Ask the Experts

Ask the Experts

• FFIEC security requirements: Physical security management and logging

  In this expert response from Ernie Hayden, learn about FFIEC security requirements for creating physical security logs.  Continue Reading

• Penetration test methodology: Creating a network pen testing agreement

  Network pen testing can be very useful when it comes to detecting vulnerabilities, but it's important to work with the IT department to prevent network downtime. In this expert response, learn how to draw up pen testing rules of engagement for ...  Continue Reading

• Using fuzzing for internal application security testing

  Superstar security researchers often use fuzzing to find flaws in major vendors' applications, and you can use fuzzers to find vulnerabilities during internal software development. Expert Michael Cobb explains how.  Continue Reading

• Using a digital signature, electronic signature and digital certificate

  While they may seem similar, a digital signature, electronic signature and digital certificate all have unique functions. In this IAM expert response from Randall Gamby, learn the differences and how each is used.  Continue Reading

• Privacy laws in the workplace: Creating employee privacy policies

  Are your employees aware of their workplace privacy rights? More specifically, are they aware of what privacy rights they don't retain? Learn how to create effective employee privacy policies in this expert response.  Continue Reading

• HTML 5 features present new security risks

  Find out why new HTML 5 features are going to represent a new opportunity for malware writers.  Continue Reading

• Detecting kernel intrusion attacks through network monitoring

  Learn how to detect kernel intrusion attacks by monitoring your network closely and thoroughly.  Continue Reading

• How to determine the net value of an asset for risk impact analysis

  Asset valuation and impact analysis are two different but equally important aspects of risk analysis. Expert Ernie Hayden explains.  Continue Reading

• Proxy server security: Defending against DoS and other attacks

  In this expert response, find out how to boost proxy server security in the enterprise.  Continue Reading

• Is the 3DES encryption algorithm the best choice for S/MIME protocol?

  The triple DES encryption algorithm was originally designed for the S/MIME protocol, but is it still the best choice for encryption? In this expert response, Randall Gamby describes the advantages and disadvantages to using 3DES.  Continue Reading

• Creating a user account management policy to delete old accounts

  If you're not deleting orphaned accounts, you may be leaving the door wide open to attackers. In this expert response from Randall Gamby, learn how to create an effective user account management policy for getting rid of old accounts.  Continue Reading

• Is an SMTP TLS certificate the same as an FTP SSL certificate?

  Are all security transportation-level certificates (TLSes) the same, or are there different certificates for different protocols? In this expert response, Randall Gamby discusses SMTP and FTP certificates.  Continue Reading

• Is a touchscreen virtual keyboard good for keeping passwords secure?

  Recently, touchscreen virtual keyboards have been showing up on sites as an added security measure. What are the pros and cons of these virtual keyboards, and are they capable of stopping keylogging?  Continue Reading

• The difference between a digital signature and digital certificate

  A digital signature and a digital certificate, while both security measures, are different in the ways they are implemented and what they are implemented for. In this expert response, Randall Gamby explains the difference.  Continue Reading

• Gap analysis methodology for IT security and compliance

  If your enterprise is faced with multiple-standard compliance, having a set gap analysis methodology can save a lot of time and effort. Learn more in this expert response from Ernie Hayden.  Continue Reading

• SANS Top 25 programming errors: Application security best practices

  Learn the SANS Top 25 programming errors and the best practices for application security.  Continue Reading

• Separation of duties: Internal user account controls

  If your user account administration is dispersed among different departments, you might be looking into centralizing it. This can work, provided you have a trustworthy administrator and separation of duties controls.  Continue Reading

• DBMS security: Data warehouse advantages

  Are there data warehouse advantages in regard to security? Without question. Michael Cobb explains.  Continue Reading

• OpenOffice security: Concerns when moving from Microsoft Office

  What are the major OpenOffice security concerns when transitioning from Microsoft Office? Security expert Michael Cobb explains the potential vulnerabilities between open source and commercial software.  Continue Reading

• How to decode a cipher: Identifying a cryptographic hash algorithm

  While it is possible to identify a cryptographic algorithm by way of cipher bit sequences, it can be difficult, and is sometimes illegal. IAM expert Randall Gamby gives advice and a warning.  Continue Reading

• The benefits of application proxy firewalls

  Michael Cobb explains the benefits of application proxy firewalls as compared to other firewall technologies including packet filtering firewalls and stateful inspection firewalls or circuit-level gateways.  Continue Reading

• How to update a disaster recovery, contingency planning strategy

  Have your disaster recovery plans fallen woefully behind the current state of your business? In this expert response, Ernie Hayden discusses how to conduct tabletop exercises to get your plans back on track.  Continue Reading

• Advanced Encryption Standard and AES ciphers: Can they be cracked?

  No encryption standard is unbreakable, but Advanced Encryption Standard may come close. Michael Cobb discusses why AES ciphers are so tough to beat.  Continue Reading

• Digital signature implementation: How to verify email addresses

  When implementing digital signatures in Outlook, learn what pitfalls to avoid and how to verify the email addresses and digital signatures of the senders.  Continue Reading

• Smart card security: Disable a lost smart card and track with GPS?

  Is it possible to track a lost or stolen smart card with GPS? In this IAM expert response, Randall Gamby gives advice on enhancing smart card security in such a situation.  Continue Reading

• A written information security policy (WISP) example for compliance

  Looking for a Written Information Security Policy (WISP) example for compliance with the Massachusetts data protection law? In this expert response, Ernie Hayden gives readers just that.  Continue Reading

• Can secure FTP services protect sensitive data from hackers?

  Does secure FTP services protect against hackers and attacks? In this expert response, Michael Cobb explains why using a secure FTP service is vital for handling sensitive data transfers.  Continue Reading

• Best practices: Separation of duties for security administrators

  In this Q&A, expert Michael Cobb explores separation of duties for security administrators with access to domain controllers and servers running Windows, UNIX and Linux.  Continue Reading

• Remote webcam security surveillance: Invasion of privacy?

  Using remote webcam security surveillance to check the whereabouts of stolen laptops might seem like a good idea, but is it an invasion of privacy? In this expert response, Ernie Hayden discusses the best ways to maintain privacy and keep laptops ...  Continue Reading

• How to grant local admin rights with Global Policy Objects

  When granting local admin rights, it's important to do it securely. Learn how to use Global Policy Objects and global security groups to do it correctly.  Continue Reading

• Is a PCI DSS report on compliance confidential?

  Learn about the confidentiality of a PCI report on compliance, and a compliance audit report in general in this expert response from Ernie Hayden.  Continue Reading

• Electronic access control system and biometrics authentication

  Biometrics authentication and an electronic access control system can be closely related, but they're not the same thing. In this IAM expert response, Randall Gamby explains the difference.  Continue Reading

• Tips for writing secure SQL database code

  Writing secure code is always a challenge, but it is particularly necessary for SQL databases that would otherwise be vulnerable to SQL injection attacks. Get tips on how to write secure SQL database code in this expert response.  Continue Reading

• Security report template: How to write an executive report

  Writing a security report for executives doesn't have to be difficult or extensive, but security management expert Ernie Hayden describes how to make it comprehensive and clear.  Continue Reading

• Is it possible to crack the public key encryption algorithm?

  Is it possible to create a PKI encryption key that is unbreakable? IAM expert Randall Gamby weighs in.  Continue Reading

• HIPAA and Social Security numbers in a hospital computer network

  Learn when Social Security numbers can be used for patient identification without violating HIPAA patient confidentiality requirements.  Continue Reading

• What are the top three network intrusion techniques?

