Our research initiatives shape into papers and articles published at various security-related and IT audit-related sites.K.K.Mookhey, July 2013
Full report of our findings of a malware analysis done, which had a number of common points with the Norman “Hangover” Report.
K.K.Mookhey, June 2013
The RBI constituted the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, which produced its report in January 2011. The Working Group was headed by Mr. G. Gopalakrishna and is popularly known as the Gopalakrishna Committee Report. The presentation below highlights some of the salient points, with special emphasis on Chapters 1 (IT Governance), 3 (IT Operations) and 4 (IT Outsourcing). The original report is available here http://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WREB210111.pdf. Our analysis of this is available here http://www.niiconsulting.com/innovation/RBI%20Guidelines_Summary.pdf
This article sheds light on the extent and scope of IT Act 2000 (amended vide IT Amendment Act 2008) and the factors that led to its development. We also look into various cyber-crime case studies which were prosecuted under penalties and offences as defined in the Act.
This article sheds light on the concepts of Mobile Device Management(MDM); its deployment in organization, challenges faced and risk mitigation(s) possible. It also puts forward the guidelines for selecting the right MDM vendor for your business.
With all the buzz surrounding the term Advanced Persistent Threats (APTs), we decided to de-mystify the jargon and present the view from the trenches.
An article on Distributed-Denial-of-Service (DDoS) attacks, their various types and our methodology for testing the robustness of your network against them.
An article on our Spear Phishing Testing Methodology which can be used in social engineering exercise to determine organization wide susceptibility to an APT style attack.
An article on Information Rights Management (IRM) and our methodology for its proper implementation in achieving secure flow of sensitive information within and beyond the organizational boundaries.
This article focuses on common pitfalls when implementing a DLP solution to secure your organizational information assets. The article also lists out our practical insights; lessons learnt and recommended process to achieve an effective and efficient DLP implementation.
This article discusses Microsoft Office's OLE Structured Storage and the nature of recent dropper programs and other exploit agents, in an effort to scrutinize the workings of some of the recent MS Office exploits. The second part of this article then collates some forensic investigation avenues through different MS Office features. Parts of the article sample different MS Office vulnerabilities to discuss their nature and the method of exploitation.
This article discusses Alternate Data Streams feature of the NTFS filesystem. It underlines the importance of this feature from a hacker's perspective and a forensic investigator's perspective.
This article looks at five common Web application attacks, primarily for PHP applications, and then presents a short case study of a vulnerable Website that was found using Google and was easily exploited.
This article brings to light various strategies involved in implementing ISO 27001 - from identifying business objectives to preparing for the final audit.
This article discusses IDS evasion techniques in addition to the frag3 preprocessor and fragment reassembly in a multihost environment.
This is the first part of a two-part article that discusses securing the SQL Server. It covers secured SQL Server installation from an IT Auditor's perspective.
This article discusses a methodology to assess the security posture of an organization's IPsec based VPN architecture. It discusses blackbox penetration testing of a VPN server, and then a full configuration and architecture review.
One evaluation methodology that provides an excellent framework for Application Security Assessment is the Common Criteria for Information Technology Security Evaluation, also known as the Common Criteria or CC. This article provides an overview of the Common Criteria covering the Functional and Assurance Requirements.
This is a three part article that talks in-depth about the Metasploit Framework - installation, configuration, and development of custom exploits using the framework.
This article discusses common attacks and vulnerabilities in e-commerce shopping cart systems, with reference to SecurityFocus vulnerability reports where relevant.
This article discusses various aspects of Oracle security that must be considered, including secured installation, initialization parameters, users and profiles, roles, object and system privileges, logging, listener security, etc.
This article discusses techniques to detect SQL Injection and Cross Site Scripting (CSS) attacks against your web applications using regular expressions with the open-source IDS, Snort
On our website
SAP R/3 Approach Paper: SAP R/3 Security Assessment Framework
This approach paper describes a security assessment framework for SAP R/3 implementations. It covers various aspects of the SAP system and the database along with the underlying operating system.
The Unix Auditor's Practical Handbook
This handbook is meant to be a practical step-by-step guide to auditing Unix. It covers the various aspects of UNIX security and gives the reader the commands and techniques to carry out the audit.
Guide to Sybase Security
This document provides details on security and auditing of the Sybase database server.