Ask the Experts

Ask the Experts

• Can OAuth 2.0 strengthen authentication?

  Security expert Michael Cobb explains what Open Authorization or OAuth 2.0 is, its pros and cons, and how it is different from bring your own identity.  Continue Reading

• Protecting PHI: Does HIPAA compliance go far enough?

  Fully protecting personal health information needs more than just HIPAA compliance. Expert Mike Chapple explains what kind of data is left unprotected under HIPAA.  Continue Reading

• How can forged certificates from trusted vendors be stopped?

  Unauthorized certificates from trusted vendors have become a big Internet security concern. Expert Michael Cobb discusses how to stay protected against this threat.  Continue Reading

• Can setting a cache-control header improve application data security?

  Application security expert Michael Cobb reviews the cache-control header codes that can help prevent a Web application from storing sensitive data.  Continue Reading

• Are LibreSSL and BoringSSL safe OpenSSL alternatives?

  Since the revelation of the Heartbleed flaw, OpenSSL security has been put into question. Expert Michael Cobb discusses whether LibreSSL and BoringSSL could serve as OpenSSL alternatives.  Continue Reading

• Will the Sarbanes-Oxley whistleblower update affect compliance?

  Sarbanes-Oxley Act compliance is important for firms to maintain. Expert Mike Chapple explains how to keep up with the new whistleblower update.  Continue Reading

• Can NIST 800-115 help with penetration testing?

  Compliance with NIST 800-115 is important for enterprises to maintain while testing systems. Expert Mike Chapple explains the best way to do that.  Continue Reading

• How can vishing attacks be prevented?

  Enterprise threats expert Nick Lewis explains what vishing attacks are and offers best practices for defending against them.  Continue Reading

• How can flash heap spray attacks be detected?

  Enterprise threats expert Nick Lewis explains how the new Flash heap spray attack technique works and discusses methods researchers are using to detect and mitigate the risk.  Continue Reading

• How vulnerable is Silverlight security?

  Microsoft Silverlight has been in the spotlight due to an increase in the number of exploit kits it is included in. Expert Nick Lewis explains the threat's severity and how to mitigate it.  Continue Reading

• VoIP vulnerabilities: Can VoIP data exfiltration be prevented?

  Malicious actors can exfiltrate sensitive data over VoIP, creating a security hole for enterprises. Expert Kevin Beaver explains how this attack is carried out and how to protect against it.  Continue Reading

• What's the best way to sell security strategies to executives?

  Selling security strategies to C-levels isn't always an easy task. Expert Joseph Granneman gives some advice on convincing execs of the importance of security.  Continue Reading

• What to expect from the new CompTIA Security+ certification exam

  With the new version of the CompTIA Security+ exam adding some necessary changes, expert Joseph Granneman explains how they affect the relevance of the exam.  Continue Reading

• How to detect fraudulent certificates that look real

  Malware using seemingly real digital certificates is becoming more prevalent. Expert Nick Lewis discusses how to detect fraudulent certificates.  Continue Reading

• SHA-2 algorithm: The how and why of the transition

  Is it time to make the move to the SHA-2 algorithm? Application security expert Michael Cobb discusses and offers tips to ease the transition.  Continue Reading

• Microsoft SQL Server 2008 end of life: When's the time to migrate?

  Microsoft SQL Server 2008 reached the end of its mainstream support on July 8, 2014. Michael Cobb explains what this means to enterprise security, as well as how -- and when -- organizations should migrate from the software.  Continue Reading

• Can open source cryptography libraries be trusted?

  After the Heartbleed fiasco, the future of OpenSSL and open source cryptography libraries is up in the air. Application Security Expert Michael Cobb discusses whether they can -- and should -- be trusted.  Continue Reading

• Preventing VPN security risks for mobile employees

  Expert Kevin Beaver offers VPN security best practices, including how to prevent risks and secure VPN access for mobile employees.  Continue Reading

• How to prevent preinstalled malware on mobile devices

  Preinstalled malware has become a major mobile security risk. Expert Nick Lewis explains how to detect malicious apps and defend against them.  Continue Reading

• Wireless access point security: Defending against Chameleon malware

  Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.  Continue Reading

• Applying insider threat detection during the hiring process

  Starting the insider threat detection process when hiring new staff members can put your company ahead of the curve. Expert Joe Granneman explains what to look for to prevent insider threats.  Continue Reading

• The importance of an IT security governance body

  An IT security governance board is a key feature in security budgeting, but who makes up this body? Expert Joseph Granneman outlines the best structure for security governance boards.  Continue Reading

• How to meet PCI DSS requirement 6.6 and keep down costs

  PCI DSS requirement 6.6 demands application security compliance through one of two options: an application firewall or a code review. Expert Mike Chapple analyzes which is the better option for cost efficiency.  Continue Reading

• How can the OWASP Top Ten reduce Web application vulnerabilities?

