Ask the Experts

Ask the Experts

• How to create an optional login for the same application

  In this SearchSecurity.com Q&A, application security expert Michael Cobb explains how to create optional logins for your applications.  Continue Reading

• How to configure and implement a DMZ

  Learn how to design and configure a DMZ in this network security Ask the Expert Q&A.  Continue Reading

• How do circuit-level gateways and application-level gateways differ?

  Learn how circuit-level gateways and application-level gateways differ in this network security Q&A.  Continue Reading

• How do proxy servers and proxy firewalls differ?

  In this network security Ask the Expert Q&A, SearchSecurity's resident expert Mike Chapple examines how proxy servers and proxy firewalls differ and explains how they work together.  Continue Reading

• Shareware applications vs. commercial software

  Considering using a shareware application? In this information security threats Ask the Expert Q&A, SearchSecurity's resident expert Ed Skoudis examines if commercial software product are more secure than shareware applications.  Continue Reading

• Phishing vs. Pharming attacks

  Learn how phishing attacks differ from pharming attacks and whether or not pharming attacks still threaten, in this information security threat Ask the Expert Q&A.  Continue Reading

• Should we use biometric authentication devices?

  Are more companies using biometrics? SearchSecurity's resident identity management and access control expert tackles this question and reviews five fundamental barriers that may limit the growth of biometric authentication.  Continue Reading

• Risk-based authentication vs. static authentication

  How does risk-based authentication methods differ from static authentication methods? SearchSecurity's resident identity management and access control expert tackles this question in this Ask the Expert Q&A.  Continue Reading

• One-time password tokens: Reliable authentication mechanisms?

  Thinking of purchasing a key fob? Read this identity management and access management Ask the Expert Q&A, and learn from our expert as he examines the pros and cons of this authentication tool.  Continue Reading

• Password-protecting removable media devices

  Safeguard your removable devices. Learn if any products can password-protect the entire device without requiring that the individual connections are encrypted, in this identity management and access control Q&A.  Continue Reading

• How to clean up dormant accounts in Active Directory

  Inactive or dormant Active Directory accounts can serve as a gateway for attackers. Learn how to identify and clean up inactive Active Directory accounts in this Identity Management and Access Control Ask the Expert Q&A.  Continue Reading

• Are there any patch management products that track the patching process?

  Before you dip into your IT budget to solve your patching problems, read this Q&A. Our platform security expert examines why security pros should consider using available freeware products to track and manage their patching process.  Continue Reading

• How to create an enterprise-wide portal policy

  Implementing a portal policy can protect an organization from legal woes. Learn the standards and guidelines to create an effective enterprise-wide portal policy.  Continue Reading

• Use SHA to encrypt sensitive data

  Complying with the PCI Data Security Standard is now on the forefront of many security practitioner's minds. Learn how using the Secure Hashing Algorithm can help you encrypt sensitive data and help you meet the PCI Data Security Standard ...  Continue Reading

• How to protect personal data

  Regulations like HIPAA, GLBA and California SB 1386 have made protecting personal data much more of a priority for the security industry. Learn tools and tactics to protect your personal data in this security management Ask the Expert Q&A.  Continue Reading

• Are smart cards tamper-proof?

  While choosing to use smart cards to authenticate users may seem like the smart move, know that they are not tamper-proof. Discover what industry standards are available to protect your organization if your smart cards are tampered with.  Continue Reading

• The pros and cons of PKI and two-factor authentication methods

  There are myriad authentication methods to choose from today; learn the pros and cons of two such methods, Public Key Infrastructures and two-factor authentication systems, and how each system helps validate user identities, in this identity and ...  Continue Reading

• Should employees have local admin rights?

  While it may save you time, granting users local administrator rights also puts your organization at risk. Discover why this practice is considered a risk and learn alternate access control methods you can use to safeguard your organization.  Continue Reading

• Should an organization design and use their own Certification Authority?

  While using a unique Certification Authority may improve an organization's defense-in-depth strategy, using a commercial CA might save you time and money in the long run. Weigh the pros and cons of each, in this Ask the Expert Q&A.  Continue Reading

• How to protect the network from DoS attacks

  In this Ask the Expert Q&A, our security threat expert, Ed Skoudis, discusses how a new type of DoS attack operates and what you can do to protect your network.  Continue Reading

• How to create and enforce employee termination procedures

  In this Ask the Expert Q&A, Shon Harris, our security management expert, reviews how the the security group, HR and management should work together to define and enforce employee termination policies, and reviews what should be done during each ...  Continue Reading

• Gap analysis procedures

  In this Ask the Expert Q&A, Shon Harris, SearchSecurity's security management expert advises what should be done before a gap analysis is performed, and, provides six common steps of a gap analysis, so organizations will know what to expect before ...  Continue Reading

• How can I open a closed port so my application can access the Internet?

  In this network security Ask the Expert Q&A, Mike Chapple, our resident expert, reveals what should be done if you need to re-open a closed port to allow an application to work.  Continue Reading

• Employee termination procedures

   Continue Reading

• What is the best method to determine whether email messages are transmitted as clear text?

  In this application security Ask the Expert Q&A, Michael Cobb disccuses how to use a network analyzer tool to determine whether email exchanges are transmitted as clear text.  Continue Reading

• Data integrity authentication schemes.

  In this Ask the Expert Q&A, Joel Dubin, our identity and access mangement expert examines various data integrity authentication schemes.  Continue Reading

• How hackers can bypass two-factor authentication systems

  In this Ask the Expert Q&A Joel Dubin, our identity and access management expert, discusses whether network systems can still be exploited if they are protected by two-factor authentication systems.  Continue Reading

• How PKI systems work

  Learn how PKI systems work and whether there are any potential user problems enterprises should be aware of.  Continue Reading

• How to securely distribute one-time password tokens

  In this Ask the Expert Q&A, our identity and access management expert examines how to properly distribute one-time password (OTP) tokens to your employees so they don't leave your systems open to an attack.  Continue Reading

• Bingo card authentication systems

  In this Ask the Expert Q&A, our identity and access management expert explains what a "bingo" card authentication system is, how it works and how secure it is.  Continue Reading

• Outsourcing: Understanding the business risks

  In this Ask the Expert Q&A Shon Harris, our security management expert reviews business risks associated with outsourcing security jobs to developing countries and learn how security managers can reduce these risks.  Continue Reading

• Application development best practices

  Michael Cobb, SearchSecurity.com's application security expert, discusses best practices for specific application development procedures in this Ask the Expert Q&A.  Continue Reading

• Patch management techniques

  In this Ask the Expert Q&A, our platform security expert provides techniques to use when testing, installing and deploying a patch to your network.  Continue Reading

• How e-mail message components are used

  Learn what happens when someone's e-mail address differs from the certificate e-mail field value, in this application security Ask the Expert Q&A.  Continue Reading

• How VPNs interact with instant-messaging applications

  In this Ask the Expert, application security expert Michael Cobb reviews how an enterprise-wide VPN works and whether it encyrpts and protect instant-messaging communications.  Continue Reading

• The pros and cons of proxy firewalls

  In this Ask the Expert Q&A, our application security expert reviews the pros and cons of proxy firewalls.  Continue Reading

• How to detect rogue DHCP servers, routers and NICs on a network

  In this Ask the Expert Q&A, our identity and access management expert identifiies techniques and tools that help detect rogue DHCP servers, routers and network interface cards on a network.  Continue Reading

• Intermediate-level security certifications

  In this security management Ask the Expert Q&A, certification specialist Shon Harris provides an overview of intermediate-level security certifications.  Continue Reading

• The pros and cons of FTP over SSL

  Compare and contrast the pros and cons of having hosts send PGP-encrypted files to an existing FTP site against building an ad hoc FTP server using SSL, in this Ask the Expert Q&A  Continue Reading

• Web application variable manipulation

  Learn what happens to a Web application that uses two certificates: a client-side SSL certificate and a server-side certificate, and whether this certificate combination prevents Web application manipulation.  Continue Reading

• Synching passwords between an iSeries and Windows network

  Learn whether it is possible to synch passwords between an iSeries and a Windows network, and, if there a way to synch password between multiple iSeries, in this Ask the Expert Q&A.  Continue Reading

