"People, Process, and Technology" | Schneier on Security

Back in 1999 when I formed Counterpane Internet Security, Inc., I popularized the notion that security was a combination of people, process, and technology. Back then, it was an important notion; security back then was largely technology-only, and I was trying to push the idea that people and process needed to be incorporated into an overall security system.

This blog post argues that the IT security world has become so complicated that we need less in the way of people and process, and more technology.

He’s right. People and process work on human timescales, not computer timescales. They’re important at the strategic level, and sometimes at the tactical level — but the more we can capture and automate that, the better we’re going to do.

The problem is, though, that sometimes human intelligence is required to make sense of an attack, and to formulate an appropriate response. And as long as that’s the case, there are going to be instances where an automated attack is going to have the advantage.


Hacking Critical Infrastructure | Bruce Schneier

He writes:

An otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph:

At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead to deaths and cost the nation billions of dollars.

Why isn't the obvious solution to this to take those critical electrical grid computers off the public Internet?

I often ask myself the same question. Especially when I show a customer how relatively easy it is to gain access to the innermost network in the organization: it was directly plugged into the network connected to the public Internet.

“Show Me Maxim: No serious security vulnerability, including blatantly obvious ones, will be dealt with until there is overwhelming evidence and widespread recognition that adversaries have already catastrophically exploited it. In other words, ‘significant psychological (or literal) damage is required before any significant security changes will be made.’”

I Am Certified - You Are Secured

A terrific article and a must-read for all the people who believe certifications are more important than actual field experience.

"Security? I don’t care for it. I learned a long time ago that companies do not want security. They do not want assurance, they simply want a framework to ensure that they did no wrong. My goal is simplified ten-fold and my aim, ensure that someone on the C-level can cross their T’s dot their I’s and get on with their game of golf. Obviously golf is the only association to the word Ping [1] many will ever come to know."