
Hacking Exposed Chat Session

<netsecurityadm> Not to kiss ass- but it is a staple of my library. I use it as a resource and find it invaluable
<netsecurityadm> I only read the first edition cover to cover. The other editions I mainly read the updates and tend to use it more as a reference than a novel

<HE_Real_McClure> Cool. It's that kind of feedback that fuels us for more editions. It is killer work and we don't always get to hear how the material comes across sometimes... That is good to hear!


<netsecurityadm> For web security, would you recommend your book Web Hacking over the Hacking Web Applications Exposed book from the Hacking Exposed series?

<HE_Real_McClure> Either Web hacking book would do. The "Web Hacking" book from Addison is more like case studies of hacking. And the HE-Web App book is more like an encyclopedia like the prior HE books... Just depends.

<netsecurityadm> We talked earlier with Mr. Kurtz about knowledge and proper configuration being more important than the platform or application...

<netsecurityadm> but would you recommend one operating system or web server over another? Windows over Linux? IIS over Apache?

<HE_Real_McClure> Education is definitely everyone's best weapon. I always say that no product is secure. There are only degrees of security and it usually depends on the person setting it up. I can harden a Windows system and Linux system equally strong...

<netsecurityadm> How did you first get involved in information security?

<HE_Real_McClure> I first got involved in security back in college, around 1988. I was an administrator for a number of UNIX systems and was often asked to understand what security weaknesses I could find.

<netsecurityadm> Do you have a programming background? Did you write or help to write the tools and software at Foundstone?

<HE_Real_McClure> I programmed in college and for a number of years after that. I have not been involved in programming for years though. We have much smarter programmers than me now at Foundstone. I wrote a number of automated scripting tools that automated our pen test exercises but that is the last time I did any programming...

<netsecurityadm> Do you feel that security certifications are important? Would you recommend one over another?

<HE_Real_McClure> Certifications like CISA and CISSP are good to separate you from the crowd, but it doesn't prove too much. I like experience over certifications but that is just me. What training classes have you all taken recently?

<netsecurityadm> I haven't taken any classes recently- the company has zero budget for training and I can't personally afford the price tag of most courses

<HE_Real_McClure> But if you do want to get certified I recommend CISSP over any of them...

<netsecurityadm> I mainly read and teach myself as much as I can. I have CISSP, MCSE2k, MCSA and A+. I agree though that they are just letters and that being certified doesn't prove you know more

<netsecurityadm> I have become particularly interested in incident handling and forensics though and may pursue the SANS GIAC certifications for those specialties

<HE_Real_McClure> For those that have limited budgets, the book is probably your best bet. Try and get some test systems to test your skills... I think certifications definitely demonstrate a person's seriousness in performing this type of work and definitely set them apart...

<netsecurityadm> how long did it take the 3 of you to write the book and get it published from the time you started?

<HE_Real_McClure> Incident Response and Forensics is definitely a growing field, esp. in the government...

<HE_Real_McClure> I pitched the first TOC to IDG Books (Dummies series) while working at Infoworld, then after they turned us down twice, we turned to Osborne. They first turned us down then came back to us later. While we had officially been writing the book for more than a year before we got a contract, once the contract was signed it took about 4-5 months to deliver the whole book.

<netsecurityadm> What antivirus software do you use for your personal computer?