Manage
Learn to apply best practices and optimize your operations.
Safety of Web Applications
In this excerpt from chapter three of Safety of Web Applications, author Eric Quinton discusses symmetric and asymmetric encryption.
How to balance organizational productivity and enterprise security
It's no secret that enterprise security and organizational productivity can often conflict. Peter Sullivan looks at the root causes and how to address the friction.
What risk do Windows 10 telemetry features pose enterprises?
Microsoft collects data using Windows 10 telemetry features. Expert Michael Cobb explains what type of data is collected, and whether enterprises need to be worried about it.
After Stuxnet: Windows Shell flaw still most abused years later
A Windows Shell flaw used by the Stuxnet worm continues to pose problems years after it was patched. Nick Lewis explains how the flaw exposes enterprise security shortcomings.
How DNS TXT records can be used against enterprises
A domain name system is a widely used protocol, but new research shows how threat actors can use DNS TXT records for cyberattacks. Nick Lewis explains this new DNS threat.
Why DevOps security must be on infosecs' priority list
In the rush to implement DevOps, security is too often overlooked. But DevSecOps is essential in these hack-filled days. Learn how to add security to software development.
From security product marketing to CEO: Jennifer Steffens
The CEO of a global pen tester used to work for the New York Yankees. Find out how Jennifer Steffens went from sports marketing to head of a security service provider.
Why WannaCry and other computer worms may inherit the earth
A vast majority of APT attacks and malware delivery happens via spear phishing. But worms have always had a place in the toolkit when the delivery method fit the mission.
Meet the new government CISO for the nation's capital
With years of cybersecurity and military IT experience, the District of Columbia's first information security officer brings a well-developed toolkit to the job.
A damaging spring of internet worms and poor performance
Security is a hot topic for media outlets that report on stock markets as companies founder on corporate earnings. The financial fallout of global malware is a call to action.
What to do when cybersecurity breaches seem inevitable
The current threat landscape makes cybersecurity breaches seem unavoidable. Expert Peter Sullivan discusses some simple ways enterprises can reduce the risk of a breach.
How is cross-platform malware carried in Word docs?
Cross-platform malware enables attackers to leverage their attacks using infected Microsoft Word docs. Expert Nick Lewis explains how the attacks work and how to defend against them.
The difference between security assessments and security audits
Security audits and security assessments serve different needs. Organizations may use security audits to check their security posture, while security assessments might be the better tool in other cases. Expert Ernie Hayden explains the differences.
DoubleAgent malware could turn antivirus tools into attack vector
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains how to contain the threat.
Destruction of service: How ransomware attacks have changed
New ransomware variants have introduced another threat to enterprises. Rob Shapland explains what destruction of service attacks are and how organizations should prepare for them.
How to attack DDoS threats with a solid defense plan
An anti-DDoS program requires solid understanding of the threat and a clearly thought-out strategy. This guide will help you define and implement a solid DDoS defense plan.
Applying a hacker mindset to application security
It can be beneficial to think like a black hat. Expert Kevin Beaver explains why enterprise security teams should apply a hacker mindset to their work and how it can help.
How FBI cyber investigations handle obfuscation techniques
An FBI agent discusses cyber investigations, how they handle obfuscation techniques, the anonymizing features of the deep web and how to catch the right person.
Why data fidelity is crucial for enterprise cybersecurity
Cybersecurity teams can't be effective if they don't trust their data. Expert Char Sample explains the importance of data fidelity and the threat of cognitive hacking.
FBI: Cyber investigations no different from real world
Despite a loud group claiming the burden of proof is harder to meet with digital evidence, an agent says FBI cyber investigations are not much different from traditional cases.
Can a PCI Internal Security Assessor validate level 1 merchants?
A PCI Internal Security Assessor might not be the best bet to validate the compliance of a level 1 service provider. Expert Matthew Pascucci explains why and the alternative.
IPv6 addresses: Stability concerns and usage advice
Enterprises can deploy IPv6 addresses to improve privacy and security, but there are stability and usage considerations. Expert Fernando Gont explains what they are.
CISOs: Disruptive technology trends and how to prepare
Information security managers and venture capitalists weigh in on which digital trends are changing security operations and how IT teams should deal with the fallout.
Security innovations need to catch up with technology trends
When we asked CISOs and venture capitalists about disruptive technologies that could transform enterprise security models -- and how to prepare for them -- a few trends stood out.
Passive Python Network Mapping
In this excerpt from chapter two of Passive Python Network Mapping, author Chet Hosmer discusses securing your devices against network security threats.
