Tips
-
Understanding the FFIEC remote deposit capture guidance
Federal banking regulators recently released guidance for assessing and managing risks associated with remote deposit capture. In this tip, Dan Fisher explains the key components of the guidance, including its definition of RDC and how it emphasizes...
-
How should multiple firewall rules be managed?
Even with a change management system, firewall rule bases can become a nightmare for administrators. In this Q&A, network security expert Mike Chapple points out incorrect, overlapping and unused rules that can ruin your firewall.
-
What are ways to measure security risks, threats and vulnerabilities?
In this Q&A, security management expert Mike Rothman offers advice on the most effective ways to manage and assess security risks, threats and vulnerabilities within an enterprise.
-
What are the risks associated with outsourcing security services?
In this expert Q&A, security management pro Mike Rothman discusses why outsourcing security services could be a bad idea.
-
Should a firewall ever be placed before the router?
In terms of unit cost, it's generally much cheaper for a router to handle a packet than for a firewall to analyze it. But as network security expert Mike Chapple explains, one does not necessarily have to be placed before the other.
-
File format vulnerabilities: Protecting your applications
From WMF to the latest Excel file exploits, it's clear that attacks targeting file format vulnerabilities are on the rise. In this tip, network security expert Mike Chapple examines why files have become a tempting vector, and explores what can be ...
-
IPsec tunneling: Exploring the security risks
As part of his monthly responses to readers, Mike Chapple reveals some information about VPNs that many may not want to hear.
-
Are wireless networks inherently insecure?
Wireless access protection and WPA2 are both good ways to keep networks secure, though nothing's perfect. Network security expert Mike Chapple expounds.
-
How to conduct firewall configuration reviews
As any firewall administrator knows, it's all too easy for a rule base to become convoluted over time, containing rules that may be outdated or simply incorrect. In this SearchSecurity.com Q&A, network security expert Mike Chapple reveals how to ...
-
How should a company's security program define roles and responsibilities?
In many organizations, it's not uncommon for physical, legal and information security departments to step on each other's toes. In this expert Q&A, security management pro Shon Harris reveals how a CSO can bring these teams together and implement a ...
-
What are the benefits of employee security awareness training?
In this Q&A, security management expert Mike Rothman discusses the short-term and long-term benefits of employee security awareness training.
-
How to perform a network device audit
From unauthorized applications to rogue devices like data-slurping USB sticks, enterprise networks face a growing number of security risks. For financial-services firms, the data loss or network intrusions that can result from unauthorized network ...
-
Information security forecast: Security management in 2009
What will the year ahead hold for information security? Learn about the likely trends -- from dealing with questions of enterprise virtualization and SaaS security, to Web application security, to compliance issues.
-
Future security threats: Enterprise attacks of 2009
Will organizations be ready for next year's enterprise security threats? Expert John Strand reviews what's in store for 2009, including new weapons, old vulnerabilities, and new takes on old attack techniques.
-
End-user Compliance: Creating a security awareness training program
Security awareness training is a must, but what's the best way to create a successful program, and what are the tell-tale signs that it's working? In this tip, security management expert David Mortman explains how to create general as well as ...
-
How to prevent clickjacking attacks with security policy, not technology
Clickjacking, an emerging hacker technique similar to cross-site scripting, tricks a user into executing malicious commands on a seemingly legitimate or innocent website. John Strand reviews how the attack works, how it compares to ...
-
Deleting user accounts: How to manage users during a layoff
When budgets get cut across the enterprise, it's likely that employees will get cut, too. So what's the best way to handle a large number of user account modifications or deletions? IAM expert David Griffeth offers a step-by-step process for ...
-
Writing Wireshark network traffic filters
The freely available Wireshark tool can provide valuable analysis of network traffic, but capturing packets can often lead to an overload of data. Mike Chapple explains how to use Wireshark's traffic filters to zero in on the precise information ...
-
The 100-day plan: Achieving success as a new security manager
One of the top priorities of any newly minted information security manager is to implement a new enterprise security strategy. In this tip, security management expert Mike Rothman explains what needs to happen in the first 100 days of a security ...
-
Review system event logs with Splunk
Splunk is a free tool that provides log review and management. From parsing files to triggering alerts and scripts, Splunk can greatly reduce the amount of time security teams spend on logs.
-
Cloud compliance: How to manage SaaS risk
While Software as a Service (SaaS) can cut costs, there are definite security concerns to be aware of, including compliance issues. What's the best way to make sure that data is safe and audit-ready on the provider's server? Expert Joel Dubin gives ...
