Thursday, September 26, 2013

#06: 'Checkbox security', and security tube, and milestones

<rant> I am so tired of hearing 'checkbox security'.  For me, that term means we aren't doing enough, and just trying to get by.  When I was in the Navy, you could just get by just doing the minimum, and people notice. Were there days when I felt like doing the minimum? Heck yes, but not when it came to my job protecting my network.

I need to switch that term back to what it should be called... 'Compliance'.  COMPLIANCE !== SECURITY.  It's the bare minimum to start with if you want security.  Or at least be more secure.  I'm tired of just getting by doing the minimum, and I'm gonna change that next week.  I'm gonna rise up and make some shit happen.

I finished with the excellent C|EH All-in-one book, written by Matt Walker (ISBN: 978-0-07-177228-0).  If you're a n00b to the arena of ethical hacking and pentesting, like me, then you'll want to check this book out, especially if you're working toward getting your C|EH.  I was dismayed to find the C|EH test is just another multiple choice test.  You regurgitate what you 'know' and pass.  Much like the CISSP.  I think I am a little confused by how you go about taking the exam.  I've read the All-in-One, did fairly well on the practice tests in the back, and have attended a week-long ethical hacking course given by our local ISSA chapter.  Plus, there are tons of practice tests and questions that are free on the Internet.  Guess I just need to sit down, fill out the form and take the exam.

Now that I'm done reading the CEH book, I've started in earnest on learning Python.  Using the excellent 'Wood Rat' (Neotoma Muridae) book from O'Reilly, I usually read at night as I am going to bed. I can usually knock out about 10-12 pages a night.  To augment this, I saw that Vivek Ramachandran over at SecurityTube ( has started the "Pentester Academy" which allows you to take advantage of all of his excellent video training.  I have started the "Securitytube Python Scripting Expert" megaprimer/track that has Vivek explaining concepts like tuples, immutable strings, and if/when type loops.  The loops are nothing new, but I've not worked with scripting to the level I am about to learn with this.  Python is a freaking powerful language, and very VERY flexible.

I initally balked at the cost. It's $99 for the first month, plus $39/month thereafter.  But I figure with the book I'm reading and this, I can learn a lot.  Vivek does a good job of explaining concepts and I am fairly confident that I can/will learn Python using him and the O'Reilly book as an augment to the training.  You can find Vivek on Twitter @securitytube.  He doesn't pay me to say any of this, and his site really has a lot of great content, even Metasploit training.  And I heard on last week's Pauldotcom security weekly podcast that he is working on a Burp Suite series, which I'm highly excited about. You can find his interview with @pauldotcom here:

Lastly, we made our PCI milestones this quarter.  While I abhor the concept of 'compliance' frameworks, it's nice not to have that 500 pound gorilla on our collective backs, at least for a few days (that gorilla being 'management').  A lot of the stress was learning the processes for submitting reports to Tenable, our new QSA and inital setup of Nessus.  If you haven't find a good QSA, or are looking for a good vulnerability scanner, Nessus is very easy to learn, and the reporting is nice, concise, and easy to parse, and Tenable's QSA's are very knowledgeable and very efficient at explaining what is needed for the burden of proof.

Thanks for reading this.  You might be the only one.

No comments: