Evaluate

Evaluate

Weigh the pros and cons of technologies, products and projects you are considering.

• Cloud computing risks and how to manage them

  Cloud computing alters enterprise risk. Here's what you need to know in order to safely navigate the cloud. Continue Reading

• Demystifying governance, risk and compliance

  GRC aims to bring together disparate compliance efforts in the enterprise, but the concept has been stymied by a lack of clarity. Developing a GRC program requires three key steps. Continue Reading

• The pros and cons of automated user provisioning software

  Automated user provisioning software can offer many benefits to enterprises, but its high cost and labor-intensive implementation may mean it's not right for yours. IAM expert Randall Gamby addresses the topic. Continue Reading

• Static source code analysis tools: Pros and cons

  Static source code analysis tools can greatly improve application security, but it takes knowledge and expertise to use them correctly. Expert Michael Cobb explains why. Continue Reading

• The real information security risk equation

  A simplified information security risk equation helps translate information security risk to users. Continue Reading

• Four steps toward a plan for a career in information security

  Having a long-term goal for a career in information security isn't enough. Here are four key steps for planning for a career in information security.Continue Reading

• Database activity monitoring keeps watch over your data

  Database activity monitoring can help with security and compliance by tracking everything going on in the database.Continue Reading

• Microsoft Windows 7 security features

  Microsoft Windows 7 security aims to improve security without the headaches of Vista.Continue Reading

• Removable storage device endpoint security and control

  Endpoint security and control for devices like thumb drives, SIM cards and mobile devices can no longer be ignored.Continue Reading

• Cloud computing legal issues

  Lawyers have a lot of concerns about cloud computing services. Learn about cloud computing legal issuesContinue Reading

• Develop an effective information security career plan

  A successful career in information security requires an effective information security career planContinue Reading

• HITECH Act increases HIPAA security requirements

  HIPAA security compliance has been a mixed bag but HITECH ups the anteContinue Reading

• Creating meaningful information security metrics

  Learn how to develop an effective information security metrics program and pitfalls to avoid.Continue Reading

• Endpoint DLP fills data protection gap

  Learn how endpoint data loss prevention technology complements network DLP and secures data that users interact with on laptops, mobile and portable storage devices.Continue Reading

• Considerations for buying and implementing DLP solutions

  Financial institutions are looking to data loss prevention solutions to prevent costly data security breaches. In this tip, Dave Shackleford explains key issues to weigh before buying and installing a DLP product.Continue Reading

• Weighing the pros and cons of end-to-end encryption and tokenization

  With PCI DSS and other compliance requirements, organizations are looking for surefire solutions to protect payment card and other sensitive data. Tokenization and end-to-end encryption have emerged as promising technologies, but as Dave Shackleford...Continue Reading

• Writing security policies using a taxonomy-based approach

  Forget structure-driven policy architecture; we'll show you how to build information security policy artifacts using a taxonomy approach that will help you build global policies in a snap.Continue Reading

• Carefully evaluate providers' SaaS security model

  Enterprises need to make sure a SaaS provider has the proper security controls to protect sensitive data before a contract is signedContinue Reading

• Basic Database Security: Step by Step

  Use this checklist to ensure you're following the basics for securing database systems.Continue Reading

• Multifactor authentication options to secure online banking

  Banks are required to deploy multifactor authentication to secure online banking and meet FFIEC requirements. In this tip, Dave Shackleford describes some of the pros and cons associated with traditional forms of multifactor authentication as well ...Continue Reading

• Integrated change management reduces security risks

  Unmanaged changes to IT systems and networks can recklessly increase risk to enterprises. The key is rolling out an accepted change management process, and sticking to it.Continue Reading

• Metasploit Project acquisition ups ante for penetration testing market

  Rapid7's acquisition of the Metasploit Project takes down one of the few remaining open source security projects. But expect a smooth transition; there have been many success stories and mistakes made to learn from.Continue Reading

• Nine ways to improve application security after an incident

  Application and information security teams work in silos and often meet only after an attack on a critical app. Here are nine tips you can use to prevent future costly incidents and improve application security after an attackContinue Reading

• Jerry Freese: Make Critical Infrastructure Protection a Priority

  Critical infrastructure protection must be addressed today to protect our country tomorrow.Continue Reading

• The pros and cons of implementing smart cards

  Most infosec pros agree that smart cards create a higher level of enterprise security than passwords alone. Learn how to weigh the pros and cons of smart cards to know if they're right for your enterprise?Continue Reading

• Security best practices in hotels

  Accountability for Internet security should be placed on users, not service providers such as hotels.Continue Reading

