Problem solve
Get help with specific problems with your technologies, process and projects.
What are the top five concepts or lessons on security management?
Many security managers wish their company executives understood more about the importance of information security. Security management expert Mike Rothman lists the top five things every executive should know.
Password management best practices for financial services firms
Password management is a fundamental tenet of effective information security, but it's harder than it seems to manage passwords correctly, and far too easy to get it wrong. In this tip, contributor Tony Bradley shares best practices for effective ...
Is a Master Boot Record (MBR) rootkit completely invisible to the OS?
Whether or not we see widespread attacks that use MBR rootkits will depend on two factors. Platform security expert Michael Cobb explains them both.
How to install and configure Nessus
Nessus, an open source vulnerability scanner, can scan a network for potential security risks and provide detailed reporting that enables you to remediate gaps in your corporation's security posture. This tip, the first in a series of three on ...
Nessus: Vulnerability scanning in the enterprise
General advice for vulnerability scanning in the enterprise with the open source vulnerability scanner Nessus.
How to run a Nessus system scan
In the second tip in our series on running Nessus in the enterprise, our contributor takes you step by step through the process of running a Nessus system scan. View screenshots of the Nessus interface and learn commands for the Unix Nessus GUI.
Windows registry forensics guide: Investigating hacker activities
The Windows registry can be a helpful tool for professionals looking to investigate employee activity or track the whereabouts of important corporate files. In this tip, contributor Ed Skoudis explains how investigators and administrators ...
Best practices for application-level firewall selection and deployment
Application-level firewalls are an essential aspect of any organization's multi-layered defense strategy, but the implementation process has some security pros scratching their heads. In this tip, contributor Joel Dubin discusses the contrasting ...
Can a hacker actually post malicious scripts to any server using a drop-down list?
By viewing a page's HTML source code and inserting malicious scripts into the values of a drop-down list, an attacker may be able to re-post the modified page to the server. In this security threats expert response, learn how to avoid this attack.
What are the pros and cons of zero-knowledge penetration tests?
A penetration tester with no previous knowledge of the site being tested may be able to give some insight unavailable to other forms of penetration testing, but there are pros and cons. Expert Michael Cobb weighs in.
Pros and cons of multifactor authentication technology for consumers
Multifactor consumer authentication is a must-have for financial services firms, but there are a number of different types of multifactor authentication technology from which to choose. In this tip, contributor Judith M. Myerson addresses the pros ...
To what exactly would a request for biometric data from an insurance provider pertain?
Biometric data serves only to verify identity. Identity and access management expert Joel Dubin explains what an insurance company might want with biometric data.
Security breach management: Planning and preparation
All organizations face the risk of an information security breach. While it can be a gut-wrenching ordeal, learning how to manage a breach can make it much easier to contain the damage. In this tip, contributor Khalid Kark unveils several key ...
The 'security standards dilemma': Network segmentation and PCI Compliance
The Hannaford Bros. data security breach led many to believe that even PCI-compliant organizations did not properly segment their networks -- or that PCI does not adequately address the importance of network segregation. Contributor Stephen Cobb ...
Understanding multifactor authentication features in IAM suites
Enterprises often make the mistake of assuming that IAM suites come with tightly integrated multifactor authentication features, but in reality making sure they work together well can be a challenge. In this tip, IAM luminary Joel Dubin explains why ...
Ophcrack: Password cracking made easy
Scott Sidel examines the open source security tool Ophcrack, a password cracking tool aimed at ensuring the strength of corporate passwords.
What tools can a hacker use to crack a laptop password?
Password cracking may be a hacker's specialty, but there are also many strategies to keep passwords secure.
More built-in Windows commands for system analysis
Windows command-line tools can be a valuable resource to security professionals charged with the secure configuration of Windows machines. In this tip, Ed Skoudis defines five more useful Windows commands that can provide new insight into the realm ...
Webmail security: Best practices for data protection
Webmail has become a popular choice for enterprises looking to provide users with email access outside the office, but deployment of any Web-based email system presents a unique set of security challenges. In this Messaging Security School tip, ...
PCI compliance and Web applications: Code review or firewalls?
The Payment Card Industry Data Security Standard is about to get a new wrinkle involving Web applications. As of June 30, 2008, to achieve PCI compliance, enterprises must either have their custom Web application code reviewed or install Web ...
Out-of-band authentication: Methods for preventing fraud
Out-of-band authentication can add another layer of data security as customers seek enhanced online banking security. There's also an added cost benefit. This tip delves into various methods and how they can benefit financial firms.
Vista WIL: How to take control of data integrity levels
In the past, Windows users could tweak NTFS permissions and decide who should have access to important data. With the introduction of the Windows Vista operating system, however, the Windows Integrity Levels (WIL) feature seeks to address previous ...
Penetration testing: Helping your compliance efforts
Penetration testing can be helpful as part of a corporate vulnerability assessment, but is it as valuable for enterprise compliance? In this tip, contributor Mike Rothman examines the connection between compliance and pen-testing and unveils why pen ...
Are Internet cafe users' email credentials at risk?
Most browsers store all Web pages, including a user's messages and other information, in a cache from which they can be retrieved with relative ease. Expert Michael Cobb explains how to keep personal data from getting into the wrong hands.
Microsoft PatchGuard: Locking down the kernel, or locking out security?
With Microsoft's release of Windows Vista, the software giant locked down the kernel and forced independent security vendors to change the way that they provide antivirus services. So is the OS safer from attacks as a result? Contributor Tony ...
Should iPhone email be sent without SSL encryption?
SSL encrypts all of the communication between your iPhone and your mail server. Network security expert Mike Chapple explains how important that feature really is.
Worst practices: Learning from bad security tips
In this tip, information security threats expert Ed Skoudis exposes some bad security practices, highlights the common and dangerous misconceptions held by security personnel, and offers insight on how corporations can learn from others' mistakes.
The ins and outs of database encryption
While pundits and gurus may say the "easy" data protection option is for an enterprise to encrypt its entire database, the truth is it's much harder than many realize. In this tip, database security expert Rich Mogull examines the two primary use ...
What are the possible benefits of microchip implants and RFID tags for employees?
Though it may seem like a good idea to mark employees in high-risk areas with implants or RFID tags, there are some serious security concerns to take into account.
GLBA risk assessment steps to success
GLBA requires financial firms to protect their data from anticipated risks. How can those risks be determined? Follow these steps to perform a risk assessment at your financial organization.
Worst practices: Bad security incidents to avoid
Some of information security's worst practices are just best practices ignored. And those guilty of today's big infosec mistakes range from chief security officers to network firewall managers to security staffs at giant financial firms and ...
Which is a more secure data access technology: SPAN or TAP?
When monitoring traffic on a network, which is the best tool to use? Network security expert Mike Chapple gives advice.
Which operating system can best secure an FTP site?
In this expert Q&A, platform security expert Michael Cobb explains how a secure FTP protocol can improve websites and Web services.
Should a domain controller be placed within the DMZ?
When creating an Active Directory network, is it necessary to place domain controllers in the DMZ? Network security expert Mike Chapple explains.
What are the dangers of cross-site request forgery attacks (CSRF)?
Ed Skoudis defines the threats posed by cross-site request forgery (CSRF) attacks, and explains how they are similar to and differ from cross-site scripting attacks.
Testing for client-side vulnerabilities
Client-side vulnerabilities have become a common target of attacks. Financial organizations must keep up by assessing their exposure to such threats. This tip offers three methods for testing your exposure.
What ports should be opened and closed when IPsec filters are used?
In this SearchSecurity.com Q&A, application security expert Michael Cobb explains how to set up separate branch IPsec filters that connect with a head office.
Is Triple DES a more secure encryption scheme than DUKPT?
DES and TDES are symmetric block ciphers, while DUKPT (Derived Unique Key Per Transaction) is a key management scheme that derives a fresh key for each transaction rather than a cipher in its own right. Michael Cobb explains their separate and distinct roles in protecting financial transactions.
Failure mode and effects analysis: Process and system risk assessment
Information security pros are always trying to assess which systems and processes pose the greatest risk to an organization. In this tip, Gideon T. Rasmussen explains how the failure mode and effects analysis (FMEA) methodology can help quantify the ...
If one server in a DMZ network gets attacked from outside, will the other servers be corrupted?
An attack on a DMZ server is a big security risk. But does it necessarily mean that the other servers are compromised? Network security expert Mike Chapple weighs in.
Google hacking exposes a world of security flaws
In this tip, contributor Scott Sidel examines Goolag, an open source security tool that assists security pros in finding flaws in websites through Google hacking.
What is the purpose of RFID identification?
RFID identification can be used to keep track of everything from credit cards to livestock. But what security risks are involved?
Encryption methods for financial organizations
Extreme encryption often comes with penalties. So how do you determine what type of encryption to use? Storage expert Deni Connor explores three methods in this tip.
Intrusion detection system deployment recommendations
Before you take the time and effort to deploy an IDS, consider this advice.
Phased NAC deployment for compliance and policy enforcement
Thinking about NAC? You're not alone. Many organizations are taking a new look at the latest generation of network access control tools, with the hopes of mapping security policy requirements to technical controls. For those about to take the NAC ...
How to secure an FTP connection
Network security expert Mike Chapple offers three tips that enable an FTP connection without opening up an enterprise to security risks.
Web scanning and reporting best practices
Implementing a solid Web scanning routine is a key way to avoid corporate Web application attacks. And with industry requirements such as PCI DSS, performing vulnerability scans is also required to stay compliant. In this tip, contributor Joel ...
DMVPN configuration: Should a firewall be between router and Internet?
Cisco's Dynamic Multipoint VPN (DMVPN) product allows the configuration of site-to-site VPNs across WAN connections. Security expert Mike Chapple explains how a firewall fits into this particular network setup.
Two-tier distributed systems vs. three-tier distributed systems
Mike Rothman discusses the pros and cons of using two-tier distributed systems vs. three-tier distributed systems.
Is centralized logging worth all the effort?
Network log records play an extremely important role in any well-constructed security program. Expert Mike Chapple explains how to implement a centralized logging infrastructure.
What are the pros and cons of shaping P2P packets?
Packet shaping, a technique used to control computer network traffic, really isn't a security issue; it's a policy matter, says network expert Mike Chapple. Learn why, in this SearchSecurity.com Q&A.
Does SOX provision email archiving?
Although SOX may lack specificity regarding certain controls, it does have clear mandates for email retention.
Built-in Windows commands to determine if a system has been hacked
In this tip, contributor Ed Skoudis identifies five of the most useful Windows command-line tools for machine analysis and discusses how they can assist administrators in determining if a machine has been hacked.
How would you meet PCI requirement 2.3 when it comes to terminal service or RDP sessions?
What's the best way to comply with PCI DSS without having to create a secure IPsec tunnel for every connection to critical systems? Security management expert Mike Rothman gives his advice.
What techniques are being used to hack smart cards?
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.
How secure is online banking today?
Most banks take the security of their online services seriously. In this expert Q&A, Michael Cobb explains why online banking is relatively safe -- with the exception of one particular mistake.
How to protect DNS servers
The DNS database is the world's largest distributed database, but unfortunately, DNS was not designed with security in mind. Application security expert Michael Cobb explains how to keep a DNS server from being hijacked.
How should the ipseccmd.exe tool be used in Windows Vista?
Ipseccmd is a command-line tool for displaying and managing IPsec policy and filtering rules. Expert Michael Cobb explains how to get the scripting utility to work with Vista.
Are encrypted Microsoft Word files safer in transit than PDF files?
In this expert Q&A, Michael Cobb demonstrates how a misconfigured firewall makes it easy for some Microsoft Word and PDF files to be sniffed in transit.
Data loss prevention (DLP) tools: The new way to prevent identity theft?
Despite advances in perimeter technologies, data theft has become common in today's enterprises. To protect their confidential information, some security professionals are turning to an emerging technology category: data loss prevention. But don't ...
How would you define the responsibilities of a data custodian in a bank?
Data security is incredibly important for financial institutions, and it's the data custodian's job to make sure that data is safe. Security management expert Mike Rothman explains more.
Can Trojans and other malware exploit split-tunnel VPNs?
The beauty of split tunneling is that an enterprise doesn't need to provide the general Internet access point for a VPN user. Mike Chapple, however, also explains why split-tunnel VPNs provide a false sense of security.
Can a firewall alone effectively block port-scanning activity?
In this expert response, Mike Chapple reveals which product is the best line of defense against port scanning threats.
Should an intrusion detection system (IDS) be written using Java?
There's no reason that you couldn't implement intrusion detection functionality in any higher-level programming language, Java included. Network security expert Mike Chapple, however, explains why Java may not be the best choice.
Exploit research: Keeping tabs on the hacker underground
Protecting an organization against malicious hackers is a constant challenge, especially when attack methods are constantly evolving. But, according to information security threats expert Ed Skoudis, there are effective methods security pros can use ...
The forensics mindset: Making life easier for investigators
Eventually every enterprise suffers an incident, and a little preparation now can make all the difference when an event occurs. In this tip, contributor Mike Rothman explains why thinking like an investigator can help security pros develop a ...
How to lock down USB devices
USB devices, thumb drives, flash drives -- whatever you call them, portable media present a significant challenge for enterprises, as they enable easier data transport for mobile workers, but are often the cause of catastrophic data leaks. In this ...
What are the risks of connecting a Web service to an external system via SSL?
Security pro Joel Dubin discusses the risks associated with SSL connections, and offers advice on how to avoid them.
What are the dangers of using radio frequency identification (RFID) tags?
In this expert response, Joel Dubin discusses the dangers associated with radio frequency identification (RFID) tags, and how users can protect themselves.
Biometrics vs. biostatistics
In this expert response, Joel Dubin examines the differences between biometrics and biostatistics.
Basel II's impact on information security
Managing risk is a constant pain point at financial institutions. Regulations, like Basel II, can help. This tip explains how.
How to store and secure credit card numbers on the LAN
How do small companies typically store credit card numbers on their LANs? Joel Dubin comments.
Preventing employees from using a proxy to visit blocked sites
P2P blocking can be difficult; smart blocking tools can help.
What software development practices prevent input validation attacks?
Improper input validation leads to numerous kinds of attacks, including cross-site scripting, SQL injection and command injection. In this expert Q&A, Michael Cobb reviews the most important application development practices.
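The two Q&As above that touch on input handling, the drop-down list question ("Can a hacker actually post malicious scripts to any server using a drop-down list?") and the input validation question directly above, share one underlying point: a value that arrives from a browser form is attacker-controlled, whatever widget the page used to collect it. The following Python example is added here to illustrate that point; it is not code from either tip or from the experts quoted. It assumes a sign-up form with a "username" text field and a "plan" drop-down, an SQLite table of sign-ups, and two constructed submissions, one honest and one hand-crafted. It shows the handler that trusts the drop-down value and concatenates it into SQL beside the hardened handler that re-checks the value against a server-side allowlist, binds parameters, and encodes output for the HTML context.

```python
"""Added example (not from the SearchSecurity tips above): server-side handling
of a sign-up form whose 'plan' field comes from a drop-down list.
Field names, the allowed option values and the sample requests are assumptions."""
import html
import sqlite3

# The server's own list of legal drop-down values. The <select> element in the
# browser is only a convenience: an attacker can edit the HTML source or craft
# the POST body directly, so the server must re-check every submitted value.
ALLOWED_PLANS = {"basic", "standard", "premium"}


class ValidationError(ValueError):
    """Raised when a submitted field is not one of the server-defined choices."""


def validate_plan(value):
    """Allowlist check: accept only a value the server itself offered."""
    if value not in ALLOWED_PLANS:
        raise ValidationError("unexpected plan value: %r" % (value,))
    return value


def new_db():
    """In-memory SQLite database standing in for the application's store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signups (username TEXT, plan TEXT)")
    return db


def table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='signups'"
    ).fetchone()
    return row[0] == 1


def count_signups(db):
    return db.execute("SELECT count(*) FROM signups").fetchone()[0]


def save_signup_vulnerable(db, form):
    """Trusts the drop-down value and builds SQL by string formatting, so an
    injected value is parsed and run as additional SQL (SQL injection)."""
    sql = "INSERT INTO signups VALUES ('%s', '%s')" % (form["username"], form["plan"])
    db.executescript(sql)  # executescript runs every statement in the string


def save_signup_hardened(db, form):
    """Validates the drop-down value against the allowlist, then binds both
    fields as parameters so the data is never parsed as SQL."""
    plan = validate_plan(form["plan"])
    db.execute("INSERT INTO signups VALUES (?, ?)", (form["username"], plan))
    db.commit()


def render_confirmation(form):
    """Output encoding for the HTML context, so a username such as
    <script>...</script> is displayed as text rather than executed (XSS)."""
    return "<p>Thanks, %s. Plan: %s</p>" % (
        html.escape(form["username"]), html.escape(form["plan"]))


def vulnerable_loses_table(form):
    """True if the vulnerable handler let the submission drop the table."""
    db = new_db()
    save_signup_vulnerable(db, form)
    return not table_exists(db)


def hardened_accepts(form):
    """True if the hardened handler stored the row, False if it rejected it."""
    db = new_db()
    try:
        save_signup_hardened(db, form)
    except ValidationError:
        return False
    return count_signups(db) == 1


# Constructed sample submissions: the first is what the browser's <select>
# would send, the second is a hand-crafted POST body that never saw the page.
HONEST_FORM = {"username": "o'brien", "plan": "standard"}
TAMPERED_FORM = {"username": "mallory", "plan": "x'); DROP TABLE signups; --"}

if __name__ == "__main__":
    print("vulnerable handler lost the table:", vulnerable_loses_table(TAMPERED_FORM))
    print("hardened handler accepted honest form:", hardened_accepts(HONEST_FORM))
    print("hardened handler accepted tampered form:", hardened_accepts(TAMPERED_FORM))
    print(render_confirmation({"username": "<script>alert(1)</script>", "plan": "basic"}))
```

The allowlist is the check that matters for a drop-down: rejecting anything the server did not put in the list makes the tampered submission fail before it reaches the database, and parameter binding protects the free-text username, including a legitimate apostrophe, without any escaping of your own. Validation on input and encoding on output are separate steps; skipping either one leaves one of the attack classes named in the Q&A open.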
How are biometric signatures more than a fingerprint scanner?
How secure are biometric signatures, and what's the best way to keep them from being defeated? Identity and access management expert Joel Dubin explains.
Data loss prevention from the inside out
Corporate information loss can often be credited to a company's internal organization, or lack thereof. In other words, in order to prevent data leakage, corporations must not only eliminate external threats, but also internal processes that could ...
What can be done to block adult images in search engine results?
What steps can be taken to ensure that children cannot access pornographic images through Google on their school's Internet connection? Mike Rothman explains the options and the inherent difficulties.
Challenges behind operational integration of security and network management
The integration of security and network operations holds a great deal of promise thanks to today's security information management technology, but there are a number of hurdles to overcome when it's time to flip the switch. Sasan Hamidi outlines the ...
Open source vs. commercial network access control (NAC) products
There are now a number of free and open source network access control (NAC) products, but how do they stack up against the commercial options? Network professional Mike Chapple reviews the free alternatives, but also warns readers that a "stepping ...
A security checklist: How to build a solid DMZ
As part of his monthly response to readers, Mike Chapple provides a list of security add-ons that no DMZ should be without.
What to consider before opening a port
Recently, a reader asked network expert Mike Chapple, "What would be the security implications of opening six ports through a firewall?" Chapple reviews what questions need to be addressed before an organization exposes any network ports.
How to apply ISO 27002 to PCI DSS compliance
The Payment Card Industry Data Security Standard may be fairly straightforward, but it's lacking in defining the processes that will ultimately lead to PCI DSS compliance. In this tip, expert Richard Mackey explains why ISO 27002 can not only ...
How to prevent hack attacks against smart card systems
What are smart cards, and how can the security of a smart card itself be maintained?
IT GRC: Combining disciplines for better enterprise security
IT governance, risk management and compliance (GRC) is a growing area of information security that isn't clearly defined. In this tip, Forrester Research's Khalid Kark defines the components of IT GRC and offers advice on how CISOs and organizations ...
Secure file copying with WinSCP
In his latest Downloads column, Scott Sidel examines WinSCP, an open source SFTP and FTP client for Windows. Sidel explains how the tool's optional interfaces, multiple secure authentication mechanisms and strong security features make it a ...
Storage vulnerabilities you can't afford to miss
In this tip, Kevin Beaver identifies eight common storage security vulnerabilities that are often overlooked and examines why network admins should develop a layered security strategy to protect sensitive data.
Social engineering attacks: What we can learn from Kevin Mitnick
This article provides examples of how to strengthen your organization against social engineering.
Security awareness training: Stay in, or go out?
So you've decided you need security awareness training. Now what? In this tip, Joel Dubin offers a primer on in-house vs. outsourced security awareness training, and guidelines to help an organization decide which choice is best for its needs.
Your physical security budget: Who pays and how much?
In many organizations, the cost of data center security is a shared expense -- or at least it should be. How much then should you be spending on security, and how much of that should be picked up by other business units?
Ten hacker tricks to exploit SQL Server systems
SQL Server hackers have a medley of tricks and tools to gain access to your database systems. Learn their techniques and test SQL Server security before they do.
Firewall redundancy: Deployment scenarios and benefits
There are several good reasons to deploy multiple firewalls in your organization. Let's take a look at a few scenarios.
Types of confidential information
CISSP Thomas Peltier offers guidance on what your information classification policy should address.
Five steps to building information risk management frameworks
Implementing a successful enterprise risk management plan can be an overwhelming and harrowing process. In order to make the process work, many aspects need to be examined, and all business areas need to be hands-on. In this tip, contributor Khalid ...
Data leakage detection and prevention
While corporate data loss is not a new concern, newer technologies are emerging to help combat the threat. In this tip, Joel Dubin advises how to reduce data leaks, reviews products that can identify network vulnerabilities and keep mobile device ...
Cleansing an infected mail server
Learn five measures you can take when cleaning up a massive email virus infection.
Developing a patch management policy for third-party applications
Enterprises may push the latest critical Windows patches once a month, but here's a dirty little secret: Most organizations don't bother patching their third-party applications. The diversity of client-side software -- including everything from ...
Phone phishing: The role of VoIP in phishing attacks
Learn how attackers are using the widespread deployment of low-cost VoIP to leverage phishing attacks, and how to protect the enterprise.
What are the pros and cons of using stand-alone authentication that is not Active Directory-based?
Password management tools other than Active Directory are available, though they may not be the best access control coordinators.
How can birth certificate fraud and passport fraud be prevented?
Best practices for preventing birth certificate and passport fraud from expert Mike Rothman.
Information protection: Using Windows Rights Management Services to secure data
Keeping confidential information under wraps is paramount in any business, but finding the right mix of tools or techniques is a common challenge. In this tip, contributor Tony Bradley explains how Windows Rights Management Services (WRMS) can help ...