Ask the Experts

Ask the Experts

• How can enterprises prevent same-origin policy XSS vulnerabilities?

  Researchers warned about the rise of a new cross-site scripting flaw involving same-origin policy. Expert Nick Lewis explains the vulnerability and how to prevent falling victim.  Continue Reading

• How can malicious software wrapping be avoided?

  Malware authors are adopting software wrapping to hide malicious code and avoid detection. Expert Nick Lewis explains how to defend against the threat.  Continue Reading

• How can enterprises defend against digitally signed malware?

  Malicious software using legitimate digital certificates is reportedly on the rise. Expert Nick Lewis explains how to mitigate the risks of digitally signed malware.  Continue Reading

• How can power consumption-tracking malware be avoided?

  Malware authors are using power consumption tracking-malware to eavesdrop on and attack mobile devices. Expert Nick Lewis explains the threat and how to defend against it.  Continue Reading

• Should security funds be dedicated to hiring or tools?

  Security funds can be tough to come by, so when managers get them should they focus on strengthening security through hiring or through purchasing tools?  Continue Reading

• How can security leaders create a positive work environment?

  It's the responsibility of security leaders to create a positive work environment for security teams, which can be tough to do in such a demanding field. Here's how.  Continue Reading

• How is the NIST Cybersecurity Framework being received?

  The NIST Cybersecurity Framework gets mixed reviews, but it could be a good starting point for organizations looking to better manage cybersecurity.  Continue Reading

• How will the Cybersecurity Information Sharing Act affect enterprises?

  The Cybersecurity Information Sharing Act has ruffled some feathers in the security industry. What is the CISA and what is the debate around it?  Continue Reading

• What cybersecurity spending strategies will best help enterprises?

  Increased cybersecurity spending budgets don't happen very often, but when they do CISOs should take advantage of it. Here's how to strategize spending an increased security budget.  Continue Reading

• Can a thermal sensor pull data from an air-gapped computer?

  An air-gapped computer is supposed to be safe from over-the-air attacks, yet new research exposed a vulnerability that allows heat and thermal sensors to extract data. Expert Nick Lewis explains how to address the threat.  Continue Reading

• What is domain shadowing and how can enterprises defend against it?

  Exploit kits and malware attacks have adopted a technique called domain shadowing to stay ahead of the game. Learn what domain shadowing is and how to defend against attacks using it.  Continue Reading

• How can the Dridex banking Trojan's new features be detected?

  The Dridex banking Trojan has adopted new functionality to bypass virtual machines. Expert Nick Lewis discusses the enterprise controls to help detect and defend against the threat.  Continue Reading

• njRAT: How can .NET malware be detected and mitigated?

  A Trojan called njRAT has emerged that is written in .NET rather than the traditional C/C++. Expert Nick Lewis explains how to detect and avoid the threat.  Continue Reading

• What do merchants need to know about PCI tokenization guidelines?

  New guidance from the PCI SSC includes some essential aspects of tokenization security and what merchants need to know about tokenization products.  Continue Reading

• How can phishing emails spoofing TLDs be avoided?

  Attackers have found a loophole in SPF verification and are using the .gov top-level domain to trick users with phishing emails. Expert Nick Lewis explains how to defend against the threat.  Continue Reading

• Does the HHS Web portal affect data breach reporting?

  HIPAA data breach reporting now uses an electronic Web portal, so what does this mean for covered entities? Expert Mike Chapple explains.  Continue Reading

• How can a compliance management plan help enterprises avoid fatigue?

  Complex compliance mandates can lead to compliance fatigue. Expert Mike Chapple explains how to develop an effective compliance management plan.  Continue Reading

• What are the security benefits of self-healing networks?

  How do self-healing networks function? Expert Kevin Beaver looks at the benefits such a network has to offer, as well as the key concepts self-healing networks bring to an enterprise security strategy.  Continue Reading

• Is a DNSSEC implementation an enterprise necessity?

  While there are numerous security benefits to a DNSSEC implementation, there are drawbacks as well. Expert Kevin Beaver explains.  Continue Reading

• Should the Netdump flaw deter enterprise ODL SDN use?

  The benefits of the ODL SDN platform are promising, but what about the recent Netdump flaw it experienced? Expert Kevin Beaver discusses why you may not want to pass on OpenDayligh just yet.  Continue Reading

• Is network port security a worthwhile enterprise security strategy?

  The benefits of network port security as it relates to network access control has come under the microscope. Expert Kevin Beaver explains the benefits of this approach as well as its drawbacks.  Continue Reading

• How can mobile certificate security risks be reduced?

  According to recent research, mobile certificate usage is riddled with security issues. Expert Michael Cobb explains how to best control and secure mobile certificates in the enterprise.  Continue Reading

• Is Project Shumway a viable enterprise option to replace Flash?

  Mozilla's Project Shumway was designed to replace the security-troubled Flash Player, so should it be on an enterprise's radar? Expert Michael Cobb discusses.  Continue Reading

• How can geofencing improve an enterprise security strategy?

  Geofencing technology creates a virtual fence on employee devices, adding a crucial extra layer of security. But do privacy concerns negate the benefits of this feature? Expert Michael Cobb explains.  Continue Reading

• Do third-party DNS providers pose security risks?

  Third-party DNS providers claim to improve browsing times and speeds, but are they a secure enterprise option? Expert Michael Cobb explains.  Continue Reading

• What's the best way for enterprises to avoid shelfware?

  Shelfware is an increasing concern for enterprises, but expert Mike O. Villegas has some suggestions to help combat the problem.  Continue Reading

• Wearables security: Do enterprises need a separate WYOD policy?

  Wearable technology is infiltrating the enterprise, much like BYOD has. Expert Michael Cobb discusses the security concerns of wearables and outlines how to create a WYOD policy.  Continue Reading

• Should risk management planning include root cause analysis?

  Incorporating root cause analysis in risk management planning could be beneficial to developing a security plan, but is it the best time for it?  Continue Reading

• What's the best way to protect sensitive information while traveling?

  Security professionals often have to travel with important data, but that introduces many security risks. Here are some tips to protect sensitive information while traveling.  Continue Reading

• Are cybersecurity certifications a key requirement for new hires?

  Cybersecurity certifications are attractive qualifications in a candidate, but hiring managers should always look for other traits when hiring security professionals.  Continue Reading

• What are the compliance requirements for Web application firewalls?

  Web application firewalls may be a way to better security, but organizations need to be aware of the compliance implications of WAFs.  Continue Reading

• What are the key takeaways from the SEC financial security report?

  An SEC financial security report shows over three-quarters of financial institutions were subject to at least one cybersecurity attack. Expert Mike Chapple looks at common trends.  Continue Reading

• What happens if the Data Accountability and Trust Act becomes a law?

  The Data Accountability and Trust Act is likely to become a law this year. Expert Mike Chapple advises organizations on how to prepare.  Continue Reading

• If mobile remote wipe isn't an option, will selective wipe do?

  Remote wipe isn't always an option when it comes to securing enterprise BYOD use. Learn how selective wipe and enterprise wipe technology can help erase corporate data on lost devices without compromising personal data.  Continue Reading

• Can a walled garden approach help secure Web browsers?

  While a walled garden can help secure Web browsers, they are not seen as beneficial by all. Expert Michael Cobb explains why.  Continue Reading

• Can a new encryption trick prevent reverse engineering?

  Expert Michael Cobb explains how reverse engineering can be made more difficult with an approach called Hardened Anti-Reverse Engineering System or HARES.  Continue Reading

• How is a smart sandbox different from traditional sandbox technology?

  Expert Michael Cobb explains what a smart sandbox is, how it differs from traditional sandbox technology, and when one should be considered for enterprise use.  Continue Reading

• How can I mitigate the risks of alternative Android browsers?

  Expert Michael Cobb explains the security risks surrounding alternative Web browsers, as well as approaches enterprises can take to prevent BYOD employees from using them.  Continue Reading

• Email security gateways vs. Web security gateways: Do you need both?