  The OWASP Top Ten Proactive Controls can reduce Web application vulnerabilities, but are they difficult and expensive to implement?  Continue Reading

• The key to assigning risk values in an IT security risk assessment

  Security expert Michael Cobb offers pointers on how to assign risk values during a security risk assessment.  Continue Reading

• Can FIPS 140-2 certification improve enterprise mobile security?

  FIPS 140-2 is a federal mobile security certification, so does it have any relevance in an enterprise setting? Michael Cobb explains.  Continue Reading

• Using metadata tagging tools for PCI DSS compliance

  Metadata tagging is not just for security. Expert Mike Chapple explains how tagging tools can be used to achieve PCI DSS compliance.  Continue Reading

• Google's HIPAA-compliant cloud: what you need to know

  Before using the HIPAA-compliant cloud services from Google, there are some things companies need to know, according to expert Mike Chapple.  Continue Reading

• RTF security: Avoiding embedded malware

  The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. Learn how to prevent the threat.  Continue Reading

• How to detect Android malware that leverages TOR

  A new variety of Android malware is using TOR for C&C communications. Expert Nick Lewis explains how to mitigate the threat.  Continue Reading

• Turla spyware: Defending against undetectable malware

  Is there a way to detect malware that's designed to avoid detection? Nick Lewis explains how the Turla spyware works and how to defend against it.  Continue Reading

• Updating network diagrams for PCI DSS 3.0 compliance

  Compliance with the PCI DSS 3.0 requirements means enterprises need to update their network diagrams. Mike Chapple outlines how to make these changes.  Continue Reading

• Vulnerability management: Benefits of a vulnerability scoring system

  What are the pros and cons of using a universal vulnerability scoring system from a vendor? Nick Lewis explains.  Continue Reading

• How to remove malware on Android devices that reinstalls itself

  A variant of malware on Android devices removes and reinstalls itself when a device powers on or off. Learn how to completely eradicate the threat.  Continue Reading

• Pretexting: How to avoid social engineering scams

  Expert Nick Lewis explains how to keep call center employees from getting duped by social engineering scams and pretexting.  Continue Reading

• Third-party application security evaluation tools and services

  Learn about the tools and services available that enterprises can use to determine the security of their third-party applications.  Continue Reading

• The best free vulnerability risk assessment tools

  Application security expert Michael Cobb discusses three free vulnerability risk assessment tools you should consider leveraging in the enterprise.  Continue Reading

• Mobile keyloggers and touchscreen detection attacks

  A recent proof of concept shines new light on the future of mobile keyloggers. Michael Cobb reviews how to keep touchscreen devices safe from attack.  Continue Reading

• Building the business case for a formal patch management program

  Delaying security patches is a huge risk. Michael Cobb explains how to build the business case for a formal patching program for a variety of systems.  Continue Reading

• Mobile keyloggers: Defense measures against mobile keystroke logging

  Application security expert Michael Cobb explains how companies can defend themselves against the growing threat of mobile keystroke logging.  Continue Reading

• P2P malware detection techniques

  The amount of malware using peer-to-peer communications has increased dramatically. Enterprise threats expert Nick Lewis explains how to detect P2P malware.  Continue Reading

• Sandbox evasion: How to detect cloaked malware

  Cloaked malware, like DGA.Changer, can reportedly evade sandbox detection. Nick Lewis explains how to handle the risk.  Continue Reading

• Whaling attacks: Taking phishing attacks to the next level

  Whaling attacks take phishing to the next level with much bigger targets. Enterprise threats expert Nick Lewis explains how to mitigate the risk.  Continue Reading

• Choosing PCI DSS-compliant service providers

  Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.  Continue Reading

• Security validation for cloud-based applications

  Adopting cloud-based applications can be a security headache. Michael Cobb explains how to perform tests that validate cloud app security.  Continue Reading

• How sandboxes benefit network protection and malware defense

  Nick Lewis discusses the concept of sandboxing and how vendors are using network appliance sandboxes to boost network protection and malware defense.  Continue Reading

• The truth about USB malware and safety best practices

  A strain of malware can steal data from a USB device itself rather than infect a network or system. Nick Lewis explains how to mitigate the threat.  Continue Reading

• The anti-sandbox malware that threatens sandbox security

  An anti-sandboxing malware variant is defeating on-premises sandbox protection. Is sandbox security a thing of the past? Expert Nick Lewis discusses.  Continue Reading

• HCISPP certification: What are the benefits?