• Proxy server functions

  In this Ask the Expert Q&A, our platform security expert details how proxy servers work and determines whether they protect personal and sensitive information safe from hacker exploits.  Continue Reading

• How to build a user registration form

  Learn how to build a secure user registration form and some general Web-based system guidelines to guide you through the process.  Continue Reading

• How buffer-overflow vulnerabilities occur

  Learn about buffer-overflow vulnerabilities; how they occur, types of buffer-overflow attacks, and how hackers exploit them to gain access to secure and sensitive files.  Continue Reading

• How RSA keys differ from DH/DSS keys

  In this Ask the Expert Q&A, Michael Cobb, our application security expert explains how RSA and DH/DSS differ, examines the strengths and weaknesses of each, and, explains how to use the compression library Zlib.  Continue Reading

• How to prevent application attacks and reduce network vulnerabilities

  In this Ask the Expert Q&A, our application security guru discusses how hackers exploit network vulnerabilities to attack your applications and what you can do to mitigate this risk.  Continue Reading

• Verifying legitimate help desk requests

  Learn how to to defeat social engineers and measures help desk staff should take to protect the network after password resets.  Continue Reading

• How different DBMSes implement Internet database security

  Learn what it takes to achieve comprehensive DBMS security, in this application security Ask the Expert Q&A.  Continue Reading

• How an attacker cracks a symmetric key-based system

  Learn how an attacker cracks a symmetric key-based system.  Continue Reading

• How Kerberos, PKI and IPsec interoperate

  In this Ask the Expert Q&A, our identity and access management expert explains how these three unrelated systems interoperate to authenticate and manage digital certificates.  Continue Reading

• How IPsec and SSL/TLS use symmetric and asymmetric encryption

  In this Ask the Expert Q&A, our identity and access management expert explains how IPsec and SSL/TLS use these two authentication methods to establish secure Web sessions.  Continue Reading

• How to keep your data and database secure

  In this Ask the Expert Q&A, Michael Cobb discusses why having a Web-based application that resides on the same server as the database can be problematic, and, what you can do to keep your data safe.  Continue Reading

• Developing an incident response plan

  In this Ask the Expert Q&A, Shon Harris provides resources you can use to devise an effective incident response plan.  Continue Reading

• MD5 vs. RC4

  In this Ask the Expert Q&A our application security expert compares the MD5 encryption algorithm against its competitor RC4 and examines the security features of each.  Continue Reading

• ISO/IEC 17799 vs. COBIT: How do they differ?

  Shon Harris looks at the origins of the ISO/IEC 17799 and COBIT security management standards, and discusses the differences between them.  Continue Reading

• P2P availability, confidentiality and authentication vulnerabilities

  Learn tactics you can employ to reduce common P2P vulnerabilities.  Continue Reading

• How to create a secure password system

  In this Ask the Expert Q&A, Joel Dubin examines the security risks associated with using a password system that includes employee identifiers.  Continue Reading

• How to store and protect captured data on the back end of a biometric application

  In this Ask the Expert Q&A, our identity and access management guru discussses how to store and protect biometric data that is placed on database servers.  Continue Reading

• Authentication Header vs. IKE

  In this Ask the Expert Q&A, Joel Dubin discusses how and when the Authentication Header encryption protocol is used.  Continue Reading

• How to protect a LAN from unauthorized access

  In this Ask the Expert Q&A, web access control guru Joel Dubin outlines steps to take to protect a LAN.  Continue Reading

• The pros and cons of reformatting a hard drive

  In this Ask the Expert Q&A, our platform security expert discusses the pros and cons of reformatting a hard drive after an attack.  Continue Reading

• Patch deployment timeline

  In this Ask the Expert Q&A, our platform security expert discusses how long a mid- to large company should expect to wait before they are able to deploy a patch.  Continue Reading

• The future of Telnet and FTP

  In this Ask the Expert Q&A, our application security expert discusses what he believes what will happen to the Telnet and FTP application layer protocols as the industry prepares for the future.  Continue Reading

• What is network snooping? Can it be used for good?

