CERT, CERIAS, the Academy, and Google Video: Training Online
Mar 4th, 2008 by John Gerber
Albert Einstein once said, “I never teach my pupils; I only attempt to provide the conditions in which they can learn.” While my last posting may have concerned the Einstein program, I really am not obsessed with all things Einstein. Einstein’s quote is just so appropriate for today’s post. I am attempting to follow Einstein’s advice and try to provide the conditions by which we may all learn. There are four sites that I have found particularly interesting: Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS), Carnegie Mellon University’s Software Engineering Institute CERT Coordination Center (CERT/CC), the Academy, and Google Video. I may be cheating on Google Video, since it is the gateway to many other sites that have started putting training material online. I will go over how to access some of this informative material.
The Center for Education and Research in Information Assurance and Security (CERIAS)
CERIAS provides a very informative area for finding information on security. The information ranges from purely technical issues (e.g., intrusion detection, network security, etc.) to ethical, legal, educational, communicational, linguistic, and economic issues, and the subtle interactions and dependencies among them. The research available on the site is centered on eight subject areas:
- Risk Management, Policies, and Laws
- Trusted Social and Human Interactions
- Security Awareness, Education, and Training
- Assurable Software and Architectures
- Enclave and Network Security
- Incident Detection, Response, and Investigation
- Identification, Authentication, and Privacy
- Cryptology and Rights Management
The site offers news, blogs, papers, and podcasts. Of particular interest to me are the podcasts, because mostly they are vidcasts. Here are a few recent postings:
- “What are CSO’s thinking about? Top information security initiatives for 2008 and beyond …” by Anand Singh, Target Corporation
- “Electronic Voting: Danger and Opportunity” by Edward W. Felten
- “Tor: Anonymous communications for government agencies, corporations, journalists… and you” by Paul Syverson & Roger Dingledine
- “Security in a Changing World” by Eric Cole
- “CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations” by Ventkat Venkatakrishnan
- “Wireless Router Insecurity: The Next Crimeware Epidemic” by Steve Myers
- “Security, Soft Boundaries, and oh-so-subtle Strategies: How to Play Chess While the Board is Disappearing” by Richard Thieme
The research conducted through CERIAS includes faculty from six different colleges and 20+ departments across campus, all being made available for free. CERIAS offers a great opportunity to keep well informed on all security subject areas.
CERT Coordination Center (CERT/CC)
On the CERT site, you can find the most up-to-date material on security issues. Like CERIAS, information is available in whatever form you prefer (documents, podcasts, video, research tools). In short, it is a fantastic source for security information. I wanted to draw particular attention to the CERT Virtual Training Environment (VTE). It is a resource for information assurance, incident response, and computer forensic training. The site contains over 500 hours of material. Some of the VTE material requires membership in or affiliation with certain organizations. Still, there is a great deal of video content available for free. VTE “blends classroom instruction with self-paced online training, delivering training courses, anytime access to answers, and hands-on training labs all through the Internet”. Here are a few of the most recent publicly available courses:
- FAA 2008 IT/ISS Conference presentation slides
- IPv4-IPv6 Comparison
- IPv6 Addresses
- Vulnerability Remediation
- Vulnerability Assessment Reporting
- Best Practices for VA Tools
- Vulnerability Assessment Best Practices
- Errors During Vulnerability Analysis
- Vulnerability Analysis
- Vulnerability Assessment Methodology
- Vulnerability Assessment Basics
- DEMO: Hack Calculations
I cannot help but point out that CERT also provides some great podcasts in the areas of governing for enterprise security, measuring security, privacy, risk management and resilience, security education and training, threat, trends and lessons learned, and tips from the trenches: areas of practice. I have posted links on this site to a few of these top-notch security podcasts.
The Academy
Andrew Hay, a Canadian security professional and co-author of the upcoming book OSSEC Host-Based Intrusion Detection Guide, recommended I check out the Academy. I am glad he did. Registration is required to view the videos. The site brings together videos from various security sources, such as TippingPoint, SANS, IronPort, OSSEC, Cisco, Insecure, Tenable, Nokia, and FortiNet. The Academy's current videos cover the following security subjects:
- Anti-Spam - contributions by IronPort
- Content Filtering - contributions by FortiGate
- DLP - contributions by McAfee DLP
- Firewall - contributions by CheckPoint, Cisco PIX & ASA, Nokia, FortiGate
- IDS/IPS - TippingPoint, OSSEC
- Network Access Control (NAC) - Insecure
- SANS Institute
- VA/Pen Testing - contributions by Nessus, Nmap
- Wireless - FortiGate
Key contributors are Peter Giannoulis, Adam Winnington, Andrew Hay, and Jason Ingram. SANS is sponsoring the site. The Academy does request that “if you have an idea for a video please forward it to us or simply make the video yourself and send it through. Contact peter@theacademy.ca for a list of guidelines to follow when creating your contribution. If you believe you have something to say please send in an article submission for posting on the website. Any security related topic will do.” The site has some talented security professionals and a great security organization backing it. To quote Andrew, “The Academy is a user driven community and videos are created at the request of its members. Vendors can also leverage the site to showcase the features and capabilities of their products. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field.”
Google and the Rest of the Web
Of course, I should point out that SecurityMonks does have a presentation area where slides and videos done by experts in the field are posted. On the LifeHacker site, Wendy Boswell has done a posting, “Technophilia: Get a free college education online,” in case you are interested in subject matters other than IT security. To each his own, though I can see taking a break now and then. In which case, the University of California, Berkeley has posted a few of their classes on Google Video. There are plenty more from various universities. To access them, simply type “lecture genre:educational” into the video search box. Google has several genres, if you have a specific interest.
To return to the more geeky side of life, if you are interested in lectures given at the Googleplex, Google has made those available. There are TechTalks, designed to “disseminate a wide spectrum of views on topics ranging from Current Affairs, Science, Engineering, Humanities, Business, Law, Entertainment, Medicine, and the Arts.” Authors@Google is a “speaker series where thought-provoking, Zeitgeist-making, trend-setting authors come to the Googleplex to read from their works and share their thoughts.” You can view those videos on Google Video, or in the YouTube Talks@Google area. Finally, there are also miscellaneous videos that include marketing videos, recruiting videos, lectures, and more.
To return to the genres of educational security, type into the video search box: “genre:EDUCATIONAL IT security.”
Google, to help folks learn how to use Google Code, has posted some courses under “Google Code for Educators.” There are a few security video lectures:
- “Introduction to Web Security” by Neil Daswani
- “How to Break Web Software” by Mike Andrews
- “What Every Engineer Needs to Know About Security and Where to Learn It” by Neil Daswani
Of course there are many more fine sites. SecurityDistro, started by Spyro, contains a tutorial section that has some very good material. Of course there is the SANS Webcasts archive area. I just came across the “Learn Security Online” site that offers free and paid membership levels. Even TechVidSite has video presentations on security topics, if you can navigate through the site. A search on “IT” and “Security”, for example, returned over 7k matches, while “metasploit” returned 25. The above information and links are meant only as a starting place. I hope I have managed to stay true to Einstein and provided the conditions in which we may all learn a little more about the world of information security.
Might I suggest a new site that I’m involved with called The Academy (www.theacademy.ca) for online training videos.
Check it out and let me know what you think.
Just pointing out another Google resource that gives access to Google I/O Session videos and slides:
http://sites.google.com/site/io/
Google I/O was a two day developer gathering May 28-29. I’ll add this to the Presentation area.