
Link to MP3
So, we officially have our first lost episode. I recorded episode 18 a while back with Michael Santarcangelo, but we had some crazy technical problems. When I tried to get everything edited together to make it work, I started having some major problems. Without getting into all the details, the recording was not salvageable. Sorry to Michael for this since I know he took his valuable time to record with me.
So now we have episode 19. I guess we could have just called this one episode 18 and gone on, but we are honest people over here at An Information Security Place Podcast. And as far as episode 19 goes, Jim and I have been balls-to-the-wall busy lately, and I have had a crazy schedule for over a month. Jim got a break in his schedule (probably more like forced a break) and coerced Kirk Greene to help him out in my place. And then Jim had some technical problems as well and ended up recording the last 15 minutes by himself (or Kirk pissed him off – not sure which). Yes, it has been a crazy time for us. But we are back, and hopefully we will get back on a regular schedule.
Now, here are the show notes for episode 19:
InfoSec News Update –
- Warm Fuzzy Story – Many Users say they’d sell company info for the right price! – Link Here
- Another Twitter Admin Account Compromised – Link Here
- New Tools Emerge To Ease Enterprise Fear Of Firewall Swapping – Link Here
- Acrobat with Yet Another 0-day – Link Here
- Fed Bank Worker Charged with Data Theft – Link Here
- More Federal Regs Coming for Power Companies – Link Here
- That's gonna leave a mark! – Multiple Vulns Found on McAfee's Website – Link Here
- Hacker’s demand: $10M for Virginia prescriptions database – Link Here
- Economy Note – Security Suffers Cuts but fares better than most – Link Here
Geek Toys -
Consultants Corner - DIY Security Testing Lab
Music Notes:
Vet
I have been answering quite a few security assessment RFPs lately, most of them geared toward penetration testing of the external and internal environment (you guessed it – PCI). What I have noticed is that the writers of the RFP typically do not include enough detail for the organizations attempting to answer it to give a solid response. Basically, if you need a good answer to your RFP, you have to give me enough to scope the amount of time it is going to take me to get the work done.
- If you have 200 external IPs and you want to have those scanned for vulnerabilities, and then you want to have those vulnerabilities used for penetration testing, I have to know that in order to scope.
- If you have some applications on those servers, I need to know if I will have credentials or if this is going to be totally black-box testing. I also need to have SOME idea of how many apps I am going to run up against.
- If you want me to scan your internal network for vulnerabilities, I have to know how many machines I am going to be scanning.
- Etc, etc, etc
If you would provide this kind of quantity information up front, I would not have to write up a bunch of questions and send them to you. You would not have to take the time to answer those questions (and probably send the answers to me 2 days before the responses are due). It really is simple: if I don't have this information, I have to guess, and you are going to get an inaccurate response (of course, you might be looking for a completely black-box test where I am blind to any information – the effectiveness and efficiency of that is for another blog post on another day).
Of course, many people will tell you that RFPs are often written in such a way as to discourage responses because the company writing the RFP already has a partner in mind, and that partner probably already has the answers to any questions. The RFP writer is simply going through the motions because of company policy. I get that.
But if you are writing an honest RFP, one that is simply inspired by a need and is seeking multiple responses from which the best is chosen, then please include the information needed in the RFP itself so things can proceed smoothly. Thank you for your consideration.
Vet
Finally the day has come. I have been pushing to get this done internally at Accuvant for a while, and things just never lined up. But now we finally are there. Yes, the Accuvant blog is up and running. You can find it at http://insight.accuvant.com.
There are already some great posts up by some of our uber-smart assessment consultants. We have some very high-end research guys on our team, plus just some of the best all around assessment people. There is no weak link on that team, and they continue to amaze me.
Some of you may not be aware that Dave Maynor joined our team at the beginning of the year. I was fortunate enough to sit next to him at a client down here in Houston as he smacked around their AS/400 environment. And not only is Dave smart, he is friggin' hilarious as well.
So anyway, go take a gander at the blog. Look for more great stuff to pop up on there.
Oh, and Accuvant has a Twitter account as well at http://twitter.com/Accuvant. It will likely be mostly reflecting blog posts right now, but there might be more in the future.
Vet