I'm too tired to put enough effort into several blog posts even though I really want to, but next week is already looking painful, so I'm going to throw several different thoughts into this post.
First Thought: The CISSP CBK ain't so bad...
After spending the last week explaining what I consider core security ideals to people that should know better, I found myself really feeling that a senior security person should understand those core ideals as a minimum level of competency. For a keyboard guy, my opinion stands that the CISSP is not a measure of their ability, but I would expect a "hands-on" guy to know that material as well.
The latest TaoSecurity post mentions NIST 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security); maybe I'll start recommending that.
Second Thought: What should a CxO know?
I'm new to the whole CxO thing, but shouldn't the people in your CIO/CTO/CISO jobs understand the things from the first thought? I am thinking yes, they should have more than a PMP to make smart security decisions, but I'd like some feedback on that. Like I said, I'm new to that kind of environment. A lot of the people on the SBN that hold those positions seem to understand those concepts.
Third Thought: How do you fix a "porous" network?
By porous I mean more than one security hole at any one time, and usually a LARGE security hole. Back to the first thought: people seem to think that if you can fix one problem, the rest magically put themselves on hold while you fix that one and you can "catch up"...not! I am also new to real Incident Handling and Response (in the past I've been the guy getting to cause all the trouble), but I'm finding more and more holes and issues as we try to mitigate and fix the first issue. How do you make people understand that the problems don't stop coming in if you have poor network security or poor network design?
Fourth Thought: Initial feeling on SIMs
My initial take on Security Information Management devices is that they are great concepts. I'm starting to play with Cisco MARS, and thus far I am impressed with what it SHOULD be able to do. I'll let you know later how well it does.
Fifth Thought: Another unauthenticated full remote MS exploit...SCORE!
I love bugs that are on the level of MS03-026, MS04-011, and MS06-040. Mass pwnage on pentests is awesome. I hope this new MS08-067 ends up being that bad (and the msf module comes out at some point). We need a new DCOM or LSASS exploit. I love it when we get proof that network security isn't dead.
Last Thought: Really more of a "what would you do/recommend"
In our fictional example, you found pwdump on your Domain Controller (not put there by one of your admins), and the registry keys point heavily to its having been run successfully and the results having been downloaded. What do you do, or recommend to the customer?
The book/draconian answer is to wipe everything and start over. In people's experience, is that a real option for a real network without the ability for mass downtime? Is a mass password reset considered enough of a mitigation?
I would appreciate input from the people out there on our fictional scenario.