Posts

Showing posts from 2016

Examiner Article

Image
A short article by  Trish Dromey on how/why edgescan and what's next 24/7 Security

Dynamic Auto Assessment - Simple but effective

Image
edgescan provides our clients with #fullstack security assessments but what does #fullstack mean? #fullstack covers may layers in the OSI  inter-connectivity diagram . From "the top down......" Deep Coverage Web Applications : Technical vulnerabilities (Injection attacks, scripting, error based attacks) Logical vulnerabilities Component Security (end-of-life components/plugins, insecure config) Host Security : Patching Enabled services (Type, version, known vulnerabilities etc) Operating System Known vulnerabilities Weak protocols Weak configuration So unlike many application-only or Host-only  assessment services,  edgescan discovers more possible weaknesses as a result of either via poor maintenance, configuration mistakes, deployment security, patching and also developer code....#fullstack Wide Coverage The holistic approach also covers ranges of IP's such as say a /24 or /16 cidr block. Automatic Assessment : edge...

Continuous Asset Profiling - What is your attack surface?

Image
At edgescan we have a solution called HIDE (Host Index Discovery and Enumeration) which is in effect a continuous asset profiling function it does the following: HIDE query's entire IP ranges for our clients. This "blanket" covering of ranges gives our clients the ability to see whats "Alive" and whats enabled in seconds. If an endpoint is decommissioned or newly deployed, HIDE detects the change and can alert users. Detection of the state of all endpoints exposed to the public Internet Identification the endpoint and tries to resolve any DNS associated with it Enumeration the services and open ports enabled on the endpoint. Automated alerts based on user defined criterion (e.g. New host discovered,  HOST dies etc). Detection is via cloud API's and/or port enumeration (TCP/UDP). Via the HIDE console you can query say across 10,000 endpoints, what system is running Linux and has port 25 open etc. Why is HIDE "a hit" with our client...

edgescan - Virtual Patching and WAF integration - Reducing "time-to-fix"

Image
What is a Virtual Patch? The idea of virtual patching is to apply a rule on a perimeter endpoint which mitigates/reduces the risk of the vulnerability being exploited. This can be performed without changing any application source code and is in effect applying a rule to an IDS/IPS or WAF such that it is aware and can defend against a particular attack vector and protect a system from exploitation or breach. When you consider the numerous use cases when organizations can’t simply edit and fix the source code, the benefits of virtual patching becomes apparent. It is a scalable solution as it is implemented in a single location (the firewall) vs. installing patches on all hosts. It reduces/mitigates risk of breach or exploitation until a vendor-supplied patch is released or while a patch is being tested and applied. The source code is not altered and hence it reduces the likelihood of code conflicts or introducing errors. It provides timely pr...

Web Application security for CISO's - 6 things to consider

Image
At edgescan we assess 1000's of systems globally across both the web site & application layers.  We assess both pre-production and production environments deployed to data centres and the cloud alike. From experience the job of a CISO involves much more than cybersecurity but the CISO is required to set strategic direction for many aspects of security and be an oracle of knowledge.... Many of my CISO friends and colleagues understand the need to security across the entire systems development and maintenance lifecycle and have a large list of areas to cover off and secure not to mention maintaining compliance... Measuring the security maturity Level, and building an integrated approach to maintain posture Balancing cost/budget and risk prioritization Consolidation of metrics and trends to make informed decisions Maintaining clear channels of communication with the business Helping to keep security promises made to users by the business. Th...

AppSec Training

Building Secure Apps... We did a bunch of Application Security development training over the past 6 months. You can find it here On the 6th April we have a Secure Ruby development class running in conjunction with the IISF ( iisf.ie ) which is all but sold out. Link to the event in April is here: https://www.eventbrite.ie/e/secure-ruby-on-rails-development-for-the-cloud-tickets-20842524552 There is also a bunch of editable stuff to use in your own classes here: https://www.owasp.org/index.php/Education/Free_Training Which I delivered in 2014/2015 at RSA, LASCON and RSA (EU). http://www.slideshare.net/eoinkeary/ Stuff delivered over the years in the EU and USA.

Dr StrangeLove (How I Learned to Stop Worrying and Love Managed Services),

Image
Convergence of data, economies, supply chains & critical infrastructure and it all needs to be secure...welcome to the Internet. As a practitioner in the software development and security industries for over 15 years, I've got to say it has never felt like a job. For people to like their jobs it's a blessing, particularly as my skillset is in demand.  Demand is based on need and  given the proliferation of internet technologies for literally anything (finance, military, energy, mobile, IoT) is does not see to be getting any less busy. As with anything if there is a demand for something there comes a tipping point. Be it energy, clean water, food security or even Internet security.  As a result there are some knock-on effects and many are the result of a capacity to deliver . Given so many different industry verticals are all converging into a single approach to delivery (the Internet) the responsibili...

5 Tips To Keeping Hackers Out Of Your Business in 2016

Image
So, to start off 2016 on a secure footing here are 5 tips that can radically reduce your risk profile.... We recently released the edgescan 2015 Vulnerability stats report to positive feedback You can find it here:  edgescan - resources page The tips below are based on the vulnerability stats report. So they are in effect a result of 1000's of security assessments in 2015 and what we believe are simple but effective tips to help you consider some of the right things.  Sometimes focus on  "doing the right things" and not "doing things right" is what matters. The findings were not too surprising for 2015 covering off the volume of high profile cyber attacks, the root cause and how we can improve our security?.  Here's my Top 5 based on the most common issues discovered in the stats report and effective fixes which could dramatically improve your security posture. Patch Or Recycle Your Servers!! In 2015 63% of vulnerabilities d...