Manage

Manage

Learn to apply best practices and optimize your operations.

• How to use IPsec filtering rules to filter network traffic

  Learn how to control what enters and exits your PCs by using IPsec filtering rules to filter particular protocol and port combinations for both inbound and outbound network traffic. Continue Reading

• Preventing Data Theft, Combating Internal Threats

  Defend against internal threats and prevent information leakage and hacker attacks with several tactics such as employee monitoring, behavioral analysis tools, encryption and incident response. Continue Reading

• Mining NetFlow

  Your routers and switches can yield a mother lode of security information about your network--if you know where to dig Continue Reading

• The pros and cons of FTP over SSL

  Compare and contrast the pros and cons of having hosts send PGP-encrypted files to an existing FTP site against building an ad hoc FTP server using SSL, in this Ask the Expert Q&A Continue Reading

• Web application variable manipulation

  Learn what happens to a Web application that uses two certificates: a client-side SSL certificate and a server-side certificate, and whether this certificate combination prevents Web application manipulation. Continue Reading

• Proxy server functions

  In this Ask the Expert Q&A, our platform security expert details how proxy servers work and determines whether they protect personal and sensitive information safe from hacker exploits.Continue Reading

• Why form fields aren't a good place to hide sensitive information

  Web security guru Michael Cobb, takes an in-depth look at the dangers of HIDDEN form fields, how attackers use them to gain unauthorized entry or hijack sessions, and most importantly, how to secure the information sent in these fields.Continue Reading

• How buffer-overflow vulnerabilities occur

  Learn about buffer-overflow vulnerabilities; how they occur, types of buffer-overflow attacks, and how hackers exploit them to gain access to secure and sensitive files.Continue Reading

• How RSA keys differ from DH/DSS keys

  In this Ask the Expert Q&A, Michael Cobb, our application security expert explains how RSA and DH/DSS differ, examines the strengths and weaknesses of each, and, explains how to use the compression library Zlib.Continue Reading

• Best practices for managing secure Web server configurations

  In this tip, Michael Cobb, our Web security guru takes an in-depth look at ways to manage securing configurations of multiple Web servers. He explains the process from frequency to documentation and replication.Continue Reading

• How to prevent application attacks and reduce network vulnerabilities

  In this Ask the Expert Q&A, our application security guru discusses how hackers exploit network vulnerabilities to attack your applications and what you can do to mitigate this risk.Continue Reading

• Building A Perimeter Defense With Application-Level Firewalls

  Learn how application level firewalls, when carefully deployed, can build perimeter defenses and prevent hackers from exploiting vulnerabilities, such as application code, to achieve attacks.Continue Reading

• Application Security: Cenzic's Hailstorm v2.6

  Cenzic's Hailstorm v2.6Continue Reading

• How different DBMSes implement Internet database security

  Learn what it takes to achieve comprehensive DBMS security, in this application security Ask the Expert Q&A.Continue Reading

• Five common application-level attacks and the countermeasures to beat them

  This tip reviews five of the most common attacks against applications: injection vulnerabilities, cross-site scripting (XSS), broken authenticcationa nd session management, insecure direct object references and security misconfiguration. Michael ...Continue Reading

• How to keep your data and database secure

  In this Ask the Expert Q&A, Michael Cobb discusses why having a Web-based application that resides on the same server as the database can be problematic, and, what you can do to keep your data safe.Continue Reading

• Developing an incident response plan

  In this Ask the Expert Q&A, Shon Harris provides resources you can use to devise an effective incident response plan.Continue Reading

• MD5 vs. RC4

  In this Ask the Expert Q&A our application security expert compares the MD5 encryption algorithm against its competitor RC4 and examines the security features of each.Continue Reading

• Using attack responses to improve intrusion detection

  IPSes must detect an attack as it comes into the network; however, IDSes have the advantage of identifying an intrusion based on incoming our outgoing network traffic.Continue Reading

• Securing Web apps against authenticated users

  Improve Web site security by securing Web applications from authenticated users and avoiding client-side authentication.Continue Reading

• Avoiding Network Traffic Confusion with Consistent Firewall Rules

  Keep network traffic flowing by collaborating firewall rules and network access devices.Continue Reading

• Patch deployment timeline

  In this Ask the Expert Q&A, our platform security expert discusses how long a mid- to large company should expect to wait before they are able to deploy a patch.Continue Reading

• The future of Telnet and FTP

  In this Ask the Expert Q&A, our application security expert discusses what he believes what will happen to the Telnet and FTP application layer protocols as the industry prepares for the future.Continue Reading

• Protect your Web site against path traversal attacks

  How to protect your Web site against path traversal attacks.Continue Reading

• How to prevent the risks of client-side caching

  Problems of client-side caching and tips for developers on using secure cache-control directives.Continue Reading

• Hercules 4.0 Enterprise Vulnerability Management Suite

  Information Security magazine's contributing editor, James C. Foster , reviews Hercules 4.0 Enterprise Vulnerability Management Suite from Citadel Security Software.Continue Reading

• CRAM (challenge-response authentication mechanism)

  CRAM (challenge-response authentication mechanism) is the two-level scheme for authenticating network users that is used as part of the Web's Hypertext Transfer Protocol (HTTP).Continue Reading

• Market trends: The future of e-mail security

  The e-mail security market is undergoing a change that is marked by commoditization and centralization. Joel Snyder analyzes these trends and offers a glimpse at the future of e-mail security products.Continue Reading

• Using secure MIME (S/MIME) for securing email

  Secure MIME (S/MIME) and digital certificates offer channel professionals a low-cost way to improve their customers' email security. This tip explains how to implement S/MIME and digital certificates for email encryption.Continue Reading

• Step-by-Step Guide: Best practices for security patch management

  This step-by-step guide offers best practices on how to deploy a security patch and provides the tools you will need to mitigate the risk of a compromised computer.Continue Reading

• The pros and cons of application firewalls

  In this Ask the Expert Q&A, our application security expert discusses the pros and cons of application firewalls. He also explains how they differ from packet filter and stateful inspection firewalls, and why they are not the preferred among some ...Continue Reading

• How to prevent drive corruption in the event of power failure

  In this Ask the Expert Q&A, learn how a PDA device stores data and programs. Also learn how Compact Flash cards and hard drives differ and what some are doing to prevent drive corruption in the event of power failure.Continue Reading

• Malware signature updates

  In this Ask the Expert Q&A our platform security expert discusses how the malware detection and virus detection processes differ. Also learn what some are doing to prevent spyware, rootkits, trojans and other types of malware from running on their ...Continue Reading

• Digital certificates and webmail

  In this Ask the expert Q&A, our application security expert analyzes whether or not you can use digital IDs and certificates with webmail. He also discusses how and where to secure these devices to ensure your e-mail system is secure.Continue Reading

• Personal qualifications of an information security manager

  Charles Cresson Wood outlines the personal qualifications every information security manager should possess in this excerpt from Information Security Roles and Responsibilities Made Easy.Continue Reading

• Encryption detection

  In the Ask the Expert Q&A, Michael Cobb, our application security expert discusses if it is possible to detect encryption. He also takes a closer look at steganography, explains what it is and how it is used to secure e-mail communications.Continue Reading

• Imprivata's OneSign 2.8 - Single Sign-On

  Imprivata's OneSign 2.8Continue Reading

• Top 5 Hacker Tools: Google hacker, password cracker, WLAN detector

  Read about five must-have hacker tools: WikTo, a Web scanner and Google hacking tool; Paros Proxy, a Web application manipulation proxy; Cain and Abel, a password sniffer/cracker; Winfingerprint, a Windows configuration harvester; and Wellenreiter, ...Continue Reading

• Risk management methodologies

  Expert advice regarding best practices for risk management methodologies. Also learn how vulnerability management and risk management tools differ and how they can help protect your environment.Continue Reading

• How to configure an FTP server with SSL

  In this expert response, security expert Michael Cobb explains how to securely configure an FTP server with Secure Socket Layering (SSL).Continue Reading

• Storing hashed, encrypted values in a database

  Expert advice on storing hashed and encrypted values in a database.Continue Reading

• Testing a security patch

  Learn tool and techniques you can use to test a security patch prior to deployment.Continue Reading

• Wireless security review: Juniper Networks' Netscreen-5GT Wireless

  Juniper Networks' Netscreen-5GT WirelessContinue Reading

• Intrusion Detection: Tripwire's Enterprise 5.0

  June 2005 review of Tripwire's Enterprise 5.0Continue Reading

• nCircle's IP360 Vulnerability Management System product review

  Product review of nCircle's IP360 Vulnerability Management System pricing, setup, configuration, assessment, and installation feature information.Continue Reading

• Five essentials of a patch management solution

  Learn the key criteria you need to consider when purchasing a patch management solution to ensure it is effective.Continue Reading

• Pre-CISSP: Options for the security newbie

  Shon Harris advises novice security practitioners on the value of entry-level certifications -- and good, old-fashioned experience -- in preparation for the CISSP®.Continue Reading

• Who's responsible for security? Everyone!