  Nick Lewis reviews the top three technologies used by hackers to cover their tracks after a network intrusion.  Continue Reading

• PKI vulnerabilities: How to update PKI with secure hash functions

  Learn how to prevent PKI vulnerabilities recently announced by Dan Kaminsky from being exploited at your enterprise with advice from IAM expert Randall Gamby.  Continue Reading

• Disaster recovery and business continuity tabletop exercises

  When disaster strikes, will your enterprise be ready? In this security management expert response, David Mortman explains what questions to ask during disaster recovery and business continuity tabletop exercises.  Continue Reading

• Personally identifiable information guidelines for U.S. passport numbers

  Do U.S. passport numbers count as personally identifiable information? Learn more about guidelines for PII in this security management expert response from David Mortman.  Continue Reading

• How to protect a laptop: Biometrics vs. encryption

  How has biometrics changed the laptop security landscape? Is full disk encryption even necessary on a laptop with a biometric scanner? Learn more in this expert response.  Continue Reading

• Manage access to social networking sites with an acceptable use policy

  Social networking sites can cause security issues, but sites like Twitter and Facebook can also open up significant business opportunities. Learn how to manage employee access to social networking sites to make sure only those employees who need ...  Continue Reading

• FERPA regulation guidelines to email student personal data unencrypted

  In order to protect student personal data, FERPA was enacted in 1974. But does protecting that data allow for FERPA educational records to be sent unencrypted via email? Find out in this expert response.  Continue Reading

• PCI DSS questions: Should full credit card numbers be on a receipt?

  Are merchants that fall under PCI DSS allowed to print full credit card numbers on a receipt? Learn more in this response from security management expert David Mortman.  Continue Reading

• How do hackers bypass a code signing procedure to inject malware

  In this expert Q&A, Michael Cobb reveals how malicious applications can actually be approved by Symbian's Express Signing procedure.  Continue Reading

• How to encrypt passwords using network security certificates

  Learn the most secure way to transfer passwords to applications using network security, identity management, and application security certificates.  Continue Reading

• Prevent meet-in-the-middle attacks with TDES encryption

  Don't let meet-in-the-middle attacks decrypt your sensitive data. Learn how to use the triple DES encryption algorithm to prevent such attacks, with expert Randall Gamby.  Continue Reading

• How to use single sign-on (SSO) for a server configuration

  Using SSO for a server configuration can be done a few different ways. Learn more in this expert response from Randall Gamby.  Continue Reading

• Disaster recovery risk assessment for cyberterrorism attacks

  In recent days, the threat of cyberterrorism attacks seems to loom darker. In this expert response, learn whether cyberterrorism threats should be feared and how to prepare for them.  Continue Reading

• How to protect employee information in email paystubs

  Many companies are moving to a system of paperless paystubs. Learn how to protect the information contained in these email paystubs with the use of secure email in this expert response.  Continue Reading

• LDAP signing requirements for various directory configurations

  While there is no longer a standard directory configuration, it is still possible to implement LDAP signing in most environments. Learn more about LDAP signing requirements from IAM expert Randall Gamby.  Continue Reading

• How to secure USB ports on Windows machines

  A readers asks expert Michael Cobb about which product can best secure USB ports.  Continue Reading

• What is an encryption collision?

  Michael Cobb reviews how encryption collision attacks on cryptographic hash functions could compromise the security of all kinds of digital systems.  Continue Reading

• What is the best database patch management process?

  Michael Cobb reviews how to handle database patches in the enterprise.  Continue Reading

• The pros and cons of implementing smart cards

  Most infosec pros agree that smart cards create a higher level of enterprise security than passwords alone. Learn how to weigh the pros and cons of smart cards to know if they're right for your enterprise?  Continue Reading

• IT business justification to limit network access

  Are you hoping to limit network access at your organization, but aren't sure how to go about creating an IT business justification for a proxy server? In this expert response, Randall Gamby explains what a proxy server can do, including how to ...  Continue Reading

• Prevent password cracking with password management strategies

  Passwords can be the weak link in any organization's security strategy. Learn how to protect your passwords from unauthorized users with these password management strategies from IAM expert Randall Gamby.  Continue Reading

• How to choose the best IT security certification for pen testing jobs

  Looking to get into the world of penetration testing, and you're not sure which certification might help? In this expert response, David Mortman explains how to know if pursuing a certification is right for your career.  Continue Reading

• How to prevent ActiveX security risks

  Application expert Michael Cobb explains why ActiveX security relies entirely on human judgment.  Continue Reading

• How serious is (ISC)2 about its code of ethics?

