If you’re an IT auditor or security analyst and you don’t know how to ping a server, then I have some words for you:
So let’s do it.
I’m assuming most of my readers already know how to do this. If so, please answer the poll question at the bottom. If not, please read on, then answer the poll question. Thanks!
During an audit, I had a vendor provide me with access to data I shouldn’t have, no questions asked. I didn’t ask for the access, I just needed some information for my audit.
The audit involved checking some vendor software to determine whether it is patched by IT on a regular basis. I obtained from IT a screenshot of the version number of software that was installed, but needed to know the last couple of versions released by the vendor. The admin was going to send me the URL because he said I probably wouldn’t find the info on the vendor’s site. After a couple days of waiting for the URL, I took matters into my own hands and went to the vendor’s website.
I recently stumbled across an article discussing how to choose an outside IT auditor by Kevin Beaver that stated, “With a few exceptions, auditors aren’t highly technical”–and may not need to know the difference between firewalls and fire hydrants.
If you know me, you know the non-technicality of many IT auditors really bangs my keyboard (see the CISA posts listed below). An IT auditor who doesn’t have technical knowledge about IT is like a person who washes dishes without water.
Shon Harris is offering FREE Certified Ethical Hacking (CEH) videos for online viewing. According to Harris, all the videos together are over 25 hours long.
The videos are listed below and can be viewed at www.logicalsecurity.com/resources/resources_videos.html.
So what’s the catch? Make sure you read this entire post before you leap!
Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing. It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in the article:
- “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.
While reading a job description for an IT security analyst recently, I noticed that the details were somewhat vague. The position required so many years of the usual security requirements and experience with routers, firewalls, IPS, but it didn’t mention which ones.
Then I saw this statement, which explained the vagueness:
Matasano Security has released an upgrade to Flint, a FREE web application that examines firewall configurations. “Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems.”
According to Matasano, once you upload a firewall configuration, Flint:
A couple of weeks into a new job, I was told that I was now in charge of the Internet firewall. I suddenly realized I had two major problems:
- I did not know squat about firewalls.
- I did not know the firewall password.