• Best Email Security Products

  Readers vote on the best antispam, antiphishing, email antivirus and antimalware filtering, software and appliance products, as well as hosted "in-the-cloud" email security services.Continue Reading

• Best Wireless Security Products

  Readers vote on the best wireless security products, including wireless firewalls and UTM devices, wireless access control products, WLAN intrusion and detection systems, and security-enabled wireless infrastructure productsContinue Reading

• Truth, lies and fiction about encryption

  Encryption solves some very straight-forward problems but implementation isn't always easy. We'll explain some of the common misperceptions so you'll understand your options.Continue Reading

• Privileged account management critical to data security

  Regulatory requirements and economic realities are pressuring enterprises to secure their privileged accounts.Continue Reading

• Risk management must include physical-logical security convergence

  If your organization is serious about managing risk and total asset protection, then physical-logical convergence is a necessary step.Continue Reading

• How to write a risk methodology that blends business, security needs

  One security professional describes a homegrown risk methodology currently being used by a large university and a private corporation.Continue Reading

• Do you need an IDS or IPS, or both?

  Cut through the hype and learn the differences and benefits of intrusion detection and prevention systems.Continue Reading

• Tabletop exercises sharpen security and business continuity

  Delaware's Dept. of Technology and Information conducts annual incident response exercises that test the readiness of state agencies to respond to real attacks. Learn how simulated cyberattacks and incident response exercises help organizations ...Continue Reading

• Data loss prevention benefits in the real world

  DLP promises strong data protection via content inspection and security monitoring, but real-world implementations can be complex and expensive; these eight real-world lessons help you use DLP to its fullest.Continue Reading

• How to Secure Cloud Computing

  On-demand computing services can save large enterprises and small businesses a lot of money, but security and regulatory compliance become difficult.Continue Reading

• How to secure use of Web 2.0

  How much information is too much information, and how will you monitor and manage the use of Web 2.0 inside your organization?Continue Reading

• Data classification best practices: Techniques, methods and projects

  Effective data classification in the enterprise requires a simple approach.Continue Reading

• What are common (and uncommon) unified threat management features?

  Unified threat management products have gained popularity because they bring multiple security tools together into one appliance. In this SearchSecurity.com Q&A, Michael Cobb reviews just what those security tools are.Continue Reading

• Vein-reader biometric authentication for health care, financials

  Health care facilities, along with financial institutions, are prime market targets for vein-reading technology, the latest in biometric applications.Continue Reading

• 10 tips to improve your network security strategy in a recession

  Here are 10 steps you can take to improve your threat management posture that require minimum investment, manpower and give you a fast return on your investment.Continue Reading

• Internal auditors and CISOs mitigate similar risks

  Internal audit and information security may often find themselves at odds, but in the end, their respective goals are the same.Continue Reading

• CISOs, human resources cooperation vital to security

  CISOs work closely with human resources to investigate potential Web or email policy violations by employees, develop security policies and procedures, and plan for disaster recovery.Continue Reading

• Security steering committee force CISOs to connect with the business

  Security steering committees provide a forum for security managers and business leaders to discuss security and privacy issues and explore compliance implications of new projects and technology purchases.Continue Reading

• Information security steering committee best practices

  Security steering committees bring HR, finance, legal, IT and audit to the same table, helping facilitate the integration of information security into lines of business.Continue Reading

• Using a managed file transfer for secure data transmission, exchange

  Managed file transfer (MFT) products meet the increasing security, compliance and operational demands of data in motion.Continue Reading

• Host-based intrusion prevention addresses server, desktop security

  HIPS is used for everything from traditional signature-based antivirus/antispyware and host firewalls to behavior analysis.Continue Reading

• Product Review: Application Security Inc.'s AppDetectivePro

  Application Security Inc.'s AppDetectivePro does deep inspections of database configurations to identify security issues. It's ideal for internal and external auditors, security professionals, consultants and others who need to perform on-the-fly ...Continue Reading

• Encryption no longer an optional technology

  Unravel the ins and outs of how your organization should deploy encryption.Continue Reading

• Sophos Endpoint Security and Control 8.0 product review

  Sophos Endpoint Security and Control 8.0 is a comprehensive endpoint security product, offering antivirus, antispyware, host intrusion prevention, firewalling, application control, device control, and network access control.Continue Reading

• Mix of Frameworks and GRC Satisfy Compliance Overlaps

  Three organizations reveal how they use a combination of frameworks such as COBIT or ISO 27001 along with GRC tools satisfy overlapping industry and federal regulatory demands.Continue Reading