-
How to implement and enforce a social networking security policy
For a new generation of employees entering the workforce, social networking isn't a luxury, it's a necessity. Yet not all enterprises understand that failing to consider social networking security can lead to unfortunate consequences. David Sherry ...
-
The value of application whitelists
Although some may find Windows Vista's User Account Control feature annoying, it is really a variation of a security mechanism that is now re-emerging: the application whitelist. Michael Cobb explores application whitelist benefits and drawbacks, ...
-
PKI and digital certificates: Security, authentication and implementation
Get more information about PKI and digital certificates, such as how to implement PKI, how to ensure security and available implementation. Also learn about digital certificates, signatures and achieving authentication through a certificate ...
-
ID and password authentication: Keeping data safe with management and policies
Learn how to improve authentication and avoid password hacking with management policies that enforce password expiration, length and complexity requirements.
-
Security token and smart card authentication
Get advice on how to mitigate data theft from hackers with security token and smart card authentication technology, smart card readers and software.
-
Biometric authentication know-how: Devices, systems and implementation
Discover the pros and cons of multiple biometric authentication devices and techniques, such as iris pattern or fingerprint scans, voice recognition and keystroke dynamics. Also get advice on biometric implementation best practices.
-
Lessons learned: The Countrywide Financial breach
The data breach at Countrywide Financial Corp. seems like something out of a TV crime drama: Two men regularly copied customer data and secretly sold it as leads to other mortgage brokers. The tale suggests that data theft is, more often than not, ...
-
FISMA compliance made easier with OpenFISMA
Scott Sidel examines the open source security tool OpenFISMA, a compliance tool that assists government agencies and their contractors in meeting FISMA's requirements.
-
Workstation hard drive encryption: Overdue or overkill?
In an age of high-profile data breaches and insider risks, encryption is an important defense mechanism for enterprises. The question is: how much encryption is necessary? Many security pros have gone to great lengths to protect data on network ...
-
Recovering stolen laptops one step at a time
When a student's laptop was stolen last year on a university campus, police and IT investigators went to work, recovering it within a matter of weeks. Neil Spellman, one of the investigators on the case, offers some best practices on what to do if a...
-
How to detect system management mode (SMM) rootkits
Rootkits were once a system administrator's best friend. Now they have evolved to become an admin's worst nightmare: well-known, surreptitious malware that can provide super user access to an infected machine. Michael Cobb explains how to get rid of...
-
Risk assessments: Internal vs. external
Risk assessments are a necessary function at financial firms, but how do you know whether to conduct them internally or to use a third party? Expert Rick Lawhorn explores the pros and cons in this tip.
-
WEP to WPA: Wireless encryption in the wake of PCI DSS 1.2
The PCI Security Standards Council recently announced the upcoming release of PCI DSS version 1.2. Plenty of changes are on the way, but one in particular may call for some significant wireless infrastructure upgrades. Mike Chapple explains why the ...
-
Windows registry forensics: Investigating system-wide settings
Information security forensic investigations can be a big job, but Windows registry command tools can make it easier. From querying autostart programs to getting the goods on every USB device ever connected to a particular Windows machine, these ...
-
Vulnerability assessments: Steps to success
Vulnerability assessments can be effective tools to gauge the greatest risks a financial institution faces. But what's the best way to go about a vulnerability assessment? Expert Rick Lawhorn lays out the steps to a successful test.
-
Screencast: How to use Nipper to create network security reports
Peter Giannoulis of The Academy.ca demonstrates how to use Nipper, a free open source network infrastructure parser tool.
-
How to get information security buy-in from the executive team
When pitching security to the big bosses, it's important to brush up on public-speaking skills and lay out the case in advance. Mike Rothman gives his recommendations on how to prepare for a security presentation in order to receive the necessary ...
-
How to configure NAP for Windows Server 2008
The arrival of Windows Server 2008 ushers in a big portion of Microsoft's long-awaited Network Access Protection (NAP) initiative. In this tip, David Strom uses words and pictures to explain how to get started with NAP using the Network Policy ...
-
Exploring Microsoft's Network Access Protection policy options
A policy platform was built into Microsoft Windows Vista and Windows Server 2008, one that offers the ability to create customized health policies that validate a computer's security before allowing access or communication. The mechanism, now known ...
