NetSPI Blog

Scott Sutherland
October 5th, 2009

Windows Privilege Escalation Part 2: Domain Admin Privileges

Introduction This is the second part of a two-part series that focuses on Windows privilege escalation. The previous post (Part 1) provided an overview of 10 vectors that could be used to obtain local SYSTEM and administrative privileges from an unprivileged user account. This post focuses on obtaining domain administrative privileges from a local administrator […]

Deke George
October 1st, 2009

Mergers & Acquisitions in the Information Security Field

The news about the sale of the VeriSign consulting team to AT&T suggests that there will be many similar transactions in the near term within the information security market. The investment being made in this market is great, but based on previous experience, a positive outcome is less than certain. From my point of view […]

Deke George
September 28th, 2009

Maturity and Convergence at the PCI-SSC Community Meeting

I attended the PCI-SSC community meeting this past week (September 22-24). There were three key issues discussed that showed that the PCI program is maturing and that a number of standards and regulations are converging (both in and outside the PCI world). The first issue signaled that the council’s view of IT risk is maturing. […]

Alex Crittenden
September 21st, 2009

Security, Compliance, and the New Retail Economy

As the PCI Community Meeting is set to start tomorrow, I have been thinking about the current state of the retail marketplace and what that means for NetSPI’s focus–security and compliance. During the down economic times no retailer really came through unscathed. Everyone suffered to some degree, but even during the most difficult periods of […]

Deke George
September 17th, 2009

Cyber Security and Nuclear Energy

I attended the Nuclear Information Technology Strategic Leadership (NITSL) conference last week, which featured some very interesting discussions on cyber security. One of the keynote speakers described the state of the industry’s physical security, which, when compared with information security, is in very good shape. She discussed the quite substantial investment that her organization had […]

Yan Kravchenko
August 21st, 2009

You Cannot Outsource the Consequences of a Breach

Mozilla is known to most people for its open-source and free software, most notably Firefox. However, starting around August 4th, it also became known as yet another company whose merchandise store was breached. Following the announcement on the company’s blog and closure of Mozilla’s store, the following headlines filled trade pubs and the blogosphere: “Mozilla […]

Seth Peter
August 11th, 2009

Social Media and Corporate Guidance

One of the common themes I took away from the 2009 Blackhat Briefings was the inherent security risks associated with using social media and networking sites. (These concerns have also received some coverage in trade pubs; see, for example, a recent Computerworld article: http://tinyurl.com/mc7yb8) Using social media applications is not just a personal computing trend; […]

Deke George
August 11th, 2009

Healthcare Organizations and Tighter Security Requirements

Because of increasing threats, high-profile data breaches, and increased awareness of the damage they cause, we anticipate a substantial tightening of regulations and contractual requirements that will significantly impact information security in healthcare. Today, HIPAA, CCHIT, and state breach notification laws are the main standards that govern security within healthcare systems that deal with protected […]

Alex Crittenden
August 6th, 2009

The Far-Reaching Impact of the PCI DSS

The last few years have seen a great deal of discussion, arguing, hand-wringing, and posturing within the retail / hospitality community regarding the PCI DSS. It has also driven a lot of investment in technology–and a lot of investment by technology companies. Then PA-DSS came along. The PCI Council took a voluntary program (PABP) and […]