IT-Security
People
- Bruce Schneier, author of 'Applied Cryptography' and 'Secrets & Lies', founder of Counterpane
- Ross Anderson, Eternity Service, cryptography (Serpent), Tempest, 'Programming Satan's Computer'
- Eugene Spafford, UseNet, CERIAS
- Marcus J. Ranum: author of DEC SEAL, TIS Gauntlet and the TIS Internet Firewall Toolkit, founder of Network Flight Recorder (NFR)
- Philip R. Zimmermann, PGP author
- Wietse Zweitze Venema: TCP Wrapper, SATAN, The Coroner's Toolkit, Postfix
- Lance Spitzner, Solaris-Security, Honeynet Project
- Whitfield Diffie, Public Key Cryptography, Diffie-Hellman-Key Exchange. Interview: "[...] the important thing about a free society is the distinction between being held to account for your actions and being forced to do what society wants."
- Ronald L. Rivest, cryptographic algorithms (RSA, MD4, MD5, RC4, RC5, RC6, ...)
- Steven M. Bellovin, Firewalls, RFCs
- Markus Kuhn, Tempest, Tamper Resistance
- John Gilmore, Co-Founder of the Electronic Frontier Foundation, alt-newsgroups, Cypherpunks, Cygnus Solutions and FreeSWAN (Linux IPsec Implementation)
- Matthew Blaze, Cryptographic File System, trust management, policy (Clipper chip, export controls)
- Martin Roesch: Snort author, founder and CTO of Sourcefire
- Fred Cohen, computer viruses, risk analysis
- Ron Gula, Dragon IDS
- Mudge (Peiter Zatko), L0phtcrack
- Daniel E. Geer, former CTO of @stake, Verdasys chief scientist, MIT Project Athena (Kerberos)
- Felix Lindner (FX): Phenoelit, n.runs consultant
- Fyodor, Nmap. Zone-H interview, Slashdot interview, AvatarCorp interview
Companies
- IT-Verlag: directory of IT security companies
- List of German firewall vendors, compiled by DFN-CERT
- IT-Security Forum
- IT-Audit: IT security companies
- Others: @stake, Bindview, Bitterli Consulting, cirosec, Counterpane, Ernst & Young, Foundstone, GeNUA, ISS, KPMG
Faculties in Germany
- Uni Freiburg, Institut für Informatik und Gesellschaft, Abteilung Telematik: multilateral security
- TU Darmstadt, Fachgebiet Sicherheit in der Informationstechnik, headed by Claudia Eckert
- TU Darmstadt, Fachbereich Informatik, Theoretische Informatik / Kryptographie und Computeralgebra, headed by Johannes Buchmann: PKI, ECC
- TU Dresden, Andreas Pfitzmann, Professur für Datenschutz und Datensicherheit: cryptography, steganography, anonymity
- TU Cottbus, Lehrstuhl Rechnernetze und Kommunikationssysteme, focus on intrusion detection systems
- Uni Bonn, Arbeitsgruppe IT-Sicherheit und Kryptographie at the Institut für Informatik III
- FU Berlin, Arbeitsgruppe IT-Sicherheit at the Institut für Informatik, headed by Hannes Federrath
- Uni Bochum, Horst Görtz Institut für Sicherheit in der Informationstechnik, degree programme "Sicherheit in der Informationstechnik"
Standards and Guidelines
- IT-Grundschutzhandbuch: online at the BSI, Grundschutzhandbuch.de
- ISO/IEC 17799 (based on BS 7799)
- CobiT: ISACA, German version, introduction
- Austrian IT-Sicherheitshandbuch, partly based on the BSI's GSHB, clearly structured
- ISO TR 13335: Guidelines for the Management of IT Security
- Common Criteria, in German at the BSI
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), from CERT
- SSE-CMM (Systems Security Engineering Capability Maturity Model)
- EISA, Enterprise IT-Security Analysis
- IT-Sicherheitshandbuch (html/zip, 676 kB) from the BSI, on conducting risk analyses
- The Standard of Good Practice for Information Security by the Information Security Forum
- Comparisons: "IT-Sicherheitskriterien im Vergleich", a guide by a project group of the D21 initiative covering Marion, BSI-GSHB, CoP and CobiT. BSI-GSHB vs. BS 7799: the BSI's mapping of the contents
- More security standards: FFIEC Resources
References
Please also take a look at my Python Tools collection.
