SecurityCenter – Asset list trap

The Trick of Dynamic asset lists, and avoiding the trap

So someone asked me what seemed to be a simple question:

“Can I create an asset list of hosts that have a port responding between 100 and 200?” A perfectly reasonable question. The “off the cuff” response would be:

“Sure, with the following rules:

  • ALL
    • Port is greater than 100
    • Port is less than 200

On its face it looks like it should do the job, but it doesn’t evaluate the way we’d think.

Take the following example: a host that has only port 80 and port 201 responding. This host, based on the original requirement, should not be in this asset list.

Now let’s look at how it’s evaluated:

  1. Does the host have a port open greater than 100? (Answer=TRUE, port 201)
  2. Does the host have a port open that is less than 200? (Answer=TRUE, port 80)

Both 1 and 2 are true, so both conditions of the ALL clause are satisfied and the host is placed in the list. The two conditions are evaluated independently, each against any open port on the host, rather than both against the same port.

It’s a very tricky trap, something to watch for.
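To make the evaluation concrete, here is an added Python model (not SecurityCenter’s own code) of the two readings of the ALL clause: the rule-by-rule reading the post describes, and the single-port reading the question intended. The host names and port sets are constructed for the demonstration; the model also shows what the two range rules together actually select, namely any host whose highest open port is above 100 and whose lowest open port is below 200.

```python
# Added example, not SecurityCenter's own code: a small model of how a dynamic
# asset list's ALL clause evaluates port rules, reproducing the trap above.
# Each rule is checked independently against any open port on the host, so
# "port > 100" and "port < 200" can be satisfied by two different ports.

def matches_all_independent(open_ports, rules):
    """ALL clause as the post describes it: every rule must be satisfied by
    some open port, but not necessarily the same port for each rule."""
    ports = list(open_ports)
    return all(any(rule(p) for p in ports) for rule in rules)

def matches_single_port(open_ports, rules):
    """The intended meaning: one port must satisfy every rule at once."""
    return any(all(rule(p) for rule in rules) for p in open_ports)

def trap_equivalent(open_ports):
    """What the two independent range rules really select: any host whose
    highest open port is above 100 and whose lowest open port is below 200."""
    ports = list(open_ports)
    return bool(ports) and max(ports) > 100 and min(ports) < 200

RULES = [lambda p: p > 100, lambda p: p < 200]

# Constructed hosts for the demonstration (not from any real scan).
HOSTS = {
    "host-a": [80, 201],   # the post's example: no port between 100 and 200
    "host-b": [22, 143],   # 143 really is in range
    "host-c": [80, 443],   # plain web server: nothing in range, still trapped
    "host-d": [50],        # single low port: correctly excluded
}

def evaluate(hosts=HOSTS, rules=RULES):
    """Map each host to (ALL-clause result, intended result)."""
    return {name: (matches_all_independent(ports, rules),
                   matches_single_port(ports, rules))
            for name, ports in hosts.items()}

def false_positives(hosts=HOSTS, rules=RULES):
    """Hosts the ALL clause includes but the intended rule excludes."""
    return sorted(name for name, (loose, strict) in evaluate(hosts, rules).items()
                  if loose and not strict)

if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name}: ALL-clause={loose} intended={strict}")
    print("wrongly included:", false_positives())
```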

Source: Nessus and SecurityCenter

The Gods give us what we deserve and need, not what we ask for (a Between The Worlds/Sacred Space retrospective)

I need to remember that. So last week I made the decision to go to the Gala at BTW/SS on Saturday night. I felt the need to get out of Germantown, and there was someone I had been …

Source: Modern Heathen

Handling being a student in a MOOC

It’s been ages since I’ve written in this blog because, honestly, between work and working on two certificates in education at Coursera, I haven’t had a lot of time to write about education.

But, with me finishing up my first certificate and working on a second and a third (I just started one in Data Analytics), I realized I’ve got a lot to say about being a student in a MOOC (a Massive Open Online Course).

MOOCs, if you’ve never taken one, are online courses with an instructor that have thousands of students in them. The ones I’ve encountered are largely on a timeline: you have quizzes and assignments that are due on specific dates so they can be peer reviewed (normally; there are a couple of exceptions) and grades can be issued.

Now the challenge with a MOOC, when compared with a self-directed course or a “small” online course, is deadlines and motivation. Whenever you consider taking a MOOC, look at the syllabus, look at the deadlines, and keep a calendar of what is due when. Typically with these classes, if you miss a deadline on an item, it becomes difficult to pass the class.

Some MOOCs do allow for “late days” on quizzes, but I’ve found that when it comes to papers and assignments those are hard deadlines, and if you fail to meet the deadline you get a zero for that item. Since a class may have 4-8 different quizzes and components, missing one puts you in a position where you have to get a perfect score on every other item in order to achieve a passing grade.

So, calendar, calendar, calendar. Also be sure to manage your time effectively. Many times I’ll look at a course and say, “OK, I know that I can’t submit assignment X until this date, but that week I’m going to be out of town, jammed up, sick, whatever, so I’ll do the assignment ahead of time; then when the submission window does open up, I can just upload a file.”

Let’s take an example of this. I’m in a class right now where there are five quizzes, one written assignment, and I have to review three papers. The assignment is due the third week of class. I looked at my work calendar and my personal calendar and realized that week I was going to be very busy. So I sat down the week before and completed the assignment. Now, when that assignment comes due, I can just grab it and upload it (it’ll take five minutes or less) and I’ve got it done.

Also, if you can “get ahead” in these classes, do it! Some classes only roll out materials as the weeks of the class progress. This is particularly true for new classes. For well-established classes, all the materials go up on day one. If they do, and you have time to “get ahead”, do it. That way, if something does interfere with your schedule, you don’t get hopelessly behind.

But if you do get ahead, and have questions, be aware asking a question about week three material during week one is considered “bad form” and you should wait to post your question until the appropriate week appears.

 

Source: Edublogs

Critical mass in a virtual classroom

Over the last couple of years, class sizes in the virtual classroom have grown in my job. When we started we were at a maximum of 12 students per class, and we’re now at a point where we allow 30 students per class (this is with multiple instructors and assistants to help students).

There’s something I found which is worthy of note in virtual classrooms, and it’s the concept of critical mass.

When you talk to people about social networking, there is this concept of critical mass: a minimum number of participants required in order for regular interaction to occur. You see this a lot on public forums. You’ll start with one person, and there are just a few postings; then you add a few more, and there are a few more postings, and a few more, etc., and you see linear growth.

Then at some point in your growth cycle you hit a “magic” threshold, and activity starts to grow exponentially.

What we discovered was that the same rule held for questions in virtual classes. In a class size of 12 you might get 2-3 questions in a one-hour lecture. With a class size of 20, you’d expect to see around 3-4. However, when you hit 30, you don’t get the 6-9 questions; you’re more likely to get 15-20 questions.

Why is this important?

With lesson planning, and particularly live lectures, you plan for a given lecture plus questions to take a specified period of time. Let’s take my job as an example. Our “magic number” is that a lecture plus demo should take 30 minutes, with 5 minutes at the end for questions. So with my 12 students, that gave me roughly 36 seconds per question.

When we increase our class size to 30, we’d expect to see roughly 9 questions; at 36 seconds per question it only takes 5.4 minutes to answer all of them, so it’s still within our target range.

Instead, we don’t have 9 questions, we have 20. This now takes 12 minutes total for the lesson.

No big deal, right?

Wrong. Now let’s take our typical class, where we have that 35-minute lecture followed by a 30-minute lab, and we do 4 lectures in a class. That’s a total of 260 minutes, or 4.3 hours. That’s about as long as you can expect someone to retain information in a virtual setting spread across time.

When we got to 30 students, it’s now 288 minutes, coming in at 4.8 hours. That’s a 27% increase in total time for delivery. And that’s of course assuming that you only get those 30 questions. We’ve seen instances where we have twice that after a lecture due to this critical mass.

So if you’re a virtual instructor, the next time you get asked (and you will) to increase class size, remember there are pieces of the time equation that are linear, and other pieces, due to the concept of critical mass in social networks, that will increase geometrically.

 

Source: Edublogs

Nessus Host Summary Report in SecurityCenter

This is available as a SecurityCenter report template.

While SecurityCenter has extensive reporting features, sometimes we just want to replicate a report type that we’d previously generate using Nessus™.

One of the useful report chapters that can be generated is the Host Summary.

This report chapter generates the following:

A table of vulnerability counts per severity, with these columns:

IP Address | Informational | Low | Medium | High | Critical

Then a table for each host with the following columns:

Severity | Plugin ID | Name

Here’s how this type of report can be generated in SecurityCenter:

GENERAL

  • NAME: Host Summary (Nessus)
  • DESCRIPTION: (blank)
  • TYPE: PDF
  • REPORT STYLE: Tenable, Letter
  • INCLUDE COVER PAGE: no
  • COVER LOGO: default
  • INCLUDE HEADER: no
  • INCLUDE FOOTER: no
  • FOLDER LOGO: default
  • WATERMARK: default
  • INCLUDE TABLE OF CONTENTS: yes
  • INCLUDE INDEX: no
  • ENCRYPT PDF: no

DEFINITION

  • CHAPTER: Host Summary
    • GROUP: Host Summary
      • ITERATOR: Host Summary
        • NAME: Host Summary
        • LOCATION: -Group Host Summary
        • STYLE: Default
        • DATA TYPE: Vulnerability
        • SOURCE: Cumulative
        • QUERY: (as needed)
        • ITERATOR TYPE: IP
        • RESULTS DISPLAYED
          • DISPLAY ALL RESULTS: yes
          • SORT COLUMN: IP Address
          • SORT DIRECTION: Ascending
        • HEADER INFORMATION: IP Address
        • TABLE
          • NAME: Host Summary
          • DESCRIPTION: (blank)
          • LOCATION: -Iterator Host Summary
          • STYLE: Default
          • DATA TYPE: Vulnerability
          • SOURCE: Cumulative
          • QUERY: Tool: IP Summary
          • RESULTS DISPLAYED
            • DISPLAY ALL RESULTS: yes
            • SORT COLUMN: IP Address
            • SORT DIRECTION: Ascending
          • DISPLAY COLUMNS: IP Address, Info, Low, Medium, High, Critical
        • TABLE
          • NAME: Vulnerability List
          • DESCRIPTION: (blank)
          • LOCATION: -Iterator Host Summary
          • STYLE: Default
          • DATA TYPE: Vulnerability
          • SOURCE: Cumulative
          • QUERY: Tool: Vulnerability Summary
          • RESULTS DISPLAYED
            • DISPLAY ALL RESULTS: yes
            • SORT COLUMN: Severity
            • SORT DIRECTION: Ascending
          • DISPLAY COLUMNS: Severity, Plugin ID, Name

This report is very similar to the one provided in Nessus; however, the latter table has Plugin ID first and then Severity, as opposed to Nessus, which has Severity first and Plugin ID second.

You can download this template in zip format.

host_summary_report

Source: Nessus and SecurityCenter

Two styles of Education – Coursera vs. Udemy/Khan academy

I just finished completing two courses at Coursera, and boy do I have a sense of accomplishment. Following one of these courses from beginning to end is quite a challenge. Since I’ve now taken classes through Udemy, Khan Academy, and Coursera, I thought I’d take the time to comment on them.

But first I want to reference a couple of topics I’d discussed in previous blogs. The first is levels of understanding. When it comes to levels of knowledge, we can break it down into several levels:

  1. Mimicry – Here a person can take a set of explicit directions and repeat them.
  2. Adaptation – The person can take a set of instructions and adapt them to similar situations.
  3. Understanding – A person understands a set of instructions, including the knowledge surrounding each step.
  4. Knowledge – The person fully understands the topic, and can take that knowledge and adapt it to other topics.

 

In addition, when teaching there are two “significant” approaches. Using the bottom-up approach, we teach an individual a series of increasingly complicated tasks, and when enough tasks have been learned, the person begins to “move up” the education ladder.

Alternatively, a top-down approach can be taken. With this model we teach a person broad categories of knowledge with respect to the topic, and eventually they learn enough to perform individual tasks.

Either approach works; which model works best depends entirely upon the topic, students, and educator. However, with both models the objective is generally to move a person from #1 on the list to #4.

So how does this apply to Udemy/Khan Academy vs. Coursera? The former tend to use a bottom-up approach, while the latter tends to use the top-down approach. So when considering what path to take for courses, keep this in mind.

In addition, Udemy/Khan Academy courses can be taken in small chunks. You can tell yourself “today I’m going to learn _____.” Whereas Coursera courses involve significant commitments of time (typically 5-10 hours per week for 2-3 months).

The advantage, however, is that Coursera has a solid path to moving an individual up the knowledge scale. Udemy/Khan Academy require a bit of self-direction. Khan Academy has done some experimentation with developing a “list” of classes to be taken in sequence with respect to mathematics, but it is still in its infancy.

Which leaves me with the question: is any method better? I do have to admit that after taking a Coursera course, I feel like I’ve got comprehensive knowledge of the subject. Udemy/Khan Academy don’t leave me feeling that way. However, sometimes I don’t want comprehensive knowledge, particularly when trying to solve specific issues. In those cases the shorter approach is the most expedient solution to the challenge I am facing.

 

Source: Edublogs

An interesting take on passwords on the Internet

I’m currently taking a course on Internet History at Coursera. We are currently discussing the very basics of encryption, and the instructor had an interesting idea. He was talking about the fact that it seems like for every web site we have to create a user name and password. Most users get to the point where they don’t create a unique password for every web site; they use a common one. On top of that, it seems like every week some web site we’re using has its password file hacked. The result is that we don’t just compromise our account on one web site, but on several. Gawker was an excellent example of this, but there have been several.

Clearly two-factor authentication is one solution to this problem, and Google, in their wisdom, has set up a reasonably easy-to-use two-factor authentication API. However, the instructor posed an alternative solution that is quite elegant.

Whenever you go to log into the web site, you put in your user name, and a unique link is sent to your email address. You go to your email, open up the link, and you’re logged in. No passwords stored on a million servers, no worrying about keeping different passwords; it’s all done through a unique-link system.

Now this does depend upon your email being secure. However, remember that most web sites have a “reset password” option that emails you a link to reset your password, so if your email has been compromised, an intruder can reset your password on any web site you have an account on anyway; so we haven’t really reduced security much. There is an additional layer of annoyance, but it is an interesting approach to the question of passwords and security.
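As an added illustration of the email-link login just described (this is not the instructor’s or the post’s code), here is a minimal Python model of the server side with the properties a defender would insist on: an unguessable token, a short lifetime, single use, and only a hash of the token kept server-side. The base URL, the 10-minute lifetime and the user names are assumed values.

```python
# Added example, not from the course or the post: a minimal model of the
# email-link ("magic link") login the instructor described.
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL = 600  # seconds a link stays valid; assumed value, not from the post

class MagicLinkIssuer:
    """Issues and redeems one-time login links. Only a SHA-256 digest of each
    token is kept server-side, so a copy of this table cannot be replayed."""

    def __init__(self, base_url, now=time.time):
        self.base_url = base_url
        self.now = now            # injectable clock so expiry can be tested
        self._pending = {}        # sha256(token) -> (username, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Create the link that would be emailed to the user's address.
        The security of the scheme rests on that mailbox, exactly as a
        password-reset link does."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._pending[self._digest(token)] = (username, self.now() + TOKEN_TTL)
        return f"{self.base_url}/login?token={token}"

    def redeem(self, token):
        """Return the username for a valid, unexpired token; None otherwise.
        pop() removes the entry, so a link works only once even if the
        message is later read by someone else."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expiry = entry
        if self.now() > expiry:
            return None
        return username

def token_from_link(link):
    """Extract the token the user's browser would send back when clicking."""
    return parse_qs(urlparse(link).query)["token"][0]

if __name__ == "__main__":
    issuer = MagicLinkIssuer("https://login.example.test")
    link = issuer.issue("alice")
    tok = token_from_link(link)
    print("first use:", issuer.redeem(tok))    # alice
    print("second use:", issuer.redeem(tok))   # None
```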

 

Source: Nessus and SecurityCenter

The future of post secondary education

I had a friend come to me the other day and ask what I thought about courses at online college X. College X was a reasonably traditional online college, with degree and certificate programs, etc. I talked to her about the institution for a while, and then I finally asked the question “what is it you’re looking to achieve?” I realized that we attend post-secondary education for a variety of different reasons:

  1. Certification/Accreditation for work-related items – This is particularly important in technical fields, but also in government. Government agencies at all levels are increasing their requirements that you have specific certifications in order to perform certain jobs.
  2. Collecting “initials” – I have a friend who accuses me of this. Completion of certificate programs or degrees allows us to pad our resumes and put various initials after our names (I’ve got so many that I no longer reference them all).
  3. Specific work-related knowledge – Absent work requiring us to have specific certifications, we may feel that our skill set is insufficient with respect to a given work requirement. We may take courses to improve our knowledge of a given subject area.
  4. Mind candy – This is one we don’t think of very often. Studies have shown that effective intellectual stimulation not only improves our critical thinking skills but also “fends off” mentally debilitating conditions and may increase longevity. In addition, it allows us to feel like we’re keeping our intellectual skills “sharp.”

So why take the time to break out these categories? Because certain objectives lend themselves to different types of institutions and approaches to learning.

Take for example a relative who decided they wanted to take a series of courses at a local community college in order to provide intellectual stimulation (i.e. mind candy). I realized that rather than pay the local college for the course, they could instead have gone to Udemy and taken almost any course they wanted, for free.

I had another friend who wasn’t looking for a degree, but was looking to enhance their reputation within a given community. For them, Udemy wasn’t the right approach, but a certificate program at Cherry Hill Seminary would fill their needs.

Another friend said “I’m working for the government, and regulation X requires that I be certified in Y.” They weren’t particularly interested in acquiring knowledge (they felt they had enough about Y), but they needed a certification. For them, I pointed to resources that would allow them to pass the certification exam for Y.

Another person said “I want to enter profession Z.” They had started with one institution and discovered that this institution really had no “path” that would give them the necessary skills and certifications to enter that profession. So they changed institutions to one that would.

So as we think about proceeding down a path of learning, we need to think not just about the subject, but also about our motivations. By examining both we can determine what approach and what institution best suit our needs.

Source: Edublogs