- Secure SaaS: Cloud services and systems
- Operating System Security
- Enterprise Vulnerability Management
- Virtualization Security Issues and Threats
- Securing Productivity Applications
- Software Development Methodology
- Web Security Tools and Best Practices
- Application Firewall Security
- Application Attacks (Buffer Overflows, Cross-Site Scripting)
- Database Security Management
- Email Protection
- Open Source Security Tools and Applications
- Social media security
- For U.S. Mint, cloud computing security transparency effort pays off
  U.S. Mint CISO Chris Carpenter said his cloud provider wasn't ready for either his security questions or to share continuous monitoring and log data. [News | 03 Oct 2012]
- Can enterprises really count on cloud computing cost savings?
  Video: Enterprises counting on cloud computing cost savings may be in for an unpleasant surprise, plus learn about often-overlooked cloud risks. [Video]
- PDF download: Information Security magazine September 2012
  In this issue, learn about the pros and cons of cloud-based security services and mobile application security considerations. [Magazine]
- Security as a Service: Benefits and risks of cloud-based security
  Know the pros and cons of cloud-based security services before making the leap. [Feature]
- Setting up for BYOD success with enterprise mobile management and mobile application security
  Bring your own device is quickly becoming a popular practice and, unfortunately, it's often misused. Access this informative e-zine to learn more about protection and mobile management. Find out how mobility is really changing the enterprise and what you can do to ensure that you deploy adequate security measures. [E-Zine]
- Is IDaaS viable for a hybrid enterprise identity management system?
  Is IDaaS a wise choice for managing access to cloud and on-premises systems? Randall Gamby discusses hybrid identity management systems. [AtE]
- AWS outage doesn't discourage Netflix
  Netflix says it remains bullish on the cloud despite major Amazon outage. [News | 11 Jul 2012]
- Gary McGraw on cloud computing pros and cons for security
  Cloud computing can help improve SMB security operations but doesn't bode well for software security. [News | 19 Jun 2012]
- Gary McGraw on cloud computing pros and cons for security
  Cloud computing can help improve SMB security operations but doesn't bode well for software security. [Opinion | 19 Jun 2012]
- PDF download: Information Security magazine June 2012
  In this issue, learn how organizations are overcoming challenges in sharing cyberthreat information. [Magazine]
- VIEW MORE ON: Secure SaaS: Cloud services and systems
- application whitelisting
  Application whitelisting is a computer administration practice used to prevent unauthorized programs from running. The purpose is primarily to protect computers and networks from harmful applications and, to a lesser extent, to prevent unnecessary demand for resources. [Definition]
- Microsoft issues rushed patch for ASP.NET encryption flaw
  Emergency patch repairs a vulnerability in the ASP.NET framework that causes faulty AES encryption implementations. [Article | 28 Sep 2010]
- Microsoft to address critical vulnerability in Office Web Components
  Microsoft will issue security updates for five critical vulnerabilities next week, including one that affects multiple software packages. [Article | 06 Aug 2009]
- Threat prevention techniques: Best practices for threat management
  A successful threat management program requires effective processes, layered technology and user education. [Feature]
- Readers' Choice Awards 2011
  Readers vote on the best vulnerability management products, including network vulnerability assessment scanners, vulnerability risk management, reporting, remediation and compliance, patch management and vulnerability management lifecycle products. [Guide]
- Black Hat 2011: Hacking technique targets Windows kernel errors
  Researcher Tarjei Mandt uncovered dozens of hidden vulnerabilities deep inside Microsoft Windows. [News | 26 Jul 2011]
- application blacklisting
  Application blacklisting, sometimes just referred to as blacklisting, is a network administration practice used to prevent the execution of undesirable programs. Such programs include not only those known to contain security threats or vulnerabilities but also those that are deemed inappropriate within a given organization. Blacklisting is the method used by most antivirus programs, intrusion prevention/detection systems and spam filters. [Definition]
- application whitelisting
  Application whitelisting is a computer administration practice used to prevent unauthorized programs from running. The purpose is primarily to protect computers and networks from harmful applications and, to a lesser extent, to prevent unnecessary demand for resources. [Definition]
- Inaugural AWS re:Invent show to highlight AWS security issues
  Amazon CEO Jeff Bezos will headline this week's first-ever AWS re:Invent cloud computing conference, where several sessions will cover security issues. [News | 28 Nov 2012]
- Trend Micro issues cloud, mobile security assessment tools
  Online assessment tests the security posture, but more detailed guidance documents and reports are available from government agencies and organizations. [News | 27 Nov 2012]
- Tackle virtualization compliance by balancing business, security needs
  Security and business cultures don't always mesh, but virtualization compliance requires balance between them. Eric Ogren explains in this tutorial. [Video]
- The cost of compliance: Data center server virtualization compliance