As privacy requirements evolve, CISSPs must stay informed
Just as technology constantly changes, so too do the laws and regulations that govern data privacy. CISSPs must remain aware of their organization's individual requirements.
Tactics for security threat analysis tools and better protection
Threat analysis tools need to be in top form to counter a deluge of deadly security issues. Here are tips for getting the most from your analytics tool.
Information privacy and security requires a balancing act
Maintaining information privacy and security seem to be separate challenges, but in reality, each is integral to the other. Expert Kevin Beaver explains how to work toward both.
To secure Office 365, take advantage of controls Microsoft offers
Securing Office 365 properly requires addressing upfront any specific risks of a particular environment and taking advantage of the many security controls Microsoft offers.
WannaCry ransomware threat exposes enterprise security shortcomings
Expert Rob Shapland explains how a confluence of weaknesses in enterprise security led to the WannaCry ransomware threat generating maximum devastation.
Cloud access security brokers: Hard to tell what's real
Most cloud access security brokers offer CISOs a way to set policy and gain better understanding of multiple cloud services and data in use across the enterprise. As CASBs have gained momentum in recent years, use cases for them have expanded. Do ...
Can BGP anycast addressing be used for DDoS attacks?
The BGP anycast addressing technique could potentially be used for malicious purposes. Expert Judith Myerson explains how this might work and what types of attacks to look out for.
Managing access to keep privileged users' credentials secure
Privilege creep is a constant threat. It's why privileged user management must be part of any comprehensive security plan and always at the top of an infosec pro's to-do list.
Avoid privilege creep from the software development team
Too often, privilege creep occurs via the software development team, the result of pressure to update or launch apps. Learn what tools and tactics can counter privilege creep.
How should companies prepare for EU GDPR compliance?
Companies that don't meet GDPR compliance standards by May 2018 will be fined. Expert Matthew Pascucci looks at how Microsoft is preparing, and what other companies should do to comply with GDPR.
Mobile endpoint security: What enterprise infosec pros must know now
Do you know how to take care of mobile endpoint security in your enterprise? This guide walks you through all aspects of the issue, from policy and strategy to emerging threats.
Q&A: GDPR compliance with Microsoft CPO Brendon Lynch
Failure to achieve compliance with the EU's General Data Protection Regulation in the next 12 months can trigger fines of up to 4% of a company's gross annual revenue.
Polycom CISO focused on ISO 27001 certification, data privacy
Tasked with security and compliance, Lucia Milica Turpin watches over internal systems and remote communications customers entrust to the video conferencing company.
Challenging role of CISO presents many opportunities for change
With some reports showing incredibly short tenures, new CISOs barely have time to make their mark. The salaries are good; the opportunities for the right skills, unlimited.
Measuring and Managing Information Risk: A FAIR Approach
In this excerpt from chapter 13 of Measuring and Managing Information Risk, authors Jack Freund and Jack Jones discuss information security metrics.
The security pros and cons of using a free FTP tool
A free FTP tool can help move enterprise files to a managed file transfer service, but there are security factors to consider. Expert Judith Myerson explains what they are.
Mobile Data Loss: Threats and Countermeasures
In this excerpt from chapter three of Mobile Data Loss, author Michael T. Raggo discusses mobile security countermeasures.
Identity and access management strategy: Time to modernize?
More likely than not, your company's identity and access management strategy needs an update. Learn how to decide if that's the case and, if so, what you should do now.
Should a forced password reset be standard after a data breach?
Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this should be a standard practice.
Dedicated security teams: The pros and cons of splitting focus areas
Could using dedicated security teams that focus on one area of risk help reduce the attack surface for enterprises? Expert Steven Weil looks at the pros and cons of that approach.
Totally automatic: Improve DevOps and security in three key steps
Concerned about DevOps security? Learn three key steps to embedding security into the software development process, including how to improve automation.
Enterprise scenarios for threat intelligence tools
Expert contributor Ed Tittel explains which types of organizations need threat intelligence tools as part of a proactive, layered security strategy to protect against threats.
MSSPs add advanced threats as managed security services gain hold
Skill shortages and budget constraints have led some companies to adopt a hybrid approach to managed security. Is it time for CISOs to start looking for 'expertise as a service'?
The managed security provider comes knocking
A constantly evolving threat landscape and a deepening skills crisis have more enterprises looking to a managed security service provider for help handling some of their security requirements. The trend is expected to drive strong demand for MSSPs ...
Sharpen your DDoS detection skills with the right tool
DDoS detection and prevention tools are more sophisticated than ever. But finding the right one for your company takes studying and asking vendors the right questions.