  What is network snooping? Can it be used for good?  Continue Reading

• Hacking smart cards and biometric security systems

  In this Ask the Expert Q&A, our identity and access management guru explains how biometrics and smart cards can be fooled.  Continue Reading

• How hackers attack undetected

  Learn how hackers can attack a network and remain undetected.  Continue Reading

• Port searching

  In this Ask the Expert Q&A our network security expert dicusses whether it is possible to search for a port while it is in use.  Continue Reading

• The pros and cons of application firewalls

  In this Ask the Expert Q&A, our application security expert discusses the pros and cons of application firewalls. He also explains how they differ from packet filter and stateful inspection firewalls, and why they are not the preferred among some ...  Continue Reading

• How to prevent drive corruption in the event of power failure

  In this Ask the Expert Q&A, learn how a PDA device stores data and programs. Also learn how Compact Flash cards and hard drives differ and what some are doing to prevent drive corruption in the event of power failure.  Continue Reading

• Malware signature updates

  In this Ask the Expert Q&A our platform security expert discusses how the malware detection and virus detection processes differ. Also learn what some are doing to prevent spyware, rootkits, trojans and other types of malware from running on their ...  Continue Reading

• Digital certificates and webmail

  In this Ask the expert Q&A, our application security expert analyzes whether or not you can use digital IDs and certificates with webmail. He also discusses how and where to secure these devices to ensure your e-mail system is secure.  Continue Reading

• Encryption detection

  In the Ask the Expert Q&A, Michael Cobb, our application security expert discusses if it is possible to detect encryption. He also takes a closer look at steganography, explains what it is and how it is used to secure e-mail communications.  Continue Reading

• Risk management methodologies

  Expert advice regarding best practices for risk management methodologies. Also learn how vulnerability management and risk management tools differ and how they can help protect your environment.  Continue Reading

• How security audits, vulnerability assessments and penetration tests differ

  Learn how security audits, vulnerability assessment and penetration tests differ, and how these tests help promote a more secure environment.  Continue Reading

• Taking the CISSP exam without the required experience

  Learn about the Associate CISSP, a program offered by (ISC)2, that enables you to take the CISSP exam without the required experience.  Continue Reading

• Documenting how to handle confidential criteria

  Shon Harris, security management expert, suggests ways to draft an internal procedure on how to handle confidential data. She discusses data classification polices, steps to develop and roll out a data classification program, and what your ...  Continue Reading

• Designing an architecture for FTP file transfer

   Continue Reading

• How to configure an FTP server with SSL

  In this expert response, security expert Michael Cobb explains how to securely configure an FTP server with Secure Socket Layering (SSL).  Continue Reading

• Storing hashed, encrypted values in a database

  Expert advice on storing hashed and encrypted values in a database.  Continue Reading

• What is the most difficult thing about being a security specialist?

  Our expert discusses some of the challenges involved with being a security professional.  Continue Reading

• Testing a security patch

  Learn tool and techniques you can use to test a security patch prior to deployment.  Continue Reading

• Exam and experience requirements for CCSP

   Continue Reading

• How much time does it take to prepare for the CISSP?

   Continue Reading

• Physical security for a data center

   Continue Reading

• Implementing IDS in small- to medium-sized businesses

   Continue Reading

• Using a firewall vs. an IDS

   Continue Reading

• Firewall responsibilities and firewall timeout features

   Continue Reading

• Examining firewall logs for evidence of intrusions

   Continue Reading

• Where does Citrix fit into the SSL VPN landscape?

   Continue Reading

• How do I review audit logs for reverse shell traffic?

   Continue Reading

• Low-cost way to renew CISSP certification

   Continue Reading

• Can you recommend RC4 128-bit encrypted software?

   Continue Reading

• Are any security certifications available mainly for RACF?

   Continue Reading

• How can I authenticate a customer calling over the phone?

   Continue Reading

• How do we protect development code from being stolen over the Internet?

   Continue Reading

• What is the real threat of downstream liability?

   Continue Reading

• What percentage of security breaches originate internally vs. externally?

   Continue Reading

• Does a subsidiary need to conform with its parent company's security policies?

   Continue Reading

• How does 'arbitrary code' exploit a device?

   Continue Reading

• Examples of Sarbanes-Oxley violations

   Continue Reading