Challenge Yourself To Be Better


Posted by John Sawyer @ 12:56 PM ET | Mar 11, 2010

If you've been in the information security field for more than six months, then you know it's vital to stay on top of the latest threats, tools, and news to be effective at your job. That's why many of us love the field so much--it's always changing. And it challenges us.

Topics:   Evil Bytes



Cyberwarfare: Play Offense Or Defense?


Posted by Gadi Evron @ 12:09 PM ET | Mar 11, 2010

One of the key differences in military theory between Internet warfare and kinetic warfare is whether defense or offense are stronger. Here's a shortened version of an argument I am formulating about this matter following years of debate.

Topics:   Hacked Off



Energizer Bunny Gone Bad


Posted by Wolfgang Kandek @ 07:55 PM ET | Mar 10, 2010

Along with the usual security alerts covering the March bulletins from Microsoft and various content management systems flaws, US CERT published an unusual security alert about a product from Energizer, the battery company.

Comments(1)
Topics:   Security Views : Vulnerability Management Tech Center



New Analysis Tools For Windows Memory


Posted by John Sawyer @ 02:24 PM ET | Mar 8, 2010

Last week I looked at some creative uses of log analysis for detecting malware, and ways to acquire Windows physical memory for analysis. What I've seen time and time again is where those in charge of security don't even bother to log information from their systems and applications, leading them to a much larger incident response scenario than if they could detect it sooner.

Topics:   Evil Bytes



Facebook As A Spear-Phishing Tool


Posted by Steve Stasiukonis @ 09:42 AM ET | Mar 8, 2010

My company Secure Network has been performing a variety of penetration tests that leverage information derived from sites such as MySpace and Facebook.

Comments(1)
Topics:   Hacked Off



Acquiring Windows Memory For Incident Response


Posted by John Sawyer @ 02:57 PM ET | Mar 5, 2010

It was a busy week. Some of you made the annual trek out to San Francisco, while the rest of you were stuck working diligently in your office. Me...well, I'm in the latter group.

Topics:   Evil Bytes



Social Networks, Data Leaks, And Operation Security


Posted by Gadi Evron @ 05:30 AM ET | Mar 4, 2010

Following a Facebook update from a soldier on an upcoming operation, the Israeli Defense Forces (IDF) canceled an operation into the West Bank, illustrating how the connected world makes maintaining operational security (OPSEC) all the more difficult.

Topics:   Hacked Off : Insider Threat Tech Center



Creative Approaches To Malware Detection


Posted by John Sawyer @ 03:21 PM ET | Mar 1, 2010

Cyberwar and advanced persistent threats (APT) are fun terms thrown around a lot lately. Everyone seems to have their own slightly varied opinion on what they each mean. Personally, I don't care all that much what the different nuances of each are as long as I can understand the associated threats and deal with them appropriately.

Comments(3)
Topics:   Evil Bytes



Fight Malware With Software Restriction Policies


Posted by John Sawyer @ 04:13 PM ET | Feb 24, 2010

Good news for Department of Defense folks. They can now start using USB flash drives again -- provided there's absolutely no other way to transfer the data from point A to point B. OK, so maybe it isn't time to rejoice just yet.

Topics:   Evil Bytes



Twitter Phishing Attacks Asks, 'This You????'


Posted by Graham Cluley @ 09:47 AM ET | Feb 24, 2010

The wave of phishing attacks against Twitter users continues to catch unwary surfers.

Topics:   SophosLabs Insights



Firewalls And DIY Plug-Ins


Posted by Kelly Jackson Higgins @ 02:22 PM ET | Feb 23, 2010

Let's face it: Users love the concept of adding free plug-ins and apps to customize and empower the base software tool, whether it's in a smartphone or browser. Doing so is fun, it's cool, and it lets them personalize their software to augment or shape how they use it. Even firewall management has joined the plug-in party.

Comments(1)
Topics:   Dark Dominion



Enhancing Botnet Detection With Manpower


Posted by John Sawyer @ 02:14 PM ET | Feb 22, 2010

The average computer user (a.k.a. most of my family) doesn't have a fighting chance. I hate to say it, but the malware we're seeing on a daily basis makes this scary fact evermore true. There is absolutely no way that most home users are going to be able to protect themselves against modern malware like Zeus. Malware authors have become extremely good and proficient at what they do because it's making them money.

Topics:   Evil Bytes



Twitter Hit By BZPharma LOL Phishing Attack


Posted by Graham Cluley @ 06:30 AM ET | Feb 21, 2010

Twitter users are being warned not to click on messages saying, "lol, this is funny." Doing so can lead to their account details being stolen.

Topics:   SophosLabs Insights



Boosting Your Defenses Against Botnet Infections


Posted by Wolfgang Kandek @ 02:32 PM ET | Feb 19, 2010

In the past few weeks since the Google/China incident, we have seen a number of interesting blog posts and white papers that provide further details on some of the techniques used by the attackers.

