Our official #totw was a RT by @mubix:

grecs RT @mubix RT @secureideas: “When pen tester tells U they luv something, get it off yr network.” @agent0×0: “I luv Sharepoint.” #defcon #totw

Honorable mention belongs to this tweet by @technogeezer because it’s so true!

grecs LOL.. RT: @technogeezer: Someone here at CSC now refers to physical meetings as getting together in ‘meatspace’ #totw

Now, on to the posts!

#3 – Lessons From the Sandbox: If you are  looking for great technical posts, @geminisecurity should be your first stop. Their latest post, “Protect Your Computer By Running Applications in Sandboxie” talks about the Windows utility Sandboxie—a program that allows you to run “applications in an isolated environment on your computer so you can protect yourself from malware, surf the web, and maintain your registry without affecting your host system.” They also note that “Sandboxie is a good alternative to setting up a virtual machine, especially if you just want to run a quick test or two without having to wait for an entire operating system to boot up.” Be sure to read the post and learn more about Sandboxie here.

#2 – The Bureaucracy Is Down: In his post “Blast From the Past,” TaoSecurity’s Richard Bejtlich uses an example from his own life that illustrates the sometimes ridiculous nature of tasks given by large organizations. In Bejtlich’s case, it was the Air Force that had given him and his co-workers what seemed to be an impossible mission: Centralize Air Force email within the course of a few months. Needless to say, such a feat was impossible in such a small amount of time. But now, nearly 11 years later, Bejtlich says that it is finally happening; that Air Force email will be starting the centralization process at Keesler Air Force Base, Miss. But as he says at the end of his post, “[s]o, about 11 years after being told to accomplish the same task, the effort will be done! I think there are lessons here for anyone with a similarly large, bureaucratic, turf-centric, distributed, decentralized, global organization.” Be sure to read the full post here.

#1 – Help Isn’t Coming: Leave it to @rybolov to hit the nail on the head when it comes to the Cybersecurity Coordinator position and why, even after two months, it still hasn’t been filled. In his post “Help Wanted,” he poses the following question: “So let me give you a hypothetical job: You have to give up your high-paying private-sector job to be a Government employee. You have tons of responsibility. You have no real authority. You have no dedicated budget. You have no staffers. The job has had half a dozen people filling it in the last 7 years. The job has been open longer than it’s been staffed over the past 7 years.” Does that sound like a job that any of you would want? Didn’t think so. By being blunt (unlike government officials), @rybolov makes excellent points as to why the Cybersecurity Coordinator position is still empty, and will likely remain that way unless something changes. Be sure to read his full post here.

Well, that’s all for this week. Be sure to follow us @grecs for more great posts throughout the week!

As everyone slowly recuperates from BlackHat, expect a large influx of must-read posts about the event. If you’d like to catch most of these posts, be sure to follow us @grecs during the week.

#3 – The Real CyberArmy: In his post “The CyberArmy You Have…” @rybolov opens with the military saying, “[y]ou go to war with the army you have, not with the army you wish you had.” This is especially true for the US as it charges ahead with its national Cybersecurity strategy without having having the proper skill set or the proper leadership. While Cyberwar is a top skill to have, @rybolov notes that “the existing contractor skillset is based on procedural offerings,” and that, “[t]o be honest, I see lots of people with cybersecurity offerings, but what they really have is rebranded service offerings because the skills sets of the workforce haven’t changed.” As much as we might think that we have a CyberArmy that can handle anything, @rybolov makes the excellent point that we need to see the CyberArmy that we actually have. To learn more about the CyberArmy we have and what we can do to make it better, read @rybolov’s full post here.

#2 – FUD for Thought: In his guest post for fudsec.com (the fud comes from fear, uncertainty and doubt), security expert Richard Bejtlich talks about threat-centric thinking being on the rise. Bejtlich makes the excellent observation that over the past few years, there has been a shift in perspective when DoS attacks occur. It used to be that when a DoS attack occurred, people would ask “how did it happen?” Now, the primary concern when a DoS attack occurs is “who did it?” But is the shift from “how” to “who” good or counterproductive? You’ll just have to read the full post to find out; Bejtlich’s answer might surprise you.

#1 – Sanitize Those Apps: A few weeks ago we featured the @geminisecurity post “Sanitizing Input in Web Apps (Part 1).” We ranked it at number one to emphasize the importance of sanitizing input for the web (and anything else, for that matter). That’s why when @geminisecurity rolled out with part two of their “Sanitizing Web Apps” article, we knew that it needed to fill the number one slot again. Sanitizing input for web apps is one of the basic tenants for securing web apps. When we forget to sanitize input, or skip what might seem to be a rather minor step, we’re doing ourselves and users a huge disservice. It goes back to our motto of doing the basics and doing them well; it saves you, and everyone else, a lot of headache in the end. More than that though, it helps keep everyone safer. And at the end of the day, isn’t that what we all want? While we step off our soapbox, head over to @geminisecurity to read the full post.

Well, that’s all for this week. Expect some interesting BlackHat posts this upcoming week!

Besides breaking down the basic information of AppSec DC in his post, @rybolov also mentioned the need for sponsors. As much as we all love conferences like AppSec DC, the reality is that they can’t happen without financial backing. If you, or someone you know, would be interested in sponsoring the AppSec DC conference, please email me or send me a tweet @grecs and I will forward your information to the people who can make it happen.

If you’d like a little more information about why you should attend, sponsor, or volunteer at this conference, check out the information below.

• Who: OWASP
• What: AppSec DC 2009
• When: 11-10 – 11-13-2009
• Where: Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001)

For more information on AppSec DC, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the OWASP wiki for more information.

o o o o o

Don’t forget, if you’re interested in sponsoring this conference, email me or send me a tweet @grecs.

In other words, the perfect reading material to go with your morning coffee.

Now, on to the posts!

#3 – Plan for BSOFH Happiness: Half sarcasm, half advice, @rybolov’s post “Federated Vulnerability Management” gives the nitty-gritty on government patch and vulnerability management. After talking about what’s wrong with government patches and vulnerability management, he recommends using SCAP to ‘fix’ the mess. While the post is a little longer than usual, it’s definitely worth the read.

#2 – Sexism, Religion, and Hackers: This is a topic that isn’t discussed enough. While DojoSec’s Marcus J. Carey did a v-blog post about sexism in the security field a little over two months ago, there hasn’t been much discussion about it since. That’s why it was refreshing to see @mubix respond to a post by @shazzzam and others about females in information security. Let’s be honest: it’s not fair, and there is a bias. But as @mubix points out, “[s]exism, and for that matter, any “-ism” is flawed on both sides.” This is a highly controversial post, but one that should be read. You can read the full post here.

#1 – White Hat for a Million: After his post “Black Hat Budgeting” got a fair amount of response last month, author and speaker Richard Bejtlich decided to revisit the million dollar security question this month by figuring out what white hat security could do with a million dollars compared to what black hat could do. The results? Not exactly pretty. As Bejtlich says at the end of his post, “I am much less comfortable building out this team, compared to the Black Hat Budgeting exercise. There are way too many variables involved in defending any enterprise.” With roughly $850,000 spent on staff, there’s only $150,000 left for technology. How does Bejtlich break it all down? Read the full post to find out.

Well, that’s all for this week. Be sure to follow me @grecs during the week for more great posts from local bloggers.

o o o o o

Know a blog that should be considered for our “Top 3 NoVA Infosec Blog Posts of the Week” feature? If so, send us a tweet with a link to the blog and the request for us to check it out.

# 3 – Hack This Book Again: It turns out that @carnal0wnage isn’t the only one who decided to review Chained Exploits: Advanced Hacking Attacks from Start to Finish; Richard Bejtlich of TaoSecurity also reviewed Chained Exploits and arrived at a slightly different conclusion than @carnal0wnage. As you can see in our post from last week, @carnal0wnage felt that overall, the book wasn’t of particular use to professionals already in the security field. In contrast, Bejtlich says that while he agrees with some of the negative comments about Chained Exploits, he feels that many of the comments are unduly harsh. As he says in his review, “I don’t think it’s strictly necessary for a book to contain brand new security techniques in order to qualify for publication,” and that Chained Exploits does a good job of providing both old and new information. You can read the full review here.

#2 – 60 Days And Counting: With the 60-day security review nowhere in sight, @rybolov sums up our feelings perfectly when he says “I’m trying hard to be understanding here, I really am.  But isn’t the administration pulling the same Comprehensive National Cybersecurity Initiative thing again, telling the professionals out in the private sector that it depends on, ‘You can’t handle the truth!’” With the review supposedly turned into President Obama on the 17th, @rybolov makes the astute observation that “our information sharing from Government to private sector really sucks right now.” @rybolov then goes on to talk about how the government can’t seem to decide whether they’re a partner or a regulator, and why they need to choose one or the other instead of trying to (rather unsuccessfully) be both.  Because as @rybolov points out, the ‘are we a regulator or a partner’ conundrum is making it hard for the private sector to do their job. You can read the full post here.

#1 – Verizon in 5 Minutes or Less: If you didn’t get a chance to read our take on this year’s Verizon report, Bejtlich has a great summary of it that will take you about 5 minutes or less to read. Taking screenshots from the report and adding a small commentary to each of them, what he had to say seemed to spark quite a discussion with readers. You can view the full post here.

Well, that’s all for this week. Be sure to check out our Blogs/Podcasts page for more great security bloggers in and around the NoVA area. Also be sure to drop us a line if you know of a blog or podcast that should be added to the list.

###

In addition to registering for SANS events through NovaInfosecPortal, you can also help keep the site going by becoming a subscriber.

While the three posts below are all very interesting, one of them was written on April Fool’s day. See if you can guess which one it is from our descriptions and then check the posts out for yourself to see if you guessed correctly.

We’re always looking for great blogs by local infosec bloggers to consider for this feature, so if you know of one, please feel free to comment below or send us a tweet @grecs. You can also check out what other local infosec bloggers have to offer on our Infosec Blogs/Podcasts resource page.

#3 – Fortify to Save Security: Known as “the guys with the cool FUD movie about how code scanning is going to save the world,” according to rybolov, he had a lot to say about why Fortify is good, and why it needs improvement. Rybolov’s biggest problem with Fortify? “Fortify has been trying to step up to the Government feed trough over the past year or so.  In a rare moment of being touch-feely intuitive, from their marketing I get the feeling that Fortify is a bunch of Silicon Valley technologists who think they know what’s best for DC–digital carpetbagging.” And that’s just the beginning of the post. You can read the rest of Rybolov’s commentary about Fortify and what they are—and aren’t—doing to “fix” the government security problem on the The Guerilla CISO blog.

#2  – Obama’s Cybersecurity Plan Revealed: Well, sort of anyways. According to rybolov, an undisclosed source deep inside the 60-day cybersecurity review gave him the information that he wrote about in his post. The highlights? FISMA is failing, the Payment Card Industry standards do work, there is a cheaper way to meet PCI-DSS standards, and Scanless PCI can reduce the audit burden. Rybolov also contacted the NIST’s Computer Security Resource Center and got what he called an “unofficial opinon” about what the Obama administration is trying to do with cybersecurity. If nothing else, you should read the post for the “unofficial opinion;” it’s hilarious stuff.

# 1 – The Public is Infected: Okay, so maybe the public isn’t “infected,” in the typical sense of the word, but it is “infected” with incorrect knowledge about the internet. While a recent special report by 60 Minutes entitled —what else—“The Internet is Infected” helped raise public awareness about security issues, it also propagated incorrect stereotypes about “hackers” and cybersecurity. Local NoVA blogger Richard Bejtlich looked at what the 60 Minutes program got right, what it got wrong, and what needs to change in the future for general security awareness to be more effective. You can read all about what he calls his “humble point of view” (which in his case is actually a very expert opinion; you can check out his many books as proof), making the post an especially interesting read. You can check out the full post here.

Bonus: While it might not qualify as a top “post” per say, the classic “TomBot” diagram posted by rybolov last week is something that will start your day off on a good note. You can check out the diagram here.

Well, since all good things must come to an end, that’s it for this week. Be sure to check back next Monday for more of NoVA’s best.

###

We love being part of the local security community, and we would for you to be involved as well. There are two ways that you can get involved here at NovaInfosecPortal: You can purchase a subscription to the site, or you can be a guest poster. If you are interested in being a guest poster for NovaInfosecPortal, please drop us a line and we’d love to talk to you. 

Overall, Rybolov is right on point! We really need to stop stressing being compliant and start focusing on risk management. Compliance should be a by-product of risk management, not the other way around.