Manage
Learn to apply best practices and optimize your operations.
User provisioning best practices: Access recertification
User access recertification is the process of continually auditing users' permissions to make sure they have access only to what they need. Implementing recertification, however, can be challenging. Get best practices on creating a recertification ...
Outsourcing data center services: SMB security best practices
Learn best practices for outsourcing data center services and about the security and compliance considerations that influence whether an SMB should outsource data center services.
Are you in compliance with the ISO 31000 risk management standard?
The ISO 31000 risk management standard is becoming an important development tool for shaping existing and new programs. Learn if your programs are in compliance with the standard.
Data classification best practices in financial services
Data classification is critical in the highly regulated financial industry. Learn key steps for data classification.
Self-service user identity management: Pitfalls and processes
While it might seem that self-service user identity management can save time and money, as well as keep information more current, there are a number of potential pitfalls. In this expert tip, Randall Gamby explains how to avoid these issues.
Why it's important to turn on DEP and ASLR Windows security features
In the quest for application security, many developers are disabling or incorrectly implementing two important Windows security features. In this expert response, Michael Cobb explains why ASLR and DEP should always be turned on.
Your USB port management options
When it comes to managing USB ports, the choice is yours. Mike Chapple reviews your three best options.
Enterprise PDF attack prevention best practices
Malicious PDF exploits are at an all-time high. Should enterprises dump PDFs altogether? Expert Michael Cobb answers that question and offers his key enterprise PDF attack prevention tactics.
MD5 security: Time to migrate to SHA-1 hash algorithm?
Many organizations have been replacing the MD5 hash algorithm with the SHA-1 hash function, but can the MD5 hash algorithm still be used securely?
Applying the ISO 27005 risk management standard
The ISO 27005 risk management methodology standard has weaknesses when it comes to risk measurement. "Fuzzy math" theory can help fill the gaps.
Best practices and requirements for GLBA compliance
GLBA requirements to protect personal information have become more relevant than ever. In this tip, Paul Rohmeyer examines best practices for GLBA compliance.
Lack of incident response plan leaves hole in compliance strategy
Without an incident response plan, businesses tend to be reactive rather than proactive when data breaches occur. Here are some steps to follow.
What is an encryption collision?
Michael Cobb reviews how encryption collision attacks on cryptographic hash functions could compromise the security of all kinds of digital systems.
Determine your Microsoft Windows patch level
A handful of patch management tools from Microsoft and third parties can help your organization determine your Windows patch level and identify missing security patches.
How to prevent ActiveX security risks
Application expert Michael Cobb explains why ActiveX security relies entirely on human judgment.
Does using ISO 27000 to comply with PCI DSS make for better security?
PCI DSS is under fire for not providing enough security in the process of securing credit card data. Using ISO 27000 to complement PCI may provide better compliance and security.
What are new and commonly used public-key cryptography algorithms?
Expert Michael Cobb breaks down a variety of encryption algorithms and reviews the use cases for several types of cryptography.
What are the export limitations for AES data encryption?
Although AES is free for any use, public or private, commercial or non-commercial, programs that provide encryption capabilities are subject to U.S. export controls. Expert Michael Cobb reviews the limitations.
PCI DSS compliance requires new vendor management strategy
Requirement 12.8 requires a better vendor management strategy for PCI DSS compliance.
Port scan attack prevention best practices
While it's impossible to prevent all port scanning attacks, there are best practices for port scanning security (such as a port scanning firewall) that can keep your network secure. Expert Mike Chapple weighs in.
Business model risk is a key part of your risk management strategy
Management consultants Amit Sen and John Vaughan discuss business model risk, a way to apply risk management policies to new or changed business processes.
How to mitigate operational, compliance risk of outsourcing services
Companies must have an approach to evaluating partner risk, the level of risk of both the service and the provider, and the adequacy of the security practices of the provider.
How does a Web server model differ from an application server model?
A Web server model and an application server model share many similarities but require different defense methods. Each model, for example, calls for distinct placement of application servers.
PCI DSS 3.1 requirement best practices
Requirement 3.1 of the PCI Data Security Standard requires minimum cardholder data storage. In this tip, learn how to determine how much data your organization should store.
ID and password authentication: Keeping data safe with management and policies
Learn how to improve authentication and avoid password hacking with management policies that enforce password expiration, length and complexity requirements.
Is it impossible to successfully remove a rootkit?
In this expert Q&A, Michael Cobb takes a closer look at the nature of rootkits to see why they can be so difficult to remove.
How to lay the foundation for role entitlement management
Role entitlement management is a daunting task; however, there are steps you can take to lay the foundation for a successful management process. In this tip, expert Rick Lawhorn details these seven steps.
Key management challenges and best practices
Key management is essential to a successful encryption project. In this tip, expert Randy Nash explains the challenges financial organizations face when implementing key management and some of the best practices to overcome them.
Results Chain for Information Security and Assurance
Information Security Blueprint
Is Triple DES a more secure encryption scheme than DUKPT?
Both DES and TDES use a symmetric key, but Michael Cobb explains their separate and distinct roles in protecting financial transactions.
Developing a patch management policy for third-party applications
Enterprises may push the latest critical Windows patches once a month, but here's a dirty little secret: Most organizations don't bother patching their third-party applications. The diversity of client-side software -- including everything from ...
Preparing for uniform resource identifier (URI) exploits
URIs have always been a user-friendly way to recognize and access Web resources. By crafting malicious URLs and manipulating protocol handlers, however, attackers have devised new attacks that take advantage of the URI's locator functionality. Web ...
Enterprise risk management frameworks: Controls for people, processes, technology
Once responsibilities and requirements are defined, the next stage in developing a successful risk management framework involves developing controls. As Khalid Kark explains, that includes developing a culture of security, using technology in the ...
How does SSL 'sit' between the network layer and application layer?
SSL is neither a network layer protocol nor an application layer protocol. In this SearchSecurity.com Q&A, Michael Cobb explains how SSL "sits" between both layers.
How secure is the Windows registry?
In this SearchSecurity.com Q&A, platform security expert Michael Cobb explains the weaknesses of the Windows registry and explores other OS alternatives.
What are the drawbacks to application firewalls?
Application-layer firewalls examine incoming and outgoing traffic more carefully than traditional packet-filtering firewalls, so why are some holding back on deployment? In this SearchSecurity.com Q&A, Michael Cobb reveals some cost and performance ...
What should be done with a RAID-5 array's failed drives?
Even one failed drive in a RAID-5 array can present an enterprise with serious data protection concerns. In this SearchSecurity.com Q&A, expert Michael Cobb explains which policies can protect and recover RAID-5 data.
How secure are document scanners and other 'scan to email' appliances?
Copiers and document scanners have always posed challenges for information security teams. In this SearchSecurity.com Q&A, Michael Cobb reveals how the right policies can control the use (and abuse) of these devices.
How can header information track down an email spoofer?
Spammers can use spoofed headers to hide the true origin of unwanted email. In this SearchSecurity.com Q&A, application security expert Michael Cobb explains how to verify where a message is coming from.
How should security and networking groups manage the firewall?
When it comes to firewalls, the networking group often handles the installation, while the information security department writes the rules. Should these responsibilities be split? In this expert Q&A, security management pro Shon Harris reveals how ...
Will two different operating systems cause administrative problems?
Using two different operating systems can often boost a company's security, but there are practical limitations to the enterprise practice. In this expert Q&A, Michael Cobb reveals how separate platforms can lead to deployment issues and higher ...
IT security auditing: Best practices for conducting audits
Even if you hate security audits, it's in your best interest to make sure they're done right.