When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:
- Application ID
- Application role or group
- Membership in a local server group, Active Directory (AD) group, or UNIX group
- Access to the application’s share and/or folder on the server
- Database ID
- Database role, including access permissions (read/write)
- Other permissions (from home-grown application code or an enterprise identity management system)
Filed under Audit, How to..., Security, Technology
The Taddong Security Blog has a great list of vulnerable web applications you can play with to learn and test your web hacking knowledge and pen-testing tools, handcuffs not included. In other words, you can enter and stay at the playground without going to jail.
Some of them you download and install on your own systems, some of them you run as virtual machines (VMs) or ISOs on your systems, and others are available on the web for your malfeasance pleasure.
Filed under Free, Security
Trend Micro’s Dave Asprey has posted 10 reasons not to virtualize.
I generally disagree with all of them (as I’ll explain later), but I think he missed the REAL #1 reason not to virtualize…
Filed under Technology, Top 10
If you want to learn about web hacking, Security Monkey highlights 2 videos and 2 books on the subject. The videos are very basic, run over an hour each, and are free to view.
The videos were presented by Dan Guido at Polytechnic Institute of New York University, a private technology university in Brooklyn, New York.
Filed under Free, Security, Technology
Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing. It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in it:
- “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.
Filed under Security
If you probe networks, systems, and applications, you need a GOOJ card to protect yourself and your job.
In How to Stay Out of Jail, I recommended that anyone who scans, probes, or pokes networks, systems, or devices should always carry a get-out-of-jail (GOOJ) card. I also provided some reasons why such a card is critical.
Filed under Audit, How to..., Security, Technology
Lenny Zeltser suggests 5 steps that mid-market organizations can take down the security path:
- Identify key data flows
- Understand user interactions
- Examine the network perimeter
- Assess the servers and workstations
- Look at the applications
Filed under Security
The International Telecommunication Union’s lead security study group (Study Group 17) has published a paper with general suggestions for writing secure applications. In the paper, each item is hyperlinked to additional information.
Filed under Security