Tips

Tips

• Preventing SQL injection attacks: A network admin's perspective

  Your database administrators and application developers should certainly be following best practices to avoid SQL injections, but Michael Cobb explains how network admins can do their part to fight those security exploits.  Continue Reading

• Security benefits of virtual desktop infrastructures

  In a highly regulated industry where security is critical, financial-services firms are turning to virtual desktop infrastructures. In this tip, Eric Ogren explains the security benefits of virtualized desktops and virtual workspace projects, ...  Continue Reading

• Screencast: How to launch an OpenVAS scan

  In this screencast, Peter Giannoulis demonstrates the OpenVAS Linux/Unix-based assessment and penetration testing tool.  Continue Reading

• Wireless network guidelines for PCI DSS compliance

  The PCI Security Standards Council recently released additional guidance for WLANs, but do they make the compliance process easier? Contributor Ben Rothke examines the key points of the new guidelines and offers additional advice for organizations ...  Continue Reading

• How to prevent phishing attacks with social engineering tests

  Is your enterprise capable of withstanding today's phishing attacks? Sherri Davidoff reviews how you can test your employees.  Continue Reading

• Creating a personal brand in information security

  In this month's Information Security Career Advisor column, experts Lee Kushner and Mike Murray explain how security pros can better demonstrate their abilities and stand out from the crowd.  Continue Reading

• Determine your Microsoft Windows patch level

  A handful of patch management tools from Microsoft and third -parties can help your organization determine your Windows patch level and identify missing security patches.  Continue Reading

• Automating Microsoft Windows patch management with WSUS

  Microsoft offers Windows Server Update Services (WSUS) as a free download, but there are installation and agent-related issues to contend with.  Continue Reading

• How SSL-encrypted Web connections are intercepted

  Enterprises and attackers alike have found ways to sniff private Web traffic, even when it's encrypted. Sherri Davidoff reviews how encrypted Web connections can be sniffed, and ways that users can reduce their risk.  Continue Reading

• PCI DSS compliance requirements: Ensuring data integrity

  Want to make sure you have secure data for PCI DSS? One of the first steps is making sure the data you're trying to secure is the right data. Security management expert David Mortman explains how to ascertain and maintain data integrity.  Continue Reading

• Vendor risk management: process and documentation

  As part of the vendor risk management process, regulators expect information security officers will document vendor relationships and have proper vendor documentation.  Continue Reading

• How to prepare for an information security job interview

  Lee Kushner and Mike Murray offer tips on how to impress possible employers after finally nailing down an information security job interview.  Continue Reading

• Understanding PCI DSS compliance requirements for log management

  Proper PCI DSS compliance requires effective event log management, but many enterprises fail to not only gather all the relevant data, but also analyze and remediate the results. Forrester Research Senior Analyst John Kindervag offers best practices...  Continue Reading

• Are 'strong authentication' methods strong enough for compliance?

  If multifactor authentication is so great, why hasn't it replaced the password? Michael Cobb reviews the hype surrounding strong authentication. There are more drawbacks than you think.  Continue Reading

• Monitoring program data and internal controls for risk management

  It's sad but true: Some employees are going to leak or even steal sensitive data. But what are the best ways to mitigate that risk? Learn the best ways to create internal controls for risk management in order to keep your data where it belongs.  Continue Reading

• Remote phone lock and GPS tracking counter smartphone security risks

  Lost or stolen smartphones pose serious security risks to data, but remote device lock technology and GPS tracking can help mitigate those risks. This is the first of two parts.  Continue Reading

• An introduction to Information Security Career Advisor

  SearchSecurity.com is pleased to partner with infosec career experts Lee Kushner and Mike Murray to bring you a new monthly column on information security careers. In their debut article, they explain why information security career coaching is ...  Continue Reading

• How to use Excel for security log data analysis

  Microsoft Excel can be an inexpensive and effective option for firewall, antivirus and server log analysis.  Continue Reading

• Checklist: Three firewall configuration tips

  If you are revisiting your firewall configurations, consider these three tips to help you monitor and manage your network traffic.  Continue Reading

• Acceptable use policy for Internet usage helps data protection efforts

  Acceptable use policies are an inexpensive, yet effective, control in limiting exposure to data breaches.  Continue Reading

• Making the case for enterprise IAM centralized access control

  Central access to multiple applications and systems can raise the level of security while getting rid of lots of red tape, so how do you go about creating central access management? In this tip, IAM expert David Griffeth explains the steps.  Continue Reading

• How to defend against rogue DHCP server malware

  Rogue DHCP server malware is a new twist on an old concept. The good news is that effective threat mitigation strategies exist; the bad news is that many organizations haven't bothered to deploy them.  Continue Reading

• How to use Kerberos and Credential manager for Windows single sign-on

  Windows administrators can avoid the expense of third-party single sign-on software and use Windows Kerberos in Windows Server 2003 and Credential Manager in Windows XP and Vista for client-side SSO.  Continue Reading

• Firewall rule management best practices

  Given the growing complexity of firewalls, organizations often have hundreds, even thousands, of rules to review and manage. But configuration doesn't have to be overly complicated. Michael Cobb offers best practices that can allow you to make ...  Continue Reading

• When BIOS updates become malware attacks

  Most security pros don't give the system BIOS a second thought, or even a first one, but today's BIOS types are highly susceptible to malicious hackers. Information security threats expert Sherri Davidoff explains how attackers can plant BIOS ...  Continue Reading

• The basics of enterprise GRC project management

  Implementing an enterprise GRC project requires not only the right technology and training, it also requires cooperation with the executives and employees whose systems and daily work functions may change as a result of the implementation. In this ...  Continue Reading

• Best practices for a privileged access policy to secure user accounts

  Enterprises need to secure accounts belonging to actual users by reviewing and monitoring their privileged access.  Continue Reading

• How to align an information security framework to your business model

  CISOs should consider blending traditional business models with information security frameworks, and not rely solely on regulations to drive security programs.  Continue Reading

• Rootkit Hunter demo: Detect and remove Linux rootkits

  Peter Giannoulis of The Academy Home and The Academy Pro demonstrates how to install and use Rootkit Hunter, a free rootkit scanner for Linux and BSD distributions.  Continue Reading

• Best practices: How to implement and maintain enterprise user roles

  Effective enterprise role management is essential for properly managing user access rights and enforcing access policies, but the implementation process can be challenging. In this tip, Forrester Research Principal Analyst Andras Cser offers a ...  Continue Reading

• How to find and stop automated SQL injection attacks

  Automated SQL injection worms use search engines to filter through vulnerable Web servers. In this tip, Patrick Szeto explains how to keep your website off of the malware's radar.  Continue Reading

• How to fill patch management gaps using Microsoft MBSA

  Microsoft Baseline Security Analyzer examines and quantitatively summarizes the state of your organization's Windows security.  Continue Reading

• An inside look at security log management forensics investigations

  David Strom provides some examples of log data that provided key clues to enterprise data breaches.  Continue Reading

• How to find sensitive information on the endpoint

  Worried that your enterprise endpoints may be harboring sensitive information like credit card numbers or Social Security numbers? Fear not. Mike Chapple offers algorithms and tools to conduct a search and advice on dealing with the results.  Continue Reading

• Five steps to eliminate rogue wireless access

  Unauthorized wireless access points aren't always malicious. Learn how to distinguish between them and mitigate threats posed by rogue APs.  Continue Reading

• When to use open source security tools over commercial products

  When budgets are cut and open networks still need securing, it may be helpful to try open source security tools as a sufficient and affordable alternative to pricey commercial products.  Continue Reading

• How to spot attacks through Apache Web server log analysis

  Log analysis requires refined search skills that will help you ferret out security issues. Brad Causey explains how to sift through log data and find the relevant security information.  Continue Reading

• Kerberos configuration as an authentication system for single sign-on

  Looking to implement single sign-on in your enterprise, but have a lot of custom applications that don't seem compatible? In this tip, IAM expert David Griffeth takes a look at Kerberos, a non-proprietary IAM tool, as a solution to network ...  Continue Reading

• Data security best practices for PCI DSS compliance

  The glut of recent data breaches, such as the one at Heartland Payment Systems Inc., leaves some security pros wondering if PCI DSS is doing its job. Is it worth all the effort to become PCI compliant if breaches still seem inevitable? In this ...  Continue Reading

• Vulnerability test methods for application security assessments

  Learn what to do when you have a huge portfolio of potentially insecure applications, limited resources and an overwhelming sense of urgency.  Continue Reading

• How to clear out anonymous Web proxy servers in the workplace

  Enterprises may use Web filtering software to limit Internet use, but some employees may respond right back with easily available anonymizing proxies. John Strand explains how to keep your users from bypassing content filters.  Continue Reading

• How to use (almost) free tools to find sensitive data

  No matter how much security awareness training employees get, some of them will still store sensitive data in insecure places. As a security manager, finding that data becomes of paramount importance -- but how to do it? In this tip, John Soltys ...  Continue Reading

• How to integrate the security of both physical and virtual machines

  According to a recent Gartner Inc. research report, 60% of virtual machines will be less secure than their physical counterparts through 2009. Michael Cobb explores the challenges of securing a mixed infrastructure of physical and virtual machines.  Continue Reading

• From the gateway to the application: Effective access control strategies

  Organizations need to strike a balance between so-called front-door access control and more fine grained controls established within an application itself. This article discusses the difference between products designed to set access at the gateway ...  Continue Reading

• How many firewalls do you need?

  Whether your organizations needs multiple sets of firewalls depends on whether they will protect clients, servers or both and what kind of traffic they will monitor.  Continue Reading

• Recovering lost passwords with Cain & Abel

  In his latest screencast, Peter Giannoulis of The AcademyPro.com demonstrates how to use the Cain & Abel tool to decipher or track down lost passwords..  Continue Reading

• What are common (and uncommon) unified threat management features?

  Unified threat management products have gained popularity because they bring multiple security tools together into one appliance. In this SearchSecurity.com Q&A, Michael Cobb reviews just what those security tools are.  Continue Reading

• Strategies for email archiving and meeting compliance regulations

  According to a recent study, 29% of surveyed IT professionals archive their email for compliance reasons. Michael Cobb reviews compliance regulations that demand email archiving and how such products can ease some of the pain that comes with the ...  Continue Reading

• Understanding the FFIEC remote deposit capture guidance

  Federal banking regulators recently released guidance for assessing and managing risks associated with remote deposit capture. In this tip, Dan Fisher explains the key components of the guidance, including its definition of RDC and how it emphasizes...  Continue Reading

• File format vulnerabilities: Protecting your applications

  From WMF to the latest Excel file exploits, it's clear that attacks targeting file format vulnerabilities are on the rise. In this tip, network security expert Mike Chapple examines why files have become a tempting vector, and explores what can be ...  Continue Reading

• IPsec tunneling: Exploring the security risks

  As part of his monthly responses to readers, Mike Chapple reveals some information about VPNs that many may not want to hear.  Continue Reading

• How should a company's security program define roles and responsibilities?

  In many organizations, it's not uncommon for physical, legal and information security departments to step on each other's toes. In this expert Q&A, security management pro Shon Harris reveals how a CSO can bring these teams together and implement a ...  Continue Reading

• Are wireless networks inherently insecure?

  Wireless access protection and WPA2 are both good ways to keep networks secure, though nothing's perfect. Network security expert Mike Chapple expounds.  Continue Reading

• What are the benefits of employee security awareness training?

  In this Q&A, security management expert Mike Rothman discusses the short-term and long-term benefits of employee security awareness training.  Continue Reading

• How to conduct firewall configuration reviews

  As any firewall administrator knows, it's all too easy for a rule base to become convoluted over time, containing rules that may be outdated or simply incorrect. In this SearchSecurity.com Q&A, network security expert Mike Chapple reveals how to ...  Continue Reading

• How should multiple firewall rules be managed?

  Even with a change management system, firewall rule bases can become a nightmare for administrators. In this Q&A, network security expert Mike Chapple points out incorrect, overlapping and unused rules that can ruin your firewall.  Continue Reading

• What are ways to measure security risks, threats and vulnerabilities?

  In this Q&A, security management expert Mike Rothman offers advice on the most effective ways to manage and access security risks, threats and vulnerabilities within an enterprise.  Continue Reading

• Should a firewall ever be placed before the router?

  In terms of unit cost, it's generally much cheaper for a router to handle a packet than for a firewall to analyze it. But as network security expert Mike Chapple explains, one does not necessarily have to be placed before the other.  Continue Reading

• What are the risks associated with outsourcing security services?

  In this expert Q&A, security management pro Mike Rothman discusses why outsourcing security services could be a bad idea.  Continue Reading

• How to perform a network device audit

  From unauthorized applications to rogue devices like data-slurping USB sticks, enterprise networks face a growing number of security risks. For financial-services firms, the data loss or network intrusions that can result from unauthorized network ...  Continue Reading

• End-user Compliance: Creating a security awareness training program

  Security awareness training is a must, but what's the best way to create a successful program, and what are the tell-tale signs that it's working? In this tip, security management expert David Mortman explains how to create general as well as ...  Continue Reading

• How to prevent clickjacking attacks with security policy, not technology

  Clickjacking, an emerging hacker technique similar to cross-site scripting, tricks a user into executing malicious commands on a seemingly legitimate or innocent website. John Strand reviews how the attack works, how it compares to ...  Continue Reading

• Deleting user accounts: How to manage users during a layoff

  When budgets get cut across the enterprise, it's likely that employees will get cut, too. So what's the best way to handle a large number of user account modifications or deletions? IAM expert David Griffeth offers a step-by-step process for ...  Continue Reading

• Writing Wireshark network traffic filters

  The freely available Wireshark tool can provide valuable analysis of network traffic, but capturing packets can often lead to an overload of data. Mike Chapple explains how to use Wireshark's traffic filters to zero in on the precise information ...  Continue Reading

• The 100-day plan: Achieving success as a new security manager

  One of the top priorities of any newly minted information security manager is to implement a new enterprise security strategy. In this tip, security management expert Mike Rothman explains what needs to happen in the first 100 days of a security ...  Continue Reading

• Review system event logs with Splunk

  Splunk is a free tool that provides log review and management. From parsing files to triggering alerts and scripts, Splunk can greatly reduce the amount of time security teams spend on logs.  Continue Reading

• Cloud compliance: How to manage SaaS risk

  While Software as a Service (SaaS) can cut costs, there are definite security concerns to be aware of, including compliance issues. What's the best way to make sure that data is safe and audit-ready on the provider's server? Expert Joel Dubin gives ...  Continue Reading

• How to implement and enforce a social networking security policy

  For a new generation of employees entering the workforce, social networking isn't a luxury, it's a necessity. Yet not all enterprises understand that failing to consider social networking security can lead to unfortunate consequences. David Sherry ...  Continue Reading

• The value of application whitelists

  Although some may find Windows Vista's User Account Control feature annoying, it is really a variation of a security mechanism that is now re-emerging: the application whitelist. Michael Cobb explores application whitelist benefits and drawbacks, ...  Continue Reading

• PKI and digital certificates: Security, authentication and implementation

  Get more information about PKI and digital certificates, such as how to implement PKI, how to ensure security and available implementation. Also learn about digital certificates, signatures and achieving authentication through a certificate ...  Continue Reading

• ID and password authentication: Keeping data safe with management and policies

  Learn how to improve authentication and avoid password hacking with management policies that enforce password expiration, length and complexity requirements.  Continue Reading

• Security token and smart card authentication

  Get advice on how to mitigate data theft from hackers with security token and smart card authentication technology, smart card readers and software.  Continue Reading

• Biometric authentication know-how: Devices, systems and implementation

  Discover the pros and cons of multiple biometric authentication devices and techniques, such as iris pattern or fingerprint scans, voice recognition and keystroke dynamics. Also get advice on biometric implementation best practices.  Continue Reading

• Lessons learned: The Countrywide Financial breach

  The data breach at Countrywide Financial Corp. seems like something out of a TV crime drama: Two men regularly copied customer data and secretly sold it as leads to other mortgage brokers. The tale suggests that data theft is, more often than not, ...  Continue Reading

• FISMA compliance made easier with OpenFISMA

  Scott Sidel examines the open source security tool OpenFISMA, a compliance tool that assists government agencies and their contractors in meeting FISMA's requirements.  Continue Reading

• Workstation hard drive encryption: Overdue or overkill?

  In an age of high-profile data breaches and insider risks, encryption is an important defense mechanism for enterprises. The question is: how much encryption is necessary? Many security pros have gone to great lengths to protect data on network ...  Continue Reading

• Recovering stolen laptops one step at a time

  When a student's laptop was stolen last year on a university campus, police and IT investigators went to work, recovering it within a matter of weeks. Neil Spellman, one of the investigators on the case, offers some best practices on what to do if a...  Continue Reading

• How to detect system management mode (SMM) rootkits

  Rootkits were once a system administrator's best friend. Now they have evolved to become an admin's worst nightmare: well-known, surreptitious malware that can provide super user access to an infected machine. Michael Cobb explains how to get rid of...  Continue Reading

• Risk assessments: Internal vs. external

  Risk assessments are a necessary function at financial firms, but how do you know whether to conduct them internally or to use a third party? Expert Rick Lawhorn explores the pros and cons in this tip.  Continue Reading

• WEP to WPA: Wireless encryption in the wake of PCI DSS 1.2

  The PCI Security Standards Council recently announced the upcoming release of PCI DSS version 1.2. Plenty of changes are on the way, but one in particular may call for some significant wireless infrastructure upgrades. Mike Chapple explains why the ...  Continue Reading

• Windows registry forensics: Investigating system-wide settings

  Information security forensic investigations can be a big job, but Windows registry command tools can make it easier. From querying autostart programs to getting the goods on every USB device ever connected to a particular Windows machine, these ...  Continue Reading

• Vulnerability assessments: Steps to success

  Vulnerability assessments can be effective tools to gauge the greatest risks a financial institution faces. But what's the best way to go about a vulnerability assessment? Expert Rick Lawhorn lays out the steps to a successful test.  Continue Reading

