Weekly Rewind – CISSP Value, Monthly Continuous Monitoring, Mobile Average Practices, & More

September 24, 2011

Here’s another edition of the Weekly Rewind, where we post a quick summary of all our stories as well as the industry articles you seemed to like the most from the past week. If you missed anything or happened to be offline, we hope you find this post useful as a quick reference.

Our Blog Posts

Where You Want to Be This Week for 2011-09-19: Where do you want to be this week? Now you’ll always know with our “Where You Want to Be This Week” feature, which will tell you about infosec meetups happening in your local area as of Sunday night. If you would like your event listed in our Calendar and in this post, contact us or mention it to @grecs on Twitter. A very light schedule for this week, and all you need to do is just show up and be ready to talk shop. Anyway, here are your meetups for this week. (continued here)

The Value of a CISSP: Local blogger Laura Raderman put out a great post last week titled “(ISC)2 and the CISSP.” I think she’s right on point in expressing how a lot of us feel regarding the (ISC)2, the CISSP, and the value they add to the security profession. Basically … meh … but need it to keep the job… (continued here)

How to Win Followers & Influence Friends: I had the pleasure of presenting at the inaugural Reverse Space Conference (RSCon) this past Saturday. I hope everyone learned a few things… I also picked up some additional tips from several of the attendees and am continuing to investigate other ways we can use Twitter more effectively to manage our careers. Thanks! For those that missed it, here is the title and abstract if you want a quick synopsis of what the talk was about. (continued here)

Will New Monthly “Continuous” Monitoring FISMA Requirements Work?: According to GovInfoSecurity as well as several other publications, starting next month federal agencies will be required to implement continuous monitoring as part of their obligations under FISMA. At a minimum, “continuous” is defined as monthly. All of their reported data needs to be fed into the CyberScope system. Oh, and for training and consulting on how to meet this new requirement, agencies must attend CyberStat sessions. Just a few things to ponder here… (continued here)

Mobile Security “Average” Practices: There have been a few articles over the past week describing some general suggestions on protecting mobile devices. Coincidentally, I’ve been doing some research on advice we could provide “average” everyday iPhone users on this topic, and these articles confirmed much of what I’ve found. Yeah, we could consider using one of the newfangled commercial MDM solutions, but for Mom and her personal iPhone this probably isn’t an option. Below you’ll find my favorite suggestions in priority order with some commentary. Note that, as with the original articles, I’ve kept these suggestions high level so as not to focus on any specific platform. (continued here)

Top 3 NoVA Infosec Blog Posts of the Week: It’s that time of the week again: the time where we take a look at what local security bloggers have been up to. If you can’t get enough of the local security scene, check out our NovaInfosec Twits list for even more great security blogs and people to follow on Twitter. As always, be sure to follow myself (@nathiet), @grecs, and @novainfosec on Twitter if you want to know more about what’s going on in the local security community during the week. (continued here)

A Few News Items that Pissed Me Off: There were several stories these past few weeks that just sort of … well, I’ll just say it … pissed me off. I know that’s not too professional of me, but it just gets my blood boiling. Companies just seem to be doing the wrong thing lately. Whether it be changing their terms of service (ToS) or downplaying potentially serious vulnerabilities, everyone is taking the sleazeball way out instead of standing up and fixing their security problems. (continued here)

Industry Articles

OS X Lion Passwords Can Be Changed by Any Local User: In OS X, user passwords are hashed and then stored in files called “shadow files,” which are placed in protected locations on the drive. Based on system permissions, the contents of these files can then only be accessed and modified by the user, or by administrators provided they first give appropriate authentication. This means that only the user can change their password, or if needed, an administrator can do this by first authenticating. Unfortunately, recent discoveries have shown that in OS X Lion this security structure is not intact, and any user on the system can modify the passwords of other local accounts quite easily. (continued here) [Grecs Note: OS X continues to have problems. That's why I'm waiting until 10.7.2.]

Hackers Break SSL Encryption Used by Millions of Sites: Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. (continued here)

Skype for iPhone Makes Stealing Address Books a Snap: If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device’s address book simply by sending you a chat message. In a video posted over the weekend, the security researcher makes the attack look like child’s play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you’ll have a fully-searchable copy of the victim’s address book. (continued here) [Grecs Note: With two or three similar incidents this year, you'd think Skype would have cleaned all these up already.]

Infographic: Two Decades of Malware: In the last two decades, malware has evolved from a simple, contained software virus to an unstoppable plague that can spread to millions of smartphone users in one foul click. Last year, Trend Micro’s analysts found that consumers were being targeted by up to 100,000 threats–a number that has tripled to 300,000 threats this year. (continued here) [Grecs Note: I always love these infographics. Print them out and post them on your cube wall. They make great conversation starters.]

Security Duo Finds Another Pair of Vulnerabilities in Android: Remember the duo who released an Angry Birds spoof application last fall in an effort to highlight some of Android’s vulnerabilities? If so, perhaps you also recall hearing that Google had to use the remote kill feature in Android around the same time. Well, those guys are back and, judging by their latest finding, things still don’t look to be all that secure. (continued here) [Grecs Note: The article includes a nice video showing their exploits in action.]

OnStar Tracks Your Car Even When You Cancel Service: Navigation-and-emergency-services company OnStar is notifying its six million account holders that it will keep a complete accounting of the speed and location of OnStar-equipped vehicles, even for drivers who discontinue monthly service. OnStar began e-mailing customers Monday about its update to the privacy policy, which grants OnStar the right to sell that GPS-derived data in an anonymized format. (continued here) [Grecs Note: No need to comment here; check out my "A Few News Items that Pissed Me Off" post above.]

IPv6: The End of Security As We Know It: Many people have seen IPv6 as a simple addressing extension to the existing internet and see few changes to the way we secure systems. These people cannot be further from the truth. IPv6 will change the way we think about security. We need to start planning now or we will be left in the dust. This is another topic I will be addressing in the coming weeks and months (so many security topics, so little time). (continued here)


One Response to Weekly Rewind – CISSP Value, Monthly Continuous Monitoring, Mobile Average Practices, & More

  1. Nathi Thwala (@Nathiet) on September 25, 2011 at 12:18 am

    Weekly Rewind – CISSP Value, Monthly Continuous Monitoring, Mobile Average Practices, & More http://t.co/Dl0y9zcE #novablogger
