If you read just one security article this week, make it Ryan McGeehan’s Learning From A Year of Security Breaches. It’s the best, most actionable security advice I’ve read in a long time.
An article by Troy Hunt on the Certified Ethical Hacker certification kicked off an interesting discussion on getting started in infosec and the value of a cert. Troy’s article strongly suggests the CEH course he developed for Pluralsight; here are some other takes:
- How to become a pentester (Corelan Team)
- Starting an infosec career (Lesley Carhart)
- How to build a successful information security career (Daniel Miessler)
- How to break into security, Ptacek Edition (Thomas Ptacek, interviewed by Brian Krebs)
FWIW, I tend to agree that certification doesn’t help nearly as much as hands-on experience. That said, a good course that teaches real skills (and doesn’t just teach to the test) might be the forcing function that some people need to help themselves learn. I wouldn’t necessarily write off a course just because it’s leading to a cert. But I also would caution anyone against thinking that a certification is really going to help land a job. Good security teams care about experience, not certifications.
Mylar is an experimental web framework that attempts to implement a sort of zero-knowledge system: sensitive data is stored encrypted on the server, and can only be decrypted in the user’s browser. There’s a research paper, Building web applications on top of encrypted data using Mylar, that goes into more detail on how it works.
Risk and Anxiety: A Theory of Data Breach Harms tries to build up a legal framework for assessing the harm caused by a data breach. I don’t see companies really changing their approach to infosec because the real harm of breaches tends to be externalized, so companies have no real incentive to try to do better. If courts (or the FTC?) find ways to start making those harms internal, perhaps we’ll see some change.
And speaking of driving security at companies, Josh Bressers makes a compelling argument that compliance-based security is actually a good place to focus our efforts. I can’t really argue with his logic, and I think I agree (though I’m pretty sad to say that).
This is a weekly roundup of interesting infosec related links, inspired by Geek Feminism’s linkspam tradition.
If you’d like to suggest a link for a future roundup, post it to Pinboard tagged with securitylinkspam and I’ll find it there.