  When replacing an email security gateway, should a Web security gateway be used or another email gateway? Expert Kevin Beaver explains.  Continue Reading

• What do end-of-software development dates mean for security?

  Expert Kevin Beaver explains how organizations should address end-of-software development dates, and what they ultimately mean to enterprise security.  Continue Reading

• Can a read-only domain controller maximize DMZ security?

  Are read-only domain controllers a more secure option for setting up domain services in a DMZ than using a separate domain? Expert Kevin Beaver explains.  Continue Reading

• Do enterprises need an internal firewall?

  Internal firewalls are on the market, but how do they differ from traditional firewalls? Expert Kevin Beaver explains the benefits and drawbacks.  Continue Reading

• How has enterprise SSO technology evolved?

  Enterprise SSO products have matured over the years, so what's the state of eSSO today? Expert Randall Gamby discusses.  Continue Reading

• The FIDO authentication framework: What do enterprises need to know?

  Enterprises need a full understanding of the FIDO authentication framework before switching to its technology. Expert Randall Gamby looks at the most important points of the UAF.  Continue Reading

• Which is safer: an HSM appliance or a virtual appliance?

  A self-managed HSM appliance may be the safer external key management system to use with your organization's encryption keys. Here's why.  Continue Reading

• Which authentication method is better: 2FA or MFA?

  Which authentication method is better for securing enterprise devices and systems: two-factor authentication or multifactor authentication?  Continue Reading

• How should enterprises react to compromised biometric information?

  Securing biometric information is a crucial step for enterprises to take, but what happens if the data is still compromised? Expert Randall Gamby discusses biometric data security.  Continue Reading

• What VoLTE security risks should enterprises be aware of?

  Mobile devices are coming enabled for VoLTE for voice and video calling, but what are the risks? Network security expert Kevin Beaver explains.  Continue Reading

• How can the Border Router Security Tool improve enterprise security?

  The Border Router Security Tool aims to improve router security to boost Internet safety. Expert Kevin Beaver explains its place in the enterprise.  Continue Reading

• Security alerts: What's the best way to reduce false positives?

  False positive security alerts are troublesome, costly and time-consuming. Expert Kevin Beaver explains how to reduce the number of false positives  Continue Reading

• How can the SSDP protocol be secured to prevent DDoS attacks?

  Attackers are targeting the SSDP protocol to amplify the effects of DDoS attacks. Learn what this protocol does and how to secure it.  Continue Reading

• How can the Angler exploit kit's latest capabilities be mitigated?

  As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick Lewis advises how to mitigate the threat.  Continue Reading

• How can the Siri attack, 'iStegSiri,' be mitigated?

  A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against such threats.  Continue Reading

• How can enterprises prevent man-in-the-email attacks?

  A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training and little technology.  Continue Reading

• How does user behavior analytics compare to security awareness training?

  User behavior analytics is emerging as a technology to prevent malware infections and end-user attacks, but how viable is it? Expert Nick Lewis outlines the pros and cons.  Continue Reading

• How does the PFP Cybersecurity power consumption tool detect malware?

  A new tool claims to detect malware by monitoring power consumption -- but is it good for enterprise use? Enterprise threats expert Nick Lewis explains.  Continue Reading

• How can an HTTP referer header help maintain user Web privacy?

  Expert Michael Cobb explains how an HTTP referer header affects user privacy and outlines changes that can be made to ensure sensitive data is not leaked.  Continue Reading

• Block ciphers: REESSE3+ vs. International Data Encryption Algorithm

  Expert Michael Cobb explains the difference between the REESSE3+ and IDEA block ciphers and explores when each is applicable in an enterprise setting.  Continue Reading

• Bloom cookies: Privacy without prohibiting Web personalization?

  While cookies are critical to delivering personalized Web content, they are a privacy concern. Learn how adding Bloom filters to cookies can help enhance privacy while maintaining personalization.  Continue Reading

• Does Peerio offer secure enterprise messaging and file sharing?

  A new app for end-to-end encrypted messaging and file sharing is available, but is it ready for enterprise use? Expert Michael Cobb explains.  Continue Reading

• How can we secure enterprise email at home and abroad?

