Tips

Tips

• Making the case for network security configuration management

  Network security configuration management isn't exciting, but it's necessary to ensure attackers can't exploit an enterprise's network. In this tip, Tom Bowers explains how easily malicious hackers can infiltrate misconfigured networks, and details ...  Continue Reading

• How to find and stop automated SQL injection attacks

  Automated SQL injection worms use search engines to filter through vulnerable Web servers. In this tip, Patrick Szeto explains how to keep your website off of the malware's radar.  Continue Reading

• An inside look at security log management forensics investigations

  David Strom provides some examples of log data that provided key clues to enterprise data breaches.  Continue Reading

• How to find sensitive information on the endpoint

  Worried that your enterprise endpoints may be harboring sensitive information like credit card numbers or Social Security numbers? Fear not. Mike Chapple offers algorithms and tools to conduct a search and advice on dealing with the results.  Continue Reading

• How to choose between source code reviews or Web application firewalls

  Michael Cobb explains how to make the right choice between Web application firewalls or source code security reviews.  Continue Reading

• When to use open source security tools over commercial products

  When budgets are cut and open networks still need securing, it may be helpful to try open source security tools as a sufficient and affordable alternative to pricey commercial products.  Continue Reading

• How to spot attacks through Apache Web server log analysis

  Log analysis requires refined search skills that will help you ferret out security issues. Brad Causey explains how to sift through log data and find the relevant security information.  Continue Reading

• HIPAA compliance: New regulations change the game

  Recent changes to HIPAA regulations coupled with renewed HIPAA enforcement may stir a panic among enterprise security teams charged with safeguarding PHI. Not so, according to security management expert David Mortman. Learn how HIPAA has changed and...  Continue Reading

• Kerberos configuration as an authentication system for single sign-on

  Looking to implement single sign-on in your enterprise, but have a lot of custom applications that don't seem compatible? In this tip, IAM expert David Griffeth takes a look at Kerberos, a non-proprietary IAM tool, as a solution to network ...  Continue Reading

• Preparing enterprise Wi-Fi networks for PCI compliance

  The Payment Card Industry Data Security Standard (PCI DSS) requires several key measures are in place to protect transaction data on enterprise Wi-Fi networks. In this special tip from Forrester Research, Senior Analyst John Kindervag details what ...  Continue Reading

• Short-lived Web malware: Fading fad or future trend?

  Attackers are increasingly spreading their malicious code through fly-by-night websites that seem legitimate to unsuspecting users, but are actually laden with malware. Marcos Christodonte II explains how short-lived Web malware works, and how ...  Continue Reading

• Data security best practices for PCI DSS compliance

  The glut of recent data breaches, such as the one at Heartland Payment Systems Inc., leaves some security pros wondering if PCI DSS is doing its job. Is it worth all the effort to become PCI compliant if breaches still seem inevitable? In this ...  Continue Reading

• Maltego demo: Identifying a website's trust relationships

  This month, Peter Giannoulis of TheAcademyPro.com and TheAcademyHome.com demonstrates Maltego, an information-gathering tool that infosec pros can use to assist with vulnerability assessments and penetration tests by identifying trust relationships ...  Continue Reading

• Vulnerability test methods for application security assessments

  Learn what to do when you have a huge portfolio of potentially insecure applications, limited resources and an overwhelming sense of urgency.  Continue Reading

• Security book chapter: The Truth About Identity Theft

  Jim Stickley, author of The Truth About Identity Theft, explains how easy it really is to hack a password.  Continue Reading

• Evaluating MSSP security before taking the plunge

  As the economic climate becomes more uncertain, many enterprises are considering the security and cost-saving benefits of managed security service providers (MSSPs). They're not for everyone, however, and Mike Chapple explains what each organization...  Continue Reading

• How to clear out anonymous Web proxy servers in the workplace

  Enterprises may use Web filtering software to limit Internet use, but some employees may respond right back with easily available anonymizing proxies. John Strand explains how to keep your users from bypassing content filters.  Continue Reading

