Wednesday, November 18, 2009

OWASP Releases 2010 - Top 10 Web Application Security Risks

OWASP (Open Web Application Security Project) released the preliminary version of the Top 10 Web Application Security Risks in a Request for Comment format.

According to OWASP they plan "to release the final public release of the OWASP Top 10 -2010 during the first quarter of 2010 after a final, one-month public comment period ending December 31, 2009. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. This release has been significantly revised to clarify the focus on risk. To do this, we’ve detailed the threats, attacks, weaknesses, security controls, technical impacts, and business impacts associated with each risk. By adopting this approach, we hope to provide a model for how organizations can think beyond the ten risks here and figure out the most important risks that their applications create for their business."

The full document can be found on the OWASP web site.

The OWASP Top Ten has been a key driver in improving the security of Web applications across many industries. If you have any questions please ask Arthur, who is an active OWASP member.

Sunday, November 1, 2009

HP Laserjet 3100 on Vista or Windows 7

I have a wonderful HP Laserjet 3100 that is still working reliably after seven years of use. I recently added a new laptop that is running Vista Business (no choice in the matter) to my stable of machines. I still want to use this printer with the Vista machine, but HP has no drivers for the printer. What to do?

The printer is connected to a machine on my network running Windows XP Professional.

1) I added a new printer on the Windows XP machine without using Plug and Play. It was set up as an HP LaserJet II Series printer connected to LPT1 (The parallel port).
2) I shared out the printer as \\Machine\HPLJII
3) I went to the Vista laptop and added a network printer. Of course it didn't discover it so I clicked on the option "The printer I want isn't listed."
4) I manually entered the Share \\Machine\HPLJII, which the Vista machine recognized as a LaserJet II and bingo I was up and running.

This solution should work for a Windows 7 machine as well.

Tuesday, October 27, 2009

AIIM Garden State Chapter Meeting - November 12th

I am attending the AIIM Garden State Chapter meeting on November 12, 2009.

The topic is "Social Media All You Need To Know: A to Z"

The meeting is at the Woodbridge Hilton, 120 Wood Avenue South -- Iselin, NJ

Key Takeaways:
  • Learn how to setup Twitter, LinkedIn and Facebook

  • Learn how to use Social Media to be found, find talent and promote your company

  • Learn what and how enterprise tools are utilizing Twitter, LinkedIn and Facebook

Speaker(s)

  • Michael Potters, The Glenmont Group
  • Rahul Nirula, OpenText

Meet with some of New Jersey's top IT recruiters at this event
Event Time:
  • Registration & hors d'oeuvres / Networking opportunities: 5:30 - 6:30 pm
  • Presentation: 6:30 - 8:00 pm
  • Dessert / Networking opportunities: 8:00 - 8:30 pm

Fees*:
  • AIIM Members $30
  • Non-Members $35
  • On-Site + $10

REGISTER ONLINE

I hope to see you there!

Tuesday, September 8, 2009

The Hacker Turned Serial Killer

Just finished a very entertaining book, The Scarecrow, by Michael Connelly. I am not regularly a reader of crime fiction, but a friend who knew about my interest in information security suggested it to me. I really enjoyed it and was spooked by the effectiveness of the hacker. Without giving away any of the story, the hacker uses social engineering, trojan horses, viruses, and other nefarious techniques to further his criminal activities. I highly recommend it; you may just take better care of your personal information after reading it.

Thursday, August 20, 2009

Restoring Deleted Permissions with Varonis



This afternoon a hedge fund client called with a high profile problem. One of the system admins from their outsourcer had deleted all of the Active Directory permissions of the General Counsel. Not a great person to prevent from accessing the system. Since they are a Varonis DatAdvantage user, I was able to help them solve this problem.

We ran a query from the log area and selected "History of differences" as the data source. The keys were to set the "File Server" to "IDU" and set the "Change Description" to start with his fully defined domain account. Then we got a list of all of the groups that he belonged to and my client was able to restore them all and get the General Counsel up and running ASAP.

DatAdvantage to the rescue.
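The query logic described above, as an added example: this is not Varonis code, and the record layout is a constructed stand-in for the "History of differences" data source (timestamp, file server, a change description that begins with the affected domain account, and the changed object). It filters on file server "IDU" and on descriptions that start with the account, then returns the groups that still need to be re-added, dropping any group that the history shows was re-added afterwards.

```python
"""Work out which group memberships to restore for one account from a
change-history export.

Added example, not Varonis code. The record layout is a constructed stand-in
for the "History of differences" data source the post describes: each record
carries a timestamp, the file server the change was recorded against ("IDU"
is the directory itself in the post), a change description that begins with
the affected domain account, and the object that was changed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ChangeRecord:
    when: datetime
    file_server: str
    change_description: str  # "<account> removed from group <name>" / "<account> added to group <name>"
    obj: str


# Constructed sample export, deliberately out of order and mixed with noise:
# a different account with a similar name, a different file server, and one
# group that was removed and then re-added (so it must not be restored twice).
SAMPLE_HISTORY = [
    ChangeRecord(datetime(2009, 8, 20, 13, 3), "IDU",
                 "CORP\\gcounsel removed from group Executive-Share", "Executive-Share"),
    ChangeRecord(datetime(2009, 8, 20, 13, 2), "IDU",
                 "CORP\\gcounsel removed from group Legal-Admins", "Legal-Admins"),
    ChangeRecord(datetime(2009, 8, 20, 13, 2), "IDU",
                 "CORP\\gcounsel removed from group Finance-Read", "Finance-Read"),
    ChangeRecord(datetime(2009, 8, 20, 13, 5), "IDU",
                 "CORP\\gcounsel added to group Finance-Read", "Finance-Read"),
    ChangeRecord(datetime(2009, 8, 20, 13, 6), "FS01",
                 "CORP\\gcounsel removed from ACL of \\\\FS01\\Legal", "\\\\FS01\\Legal"),
    ChangeRecord(datetime(2009, 8, 19, 17, 40), "IDU",
                 "CORP\\gcounsel2 removed from group Legal-Admins", "Legal-Admins"),
    ChangeRecord(datetime(2009, 8, 20, 12, 50), "IDU",
                 "CORP\\admin01 removed from group Helpdesk", "Helpdesk"),
]

REMOVED = "removed from group "
ADDED = "added to group "


def memberships_to_restore(records, account, file_server="IDU"):
    """Return, in chronological order, the groups `account` was removed from
    on `file_server` and not re-added to later in the same history.

    The account must be followed by a space so that "CORP\\gcounsel" does
    not also match "CORP\\gcounsel2".
    """
    relevant = sorted(
        (r for r in records
         if r.file_server == file_server
         and r.change_description.startswith(account + " ")),
        key=lambda r: r.when,
    )
    lost = []  # a list rather than a set: the order of removal is worth keeping
    for r in relevant:
        action = r.change_description[len(account) + 1:]
        if action.startswith(REMOVED):
            group = action[len(REMOVED):]
            if group not in lost:
                lost.append(group)
        elif action.startswith(ADDED):
            group = action[len(ADDED):]
            if group in lost:
                lost.remove(group)
        # anything else (file-server ACL changes, renames) is not a group membership
    return lost


if __name__ == "__main__":
    for group in memberships_to_restore(SAMPLE_HISTORY, "CORP\\gcounsel"):
        print(f"re-add CORP\\gcounsel to {group}")
```

The point of keeping the "added to group" branch is the same one a reviewer of the real restore list would raise: a change history is a sequence, and the state to restore is what the sequence leaves you with, not every removal that ever appears in it.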

Wednesday, August 19, 2009

Kudos to the Department of Justice for the indictment of Albert Gonzalez and two of his co-conspirators. With all of the high profile data breaches occurring we need to take a deeper look at what is going on here. While TJX and Heartland may have been PCI compliant, they were still breached. The issue with most security approaches is that they focus primarily on “preventative” controls. There are not enough “detective” controls in place to make sure that if one of the preventative controls fails, there is someone or something there to notice. No defense is impenetrable and that is why we practice “defense in depth.”

In the case of Heartland Payment Systems, it is alleged that the hackers were siphoning off data for months and it wasn’t until Visa and MasterCard noticed the fraud that Heartland found the breach. Some questions that companies should be asking themselves include:

  • Do you have in place a process to review audit logs from your firewalls and core routers on a regular basis?
  • Do you have a process in place to monitor the activities of privileged users and system accounts?
  • Do you have a formal entitlement review to verify that security is granted in a “least privilege” model?
  • Do you audit database and file system activity?
  • If any user was accessing an unusual amount of data, would anyone notice?

I would appreciate hearing your thoughts on these questions.
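As an added illustration of the kind of detective control the last two questions ask about (this is written for this post, not code from any company or product named on the page): it sums each user's daily access volume from audit-log lines, compares a day against the median of that user's earlier days, and flags a day far above that baseline, or an account with no history at all pulling a large volume. The log layout is an assumption and the lines are constructed; a real file server or database audit log will need its own parser.

```python
"""Flag users whose daily data-access volume is far outside their own history.

Added example for the question "would anyone notice?". Not code from any
product named on the page. The log layout (date, time, user, op, path, bytes)
is an assumption, and the lines below are constructed.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed audit log: alice reads ~1 MB a day and then pulls 60 MB at
# 2 a.m.; bob reads a steady ~30 MB a day; svc_backup has no history and
# pulls 500 MB; carol is small; one line is corrupted and must be skipped.
SAMPLE_LOG = """\
2009-08-17 09:12:03 user=alice op=READ path=/fs01/finance/q2.xls bytes=600000
2009-08-17 14:40:11 user=alice op=READ path=/fs01/finance/notes.doc bytes=400000
2009-08-18 10:01:55 user=alice op=READ path=/fs01/finance/q2.xls bytes=1200000
2009-08-19 11:30:02 user=alice op=READ path=/fs01/finance/budget.xls bytes=900000
2009-08-20 02:10:44 user=alice op=READ path=/fs01/finance/archive.zip bytes=35000000
2009-08-20 02:14:09 user=alice op=READ path=/fs01/hr/payroll.mdb bytes=25000000
2009-08-17 08:05:00 user=bob op=READ path=/fs01/eng/build.tar bytes=30000000
2009-08-18 08:05:00 user=bob op=READ path=/fs01/eng/build.tar bytes=33000000
2009-08-19 08:05:00 user=bob op=READ path=/fs01/eng/build.tar bytes=27000000
2009-08-20 08:05:00 user=bob op=READ path=/fs01/eng/build.tar bytes=36000000
2009-08-20 03:00:00 user=svc_backup op=READ path=/fs01/finance/archive.zip bytes=500000000
2009-08-20 09:00:00 user=carol op=READ path=/fs01/finance/q2.xls bytes=2000000
corrupted line that does not match the expected layout
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} user=(\S+) op=\S+ path=\S+ bytes=(\d+)$"
)

MIN_BYTES = 5_000_000      # days below this are never interesting
ABS_BYTES = 100_000_000    # with no history, only this much is interesting on its own
RATIO = 5.0                # with history, flag at this multiple of the user's median day


def daily_totals(log_text):
    """Sum bytes per (user, day); lines that do not parse are skipped, not guessed."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, user, nbytes = m.group(1), m.group(2), int(m.group(3))
        totals[(user, day)] += nbytes
    return dict(totals)


def flag_unusual_volume(log_text, min_bytes=MIN_BYTES, abs_bytes=ABS_BYTES, ratio=RATIO):
    """Return sorted (day, user, bytes, baseline) tuples for days worth a look.

    The baseline is the median of the user's earlier days only, so the
    anomalous day cannot inflate its own baseline; ISO dates sort as strings.
    """
    by_user = defaultdict(dict)
    for (user, day), n in daily_totals(log_text).items():
        by_user[user][day] = n

    flags = []
    for user, days in by_user.items():
        for day, n in days.items():
            if n < min_bytes:
                continue
            history = [v for d, v in days.items() if d < day]
            if not history:
                if n >= abs_bytes:
                    flags.append((day, user, n, None))
                continue
            baseline = median(history)
            if n >= ratio * baseline:
                flags.append((day, user, n, baseline))
    return sorted(flags)


if __name__ == "__main__":
    for day, user, n, baseline in flag_unusual_volume(SAMPLE_LOG):
        print(f"{day} {user}: {n} bytes (baseline {baseline})")
```

Two design choices carry the weight here: a separate absolute threshold for accounts with no history, so that a brand-new or rarely seen service account is still caught, and a median rather than a mean for the baseline, so that one earlier bad day does not hide the next one.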




Tuesday, August 11, 2009

AIIM SharePoint Event - September 17, 2009

On September 17, 2009 the AIIM International Garden State Chapter is hosting a Panel Discussion and Networking Event and I will be one of the panelists. Here is some info in case you are interested in attending.

Register Here!
--------------------------------------------------------------------------------
Panel Topic: MS SharePoint – where is it headed?

· How is MS SharePoint different from traditional ECM products?
· How well does MS SharePoint integrate with other ECM products?
· What are the top ECM products being integrated with MS SharePoint?
· How are companies leveraging MS SharePoint?
· What are the "hot skills" in demand around MS SharePoint?

Panel Members:

· Allan Schweighardt, Senior Technology Strategist, Microsoft
· Joe Giegerich, President / Managing Partner, Gig Werks
· Kenneth Shea, Former Executive Director of Enabling Technology, KPMG
· Arthur Hedge III, President, Castle Ventures

Networking:

· Network, Network, Network!!
· Meet and talk with individuals from the industry
· Meet some of New Jersey's top recruiters in the MS SharePoint space

Meeting Agenda

5:30 - 6:30 pm - Registration & hors d'oeuvres Networking opportunities
6:30 - 7:30 pm - Panel Discussion
7:30 - 8:30 pm - Dessert: Networking opportunities

Location:

The Woodbridge Hilton
120 Wood Avenue South
Iselin, NJ 08830
Tel: 732-494-6200

Fees:*

AIIM Members $30
Non-Members $35
On-Site + $10

*$10 discount for early registration (September 10th deadline)


Hope to see you there.