Blog

Original posts by GuidePoint Security’s own professionals on issues and topics relevant to the Information Security industry.

GuidePoint Security Presents on The Benefits of Leveraging Maltego With Existing Security Tools

If you are in the Boston area this weekend, be sure to catch GuidePoint Security’s David Bressler present “Maltego in The Enterprise” at the BSides Boston security event this Saturday, May 18th at 4:40 PM.

Presentation Abstract: Maltego in The Enterprise

Organizations face an overwhelming number of threats on a day-to-day basis, and detecting and analyzing those threats can itself be an overwhelming task. The ability to conduct a visual, high-level analysis of specific threats detected within an organization can point security teams to the exact data that should be analyzed further, or to issues such as vulnerabilities that should be validated and remediated. Maltego is a well-known information-gathering tool used to collect information from external data sources about specific organizations, domains, people, etc. This talk will highlight the advantages of leveraging Maltego within an enterprise's internal network and the benefits of integrating existing security tools into Maltego. In addition, several use cases and demonstrations will be presented on how to leverage Maltego within an enterprise infrastructure to identify threats, vulnerabilities, and exploits based on internal data collected from existing security tools.


GuidePoint Security Presents on Web Application Hacking and Defenses

In the Tampa Bay area? Be sure to catch GuidePoint Security’s Principal, Bryan Orme, present How to Hack Web Applications for Profit (And How to Prevent Yours From Being Hacked) at the Tampa Bay ISSA Chapter Meeting this Friday, May 17th at 9 a.m.

Presentation Abstract: How to Hack Web Applications for Profit (And How to Prevent Yours From Being Hacked)

The constant barrage of breaches that we've seen over the past several years has made two things very clear: every organization is at risk and every web application is a target. For a security professional, it does not matter whether breaches are brought about by hacktivists such as LulzSec or Anonymous, by criminally minded hackers, or by nation-state-sponsored attackers; vulnerable web applications can wreak havoc on your company either way. Attackers are determined, inventive and patient, while your organization's application portfolio is dynamic, vulnerable and always connected to the Internet. This presentation will discuss why web applications are vulnerable, why they're under attack, and provide an overview of the most common vulnerabilities found in web applications. Attendees will leave with an understanding of how web applications are attacked, the most common vulnerabilities found in them, and how to prevent those vulnerabilities from being identified and exploited in your own web applications.


GuidePoint Security Presents Encore to Defending Attacks and Securing Applications

Based on the success of GuidePoint’s presentation to Federal agencies last month, Matt Darlage, VP of Technology Integration, will present an encore presentation open to all government agencies on Tuesday, December 11 from 11AM to 1PM at The Caucus Room in Northwest Washington, DC.

Presentation Abstract

Organizations targeted by hacktivist groups need to be able to detect and proactively apply countermeasures that are not only part of their tactical incident response capability, but are also enforced by their operational security architecture. These advanced solutions help defend targeted organizations with common-sense, practical approaches, avoiding unnecessary complexity. As a result, GuidePoint Security and F5 are hosting a technical discussion for Federal agencies that focuses on the realities of defending and securely delivering their applications.

During this discussion, attendees will learn about:

  • Layered and protocol-centric approaches for resource exhaustion-based attacks
  • Web application delivery applications that create explicit access paths and leverage diverse inline content inspection mechanisms
  • Why encryption is your best friend, but can also be your worst enemy
  • Leveraging advanced security technologies and methodologies against modern web application attacks
  • Making security an enabler, not a disabler


GuidePoint Security Presents to Federal Agencies on Defending Attacks and Securing Applications

Organizations targeted by hacktivist groups need to be able to detect and proactively apply countermeasures that are not only part of their tactical incident response capability, but are also enforced by their operational security architecture. These advanced solutions help defend targeted organizations with common-sense, practical approaches, avoiding unnecessary complexity. As a result, GuidePoint Security and F5 are hosting a technical discussion for Federal agencies that focuses on the realities of defending and securely delivering their applications.

During this discussion, attendees will learn about:

  • Layered and protocol-centric approaches for resource exhaustion-based attacks
  • Web application delivery applications that create explicit access paths and leverage diverse inline content inspection mechanisms
  • Why encryption is your best friend, but can also be your worst enemy
  • Leveraging advanced security technologies and methodologies against modern web application attacks
  • Making security an enabler, not a disabler



GuidePoint Security Proudly Supports OWASP Tampa Day 2012

GuidePoint Security is proud to announce its sponsorship of OWASP Tampa Day 2012. The 2nd annual OWASP Tampa Day will take place on Thursday, June 7th at HealthPlan Services in Tampa. This free event will feature presentations aimed at providing developers and Information Security professionals with an introduction to application security. Attendees will leave the event with a greater understanding of how and when to integrate application security principles into their daily processes and procedures. Additionally, attendees will learn how common attacks are performed and how to mitigate them.

Visit OWASP Tampa Day 2012 to learn more about and register for this free event.

GuidePoint Security is now a PCI Approved QSA Company

GuidePoint Security is pleased to announce that it is now a Payment Card Industry (PCI) Qualified Security Assessor (QSA) company. QSA companies are organizations that have been qualified by the PCI Security Standards Council to have their employees assess compliance with the PCI DSS. Qualified Security Assessors are employees of these organizations who have been certified by the Council to validate an entity's adherence to the PCI DSS.

GuidePoint’s QSAs bring a unique blend of consulting, auditing and operational experience with the PCI DSS to our clients. Becoming a Qualified Security Assessor company completes GuidePoint’s PCI DSS service offerings.

GuidePoint Sponsoring RVAsec 2012 – June 16 in Richmond, Virginia

GuidePoint Security is pleased to announce its bronze-level sponsorship of the first annual RVAsec security conference to be held in Richmond, Virginia on Saturday, June 16th. The conference will bring together security professionals from the mid-Atlantic region and will feature both technical and management presentations. The event is limited to 200 attendees, so be sure to register soon. We look forward to seeing you there. Check out the RVAsec website for more information and to register.

GuidePoint Security Presents on Mobile Security Abroad at AppSec DC

Heading to AppSec DC next week? Be sure to catch GuidePoint Security’s Co-Founder and Principal, Justin Morehouse, present Behind Enemy Lines: Practical Triage Approaches to Mobile Security Abroad (2012 Edition) on Thursday, April 5 at 11 a.m.

If you are unable to make it to the conference, we will post Justin’s slides after the presentation. If you would like more information about the presentation, leave a comment below.

Abstract: Having traveled over 100K miles internationally during the past 9 months, the topic of mobile security while abroad was on my radar. I took some precautions myself and jotted down some ideas to discuss with my peers. Then one of my clients asked me to come up with a solution for their executives while traveling to locations that would benefit greatly from their intellectual property. This presentation covers the lessons learned while securing mobile devices for both the enterprise and consumer while outside the 50 states. Areas of particular interest will be common threats and attacks and the REALISTIC steps you can take to reduce your attack surface and return your IP home safely. We’ll also cover what to do when your primary safeguards fail or end up in a toilet somewhere…

Egress Controls in Amazon’s AWS Virtual Private Cloud (VPC)

I recently had an in-depth conversation with a client about security best practices in Amazon Web Services (AWS) Infrastructure-as-a-Service (IaaS). Specifically, the client was interested in applying egress controls to their web, application, and database tiers. Given the sensitivity of the data held within their AWS application, my client’s largest concern was containing a potential breach: preventing a successful attacker from exfiltrating the application’s data.

Before diving into my recommendations, it’s important to understand two key security controls provided by AWS. Those who’ve worked with AWS EC2 instances should be familiar with Security Groups. For those who aren’t, Security Groups are the equivalent of firewall rules applied to a specific EC2 instance (or group of instances). What some of you may not know is that Security Groups are stateful: once a connection is allowed, its return traffic is permitted automatically without a separate rule (this matters to those of you with PCI DSS requirements for stateful inspection). When your application is built directly in EC2 (what AWS calls EC2-Classic, i.e. not within a Virtual Private Cloud or VPC), Security Group rules can only be applied to inbound traffic. Obviously, this doesn’t help with my client’s objective of implementing egress controls.

AWS Security Group Inbound Rules

The second security control provided by AWS is Network Access Control Lists, or Network ACLs. Network ACLs differ from Security Groups in that they are only available within VPCs and are attached to subnets rather than to individual EC2 instances. For example, with Network ACLs you would typically say that only 1433/tcp (MS SQL) is allowed from your public subnet into your private subnet. Rules are numbered and evaluated in ascending order; the first match wins, and traffic that matches no rule is denied. While a /32 netmask lets a rule name a specific host, note that Network ACLs are NOT stateful (again, remember Security Groups are). You therefore need matching rules in both directions, and the reverse rule cannot simply mirror the forward one: the SQL server’s replies to the web tier are addressed to the clients’ ephemeral ports (1024-65535), so the outbound rule must allow that range or the responses will be dropped.

AWS Network ACLs

So back to egress controls. Regardless of your application’s architecture within AWS (plain EC2 instances or a VPC), you can apply egress controls directly on your EC2 instances, using a host firewall in the OS itself. However, this often adds overhead on the instances (host firewall processing plus per-host rule management) to levels unacceptable to development teams. So what other options do we have? A lesser-known feature of VPCs is the ability to add outbound rules to your Security Groups. For example, you can say that your MS SQL server is not allowed to communicate directly with the Internet, but only to 80/tcp and 443/tcp on a NAT server in your public subnet for Windows Updates. One caveat: a newly created VPC Security Group comes with an allow-all outbound rule (all protocols to 0.0.0.0/0), so egress control only takes effect once that rule is removed and replaced with explicit ones. Such a setup accomplishes the goal of implementing egress controls on your EC2 instances without increasing their overhead.

AWS Security Group Outbound Rules
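To make the stateless-versus-stateful distinction concrete, here is a small Python model, added to this post and not AWS code, of how a Network ACL and a Security Group each evaluate the same sequence of packets. The topology (a web tier and a NAT instance in 10.0.1.0/24, a SQL Server host in a private subnet, an outside address 203.0.113.7) and all ports are constructed for illustration. The semantics modelled are the ones described above: Network ACL rules are evaluated in ascending rule number, first match wins, unmatched traffic is denied, and there is no connection tracking; a Security Group has allow-only rules and tracks connections so replies pass without a rule. The two Security Group policies show the default allow-all egress rule of a new VPC security group beside the NAT-only replacement.

```python
"""Stateless Network ACLs vs stateful Security Groups, modelled.
Added example, not AWS code; all addresses, subnets and ports are constructed."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # client-side ports that reply traffic is addressed to

@dataclass(frozen=True)
class Flow:
    """One packet as seen from the protected host ('inbound' or 'outbound')."""
    direction: str
    remote: str          # the other endpoint's address
    remote_port: int
    local_port: int

    def dst_port(self):  # rules match on the packet's destination port
        return self.local_port if self.direction == "inbound" else self.remote_port

def matches(cidr, ports, flow):
    """True if the remote address is in cidr and the destination port is in range."""
    low, high = ports
    return (ipaddress.ip_address(flow.remote) in ipaddress.ip_network(cidr)
            and low <= flow.dst_port() <= high)

@dataclass(frozen=True)
class NaclRule:
    number: int   # evaluated in ascending order; first match wins
    action: str   # "allow" or "deny"
    cidr: str     # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple  # inclusive destination-port range

def nacl_decision(rules, flow):
    """Network ACL semantics: ordered, stateless, implicit '*' deny when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule.cidr, rule.ports, flow):
            return rule.action
    return "deny"

class Nacl:
    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
    def allows(self, flow):
        return nacl_decision(self.rules[flow.direction], flow) == "allow"

class SecurityGroup:
    """Security Group semantics: allow-only rules plus connection tracking, so the
    reply half of a permitted connection passes without an explicit rule."""
    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}   # [(cidr, (low, high))]
        self.tracked = set()   # (remote, remote_port, local_port) of permitted connections
    def allows(self, flow):
        key = (flow.remote, flow.remote_port, flow.local_port)
        if key in self.tracked:                          # reply traffic: stateful pass
            return True
        if any(matches(cidr, ports, flow) for cidr, ports in self.rules[flow.direction]):
            self.tracked.add(key)
            return True
        return False

# Constructed topology: web tier and NAT instance in the public subnet, SQL Server private.
PUBLIC_SUBNET, WEB, NAT = "10.0.1.0/24", "10.0.1.20", "10.0.1.5"

SCENARIO = [   # packets in the order the SQL Server host sees them
    ("web_to_sql",          Flow("inbound",  WEB, 49152, 1433)),           # web tier connects to 1433
    ("sql_reply",           Flow("outbound", WEB, 49152, 1433)),           # reply to an ephemeral port
    ("sql_direct_internet", Flow("outbound", "203.0.113.7", 443, 50000)),  # exfil attempt, bypassing NAT
    ("sql_via_nat",         Flow("outbound", NAT, 443, 50001)),            # Windows Update through NAT
    ("nat_reply",           Flow("inbound",  NAT, 443, 50001)),
]

def mirrored_nacl():
    """Intuitive but broken: the outbound rule simply mirrors the inbound 1433 rule."""
    return Nacl(inbound=[NaclRule(100, "allow", PUBLIC_SUBNET, (1433, 1433))],
                outbound=[NaclRule(100, "allow", PUBLIC_SUBNET, (1433, 1433))])

def corrected_nacl():
    """Each direction's reverse rule admits replies to the ephemeral range."""
    return Nacl(inbound=[NaclRule(100, "allow", PUBLIC_SUBNET, (1433, 1433)),
                         NaclRule(110, "allow", NAT + "/32", EPHEMERAL)],
                outbound=[NaclRule(100, "allow", PUBLIC_SUBNET, EPHEMERAL),
                          NaclRule(110, "allow", NAT + "/32", (443, 443))])

def default_sg():
    """A new VPC security group: inbound 1433 plus the allow-all egress rule AWS adds."""
    return SecurityGroup(inbound=[(PUBLIC_SUBNET, (1433, 1433))],
                         outbound=[("0.0.0.0/0", (0, 65535))])

def restricted_sg():
    """Allow-all egress removed; only 80/tcp and 443/tcp to the NAT instance remain."""
    return SecurityGroup(inbound=[(PUBLIC_SUBNET, (1433, 1433))],
                         outbound=[(NAT + "/32", (80, 80)), (NAT + "/32", (443, 443))])

def evaluate(policy, scenario=SCENARIO):
    """Run the packets through a fresh policy in order (order matters when stateful)."""
    return {name: policy.allows(flow) for name, flow in scenario}

if __name__ == "__main__":
    for label, policy in [("NACL, mirrored 1433", mirrored_nacl()),
                          ("NACL, ephemeral replies", corrected_nacl()),
                          ("SG, default allow-all egress", default_sg()),
                          ("SG, NAT-only egress", restricted_sg())]:
        print(f"{label:30} {evaluate(policy)}")
```

Running it shows the mirrored Network ACL admitting the web tier's connection but dropping the SQL server's replies, the default VPC security group letting the direct-to-Internet packet through, and the NAT-only security group blocking it while the tracked replies still pass. The same model also shows why rule numbering matters for Network ACLs: a lower-numbered deny wins over a higher-numbered allow for the same traffic.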

After explaining the enhanced security features of an AWS VPC, my client made a case to his development team in support of re-architecting the application inside of a VPC. Fortunately for my client, the security team was engaged during the design phase of their organization’s AWS application and implementing such a change was a lot less painful than re-designing an existing application. That isn’t to say that such a redesign can’t be successfully performed on an established application, but we all know it’s a lot easier to do earlier in the game.

To recap what we’ve discussed…

  • Security Groups are analogous to firewall rules and are applied to specific EC2 instances (or groups of instances)
  • Security Groups are stateful: return traffic of an allowed connection is permitted automatically
  • Standard EC2 instances (EC2-Classic, not part of a VPC) allow only inbound Security Group rules
  • Network ACLs are attached to entire subnets (individual rules can still name a /32 host)
  • Network ACLs are NOT stateful, so every allowed flow needs an explicit reverse rule covering the ephemeral port range
  • Network ACLs are only available within VPCs
  • Within a VPC, Security Groups also accept outbound rules, so egress controls can be applied to individual EC2 instances or groups of them; remember to remove the default allow-all outbound rule
  • Security Group rules, inbound or outbound, are enforced outside the instance and add NO overhead to it

Hopefully you found this information helpful and it prompts you to look further into VPCs when deciding how to apply egress controls to your AWS applications.