J Wolfgang Goerlich's thoughts on Information Security
Insurance

By wolfgang. 29 June 2010 07:31

In InfoSec risk management, one area that does not get much press is risk transference. That is, using insurance (or agreements) to transfer the risk to a third party. Brian Krebs makes the case, anecdotally, on his blog.


After an incident in which the attackers raided a company’s bank for $750K, “The company managed to recover three of the fraudulent transactions, and its total loss now stands at just shy of $100,000. Golden State Bridge is confident that after paying its $10,000 deductible, the insurance company will cover the rest…” 

http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/

Tags:

Risk Management | Security

Penetration testing lab

By wolfgang. 4 June 2010 06:08

Security Information Management systems are meant to catch and report anything suspicious, right? So how do we test them? By creating a vulnerable network and exploiting it, then checking what the SIM reported. The following tools can be used to build a testing lab for validating network security and web application security controls.

Attack systems:

Back|Track -- The most widely used and best developed penetration testing distro. The main disadvantages are bloat and the lack of Hyper-V support. (Live disc; Slax; netsec)
http://www.backtrack-linux.org/

Matriux -- The new kid on the block, with a faster and leaner distro than Back|Track and native Hyper-V support. (Live disc, Hyper-V; Kubuntu; netsec)
http://www.matriux.com/

Neopwn -- A penetration testing distro created for smart phones. (Debian; netsec)
http://www.neopwn.com/

Pentoo -- Gentoo meets pentesting. (Live disc; Gentoo; netsec)
http://pentoo.ch/

Samurai Web Testing Framework -- Specifically targeted at web application security testing. (Live disc; Ubuntu; appsec)
http://samurai.inguardians.com/

Target systems:

Damn Vulnerable Linux (DVL) -- The classic vulnerable Linux environment. (Live disc; netsec)
http://www.damnvulnerablelinux.org/

De-ICE -- A series of systems to provide real-world security challenges, used in training sessions. (Live disc; netsec)
http://heorot.net/livecds/

Metasploitable -- Metasploit’s answer to the question: now that I have Metasploit installed, what can I attack? (VMware; Ubuntu; netsec)
http://blog.metasploit.com/2010/05/introducing-metasploitable.html

Damn Vulnerable Web App (DVWA) -- A preconfigured web server hosting a LAMP stack (Linux, Apache, MySQL, PHP) with a series of common vulnerabilities. (Live disc; Ubuntu; appsec)
http://www.dvwa.co.uk/

Moth -- From the people that brought you w3af, Moth is a preconfigured web server with vulnerable PHP scripts and PHP-IDS. (VMware; Ubuntu; appsec)
http://www.bonsai-sec.com/en/research/moth.php

Mutillidae -- A deliberately insecure PHP web app that demonstrates each of the OWASP Top 10 vulnerability classes. (Installer; appsec)
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

WebGoat -- An insecure J2EE web app that OWASP uses for security training. (Installer; appsec)
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
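The point of the lab is to confirm that the SIM actually reports what was done to the targets. Below is an added example (not from the post, and not any product's export format) of the check I run after a lab session: a list of exercises against targets from the list above, a constructed SIM alert export, and a coverage report that treats an alert outside the exercise window as a miss. Host addresses, alert names and the pipe-separated format are all assumptions.

```python
"""Detection-coverage check: did the SIM report each lab exercise? Added
example, not from the post; hosts, alert names and format are constructed."""
from datetime import datetime, timedelta

# Per exercise: target (constructed IP), control type, expected alert, run window.
EXERCISES = [
    {"name": "port scan of Metasploitable", "target": "10.0.0.20",
     "control": "netsec", "expect": "PORTSCAN",
     "start": datetime(2010, 6, 4, 9, 0), "minutes": 5},
    {"name": "SQL injection against DVWA", "target": "10.0.0.30",
     "control": "appsec", "expect": "SQLI",
     "start": datetime(2010, 6, 4, 9, 10), "minutes": 5},
    {"name": "path traversal against WebGoat", "target": "10.0.0.40",
     "control": "appsec", "expect": "PATH_TRAVERSAL",
     "start": datetime(2010, 6, 4, 9, 20), "minutes": 5},
]

# Constructed SIM alert export, one "timestamp|alert|src|dst" per line.
# The last alert fires 20 minutes late, so it must not count as coverage.
SIM_ALERTS = """\
2010-06-04 09:02:11|PORTSCAN|10.0.0.5|10.0.0.20
2010-06-04 09:12:45|SQLI|10.0.0.5|10.0.0.30
2010-06-04 09:40:02|PATH_TRAVERSAL|10.0.0.5|10.0.0.40
"""

def parse_alerts(text):
    """Turn the export into (time, alert_name, src, dst) tuples."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            ts, name, src, dst = line.split("|")
            alerts.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name, src, dst))
    return alerts

def coverage(exercises, alerts):
    """True per exercise only if the expected alert hit the right target inside the window."""
    report = {}
    for ex in exercises:
        end = ex["start"] + timedelta(minutes=ex["minutes"])
        report[ex["name"]] = any(
            name == ex["expect"] and dst == ex["target"] and ex["start"] <= ts <= end
            for ts, name, _src, dst in alerts)
    return report

def missed_by_control(exercises, alerts):
    """Exercises the SIM missed, grouped by control type (netsec / appsec)."""
    cov, gaps = coverage(exercises, alerts), {}
    for ex in exercises:
        if not cov[ex["name"]]:
            gaps.setdefault(ex["control"], []).append(ex["name"])
    return gaps
```

The missed list is the actual output of the lab: each entry is a control that needs a new rule or a tuning pass before the next run.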

Tags:

Security | Security Information Management
