
Cyber Readiness and Response

franklin-witter | 15 Mar 2013 | 0 comments

Last month, Symantec hosted its 2nd annual internal CyberWar Games and I had the privilege of joining Efrain Ortiz, Ben Frazier, and JR Wikes as part of team Avengers. For five days, we worked on limited sleep, grinding our way through the process of hacking systems and applications to capture flags and rack up enough points to secure our team a spot in the finals. Along the way, I made a couple of observations that I thought would be worth passing along.

Lesson #1: Vulnerability Scanners LIE!!!

…or at least they don’t always tell the full story. If we had believed the results we got back from the vulnerability scans we ran against the systems in the CyberWar environment, we would not have made it very far. You see, our scans showed that there were no “Critical” or high-risk vulnerabilities present on the systems scanned and there were no useful “Medium” or “Low” vulnerabilities. What was...

franklin-witter | 13 Mar 2013 | 0 comments

With the continued uncertainty lingering in the global economy, I think it is likely that spending on new information security initiatives will continue to be highly scrutinized. This isn’t to say that security initiatives won’t go forward, just that CISOs and Security Directors will probably have to do more to justify the need for their organization to part with precious capital resources needed to fund these projects. As a result, security leaders will have to be very intentional in their approach to security in order to secure funding needed to improve or expand security operations. As I thought about how I might approach this challenge if I were back in the role of CISO, there are three key actions I would recommend to lay a foundation for justifying any new security initiatives.

Take Inventory

Before embarking on any new initiatives, I think that it is very important for organizations to take...

PaulTobia | 11 Mar 2013 | 3 comments

Over the past few months I’ve noticed a disturbing trend in our industry to talk more about “offensive security.” People are writing and tweeting about “active defenses” or “strikeback capabilities” but it all points to a movement that is at best a confusing use of terminology and at worst a dangerous allocation of resources for almost any organization.

I get the appeal though. Offense is much sexier than defense. Competitions are won by scoring more points than your opponent, not having your opponent score fewer points than you. The hero in almost every action story will eventually make the bad people pay in some violent fashion. Even within security the amount of discussion around successful hacks, the results of scans and pen-tests, and what’s the latest vulnerability still dominates what we write and read.

With the increase in targeted attacks we know that there’s someone behind the attacks. There’s a...

Phil Harris | 07 Mar 2013 | 0 comments

I came across this article (see link below) not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there. Most sites where we put our information seem really innocuous and quasi-safe because we don’t think the site is very interesting to anyone but ourselves and a handful of others with similar interests. It seems like it almost becomes a “second nature” activity to just blindly assume that Internet sites that don’t ask for your credit card are okay because, well, it’s just my name, and maybe my phone number and/or address.

When it comes to using ecommerce sites we all expect a certain level of security to protect our financial data. When it comes to non-ecommerce sites, it seems like there’s less thought given about the ramifications of what happens when you provide your personal information. For example, job...

rshaker2 | 05 Mar 2013 | 0 comments

Authored by Kevin Riggins, Enterprise Security Architect, Fortune 500 Financial Services Organization

Thanks to Kevin for allowing us to cross post his article. Visit his blog for the article with its images.

On Friday, March 1st, 2013, I delivered my first RSA USA talk. It was a 20 minute talk on the need for and the value of an Enterprise Security Architecture. In addition to extolling the benefits of an EISA, I also provided a high level description of what one should look like and a quick blue print of how we go about starting down the path of developing one. Below is the text of the talk. I tend to wing it a bit during my talks so it is not a verbatim transcript, but all the thoughts and ideas are there. You can download the...

Joseph.Rogalski | 05 Mar 2013 | 0 comments

So what is the big deal if a few of my corporate PCs are infected with malware? What’s the worst that can happen? In this post I want to cover what can be done with a compromised PC and why it is a big deal. Many Security Managers minimize the importance of having clean PCs on their networks and comment, “What is the worst that can happen?” We will walk through why it is extremely important to be diligent about protecting your endpoints.

Some “what ifs” to think about; these are the more obvious risks if a user’s PC is infected:

What if account credentials were harvested and used to access internal corporate information, or to place fraudulent orders within your internal systems? How would you know and what could you do about it?

What if access was granted to the user’s corporate email? Sending phishing emails internally or externally from what is a trusted email address and further...

Joseph.Rogalski | 28 Feb 2013 | 0 comments

While managing Operational Risk for a large IT organization, one of my responsibilities was to work with Corporate Operational Risk to define Key Risk Indicators (KRIs). KRIs were monitored at a corporate level. We took the easy route by using canned reports that were already in production rather than taking the time to evaluate what may be useful to measure. We looked at things such as spam activity and external firewall activity. These KRIs provided very little value, as they were not actionable. If blocked spam activity went up or down, what could be done about it? If the firewalls were being scanned more frequently, was there much, if anything, we could do? When I speak with clients today about reporting and KRIs, I encourage them to measure and report on areas where action can be taken and is useful to the organization.

I recently dealt with a number of customers who experienced MAJOR Severity 1 issues. The impact and...

vince_kornacki | 26 Feb 2013 | 0 comments

Ready for one last slick web application penetration test trick? In this installment we'll explore a subtle and often overlooked vulnerability related to web application authentication. In response to the login request containing posted authentication credentials the web application should return a "302 Found" redirect with a corresponding "Location" header specifying the next page within the application workflow. However, many web applications instead return a "200 OK" response without including this intermediate redirect. So what’s the problem?

In essence, browsers choose whether to resubmit posted data back to web applications based on the response codes returned by the web application. When a "200 OK" response code is received, the information originally submitted to the web application will be resubmitted when the "Back" button is clicked. However, when a "302 Found" redirect is received, the...

vince_kornacki | 22 Feb 2013 | 0 comments

Ready for another cool web application penetration test trick? In this installment we'll cover clickjacking, also known as "UI redressing". Clickjacking is an instance of the classic "confused deputy" problem, and occurs when attackers leverage framesets and stylesheets in order to create opaque bottom and transparent top layers within the victim's browser. The target web application is loaded within the transparent top layer, while a dummy web application is loaded within the bottom opaque layer. By aligning elements between the transparent top and opaque bottom layers, attackers entice the victim to click on something within the opaque bottom layer, but the transparent top layer hijacks the click and performs some unintended action.

For example, the dummy web application loaded within the opaque bottom layer could inform the victim that they have won $1,000 and they simply need to click the "Claim Prize" button in order to cash in....

vince_kornacki | 19 Feb 2013 | 2 comments

Performing a web application penetration test is not voodoo magic, but rather an exercise in knowledge, prioritization, and efficiency. During years of hard work penetration testers hone their methodology and develop efficient ways of applying their knowledge in order to identify specific vulnerabilities. The "Web Application Penetration Test Tricks" blog series will examine simple methods for testing some interesting web application vulnerabilities. In other words, we'll take a look at some tricks of the trade that you can implement while performing penetration tests against your own web applications!

Many web applications implement file upload functionality using an `<input type="file">` field. The file is uploaded to the server where the web application does something with it, often storing the file for subsequent download by other application users. What if a file containing a virus could be uploaded? Could the virus be spread to other...