Like many organizations, we skipped Vista. So with Windows 7 we are facing the question “is Windows 7 good enough” or do we still need to pay for a third-party full disk encryption (FDE) product. This question was asked back in 2006 at the SANS Desktop Encryption Summit. The FDE vender’s felt their product was …
Today’s SANS Diary reminded me of something that happened a while back. The SANS entry New Risks in Penetration Testing was concerned that reputation scoring for an IP could be effected by pen testing from that IP address. I guess someone is taking the old Senderbase concept and applying it to all traffic. The helpdesk received an …
People tend to not prioritize their risk correctly. SANS Top Cyber Security report in September 2009 pointed out that people are not patching third party applications or taking care of web servers correctly. I recently ran across the image below (click for full size) that showed the number of deaths in the last 300 days …
SANS Top Cyber Security Risks report shows application patching is much slower than Operating System patching. Why does this occur? Is patching applications more difficult? In some cases patching JAVA may be cause issues with internal applications. But I haven’t seen a case yet where a Flash or Adobe Reader update has caused an issue. …
Continue reading ‘Enterprise Windows Application Patching’ »
“Step back, I’m certified.” I just passed the test for the GIAC Certified Forensic Analyst (GCFA). So I’m certified at the Silver level. I was happy to pass and happy to get the score I was shooting for. The GIAC certifications now have a Silver and Gold level. Back when I first received my GCWN …
The Gorilla CISO has a blog post about vulnerability management that is worth reading. It sounds really familiar, though I’m dealing with it on a much much smaller scale. ” The way we manage patch and vulnerability information is something out of the mid-80′s.” Tell me about it. Today I read RSS feeds (US CERT, …
I’m taking SEC508 at #sansforensicssummit in Washington DC through next Tuesday. Day one covered basics of the file system. I had some serious flashbacks to dealing with hexadecimal in the JMU Masters level Infosec program. In that program we had plenty of classes using Internetworking with TCP/IP Vol.1 by Comer. Actually one of my worst …
SANS has a course coming up in a few weeks in DC on implementing the Consensus Audit Guidelines. That caused me to take another look at www.sans.org/cag. Looks like they published an updated draft on May 9th. 2009. The name seems to have morphed from Consensus Audit Guidelines to 20 Critical Security Controls. What really …
The Center for Internet Security released a secure configuration benchmark for the iPhone. SCMag touts this as a good thing “For the first time, enterprises can apply security configuration best practices to Apple iPhones being used by their employees.” I would argue that there are a couple things wrong with this statement. First it seems …
Secunia has verified disabling javascript does not provide full protection against the zero day in all supported versions of Adobe Acrobat and Adobe Reader. The current exploit seen in the wild uses javascript to perform a heap spray for code execution. The vulnerability is in in a non-javascript function call. The original alert put out …
Continue reading ‘Zero Day in Adobe Acrobat and Reader Part 3 Oh Crap’ »