• Windows Server 2003 hardening services ensures better security

  Shutting down unneeded services, ports and accounts makes Windows Server 2003 tough to beat.Continue Reading

• Information Security and Business Integration

  INTEGRATION Security professionals can rely on the same models and frameworks used by traditional business to earn a seat at the table.Continue Reading

• Data Lifecycle Management Model Shows Risks and Integrated Data Flow

  Information flows through business processes in an orderly fashion; security must flow right along with it.Continue Reading

• Results Chain for Information Security and Assurance

  Continue Reading

• Information Security Blueprint

  Continue Reading

• Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities

  For anyone who doesn't speak NASL, network security expert Mike Chapple has a firm handle on the Nessus Attack Scripting Language. In this brand-new addition to our Nessus 3 Tutorial, Chapple provides examples of NASL scripts that can find known ...Continue Reading

• Allowing select access to IP addresses using Windows Server 2003

  Switching from Zone Alarm 2000 to Windows Server 2003, a SearchSecurity.com reader asks expert Mike Chapple how to limit inbound connections.Continue Reading

• How to install and configure Nessus

  Nessus, an open source vulnerability scanner, can scan a network for potential security risks and provide detailed reporting that enables you to remediate gaps in your corporation's security posture. This tip, the first in a series of three on ...Continue Reading

• Best practices for application-level firewall selection and deployment

  Application-level firewalls are an essential aspect of any organization's multi-layered defense strategy, but the implementation process has some security pros scratching their heads. In this tip, contributor Joel Dubin discusses the contrasting ...Continue Reading

• Virtualization server security best practices

  Avoid server virtualization security bad practices with these dos and don'ts. Get info on virtualization products, segmentation, implementation, avoiding malware, and staging, deploying and patching virtual machines, segmentation and implementation.Continue Reading

• Product review: Klocwork Insight 8.0

  SOFTWARE SECURITYContinue Reading

• What are the pros and cons of zero-knowledge penetration tests?

  A penetration tester with no previous knowledge of the site being tested may be able to give some insight unavailable to other forms of penetration testing, but there are pros and cons. Expert Michael Cobb weighs in.Continue Reading

• Pros and cons of multifactor authentication technology for consumers

  Multifactor consumer authentication is a must-have for financial services firms, but there are a number of different types of multifactor authentication technology from which to choose. In this tip, contributor Judith M. Myerson addresses the pros ...Continue Reading

• Fact or fiction: Pros and cons of database encryption

  According to our latest survey of more than 608 enterprise security pros, 80% of enterprises say protecting data is more important in 2007 than last year, and 72% admit they need a better strategy. SearchSecurity.com is responding to this growing ...Continue Reading

• Secure Computing SafeWord 2008 product review

  Secure Computing SafeWord 2008 delivers identity management and access control for Windows systems using tokens that generate secure single-use passcodes. Information Security magazine reviews these capabilities.Continue Reading

• Face-Off: Is vulnerability research ethical?

  Bruce Schneier and Marcus Ranum debate the ethics of vulnerability researchContinue Reading

• 7 Security Questions to Ask Your SaaS Provider

  Outsourcing software as a service (SaaS) puts control over an organization's applications in the hands of others. Learn what questions to ask your provider, how to define security policies, how to understand how service providers handle security and...Continue Reading

• 5 Steps for Developing Strong Change Management Program Best Practices

  Poor change control and configuration management can affect the security of your systems and networks. Follow these five steps for a strong change management program.Continue Reading

• Varonis DatAdvantage product review

  Varonis DatAdvantage data governance software is evaluated on its configuration and management, effectiveness, policy control and reporting.Continue Reading

• Companies Collecting Too Much Customer Data Increase Exposure

  If the risk of losing customer or partner information outweighs its value, why collect it in the first place?Continue Reading

• The pros and cons of data breach insurance

  The security incident at the Hannaford supermarket chain and elsewhere have some wondering if it's time to purchase data breach insurance. But experts say there are drawbacks.Continue Reading

• What are the pros and cons of shaping P2P packets?