• How to use single sign-on for Web access control to prevent malware

  Web-based applications are popping up everywhere, and new worms and viruses are being developed just as quickly to exploit them. In this IAM expert tip, David Griffeth explains how to use single sign-on with multifactor authentication to keep ...  Continue Reading

• How to use (almost) free tools to find sensitive data

  No matter how much security awareness training employees get, some of them will still store sensitive data in insecure places. As a security manager, finding that data becomes of paramount importance -- but how to do it? In this tip, John Soltys ...  Continue Reading

• A preview of PCI virtualization specifications

  The PCI Data Security Standard has little to say about virtualization – for now. Michael Cobb explores which best practices are likely to appear in the council's upcoming clarification document.  Continue Reading

• How to integrate the security of both physical and virtual machines

  According to a recent Gartner Inc. research report, 60% of virtual machines will be less secure than their physical counterparts through 2009. Michael Cobb explores the challenges of securing a mixed infrastructure of physical and virtual machines.  Continue Reading

• Recovering lost passwords with Cain & Abel

  In his latest screencast, Peter Giannoulis of The AcademyPro.com demonstrates how to use the Cain & Abel tool to decipher or track down lost passwords..  Continue Reading

• How to block adult websites from enterprise users by logging content

  Inappropriate content has always been a problem for enterprise security teams. What are some best practices for blocking adult content and websites from systems? In this security management tip, learn strategies for keeping users' Web habits in ...  Continue Reading

• Strategies for email archiving and meeting compliance regulations

  According to a recent study, 29% of surveyed IT professionals archive their email for compliance reasons. Michael Cobb reviews compliance regulations that demand email archiving and how such products can ease some of the pain that comes with the ...  Continue Reading

• Book chapter: IPv6 implementation security issues

  IPv6 is becoming a reality, but the network-layer protcol is far from perfect. In Chapter 1 of his new book, "IPv6 Security," author Eric Vyncke reviews some vulnerabilities.  Continue Reading

• Are Windows Vista security features up to par?

  Expert Michael Cobb explains why attempts to bypass Windows Vista memory protections don't necessarily mean that the operating system lacks security.  Continue Reading

• Security book chapter: Applied Security Visualization

  In this section of Chapter 5: Visual Security Analysis (.pdf), author Raffael Marty discovers the forensic analysis of log data for discovering attacks and reporting incidents.  Continue Reading

• Screencast: How to scan with Nmap

  Peter Giannoulis takes a look at everybody's favorite, freely available port scanner and OS identifier: Nmap.  Continue Reading

• Information security forecast: Security management in 2009

  What will the year ahead hold for information security? Learn about the likely trends -- from dealing with questions of enterprise virtualization and SaaS security, to Web application security, to compliance issues.  Continue Reading

• Identity and access management 2009: Staff cuts, insider threats

  Identity and access management in 2009 will be drastically different from 2008, most notably because staff reductions may result in a new crop of malicious attackers. In this tip, David Griffeth explains how to deal with growing outsider and insider...  Continue Reading

• How to increase security with a decreasing budget

  Throughout 2009, organizations will focus on being smarter, leaner and cheaper, which may leave security --- and funding for security -- out of the big picture. But don't panic; Michael Cobb explains why there's still room for information security ...  Continue Reading

• Cracks in WPA? How to continue protecting Wi-Fi networks

  German researchers recently described a Wi-Fi Protected Access (WPA) flaw that seemed to put the security of the popular wireless protocol in question. Network security expert Mike Chapple explains the vulnerability, but argues that the standard ...  Continue Reading

• End-user Compliance: Creating a security awareness training program

  Security awareness training is a must, but what's the best way to create a successful program, and what are the tell-tale signs that it's working? In this tip, security management expert David Mortman explains how to create general as well as ...  Continue Reading

• Screencast: How to gather host-level data with Network Miner

  Peter Giannoulis of www.theacademypro.com demonstrates how to use Network Miner, an open source, passive network sniffer tool that hasn't received the attention that it deserves.  Continue Reading

• Use BotHunter for botnet detection

  Got bots? Hopefully not, but how can you be sure? Learn about botnet detection with the help of a free tool, BotHunter. This can keep your computers from participating in a botnet and subsequently leaking data.  Continue Reading

• How to prevent clickjacking attacks with security policy, not technology

  Clickjacking, an emerging hacker technique similar to cross-site scripting, tricks a user into executing malicious commands on a seemingly legitimate or innocent website. John Strand reviews how the attack works, how it compares to ...  Continue Reading

• Security and audit relationships: Uneasy antagonists or partners in arms?

