Manage

Cloud Data Storage Encryption and Data Protection Best Practices

• Internal auditors and CISOs mitigate similar risks

  Internal audit and information security may often find themselves at odds, but in the end, their respective goals are the same. Continue Reading

• CISOs, human resources cooperation vital to security

  CISOs work closely with human resources to investigate potential Web or email policy violations by employees, develop security policies and procedures, and plan for disaster recovery. Continue Reading

• Security steering committee force CISOs to connect with the business

  Security steering committees provide a forum for security managers and business leaders to discuss security and privacy issues and explore compliance implications of new projects and technology purchases. Continue Reading

• Information security steering committee best practices

  Security steering committees bring HR, finance, legal, IT and audit to the same table, helping facilitate the integration of information security into lines of business. Continue Reading

• How to configure a firewall to communicate with an upstream router

  When incorprating a new firewall product, configuration problems can occur between the network device and the router. Mike Chapple reviews some common implementation problems. Continue Reading

• How to prevent cross-site scripting (XSS) session hijacking

  Cross-site scripting and SQL injections still providing hackers with plenty of opportunities to successfully access data or take control of a compromised machine. MIchael Cobb explains how you can improve your application defenses.Continue Reading

• Deleting user accounts: How to manage users during a layoff

  When budgets get cut across the enterprise, it's likely that employees will get cut, too. So what's the best way to handle a large number of user account modifications or deletions? IAM expert David Griffeth offers a step-by-step process for ...Continue Reading

• Using a managed file transfer for secure data transmission, exchange

  Managed file transfer (MFT) products meet the increasing security, compliance and operational demands of data in motion.Continue Reading

• Host-based intrusion prevention addresses server, desktop security

  HIPS is used for everything from traditional signature-based antivirus/antispyware and host firewalls to behavior analysis.Continue Reading

• The 100-day plan: Achieving success as a new security manager

  One of the top priorities of any newly minted information security manager is to implement a new enterprise security strategy. In this tip, security management expert Mike Rothman explains what needs to happen in the first 100 days of a security ...Continue Reading

• Cloud compliance: How to manage SaaS risk

  While Software as a Service (SaaS) can cut costs, there are definite security concerns to be aware of, including compliance issues. What's the best way to make sure that data is safe and audit-ready on the provider's server? Expert Joel Dubin gives ...Continue Reading

• How to manage guest user authentication when building a wireless network

  Joel Snyder reviews your different access policies and how to deal with the threat of unauthenticated users.Continue Reading

• The value of application whitelists

  Although some may find Windows Vista's User Account Control feature annoying, it is really a variation of a security mechanism that is now re-emerging: the application whitelist. Michael Cobb explores application whitelist benefits and drawbacks, ...Continue Reading

• ID and password authentication: Keeping data safe with management and policies

  Learn how to improve authentication and avoid password hacking with management policies that enforce password expiration, length and complexity requirements.Continue Reading

• What are best practices for secure password distribution after a data breach?

  After an information security data breach, it might seem like a good idea to create new user IDs and passwords for all employees in the user directory. But is there an easier way to handle the aftermath of a data breach? Find out more in this IAM ...Continue Reading

• Best practices for merging with a company that is not PCI compliant

  Learn how to make sure you and your partner are compliant with PCI DSS while you prepare for the merger process.Continue Reading

• Comparing access control mechanisms and identity management techniques

  In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well as some best practices for both access control mechanisams and identity management.Continue Reading

• What are effective ways to stop instant messaging (IM) spam?

  In this expert Q&A, Michael Cobb reveals what techniques and tools can be used to stop instant messaing spam, or spim, in the enterprise.Continue Reading

• Is it impossible to successfully remove a rootkit?

  In this expert Q&A, Michael Cobb takes a closer a look at the nature of rootkits to see why they can be so difficult to remove.Continue Reading

• Can software tools automate the server hardening process?

  Michael Cobb explores the Windows Server 2003 Hardening Guide and how you can tighten the security on your servers.Continue Reading

• How to detect system management mode (SMM) rootkits

  Rootkits were once a system administrator's best friend. Now they have evolved to become an admin's worst nightmare: well-known, surreptitious malware that can provide super user access to an infected machine. Michael Cobb explains how to get rid of...Continue Reading

• Product Review: Application Security Inc.'s AppDetectivePro

  Application Security Inc.'s AppDetectivePro does deep inspections of database configurations to identify security issues. It's ideal for internal and external auditors, security professionals, consultants and others who need to perform on-the-fly ...Continue Reading

• Encryption no longer an optional technology

  Unravel the ins and outs of how your organization should deploy encryption.Continue Reading

• How to configure NAP for Windows Server 2008

  The arrival of Windows Server 2008 ushers in a big portion of Microsoft's long-awaited Network Access Protection (NAP) initiative. In this tip, David Strom uses words and pictures to explain how to get started with NAP using the Network Policy ...Continue Reading

• Sophos Endpoint Security and Control 8.0 product review

  Sophos Endpoint Security and Control 8.0 is a comprehensive endpoint security product, offering antivirus, antispyware, host intrusion prevention, firewalling, application control, device control, and network access control.Continue Reading

• Mix of Frameworks and GRC Satisfy Compliance Overlaps

  Three organizations reveal how they use a combination of frameworks such as COBIT or ISO 27001 along with GRC tools satisfy overlapping industry and federal regulatory demands.Continue Reading

• CISSP Essentials Lesson 1: Security management practices

  In this CISSP lesson, learn about security management practices.Continue Reading

• How to lay the foundation for role entitlement management

  Role entitlement management is a daunting task, however, there are steps you can take to lay the foundation for a successful management process. In this tip, expert Rick Lawhorn details these seven steps.Continue Reading

• What are the benefits of identity managed as a service?

  How do Software as a Service (SaaS) and IAM interact? Identity and access management expert Joel Dubin weighs in on how to approach the integration of the two.Continue Reading

• The steps of privileged account management implementation

  Privileged accounts have always been difficult to secure, and they remain the focal point for the insider attack. Luckily, an emerging class of privileged account management products is here to help. Identity management pro Mark Diodati discusses ...Continue Reading

• Key management challenges and best practices

  Key management is essential to a successful encryption project. In this tip, expert Randy Nash explains the challenges financial organizations face when implementing key management and some of the best practices to overcome them.Continue Reading

• Why is backscatter spam so difficult to block?

  When an email address is comandeered by a malicious hacker to send spam, the backscatter can quickly fill an inbox and clog bandwidth. Is there any way to prevent this? Expert Michael Cobb gives advice.Continue Reading

• Windows Server 2003 hardening services ensures better security

  Shutting down unneeded services, ports and accounts makes Windows Server 2003 tough to beat.Continue Reading

• Information Security and Business Integration

  INTEGRATION Security professionals can rely on the same models and frameworks used by traditional business to earn a seat at the table.Continue Reading

• Data Lifecycle Management Model Shows Risks and Integrated Data Flow

  Information flows through business processes in an orderly fashion; security must flow right along with it.Continue Reading

• Enterprise role management: Trends and best practices

  Enterprise role management technology is intended to help an enterprise keep tabs of who has access to various network resources, and also makes it easier to define groups of users. Joel Dubin explains how the technology integrates with RBAC and IAM...Continue Reading

• Results Chain for Information Security and Assurance

  Continue Reading

• Information Security Blueprint

  Continue Reading

• Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities

  For anyone who doesn't speak NASL, network security expert Mike Chapple has a firm handle on the Nessus Attack Scripting Language. In this brand-new addition to our Nessus 3 Tutorial, Chapple provides examples of NASL scripts that can find known ...Continue Reading

• Database patch denial: How 'critical' are Oracle's CPUs?

