Monthly Archives: March 2011

How to Learn the IT Skills of a Security Professional

In the comments to an earlier article, Ideal Skill Set For the Penetration Testing, a reader, Nicole, asked, “Does anyone have any suggestions on where I should start building practical skills?” I originally wrote this as an answer to her comment. But it’s a question I get a lot […]

CISA Domain 4 Information Systems Operations, Maintenance and Support

For 2011, ISACA has updated the domains, reducing them from 6 to 5. Domain 4 now includes Disaster Recovery from the old Domain 6. This section has six areas that you need to understand for the CISA exam.

1) Information Systems Operations

One of the management control functions is to ensure […]

CISSP Domain – Application Development Security

Application development security requires an awareness of how different environments demand different security. For example, the security for running a mainframe application that is not accessible by anything except the mainframe would be considerably different than the security for a web based application that anyone on the internet has […]

Finding Security Vulnerabilities in PHP Using Grep

Description: Using grep to find common web application vulnerabilities within your applications.

Introduction

It is a common misconception that companies need to purchase complicated and expensive software to find security vulnerabilities (bugs) within their applications. These specialized software applications, whether they be black-box or white-box, open-source or commercial, do make the […]

CISA Domain 3 Information Systems Acquisition, Development and Implementation

It’s interesting to notice how ISACA is aligning itself with the International Organization of Standards ISO/IEC 27002.  The title for Domain 3 is Information Systems Acquisition, Development and Implementation and the title for Section 12 of ISO/IEC 27002 is Information Systems Acquisition, Development and Maintenance.

There are 14 areas that […]

Joanna Rutkowska Reveals Her Process for Security Research

In our ongoing series of interviews, Joanna Rutkowska answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work she does.

Joanna Rutkowska is a strange combination of a security researcher and a system-level architect. She is the Founder of Invisible […]

CISSP Domain – Legal, Regulations, Investigations and Compliance

There are several topics we need to look at when we discuss the Legal domain of CISSP.  First you need some background and a couple of important distinctions:

Civil Law and Common Law — The most significant difference is in civil law judicial precedents and particular case rulings do not […]

CISSP – Steganography, An Introduction Using S-Tools

An Introduction to S-Tools

Steganography (as we discussed in our coverage of the CISSP Cryptography Domain) is the hiding of information within a picture, say a *.bmp file or a *.gif file.  To demonstrate steganography’s simplicity this article will cover a brief demonstration of hiding information within a BMP picture […]

iPhone Security: 10 Tips and Settings

The iPhone is one of the most popular mobile devices on the market with an array of downloadable apps for users to do any number of things. Its popularity and the users’ habit of downloading apps make it a popular target for malware developers and data thieves.

As I demonstrated […]

CISA Domain 2 – Governance and Management of IT

CISA – Domain 2 – Governance and Management of IT

ISACA has revamped the CISA material and this domain now contains the Business Continuity section from the old Domain 6. There are 13 areas that you need to understand in Domain 2.

1) Corporate Governance

Know the definition for corporate governance
Know what ISO 26000 […]

iPhone Security: iPhone Forensics

In this video, we will review the wealth of forensic data stored on an iPhone 3Gs using Paraben’s Device Seizure software.

The iPhone is one of the most popular mobile devices on the market and that makes it a popular target for malware developers and data thieves.

Some of the types […]

CISA – Domain Mapping for 2011 Exam

Several of you have been asking for a mapping of the new CISA 5 domains to the previous year’s six domains.  The new mapping is as follows:

The major change is the old Business Continuity and Disaster Recovery domain has been split into two parts and merged into Domain 2 […]

HD Moore Reveals His Process for Security Research

In our ongoing series of interviews, we got HD Moore to answer a few questions and pull back the curtain a bit on the methods, tools and motivation for the research he does discovering security exploits.

HD Moore is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the […]

OWASP Top 10 Tools and Tactics

Description: A tool for each of the OWASP Top 10 to aid in discovering and remediating each of the Top Ten

Introduction

If you’ve spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced […]

Standards for Penetration Testing

The cost and quality of penetration tests vary wildly between different vendors. As a response to those differences, a group of security professionals have been developing the Penetration Testing Execution Standard (PTES). We solicited some comments about this standard, and standards in general, from several people including:

Christopher Nickerson of […]

CISSP Domain – Business Continuity and Disaster Recovery

You only have to turn on the TV and watch some of the footage of the destruction caused by the tsunami in Japan to realize the importance of business continuity and disaster recovery planning or think back to the September 11 attacks and remember the destruction in New York City […]

CISA Domain 1 – The Process of Auditing Information Systems

First, get a copy of the CISA Review Manual and a copy of the Q&A CD.

Second, read one Domain, then answer all the questions on the Q&A CD for that Domain until you can answer every one correctly. As you answer the questions, look in the Review Manual for that […]

The CISA Domains – An Overview

ISACA’s 2011 CISA Exam material has been revised from six domains to five domains.  Prior to 2011 Domain 6 was Business Continuity and Disaster Recovery.  That old Domain 6 has been separated into two parts with Business Continuity being included in Governance and Management of IT which is Domain 2 […]

Charlie Miller Reveals His Process for Security Research

As the first in an ongoing series of interviews, we got recent Pwn2Own winner Charlie Miller to answer a few questions and pull back the curtain a bit on the methods, tools and motivation for the research he does discovering security exploits.

Charlie Miller is currently Principal Analyst at Independent […]

CISSP Domain – Cryptography and Security

There are books upon books about cryptography and this article will not attempt to regurgitate all of the historical background about the subject. However, there are some specific definitions and concepts that you need to understand in order to successfully navigate the CISSP exam and, for that matter, to […]