Ask the Experts

Ask the Experts

• Is paying the ransom the only way to remove ransomware?

  Should organizations pay the money to save their attacker-encrypted data and remove ransomware? Expert Mike O. Villegas advises enterprises on the best approach.  Continue Reading

• How can health organizations prepare for HIPAA audits?

  The long-awaited HIPAA audits conducted randomly by HHS are finally supposed to happen in 2015, but with stricter requirements. Here's how organizations can get ready.  Continue Reading

• How can HIPAA security risk analysis help with compliance?

  HHS recommends security risk analysis as an early step to become HIPAA compliant, so how should organizations put this tip into practice?  Continue Reading

• BSA updates: What's new in the Bank Secrecy Act?

  The Bank Secrecy Act (BSA) updates will help firms prepare for the 2015 bank examinations. Here are some of the basics from this lengthy guidance.  Continue Reading

• Can the Wyvern programming language improve Web app security?

  A new programming language called Wyvern is helping developers use multiple languages in one app securely. Application security expert Michael Cobb discusses.  Continue Reading

• Are HTML5 mobile apps an enterprise security concern?

  Gartner predicts more than half of all mobile apps will use HTML5 by 2016, but what threats will this cause the enterprise? Expert Michael Cobb discusses.  Continue Reading

• Can public key pinning improve Mozilla Firefox security?

  Public key pinning aims to reduce the lack of trust associated with digital certificates and certificate authorities. Expert Michael Cobb explains how it works and its benefits.  Continue Reading

• Is global email an enterprise email security risk?

  Ubiquitous global email is right around the corner. But what effect will it have on enterprises? Expert Michael Cobb explains.  Continue Reading

• Samsung KNOX security: Does NSA approved equal enterprise approved?

  The Samsung KNOX platform has been approved by the NSA to protect classified data, but it's not without risks. Expert Michael Cobb explains.  Continue Reading

• Is the Open Wireless Router project applicable in the enterprise?

  The Open Wireless Movement's Open Wireless Router project can reportedly improve privacy and security, but is it enterprise safe? Network security expert Kevin Beaver explains.  Continue Reading

• The Third Network: What are the security risks for Ethernet as a service?

  Ethernet as a service, or the Third Network, aims to deliver faster services to users across carriers and providers, but what are the risks? Network security expert Kevin Beaver explains.  Continue Reading

• When is a breach detection system better than an IDS or NGFW?

  Breach detection systems are gaining steam, but when would they be more appropriate to use than an IDS or NGFW? Expert Kevin Beaver explains.  Continue Reading

• Are enterprise devices vulnerable to NAT-PMP security threats?

  Network Address Translation - Port Mapping Protocol implementations may cause vulnerabilities on networking devices. Expert Kevin Beaver offers pointers for testing and mitigating such risks.  Continue Reading

• How should we hire for specialized information security roles?

  A rise in specialized roles puts extra pressure on security hiring. Expert Mike O. Villegas explains how to meet this demand and find talented security professionals.  Continue Reading

• What are the benefits of a having a CISO title in an organization?

  Is a CISO title really necessary in an organization? Expert Mike O. Villegas explains why the title matters, as well as the qualities CISOs need to have to assert their importance.  Continue Reading

• The CEO refuses cybersecurity best practices: Now what?

  Some executives don't think cybersecurity best practices apply to them. Expert Mike O. Villegas explains how to handle that situation.  Continue Reading

• How can security pros cope with a limited information security budget?

  Many security professionals have to operate within a small information security budget. Expert Mike O. Villegas reviews some tips to maximizing the budget and persuading management to increase it.  Continue Reading

• Are one-day wonders enterprise Web security risks?

  One-day wonders are websites that persist for 24 hour or less. Should these phenomena be an enterprise security concern? Expert Michael Cobb explains.  Continue Reading

• Are mobile persistent cookies a threat to enterprise data security?

  While cookies can be helpful, mobile persistent cookies can pose a serious threat to users and enterprises. Expert Michael Cobb explains how to mitigate the risk and eliminate the threat.  Continue Reading

• How does public key pinning improve website security?

  Certificate authority confidence is waning, but the emergence of public key pinning can help keep websites secure. Expert Michael Cobb explains how.  Continue Reading

• Is PGP security still strong or is it time for a new encryption standard?

