
Monthly Archives: June 2011

IT Auditing and Controls – Infrastructure General Controls

PORTIONS OF THIS ARTICLE INCLUDING MANY OF THE DEFINITIONS AND TERMINOLOGY HAVE BEEN SOURCED AND SUMMARIZED FROM ISACA.ORG and COURSE MANUALS PUBLISHED BY ISACA.

Infrastructure General Controls

For this last article on IT Auditing and Controls, I want to focus on information systems operations.  I’ll talk a little about Management of […]

Advanced Rootkit Exploit – Demonstrated

This is mainly a post-exploitation demonstration, which starts with a walk-through of exploiting a Windows machine. Next, we walk through getting a copy of the web server’s home page and then modifying it with an iframe that points to an exploit server. Anybody that browses to the victim webpage […]

Eyesight to the Blind – SSL Decryption for Network Monitoring

SSL and network monitoring aren’t the most compatible of partners – even with the most sophisticated detection infrastructure in the world, you’ll not derive many useful indicators from the barren randomness of encrypted traffic. Consider the plight of the Sguil sensor shown below:

The webserver’s use of SSL means that […]

Dave Aitel Reveals His Process for Security Research

In our ongoing series of interviews, this week Dave Aitel answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.

Dave Aitel is the CEO of Immunity, and can be found at @daveaitel on Twitter, dave@immunityinc.com by email, […]

How to deal with and alleviate CISSP exam anxiety!

As exam time approaches, everyone feels anxious about whether they’re ready to take the exam and to pass and thus to receive the CISSP certification.  For a lot of people, achieving this milestone in their career means verification of the knowledge they possess.  To some it means meeting the […]

Are your backup systems secure?

All seemed well with backup operations at my company, until I got a visit from an operations center engineer.  The lock already hanging open, he was holding one of the “secure” transports that our off-site tape storage vendor uses to move backup tapes.  But this time, the tapes inside […]

Securing Software with the Application and Front Controller Patterns

Securing software has always been an issue. Whether it be web, desktop or server applications, insecure coding practices can result in substantial data loss for the software users. Although vulnerabilities and exploits differ between technologies, the coding failure is still the same. A lack of input validation allows attackers […]

Malicious SOAP Requests as Web Service Attacks

Introduction

The recent Application Security Europe conference (www.appseceu.org) was one of the better conferences I have had the pleasure to attend. The talks were interesting and I came in third in a challenging Capture the Flag competition. This article is an overview of one of the more interesting talks given […]

Writing SEH Exploits

In these two videos, we will demonstrate how to write an exploit of the Structured Exception Handler. The videos assume you already understand how SEH and exploits work.

We will exploit an Easy Chat Server using OllyDbg. First we will use a skeleton of an exploit to find a SEH […]

Cracking WPA2 Tutorial

In this video we will demonstrate how to crack WPA2 using the Airmon-ng suite. We will do it by:

Identifying an access point
Capturing traffic from that access point
Attempting to capture the handshake. We have two options for doing this.

We can wait for a client to connect […]

Adobe Vulnerability Tutorial

In this video, we will demonstrate the adobe_utilprintf exploit. We will show how to set up a PDF within Metasploit that will deliver an exploit via an HTML link. That exploit will have a victim connect back to you with a reverse TCP connection to shell.

Once connected, we will […]

ISO27002 Security Framework – Audit Program Template

Several people have asked for an IT Audit Program Template for an audit based on the ISO/IEC 27002:2005(E) security standard.  This template (which can be found here and at the end of the article) will help you in your assessment of an organization’s information security program for CobiT Maturity Level 4.

CobiT […]

IT Auditing and Controls – A look at Application Controls

PORTIONS OF THIS ARTICLE INCLUDING MANY OF THE DEFINITIONS AND TERMINOLOGY HAVE BEEN SOURCED AND SUMMARIZED FROM ISACA.ORG and COURSE MANUALS PUBLISHED BY ISACA.

Application controls refer to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application.  The objectives of application […]

Val Smith Reveals His Process for Security Research

In our ongoing series of interviews, this week Val Smith answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.

Val Smith is the CEO and owner of Attack Research, LLC. Val has been a frequent speaker at […]

Mutexes, part two: Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory

Part Two in a multi-part series on holistic, multi-disciplinary analysis and reversing.

You can read part one of this series here.

The last post, “Mutex Analysis: The Canary in the Coal Mine,” started off showing how you can use mutexes to discover malware that is difficult to locate using more traditional […]

Mutexes, part one: The Canary in the Coal Mine and Discovering New Families of Malware

Part One in a multi-part series on holistic, multi-disciplinary analysis and reversing.

This post is based on a presentation I gave at the last Thotcon, but was really prompted by a case from a couple days ago. It’s an interesting example of how the same disciplined methodologies for finding malicious […]

OWASP Top 10 Deeper Dive – A8: Failure to Restrict URL Access

Description: Parsing the OWASP Top Ten with a closer look at Failure to Restrict URL Access

Introduction

Per our discussion of OWASP Top 10 Tools and Tactics, we continue our closer look at each of the Top Ten with deeper analysis and specific examples of these vulnerabilities. As I continue to […]

IT Auditing and Controls – Shared General and Application Controls

PORTIONS OF THIS ARTICLE INCLUDING MANY OF THE DEFINITIONS AND TERMINOLOGY HAVE BEEN SOURCED AND SUMMARIZED FROM ISACA.ORG and COURSE MANUALS PUBLISHED BY ISACA.

Shared General Controls

Later on in this article, we’ll talk about Business Impact Analysis (BIA) and its place within the organization.  At this point, when we want […]

ISC2 CISSP, CAP, ISSEP Exam Pricing

CISSP or Associate of (ISC)² Exam (6-hour)*

CSSLP*

[…]

IT Auditing and Controls – Internet and Web Technology

PORTIONS OF THIS ARTICLE INCLUDING MANY OF THE DEFINITIONS AND TERMINOLOGY HAVE BEEN SOURCED AND SUMMARIZED FROM ISACA.ORG and COURSE MANUALS PUBLISHED BY ISACA.

Internet and Web Technology

This article is going to attempt to tread the fine line between IT Auditing and Penetration Testing.  Remember as an IT Auditor, it […]