Topics:   Security Views : Vulnerability Management Tech Center



Will Cyber Shockwave Make Some Waves?


Posted by Robert Richardson @ 10:11 PM ET | Feb 17, 2010

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

Topics:   CS Island



Mozilla's Add-On Policies And Spyware Surprises


Posted by Gadi Evron @ 05:39 PM ET | Feb 17, 2010

I've been using FlashGot on and off for years. It is a useful plug-in that helps you download multiple files from the same Web page "automagically." So when Firefox informed me about a new update for an add-on I've used for years, I clicked "OK" and updated it, only to find a surprise the next time I used Google.

Topics:   Hacked Off



Penetration Testing Is Sexy, But Mature?


Posted by John Sawyer @ 02:40 PM ET | Feb 17, 2010

The buzz generated from Core Security's move to integrate with the Metasploit Framework has left me a little puzzled. Don't get me wrong: I love Metasploit. It's a fantastic tool that has certainly been put through its paces as a pen-testing tool -- it's free, open source, and extremely accessible to aspiring security professionals. And, of course, I've heard great things about Core's flagship product, Impact Pro. But the deal just seems like an odd move.

Topics:   Evil Bytes



Measuring Database Security


Posted by Adrian Lane @ 07:58 AM ET | Feb 16, 2010

How much does it cost to secure your database, and how do you calculate that? One of the more vexing problems in security is the lack of metrics models for measuring and optimizing security efforts. Without frameworks and metrics to measure the efficiency and effectiveness of security programs, it's difficult both to improve processes and to communicate our value to nontechnical decision makers.

Topics:   Database Security Tech Center : Security Views



Oracle 0-Days


Posted by Adrian Lane @ 04:48 PM ET | Feb 12, 2010

During BlackHat, David Litchfield disclosed a security issue with the Oracle 10g and 11g database platforms. The vulnerability centers on the ability to exploit low security privileges to compromise Oracle's Java implementation, resulting in a total takeover of the database. While the issue appears relatively easy to address, behind the scenes this disclosure has raised a stir in database security circles. The big issue is not the bug or misconfiguration issue, or whatever you want to call it. The issue is ethical disclosure -- a topic over which the security research community remains hotly divided.

Comments(1)
Topics:   Database Security Tech Center : Security Views



Virtualization Vulnerabilities Up And Coming


Posted by Wolfgang Kandek @ 07:45 PM ET | Feb 11, 2010

Microsoft's February 2010 Patch Tuesday was one of the bigger releases for Microsoft and its clients in the past two years -- 13 bulletins addressing 26 vulnerabilities.

Comments(1)
Topics:   Security Views : Vulnerability Management Tech Center



Sights, Sounds (And Snow) Of ShmooCon 2010


Posted by Kelly Jackson Higgins @ 05:49 PM ET | Feb 11, 2010

There are hacker conferences, and then there's ShmooCon. The annual East Coast convention was held during a major snowstorm in Washington, D.C., but that didn't stop researchers from sharing their latest exploits, hardware, and software inventions, and huddling over discussions about the latest security issues.

Topics:   Dark Dominion



How Much Crypto You Really Need


Posted by Gadi Evron @ 03:48 AM ET | Feb 11, 2010

Last month an international team of researchers announced they had managed to factor a 768-bit RSA key. This raises interesting questions about handling encryption and planning ahead in your security strategy.

Topics:   Hacked Off



Dark Reading Launches New Database Security Newsletter


Posted by Tim Wilson @ 01:49 PM ET | Feb 10, 2010

One of the things we've learned in publishing Dark Reading is that a pretty wide range of people work under the title of "security professional." There are techies and managers, risk managers and privacy people, white hats and black hats. Not surprisingly, they aren't all interested in the same news and information.

Topics:   Dark Dominion : Database Security Tech Center



Speeding Incident Response With 'Indicators' Of A Compromise


Posted by John Sawyer @ 01:39 PM ET | Feb 10, 2010

Advanced persistent threat: I like the term -- it sounds evil, and it is...well, at least I think it is. There has been a lot of news, opinions, and genuine FUD on APT since Google went public with news of its breach several weeks ago. Until then, I really don't think anyone ever paid much attention to what APT was, even though well-respected people, like Richard Bejtlich and the folks at Mandiant, have been talking about it for a while.

Topics:   Evil Bytes



Amazon's SimpleDB Not Your Typical Database


Posted by Adrian Lane @ 04:08 PM ET | Feb 6, 2010

Several cloud providers offer databases specifically designed for cloud deployment. Amazon's SimpleDB, while technically a database, deviates from what most of us recognize as a database platform. Although SimpleDB is still in prerelease beta format, developers have begun designing applications for it.

Comments(1)
Topics:   Database Security Tech Center : Security Views



