NetSPI White Papers

An Approach to Enterprise Vulnerability Management

Author: NetSPI

Every day researchers and security testers uncover technical vulnerabilities that pose risks to the critical systems, processes, and data at organizations around the world. Some of these vulnerabilities are in operating systems, common services, and commercial applications.

However, with the proliferation of custom web applications and internally-developed client-server applications, more and more vulnerabilities relate to custom code.

Regardless of the origin, security stakeholders and asset owners must ensure that effective processes are in place to identify, analyze, and mitigate these vulnerabilities.

Benefits and Approaches to Developing a Best-Practice Vulnerability Management Program

Author: NetSPI

Vulnerability Management is a core information security discipline into which every organization should be investing substantial time and resources. This whitepaper provides an overview of the key elements of a well-developed Vulnerability Management Program, with an emphasis on the importance of extracting more value from proactively identified security vulnerabilities than simply creating piece-meal trouble tickets. Upon reading this paper, security and compliance administrators will have a best-practice approach to audit their present programs against; or if the topic is new to them, the paper will help them take their first steps to begin creating their own Vulnerability Management Program.

Care and Feeding of your PCI DSS Compliance Program

Author: NetSPI

The DSS does little to protect your cardholder data and systems if you think of it as something that you only have to do once a year. Maintaining your program should be like maintaining your house: don’t wait to fix that leaky pipe, repair the broken window, fix the lock on the door, and take out all of the trash right before your mother-in-law shows up - you don’t want to deal with it all at once, and neglect can lead to increased effort, expense, security gaps, and non-compliance. Similarly, following a scheduled maintenance routine can help you purge unnecessary accounts and data, provide visibility into your processes, train personnel, and ensure that different business units are aware of and performing their expected duties.

The cheat sheet in the following whitepaper was developed to help you prioritize, schedule, and assign responsibility for the tasks that must be performed on a periodic basis to meet DSS 2.0 requirements. Throw this in a spreadsheet, update your group calendar, or transfer this to your GRC tool, and then off to the beach for a Mai-Tai!

Clarifying Penetration Testing: A Commonly Misunderstood Discipline

Author: NetSPI

What you don't know can put your company at risk.

All organizations should aspire to have the people, processes and tools necessary to effectively execute an on-going penetration testing program. Failure to do so may result in poor tool selections, testing mistakes, and faulty interpretation of results that often lead to a false sense of security putting the enterprise at risk.

IT security and audit staff, along with their managers and directors, should read this paper to clarify any misunderstandings about penetrating testing from the true purposes and goals, to important process considerations, to tools and tester selection issues, and finally to safe and effective ethical hacking approaches.

Common PCI Audit Mistakes

Author: NetSPI

One auditor's perspective on what it means to soundly meet the gray requirements which include firewall rulesets, system hardening, SDLC, penetration testing, service party due diligence, auditing and logging.

Even if NetSPI isn't your auditor, some general guidance on these topics will better prepare you for your next discussion with your QSA.

Dark Harvest - Active Directory Credentials on Mobile Devices

Author: NetSPI

Since the advent of the Blackberry, mobile devices have had a place in most workplaces. Most users access their work email and calendars using Active Sync via Exchange. Unfortunately, Active Sync requires that credentials are sent with base64 encoding.

This requirement exposes the credentials to two primary risks: first of all, the devices must store the credentials locally, allowing users or malicious apps with excessive privileges to extract them from the OS. Second, an attacker who can perform a MiTM (man-in-the-middle) against the user can extract the base64 encoded credentials from the POST requests to the Exchange server.

It is important to note that while this paper focuses on Android, it is the default behavior of Active Sync itself that creates the risk in these situations. iOS or other mobile platforms will have similar issues.

Dealing with Mobile Devices in a Corporate Environment

Author: NetSPI

Mobile computing technology is hardly a recent phenomenon but, with the influx of mobile devices such as smartphones and tablet computers into the workplace, the specter of malicious activity being initiated by or through these devices looms large.

In truth, it is not the mobile devices themselves that represent the real threat; companies have had, and continue to have, good options available for controlling company-owned mobile assets and preventing other devices from accessing corporate resources. The paradigm shift that is occurring with mobile technology is really due to the convergence of corporate and personal use onto a single device.