-
How to lay the foundation for role entitlement management
Role entitlement management is a daunting task; however, there are steps you can take to lay the foundation for a successful management process. In this tip, expert Rick Lawhorn details these seven steps.
-
How to avoid DLP implementation pitfalls
Data leak prevention tools effectively reduce the chances that an enterprise's sensitive data will end up where it shouldn't, but several pitfalls can severely curtail a DLP tool's effectiveness. In this tip, Rich Mogull offers several best ...
-
Security certifications: Are they worth the trouble?
Security certifications may or may not be helpful in furthering a security career, but many security pros feel they must "comply" with the unspoken expectation that certifications are a must for career advancement. In this special tip, security ...
-
Microsoft Baseline Security Analyzer: Do updates offer improved Windows security?
The Microsoft Baseline Security Analyzer has always been useful at scanning Windows environments for the presence or absence of security updates. Now, see how the latest version adds support for Windows Vista and Windows Server 2008 to its bag of ...
-
Directory services and beyond: The future of LDAP
From its remarkable debut in 1993 as a directory access system, LDAP has evolved to become one of the premier directory management services, rivaled only by Active Directory. But how implementable is LDAP in the current Microsoft market? Is it ...
-
Key management challenges and best practices
Key management is essential to a successful encryption project. In this tip, expert Randy Nash explains the challenges financial organizations face when implementing key management and some of the best practices to overcome them.
-
The steps of privileged account management implementation
Privileged accounts have always been difficult to secure, and they remain the focal point for the insider attack. Luckily, an emerging class of privileged account management products is here to help. Identity management pro Mark Diodati discusses ...
-
Screencast: Catching network traffic with Wireshark
This month, Peter Giannoulis of The Academy.ca demonstrates the popular, free network protocol analyzer, Wireshark. See how Peter uses Wireshark to hack into a recorded VoIP phone call.
-
Ransomware: How to deal with advanced encryption algorithms
It's late in the day, and your CEO reports a strange message on his computer screen: his files have been encrypted, and a payment is required to return all of his data. What do you do? Don't give in to the cyberterrorists just yet. Mike Chapple ...
-
Enterprise role management: Trends and best practices
Enterprise role management technology is intended to help an enterprise keep tabs on who has access to various network resources, and also makes it easier to define groups of users. Joel Dubin explains how the technology integrates with RBAC and IAM...
-
Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities
For anyone who doesn't speak NASL, network security expert Mike Chapple has a firm handle on the Nessus Attack Scripting Language. In this brand-new addition to our Nessus 3 Tutorial, Chapple provides examples of NASL scripts that can find known ...
-
Database patch denial: How 'critical' are Oracle's CPUs?
A recent survey found that a considerable number of users are outright rejecting Oracle's Critical Patch Updates, perhaps suggesting database administrators feel comfortable with their security defenses or find Oracle's patches to be more of a ...
-
Screencast: Recovering lost data with WinHex
WinHex is a forensics tool that allows users to examine running programs, wipe confidential files or unused space, and perform drive imaging and drive cloning. In this screencast, Peter Giannoulis of http://theacademy.ca shows you how to use WinHex ...
-
Learn from NIST: Best practices in security program management
Security success means sweating the small stuff, like ensuring proficiency in implementing patches and configuring systems. Security management expert Mike Rothman offers advice on how certain NIST guidelines can help an organization highlight ...
-
Password management best practices for financial services firms
Password management is a fundamental tenet of effective information security, but it's harder than it seems to manage passwords correctly, and far too easy to mess it up. In this tip, contributor Tony Bradley shares best practices for effective ...
-
How to install and configure Nessus
Nessus, an open source vulnerability scanner, can scan a network for potential security risks and provide detailed reporting that enables you to remediate gaps in your corporation's security posture. This tip, the first in a series of three on ...
-
How to run a Nessus system scan
In the second tip in our series on running Nessus in the enterprise, our contributor takes you step-by-step through the process of running a Nessus system scan. View screenshots of the Nessus interface and learn commands for the Unix Nessus GUI.
-
Windows registry forensics guide: Investigating hacker activities
The Windows registry can be used as a helpful tool for professionals looking to investigate employee activity or track the whereabouts of important corporate files. In this tip, contributor Ed Skoudis explains how investigators and administrators ...
-
Pros and cons of multifactor authentication technology for consumers
Multifactor consumer authentication is a must-have for financial services firms, but there are a number of different types of multifactor authentication technology from which to choose. In this tip, contributor Judith M. Myerson addresses the pros ...