  One of the many security certification requirements for the CISSP is signing the (ISC)² code of ethics, but how seriously does (ISC)² take certificate holders' adherence to that code? David Mortman weighs in.  Continue Reading

• How to log in to multiple servers with federated single sign-on (SSO)

  Single sign-on is a rapidly evolving technology that, when partnered with federation tools, can offer a greater and greater level of granularity for access control. Learn how from expert Randall Gamby.  Continue Reading

• How to confirm the receipt of an email with security protocols

  Many websites try to ensure secure registrations by sending email confirmations. But how is it possible to confirm receipt of that email by the correct recipient? Identity and access management expert Randall Gamby weighs in.  Continue Reading

• What are Google Chrome's security features?

  In this expert response, Michael Cobb reviews the security features of Google Chrome.  Continue Reading

• Does an EULA make it truly illegal to decompile software?

  Michael Cobb explores a legal minefield: the legality of software decompilation.  Continue Reading

• Are there still Google Desktop security problems?

  Expert Michael Cobb explains why Google Desktop's "search across computers" feature has been so controversial.  Continue Reading

• Can an IP spoofing tool be used to spam SPF servers?

  Michael Cobb explains what the Sender Policy Framework can and cannot protect against, including IP spoofing attacks.  Continue Reading

• What are new and commonly used public-key cryptography algorithms?

  Expert Michael Cobb breaks down a variety of encryption algorithms and reviews the use cases for several types of cryptography.  Continue Reading

• Is a separate partition needed for OS and data files?

  You may have always been taught to install applications on a different partition than the OS, but do you actually know why?  Continue Reading

• How to set up a split-tunnel VPN in Windows Vista

  Setting up a split-tunnel VPN in Vista can help quicken network flow in the enterprise. In this expert response, Mike Chapple explains the steps to create a split-tunnel VPN.  Continue Reading

• How can URL-shortening services be manipulated?

  Expert Michael Cobb explains why URL-shortening services are another avenue of attack.  Continue Reading

• What are the export limitations for AES data encryption?

  Although AES is free for any use public or private, commercial or non-commercial programs that provide encryption capabilities are subject to U.S. export controls. Expert Michael Cobb reviews the limitations.  Continue Reading

• What is the difference between static and dynamic network validation?

  Network data analysis is essential to understanding the security configuration of your network. But what is the difference between static data validation and dynamic data validation? Find out in this expert response.  Continue Reading

• Verifying the security of software with static and dynamic verification

  Secure software is critical to all businesses, and security verification is an important part of that process. In this expert response, learn the difference between static and dynamic verification of security in software engineering.  Continue Reading

• Port scan attack prevention best practices

  While it's impossible to prevent against all port scanning attacks, there are best practices for port scanning security (such as a port scanning firewall) that can keep your network secure. Expert Mike Chapple weighs in.  Continue Reading

• A recovery point objective (RPO) vs. a recovery time objective (RTO)

  When making business continuity and disaster recovery plans, it's essential to come up with a recovery point objective (RPO) and a recovery time objective (RTO), but what is the difference between the two? Find out more in this expert response.  Continue Reading

• Securing the intranet with remote access VPN security

  Connecting remote offices with the main branch can be done many ways, but for those companies looking at tightly securing their intranet, they may need to consider remote access with VPN security. Learn more in this expert response.  Continue Reading

• How to prepare for a FERPA audit

  Does your educational institution have to comply with FERPA? David Mortman, security management expert, explains what FERPA requires for school records and what to do when your FERPA audit is right around the corner.  Continue Reading

• How to manage network bandwidth with distributed ISP bandwidth

  As enterprises grow, demand for bandwidth can increase exponentially. In this expert answer, Mike Chapple explains different techniques for managing network bandwidth with ISP distribution.  Continue Reading

• How to edit group policy objects to give a user local admin rights

  Giving a user local admin rights to his or her computer alone can be a tricky prospect. In this expert answer, Mike Chapple explains what Group Policy objects can and can't do to make this happen.  Continue Reading

• When to use the service features of the Metasploit hacking tool

  In this expert response, Michael Cobb explains why offloading resource-intensive penetration testing tasks to Metasploit may be an attractive option.  Continue Reading

• How to ensure the security of a shopping cart application

  In this expert response, Michael Cobb explains how threat modeling can help you secure your shopping cart application.  Continue Reading

• Preventing cross-site request forgery attacks

  Application security expert Michael Cobb explains how to stop cross-site request forgery attacks.  Continue Reading

• Steganography techniques: MD5 implementation or RC4 encryption?

