Tips

Tips

• Software security training: Perspectives on best practices

  Software development training with an emphasis on secure coding can improve enterprise security postures. Steve Lipner of SafeCode discusses different ways to get the job done.  Continue Reading

• Entropy sources: How do NIST rules impact risk assessments?

  NIST recently released new guidance on entropy sources used for random bit generation. Judith Myerson explains these recommendations and how they alter cryptography principles.  Continue Reading

• What the Azure AD Connect vulnerability can teach enterprises

  Enterprises should learn from a Microsoft Azure AD Connect vulnerability that security requires a hands-on approach. Expert Rob Shapland takes a closer look at the permissions flaw.  Continue Reading

• Patch management programs: Who should run them?

  Patch management is a crucial part of enterprise security defenses, but should security teams be in charge of it? Charles Kao explains how to make patching programs successful.  Continue Reading

• Continuous security monitoring advances automated scanning

  Battling threats in today's fast-paced cyberworld means shutting down vulnerabilities fast, which requires round-the-clock monitoring. Learn how to make it happen in your company.  Continue Reading

• Automated patch management and the challenges from IoT

  From creating an inventory to scanning for IoT vulnerabilities, learn the key steps to take when it comes to automating patch management in your company.  Continue Reading

• Why the Bleichenbacher attack is still around

  The Bleichenbacher attack got a new name after 20 years. Expert Michael Cobb reviews the ROBOT attack and discusses why it's still active this long after it emerged.  Continue Reading

• Web vulnerability scanners: What you won't learn from vendors

  Web security flaws are a serious issue that web vulnerability scanners can manage. Discover your best fit scanner as expert Kevin Beaver shares tips that vendors won't tell you.  Continue Reading

• Protecting safety instrumented systems from malware attacks

  Trisis malware targets safety instrumented systems and puts industrial control systems at risk. Expert Ernie Hayden reviews what to know about SIS and its security measures.  Continue Reading

• Use software forensics to uncover the identity of attackers

  By analyzing the proverbial fingerprints of malicious software -- its program code -- infosec pros can gain meaningful insights into an attacker's intent and identity.  Continue Reading

• Embedded application security: Inside OWASP's best practices

  OWASP released a draft of new guidelines for creating secure code within embedded software. Expert Judith Myerson discusses best practices, pitfalls to avoid and auditing tools.  Continue Reading

• How to prevent SQL injection attacks in your enterprise

  SQL injection attacks threaten enterprise database security, but the use of cloud services can reduce the risk. Here's a look at some alternative SQL injection protection methods.  Continue Reading

• What enterprises need to know about ransomware attacks

  Ransomware attacks on enterprises are often the result of a company's poor IT hygiene. Expert Joe Granneman looks at attacks like those by WannaCry and SamSam ransomware.  Continue Reading

• Mobile security issues require a unified approach

  Security gaps in mobile devices can be many and varied, but they must be addressed immediately. Unified endpoint management is the next-gen way to close the gaps.  Continue Reading

• Counter mobile device security threats with unified tools

  Attacks on enterprise mobile endpoints are more lethal than ever. To help infosec pros fight back, enterprise mobile management has unified to fortify defenses.  Continue Reading

• Dynamic application security testing, honeypots hunt malware

  Stealth is an attacker's best friend, especially when it comes to sneaking malware past the firewall. Learn about some trusty tools that can stop malware in its tracks.  Continue Reading

• Cloud security lessons to learn from the Uber data breach

  Any organization that uses cloud services can learn something from the 2016 Uber data breach. Expert Ed Moyle explains the main takeaways from the massive breach.  Continue Reading

• Information security certification guide: Specialized certifications

  This information security certification guide looks at vendor-neutral certifications in specialized areas such as risk management, security auditing and secure programming.  Continue Reading

• How to manage application security risks and shortcomings

  A lack of proper testing, communication and insight into best practices all contribute to application security shortcomings. Kevin Beaver explains how to manage the risks.  Continue Reading

• Fight a targeted cyberattack with network segmentation, monitoring

  It takes a variety of tactics, including network segmenting and monitoring, to safeguard the network. Learn the latest defenses to keep your network safe.  Continue Reading