  Pretty Good Privacy is nearly 25 years old and still widely used -- but is it as effective as it once was? Application security expert Michael Cobb explains the past, present and future of PGP.  Continue Reading

• Is homomorphic encryption the answer to enterprise encryption issues?

  Homomorphic encryption can be used to bypass encryption, but it's for the good of all. Application security expert Michael Cobb explains.  Continue Reading

• Should an OpenSSL-reliant product risk assessment be performed?

  Many organizations are still vulnerable to the Heartbleed flaw. Expert Kevin Beaver explores the merits of an OpenSSL-specific risk assessment.  Continue Reading

• Can behavioral detection improve enterprise network security?

  Expert Kevin Beaver explains how behavioral detection and traffic analysis helps combat advanced malware, as well as whether it is a more effective enterprise protection than perimeter security.  Continue Reading

• What is the best VPN traffic monitoring tool for enterprises?

  Monitoring VPN traffic is a critical task. Expert Kevin Beaver explains what to look for in a VPN traffic monitoring tool and offers a few free and open source options for enterprises to consider.  Continue Reading

• How will the Named Data Networking project affect Internet architecture?

  Expert Kevin Beaver discusses the possibility of the Named Data Networking architecture taking over the Internet and the challenges that may ensue should it come to fruition.  Continue Reading

• How can malware using bulletproof hosting sites be stopped?

  Expert Nick Lewis explains what bulletproof hosting is and how enterprises can best defend against malware that uses it as part of its attack scheme.  Continue Reading

• What is the best super-sized cookie denial-of-service attack defense?

  Super-sized cookies are behind an innovative new denial-of-service attack. Enterprise threats expert Nick Lewis discusses how to prevent these cookies from getting onto your network.  Continue Reading

• Malvertising: How can enterprises defend against malicious ads?

  Malicious ads are becoming an increasing threat vector. Expert Nick Lewis explains how to defend your enterprise against the risks of malvertising.  Continue Reading

• Advanced persistent threat detection: Can it find custom malware?

  Signature-based antimalware tools can't always detect custom malware and advanced persistent threats. Expert Nick Lewis explains how to combat these menaces.  Continue Reading

• Are there new spam rules to mitigate spam techniques?

  Expert Nick Lewis explores the latest spam defense methods and products that will help enterprises defend against new and emerging spam techniques.  Continue Reading

• How will Android encryption by default affect enterprise BYOD?

  Google is beginning to encrypt data by default on its Android devices. Expert Michael Cobb explains how this change will affect enterprise BYOD security.  Continue Reading

• How does the Melbourne Shuffle prevent data access pattern recognition?

  Access pattern recognition in the cloud is becoming an enterprise risk. Expert Michael Cobb explains how the Melbourne Shuffle can improve access pattern security.  Continue Reading

• Android browser security: How can AOSP browser flaws be fixed?

  While Google fixed the issue on its Android OS, many browsers still fall victim to a known same-origin bypass AOSP browser flaw. Expert Michael Cobb discusses how to avoid the risk.  Continue Reading

• What are the Windows Phone 8.1 security improvements?

  Microsoft hardened its Windows 8.1 update to make it enterprise- and government-worthy. Expert Michael Cobb outlines the new and improved features.  Continue Reading

• How does Pretty Easy Privacy secure online communications?

  The open source Pretty Easy Privacy project is a user interface that helps users secure communication channels. Expert Michael Cobb outlines how it works.  Continue Reading

• Should enterprises encrypt audio for secure headset communications?

  Encrypting communications between a headset and an audio jack may be crucial in certain situations to mitigate attacks. Enterprise threats expert Nick Lewis explains.  Continue Reading

• How can tokenization and encryption help payment card security?

  Tokenization and end-to-end encryption are the new big technologies for payment care security. Expert Mike Chapple explains how they may also ease compliance burdens.  Continue Reading

• Algorithm substitution attacks: Ensuring encryption algorithm security

  Algorithm substitution attacks can decrypt secure communications and potentially expose enterprise data in plaintext. Learn how to mitigate the threat.  Continue Reading

• How to detect malware that leaves no file on disk

  Malware that leaves no file on disk can throw enterprises' malware-detection capabilities for a loop. Learn how to detect and defend against fileless malware.  Continue Reading

• How can organizations prepare for a HIPAA audit?

