Month: April 2011

SANS Top 20 Critical IT Controls. #13: Control Network Ports, Protocols and Services

You may think that since you have secured your network through firewalls and intrusion prevention devices, you must be secure. Not so fast! Attackers are constantly on the prowl, looking for any server or service they can exploit in your network. For example, a poorly configured web or mail server can be identified with an unauthorized external network scan. It’s not uncommon for a software package to automatically install an Apache server, for example, without the administrator or installer being […]

OWASP Top Ten Most Critical Web Application Risks. #1: Injection Flaws

The Open Web Application Security Project (OWASP) releases a list of the top ten web application vulnerabilities each year. OWASP is a non-profit open community dedicated to helping organizations develop and maintain trusty worthy web applications. The OWASP Top Ten represents the consensus option in the field about the most critical web application security flaws. Companies can perform web application vulnerability assessments to ensure they can find if those applications contain any of the vulnerabilities in the Top Ten list. […]

The Amazon cloud outage and the future of Cloud Computing

Amazon’s cloud service, which provides services to several well-known companies, such as Quora and FourSquare, suffered an outage for more than 24 hours between April 21-22, at its Northern Virginia Data Center. Amazon spreads out its data cloud infrastructure throughout the country, but the clients who were being supported from this center have experienced downtime – meaning their users couldn’t log into the company’s websites. This brings up the question as to whether one of the strongest selling points of […]

State of the Security Work Force 2011

Frost & Sullivan and the security professional group (ISC)2 recently conducted a survey on the state of security work force. The survey’s leader says that information security professionals are too busy with their day-to-day work to devote enough time for security related work. This inability to focus on security work leaves IT security professionals unprepared for major technological changes such as cloud computing and the increasingly sophisticated spectrum of application security threats. The survey’s report states that companies are potentially […]

SANS 20 Critical IT Security Controls: #12: Malware Defenses

One of the most vulnerable security areas is malicious software that hackers piggyback on to steal your data. Companies may suddenly find their E-Mail systems hacked because an employee unwittingly opened a malicious email attachment. Hackers target companies through malicious software that gains entry to your system though email attachments, web browser and mobile devices. To counteract malware, you must use antivirus and anti spyware software. Tools such as this can detect malware and block their execution. If you want […]

Microsoft Enterprise Agreement: Watch That True-up

If you have 250 computers in your organization, you probably have a Microsoft Enterprise Agreement (EA). A perpetual license, the EA is designed to standardize the Microsoft products enterprise-wide, while providing the most current version. Microsoft and its resellers love EAs because it brings recurring revenue with its three-year agreement and maintenance fees. Under an EA, the organization has a standard yearly “True-up”, where full payment is required for any new usage on products included in the EA for the […]

OWAP Top Ten – #3. Broken Authentication and Session Management

One of the most vulnerable areas of web applications is the authentication and session management. Weak authentication and session management enlaces hackers to steal passwords, session tokens, encryption keys and even assume the identity of legitimate users. Session IDs are frequently exposed without the SSL or TSL protection or revealed through the rewriting of URLs. The attackers could be external hackers or insiders who want to use other user’s accounts to perform malicious acts. The problem is caused mainly because […]

Big Brother made me do it!

Our personal favorite hacker, Albert Gonzalez, said that the government knew about his theft of 130 million credit and debit card numbers from Office Max, TJX, Heartland Payment Systems and Dave & Busters. In fact, he filed a 25-page petition seeking to overturn his 20-year sentence. The Secret Service declined to give comment. Within 5 years, Gonzalez collected $2.8 million. Now, he is saying that it was all government sanctioned. By all means, let’s pass the buck.

In Archive