Monday, June 8, 2009

what do you need to know to work in infosec?

Here's a list of things that are really handy to know for the day-to-day business of information security. Note that if you know how to do these things, then learning to review them is simply a matter of applying "audit methodology". I hope this list will be useful to me as a refresher and to others wanting to further their skills:

1. TCP/IP basics such as the OSI model, routing, protocols, ports and NAT
2. Construct a Check Point firewall rule base
3. Construct a PIX firewall rule set
4. Configure a Cisco router to the CIS benchmark
5. Configure VLANs and port mirroring on a Cisco switch
6. Deploy Microsoft security templates to a Group Policy Object
7. Configure a WSUS server and run MBSA to check it is working
8. Use the Solaris Security Toolkit
9. Administer a Linux box: enable/disable services, use package managers, etc.
10. Install Oracle and MySQL
11. Be able to construct an SQL query or two
12. Configure a web server or two (say Apache and IIS)
13. Configure an application server or three (say Tomcat, WebSphere Application Server, maybe BEA WebLogic)
14. Be able to use a web proxy (Burp, WebScarab) and a fuzzer
15. Know how the security controls of authentication, session management, input validation and authorisation are implemented securely in a number of application development frameworks
16. Configure an IDS or three (Snort, the IBM solution set)
17. Know the ten domains in ISO27002 and their content
18. Be able to identify control gaps from ISO27002 in your operations
19. Be able to build a security plan to address control gaps (planned end state, costs and benefits, dates, actions and responsibilities)

4 comments:

Dale said...

There are now 11 domains in ISO/IEC 27002 - Information Security Incident Management was added back in 2005.

Andre Gironda said...

@Dale:

What's extra funny about that is that none of the above advice appears to consider incident handling, forensics work, or e-discovery.

I was going to point out the obvious lack of interest in datasec and appsec, but idiots would point to IDS (#16) and web proxies (#14). Forget being able to read a line of source code and find a bug! That's for the application developers!

Others would cite #15 on "authentication, session management, input validation and authorisation", but really it's much more complicated than that, otherwise even the developers wouldn't make any mistakes. I would say more like "output encoding, parameterization, and implementation of multi-tier security patterns", but even that's not saying enough.

Oh -- don't forget #20: Configuring a Web Application Firewall with Vulnerability Assessment!

Matthew Hackling said...

Geez, everyone's a critic, hey!

Yup, there are twelve main sections in 27002. Eight of those are actually about controls; the others are about running the whole shooting match (risk assessment, security policy, organisation of information security and compliance).

http://en.wikipedia.org/wiki/Iso27002

IMHO you should outsource all computer forensics work to an independent 3rd party who can investigate it and take it all the way to the witness box, which is why I haven't really mentioned anything about evidence preservation etc.

Information security is the prevention, whereas computer forensics/litigation support/dispute services etc. is the painful cure that you want to avoid. It's almost a separate discipline, best suited to people with an ex-law-enforcement background.

James Spittal said...

Nice post Matt. Reminds me that I ought to brush up on WSUS, Snort and maybe Solaris when I get a chance.

Last time I installed WSUS, it was a chronic pain in the arse to say the least :-)
