Doug Vitale Tech Blog

Posts Tagged ‘assessment

Browser-based penetration testing with Firefox and Chrome

With the proper extensions installed, you can hack from the comfort of your Firefox or Chrome browser. Within Firefox, add-ons are divided into three categories: extensions, appearance themes, and plugins. Extensions extend the functionality of Firefox past simple web browsing. Appearance themes change the way Firefox looks, and plugins are necessary for Firefox to display specialized non-HTML Web content such as Flash, Java script, multimedia, etc.

The Firefox add-ons interface, accessible via Tools-->Add-ons in the menu bar

The Firefox add-ons interface, accessible via Tools–>Add-ons in the menu bar

Google Chrome labels all add-ons as “extensions”. The Chrome website lists them in the same column as “Apps” and “Themes”.

The Chrome extensions interface, accessible via Chrome Menu-->Tools-->Extensions

The Chrome extensions interface, accessible via Chrome Menu–>Tools–>Extensions

Read the rest of this entry »


Written by Doug Vitale

December 28, 2012 at 3:07 PM

Create and implement a vulnerability management program

If you, as an information security professional, are tasked with maintaining the cyber defenses of an information system (IS), this is a responsibility that you cannot carry out in a haphazard manner. Given the complexity of modern computer networks, a standardized approach to IT security is necessary to ensure that all facets of the IS are protected to the utmost. As with network connectivity troubleshooting, it is simply better to follow a plan of defined steps rather than attempt to achieve your goal in an unorganized way.

As you are aware, threats to the security posture of an IS come in many forms. Unpatched software, default software settings, unnecessary software installations, weak user account policies, porous physical access control, and the absence of effective emergency response plans can all be exploited by human attackers, malicious software (malware), or unfavorable (possibly disastrous) circumstances. All of these vulnerabilities (weaknesses which could be exploited by adversaries to compromise the security posture of an IS) are what you try to eliminate in the field of information security (also known as information assurance, or IA).

To help prevent occurrences of unauthorized IS access or data breach, a systematic methodology for identifying and remediating security weaknesses is required. Vulnerability management, when implemented in such a precise and thorough manner, becomes a vulnerability management program (VMP).

Benefits of a vulnerability management program

The main aim of any VMP is to ensure that current vulnerabilities within an IS are identified, evaluated, and resolved in a timely and cost-effective manner. This goal is achieved by successfully carrying out the following steps:

  • Accurately identify vulnerabilities in the overall network infrastructure;
  • Monitor and verify the remediation of the vulnerabilities;
  • Examine the root causes of the vulnerabilities; and
  • Modify standards, policies, and processes to fix those root causes to reduce the occurrence of future vulnerabilities.

A properly functioning VMP also brings about the following desirable results:

  • Prevents the loss and/or unauthorized modification of sensitive data;
  • Maintains client and partner confidence in the enterprise and upholds its reputation by preventing embarrassing incidents;
  • Demonstrates compliance with legal regulations and industry best practices, and consequently enables the IS to better pass audits and certification & accreditation efforts.

As an effective VMP matures, it becomes increasingly efficient and streamlined while the quantity and severity of discovered issues decrease. In other words, the CIA operational standards are strengthened and the overall resiliency of the IT infrastructure is increased. “CIA” in the information security field stands for:

  • Confidentiality – the prevention of unauthorized data access.
  • Integrity – the maintenance of data in a trusted state.
  • Availability – the ease of IS access and operation for authorized parties.

Read the rest of this entry »

Written by Doug Vitale

July 11, 2012 at 12:25 AM

%d bloggers like this: