Tips

Tips

• Microsoft Baseline Security Analyzer: Do updates offer improved Windows security?

  The Microsoft Baseline Security Analyzer has always been useful at scanning Windows environments for the presence or absence of security updates. Now, see how the latest version adds support for Windows Vista and Windows Server 2008 to its bag of ...  Continue Reading

• Directory services and beyond: The future of LDAP

  From its remarkable debut in 1993 as a directory access system, LDAP has evolved to become one of the premier directory management services, rivaled only by Active Directory. But how implementable is LDAP in the current Microsoft market? Is it ...  Continue Reading

• The steps of privileged account management implementation

  Privileged accounts have always been difficult to secure, and they remain the focal point for the insider attack. Luckily, an emerging class of privileged account management products is here to help. Identity management pro Mark Diodati discusses ...  Continue Reading

• Key management challenges and best practices

  Key management is essential to a successful encryption project. In this tip, expert Randy Nash explains the challenges financial organizations face when implementing key management and some of the best practices to overcome them.  Continue Reading

• Screencast: Catching network traffic with Wireshark

  This month, Peter Giannoulis of the Academy.ca demonstrates the popular, free network protocol analyzer, Wireshark. See how Peter uses Wireshark to hack into a recorded VoIP phone call.  Continue Reading

• Ransomware: How to deal with advanced encryption algorithms

  It's late in the day, and your CEO reports a strange message on his computer screen: his files have been encrypted, and a payment is required to return all of his data. What do you do? Don't give in to the cyberterrorists just yet. Mike Chapple ...  Continue Reading

• Enterprise role management: Trends and best practices

  Enterprise role management technology is intended to help an enterprise keep tabs of who has access to various network resources, and also makes it easier to define groups of users. Joel Dubin explains how the technology integrates with RBAC and IAM...  Continue Reading

• Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities

  For anyone who doesn't speak NASL, network security expert Mike Chapple has a firm handle on the Nessus Attack Scripting Language. In this brand-new addition to our Nessus 3 Tutorial, Chapple provides examples of NASL scripts that can find known ...  Continue Reading

• Database patch denial: How 'critical' are Oracle's CPUs?

  A recent survey found that a considerable number of users are outright rejecting Oracle's Critical Patch Updates, perhaps suggesting database administrators feel comfortable with their security defenses or find Oracle's patches to be more of a ...  Continue Reading

• Screencast: Recovering lost data with WinHex

  WinHex is a forensics tool that allows users to examine running programs, wipe confidential files or unused space, and perform drive imaging and drive cloning. In this secreencast Peter Giannoulis of http://theacademy.ca shows you how to use WinHex ...  Continue Reading

• Learn from NIST: Best practices in security program management

  Security success means sweating the small stuff, like ensuring proficiency in implementing patches and configuring systems. Security management expert Mike Rothman offers advice on how certain NIST guidelines can help an organization highlight ...  Continue Reading

• Password management best practices for financial services firms

  Password management is a fundamental tenet of effective information security, but it's harder than it seems to manage passwords correctly, and far too easy to mess it up. In this tip, contributor Tony Bradley shares best practices for effective ...  Continue Reading

• How to install and configure Nessus

  Nessus, an open source vulnerability scanner, can scan a network for potential security risks and provide detailed reporting that enables you to remediate gaps in your corporation's security posture. This tip, the first in a series of three on ...  Continue Reading

• Nessus: Vulnerability scanning in the enterprise

  General advice for vulnerability scanning in the enterprise with the open source vulnerability scanner Nessus.  Continue Reading

• How to run a Nessus system scan

  In the second tip in our series on running Nessus in the enterprise, our contributor takes you step-by-step through the process of running a Nessus system scan. View screenshots of the Nessus interface and learn commands for the Unix Nessus GUI.  Continue Reading

• Windows registry forensics guide: Investigating hacker activities

  The Windows registry can be used as a helpful tool for professionals looking to investigate employee activity or track the whereabouts of important corporate files. In this tip, contributor Ed Skoudis explains how investigators and administrators ...  Continue Reading

