Manage

Cloud Data Storage Encryption and Data Protection Best Practices

• Ten questions to ask endpoint security vendors

  Evaluating endpoint security vendors and their products can be a challenging task. Expert Karen Scarfone outlines 10 must-ask questions to start your list. Plus, check out a list of comprehensive endpoint security vendors Continue Reading

• How often should businesses conduct pen tests?

  Depending on whom you talk to, pen tests should be done annually or monthly. Expert Kevin Beaver discusses how to find your organization's answer. Continue Reading

• ICS security training needed to boost awareness, response

  Video: Expert Ernie Hayden says before industrial control systems security can improve, the industry must be taught that security is just as important as availability. Continue Reading

• How can Microsoft XML vulnerabilities be mitigated?

  A reported 43% of Microsoft XML users are running vulnerable versions of the software. Security expert Michael Cobb discusses how to mitigate the risks. Continue Reading

• Protecting PHI: Does HIPAA compliance go far enough?

  Fully protecting personal health information needs more than just HIPAA compliance. Expert Mike Chapple explains what kind of data is left unprotected under HIPAA. Continue Reading

• Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8, Fourth Edition

  In this excerpt of Windows Forensic Analysis Toolkit, author Harlan Carvey discusses what Volume Shadow Copies are and how they affect forensic analysis in Windows 8.Continue Reading

• Targeted Cyber Attacks

  In this excerpt of Targeted Cyber Attacks, authors Aditya Sood and Richard Enbody outline the cyberattack model and different vectors used to attack targets.Continue Reading

• Social Engineering Penetration Testing

  In this excerpt of Social Engineering Penetration Testing, the authors outline what phishing attacks are and outline how these attacks work using multiple real-world examples.Continue Reading

• IPv6 extension headers and security: Analyzing the risk

  IPv6 security expert Fernando Gont explains why IPv6 extension headers can inadvertently subvert security controls or foster denial-of-service conditions.Continue Reading

• Python Forensics: A Workbench for Inventing and Sharing Digital Forensic Technology

  In this excerpt of Python Forensics, author Chet Hosmer offers some ground rules for using the Python programming language in forensic applications.Continue Reading

• The Basics of Information Security

  In this excerpt of The Basics of Information Security, author Jason Andress outlines methods for improving operating systems security.Continue Reading

• Using secure network tiers to bolster network security rules

  If your enterprise struggles to manage network security rules effectively, expert Eric Cole explains why a tiered network may simplify rules management and protect sensitive assets.Continue Reading

• Malware defense: How to detect and mitigate advanced evasion techniques

  Expert Nick Lewis explores a number of techniques used by advanced malware to evade detection and explains how to detect and mitigate the threats.Continue Reading

• 10 good security habits for keeping your organization secure

  Enterprises that succeed in information security share a number of good security habits. Expert Steven Weil reviews the top ten best practices that are essential to success.Continue Reading

• Ranum Q&A: Security strategy with Richard Bejtlich

  Keeping up to speed on new adversaries may require a change in tactics.Continue Reading

• Can setting a cache-control header improve application data security?

  Application security expert Michael Cobb reviews the cache-control header codes that can help prevent a Web application from storing sensitive data.Continue Reading

• Before and after: Don't neglect incident response management

  Incident response planning will define a CISO's -- and the company's -- survival after a breach, says legal counsel and CSO Chris Pierson.Continue Reading

• Will the Sarbanes-Oxley whistleblower update affect compliance?

  Sarbanes-Oxley Act compliance is important for firms to maintain. Expert Mike Chapple explains how to keep up with the new whistleblower update.Continue Reading

• Can NIST 800-115 help with penetration testing?

  Compliance with NIST 800-115 is important for enterprises to maintain while testing systems. Expert Mike Chapple explains the best way to do that.Continue Reading

• The fundamentals of FDE: The business case for full disk encryption

  Expert Karen Scarfone outlines the benefits of FDE to help businesses decide if the storage encryption technology is right for their organization.Continue Reading

• Basing incident response management on NIST SP 800-61

  Incident response management can trip up both government agencies and enterprises alike. Expert Joseph Granneman looks at incident response techniques based on NIST SP 800-61.Continue Reading

• Does your system design eliminate the top 10 software security flaws?

  Marcus Ranum chats with Gary McGraw about secure system design and the IEEE Computer Center for Secure Design’s top 10 list of what to avoid.Continue Reading

• Beyond the Page: Next-generation SIEM

  In this edition of Beyond the Page, Anton Chuvakin offers Information Security magazine readers a multimedia presentation that discusses strategies that you can use to take advantage of next-generation SIEM for internal and external threat ...Continue Reading

• Does your enterprise need a data loss prevention system?

  Not every business needs a data loss prevention system. Security expert Rich Mogull offers clues to help your organization decide if DLP will suit its business needs.Continue Reading

• McGraw on why DAST and RASP aren't enterprise scale

  Expert Gary McGraw thinks the way to get software security right is to keep the testing close to the developer environment.Continue Reading

• How to take a measured approach to automated penetration testing

  Automated penetration testing can play a pivotal role in improving the pen testing process while reducing the resources required, yet without the proper approach it may be a complete waste of time. Expert Kevin Beaver explains.Continue Reading

• Endpoint protection: Using whitelisting as a tactic

  Many security technologies have been developed to help organizations secure application use on endpoints, yet few have achieved their goal.
  
  When application control first became important to the market, it seemed endpoint application ...Continue Reading

• SIEM evolution: Is your SIEM security stuck in a rut?

  Even the best SIEM deployments need to sometimes come unglued to reach higher levels of success.Continue Reading

• VoIP vulnerabilities: Can VoIP data exfiltration be prevented?

  Malicious actors can exfiltrate sensitive data over VoIP, creating a security hole for enterprises. Expert Kevin Beaver explains how this attack is carried out and how to protect against it.Continue Reading

• What's the best way to sell security strategies to executives?

  Selling security strategies to C-levels isn't always an easy task. Expert Joseph Granneman gives some advice on convincing execs of the importance of security.Continue Reading

• SHA-2 algorithm: The how and why of the transition

  Is it time to make the move to the SHA-2 algorithm? Application security expert Michael Cobb discusses and offers tips to ease the transition.Continue Reading

• Microsoft SQL Server 2008 end of life: When's the time to migrate?

  Microsoft SQL Server 2008 reached the end of its mainstream support on July 8, 2014. Michael Cobb explains what this means to enterprise security, as well as how -- and when -- organizations should migrate from the software.Continue Reading

• Mainframe security best practices for compliance with PCI DSS

  Mainframe security is a largely overlooked topic by QSAs assessing compliance with PCI DSS, but expert Mike Villegas explains why enterprises can't ignore the key security controls to ensure mainframe compliance.Continue Reading

• Hacking forensics: Windows command-line tools for the modern era

  It's a fact of life: Windows systems get hacked. In this tip, expert Nick Lewis discusses multiple Windows command-line tools to help enterprises discover if their system has been compromised.Continue Reading

• Preventing VPN security risks for mobile employees

  Expert Kevin Beaver offers VPN security best practices, including how to prevent risks and secure VPN access for mobile employees.Continue Reading

• CISSP training video: Cryptography algorithms and encryption keys

  In this CISSP Essentials Security School presentation, Shon Harris explains the basics of the Cryptography domain, including definitions, cryptography algorithms, encryption keys and more.Continue Reading

• CISSP quiz: Cryptography CISSP certification practice test

  Test your knowledge of the CISSP exam's Cryptography Domain by taking this practice quiz, which covers topics including public and private keys, encryption algorithms, digital certificates and more.Continue Reading

• Has the CISO role changed under the spotlight?

  The career is only now defining itself.Continue Reading

• The anatomy and physiology of APT attacks

  Building on what cybercriminals began, security services from many countries have the capability to attack and steal for their national interests.Continue Reading

• How to prevent preinstalled malware on mobile devices

  Preinstalled malware has become a major mobile security risk. Expert Nick Lewis explains how to detect malicious apps and defend against them.Continue Reading

• Wireless access point security: Defending against Chameleon malware

  Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.Continue Reading

• CISSP quiz: Access control models and components

  Test your knowledge of the CISSP exam's Access Control Domain by taking this practice quiz, which covers topics including access control models, one-time passwords, IPS/IDS and more.Continue Reading

• The importance of an IT security governance body

  An IT security governance board is a key feature in security budgeting, but who makes up this body? Expert Joseph Granneman outlines the best structure for security governance boards.Continue Reading

• CISSP training video: Access control models, administration, IPS/IDS

  In this CISSP Essentials Security School presentation, expert instructor Shon Harris explains different types of access control models, access control administration and IPS/IDS technologies.Continue Reading

• How to conduct a next-generation firewall evaluation

  Before buying a next-generation firewall, read this essential guide that will walk your business through the process, from evaluation to purchase.Continue Reading

• CISSP online training: Information security governance, risk management

  Spotlight article: Shon Harris offers an in-depth look at the topics covered in the CISSP domain on infosec governance and risk management.Continue Reading

• CISSP training video: Security enterprise architecture

  In this CISSP Essentials Security School presentation, expert Shon Harris discusses security enterprise architectures and their importance to the CISSP Information Security Governance and Risk Management domain.Continue Reading

• CISSP quiz: Information security governance and risk management

  Test your knowledge of the Information Security Governance and Risk Management domain of the CISSP exam by taking this practice quiz.Continue Reading

