Manage

Manage

Learn to apply best practices and optimize your operations.

• Ranum Q&A with Renee Guttmann: Thriving in the CISO role

  A Fortune 500 veteran chats with Marcus Ranum about her management career and what it takes to reach the top of the security pyramid. Continue Reading

• Update your application security policy after Heartbleed

  Worried about the stability of your software security? Lower your risk by rewriting policy and procedures for development with open source and third-party components. Continue Reading

• Open source software security: Who can you trust?

  Fears of backdoors and heightened concerns about encryption software are running rampant. Continue Reading

• Application security policy after Heartbleed

  Enterprises leverage open source software for the perceived quality of the code, but the Heartbleed flaw has made many question their use of third-party libraries and components in projects. How do security teams go about documenting code to ensure ... Continue Reading

• Finding the best SIEM system for an outsourced IT environment

  When an organization has a highly outsourced IT environment, it is critical to use a SIEM system to reduce security complexity and identify threats. However, finding the proper system can be challenging. Kevin Beaver offers tips for success. Continue Reading

• Open source needs more than the Open Crypto Audit Project

  Open source needs some sort of body that promotes secure architectural design and coding, says Robert Richardson.Continue Reading

• Operational challenges as cybersecurity gets sensored

  As networking technologies move onto the factory floor, security executives bridge the gap between IT and industrial network security.Continue Reading

• 'Keypocalypse' another barrier to encryption systems

  Encryption deployment can reduce the impact of a security breach. But the complexity of key management prevents some companies from wider adoption.Continue Reading

• Beyond the Page: Application security in the age of open source

  This Beyond the Page feature explores some new tools for security pros to vet open source libraries and manage security vulnerabilities.Continue Reading

• Take inventory of your open source software security

  Developers love reusing code, whether it’s an open source library or a code snippet copied from the Internet. This expert tip looks at the best ways to secure and monitor component-driven software.Continue Reading

• Enterprise strategies to enforce open source software security

  In this video, application security expert Michael Cobb discusses open source risks and how revised security policies can standardize development.Continue Reading

• How to reduce the chances of distributed denial-of-service attacks

  Distributed denial-of-service attacks are increasingly a menace for enterprises. Expert Michael Cobb discusses industry initiatives that can help enterprises reduce the occurrence and power of DDoS attacks.Continue Reading

• The truth about distributed denial-of-service attack prevention

  Can determined attackers be prevented from launching a distributed denial-of-service attack against an enterprise? In this Q&A, expert Michael Cobb discusses the reality of attack prevention and offers best practices for thwarting attacks.Continue Reading

• CISSP introduction: A video guide to the CISSP exam

  In this CISSP Essentials Security School presentation, expert instructor Shon Harris offers a CISSP introduction. Learn about the 10 domains of the Common Body of Knowledge, typical exam content and what to expect after you pass the test.Continue Reading

• Distributed denial-of-service attack defense

  This Security School offers need-to-know information about distributed denial-of-service attack defense, prevention and best practices.Continue Reading

• New fundamentals of distributed denial-of-service attack defense

  Defending against and defeating distributed denial-of-service attacks is challenging without proper training. This video highlights best practices that boost an enterprise's DDoS defense plan.Continue Reading

• Distributed denial-of-service attack defense

  This Security School offers need-to-know information about distributed denial-of-service attack defense, prevention and best practices.Continue Reading

• The Target security breach is a turning point for enterprises

  The massive security breach at Target in 2013 is changing the way enterprises approach security strategies. Expert Joseph Granneman explains how the Target data breach is an industry turning point.Continue Reading

• PCI SSC issues SIG guidance on maintaining PCI compliance

  The new information supplement offers advice on how to address obstacles in maintaining year-round PCI compliance, even though PCI experts say the challenge is only getting harder.Continue Reading

• The key to assigning risk values in an IT security risk assessment

  Security expert Michael Cobb offers pointers on how to assign risk values during a security risk assessment.Continue Reading

• Next-generation firewall benefits: Is an NGFW best for your company?

  A next-generation firewall won't meet the security needs of every single organization. Before making the move to next generation, be sure your enterprise understands these key decision criteria.Continue Reading

• Enterprises seek greater security through network transparency

  Bigger, more diverse networks mean a larger attack surface for hackers. Today's networking pros must update security strategies to account for new vulnerabilities and respond to inevitable attacks. But first, they need a clear view into their ...Continue Reading

• CISSP self-assessment quiz: Check your CISSP test knowledge

  Take this CISSP self-assessment quiz to check your general knowledge of CISSP test topics and learn where you need to hone your skills.Continue Reading

• The importance of social media compliance

  Social media compliance is not typically considered a big issue for companies, but expert Mike Chapple explains why it should be.Continue Reading

