Tips

Tips

• Don't get spoofed by distributed denial-of-service attacks

  Distributed denial-of-service attacks continue to use spoofing. But there are means to stop the practice.  Continue Reading

• How to avoid brand hacking and ensure enterprise social media security

  Enterprise social media has revolutionized how businesses communicate with consumers. However, it has also made brand hacking an even larger concern.  Continue Reading

• Exploring logical, physical access control systems integration

  Is it smart for infosec teams to push for integration of logical and physical access control systems? Learn how to make the case and where to start.  Continue Reading

• Java-based malware: Mitigating the threat of JRE vulnerabilities

  Java-based malware and JRE vulnerabilities are a constant enterprise threat. Expert Nick Lewis reveals how to reduce (or at least tolerate) the risk.  Continue Reading

• Network segmentation: No-brainer or unseen network security threat?

  When it comes to security, network segmentation can be a blessing or a curse. In this tip, we look at the pros and cons of this enterprise decision.  Continue Reading

• NIST cybersecurity framework analysis: Putting it to good use

  Expert Ernie Hayden explains how critical infrastructure organizations can use the NIST cybersecurity framework to assess, improve infosec practices.  Continue Reading

• Why wait for FIDO? Multifactor authentication methods you can use now

  FIDO-ready tech could take a while, but there are a variety of multifactor authentication methods available now to make your logins secure.  Continue Reading

• Four steps to taking the fear out of large file transfers

  Large file transfers don't have to be scary. Learn four key steps to keeping your network secure when big files exit your enterprise.  Continue Reading

• Whitelisting: Filtering for advanced malware prevention

  Though it's been maligned in the past, whitelisting can be an effective tactic for filtering advanced malware attacks against enterprise endpoints.  Continue Reading

• NSA TAO: What Tailored Access Operations unit means for enterprises

  The NSA's top-secret Tailored Access Operations offensive hacking unit offers enterprise defense strategy lessons. Expert Nick Lewis discusses.  Continue Reading

• After HIPAA Omnibus Rule 2013: How to implement continuous compliance

  Expert Mike Chapple explains why the HIPAA Omnibus Rule 2013 presents an opportunity for organizations to embrace a continuous compliance approach.  Continue Reading

• App security: Decompiling Android APK files

  Find hidden malware or security weaknesses by decompiling Android applications into Java source code.  Continue Reading

• CryptoLocker ransomware: Why ransomware prevention is a losing battle

  The CryptoLocker ransomware caught many enterprises off guard. Expert Nick Lewis explains why it's unique and the one defense strategy that works.  Continue Reading

• In dog days of enterprise authentication, can FIDO Alliance help?

  Enterprise authentication practices are plagued with problems. IAM expert Michele Chubirka examines whether the FIDO Alliance can offer solutions.  Continue Reading

• Changes to ISO 27001: What's new in the 2013 ISO 27001 update?

  Expert Mike Chapple reviews the recent ISO 27001 update, including the three most significant changes to ISO 27001 and the effect on infosec programs.  Continue Reading

• API security: How to ensure secure API use in the enterprise

  API security is a growing enterprise concern. In the wake of recent high-profile breaches, discover how to alleviate the issues of insecure APIs.  Continue Reading

• Why the ACA makes information security in healthcare more challenging

  Information security in healthcare has always been challenging, but expert Joseph Granneman says the ACA's focus on data storage makes it even harder.  Continue Reading

• RAM-scraping malware update: Enterprise defense against RAM scrapers

  As the Target breach proved, RAM-scraping malware is difficult to detect. Learn best practices to defend against RAM scrapers.  Continue Reading

• What to do when shadow IT risks move to the cloud

  Shadow IT isn't new, but now it's climbed into the cloud. Get a grip on it the old-fashioned way, with discovery, monitoring and interdiction.  Continue Reading

• How descoping measures can help reduce regulatory compliance burden

  Expert Mike Chapple explains how two descoping techniques can help many organizations reduce their regulatory compliance burden.  Continue Reading

• Three ways to raise infosec awareness among non-security executives

  Low infosec awareness among C-level execs can hurt security funding. Expert Joseph Granneman details three ways that CISOs can raise that awareness.  Continue Reading

• Using Wireshark: Reviewing four key Wireshark features

  Become familiar with four Wireshark features network security pros value in this packet-capturing analytics tool.  Continue Reading

• How to build an effective corporate privacy compliance program

  Expert Mike Chapple reviews major data privacy laws and explains how to build a data privacy compliance program to meet regulatory requirements.  Continue Reading

• Return to sender: Improving security with DMARC email authentication

  Learn how domain-based messaging authentication, reporting and conformance, or DMARC, can enhance your email security.  Continue Reading

• SHA-1 to SHA-2: The future of SSL and enterprise application security

  The future of SSL is SHA-2. Security expert Michael Cobb explains why SHA-1 poses an increasing danger and what the transition entails.  Continue Reading

• Smart defense is good offense: Rethink how you use your SIEM product

  Learn how to improve policies and enhance monitoring to make your security information and event management (SIEM) product more effective.  Continue Reading

• Finding enterprise IPS nirvana: Granular data and simplicity

  More granular data is needed from an enterprise IPS than ever before. Brad Casey explores why and reveals other ways to get the info sought.  Continue Reading

• Essential security analytics technology for advanced malware detection

  Josh Sokol reviews the security technologies needed to support a successful security analytics program focused on advanced malware detection.  Continue Reading

• Pre-audit planning: Four keys to a successful IT security audit

  One QSA offers pre-audit planning advice to ensure a smooth, successful enterprise IT security audit for both the organization and the auditor.  Continue Reading

• Why marketing principles can help a security awareness program succeed

  Veteran CISO Ernie Hayden offers ideas from the realm of marketing to help spread security awareness like a virus -- but in a good way.  Continue Reading

• Continuous security monitoring: What enterprises can learn from CDM

  Uncover key continuous security monitoring tips enterprises can take away from the federal government's Continuous Diagnostics and Mitigation program.  Continue Reading

• Separate but equal: Mitigating the risk of Web-borne malware infections

  The potential damage from Web-borne malware can be effectively limited through a process of separation.  Continue Reading

• Malware defense: Mitigating malware hiding as digitally signed software

  Malware leveraging PKI and digital signatures is increasingly common. Nick Lewis explains the threat and five key defense strategies.  Continue Reading

• Windows XP upgrade planning: Preparing for Windows XP end of life

  The Windows XP end-of-life date, April 8, 2014, is approaching. Learn about the risk of delaying Windows XP upgrades and planning the transition.  Continue Reading

• How to rank enterprise network security vulnerabilities

  Risk management programs yield massive data on network security vulnerabilities. Infosec pros must rank risks before prioritizing remediation efforts.  Continue Reading

• Improve disaster preparedness with the National Mitigation Framework

  Businesses can use FEMA's National Mitigation Framework to improve disaster preparedness planning. Expert Joseph Granneman explains how.  Continue Reading

• IE 11 security: Has Web browser security technology reached its peak?

  Internet Explorer 11 offers few new security features. So, has Web browser security technology reached its peak? Michael Cobb details IE 11 security.  Continue Reading

• Locking the backdoor: Reducing the risk of unauthorized system access

  Rampant backdoors in enterprise IT products too often provide unauthorized access to attackers and governments. Learn how to defend against the risks.  Continue Reading

• Breach detection systems: Deployment models that detect malware better

  Breach detection systems, a tier-two security technology, identify malware in transit and help you detect unknown breaches and side-channel attacks.  Continue Reading

• How to protect corporate data after the NSA Bullrun revelations

  Expert Joe Granneman explains how to protect corporate data after leaks divulge information on NSA Bullrun and other government surveillance programs.  Continue Reading

• What attributes are necessary to have success in the CISO role?

  With the CISO role being a new addition for many executive teams, expert Joe Granneman says there are several challenges facing security execs.  Continue Reading

• Identifying and preventing router, switch and firewall vulnerabilities

  Routers, switches and firewalls are easy targets for hackers. Network security expert Brad Casey offers advice on keeping network devices secure.  Continue Reading

• Mitigate malicious apps with mobile device security training

  Mobile device security training can help reduce the threat of malicious mobile apps by making users think twice before clicking download.  Continue Reading

• Enterprise network security: Which model should you choose?

  With a range of physical and virtual appliance security controls, here's how to find the right security model for enterprise data centers.  Continue Reading

• How to cope with information security job search challenges

  Veteran CISO Ernie Hayden offers advice to one security pro who, despite many job openings, can't overcome information security job search challenges.  Continue Reading

• Overestimating layered security strategy: Why it's not a panacea

  Layered security is an enterprise networking best practice, but expert Brad Casey says products that don't fit together may render layers useless.  Continue Reading

• PCI DSS version 3.0: The five most important changes for merchants

  PCI DSS version 3.0 isn't a wholesale revision, but longtime PCI expert Ed Moyle says merchants' transitions must start now to avoid problems later.  Continue Reading

• Web browser extension security: Mitigating browser plug-in threats

  Application security expert Michael Cobb discusses the risks of Web browser extensions and what enterprises can do to counter browser plug-in threats.  Continue Reading

• Inside the BREACH attack: How to avoid HTTPS traffic exploits

  Enterprise threats expert Nick Lewis examines how the BREACH attack exploits HTTPS traffic and what enterprises can do to mitigate the attack risk.  Continue Reading

• CRM, ERP security best practices: How to secure aging software

  Enterprises rely on ERP and CRM systems, but they pose a risk if left unpatched. Michael Cobb reviews enterprise application security best practices.  Continue Reading

• PCI QSA analysis: PCI DSS 3.0 to bring new PCI challenges, benefits

  A veteran QSA believes PCI DSS 3.0 will help both QSAs and enterprises, but says further clarifications are needed to avoid PCI assessment disputes.  Continue Reading

• Adaptive authentication: An introduction to risk-based authentication

  Enterprise use of adaptive authentication is growing internally and for Web applications. Brad Causey details the allure of risk-based authentication.  Continue Reading

• Social media regulations and compliance: What enterprises should know

  Nick Hayes of Forrester Research details social media regulations and compliance issues, including five compliance areas that enterprises must manage.  Continue Reading

• Data governance 2.0: Adapting to a new data governance framework

  Data governance 2.0, an updated enterprise data governance framework, brings challenges and opportunities. Henry Peyret of Forrester Research details.  Continue Reading

• Analysis: Enterprise password management tools have room to improve

  Explore the differences between consumer and enterprise password management products and learn pros and cons about the latest tools.  Continue Reading

• How threat intelligence can give enterprise security the upper hand

  Expert Nick Lewis covers the benefits of threat intelligence for enterprises, plus how to integrate intel feeds with existing security programs.  Continue Reading

• VDI security: The benefits and pitfalls of virtualizing endpoints

  With the rise of endpoint virtualization, enterprises need to grasp the positives and manage the negatives of VDI security. Expert Brad Casey details.  Continue Reading

• Use SIEM technology to identify unauthorized access attempts

  Analyst Anton Chuvakin explains how to use SIEM technology to identify unauthorized access attempts that can lead to data theft.  Continue Reading

• PCI DSS review: Assessing the PCI standard nine years later

  As the industry preps for PCI DSS 3.0, compliance expert Mike Chapple reviews PCI's successes and failures. Has it made card data more secure?  Continue Reading

• Keys to a successful network-based malware detection deployment

  Network-based malware detection is an attractive alternative to traditional AV, but deployment challenges loom large. Expert Michael Cobb advises.  Continue Reading

• Information security policy management for emerging technologies

  Veteran CISO Ernie Hayden discusses how to foster infosec policies that secure emerging technologies without being perceived as a business roadblock.  Continue Reading

• How context-aware security can improve enterprise APT detection

  Expert Brad Casey explains why enterprises are turning to context-aware security approaches to improve their APT detection capabilities.  Continue Reading

• IT compliance planning: How to maintain IT compliance documentation

  Documentation is a key requirement for many IT security regulations. Expert Mike Chapple offers tips for maintaining documentation the right way.  Continue Reading

• Malware defense revisited: How to improve Web-based malware detection

  Signature-based AV doesn't stop Web-based malware, but what does? Spyro Malaspinas points out what's next in enterprise malware detection technology.  Continue Reading

• Obad.a analysis: Is malware on Android devices now equal to Windows?

  Expert Nick Lewis determines how enterprises should react to Obad.a, a strand of malware on Android devices reportedly equal to that on Windows.  Continue Reading

• A decade later: SOX program management best practices

  After 11 years of Sarbanes-Oxley and other mandates, enterprises have finally embraced holistic compliance program management as a best practice.  Continue Reading

• Using a next-gen firewall to determine application access policies

  Learn how next-gen firewalls offer improved application awareness and granularity to manage or block particular application features.  Continue Reading

• Why sandboxing technology is integral for advanced malware detection

  Expert Brad Casey details how advanced malware detection products rely heavily on sandboxing technology, though it's not a cure all for enterprises.  Continue Reading

• IT security strategy 2.0: Adjusting for a shifting infosec landscape

  Seismic shifts in the infosec landscape can no longer be ignored. Ernie Hayden explains how to update an IT security strategy to account for change.  Continue Reading

• TPM security overview: Defining the benefits of TPM devices

  The nearly ubiquitous TPM device is an often-overlooked tool in an infosec pro's arsenal. Expert Michael Cobb details the benefits of TPM security.  Continue Reading

• Security incident response procedures: When to do a system shutdown

  At times, security incident response procedures require drastic measures. Expert Nick Lewis explains when and how to perform a system shutdown.  Continue Reading

• Open source code management: How to safely use open source libraries

  Expert Michael Cobb explains why enterprises need better open source code management to negate the security risks posed by open source libraries.  Continue Reading

• Corporate compliance program: How to give a status update to the board

  Expert Mike Chapple explains how to communicate the status of a corporate compliance program to the board, including both successes and shortcomings.  Continue Reading

• Advanced threat-detection products emerge: Benefits and challenges

  Traditional security tools are no longer sufficient for defending against new breeds of attacks, forcing advanced threat-detection products to emerge.  Continue Reading

• Deploying network security devices: Tips to avoid failed deployments

  John Burke offers advice on effectively deploying network security devices to protect sensitive data and manage the mobility boom in the enterprise.  Continue Reading

• To improve breach detection, revisit intrusion detection techniques

  To solve the breach-detection issues highlighted in the 2013 Verizon DBIR, several intrusion detection techniques are needed, says expert Nick Lewis.  Continue Reading

• CASP certification: Does CompTIA's security certification offer value?

  The new CompTIA Advanced Security Practitioner certification won't replace the CISSP, but it may offer critical value to one specific group.  Continue Reading

• Mega-DDoS attack prevention: How to prepare for larger DDoS attacks

  Enterprises face increasing risks from mega-DDoS attacks. Expert Brad Casey provides advice on high-bandwidth DDoS attack prevention.  Continue Reading

• Evaluating network security virtualization products

  Don't risk making mistakes when you evaluate network security virtualization products. Our six key points will keep you on track.  Continue Reading

• Whistleblower policy: Preventing insider information leak incidents

  NSA-level incidents are rare, but they do happen. Learn how to prevent a whistleblower scenario and limit the risk of insider information leaks.  Continue Reading