IoT development and implementation: Managing enterprise security
The CSA's guidelines for secure IoT development can give enterprises an idea of how to evaluate IoT products. Expert Nick Lewis explains the steps enterprises should take.
CJIS Security Policy: How can companies ensure FIPS compliance?
Companies and government agencies handling criminal justice information need to comply with CJIS Security Policy. Expert Michael Cobb explains the cryptographic modules to use.
Why authorization management is paramount for cybersecurity readiness
After enterprise identities are authenticated, an authorization management system should monitor how resources are being used. Expert Peter Sullivan explains how it can work.
What to consider about signatureless malware detection
Endpoint security is changing into signatureless malware detection and protection. Expert Matthew Pascucci discusses the transition away from signatures.
Q&A: IBM's Diana Kelley got an early start in IT, security came later
How did an editor become a security architect? A fascination with computers sparked a lifelong journey for IBM's executive security advisor.
MIAX Options CSO on security's role in business continuity
Faced with the demands of derivatives trading, CSO John Masserini understands the value of aligning controls with business risk. We ask him how he does it.
Security looks to machine learning technology for a cognitive leg up
Advances in machine learning technology and artificial intelligence have proven to work well for some information security tasks such as malware detection. What's coming next?
How to use DNS reverse mapping to scan IPv6 addresses
Enterprises looking to perform IPv6 address scans can use DNS reverse mapping techniques. In part one of this tip, expert Fernando Gont explains how the process works.
What global threat intelligence can and can't do for security programs
Global threat intelligence is a valuable complement to a company's security program, but it can't replace security measures like training and internally collected data.
How to organize an enterprise cybersecurity team effectively
The structure of an enterprise's cybersecurity team is important for ensuring it's as effective as possible. Expert Steven Weil outlines strategies for setting up a security group.
Set up your system for the best network security possible
The IT pro's job is to ensure both the best network security and the best network performance. Our guide provides solid steps to take right now to achieve both in this age of mobile and the internet of things.
Recent ransomware attacks: Data shows 50% growth in 2016
With high sums paid, ransomware gets all the attention. But malware is not the only way that criminals gained control of enterprise systems, a new report shows.
Role of CISO: FICO enlists CISO in security product management
As head of FICO's information security program, Vickie Miller's role is wide-ranging.
Insider Edition: Attaining security for IoT, through discovery, identity and testing
Ever since the internet of things became a "thing," the potential for abuse has been well documented; how best to achieve security for IoT is not yet clear. This Insider Edition of Information Security magazine tackles that second ...
Privileged access management and security in the enterprise
This Security School explores the important steps enterprises need to take when managing privileged access accounts to prevent credential abuse and security incidents.
Are investigations crucial to data breach protection?
SWIFT banking has a team dedicated to data breach investigations. Expert Mike O. Villegas discusses why this is necessary and whether other organizations should follow suit.
The dangers of using security policy templates in the enterprise
Among other drawbacks, using security policy templates can make compliance audits and breach assessments harder for enterprises. Expert Joseph Granneman explains why they're risky.
Information Security Science
In this excerpt from chapter 1 of Information Security Science, author Carl Young discusses information security threats and risk.
Industrial Network Security
In this excerpt from chapter 3 of Industrial Network Security, authors Eric D. Knapp and Joel Langill discuss the history and trends of industrial cybersecurity.
Should one cybersecurity mistake mean the end of a CEO's career?
In one case, a tenured CEO made one cybersecurity mistake and was fired. Expert Mike O. Villegas discusses whether this sets a precedent for enterprises going forward.
Should CISOs share the responsibility for a cybersecurity incident?
CISOs usually take the brunt of the blame when a cybersecurity incident occurs, but should they? Expert Mike O. Villegas details ways CISOs can share the responsibility.
Meet security goals by avoiding threat intel and analytics mistakes
Meeting top security goals is only the first step. Get up to speed on how to avoid common pitfalls in the use of threat intelligence and analytics.
How do the Linux kernel memory protection features on Android work?
Google has added Linux kernel memory protection and other security measures to the Android OS. Expert Michael Cobb explains how these features work to protect devices.
High-stakes role of CISO: Scott Howitt, MGM Resorts International
Many organizations are making the CISO a peer to the CIO or taking the position out of IT altogether, says Howitt, who has held several technology and leadership positions.
Dedicated CISO job still open to debate
Almost 20 years after Citicorp decided to hire an executive-level security position dedicated to protecting its banking business, the responsibilities of the CISO job are still unclear to many business executives and open to discussion. Why do some ...
Is a no-SMS 2FA policy a good idea for enterprises?
Now that NIST has deprecated the use of SMS 2FA, should nongovernment organizations follow suit? Expert Mike Chapple discusses the risks of SMS-based 2FA to enterprises.