• Bypassing facial recognition: The means, motive and opportunity

  Researchers bypassed Apple's facial recognition authentication program, Face ID, in under a week. Expert Michael Cobb explains why it's not a major cause for concern for users.  Continue Reading

• Information security certification guide: Forensics

  This information security certificate guide looks at vendor-neutral computer forensics certifications for IT professionals interested in cyber attribution and investigations.  Continue Reading

• Cryptojacking: How to navigate the bitcoin mining threat

  Due to the rising value of bitcoin and other cryptocurrency, hackers have started to use cryptojacking to mine bitcoin. Learn what this means for end users with expert Nick Lewis.  Continue Reading

• Information security certification guide: Advanced level

  Part three of this information security certification guide looks at vendor-neutral advanced security certifications for more experienced IT professionals.  Continue Reading

• How are middleboxes affecting the TLS 1.3 release date?

  Despite fixing important security problems, the official TLS 1.3 release date keeps getting pushed back, in part due to failures in middlebox implementations.  Continue Reading

• Insider threat behavior: How to identify warning signs

  Enterprises can prevent insider threat incidents if they know what to look for. Peter Sullivan explains the precursors to and precipitating events for insider threat behavior.  Continue Reading

• How HTTP security headers can defend enterprise systems

  HTTP security headers that have the right configurations can be used as defense methods against cyberattacks. Expert Judith Myerson outlines how to use headers this way.  Continue Reading

• TLS 1.3: What it means for enterprise cloud use

  The latest draft version of TLS 1.3 is out, and it will likely affect enterprises that use cloud services. Expert Ed Moyle explains the impact on users and their monitoring controls.  Continue Reading

• What the OWASP IoT security project means for device creation

  The OWASP IoT security project aims to get developers to incorporate security at the beginning of a device's life. Expert Ernie Hayden outlines how it is tackling the issue.  Continue Reading

• Security compliance standards as a guide in endpoint plans

  Consider security compliance regulations for your industry as a starting point and a guide for planning your specific approach to enterprise endpoint protection.  Continue Reading

• The endpoint security controls you should consider now

  With the perimeter wall gone, securing enterprise endpoints is even more essential. Learn how automation and other developments can up endpoint protection now.  Continue Reading

• IT sabotage: Identifying and preventing insider threats

  Preventing IT sabotage from insider threats can be a challenge. Peter Sullivan explains how enterprises should monitor for characteristics of insider threat behavior.  Continue Reading

• The 12 biggest cloud security threats, according to the CSA

  The Cloud Security Alliance reported what it found to be the biggest cloud security threats. Expert Rob Shapland looks at how cloud risks compare to on-premises risks.  Continue Reading

• Mobile app risks: Five things enterprises should consider

  Just like any other risk in the enterprise, mobile app risks need to be a top priority. Join Kevin Beaver as he explains the dangers that unsecure mobile apps pose.  Continue Reading

• The ROCA vulnerability: How it works and what to do about it

  The ROCA vulnerability is a serious flaw in cryptographic keys. Expert Michael Cobb explains what the flaw is, how it works and what can be done to lessen the risk to enterprises.  Continue Reading

• Information security certification guide: Intermediate level

  Part two of this information security certificate guide looks at vendor-neutral intermediate certifications for IT professionals interested in midlevel positions.  Continue Reading

• A look at the key GDPR requirements and how to meet them

  Meeting the most important GDPR requirements is a great first step to compliance with the new regulation. Expert Steve Weil outlines how to get started on GDPR compliance.  Continue Reading

• Get great results from authenticated vulnerability scanning

  Here are five things you can do to successfully prepare and run authenticated vulnerability scanning and, in the end, achieve the most protection.  Continue Reading

• Cryptographic keys: Your password's replacement is here

  As passwords become targets of phishing attacks, password management has become increasingly difficult. Expert Nick Lewis explains how cryptographic keys could replace passwords.  Continue Reading

• Prevent attacks with these security testing techniques

  Software bugs are more than a nuisance. Errors can expose vulnerabilities. Here’s the good news: These security testing tools and techniques can help you avoid them.  Continue Reading

