Author Archives: Darryl

About Darryl

IT Security guy. Husband. Dad. Not necessarily in that order.

Infosec Isn’t The Gated Community You Think It Is

Years ago I saw an online ad for the Security B-Sides Halifax conference in Halifax, Nova Scotia, Canada. I was working as an information security professional at the time, but I had never attended any “Infosec” conferences. The introvert in me didn’t like the idea: “I wouldn’t fit in.”

Then I started thinking:

“If you want to get anywhere in this industry, you need to get yourself out there.”

So I did.

Upon further research, I discovered that Security B-Sides Halifax was happening the day after the first annual Atlantic Security Conference. I logged into LinkedIn, found the Atlantic Security Conference organizer, and connected with him via a mutual connection.

To make a very long story short, I now sit on the Board of Directors for the Atlantic Security Conference. I organize my own Security B-Sides event and other local technology user groups in my area. I’m working in a field that I only dreamed of a few short years ago.

Infosec professionals are actually a very sociable group once you take the time to reach out. The community is very welcoming, which is surprising because the majority of us are introverts.

Follow these simple steps to break into the community.

1. Twitter

If you don’t have a Twitter account, get one. Seriously, get one now! There’s a very large Infosec community on Twitter. Follow #infosec. Take part in the discussions. Follow the users who also take part in those discussions. Post relevant information, a link to a personal blog post, or just a link to an interesting Infosec story you found. If you have an Infosec question, ask it! You may be pleasantly surprised at the response time and quality of the answer(s).

The next thing you know, you will be sitting next to someone at an Infosec conference that you follow on Twitter. This still happens to me on a regular basis.

2. Network

We have all heard about networking over and over, but it actually does work!

Find local tech user groups in your area. If there are none, start one! The user groups don’t have to necessarily revolve around Infosec. Just get out and meet new people with an interest in tech.

If you can, volunteer at a conference. If you can’t volunteer, attend one, like DellWorld for example. Either way, you will meet industry professionals who may be willing to help you later on in your career.

3. Present at conferences and user groups

If someone told me three years ago that I would be presenting at conferences, I would have said they were nuts.

I presented at a conference a few weeks ago, my sixth in the last three years.

I actually hate presenting, but it gets easier each time. The more I push myself, the better I feel when the talk is done. I know plenty of speakers who feel the way I do, but they put on some awesome talks!

It doesn’t take much to get started. Start small with a lightning talk (5-15 minutes in length).

So get out there and push through that locked gate. You can thank me later when we meet in person at DellWorld.

This post is syndicated via Dell content channels. My opinions are my own and do not reflect those of Dell or my employer.

Penetration Testing Report Templates

Sample Penetration Test Report by Offensive Security — An excellent report by an excellent team.
www.offensive-security.com/offsec-sample-report.pdf

Writing a Penetration Testing Report — Probably one of the best papers on this subject. It was written by Mansour A. Alharbi for his GIAC certification. The author starts with the report development stages, then describes the report format, and ends with a sample report.
http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343

Report Template — A report template by vulnerabilityassessment.co.uk
www.vulnerabilityassessment.co.uk/report%20template.html
PDF version:
http://www.okdhs.org/NR/rdonlyres/EDC02492-637C-4C45-B305-35856EBEE8DF/0/SecurityPenetrationTestResultsRprttemp_EPMO_05052009.pd

Penetration Testing Report — Sample report by niiconsulting.com
http://www.niiconsulting.com/services/security_assessment/NII_Sample_PT_Report.pdf

Penetration Test Report — Another good sample report
www.besnard.org/biometrics/2BIO706_business_report.pdf

Penetration Test Report — Sample OSSAR report
www.digitalencode.net/ossar/ossar_v0.5.pdf

Penetration Testing Report Template — Template by logicallysecure.com
http://www.logicallysecure.com/resources/downloads/penetration%20testing%20report%20template.doc

Cross-posted from EthicalHacker.net

What is Security Posture?

What is Security Posture? It is your overall security plan: the approach your business takes to security, from planning to implementation. It comprises the technical and non-technical policies, procedures and controls that protect you from both internal and external threats. No business, large or small, is safe from potential security breaches. Anyone is fair game.

Why do you need to worry?

  • Hackers – Hackers scan networks for vulnerable systems that can be easily breached for malicious purposes. This can result in compromised data that, in turn, can cause lost customer confidence.
  • Disgruntled Employees – Employees bearing a grudge could easily walk out your door with company data on removable media. They could send internal company data to an external source (e.g. an FTP, SSH, or email server) or simply destroy company data from within.
  • Script Kiddies – Typically inexperienced hacker wannabes who use tools that are freely available on the Internet (e.g. LOIC – Low Orbit Ion Cannon, or BackTrack 5). In the wrong hands, these tools can cause significant damage.
  • Spammers – Spammers exploit vulnerable email systems to relay spam through your network infrastructure, often resulting in a network outage due to the traffic generated from your compromised network.

What can you do to protect yourself?

Determine what needs to be protected. This could include credit card numbers, confidential customer data, or corporate assets.

Figure out how your data might be acquired. A risk assessment should be conducted to determine any potential weak points in both your IT and physical controls.

Install controls to protect your data. This may be as simple as implementing a security awareness program for all employees, or as complex as installing a hardened network perimeter (e.g. DLP or IDS systems). The scope of the controls will be determined by your financial situation and the likelihood of compromised data.

In the end, you need to decide how much risk you can accept. This will determine a security posture that suits the needs of your business.
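The four steps above (decide what to protect, work out how it could be taken, apply controls, then accept whatever risk remains) are what a simple risk register does. The following Python is an added illustration, not code from this post or from any product it mentions: the assets, threat sources, 1–5 likelihood and impact scores, control names and the amount by which each control lowers a score are all constructed for the example, as is the risk appetite of 8.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Control:
    """A technical or non-technical control and how much it lowers a risk's scores.

    The reduction values are assumptions chosen for the example, not measurements."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One way an asset could be compromised, scored on 1..5 scales."""
    asset: str
    threat: str
    likelihood: int  # 1 = rare .. 5 = almost certain
    impact: int      # 1 = negligible .. 5 = severe
    controls: List[Control] = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact before any controls are applied."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Likelihood x impact after controls; neither factor is allowed to drop below 1,
    so a control can never make a risk disappear entirely."""
    likelihood = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    impact = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return likelihood * impact


def assess(register: List[Risk], appetite: int) -> Dict[str, List[Tuple[str, str, int]]]:
    """Split the register into risks within appetite and risks that still need treatment.

    Both lists are ordered from highest residual score to lowest so the top of
    'needs_treatment' is where the next control budget should go."""
    scored = sorted(((r.asset, r.threat, residual_score(r)) for r in register),
                    key=lambda row: row[2], reverse=True)
    return {
        "needs_treatment": [row for row in scored if row[2] > appetite],
        "accepted": [row for row in scored if row[2] <= appetite],
    }


# Constructed sample controls; names echo the post, reduction values are illustrative.
AWARENESS = Control("Security awareness program", likelihood_reduction=1)
IDS = Control("Network IDS at the perimeter", likelihood_reduction=1)
DLP = Control("DLP blocking removable media", likelihood_reduction=2, impact_reduction=1)

# Constructed sample register covering the threat sources listed in the post.
REGISTER = [
    Risk("Credit card numbers", "Hacker scanning for vulnerable systems", 4, 5, [IDS]),
    Risk("Customer database", "Disgruntled employee copying data to removable media", 3, 4,
         [DLP, AWARENESS]),
    Risk("Mail server", "Spammer relaying mail through the network", 3, 2, []),
    Risk("Public web server", "Script kiddie running freely available attack tools", 4, 3, [IDS]),
]

RISK_APPETITE = 8  # highest residual score the business will accept (assumed value)


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:20} inherent={inherent_score(r):2} residual={residual_score(r):2}  {r.threat}")
    result = assess(REGISTER, RISK_APPETITE)
    print("Needs treatment:", [row[0] for row in result["needs_treatment"]])
    print("Accepted:       ", [row[0] for row in result["accepted"]])
```

With these constructed numbers the credit card data (residual 15) and the public web server (residual 9) still sit above the appetite of 8 and need further controls, while the mail server (6) and the customer database (3) fall within it. Raising or lowering `RISK_APPETITE` is the "how much risk you can accept" decision the post ends on; the register only makes the consequences of that choice visible.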