Entries by System Experts

Virtual server selection

I have been muddling through the “Hype”r-V blogs and emails that have inundated me over the past couple of weeks. I have also taken another look at the free ESXi server from VMware, and the XenServer 4.2 beta. Being in the midst of looking at all of these, one thing struck me about all of them […]

PCI-DSS Compliance is different than validation

An interesting discussion that I have been having of late, is the fact that many people do not really comprehend the difference between PCI-DSS compliance and validation requirements. Here it is in a nutshell: – Compliance: Everyone has to be compliant to 100% of the PCI-DSS standard 100% of the time, regardless of “level”. There […]

You get what you pay for: QSA Selection

Having recently come from my annual QSA re-certification class, it was obvious to me that there are some very large chasms in the interpretation and service level of offerings by QSA vendors. There are some very large companies that are basically selling you a check-box, and in reality are doing nothing to meet the intent […]

IPv6 and a Practical Security Ramification

I was reading a number of the recent Usenix papers on IPv6 transition, and the one thing that sparked a thought was the fact that there really is no “RFC 1918” space in the IPv6 world. I was wondering how many security architectures have a fundamental assumption that “you can’t get there from here”? I […]

War Dialing: The Forgotten Security Threat

The absolute root of hacking tools, techniques, and software is something called War Dialing: that is, dialing a phone number and trying to exploit the service on the other end. In the early 90’s, a small community of people developed software that would automatically scan phone numbers and categorize the answering system types. These programs […]

Web Application Identity Theft

Almost every company has some type of Web presence – ranging from simple brochure sites to sophisticated transaction-oriented applications – and therefore has some type of conduit from the general Internet to company resources and/or company data. The fact is that identity theft and access to confidential or private information through Web applications is […]

Hacking Insight

Mentioning the word hacker usually elicits a strong response, no matter who you talk to. The Chief Security Officer and virtually anybody on the street will each have something specific to say. The problem with this word is that it detracts from the real issue of making Internet resources more secure because of the emotional […]

Public Domain Tools

There are literally thousands of tools available to help you evaluate, analyze, or manipulate resources in your IT environment. Some do protocol manipulation or are protocol analyzers (to look at or “sniff” traffic on the network) and some focus on your critical network servers like the name service or the Web server. Some of the […]

Security Skill Certificates

The Internet community needs to have security skill certifications that are meaningful. Right now, there is a hodgepodge of organizations that offer certifications in a wide variety of areas. Last year there were at least 150 vendor-neutral information security certifications and 20 vendor-sponsored or vendor-specific security certifications. The fact is, most of these certifications are […]