• Screencast: How to use Nipper to create network security reports

  Peter Giannoulis of The Academy.ca demonstrates how to use Nipper, a free open source network infrastructure parser tool.  Continue Reading

• How to get information security buy-in from the executive team

  When pitching security to the big bosses, it's important to brush up on public-speaking skills and lay out the case in advance. Mike Rothman gives his recommendations on how to prepare for a security presentation in order to receive the necessary ...  Continue Reading

• How to configure NAP for Windows Server 2008

  The arrival of Windows Server 2008 ushers in a big portion of Microsoft's long-awaited Network Access Protection (NAP) initiative. In this tip, David Strom uses words and pictures to explain how to get started with NAP using the Network Policy ...  Continue Reading

• Exploring Microsoft's Network Access Protection policy options

  A policy platform was built into Microsoft Windows Vista and Windows Server 2008, one that offers the ability to create customized health policies that validate a computer's security before allowing access or communication. The mechanism, now known ...  Continue Reading

• How to lay the foundation for role entitlement management

  Role entitlement management is a daunting task, however, there are steps you can take to lay the foundation for a successful management process. In this tip, expert Rick Lawhorn details these seven steps.  Continue Reading

• How to avoid DLP implementation pitfalls

  Data leak prevention tools effectively reduce the chances that an enterprise's sensitive data will end up where it shouldn't, but several pitfalls can severely curtail a DLP tool's effectiveness. In this tip, Rich Mogull offers several best ...  Continue Reading

• Security certifications: Are they worth the trouble?

  Security certifications may or may not be helpful in furthering a security career, but many security pros feel they must "comply" with the unspoken expectation that certifications are a must for career advancement. In this special tip, security ...  Continue Reading

• Microsoft Baseline Security Analyzer: Do updates offer improved Windows security?

  The Microsoft Baseline Security Analyzer has always been useful at scanning Windows environments for the presence or absence of security updates. Now, see how the latest version adds support for Windows Vista and Windows Server 2008 to its bag of ...  Continue Reading

• Directory services and beyond: The future of LDAP

  From its remarkable debut in 1993 as a directory access system, LDAP has evolved to become one of the premier directory management services, rivaled only by Active Directory. But how implementable is LDAP in the current Microsoft market? Is it ...  Continue Reading

• The steps of privileged account management implementation

  Privileged accounts have always been difficult to secure, and they remain the focal point for the insider attack. Luckily, an emerging class of privileged account management products is here to help. Identity management pro Mark Diodati discusses ...  Continue Reading

• Key management challenges and best practices

  Key management is essential to a successful encryption project. In this tip, expert Randy Nash explains the challenges financial organizations face when implementing key management and some of the best practices to overcome them.  Continue Reading

• Screencast: Catching network traffic with Wireshark

  This month, Peter Giannoulis of the Academy.ca demonstrates the popular, free network protocol analyzer, Wireshark. See how Peter uses Wireshark to hack into a recorded VoIP phone call.  Continue Reading

• Ransomware: How to deal with advanced encryption algorithms

  It's late in the day, and your CEO reports a strange message on his computer screen: his files have been encrypted, and a payment is required to return all of his data. What do you do? Don't give in to the cyberterrorists just yet. Mike Chapple ...  Continue Reading

• Enterprise role management: Trends and best practices

  Enterprise role management technology is intended to help an enterprise keep tabs of who has access to various network resources, and also makes it easier to define groups of users. Joel Dubin explains how the technology integrates with RBAC and IAM...  Continue Reading

• Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities

  For anyone who doesn't speak NASL, network security expert Mike Chapple has a firm handle on the Nessus Attack Scripting Language. In this brand-new addition to our Nessus 3 Tutorial, Chapple provides examples of NASL scripts that can find known ...  Continue Reading

• Database patch denial: How 'critical' are Oracle's CPUs?

  A recent survey found that a considerable number of users are outright rejecting Oracle's Critical Patch Updates, perhaps suggesting database administrators feel comfortable with their security defenses or find Oracle's patches to be more of a ...  Continue Reading

• Screencast: Recovering lost data with WinHex

  WinHex is a forensics tool that allows users to examine running programs, wipe confidential files or unused space, and perform drive imaging and drive cloning. In this secreencast Peter Giannoulis of http://theacademy.ca shows you how to use WinHex ...  Continue Reading

• Learn from NIST: Best practices in security program management

  Security success means sweating the small stuff, like ensuring proficiency in implementing patches and configuring systems. Security management expert Mike Rothman offers advice on how certain NIST guidelines can help an organization highlight ...  Continue Reading