  HIPAA audits are finally on the way, and organizations need to be ready. Expert Mike Chapple reveals the best way to prepare your company for a HIPAA audit.  Continue Reading

• Do HIPAA compliance requirements change during health crises?

  Outbreaks of Ebola caused widespread fear, but should enterprises be worried about the effect on HIPAA compliance requirements? Compliance expert Mike Chapple explains.  Continue Reading

• Repackaged apps: Defending against fake apps in the enterprise

  Repackaged applications can present multiple enterprise security risks. Expert Nick Lewis explains what these fake apps are and how to defend against them.  Continue Reading

• Why is the CISO role necessary to enterprises?

  A chief information security officer is becoming a necessity to organizations. Expert Mike O. Villegas explains why and how to communicate this need to other executives.  Continue Reading

• Login credential security: How to defend against tabnapping

  Tabnapping can be used to capture user login credentials. Enterprise threats expert Nick Lewis explains how to defend against the risk.  Continue Reading

• How is distributed reflection denial of service different from DoS?

  A jump in multi-vector attacks highlights the threat of distributed reflection denial-of-service attacks. Enterprise threats expert Nick Lewis explains how these threats differ from traditional DoS attacks and offers prevention techniques.  Continue Reading

• How can a follow-on training program improve security awareness?

  A continual security awareness training program is important for an enterprises' culture. Expert Mike O. Villegas gives some key topics to focus on.  Continue Reading

• What are the benefits of hiring a chief privacy officer?

  What exactly is a chief privacy officer, and what can one do to help your organization? Expert Mike O. Villegas explains how a CPO could help improve security.  Continue Reading

• Can a smartphone gyroscope be an eavesdropping tool?

  Smartphones with gyroscopes can be exploited to serve as an eavesdropping tool. Expert Nick Lewis explains how to mitigate smartphone gyroscope risk.  Continue Reading

• Man-in-the-email vs. man-in-the-middle attack: What's the difference?

  Learn the difference between man-in-the-middle and man-in-the-email attacks, and get tips on how to prevent becoming a victim.  Continue Reading

• Should companies share data breach information with the public?

  Data breach information sharing between CISOs is a helpful security tool, but expert Mike O. Villegas explains why sharing with the public may be detrimental.  Continue Reading

• Can remote wipe completely erase mobile phone data?

  Remote wipe is the option most people think of when looking to erase data on mobile phones, but it isn't always the most effective. Expert Nick Lewis explores how to fully remove data from a device.  Continue Reading

• Which controls can prevent multifunction printer security risks?

  Hackers are infiltrating the enterprise through multifunction printers. Expert Kevin Beaver explains how to mitigate the threat and improve printer security.  Continue Reading

• How can malicious apps posing as real apps be detected?

  Malware masquerading as legitimate applications is a rising problem. Enterprise threats expert Nick Lewis outlines how to detect and mitigate this type of malware.  Continue Reading

• What are the secrets to SIEM deployment success?

  Many organizations deploy security information and event management systems without the proper planning and therefore can't reap the proper rewards. Expert Kevin Beaver offers tips for a successful implementation.  Continue Reading

• NAS security: How to combat network-attached storage device risks

  Network-attached storage devices can present a plethora of security issues to an enterprise. Expert Kevin Beaver explains how to detect and mitigate the risks.  Continue Reading

• How can mobile broadband modem security be ensured?

  Mobile broadband modems are becoming popular vectors for attack. Expert Kevin Beaver outlines how to defend against the threat.  Continue Reading

• How should agencies prepare for federal security scanning?

  What do agencies need to consider before going through the Department of Homeland Security's network security scanning? Expert Mike Chapple answers.  Continue Reading

• How does an organization know if it's a HIPAA business associate?

  HIPAA business associates must be HIPAA-compliant, but it's often difficult for organizations to figure out if they fit under that umbrella. Expert Mike Chapple explains how.  Continue Reading

• How will Shellshock affect PCI DSS audits for enterprises?

