Ask the Experts

Ask the Experts

• Windows Phone 8 security: An enterprise alternative to BlackBerry?

  Expert Michael Cobb assesses Windows Phone 8 security to determine whether WP8 devices are safe enough to replace the BlackBerry in the enterprise.  Continue Reading

• Assessing the impact of a Windows 8 bootkit on UEFI security

  With the release of a proof-of-concept bootkit for the Windows 8 platform, expert Michael Cobb assesses the potential threat to UEFI security.  Continue Reading

• Windows RT security: Does Microsoft's mobile OS differ from Windows 8?

  How should enterprises prepare for securing Windows RT devices? Expert Michael Cobb discusses the security differences between Windows RT and 8.  Continue Reading

• What risk does the Apple UDID security leak pose to iOS users?

  Expert Michael Cobb details Apple's Unique Device Identifiers, plus why iOS users should be concerned about the Anonymous UDID security leak.  Continue Reading

• Adjust security policies to combat Windows password hint attacks

  Researchers have revealed potential Windows user password hint vulnerabilities. Expert Michael Cobb discusses how to address such attacks in policies.  Continue Reading

• Choosing an external auditor: What to look for in an auditing firm

  Expert Mike Chapple advises enterprises on how to choose an external auditor, focusing on four major qualities to look for in an auditing firm.  Continue Reading

• Complying with MasterCard's new PCI Level 2 assessment requirements

  Expert Mike Chapple breaks down how Level 2 merchants can comply with MasterCard's new requirement for PCI self-assessments.  Continue Reading

• COBIT 5 certification: What training is necessary for accreditation?

  Expert Mike Chapple offers advice for understanding COBIT and what it takes to acquire COBIT 5 certification.  Continue Reading

• Preventing a distributed denial-of-service attack: Is hardware needed?

  Expert Matthew Pascucci suggests four key questions to ask yourself when developing distributed denial-of-service attack mitigation tactics.  Continue Reading

• How to implement firewall policy management with a 5-tuple firewall

  Matt Pascucci explains how to implement firewall policy management for 5-tuple firewalls when ports must be kept open for business reasons.  Continue Reading

• Exploring the security risks of network management outsourcing

  Is network management outsourcing the future of network security or too great a risk? Matthew Pascucci discusses the risks and rewards.  Continue Reading

• Why companies still use the insecure WPA and WEP protocols

  Expert Matthew Pascucci weighs in on why so many enterprises still use the insecure wireless encryption protocols -- WPA and WEP.  Continue Reading

• What is 'big data'? Understanding big data security issues

  In this Ask the Expert video, Ernie Hayden answers the question of what 'big data' is and outlines big data security issues in this video.  Continue Reading

• How should NFC security risks affect a BYOD security policy?

  Security expert Nick Lewis explores the emerging security risks posed by NFC technology and discusses their effect on enterprise BYOD policy.  Continue Reading

• Why a security conscience is key among CISO responsibilities

  Every firm needs a security conscience, according to expert Ernie Hayden, who says it is critical among key CISO responsibilities.  Continue Reading

• Cleaning a compromised server: How to detect booter shells, remnants

  Expert Nick Lewis discusses the importance of fully cleaning a compromised server and how to detect and remove booter shells and other remnants.  Continue Reading

• Avoiding the invisible: How to defend against iFrame attacks

  How can enterprises and users protect themselves from malicious content embedded in iFrames? Expert Nick Lewis explores iFrame attack mitigations.  Continue Reading

• How to protect users exposed to cache poisoning attacks by HTML5

  Expert Nick Lewis explains how the HTML5 offline application cache exposes users to the threat of cache poisoning and provides mitigation options.  Continue Reading

• Conducting APT detection when Elirks, other backdoors hide traffic

  Is it possible to detect APT attacks when malicious traffic is hidden? Expert Nick Lewis details how the Elirks backdoor connection hides APT traffic.  Continue Reading

• Four compliance IT management tips to improve employee engagement

  Mike Chapple offers four tips for improving employee collaboration and creativity with an enterprise's compliance program.  Continue Reading

• Mobile payment networks: What are the PCI compliance requirements?

