Application Security Testing : Do It Now

Yes, as Veracode says: https://www.veracode.com/blog/2015/07/application-security-assessment-reviewing-your-testing-program-sw They list three misconceptions: (1) QA (Quality Assurance) happens when development is done; (2) third-party software does not need testing; (3) developers don’t care about security. We have to perform QA during development as well as after. All software needs security testing, not just functional testing. So what should you …

How To Stay Secure in Insecure World

I want to highlight two current articles: http://www.infosecurity-magazine.com/news/pawn-storm-serves-malware-via-fake/ and http://googleonlinesecurity.blogspot.com/2015/07/new-research-comparing-how-security.html It is best to use good passwords, two-factor authentication, and patch your systems. The first article points to how a fake website was set up and delivers a zero-day Java exploit attack onto unsuspecting users as they come in to the website, and you …

Courts Uphold FTC Regulation-Punishment to Negligent Company

Threatpost has the story: https://threatpost.com/court-rules-ftc-has-authority-to-punish-wyndham-over-breaches/114390 From the court brief http://www2.ca3.uscourts.gov/opinarch/143514p.pdf are some interesting snippets. Let’s list the cybersecurity problems that Wyndham had: stored CC data (which is a violation of the PCI standard); passwords were simple (example: “micros” as the default password on a Micros computer); did not use firewalls between their corporate network, property management system, …

DefCon Talk: Your Domain is Compromised, “Now What”?

Grant Bugher with perimetergrid.com had a talk on the DEFCON101 track: “Obtaining and Detecting Domain Persistence”. As the slide above states, it is not about _how_ to hack a domain. But assuming someone has, now what? 1st: process start command-line logging and PowerShell logging enabled on all systems. 2nd: SysMon (Sysinternals Monitoring Service) …

Security Policy Can Save You

There are many sites with security policies on the Internet, such as universities recommending what to do and not do: http://sites.gse.harvard.edu/its/top-10-security-dos-and-donts http://www.feinberg.northwestern.edu/docs/mis/General_Security_Policy.pdf A security policy is a guideline to employees and users of network and computing resources for the safety and security of data and resources. It is good to know what one is supposed …