  PCI DSS audits are sure to include a look at Shellshock mitigation. Expert Mike Chapple discusses how organizations can prepare.  Continue Reading

• How can shortened URLs carrying malicious links be detected?

  While shortened URLs are convenient and space-saving, they can potentially lead users to malicious websites. Enterprise threats expert Nick Lewis explains how to avoid the threat.  Continue Reading

• How can drive-by download attacks be prevented?

  Expert Nick Lewis offers some strategies that enterprises can use to avoid the threat of drive-by download attacks and improve employee awareness of the risks.  Continue Reading

• Can the NSCAP improve enterprise security with the CIRA certification?

  Expert Nick Lewis discusses the Cyber Incident Response Assistance certification from the NSA's National Security Cyber Assistance Program and what the accreditation means for an enterprise.  Continue Reading

• How can outdated ActiveX controls be blocked?

  Outdated ActiveX controls can pose serious security risks. Enterprise threats expert Nick Lewis discusses how to block them in the enterprise.  Continue Reading

• Can compliance as a service cloud hosting benefit enterprises?

  Is compliance as a service a good option for compliance outsourcing? Expert Mike Chapple explores this new option for enterprises.  Continue Reading

• What are HIPAA's mobile app requirements that developers should know?

  There's a lot of confusion surrounding the HIPAA compliance requirements for mobile health apps. Expert Mike Chapple finally clears it up for health app vendors.  Continue Reading

• Should enterprises enforce harsher penalties for phishing victims?

  The consequences of phishing attacks could fall on the victims as enterprises start to punish employees who fall for this age-old scam. Expert Joseph Granneman discusses why this approach may have merit.  Continue Reading

• What are the benefits of CERT's ITPM certification?

  CERT's ITPM certification is designed to help enterprises with their insider threat programs. Expert Joseph Granneman discusses the certification and its relevance.  Continue Reading

• How can enterprises alleviate the threat of privileged users?

  Privileged users pose a growing threat to organizations. Expert Joseph Granneman looks at this insider threat and shares ways to mitigate it.  Continue Reading

• What are the benefits of Netflix's threat monitoring tools?

  Netflix released its own threat monitoring tools: Scumblr, Sketchy and Workflowable. Expert Joseph Granneman looks at these tools and their benefits to enterprises.  Continue Reading

• How can macro malware and macro virus threats be prevented?

  Macro viruses are back in the form of macro malware, creating a potentially major issue for enterprises. Expert Nick Lewis explains how to ensure your organization doesn't fall victim.  Continue Reading

• Can Vawtrak malware block enterprise security software?

  Emerging malware, like the Vawtrak banking malware, has the ability to block enterprise antimalware measures. Expert Nick Lewis explains how to mitigate the risk.  Continue Reading

• How does snowshoe spam evade spam blockers?

  Spam can use a process called 'snowshoe' to evade spam filters. Enterprise threats expert Nick Lewis explains how to block snowshoe spam.  Continue Reading

• Can internal threats be distinguished from outside malware coders?

  Differentiating between insider and non-insider malware threats can be challenging. Expert Nick Lewis offers pointers for distinguishing malware coders from internal threats.  Continue Reading

• Emotet: How can traffic-sniffing banking malware be thwarted?

  A new variety of banking malware can sniff traffic from APIs. Enterprise threats expert Nick Lewis outlines how to mitigate the risk.  Continue Reading

• HTTP/2: Is it the next HTTP?

  Security expert Michael Cobb discusses the next iteration of HTTP -- HTTP/2 -- including how it's different from HTTP and how enterprises should prepare for its release.  Continue Reading

• What's new with Mac OS X Yosemite security?

  Security expert Michael Cobb outlines new Yosemite features -- and the security risks posed by them -- that enterprises should be aware of, including Handoff, iCloud drive, Mail Drop and more.  Continue Reading

• Are security seals a worthwhile website security check?

  Security seals were created to help convey trust and protection to website users, but can they really be trusted? Security expert Michael Cobb explains.  Continue Reading

• Skype vs. Tox: Which is better for secure communications?

  Securing enterprise communications has become a top concern lately. However, finding the application that best suits your enterprise security needs can be challenging. Michael Cobb advises.  Continue Reading

• How can jailbroken devices be detected within the enterprise?

