Tips

Tips

• PCI requirement 7: PCI compliance policy for access control procedures

  Though PCI DSS is generally prescriptive, when it comes to requirement 7, organizations have more leeway -- and, thus, more potential for error -- than other sections of the standard. Learn how to handle PCI DSS requirement 7 in this expert tip.  Continue Reading

• A step-by-step SMB IT security risk assessment process

  Assessing your organization's security threats and risks takes just five steps, says Robbie Higgins. Check out his quick guide to the SMB security risk assessment process.  Continue Reading

• Netcat tutorial: How to use the free Netcat command-line tool

  Helpful for penetration testers and network admins who need to debug infected systems, the netcat command-line tool boasts many free features for enterprise use.  Continue Reading

• Understanding the value of an enterprise application-aware firewall

  Today's enterprise application-aware firewall technology offers a host of features to manage application and Web 2.0 traffic. Expert Michael Cobb takes a look at the features and how to make the most of them.  Continue Reading

• Data sanitization policy: How to ensure thorough data scrubbing

  Could you be inadvertently leaking sensitive data via poorly sanitized devices? Learn techniques for thorough data scrubbing in this tip.  Continue Reading

• P0f: A free collection of passive OS fingerprinting tools

  In this screencast, learn how to use p0f, a collection of free passive OS fingerprinting tools.  Continue Reading

• How to plan a secure network by practicing defense-in-depth

  When designing an enterprise network that includes hosted infrastructure components, many different layers must work together to keep it secure. Learn how to build network security in by practicing defense in depth.  Continue Reading

• Linux security best practices for Linux server systems

  Linux servers are used throughout many enterprises, and their security posture shouldn't be overlooked. In this tip, King Ables discusses risk assessment pointers for Linux server systems.  Continue Reading

• SOC 2.0: Three key steps toward the next-generation security operations center

  According to Forrester Research, traditional security operations are no longer practical. Forrester's John Kindervag discusses the new model, SOC 2.0, why it's important, and how to make it happen.  Continue Reading

• Three pen test tools for free penetration testing

  Nmap, Nessus and Nikto are penetration testing tools that security operators can use to conduct pentests on their networks and applications.  Continue Reading

• Why attackers exploit multiple zero-day attacks and how to respond

  A recent and disturbing malware trend involves attacks that attempt to compromise multiple zero-day flaws at once. Threats expert Nick Lewis explains what you can do to protect your enterprise.  Continue Reading

• IDS vs. IPS: How to know when you need the technology

  IDS and IPS are useful security technologies, but how do you know whether your enterprise can benefit from one? In this tip, infosec pro Jennifer Jabbusch offers a few specific use cases to help you know when to consider IDS/IPS.  Continue Reading

• Insider fraud detection and prevention

  Financial institutions need to monitor and recognize changes in employee behavior in order to detect potential insider fraud.  Continue Reading

• Honeypots for network security: How to track attackers' activity

  Honeypots have long been used to track attackers' activity and defend against coming threats. In this tip, network security expert Anand Sastry describes the different types of honeypots and which is best for your enterprise.  Continue Reading

• Smartphone security implications of Microsoft Exchange Activesync

  How can employees securely sync their smartphones to your company's Exchange email system? Greg Braunton details the features and products you need to keep data secure.  Continue Reading

• Security management plan reveals essential business security upgrades

  As companies create their security management plan for the coming year, they should look to upgrades in Linux and Windows operating systems, Adobe applications and Internet browsers to improve their overall security position.  Continue Reading

• User provisioning best practices: Access recertification

  User access recertification is the process of continually auditing users' permissions to make sure they have access only to what they need. Implementing recertification, however, can be challenging. Get best practices on creating a recertification ...  Continue Reading

• Android enterprise security: Mobile phone data protection advice

  Android devices are increasingly popular among enterprise users, but is Android enterprise security where it needs to be to ensure the safety of important enterprise documents? Expert Michael Cobb offers his take.  Continue Reading

• WPA security: Enabling the best Wi-Fi security for SMBs

  To choose the best Wi-Fi security for the small or midsized business, consider using WPA Enterprise or wireless access points with WPA-E authentication, or use a Windows hosted RADIUS service. Network security expert Mike Chapple explains how to ...  Continue Reading

• Outsourcing data center services: SMB security best practices

  Learn best practices for outsourcing data center services and about the security and compliance considerations that influence whether an SMB should outsource data center services.  Continue Reading

• SSL vulnerabilities: Trusted SSL certificate generation for enterprises

  Presentations at both Black Hat and Defcon 2010 demonstrated serious vulnerabilities in the SSL protocol, which, considering how widely used SSL is, could mean security problems for many enterprises. In this tip, Nick Lewis examines the researchers'...  Continue Reading

• Firewall logging: Telling valid traffic from network 'allows' threats

  While tracking firewall "deny" actions is a good way to identify threats, logging the "allow" actions can give greater insight into malicious traffic that could be both more subtle and more dangerous.  Continue Reading

• Value and limitations of Windows Data Execution Prevention

  When attackers inject malicious code into an application, Microsoft's Data Execution Prevention (DEP) technique can thwart the attack and save the day. But expert Tom Chmielarski says DEP does have some limitations.  Continue Reading

• Holistic fraud reduction through customer security management

  Monitoring customer behavior across multiple channels would help banks fight fraud, but today's fraud detection technology isn't there yet. In this tip, financial services expert Jerry Silva explains how banks could benefit from the concept of "...  Continue Reading

• PDF document security: A look inside Google Chrome PDF viewer

  You don't have to rely on Adobe's Acrobat Reader as your only PDF viewer; Google Chrome provides a secure PDF viewer that cuts down on your chances of falling victim to a PDF exploit.  Continue Reading

• How to install an OSSEC server on Linux and an OSSEC Windows agent

  Learn how to install the free, host-based intrusion detection system OSSEC, with step-by-step instructions on setting up an OSSEC Linux server with an OSSEC Windows agent.  Continue Reading

• Resist credit card data compromise threats due to memory-scraping malware

  PCI DSS does a good job of making sure credit card data in persistent storage is secure, however, such data in non-persistent storage -- such as files stored temporarily in memory -- can still be vulnerable to compromise, particularly via ...  Continue Reading

• Database security best practices: Tuning database audit tools

  Database auditing requires more than just the right tools: Those tools also have to be properly configured to offer the information that's needed and database performance that's required. Learn more about tuning database audit tools in this tip.  Continue Reading

• Microsoft IIS 7 security best practices

  Are you up to date with Microsoft IIS security best practices? Don't allow your enterprise to become vulnerable.  Continue Reading

• Data classification best practices in financial services

  Data classification is critical in the highly regulated financial industry. Learn key steps for data classification.  Continue Reading

• The pros and cons of deploying OpenLDAP: Windows and Unix

  Randall Gamby discusses how OpenLDAP should (or shouldn't) be used in conjunction with enterprise directory implementations.  Continue Reading

• Cisco MARS: What third-party lockout means for SIEM products

  Now that Cisco's MARS SIEM product no longer supports third-party product integration, should enterprises migrate away from the product? In this tip, network security expert Anand Sastry discusses how MARS works and whether the technology is still ...  Continue Reading

• XSSer demo: How to use open source penetration testing tools

  In this video demo, learn how to use XSSer, open source penetration testing tools for detecting various Web application flaws and exploiting cross-site scripting (XSS) vulnerabilities against applications.  Continue Reading

• How to refine an enterprise database security policy

  Noel Yuhanna of Forrester Research outlines what should be covered in a successful enterprise database security policy, including foundational security, preventative measures and intrusion detection.  Continue Reading

• Self-service user identity management: Pitfalls and processes

  While it might seem that self-service user identity management can save time and money, as well as keep information more current, there are a number of potential pitfalls. In this expert tip, Randall Gamby explains how to avoid these issues.  Continue Reading

• A PCI compliance network testing checklist to limit PCI DSS scope

  Network security pros may not realize it, but they may inadvertently be on the hook regarding PCI DSS compliance if card data is inadvertently spread across the network. Ed Moyle discusses how this happens and how to make sure the network falls out ...  Continue Reading

• Identity management federation best practices

  Outsourcing is necessary in the financial industry, but establishing secure partner communications can be difficult. Learn some best practices for implementing identity management federation.  Continue Reading

• How to use NeXpose: Free enterprise vulnerability management tools

  Learn how to use NeXpose Community Edition, a free collection of vulnerability management tools that offers pre-defined scan templates, and the ability to scan networks, OSes, desktops and databases.  Continue Reading

• Unmasking data masking techniques in the enterprise

  Patch-testing and development environments can't use live data and keep it secure. That's where data masking comes in. Michael Cobb examines the principles behind data masking and why security pros should endorse its use in order to keep production ...  Continue Reading

• How to find a keylogger on your computers

  If a hardware or software keylogger made it on to one of your organization's machines, it would be a security pro's worst nightmare. Learn how to detect and defend against the malware.  Continue Reading

• Monitoring strategies for insider threat detection

  Insider threat detection is a vital part of the security of any enterprise organization. In this tip, part of the SearchSecurity.com Insider Threats Security School lesson, learn about the best insider threat detection strategies.  Continue Reading

• Mobile banking risks and mitigation measures

  Mobile banking is taking off, but can financial firms keep up with the risks? Learn about steps Wells Fargo and Bank of America are taking to ensure mobile banking security.  Continue Reading

• Fake antivirus pop-up scams: Forming a security awareness training plan

  Rogue antimalware programs have been around for a while, and, according to a recent Google report, are more prominent and more difficult to detect than ever before. In this expert tip, Michael Cobb explains how to train employees to deal with these ...  Continue Reading

• Role-based access control: Pros of an open source RBAC implementation

  There are many advantages to an open source RBAC implementation. However, it's important to know the context in which such a product will work best. In this tip, expert Randall Gamby discusses how to determine if open source RBAC is right for you.  Continue Reading

• Email, website and IP spoofing: How to prevent a spoofing attack

  Find out how to prevent spoofing attacks, including IP spoofing, email and website spoofing.  Continue Reading

• Operating system comparison: The Windows OS security debate

  The security debate between Linux, Mac OS X and Windows got even more heated when Google ended its internal use of Windows. Tom Chmielarski explains when an organization may (or may not) be ready for a change in operating systems.  Continue Reading

• Data masking best practices for protecting sensitive information

  Protection of customer data is critical for financial services firms but encryption isn't the only option. Learn key considerations for data masking.  Continue Reading

• FTP security best practices for the enterprise

  FTP is easy and commonly used in the enterprise, but is it secure? Anand Sastry discusses its security shortcomings, best practices for securing FTP in the enterprise and FTP alternatives that may be even more secure.  Continue Reading

• Database application security: Balancing encryption, access control

  Database applications are often the epicenter of a company's sensitive data, so security is paramount, but maintaining a balance between security and business use can be tricky. In this tip, Andreas Antonopoulos discusses encryption strategies for ...  Continue Reading

• How to avoid attacks that exploit a Web browser vulnerability

  Beyond patching, Tom Chmielarski explains what you'll need to do to avoid application exploits caused by Web browser vulnerabilities.  Continue Reading

• Log management best practices: Five tips for success

  The right log management tool can quickly seem like the wrong one without advance planning on how to make the most of it. Diana Kelley offers six log management best practices to help do just that.  Continue Reading

• How to use Windows Group Policy to secure and restrict USB devices

  Learn how to use Windows GPOs take control of USB devices in your organization.  Continue Reading

• How to use a PDF redaction tool with a redacted document policy

  It may seem rudimentary, but sensitive data commonly leaks out of corporate networks in plain sight in the form of un-redacted documents. Such files -- those still containing hidden data or Microsoft "Track Changes" data -- can potentially lead to ...  Continue Reading

• Alternatives to password-reset questions tackle social networking cons

  With so much personal information available on the Internet, finding the answers to someone's password-reset questions can be quite easy. In this tip, learn about alternatives to the password-reset question option that can lead to more secure ...  Continue Reading

• Web 2.0 widgets: Enterprise protection for Web add-ons

  Web 2.0 widgets represent a threat vector that should not be overlooked at any enterprise organization. In this tip, Nick Lewis explains what a Web 2.0 widget is, and how companies can protect against them.  Continue Reading

• HIPAA covered entity and business associate agreement requirements

  Under HITECH, both "covered entities" and "business associates" must comply with HIPAA data protection mandates, but, as a covered entity, what's the best way both to maintain compliance for your organization, and make sure all your BAs are ...  Continue Reading

• Free port scan: How to use Angry IP scanner

  Scanning IP ports is a critical part of maintaining enterprise information security. In this screencast, Peter Giannoulis explains how to use the free tool Angry IP scanner for these port scans.  Continue Reading

• Buying an IPS: Decide which applications and protocols your IPS will protect

  Application and protocol coverage varies in signature-, rate- and behavior-based intrusion prevention systems. Understanding the differences is crucial to your IPS investments. This is the third in a seven-part series.  Continue Reading

• How to test Windows operating system patches

  Windows patch testing may be easy when it comes to applications like Outlook. Tom Chmielarski reviews how to test more difficult updates to the operating system.  Continue Reading

• Evaluating tools for online bank security

  Criminals are hijacking online bank accounts with sophisticated bank Trojans but a variety of technologies promise online bank security. In this tip, Dave Shackleford examines the pros and cons of tools designed to thwart online banking fraud.  Continue Reading

• Zeus botnet analysis: Past, present and future threats

  The Zeus botnet isn't showing signs of fading. In fact, it now threatens a wider scope of organizations beyond the banking industry. Expert Nick Lewis offers a Zeus botnet analysis, looking at why it's been so effective, what it's doing now and how ...  Continue Reading

• Choosing smartphone encryption software for mobile smartphone security

  If your enterprise users have smartphones, then your enterprise may need smartphone encryption. In this tip, expert Dave Shackleford describes what to look for in smartphone encryption software, from cost to management capabilities.  Continue Reading

• Endpoint fingerprinting: How to improve NAC security for 'dumb devices'

  Many enterprises underestimate the potential security problems posed by "dumb devices" like network printers or IP phones. Forrester Research analyst Usman Sindhu explains how endpoint fingerprinting can be used as a NAC add-on to identify and ...  Continue Reading

• Your USB port management options

  When it comes to managing USB ports, the choice is yours. Mike Chapple reviews your three best options.  Continue Reading

• How to perform an Active Directory security audit

  As a security professional, you depend on Active Directory to provision users, but how secure is your implementation of AD itself? Learn how to perform an Active Directory security audit in this expert tip.  Continue Reading

• Enterprise PDF attack prevention best practices

  Malicious PDF exploits are at an all-time high. Should enterprises dump PDFs altogether? Expert Michael Cobb answers that question and offers his key enterprise PDF attack prevention tactics.  Continue Reading

• Database activity monitoring (DAM) software deployment issues to avoid

  Database activity monitoring software deployments can have their shortcomings. For example, issues with network monitoring and policy overload can impact compliance audits and database performance.  Continue Reading

• How to manage compliance as Chief Information Security Officer (CISO)

  When it comes to IT compliance management, creating an effective compliance program is one of many jobs of a Chief Information Security Officer (CISO). In this tip from security management expert Ernie Hayden, learn how to create such a program.  Continue Reading

• Conducting a user access review with a small information security staff

  Has there been cutbacks on your company's information security staff? It would be easy for certain security tasks to fall through the cracks. Learn how to keep access controls tight without spending a lot of time or energy.  Continue Reading

• Create a data breach response plan in 10 easy steps

  Having a solid data breach response plan in place can make the threat of a security breach less intimidating. In this tip, learn 10 steps to take that will lead to an effective data breach response plan.  Continue Reading

• Employee compliance: Creating a compliance-focused workforce

  If your security team is low on time and money, one of the best things you can do is recruit more people: an entire enterprise worth's. In this tip, learn how to engage corporate employees to be secure themselves and to help enforce compliance best ...  Continue Reading

• Performing a security risk analysis to assess acceptable level of risk

  No organization is ever completely without risk, but there are steps that can be taken to establish an acceptable level of risk that can be appropriately mitigated. In this tip, Michael Cobb explains how to perform a security risk analysis to help ...  Continue Reading

• SMS two-factor authentication for electronic identity verification

  Tokens are no longer the only choice when it comes to OTPs and electronic identity verification. Learn about new two-factor authentication options involving SMS and mobile phones.  Continue Reading

• How to configure IIS authorization and manager permissions

  David Shackleford reviews authorization rules that will help you secure your IIS 7 Web server.  Continue Reading

• Operation Aurora: Tips for thwarting zero-day attacks, unknown malware

  In December 2009, Google, Adobe and other companies were the victims of a damaging cyberattack called Operation Aurora. In this tip, expert Nick Lewis outlines the lessons learned from this attack, and how companies can avoid falling victim to ...  Continue Reading

• Using Windows software restriction policies to stop executable code

  Software restriction policies are one way to prevent known malware and file-sharing applications from taking control of your network.  Continue Reading

• Creating a proactive enterprise security incident response program

  Every organization should develop a proactive security incident response program to ensure that when an incident does occur, it can be handled quickly and efficiently. Contributor Marcos Christodonte II explains how.  Continue Reading

• How risk management standards can work for enterprise IT

  Every organization should be able to articulate how IT threats can harm a business. Forrester Research Analyst Chris McClean explains how a five-step risk management strategy, based on a risk management standard like ISO 31000, makes it easier to ...  Continue Reading

• How to buy an IPS: Features, testing and review

  If you're considering IPS for your enterprise, make sure you know what to look for in the products you're reviewing. In this tip, network security expert David Meier describes how to conduct an IPS comparison and review of various features, ...  Continue Reading

• How to use COBIT for compliance

  While the COBIT framework has been around for a long time, it can still be very useful in terms of understanding goals and benchmarks for a security program that can, in turn, aid compliance with many regulations.  Continue Reading

• Scapy tutorial: How to use Scapy to test Snort rules

  When creating Snort rules, it's often difficult to test them before they go live. In this Scapy tutorial, Judy Novak explains how to use Scapy, a tool that simplifies packet crafting, to test new Snort rules.  Continue Reading

• Clientless SSL VPN vulnerability and Web browser protection

  In a recent US-CERT advisory, clientless SSL VPN vulnerabilities were listed as posing serious threats to Web browser security. In this tip, learn possible actions to take for Web browser protection.  Continue Reading

• Preventing iPhone spying and other mobile management tips

  So you have an iPhone, you don't access the Internet, you use a PIN to authenticate and you never let the device out of your site. Michael Cobb explains why iPhone spying still isn't out of the question.  Continue Reading

• How to use hping to craft packets

  A packet crafting tool that's been around for a long time, hping can be used to test if ports are open, as well as for firewall testing. Learn how to use hping in this tutorial.  Continue Reading

• How to encrypt emails in Outlook

  Mike Chapple reviews how cryptography can be used to validate senders and keep important emails confidential.  Continue Reading

• Five endpoint DLP deployment data security tips

  Deploying data loss prevention technology on endpoints requires a careful roll-out. Expert Rich Mogull offers five tips, including the need to start slowly with a set of power users and how to manage endpoint discovery.  Continue Reading

• Encryption basics: How asymmetric and symmetric encryption works

  Before you encrypt your files, emails and Web transactions, make sure you know the cryptography basics.  Continue Reading

• Improving software with the Building Security in Maturity Model (BSIMM)

  Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)?  Continue Reading

• Defending against RAM scraper malware in the enterprise

  A new type of malware attack, RAM scraper, may pose a serious threat to enterprise security. Learn what a RAM scraper attack is, and how you can defend your organization from this potentially damaging new malware attack.  Continue Reading

• How to properly implement firewall egress filtering

  Deploying outbound rules on a firewall can be a tricky task; if not done properly, it can lead to business interruptions. Scott Floyd reviews best practices for avoiding mistakes when blocking outbound network traffic.  Continue Reading

• Server Message Block Version 2 security in question: Disable or patch?

  Nick Lewis reviews the recent vulnerability discovered in a popular Windows file-sharing and printing protocol. Yes, there's a patch, but should you deploy it, or simply disable SMBv2?  Continue Reading

• What to do with network penetration test results

  It takes a lot of time and effort to plan and conduct an enterprise network penetration test, but the work doesn't stop there. Contributor David Meier explains how to conduct an analysis of pen testing results.  Continue Reading

• Considerations for buying and implementing DLP solutions

  Financial institutions are looking to data loss prevention solutions to prevent costly data security breaches. In this tip, Dave Shackleford explains key issues to weigh before buying and installing a DLP product.  Continue Reading

• Preparing for future security threats, evolving malware

  Security expert Nick Lewis predicts how infosec threats will evolve in 2010. Luckily, enterprise defenses will evolve, too.  Continue Reading

• Distributed denial-of-service protection: How to stop DDoS attacks

  In this tip, which is a part of our Web Application Attacks Security Guide, you will learn what a distributed denial-of service (DDoS) attack is, and learn how to stop and prevent DDoS attacks by using intrusion prevention technologies and products.  Continue Reading

• Prevent cross-site scripting hacks with tools, testing

  In this tutorial, learn how to prevent cross-site scripting (XSS) attacks, how to avoid a hack, and how to fix vulnerabilities and issues with cross-site scripting prevention tools, system and application testing and several other defense and ...  Continue Reading

• Preventing and stopping SQL injection hack attacks

  In this tip, which is a part of our Web Application Attack Security Guide, you will learn methods, tools and best practices for preventing, avoiding and stopping SQL injection hack attacks.  Continue Reading

• PuTTY configuration tips: How to connect to remote network systems

  Peter Giannoulis reviews PuTTY and explains how to use the Windows-based program as an SSH, telnet and rlogin client.  Continue Reading

• How to prevent memory dump attacks

  Because databases are often encrypted, some attackers have switched to memory dump attacks. Michael Cobb explains how to protect your unencrypted transactions.  Continue Reading

• Weighing the pros and cons of end-to-end encryption and tokenization

  With PCI DSS and other compliance requirements, organizations are looking for surefire solutions to protect payment card and other sensitive data. Tokenization and end-to-end encryption have emerged as promising technologies, but as Dave Shackleford...  Continue Reading