  (ISC)2's HCISPP certification has many potential benefits for health information privacy and security. Expert Joseph Granneman examines them.  Continue Reading

• How to explain information security concepts to business executives

  Conveying complex information security models to business executives isn't easy. Here's how IT pros can improve their communication skills.  Continue Reading

• A broader definition of identity governance

  The definition of identity governance has evolved to include a tool that could prove challenging for enterprises to implement.  Continue Reading

• When single sign-on fails, is a second SSO implementation worthwhile?

  After a failed SSO implementation, is there any benefit to an enterprise trying again? Expert Michele Chubirka discusses.  Continue Reading

• How to decide if a cloud firewall is better than a traditional firewall

  Before replacing a traditional firewall with a cloud firewall, keep these considerations in mind. Kevin Beaver shares his list of concerns.  Continue Reading

• How to secure a wireless router to ensure remote admin service safety

  Network security expert describes how to secure a wireless router and prevent the router's remote administration feature from being hacked.  Continue Reading

• Regulatory compliance requirements for security awareness programs

  Employees play an important role in achieving and maintaining regulatory compliance, explains compliance expert Mike Chapple.  Continue Reading

• How to use the Metasploit Framework to test for new vulnerabilities

  The open source Metasploit Framework is an essential tool to help enterprises detect new vulnerabilities. Michael Cobb explains why.  Continue Reading

• Defense best practices for a man-in-the-middle attack

  Man-in-the-middle attack defense requires careful, layered security. Michael Cobb reviews the tactics enterprises should employ to stay secure.  Continue Reading

• Best practices for employer monitoring of social media

  Expert Joseph Granneman explains the best way for employers to approach social media monitoring as part of a social media policy for employees.  Continue Reading

• Strategic security staffing: Generalist or specialist?

  Expert Joseph Granneman explains whether a midsize company should hire security specialists or generalists and why.  Continue Reading

• Preparing for a firewall failure: Firewall best practices

  Is your enterprise ready for a firewall failure? Uncover firewall best practices to help you prepare.  Continue Reading

• Audit concerns when migrating from traditional firewall to NGFW

  Learn about a potential audit concern when transitioning from a traditional firewall to a next-generation firewall.  Continue Reading

• Does TCP/IP reassembly pose a TCP/IP packet format risk?

  An obscure process called TCP/IP reassembly may pose an enterprise network security risk. Learn about this TCP/IP packet format security issue.  Continue Reading

• Addressing the security vulnerabilities of IPMI-enabled systems

  The Intelligent Platform Management Interface (IPMI) protocol presents a number of security vulnerabilities. Uncover how to mitigate the risks.  Continue Reading

• UTM vs. NGFW: Comparing unified threat management, next-gen firewalls

  What's the difference between unified threat management (UTM) products and next-generation firewalls (NGFW)? Brad Casey discusses.  Continue Reading

• Using whitelisting technology to defend against POS malware

  Learn how whitelisting technology can help protect point-of-sale terminals from being compromised by POS malware.  Continue Reading

• Introduction to iCloud Keychain: Security for password synchronization

  ICloud Keychain can supposedly sync passwords across devices without using iCloud. But is it secure? Security expert Michele Chubirka explains.  Continue Reading

• Authentication caching: How it reduces enterprise network congestion

  Michael Cobb explores the pros and cons of authentication caching and whether the practice can truly calm network strain.  Continue Reading

• Incident response planning for DNS attacks against enterprises

  Practicing incident response for a DNS attack will help enterprises recover faster. Nick Lewis offers incident response planning best practices.  Continue Reading

• C&C infrastructure explained: Tilon malware lessons learned

  Expert Nick Lewis details how the Tilon malware strain utilizes a unique communication protocol with its C&C infrastructure.  Continue Reading

• To protect privileged users, consider using least privilege principle

  To defend against "laterally" moving attackers, consider granting privileged users the least privileges necessary. Expert Nick Lewis explains how.  Continue Reading

• Web browser protection for users: Adapting to new Web security threats

  Expert Nick Lewis explains how to provide a secure Web browsing experience for users when threats are no longer contained to certain parts of the Web.  Continue Reading

• Java patching: Lost cause, or an enterprise security necessity?

  After a plethora of Java and JRE security flaws, threats expert Nick Lewis weighs in on whether Java patching is now an exercise in futility.  Continue Reading

• Attack obfuscation: How attackers thwart forensics investigations

  Expert Nick Lewis explains how attackers utilize offensive forensics techniques to thwart forensics investigations.  Continue Reading

• HSTS: How HTTP Strict Transport Security enhances application security

  Many websites are using HTTP Strict Transport Security (HSTS) to enhance application security, but is it really more effective than HTTPS?  Continue Reading

• Developing a continuous security monitoring program for 24/7 security

  Developing a continuous security monitoring program to ensure 24/7 security is no easy task. Michael Cobb offers key advice for completing the task.  Continue Reading