- Glossaries: Internet Security Glossary (RFC 2828), another glossary, netsys.com Security Glossary, Glossary of communications-electronics terms (pdf, 1.7 MB), collection of several glossaries
- IDS glossary: Part 1 (A-H), Part 2 (H-Z)
- RFCs: RFC-Editor.org, Netsys.com, RFC Search
- TCP/IP: IP Protocol Suite, TCP/IP Pocket Guide by Richard Stevens from TCP/IP Illustrated Vol. 1, IP-Card, the IPv4 header as a reference for the Palm, including source code
- Ports: Open Protocol Resource Project, The Internet Ports Database, list by Kurt Seifried, official list at IANA
- DNS servers: list from FLI4L, T-Online DNS servers, CCC list, list of the root servers
- Linux: LinuxSecurity Quick Reference Card
- Man pages: Unix man pages
- SNMP: SNMP MIB Browser
Quotations
Security
- "Security is a chain; it's only as secure as the weakest link." (Bruce Schneier, Secrets & Lies, xii)
- "Security is a process, not a product." (Bruce Schneier, Secrets & Lies, xii)
- "Security, like correctness, is not an add-on feature." (Andrew S. Tanenbaum)
- "Good system administration is good security, and vice versa." (Douglas Gerdin, System Administrator, AI Center, SRI International)
- "A secure computer is one you've insured." (Schneier, Secrets & Lies, 385)
- "But if you think technology can solve your security problems [...] then you don't understand the problems and you don't understand the technology." (Bruce Schneier)
- "The security of MY site depends at least in part on the security of YOUR site." (Stephen Northcutt: IDS - Intrusion Detection Systeme, 459)
- "There is no security for any of us unless there is security for all." (Howard Koch)
- "No one can build his security upon the nobleness of another person." (Willa Cather)
- "A secret that cannot be readily changed should be regarded as a vulnerability." (Whitfield Diffie)
- "We spend our time searching for security, and hate it when we get it." (John Steinbeck)
Risk
- "The key to successful risk assessment is to identify all of the possible threats to your system, but only to defend against those attacks which you think are realistic threats." (Gene Spafford, Simson Garfinkel)
- "You can identify and reduce risks, but you can never eliminate risk entirely." (Gene Spafford, Simson Garfinkel, 34)
- "People do not know how to analyze risk. They can't look at a vulnerability and make an intelligent decision about how bad it is. They can't look at an attack and make an intelligent decision about how likely it is. They can't look at a security situation and make an intelligent decision about what to do." (Bruce Schneier, Secrets & Lies, page 256)
- "Nobody to my knowledge has ever performed a full risk analysis of a substantial network, and I doubt that anyone ever will. People that claim to do network risk analysis tend to make sweeping assumptions." (Fred Cohen)
- "The basic idea is that everything in life is risky. You win some and you lose some. The object is to make the wins bigger than the losses. Instead of trying to micro-manage technical protection, risk management seeks to make decisions about whether and when to take, avoid, or mitigate risks and how much to spend in the process." (Fred Cohen)
- "Too many people are thinking of security instead of opportunity. They seem to be more afraid of life than death." (James F. Byrnes)
People
- "People in general are not interested in paying extra for increased safety. At the beginning seat belts cost $200 and nobody bought them." (Gene Spafford)
- "The user's going to pick dancing pigs over security every time." (Bruce Schneier)
- "Indeed, people are usually cheaper and easier to compromise than advanced technological safeguards." (Gene Spafford, Simson Garfinkel, 34)
- "The wire protocol guys don't worry about security because that's really a network protocol problem. The network protocol guys don't worry about it because, really, it's an application problem. The application guys don't worry about it because, after all, they can just use the IP address and trust the network." (Marcus J. Ranum)
- "Never underestimate the time, expense, and effort an opponent will expend to break a code." (Robert H. Morris) Crypto '95 conference
Intrusion detection
- "Business is about taking risks, which is why in the real world much more focus is put on detection and reaction than on prevention." (Schneier, Secrets & Lies, 384)
- "Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse." (Dorothy Denning, quoted in Amoroso: Intrusion Detection: An Introduction to Internet Surveillance, p. 15)
- "Even with the best security mechanisms, we must expect that a determined adversary will be able to penetrate our defenses." (Teresa Lunt, quoted in Amoroso: Intrusion Detection: An Introduction to Internet Surveillance, p. 15)
- "The state of the IDS art requires that for every single attack signature, I should understand whether it is relevant to my network, which ports it should be looking on, and where I care that it look. [...] An IDS that makes me know all that is simply dumb; it's not doing its job." (Joel Snyder)
Other quotations
- "The first fact to face is that UNIX was not developed with security, in any realistic sense, in mind; this fact alone guarantees a vast number of holes." (Dennis Ritchie)
- "In the context of the Cold War, the worst possible thing was to imagine two blind men in a room with machine guns. Intelligence was a stabilizing phenomena in international relations in a way that I thought liberals were blind to." (Whitfield Diffie, interview in CISO Magazine)
- "But anytime you have the ability to automate something, there's always the potential for misuse." (Scott Culp)
- "The cure shouldn't be worse than the disease." (Chuck Cole)
- "The number of errors in computer code is proportional to the square of the size of the program. Many are potential security leaks." (David Kahn)
© 2003-2007 Dirk Loss - Last Changed: 2007-07-07