• Using metadata tagging tools for PCI DSS compliance

  Metadata tagging is not just for security. Expert Mike Chapple explains how tagging tools can be used to achieve PCI DSS compliance.Continue Reading

• Performing an authenticated vulnerability scan

  This Security School covers need-to-know topics for performing an authenticated vulnerability scan, including myths and misconceptions to be aware of.Continue Reading

• The gaping hole in your vulnerability management program

  Authenticated vulnerability scanning may be just what your organization needs to complete its vulnerability management program. In this video, expert Kevin Beaver offers pointers for performing an authenticated vulnerability scan.Continue Reading

• Achieve consolidated security with a next-generation firewall

  Learn more about one of the greatest assets of a next-generation firewall: Its ability to consolidate firewall and intrusion prevention features into a single device.Continue Reading

• Security that works: Three must-have enterprise security fundamentals

  In his debut 'Security that Works' column for SearchSecurity, Eric Cole of the SANS Institute challenges infosec pros to grade themselves on the three fundamental aspects of any successful enterprise security program.Continue Reading

• RTF security: Avoiding embedded malware

  The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. Learn how to prevent the threat.Continue Reading

• Mitigating mobile and PC malware hybrid threats

  Hybrid threats are becoming an increasing issue for mobile devices. Enterprise threats expert Nick Lewis explains how to mitigate the risk.Continue Reading

• Gartner on PCI DSS 3.0 changes: Bigger, harder and more expensive

  Gartner analyst Avivah Litan discusses how Gartner clients are reacting to the changes in PCI DSS 3.0, and whether the increased rigor in the standard will prove beneficial to enterprises.Continue Reading

• Ensuring privileged identity management program success

  Lieberman Software CEO Philip Lieberman discusses why a successful privileged identity management program needs support from two key executives, plus how to avoid common mistakes.Continue Reading

• How to detect Android malware that leverages TOR

  A new variety of Android malware is using TOR for C&C communications. Expert Nick Lewis explains how to mitigate the threat.Continue Reading

• Next-generation tools for next-generation network security

  The next-generation network -- one that must encompass the cloud, mobility and Internet of Things devices -- requires a different standard of network monitoring tools. Learn about new and improved tools that conquer those challenges.Continue Reading

• Turla spyware: Defending against undetectable malware

  Is there a way to detect malware that's designed to avoid detection? Nick Lewis explains how the Turla spyware works and how to defend against it.Continue Reading

• Reducing the risks of Java security updates

  Installing Java updates for security can be troublesome, so should companies still do it? Mike Chapple discusses Java and compliance issues.Continue Reading

• GICSP: Deconstructing SANS Institute's new ICS security cert

  A new SANS Institute certification, GICSP, could prove useful to industrial control system (ICS) security professionals. Expert Ernie Hayden explains the certification and how to prepare for the exam.Continue Reading

• Updating network diagrams for PCI DSS 3.0 compliance

  Compliance with the PCI DSS 3.0 requirements means enterprises need to update their network diagrams. Mike Chapple outlines how to make these changes.Continue Reading

• How IT lockdown periods affect PCI compliance regulations

  IT lockdown periods are sometimes used to improve system efficiency, but do they work with PCI compliance regulations? Expert Mike Chapple answers.Continue Reading

• HIPAA audit preparation: Is your company ready?

  HIPAA audits have increased in 2014. Expert Mike Chapple offers guidance to get your enterprise's compliance plan audit-ready.Continue Reading

• Network security: Threat intelligence feeds parse a sea of data

  Threat intelligence feeds help you prioritize signals from internal systems against unknown threats. Security intelligence takes it a step further.Continue Reading

• Is FedRAMP the cloud security standard we've been waiting for?

  FedRAMP raises the bar for security among applicable cloud providers, but can it influence broader cloud computing contracts and standards?Continue Reading

• Ranum Q&A: How to make the grade in information security metrics

  Marcus Ranum chats with Columbia University's Joel Rosenblatt to learn how "apples to apples" comparisons helped automate critical security processes.Continue Reading

• The NoSQL challenge: What's in store for big data and security

  Big data offers horizontal scalability, but how do you get your database security to scale along with it?Continue Reading

• Part of the conversation on cyber risk insurance

  Security deserves a seat at the risk management table.Continue Reading

• Vulnerability management: Benefits of a vulnerability scoring system

  What are the pros and cons of using a universal vulnerability scoring system from a vendor? Nick Lewis explains.Continue Reading

• Authentication out of the box: Built-in tools 'ease' Hadoop security

  Many Hadoop variants offer fully integrated Kerberos, with facilities to improve setup and link to your existing identity repository.Continue Reading

• Andrew Jaquith on defending against advanced targeted attacks

  Video: SilverSky CTO Andrew Jaquith says that despite the daunting growth in advanced targeted attacks, there are simple, practical strategies to reduce enterprise risk.Continue Reading

• Multi-platform Java-based malware: Reducing Java risks

  A new variant of Java-based malware can execute regardless of the operating system used. Nick Lewis explains how to limit the threat.Continue Reading

• Despite OpenSSL security issues, industry needs open source SSL

  SilverSky CTO Andrew Jaquith says despite the recent Heartbleed flaw, the industry will stick with OpenSSL over commercially licensed SSL products. Jaquith also opines on the aftermath of the Target breach.Continue Reading

• Developing a compliance awareness training program

  Developing a compliance awareness training program is key to preventing accidental internal compliance breaches. Expert Mike Chapple explains the steps to follow when starting such a program.Continue Reading

• The big data challenge: What's in store for NoSQL security

  In the rush to capitalize on big data, many companies forget that developing an ecosystem of structured and unstructured data means higher risk of loss and exposure. What technologies should be in place to enforce NoSQL security controls on-premises...Continue Reading

• A comprehensive guide to securing the Internet of Things

  As the number of Internet-connected devices grows, the potential security challenges of the so-called "Internet of Things," or IoT, can no longer be ignored. The web of interconnected devices promises both enormous benefits to users and Continue Reading

• Non-malicious insiders: The biggest insider threat of all?

  Video: Insider threats expert Randy Trzeciak explains why non-malicious insiders, particularly developers, pose as much risk to an enterprise as intentionally malicious insiders.Continue Reading

• Blocking VPN bypass flaws and malicious apps on Android

  Expert Nick Lewis explains how to avoid a detrimental VPN bypass flaw that allows malicious apps to infiltrate Android devices.Continue Reading

• Pretexting: How to avoid social engineering scams

  Expert Nick Lewis explains how to keep call center employees from getting duped by social engineering scams and pretexting.Continue Reading

• Heartbleed security bug offers lessons in incident response

  Perhaps the biggest security bug of this generation, Heartbleed offers a number of lessons for improving incident response. Threat expert Nick Lewis highlights his key takeaways.Continue Reading

• Mobile keyloggers and touchscreen detection attacks

  A recent proof of concept shines new light on the future of mobile keyloggers. Michael Cobb reviews how to keep touchscreen devices safe from attack.Continue Reading

• Building the business case for a formal patch management program

  Delaying security patches is a huge risk. Michael Cobb explains how to build the business case for a formal patching program for a variety of systems.Continue Reading

• In-house app stores a handy weapon against malicious mobile apps

  Michael Cobb explains why an enterprise in-house app store is an effective weapon against malicious mobile apps and dispels common misunderstandings against this means for securing employee devices and company data.Continue Reading

• Malicious mobile apps are getting tougher to fight

  Learn why enterprises must revise their defenses to keep mobile users and data safe, and where to concentrate your IT security budget.Continue Reading

• How to stop the malicious mobile apps aimed at your network

  This presentation explains the threat from malicious mobile apps and how to neutralize it through rules, training and more.Continue Reading

• Does Heartbleed exploit risk always justify patching?

  Video: Gartner analyst Jay Heiser discusses Heartbleed's aftermath, including whether the risk of a Heartbleed exploit always justifies patching.Continue Reading

• Achieve converged security with a secure Web gateway

  While you may have never heard of a secure Web gateway, it may be the Swiss army knife of converged security your enterprise needs.Continue Reading

• How to survive a cybersecurity staff shortage

  Despite today's enterprise cybersecurity staffing crisis, management expert Joseph Granneman says InfoSec success is possible with a sharpened focus.Continue Reading

• Multifactor authentication key to cloud security success

  Following the collapse of an AWS-based cloud hosting provider, experts say enterprises should prioritize use of multifactor authentication.Continue Reading

• After Heartbleed: New realities of open source software security

  In the wake of Heartbleed, many enterprises are revisiting open source software security. Expert Michael Cobb offers a reality check.Continue Reading

• An MDM strategy in a BYOD world must focus on data first, then devices

  In the BYOD era, mobile device security requires a strategy that focuses on data, not device, protection.Continue Reading

• P2P malware detection techniques

  The amount of malware using peer-to-peer communications has increased dramatically. Enterprise threats expert Nick Lewis explains how to detect P2P malware.Continue Reading

• Sandbox evasion: How to detect cloaked malware

  Cloaked malware, like DGA.Changer, can reportedly evade sandbox detection. Nick Lewis explains how to handle the risk.Continue Reading

• Improving security management with SIEM

  This Security School explains the best methods for infosec pros to effectively use SIM to get the best data in order to improve incident response, change management processes and security policies overall.Continue Reading

• Zeus malware: Analyzing next-generation features

  An updated, 64-bit version of the Zeus malware leverages Tor for C&C. What does this mean for enterprises? Nick Lewis discusses.Continue Reading