  Learn how to decentralize security responsibility in your organization.Continue Reading

• How to configure Snort variables

  Learn how to define Snort's configuration variables.Continue Reading

• Snapping on SNMPv3

  The ubiquitous management protocol is more secure, but upgrading isn't simple.Continue Reading

• Dos and don'ts for passing the CISSP exam

  From choosing an exam date to answering the questions, here are some dos and don'ts for CISSP exam success.Continue Reading

• Identity and Access Management: Provisioning

  Continue Reading

• Wireless security product review: AirTight Networks' SpectraGuard 2.0

  A review of AirTight Networks' SpectraGuard 2.0Continue Reading

• SSHv2: Safe & Secure

  The overhauled encryption protocol helps harden networks.Continue Reading

• Quiz: Vulnerability management

  Test your knowledge of vulnerability management process and methodology with this quiz by Shon Harris, CISSP.Continue Reading

• The Myths of Security

  The ancient Greeks spun myths to explain the unexplainable. Modern enterprises use commonly held myths as a foundation for security.Continue Reading

• Best practices: Making vendor pitches work for you

  Get the most out of vendor calls with these best practices.Continue Reading

• Vulnerability testing with Open Vulnerability Assessment Language

  Learn how the Open Vulnerability Assessment Language (OVAL) can help organizations improve vulnerability testing processes.Continue Reading

• Simplify with SIM: Evaluating security information management systems

  Security information management tools are key to refining the deluge of raw data in an enterprise network into actionable intelligence. Expert Joel Snyder discusses.Continue Reading

• Password security issues: How enterprise single sign-on can help

  Learn how the U.S. Postal Service has reduced password security issues and improved productivity by leveraging enterprise single sign-on.Continue Reading

• Benefits of encryption: Improving your enterprise IT security structure

  Learn the benefits of encryption and how it can be one of the only true secure ways to protect your enterprise.Continue Reading

• The downside of cybercrime investigation and prosecution

  Prosecuting cybercrime puts your organization -- and your security -- on the hot seat.Continue Reading

• Preventing spyware and third-party attacks

  Is your IT infrastructure prepared for spyware? In this feature, learn how to prepare your enterprise for spyware and how best to avoid these third-party attacks.Continue Reading

• The self-defending network: Is it real technology or market speak?

  Cisco and other security vendors are touting the "self-defending" network. Is it real technology or market-speak?Continue Reading

• Best practices for choosing an outside IT auditor

  Learn six points for choosing the right outside auditor.Continue Reading

• Outsourcing best practices: Identifying offshoring risks

  Offshoring is good for business, but lax security practices can torpedo your investment.Continue Reading

• Service-level agreement management: Defining security policy roles

  Does your security plan include expectations or incentives for SLAs? Lawrence Walsh explains why setting standards for your enterprise is essential.Continue Reading

• Best practices for writing an information classification policy

  When developing your organization's information classification policy, there are three best practices that you should keep in mind.Continue Reading

• Firewall responsibilities and firewall timeout features

  Continue Reading

• NAC best practices and technologies to meet corporate security policy

  New solutions help you secure endpointsContinue Reading

• Week 28: New technical manager challenges and pitfalls

  In this column, Shelley Bard offers up some tips for the new technical manager.Continue Reading

• Six Sigma and CMM models offer security best practices

  Security can learn a lot from Six Sigma, CMM and other established business methodologies.Continue Reading

• Tier-1 policy overview: Procurement and contracts, records management

  In the fourth and last installment of this tier-1 policy overview series, Thomas Peltier looks at Procurement and Contracts, Records Management and Asset Classification Policies.Continue Reading

• Laws of security: 10 security best practices

  Learn the laws of security and 10 security best practices.Continue Reading

• The future of software security vulnerabilities

  The evolution of software security vulnerabilities opens new vistas for business... and the bad guys.Continue Reading

