Conrad Reynolds, CISA - IT Audit and Consulting

Providing risk-based security solutions
for your IT applications

Security News

Greg Patton to speak at Louisville InfoSec Conference

11 April 2014

Greg will be a featured speaker at this year's conference. His topic is "What your Web Vulnerability Scanners Aren’t Telling You" Today’s dynamic and static web vulnerability scanners are capable of analyzing complex web applications for security weaknesses. They automate testing of many common vulnerabilities. What are they not reporting? In this session, Greg will explore several critical web vulnerabilities that are not easily identified through automation. Greg Patton is a Sr. Security Consultant with HP Fortify on Demand based in Houston, TX. Greg specializes in application security with a focus on dynamic web and iOS mobile assessments. Greg started his career in software development, and he discovered a natural talent and interest in breaking applications. Today Greg assists customers with building secure applications and developing secure coding programs. Away from his lab, Greg enjoys making noise on his drums and quiet moments with his family.

Louisville InfoSec Conference 2 Oct 2014

11 April 2014

The 2014 Louisville Metro InfoSec Conference will be held Thursday 2 October. Check the Facebook page for speakers, updates, etc.

Vint Cerf does know how the Internet works

3 April 2014

In this YouTube video, Vint Cerf talks about how the Computer Science community is going to have to teach programmers how to write more secure code before the "Internet of Things" becomes a good idea.

The S in SSL doesn't mean secure

28 März 2014

The FTC has settled with Fandango and Credit Karma after they were charged with claiming that user's transactions were being sent over a secure connection, but in reality the apps didn't validate those connections. You can read more at threatpost.

Programmers who don't understand how the Internet works

24 März 2014

Several sources are reporting that Amazon Web Services is asking users not to post their login credentials in publicly accessible Github repositories. Apparently thousands of programmers have done so, and their AWS accounts get billed, naturally, when someone else uses those credentials.

White Hat's new browser promises super security

21 März 2014

White Hat Security has released the Windows (beta) version of their super secure browser, known as Aviator. They claim it has greater defenses against malvertising than any of the other major browsers. If you'd like to give it a try (what have you got to lose?), you can read the FAQ or download it from the Aviator page.

Are Credit Monitoring Services Worth It?

19 März 2014

Brian Krebs has a article about "Identification theft prevention/insurance" companies and offers. As you might expect, there really isn't a lot you can do to prevent this sort of attack. Read his report: Krebs On Security

Improve Your Applications

Risk Assessments

You can't protect your organization's critical information resources if you don't know what they are or where they are.  A risk assessment will identfy and prioritize your information assets, allowing you to:

  • Effectively and efficiently deploy your limited resources
  • Improve communication between IT, business users, and management
  • Develop and execute a business continuity/disaster recovery plan
  • Prepare for an audit
  • Improve security and regulatory compliance
  • Benchmark, measure, and track your security efforts

Don't identify Risks!   

In order to discuss risk, we need to establish some terms that you and your users can understand, and you can agree on common definitions.

Accountants figured this out a long time ago, and for the most part, IBIT, EBDIT, NPV, IRR, etc, are well enough defined that they don't lead to misunderstandings about their meanings. "Risk" and "vulnerability" have not (yet) achieved such clarity.

Just using the words “Threat”, “Vulnerability”, and especially “Risk” without defining them first is just asking for misunderstanding and a lack of effective communication. Threats, vulnerabilities, and risk mean different things in the world of IT application security, and it is important to understand the distinction between them.

A threat is defined as who or what might attack what asset, when, where, why, and how. They can be deliberate or accidental. Accidental attacks happen all the time - people forget to log off, they send confidential reports to the wrong printer, or they assign the wrong role level to a user.

A vulnerability is something that a threat could exploit. This is true even if it is already controlled, as the control could fail.

An executed threat against a vulnerability is an attack. The consequence of this definition is that you don't have to worry about threats against vulnerabilities you don't have, nor vulnerabilities for which there is no credible threat. This seems obvious, but sometimes people get lost in the analysis process and forget. Or they just follow some list of vulnerabilities published on the internet.

Risk is then calculated as a function of the effect of a successful attack and the likelihood of that attack. One of the most common confusion that I see is that the effect and/or the likelihood is also called "the risk". So you do not "identify risks"; you calculate risk. You identify threats and vulnerabilities.