White Papers

Attack Vectors

This report analyzes the attack vector data that SecureState collects. SecureState’s Attack and Defense team conducts hundreds of penetration tests each year across multiple industries, and tracks the attack vectors our penetration testers use during those assessments. From that data, SecureState has identified the top five attack vectors attackers use to break into an organization.

» Download White Paper

Security Spending

This report analyzes the spending habits of a select number of clients as they relate to security. Spending is broken down into three categories: products, assessments, and personnel. Security spending is also compared to a company’s size, as determined by its revenue.

» Download White Paper

The Hands-Off Approach: Using Cisco's VMDC to Reduce Pain While Achieving FISMA Compliance

This white paper discusses how Cisco’s Virtualized Multiservice Data Center (VMDC) validated architecture can help organizations reduce the overhead costs and implementation complications as they become compliant with the Federal Information Security Management Act (FISMA).

» Download White Paper

The Problem With Privacy

From maintaining relationships to sparking revolutions, popular networks like Facebook, Twitter, and Instagram allow people to connect across borders and language barriers. For all of its benefits, however, Internet-based Social Media is not without dangers.

» Download White Paper

Assess Your Security Risk With SecureState's Simple iRisk Equation

SecureState's free iRisk Equation whitepaper discusses a simple method for assessing your organization’s security risk that fits within frameworks such as ISO 27005 and can be implemented at virtually any organization, regardless of size.

» Download White Paper
» iRisk Wiki Page

"We're Under Attack!" Incident Response Testing and How it Applies to You

Systems are compromised every day. How do we respond to these attacks and compromises? Do we simply throw our hands up and concede defeat? Do we ‘wipe and reload’ every time a toolbar gets installed? How do we even know what our response capabilities are? In this white paper, we will discuss one of the best ways to validate your organization’s ability to respond to an attack – through Incident Response Testing.

» Download White Paper

All is MIFARE in Love and War

While the external network may be impenetrable, what keeps an attacker from walking in the front door and plugging his laptop into the network, or removing sensitive files from an employee’s desk?

» Download White Paper

Cash Is King: Who's Wearing Your Crown? Accounting Systems Fraud in the Digital Age

Project Mayhem, a proof-of-concept tool that makes accounting fraud easy and potentially undetectable, was released in December 2012 at the Black Hat Abu Dhabi briefings. The research behind Project Mayhem is thoroughly documented in this whitepaper.

» Download White Paper

Penetration Tester Assessment Worksheet

A worksheet designed to assist an auditor in selecting a penetration tester.

» Download White Paper

Data Discovery: Identify, Protect, Classify and Control

Data is an important asset to an organization, as well as to its business partners and customers.

It is crucial to develop Data Classification, Data Security Controls, Storage and Destruction Controls, and Incident Impact Plans in an organization. Data Discovery assessments are an excellent way to identify data and establish these plans.

» Download White Paper

Top 9 ½ Signs Your Vulnerability Management Program is Failing

Performing hundreds of Vulnerability Assessments for clients, I encountered many Vulnerability Management Programs which provided little value to the organization. The problems in some Programs were so severe they easily could be placed in the following list.

» Download White Paper

The Importance of Firewalls and Segmentation: Using a Firewall Ruleset Review to Assess Your First Line of Defense

This whitepaper discusses the basics of firewalls and the relationships between firewalls, segmentation, and the PCI DSS. It also presents a step-by-step discussion of firewall ruleset reviews, along with discussion of tight firewall rules, PCI scope, security levels, and bastion hosts.

» Download White Paper
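The ruleset review described in the paper above is a manual, step-by-step process; the following is an added example (not code from the whitepaper or from SecureState) of the mechanical part of such a review. It walks a constructed, vendor-neutral ruleset in order and flags the findings a reviewer looks for first: any-to-any allows, untrusted sources reaching the cardholder data environment (CDE) directly, rules shadowed by an earlier rule so they can never match, and a missing final default deny. The rule format, the sample rules and the CDE range 10.10.20.0/24 are all assumptions made for the example.

```python
"""Mechanical checks for a firewall ruleset review (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    rid: int
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    port: str     # "443", "1024-65535" or "any"
    comment: str = ""


# Constructed sample ruleset, evaluated top to bottom, first match wins.
RULESET = [
    Rule(1, "allow", "any", "10.10.20.5/32", "tcp", "443", "public web server (sits inside the CDE)"),
    Rule(2, "allow", "10.0.0.0/8", "10.10.20.0/24", "tcp", "1433", "internal hosts to CDE database"),
    Rule(3, "allow", "10.1.0.0/16", "10.10.20.10/32", "tcp", "1433", "HQ to CDE database"),
    Rule(4, "allow", "any", "any", "any", "any", "temporary - troubleshooting"),
    Rule(5, "deny", "any", "any", "any", "any", "default deny"),
]


def port_range(p):
    """Translate a port spec into an inclusive (low, high) tuple."""
    if p == "any":
        return (0, 65535)
    if "-" in p:
        lo, hi = p.split("-", 1)
        return (int(lo), int(hi))
    return (int(p), int(p))


def addr_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def covers(outer, inner):
    """True if every packet matched by `inner` is already matched by `outer`."""
    if not (addr_covers(outer.src, inner.src) and addr_covers(outer.dst, inner.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    olo, ohi = port_range(outer.port)
    ilo, ihi = port_range(inner.port)
    return olo <= ilo and ihi <= ohi


def review(rules, cde="10.10.20.0/24"):
    """Return a list of (rule id, finding) tuples; rule id None means a ruleset-wide finding."""
    cde_net = ipaddress.ip_network(cde)
    findings = []
    has_default_deny = False
    for i, r in enumerate(rules):
        if r.action == "allow":
            if r.src == "any" and r.dst == "any":
                findings.append((r.rid, "any-to-any allow; restrict to specific hosts and services"))
            elif r.src == "any" and r.dst != "any" and \
                    ipaddress.ip_network(r.dst, strict=False).overlaps(cde_net):
                findings.append((r.rid, f"untrusted source reaches CDE {cde} directly; front it with a DMZ host"))
        elif r.src == "any" and r.dst == "any" and r.proto == "any" and r.port == "any":
            has_default_deny = True
        # A rule fully covered by an earlier rule can never match (shadowed rule).
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.rid, f"shadowed by rule {earlier.rid}; it can never match"))
                break
    if not has_default_deny:
        findings.append((None, "no explicit default deny at the end of the ruleset"))
    return findings


if __name__ == "__main__":
    for rid, msg in review(RULESET):
        print(f"rule {rid}: {msg}")
```

Note that the shadowing check ignores the action on purpose: rule 5 (the default deny) is reported as shadowed by rule 4, which is exactly the problem with a "temporary" any-to-any allow left in place. The checks are a starting point for the review, not a substitute for reading each rule against its business justification.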

How to Get From Scans to a Vulnerability Management Program

Many organizations falsely equate a vulnerability scanner with a Vulnerability Management Program. A scanner is important to the overall program, but can only help with a few processes on its own. This paper discusses the processes involved in a Vulnerability Management Program, while focusing on tasks that vulnerability scanners like Qualys and Nexpose can either directly perform or assist with.

» Download White Paper

PA-DSS Validation Requires Technical Expertise

When a payment application must be PA-DSS Validated, the following are needed: technical expertise to interpret the PCI SSC's PA-DSS accurately, forensics experience to begin the PA-DSS Validation properly, and technical writing skills to develop the PA-DSS Implementation Guide.

» Download White Paper

It Takes a Team: Building a Resilient Information Security Program

This Whitepaper presents the concept of organizations working toward resiliency, aided by information security professionals in five distinct teams. Advisory Services, Profiling & Penetration, Audit & Compliance, Risk Management, and Business Preservation Services professionals combine their skills and expertise to foster and support organizational resiliency. The paper uses an analogy of a boxer whose corner people help him to become resilient by managing, training, and sparring with him.

» Download White Paper

Don't Drop the SOAP

This whitepaper will discuss the new security issues with web services, describe a new web service testing methodology, discuss new Metasploit modules and exploits for attacking web services, and introduce a collection of open source vulnerable web services designed to be used within the Damn Vulnerable Web Application (DVWA) that can be used by penetration testers to test web service attack tools and techniques.

» Download White Paper

Exploiting WebPAM for Remote Access

This white paper discusses and illustrates how to exploit a vulnerability in certain versions of Promise Technology's Web based Promise Array Management (WebPAM) Software in order to obtain remote command execution on the server on which WebPAM is running. The WebPAM software is used to "simplify RAID storage management". The attack takes advantage of a publicly accessible interface which allows SQL commands to be run on the underlying HSQL database. Using this interface it is possible to create a stored procedure which allows an attacker to compromise the underlying operating system.

» Download White Paper

Building Security into Your Software Development Life Cycle

This Whitepaper discusses the necessity and process of building security into your Software Development Life Cycle (SDLC). It covers the steps needed to undertake the process while avoiding common pitfalls, and looks at where security needs to fit into the SDLC.

» Download White Paper

SiteScape TCL Code Injection

SiteScape Enterprise Forum is a web application that provides a large scale collaborative environment. It is used by many organizations for communication and documentation. The application itself is capable of running on both IIS and Apache, making it an attractive solution to a variety of companies. Part of the power behind SiteScape Forum is the ability for it to be extended with custom code by the developers. It is through this functionality that it can be exploited to ultimately compromise the server. This white paper will discuss practical exploitation of a vulnerability within a specific resource of the SiteScape Forum web application.

» Download White Paper

An Army of Bots

This white paper delineates the threats that botnets pose and goes over the history and proliferation of botnets. In addition, it outlines security controls that can mitigate the risk.

» Download White Paper

Profiling User Passwords on Social Networks

This is a whitepaper on how to determine passwords for social network accounts through information posted on the profiles of social network users.

» Download White Paper
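As an added example of the profiling idea in the paper above (not code from the whitepaper or from SecureState), the block below builds a targeted candidate wordlist from the kind of details people publish on a profile: names, a birthday, a pet, a partner, a home town, a favorite team. It combines those tokens with case and leet variants, common suffixes and date fragments, and then filters by length. The profile is constructed for the example, and the suffix list and length bounds are assumptions; the same generator applies to any profile dictionary with these keys.

```python
"""Candidate password wordlist from profile details (added example, constructed data)."""
import itertools
from datetime import date

# Constructed profile; nothing here refers to a real person.
PROFILE = {
    "first": "Jane",
    "last": "Doe",
    "birthday": date(1987, 4, 12),
    "pet": "Rex",
    "partner": "Tom",
    "city": "Cleveland",
    "team": "Browns",
}

# Assumed common suffixes and a small leet substitution table.
SUFFIXES = ["", "!", "1", "123", "#"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def base_tokens(profile):
    """Words worth trying on their own, taken straight from the profile."""
    keys = ("first", "last", "pet", "partner", "city", "team")
    toks = {profile[k] for k in keys if profile.get(k)}
    toks.add(profile["first"] + profile["last"])
    return toks


def date_tokens(d):
    """Fragments of a birthday that commonly get appended to a word."""
    return {
        str(d.year),
        f"{d.year % 100:02d}",
        f"{d.month:02d}{d.day:02d}",
        f"{d.day:02d}{d.month:02d}",
        f"{d.month:02d}{d.day:02d}{d.year % 100:02d}",
    }


def variants(tok):
    """Case and leet variants of one token."""
    low = tok.lower()
    yield low
    yield low.capitalize()
    yield low.upper()
    yield low.translate(LEET)


def profile_wordlist(profile, min_len=6, max_len=16):
    """Return a sorted, de-duplicated list of candidates within the length bounds."""
    words = set()
    dates = date_tokens(profile["birthday"])
    tokens = base_tokens(profile)
    for tok in tokens:
        for v in variants(tok):
            for s in SUFFIXES:
                words.add(v + s)
            for d in dates:
                words.add(v + d)
                words.add(d + v)
    # Two profile words joined, e.g. pet + partner, in either order.
    for a, b in itertools.permutations(tokens, 2):
        words.add(a.lower() + b.lower())
    return sorted(w for w in words if min_len <= len(w) <= max_len)


if __name__ == "__main__":
    wl = profile_wordlist(PROFILE)
    print(len(wl), "candidates; sample:", wl[:10])
```

The list is small enough to try against a lockout-aware login or an offline hash set, which is the point: a few hundred profile-derived guesses often succeed where a generic dictionary of millions does not. It is also a useful self-check for users and administrators, since any password that appears in the output was predictable from public information.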

Security Gaps in Social Media Websites Open Door to Attackers Who Prey On Children

This is a case study of an information security analysis of many leading social media websites designed for children. This paper presents the findings of Web application security reviews of multiple sites, and discusses where the sites are proficient and, more importantly, gaps identified which could allow an attacker to prey on children.

» Download White Paper

Why Many Banks Are Not PCI Compliant

SecureState's Matt Davis discusses the business challenges banks face in becoming PCI compliant given their many roles, and why it is likely that most are out of compliance.

» Download White Paper

Mainframes: The Ticking Time Bomb

SecureState's Matt Davis discusses why Mainframe systems aren't as robust in information security as many think. He discusses how they are the core of processing all critical data and transactions and how they can easily be breached in most environments.

» Download White Paper

Web App Encryption: The Next Security by Obscurity

SecureState discusses a manufacturing company's Internet facing media portal and its use of encryption on top of the Web application in an attempt to thwart attacks from hackers.

» Download White Paper

Social Media Guidelines

Official guidelines for social media at Company XYZ.

» Download White Paper

Small Business, Big Security

In this paper, SecureState President and CEO Ken Stasiak explains in detail the simple, cost effective steps small organizations can take to keep their information secure.

» Download White Paper

HIPAA Compliance and Security

SecureState's Matt Davis discusses HIPAA and those individuals who must abide by it to understand the current state of compliance. In addition, he discusses what needs to change to avoid involving FEMA or DHS.

» Download White Paper

Bypassing Hardware based Data Execution Prevention

SecureState's own Dave Kennedy has released another Windows Exploit, Bypassing Hardware Based Data Execution Prevention (DEP) on Windows 2003 Service Pack 2.

» Download White Paper