• Best practices for application-level firewall selection and deployment

  Application-level firewalls are an essential aspect of any organization's multi-layered defense strategy, but the implementation process has some security pros scratching their heads. In this tip, contributor Joel Dubin discusses the contrasting ...  Continue Reading

• Pros and cons of multifactor authentication technology for consumers

  Multifactor consumer authentication is a must-have for financial services firms, but there are a number of different types of multifactor authentication technology from which to choose. In this tip, contributor Judith M. Myerson addresses the pros ...  Continue Reading

• Security breach management: Planning and preparation

  All organizations face the risk of an information security breach. While it can be a gut-wrenching ordeal, learning how to manage a breach can make it much easier to contain the damage. In this tip, contributor Khalid Kark unveils several key ...  Continue Reading

• The 'security standards dilemma': Network segmentation and PCI Compliance

  The Hannford Bros. data security breach led many to believe that even PCI-compliant organizations did not properly segment their networks -- or that PCI does not adequately address the importance of network segregation. Contributor Stephen Cobb ...  Continue Reading

• Understanding multifactor authentication features in IAM suites

  Enterprises often make the mistake of assuming that IAM suites come with tightly integrated multifactor authentication features, but in reality making sure they work together well can be a challenge. In this tip, IAM luminary Joel Dubin explains why...  Continue Reading

• Ophcrack: Password cracking made easy

  Scott Sidel examines the open source security tool Ophcrack, a password cracking tool aimed at ensuring the strength of corporate passwords.  Continue Reading

• More built-in Windows commands for system analysis

  Windows command-line tools can be a valuable resource to security professionals charged with the secure configuration of Windows' machines. In this tip, Ed Skoudis defines five more useful Windows commands that can provide new insight into the realm...  Continue Reading

• Webmail security: Best practices for data protection

  Webmail has become a popular choice for enterprises looking to provide users with email access outside the office, but deployment of any Web-based email system presents a unique set of security challenges. In this Messaging Security School tip, ...  Continue Reading

• PCI compliance and Web applications: Code review or firewalls?

  The Payment Card Industry Data Security Standard is about to get a new wrinkle involving Web applications. As of June 30, 2008, to achieve PCI compliance, enterprises must either have their custom Web application code reviewed or install Web ...  Continue Reading

• Out-of-band authentication: Methods for preventing fraud

  Out-of-band authentication can add another layer of data security as customers seek enhanced online banking security. There's also an added cost benefit. This tip delves into various methods and how they can benefit financial firms.  Continue Reading

• Vista WIL: How to take control of data integrity levels

  In the past, Windows users could tweak NTFS permissions and decide who should have access to important data. With the introduction of the Windows Vista operating system, however, the Windows Integrity Levels (WIL) feature seeks to address previous ...  Continue Reading

• Penetration testing: Helping your compliance efforts

  Penetration testing can be helpful as part of a corporate vulnerability assessment, but is it as valuable for enterprise compliance? In this tip, contributor Mike Rothman examines the connection between compliance and pen-testing and unveils why pen...  Continue Reading

• Microsoft PatchGuard: Locking down the kernel, or locking out security?

  With Microsoft's release of Windows Vista, the software giant locked down the kernel and forced independent security vendors to change the way that they provide antivirus services. So is the OS safer from attacks as a result? Contributor Tony ...  Continue Reading

• Worst practices: Learning from bad security tips

  In this tip, information security threats expert Ed Skoudis exposes some bad security practices, highlights the common and dangerous misconceptions held by security personnel, and offers insight on how corporations can learn from others' mistakes.  Continue Reading

• The ins and outs of database encryption

  While pundits and gurus may say the "easy" data protection option is for an enterprise to encrypt its entire database, the truth is it's much harder than many realize. In this tip, database security expert Rich Mogull examines the two primary use ...  Continue Reading

• GLBA risk assessment steps to success

  GLBA requires financial firms to protect their data from anticipated risks. How can those risks be determined? Follow these steps to perform a risk assessment at your financial organization.  Continue Reading

• Worst practices: Bad security incidents to avoid

  Some of information security's worst practices are just best practices ignored. And those guilty of today's big infosec mistakes range from chief security officers to network firewall managers to security staffs at giant financial firms and ...  Continue Reading

