SecureState Information Security Blog
Feed last updated: 2024-03-14T05:08:33.334-04:00
Feed author: SecureState

At SecureState we help our clients obtain and maintain their desired state of security. Our consultants provide the very best physical, logical and personnel security services to your organization through audit and compliance, attack and penetration tests, data forensics, and security program building. Our clients span a variety of industries, giving us the experience of working in unique environments.


SecureState Has A New Blog - Come See What You're Missing!
Published: 2012-01-12T17:15:00.001-05:00 | Updated: 2012-01-12T17:31:56.659-05:00 | Author: Marketing

Don't forget to check out SecureState's new blog site. We recently released a new tool update; take a look here, and while you're at it, visit SecureState's Company Website, see what's going on in our Media Center, and browse through our recently released Tools!


SecureState Releases New Tool for Footprinting 802.1x Wireless Networks
Published: 2011-06-03T12:38:00.000-04:00 | Updated: 2011-06-03T12:38:03.773-04:00 | Author: Marketing

Today, SecureState is releasing a new tool for footprinting 802.1x wireless networks called EAPeak. EAPeak is a Python-powered script that is meant to parse useful pieces of information for a Security Assessment of wireless networks that use the Enterprise Authentication Protocol. It relies on the Scapy libraries to parse both PCap files and live network captures.

Read more on our new blog site


But My Web Application Uses SSL...Of Course I'm Secure
Published: 2011-05-14T12:47:00.014-04:00 | Updated: 2011-05-14T13:44:36.904-04:00 | Author: Gary McCully

SecureState Auditor: What are you doing for web application security?
Web Development Project Lead: We use SSL.

The Setup: How You Protect Your Web Applications Says A Lot about the Maturity of Your Security Programs - In a meeting with a relatively well known third party web application development company, the question was asked as to what the company was doing for web application security. The


Quit Hoarding
Published: 2011-05-05T16:59:00.003-04:00 | Updated: 2011-05-05T16:59:57.545-04:00 | Author: Marketing

Evaluate your security program's maturity before dropping money on a quick-fix "hot" product.

Evidently, there is an increasing fascination within the American psyche with hoarding, the excessive collection of items, along with the inability to discard them. This is evident in the popularity of television shows such as "Buried Alive" and "Hoarders".

Read more of this post on our new blog site


Information Policies & Procedures, Part 7
Published: 2011-05-05T16:58:00.003-04:00 | Updated: 2011-05-05T17:00:17.476-04:00 | Author: Marketing

This is part of an ongoing series on documentation development.

Do words matter? Of course they do. There are few places where this statement is as true as in documentation. When developing policies and procedures, we must be very clear about the rules. Must and shall mean, as the name implies, that the action is not optional. May means that the action is allowed, but not required. This is an


"We Have a Vulnerability Management Program…It's in Our Data Center"
Published: 2011-04-21T16:22:00.003-04:00 | Updated: 2011-04-21T16:22:52.231-04:00 | Author: Marketing

From Running Scans to Building a Vulnerability Management Program

I perform the Vulnerability Assessments and Payment Card Industry Approved Scanning Vendor (PCI ASV) Scans at our information security firm. I have been running scans for over 100 different companies for the last year, and I see the same recurring vulnerabilities again and again. What I have also seen is that people do not


Spring into a New Career!
Published: 2011-04-19T10:38:00.000-04:00 | Updated: 2011-04-19T10:38:06.275-04:00 | Author: Marketing

SecureState will be holding on-site open interviews on Thursday, April 21 from noon to 6:30 p.m.
at the SecureState Headquarters: 23340 Miles Road, Bedford Heights, OH 44128
http://blog.securestate.com/post/2011/04/19/Spring-into-a-New-Career!.aspx


Let's Go with the Web Application Scan… It is cheaper
Published: 2011-04-15T16:25:00.000-04:00 | Updated: 2011-04-15T16:25:53.032-04:00 | Author: Marketing

Why a Manual Web Application Security Assessment is worth every penny over an automated tool.

