
“Human progress is neither automatic nor inevitable… Every step toward the goal of justice requires sacrifice, suffering, and struggle; the tireless exertions and passionate concern of dedicated individuals.” — Martin Luther King, Jr.

While Dr. Martin Luther King Jr. was born on January 15th, his birthday is observed on the third Monday of January each year. That would be today. I wanted to take a moment to recognize Dr. Martin Luther King Jr. and all those great people who sacrifice tirelessly, even giving up their very life, to advance our society. Abraham Lincoln once said, “America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves.” Lincoln also said, “A house divided against itself cannot stand.” Dr. Martin Luther King Jr., by helping America face and deal a little with the societal injustices of his time, made America a bit more secure. Since security is what this blog is about, it seemed appropriate to recognize the day.

If you have a moment, head over to the Internet Archive site and listen to Dr. Martin Luther King Jr. give the “I Have a Dream” speech (August 28, 1963). It is very powerful to listen to the original speech given by the man himself. If you are unfamiliar with the Internet Archive site, take a look around. It is a non-profit organization whose purpose is to build an Internet library, offering permanent access for researchers, historians, and scholars to historical collections that exist in digital format. It is also the site that maintains the Wayback Machine, which provides an archive of snapshots of the Web since 1996.

With that said, I wanted to point to a few additional security documents added to the “Bookshelf” page of Security Monks. I am afraid pulling and reading those documents has taken up my time this weekend. I have also been working on some technical issues that I hope to write up and post soon. And I may have spent a little too much time watching the Giants win their spot in the Super Bowl. We are a product of our past.

One final thought. This week, I attended a security meeting where the CIO, as part of his talk, played a video clip from YouTube taken from one of the news channels on the cyber threat of China. I found it to be a fluff piece. That started me thinking. Sometimes people need things simple. I personally really enjoyed Noah Gift’s posting on the O’Reilly ONLamp Blog titled “Random YouTube Techie Gold.” While I enjoyed those videos, I can see how most folks might not find the videos as funny as I did. If you are looking to direct your manager to something he/she might enjoy, send them over to the National Public Radio (NPR) site. NPR has been running a four-part series on cybercrime on its Weekend Edition Sunday program. It is not video, but the programs are under ten minutes. Your manager can listen to these short clips while rushing to meetings. If you must have video, SANS has begun posting to YouTube. For example, “Eavesdropping on Bluetooth Headsets” by Josh Wright might interest a few people. As of today, there are 27 videos posted.

Below are a few documents recently released that might be of interest. They will be added to my bookshelf.

10th Annual Global Information Security Survey 2007 of Ernst & Young

Here is a basic description, “The 10th Annual Global Information Security Survey examines the current state of information security, and the major factors shaping the future. The report looks at how organizations are aligning information security with their business objectives, what is driving the need for and improvements in information security, how organizations are managing their information security function, and how organizations are staffing information security.”

NIST SP 800-53A: DRAFT Guide for Assessing the Security Controls in Federal Information Systems

Here is a basic description, “This final public draft provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans.”

Mapping of NIST SP800-53 Rev 1 With COBIT 4.1

Here is a basic description, “This document contains a detailed mapping of NIST SP800-53 Rev 1 with COBIT 4.1 and also contains the classification of the standards discussed in this paper as presented in the overview document COBIT® Mapping: Overview of International IT Guidance, 2nd Edition.”

NIST SP 800-44 V2: Guidelines on Securing Public Web Servers by Miles Tracy, Wayne Jansen, Karen Scarfone, and Theodore Winograd

Here is a basic description, “It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers.”

NIST SP 800-60: Volume I and II: Guide for Mapping Types of Information and Information Systems to Security Categories by Kevin Stine, Rich Kissel, Jim Fahlsing, and Jessica Gulick

Here is a basic description, “The draft revision to Volume I contains the basic guidelines for mapping types of information and information systems to security categories. The appendices contained in draft Volume II include security categorization recommendations and rationale for mission-based and management and support information types.”

NIST SP 800-115: Technical Guide to Information Security Testing (Draft) by Murugiah Souppaya, Karen Scarfone, Amanda Cody, and Angela Orebaugh

Here is a basic description, “It seeks to assist organizations in planning and conducting technical information security testing, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security testing processes and procedures. SP 800-115 provides an overview of key elements of security testing, with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use. Draft SP 800-115 is intended to replace SP 800-42, Guideline on Network Security Testing, which was released in 2003.”

Center for Internet Security Benchmark for MySQL Version 4.1, 5.0, and 5.1 Community Editions edited by Mike Eddington, Leviathan Security Group

Here is a basic description, “The Benchmark is a compilation of security configuration actions and settings that ‘harden’ MySQL databases. It recommends Level 1 Benchmark guidance, representing the prudent level of minimum due care for operating system security.”

Center for Internet Security Benchmark for Apache Web Server v2.1 edited by Ryan Barnett

Here is a basic description, “The Benchmark is a compilation of security configuration actions and settings that ‘harden’ Apache web servers.”

Apache Security by Ivan Ristic

Richard Bejtlich wrote, “AS includes better coverage of several topics which I believe are core to securing Apache. I liked AS’ discussion of chroot environments and jails, although the author should distinguish between chroot on Linux or BSD and jail on BSD alone. AS features a whole chapter on proper PHP deployment (Ch 3), and a whole chapter on SSL/TLS (Ch 4). AS devotes another chapter to explaining how to host multiple Web sites on one host (Ch 6), which is critical to many Apache environments.”

ModSecurity Reference Manual

Here is a basic description, “ModSecurity is an Apache module that adds intrusion detection and prevention features to the Web server. In principle it is similar to an IDS you would use to analyse your network traffic, except that it works on the HTTP level and understands it really well. Because of this it allows you to do things that are normal from the HTTP point of view but are difficult to do from a classical IDS.”
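To make the “works on the HTTP level” point concrete, here is a small ModSecurity configuration fragment I put together as an illustration; it is an added example, not text from the Reference Manual, and the rule ids and status codes are arbitrary choices of mine. A packet-level IDS sees bytes on port 80; ModSecurity sees the parsed request, so a rule can reason about the HTTP method or about each decoded request argument directly.

```apache
# Added example (not from the ModSecurity Reference Manual). Assumes
# ModSecurity 2.x loaded into Apache; rule ids 1000001/1000002 are
# arbitrary values chosen for this illustration.
SecRuleEngine On
SecRequestBodyAccess On

# Phase 1 (request headers): refuse any HTTP method the site does not use.
# This is a protocol-level decision that a network IDS would have to
# reconstruct from raw packets; here it is a one-line check.
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST)$" \
    "id:1000001,phase:1,deny,status:405,log,msg:'Unexpected HTTP method'"

# Phase 2 (request body parsed): inspect every query-string and form
# argument after URL and HTML-entity decoding, so an encoded payload is
# matched on its decoded form rather than on the wire bytes.
SecRule ARGS "@rx (?i)<script" \
    "id:1000002,phase:2,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,msg:'Script tag in request argument'"
```

Both rules log to the Apache error log (and the ModSecurity audit log if enabled), so a first deployment would normally use `pass` instead of `deny` and review what the rules would have blocked before turning enforcement on.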