• Worst Practices: Three big identity and access management mistakes

  Simple IAM mistakes such as writing down passwords and unaudited user accounts can allow malicious access into corporate networks. In this tip, contributor Joel Dubin exposes the most common identity management and access control blunders, and ...  Continue Reading

• Testing for client-side vulnerabilities

  Client-side vulnerabilities have become a common target of attacks. Financial organizations must keep up by assessing their exposure to such threats. This tip offers three methods for testing your exposure.  Continue Reading

• Failure mode and effects analysis: Process and system risk assessment

  Information security pros are always trying to assess which systems and processes pose the greatest risk to an organization. In this tip, Gideon T. Rasmussen explains how the failure mode and effects analysis (FMEA) methodology can help quantify the...  Continue Reading

• Google hacking exposes a world of security flaws

  In this tip, contributor Scott Sidel examines Goolag, a open source security tool that assists security pros in finding flaws in websites through Google hacking.  Continue Reading

• Encryption methods for financial organizations

  Extreme encryption often comes with penalties. So how do you determine what type of encryption to use? Storage expert Deni Connor explores three methods in this tip.  Continue Reading

• Intrusion detection system deployment recommendations

  Before you take the time and effort to deploy an IDS, consider this advice.  Continue Reading

• Phased NAC deployment for compliance and policy enforcement

  Thinking about NAC? You're not alone. Many organizations are taking a new look at the latest generation of network access control tools, with the hopes of mapping security policy requirements to technical controls. For those about to take the NAC ...  Continue Reading

• Web scanning and reporting best practices

  Implementing a solid Web scanning routine is a key way to avoid corporate Web application attacks. And with industry requirements such as PCI DSS, performing vulnerability scans are also required to stay compliant. In this tip, contributor Joel ...  Continue Reading

• Windows BitLocker: Enabling disk encryption for data protection

  With Windows Vista, Microsoft introduced a whole-disk encryption mechanism called BitLocker. The feature has enabled Windows to provide better data protection, but the tool is not without drawbacks. Contributor Tony Bradley stacks BitLocker up ...  Continue Reading

• Built-in Windows commands to determine if a system has been hacked

  In this tip, contributor Ed Skoudis identifies five of the most useful Windows command-line tools for machine analysis and discusses how they can assist administrators in determining if a machine has been hacked.  Continue Reading

• Data loss prevention (DLP) tools: The new way to prevent identity theft?

  Despite advances in perimeter technologies, data theft has become common in today's enterprises. To protect their confidential information, some security professionals are turning to an emerging technology category: data loss prevention. But don't ...  Continue Reading

• Exploit research: Keeping tabs on the hacker underground

  Protecting an organization against malicious hackers is a constant challenge, especially when attack methods are constantly evolving. But, according to information security threats expert Ed Skoudis, there are effective methods security pros can use...  Continue Reading

• The forensics mindset: Making life easier for investigators

  Eventually every enterprise suffers an incident, and a little preparation now can make all the difference when an event occurs. In this tip, contributor Mike Rothman explains why thinking like an investigator can help security pros develop a ...  Continue Reading

• How to lock down USB devices

  USB devices, thumb drives, flash drives -- whatever you call them, portable media present a significant challenge for enterprises, as they enable easier data transport for mobile workers, but are often the cause for catastrophic data leaks. In this ...  Continue Reading

• Basel II's impact on information security

  Managing risk is a constant pain point at financial institutions. Regulations, like Basel II, can help. This tip explains how.  Continue Reading

• Data loss prevention from the inside out

  Corporate information loss can often be credited to a company's internal organization, or lack thereof. In other words, in order to prevent data leakage, corporations must not only eliminate external threats, but also internal processes that could ...  Continue Reading

• Challenges behind operational integration of security and network management

  The integration of security and network operations holds a great deal of promise thanks to today's security information management technology, but there are a number of hurdles to overcome when it's time to flip the switch. Sasan Hamidi outlines the...  Continue Reading

• How to apply ISO 27002 to PCI DSS compliance

  The Payment Card Industry Data Security Standard may be fairly straightforward, but it's lacking in defining the processes that will ultimately lead to PCI DSS compliance. In this tip, expert Richard Mackey explains why the ISO 27002 can not only ...  Continue Reading

• IT GRC: Combining disciplines for better enterprise security

  IT governance, risk management and compliance (GRC) is a growing area of information security that isn't clearly defined. In this tip, Forrester Research's Khalid Kark defines the components of IT GRC and offers advice on how CISOs and organizations...  Continue Reading

• Secure file copying with WinSCP

  In his latest Downloads column, Scott Sidel examines WinSCP, an open source SFTP and FTP client for Windows. Sidel explains how the tool's optional interfaces, multiple secure authentication mechanisms and strong security features make it a ...  Continue Reading

• Social engineering attacks: What we can learn from Kevin Mitnick

  This article provides examples of how to strengthen your organization against social engineering.  Continue Reading

• Your physical security budget: Who pays and how much?

  In many organizations, the cost of data center security is a shared expense -- or at least it should be. How much then should you be spending on security and how much of that should be picked up by other business units?  Continue Reading

• Security awareness training: Stay in, or go out?

  So you've decided you need security awareness training. Now what? In this tip, Joel Dubin offers a primer on in-house vs. outsourced security awareness training, and guidelines to help an organization decide which choice is best for its needs.  Continue Reading

• Ten hacker tricks to exploit SQL Server systems

  SQL Server hackers have a medley of tricks and tools to gain access to your database systems. Learn their techniques and test SQL Server security before they do.  Continue Reading

• Firewall redundancy: Deployment scenarios and benefits

  There are, however, several good reasons to deploy multiple firewalls in your organization. Let's take a look at a few scenarios.  Continue Reading

• Types of confidential information

  CISSP Thomas Peltier offers guidance on what your information classification policy should address.  Continue Reading

• Data leakage detection and prevention

  While corporate data loss is not a new concern, newer technologies are emerging to help combat the threat. In this tip, Joel Dubin advises how to reduce data leaks, reviews products that can identify network vulnerabilities and keep mobile device ...  Continue Reading

• Five steps to building information risk management frameworks

  Implementing a successful enterprise risk management plan can be an overwhelming and harrowing process. In order to make the process work, many aspects need to examined, and all business areas need to be hands on. In this tip, contributor Khalid ...  Continue Reading

• Cleansing an infected mail server

  Learn five measures you can take to when cleaning up a massive email virus infection  Continue Reading

• Storage vulnerabilities you can't afford to miss

  In this tip, Keavin Beaver identifies eight common storage security vulnerabilites that are often overlooked and examines why network admins should develop a layered security strategy to protect sensitive data.  Continue Reading

• Developing a patch management policy for third-party applications

  Enterprises may push the latest critical Windows patches once a month, but here's a dirty little secret: Most organizations don't bother patching their third-party applications. The diversity of client-side software -- including everything from ...  Continue Reading

• Phone phishing: The role of VoIP in phishing attacks

  Learn how attackers are using the widespread deployment of low-cost VoIP to leverage phishing attacks and how to protect the enterprise.  Continue Reading

• Information protection: Using Windows Rights Management Services to secure data

  Keeping confidential information under wraps is paramount in any business, but finding the right mix of tools or techniques is a common challenge. In this tip, contributor Tony Bradley explains how Windows Rights Management Services (WRMS) can help ...  Continue Reading

• Thinking fast-flux: New bait for advanced phishing tactics

  Bot herders haven't made millions of dollars by relying on yesterday's botnet techniques. In fact, the bad guys have found an innovative new way to leverage thousands of drone machines; it's called fast flux, and it makes even the largest botnets ...  Continue Reading

• Lessons learned from TJX: Best practices for enterprise wireless encryption

  The TJX data breach revealed all too well the weaknesses of the Wired Equivalent Privacy security model. The retailer's well-documented compromise of more than 94 million credit card numbers proved that intruders can easily take advantage of ...  Continue Reading