  Mike Chapple discusses what the PCI compliance requirements might look like for mobile payment networks such as Merchant Customer Exchange (MCX).  Continue Reading

• HITRUST C-TAS: Is it the new compliance mandate?

  Mike Chapple discusses the new HITRUST C-TAS information-sharing consortium and clarifies whether it relates to the HIPAA compliance mandate.  Continue Reading

• How to reduce PCI scope with credit card tokenization

  It's possible to reduce PCI scope with credit card tokenization if it is implemented properly. Expert Mike Chapple explains in this Q&A.  Continue Reading

• How an assessor validates the PCI DSS scope of compliance

  Expert Mike Chapple explains the four tests a QSA performs to validate that an organization has properly defined their PCI DSS scope of compliance.  Continue Reading

• How to determine if you're using a PCI-compliant cloud provider

  Small business credit card processing from a PCI-compliant cloud provider can help reduce the burden of PCI compliance. Expert Mike Chapple explains.  Continue Reading

• Does the iOS Security Guide reveal any Apple iOS security issues?

  Expert Michael Cobb digs into the Apple iOS Security Guide to see if any iOS security issues are revealed.  Continue Reading

• How enterprises should address the latest Skype security concerns

  A Web-based tool has exposed some serious Skype security concerns. Expert Michael Cobb discusses the options for organizations that rely on Skype.  Continue Reading

• How to address gTLD security as ICANN accepts more applications

  Expert Michael Cobb provides advice on addressing gTLD security as ICANN accepts more and more domain extension applications.  Continue Reading

• Implement software development security best practices to support WAFs

  WAFs aren't a panacea for all Web security woes. Software development security best practices are still vital. Expert Michael Cobb discusses why.  Continue Reading

• Establish a screen timeout period as part of a BYOD security policy

  Expert Michael Cobb provides advice on why and how enterprises should establish a screen timeout period as part of any BYOD security policy.  Continue Reading

• How to protect sensitive data when executives travel abroad

  Concerned about data theft when enterprise executives travel? Security expert Nick Lewis details how to protect sensitive data when execs go abroad.  Continue Reading

• Review wireless network security after Google Street View controversy

  Expert Nick Lewis explains the Google Street View controversy and why enterprises should be anxious about their wireless network security, not Google.  Continue Reading

• How Android users can overcome LeNa malware, slow carrier updates

  Android users can't rely on slowly deployed carrier updates to protect them from the LeNa malware. Expert Nick Lewis explains.  Continue Reading

• Will Firefox security improve with browser plug-in check?

  Will Mozilla's possible support of a browser plug-in check improve Firefox security? Expert Nick Lewis discusses the pros and cons of the feature.  Continue Reading

• Consider disabling Java as malware targets JRE vulnerabilities

  Expert Nick Lewis advises enterprises to disable Java to defend against cross-platform malware that targets JRE vulnerabilities.  Continue Reading

• Can ISO 27002 be used as a standalone guide for security management?

  Learn the difference between ISO 27001 and ISO 27002, and how the latter can be used to build an infosec program.  Continue Reading

• Submitting a report on compliance from an old PCI assessment provider

  Can companies submit a report on compliance to a new credit card transaction processor via a PCI assessment provider? Mike Chapple discusses.  Continue Reading

• Regulatory compliance requirements of a cryptographic system

  Mike Chapple discusses what to look for in a cryptographic system from a legal and regulatory compliance standpoint.  Continue Reading

• Company-wide compliance: How to choose a PCI awareness training program

  Expert Mike Chapple offers options for companies seeking a PCI awareness training program for employees.  Continue Reading