• How Google Chrome Canary improves malware defense, prevents infection

  The forthcoming Google Chrome Canary browser boasts the ability to boost malware defense and prevent malware infection. Michael Cobb explains how.  Continue Reading

• Choosing an SSL decryption appliance for enterprise SSL monitoring

  SSL monitoring is becoming critical to enterprise network security. Learn the key criteria for choosing an SSL decryption appliance.  Continue Reading

• Making the case: Mobile IDS/IPS vs. traditional IDS/IPS

  What's the difference between mobile IDS/IPS and traditional IDS/IPS? Expert Brad Casey discusses the value proposition for enterprise deployment.  Continue Reading

• The benefits of subscription-based penetration testing services

  Should an enterprise opt for subscription-based services or conduct their pen testing in-house? Network security expert Brad Casey discusses.  Continue Reading

• Is cloud-based DDoS mitigation better than in-house DDoS protection?

  Discover the benefits of cloud-based DDoS mitigation and uncover when a cloud service is more viable than in-house DDoS protection.  Continue Reading

• How ISP services can improve enterprise cybersecurity

  Uncover which ISP services enterprises should seek from their providers to improve cybersecurity and mitigate cyberattacks.  Continue Reading

• Network tap vulnerabilities: Network traffic security over the Internet

  Is there any viable way to mitigate the risks of a potential wide-area network tap and ensure network traffic security over the Internet?  Continue Reading

• Why TCP traffic spikes with source port zero should sound an alarm

  Are spikes in TCP traffic with source port zero warning signs that future attacks are imminent? Discover why enterprises should be concerned.  Continue Reading

• Best practices for implementing an enterprise network air gap system

  Learn best practices for implementing an enterprise network air gap system as a defense against advanced attacks.  Continue Reading

• Microsoft Office 2003: Staying safe after the security support stops

  Worried about Microsoft Office 2003 security after support ends April 8, 2014? Michael Cobb offers some pointers.  Continue Reading

• Preventing plaintext password problems in Google Chrome

  Plaintext passwords are risky business. Michael Cobb discusses what Google says about the Chrome password vulnerability and potential exploits.  Continue Reading

• Femtocell security: Defending against a femtocell hack

  The risk of a femtocell hack is a real enterprise concern. Nick Lewis explains why and explores how to defend against an attack.  Continue Reading

• KINS malware: Rootkit vs. bootkit

  The emerging KINS malware has been labeled a bootkit rather than a rootkit. Nick Lewis explains the difference and how to defend against it.  Continue Reading

• How to use the RACI matrix for a security risk assessment

  Expert Joseph Granneman explains how the RACI matrix can be used as part of an information security risk assessment.  Continue Reading

• The backdoor threat of Trusted Platform Module and Windows 8

  Does the combination of the Trusted Platform Module and Windows 8 create the threat of a backdoor? Michael Cobb discusses.  Continue Reading

• Elliptic curve cryptography: What ECC can do for the enterprise

  Is elliptic curve cryptography more effective than RSA or Diffie-Hellman? Security expert Michael Cobb details the pros and cons of ECC.  Continue Reading

• What is the MEHARI risk management framework and how can it be used?

  Expert Joseph Granneman details the MEHARI risk management framework and compares it to the ISO 27000 and NIST 800 series.  Continue Reading

• What are the top instant messaging security risks facing enterprises?

  Expert Michael Cobb explains the security risks of instant messaging (IM) and reveals why standardizing on one program can help mitigate them.  Continue Reading

• SSH security risks: Assessment and remediation planning

  Application security expert Michael Cobb details how to use a new free SSH security risk assessment tool to mitigate enterprise SSH risks.  Continue Reading

• How to identify and secure data egress points to prevent data loss

  Expert Michael Cobb discusses how to identify the data egress points in enterprise databases to prevent malicious data exfiltration.  Continue Reading

• Network security risks: The trouble with default passwords

  Network security expert Brad Casey explores the risks of putting devices on the network with default passwords, and spotting default password usage.  Continue Reading

• The risks of granting admin rights for Windows app management

  Brad Casey explores issues with giving Windows users admin rights to install and manage applications, and offers advice on mitigating inherent risks.  Continue Reading

• How to defend against a DOM-based XSS attack

  Learn how DOM-based XSS attacks differ from typical cross-site scripting attacks, and learn best practices for defending against them.  Continue Reading

• DLL preloading: Making malware detection more difficult

  DLL preloading makes malware detection difficult. Effective enterprise mitigation requires antimalware, Microsoft FixIt, and keeping programs current.  Continue Reading

• Using the Google Transparency Report to enhance website blacklisting

  Threats expert Nick Lewis explores whether Google's Transparency Report can be used to enhance blacklisting of malicious websites in the enterprise.  Continue Reading