Choosing the Assessment: As a Security Consultant for SecureState, I have performed my share of Web Application Security Assessments in the last couple of years, including both Assessments which relied heavily on Web Application Scanners to find vulnerabilities in the web application, as well as


PCI DSS Applicability To Closed Accounts
Published: 2011-04-08T15:11:00.002-04:00 | Updated: 2011-04-08T15:11:53.253-04:00 | Author: Marketing

We recently ran into some questions from multiple organizations regarding PCI DSS applicability to closed or inactive credit card account numbers. For example, when someone passes away, the disposition of their debts and assets may go through probate. What may happen during this process is the collection of all of the deceased's debt accounts, including credit cards, to determine how claims will


Penalty Double Ups: PCI Intersects with State Privacy Laws
Published: 2011-04-06T14:30:00.002-04:00 | Updated: 2011-04-06T14:30:42.400-04:00 | Author: Marketing

A lawsuit out of Massachusetts related to a breach of cardholder data by the Briar Group, LLC resulted in a $110,000 settlement by the company. This is some interesting news, as it shows that penalties for not protecting cardholder data can hit you from both the card brands and regional privacy lawsuits. Although the amount of the settlement is not extremely high, the other requirements coming


The Importance of System Logging
Published: 2011-04-05T17:16:00.002-04:00 | Updated: 2011-04-05T17:16:49.223-04:00 | Author: Marketing

This blog is more of a success story than anything else.

I want to bring to light a small business with less than six employees who properly implemented auditing. As you may or may not know, Windows allows a user to audit Logon and Logoff events. This is extremely important, especially when you are trying to figure out who is using, or has attempted to use, your system.

Read the entire post on


Ten Ways to Fail at Information Security: Part 1
Published: 2011-04-01T17:30:00.002-04:00 | Updated: 2011-04-01T17:30:57.416-04:00 | Author: Marketing

Information Security is still an emerging discipline, with lots of loud voices expressing different opinions as to what is the absolute best way to secure your company. Rather than throw more noise into the echo chamber espousing "best practices", in this series of blogs, I will be taking a different route. Every company does security differently, with varying degrees of success. No single


Taking Data Loss Prevention To Data Loss Acceleration
Published: 2011-03-24T14:08:00.000-04:00 | Updated: 2011-03-24T14:08:02.448-04:00 | Author: Marketing

"OpenDLP is a free and open source, agent-based, centrally managed, massively distributable data loss prevention tool." This is how creator Andrew Gavin defines OpenDLP. While this tool could be used to monitor sensitive data on hundreds of systems simultaneously, it could also be used to steal massive amounts of data very quickly.

Read more on SecureState's new blog site http://


Is Your e-file Tax Return Secure?
Published: 2011-03-24T14:06:00.000-04:00 | Updated: 2011-03-24T14:06:16.374-04:00 | Author: Marketing

Find out how secure yours is by reading Ken Stasiak's post on our new blog site here:
http://blog.securestate.com/post/2011/03/14/Is-Your-e-file-Tax-Return-Secure.aspx


New Vulnerability Alert by SecureState Now Available!
Published: 2011-03-24T14:05:00.000-04:00 | Updated: 2011-03-24T14:05:07.047-04:00 | Author: Marketing

Find the vulnerability reports each month on our new blog site:
http://blog.securestate.com/post/2011/03/08/New-Vulnerability-Alert-by-SecureState-Now-Available!.aspx


Cleveland OWASP Chapter Meeting Announcement
Published: 2011-03-24T14:02:00.000-04:00 | Updated: 2011-03-24T14:02:41.425-04:00 | Author: Marketing

SecureState is proud to sponsor the Cleveland chapter of OWASP, and we are bringing back the quarterly meetings by bringing in some of the top speakers in the application security community. This quarter we have web application security ninja Kevin Johnson, who will be speaking. The title of his talk is "Ninja Developers: Application Security Testing and Your SDLC".

Read more on our new site


HIPAA: Rx For End-User Device Risks
Published: 2011-03-24T13:55:00.003-04:00 | Updated: 2011-03-24T13:58:52.915-04:00 | Author: Marketing

HITECH breach notification requirements apply to breaches of "unsecured" Protected Health Information (PHI). Basically, if electronic PHI data is encrypted, purged, or physically destroyed before it is inadvertently disclosed, then it doesn't count as a breach.

Read more at SecureState's new blog site http://blog.securestate.com/post/2011/03/03/


Come Out; Come Out; Wherever You Are…
Published: 2011-03-01T11:34:00.002-05:00 | Updated: 2011-03-01T11:34:50.732-05:00 | Author: Marketing

The title of this blog is typically heard amongst children while playing the game "Hide and Seek." I use it now as a reference to companies hiding from Privacy Regulations, or at the very least avoiding the application of the best practices available when it comes to Privacy Principles.

Why Do Companies Hide From Privacy Regulations?

Read more on SecureState's new blog http://


But It Was Developed By A Third Party… Of Course It's Secure!
Published: 2011-02-25T11:56:00.002-05:00 | Updated: 2011-02-25T11:56:51.882-05:00 | Author: Marketing

Just as internally coded web applications should go through a standard Software Development Life Cycle (SDLC), third party web applications should also be subjected to an SDLC. For example, an organization's SDLC may dictate that all newly coded web applications must go through a grey box assessment before going live...

Read the rest on SecureState's new blog site http://


Means, Opportunity, and Motive: Point Of Interaction Awareness
Published: 2011-02-25T11:55:00.002-05:00 | Updated: 2011-02-25T11:55:13.865-05:00 | Author: Marketing

There have been numerous news stories about employees stealing credit card information before it is even entered into your information systems. These are usually occurring out on the sales floor. You can be fully compliant with the PCI DSS, but most of the offenses we are talking about occur outside the scope of what those requirements are designed to protect against. The following types of


New Module for the Metasploit Framework Released by SecureState
Published: 2011-02-25T11:54:00.002-05:00 | Updated: 2011-02-25T11:54:08.483-05:00 | Author: Marketing

SecureState released a new module for the Metasploit Framework that allows users to brute force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often


Dispelling The Myths Of Facebook Privacy And Security
Published: 2011-02-25T11:53:00.000-05:00 | Updated: 2011-02-25T11:53:14.424-05:00 | Author: Marketing

There are many misconceptions about the security of Facebook, Facebook applications, and the frequent scams that seem to plague the world's largest social network. To help set the record straight, I would like to shed a bit of reality on the most common myths about Facebook security and privacy today.

These are real examples of statements that I have encountered regarding Facebook and their


Visa Introduces Technology Innovation Program (TIP) for Merchants
Published: 2011-02-25T11:51:00.002-05:00 | Updated: 2011-02-25T11:51:57.859-05:00 | Author: Marketing

Visa announced on February 9, 2011 that as of March 31, 2011, Visa will allow qualifying merchants outside the U.S. to discontinue their annual Payment Card Industry (PCI) On-Site Assessment. Visa has introduced the Technology Innovation Program (TIP), which essentially will apply to those merchants that meet the following requirements...

Read more on SecureState's new blog http://


FERPA, HIPAA's Immature Cousin, Says 'Happy Data Privacy Day!'
Published: 2011-02-25T11:50:00.002-05:00 | Updated: 2011-02-25T11:50:18.791-05:00 | Author: Marketing

Today I thought it would be interesting to compare HIPAA and FERPA.

Learn more at our new blog site:
http://blog.securestate.com/post/2011/01/28/FERPA-HIPAAe28099s-Immature-Cousin-Says-e28098Happy-Data-Privacy-Day!e28099.aspx


Small Goals Lead to Bigger Results
Published: 2011-02-25T11:47:00.001-05:00 | Updated: 2011-02-25T11:48:10.944-05:00 | Author: Marketing

Why are there shelves, sometimes figuratively, sometimes literally, full of projects that money was spent on with little end result? Projects left incomplete, never verified as meeting their intended reasons for purchase?

Find out more at SecureState's new blog:
http://blog.securestate.com/post/2011/01/27/Small-Goals-Lead-to-Bigger-Results.aspx