• How to secure C-level support for ongoing PCI compliance

  Expert Mike Chapple offers advice on how security professionals can obtain C-level support for ongoing PCI compliance.  Continue Reading

• Most common IT audit findings and how to remediate them

  Expert Mike Chapple uncovers some of the most common -- and embarrassing -- IT audit findings and explains how to remediate each one.  Continue Reading

• How to ensure secure remote access to shield enterprise clients, users

  Expert Nick Lewis explains why remote access software is such a common attack target before providing simple steps to achieve secure remote access.  Continue Reading

• Replace technical debt-laden Adobe Reader with alternative PDF readers

  Adobe Reader's technical debt may pose too great a security risk for some enterprises. Security expert Nick Lewis advises turning to alternative PDF readers.  Continue Reading

• Advice on IT security for users when the BYOD security policy fails

  Security expert Nick Lewis suggests how each individual enterprise can deal with mobile security risk by instituting a BYOD security policy to fit its needs.  Continue Reading

• Defend against iPad exploit, rogue access point attacks

  An iPad exploit that attacks a rogue access point is dangerous for enterprises and home users. Expert Nick Lewis explains how to defend against it.  Continue Reading

• How to reassess privacy settings in wake of Facebook cloaking issues

  Expert Nick Lewis discusses how Facebook cloaking exposed users' personal info and why it's important to control social media security settings.  Continue Reading

• Defend against the SQL injection tool Havij, other SQL injection tools

  Expert Nick Lewis discusses the dangers of the SQL injection tool Havij and provides tips to protect the enterprise against other SQL injection tools.  Continue Reading

• Assessing Pinterest security and defending against Pinterest spamming

  Expert Nick Lewis discusses the state of Pinterest security and provides info on preventing Pinterest spamming and other social engineering attacks.  Continue Reading

• H.264 vs Flash: Using the H.264 codec as a secure Flash alternative

  Can the H.264 video codec serve as a more secure Flash alternative? Expert Nick Lewis provides a security breakdown of H.264 vs Flash.  Continue Reading

• BYOD security policy: Mitigate BYOD risk with device requirements

  How can enterprises mitigate the BYOD risk? Expert Michael Cobb suggests some device requirements to include in a BYOD security policy.  Continue Reading

• Does Flashback malware show need for more Mac hardening?

  The recent Flashback malware proved attackers are targeting Macs, too. Learn how to improve Mac hardening against future Mac malware.  Continue Reading

• Use cybercrime statistics to combat organized cybercrime

  Expert Michael Cobb provides some cybercrime statistics and discusses how organized cybercrime is using free Web analytics tools to plan attacks.  Continue Reading

• Software-defined networking: Anticipating SDN security for enterprises

  Software-defined networking is set to transform networking technology, but what about security? Expert Michael Cobb provides an SDN security primer.  Continue Reading

• Preparing for Windows 8 BYOD: Security features on Windows 8 tablets

  How should enterprises be preparing for Windows 8 BYOD tablets? Expert Michael Cobb breaks down the security features for Microsoft's upcoming OS.  Continue Reading

• Verizon DBIR 2012: On Web app security, basics still lacking

  Expert Michael Cobb analyzes takeaways from the Verizon DBIR 2012 report regarding Web app security and the need for more basic security measures.  Continue Reading

• The SSL handshake process: Public and privates keys explained

  Expert Michael Cobb details the SSL handshake and the role of public and private keys in a C2B transaction.  Continue Reading

• What are the costs and benefits of Good Mobile Access for Android?

  Expert Michael Cobb details the costs and benefits of Android GMA, which raises the bar for mobile browser security.  Continue Reading

• The security benefits of silent updates: Timing is everything

  In light of the increasing popularity of silent updates, expert Michael Cobb examines their security and application-compatibility implications.  Continue Reading

• How to choose secure Android lock patterns

  Get advice from expert Michael Cobb on how to secure your Android device with good Android lock patterns.  Continue Reading

• Sharing security intelligence: How to build a strong network

  Expert Nick Lewis explains how enterprises can forge strong security networks that support sharing security intelligence.  Continue Reading

• Picking the best enterprise antivirus product: Does AV research count?