  Emails often contain sensitive information, yet the proper measures are not always taken to secure them. Learn how to keep corporate email safe both at home and in foreign countries.  Continue Reading

• Can application whitelisting help retailers improve POS security?

  POS security continues to be a pain point for retailers. Whitelisting can help, but it can't fix the problem alone.  Continue Reading

• How can CISOs promote interdepartmental cooperation?

  CISOs should take on the responsibility of encouraging interdepartmental cooperation between the security team and IT operations. Here are five ways to accomplish this lofty task.  Continue Reading

• Can thinking like cyberattackers improve organizations' security?

  Getting in the minds of cyberattackers can help organizations mount better defenses against attacks. Here are some ways to accomplish this.  Continue Reading

• How should CSIRTs respond to email extortion schemes?

  The 2014 Sony Pictures hack highlights the importance of responding appropriately to email extortion. Learn what steps executives should take to best manage the situation.  Continue Reading

• What privacy controls are in the HITRUST Common Security Framework?

  The updated HITRUST Common Security Framework allows organizations to manage privacy, security and compliance with one framework. Here's how it works and what the update includes.  Continue Reading

• What do organizations need to know about privacy in a HIPAA audit?

  A HIPAA audit covers privacy compliance, and organizations need to be prepared. Expert Mike Chapple discusses privacy in the audits.  Continue Reading

• Is a data breach warranty worth the investment?

  A data breach warranty may seem like a tempting way to survive a costly attack, but it may not be all it's hyped up to be. Expert Mike Chapple examines.  Continue Reading

• What's the difference between extortionware and ransomware?

  Enterprise threats expert Nick Lewis explains the difference between extortionware and ransomware in terms of what they are and how to defend against them.  Continue Reading

• WordPress security: How can the SoakSoak malware be stopped?

  Enterprise threats expert Nick Lewis offers advice on how to defend against the SoakSoak malware targeting insecure WordPress sites.  Continue Reading

• What's the best defense against BlackEnergy malware?

  The BlackEnergy malware has evolved from DDoS launching to a crimeware tool to an APT. Learn more about its changes and new defense measures for combatting the threat.  Continue Reading

• How can I ensure a rootkit removal was successful?

  A rootkit was found and you think you've removed it, but how do you confirm it? Enterprise threats expert Nick Lewis explains the next steps to ensure rootkit removal.  Continue Reading

• How can we detect and uninstall bloatware?

  Unwanted preinstalled software -- also known as bloatware -- has made its way onto PCs and mobile devices alike. Expert Nick Lewis explains how to detect and uninstall the potential threat.  Continue Reading

• What's the best way to provide Wi-Fi guest network security?

  Expert Kevin Beaver explains the steps enterprises should take to ensure secure guest wireless networks for visitors and the enterprise alike.  Continue Reading

• What's the best way to secure VPN access for teleworkers?

  The U.S. Postal Service suspended teleworking following a recent breach. Expert Kevin Beaver explains why teleworkers aren't always to blame in the event of a breach and explores methods for secure VPN access.  Continue Reading

• How can the Misfortune Cookie router vulnerability be avoided?

  While the Misfortune Cookie router flaw can only be fixed by hardware vendors, there are several things enterprises can do to minimize the impact of such a vulnerability. Expert Kevin Beaver explains.  Continue Reading

• Can eavesdropping over the SS7 protocol be prevented?

  Recently revealed insecurities in SS7 have left many unsure about the well-used protocol needed for phone connections. However, the answer to achieving security is not easily obtained.  Continue Reading

• Can simple photography beat biometric systems?

  Simple photography cracking biometric systems highlights the need for two-factor authentication in enterprises according to expert Randall Gamby.  Continue Reading

• What does bimodal IAM mean for user credentials?

  Bimodal IAM may be a new term, but this new way to use user credentials should probably already be in practice among secure organizations.  Continue Reading

• Can reviewing credential dumps protect identity information?

  Reviewing credential dumps could potentially save identity information from being stolen and used in a data breach. Expert Randall Gamby explains why it's worth the extra work.  Continue Reading

• What do organizations need to know about the final FFIEC guidance?

