Tips

Tips

• NSTIC identity plan: Can identity brokers stop Internet identity theft?

  The new NSTIC identity proposal would have identity brokers handling enterprise merchant customer authentication. But can it work?  Continue Reading

• How to test a firewall: A three-step guide for testing firewalls

  There are three steps when testing firewalls for your organization. Expert Joel Snyder explains how to test a firewall.  Continue Reading

• Web-facing applications: Mitigating likely Web application threats

  New, interactive Web-facing applications are popping up all the time, but expert Nick Lewis advises enterprises on how to be vigilant against Web application threats.  Continue Reading

• Can a PCI Level 2 merchant perform a PCI self-assessment?

  Expert Mike Chapple clarifies whether a PCI Level 2 merchant can carry out an annual PCI self-assessment questionnaire.  Continue Reading

• Information security intelligence demands network traffic visibility

  Use the network and host data at your disposal to create business-focused information security intelligence policies and strategies.  Continue Reading

• How to set up your own secure enterprise Android app store

  Reduce the risk posed by smartphones and mobile applications by setting up a corporate app store for users that helps ensure Android application security.  Continue Reading

• SIEM technology primer: SIEM platforms have improved significantly

  After a rocky start with early SIEM technologies, current offerings are easier to use and provide more reliable automated responses.  Continue Reading

• Information security career paths leading to security specialist jobs

  Recruiter Peter Rendall sees information security career paths leading toward security specialist jobs; SIEM, DLP and analysis are especially hot.  Continue Reading

• For U.S. companies, EU cookie compliance calls for website changes

  With recent changes to European data privacy laws, U.S. enterprises must make website changes to meet EU cookie compliance deadlines.  Continue Reading

• Security event log management, analysis needs effective ways to search log files

  Search is a key discipline for security log management. John Burke explains how to better search log files to improve security event log management.  Continue Reading

• Securing the SIEM system: Control access, prioritize availability

  The prospect of a SIEM system crash should scare any enterprise. Guard against a compromised SIEM system to protect the security nerve center.  Continue Reading

• Key steps to perform a successful information security gap analysis

  Need to assess the holes in your organization’s network? Learn how an information security gap analysis can help you find network security weaknesses.  Continue Reading

• How to ensure data security by spotting enterprise security weaknesses

  How can a specialized organization spot security weaknesses? Nick Lewis offers a process to help niche companies ensure data security.  Continue Reading

• Carrier IQ software: A big risk to enterprise mobile security?

  Nick Lewis exposes the fact and fiction of the Carrier IQ software and the potential information security risk for enterprises.  Continue Reading

• Managed mobility services: Benefits of MDM in the cloud

  Mike Chapple on dealing with the mobile device management market and what MMS can do to benefit an organization.  Continue Reading

• Employee risk assessment: Helping security spot high-risk employees

  Expert Ernie Hayden offers a brief primer on employee risk assessment using CERT guidelines to help security teams spot high-risk employees.  Continue Reading

• SEC disclosure rules: Public company reporting requirements explained

  Learn the public company reporting requirements necessary to comply with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules.  Continue Reading

• Enterprise mobile access: Considerations for two-factor mobile authentication

  Is two-factor mobile authentication the only answer to secure enterprise mobile access? Randall Gamby explores keeping mobile access under control.  Continue Reading

• Mac enterprise security: Going beyond Mac malware scans

  More attackers see an opportunity in Mac enterprise environments. Mike Cobb explains how to ensure a Mac enterprise security plan goes beyond Mac malware scans.  Continue Reading

• Windows 7 network security: Keys to a Windows 7 upgrade project plan

  Ensure Windows 7 network security during your enterprise desktop upgrade with two essential elements for your Windows 7 upgrade project plan.  Continue Reading

• Exploring Google Chromebook security for the enterprise

  The Chromebook is unique among new entrants in the mobile device arena. Mike Cobb breaks down the key Google Chromebook security issues enterprises need to know.  Continue Reading

