Infosec Island: Year One Staff Picks - Part 2

Monday, September 20, 2010

Infosec Island Admin



A continuation of our Top 10 articles from our first year, listed in the order in which they were published:



Why Everyone Should Learn to be a Hacker

Author: Robert Siciliano
May 11, 2010

"I know enough about hacking to make all of my software un-usable, mess up my operating system, and crash my PC. I also know enough about hacking to re-install my operating system, re-install all my software and get my PC running fresh and relatively secure. I’m no criminal hacker. And I am not suggesting that. Nor can I program; I don’t know code but I do know enough to hack in a way that keeps me running, and again, secure.

Hacker isn’t a bad word and hacking isn’t a bad thing to do. It’s something that if everyone who plugs into a PC every day did, they’d be a heck of a lot more versed in the functionality and security of a computer."

Robert is a regular contributor on the site and always has interesting (sometimes controversial) topics to discuss. In this article, he stirs up the hornet's nest about what exactly a "hacker" is.


Compliance or Security?

Author: Mark Gardner
May 25, 2010

"In recent days I have read a few comments like "that's compliance, not security." This has puzzled me. When did the two become divorced?

I genuinely don't understand these comments, made when referring to a number of elements of information security. My first riposte is to pose a question. If you architect, design and build a superbly secure solution on a Tuesday, how is that security maintained on Wednesday when the services go live? Once live, I imagine that the architects and build team focus is on other projects, therefore the run and maintain of the security falls squarely into a Compliance function."

Compliance and its role in IT and Information Security is another ongoing debate on this site. In this article, Mark poses some questions on how the two might be more intertwined than is often thought.


Top 10 Reasons Your Security Program Sucks

Author: Amrit Williams
June 29, 2010

"In the security industry we like to fool ourselves into thinking that we can materially impact an organization's security posture.

We believe that new tools, a new framework, a new regulation, a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.

But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail."

A humorous but exacting look at the state of Information Security programs at many organizations.


Full Disclosure is Irresponsible

Author: Andy "IT Guy" Willingham
July 1, 2010

"I’ve always said that Full Disclosure is irresponsible and usually hurts more people than it helps and I still believe that is the case. The full disclosure crowd says that it is the only way to get the vendors to respond and release a patch and from time to time they are right but by and far today that is NOT the case. Most vendors, especially the big ones, will work with the researcher and release a patch in a timely manner. If they don’t then I’m much more amiable about releasing PoC or even a full exploit but even then there has to be responsibility. Releasing vulnerability details puts people in danger of having their lives screwed with by others in ways that can drastically impact them in negative ways."

This is a great article from Andy on the genuinely controversial concept of full disclosure versus private (responsible) disclosure. This article got some great comments and interaction from our members.


Better Security Through Sacrificing Maidens

Author: Pete Herzog
August 18, 2010

"Now, whether or not you agree with what is said here, and some may have fundamental problems with our reasons for taking the OSSTMM 3 in the direction which we have, you cannot dispute the value of the information provided by an OSSTMM 3 test. Some of you may be wondering what the Risk would be to give up on Risk and try such a strange, new method. You can only answer that for yourself. Only you know if your Risk method of security will scale indefinitely with you, if the costs of speculation and response products and processes are greater than the actual losses for you, and if you have enough maidens in your organization to feed all the dragons who show up during the full moons."

Pete Herzog, Founder of ISECOM, discusses the thought process behind the new Open Source Security Testing Methodology Manual (OSSTMM), with a focus on Trust rather than Risk. As usual, the concepts presented by Pete are thought-provoking and often controversial.



Well, that does it for our wrap-up. Thanks again to all of our contributors and to our readers for helping make Infosec Island a vibrant, healthy community.
Robert Siciliano: Thank you Michael!

Allan Pratt, MBA: Great list, Michael!