Parkinson’s Law

Posted on January 22, 2012 by Brad

Here’s an interesting tidbit from my Project+ studies. Parkinson’s Law states:

Work expands so as to fill the time available for its completion.

In other words, if you schedule “extra” time for work to be completed it will magically take exactly that long to do. People naturally pad to fill the available time. They might do this by wasting time and resources, or making a simple task overly complex, etc. The law was posited in a humorous essay for the Economist, but it really rings true. Be careful to manage any float time carefully, lest you or others fill it just because it’s there!

Posted in /dev/random | Leave a comment

Passed Security+

Posted on December 21, 2011 by Brad

I scheduled my Security+ exam last minute after getting my voucher late Monday to take the exam the very next morning. I was eager to get it out of the way before the holidays hit and I was sitting and spinning my wheels waiting for new appointments at the testing centers. So I woke up early and hit the road this morning,  sat for the exam, and passed it only missing about 2-3 questions. Now it’s on to the next task, Project+!

Posted in Certification, Technology | Leave a comment

Waiting…virtually speaking

Posted on December 18, 2011 by Brad

I’m on the wait list for a VMWare class online. I’m planning to take a vSPHERE 5: Configuration and Management class soon so I can go take the VCP exam. Virtualization has always fascinated me, but especially now that you can do some really powerful things with it. The idea that you can live migrate a virtual machine from one piece of hardware to another is just mind blowing. I’m sure those of you who see this all the time probably don’t think so anymore, but it still amazes me. Maybe someday it won’t, but come on…this is so cool!

This video is a little old now, but still a cool demo none the less. It shows how (in theory) you can switch off servers when load on your VMs is low to save energy but then spin them up in response to demand. From some quick research it looks like it wasn’t very feature complete in VMWare at first but they improved it to add iLO and IPMI wake up as well as scheduled spin up for when know when demand will increase and want to get out ahead of it. Not only does it allow you to save money and be more agile, but you can be greener too. What’s not to like? (yeah yeah, expensive VMWare licenses and support contracts…but still if the ROI is there, fantastic)

Posted in Certification, Technology | Leave a comment

Security+ Exam Prep

Posted on December 18, 2011 by Brad

I’m currently studying for the Security+ exam. Well, I’m done studying. I’m waiting to get my exam voucher from WGU now and go take the exam. Most of it is pretty straight forward stuff. If you have even a passing interest in infosec, most of it should be review. What I found most interesting while studying was disaster recovery and cryptography.

The DR was interesting just because I haven’t really given it a lot of thought before. I make onsite and offsite backups of my personal data and have read and (try to) live the Tao of Backup, but formal DR plans and procedures aren’t something I’ve done. I find it really interesting, especially from mindset of availability being one of a security officer’s responsibilities in conjunction with general IT staff.

My study also included some brush up on cryptography. I’ve always enjoyed learning about cryptography. I read Simon Singh’s “The Code Book” when I was younger and really enjoyed it (great book if you’re interested in learning about crypto and its impact on history). Even though math hasn’t always been my favorite subject, I always enjoyed reading about crypto and how it worked. Of course I knew about symmetric vs asymmetric cryptography and RSA/PGP, but I learned things like the differences between block and stream ciphers, how RC4 is used securely in SSL and insecurely in WEP, Twofish being beat by Rijndael for the AES standard, Blowfish was designed by Bruce Schneier (who I love), etc.

People on the Techexams forums have been singing the praises about Darril Gibson’s Security+ book. Though WGU provided adequate learning resources and only a dead tree edition is available, I decided to just go ahead and buy Darril’s book anyway. I wasn’t at all disappointed that I did, even if I bought it just before Amazon decided to drop the price from list price. :-( Hopefully a Kindle edition will be available soon. Last I heard from Darril in a blog post was sometime in the next 3 months. Anyway, you’ll find an excerpt from my review below.

I just finished reading Darril Gibson’s updated Security+ exam preparation guide “CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide“. The book is well written and seems to throughly cover the exam objectives of the SY0-301 as posted by CompTIA. I haven’t sat for the exam yet, but feel completely confident I will pass due in part to this guide.

As with most exam prep guides, this book contains practice questions and exams. The one thing that sets this book apart from others is the inclusion of detail explanations as to the correct answer for each question. Sometimes you’re left wondering about the rationale behind a certain answer being correct or the “best” answer, but this book leaves no mystery with its detailed answer keys. This is one feature I’d definitely like to see in more exam prep books.