• Android security settings and controls for Android enterprise security

  Can Androids ever be secure enough for corporate use? Learn about Android security controls to enable effective Android enterprise security.  Continue Reading

• Adopt Zero Trust to help secure the extended enterprise

  Forrester Analyst John Kindervag explains Zero Trust Model and how it can be applied to protect data in today’s extended enterprise.  Continue Reading

• Metadata security and preventing leakage of sensitive information

  Without accounting for metadata security, sensitive document data can easily be extracted. Mike Chapple explores technologies to support metadata security.  Continue Reading

• Duqu malware advice: Should enterprises worry about the Duqu Trojan?

  Enterprise threats expert Nick Lewis offers analysis of the recent Duqu malware outbreak and the Duqu Trojan response enterprises should take.  Continue Reading

• VoIP eavesdropping: Hardening network security to contain VoIP risks

  Mike Chapple analyzes the VoIP risks posed by implementing a VoIP network and exposes the reality of telephone eavesdropping.  Continue Reading

• Privileged user access management: How to avoid access creep

  One of the most difficult areas of privileged user access management is avoiding access creep. John Burke covers how to keep privileged users in check.  Continue Reading

• EDRM-DLP combination could soon bolster document security management

  The integration of enterprise digital rights management solutions and data loss prevention tools could bring a level of automation to document security management.  Continue Reading

• Enabling secure Web development means treating vulnerabilities as bugs

  Gil Danieli explains why secure Web development depends on treating vulnerabilities like any other software bugs, and how to get Web developers to buy in.  Continue Reading

• How to implement an enterprise threat assessment methodology

  Learn how incorporating an assessment of external threats can increase the accuracy and comprehensiveness of risk assessments.  Continue Reading

• P2P encryption: Pros and cons of point-to-point encryption

  P2P encryption is an emerging technology; one that may be helpful for many companies, especially merchants. Mike Chapple dissects the pros and cons.  Continue Reading

• Building a compliance culture means learning from mistakes

  In this bonus to our "Compliance scorecard" Security School lesson, Eric Holmquist covers the importance of learning from failure by assessing how and why mistakes happen.  Continue Reading

• Antivirus engines: Lessons learned from the Tavis Ormandy Sophos research

  Learn how the discovery of several flaws in the Sophos antivirus engine can help advance the state of antimalware software.  Continue Reading

• Windows MBSA scan demo: Conducting a Windows security review

  In this screencast, Mike McLaughlin shows how a Windows MBSA scan can help determine client and server patch status during a Windows security review.  Continue Reading

• Modern security management strategy requires security separation of duties

  Contributor Matthew Pascucci argues that enterprises need security separation of duties to ensure an effective, modern security management strategy.  Continue Reading

• How to review your Web application security assessment tools, strategy

  Expert Cory Scott offers pointers for using Web application security assessment tools and developing an application security assessment strategy.  Continue Reading

• Anti-social engineering training: The first line of defense against human error

  Security team member Jeffrey Catalfamo details the key elements of a successful anti-social engineering training program.  Continue Reading

• How to write an effective enterprise mobile device security policy

  Expert Lisa Phifer explains the process for creating a winning enterprise mobile device security policy that reduces the risk of mobile data threats.  Continue Reading

• NSA best practices for data security

  Find out about Homeland Security and NSA best practices for automating data gathering, easing compliance and improving security.  Continue Reading

• Four VDI security concepts for every virtual desktop deployment

  Traditional IT security measures don’t always apply well to virtual desktop infrastructures; apply these four VDI security concepts.  Continue Reading

• Proposed HIPAA privacy rules changes may demand new tools, processes

  Proposed HIPAA privacy rules changes may require companies to keep closer tabs on electronic health records. Find out what it may mean for enterprise compliance.  Continue Reading

• Windows vs. Mac security: An enterprise endpoint security comparison

  Expert Mike Chapple explores the security implications of running Macs on the corporate network in a side-by-side comparison of Windows vs. Mac security.  Continue Reading

• Continuous monitoring strategy for government security managers

  A security expert offers insights and advice for government security managers on implementing a continuous monitoring strategy.  Continue Reading

• How to create a problem management process flow to minimize incidents

  Most organizations have an incident response team, but how many have a problem management team? Michael Cobb explains how problem management can prevent incidents.  Continue Reading

• NMAP NSE tutorial: Network asset and vulnerability identification

  In this screencast, expert Mike McLaughlin offers an NMAP NSE tutorial for enterprise network asset and vulnerability identification.  Continue Reading

• Best practices for enterprise database compliance

  Successful enterprise database compliance means, for starters, access must be tightly controlled and monitored. Get an understanding of key database compliance essentials.  Continue Reading

• Call to action: Is now the time to upgrade from Windows XP to 7?

  A disproportionate percentage of PCs infected with rootkits are running Windows XP. Does the upgrade from Windows XP to 7 need to happen now?  Continue Reading

• Securing Android devices with a mobile device security policy

  Secure employee-liable Android devices with workable security policies that discover, enroll, protect and monitor all Android endpoints.  Continue Reading

• Zero-day vulnerabilities and the patch management process: To test or not to test?

  Learn whether it’s better to risk exposure and take time to test zero-day patches, or risk business disruption and patch without testing.  Continue Reading

• Using standardized enterprise security practices to secure and defend your network

  PCI DSS, HIPAA, ISO and other enterprise compliance guidelines offer a foundation to build repeatable information security processes and procedures. Marcos Christodonte II explains how.  Continue Reading

• How to avoid VoIP security risks: Forrester’s six-step process

  If left unprotected, VoIP security risks pose a threat to corporate data. Learn how to secure VoIP systems with Forrester’s six-step process.  Continue Reading

• Malware on a Mac: How to implement a Mac antimalware program

  Learn how to create a Mac security program at your enterprise, before the amount of Apple platform malware reaches critical mass.  Continue Reading

• Remediating IT vulnerabilities: Quick hits for risk prioritization

  There's no way to eradicate all IT vulnerabilities, but spotting the most critical ones is essential. Read these quick hits for risk prioritization.  Continue Reading

• How to prevent phishing attacks: User awareness and training

  In this expert tip, David Sherry describes how a combination of technical controls and user awareness training can help put a dent in phishers’ attempts at spear phishing.  Continue Reading

• Analysis: PCI Tokenization Guidelines offer clarity, but questions remain

  Expert Diana Kelley says the new PCI Tokenization Guidelines pave the way for CDE tokenization, but some technical specifications remain unclear.  Continue Reading

• How to know if you need file activity monitoring to track file access

  Is file activity monitoring, a new product meant to integrate with DLP to provide more granular file access tracking, right for your enterprise?  Continue Reading

• Role-based access control for effective security management

  Effective role-based access control is vital for properly managing user access rights and enforcing access policies, but avoiding role sprawl can be challenging.  Continue Reading

• XACML tutorial: Using XACML as a foundation for entitlement management

  Learn how to use XACML to externalize fine-grained authorization from application logic and support cloud-based IAM initiatives.  Continue Reading

• Spear phishing examples: How to stop phishing from compromising users

  Spear phishing targets the weakest link in most security programs: users. These spear phishing examples can help your enterprise thwart attacks.  Continue Reading

• SOX compliance checklist: Five ways to refine a SOX compliance program

  SOX compliance is still too burdensome for many enterprises. Here are five ways to streamline a lagging SOX compliance program.  Continue Reading

• VoIP security best practices: Securing communication in the workplace

  VoIP communications can be a great money-saver, but without solid VoIP security best practices, it can introduce new risks.  Continue Reading

• How to use OWASP Broken Web Apps to prevent vulnerabilities

  OWASP Broken Web Apps allows pen testers to attack applications that are intentionally insecure to hone their skills at securing their own apps.  Continue Reading