  Although it is difficult to decipher encrypted data, steganography itself is relatively easy to detect. Expert Michael Cobb reviews which encryption algorithm is best to use when hiding important data.  Continue Reading

• Security comparison: Mac OS X vs. Windows

  The Mac OS X vs. Windows debate will likely never be resolved, but that won't stop expert Michael Cobb from giving it his best shot. Our platform security expert explains how each operating system combats malware.  Continue Reading

• Risk management strategy for an information technology solution provider

  Looking to create an enterprise risk management strategy for an information technology solution provider? Security management expert David Mortman weighs in.  Continue Reading

• How to prevent brute force webmail attacks

  Expert Sherri Davidoff explains why brute-force attacks on webmail accounts are such a popular hacking technique.  Continue Reading

• How to prevent mobile phone spying

  Your cell phone conversations and wireless activity are not private, says resident threat expert Sherri Davidoff, and it's important to remember that mobile phone spying is far too easy.  Continue Reading

• How to securely connect a LAN POS to a remote point-of-sale device

  Looking to connect your LAN POS securely to your remote point-of-sale device? Mike Chapple, network security expert, explains how to use encryption and a VPN to lock down this connection.  Continue Reading

• HHS HIPAA guidance on encryption requirements and data destruction

  Complying with HIPAA is only becoming more challenging. Fortunately, the Department of Health and Human Services has recently released some preliminary guidelines on how to deal with HIPAA's encryption requirements and data destruction.  Continue Reading

• A short enterprise VPN deployment guide

  When deploying a VPN in your enterprise, first check out this guide for some basic best practices, including how to define authentication requirements for the VPN and create a written user access policy.  Continue Reading

• What is the difference between a VPN and remote control?

  Mike Chapple reviews VPNs, remote controls, and how the two security technologies can be used in tandem.  Continue Reading

• Should enterprises be running multiple firewalls?

  While there may be scenarios where a single firewall is an appropriate architecture for an organization, it's equally true that many environments may benefit from the use of more than one network device  Continue Reading

• What are the disadvantages of proxy-based firewalls?

  Network security expert Mike Chapple explains why he strongly recommends the use of proxy-based firewalls.  Continue Reading

• What are best practices for fiber optic cable security?

  Mike Chapple compares the security of fiber optic cables to copper ones.  Continue Reading

• Are Web application penetration tests still important?

  Web application penetration tests continue to be an important part of the secure software development lifecycle process in order to reduce the number and severity of security-related design and coding errors.  Continue Reading

• The requirements needed to make an external penetration test legal

  Rule number one of pen testing: Make sure you have permission in hand before you begin. But there's much more than this needed to perform a successful penetration test on a wireless network.  Continue Reading

• Creating an SSL connection between servers

  Learn the most secure way to create and SSL connection between servers with this advice from network security expert Mike Chapple.  Continue Reading

• Comparing an application proxy firewall and a gateway server firewall

  There are many types of firewalls in use in today's enterprises, so it's easy to get confused about the functions of each. In this expert response, learn the difference between a proxy server firewall and a gateway server firewall.  Continue Reading

• How to set up a DMZ

  Looking to set up a DMZ? Look no further. In this expert response, Mike Chapple explains the steps to creating a demilitarized zone.  Continue Reading

• IPS and IDS deployment strategies

  Deploying an IDS and an IPS system may seem like two different tasks, but really the two are closely related. Mike Chapple weighs in on the similarities of the deployment strategies.  Continue Reading