Basic Security Principles/Information
Table of Contents
- How to Suck at InfoSec
- Getting Started with InfoSec
- Being the First Security Person
- Careers in Information Security
- Cognitive Bias
- Critical Thinking
- Common Vulnerability Scoring System
- Fundamental Papers
- Helping Others
- Asking Better Questions
- Normalization of Deviance
- Problem Solving
- Regular Expressions
- To Do:
- Add 'Day 0' Stuff - First member of the security team
- Learning the Ropes 101: Introduction - zsec.uk
- InfoSec Newbie List by Mubix
- A collection of resources/documentation/links/etc to help people learn about Infosec and break into the field.
- One week of bugs - danluu.com
- I could do that in a weekend! - danluu.com
- Zero-One-Infinity Rule - catb.org
- Every TED Talk Ever, In One Brutal Parody - FastCompany
- Improving Infosec (or any Community/Industry) in One Simple but Mindful Step - Matt Graeber
- 40 Key Computer Science Concepts Explained In Layman’s Terms - carlcheo.com
- Software Engineering Body of Knowledge (SWEBOK) - IEEE
Infra Living Standard — whatwg.org
- Last Updated 30 August 2019; The Infra Standard aims to define the fundamental concepts upon which standards are built.
- The Most Important Productivity Lesson I Ever Learned - Daniel Messler
- How to exit Vim
Every Security Team is a Software Team Now - Dino Dai Zovi (Black Hat USA 2019 Keynote)
- As software is eating the world, every company is becoming a software company. This doesn’t mean that every company is shipping software products, it means that services and products in every field are becoming increasingly driven, powered, and differentiated by software. Let’s explore what that will do to how cybersecurity is practiced in enterprises of all types.
Peter Drucker famously said that “Culture eats strategy for breakfast.” There have been two large cultural shifts in software engineering over the last 20 years that created the successful strategies behind how software is eating the world. First, there was Agile (2001). In response to the inefficiencies of classic “waterfall” software development, Agile focused on breaking down the barriers between software requirements, development, and testing by having software development teams own their roadmaps as well as their quality. Separate product management organizations evolved into product owners working directly with the software team. Similarly, separate quality assurance organizations evolved into a focus on building quality into the software development process. This should remind us of how we talk about needing to build security in, but most importantly, this change was effected by software teams themselves vs. forced onto them by a separate security organization. There is a lesson to be learned there.
Next came DevOps (2009), which brought the agile mindset to server operations. Software teams now began to own their deployment and their uptime. Treating software teams as the end-user and customer has driven the replacement of traditional ops with the cloud and replacing the traditional stack with serverless models. Ops teams evolved into software teams that provide platforms, tools, and self-service infrastructure to internal teams. They provide value by increasing internal teams’ productivity while reducing costs to the entire organization through economies of scale and other efficiencies.
When a cross-functional team owns their features, their quality, their deployment, and their uptime, they fully own their end-to-end value stream. Next, they will evolve to also own their own risks and fully own their end-to-end impact. There are two big shifts involved as teams begin to own their end-to-end impact: software teams need to own their own security now and security teams need to become full-stack software teams. Just as separate product management and quality assurance organizations diffused into cross-functional software teams, security must now do the same. At his re:Invent 2018 Keynote, Amazon’s CTO Werner Vogels proclaimed that “security is everyone’s job now, not just the security team’s.” But if security is every team’s job, what is the security team’s job? Just like how classic ops teams became internal infrastructure software teams, security teams will become internal security software teams that deliver value to internal teams through self-service platforms and tools. Security teams that adopt this approach will reduce the risk to the organization the most while also minimizing impact to overall productivity. In this talk, we’ll explore how this is already being done across high-performing companies and how to foster this security transformation at yours.
Real Software Engineering - Glenn Vanderburg (Software Art Thou)
- The idea is spreading that perhaps software development is simply incompatible with engineering; that software developers are not, and never will be, real engineers. Glenn Vanderburg, VP of Engineering at First, takes a fresh look at what that really should mean for this field. With an extra 45 years of experience with the task of programming, and a broad survey of the varied different engineering disciplines, can we envision a future for a field of “software engineering” that is worthy of the name?
