30 Jun 2008

So You Say You Want a Penetration Test…
Written by Casey Priester
Penetration testing has been a part of information security since the early 1990s, yet it is still very much a misunderstood practice – many consider it something of a ‘black art’. Many CIOs and ISOs get excited at the thought of hiring a firm to perform a penetration test, because they imagine the very act of commissioning one somehow validates the idea that they and their organization are serious about security. This notion, combined with a lack of understanding of the realities of penetration testing and misconceptions about what it entails, tends to distort expectations about the penetration testing process, means and results.

In practice, there are a number of very real, very important considerations concerning scope, risk and goals which must be carefully evaluated by any organization that wishes to commission, engage in or conduct ‘penetration testing’.


23 Jan 2008

Virtual Patching
Written by Michael Shinn

The dreaded patching treadmill

In today's IT shops, patching systems to mitigate security vulnerabilities is a regular, ongoing activity, fraught with the dual risk of either installing a bad patch or having the system compromised because a patch has not been installed. The decision whether to patch is governed by the trade-off between the risk of installing a bad patch and the risk of a penetration, which pits two equally important issues against each other. Patching a critical system may break it, and failing to do so may leave it open to a security vulnerability. We are therefore forced to choose between two bad outcomes we do not want.

For example, let's say you have a critical production system that must be patched due to a security problem. You find yourself unable to install the security patch for any number of reasons, such as needing more time to test it to make sure it will not break your system, needing to wait for a maintenance window to install it, or simply not having any patch to install because it doesn't exist yet. Imagine another scenario where you receive a warning from your security guys telling you how serious the vulnerability is, while your operations personnel are concerned that the patch is going to break your critical system.
