cissp CISSP training Certified Information Systems Security Professional: Vulnerabilities


OWASP Long Island Chapter
Posted by boss on Saturday, 14 January 2012 @ 10:43:00 CET (2958 reads)
Topic Vulnerabilities

cdupuis writes "

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

All Long Island chapter meetings are free. Please watch our calendar for upcoming events.

For more info contact:  Helen Gao  (helen.gao@wasp.org)

https://www.owasp.org/index.php/Long_Island

"



St. Cloud State University wins OWASP AppSec USA 2011 University Challenge
Posted by boss on Wednesday, 19 October 2011 @ 08:20:17 CEST (2162 reads)
Topic Vulnerabilities

cdupuis writes "

Students win prestigious challenge

Monday, October 17, 2011

Seven St. Cloud State students won the Open Web Application Security Project AppSec USA 2011 University Challenge held at the Minneapolis Convention Center Sep. 21-22. The winners are majoring in Network Information Security at the Computer Networking and Applications (IT) program.

"This is another great achievement by students in the CNA (IT) program after winning the Minnesota Cyber Defense competition in March," said Tirthankar Ghosh, associate professor at the Department of Computer Science and Information Technology. "This is a moment of pride for all of us, a moment of pride for SCSU."

The St. Cloud State team not only won the overall competition but also scored the highest on the "attack portion" of this application security university challenge.  The competition was divided into two challenges – security penetration and security defense. In the first challenge, the students had to break into a number of websites provided to them, identify their security vulnerabilities and suggest solutions to fix them.  In the second challenge, the teams had to set up a virtual store, identify any weaknesses in the code and resolve them by providing new programming changes to the code. 

"These challenges gave us a well-rounded experience of a security professional, both with being able to attack as well as to defend web applications," said junior Joshua Platz, St. Cloud.

The other members of the winning team were senior Jake Soenneker, Clear Lake; senior Derek Winter, Champlin; senior Eric Kluthe, Apple Valley; junior Ryan McDougall, Monticello; junior Matthew Sitko, Mahtomedi; and junior George Massawe, Mason City, Iowa.

http://www.stcloudstate.edu/news/newsrelease/default.asp?pubID=3&issueID=31494&storyID=36589

Contact
University Communications
St. Cloud State University
(320) 308-2284
jcwood@stcloudstate.edu
"



DataLossDB Weekly Summary -- Another busy week
Posted by boss on Tuesday, 02 November 2010 @ 07:52:52 CET (1249 reads)
Topic Vulnerabilities

cdupuis writes "

NOTE FROM CLEMENT:
Another busy week for DataLossDB. See below the mistakes made by companies that led them to face negative publicity, huge losses, and other collateral damage. It seems the list is not getting any smaller. The threat is real, and you must address issues such as internal employees, human errors, and other soft issues that can make you lose a large amount of money. See the latest email sent by DataLossDB below:

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, October 24, 2010

10 Incidents Added.

==============================================

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open Security Foundation asks for contributions of new incidents and new data for existing incidents. For any questions about the project or the data contained within this email or the website (http://www.datalossdb.org), please contact us at
curators@datalossdb.org.

==============================================

Incidents Added

Reported Date: 2010-10-29
Summary: Students' names, grades and Social Security numbers of 40,101 left exposed on a server for nearly a year
Organizations: University of Hawaii
http://datalossdb.org/incidents/3230
---------------------

Reported Date: 2010-10-27
Summary: Student list containing names and Social Security numbers posted on the internet
Organizations: University of Connecticut
http://datalossdb.org/incidents/3229
---------------------

Reported Date: 2010-10-27
Summary: Telstra sends misaddressed letters to over 200,000 customers
Organizations: Telstra
http://datalossdb.org/incidents/3221
---------------------

Reported Date: 2010-10-18
Summary: Boxes of employees' personal info including W-2s, driver's licenses, Social Security numbers, and tax information found by dumpster
Organizations: Jackson Hewitt
http://datalossdb.org/incidents/3226
---------------------

Reported Date: 2010-10-16
Summary: Patient information stolen from a courier service, exposing patient insurance information and partial/full SSN
Organizations: UC Davis Medical Center
http://datalossdb.org/incidents/3223
---------------------

Reported Date: 2010-10-14
Summary: A credit union employee stole customers' names and credit card details
Organizations: Fairwinds Credit Union, RBC
http://datalossdb.org/incidents/3224
---------------------

Reported Date: 2010-10-12
Summary: Employee steals credit card numbers from bank customers, sentenced to pay $1,071,871.33 in restitution
Organizations: Citibank
http://datalossdb.org/incidents/3225
---------------------

Reported Date: 2010-10-01
Summary: Personal information including names, addresses and Social Security numbers left exposed on a desk by a federal investigator
Organizations: Federal Prison Industries Inc, Lexington Federal Medical Center
http://datalossdb.org/incidents/3222
---------------------

Reported Date: 2010-07-26
Summary: Equipment stolen from facility exposes current and former employees' names, SSNs and fingerprints
Organizations: Trade Center Management Association, LLC
http://datalossdb.org/incidents/3227
---------------------

Reported Date: 2008-05-05
Summary: Desktop computer containing 180 patient details including names, dates of birth and clinical information was stolen
Organizations: North West London Hospitals NHS Trust
http://datalossdb.org/incidents/3228

"



Malware Contributed To Plane Crash
Posted by boss on Tuesday, 24 August 2010 @ 09:25:03 CEST (1810 reads)
Topic Vulnerabilities

cdupuis writes "

Investigation into Spanair flight 5022 finds that monitoring server had been disabled by Trojan application.

By Mathew J. Schwartz,  InformationWeek
Aug. 23, 2010
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=226900089

Spanish authorities investigating the crash of Spanair flight 5022 in Madrid have found that malware may have contributed to the accident, which occurred two years ago, killing 154 people on board. Only 18 survived the crash and subsequent fire.

The Spanish agency charged with investigating the accident has listed the official cause as pilot error, because the pilots failed to extend the MD-80 airplane's takeoff flaps and slats, which would have helped the airplane to rise. Instead, the plane stalled just seconds after takeoff.

But the agency also found that a warning alarm meant to ensure that the pilots didn't leave the flaps and slats retracted failed to sound, and that the warning had failed to sound on two previous occasions.

According to Spanish daily El Pais, those failures, which were non-trivial, should each have been immediately logged in a maintenance system, which would have spotted the recurring fault and triggered an alarm at the airline's headquarters in Palma de Mallorca, keeping the plane grounded until the issue was fixed.

But authorities say that the maintenance system had been infected by a Trojan application, rendering the monitor useless. In addition, two engineers currently under investigation for manslaughter apparently failed to log the device faults, even though under company policies they were required to do so immediately. When they did attempt to enter the faults, the plane had already crashed, at which point they found that the monitoring system apparently wasn't working.

The judge, Juan David Perez, has demanded that the airline turn over copies of all entries in the maintenance system from the days before and after the crash.

"I am not a pilot, so I cannot speak with authority on how to fly a passenger airliner, but it seems clear to me that this accident was caused by the failure of a number of controls leading to a disastrous outcome," wrote Rick Wanner of the SANS Internet Storm Center, on his blog. "Clearly the SpanAir diagnostic system (a detective control) designed to detect anomalies in the airliners system failed, possibly due to a Trojan. Also it appears the pilots bypassed part of their pre-takeoff checklist, leaving the flaps and slats in a position not recommended for takeoff."

"This one all boils down to inadequate training and a lack of professional behavior," said a responder to Wanner's post, citing 25 years of jet avionics experience. "They had to have had ample indications that certain systems were not working, they didn't follow the checklists and they didn't abort when they failed to reach certain speeds at certain points during the takeoff roll."

"



Fyodor Nmap Network Scanning Book Released!
Posted by boss on Tuesday, 09 December 2008 @ 08:24:46 CET (3315 reads)
Topic Vulnerabilities

NOTE FROM CLEMENT:

Nmap is really the mother of all port scanners. It can help you on the defensive side to identify ports that are currently open, new IPs that have just shown up in your production environment, and ports that have been added, deleted, or modified on your hosts. Find out what is happening to your servers as soon as changes manifest themselves. This is really a great tool for regular scanning and discovery of ports and services that should or should not be on your servers. This book is written by Fyodor, the author of Nmap; there is nobody else who knows Nmap better than Fyodor. I highly recommend it to all. See the announcement below from Fyodor:

Nmap Hackers:

After promising you a book on Nmap for years, I'm delighted to finally announce the release of Nmap Network Scanning! It contains everything I've learned about network scanning from more than a decade of Nmap development, plus some bad jokes and (over Time Warner's written objections) pictures of Trinity hacking the Matrix :) . Here is the abstract:

Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals. The reference guide documents every Nmap feature and option, while the remainder demonstrates how to apply them to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.

The planned release date was January 1, but Amazon beat the deadline and is now shipping in time for Christmas! Imagine your loved one's surprise when she (or he) finds nearly 500 pages of port scanning bliss in her stocking!

You can find reviews, sample chapters, and a detailed summary at:

http://nmap.org/book/

Or you can pick the book up at Amazon for $33.71:

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning

It is available on the International Amazon sites too, as well as other online retailers. Your local book store probably doesn't have it yet, but can likely order it for you.

About half of the content is available free online at http://nmap.org/book/toc.html . Chapters exclusive to the print edition include "Detecting and Subverting Firewalls and Intrusion Detection Systems", "Optimizing Nmap Performance", "Port Scanning Techniques and Algorithms", "Host Discovery (Ping Scanning)", and more.

If you enjoy the book, please help spread the word! While my previous books were published by Addison-Wesley and Syngress, this one was self-published. While that allowed me to post half the book online before it was even released, it also means I lose the marketing budget and clout of a major publisher. So if you like the book, please post a review to your blog/site/Amazon or tell your friends about it!

Apparently there was some pent-up demand for the book, as it is currently the 11th best-selling computer book on Amazon. Maybe it will be even higher by the time you read this:

http://www.amazon.com/gp/bestsellers/books/5/ref=pd_zg_hrsr_b_1_2&tag=secbks-20

I'd like to thank the many people who helped make this book possible by reviewing drafts, contributing stories, brainstorming ideas, etc. In particular, I'd like to thank David Fifield, Raven Alder, Matt Baxter, Saurabh Bhasin, Mark Brewis, Ellen Colombo, Patrick Donnelly, Brandon Enright, Brian Hatch, Loren Heal, Lee "MadHat" Heath, Dan Henage, Tor Houghton, Doug Hoyte, Marius Huse Jacobsen, Kris Katterjohn, Eric Krosnes, Vlad Alexa Mancini, Michael Naef, Bill Pollock, David Pybus, Tyler Reguly, Chuck Sterling, Anders Thulin, Bennett Todd, Diman Todorov, and Catherine Tornabene!

And most importantly, I want to wish you all happy holidays!

Cheers,

Fyodor

Get your copy now:

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning




Used device bought on eBay allowed full remote VPN access
Posted by boss on Monday, 29 September 2008 @ 20:01:59 CEST (2468 reads)
Topic Vulnerabilities

NOTE FROM CLEMENT:

We do get trained on remnants left on storage devices and how to sanitize them before reusing them for other purposes; however, it seems the training should include sanitizing devices as well. See a great story below from the UK. I am sure we could do just as well in the States:

A security expert discovered that a VPN device bought on eBay automatically connected to a local council's confidential servers.

Andrew Mason bought the Cisco VPN 3002 Concentrator - a device on which he has written a tutorial book - on eBay for only 99 pence, with the intention of using it at work.

However, when he plugged it in it automatically connected him directly to Kirklees Council's central servers, circumventing security with the login details which had been carelessly left on the device.

"It instantly connected me, and I had full network access," explains Mason. "I understand the law extremely well and at that point disconnected," adds the intrusion-detection professional.

Despite contacting the council about the matter, no action was taken. "They ignored me at first," says Mason, before explaining that following coverage on the BBC website, access from the device has been shut off.

He admits that there could well be more devices out there, from which access is still possible, and exceedingly simple. "The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really," says Mason.

The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."

"In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken," says a council spokesman.

 




National Vulnerabilities Database and Hardening Checklists
Posted by boss on Saturday, 19 January 2008 @ 13:36:09 CET (2961 reads)
Topic Vulnerabilities

cdupuis writes "

All,

The National Checklist Repository (NCP) now contains the SCAP checklists previously listed at http://nvd.nist.gov/scapchecklists.cfm. The SCAP checklists are grouped by product category; each product category has checklist bundles associated with it. Each bundle contains multiple checklists, with each checklist representing different SCAP content (e.g. Configuration Content, OVAL Patches, Prose Guide).

- The NCP SCAP Checklist page is located at http://nvd.nist.gov/ncp.cfm?scap.

- The NCP FDCC Checklist page is located at: http://nvd.nist.gov/ncp.cfm?fdcc_chklst.

The legacy page (http://nvd.nist.gov/scapchecklists.cfm ) is still available, however future updates to SCAP content will be made to the NCP pages.

Respectfully,

Paul Cichonski

 

BELOW YOU WILL FIND MORE INFORMATION AND LINKS FROM THE WEBSITE:

National Vulnerability Database Version 2.0 NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP).

Federal Desktop Core Configuration settings (FDCC)
NVD contains content (and pointers to tools) for performing configuration checking of systems implementing the FDCC using the Security Content Automation Protocol (SCAP).
FDCC Checklists are available here (to be used with SCAP FDCC capable tools).
SCAP FDCC Capable Tools are available here.

NVD Primary Resources

"



Do you back up ALL of your data? It could cost you billions if you don't
Posted by boss on Thursday, 29 March 2007 @ 11:41:41 CEST (2481 reads)
Topic Vulnerabilities

cdupuis writes "Alaskan orphaned server responsible for $38B data loss
Jim Damoulakis

March 28, 2007 (Computerworld) Anyone remotely associated with IT has by now read at least one account of the data loss suffered by the state of Alaska relating to their Permanent Fund Dividend. As more details emerge (see "Oil revenue gets baked in Alaska"), I am beginning to feel a bit like Bill Murray in "Groundhog Day". Or, to quote this Red Sox fan's favorite Yankee, Yogi Berra, "it's déjà vu all over again."

This story, or a similar variant, has been repeated numerous times in organizations of all shapes and sizes, albeit usually without the number $38 billion linked to it. I just feel sorry for the poor guys involved - most of the time this type of screw-up isn't covered by Fox News, CNN, and the Associated Press. Giga-dollars aside, identical exposures exist today within many data centers.

One particular facet of the story caught my eye. Initial reports suggested that after the primary and secondary disk information was lost, attempts to recover from tape were unsuccessful because the "backup tapes were unreadable." Here we go again - blame tape! If only they had backed up to disk. Wrong. It turns out that the backup tapes were NOT unreadable because there were NO backup tapes. It seems that due to a process glitch, this particular data set was not being backed up.

With today's backup reporting tools, there is no excuse for repeated failed backups being undetected. However, there still remains a major gap in many data protection strategies: unknown or orphan systems. For a backup to "fail," it has to at least have been scheduled to run. If a system is brought online and never entered into the backup pool, or additional volumes are allocated to a system, but never added to the backup "include" list, there is technically no failure from the backup application's perspective. As appears to have been the case here, and we have seen elsewhere, this omission went undetected until it was too late.

Accounting for orphan systems is an arduous task. Some reporting applications attempt to provide information through activities such as network probing (often to the chagrin of the network security folks as this looks like an intrusion), but even this requires significant effort to filter out "noise" (i.e. printers and other non-server devices, multiple NIC cards in a given device) and then to manually reconcile what is and isn't being backed up and why. Finding orphan volumes is even harder, which is why, at a minimum, we typically recommend configuring backup applications to include all local volumes.

A colleague of mine likes to talk of strategic use of policy and tactical use of technology. All too often, organizations try to make the strategy about the technology. Once again, we see that it is no substitute for well thought out policy and process.

Jim Damoulakis is chief technology officer of GlassHouse Technologies Inc., a leading provider of independent storage services. He can be reached at jimd@glasshouse.com

Original article at:
http://cwflyris.computerworld.com/t/1396846/171754/57106/2/
"
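The orphan-system reconciliation the article calls for, as an added example that is not code from the Computerworld article or from any backup product: it collapses per-NIC discovery rows into one asset per host, drops non-server noise, and compares what exists against the backup application's client and include lists. All hostnames, addresses, volumes and the `ALL_LOCAL` include keyword are constructed for the example.

```python
"""Reconcile a network/asset inventory against a backup application's
client list to find orphan hosts and orphan volumes.

Added example, not code from the Computerworld article or any backup
product. All data below is constructed: the probe rows imitate what a
network discovery sweep returns (one row per NIC address), and the
backup clients imitate an application's client list with include lists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    kind: str          # "server", "printer", "switch", ... as reported by discovery
    ips: tuple         # every address the probe saw for this host
    volumes: tuple     # local volumes allocated to the host


@dataclass(frozen=True)
class BackupClient:
    hostname: str
    include: tuple     # include list; ("ALL_LOCAL",) = back up all local volumes
    last_success: str  # ISO date of last successful run, "" if it never ran


# Constructed discovery output: one row per NIC, so multi-homed hosts
# show up more than once and non-server devices show up as noise.
PROBE_ROWS = [
    {"ip": "10.0.1.10", "hostname": "pfd-db01",   "kind": "server",  "volumes": ("C:", "D:", "E:")},
    {"ip": "10.0.2.10", "hostname": "PFD-DB01",   "kind": "server",  "volumes": ("C:", "D:", "E:")},
    {"ip": "10.0.1.11", "hostname": "pfd-app01",  "kind": "server",  "volumes": ("C:", "D:")},
    {"ip": "10.0.1.12", "hostname": "pfd-img02",  "kind": "server",  "volumes": ("C:", "D:")},
    {"ip": "10.0.1.50", "hostname": "prn-floor3", "kind": "printer", "volumes": ()},
    {"ip": "10.0.1.1",  "hostname": "sw-core",    "kind": "switch",  "volumes": ()},
]

# Constructed backup-application client list.
BACKUP_CLIENTS = [
    BackupClient("pfd-db01",  ("C:", "D:"),   "2007-03-27"),  # E: allocated later, never added
    BackupClient("pfd-app01", ("ALL_LOCAL",), "2007-03-27"),
    BackupClient("old-fs01",  ("ALL_LOCAL",), ""),            # scheduled, never succeeded
]
# pfd-img02 is online but was never entered into the backup pool at all.


def collapse_probe_rows(rows):
    """Merge per-NIC rows into one Asset per host (hostnames compared case-insensitively)."""
    by_host = {}
    for row in rows:
        key = row["hostname"].lower()
        prev = by_host.get(key)
        ips = (prev.ips if prev else ()) + (row["ip"],)
        by_host[key] = Asset(key, row["kind"], ips, tuple(row["volumes"]))
    return list(by_host.values())


def drop_noise(assets, keep_kinds=("server",)):
    """Filter out printers, switches and other devices that hold no data to back up."""
    return [a for a in assets if a.kind in keep_kinds]


def reconcile(assets, clients):
    """Return the gaps a backup failure report never shows.

    orphan_hosts:   servers seen on the network with no backup client at all
    orphan_volumes: {host: [volumes]} allocated to a host but absent from its include list
    never_run:      clients the backup app knows about but has never backed up
    """
    clients_by_host = {c.hostname.lower(): c for c in clients}
    orphan_hosts, orphan_volumes, never_run = [], {}, []
    for asset in assets:
        client = clients_by_host.get(asset.hostname)
        if client is None:
            orphan_hosts.append(asset.hostname)
            continue
        if "ALL_LOCAL" not in client.include:
            missing = [v for v in asset.volumes if v not in client.include]
            if missing:
                orphan_volumes[asset.hostname] = missing
    for client in clients:
        if not client.last_success:
            never_run.append(client.hostname.lower())
    return {"orphan_hosts": sorted(orphan_hosts),
            "orphan_volumes": orphan_volumes,
            "never_run": sorted(never_run)}


def report():
    """Run the whole pipeline over the constructed data."""
    assets = drop_noise(collapse_probe_rows(PROBE_ROWS))
    return reconcile(assets, BACKUP_CLIENTS)


if __name__ == "__main__":
    for name, gap in report().items():
        print(f"{name}: {gap}")
```

Only `never_run` would ever surface in the backup application's own failure report; the two orphan categories exist solely because the inventory was compared against it.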



DOD bars use of HTML e-mail, Outlook Web Access
Posted by boss on Wednesday, 27 December 2006 @ 11:03:42 CET (3218 reads)
Topic Vulnerabilities

Anonymous writes "Original Article at: http://www.fcw.com/article97178-12-22-06-Web

Due to an increased network threat condition, the Defense Department is blocking all HTML-based e-mail messages and has banned the use of Outlook Web Access e-mail applications, according to a spokesman for the Joint Task Force for Global Network Operations.

An internal message available on the Internet from the Defense Security Service (DSS) states that JTF-GNO raised the network threat condition from Information Condition 5, which indicates normal operating conditions, to Infocon 4 “in the face of continuing and sophisticated threats” against Defense Department networks.

Infocon 4 usually indicates heightened vigilance in preparation for operations or exercises or increased monitoring of networks due to increased risk of attack.

The JTF-GNO mandated use of plain text e-mail because HTML messages pose a threat to DOD because HTML text can be infected with spyware and, in some cases, executable code that could enable intruders to gain access to DOD networks, the JTF-GNO spokesman said.

In an e-mail to Federal Computer Week, a Navy user said that any HTML messages sent to his account are automatically converted to plain text.

The JTF-GNO spokesman declined to say why the command raised the threat level except to say that Infocon levels are adjusted to reflect worldwide social and political events and activities. He said the current threat level does not bar the use of attachments, including PowerPoint slides used for briefings.

He also declined to tell FCW what other restrictions on e-mail JTF-GNO has imposed. But a December 2006 newsletter of the Colorado National Guard said that under Infocon 4, Guard members receiving e-mails from any unknown source, including “mail received from unrecognized Department of Defense accounts,” should view them as potentially harmful.

The Colorado Guard newsletter also alerted personnel to be vigilant against e-mail “phishing” attempts to gain personal information.

The ban on use of Outlook Web mail will hit thousands of users at Robins Air Force Base, Ga., according to an internal message available on the Internet. The ban on the use of Outlook Web Access “will significantly impact the way we presently conduct business,” due to the fact that Web mail is the primary means of e-mail access for 4,500 employees at the base, according to the message.

Robins has developed a work-around for these users to access Outlook directly by logging on to government computers with their common access cards, the internal message said.

JTF-GNO raised the DOD network threat level to Infocon 4 in mid-November after an attack on the networks at the Naval War College (NWC) required NWC to take its systems offline. The JTF-GNO spokesman said at the time that the increase in threat conditions had no relation to the attack against NWC."



Interesting tool to fight bugs such as the WMF bug
Posted by boss on Wednesday, 04 January 2006 @ 12:02:24 CET (2399 reads)
Topic Vulnerabilities

Anonymous writes "For those interested, Core FORCE is free endpoint security software currently in beta stage. With it, users can configure access control permissions to file system objects independently of the operating system's ACLs and security policy enforcement mechanisms.

The default security profiles of IE and Firefox included in the package distribution prevented exploitation of the WMF bug through those vectors, simply because they denied execution of rundll32.exe from within IE or Firefox. The same applies to the MSN Messenger profile submitted to the profiles repository site.

Furthermore, you can explicitly configure permissions to deny and log read/exec access to shimgvw.dll system-wide or on a per-application basis.
This is functionally equivalent to Microsoft's suggested workaround of unregistering the DLL, but the advantage is that it does not matter if some program registers it back or if somehow a program tries to load and execute the DLL in any way.

Core Force is available at http://force.coresecurity.com

As I said, it is still beta; make sure you read the software compatibility and known issues list and the docs.

-ivan"



NIST SP 800-68 Guidance for Securing Microsoft Windows XP Systems
Posted by boss on Monday, 07 November 2005 @ 13:08:54 CET (3499 reads)
Topic Vulnerabilities

Anonymous writes "
A NIST Security Configuration Checklist has just been released.

NIST is pleased to announce the release of Special Publication 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist. The guide has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional SP2 systems.

For a description see: 
http://csrc.nist.gov/itsec/guidance_WinXP.html

To download the checklist visit: http://csrc.nist.gov/itsec/download_WinXP.html

To see all the checklists available visit: http://checklists.nist.gov/repository/category.html

"



IDC paper on Penetration Testing
Posted by cdupuis on Friday, 15 July 2005 @ 08:59:40 CEST (3267 reads)
Topic Vulnerabilities


CLICK ON THE FOLLOWING URL TO READ THE WHOLE PAPER: www.coresecurity.com/idcwp




Learn the five worst security practices in organizations
Posted by cdupuis on Tuesday, 05 April 2005 @ 08:04:53 CEST (2288 reads)
Topic Vulnerabilities

A great article was published at TechRepublic (http://techrepublic.com.com/5100-10595-5649211.html?tag=nl.e119). See a synopsis below:

Regardless of an organization's size, they all face the same security challenges: keeping intruders away from their private information. However, most companies have a tendency to make the same mistakes. John McCormick details the five worst security practices found in businesses both large and small.

An individual using a single workstation, a small business with two or three PCs connected to the Net through a high-speed cable modem, the team responsible for the security of an enterprise network: regardless of an organization's size, they all face the same security challenges: keeping intruders away from their private information.

Unfortunately, people tasked with security keep making the same basic mistakes. Since it's once again been a relatively quiet week in the security world, I'm taking this opportunity to list the five worst security practices found in businesses both large and small.

1. Failing to enforce policies

2. Ignoring new vulnerabilities

3. Relying too much on technology

4. Failing to thoroughly investigate job candidates





Common Vulnerabilities and Exposures White Paper
Posted by cdupuis on Wednesday, 02 February 2005 @ 21:00:32 CET (2114 reads)
Topic Vulnerabilities

NOTE FROM CLEMENT:
Once in a while I come across a product that really gets me going and gets me excited again about security. Lately I ran into such a product called PredatorWatch; it is a great tool to validate your compliance, monitor activities, and become compliant with the CVE. What is even more interesting is the fact that the CEO is one of the students that I had in one of my CISSP classes. Here are some neat white papers that Gary from PredatorWatch has shared with cccure.org:

A. Proactive Network Security: Do You Speak CVE
A nice presentation discussing what CVEs are all about.
Synopsis:
The most important information security question you need to answer is "Do You Speak CVE?" If you do not, then no matter how much you spend on INFOSEC countermeasures, you'll never fully understand why you are experiencing downtime and successful hacker attacks. Not to mention the regulatory compliance risk you face.

The Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. Using a common name makes it easier to share data across separate databases and tools that until now were not easily integrated. This makes CVE the key to information sharing. If a report from one of your security tools incorporates CVE names, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem. The CVE is an industry standard funded by the Department of Homeland Security and operated by MITRE.

Read it at:
http://www.cccure.org/Documents/predatorwatch/Do-You-Speak-CVE-WhitePaper.pdf

also look at:
http://www.cccure.org/Documents/predatorwatch/Proactive-Network-Security-Do-You-Speak-CVE.ppt


B. How to achieve true proactive network security
This paper presents a view of today's security complexity and where the real threats are. A nice overview.

Read it at: http://www.cccure.org/Documents/predatorwatch/HowToAchieveTrueProactiveNetSecurity.pdf

You can visit the PredatorWatch web site at http://www.predatorwatch.com/. Do take a look at their appliances; they are really amazing and also offered at a price that is affordable for all.

If you have questions, contact Gary (garym@predatorwatch.com) and he will be very happy to get you the information that you need.

Enjoy!

Clement




Computer Misuse: Threats and Countermeasures
Posted by cdupuis on Wednesday, 07 July 2004 @ 10:48:04 CEST (2112 reads)
Topic Vulnerabilities

In today's world, use of information systems has become mandatory for businesses to perform their day-to-day functions efficiently. Use of desktop PCs, laptops, and network connectivity, including the Internet and e-mail, is as essential as the telephone at the workplace. The employees and networked information systems are the most valuable assets of any organization.

The misuse of information systems by employees, however, poses serious challenges to organizations, including loss of productivity, loss of revenue, legal liabilities and other workplace issues. Organizations need effective countermeasures to enforce their appropriate usage policies, minimize their losses and increase productivity. This paper discusses some of the issues related to information system misuse, the resulting threats and countermeasures. Click on the link below to read this great document.


http://www.cccure.org/modules.php?name=Downloads&d_op=viewdownload&cid=57

Enjoy!

Clement




All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or it's maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respecful owners. The content of this site is provided to you freely due to the generosity of our sponsors.

