J. Carey opened his v-blog post “Heard It Through The Grapevine” with a real-life object/scenario (in this case, Marvin Gaye), and told his audience how it applies to security. It turns out that Gaye’s “Grapevine” has some hidden truths for security professionals about how to best deal with vendors. Drawing from the famous “Grapevine” lines, “people say believe half of what you see, son, and none of what you hear,” Marcus says the same should go for vendors: While they might show you a shiny new program that works perfectly on their network or equipment, there’s no guarantee that it’s going to work on yours. Our advice? Take the ‘bake sale’ approach; pick the top three technologies you’re considering, ask for demos, set those demos up, and see how they actually work on your network and your equipment. But don’t just believe “what you hear;” be sure to <a href="http://blog.marcusjcarey.com/2009/04/heard-it-through-grapevine.html">watch the post</a> for yourself. <span id="more-1421"></span></p>
<p><strong>#2 &#8211; Ready, Set, Enumerate</strong>: In his post “Maltego Part II &#8211; Infrastructure Enumeration,” Chris Gates (on the Ethical Hacker Network) discusses infrastructure footprinting, which he says is “essential for identifying possible systems for remote attacks.” While Gates has a lot of great text about how to successfully carry out infrastructure footprinting, it’s the detailed screenshots that accompany the text that make this article worth the read. While it’s always nice to have clear instructions on how to do something, pictures are a definite plus (especially for those of us who are visual learners). But before you read <a href="http://www.ethicalhacker.net/content/view/251/24/">Part II</a> of Gates’s post, you might want to check out “<a href="http://www.ethicalhacker.net/content/view/202/24/">Maltego Part I &#8211; Intro and Personal Recon</a>” for background information.</p>
<p><strong>#1 &#8211; ISC Smack Down</strong>: Okay, so it’s really more of a ‘bashing,’ or a ‘difference of opinion.’ But no matter what you call it, we like it; it’s nice to see strong opinions now and again. And in his post “Speaking of Incident Response,” Richard Bejtlich certainly has a difference of opinion when it comes to a recent article published by the ISC entitled “<a href="http://isc.sans.org/diary.html?storyid=6205">Incident Response vs. Incident Handling</a>.” Bejtlich disagrees with the part of the ISC article that states “Incident Response is all of the technical components required in order to analyze and contain an incident,” and “Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.” According to Bejtlich, “[t]hat&#8217;s not right, and never was.” While Bejtlich tried pointing this out to the ISC moderators, he didn’t get very far. If you’d like to learn more about the real definitions of Incident Response and Incident Handling, you can check out Bejtlich’s article <a href="http://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html">here</a>.</p>
<p>Well, all good things come to an end, and so do these posts. But no worries: We&#8217;ll be back next week to make sure that your Monday starts off with something a little more interesting than the pile of work in your inbox.</p>
<p>If you think that we missed a post that should have been in our top 3, be sure to leave a comment below or send us a tweet <a href="http://www.twitter.com/grecs">@grecs</a>.</p>
<p style="text-align: center;">###</p>
<p style="text-align: center;"><em>It&#8217;s not too late! If you’re looking to get back to the heart of security basics, SANS has the perfect event for you in the form of their <strong>Application Security Workshop — What Works?</strong> workshop on April 29th. The workshop will cover the best ways to counter common attacks through general know-how, products, services, and configurations. If you’re interested, visit the <a href="http://www.novainfosecportal.com/general/help-us-help-you/"><span style="color: #b85b5a;">SANS section</span></a> of our Help Us Help You page to sign up for this workshop.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/04/27/top-3-nova-infosec-blog-posts-of-the-week-6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 3 NoVA Infosec Blog Posts of the Week</title>
		<link>http://www.novainfosecportal.com/2009/04/06/top-3-nova-infosec-blog-posts-of-the-week-3/</link>
		<comments>http://www.novainfosecportal.com/2009/04/06/top-3-nova-infosec-blog-posts-of-the-week-3/#comments</comments>
		<pubDate>Mon, 06 Apr 2009 09:38:08 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Blogs/Podcasts]]></category>
		<category><![CDATA[60-minutes]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[fortify]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[NoVA Bloggers]]></category>
		<category><![CDATA[obama-administration]]></category>
		<category><![CDATA[politics]]></category>
		<category><![CDATA[richard-bejtlich]]></category>
		<category><![CDATA[rybolov]]></category>
		<category><![CDATA[tao-security-blog]]></category>
		<category><![CDATA[the guerilla ciso]]></category>
		<category><![CDATA[the-internet-is-infected]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1317</guid>
		<description><![CDATA[NoVA Blogger rybolov was on a roll this week as he took two of the slots for our “Top NoVA Infosec Blog Posts of the Week” feature. Richard Bejtlich also made our list again with an interesting response to the 60 Minutes Story: &#8220;The Internet Is Infected.&#8221; While the three posts below are all very interesting, one of them was written on April Fool&#8217;s day. See if you can guess which one it is from our descriptions and then check the posts out for yourself to see if you guessed correctly. We’re always looking for great blogs by local infosec bloggers to consider for this feature, so if you know of one, please feel free to comment below or send us a tweet @grecs. You can also check out what other local infosec bloggers have to offer on our Infosec Blogs/Podcasts resource page. #3 &#8211; Fortify to Save Security: Known as “the guys with the cool FUD movie about how code scanning is going to save the world,” according to rybolov, he had a lot to say about why Fortify is good, and why it needs improvement. Rybolov’s biggest problem with Fortify? “Fortify has been trying to step up to the Government feed [...]]]></description>
			<content:encoded><![CDATA[<p>NoVA Blogger rybolov was on a roll this week as he took two of the slots for our “Top NoVA Infosec Blog Posts of the Week” feature. Richard Bejtlich also made our list again with an interesting response to the 60 Minutes Story: &#8220;The Internet Is Infected.&#8221;</p>
<p>While the three posts below are all very interesting, one of them was written on April Fool&#8217;s day. See if you can guess which one it is from our descriptions and then check the posts out for yourself to see if you guessed correctly.</p>
<p>We’re always looking for great blogs by local infosec bloggers to consider for this feature, so if you know of one, please feel free to comment below or send us a tweet <a href="http://twitter.com/grecs">@grecs</a>. You can also check out what other local infosec bloggers have to offer on our <a href="http://www.novainfosecportal.com/resources/infosec-blogs-podcasts/">Infosec Blogs/Podcasts</a> resource page.</p>
<p><strong>#3 &#8211; Fortify to Save Security</strong>: Rybolov describes Fortify as “the guys with the cool FUD movie about how code scanning is going to save the world,” and he had a lot to say about why Fortify is good and why it needs improvement. Rybolov’s biggest problem with Fortify? “Fortify has been trying to step up to the Government feed trough over the past year or so. In a rare moment of being touch-feely intuitive, <span id="more-1317"></span>from their marketing I get the feeling that Fortify is a bunch of Silicon Valley technologists who think they know what’s best for DC–digital carpetbagging.” And that’s just the beginning of the post. You can read the rest of Rybolov’s commentary about Fortify and what they are—and aren’t—doing to “fix” the government security problem on <a href="http://www.guerilla-ciso.com/archives/881">The Guerilla CISO blog</a>.</p>
<p><strong>#2 &#8211; Obama’s Cybersecurity Plan Revealed</strong>: Well, sort of, anyway. According to rybolov, an undisclosed source deep inside the 60-day cybersecurity review gave him the information that he wrote about in his post. The highlights? FISMA is failing, the Payment Card Industry standards do work, there is a cheaper way to meet PCI-DSS standards, and Scanless PCI can reduce the audit burden. Rybolov also contacted NIST’s Computer Security Resource Center and got what he called an “unofficial opinion” about what the Obama administration is trying to do with cybersecurity. If nothing else, you should <a href="http://www.guerilla-ciso.com/archives/889">read the post</a> for the “unofficial opinion;” it’s hilarious stuff.</p>
<p><strong>#1 &#8211; The Public is Infected</strong>: Okay, so maybe the public isn’t “infected” in the typical sense of the word, but it is “infected” with incorrect knowledge about the internet. While a recent special report by 60 Minutes entitled —what else—“The Internet is Infected” helped raise public awareness about security issues, it also propagated incorrect stereotypes about “hackers” and cybersecurity. Local NoVA blogger Richard Bejtlich looked at what the 60 Minutes program got right, what it got wrong, and what needs to change in the future for general security awareness to be more effective. He calls it his “humble point of view,” but in his case it is a very expert opinion (his many books are proof of that), which makes the post an especially interesting read. You can check out the full post <a href="http://taosecurity.blogspot.com/2009/03/response-to-60-minutes-story-internet.html">here</a>.</p>
<p><strong>Bonus</strong>: While it might not qualify as a top “post” per se, the classic “TomBot” diagram posted by rybolov last week is something that will start your day off on a good note. You can check out the diagram <a href="http://www.guerilla-ciso.com/archives/859">here</a>.</p>
<p>Well, since all good things must come to an end, that’s it for this week. Be sure to check back next Monday for more of NoVA’s best.</p>
<p style="text-align: center;"><em>###</em></p>
<p style="text-align: center;"><em>We love being part of the local security community, and we would love for you to be involved as well. There are two ways that you can get involved here at NovaInfosecPortal: You can purchase a <a href="http://www.novainfosecportal.com/general/help-us-help-you/">subscription</a> to the site, or you can be a guest poster. If you are interested in being a guest poster for NovaInfosecPortal, please <a href="http://www.novainfosecportal.com/general/help-us-help-you/">drop us a line</a>; we’d love to talk to you.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/04/06/top-3-nova-infosec-blog-posts-of-the-week-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