• Partner access: Balancing security and availability

  Granting business partners access to corporate systems and data is essential to keep business processes on track, but doing so insecurely could mean exposing your enterprise to a plethora of insider threats. In this tip, contributor Joel Dubin ...  Continue Reading

• Preventing spam bots from hijacking an enterprise network

  According to security expert Michael Cobb, the likelihood of your enterprise being compromised by a botnet is not a question of if, but when. In this Messaging Security School tip, Cobb discusses how spammers use botnets to corrupt enterprise ...  Continue Reading

• Applying PCI DSS to Web application security

  With millions of online credit card transactions taking place each day, Web application security is a critical issue for any enterprise. In this tip, contributor Diana Kelley reviews the key PCI DSS sub-requirements for Web applications, and ...  Continue Reading

• Email authentication showdown: IP-based vs. signature-based

  Email has long been a favorite method for malicious hackers looking to launch attacks, and one of the first steps in defending against vicious email threats lies in developing a strong email authentication strategy. In this tip, contributor Noah ...  Continue Reading

• Getting the best bargain on network vulnerability scanning

  When it comes to enterprise network analysis, is it best to use a costly commercial vulnerability scanner or a less expensive open source product? In this week's tip, Mike Chapple explains which enterprise assets require the expensive stuff and ...  Continue Reading

• Making the case for Web application vulnerability scanners

  If a Web application scanner can find common SQL injection flaws, cross-site scripting vulnerabilities, buffer overflows and dangerous backdoors, then why aren't more enterprises using them? In this tip, Michael Cobb not only examines where the ...  Continue Reading

• iPhone security in the enterprise: Mitigating the risks

  Since its flashy launch in June 2007, the Apple iPhone has certainly garnered a great deal of buzz. Almost immediately, hackers searched for exploitable flaws in the product, and they weren't disappointed. In this tip, Ed Skoudis examines ...  Continue Reading

• Screencast: Snort -- Tactics for basic network analysis

  In this exclusive screencast step-by-step demo, Tom Bowers explains how the Snort open source IDS tool works and illustrates how it can help security pros assess network security.  Continue Reading

• Preparing for uniform resource identifier (URI) exploits

  URIs have always been a user-friendly way to recognize and access Web resources. By crafting malicious URLs and manipulating protocol handlers, however, attackers have devised new attacks that take advantage of the URI's locator functionality. Web ...  Continue Reading

• IT discussion: Is malware the cause of a DNS server error?

  DNS connectivity problems are quite common, but an increasing number of DNS issues are being caused by surreptitious attacks. In this Q&A thread from SearchSecurity.com's redesigned IT Knowledge Exchange, learn how an innocent query about a finicky ...  Continue Reading

• Complex password compliance requirements made simple

  In order to comply with a number of well-known industry regulations, it's necessary for enterprises to have stringent password management requirements in place. In this tip, expert Joel Dubin reviews the password requirements put forth by key ...  Continue Reading

• Guide to passing PCI's five toughest requirements

  As data security breach threats increase and the Payment Card Industry (PCI) Data Security Standard's authority continues to expand, credit card-processing companies have little choice but to implement PCI's dozen requirements. Some best practices, ...  Continue Reading

• How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities

  For years, many have said that there is no practical way to exploit a dangling pointer, a common application programming error. But these software bugs should no longer be thought of as simple quality-assurance problems. Michael Cobb explains how ...  Continue Reading

• Building malware defenses: From rootkits to bootkits

  There's an evolving form of malware on the scene that can silently and maliciously wreak havoc on operating systems. Meet the "bootkit" -- a rootkit variant reminiscent of the old-school boot sector virus. While software exists for rootkit detection...  Continue Reading

• Enterprise risk management frameworks: Controls for people, processes, technology

  Once responsibilities and requirements are defined, the next stage in developing a successful risk management framework involves developing controls. As Khalid Kark explains, that includes developing a culture of security, using technology in the ...  Continue Reading

• Finding malware on your Windows box (using the command line)

  Security professionals typically overlook the Windows command line, instead spending their time with more complex GUI-based forensics tools. In this tip, Ed Skoudis explains how just a few command-line tricks can help users closely examine the ...  Continue Reading

