Saturday, July 30, 2005

Work and Personal

So I'd like to address 2 topics and what's going on with me right now, both somewhat technologically impacted ( and then of course some interesting links etc.. ):


I am having great fun right now with a mixture of PodCasting and the content @ . Free Buddhist classes for the masses, who said Podcasting wouldn't catch on. Today I sat in the sun on Manly beach for 2 hours learning and meditating :)


With no IT Security Strategy, comprehensive policy, budget, resources and incorrect internal reporting chains.... an outsource trying to drive the clients Information Security Policy and Information Security Management System; the emphasis has to be on initially enumerating information assets and classifying them as part of the companies risk profile / attack surface before engaging in anything else. This unfortunately means, in the absence of any current snapshot of information / physical assets or full knowledge of business processes, an independent audit is needed to achieve a baseline.. with subsequent scans / audits building upon this... with special focus paid to the ousourcing interface and contractual obligations on all parties. ( ...including the other outsourced services / interfaces from other companies / organisations.. )

It also denotes the need for a base level strategy and methodology. The most effective framework in information security right now is a subset of the Parkerian Hexad ( C.I.A. / Confideniality, Integrity and Availability ) ratings and also the OODA loop developed by John Boyd for gathering Intelligence and then Execution in Information Warfare.

General News:

I'd also like to mention a recently given speech at Blackhat by Michael Lynn an ex-ISS security researcher because many see it as a huge threat.... basically apart from the DNS root servers, everyone seems to forget about the routers(tm), as with Cisco's monopoly running IOS on most backbone infrastructure, why own 1000's of hosts.. when you can own the network? Ask yourself what else is ubiquitous... remember the SNMP issues and what about BGP or goofin' with the common implementations of the TCP/IP stack out there?

Some really cool people I admire in the Industry ( you gotta be known when you're in Wikipedia/ ):

Rob Thomas
Dan Kaminsky
Dan Geer
Bruce Schneier
Paul Graham

Some cool Penetration Testing / Information Security Consulting companies:


Information Security Testing Methodologies:


Back to the concept of network visualisation and graphing I have updated:

No comments: