Tips

Tips

• Extranet security strategy considerations

  Extranets can be beneficial for conducting e-commerce, but if they aren't properly secured, they can pose serious risks to you, your business partners and customers. In this tip, our network security expert, Mike Chapple, provides four tactics for ...  Continue Reading

• IIS security: Configure Web server permissions for better access control

  Updating user access controls as business portfolios expand can help protect confidential data. Learn how to secure user access controls and keep your greatest asset under lock and key by configuring IIS Web server permissions, in this tip by ...  Continue Reading

• How to install and configure Nmap for Windows

  In this second installment of our Nmap Technical Manual, SearchSecurity expert Michael Cobb offers pointers on how to install and configure Nmap for Windows.  Continue Reading

• Skype: Its dangers and how to protect against them

  Skype may be free for end users but it could be costing your enterprise its security. This tip outlines the free VoIP solution's security risks and offers tips for keeping Skype off of the network.  Continue Reading

• SOX compliance: Building a directory services model for adequate access controls

  Using meta-directories for authentication and access control puts data at risk, but they can be useful in obtaining the granular control of service directories required for compliance.  Continue Reading

• Nmap: A valuable open source tool for network security

  Open source tool Nmap is a popular choice amongst hackers and security pros alike for network mapping, port-scanning and testing for network vulnerabilities.  Continue Reading

• How to recover your network after a security breach

  For SMBs that don't have a budget to invest in a full-scale network management system, recovering from a security breach requires more work from the IT staff than just pressing a few buttons. In this tip, Tom Lancaster pinpoints the five most ...  Continue Reading

• SSO: Strong authentication in enterprise deployments

  By understanding the right amount of protection required, security pros can ensure SSO improves productivity, saves money and, most importantly, protects corporate information.  Continue Reading

• How to protect your company against cybercrime

  Thanks to the Internet's inherent anonymity, widespread reach and disjointed law enforcement status, cybercriminals have a lot to gain -- and enterprises have a lot to lose. In this tip, SearchSecurity expert and malware guru Ed Skoudis describes ...  Continue Reading

• NetChk Protect 5.5

  Information Security magazine's contributing editor, Wayne Rash , reviews Shavlik Technologies NetChk Protect 5.5  Continue Reading

• Compliance Q&A: Myths, mistakes and management advice

  Keeping organizations continuously compliant with multiple complex and ever-changing regulatory requirements remains a challenge for many infosec pros. But if they don't shape up now, it's only going to get worse. In this interview, Rebecca Herold, ...  Continue Reading

• HTTP attacks: Strategies for prevention

  Examine how hackers manipulate HTTP requests to solicit an attack, and learn various guidelines developers should follow to mitigate this threat.  Continue Reading

• Achieving network security with tomorrow's antivirus tools

  Learn about antivirus from an intelligence/technology perspective and offers best practices for simple file-type blocking, and the implementation of heuristic- and reputation-based antivirus tools.  Continue Reading

• The key technologies in a network perimeter intrusion defense strategy

  This article lays the groundwork for future discussions of intrusion defense. Joel Snyder introduces technologies that act as strong network perimeter defenses.  Continue Reading

• Pen testing your VPN

  Your VPN is a vital gateway into your network for your company's road warriors, telecommuters and other remote users. Unfortunately, it's also a gateway for the less-than-scrupulous predators prowling the Internet for access to your network. This ...  Continue Reading

• How to implement an effective risk management team

  In this installment of the Risk Management Guide, Shon Harris describes the roles and responsibilities of an information risk management team.  Continue Reading

• Biometrics: Best practices, future trends

  Biometrics products are improving, but they still require careful consideration and planning before implementation. In this tip, ID and access management expert Joel Dubin reviews some best practices and pitfalls to watch out for.  Continue Reading

• How to conduct a risk analysis

  In this installment of the Risk Management Guide, Shon Harris provides step-by-step instructions on conducting a risk analysis.  Continue Reading

• How to define an acceptable level of risk

  Even though management is responsible for defining an organization's acceptable level of risk, the security practitioner should understand the process and be able to illustrate to management how underlining security threats can negatively affect ...  Continue Reading

• How to deal with risk

  In this installment of the Risk Management Guide, Shon Harris explains the four ways to deal with identified risk: transfer it, avoid it, reduce it or accept it.  Continue Reading

• Information risk management: Defining the scope, methodology and tools

  In this installment of the Risk Management Guide, Shon Harris explains the importance of defining the scope of the IRM team's responsibilities, the difference between qualitative and quantitative risk analysis and the tools used to carry out risk ...  Continue Reading

• Understanding risk

  In this installment of the Risk Management Guide, contributor Shon Harris explains what risk is and clarifies the differences between risk and vulnerability management.  Continue Reading

• How to write an information risk management policy

  In this installment of the Risk Management Guide, Shon Harris describes the contents of a risk management policy and provides a sample policy template.  Continue Reading

• Defining adequate security controls

  Because of the changing nature of technology, the language in the Sarbanes-Oxley Act is purposefully vague. This article explores the meaning of adequate security controls and what is required for SOX compliance.  Continue Reading

• Adding 'fudge' to your passwords

  Many end users easily have half a dozen passwords to access the various Web apps they need to do their jobs. With this tip, you can enforce strong password policies -- and allow your users to write down their passwords.  Continue Reading

• Advice from the pros: What infosec newbies need to know

  Security practitioners discuss what you should know about the security industry before embarking on an information security career.  Continue Reading

• Designing a DMZ using iptables

  In this tip, excerpted from ITKnowledge Exchange, security practitioners share strategies used to design a demilitarized zone using iptables.  Continue Reading

• Become compliant – without breaking the bank, part 2

  Re-use your existing tools to meet regulatory demands.  Continue Reading

• Become compliant -- without breaking the bank

  Re-use your existing tools to meet regulatory demands.  Continue Reading

• Creating secure passwords you don't have to remember

  It's easy to tell users to create strong passwords, but hard to get them to do it. And when they do, it's common to see them written on a sticky note attached to someone's monitor. So what's the answer? It might be an online application that ...  Continue Reading

• Spear phishing: Don't be a target

  Hackers are beginning to use targeted attacks to exploit network vulnerabilities. In this tip, Al Berg introduces a specific targeted attack, spear phishing, and provides tactics information security practitioners can use to protect their ...  Continue Reading

• Ten dos and don'ts for secure coding

  Security practitioners should understand how developers introduce security vulnerabilities into applications and work to support the developers in improving code quality and security. Encouragement and support for improvement must be a fundamental ...  Continue Reading

• Best practices for pen testing Web applications

  Performing a Web application penetration test can gauge how well your Web application can withstand an attack. In this tip, platform security expert Michael Cobb provides best practices for performing Web application pen test.  Continue Reading

• Know your wireless encryption options

  Understanding wireless encryption is essential to deploying a secure wireless network. Contributor Tony Bradley breaks down the different encryption methods and explains why some are better than others.  Continue Reading

• Protect your business from a Google hack

  Learn how to use advanced operators, special searching techniques offered by Google that enable advanced queries, to discover if your company's sensitive security information is exposed on the Internet before a black hat does. This tip offers a ...  Continue Reading

• Six steps to beating backup server hacks

  Are your backup servers also backdoor servers? If you're not specifically addressing their vulnerabilities, they just might be. In this tip, W. Curtis Preston looks at the security issues behind backup servers and offers a quick list of things you ...  Continue Reading

• Checklist: What to do when you've been hacked

  Network hacking attacks are more common than most of us would like to admit. In this tip, SearchSecurity.com's network security Michael Gregg guru outlines six questions you should ask of your organization if you've been hacked, and provides ...  Continue Reading