Real Software Engineering - Glenn Vanderburg (Lone Star Ruby Conference 2010)
- Software engineering as it's taught in universities simply doesn't work. It doesn't produce software systems of high quality, and it doesn't produce them for low cost. Sometimes, even when practiced rigorously, it doesn't produce systems at all. That's odd, because in every other field, the term "engineering" is reserved for methods that work. What then, does real software engineering look like? How can we consistently deliver high-quality systems to our customers and employers in a timely fashion and for a reasonable cost? In this session, we'll discuss where software engineering went wrong, and build the case that disciplined Agile methods, far from being "anti-engineering" (as they are often described), actually represent the best of engineering principles applied to the task of software development.
- Software Security Field Guide for the Bewildered - zwischenzugs
- Akin's Laws of Spacecraft Design - David L. Akin
- Types of Authentication
- Access control best practices
- Information Theory - Wikipedia
- Encoding vs. Encryption vs. Hashing vs. Obfuscation - Daniel Messler
- Safety with Dignity Booklist - Sidney Dekker
- 10 Immutable Laws of Security (Microsoft TechNet) (non-original)
- Ten Immutable Laws Of Security (Version 2.0) - docs.ms
- Classes/Types of Vulnerabilities
- How to Suck at InfoSec
Getting Started with InfoSec
infosec_newbie.md - mubix
- List of links on getting started in InfoSec/Starting a career.
- Breaking Into Information Security A Modern Guide - 0xsha
- Passwords in a file - erratasec
Being the First Security Person
Startup security: Starting a security program at a startup - Evan Johnson (AppSecCali 2019)
- There's no blueprint for how to be successful at a small startup. Startups are quirky, ambiguous, and full of challenges and broken processes. Startups also have a high risk tolerance and rarely introduce security from the beginning. This talk will discuss different approaches to introducing security at a company, how to be successful as a security professional at a startup, and how to integrate your security team with the rest of the company.
- Cognitive Bias
- Critical Thinking
- Common Vulnerability Scoring System (CVSS)
- Crowdsourced catalog of security breaches.
END-TO-END ARGUMENTS IN SYSTEM DESIGN - J.H. Saltzer, D.P. Reed and D.D. Clark
- This paper presents a design principle that helps guide placement of functions among the modules of a distributed computer system. The principle, called the end-to-end argument, suggests that functions placed at low levels of a system may be redundant or of little value when compared with the cost of providing them at that low level. Examples discussed in the paper include bit error recovery, security using encryption, duplicate message suppression, recovery from system crashes, and delivery acknowledgement. Low level mechanisms to support these functions are justified only as performance enhancements.
Ceremony Design and Analysis - Carl Ellison
- Abstract. The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure.
- How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety) - Richard I. Cook, MD
- No Silver Bullet - fmiljang.co.uk
- A Mathematical Theory of Communication - Claude E. Shannon
- The Diamond Model of Intrusion Analysis - Sergio Caltagirone, Andrew Pendergast, Christopher Betz
- How Google Adopted BeyondCorp
BeyondCorp: A New Approach to Enterprise Security - Rory Ward, Betsy Beyer
- Virtually every company today uses firewalls to enforce perimeter security. However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. Google is taking a different approach to network security. We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet.
- Mozilla Enterprise Information Security
- Rating Infosec Relevant Masters Programs - netsecfocus
Salted Hash Ep 34: Red Team vs. Vulnerability Assessments - CSO Online
- Words matter. This week on Salted Hash, we talk to Phil Grimes about the differences between full Red Team engagements and vulnerability assessments.
General Good Stuff
- C2 Wiki - Security
- Not Even Close, The State of Computer Security w/ slides - James Mickens
- Words Have Meanings - Dan Tentler - CircleCityCon 2017
- (Deliberate) practice makes perfect: how to become an expert in anything - Aytekin Tank
- Information Security Mental Models - Chris Sanders
- The Submarine (Article) - Paul Graham
- Satya Nadella ‘Reads’/‘Games’ Hacker News - KicksCondor
- Art as a Methodology for Security Research - Leigh-Anne Galloway
- The Natural Life Cycle of Mailing Lists - Kat Nagel
- Helping Others
- Collections: The Siege of Gondor, Part II: These Beacons are Liiiiiiit - Bret Devereaux
- Defense in depth aint new
- CyberInsecurity: The Cost of Monopoly - How the Dominance of Microsoft's Products Poses a Risk to Security - Daniel Geer, Charles P. Pfleeger, Bruce Schneier, John S. Quarterman, Perry Metzger, Rebecca Bace, and Peter Gutmann
- Ford Pinto - Engineering.com
- A Case Study of Toyota Unintended Acceleration and Software Safety - Phil Koopman
The Hacker Crackdown - Wikipedia
- The book discusses watershed events in the hacker subculture in the early 1990s. The most notable topic covered is Operation Sundevil and the events surrounding the 1987–1990 war on the Legion of Doom network: the raid on Steve Jackson Games, the trial of "Knight Lightning" (one of the original journalists of Phrack), and the subsequent formation of the Electronic Frontier Foundation. The book also profiles the likes of "Emmanuel Goldstein" (publisher of 2600: The Hacker Quarterly), the former assistant attorney general of Arizona Gail Thackeray, FLETC instructor Carlton Fitzpatrick, Mitch Kapor, and John Perry Barlow.