• How to manage HTTP response headers for IIS, Nginx and Apache

  HTTP response header configuration files on servers need to be set up properly to secure sensitive data. Expert Judith Myerson outlines how to do this on different types of servers.  Continue Reading

• Information security certifications: Introductory level

  This series looks at the top information security certifications for IT professionals. Part one reviews basic, vendor-neutral certifications for entry-level positions.  Continue Reading

• How machine learning-powered password guessing impacts security

  A new password guessing technique takes advantage of machine learning technologies. Expert Michael Cobb discusses how much of a threat this is to enterprise security.  Continue Reading

• Use caution with OAuth 2.0 protocol for enterprise logins

  Many apps are using the OAuth 2.0 protocol for both authentication and authorization, but technically it's only a specification for delegated authorization, not for authentication.  Continue Reading

• Data breach litigation: What enterprises should know

  Data breach litigation can be highly detrimental to an organization that just suffered a major security incident. Find out what kinds of legal action enterprises could face in the event of a data breach.  Continue Reading

• How a technology advisory group can benefit organizations

  A technology advisory group can have an irreplaceable impact on an organization. Kevin McDonald explains how volunteer advisors can aid law enforcement and other organizations.  Continue Reading

• How to add HTTP security headers to various types of servers

  Expert Judith Myerson outlines the different types of HTTP security headers and how to add them to different servers, including Apache, Ngnix and Microsoft IIS Manager.  Continue Reading

• How to prevent password attacks and other exploits

  Prevention is essential to protection against various types of password attacks, unauthorized access and related threats. Expert Adam Gordon outlines how to proactively bolster your defenses.  Continue Reading

• How security controls affect web security assessment results

  Network security controls are a blessing and a curse as they help an organization's IT environment, yet hinder web security assessment results. Kevin Beaver explains how they work.  Continue Reading

• How social engineering attacks have embraced online personas

  Discover the extent to which attackers will go to plan social engineering attacks. Nick Lewis explains how the progression of threats is changing how we monitor social media.  Continue Reading

• Email security issues: How to root out and solve them

  Effectively tackling email security issues requires infosec pros to address a broad range of areas, including cloud, endpoints, user training and more.  Continue Reading

• How to prepare for potential IPv6 DDoS attacks

  Enterprises learn how to prepare for IPv6 with DDoS attack tools. Michael Cobb further addresses the inevitable attacks and what users can do.  Continue Reading

• Why threat models are crucial for secure software development

  Threat modeling is an important component of the secure software development process. Steve Lipner of SafeCode explains how threat models benefit software security.  Continue Reading

• Learn how to identify and prevent access control attacks

  Once an attacker has gained entry to a network, the consequences can be severe. Find out how the right access control tools can help prevent that from happening.  Continue Reading

• How shared cloud security assessments can benefit enterprises

  Ensuring cloud security is a constant problem that shared cloud security assessments are trying to address. Learn about the benefits of sharing assessments with Nick Lewis.  Continue Reading

• Windows XP patches: Did Microsoft make the right decision?

  Microsoft had to make several tradeoffs when developing patches for Windows XP. Expert Nick Lewis explains what these tradeoffs were and how enterprises should respond.  Continue Reading

• How automated web vulnerability scanners can introduce risks

  While automation is a key ingredient for security, it can't always be trusted. This especially holds true when running web vulnerability scanners, as Kevin Beaver explains.  Continue Reading

• How app libraries share user data, even without permission

  A new study shows how app libraries can share data among apps, even without permission. Michael Cobb explains how library collusion works and what users can do about it.  Continue Reading

• Analyzing the flaws of Adobe's HTTP security headers

  A recent patching issue with Flash drew attention to shortcomings with Adobe's HTTP security headers. Judith Myerson discusses the importance of HTTP header security.  Continue Reading

• Addressing web server vulnerabilities below the application layer

  Web application security is crucial, but enterprises also need to look below that layer for weaknesses. Kevin Beaver explains how to look for common web server vulnerabilities.  Continue Reading