• What's new in the revision of ISO 17799

  SearchSecurity expert Michael Cobb outlines the latest changes to the ISO 17799 standard.  Continue Reading

• 2006 Products of the Year: Antispyware

  Information Security and SearchSecurity readers selected the best desktop and gateway enterprise antispyware products of 2006.  Continue Reading

• Automate SQL injection testing

  Manual testing for SQL injection requires much effort with little guarantee that you'll find every vulnerability. Instead, run automated SQL injection tests. In this tip, security guru Kevin Beaver shows you how.  Continue Reading

• Checklist: 11 things to do after a hack

  Your network's been cracked, what do you do next? Contributor Jonathan Hassell recommends following these eleven steps to limit damage and preserve evidence.  Continue Reading

• Cheat sheet: Access management solutions and their pros and cons

  A cheat sheet of the most common access solutions with a brief description, and their risks and pros and cons to help you choose the solution that is right for your organization.  Continue Reading

• Simplifying Nessus security scans with a spreadsheet model

  In this tip, expert George Wrenn explains how to divide networks into small, manageable IP spaces and maintain Nessus data with a spreadsheet model.  Continue Reading

• Nessus vulnerability assessment with the SANS Top 20

  Using the SANS Top 20 in conjunction with Nessus can help you eliminate exposures that give unauthorized privileged access to vulnerable hosts.  Continue Reading

• Secure data transmission methods

  The main purpose of this tip is to explore secure data transmission options that are available to help meet regulatory and legal requirements.  Continue Reading

• An overview of the risk management process

  In this installment of the Risk Management Guide, Shon Harris provides a 10,000-foot view of the risk management process.  Continue Reading

• How to use IPsec filtering rules to filter network traffic

  Learn how to control what enters and exits your PCs by using IPsec filtering rules to filter particular protocol and port combinations for both inbound and outbound network traffic.  Continue Reading

• RSS: The next malware target?

  A recent report from Trend Micro names RSS as the next likely target for bot worm attacks and predicts feed hijackings will be prevalent with the release of IE 7. In this tip, security expert Mike Chapple explains how RSS could be exploited, and ...  Continue Reading

• Application firewall tips and tricks

  While network firewalls are effective at blocking unwanted communications, they do not provide a complete examination of traffic entering your network. Therefore, adding application-layer firewalls is essential to protecting your network from the ...  Continue Reading

• Hacker holiday greetings: Social engineering tactics

  While hackers may have a myriad of programs and exploits to choose from, they all pale in comparision to their numbe one weapon: social engineering. In this tip, contributor Tony Bradley provides some techniques that all should look out for.  Continue Reading

• Why form fields aren't a good place to hide sensitive information

  Web security guru Michael Cobb, takes an in-depth look at the dangers of HIDDEN form fields, how attackers use them to gain unauthorized entry or hijack sessions, and most importantly, how to secure the information sent in these fields.  Continue Reading

• The 5 A's of functional SAN security

  This tip examines why admins should follow the 5 A's of SAN security: Authentication, access, audits, alarms and availability, to keep their SAN secure.  Continue Reading

• Secure remote access: SSH Tectia Manager

  In this review, Information Security magazine's senior technology editor examines the strengths and weaknesses of SSH's Tectia Manager.  Continue Reading

• How to overcome Web services security obstacles

  Richard Mackey explains how to build secure Web service applications and the difference between Web service protocols and standards.  Continue Reading

• Service-level agreement advantages and disadvantages

  Learn about the advantages and disadvantages of service-level agreements.  Continue Reading

• How to prevent phishing scams and protect customers

  In this tip, Web security guru, Nalneesh Gaur examines how hackers are using phishing scams to exploit financial sectors of the industry, why you should care and what you can do to prevent these attacks.  Continue Reading

• How to break into security

  How do you break into security if you're fresh out of school or making a career change within IT? Learn how network admins and security newbies can acquire entry-level experience.  Continue Reading

