You are viewing 'vulnerability'
Working from a strong foundation is the key to a successful security program
When a major security vulnerability is disclosed, everyone stops what they are doing and takes notice, especially when that vulnerability comes with its own logo. Now don’t get me wrong, newly disclosed vulnerabilities are important. They provide exciting opportunities for researchers and they do, if only temporarily, focus management’s attention on the often overlooked information security.
Don’t worry, this isn’t another blog about the pros and cons of vulnerability hype. Instead, I’d like to focus on the importance of keeping one eye on the basics, while the other is scrolling through the Twitter feed for the next upcoming disclosure. Because all too often, it is not the latest security vulnerability, but a failure to properly secure and deploy systems that is the root cause of a costly network breach.
Below are several recommendations to help keep your network more secure, and your company safe from new vulnerabilities (or old... read more >
Hack the vote blog series: part 3
We reiterate that there have been no known malicious attacks against voting machines actively being used in an election in the United States. This doesn’t mean that such attacks aren’t possible, but simply that it hasn’t happened yet (or if it has happened nobody has noticed). Still, we should take the attacks against political parties and the voter rolls as a warning that somebody is interested in affecting U.S. elections.
As long as electronic voting machines have been around there have been security researchers finding vulnerabilities in them including one disclosed yesterday, the day before the election. The primary concern is that with the move to electronic voting systems the votes and even the ballots themselves are just bits in a database that can be easily flipped. It has become much more feasible for a malicious actor to have a large impact than in the days of paper ballots. While these technical vulnerabilities are a threat and should be... read more >
Ways to safeguard against gift card exploitable vulnerabilities
In my previous blog, Hacking Gift Cards, I outlined how you can get free food by enumerating valid gift cards with Burp Intruder. This blog continues that narrative, but adds in other types of cards and attack vectors. In addition, I’ll illustrate some problems with gift card balance checking, and how gift cards can be easily enumerated without the card holder’s knowledge or permission. In some cases, the security surrounding a gift card is so bad you don’t even need to use Burp Intruder.Prerequisites:
Burp Suite Professional
In Hacking Gift Cards Part 1, I discussed six gift cards that had a discernible pattern. Identifying the pattern allowed us to find values on cards that were already sold and had value. In searching for more targets, I... read more >
With consulting work comes travel. Over the years, I have traveled extensively and stayed in a variety of hotels and suites. Through this experience, I have noticed several issues with hotel (specifically room) security. In this blog, I am going to walk you through some of the consistent issues that I notice in hotel room security, due diligence and awareness.
As many of you probably know, you never want to leave your valuables laying around your hotel room when you aren’t in it. This is one of the reasons hotels provide a safe, a lock on the door and hotel staff. At least one of these should stop a criminal, as well as keep me, my valuables and my room safe, right?Replacement Room Keys
I cannot tell you how many times I have observed people casually walk up to the front desk and ask for a replacement room key. Depending on how you deliver this request will probably land you a room key without having to say anything but the room number. Just... read more >
As an organization’s security posture grows, a number of responsibilities may fall under the umbrella of information security, whether it is under direct control of an information security program or delegated to another supporting IT department. One such responsibility is a vulnerable management program.
Vulnerability management is an important part of a matured information security program. At a high level, the objective of vulnerability management is to find and remediate all issues as they are identified. However, as you start examining the matter in-depth, you’ll find that you:
- Need to have a process in place to determine priorities
- Need to have more information than what a vulnerability scanner can provide
- Won’t always be able to fix vulnerabilities; fix what you can and mitigate the rest
As with any good story, we’ll leave that last item for a bit and focus on the top two for now. After all,... read more >