Risk Management and Compliance» Website security http://blog.kraasecurity.com Risk Assessment, Vulnerabilities, Website Security Wed, 26 May 2010 02:45:39 +0000 http://wordpress.org/ en hourly 1 Web Security Testing has come of age http://blog.kraasecurity.com/2009/07/20/web-security-testing-has-come-of-age/ http://blog.kraasecurity.com/2009/07/20/web-security-testing-has-come-of-age/#comments Tue, 21 Jul 2009 04:30:31 +0000 admin http://blog.kraasecurity.com/?p=86 Website security is the one of the most dangerous places for a company. If you look at a layered security approach, we start out with the internal network. There we have host security, patch management, host IDS and other server based technologies. Next we have the network security layers, network intrusion detection, network monitoring and firewall protection. So if we have the internal servers secured, the network protection place, what is left is that an attacker can possibly get into a secure environment?

The website is the open frontdoor to many companies. Security education for both the developers of website applications and the users of web sites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?

So on Linkedin, I asked the quesion “what are the Web security tools” that are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.

1) Foundstone             http://www.foundstone.com
2) Acunetix WVS        http://www.acunetix.com
3) Scrawlr                      https://h30406.www3.hp.com/
4) N-Stalker                  http://www.nstalker.com/
5) Nikto                          http://cirt.net/nikto2
6) Scarab                       http://www.owasp.org
7) WebInspect            http://www.hp.com
8) Fiddler -                   http://www.fiddlertool.com
9) Samurai Web Testing Framework – http://samurai.inguardians.com/
10) FireCAT -               http://www.security-database.com
11) W3af                         http://w3af.sourceforge.net/
12) CORE Impact        http://www.coresecurity.com/content/web-app-pro
13) Appscan                 http://www-01.ibm.com/software/awdtools/appscan/

Having listed these and of course there a re a number of other tools, we can begin to secure the environment. (Please send me any comments on other tools you like). Running a tools is a first and easy step you can take to close that open web door (Webdoor, I am going to try and coin that phrase). If you can target tactical prablems, get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.

The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls

Do not get lax when it comes to Web security. Its a bit black magic and a lot of hard work but as its the “webdoor” try and keep it closed.

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Security penetration test (http://www.kraasecurity.com/freewebsitetest)
]]> http://blog.kraasecurity.com/2009/07/20/web-security-testing-has-come-of-age/feed/ 0 HIPAA Assessments are the next wave http://blog.kraasecurity.com/2009/07/12/hipaa-assessments-are-the-next-wave/ http://blog.kraasecurity.com/2009/07/12/hipaa-assessments-are-the-next-wave/#comments Sun, 12 Jul 2009 21:06:10 +0000 admin http://blog.kraasecurity.com/2009/07/12/hipaa-assessments-are-the-next-wave/ In February, CVS was ordered to pay a fine of 2.5million dollars by the FTC. This fine was because their employees threw out personal information about patients. Who knew poor recycling programs could cost so much? HIPAA has been around for a number of years but not until recently did we see that it has teeth and companies are going to be held accountable.  CVS has to have an assessment every other year now for 20 years. And assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as Firewall protection, Antivirus, Encryption, Vulnerability Scanning and much more. I am sure conducting an assessment rather than getting fines would have been much cheaper for CVS.

The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.

There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com  Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.

For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.

Regards
Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

]]> http://blog.kraasecurity.com/2009/07/12/hipaa-assessments-are-the-next-wave/feed/ 0 Vanguard Security Conference – Supplier Security http://blog.kraasecurity.com/2009/06/02/supplier-security/ http://blog.kraasecurity.com/2009/06/02/supplier-security/#comments Tue, 02 Jun 2009 15:44:29 +0000 admin http://blog.kraasecurity.com/?p=48 I spoke yesterday at the Vanguard Security Conference (http://www.go2vanguard.com) Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have back in the mid-90’s. We perhaps I shouldnt be do happy, it was over a decade ago.

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

  1. No framework for managing vendor risk
  2. Inconsistent processes for tracking vendors
  3. Lack of enforcement capabilities

The Opportunity:

  1. Provide practical steps to manage vendor access/management
  2. Provide cost effective solution for risk mitigation
  3. Provide numerical risk analysis of vendor/partner security issues
  4. Risk reduction or risk acceptance
  5. Documented exposure
  6. Iterative process for risk management
  7. Happy CIO

So a Supplier Security assessment follow 4 main steps:

  1. Analyze current vendor database, catageorize each
  2. determine risk of each supplier, determine threats posed by each supplier
  3. Perform assessment tests of each supplier, their processes of interaction, and data access
  4. develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

]]> http://blog.kraasecurity.com/2009/06/02/supplier-security/feed/ 0 Ways to Maintain Website Security http://blog.kraasecurity.com/2009/04/10/website-security/ http://blog.kraasecurity.com/2009/04/10/website-security/#comments Fri, 10 Apr 2009 14:33:45 +0000 admin http://blog.kraasecurity.com/?p=3 With the advancement in technology comes the heavy responsibility of monitoring an organization’s sensitive and valuable information. The use of the Internet has become a necessity in organizations to exchange their data and various other business details with their business partners, vendors and clients. In many cases, during transmission of datahackers compromise a network or transmission medium and illegally gain the data. It maligns not only the market value of the company but also the number of clients that place trust in the company and the company’s infrastructure or website.

There are preventive measures that every company can adopt to maintain the value of the company as well as the client base. It is very important for any company to maintain the data securityase and safeguard the internal information of the company. The clients and business partners share their data only after confirming that the partner company will keep it safe and intact under the safety norms of the company.

By taking a few cautionary measures, one can easily secure the sensitive information of the company. Installing a firewall in the network system keeps the security intact and safe. Earlier, this was a bit expensive for companies but with the advent of technology, this has become an easily accessible tool for the organization. Affordable monthly subscriptiuons are available for firewalls, Intrusion detection systems and host intrusion prevention systems. hey need not spend a lot of money in availing these services now.

A firewall is the main defense. A firewall carries out routine security checks and blocking techniques at particular time intervals and this helps stop attacks. It will sound an alert in case of any threat posed to the data and will automatically start blocking and reporting.  on it. It never compromises on your company’s security and safety and always keeps the information safe. Firewall protection can be easily availed from various online sources at quite reasonable rates but one must always cross-check the credentials of the source company as well and only then purchase it from experts in the field.

Other than installing these tools to maintain web security, companies are also hiring third parties to review the policies and procedures of the organization and also to keep track of the online process of distribution of data of the company. These third parties install web applications that thoroughly review the codes installed in the process and provide valuable feedback to update and upgrade the quality of network systems. hough it is somewhat expensive to employ third-parties but they really keep a detailed track of the security system of their clients’ information.

Many network systems of very renowned companies are getting hacked and misused these days by the hackers. It is high time that the companies take proper action against such activities and thefts as the number of incidents are growing day-by-day. Otherwise, people will start losing their trust in sharing their personal information through web sites.

A web security expert of application security risk assessment has written this article.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

Related articles by Zemanta
Reblog this post [with Zemanta]
]]> http://blog.kraasecurity.com/2009/04/10/website-security/feed/ 0