
Military Level Compliance Auditing

Paws Studio is a compliance auditing tool for workstations and servers that produces intelligent compliance reports. It includes pre-defined policies for industry standards such as PCI, NERC, STIG and NSA, and is fully automatable and customisable.
Titania's latest release adds features that address many of the problems associated with STIG (Security Technical Implementation Guide) audits.

The STIG Converter was inspired by feedback from our military customers. Organisations wanting to check their workstations and servers against a STIG can now update the STIG definition file within Paws Studio themselves, using only the XCCDF and OVAL documents that make up the published benchmark. Our programming team provides regular updates to the pre-defined policies, but this option gives organisations the assurance that they are checking against the most up-to-date STIG available rather than waiting for the next product update.

The Manual Checking function has been updated so that reports give a fuller view of a compliance policy. Manual checks let you include the physical security aspects of compliance, rather than only the registry and configuration settings that can be assessed automatically. You can now add a title, description and fix for the physical security items that compliance policies include, such as locking doors and disposing of documents. These appear in the compliance report alongside the automated results, giving a more thorough overview of your compliance status.

Plus you can still benefit from the classic features of the software. With Paws Studio you can:

1. Perform compliance audits either through remote network auditing or through manual access to the audit data in secure environments
2. Produce advanced, easy-to-action reports with comprehensive summaries
3. Audit against pre-defined policies such as PCI, NSA, STIG and NERC
4. Define your own customised policy to suit your organisation
5. Write it into your current processes, as it is fully scriptable

Feel free to contact E-SPIN to discuss your compliance auditing requirements.


What is SQL Injection?


SQL injection is one of the most common attacks seen against web applications today. Attackers, hacktivists included, favour it because it lets them "inject" their own commands into the database behind the application.

When an application passes user input into SQL statements without separating data from code, an attacker has an easy-to-use, remote technique for obtaining anything stored in the database. The specially crafted input tricks the application into executing unintended commands or changing data.

SQL injection lets an attacker create, read, update, alter or delete data stored in the back-end database. In its most common form it gives access to sensitive information such as social security numbers, credit card numbers or other financial data.

What is a SQL Injection Attack?

A SQL injection attack originates from user input that has not been checked for validity before being placed in a SQL statement. The objective is to make the database run attacker-supplied SQL that reveals sensitive information or otherwise compromises the server.

There are four main categories of SQL injection attacks against databases:

  1. SQL Manipulation: modifying the intended SQL statement with operators such as UNION, so that the query also returns rows the developer never meant to expose. Another form of SQL manipulation is changing the WHERE clause of the statement (for example with a tautology such as OR 1=1) to get different results.
  2. Code Injection: inserting new SQL statements or database commands into the vulnerable statement. One such attack appends a SQL Server EXECUTE command to the vulnerable statement. This type of attack is only possible when the database driver or API allows multiple (stacked) statements per request.
  3. Function Call Injection: inserting database function calls into the vulnerable statement. These function calls may make operating system calls or manipulate data in the database.
  4. Buffer Overflows: buffer overflows in database functions are triggered through function call injection. Patches are available for most commercial and open source databases, so this type of attack is only possible when the server is unpatched.

How to prevent SQL injection attacks?

An attacker uses SQL injection to manipulate a site's web-based interfaces and force the database to execute SQL the developer never intended, enabling data theft, data manipulation and the planting of malware on the site. Organisations must not only build defences and practise secure coding, but also develop an in-depth understanding of how SQL injection attacks work and how the threat has evolved: early attacks were hand-crafted, whereas contemporary attacks find and exploit vulnerable pages automatically and at scale. They must also learn how to find, isolate and clean web pages on a site that have been infected with malware.

Defending Against SQL Injection Attacks

The good news is that there is a lot that website owners can do to defend against SQL injection. Although there is no such thing as a 100 percent guarantee in security, formidable obstacles can be placed in the path of SQL injection attempts.

1. Comprehensive input validation.

Websites must validate all user input, ideally in context and against an allow-list: e-mail addresses should accept only the characters allowed in an e-mail address, phone numbers only the characters allowed in a phone number, and so on. Treat this as defence in depth rather than the primary control: a free-text field such as a comment or a surname like O'Brien legitimately contains quote characters, so validation alone cannot make string-built queries safe.

2. Use a web application firewall.

A popular example is the free, open source engine ModSecurity, which is available for Apache, Microsoft IIS and nginx. Used with a maintained rule set such as the OWASP Core Rule Set, it filters potentially dangerous web requests, and its SQL injection rules catch most attempts to sneak SQL through web channels. A WAF is a compensating control that buys time and reduces noise; determined attackers evade signature-based rules with encoding and comment tricks, so it does not replace fixing the code.

3. Limit database privileges by context.

Create multiple database accounts, each with the minimum privileges its usage requires. For example, the code behind a login page should query the database with an account that can read only the relevant credentials table (and ideally only the columns it needs). A breach through that channel then cannot be leveraged to read or modify the rest of the database, and stacked-statement attacks such as DROP TABLE fail for lack of privilege.

4. Avoid constructing SQL queries from user input.

Even validation routines can be flawed. SQL variable binding with prepared statements (parameterised queries) is far safer than assembling queries from strings: the statement text and the data travel separately, so input can never change the query's structure. Stored procedures help only when they are called with bound parameters and do not themselves build dynamic SQL from their arguments; a procedure that concatenates its inputs into an EXEC string is just as injectable.

Any one of these defences reduces the chances of a successful SQL injection attack, but parameterised queries are the one that removes the vulnerability rather than merely filtering attempts at it. Implementing all four is best practice and provides a very high degree of protection. Despite its widespread use, your website does not have to be SQL injection's next victim.
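The following added example, which is not part of the original post, works through the SQL manipulation and code injection categories from the earlier list and the fourth defence above, using a constructed in-memory SQLite table. The users table, its rows, the e-mail pattern and the payloads are all assumptions made for illustration. It shows the WHERE-clause tautology and UNION payloads pulling every row, including a column the query never exposed, out of a statement built by string concatenation; the same payloads returning nothing once the value is bound as a parameter; the stacked DROP TABLE payload being refused by a single-statement API but succeeding where multi-statement execution is allowed; and an allow-list e-mail validator rejecting all three payloads. Privilege separation (defence 3) needs a server-side database with separate accounts and is not shown.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "ssn-111"),
    (2, "bob", "bob@example.com", "ssn-222"),
]


def make_db():
    """Build an in-memory users table standing in for a real back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The injectable pattern: user input spliced into the statement text."""
    sql = "SELECT name, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Variable binding: the value travels separately from the statement,
    so it can only ever be compared against the email column."""
    return conn.execute(
        "SELECT name, email FROM users WHERE email = ?", (email,)
    ).fetchall()


# Allow-list validator for one input context (defence 1); hypothetical pattern.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value):
    return bool(EMAIL_RE.match(value))


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_demo():
    """Run each payload through the vulnerable and the safe lookup."""
    results = {}
    conn = make_db()

    # Category 1, WHERE-clause manipulation: the tautology makes every row match.
    tautology = "' OR '1'='1"
    results["where_vuln"] = len(lookup_vulnerable(conn, tautology))  # every row
    results["where_safe"] = len(lookup_safe(conn, tautology))  # no row

    # Category 1, UNION manipulation: pulls the ssn column the query never exposed.
    union = "' UNION SELECT name, ssn FROM users--"
    results["union_vuln"] = sorted(lookup_vulnerable(conn, union))
    results["union_safe"] = lookup_safe(conn, union)

    # Category 2, code injection: needs stacked statements.  The trailing
    # "SELECT '" balances the closing quote the application appends.
    # sqlite3's execute() refuses a second statement, which is the
    # "multiple statements per request" condition the post describes.
    stacked = "'; DROP TABLE users; SELECT '"
    try:
        lookup_vulnerable(conn, stacked)
        results["stacked_execute"] = "ran"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        results["stacked_execute"] = "refused"
    results["stacked_safe_rows"] = len(lookup_safe(conn, stacked))
    results["table_after_safe"] = table_exists(conn, "users")

    # executescript() allows stacked statements: the same string drops the table.
    conn.executescript("SELECT name FROM users WHERE email = '" + stacked + "'")
    results["table_after_script"] = table_exists(conn, "users")

    # Defence 1: the allow-list rejects every payload but accepts a real address.
    results["validator"] = [
        is_valid_email(v) for v in (tautology, union, stacked, "alice@example.com")
    ]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The safe lookup uses the same payloads and returns no rows because the driver binds them as a single string value; the stacked payload only destroys the table through the multi-statement path, which is exactly the feature a least-privilege account and a single-statement API should deny.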


Retina CS enables IT security professionals to centrally manage organisation-wide IT security (physical, virtual, mobile and cloud) from a single, web-based console. It is a unified vulnerability and compliance management solution that integrates security risk discovery, prioritisation, remediation and reporting, which greatly reduces the time and effort required to manage IT security.

Retina Insight: Get actionable reporting, analytics, and trending across the vulnerability lifecycle via this powerful reporting engine, included with Retina CS at no additional cost.

– Configuration Compliance: A Retina CS Add-on Module: Simplify how you audit and report on common industry configuration guidelines and best practices.

– Regulatory Reporting: A Retina CS Add-on Module: Choose from Regulatory Reporting packs to automate how you navigate through the increasingly complex regulatory landscape.

– Patch Management: A Retina CS Add-on Module: Close the loop on vulnerabilities with integrated, automated, agentless patching from a single console.

Retina CS Dashboard

eEye SOLUTION SUITE

1. Retina Network Security Scanner

Identify known and zero-day vulnerabilities using the industry’s most mature and effective vulnerability scanning technology.

2. Retina.GOV
Rely on integrated end-to-end vulnerability and compliance management designed specifically for Government departments and agencies.

3. Retina Web Security Scanner

Rapidly and accurately scan large, complex websites and web applications to assess web-based vulnerabilities.

ADDITIONAL SECURITY PRODUCTS

1. Blink Endpoint Protection

Augment existing security products with integrated multi-layered endpoint protection in a single, lightweight client.

2. Iris Network Traffic Analyzer

See analysis and integrated forensics reporting on network security traffic.

3. SecureIIS Web Server Security

Ensure protection for Windows IIS Servers by preventing known exploits, zero day attacks, and other harmful web server traffic.

Retina CS from eEye provides a lot of functionality – beyond just vulnerability scanning – in an easy-to-use format. It is a great value for almost any environment.

As the sole Retina distributor in the Asia-Pacific region, E-SPIN is happy to take your inquiry and help you select the packaged solution that matches your operational or project requirements.

Here are the reasons why you should use Retina Network Security Scanner:

1. Department or enterprise-wide vulnerability assessment

Retina scales to meet the requirements of any size of organisation and supports scanning in distributed environments using software or appliances.

2. Compliance with industry or federal regulations

Retina helps companies comply with the Payment Card Industry Data Security Standard (PCI DSS), Federal Desktop Core Configuration (FDCC), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA), EU Data Protection Directive and others by providing customisable security policies and extensible reports.

3. Identify security risks and eliminate business interruptions

Less sophisticated scanners can crash a server or device because their scanning methods include running partial or full exploit code. Retina does not run any exploit code to conduct a scan and can accurately identify vulnerabilities without compromising a host.

4. Asset and risk identification

Retina can accurately detect and classify all assets within an environment and identify rogue, wireless and virtual devices connected to the infrastructure. Vulnerability assessment determines which devices pose the greatest risk to the environment, whether from malware, attackers or unauthorised computing devices.

Retina Key Features

  • Reliable, Non-Intrusive Scanning Technology

Most scanners rely on exploit code to test network vulnerabilities, which frequently crashes servers, devices or even networks in the process. Retina tests without using exploit code and without harming your devices and network.

  • Comprehensive and Current Database

The most advanced, comprehensive database available. Critical vulnerabilities are updated within 48 hours of public disclosure. This is three times faster than the leading competition.

  • Superior Research Team

No security vendor can match the expertise of the eEye Research Team. Over the last 10 years, eEye has discovered more critical vulnerabilities than any other research group.

  • Extensive Third-Party Integration Support

Retina’s open architecture allows for integration with third-party applications such as event managers, security information managers, network management systems, call centers and many framework based solutions

  • Best Practice Approach to Vulnerability Assessment

Retina guides users through the logical steps of discovering assets, auditing known vulnerabilities and configuration issues, recommending remediation actions and reporting on the entire vulnerability management process using industry accepted best practices.

  • Unrestricted Asset Discovery

Retina allows for the discovery of a network’s entire infrastructure without restrictions or separate licensing. At a glance, administrators can determine the number and type of hosts on the network and build policies and groups for vulnerability assessment based on the results.

  • Flexible Remediation Reporting

Within the workflow of Retina, users can create targeted reports that identify specific vulnerabilities for remediation by risk, vulnerability or host, or export the data to common file formats for inclusion in other reports and management systems.

  • Wizard Based Customizable Audits

Custom audits help ensure that corporate policies regarding anti-virus installations, file sharing programs, instant messaging and third-party applications are being correctly identified and enforced.

  • Granular Job Scheduling and Job Duration Support

Administrators can schedule and run multiple scan jobs against multiple targets and groups (business groups or subnets, for example) at one time, and control when a job must terminate (scan windows) so as not to conflict with business requirements such as change control windows.

  • Adaptive High-Speed Scanning

Recognised as one of the fastest security scanners available, Retina can scan an entire Class C (/24) network in approximately 15 minutes. Retina scans every machine on your network, across operating systems, network devices and third-party or custom applications, with high accuracy and speed.

Other eEye Solutions

RETINA ENTERPRISE
Do you need to centrally manage and report on distributed network scanning and vulnerability assessment initiatives?

APPLIANCES
Do you want a turnkey appliance solution, or to set up and license servers on your own?

BLINK ENTERPRISE
Do you want an agent-based vulnerability assessment solution in lieu of a network-based scanner?

Interested to know more about the Retina product suite? Please feel free to contact E-SPIN with your inquiry and requirements, so we can assist you in selecting the packaged solution that fits your operational or project needs.

Retina is a powerful unified vulnerability management and compliance solution designed to help organizations of all sizes with vulnerability assessment, mitigation and protection.

eEye Retina Vulnerability Management

Retina, built on over a decade of technology innovation by eEye's security research team, is an integrated end-to-end vulnerability and compliance solution designed to help organisations with protection and compliance by defining and monitoring relevant IT controls. Retina monitors both patch and configuration vulnerabilities, checks compliance against pre-defined configuration baselines and provides automated notification of violations. The environment is assessed, capturing established security controls along with any vulnerabilities or configuration violations that affect the network. Detailed reports with prescriptive guidance and recommendations are then forwarded and a response is initiated so that corrective action can be taken in a timely fashion.

Retina's management console is a fully integrated, rich internet-enabled application for security and compliance management. It simplifies the management of distributed, complex infrastructures while protecting your mission-critical assets from evolving threats through a single unified management system.

Benefits and Features

1. Confidently identify all vulnerabilities with the lowest false positive rate in the industry; on average less than 1%

2. Proactively guard against known and newly identified vulnerabilities with frequent, automated updates from the eEye Research Team

The eEye Research Team provides vulnerability audit updates for US Government recognised critical vulnerabilities three times faster than the leading competition. Updates are provided with a service level of 48 hours from public disclosure and are automatically downloaded and incorporated by the solution.

3. Quickly identify all machines on your network, including rogue, virtual and wireless devices

Retina can reliably and non-intrusively scan your environment to identify all systems and devices. Essentially, if the device has a TCP/IP address, Retina will scan it and classify it with the highest accuracy in the industry.

4. Safely scan your network without crashing devices and causing business interruptions

Retina does not scan and test with exploit code and will not crash your systems during a scan. With Retina, you can scan an entire Class C (/24) network in approximately 15 minutes using its proprietary Adaptive Speed technology.

5. Extensive third-party integration support for your existing infrastructure

Retina provides an extensive command line, and event forwarding through SNMP, syslog, e-mail and Windows Event Logs, to integrate into virtually any network management solution, security information manager or call centre.

6. The only network vulnerability scanner available as an appliance, managed service or software supporting Windows 2000, XP, 2003, Vista and 2008

Retina does not require high-end or high-cost servers to perform vulnerability assessments.

Questions to Consider
1. Do you currently perform network based vulnerability assessment scans?
2. Do you currently have, or are you planning to initiate a vulnerability assessment project as it relates to security or compliance?
3. Do you have resources and budget set aside for this project?
4. Do you have rogue and wireless assets appearing on your network? How do you know?
5. Have you been exploited or attacked due to a missing patch?
6. Do you know the financial impact of being hit with an attack?

As the sole Retina distributor in the Asia-Pacific region, E-SPIN actively promotes the full range of eEye Digital Security products and technologies as part of its vulnerability management portfolio, covering vulnerability assessment and unified vulnerability management. With E-SPIN, you have the answers and the solution to suit your business needs and operations.

Our customers range from university, government and enterprise IT security professionals working on vulnerability assessment and penetration testing, to IT security companies running security audits, security operations centres (SOC), and cyber security, cyber warfare and military security defence operations that need unified vulnerability management.

Please feel free to contact E-SPIN with your inquiry and requirements, so we can assist you in selecting the packaged solution that fits your operational or project needs.

Web Application Security

How do you handle your web application testing, vulnerability scans, test data and related security assessment reports? I’ve found that this is something that doesn’t get a lot of attention in web application security circles but is still impactful to the business. It’s actually kind of ironic that those of us working in IT and security often forget about what’s at stake if web vulnerability information were to fall into the wrong hands. I should know – I used to take it too lightly and many others still do.

The thing is, everything from passwords to SQL injection requests to hard-coded encryption keys – practically anything imaginable related to web security flaws – is contained in the following files, screenshots and reports:

  • Web vulnerability scan files (the raw data such as .wvs files in Acunetix Web Vulnerability Scanner)
  • Web vulnerability scanner reports (e.g. PDF and HTML files)
  • Screenshots of exploits
  • Proxy log files
  • Username and password dictionaries
  • Final web application testing reports containing specific findings and methods of exploitation

The risk is increased when all of this information is scattered about on multiple systems – especially once it makes its way to unencrypted laptops and data backups, third-party email systems and under-protected mobile devices (and trust me, it will). Even hard copies of web application testing reports can create business risks. I see those being tossed around to third parties quite often like it’s no big deal at all.

In the end, you're not going to have complete control of the information resulting from your web application testing. You'll have to trust people to do the right things. Unfortunately, that's where businesses often get themselves into trouble. Thus the cycle of information security and managing risks continues.

Is the exploitation of web vulnerabilities worth the trouble? Does it create unnecessary risks that should be avoided? Why exploit flaws anyway? This is not a black and white circumstance. Every situation is unique. But here's what I know. The exploitation of web security flaws such as Cross-Site Scripting, SQL injection and Cross-Site Request Forgery is arguably the most valuable part of my assessments. Web exploitation can provide actual data, screenshots and other evidence which are great for getting management, developer and user buy-in on the issues. Otherwise, you may simply be running scans and making dangerous assumptions about what can or cannot be taken advantage of.

In many situations, all it takes is exploiting one missing web server patch, one SQL injection flaw or cracking a set of web passwords to show that problems exist in the respective areas. You may not need to exploit every flaw on every system to demonstrate what’s weak and what can happen. For certain projects, exploiting every single flaw on every single page could take too long and cost too much.

You have to ask yourself what's really needed. What's the ultimate goal of your security assessment? Is it to find some basic issues running basic scans, or is it to completely vet a website or application and show exactly what can happen when things go awry? There is a ton of value in web exploitation, if it meshes with the overall project goals.

Vulnerability “exploitation” seems like a bad word that’s going to leak data, crash servers and cause business continuity problems but it really doesn’t have to. I’ve found that exploitation of web flaws is actually less risky than running the actual scans themselves. Interestingly, I’ve never had a problem running web exploits but automated scans have certainly created issues. Then again, unless the specific requirements call for it, I only run exploits that are not designed to create denial of service conditions. Your situation may be different.

In the end, if a web exploit (or even a scan) knocks over an application or its associated server(s), that may be a good indicator that you need to look even deeper. In the interest of minimizing problems, some people will just pretend the server or application doesn’t exist and leave it be. Sure, the problems are minimized but the security flaws are still there! Two wrongs don’t make a right.

For some people, especially IT auditors or compliance managers, exploitation of web flaws may be new territory. That's fine. I just encourage people to really think things through when scoping web security assessment projects. Know all the facts and the possible outcomes and then dig in as deeply as possible. That's the only way you're going to find the flaws that matter and get people on your side to do something about them.