- The Hacker Crackdown: Law and Disorder on the Electronic Frontier by Bruce Sterling - Project Gutenberg
- How to Ask Better Questions
- Effective learning: Twenty rules of formulating knowledge - SuperMemo
- Learning How to Learn: Powerful mental tools to help you master tough subjects - Coursera
- The Motivation Secret: How to Maintain Intense Motivation as a Hacker (or Anything) - Luke Stephens
- Deliberate Practice: What It Is and How to Use It - James Clear
- Continuous Skills Improvement For Everyone - Matt Scheurer (OISF19)
- The Importance Of Deep Work & The 30-Hour Method For Learning A New Skill - Azeria
- The idea of a difficulty curve is all wrong - David Strachan
- How to Read a Book, v5.0 - Paul N. Edwards University of Michigan
- How to Read a Book - Wikipedia
The Command Line
- explainshell is a tool (with a web interface) capable of parsing man pages, extracting options, and explaining a given command line by matching each argument to the relevant help text in the man page.
- Keyboard shortcuts in Windows - support.ms
The art of the command line
- Master the command line, in one page
- Stupid Unix Tricks - Jeffrey Paul
- Linux Productivity Tools
Linux Command Line
- Introduction to Linux commands and Shell scripting
- Why Learn AWK? - Jonathan Palardy
- A little collection of cool unix terminal/console/curses tools
Structured Text Tools
- The following is a list of text-based file formats and command line tools for manipulating each.
- Don Libes' Expect: A Surprisingly Underappreciated Unix Automation Tool - Robert Elder
- Pexpect is a pure-Python Expect-like module.
- Chepy is a python lib/cli equivalent of the awesome CyberChef tool.
- New Skills
Normalization of Deviance
The normalization of deviance in healthcare delivery - John Banja
- Many serious medical errors result from violations of recognized standards of practice. Over time, even egregious violations of standards of practice may become “normalized” in healthcare delivery systems. This article describes what leads to this normalization and explains why flagrant practice deviations can persist for years, despite the importance of the standards at issue. This article also provides recommendations to aid healthcare organizations in identifying and managing unsafe practice deviations before they become normalized and pose genuine risks to patient safety, quality care, and employee morale.
- Software Problem Solving Cheat Sheet - Florian Roth
The XY Problem
- The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.
The AZ Problem
- This website introduces the AZ Problem: a generalization of the XY Problem. To wit, if we agree that the XY Problem is a problem, then the AZ Problem is a metaproblem. And while the XY Problem is often technical, the AZ Problem is procedural. The AZ Problem is when business requirements are misunderstood or decontextualized. These requirements end up being the root cause of brittle, ill-suited, or frivolous features. An AZ Problem will often give rise to several XY Problems.
- Regular Expressions
Operation Luigi: How I hacked my friend without her noticing
- My friend gave me permission to "hack all her stuff" and this is my story. It's about what I tried, what worked, my many flubs, and how easy it is to compromise Non-Paranoid People (TM).
- A collection of *nix Sysadmin Test Questions with Answers for Interview/Exam (2018 Edition).
- WALKOFF is a flexible, easy-to-use automation framework allowing users to integrate their capabilities and devices to cut through the repetitive, tedious tasks slowing them down.
When to Test and How to Test It - Bruce Potter - Derbycon7
- “I think we need a penetration test.” This is one of the most misunderstood phrases in the security community. It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that’s wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early-phase unit and abuse testing to late-phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e. if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity.
- The Web
- Tools you should probably know exist