Are browsers using the HTTP/2 protocol vulnerable to HEIST attacks?
HEIST, a new HTTP/2 protocol exploit, can steal encrypted content from HTTPS traffic. Expert Michael Cobb explains how this attack works and how to stop it.
How can users protect mobile devices from SandJacking attacks?
Attackers can use the SandJacking attack to access sandboxed data on iOS devices. Expert Nick Lewis explains how to protect your enterprise from this attack.
Preventing trusted users from misusing their privileges
Users with privileged accounts have the ability to make critical changes to your enterprise system. Find out how to control trusted users and prevent malicious actions.
Information security risk management: Understanding the components
An enterprise has to know what risks it is facing. Expert Peter Sullivan explains why an information security risk management plan is crucial for cybersecurity readiness.
Privileged user access: Managing and monitoring accounts
Maintaining the security principle of least privilege can prevent abuse of privileged user accounts. Learn about the best practices for monitoring privileged access.
Patching and updating applications: How much time should be spent?
A survey found that half of its respondents perform application updates daily. Expert Michael Cobb explains how to allocate appropriate time on different security controls.
Preventing privilege creep: How to keep access and roles aligned
Privilege creep can result in the abuse of user access and security incidents. Expert Michael Cobb explains how enterprises can keep user roles and privileges aligned.
New tactics for better endpoint security threat prevention
Endpoint security threat prevention tools are crucial in your endpoint management strategy. This three-part technical guide will help you develop and advance your existing endpoint security management approach. It includes a chapter that outlines ...
Preventing and responding to a healthcare ransomware infection
The healthcare industry is a target for ransomware infections. Expert Ernie Hayden explains how organizations can take steps to prevent and respond to these attacks.
Which are the best cybersecurity certifications for beginners?
There are an overwhelming number of cybersecurity certifications available, so which one should people just beginning their career start with? Expert Mike O. Villegas answers.
Is a cybersecurity expert necessary on a board of directors?
Communicating cybersecurity issues to a board of directors can be challenging. Expert Mike O. Villegas discusses whether a cybersecurity expert on the board would ease the struggle.
Ransomware attacks: Why healthcare data is at risk
Ransomware attacks on healthcare data are on the rise. Expert Ernie Hayden explains why healthcare organizations are a target and the effects of these attacks.
Why are cybersecurity KPIs important for enterprises to determine?
Cybersecurity KPIs are important for enterprises to determine when setting up a security program. Expert Mike O. Villegas discusses why and what a KPI for security should be.
How can an HTTPS session get hijacked with the Forbidden attack?
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly secure HTTPS-authenticated sites.
How to use hashcat to address authentication vulnerabilities
Authentication vulnerabilities are a constant problem, but testing tools like hashcat can make a significant difference. Expert Joe Granneman discusses hashcat and password cracking.
Improve endpoint security protection with advanced tools and techniques
Better endpoint security protection is possible with NAC, DLP and other tools and techniques. Learn how they fit together to improve enterprise endpoint protection.
How to handle out-of-band management for network infrastructure
Out-of-band management can be used for handling network infrastructure. Expert Judith Myerson explains the benefits of out-of-band management and how it can be implemented.
Report: Lack of SSL traffic inspection poses threat to enterprises
New research shows poor visibility into encrypted traffic increases the risk to enterprises as malicious actors take advantage of blind spots.
Identity of things? IAM system to change as IoT invades the workplace
Companies in certain industries -- manufacturing, healthcare and critical infrastructure -- are already dealing with securing the internet of things; others will have to start.
How can privileged access accounts be managed in large companies?
Network administrators typically resist policies for separate accounts when performing different tasks. Expert Michael Cobb explains the risk of privileged access.
Major password breaches: How can enterprises manage user risk?
With the large number of password breaches happening, enterprises should look into new methods of protecting their resources. Expert Nick Lewis explains how to reduce user risk.
Preparing for new DDoS techniques: Mitigating the inevitable attack
Attackers are using DDoS techniques that focus on IoT and IPv6. Learn how to build a response plan, select mitigation solutions and recover from an attack.
Risk & Repeat: MobileIron's James Plouffe on Mr. Robot, mobile threats
In this Risk & Repeat podcast, SearchSecurity talks with James Plouffe, lead solutions architect at MobileIron and a technical advisor for the television series 'Mr. Robot.'
Trusted? Certificate authority risks and how to manage them
Trusted certificate authorities are essential in today's business climate, but that doesn't mean they are easy to come by. Certificate authority risks are many, certainly, but this three-part technical guide is designed to make plain the challenges ...