• Considerations for developing a cyber threat intelligence team

  The use of a cyber threat intelligence team can greatly help organizations. Learn the best practices for team location and selection from expert Robert M. Lee.  Continue Reading

• Make your incident response policy a living document

  Effective incident response policies must be detailed, comprehensive and regularly updated -- and then 'embedded in the hearts and minds' of infosec team members.  Continue Reading

• How the Docker REST API can be turned against enterprises

  Security researchers discovered how threat actors can use the Docker REST API for remote code execution attacks. Michael Cobb explains this threat to Docker containers.  Continue Reading

• Understanding data manipulation attacks in enterprise security

  When it comes to protecting data, ransomware isn't the only thing that should worry enterprises. Nick Lewis explains the threat of data manipulation attacks and how to stop them.  Continue Reading

• Securing endpoints with supplementary tools protects data

  Learn how network access control (NAC), data loss prevention (DLP) and robust data destruction tools secure the data in your corporate endpoints against data loss.  Continue Reading

• What a data protection officer can offer enterprises subject to GDPR

  The EU GDPR requires that organizations appoint a data protection officer, but is that really necessary for security? Expert Francoise Gilbert examines the compliance requirement.  Continue Reading

• How attackers can intercept iCloud Keychain data

  A verification flaw in the synchronization service of iCloud Keychain enables attackers to intercept the data it transfers. Expert Frank Siemons explains what to do about it.  Continue Reading

• How to balance organizational productivity and enterprise security

  It's no secret that enterprise security and organizational productivity can often conflict. Peter Sullivan looks at the root causes and how to address the friction.  Continue Reading

• The HTML5 vulnerabilities enterprises need to know

  Adobe Flash's end of life is coming, but there are some HTML5 vulnerabilities enterprises should be aware of before making the switch. Expert Judith Myerson outlines the risks.  Continue Reading

• After Stuxnet: Windows Shell flaw still most abused years later

  A Windows Shell flaw used by the Stuxnet worm continues to pose problems years after it was patched. Nick Lewis explains how the flaw exposes enterprise security shortcomings.  Continue Reading

• Why DevOps security must be on infosecs' priority list

  In the rush to implement DevOps, security is too often overlooked. But DevSecOps is essential in these hack-filled days. Learn how to add security to software development.  Continue Reading

• How NotPetya ransomware used legitimate tools to move laterally

  WannaCry and NotPetya ransomware woke enterprises up to an expanded threat landscape. Expert Michael Cobb explains these threats and what enterprises can do to stop them.  Continue Reading

• What to do when cybersecurity breaches seem inevitable

  The current threat landscape makes cybersecurity breaches seem unavoidable. Expert Peter Sullivan discusses some simple ways enterprises can reduce the risk of a breach.  Continue Reading

• Cryptography attacks: The ABCs of ciphertext exploits

  Encryption is used to protect data from peeping eyes, making cryptographic systems an attractive target for attackers. Here are 18 types of cryptography attacks to watch out for.  Continue Reading

• The difference between security assessments and security audits

  Security audits vs. security assessments solve different needs. Organizations may use security audits to check their security stature while security assessments might be the better tool to use. Expert Ernie Hayden explains the differences.  Continue Reading

• Destruction of service: How ransomware attacks have changed

  New ransomware variants have introduced another threat to enterprises. Rob Shapland explains what destruction of service attacks are and how organizations should prepare for them.  Continue Reading

• Common web application login security weaknesses and how to fix them

  Flawed web application login security can leave an enterprise vulnerable to attacks. Expert Kevin Beaver reviews the most common mistakes and how to fix them.  Continue Reading

• Security teams must embrace DevOps practices or get left behind

  DevOps practices can help improve enterprise security. Frank Kim of the SANS Institute explains how infosec teams can embrace them.  Continue Reading

• Applying a hacker mindset to application security

  It can be beneficial to think like a black hat. Expert Kevin Beaver explains why enterprise security teams should apply a hacker mindset to their work and how it can help.  Continue Reading

• Are biometric authentication methods and systems the answer?