Posted in Books, Certification, Reviews, Security, Technology | Leave a comment

Hello world!

Posted on April 16, 2011 by Brad

Working to restore old content. Please stand by. There will be cake.

If at first you don’t succeed, you fail.

Posted in Site News | 3 Comments

Hullo

Posted on June 21, 2010 by Brad

That’s right, this site is back from the dead. I feel rather bad for not having written anything here for awhile. That and WordPress 3.0 has just been released, and I figured that was just the impetus I needed to start blogging again. Check out some of the cool new features:

I can’t promise how active it will be in the immediate future as I’m going to be busy with a cross country move shortly, but rest assured I’ll do my best to keep the cobwebs here at bay. Thanks for dropping by.

Posted in Site News | Leave a comment

The New Insider Threat

Posted on February 16, 2009 by Brad

It’s not a new threat really. People inside an organization can always be a threat. It’s just that many people, some of them prominent security professionals, have been downplaying the insider threat lately in order to hype other emerging threats. I’m of the opinion that we’ll see insider threats rise through the year and probably into next. As the economy worsens, people who are becoming financially stressed may turn to corporate crime, or may retaliate for being laid off.

Prime example, news this week of a former Fannie Mae contractor leaving a malicious script designed to wipe out thousands of computers after he was fired for…a scripting error he made earlier in the month. Luckily they stumbled upon the script before it was set to execute. They might not have been so lucky though. Bruce Schneier has some good tips about reducing the threat trusted individuals can pose.

In the end, you can take several measures to reduce your insider risk but you can never eliminate it entirely. At the end of the day the weakest link always comes down to people. People are sometimes dishonest, it’s simply a fact of life. Luckily for the rest of us, they seem to be a pretty small minority.

Posted in Security | Tagged , | Leave a comment

Rubber Hose Cryptanalysis

Posted on February 15, 2009 by Brad


via xkcd

Posted in Humor, Security | Tagged , | Leave a comment

Nmap Network Scanning Review

Posted on February 5, 2009 by Brad

Nmap Network Scanning by Fyodor
Title: The long winded title for this book is Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, but I’ll just be calling it NNS.
Author: Gordon “Fyodor” Lyon
Rating: *****
Bottom Line: The definitive nmap book, for all your network scanning needs.

From the moment you start to read NNS, it is engaging and informative. The wealth of information contained in this book will have even hardcore nmap experts learning a thing or two about the preeminent network scanner. Of course, I expected nothing less from NNS because the author is nmap’s chief architect and programmer, Fyodor. Inside you’ll find his 11 years of network scanning experience distilled down into the ultimate nmap guide.

The material is presented in an engaging way, and wherever possible examples are given where the techniques described are applied in real world scenarios. The book is also littered with command line and output examples as well as diagrams. These items in addition to the text allow one to enjoy and learn from the book without having to sit in front of a command line and try every single command yourself. That said, it took me a bit of time to get through the book because I kept stopping to play with new options I’d learned. :)

From introductory network scanning (What’s a stealth SYN scan?), to scan optimization (Why is it taking so long?!), to advanced techniques (Learn how to write your own nmap plug ins!), NNS covers the gamut. Anyone who does even occasional network scanning with nmap (And you are scanning your network on a regular basis aren’t you?) owes it to themselves to pick this one up.

Posted in Books, Networking, Security | Tagged , , , , | Leave a comment

Bookmark Backup?

Posted on February 2, 2009 by Brad

Are you backing up your bookmarks? Oh, you don’t store local bookmarks? You use a social bookmarking website you say? Well I hope you weren’t using Ma.gnolia. They announced on Friday morning that they’ve experienced a catastrophic data loss. Wired is reporting Ma.gnoalia has lost both their production database and backups of user data. Bye bye bookmarks!

So my question to you is, do you have backups? Ma.gnolia didn’t. If they did have backups, my guess is they failed step 5 on the path to the tao of backup. While I have both local and off site backups (that yes, I test on a frequent basis…it’s all about restores!), I had overlooked my bookmarks. Luckily, they are safe and sound on del.icio.us. I might not be so lucky next time though. If you’re a del.icio.us user as well, I suggest you export a copy for safe keeping. Then take a moment to think about what else you have stored, and stored solely, in the cloud. Make sure you add those things to your backup procedures.

Posted in Technology | Tagged , , | Leave a comment