-
Security breach management: Planning and preparation
All organizations face the risk of an information security breach. While it can be a gut-wrenching ordeal, learning how to manage a breach can make it much easier to contain the damage. In this tip, contributor Khalid Kark unveils several key ...
-
The 'security standards dilemma': Network segmentation and PCI Compliance
The Hannaford Bros. data security breach led many to believe that even PCI-compliant organizations did not properly segment their networks -- or that PCI does not adequately address the importance of network segregation. Contributor Stephen Cobb ...
-
Understanding multifactor authentication features in IAM suites
Enterprises often make the mistake of assuming that IAM suites come with tightly integrated multifactor authentication features, but in reality making sure they work together well can be a challenge. In this tip, IAM luminary Joel Dubin explains why...
-
Ophcrack: Password cracking made easy
Scott Sidel examines the open source security tool Ophcrack, a password cracking tool aimed at ensuring the strength of corporate passwords.
-
More built-in Windows commands for system analysis
Windows command-line tools can be a valuable resource to security professionals charged with the secure configuration of Windows machines. In this tip, Ed Skoudis defines five more useful Windows commands that can provide new insight into the realm...
-
Webmail security: Best practices for data protection
Webmail has become a popular choice for enterprises looking to provide users with email access outside the office, but deployment of any Web-based email system presents a unique set of security challenges. In this Messaging Security School tip, ...
-
PCI compliance and Web applications: Code review or firewalls?
The Payment Card Industry Data Security Standard is about to get a new wrinkle involving Web applications. As of June 30, 2008, to achieve PCI compliance, enterprises must either have their custom Web application code reviewed or install Web ...
-
Out-of-band authentication: Methods for preventing fraud
Out-of-band authentication can add another layer of data security as customers seek enhanced online banking security. There's also an added cost benefit. This tip delves into various methods and how they can benefit financial firms.
-
Vista WIL: How to take control of data integrity levels
In the past, Windows users could tweak NTFS permissions and decide who should have access to important data. With the introduction of the Windows Vista operating system, however, the Windows Integrity Levels (WIL) feature seeks to address previous ...
-
Penetration testing: Helping your compliance efforts
Penetration testing can be helpful as part of a corporate vulnerability assessment, but is it as valuable for enterprise compliance? In this tip, contributor Mike Rothman examines the connection between compliance and pen-testing and unveils why pen...
-
Microsoft PatchGuard: Locking down the kernel, or locking out security?
With Microsoft's release of Windows Vista, the software giant locked down the kernel and forced independent security vendors to change the way that they provide antivirus services. So is the OS safer from attacks as a result? Contributor Tony ...
-
Worst practices: Learning from bad security tips
In this tip, information security threats expert Ed Skoudis exposes some bad security practices, highlights the common and dangerous misconceptions held by security personnel, and offers insight on how corporations can learn from others' mistakes.
-
The ins and outs of database encryption
While pundits and gurus may say the "easy" data protection option is for an enterprise to encrypt its entire database, the truth is it's much harder than many realize. In this tip, database security expert Rich Mogull examines the two primary use ...
-
GLBA risk assessment steps to success
GLBA requires financial firms to protect their data from anticipated risks. How can those risks be determined? Follow these steps to perform a risk assessment at your financial organization.
-
Worst practices: Bad security incidents to avoid
Some of information security's worst practices are just best practices ignored. And those guilty of today's big infosec mistakes range from chief security officers to network firewall managers to security staffs at giant financial firms and ...
-
Worst Practices: Three big identity and access management mistakes
Simple IAM mistakes such as writing down passwords and unaudited user accounts can allow malicious access into corporate networks. In this tip, contributor Joel Dubin exposes the most common identity management and access control blunders, and ...
-
Testing for client-side vulnerabilities
Client-side vulnerabilities have become a common target of attacks. Financial organizations must keep up by assessing their exposure to such threats. This tip offers three methods for testing your exposure.
-
Failure mode and effects analysis: Process and system risk assessment
Information security pros are always trying to assess which systems and processes pose the greatest risk to an organization. In this tip, Gideon T. Rasmussen explains how the failure mode and effects analysis (FMEA) methodology can help quantify the...
-
Google hacking exposes a world of security flaws
In this tip, contributor Scott Sidel examines Goolag, an open source security tool that assists security pros in finding flaws in websites through Google hacking.
-
Encryption methods for financial organizations
Extreme encryption often comes with penalties. So how do you determine what type of encryption to use? Storage expert Deni Connor explores three methods in this tip.
