BitLocker vs Third Party FDE

Like many organizations, we skipped Vista. So with Windows 7 we are facing the question “is Windows 7 good enough” or do we still need to pay for a third-party full disk encryption (FDE) product. This question was asked back in 2006 at the SANS Desktop Encryption Summit. The FDE vendors felt their product was …


Dumb Ideas in Pentesting

Today’s SANS Diary reminded me of something that happened a while back. The SANS entry New Risks in Penetration Testing was concerned that reputation scoring for an IP could be affected by pen testing from that IP address. I guess someone is taking the old Senderbase concept and applying it to all traffic. The helpdesk received an …


Enterprise Windows Application Patching

SANS Top Cyber Security Risks report shows application patching is much slower than Operating System patching. Why does this occur? Is patching applications more difficult? In some cases patching Java may cause issues with internal applications. But I haven’t seen a case yet where a Flash or Adobe Reader update has caused an issue. …


Enterprise Vulnerability Management

The Gorilla CISO has a blog post about vulnerability management that is worth reading. It sounds really familiar, though I’m dealing with it on a much much smaller scale. “The way we manage patch and vulnerability information is something out of the mid-80’s.” Tell me about it. Today I read RSS feeds (US CERT, …


#sansforensicssummit Day1

I’m taking SEC508 at #sansforensicssummit in Washington DC through next Tuesday. Day one covered basics of the file system. I had some serious flashbacks to dealing with hexadecimal in the JMU Masters level Infosec program. In that program we had plenty of classes using Internetworking with TCP/IP Vol.1 by Comer. Actually one of my worst …


CAG Critics

SANS has a course coming up in a few weeks in DC on implementing the Consensus Audit Guidelines. That caused me to take another look at www.sans.org/cag. Looks like they published an updated draft on May 9th, 2009. The name seems to have morphed from Consensus Audit Guidelines to 20 Critical Security Controls. What really …


iPhone and CIS Secure Config Guide

The Center for Internet Security released a secure configuration benchmark for the iPhone. SCMag touts this as a good thing “For the first time, enterprises can apply security configuration best practices to Apple iPhones being used by their employees.” I would argue that there are a couple things wrong with this statement. First it seems …


Zero Day in Adobe Acrobat and Reader Part 3 Oh Crap

Secunia has verified that disabling JavaScript does not provide full protection against the zero day in all supported versions of Adobe Acrobat and Adobe Reader. The current exploit seen in the wild uses JavaScript to perform a heap spray for code execution. The vulnerability is in a non-JavaScript function call. The original alert put out …
