Successful mitigation of today’s security threats requires an approach that is both on the offensive and on the defensive. Here, we give our take on how to approach and handle specific security challenges, as well as our reaction to some of the latest industry topics.
10.15.14Boy what a year 2014 is turning out to be. First we had Heartbleed turn the Internet upside-down. Last month, we had Shellshock shock the industry. And now we have POODLE. POODLE, unlike Heartbleed and Shellshock, is going after clients and not servers this time. More specifically, POODLE is taking advantage of the fifteen year… Read more »
07.28.14In our previous segment (Bridging Your Gaps – Part 1), we covered network segmentation and egress filtering. Now let’s focus on some of the gaps that can directly lead to access to your sensitive data. Social Engineering and Browser Security The attackers in the Lockheed Martin breach of 2011, leveraged social engineering along with stolen… Read more »
07.15.14As part of our “Bridging Your Gaps” presentation series, we cover some of the more common gaps that we see and exploit while performing penetration testing for our clients. These gaps have also been leveraged in many of the high profile breaches that occurred during 2013-2014, so this helps to highlight the importance of addressing… Read more »
04.09.14We (the Internet) are about 48 hours into the active response of the OpenSSL HeartBleed vulnerability (CVE-2014-0160). While there has been a lot of news on the topic and a few limited discussions on dealing with the threat, only a handful of articles are approaching the discussion on how to prioritize the threat posed by… Read more »
12.09.13We are almost to the end of another year, and it has been a busy one for us here at DirectDefense. In addition to performing our normal engagements, such as performing network and application penetration tests, we have also enjoyed a lot of positive feedback from our presentation series – Catch me if you Can. During… Read more »
12.02.13From time to time, application developers implement strong security controls. A “strong control” might not capture exactly what we will be talking about today, but it does pose a huge problem for most application scanners. We have all seen a wide usage of one-time tokens in applications (aka nonce values) that are used to deter… Read more »
10.29.13So the topic of your password policy is still weak is nothing new. Just doing a quick search for the phrase “your password policy is stupid” or “your password policy sucks” will result in numerous presentations and articles on the subject. While each of these articles and presentations have their merits, they all seem to… Read more »
06.18.13Hi There – First, apologies for the lack of updates as of late. We have been swamped, but I saw this news article last week about the new FDA recommendations for Cybersecurity for Medical Devices and Hospital Networks, and could not let this go. If you read my last blog entry – Top Five Security Threats to… Read more »
02.25.13Last month a new omnibus HIPAA privacy and security rule was released that increased the number of items to be audited as well as the potential penalties if compliance is not adhered to. You can read the new rules here – http://www.hhs.gov/news/press/2013pres/01/20130117b.html What is interesting to note is while the requirements or things to audit for… Read more »
12.19.12So like many, it is that time of year to look back on the year’s events and reflect on things, while looking forward to the coming new year. What is interesting in our industry is the fact this is the time of year that everyone does their “Top 5,10,15, 20” events/gadgets/moments blogs/news articles about security… Read more »