• Whaling attacks: Taking phishing attacks to the next level

  Whaling attacks take phishing to the next level with much bigger targets. Enterprise threats expert Nick Lewis explains how to mitigate the risk.Continue Reading

• Gartner: Nascent SDN security controls pose sizable risk

  A Gartner analyst says SDN security issues abound because of lacking security controls, little interoperability and shaky management features.Continue Reading

• User security training program success relies on psychology

  A Gartner analyst offers some psychology tips to help security pros get inside users' heads and eliminate bad security behaviors.Continue Reading

• On prevention vs. detection, Gartner says to rebalance purchasing

  At its annual security confab, the research giant said enterprises buy too much threat prevention and not enough detection and response technology.Continue Reading

• Choosing PCI DSS-compliant service providers

  Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.Continue Reading

• Do rogue mobile apps threaten Android device security?

  Michael Cobb discusses how an Android device security flaw may open the door for rouge mobile apps.Continue Reading

• Third-party vendor management security best practices

  Third-party vendor management is important for avoiding incidents like the Target breach. Joseph Granneman offers four must-have security controls.Continue Reading

• How to use TripWire SecureScan, a free vulnerability scanning tool

  Video: Learn how to use TripWire SecureScan, the free vulnerability scanning tool that helps enterprises detect Heartbleed on networks and devices.Continue Reading

• How to integrate SIEM system capabilities with incident response

  Learn how SIEM systems have evolved and how they now gather the data operations teams need to investigate and mitigate attackers' damage.Continue Reading

• API gateways emerge to address growing security demands

  With mobile, cloud and the Internet of Things driving massive API growth, experts say now is the time for API gateway technology to shine.Continue Reading

• The top five employee responsibilities in a BYOD security strategy

  Behind any successful enterprise BYOD strategy are employees who do the right things.Continue Reading

• Plan to migrate before Windows Server 2003 end of life

  Continuing with Windows Server 2003 after its end-of-life date is a problem waiting to happen. Michael Cobb offers pointers on an upgrade.Continue Reading

• McGraw on assessing medical devices: Security in a new domain

  Secure software development expert Gary McGraw says there's a lot of work to be done in the domain of medical device security.Continue Reading

• Socially engineered malware attacks: Enterprise defense best practices

  Enterprise threats expert Nick Lewis explains how socially engineered malware attacks work and how enterprises can defend against them.Continue Reading

• Is there such a thing as a secure smartphone?

  President Obama isn't allowed to use an iPhone, highlighting today's widespread mobile platform security issues. Is there such a thing as a secure smartphone?Continue Reading

• PCI DSS: Why vulnerability assessment and penetration testing are so hard

  Enterprises fail to meet requirement 11 more than any other PCI DSS requirement. Expert Mike Chapple explains why and how firms can do better.Continue Reading

• Are malicious mobile apps a mere inconvenience or a real threat?

  How big a security threat are the malicious mobile apps riding into your enterprise on employees' mobile devices?Continue Reading

• VBS worms: Still dangerous?

  VBS worms were a top security concern in the early 2000s. Should enterprises still be worried? Nick Lewis explains.Continue Reading

• How to protect employees from fake patches

  Attackers are using fake patches to trick users into installing malicious software. Security expert Nick Lewis explains how to avoid the threat.Continue Reading

• Defense is the best offense for preventing DoS attacks

  Expert Michael Cobb discusses how developing a response plan in conjunction with service providers can help enterprises better thwart DoS attacks.Continue Reading

• How to hone an effective vulnerability management program

  You must know your system's weak points to form an effective risk management program and a strong defense.Continue Reading

• John Pescatore: Critical Security Controls boost operational security

  John Pescatore on why the SANS Institute's Critical Security Controls make up for other security deficiencies; plus, secrets of working with Gartner.Continue Reading

• Cyberthreat intelligence is getting crowded

  As threat intelligence communities multiply, it may be time to revisit crowdsourcing security.Continue Reading

• Important business skill sets for information security professionals

  Expert Joseph Granneman explains important business skills information security pros need -- and how to acquire them -- as the discipline matures.Continue Reading

• Threat intelligence versus risk: How much cybersecurity is enough?

  Learn how threat intelligence plays into global risk assessment as more security officers are tasked with damage control.Continue Reading

• Threat intelligence and risk: Why cybersecurity hangs in the balance

  As more security professionals take on greater roles in global risk management, Global 2000 companies are investing in cybersecurity measures above and beyond compliance requirements. Global threat intelligence services have continued to evolve and ...Continue Reading

• PCI economics: Are the information security requirements working?

  How to evaluate whether PCI DSS is lowering credit card fraud and the risks associated with data breach disclosure.Continue Reading