| Javascript Feeds RSS Feed Security Dashboard | SearchSecurity.com |
|
An Overview of Raw Sockets Programming with FreeBSD Raw socket coding is vital to compromising a system, it is a skill useful to both hackers and network admins.
03/23/2004
|
|
Using a Compromised Router to Capture Network Traffic This document details the approach, methodology and results of recent experimentation into the use of a captured perimeter router as a tool for network traffic capture. In penetration testing scenarios it is often possible to compromise the perimeter router of an organization. The routers are outside the corporate firewall and often poorly protected. In some cases the captured router may be useful as a launch point for further attack on the target network, but to be truly valuable it is desirable to use this captured router to sniff network traffic to and from the organization.
03/23/2004
|
|
Penetration Testing for Web Applications (Part Three) In the first installment of this series we introduced the reader to web application security issues and stressed the significance of input validation. In the second installment, several categories of web application vulnerabilities were discussed and methods for locating these vulnerabilities were outlined. In this third and final article we will be investigating session security issues and cookies, buffer overflows and logic flaws, and providing links to further resources for the web application penetration tester.
03/22/2004
|
|
Penetration Testing for Web Applications (Part Two) Our first article in this series covered user interaction with Web applications and explored the various methods of HTTP input that are most commonly utilized by developers. In this second installment we will be expanding upon issues of input validation - how developers routinely, through a lack of proper input sanity and validity checking, expose their back-end systems to server-side code-injection and SQL-injection attacks. We will also investigate the client-side problems associated with poor input-validation such as cross-site scripting attacks.
03/22/2004
|
|
Penetration Testing for Web Applications (Part One) This is the first in a series of three articles on penetration testing for Web applications. The first installment provides the penetration tester with an overview of Web applications - how they work, how they interact with users, and most importantly how developers can expose data and systems with poorly written and secured Web application front-ends.
03/22/2004
|
|
Exploiting Cisco Routers: (Part Two) The first article in this two-part series covered a few different methods of getting into the target router. This article will focus on what we can do once we've gotten in. For the remainder of this article, we'll assume that the only progress we've made is that we've gotten the below router config via the vulnerable HTTP server. At this point, Access Control Lists (ACLs) prevent us from logging in directly to the router.
03/22/2004
|
|
Exploiting Cisco Routers (Part One) This two-part article will focus on identifying and exploiting vulnerabilities and poor configurations in Cisco routers. We will then discuss the analysis of the router configuration file and will attempt to leverage this access into other systems. Additionally, we will cover the possibilities of what one may do once access to the device has been achieved. We chose to focus this article on Cisco routers due to their overwhelming market share.
03/22/2004
|
|
Demonstrating ROI for Penetration Testing (Part Four) Bringing business to the Web is in and of itself risky business, just through the act of taking data from the inside network to the outside network. Data that was once protected by routers and firewalls is brought through the layers of security with remote procedure calls and database queries and made available to the public network. Part one of this series provided a general discussion of ROSI (Return on Security Investment) and likened performing penetration testing to having a health physical. Part two focused on defining penetration testing as a subset of a security assessment, by introducing information asset valuation and risk management concepts. Part three discussed asset valuation, risk analysis, the need for layered security, the reality of today's complex information systems, and argued the value of Pen Testing. In this, the last article of the series, we will discuss a Pen Test process and make final assertions about how ROSI can be shown.
03/22/2004
|
|
Demonstrating ROI for Penetration Testing (Part Three) For this part of the series we will focus on defining terms related to the Risk Analysis process, and touch on Information Asset valuation methods. These concepts are critical to understand when justifying the necessity and expense of a Pen Test. Companies want sustainability and survivability. As the Blaster and Sobig worms taught companies in recent weeks, a single worm can shut down a network, congest mail servers, reboot servers, crash desktop systems and wreak havoc in the information systems environment. Loss of productivity for the general employee population, over-time pay for systems and network administrators, data loss, and the impact of loss revenue opportunity will not soon be forgotten. These types of events make justification for security initiatives more readily accepted, but let us not be distracted from the goal and fall back on the FUD factor.
03/22/2004
|
|
Demonstrating ROI for Penetration Testing (Part Two) In part one of this series we discussed the necessity of understanding financial terms in relationship to justifying security expenditures. We also discussed the idea of aligning security initiatives with productivity enhancing and revenue generating initiatives. In particular, we used the example of a VPN (Virtual Private Network) initiative and the example of a Pen Test piggybacked on a Web-based project initiative. For the purpose of this series we are going to focus on demonstrating ROI specifically for penetration testing, however it is important to understand that the ROSI (return on security investment) discussion can apply to to a broader range of security services and products.
03/22/2004
|
|
Page: 1 2 3 |