• Audit failure: How one lab raised IT security awareness and its audit grade

  Learn how Argonne National Lab raised IT security awareness and its audit grade from 'F' to 'A'.Continue Reading

• Database security tools for preventing SQL injection attacks

  An emerging breed of database security tools is helping security teams spot attackers' favorite techniques, like SQL injection.Continue Reading

• Managing change in information security policies

  In this tip, security expert Mike Chapple will highlight a five-step process designed to help your organization approach necessary changes to its IT security policies in a formal, yet flexible fashion. He will also provide several questions that ...Continue Reading

• Implementing a better operational risk management framework

  Hackers don't impact long-term stock prices; rogue traders and lousy products do.Continue Reading

• A step-by-step network incident response plan

  We need automated response tools that go beyond fledging IPSes. In this tip you will learn how to create an IT incident response plan, step-by-step.Continue Reading

• Best practices for security report writing

  Concise, targeted security reports command the attention of the executives who need to act on them. Learn best practices for security report writing.Continue Reading

• A Patch in Time: Considering automated patch management

  Vulnerabilities are followed by patches, followed by exploits, followed by misery. Automated patch management solutions ease the pain and cut costs.Continue Reading

• Keys to an effective virus incident-response team

  How you recover from a malicious code attack depends on how quickly you respond. Learn how to coordinate a virus incident-response team to help minimize malware damage.Continue Reading

• Business continuity roles improve security incident management

  IT personnel may be front-line responders, but if they "own" incident management, your enterprise is at risk. Here's a business blueprint for an effective security incident management program with business continuity roles.Continue Reading

• Review: RSA ClearTrust 5.5 secure federated identity management system

  RSA ClearTrust 5.5 eases the administration of securing Web services identity management across business partners' systems.Continue Reading

• Week 1: The security manager's daily checklist

  Here's a daily checklist for security managers.Continue Reading

• Using control change management to improve attack resistance

  Learn how control change management can free your enterprise from the "widget mentality" -- and ensure better attack resistance.Continue Reading

• Four steps to ensure security deployment success

  Security deployment will go smoother if enterprises step back, ask questions, involve everyone and lower expectations.Continue Reading

• Computer Associates' Sanjay Kumar on the once-troubled firm's comeback

  Can Computer Associates' Sanjay Kumar convince the world that the once-troubled tech giant has changed?Continue Reading

• Vendor liability: Should we be suing for security?

  The latest lawsuit against Microsoft revives the legal debate of how much of security is the responsibility of the consumer, and how much is vendor liability.Continue Reading

• The security costs of outsourcing software development

  Before outsourcing software development, enterprises should make sure they perform due diligence and understand the associated security costs.Continue Reading

• Home office security: Seven ways to secure remote employees

  Fred Avolio outlines seven strategies enterprises should use to ensure their remote employees participate in good home office security.Continue Reading

• Fear factor: Malicious code and why the worst is yet to come

  As bad as the malicious code landscape may seem with Code Red, Nimda, and Sobig, Ed Skoudis says you ain't seen nothin' yet.Continue Reading

• Controlling Linux root privilege in a Linux environment

  If your enterprise has multiple sysadmins, giving them separate accounts is advisable. Su and Sudo can aid in keeping Linux root privilege rooted in safety.Continue Reading

• Employee privacy rights: When is it OK to spy on employees?

  Having a sound enterprise policy is everything if your organization wants to "spy" on employees -- otherwise it'll find itself violating employee privacy rights.Continue Reading

• Frank Abagnale preaches the dangers of hacking

  A penitent Frank Abagnale Jr. shuns white-collar crime and fraud, and helps others understand how to guard against the dangers of hacking.Continue Reading

• Proactive security: Make offense your best defense

  Information Security editorial director Andrew Briney outlines three measures that will help enterprises turn their reactive security into proactive security.Continue Reading

• Security survey results: Six information security myths dispelled

  A rose is a rose is a rose, but Information Security magazine and SearchSecurity surveys bust six security myths, proving infosec is maturing as a profession and a practice.Continue Reading

• Chain of command: Inside Prudential's security management program

  Information Security's October 2003 issue examines the security management program at Prudential Financial and why it's processes and people are a rock of information security stability. Also in this issue: how to reduce insider risk, how the ...Continue Reading

• Defending the rock: Prudential's security culture and change control management

  Cover story: Prudential's ingrained security culture and change control management makes it a security program worth emulating.Continue Reading