White Papers
The Importance of Firewalls and Segmentation: Using a
Firewall Ruleset Review to Assess Your First Line of Defense
This whitepaper discusses the basics of firewalls, and
the relationships between firewalls, segmentation, and the
PCI DSS. Also presented is a step-by-step discussion of
firewall ruleset reviews; as well as discussion about tight
firewall rules, PCI scope, security levels, and bastion
hosts.
» Download White Paper
PA-DSS Validation Requires Technical Expertise
When a payment application must be PA-DSS Validated, the
following are needed: technical expertise to interpret the
PCI SSC's PA-DSS accurately; forensics experience to begin
the PA-DSS Validation properly, and technical writing skills
to develop the PA-DSS Implementation Guide smoothly.
» Download White Paper
It Takes a Team: Building a Resilient Information
Security Program
This Whitepaper presents the concept of organizations
working toward resiliency, aided by information security
professionals in five distinct teams. Advisory Services,
Profiling & Penetration, Audit & Compliance, Risk
Management, and Business Preservation Services professionals
combine their skills and expertise to foster and support
organizational resiliency. The paper uses an analogy of a
boxer whose corner people help him to become resilient by
managing, training, and sparring with him.
» Download White Paper
Don't Drop the SOAP
This whitepaper will discuss the new security issues with
web services, describe a new web service testing
methodology, discuss new Metasploit modules and exploits for
attacking web services, and introduce a collection of open
source vulnerable web services designed to be used within
the Damn Vulnerable Web Application (DVWA) that can be used
by penetration testers to test web service attack tools and
techniques.
» Download White Paper
Exploiting WebPAM for Remote Access
This white paper discusses and illustrates how to exploit
a vulnerability in certain versions of Promise Technology's
Web based Promise Array Management (WebPAM) Software in
order to obtain remote command execution on the server on
which WebPAM is running. The WebPAM software is used to
"simplify RAID storage management". The attack takes
advantage of a publicly accessible interface which allows
SQL commands to be run on the underlying HSQL database.
Using this interface it is possible to create a stored
procedure which allows an attacker to compromise the
underlying operating system.
» Download White Paper
9 1/2 Signs Your Vulnerability Management Program is
Failing
Performing hundreds of Vulnerability Assessments for
clients I encountered many Vulnerability Mgmt Programs which
provided little value to the organization. The problems in
some Programs were so severe they easily could be placed in
the following list.
» Download White Paper
Building Security into Your Software Development Life
Cycle
This Whitepaper discusses the necessity and process of
building security into your Software Development Life Cycle
(SDLC). The steps needed to undertake the process while
avoiding any pitfalls and we look at where security needs to
fit in to the SDLC.
» Download White Paper
SiteScape TCL Code Injection
SiteScape Enterprise Forum is a web application that
provides a large scale collaborative environment. It is used
by many organizations for communication and documentation.
The application itself is capable of running on both IIS and
Apache, making it an attractive solution to a variety of
companies. Part of the power behind SiteScape Forum is the
ability for it to be extended with custom code by the
developers. It is through this functionality that it can be
exploited to ultimately compromise the server. This white
paper will discuss practical exploitation of a vulnerability
within a specific resource of the SiteScape Forum web
application.
» Download White Paper
An Army of Bots
This white paper delineates the threats that botnets pose
and goes over the history and proliferation of botnets. In
addition, it outlines security controls that can mitigate
the risk.
» Download White Paper
Profiling User Passwords on Social Networks
This is a whitepaper on how to determine passwords for
social network accounts through information posted on the
profiles of social network users.
» Download White Paper
Security Gaps in Social Media Websites for Children Open
Door to Attackers Aiming To Prey On Children
This is a case study of an information security analysis
of many leading social media websites designed for children.
This paper presents the findings of Web application security
reviews of multiple sites, and discusses where the sites are
proficient and, more importantly, gaps identified which
could allow an attacker to prey on children.
» Download White Paper
Penetration Tester Assessment Worksheet
Worksheet designed with the intent of assisting an
auditor in the selection process of a penetration tester.
» Download White Paper
Why Many Banks Are Not PCI Compliant
SecureState's Matt Davis discusses many of the business
challenges for bank in getting PCI compliant with their many
roles and thus how likely it is that most are out of
compliance.
» Download White Paper
Mainframes A Ticking Time Bomb
SecureState's Matt Davis discusses why Mainframe systems
aren't as robust in information security as many think. He
discusses how they are the core of processing all critical
data and transactions and how they can easily be breached in
most environments.
» Download White Paper
Web App Encryption The Next Security by Obscurity
SecureState discusses a manufacturing company's Internet
facing media portal and its use of encryption on top of the
Web application in an attempt to thwart attacks from
hackers.
» Download White Paper
Small Business, Big Security
In this paper, SecureState President and CEO Ken Stasiak
explains in detail the simple, cost effective steps small
organizations can take to keep their information secure.
» Download White Paper
HIPAA Compliance and Security
SecureState's Matt Davis discusses HIPAA and those
individuals who must abide by it to understand the current
state of compliance. In addition, he discusses what needs to
change to avoid involving FEMA or DHS.
» Download White Paper
Bypassing Hardware based Data Execution Prevention
SecureState's own Dave Kennedy has released another
Windows Exploit, Bypassing Hardware Based Data Execution
Prevention (DEP) on Windows 2003 Service Pack 2.
» Download White Paper