  Packet shaping, a technique used to control computer network traffic, really isn't a security issue; it's a policy matter, says network expert Mike Chapple. Learn why, in this SearchSecurity.com Q&A.Continue Reading

• SonicWALL NSA E5500 product review

  Product review of SonicWALL NSA E5500 security tool basic and advanced firewall features, setup, pricing, VPN and wireless security.Continue Reading

• Case Study: Company deploys full disk encryption policy on laptops

  One billion-dollar company isn't taking chances with data stored on its laptops. It deployed full disk encryption on every machine, an increasingly popular security strategy.Continue Reading

• Comparative Product Review: Six Web Application Firewalls

  No longer can security managers focus only on perimeter and host security. The application has become the prime target for hackers. We review six leading Web application firewalls from Barracuda, Bee Ware, Breach Security, Citrix, F5 and Imperva ...Continue Reading

• Examine Security Features and Tools of Microsoft Windows Server 2008

  Unwrap Windows Server 2008, the first server revision under Trustworthy Computing. Microsoft promises it is secure by design, default and deployment.Continue Reading

• Product review: Titus Labs' Message Classification

  DOCUMENT CLASSIFICATIONContinue Reading

• Data Loss Prevention Tools Offer Insight into Where Data Lives

  DLP tools help mitigate incidents and aid with data discovery.Continue Reading

• Product review: AlgoSec's AlgoSec Firewall Analyzer 4.0

  FIREWALL MANAGEMENTContinue Reading

• What are the pros and cons of using stand-alone authentication that is not Active Directory-based?

  Password managment tools other than Active Directory are available, though they may not be the best access control coordinators.Continue Reading

• How Sarbanes-Oxley changed the information security profession

  Sarbanes-Oxley empowered information security professionals with the clout they'd sought for so long.Continue Reading

• SIEM market, log management tools need a standardized log format

  Security information and event management (SIEM) systems and log management tools would benefit from standardized log formats.Continue Reading

• Honeyclients bring new twist to honeypots

  Honeyclients are unpatched web browsers that actively seek malicous websites.Continue Reading

• Web 2.0 application development techniques introduce new information security risks

  Ajax, Java and other dynamic application coding methods have pulled computing power over to the client, introducing new risks and resurrecting old ones.Continue Reading

• Guardium SQL Guard 6.0 product review

  Guardium SQL Guard 6.0 is evaluated on its ability to monitor access to SQL databases. SQL Guard ensures a system of checks and balances between the security and database engineering teams.Continue Reading

• Proofpoint On Demand Product Review

  In this product review, learn about Proofpoint On Demand antivirus and antispam features.Continue Reading

• What are the pros and cons of using keystroke dynamic-based authentication systems?

  In this SearchSecurity.com Q&A, security pro Joel Dubin discusses the positive and negative aspects of using keystroke dynamic-based authentication systems.Continue Reading

• Rootkit detection and removal know-how

  Get advice on how to detect malware and rootkits and the best ways to achieve rootkit removal and prevent hacker attacks.Continue Reading

• Viewpoint: Correlate SIMs and log management

  Continue Reading

• Logical, physical security integration challenges

  Integrating physical and IT security can reap considerable benefits for an organization, including enhanced efficiency and compliance plus improved security. But convergence isn't easy. Challenges include bringing the physical and IT security teams ...Continue Reading

• What are the pros and cons of outsourcing email security services?

  In this SearchSecurity.com Q&A, application security expert Michael Cobb explains whether it's right for your organization to hand off email security services to another provider.Continue Reading

• How to select a penetration tester

  Penetration testing tools can simulate attacks and help organizations get an idea of their security vulnerabilities. In this SearchSecurity.com Q&A, platform security expert Michael Cobb explains what you should be getting out of your penetration ...Continue Reading

• Editor's Desk: Freeing Julie Amero

  Justice ServedContinue Reading

• Protecting Your Brand

  Customer confidence is at risk when a breach occurs.Continue Reading

• M&A: Merging network security policies

  Company mergers often call for the consolidation of two different network policies. But before making any final decisions on technology, the staff members of both organizations need to be on the same page. In this tip, contributor Mike Chapple ...Continue Reading

• What are the pros and cons of using an email encryption gateway?

  In this SearchSecurity.com Q&A, security management expert Mike Rothman discusses the pros and cons of using an email encryption gateway to prevent data leakage.Continue Reading

• Product review: RedSeal Systems' RedSeal Security Risk Manager

  Red Seal Security Risk Manager allows security administrators to model and manage threats to corporate assets and networks. This product review looks at how the risk management tool rates in effectiveness, ease of setup, reporting and overall ...Continue Reading

• Product review: Unified threat management (UTM) devices

  Unified threat management devices consolidate several network security functions into one product. This article evalutes six UTM appliances; each had to act as a firewall and virtual private network and provide antivirus, Web content filtering, ...Continue Reading

• Using VMware for malware analysis

  Virtualization software like VMware helps ease the challenges of malware analysis. Malware expert Lenny Zeltser explains the steps enterprises must take to ensure malicious software doesn't leak out of their VMware-based labs and endanger production...Continue Reading