  Is your enterprise conducting an anti-malware comparison? Expert Nick Lewis provides metrics to find the best fit for your enterprise's needs.  Continue Reading

• Avoiding a breach by a third-party data recovery services provider

  Expert Nick Lewis discusses the security requirements enterprises should establish when selecting a third-party data recovery services provider.  Continue Reading

• Enterprises must help identify secure mobile apps, define malware

  Expert Nick Lewis explains the role enterprises should play in helping BYOD users define malware and identify secure mobile apps.  Continue Reading

• Prevent the threat of the Low Orbit Ion Cannon tool, Web-based malware

  Recent DDoS attacks by Anonymous show why enterprises must avoid the Low Orbit Ion Cannon tool and other Web-based malware. Expert Nick Lewis explains.  Continue Reading

• PCI DSS lessons learned from Global Payments data breach

  Expert Nick Lewis discusses the Global Payments data breach, focusing on lessons to be learned for PCI DSS-compliant enterprises.  Continue Reading

• Remote access audit: Assessing remote desktop access software

  Is your remote desktop access software really secure? Randall Gamby offers advice for conducting a remote access audit to validate security.  Continue Reading

• Enterprise risk-based authentication: Has it finally arrived?

  Expert Randall Gamby discusses risk-based authentication, and whether that type of user identification system is right for the enterprise.  Continue Reading

• Types of SSO: Comparing two vendors' approaches to single sign-on

  Expert Randall Gamby discusses various types of single sign-on, specifically the approaches of Ping Identity's SSO and Symplified SSO.  Continue Reading

• Is IDaaS viable for a hybrid enterprise identity management system?

  Is IDaaS a wise choice for managing access to cloud and on-premise systems? Randall Gamby discusses hybrid identity management systems.  Continue Reading

• How to manage feedback in the compliance review process

  The compliance review process can be complicated, especially when getting input from others. Mike Chapple offers advice to streamline the process.  Continue Reading

• Security vs. compliance: Moving beyond a 'checkbox security' mentality

  Mike Chapple discusses the compliance vs. security challenge and why a "checkbox security" mentality may actually be a good thing.  Continue Reading

• Do I need GRC or compliance management software?

  Is it necessary to purchase pricey GRC or compliance management software to meet PCI DSS and HIPAA compliance requirements? Mike Chapple discusses.  Continue Reading

• Monitoring P2P activity by tracking corporate IP addresses

  Mike Chapple discusses whether you should be monitoring P2P activity with site crawling and info gathering websites like YouHaveDownloaded.com.  Continue Reading

• Video Ask the Expert: Ernie Hayden on big data information security

  Ernie Hayden answers questions about big data security in this Ask the Expert video.  Continue Reading

• Purchasing a next-gen firewall: Buying from vendors in legal battles

  Mike Chapple discusses whether enterprises should purchase next-gen firewall products from allegedly patent-infringing vendors.  Continue Reading

• Preventing Web database access with a triple-homed firewall

  Mike Chapple discusses database security best practices and how to protect against unauthorized Web access by using a triple-homed firewall.  Continue Reading

• Securing big data: Architecture tips for building security in

  Expert Matt Pascucci advises a reader on securing big data with tips for building security into enterprise big data architectures.  Continue Reading

• How to build C-level support for the benefits of penetration testing

  Matt Pascucci offers advice on how to justify the value and present the benefits of penetration testing to corporate executives.  Continue Reading

• Network perimeter security: How to audit remote access services

  Matt Pascucci discusses the best tools to audit Internet-facing remote access services and boost network perimeter security.  Continue Reading

• VPN troubleshooting: Isolating VPN session timeout issues

  Expert Matt Pascucci offers VPN troubleshooting advice, specifically best practices for troubleshooting VPN session timeout and lockout issues.  Continue Reading

• PCI compliance in the cloud: Can cloud service providers manage PCI?