• Best practices for managing secure Web server configurations

  In this tip, Michael Cobb, our Web security guru takes an in-depth look at ways to manage securing configurations of multiple Web servers. He explains the process from frequency to documentation and replication.  Continue Reading

• The pros and cons of migrating to Firefox

  Making the switch from Internet Explorer to Firefox isn't a security cure-all. Here are some factors to consider before you change Web browsers.  Continue Reading

• Configuresoft's Enterprise Configuration Manager v4.7

  Information Security magazine's contributing editor, Mike Chapple, reviews Configuresoft's Enterprise Configuration Manager v4.7.  Continue Reading

• How to tame Google Desktop

  Although not classified as spyware, if left unmanaged and unmonitored desktop search engines, like Google Desktop, can introduce serious security concerns. This tip examines these risks and explains how to block or secure Google Desktop in the ...  Continue Reading

• Educate users about security awareness

  User education is one of the hardest security layers for administrators to implement. This article by contributor Tony Bradley provides the top ten things users should know about information security.  Continue Reading

• Websense Enterprise 5.5

  Learn why Information Security magazine believes this product is ideal for organizations who need an robust Internet filtering solution.  Continue Reading

• Using attack responses to improve intrusion detection

  IPSes must detect an attack as it comes into the network; however, IDSes have the advantage of identifying an intrusion based on incoming our outgoing network traffic.  Continue Reading

• Best practices for protecting handhelds from mobile malware

  Mobile malware such as the Cabir worm and Dust virus indicate that it's a good idea to put sound handheld security practices in place now, although antivirus software for handhelds and mobile phones may not be worth the investment.  Continue Reading

• Block and reroute denial-of-service attacks

  Prevent denial-of-service and distributed denial-of-service attacks from taking down your network by blocking and rerouting DDoS and DoS traffic using honeypots, subnets and intrusion detection and prevention systems.  Continue Reading

• Securing Web apps against authenticated users

  Improve Web site security by securing Web applications from authenticated users and avoiding client-side authentication.  Continue Reading

• Layered access control: 6 top defenses that work

  Security guru Joel Snyder introduces six strategies for building layered security in networks in this presentation from Information Security Decisions.  Continue Reading

• IPsec and SSL VPNs: Solving remote access problems

  Learn how to solve remote access problems in this Information Security Decisions presentation by security expert Joel Snyder.  Continue Reading

• Standards-based compliance: A how-to guide

  This presentation by Dick Mackey discusses the pros and cons of using standards as the vehicles to improve regulatory compliance.  Continue Reading

• How to secure session tokens

  Dos and don'ts for protecting session IDs for users of e-commerce Web sites.  Continue Reading

• The 5 pillars of successful compliance

  Find out how to put the key benefits of what Pamela Fusco achieved at Merck & Co. to work in your own organization as she covers five key areas associated with security's role in compliance.  Continue Reading

• Smart options for safeguarding stored data

  Learn the three basic ways to encrypt sensitive data: encryption at the source, encryption with a backup application and hardware encryption, as well as the advantages and disadvantages of each option.  Continue Reading

• Creating a corporate security culture

  Learn how to successfully consolidate, integrate and centralize your security practices, as well as set in motion a security governance process that defines your company's security vision and strategy.  Continue Reading

• A guide to governance, security and safeguarding your business

  In this presentation, Dr. Fred Cohen, who is one of the world's leading researchers and analysts in information protection, investigates the link between corporate governance and information protection.  Continue Reading

• How to build a secure network from the ground up

  Receive peer advice on what steps are crucial when building a secure network from the ground up. Also learn what resources are available to guide you through this process.  Continue Reading

• Protect your Web site against path traversal attacks

  How to protect your Web site against path traversal attacks.  Continue Reading

• What to tell senior management about regulatory compliance

  The IT Governance Institute offers actionable advice for implementing security governance as it relates to regulatory compliance.  Continue Reading

