Overview
In keeping with our transparent approach to sharing knowledge, Corsaire invests time writing white papers in order to help share best-practice principles and proven information security techniques.
From time to time some of our research is not released to the general public and is instead only extended to our most valued clients. The papers detailed below serve as good examples.
Security Terminology Explained
By Glyn Geoghegan, March, 2009
IT and in particular Information Security is a minefield of ambiguity, terminology and confusing acronyms. This paper provides a brief overview of those that matter in layman’s terms.
Hardening Oracle
By Daniel Cuthbert, September, 2008
Oracle has made significant changes to their database products, which make it easier for customers to configure and deploy the Oracle database securely. Since Oracle9i, Oracle has provided functionality which has allowed customers to lock and expire most of the default accounts found in the databases as well as ensuring that stringent password controls are in place to match the company’s security policy. This paper draws on published Oracle guidelines as well as experience gained whilst performing security assessments against Oracle databases.
The paper aims to explain where security holes might be discovered and how to prevent security implementation issues within the Oracle 9i and 10g platforms. It does not cover Operating System hardening procedures. It is assumed that the necessary steps have been taken to harden the host platform before installing the Oracle database.
Hardening OWA
By Daniel Cuthbert, May, 2008
Microsoft Outlook Web Access (OWA) is a front-end web application interface to the Microsoft Exchange Server application. OWA provides access to e-mail, calendars, contacts, tasks and other mailbox content through a web interface. There are certain configuration changes, which are required in order to ensure that OWA is deployed in a secure manner. This hardening guide applies to Microsoft Exchange 2003 and assumes that security hardening of the operating system and Exchange server itself has already been completed. The implementation and configuration of anti-spam and/or anti-virus solutions are not within the scope of this document.
Financial Web Application Insecurity and How to Mitigate Risk
By Glyn Geoghegan, February, 2008
this guide discusses the threats and implications affecting financial web applications, and presents a testing methodology for identifying those threats and mitigating the associated risks.
XML Security Gateways
By Daniel Cuthbert, June, 2007
Traditional firewalls are designed to restrict access to certain ports, or services that are deemed unauthorised by the security administrator. Additionally, they may perform some level of inspection of the network traffic. With the rise of web applications, traditional firewalls have provided no protection from malicious activity because HTTP port 80 and 443 were opened to allow access to the application. The response to this issue was the creation of Inline Protection Systems, which were based upon the successful network Intrusion Detection Systems.
Third Party Hosting Services
By Glyn Geoghegan, June, 2007
This paper looks at the security of data and hosting centres of most of the large telecommunication companies (both historic phone operators and specialised IP carriers), many mid-sized organisations and divisions focussed on specific services and small, specialised outfits offering specific application or infrastructure requirements, such as elements off payroll, HR and finance, and AS/400/iSeries or other hardware platforms.
As with all areas of IT, the quality of the providers varies enormously, but there are certainly common threats and risks associated with these third party services. While specific findings relating to named providers are obviously subject to NDA, this report details the typical general risks, reasons and potential mitigation. This paper does not take into account the clear benefits and motivations for outsourcing elements of the IT service and infrastructure, and should be taken in context. There a number of strong reasons to use TTP services, but these risks should be considered while making those business decisions.
Security Technology Review: Solaris Containers (Zones)
By David Ryan, May, 2007
This paper aims to provide a high-level review of Sun’s Container (Zone) technology and the potential security concerns that a company should consider if/when such technology is adopted and deployed in a production environment.
IIS 6.0 Security Guide
By Janne Sarendal, December, 2005
This guide is designed to cover a secure underlying system configuration for a stand-alone public-facing IIS 6.0 instance with strictly on-the-box administration, considerations and consequences when enabling other available features and other issues relating to maintaining the security of IIS 6.0. This guide is aimed at administrators and system operators of IIS 6.0 systems who wish to harden the platform in conjunction with the specific requirements of their environment.
