NetSPI White Papers

Common PCI Audit Mistakes

Author: Seth Peter

One auditor's perspective on what it means to soundly meet the gray requirements which include firewall rulesets, system hardening, SDLC, penetration testing, service party due diligence, auditing and logging.

Even if NetSPI isn't your auditor, some general guidance on these topics will better prepare you for your next discussion with your QSA.

Dealing with Mobile Devices in a Corporate Environment

Author: Ryan Wakeham

Mobile computing technology is hardly a recent phenomenon but, with the influx of mobile devices such as smartphones and tablet computers into the workplace, the specter of malicious activity being initiated by or through these devices looms large.

In truth, it is not the mobile devices themselves that represent the real threat; companies have had, and continue to have, good options available for controlling company-owned mobile assets and preventing other devices from accessing corporate resources. The paradigm shift that is occurring with mobile technology is really due to the convergence of corporate and personal use onto a single device.

Demystifying the Confusing Landscape of Healthcare IT Security and Compliance

Author: Paul Johnson

The landscape of information security in healthcare is a complicated one. There are federal laws and regulations such as HIPAA to safeguard patient privacy, physicians organizations and other groups have formed CCHIT to promote and certify standardized EHR, and healthcare companies have formed the HITRUST Alliance to develop and promulgate security standards for systems and networks handling healthcare data.

This paper serves as a brief guide to this confusing and changing landscape.

Encoded Automated SQL Injection Attacks

Author: Seth Peter

Millions of web pages are infected every year by SQL injection attacks. This paper gives you a brief overview of these types of attacks as well as their impact.

We'll give you tips on detecting and containing a compromise as well options to reduce or prevent your exposure from injection attacks.

Fighting Multi-Vector Attacks with Multiple Scanning Tools

Author: Seth Peter

Threats to IT security keep evolving as criminals figure out new ways to steal valuable information. One of the more dangerous developments has been the rise of multi-vector attacks. Countering these attacks means shoring up your defences and one of steps required is to run vulnerability scans on your environment.

This papers serves to give you an overview of these tools and what they offer.

Going Mobile Without Going Nuclear

Author: NetSPI

Threats related to mobile device usage range from relatively benign—the loss or theft of the devices themselves, which can be replaced—to potentially massive fraud, theft of company or customer data, disruption of company operations, and damage to reputation, the costs of which are hard to estimate.

Hardening Critical Systems at Electrical Utilities

Author: Ryan Wakeham

Securing our nation’s critical power infrastructure and assuring a dependable electrical supply has never been more important. Faced with 21st century threats ranging from hacker groups to state-sponsored terrorist organizations, power utilities are being required to design and implement solutions that will address weaknesses in their aging systems and ensure safe and reliable power generation.

This paper provides an overview of the landscape and introduces a solution that could help harden the critical plant systems on which we all ultimately depend.

Passing the PCI Test in Higher Education

Author: Tony Fulda

Higher education institutions share unique compliance challenges, especially related to the interpretation and implementation of the Payment Card Industry Security Standard (PCI DSS).

This paper is intended to assist key stakeholders in understanding and responding to the challenges that they face when applying the Standard to their environment.

Role of FTC in Data Breaches

Author: Yan Kravchenko

If you run or work in a business that keeps people's Social Security number, addresses, and other personal information, and that information is lost or stolen, you may get a visit from the FTC.

A well-developed and mature security program can not only provide better protection for company assets, but it can also assist with incident investigation, putting the organization in a better position to withstand the scrutiny of an FTC inquiry.

Understanding the New HIPAA Rules

Author: Paul Johnson

The American Recovery and Reinvestment Act (ARRA) includes a portion known as the Health Information Technology for Clinical and Economic Health Act, or HITECH.

Enforcement of the security rules is a priority and penalties for non-compliance are substantial. This white paper lays out the basics and offers suggestions to help you stay compliant.

Why You Need an Incident Response Plan

Author: Scott St. Aubin

It’s not yet 8:00 A.M on a Monday morning. One of the IT staff has just called, saying that the firewall audit logs and server connection logs indicate that there was a possible data breach over the weekend. As you feel the knot in your stomach tightening, you need to decide what to do to respond to this incident. Do you put a statement on your web site? Distribute a press release because of disclosure requirements? Quarantine the affected servers? Rebuild them? Power them down? Tell the IT group to see what they can find out about the source and nature of the breach? Call in outside computer forensic experts? Call the FBI to have them investigate?

Actually, if your organization had previously developed an Incident Response Plan, your first steps would be clear. Without a plan, it is easy to get the response wrong, which can damage your reputation and your business. And once trust in your organization is undermined, it is very hard to win back.

Windows Vista - Ease of FULL SYSTEM Access

Author: Scott Sutherland

There is no doubt that Vista brought gobs of new security features to the Windows line of operating systems. However, in spite of all of its newly polished armor, it shares a small weakness that has been around in NT based operating systems since Windows 2000. This local weakness can be leveraged by security professionals and hackers alike to manipulate users and files in Windows Vista with Local System privileges. The focus of this article will be to identify the weakness and share basic exploitation methods.