“The thing about quotes from the internet is that it’s hard to
verify their authenticity” -Abraham Lincoln.
If you have spent any amount of time on the internet then
you have undoubtedly seen a meme with some variation of this quote next to a
picture of Abraham Lincoln. While it is
meant to be funny, it really does capture a huge problem with the Internet.
Danny Bradbury writes about the issue on the Naked Security
blog by Sophos. In the article titled Fake News: Mozilla Joins the Fight to Stop It Polluting the Web, Bradbury quotes Phillip Smith from Mozilla, who laments
that “Fake information is produced in exponentially larger quantities than
debunks can be produced”. That doesn’t
give a real warm fuzzy feeling to an IT professional who is trying to use the
Internet to find accurate and timely information on threats and vulnerabilities.
If you think about it, this really isn’t a new problem though. People have always had to consider
the source of information, and the same criteria for evaluating a source still apply
to the mountains of information on the Internet. If you start with a few of the key ‘W’ questions,
you can get a long way toward finding a credible source.
Who – Who is the author of the information? Is it an anonymous source from a website, or
is it a respected professional in the security field?
When – When was the information published? If it is not recent, does the information
still apply?
Why – Why did the author write the material? Are there any biases that need to be
considered?
What – What information can be independently verified?
So, with that in mind, what are the best places to turn? Fortunately, there are still many great
sources of information on the Internet that can help keep IT professionals up
to date with threats, vulnerabilities, and general news within the
industry. Here are some of the top sites that I go to for this information. The sites are a combination of government sites, well-known security professionals, and a few vendor websites. It is important to note that vendor sites are very unlikely to be critical of their own products; however, that does not mean they do not contain good information.
- US-CERT
- National Vulnerability Database
- Center for Internet Security
- Schneier on Security
- Krebs on Security
- Naked Security by Sophos
- Windows Defender Security Intelligence
- OWASP