• Two-factor authentication options, use cases and best practices

  It may seem daunting, but two-factor authentication options are manageable for nearly all enterprises. Learn how to get started in this 2FA primer.  Continue Reading

• How to enact Apache security best practices for Web server security

  With Apache Web servers becoming ever more popular with attackers, organizations should follow Apache security best practices to avoid compromise.  Continue Reading

• Unmanaged endpoints? Rethink the defense-in-depth security model

  Today's endpoint security model is failing. What's next? Learn why endpoint defense-in-depth controls must assume the endpoint is compromised.  Continue Reading

• How to manage the deluge of information security threat reports

  Many vendors and analysts publish information security threat reports. See Joseph Granneman's strategy to find and use the information that matters.  Continue Reading

• No firewall? How disabling the firewall can improve network security

  Having no perimeter firewall may seem ludicrous, but Joel Snyder explains why disabling the firewall can actually improve enterprise network security.  Continue Reading

• Understanding logic bomb attacks: Examples and countermeasures

  In light of the attacks on South Korean organizations, expert Nick Lewis defines logic bomb attacks and offers other examples and countermeasures.  Continue Reading

• PCI e-commerce compliance guidelines for third-party payment processors

  Expert Mike Chapple details the PCI SSC's third-party processor rules and how to outsource card processing and stay PCI DSS compliant.  Continue Reading

• How key MDM features affect mobile security policy management

  As MDM features become more robust, enterprises must not only look for mature products, but also evolve mobile security policies accordingly.  Continue Reading

• Intro to two-factor authentication in Web authentication scenarios

  The Web's top brands are implementing two-factor authentication for consumer Web authentication. Learn 2FA benefits, burdens and how to get started.  Continue Reading

• Aligning business and IT security: Learning from South Carolina breach

  Ernie Hayden details how South Carolina's Department of Revenue breach proves business and IT security are often out of alignment, and how to fix it.  Continue Reading

• How to reduce IT security risk with IT asset management

  IT asset management expert Barb Rembiesa explains how ITAM best practices like IT asset standardization and rationalization reduce IT security risk.  Continue Reading

• Using network flow analysis to improve network security visibility

  To overcome network security issues from advanced attackers and BYOD, security professionals are turning to network flow analysis to gain improved network security visibility.  Continue Reading

• Exploit kits evolved: How to defend against the latest attack toolkits

  Expert Nick Lewis details how automated exploit kits are evolving and offers mitigations for the latest methods employed by these attack toolkits.  Continue Reading

• A HIPAA compliance checklist for corporate mergers and acquisitions

  Learn about the important HIPAA compliance best practices that can help maintain compliance before and after a corporate merger or acquisition.  Continue Reading

• SIEM best practices for advanced attack detection

  SIEM struggles are common, but Mike Rothman explains why SIEM products are critical for advanced attack detection, and offers a SIEM tuning step-by-step.  Continue Reading

• How to use compliance automation to reduce compliance risk

  Tony UcedaVelez offers tips for automating compliance tasks to reduce IT security and compliance risk while easing the pain of arduous compliance audits.  Continue Reading

• The evolution of threat detection and management

  Enterprises must understand the latest threat detection options to keep up with advanced cybercriminals who can bypass enterprise security defenses.  Continue Reading

• Choosing among antimalware products: Final considerations

  Mike Rothman discusses important last-minute considerations when choosing among antimalware products from finalist antimalware vendors.  Continue Reading

• How to choose the best antimalware products: Questions to ask vendors

  Mike Rothman offers 10 critical questions to ask antimalware vendors when seeking out the best antimalware products for enterprise use.  Continue Reading

• Technical considerations for selecting the best antimalware technology

  Mike Rothman discusses the evolution of malware and how today's antimalware products should handle detection and remediation.  Continue Reading