25 October 2012

Matriux Security Distro

Matriux is a fully featured security distribution consisting of a bunch of powerful, open source and free tools that can be used for various purposes including, but not limited to, penetration testing, ethical hacking, system and network administration, cyber forensics investigations, security testing, vulnerability analysis, and much more. It is a distribution designed for security enthusiasts and professionals, although it can be used normally as your default desktop system. With Matriux, any system can turn into a powerful penetration testing toolkit, without installing any software on the hard disk. Matriux is designed to run from a Live environment such as a CD/DVD or USB stick, or it can easily be installed on a hard disk in a few steps. Matriux also includes a set of computer forensics and data recovery tools that can be used for forensic analysis, investigations and data retrieval.

22 October 2012

Selected Sun Tzu Quotes for Security Managers

Selected quotes from the book "The Art of War for Security Managers: 10 Steps to Enhancing Organizational Effectiveness"
  • For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.
  • The Way means inducing the people to have the same aim as the leadership, so that they will share death and share life, without fear of danger.
  • Warfare is the greatest affair of the state, the basis of life and death, the Way (Tao) to survival or extinction. It must be thoroughly pondered and analyzed.
  • If you know others and know yourself, you will not be imperiled in a hundred battles.
  • The one who figures on victory at headquarters before even doing battle is the one with the most strategic factors on his side. The one who figures on inability to prevail at headquarters before doing battle is the one who has the least strategic factors on his side. The one with many strategic factors in his favor wins, the one with few strategic factors in his favor loses—how much more so for the one with no strategic factors in his favor. Observing this matter in this way, I can see who will win and who will lose.
  • So the important thing in a military operation is victory, not persistence.
  • The superior militarist strikes while schemes are being laid. The next best is to attack alliances. The next best is to attack the army. The lowest is to attack a city. Siege a city only as a last resort.
  • The terrain is to be assessed in terms of distance, difficulty or ease of travel, dimension, and safety.
  • The unorthodox and the orthodox give rise to each other, like a beginning-less circle—who could exhaust them?
  • A military operation involves deception. Even though you are competent, appear to be incompetent. Though effective, appear to be ineffective.
  • Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy.
  • A victorious army first wins and then seeks battle. A defeated army first battles and then seeks victory.

21 October 2012

The Art of War for Security Managers: 10 Steps to Enhancing Organizational Effectiveness

The classic book The Art of War (or as it is sometimes translated, The Art of Strategy) by Sun Tzu is often used to illustrate principles that can apply to the management of business environments. The Art of War for Security Managers is the first book to apply the time-honored principles of Sun Tzu's theories of conflict to contemporary organizational security. Corporate leaders have a responsibility to make rational choices that maximize return on investment. The author posits that while conflict is inevitable, it need not be costly. The result is an efficient framework for understanding and dealing with conflict while minimizing costly protracted battles, focusing specifically on the crucial tasks a security manager must carry out in a 21st century organization.
  • Includes an appendix with job aids the security manager can use in day-to-day workplace situations
  • Provides readers with a framework for adapting Sun Tzu's theories of conflict within their own organizations
  • From an author who routinely packs the room at his conference presentations

12 October 2012

Risk Management ISO/IEC 31000 Standard

ISO/IEC 31000, the ISO standard for effective management of risk, provides principles, a framework and a process for managing any form of risk in a transparent, systematic and credible manner within any scope or context. The standard recommends that organizations develop, implement and continuously improve a risk management framework as an integral component of their management system. The purpose of ISO/IEC 31000 is to help organizations:
  • Increase the likelihood of achieving objectives
  • Encourage proactive management
  • Be aware of the need to identify and treat risk throughout the organization
  • Improve the identification of opportunities and threats
  • Comply with relevant legal and regulatory requirements and international norms
  • Improve financial reporting
  • Improve governance
  • Improve stakeholder confidence and trust
  • Establish a reliable basis for decision making and planning
  • Improve controls
  • Effectively allocate and use resources for risk treatment
  • Improve operational effectiveness and efficiency
  • Enhance health and safety performance, as well as environmental protection
  • Improve loss prevention and incident management
  • Minimize losses
  • Improve organizational learning
  • Improve organizational resilience
ISO 31000 can be applied to any public, private or community enterprise, association, group or individual.

07 October 2012

Hiring and Career Guides to the Information Security Profession

(ISC)² has published the “Hiring Guide to the Information Security Profession”, a free reference guide for Human Resources (HR) professionals, hiring managers and recruiters that provides tips on how to best find, recruit, hire and retain qualified information security staff. Written with input from leading Human Resources and recruiting professionals and subject-matter experts, the Hiring Guide highlights the history and growth of the information security profession, typical job functions and career paths, and ideal candidate traits. In addition, the “Career Guide to the Information Security Profession” is published as a free reference guide for information security professionals, providing tips on how to best find and fill noteworthy information security vacancies.

29 September 2012

Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition

Cryptographic techniques have applications far beyond the obvious uses of encoding and decoding information. For Internet developers who need to know about capabilities, such as digital signatures, that depend on cryptographic techniques, there's no better overview than Applied Cryptography, the definitive book on the subject. Bruce Schneier covers general classes of cryptographic protocols and then specific techniques, detailing the inner workings of real-world cryptographic algorithms including the Data Encryption Standard and the RSA public-key cryptosystem. Bruce Schneier's Applied Cryptography is an excellent book for anyone interested in cryptology, from the amateur level up to actual involvement in the development of new encryption mechanisms. Schneier's book begins with a simple discussion of what cryptography is, and then proceeds through the history of various encryption algorithms and how they function. The last portion of the book contains C code for several public-domain encryption algorithms. The book includes source-code listings and extensive advice on the practical aspects of cryptography implementation, such as the importance of generating truly random numbers and of keeping keys secure.

23 September 2012

Global IT-related Risk Framework

ISACA released Risk IT, the first global IT-related risk framework to provide a comprehensive view of the business risks associated with IT initiatives. Risk IT provides a single, comprehensive view of IT-related business risks, which can cost companies millions annually in lost revenues and opportunities. Risk IT complements and extends COBIT and Val IT, but is also highly effective as standalone guidance. A key aspect is that all enterprises using IT, whether one-person shops or multinational conglomerates, can benefit from Risk IT. It can also be customized for any type of enterprise in any geographic location.

16 September 2012

Ethical Hacker Job Description

An Ethical Hacker performs network and application-based security vulnerability assessments and penetration tests in accordance with industry-accepted methods and protocols.

14 September 2012

Linux Firewalls

Linux Firewalls, authored by Michael Rash and published by No Starch Press, covers five main topics:
  • traditional packet filtering with iptables
  • port scan detection
  • snort rule translation
  • port knocking
  • log visualization
Linux Firewalls discusses the technical details of the iptables firewall and the Netfilter framework that are built into the Linux kernel and presents valuable information right from the first chapter.

10 September 2012

WiKID Strong Authentication System

The WiKID Strong Authentication System is a public-key based two-factor authentication system. It is a flexible, extensible, and secure alternative to tokens, certs and passwords.

The WiKID Strong Authentication System consists of three parts: the WiKID server, the WiKID token client and a network client (such as a VPN, website or other service requesting authentication). Application & API support exists for the following and more:

03 September 2012

Hackers != Crackers

It really pisses me off that when I discuss online with friends or colleagues and mention that I consider myself a happy hacker, then all of a sudden I’m some kind of wannabe corporate criminal mastermind. They seem to equate “hacker” with “cracker”. Just because of some overhyped stories, hackers have to endure snide remarks and are stereotyped as crackers.

To quote the seminal teachings of How To Become A Hacker by Eric Steven Raymond:

These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn’t make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.

Based on original Visionary template by Justin Tadlock
Customized by Panos Kalantzis aka pck

© 2012 Greek Information Security Professionals