Security's Everyman

Showing posts with label Security Catalysts Community.

Wednesday, July 23, 2008

Good stuff in the SCC

I just wanted to take a minute and point you to a couple of good conversations going on in the Security Catalysts Community.

Stop by and check these and the other posts out. This is a great place to get information, interact with other security professionals and stay on top of your game.

Monday, July 09, 2007

Learning Security

There is an interesting conversation going on over at the Security Catalysts Community that I wanted to point you to. It's about employees using ICMP tunneling to get around web filters. It is just an example of the many different topics that are discussed in the SCC.

For those of you who may not be familiar with the SCC, it is a gathering of passionate security professionals who want to have a place to interact with others who are of like mind. It consists of forums, a SILC channel for secure chat and other resources to help you do security better. There are other things in the works also that will be coming down the pike soon. The best part is the interaction that goes on between the members of the community. We have people from all different industries: financial, educational, government, private industry, the public sector. Our members work in different disciplines in security: beginner techs, programmers, researchers, penetration testers, administrators, managers, policy and compliance, and even CIOs, CSOs and CTOs. Many of these men and women have become my friends and I value what I have gained from the community.

I say all of this to invite you to stop by and take a look. You can spend time just looking around or apply for membership. It's all up to you. If you have a passion for security and want to join a group of people who are working towards changing the way we practice security, then you are the type of person the SCC wants and the SCC is probably the place for you.

Tuesday, May 01, 2007

Tip of the Day - Write it down

I don't plan on making this a daily habit, but a few things have crossed my mind and keyboard lately that have made me want to write about something that is often overlooked. One of the things that started this was a thread on the Security Catalyst Community about password policies. A comment was made about the need to use different passwords for different service accounts, the need for complexity, using things such as PWSafe to keep them organized, etc. Then the comment was made:

"Need I say that you should NOT write them down anywhere."

I replied that writing them down is a good idea as long as they are secured in case of emergency. In this particular case the guy who started the thread is the only IT guy for his company. The loss of these passwords could prove costly to the company. I know of a couple of instances where the lone IT guy left under bad circumstances and refused to tell anyone the passwords for the systems. They were able to recover them, but it wasn't easy or cheap.

Then this morning I was looking at the SANS @Risk Newsletter and it listed all the vulnerable apps. As I was looking at the list it occurred to me that many of these were small apps that are often installed unknowingly with other software, or they are small apps that you install and forget about. If these do not have auto-update features, then when they become vulnerable you are at risk and won't even know it. Having a list of ALL apps on your system and doing regular Google searches for updates or checking their web sites for them is a good idea. If you don't write them down then you won't remember them, and they will remain unremembered or at least you won't think of checking for updates.

Using things such as the freeware Belarc Advisor (free for personal use only) will greatly simplify your search for installed apps. There are also others out there that will give you a good snapshot of exactly what you have installed.
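
One way to keep that written-down list current on a Windows machine, as an added example that is not part of the original post: a PowerShell script that snapshots installed software to a CSV file and reports what changed since the last run, so apps that arrived bundled with other software stand out. The snapshot path and the function name `Get-InstalledApp` are assumptions, and only programs that register an uninstall entry in the registry are listed, so portable apps will not appear.

```powershell
# Added example: snapshot installed software and diff it against the last run.
# Assumption: the snapshot lives in the user profile; move it somewhere you back up.
$SnapshotPath = Join-Path $env:USERPROFILE 'installed-apps.csv'

# Where Windows installers register uninstall entries:
# 64-bit apps, 32-bit apps on 64-bit Windows, and per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledApp {
    # Entries without a DisplayName are patches or components, not apps.
    # Values are cast to strings so they compare cleanly with the CSV snapshot.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName,
            @{ Name = 'DisplayVersion'; Expression = { "$($_.DisplayVersion)" } },
            @{ Name = 'Publisher';      Expression = { "$($_.Publisher)" } } |
        Sort-Object DisplayName, DisplayVersion -Unique
}

$current = @(Get-InstalledApp)

if (Test-Path $SnapshotPath) {
    $previous = @(Import-Csv $SnapshotPath)
    if ($previous.Count -and $current.Count) {
        # A NOW line alone is a new install, a WAS line alone is a removal,
        # and a WAS/NOW pair for the same name is a version change.
        Compare-Object $previous $current -Property DisplayName, DisplayVersion |
            Sort-Object DisplayName |
            ForEach-Object {
                $tag = if ($_.SideIndicator -eq '=>') { 'NOW' } else { 'WAS' }
                "$tag  $($_.DisplayName)  $($_.DisplayVersion)"
            }
    }
}

# Save the new snapshot for the next comparison.
$current | Export-Csv -Path $SnapshotPath -NoTypeInformation
```

Apps that show up in the snapshot but never produce a WAS/NOW pair over time are the ones to check by hand for updates.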

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.