  The relationship between information security pros and auditors can be a rocky one, but there are a few specific steps that can make it smoother. Tony Higgins explains the best ways to keep auditors happy, and make the compliance job easier.  Continue Reading

• Deleting user accounts: How to manage users during a layoff

  When budgets get cut across the enterprise, it's likely that employees will get cut, too. So what's the best way to handle a large number of user account modifications or deletions? IAM expert David Griffeth offers a step-by-step process for ...  Continue Reading

• Security beyond compliance: A proactive and customized security framework

  Though compliance guidelines are a good place to start, they in no way guarantee the security of a network. Marcos Christodonte II explains how to create a unique and dynamic security framework that can stand up to even the most current threats.  Continue Reading

• Writing Wireshark network traffic filters

  The freely available Wireshark tool can provide valuable analysis of network traffic, but capturing packets can often lead to an overload of data. Mike Chapple explains how to use Wireshark's traffic filters to zero in on the precise information ...  Continue Reading

• Video: The foundation of an email security strategy

  Guest instructor Joel Snyder explains which standards can help you increase the security of SMTP-based email.  Continue Reading

• The 100-day plan: Achieving success as a new security manager

  One of the top priorities of any newly minted information security manager is to implement a new enterprise security strategy. In this tip, security management expert Mike Rothman explains what needs to happen in the first 100 days of a security ...  Continue Reading

• Screencast: Collecting metadata with Metagoofil

  Peter Giannoulis explains how Metagoofil, an information gatherer that extracts metadata from public documents, can be extremely valuable when investigating a target network.  Continue Reading

• Review system event logs with Splunk

  Splunk is a free tool that provides log review and management. From parsing files to triggering alerts and scripts, Splunk can greatly reduce the amount of time security teams spend on logs.  Continue Reading

• How to stop malware in a 'Flash'

  Always innovating, attackers have found ways to mask their malware by placing the code into PDFs and Flash files. The malware often appears to be legitimate ads for products, and it can be particularly hard to analyze. John Strand explains why and ...  Continue Reading

• Video: Setting up a secure wireless network

  In a four-part video series, Joel Snyder of Opus One walks you through the phases of a secure wireless network setup.  Continue Reading

• Cloud compliance: How to manage SaaS risk

  While Software as a Service (SaaS) can cut costs, there are definite security concerns to be aware of, including compliance issues. What's the best way to make sure that data is safe and audit-ready on the provider's server? Expert Joel Dubin gives ...  Continue Reading

• The value of application whitelists

  Although some may find Windows Vista's User Account Control feature annoying, it is really a variation of a security mechanism that is now re-emerging: the application whitelist. Michael Cobb explores application whitelist benefits and drawbacks, ...  Continue Reading

• How to implement and enforce a social networking security policy

  For a new generation of employees entering the workforce, social networking isn't a luxury, it's a necessity. Yet not all enterprises understand that failing to consider social networking security can lead to unfortunate consequences. David Sherry ...  Continue Reading

• New blacklists: Highly predictive or hardly worth it?