  The final FFIEC guidance covers a wide range of security subjects, but there are specific takeaways regarding authentication that enterprises should pay attention to.  Continue Reading

• How can organizations get control over privileged identity management?

  Doling out too many admin privileges can lead enterprises astray when it comes to privileged identity management, but there are ways they can take back control.  Continue Reading

• Browser and device fingerprinting: Undeletable cookies of the future?

  Browser and device fingerprinting create cookies that users cannot prevent nor delete. Expert Michael Cobb explains how to address the threat.  Continue Reading

• Will Certificate Transparency solve certificate authority trust issues?

  Explore how Certificate Transparency can help resolve certificate and certificate authority issues plaguing enterprises today.  Continue Reading

• Why are software bundles an enterprise software security issue?

  Third-party software bundling is not uncommon, but can present many issues to enterprise software security. Expert Michael Cobb discusses.  Continue Reading

• How can a cross-certificate make Android devices crash?

  Cross-signed certificates are causing Android devices to crash, and it's not the first time there's been a problem. Learn more about this issue and its potential security risks.  Continue Reading

• Is the Boeing Black self-destructing phone enterprise-grade?

  The Boeing Black self-destructing phone puts security first, but does it fit into an enterprise's mobile security scheme? Expert Michael Cobb explains.  Continue Reading

• Can Detekt identify remote administration Trojans and spyware?

  State-sponsored malware and commercial surveillance software can be difficult to identify. Expert Nick Lewis explains how the Detekt tool can help.  Continue Reading

• Man-in-the-mobile attack: Can DoubleDirect be mitigated?

  Man-in-the-middle attacks are now targeting smartphones in man-in-the-mobile attacks. Expert Nick Lewis explains how to defend against the threat.  Continue Reading

• Password malware: Can Trojans that capture passwords be mitigated?

  A variant of the Citadel malware emerged that compromises password management and authentication products. Enterprise threats expert Nick Lewis explains how to prevent and overcome the threat.  Continue Reading

• How can phishing attacks that use proxy programs be stopped?

  Phishing attacks are adopting new functionality to avoid detection, including the use of proxy programs to simplify the attack process. Learn how to defend against this type of risk.  Continue Reading

• What is the best mobile malware protection against NotCompatible.C?

  A sophisticated variant of the NotCompatible malware has emerged that is difficult to detect and defend against. Expert Nick Lewis offers tips for handling NotCompatible.C.  Continue Reading

• How can CISOs avoid executive turnover after a data breach?

  The executive turnover at enterprises after a data breach is fairly high. Expert Mike Villegas gives some advice on how CISOs can avoid losing their job.  Continue Reading

• Should privacy professionals be legal minds or techies?

  Hiring privacy professionals for your enterprise can be a daunting task. Expert Mike O. Villegas explains the role and what qualities to look for in candidates.  Continue Reading

• Should information security assessments be done by consultants?

  Information security assessments can be performed by consulting firms, but is that a better option than handling assessments with in-house staff? Expert Mike O. Villegas discusses.  Continue Reading

• Is paying the ransom the only way to remove ransomware?

  Should organizations pay the money to save their attacker-encrypted data and remove ransomware? Expert Mike O. Villegas advises enterprises on the best approach.  Continue Reading

• How can health organizations prepare for HIPAA audits?

  The long-awaited HIPAA audits conducted randomly by HHS are finally supposed to happen in 2015, but with stricter requirements. Here's how organizations can get ready.  Continue Reading

• How can HIPAA security risk analysis help with compliance?

  HHS recommends security risk analysis as an early step to become HIPAA compliant, so how should organizations put this tip into practice?  Continue Reading

• BSA updates: What's new in the Bank Secrecy Act?

  The Bank Secrecy Act (BSA) updates will help firms prepare for the 2015 bank examinations. Here are some of the basics from this lengthy guidance.  Continue Reading

• Can the Wyvern programming language improve Web app security?

  A new programming language called Wyvern is helping developers use multiple languages in one app securely. Application security expert Michael Cobb discusses.  Continue Reading