• How to choose a firewall

  Despite the development and evolution of security technologies, the firewall remains a vital component of any network architecture, and today's organizations have myriad options to choose from. This tip outlines five basic questions you should ask ...  Continue Reading

• Auditing firewall activity

  This Firewall Architecture Tutorial tip shows how completing a firewall audit of activity can help in the management of valuable firewall data.  Continue Reading

• Choosing the right firewall topology: Bastion host, screened subnet or dual firewalls

  An overview of the three most common firewall topologies, including diagrams of a bastion host, screened subnet and dual firewall architectures.  Continue Reading

• Firewall Architecture Tutorial

  In this Firewall Architecture Tutorial you will learn all aspects of firewall implementation such as how to choose the right type of firewall for your organization, how to choose a firewall topology and how to audit firewall activity.  Continue Reading

• Placing systems in a firewall topology

  In this Firewall Architecture Tutorial tip, you will learn a firewall topology for placing firewall systems, such as bastion host, screened subnet and multi-homed firewalls.  Continue Reading

• How to prevent the risks of client-side caching

  Problems of client-side caching and tips for developers on using secure cache-control directives.  Continue Reading

• Sizing up e-mail appliances, part 3

  Information Security magazine tests four e-mail appliances designed to clear the way for safe messaging. Here's how they measured up.  Continue Reading

• How to block IM applications in the enterprise

  In this tip, security guru Mike Chapple discusses how IM threatens the network and provides strategies you can use to keep your network free of IM traffic.  Continue Reading

• Sizing up e-mail appliances, part 2

  "Information Security" magazine tests four e-mail appliances designed to clear the way for safe messaging. Here's how they measured up.  Continue Reading

• How to write an RFP

  The principles of Six Sigma can be applied to the process of writing a request for proposal.  Continue Reading

• Sizing up e-mail appliances

  Information Security magazine tests four e-mail appliances designed to clear the way for safe messaging. Here's how they measured up.  Continue Reading

• Hercules 4.0 Enterprise Vulnerability Management Suite

  Information Security magazine's contributing editor, James C. Foster , reviews Hercules 4.0 Enterprise Vulnerability Management Suite from Citadel Security Software.  Continue Reading

• HIVE 3.0

  Information Security magazine reviews the strengths and weaknesses of Sentryware's HIVE 3.0.  Continue Reading

• Kaspersky Anti-Virus Business Optimal 5.0

  Information Security magazine reviews the strengths and weaknesses of Kaspersky's anti-virus solution.  Continue Reading

• SMTP policies help reduce the risk of unauthorized mail servers

  SMTP policies can help protect systems from rogue e-mail servers that clog the network with viruses, malware and spam.  Continue Reading

• Using secure MIME (S/MIME) for securing email

  Secure MIME (S/MIME) and digital certificates offer channel professionals a low-cost way to improve their customers' email security. This tip explains how to implement S/MIME and digital certificates for email encryption.  Continue Reading

• Step-by-Step Guide: Best practices for security patch management

  This step-by-step guide offers best practices on how to deploy a security patch and provides the tools you will need to mitigate the risk of a compromised computer.  Continue Reading

• Security patch testing and deployment phase

  Learn what conditions should be met in the security patch testing phase prior to deployment. Also learn how to deploy a security patch and what methods, tools to use to ensure a predicable rollout.  Continue Reading

• Security patch validation and verification

  Learn about the verification and review phase of the security patch deployment cycle. Learn how these phases help ensure the organizations security patch management procedure is proactive.  Continue Reading

• Web security benchmarks

  Learn how to increase your security posture and what resources are available to security admininstrators who want to quickly ramp up their posture of their protected systems.  Continue Reading

• Security awareness training: How to educate employees about spyware

  Educated end users are a valuable defense in the fight against spyware. Learn how to conduct effective security awareness training and create spyware policies.  Continue Reading

• End user's spyware prevention checklist

  Encourage end users to be vigilant in the fight against spyware. Help employees prevent spyware with this checklist.  Continue Reading