Tag Archives: application

How to Audit User Access

How to Audit User AccessWhen checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

  • Application ID
  • Application role or group
  • Membership in an local server group, Active Directory (AD) group, or UNIX Group
  • Access to the application’s share and/or folder on the server
  • Database ID
  • Database role, including access permissions (read/write)
  • Other permission (from a home-grown application code or enterprise identify management system)

Continue reading

5 Comments

Filed under Audit, How to..., Security, Technology

Application Hacking Playground

handcuffsThe Taddong Security Blog has a great list of vulnerable web applications you can play with to learn and test your web hacking knowledge and pen-testing tools, handcuffs not included. In other words, you can enter and stay at the playground without going to jail.

Some of them you download and install on your own systems, some of them you run as virtual machines (VMs) or ISOs on your systems, and others are available on the web for your malfeasance pleasure.

Continue reading

2 Comments

Filed under Free, Security

Top 10 Reasons NOT to Virtualize

Trend Micro’s Dave Asprey has posted 10 reasons not to virtualize.

I generally disagree with all of them (as I’ll explain later), but I think he missed the REAL #1 reason not to virtualize…

Continue reading

Leave a comment

Filed under Technology, Top 10

Web Hacking 101

If you want to learn about web hacking, Security Monkey* highlights 2 videos and 2 books on the subject.  The videos are very basic and over an hour long, and are free for the viewing.

The videos were presented by Dan Guido at Polytechnic Institute of New York University, a private technology university in Brooklyn, New York.

Continue reading

Leave a comment

Filed under Free, Security, Technology

Shipley on Security Spend

Greg Shipley, founder of Neohapsis, wrote an article in Information Week magazine, this time about how ineffective most of the money spent on security defenses is against the attacks we’re facing.  It’s not a short article, but as I’ve said before, Shipley is always worth reading. Here’s what I found most interesting in the article:

  • “Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.

Continue reading

Leave a comment

Filed under Security

What Needs to be on a GOOJ Card?

If you probe networks, systems, and applications, you need a GOOJ card to protect yourself and your job.

In How to Stay Out of Jail, I recommended that anyone who scans, probes, or pokes networks, systems, or devices should always carry a get-out-of-jail (GOOJ) card. I also provided some reasons why such a card is critical.

Continue reading

9 Comments

Filed under Audit, How to..., Security, Technology

5 Security Steps for Non-Big Businesses

Lenny Zeltser suggest 5 steps that mid-market organizations can take down the security path:

  1. Identify key data flows
  2. Understand user interactions
  3. Examine the network perimeter
  4. Assess the servers and workstations
  5. Look at the applications

Continue reading

Leave a comment

Filed under Security