  Security expert Mike Chapple explores whether the cost of compliance outweighs the benefits afforded by enterprise data center server virtualization. [Tip]
- Crisis Trojan can infect VMware machines, Windows Mobile devices
  The AV giant says the Windows version of the Crisis Trojan may be the first malware that can spread to so many different platforms. [News | 22 Aug 2012]
- PDF download: Information Security magazine May 2012
  In this issue, security expert Lisa Phifer examines mobile device management technology. [Magazine]
- VMware strategy for security partners undergoes overhaul
  Virtualization giant revamps its security partner program after hitting some bumps in the road. [Magazine]
- Four VDI security concepts for every virtual desktop deployment
  Traditional IT security measures don't always apply well to virtual desktop infrastructures; apply these four VDI security concepts. [Tip]
- Revitalizing endpoint security with VDI desktops
  Implementing VDI desktops provides an opportunity to re-architect endpoint security and management. Learn how in this supercast with Eric Ogren. [Video]
- Effectively navigating the security risk assessment process
  This month's Information Security magazine cover story focuses on active strategies for malware resistance and compliance, data protection and incident response found in VDI approaches. Learn how you can implement three top strategies to ensure your active desktop security isn't compromised. [E-Zine]
- VIEW MORE ON: Virtualization Security Issues and Threats
- Quiz: Choosing a Web security gateway
  Check you're up to speed and ready to choose and deploy a Web security gateway. This five-question quiz will test you on the key points we've covered in the webcast, podcast and article in this Security School. [Quiz]
- SAP security overview: Server-side request forgery attack mitigation
  Expert Michael Cobb provides an SAP security overview, including steps enterprises can take to defend against server-side request forgery attacks. [Tip]
- Ten commandments for software security
  Software security expert Gary McGraw provides actionable guidance based on analysis of dozens of software security firms. [Opinion | 04 Oct 2012]
- Replace technical debt-laden Adobe Reader with alternative PDF readers
  Adobe Reader's technical debt may pose too great a security risk for some enterprises. Security expert Nick Lewis advises turning to alternative PDF readers. [Answer]
- Emergency Adobe update APSB12-19 addresses more Flash Player flaws
  Adobe has released updates for six critical vulnerabilities, following a patch just one week ago that addressed other critical flaws. [News | 22 Aug 2012]
- PDF download: Information Security magazine July/August 2012
  In this issue, learn pen testing best practices and how to build an internal pen testing team. [Magazine]
- Securing SharePoint: SharePoint security best practices
  SharePoint has become ubiquitous in the enterprise, but organizations can overlook security. Learn SharePoint security best practices in this article. [Feature]
- Three steps for securing SharePoint
  Restricting user permissions, server hardening and dedicated service accounts are critical. [Feature]
- Adobe Flash Player security update fixes flaws, issues Firefox shield
  Adobe repaired seven dangerous vulnerabilities in its latest Flash Player update and added sandboxing protection for Firefox and Mac users. [News | 08 Jun 2012]
- Steve Lipner on the Microsoft SDL, critical infrastructure protection
  Microsoft's senior director of security engineering says core SDL principles should be at the foundation of critical infrastructure system protection. [News | 16 May 2012]
- VIEW MORE ON: Securing Productivity Applications
- Implement software development security best practices to support WAFs
  WAFs aren't a panacea for all Web security woes. Software development security best practices are still vital. Expert Michael Cobb discusses why. [Answer]
- mobile security (wireless security)
  Mobile security is the protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing. Mobile security is also known as wireless security. [Definition]
- Enterprises at core of vendor software security testing, Veracode finds
  Less than one in five enterprises have requested code-level security tests from at least one vendor, but the volume of assessments is growing. [News | 13 Nov 2012]
- Gary McGraw: Proactive defense prudent alternative to cyberwarfare
  Software security expert Gary McGraw explains that the U.S. should build proactive defense capabilities rather than pour billions into cyberweapons. [News | 01 Nov 2012]
- Debating international cyberespionage, poor secure coding practices
  Corey Schou explains why cyberespionage and corporate intelligence are linked; also, why attackers aren't to blame for insecure coding practices. [Video]
- Web app design at the core of coding weaknesses, attacks, says expert
  When addressing Web application threats and vulnerabilities, security teams need to look out for design flaws, says Mike Shema of Qualys, Inc. [News | 16 Oct 2012]
- Ten commandments for software security
  Software security expert Gary McGraw provides actionable guidance based on analysis of dozens of software security firms. [Opinion | 04 Oct 2012]
- Replace technical debt-laden Adobe Reader with alternative PDF readers
  Adobe Reader's technical debt may pose too great a security risk for some enterprises. Security expert Nick Lewis advises turning to alternative PDF readers. [Answer]
- Firms failing at mobile application development security, study finds
  Security is failing to gain priority in the rush to build and test mobile applications, according to a study by Capgemini. [News | 19 Sep 2012]
