Security Assessment Software - PCI DSS, Firewall Rulebase Analysis, AuditPro, Firesec, Security Assessment and Audit Software for all versions of Operating Systems, Databases, Routers, Switches, Windows, Unix, Linux, Oracle, MS SQL, IBM DB2, Cisco PIX, Cyberguard, Netscreen, Checkpoint Firewalls, GFI Languard, in India, Mumbai, Hyderabad, Delhi, Bangalore, Chennai, Kolkatta, UAE, Dubai, Kuwait, Bahrain, Qatar, Saudi Arabia, Malaysia, Singapore, Thailand, Far East, USA, Europe, North America.

	Comments and Feedback
I found the article that you wrote regarding Sybase security very informative, as I searched the whole world for something to this effect. - Faaizah Mohomed, KPMG
I have gone through your Unix Auditing handbook. I must say it is a very impressive and comprehensive document. Good work! - Shiv Aggarwal Chief Manager (Information Systems Audit), Global Trust Bank Ltd.
[Reference: Penetration Testing exercise] The project went off very well. The report was very good. We are impressed with the level and detail of the work. Thanks for completing the project on time and in such a short notice and in a tight schedule. I liked working with the team and look forward for more team work. Very talented bunch! - Sourav Banerjee, CISA, CISM, CISSP, ITIL SecureView Services Team.

Articles
Articles
Our research initiatives shape into papers and articles published at various security-related and IT audit-related sites. Auditing IT Project Management K. K. Mookhey, IT Audit, by the Institute of Internal Auditors, May 2008 Assessing Bandwidth Use as a Function of Network Performance Nikhil Wagholikar, IT Audit, by the Institute of Internal Auditors, Nov 2007 Essential Aspects of an Effective Network Performance Audit Nikhil Wagholikar, IT Audit, by the Institute of Internal Auditors, Dec 2007 Evaluating Application Security Controls K. K. Mookhey, IT Audit, by the Institute of Internal Auditors, June 2007 MS Office Security Khushbu Jithra, SecurityFocus Infocus article, August 2006 This article discusses Microsoft Office's OLE Structured Storage and the nature of recent dropper programs and other exploit agents, in an effort to scrutinize the workings of some of the recent MS Office exploits. The second part of this article then collates some forensic investigation avenues through different MS Office features. Parts of the article sample different MS Office vulnerabilities to discuss their nature and the method of exploitation. Dissecting NTFS Hidden Streams Chetan Gupta, Forensic Focus article, July 2006 This article discusses Alternate Data Streams feature of the NTFS filesystem. It underlines the importance of this feature from a hacker's perspective and a forensic investigator's perspective. Five Common Web Application Vulnerabilites Sumit Siddharth and Pratiksha Doshi, SecurityFocus Infocus article, May 2006 This article looks at five common Web application attacks, primarily for PHP applications, and then presents a short case study of a vulnerable Website that was found using Google and was easily exploited. Key Strategies for Implementing ISO 27001 K. K. Mookhey & Khushbu Jithra, the IIA's ITAudit article, February 2006 This article brings to light various strategies involved in implementing ISO 27001 - from identifying business objectives to preparing for the final audit. Evading NIDS, revisited Sumit Siddharth, SecurityFocus Infocus article, December 2005 This article discusses IDS evasion techniques in addition to the frag3 preprocessor and fragment reassembly in a multihost environment. SQL Server Security K. K. Mookhey, The IIA's ITAudit article, March 2005 This is the first part of a two-part article that discusses securing the SQL Server. It covers secured SQL Server installation from an IT Auditor's perspective. Penetration Testing of IPSec VPNs K. K. Mookhey & Rohyt Belani, SecurityFocus Infocus article, Feb 2005 This article discusses a methodology to assess the security posture of an organization's IPsec based VPN architecture. It discusses blackbox penetration testing of a VPN server, and then a full configuration and architecture review. Common Criteria - an overview K. K. Mookhey, Information Systems Control Journal by ISACA, Volume 1, 2005 One evaluation methodology that provides an excellent framework for Application Security Assessment is the Common Criteria for Information Technology Security Evaluation, also known as the Common Criteria or CC. This article provides an overview of the Common Criteria covering the Functional and Assurance Requirements. Metasploit Framework - 3 parts K. K. Mookhey & Pukhraj Singh, SecurityFocus Infocus article, 12th July 2004 This is a three part article that talks in-depth about the Metasploit Framework - installation, configuration, and development of custom exploits using the framework. Common security vulnerabilities in e-commerce systems Sumit Siddharth & Pratiksha Doshi, SecurityFocus Infocus article, 27th April 2004 This article discusses common attacks and vulnerabilities in e-commerce shopping cart systems, with reference to SecurityFocus vulnerability reports where relevant. Auditing Oracle Security K. K. Mookhey, The IT Audit, Vol. 7, April 15, 2004 This article discusses various aspects of Oracle security that must be considered, including secured installation, initialization parameters, users and profiles, roles, object and system privileges, logging, listener security, etc. Detection of SQL Injection and Cross-site Scripting Attacks K. K. Mookhey & Nilesh Burghate, SecurityFocus Infocus article, 18th March 2004 This article discusses techniques to detect SQL Injection and Cross Site Scripting (CSS) attacks against your web applications using regular expressions with the open-source IDS, Snort Open Source Tools for Security and Control Assessment K. K. Mookhey, Information Systems Control Journal by ISACA, Volume 1, 2004 Apache Security Controls and Auditing K. K. Mookhey, Information Systems Control Journal by ISACA, Volume 5, 2003
On our website
SAP R/3 Approach Paper: SAP R/3 Security Assessment Framework This approach paper describes a security assessment framework for SAP R/3 implementations. It covers various aspects of the SAP system and the database along with the underlying operating system. The Unix Auditor's Practical Handbook This handbook is meant to be a practical step-by-step guide to auditing Unix. It covers the various aspects of UNIX security and gives the reader the commands and techniques to carry out the audit. Guide to Sybase Security This document provides details on security and auditing of the Sybase database server.