  A recent survey found that a considerable number of users are outright rejecting Oracle's Critical Patch Updates, perhaps suggesting database administrators feel comfortable with their security defenses or find Oracle's patches to be more of a ...Continue Reading

• Protecting exposed servers from Google hacks (and Google 'dorks')

  Search engines are now routinely used to find ways of gaining unauthorized access to servers. Michael Cobb explains how to avoid exposing your important data to 'Google dorks.'Continue Reading

• Learn from NIST: Best practices in security program management

  Security success means sweating the small stuff, like ensuring proficiency in implementing patches and configuring systems. Security management expert Mike Rothman offers advice on how certain NIST guidelines can help an organization highlight ...Continue Reading

• Best practices for IDS creation and signature database maintenance

  Mike Chapple offers an alternative to creating an intrusion detection system as well as advice on maintaining a signature database.Continue Reading

• Perimeter eSecurity acquisition shapes managed security services

  Small businesses are turning to managed security service providers. The industry is growing and Perimeter eSecurity's aggressive acquisition spree is shaping the market.Continue Reading

• What are the top five concepts or lessons on security management?

  Many security managers wish their company executives understood more about the importance of information security. Security management expert Mike Rothman lists the top five things every executive should be informed of.Continue Reading

• Password management best practices for financial services firms

  Password management is a fundamental tenet of effective information security, but it's harder than it seems to manage passwords correctly, and far too easy to mess it up. In this tip, contributor Tony Bradley shares best practices for effective ...Continue Reading

• Is a Master Boot Record (MBR) rootkit completely invisible to the OS?

  Whether or not we see widespread attacks that use MBR rootkits will depend upon two factors. Platform security expert Michael Cobb explains them both.Continue Reading

• How to install and configure Nessus

  Nessus, an open source vulnerability scanner, can scan a network for potential security risks and provide detailed reporting that enables you to remediate gaps in your corporation's security posture. This tip, the first in a series of three on ...Continue Reading

• Best practices for application-level firewall selection and deployment

  Application-level firewalls are an essential aspect of any organization's multi-layered defense strategy, but the implementation process has some security pros scratching their heads. In this tip, contributor Joel Dubin discusses the contrasting ...Continue Reading

• Virtualization server security best practices

  Avoid server virtualization security bad practices with these dos and don'ts. Get info on virtualization products, segmentation, implementation, avoiding malware, and staging, deploying and patching virtual machines, segmentation and implementation.Continue Reading

• Product review: Klocwork Insight 8.0

  SOFTWARE SECURITYContinue Reading

• What are the pros and cons of zero-knowledge penetration tests?

  A penetration tester with no previous knowledge of the site being tested may be able to give some insight unavailable to other forms of penetration testing, but there are pros and cons. Expert Michael Cobb weighs in.Continue Reading

• Security breach management: Planning and preparation

  All organizations face the risk of an information security breach. While it can be a gut-wrenching ordeal, learning how to manage a breach can make it much easier to contain the damage. In this tip, contributor Khalid Kark unveils several key ...Continue Reading

• Webmail security: Best practices for data protection

  Webmail has become a popular choice for enterprises looking to provide users with email access outside the office, but deployment of any Web-based email system presents a unique set of security challenges. In this Messaging Security School tip, ...Continue Reading

• PCI compliance and Web applications: Code review or firewalls?

  The Payment Card Industry Data Security Standard is about to get a new wrinkle involving Web applications. As of June 30, 2008, to achieve PCI compliance, enterprises must either have their custom Web application code reviewed or install Web ...Continue Reading

• Are Internet cafe users' email credentials at risk?

  Most browsers store all Web pages, including a user's message and other information, in a cache from which it is retrievable with relative ease. Expert Michael Cobb explains how to keep the personal data from getting into the wrong hands.Continue Reading

• Secure Computing SafeWord 2008 product review

  Secure Computing SafeWord 2008 delivers identity management and access control for Windows systems using tokens that generate secure single-use passcodes. Information Security magazine reviews these capabilities.Continue Reading

• Face-Off: Is vulnerability research ethical?

  Bruce Schneier and Marcus Ranum debate the ethics of vulnerability researchContinue Reading

• 7 Security Questions to Ask Your SaaS Provider

  Outsourcing software as a service (SaaS) puts control over an organization's applications in the hands of others. Learn what questions to ask your provider, how to define security policies, how to understand how service providers handle security and...Continue Reading

• 5 Steps for Developing Strong Change Management Program Best Practices

  Poor change control and configuration management can affect the security of your systems and networks. Follow these five steps for a strong change management program.Continue Reading

• Worst practices: Bad security incidents to avoid

  Some of information security's worst practices are just best practices ignored. And those guilty of today's big infosec mistakes range from chief security officers to network firewall managers to security staffs at giant financial firms and ...Continue Reading

• Which operating system can best secure an FTP site?

  In this expert Q&A, platform security expert Michael Cobb explains how a secure FTP protocol can improve websites and Web services.Continue Reading

• Varonis DatAdvantage product review

  Varonis DatAdvantage data governance software is evaluated on its configuration and management, effectiveness, policy control and reporting.Continue Reading

• Companies Collecting Too Much Customer Data Increase Exposure

  If the risk of losing customer or partner information outweighs its value, why collect it in the first place?Continue Reading

• Worst Practices: Three big identity and access management mistakes

  Simple IAM mistakes such as writing down passwords and unaudited user accounts can allow malicious access into corporate networks. In this tip, contributor Joel Dubin exposes the most common identity management and access control blunders, and ...Continue Reading

• What ports should be opened and closed when IPsec filters are used?

  In this SearchSecurity.com Q&A, application security expert Michael Cobb explains how to set up separate branch IPsec filters that connect with a head office.Continue Reading

• Is Triple DES a more secure encryption scheme than DUKPT?

  Both DES and TDES use a symmetric key, but Michael Cobb explains their separate and distinct roles in protecting financial transactions.Continue Reading

• Misconfiguration issues could have contributed to Hannaford breach

  Hannaford takes heat from officials who believe the supermarket chain was slow in disclosing its breach. Meanwhile, one of Hannaford's security vendors gets defensive.Continue Reading

• Web scanning and reporting best practices

  Implementing a solid Web scanning routine is a key way to avoid corporate Web application attacks. And with industry requirements such as PCI DSS, performing vulnerability scans are also required to stay compliant. In this tip, contributor Joel ...Continue Reading

• DMVPN configuration: Should a firewall be between router and Internet?

  Cisco's Dynamic Multipoint VPN (DMVPN) product allows the configuration of site-to-site VPNs across WAN connections. Security expert Mike Chapple explains how a firewall fits into this particular network setup.Continue Reading

• Misconfigured networks create huge security risks

  Security experts say IT pros should be more concerned about the risks created by misconfigured networks than all the flaws and exploit code they read about.Continue Reading

• How secure is online banking today?

  Most banks take the security of their online services seriously. In this expert Q&A, Michael Cobb explains why online banking is relatively safe -- with the exception of one particular mistake.Continue Reading

• SonicWALL NSA E5500 product review

  Product review of SonicWALL NSA E5500 security tool basic and advanced firewall features, setup, pricing, VPN and wireless security.Continue Reading

• Case Study: Company deploys full disk encryption policy on laptops

  One billion-dollar company isn't taking chances with data stored on its laptops. It deployed full disk encryption on every machine, an increasingly popular security strategy.Continue Reading

• Comparative Product Review: Six Web Application Firewalls

  No longer can security managers focus only on perimeter and host security. The application has become the prime target for hackers. We review six leading Web application firewalls from Barracuda, Bee Ware, Breach Security, Citrix, F5 and Imperva ...Continue Reading

• How to protect DNS servers

  The DNS database is the world's largest distributed database, but unfortunately, DNS was not designed with security in mind. Application security expert Michael Cobb explains how to keep a DNS server from being hijacked.Continue Reading

• How should the ipseccmd.exe tool be used in Windows Vista?

  Ipseccmd is a command-line tool for displaying and managing IPsec policy and filtering rules. Expert Michael Cobb explains how to get the scripting utility to work with Vista.Continue Reading

• Are encrypted Microsoft Word files safer in transit than PDF files?

  In this expert Q&A, Michael Cobb demonstrates how a misconfigured firewall makes it easy for some Microsft Word and PDF files to be sniffed in transit.Continue Reading

• Data loss prevention (DLP) tools: The new way to prevent identity theft?

  Despite advances in perimeter technologies, data theft has become common in today's enterprises. To protect their confidential information, some security professionals are turning to an emerging technology category: data loss prevention. But don't ...Continue Reading

• How would you define the responsibilities of a data custodian in a bank?

  Data security is incredibly important for financial institutions, and it's the data custodian's job to make sure that data is safe. Security management expert Mike Rothman explains more.Continue Reading

• Challenges behind operational integration of security and network management

  The integration of security and network operations holds a great deal of promise thanks to today's security information management technology, but there are a number of hurdles to overcome when it's time to flip the switch. Sasan Hamidi outlines the...Continue Reading

• Examine Security Features and Tools of Microsoft Windows Server 2008

  Unwrap Windows Server 2008, the first server revision under Trustworthy Computing. Microsoft promises it is secure by design, default and deployment.Continue Reading

• Product review: Titus Labs' Message Classification

  DOCUMENT CLASSIFICATIONContinue Reading

• Data Loss Prevention Tools Offer Insight into Where Data Lives

  DLP tools help mitigate incidents and aid with data discovery.Continue Reading

• Product review: AlgoSec's AlgoSec Firewall Analyzer 4.0

  FIREWALL MANAGEMENTContinue Reading

• Five steps to building information risk management frameworks

  Implementing a successful enterprise risk management plan can be an overwhelming and harrowing process. In order to make the process work, many aspects need to examined, and all business areas need to be hands on. In this tip, contributor Khalid ...Continue Reading

• Developing a patch management policy for third-party applications

  Enterprises may push the latest critical Windows patches once a month, but here's a dirty little secret: Most organizations don't bother patching their third-party applications. The diversity of client-side software -- including everything from ...Continue Reading

• Information protection: Using Windows Rights Management Services to secure data

  Keeping confidential information under wraps is paramount in any business, but finding the right mix of tools or techniques is a common challenge. In this tip, contributor Tony Bradley explains how Windows Rights Management Services (WRMS) can help ...Continue Reading

• How Sarbanes-Oxley changed the information security profession

  Sarbanes-Oxley empowered information security professionals with the clout they'd sought for so long.Continue Reading

• Will one failed drive corrupt the rest of a RAID-5 array?

  In this expert Q&A, Michael Cobb explains when it is appropriate to keep a RAID-5 array's failed drive online.Continue Reading

• What security issues can arise from unsynchronized system clocks?

  Network administrators don't always pay enough attention to the issues of system clock accuracy and time synchronization. Michael Cobb explains why that can lead to security problems.Continue Reading

• Lessons learned from TJX: Best practices for enterprise wireless encryption

  The TJX data breach revealed all too well the weaknesses of the Wired Equivalent Privacy security model. The retailer's well-documented compromise of more than 94 million credit card numbers proved that intruders can easily take advantage of ...Continue Reading

• Preventing spam bots from hijacking an enterprise network

  According to security expert Michael Cobb, the likelihood of your enterprise being compromised by a botnet is not a question of if, but when. In this Messaging Security School tip, Cobb discusses how spammers use botnets to corrupt enterprise ...Continue Reading

• Sun acquiring Vaau for identity management

  To better serve customers preoccupied with regulatory compliance and identity management, Sun has agreed to acquire enterprise role-management vendor Vaau.Continue Reading

• Making the case for Web application vulnerability scanners

  If a Web application scanner can find common SQL injection flaws, cross-site scripting vulnerabilities, buffer overflows and dangerous backdoors, then why aren't more enterprises using them? In this tip, Michael Cobb not only examines where the ...Continue Reading

• SIEM market, log management tools need a standardized log format

  Security information and event management (SIEM) systems and log management tools would benefit from standardized log formats.Continue Reading

• Honeyclients bring new twist to honeypots

  Honeyclients are unpatched web browsers that actively seek malicous websites.Continue Reading

• Are challenge-response technologies the best way to stop spam?

  Challenge-response spam technology intercepts incoming emails and sends a challenge to the sender, asking him or her to confirm the message's validity. Though the antispam mechanism has gained popularity, there may be more secure alternatives, says ...Continue Reading

• Web 2.0 application development techniques introduce new information security risks

  Ajax, Java and other dynamic application coding methods have pulled computing power over to the client, introducing new risks and resurrecting old ones.Continue Reading

• How to test an e-commerce Web site's security and privacy defenses

  Assessing the security of e-commerce sites means checking up on their associated servers, databases and applications. In this expert response, Michael Cobb explains where to start.Continue Reading