Demystifying the Confusing Landscape of Healthcare IT Security and Compliance

Author: NetSPI

The landscape of information security in healthcare is a complicated one. There are federal laws and regulations such as HIPAA to safeguard patient privacy, physicians organizations and other groups have formed CCHIT to promote and certify standardized EHR, and healthcare companies have formed the HITRUST Alliance to develop and promulgate security standards for systems and networks handling healthcare data.

This paper serves as a brief guide to this confusing and changing landscape.

Encoded Automated SQL Injection Attacks

Author: NetSPI

Millions of web pages are infected every year by SQL injection attacks. This paper gives you a brief overview of these types of attacks as well as their impact.

We'll give you tips on detecting and containing a compromise as well options to reduce or prevent your exposure from injection attacks.

Fighting Multi-Vector Attacks with Multiple Scanning Tools

Author: NetSPI

Threats to IT security keep evolving as criminals figure out new ways to steal valuable information. One of the more dangerous developments has been the rise of multi-vector attacks. Countering these attacks means shoring up your defences and one of steps required is to run vulnerability scans on your environment.

This papers serves to give you an overview of these tools and what they offer.

Going Mobile Without Going Nuclear

Author: NetSPI

Threats related to mobile device usage range from relatively benign—the loss or theft of the devices themselves, which can be replaced—to potentially massive fraud, theft of company or customer data, disruption of company operations, and damage to reputation, the costs of which are hard to estimate.

Hardening Critical Systems at Electrical Utilities

Author: NetSPI

Securing our nation’s critical power infrastructure and assuring a dependable electrical supply has never been more important. Faced with 21st century threats ranging from hacker groups to state-sponsored terrorist organizations, power utilities are being required to design and implement solutions that will address weaknesses in their aging systems and ensure safe and reliable power generation.

This paper provides an overview of the landscape and introduces a solution that could help harden the critical plant systems on which we all ultimately depend.

Passing the PCI Test in Higher Education

Author: NetSPI

Higher education institutions share unique compliance challenges, especially related to the interpretation and implementation of the Payment Card Industry Security Standard (PCI DSS).

This paper is intended to assist key stakeholders in understanding and responding to the challenges that they face when applying the Standard to their environment.

Role of FTC in Data Breaches

Author: NetSPI

If you run or work in a business that keeps people's Social Security number, addresses, and other personal information, and that information is lost or stolen, you may get a visit from the FTC.

A well-developed and mature security program can not only provide better protection for company assets, but it can also assist with incident investigation, putting the organization in a better position to withstand the scrutiny of an FTC inquiry.

Understanding the New HIPAA Rules

Author: NetSPI

The American Recovery and Reinvestment Act (ARRA) includes a portion known as the Health Information Technology for Clinical and Economic Health Act, or HITECH.

Enforcement of the security rules is a priority and penalties for non-compliance are substantial. This white paper lays out the basics and offers suggestions to help you stay compliant.

Why You Need an Incident Response Plan

Author: NetSPI

It’s not yet 8:00 A.M on a Monday morning. One of the IT staff has just called, saying that the firewall audit logs and server connection logs indicate that there was a possible data breach over the weekend. As you feel the knot in your stomach tightening, you need to decide what to do to respond to this incident. Do you put a statement on your web site? Distribute a press release because of disclosure requirements? Quarantine the affected servers? Rebuild them? Power them down? Tell the IT group to see what they can find out about the source and nature of the breach? Call in outside computer forensic experts? Call the FBI to have them investigate?

Actually, if your organization had previously developed an Incident Response Plan, your first steps would be clear. Without a plan, it is easy to get the response wrong, which can damage your reputation and your business. And once trust in your organization is undermined, it is very hard to win back.

Windows Vista - Ease of FULL SYSTEM Access

Author: NetSPI

There is no doubt that Vista brought gobs of new security features to the Windows line of operating systems. However, in spite of all of its newly polished armor, it shares a small weakness that has been around in NT based operating systems since Windows 2000. This local weakness can be leveraged by security professionals and hackers alike to manipulate users and files in Windows Vista with Local System privileges. The focus of this article will be to identify the weakness and share basic exploitation methods.