• PCI Data Security Standard compliance: Setting the record straight

  Helping executives understand what PCI Data Security Standard compliance is all about can be a challenge, especially when it comes to debunking the many myths that have been perpetuated over the years. Read this tip by contributor John Kindervag as ...  Continue Reading

• COSO and COBIT: The value of compliance frameworks for SOX

  In an attempt to blaze a path through the myriad of compliance regulations and requirements, organizations are looking to frameworks like COSO and COBIT. In this tip, contributor Mike Rothman examines these compliance paradigms and offers insights ...  Continue Reading

• Using an XML security gateway in a service-oriented architecture

  Enabling security for enterprise Web services and service-oriented architectures (SOA) requires an approach that differs from traditional security practices. In this tip, Gunnar Peterson explains how XML security gateways can help keep network ...  Continue Reading

• Compliance benefits of tokenization

  If your organization handles credit card data, then it's probably already heard about the benefits of tokenization. However, as Joel Dubin explains, tokenization not only keeps confidential data out of the hands of malicious hackers, but also offers...  Continue Reading

• Troubleshooting proxy firewall connections

  Investigating the TCP 'handshake' between clients and servers has always been a useful way to diagnose Web server and application problems. Firewalls, however, can interfere with the normal transmission control protocol process. In this tip, network...  Continue Reading

• Investigating logic bomb attacks and their explosive effects

  A logic bomb is a dangerous piece of software designed to damage a computer or network and cause massive data destruction. In this tip from SearchSecurity.com's Ask the Expert section, Ed Skoudis explains how an enterprise can prepare for a hacker's...  Continue Reading

• The dangers of granting system access to a third-party provider

  Granting system access to a third-party provider is a risk that can introduce security threats and technical and business dangers into your enterprise. In this tip, security expert Joel Dubin discusses the potential threats involved with granting ...  Continue Reading

• M&A: Merging network security policies

  Company mergers often call for the consolidation of two different network policies. But before making any final decisions on technology, the staff members of both organizations need to be on the same page. In this tip, contributor Mike Chapple ...  Continue Reading

• Screencast: How to configure a UTM device

  Unified threat management technologies provide protection against various network attacks, but properly configuring UTM boxes can be a whole other battle. In this exclusive screencast, expert David Strom gives an easy-to-follow, on-screen ...  Continue Reading

• Mergers and acquisitions: Building up security after an M&A

  Mergers and acquisitions are common headlines in today's information security world, and that's great news for malicious hackers and data thieves. When companies join forces, they often leave themselves open to attack. In this tip, contributor Ed ...  Continue Reading

• Understanding PCI DSS compensating controls

  By-the-book PCI DSS compliance scores big points with auditors, but abiding by all the regulations and requirements is a tall order in many organizations. Security management expert Mike Rothman discusses how compensating controls play a role in ...  Continue Reading

• Unified communications infrastructure threats and defense strategies

  Unified communications systems promise exciting productivity gains for workers and cost savings for businesses, but many often underestimate the security threats facing them. John Burke outlines the threats facing unified communications and how to ...  Continue Reading

• Best practices for compliance during a merger

  Company mergers involve more than just aligning two different security infrastructures. When one vendor acquires another, it's the handling of compliance issues that can be an IT security staff's toughest task. In this tip, security expert Joel ...  Continue Reading

• Using VMware for malware analysis

  Virtualization software like VMware helps ease the challenges of malware analysis. Malware expert Lenny Zeltser explains the steps enterprises must take to ensure malicious software doesn't leak out of their VMware-based labs and endanger production...  Continue Reading

• CISSP certification can serve as introduction to regulatory compliance

  The CISSP is widely considered a valuable baseline certification for information security professionals, but its coursework can also be a valuable introduction to the complex world of regulatory compliance. As certification expert Peter H. Gregory ...  Continue Reading

• How to choose the right smart card

  The ISO 7816 form factor is the most commonly deployed smart card in the enterprise, but it's not always the best option. As Burton Group's Mark Diodati explains, those looking for desktop simplicity and lower costs may want to consider an ...  Continue Reading