• Forrester: Developing an enterprise risk assessment template

  Despite skeptics, an enterprise risk assessment template is worth investing in. Forrester’s Chris McClean explains why and how to get started.  Continue Reading

• Addressing the dangers of JavaScript in the enterprise

  The dangers of JavaScript are no secret to security professionals. Expert Michael Cobb discusses enterprise JavaScript defense technology and tactics.  Continue Reading

• COBIT 5: A first look at the recent updates

  In this tip, learn how to integrate the new management practices from COBIT 5 into current IT security framework implementations.  Continue Reading

• Proactive security measures: How to prevent malware attacks

  Security teams don't always need to be on the reactive. Learn how to implement proactive security strategies that prevent malware infections.  Continue Reading

• Choosing between job offers: Gauging security career opportunities

  How can you tell which job offer could lead you to becoming a CISO? InfoSec Leaders' Lee Kushner and Mike Murray weigh in.  Continue Reading

• Enterprise network forensic analysis: Reconstructing a breach

  In the aftermath of a breach, what are the first steps security pros should take? Learn how to get started with enterprise network forensic analysis.  Continue Reading

• Identity Ecosystem should make life a little easier for IT shops

  While implementation of the Identity Ecosystem is a long way off, the benefits for projects such as electronic health records could be significant.  Continue Reading

• Mitigating security risks of mobile location-based services technology

  What can enterprises do to mitigate the security risk of mobile location-based services technology and the like? Start by limiting smartphone apps.  Continue Reading

• Website secure login: Alternatives to out-of-wallet questions

  Learn about alternatives to static knowledge-based authentication and out-of-wallet questions for secure website logins in this tip.  Continue Reading

• Secure tokens: Preventing two-factor token authentication exploits

  What are the most common attacks against two-factor authentication, and how can you protect against them? Expert Nick Lewis weighs in.  Continue Reading

• An inside look into OWASP’s Mantra tool

  OWASP’s Mantra tool is being praised by security pro’s for its abundance of options and ease of use. In this screencast, Mike McLaughlin takes a look at what Mantra has to offer.  Continue Reading

• Balancing compliance with information security threat assessment

  Compliance is often the driver for security spending rather than real risks. Learn how to incorporate current threats into a compliance program.  Continue Reading

• How to collect Windows Event logs to detect a targeted attack

  Targeted attacks are growing, and eventually your enterprise will be a target. Expert Richard Bejtlich covers how to collect Windows Event logs to detect an intrusion.  Continue Reading

• Understanding iPad security concerns for better iPad enterprise management

  Are iPad security concerns burdening your company’s adoption of the technology? Expert Michael Cobb discusses common security concerns and iPad enterprise management issues.  Continue Reading

• The security career path: Pros and cons of job hopping

  Is going elsewhere the only path to the top? InfoSecLeaders.com's career experts Lee Kushner and Mike Murray discuss the pros and cons of job hopping.  Continue Reading

• Business partner security: Managing business risk

  Allowing outside business partner access to your systems and data always comes with some level of risk. Nick Lewis examines what those risks are and strategies for managing business risk.  Continue Reading

• PCI virtualization SIG analysis: Guidance for the cardholder data environment

  The PCI virtualization SIG guidance is in. Get analysis and advice on virtualization in the cardholder data environment from expert Diana Kelley.  Continue Reading

• WebScarab tutorial: Demonstration of WebScarab proxy functionalities

  In this WebScarab tutorial video, get step-by-step advice on how to install and use this free tool, including the WebScarab proxy features, among others.  Continue Reading

• Requirements for secure IPv6 deployments include better IPv6 tester tools

  More staff training, industry research and improved IPv6 tester tools are essential for secure IPv6 deployments in the enterprise. Expert Fernando Gont explains why.  Continue Reading