  PCI compliance in the cloud is controversial, so can a company really trust cloud service providers to manage their PCI DSS compliance?  Continue Reading

• Privilege access management: User account provisioning best practices

  Broad user account provisioning can give users too much access. Randall Gamby offers privilege access management advice to prevent 'privilege creep.'  Continue Reading

• Online password security: Are Verified by Visa-like programs enough?

  Randall Gamby offers additional security measures enterprises can employ to supplement their existing password-reset process.  Continue Reading

• Secure remote access best practices: Guidelines for the enterprise

  Remote access threats are on the rise. Use expert Randall Gamby's secure remote access best practices to help users make good security decisions.  Continue Reading

• Prepare your enterprise network for the DSN Changer botnet takedown

  Expert Nick Lewis details the DNS Changer botnet takedown and its impact on enterprise security. Learn how to search for DNS Changer on client machines.  Continue Reading

• IMEI authentication: OK as a mobile authenticator?

  Is IMEI authentication a secure choice when considering a mobile authenticator? Randall Gamby explains why it may not be a wise choice.  Continue Reading

• MDM architecture considerations for enterprise identity management

  Randall Gamby details which enterprise identity management features to look for when evaluating products as the basis for an MDM architecture.  Continue Reading

• SCIM identity management and SCIM provisioning options

  SCIM identity management and identity provisioning have increased in their implementation. Learn how a company can assess these technology options.  Continue Reading

• Password compliance and password management for PCI DSS

  Can poor password management lead to PCI DSS non-compliance? Mike Chapple outlines key password compliance best practices.  Continue Reading

• Does reducing data storage improve PCI credit card compliance?

  Mike Chapple discusses whether reducing customer credit card data storage is better, worse or ineffective for improving PCI credit card compliance.  Continue Reading

• Does BEAST SSL tool represent an SSL threat?

  Expert Nick Lewis analyzes the potential SSL threat that the BEAST SSL tool poses and discusses whether enterprises should be concerned.  Continue Reading

• Revisiting JRE security policy amid new ways to exploit Java

  Expert Nick Lewis analyzes the increasing ability by hackers to exploit Java and the need to perform a JRE security policy analysis in response.  Continue Reading

• Can XML encryption thwart XML attacks?

  Expert Nick Lewis discusses proof-of-concept XML attacks and possible steps for defending data protected by XML encryption.  Continue Reading

• Threat of SSL malware highlights SSL security issues

  Expert Nick Lewis highlights SSL security issues and the threat of SSL malware being transmitted via HTTPS. Is this a serious blow to SSL security?  Continue Reading

• Adobe and HTML 5: Safer than Flash mobile development?

  Expert Nick Lewis determines whether the combination of Adobe and HTML 5 will be safer for enterprises than Flash mobile development.  Continue Reading

• Does accelerometer research portend keyboard-vibration attacks?

  Expert Nick Lewis examines smartphone accelerometer research that may lead to keyboard-vibration attacks via a smartphone on a nearby computer.  Continue Reading

• Using social engineering testing to foster anti-social engineering training

  Worried your users could easily be pwned? Learn about improving social engineering testing to foster anti-social engineering training.  Continue Reading

• How to detect and mitigate Poison Ivy RAT malware-style attacks

  Learn how to prevent malcode like the Poison Ivy RAT malware, sophisticated malware that has been crafted especially for an enterprise take-down.  Continue Reading

• Can a malware 'pressure chamber' provide effective malware containment?

  Infosec threats expert Nick Lewis discusses the viability of an antimalware "pressure chamber: to help bolster enterprise malware containment.  Continue Reading

• How acceptable use agreements can combat BYOD security issues

  Is your organization facing BYOD security issues? Learn how the implementation of acceptable use agreements can help contain these issues.  Continue Reading