• CISSP Essentials: Domain 1, Information Security Governance and Risk Management

  In this CISSP Essential Security School lesson, learn about security management practices for securing information and assets.Continue Reading

• Hacking with Kali: Practical Penetration Testing Techniques

  In this excerpt of Hacking with Kali: Practical Penetration Testing Techniques, authors James Broad and Andrew Bindner outline the five phases of the penetration testing lifecycle.Continue Reading

• Ranum Q&A with Renee Guttmann: Thriving in the CISO role

  A Fortune 500 veteran chats with Marcus Ranum about her management career and what it takes to reach the top of the security pyramid.Continue Reading

• Open source software security: Who can you trust?

  Fears of backdoors and heightened concerns about encryption software are running rampant.Continue Reading

• Operational challenges as cybersecurity gets sensored

  As networking technologies move onto the factory floor, security executives bridge the gap between IT and industrial network security.Continue Reading

• CISSP introduction: A video guide to the CISSP exam

  In this CISSP Essentials Security School presentation, expert instructor Shon Harris offers a CISSP introduction. Learn about the 10 domains of the Common Body of Knowledge, typical exam content and what to expect after you pass the test.Continue Reading

• The key to assigning risk values in an IT security risk assessment

  Security expert Michael Cobb offers pointers on how to assign risk values during a security risk assessment.Continue Reading

• Next-generation firewall benefits: Is an NGFW best for your company?

  A next-generation firewall won't meet the security needs of every single organization. Before making the move to next generation, be sure your enterprise understands these key decision criteria.Continue Reading

• CISSP self-assessment quiz: Check your CISSP test knowledge

  Take this CISSP self-assessment quiz to check your general knowledge of CISSP test topics and learn where you need to hone your skills.Continue Reading

• Using metadata tagging tools for PCI DSS compliance

  Metadata tagging is not just for security. Expert Mike Chapple explains how tagging tools can be used to achieve PCI DSS compliance.Continue Reading

• The gaping hole in your vulnerability management program

  Authenticated vulnerability scanning may be just what your organization needs to complete its vulnerability management program. In this video, expert Kevin Beaver offers pointers for performing an authenticated vulnerability scan.Continue Reading

• RTF security: Avoiding embedded malware

  The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. Learn how to prevent the threat.Continue Reading

• How to detect Android malware that leverages TOR

  A new variety of Android malware is using TOR for C&C communications. Expert Nick Lewis explains how to mitigate the threat.Continue Reading

• Next-generation tools for next-generation network security

  The next-generation network -- one that must encompass the cloud, mobility and Internet of Things devices -- requires a different standard of network monitoring tools. Learn about new and improved tools that conquer those challenges.Continue Reading

• Turla spyware: Defending against undetectable malware

  Is there a way to detect malware that's designed to avoid detection? Nick Lewis explains how the Turla spyware works and how to defend against it.Continue Reading

• GICSP: Deconstructing SANS Institute's new ICS security cert

  A new SANS Institute certification, GICSP, could prove useful to industrial control system (ICS) security professionals. Expert Ernie Hayden explains the certification and how to prepare for the exam.Continue Reading

• Updating network diagrams for PCI DSS 3.0 compliance

  Compliance with the PCI DSS 3.0 requirements means enterprises need to update their network diagrams. Mike Chapple outlines how to make these changes.Continue Reading

• Network security: Threat intelligence feeds parse a sea of data

  Threat intelligence feeds help you prioritize signals from internal systems against unknown threats. Security intelligence takes it a step further.Continue Reading

• Is FedRAMP the cloud security standard we've been waiting for?

  FedRAMP raises the bar for security among applicable cloud providers, but can it influence broader cloud computing contracts and standards?Continue Reading

• The NoSQL challenge: What's in store for big data and security

  Big data offers horizontal scalability, but how do you get your database security to scale along with it?Continue Reading

• Vulnerability management: Benefits of a vulnerability scoring system

  What are the pros and cons of using a universal vulnerability scoring system from a vendor? Nick Lewis explains.Continue Reading

• Developing a compliance awareness training program

  Developing a compliance awareness training program is key to preventing accidental internal compliance breaches. Expert Mike Chapple explains the steps to follow when starting such a program.Continue Reading

• Non-malicious insiders: The biggest insider threat of all?

