locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Thu, 20 Dec 2007
Podcast on SMTP egress filtering at Radio Free Security

In this podcast, I discuss security measures one can implement using SMTP proxies. Here, turnaround is fair play: Steve Fallin, Director of WatchGuard's Rapid Response Team, is the skeptic, and I'm the advocate of applying the power of a proxy to filter spam that originates from (bots on) your network, to control distribution of sensitive attachments, and to prevent certain kinds of information leaks. Given the audience for RFS, I use examples of features I've configured on Firebox X Core and Peak models, but the security principles and measures can be implemented on other proxy firewalls and secure messaging appliances as well.

Audio/MP3.

Archived at http://www.securityskeptic.com/arc20071201.htm#BlogID664 by Dave Piscitello  


Fri, 02 Nov 2007
Podcast on Fast Flux

At Scott Pinzon's invitation, I joined Radio Free Internet to chat about fast flux networks. Fast flux is an attack method that uses evasion techniques to frustrate law enforcement and anti-phishing responders by constantly changing the hosts on which bogus web sites operate, and the name servers fluxers use to lure you to those sites. Scott Pinzon has done a terrific job of making Radio Free Internet an informative and entertaining medium for learning security basics. Advanced topics are covered as well. The production of the podcasts and the personalities of both interviewers and guests are impressive. I'm excited with the results and hope to do more!

Audio/MP3.

Archived at http://www.securityskeptic.com/arc20071101.htm#BlogID658 by Dave Piscitello  


Thu, 17 May 2007
Improve your branch office security, one "A" at a time

Many networking and security practitioners are familiar with the triple A: authentication, authorization, and accounting. I've mentioned in previous blogs that we actually need more than three As. I recently recorded a podcast for searchNetworking.com in which I examine how the popular three-legged stool of security keeps growing legs.

Audio/MP3.

This podcast is also part of the Securing the Branch Office series, available at searchNetworking.com.

Archived at http://www.securityskeptic.com/arc20070501.htm#BlogID617 by Dave Piscitello  


Fri, 06 Apr 2007
Ethical Hacking, Redux

I received an email from a malware analyst who disagreed with my written and podcast criticisms of "ethical hacking". For the record, I've said on many occasions that ethical hacking is the perceived high road of cracking, an organized and sanctioned practice of identifying vulnerabilities in software. In practice, "open community" ethical hacking is a train wreck, widely practiced outside these parameters, by people with ambiguous motives, using few if any formal methodologies and acceptance criteria (note how I carefully qualified my claim).

I've tried to create the illusion of a verbal debate in a podcast.

Audio/MP3

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID607 by Dave Piscitello  


Fri, 09 Mar 2007
Endpoint Security: necessary but not sufficient

Determining whether a device is actively protected from malicious code, is running personal firewall software, and is correctly configured to use VPN adapters before admitting that endpoint to a network are common features of endpoint security. Many WLAN, switch and security system vendors are implementing variations on this theme today. These, however, are merely mile markers along the endpoint security highway. Future incarnations of admission control may check that an appropriate security policy is enforced at the endpoint, that critical files have not been altered, that no restricted-access files have been copied to the endpoint, and that any sensitive data residing on the endpoint is encrypted.

Read the full article at endpoint security or listen to the 5-minute podcast.

Audio/MP3

Archived at http://www.securityskeptic.com/arc20070301.htm#BlogID602 by Dave Piscitello  


Mon, 05 Mar 2007
Ethical Hacking re-visited

Ethical hacking is the perceived high road of cracking, an organized and sanctioned practice of identifying vulnerabilities in software. In practice, "open community" ethical hacking is a train wreck, widely practiced outside these parameters, by people with ambiguous motives, using few if any formal methodologies and acceptance criteria.

To learn why I have such a dubious opinion of ethical hacking, listen to this 8-minute podcast.

Audio/MP3

Archived at http://www.securityskeptic.com/arc20070301.htm#BlogID598 by Dave Piscitello  


Sat, 03 Mar 2007
Am I a Security Expert?

Frequently quoted, well-known and not-so-well-known members of the security community are referred to as security experts, practitioners, and professionals, with no real rigor or discrimination applied. In this podcast, I ask, "Am I a security expert?"

Audio/MP3

Archived at http://www.securityskeptic.com/arc20070301.htm#BlogID597 by Dave Piscitello