Responding to a Compromised System Alert

Thanks to the data from the HITME, I interact with a lot of people and organizations that have compromised machines.

The Media Makes PCI Compliance “Best Defense”?

I have seen a lot of hype in my day, but this one is pretty much not funny. Below is a link to a mainstream media trade magazine for the hospitality industry in which the claim is made that PCI compliance is the “best defense” hotels and the like can have against attackers and data theft.

Now, I agree that hospitality folks should be PCI compliant, since they meet the requirements by taking credit cards, but setting PCI DSS as the goal is horrible enough. Making PCI out to be the “best defense” is pretty ridiculous. PCI DSS and other standards are called security BASELINES for a reason. That is, they are the base of a good security program. They are the MINIMUM set of practices deemed to be acceptable to protect information. However, there is, in almost all cases, a severe gap between the minimum requirements for protecting data and what I would quantify as the “best defense”.

There are so many gaps between PCI DSS as a baseline and “best defense” that it would take pages and pages to enumerate. As an initial stab, just consider these items from our 80/20 approach to infosec that are left out of PCI: formalized risk assessment (unless you count the SAQ or the work of the QSA), data flow modeling for data other than credit card information, threat modeling, egress controls, awareness, incident response team formation, and even skills gap/training for your security team.

My main problem with PCI is not the DSS itself, but how it is quickly becoming the goal for organizations instead of the starting line. When you set minimums and enforce them with a hammer, they quickly come to be viewed as the be-all, end-all of the process and the point at which the pain goes away so you can focus on other things. This is a very dangerous position, indeed. Partial security is very costly and, at least in my opinion, doing the minimum is pretty far away from being the “best defense”.

Netsparker Professional Edition, by Mavituna Security, is a web application scanner focused on finding unknown flaws in your applications. It can find a wide range of vulnerabilities including SQL injection, cross-site scripting, local and remote file inclusion, command injection and more.

Installation of the software was easy, and, as Mavituna Security touts, the license is non-obtrusive. Starting the application, you are presented with a nice, well-designed GUI that shows quite a lot of information. To start a scan, it can be as simple as just putting in a URL. It is very easy for non-security professionals to set up and use. There are also profiles you can configure and save. It’s possible to configure a form login through a very well designed wizard.

The main draw of Netsparker is the confirmation engine, which is how Netsparker claims to be false-positive free. The confirmation engine takes the vulnerability and actually confirms that it’s exploitable. If it’s exploitable, it’s definitely not a false positive. A neat feature for identified SQL injection vulnerabilities is that Netsparker allows you to exploit them right through the scanner. You can run SQL queries, or even open a shell (depending on the DB and its configuration). Directory traversal vulnerabilities can be exploited to download the whole source of the application, since Netsparker already knows all the files, and other system files can also be retrieved and saved through the interface.

We set Netsparker to scan our web application lab, which contains known vulnerabilities covering the OWASP Top Ten Project. We noticed that Netsparker did a very good job at spidering and finding a high number of attack surfaces. On vulnerabilities, Netsparker did a great job of finding SQL injections, cross-site scripting, and directory traversals. On one vulnerability, I thought I might have gotten Netsparker to report a confirmed false positive, but it turns out I was wrong: after I used the built-in query maker and ran a query, I got data back.

Overall, I think Netsparker is an excellent tool, especially effective at finding SQL injections and cross-site issues. Of course, I wouldn’t say it is the only scanner you should have, but definitely consider adding it to your repertoire.
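To make concrete what a confirmed SQL injection finding means (data actually comes back from an injected condition, as with the query maker in the review above) and why a correctly written query never confirms, here is an added Python example that is not part of the original post and is not Netsparker's code. It uses a constructed in-memory SQLite table, a concatenated query beside its parameterized form, and a simplified true/false differential check that stands in for a scanner's confirmation engine; all names and data are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a lab application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 1), (2, "gadget", 1), (3, "prototype", 0)])
    return conn

def vulnerable_search(conn, term):
    """String concatenation: whatever the scanner sends becomes part of the SQL text."""
    sql = ("SELECT name FROM products WHERE public = 1 AND name = '" + term + "'"
           " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def hardened_search(conn, term):
    """Parameterized query: the term is bound as data and cannot alter the statement."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]

def confirm_sqli(search, conn):
    """Simplified model of a confirmation step (an assumption, not Netsparker's engine).

    A finding is reported as confirmed only when an always-true and an always-false
    injected condition, attached to the same non-matching term, yield different
    result sets. Returns (confirmed, rows from the true probe) so the reviewer can
    see exactly what data came back.
    """
    probes = {
        "true": "nosuchname' OR 'x'='x",   # widens the WHERE clause if concatenated
        "false": "nosuchname' OR 'x'='y",  # matches nothing either way
    }
    try:
        results = {kind: search(conn, term) for kind, term in probes.items()}
    except sqlite3.Error:
        # A database error is a hint, not proof of exploitability: a confirmation
        # engine would leave this as "possible" rather than "confirmed".
        return False, []
    return results["true"] != results["false"], results["true"]

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", vulnerable_search), ("hardened", hardened_search)):
        confirmed, rows = confirm_sqli(fn, db)
        print(f"{label:10s} confirmed={confirmed} rows={rows}")
```

The concatenated version is confirmed and hands back every row, including the non-public one, while the parameterized version returns nothing for either probe and is never confirmed.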