A Behind The Scenes Look Into Our Audits
Interested in some of the research, presentations and articles we have prepared? The following material was created by various members of the Redspin team and includes academic security research, articles for publication and presentations to the business community.
If you have any questions or comments about this material feel free to contact us at info@respin.com.
Masters Thesis | The Unifying Policy Hierarchy Model
Computer security policy plays a fundamental role in the definition and enforcement of the security system. Unfortunately there is no widely used method for representing and reasoning about the different types of security policies that exist. This has led to ambiguity and inconsistency when referring to the security policy of a system. We attempt to resolve this ambiguity by introducing the Unifying Policy Hierarchy Model. This model describes the relationship between four distinct types of policies that exist for a system. This model also illustrates the role that each of those policies plays in the overall security of the system. The result of this research is the introduction of a number of formal definitions and relationships, which will clarify and facilitate policy research.
Read Masters Thesis
White Paper | Top 10 Network Security Threats of 2008
Understanding the trends and patterns of the past is the key to understanding the future, and security is no exception. The following security threat trends for 2007/2008 have been compiled as a result of their frequency and growing prominence over the course of audits performed during the previous year. These common and fundamental security issues typically arise from the same categorical underlying cause. Most organizations have had enough compliance audits and possess enough intuition of best practices to understand that security controls are necessary to mitigate risk. However, there continues to be a significant discrepancy between what management believes the controls are doing and what the controls are — in fact — actually doing from a security standpoint.
Read White Paper
The Greatest Risk to Your Website: 30% of Database-Driven Sites Vulnerable to SQL-Injection
SQL-injection refers to a set of methods and techniques designed to exploit an SQL database server that sits behind web applications. While most firewalls block all inbound traffic to the internal network, they typically allow traffic from the public internet to web applications through HTTP/HTTPS. There are a range of SQL-injection attack scenarios, all based around the insertion of simple characters into web-application input forms.
Read White Paper
Eight Questions to Ask Your Security Auditor
Here at Redspin, Inc. we get asked all sorts of questions, most of which can be answered with, "Down the hall, take a left, second door on the right." After that, here are the eight most important questions we think you should be asking your independent security auditor.
Read Eight Questions
ATM Security: The Real Inside Man
The purpose of this effort is to elevate the awareness of the risks associated with automated teller machines (ATMs) connected to a bank's internal network. Given the number and severity of current debit/ATM card incidents, it is time to reexamine existing security controls.
Download PDF (156K)
Laptop Security
Did you know that your company's confidential information is climbing over your corporate firewall and escaping from your fancy intrusion detection systems? Every day, gigabytes of information walk right out your front door—on your company's laptops. How expensive would it be if one of these laptops was stolen?
Read Article | Download PDF (91K)
Digital Forensic Reconstruction
This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis of the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. The attack is formulated as an event chain and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate forensic testing of a digital crime using minimal resources.
Read Article | Download PDF (292K)
Operational Integrity
Cost effective strategies for community bank security. This is a summary of a presentation to members of the banking and financial services industry.
Read Strategy Outline | Download PDF (238K)
Security Checklist
This is a summary checklist provided to bankers as part of the Operational Integrity presentation above. While this is by no means a complete checklist, it summarizes common issues we have repeatedly identified after completing hundreds of audits in the financial services industry.
Read Checklist | Download PDF (90K)