NetSPI Blog

Ryan Wakeham
March 30th, 2010

Common Compliance Hurdles Part 1: Increased PCI Scope

Looking over the findings of the last few dozen PCI gap assessments that NetSPI has performed, I am struck by the fact that today, well into version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS, or just DSS), one of our most common findings remains increased scope due to lack of network […]

Scott Sutherland
March 26th, 2010

Penetration Testing: Stopping an Unstoppable Windows Service

Every penetration tester has a toolkit they use for escalating their privileges on the network. In some cases, the tester will copy the toolkit over to a target system once it has been compromised. However, anti-virus software has gotten pretty good at catching tools commonly included in such toolkits. To get around this problem, many […]

Deke George
March 10th, 2010

Observations from HIMSS

I was at the Healthcare Information and Management Systems Society (HIMSS) national conference last week in Atlanta. Overall, the conference wasn’t much different from past years. From an information security perspective the presentations and conversations were limited, but there were a number of interesting things that I took away from the conference. First and foremost, […]

Seth Peter
January 22nd, 2010

Manual vs. Automated Testing

I’ve always been a firm believer in incorporating manual testing as part of any security assessment; after all, a human is the best judge of evaluating the contents of application output, and best able to truly understand how an application is supposed to function. But after attending Darren Challey’s (GE) presentation at the 2009 OWASP […]

Yan Kravchenko
January 13th, 2010

HITRUST Part 4 Looking Forward

In this conclusion of the HITRUST blog series, I would like to discuss some definite opportunities and challenges that HITRUST is likely to face. Putting together a single prescriptive framework for the healthcare industry is truly an ambitious effort. However, cross-referencing this framework with different regulatory requirements and then proposing a mechanism by which companies […]

January 7th, 2010

What’s Happening in the Application Security Arena?

Application security attacks are increasing. According to Gartner, 75% of attacks are coming through web applications and not through the network. This means greater emphasis needs to be placed on application security. However, this does not appear to be happening. Application security vulnerabilities are increasing. For the first half of 2009, Cenzic identified about […]

Yan Kravchenko
December 30th, 2009

HITRUST Part 3 Certification Explained

As a continuation of the HITRUST blog series, in this post I would like to explore the concept of certification, and what it means. So, by now I hope you’ve followed my advice and have been browsing the framework up and down. Perhaps you generated a few reports that show you just how easy it […]

Scott Sutherland
December 9th, 2009

Vulnerability Alert: FCKeditor Arbitrary File Upload

The worst kind of vulnerability in your environment is the one you don’t know exists. The “FCKeditor Arbitrary File Upload” issue seems to be just such a vulnerability. The purpose of this blog entry is to increase awareness of this issue and provide companies with sources for remediation options. The “FCKeditor Arbitrary File Upload” vulnerability […]

Yan Kravchenko
December 7th, 2009

HITRUST Part 2: Taking a First Look at the CSF

As a continuation of the HITRUST blog series, in this post I would like to take a closer look at the Common Security Framework (CSF), and what it’s all about. The CSF is designed based on the ISO/IEC 27001:2005 and ISO/IEC 27002:2005 standards. Additionally, the framework currently includes: the NIST 800 series of standards; ISO/IEC 27799:2008; […]