  Renowned security expert Marcus Ranum once declared that blacklists were one of the most misguided ideas in computer security. But what about a new, more customized approach called highly predictive blacklists? John Strand takes a look at the ...  Continue Reading

• Enterprise single sign-on: Easing the authentication process

  Learn how enterprise single sign-on (SSO) can ease the authentication process and can be a solution to employee access issues. Implementation and single sign-on software are also discussed.  Continue Reading

• ID and password authentication: Keeping data safe with management and policies

  Learn how to improve authentication and avoid password hacking with management policies that enforce password expiration, length and complexity requirements.  Continue Reading

• Security token and smart card authentication

  Get advice on how to mitigate data theft from hackers with security token and smart card authentication technology, smart card readers and software.  Continue Reading

• PKI and digital certificates: Security, authentication and implementation

  Get more information about PKI and digital certificates, such as how to implement PKI, how to ensure security and available implementation. Also learn about digital certificates, signatures and achieving authentication through a certificate ...  Continue Reading

• Richard Mackey: Building a framework-based compliance program

  Richard Mackey talks about frameworks that can help you find the holes in your compliance program.  Continue Reading

• Biometric authentication know-how: Devices, systems and implementation

  Discover the pros and cons of multiple biometric authentication devices and techniques, such as iris pattern or fingerprint scans, voice recognition and keystroke dynamics. Also get advice on biometric implementation best practices.  Continue Reading

• Smartphone security: The growing threat of mobile malware

  The increasingly pervasive use of wireless handhelds in the enterprise is just one reason why malware pros are getting serious about mobile malware. Lisa Phifer details all the reasons why smartphone and PDA viruses and malware may be on the rise, ...  Continue Reading

• Screencast: How Tor improves Web surfing privacy and security audits

  In an on-screen demonstration, learn how Tor can be used to ensure that surfing habits aren't recorded by malicious hackers.  Continue Reading

• FISMA compliance made easier with OpenFISMA

  Scott Sidel examines the open source security tool OpenFISMA, a compliance tool that assists government agencies and their contractors in meeting FISMA's requirements.  Continue Reading

• Workstation hard drive encryption: Overdue or overkill?

  In an age of high-profile data breaches and insider risks, encryption is an important defense mechanism for enterprises. The question is: how much encryption is necessary? Many security pros have gone to great lengths to protect data on network ...  Continue Reading

• Recovering stolen laptops one step at a time

  When a student's laptop was stolen last year on a university campus, police and IT investigators went to work, recovering it within a matter of weeks. Neil Spellman, one of the investigators on the case, offers some best practices on what to do if a...  Continue Reading

• How to detect system management mode (SMM) rootkits

  Rootkits were once a system administrator's best friend. Now they have evolved to become an admin's worst nightmare: well-known, surreptitious malware that can provide super user access to an infected machine. Michael Cobb explains how to get rid of...  Continue Reading

• User provisioning software: Emerging features reveal market's future

  As a fundamental feature of IAM suites, user provisioning can streamline access to multiple systems on a network. But how does user provisioning work and what features is it likely to add in the future? IAM expert Joel Dubin analyzes Gartner's Magic...  Continue Reading

• IE 8 beta 2 security features may mark improvements for browser security

  Despite Microsoft's previous best efforts to build a more secure browser, some users may have been discouraged with Internet Explorer 7. That may change now with the beta release of IE 8. Michael Cobb explores the latest browser's security features ...  Continue Reading

• WEP to WPA: Wireless encryption in the wake of PCI DSS 1.2

  The PCI Security Standards Council recently announced the upcoming release of PCI DSS version 1.2. Plenty of changes are on the way, but one in particular may call for some significant wireless infrastructure upgrades. Mike Chapple explains why the ...  Continue Reading

• Windows registry forensics: Investigating system-wide settings

  Information security forensic investigations can be a big job, but Windows registry command tools can make it easier. From querying autostart programs to getting the goods on every USB device ever connected to a particular Windows machine, these ...  Continue Reading

• Screencast: How to use Nipper to create network security reports

  Peter Giannoulis of The Academy.ca demonstrates how to use Nipper, a free open source network infrastructure parser tool.  Continue Reading

• How to get information security buy-in from the executive team

  When pitching security to the big bosses, it's important to brush up on public-speaking skills and lay out the case in advance. Mike Rothman gives his recommendations on how to prepare for a security presentation in order to receive the necessary ...  Continue Reading

• Weaponizing Kaminsky's DNS discovery

  The dust has settled since Dan Kaminsky revealed an intriguing -- and now, perhaps, notorious -- DNS exploit at this year's Black Hat briefings. But many organizations are still not patching their internal servers. John Strand explains why this ...  Continue Reading

• HIPAA privacy regulations get some teeth: Be prepared

  In July, a Seattle healthcare agency received a six-figure fine by the U.S. Department of Health and Human Services for compromising patient data. The penalty was the first of its kind, raising the stakes on HIPAA compliance. As HIPAA regulations ...  Continue Reading

• Mining enterprise SIM logs for relevant security event data

  SIM products can be tremendously useful, but only if they offer information in a clear, concise manner. Given the complex nature of today's enterprise networks and the massive amount of information that SIMs can harvest, too much data can be worse ...  Continue Reading

• How to configure NAP for Windows Server 2008

  The arrival of Windows Server 2008 ushers in a big portion of Microsoft's long-awaited Network Access Protection (NAP) initiative. In this tip, David Strom uses words and pictures to explain how to get started with NAP using the Network Policy ...  Continue Reading

• Exploring Microsoft's Network Access Protection policy options

  A policy platform was built into Microsoft Windows Vista and Windows Server 2008, one that offers the ability to create customized health policies that validate a computer's security before allowing access or communication. The mechanism, now known ...  Continue Reading

• Debian: A niche OS with a not-so-niche security flaw

  A recently discovered flaw in the Debian version of Linux meant that any OpenSSL keys generated during the past 20 months could be guessed in a matter of hours. But does the vulnerability suggest broader security issues for Linux? Michael Cobb ...  Continue Reading

• Version 1.2 of Payment Card Industry (PCI) Data Security Standard answers questions, raises others

  Understanding the wording of the PCI Data Security Standard isn't always easy. What exactly qualifies as an "application firewall," for example, or even "strong encryption?" Thankfully, clarifications to terminology and requirements are coming in ...  Continue Reading

• PCI version 1.2 clarifications: How to get an early start on compliance audits

  Last month, the PCI Security Standards Council released a preview of changes in the upcoming Payment Card Industry Data Security Standard revision. The clarifications in the standard's language are welcome adjustments, but the tweaks may have an ...  Continue Reading

• The Little Black Book of Computer Security, 2nd Edition

  In an online excerpt of The Little Black Book of Computer Security, expert author Joel Dubin reviews how to prepare for today's most important compliance requirements.  Continue Reading

• Screencast: How to use Wikto for Web server assessment

  Peter Giannoulis demonstrates what kinds of website and Web server information can be found using the free Wikto tool.  Continue Reading

• How to avoid DLP implementation pitfalls

  Data leak prevention tools effectively reduce the chances that an enterprise's sensitive data will end up where it shouldn't, but several pitfalls can severely curtail a DLP tool's effectiveness. In this tip, Rich Mogull offers several best ...  Continue Reading

• Security certifications: Are they worth the trouble?

  Security certifications may or may not be helpful in furthering a security career, but many security pros feel they must "comply" with the unspoken expectation that certifications are a must for career advancement. In this special tip, security ...  Continue Reading

• Microsoft Baseline Security Analyzer: Do updates offer improved Windows security?

  The Microsoft Baseline Security Analyzer has always been useful at scanning Windows environments for the presence or absence of security updates. Now, see how the latest version adds support for Windows Vista and Windows Server 2008 to its bag of ...  Continue Reading

• How to patch Kaminsky's DNS vulnerability

  When Dan Kaminsky revealed the details of his recently discovered DNS flaw at this year's Black Hat briefings, it confirmed what many in the security community already feared: that it was one of the most important discoveries in years, and that ...  Continue Reading

• Web advertising exploits: Protecting Web browsers and servers

  Web browser exploits are nothing new, but few security managers are consciously aware of the threat that Web advertisement exploits represent.  Continue Reading

• How to look past information security vendor rhetoric

  Security professionals are bombarded with messages from vendors (and their marketing messages) heralding sure-fire cure-alls for compliance and information security woes. So what's the best way to differentiate between a useful product and a useless...  Continue Reading

• Directory services and beyond: The future of LDAP

  From its remarkable debut in 1993 as a directory access system, LDAP has evolved to become one of the premier directory management services, rivaled only by Active Directory. But how implementable is LDAP in the current Microsoft market? Is it ...  Continue Reading

• The steps of privileged account management implementation

  Privileged accounts have always been difficult to secure, and they remain the focal point for the insider attack. Luckily, an emerging class of privileged account management products is here to help. Identity management pro Mark Diodati discusses ...  Continue Reading

• Screencast: Catching network traffic with Wireshark

  This month, Peter Giannoulis of the Academy.ca demonstrates the popular, free network protocol analyzer, Wireshark. See how Peter uses Wireshark to hack into a recorded VoIP phone call.  Continue Reading

• Ransomware: How to deal with advanced encryption algorithms

  It's late in the day, and your CEO reports a strange message on his computer screen: his files have been encrypted, and a payment is required to return all of his data. What do you do? Don't give in to the cyberterrorists just yet. Mike Chapple ...  Continue Reading

• Compliance recycling: Combining compliance efforts to manage PCI DSS

  While the Payment Card Industry Data Security Standard (PCI DSS) looms large over most enterprises' compliance efforts, it doesn't necessarily mean abandoning other compliance efforts. Expert Diana Kelley explains not only how to use existing ...  Continue Reading

• DNS rebinding defenses still necessary, thanks to Web 2.0

  The scripted content and plug-ins of today's Web 2.0 websites have opened enterprise networks to an old threat: DNS rebinding. The attacks can create serious problems for your enterprise network, but the defenses are easier than you think. Security ...  Continue Reading

• Easing e-discovery preparation by mapping enterprise data

  With a well-planned data retention policy, an organization can often avoid tracking down old data when served with an e-discovery request. In this tip, Stephen Foskett highlights the linchpin of a data retention policy, the ESI map, including what ...  Continue Reading

• Enterprise role management: Trends and best practices

  Enterprise role management technology is intended to help an enterprise keep tabs of who has access to various network resources, and also makes it easier to define groups of users. Joel Dubin explains how the technology integrates with RBAC and IAM...  Continue Reading

• Trends in enterprise identity and access management

  The market for identity and access management (IAM) products is growing rapidly to meet varied business and compliance demands. What trends -- good and bad -- are on the horizon?  Continue Reading

• Hidden endpoints: Mitigating the threat of non-traditional network devices

  Organizations have many safeguards in place for network-enabled devices like PCs and servers, but few realize the threat posed by non-traditional devices like printers, physical access devices and even vending machines. Endpoint security expert Mark...  Continue Reading

• Web 2.0 and e-discovery: Risks and countermeasures

  Enterprise employees often love Web 2.0 services like wikis and social networking services, but the data employees may create with or provide to those services can put an enterprise at risk, especially when litigation calls for electronic discovery ...  Continue Reading

• Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities

  For anyone who doesn't speak NASL, network security expert Mike Chapple has a firm handle on the Nessus Attack Scripting Language. In this brand-new addition to our Nessus 3 Tutorial, Chapple provides examples of NASL scripts that can find known ...  Continue Reading

• Database patch denial: How 'critical' are Oracle's CPUs?

  A recent survey found that a considerable number of users are outright rejecting Oracle's Critical Patch Updates, perhaps suggesting database administrators feel comfortable with their security defenses or find Oracle's patches to be more of a ...  Continue Reading

• Screencast: Recovering lost data with WinHex

  WinHex is a forensics tool that allows users to examine running programs, wipe confidential files or unused space, and perform drive imaging and drive cloning. In this secreencast Peter Giannoulis of http://theacademy.ca shows you how to use WinHex ...  Continue Reading

• Learn from NIST: Best practices in security program management

  Security success means sweating the small stuff, like ensuring proficiency in implementing patches and configuring systems. Security management expert Mike Rothman offers advice on how certain NIST guidelines can help an organization highlight ...  Continue Reading

• New defenses for automated SQL injection attacks

  By automating SQL injection attacks, hackers have found a way to expedite the process of finding and exploiting vulnerable websites. The old defense of testing and patching Web app code may not be enough to stop the threat. Michael Cobb explains how...  Continue Reading