Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “NSA Crytolog Archives Declassified”, 2) “The Basics – CVSS”, and 1) “Steal of a Deal – VPS for $30/Year”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
FISMA Reform Bill Progresses in House: The newly-proposed Federal Information Security Amendments Act has been accepted by the Oversight Committee and will now go before the entire House for approval. What changes do you think might come into play as the bill traverses the House? Let us know in the comments below. (continued here)
New Event Announcements, Buy/Sell/Trade Gear & Security Gigs Community Forums: In order to try to expand the local community a bit we are experimenting with a forum. Why a forum over a mailing list or something? Well, there’s already a lot of local mailing lists out there so we didn’t feel there was a need to create another one. Plus forums seem to work pretty well for Defcon. What do you think of this forums idea? Excellent start to a great local community? Waste of time and redundant? Let us know in the comments below. (continued here)
Eradicating Cyber Crime with Herd Immunity: I’m a big fan of biological analogies when discussing information security. Obviously, it doesn’t always work out, but it’s usually an interesting analysis. Last week I came across this article by Lysa Myers in which she related vaccination theory to the eradication of cybercrime based on a talk at Black Hat EU. In the article she specifically discussed herd immunity. The common theory is that as long as some percentage of people are vaccinated against a virus, the remaining non-vaccinated people are automatically protected. Scientists typically throw around a percentage of 80%. (continued here)
The Basics – CVSS: Dark Reading recently posted an article about upcoming updates for the Common Vulnerability Scoring System (CVSS) so we thought it was time for another “The Basics” post to introduce this popular tool. CVSS basically provides an open standard for rating the severity of software vulnerabilities. Organizations often use CVSS as a foundation for prioritizing vulnerability remediation … at least that’s how we first came across it. Know of any good Version 2 spreadsheet templates out there? Let us know in the comments below. (continued here)
Kickstart a Documentary about Hackers in Uganda: We just wanted to help get the word out about this great project by Jeremy Zerechak. His goal is to produce a documentary that raises awareness of Johnny “@ihackstuff” Long’s Hackers for Charity (HFC) effort in Uganda … and now worldwide. You may remember Johnny from his best-selling Google Hacking books and no-tech hacking presentations from around the con circuit. For those that aren’t familiar with HFC, it is a non-profit organization that provides technical support for other charitable organizations in some of the poorest areas of the world. As part of this mission, they are often involved in related efforts such as providing food as well as job and computer training. (continued here)
Steal of a Deal – VPS for $30/Year: Not really a newsy story or some how-to but definitely something useful for those that are looking for a Linux-ish server to have off premises for security testing. The offer is from ChicagoVPS.net and for only $30 or $40 per year (and each year thereafter) you get a virtual private server (VPS). Do you have any experiences with ChicagoVPS? Let us know in the comments below. (continued here)
Extending the 20 CSCs to Gap Assessments & Security Models: At the ShmooCon Firetalks this year John “@pinfosec” Willis gave an interesting talk where he discussed the 20 Critical Security Controls (CSC) and how they could be adapted into a security maturity model using the Software Engineering Institute Capability Maturity Model Integrated (SEI CMMI) Maturity Levels (ML). This post is the accompanying article he wrote for that talk. (continued here)
NSA Cryptolog Archives Declassified: Very interesting… Looks like the NSA has recently declassified archives of its internal super-secret newsletter titled Cryptolog. The highly redacted issues span from the newsletter’s beginning in August of 1974 through the summer of 1997. Can’t wait to dig into this at some point… Check out their Cryptolog declassified information page for more details. And in case their site is down or they suddenly disappear, here’s a direct link to a merged PDF hosted on GovernmentAttic.org. Find any good tidbits in the archives? Let us know in the comments below. (continued here)
Security Awareness: To Train or Not to Train?: Several months ago I was listening to episode 300 of the PaulDotCom security podcast and I actually had my first exposure to someone arguing against security awareness in the panel titled “End User Security Awareness Training Hot or Not?” Prior to hearing this debate, the answer was obvious to me, and generally across most of the industry, that of course security awareness training was absolutely needed. No questions asked… But in the panel on the podcast I was quite taken aback by the excellent points several of the panelists made against blindly accepting this type of training. What is your stance on security awareness training? Let us know in the comments below. (continued here)
Hope everyone had a wonderful week. Have a great weekend!