  Biometric authentication methods, like voice, fingerprint and facial recognition systems, may be the best replacement for passwords in user identity and access management.  Continue Reading

• Why data fidelity is crucial for enterprise cybersecurity

  Cybersecurity teams can't be effective if they don't trust their data. Expert Char Sample explains the importance of data fidelity and the threat of cognitive hacking.  Continue Reading

• What you need to know about setting up a SOC

  Setting up a SOC is different for every enterprise, but there are some fundamental steps with which to start. Expert Steven Weil outlines the basics for a security operations center.  Continue Reading

• SHA-1 collision: How the attack completely breaks the hash function

  Google and CWI researchers have successfully developed a SHA-1 attack where two pieces of data create the same hash value -- or collide. Expert Michael Cobb explains how this attack works.  Continue Reading

• IPv6 addresses: Security recommendations for usage

  IPv6 addresses can be used in a number of ways that can strengthen information security. Expert Fernando Gont explains the basics of IPv6 address usage for enterprises.  Continue Reading

• Applying cybersecurity readiness to today's enterprises

  How prepared is your organization for a cyberattack? Expert Peter Sullivan outlines the seven steps enterprises need to take in order to achieve cybersecurity readiness.  Continue Reading

• Tools to transfer large files: How to find and buy the best

  Need to transfer files within headquarters or between branches? Managed file transfer tools now offer some interesting new features.  Continue Reading

• Why security incident management is paramount for enterprises

  Enterprises aren't truly prepared for cyber threats unless they have proper security incident management in place. Expert Peter Sullivan explains what enterprises need to know.  Continue Reading

• How to detect preinstalled malware in custom servers

  Preinstalled malware was reportedly found by Apple in its custom servers. Expert Nick Lewis explains how enterprises can protect themselves from encountering similar issues.  Continue Reading

• Tactics for security threat analysis tools and better protection

  Threat analysis tools need to be in top form to counter a deluge of deadly security issues. Here are tips for getting the most from your analytics tool.  Continue Reading

• How WannaCry malware affects enterprises' ICS networks

  WannaCry malware has been plaguing organizations across the world. Expert Ernie Hayden explains how this ransomware threatens ICS networks and their security.  Continue Reading

• Incorporating static source code analysis into security testing

  Static source code analysis, along with dynamic analysis and pen testing, can help strengthen your application security. Expert Kevin Beaver goes over the features to look out for.  Continue Reading

• IT security governance fosters a culture of shared responsibility

  Effective information security governance programs require a partnership between executive leadership and IT. All parties work toward a common goal of protecting the enterprise.  Continue Reading

• How the use of invalid certificates undermines cybersecurity

  Symantec and other trusted CAs were found using bad certificates, which can create huge risk for internet users. Expert Michael Cobb explains how these incidents can be prevented.  Continue Reading

• Information privacy and security requires a balancing act

  Maintaining information privacy and security seem to be separate challenges, but in reality, each is integral to the other. Expert Kevin Beaver explains how to work toward both.  Continue Reading

• IPv6 update: A look at the security and privacy improvements

  The recent IPv6 update from the IETF introduces new security and privacy recommendations. Expert Fernando Gont explains these changes and what they mean for organizations.  Continue Reading

• To secure Office 365, take advantage of controls Microsoft offers

  Securing Office 365 properly requires addressing upfront any specific risks of a particular environment and taking advantage of the many security controls Microsoft offers.  Continue Reading

• Office 365 security features: As good as it gets?

  Online and application security is never perfect, but Office 365 security features come close. Here's an overview of how Microsoft installed security in its popular suite.  Continue Reading

• Address Office 365 security concerns while enjoying its benefits

  Office 365 security concerns should worry you but not dampen your enthusiasm for the platform's potential benefits for your business. Here's what you need to consider upfront.  Continue Reading

• Guide to vendor-specific IT security certifications

  The abundance of vendor-specific information technology security certifications can overwhelm any infosec professional. Expert Ed Tittel helps navigate the crowded field.  Continue Reading

• Embedded malware: How OLE objects can harbor threats

  Nation-states have been carrying out attacks using RTF files with embedded malware. Expert Nick Lewis explains how OLE technology is used and how to protect your enterprise.  Continue Reading