  Jailbroken devices pose significant enterprise risks in BYOD environments. Security expert Michael Cobb discusses how to detect and mitigate the risks of jailbroken BYODs.  Continue Reading

• How important is an early SMAC security policy?

  Enterprises should prepare a SMAC security policy, since the strategy is on the rise. Expert Joseph Granneman explains some SMAC security implications to be aware of.  Continue Reading

• Why is the Certified Ethical Hacker certification suddenly popular?

  The Certified Ethical Hacker certification gained in popularity recently. Expert Joseph Granneman explains the CEH and why it's relevant again.  Continue Reading

• Is cybersecurity insurance valuable to enterprises?

  Cybersecurity insurance is used as a fallback after data breaches, but does it really cover everything an organization needs? Joseph Granneman provides some answers.  Continue Reading

• How should organizations make a cybersecurity policy a top priority?

  Supporting a cybersecurity policy should be a priority for executive boards. Expert Joseph Granneman explains how CISOs can effectively communicate its importance.  Continue Reading

• What are the Sarbanes-Oxley requirements for social media?

  Enterprise social media policies should be sure to meet Sarbanes-Oxley requirements. Expert Mike Chapple explains the specific requirements.  Continue Reading

• What advice does the PCI Special Interest Group have for compliance?

  A new PCI Special Interest Group document gives advice to enterprises on staying PCI DSS compliant after audits. Expert Mike Chapple highlights the key takeaways.  Continue Reading

• Which network security certification is best to pursue?

  With a number of new network security certifications available, knowing which one will best help your career can be confusing. Expert Kevin Beaver discusses the options.  Continue Reading

• What are the security implications of multipath TCP?

  Multipath TCP could soon bring improved redundancy and uptime to a network near you, but what does it mean for network security? Expert Kevin Beaver explains.  Continue Reading

• Wi-Fi 2.0: What is 802.11u and how can it improve security?

  Network security expert Kevin Beaver discusses the reality of the 801.11u standard and its ability to both improve the ease of Wi-Fi access and boost security.  Continue Reading

• What's driving executive turnover for CISOs?

  A number of experienced CISOs have left their positions recently. Expert Joe Granneman looks at where they are going, and what's behind the trend.  Continue Reading

• Are third-party security awareness training programs effective?

  Security awareness training can be effective, but how should enterprises select the right third-party program? Expert Joe Granneman offers some advice.  Continue Reading

• Are cybersecurity degrees helpful for career advancement?

  What's the best way for cybersecurity professionals to bolster their resumes? Expert Joseph Granneman discusses how to forge the right career path.  Continue Reading

• What are the best approaches for security budgeting?

  Finding dollars for information security in the enterprise can be challenging. Expert Joseph Granneman offers advice on strategic security budgeting.  Continue Reading

• What's the best way to find enterprise compliance tools?

  Looking for compliance tools? Expert Mike Chapple explains why the best place to start the search is within your own information security infrastructure.  Continue Reading

• Should mobile fitness apps be HIPAA-compliant?

  Mobile fitness apps can contain personal data, so should they be HIPAA-compliant? Expert Mike Chapple explains why that's not the right approach.  Continue Reading

• Can video surveillance improve PCI DSS 3.0 compliance?

  Requirement 9.9 of PCI DSS 3.0 focuses on physical security of point-of-sale systems. Expert Mike Chapple looks at whether or not video surveillance can help in that regard.  Continue Reading

• How often should businesses conduct pen tests?

  Depending on whom you talk to, pen tests should be done annually or monthly. Expert Kevin Beaver discusses how to find your organization's answer.  Continue Reading

• What's the best firewall for cloud, SDN and mobile environments?

  As the enterprise grows more mobile and virtualized, finding the best firewall can be challenging. Expert Kevin Beaver advises how to find your enterprise's most effective option.  Continue Reading

• Can the PORTAL travel router improve traffic security?

  A pocket-sized travel router can reportedly keep Internet traffic secure. Is it too good to be true? Expert Kevin Beaver discusses.  Continue Reading

• How can Microsoft XML vulnerabilities be mitigated?

  A reported 43% of Microsoft XML users are running vulnerable versions of the software. Security expert Michael Cobb discusses how to mitigate the risks.  Continue Reading