• Using an IAM maturity model to hone identity and access management strategy

  Forrester Research’s Andras Cser discusses how to use an IAM maturity model to assess your identity and access management strategy.  Continue Reading

• Is private browsing really private? Identifying Web browser risk

  Private browsing may offer users a false sense of security when surfing the Web. In this expert tip, learn how private browsing really works, and how to mitigate its risks.  Continue Reading

• Government cybersecurity: User-level security tools mitigate Fed insider risks

  Taking on a new zero-trust model, many federal agencies are implementing insider threat controls at the user level.  Continue Reading

• IPv6 myths: Debunking misconceptions regarding IPv6 security features

  Aggressive marketing has helped perpetuate a number of security-related IPv6 myths. Expert Fernando Gont helps separate myth from fact to ensure a secure IPv6 deployment.  Continue Reading

• Application log management: Enabling application security compliance

  Expert Michael Cobb discusses how application audits and information and event management can save you time and energy with application security compliance.  Continue Reading

• Thwarting a hacktivist: How to avoid sociopolitical IT security attacks

  Is your enterprise a significant hacktivist target? Learn how to determine whether your enterprise is more likely to be attacked.  Continue Reading

• How to detect content-type attacks in information security

  Malicious attackers have increasingly turned to exploiting vulnerabilities in client-side software. Learn how to detect and prevent these types of attacks in your environment.  Continue Reading

• Auditing virtualization: Security training for infosec pros

  This chapter discusses auditing virtualized environments, and begins with an overview of common virtualization technologies and key controls.  Continue Reading

• IPv6 security issues: IPv6 transition mechanisms

  Several IPv6 transition mechanisms have been created to ease the transition from IPv4, but Fernando Gont explains why they present IPv6 security concerns for enterprises.  Continue Reading

• Evolving IT security threats: Inside Web-based, social engineering attacks

  Attackers have mixed a dangerous cocktail of social engineering, Web-based attacks and persistence. Lenny Zeltser explains how your organization can keep from drowning in malware.  Continue Reading

• Malvertisements: Mitigating malicious advertisement malware

  Expert Michael Cobb explains why malvertisements are so hard to control and what enterprises can do to help mitigate the risk of malicious advertisement malware.  Continue Reading

• Cybersecurity insurance: Choosing a cyber insurance policy

  A cybersecurity insurance policy can help defray the costs of a data breach, should one occur, but is it worth the cost? Expert Ernie Hayden weighs in.  Continue Reading

• Assessing Internet Explorer 9 security: Safest browser ever?

  Research shows Internet Explorer 9 security identifies as much as 99% of potential malware. So is IE9 now the safest browser out there? Michael Cobb answers that question in this expert tip.  Continue Reading

• Top 5 mobile data protection best practices

  In this tip, we highlight five essential best practices for protecting business data stored on mobile devices and tablets, and identify readily available technologies that can be used to implement them.  Continue Reading

• Exploring SIM architecture options for virtual data center security

  To be successful in securing the virtual data center, security information management (SIM), a key element for effective data center security, must virtualize and become virtualization-aware. In this tip, we’ll discuss some of the options ...  Continue Reading

• Defining enterprise security best practices for self-provisioned technology

  Is your current enterprise security policy ready for mobile and cloud computing technology? Probably not, but it can be: Forrester's Chenxi Wang explains how.  Continue Reading

• UTM features: Is a UTM device right for your layered defense?

  Expert Mike Chapple explores what features a contemporary UTM device provides, and explains the factors that help determine UTM total cost of ownership.  Continue Reading

• Internal controls checklist for corporate data protection, compliance

  Expert Eric Holmquist details four key governance items that should be on every enterprise’s internal controls checklist to ensure corporate data protection.  Continue Reading

• Hacktivism examples: What companies can learn from the HBGary attack

  A few simple security best practices may have spared security company HBGary Federal from the recent attack by the hacktivist group Anonymous. Nick Lewis explains what happened and how to prevent such an attack against your company.  Continue Reading