-
Intrusion detection system deployment recommendations
Before you take the time and effort to deploy an IDS, consider this advice.
-
Phased NAC deployment for compliance and policy enforcement
Thinking about NAC? You're not alone. Many organizations are taking a new look at the latest generation of network access control tools, with the hopes of mapping security policy requirements to technical controls. For those about to take the NAC ...
-
Web scanning and reporting best practices
Implementing a solid Web scanning routine is a key way to avoid corporate Web application attacks. And with industry requirements such as PCI DSS, performing vulnerability scans is also required to stay compliant. In this tip, contributor Joel ...
-
Windows BitLocker: Enabling disk encryption for data protection
With Windows Vista, Microsoft introduced a whole-disk encryption mechanism called BitLocker. The feature has enabled Windows to provide better data protection, but the tool is not without drawbacks. Contributor Tony Bradley stacks BitLocker up ...
-
Built-in Windows commands to determine if a system has been hacked
In this tip, contributor Ed Skoudis identifies five of the most useful Windows command-line tools for machine analysis and discusses how they can assist administrators in determining if a machine has been hacked.
-
Exploit research: Keeping tabs on the hacker underground
Protecting an organization against malicious hackers is a constant challenge, especially when attack methods are constantly evolving. But, according to information security threats expert Ed Skoudis, there are effective methods security pros can use...
-
The forensics mindset: Making life easier for investigators
Eventually every enterprise suffers an incident, and a little preparation now can make all the difference when an event occurs. In this tip, contributor Mike Rothman explains why thinking like an investigator can help security pros develop a ...
-
How to lock down USB devices
USB devices, thumb drives, flash drives -- whatever you call them, portable media present a significant challenge for enterprises, as they enable easier data transport for mobile workers, but are often the cause for catastrophic data leaks. In this ...
-
Basel II's impact on information security
Managing risk is a constant pain point at financial institutions. Regulations, like Basel II, can help. This tip explains how.
-
Challenges behind operational integration of security and network management
The integration of security and network operations holds a great deal of promise thanks to today's security information management technology, but there are a number of hurdles to overcome when it's time to flip the switch. Sasan Hamidi outlines the...
-
How to apply ISO 27002 to PCI DSS compliance
The Payment Card Industry Data Security Standard may be fairly straightforward, but it's lacking in defining the processes that will ultimately lead to PCI DSS compliance. In this tip, expert Richard Mackey explains why the ISO 27002 can not only ...
-
IT GRC: Combining disciplines for better enterprise security
IT governance, risk management and compliance (GRC) is a growing area of information security that isn't clearly defined. In this tip, Forrester Research's Khalid Kark defines the components of IT GRC and offers advice on how CISOs and organizations...
-
Secure file copying with WinSCP
In his latest Downloads column, Scott Sidel examines WinSCP, an open source SFTP and FTP client for Windows. Sidel explains how the tool's optional interfaces, multiple secure authentication mechanisms and strong security features make it a ...
-
Social engineering attacks: What we can learn from Kevin Mitnick
This article provides examples of how to strengthen your organization against social engineering.
-
Security awareness training: Stay in, or go out?
So you've decided you need security awareness training. Now what? In this tip, Joel Dubin offers a primer on in-house vs. outsourced security awareness training, and guidelines to help an organization decide which choice is best for its needs.
-
Your physical security budget: Who pays and how much?
In many organizations, the cost of data center security is a shared expense -- or at least it should be. How much then should you be spending on security and how much of that should be picked up by other business units?
-
Ten hacker tricks to exploit SQL Server systems
SQL Server hackers have a medley of tricks and tools to gain access to your database systems. Learn their techniques and test SQL Server security before they do.
-
Firewall redundancy: Deployment scenarios and benefits
There are several good reasons to deploy multiple firewalls in your organization. Let's take a look at a few scenarios.
-
Types of confidential information
CISSP Thomas Peltier offers guidance on what your information classification policy should address.
-
Data leakage detection and prevention
While corporate data loss is not a new concern, newer technologies are emerging to help combat the threat. In this tip, Joel Dubin advises how to reduce data leaks, reviews products that can identify network vulnerabilities and keep mobile device ...
-
Five steps to building information risk management frameworks
Implementing a successful enterprise risk management plan can be an overwhelming and harrowing process. In order to make the process work, many aspects need to be examined, and all business areas need to be hands on. In this tip, contributor Khalid ...