  Video: Insider threats expert Randy Trzeciak explains why non-malicious insiders, particularly developers, pose as much risk to an enterprise as intentionally malicious insiders.Continue Reading

• Pretexting: How to avoid social engineering scams

  Expert Nick Lewis explains how to keep call center employees from getting duped by social engineering scams and pretexting.Continue Reading

• Mobile keyloggers and touchscreen detection attacks

  A recent proof of concept shines new light on the future of mobile keyloggers. Michael Cobb reviews how to keep touchscreen devices safe from attack.Continue Reading

• Building the business case for a formal patch management program

  Delaying security patches is a huge risk. Michael Cobb explains how to build the business case for a formal patching program for a variety of systems.Continue Reading

• Multifactor authentication key to cloud security success

  Following the collapse of an AWS-based cloud hosting provider, experts say enterprises should prioritize use of multifactor authentication.Continue Reading

• P2P malware detection techniques

  The amount of malware using peer-to-peer communications has increased dramatically. Enterprise threats expert Nick Lewis explains how to detect P2P malware.Continue Reading

• Sandbox evasion: How to detect cloaked malware

  Cloaked malware, like DGA.Changer, can reportedly evade sandbox detection. Nick Lewis explains how to handle the risk.Continue Reading

• Whaling attacks: Taking phishing attacks to the next level

  Whaling attacks take phishing to the next level with much bigger targets. Enterprise threats expert Nick Lewis explains how to mitigate the risk.Continue Reading

• On prevention vs. detection, Gartner says to rebalance purchasing

  At its annual security confab, the research giant said enterprises buy too much threat prevention and not enough detection and response technology.Continue Reading

• Choosing PCI DSS-compliant service providers

  Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.Continue Reading

• Third-party vendor management security best practices

  Third-party vendor management is important for avoiding incidents like the Target breach. Joseph Granneman offers four must-have security controls.Continue Reading

• How to use TripWire SecureScan, a free vulnerability scanning tool

  Video: Learn how to use TripWire SecureScan, the free vulnerability scanning tool that helps enterprises detect Heartbleed on networks and devices.Continue Reading

• API gateways emerge to address growing security demands

  With mobile, cloud and the Internet of Things driving massive API growth, experts say now is the time for API gateway technology to shine.Continue Reading

• The top five employee responsibilities in a BYOD security strategy

  Behind any successful enterprise BYOD strategy are employees who do the right things.Continue Reading

• Are malicious mobile apps a mere inconvenience or a real threat?

  How big a security threat are the malicious mobile apps riding into your enterprise on employees' mobile devices?Continue Reading

• How to hone an effective vulnerability management program

  You must know your system's weak points to form an effective risk management program and a strong defense.Continue Reading

• John Pescatore: Critical Security Controls boost operational security

  John Pescatore on why the SANS Institute's Critical Security Controls make up for other security deficiencies; plus, secrets of working with Gartner.Continue Reading

• Cyberthreat intelligence is getting crowded

  As threat intelligence communities multiply, it may be time to revisit crowdsourcing security.Continue Reading

• Threat intelligence versus risk: How much cybersecurity is enough?

  Learn how threat intelligence plays into global risk assessment as more security officers are tasked with damage control.Continue Reading

• Command-and-control servers: The puppet masters that govern malware

  Are there shadow networks within your enterprise? Stop malware by shutting down command-and-control communication channels.Continue Reading

• How to explain information security concepts to business executives

  Conveying complex information security models to business executives isn't easy. Here's how IT pros can improve their communication skills.Continue Reading

• How to make penetration test results matter

  Voodoo Security founder Dave Shackleford details how enterprises can make penetration test results more meaningful than a compliance exercise.Continue Reading

• Should enterprises expect heightened risk on important dates?

  Does the date on the calendar have anything to do with the likelihood of an attack? Enterprise threats expert Nick Lewis provides his insight.Continue Reading

• How to use Kismet: A free Wi-Fi network-monitoring tool

  In this video, CBT Nuggets' Keith Barker shows how to use the free Wi-Fi network monitoring tool Kismet to find possibly malicious wireless networks.Continue Reading

• Stop attackers hacking with Metasploit

  Metasploit attacks may not be sexy, but they can stab through enterprise defenses. Learn how basic security controls can thwart Metasploit hacking.Continue Reading

• A broader definition of identity governance

  The definition of identity governance has evolved to include a tool that could prove challenging for enterprises to implement.Continue Reading

• When single sign-on fails, is a second SSO implementation worthwhile?

  After a failed SSO implementation, is there any benefit to an enterprise trying again? Expert Michele Chubirka discusses.Continue Reading

• Information security spending in 2014: The top enterprise priorities

  Video: Editorial Director Robert Richardson examines enterprises planned 2014 security spending and whether it will lead to long-term success.Continue Reading

• Don't get spoofed by distributed denial-of-service attacks

  Distributed denial-of-service attacks continue to use spoofing. But there are means to stop the practice.Continue Reading

• Regulatory compliance requirements for security awareness programs

  Employees play an important role in achieving and maintaining regulatory compliance, explains compliance expert Mike Chapple.Continue Reading