- Little being done to prevent Web application threats, analysts say
  Vulnerabilities in HTML 5 make it an emerging threat; however, SQL injection and XSS remain among the top attacks. [News | 19 Sep 2012]
- VIEW MORE ON: Software Development Methodology
- Quiz: Choosing a Web security gateway
  Check you're up to speed and ready to choose and deploy a Web security gateway. This five-question quiz will test you on the key points we've covered in the webcast, podcast and article in this Security School. [Quiz]
- PDF download: Information Security magazine February 2012
  Read about new antimalware strategies and readers' 2012 priorities in this issue of Information Security magazine. [Magazine]
- Book chapter: Social media security policy best practices
  The following is an excerpt from chapter 6 of Gary Bahadur's book Securing the Clicks: Network Security in the Age of Social Media. [Chapter Excerpt]
- Web application attacks: Building hardened apps
  This Security School lesson details the myriad Web application attacks in circulation today, providing detailed explanations of SQL injection attacks, clickjacking, cross-site scripting and cross-site request forgery attacks and other Web-based attacks that lead right to sensitive information stored in a backend database. We'll also explain how to begin assessing your production Web apps for dangerous flaws and how to architect a software development process that can help you counter these threats in both QA and production. [Part of Guide Series]
- Internet Explorer 8 XSS filter: Setting the bar for cross-site scripting prevention
  The Internet Explorer 8 XSS filter can assist in cross-site scripting prevention. Michael Cobb explains how it works in this expert response. [Answer]
- XML firewall security guide: Prevent XML vulnerabilities and threats
  This section of the XML Web services tutorial highlights the functions and capabilities of the XML firewall, compares the features of an XML firewall with those of other firewalls, and offers advice on how to prevent XML vulnerabilities and stop XML attacks. [Learning Guide]
- Mitigating Web 2.0 threats
  As companies look to cut costs, Software as a Service has gained ground in the enterprise. Similarly, social networking sites like Facebook and LinkedIn are must-haves in today's workplace. David Sherry reviews how to secure these services and defend against a variety of Web 2.0 threats. [Part of Guide Series]
- Implement software development security best practices to support WAFs
  WAFs aren't a panacea for all Web security woes. Software development security best practices are still vital. Expert Michael Cobb discusses why. [Answer]
- Custom, targeted malware attacks demand new malware defense approach
  Widespread use of custom malware in targeted attacks requires better attack preparation and response, and a variety of new malcode defenses. [News | 16 Nov 2012]
- pfSense tutorial: Configure pfSense as an SMB-caliber firewall
  Video: Keith Barker of CBT Nuggets provides a brief pfSense tutorial. Learn how to configure pfSense, a free yet surprisingly capable firewall. [Screencast]
- Readers' Choice Awards 2012
  For the seventh consecutive year, Information Security readers voted to determine the best security products. More than 2,000 voters participated this year, rating products in 14 different categories. [Guide Series]
- Web application firewalls: Patching, SDLC key for security, compliance
  Mike Chapple on improving defense-in-depth security with Web application firewalls (WAFs) and a strong software development lifecycle (SDLC) process. [Tip]
- Do you need virtual firewalls? What to consider first
  With virtual firewalls, you can avoid routing traffic out of the virtual environment to pass through a physical firewall. But there are challenges to consider in going virtual. [Tip]
- Security School: Antimalware deployment concerns
  Does antimalware shield enterprises like it once did? Is it even necessary? What's next? Expert Diana Kelley offers a fresh take. [Lesson]
- How to test a firewall: A three-step guide for testing firewalls
  There are three steps when testing firewalls for your organization. Expert Joel Snyder explains how to test a firewall. [Tip]
- How application whitelisting can help prevent advanced malware attacks
  Advanced malware can be tricky, but application whitelisting on desktops can provide an additional layer of protection against malware attacks. [Tip]
- NGFW: Getting clarity on next-gen firewall features
  There's a lot of hype about next-generation firewalls. Here's what you need to know. [Magazine]
- VIEW MORE ON: Application Firewall Security
- Quiz: Choosing a Web security gateway
  Check you're up to speed and ready to choose and deploy a Web security gateway. This five-question quiz will test you on the key points we've covered in the webcast, podcast and article in this Security School. [Quiz]
- PDF download: Information Security magazine November 2012
  In this issue, find out who won this year's Security 7 Award. Also, we examine the pros and cons of the Metasploit penetration testing framework. [Feature]
- PDF download: Information Security magazine November 2012
  In this issue, find out who won this year's Security 7 Award. Also, we examine the pros and cons of the Metasploit penetration testing framework. [Magazine]
- Adobe investigates zero-day that bypasses Reader X sandbox
  The zero-day exploit was added to a custom version of the Black Hole attack toolkit, according to Russia-based security firm Group IB. [News | 09 Nov 2012]
- likebaiting
  Likebaiting is the practice of trying to compel Facebook users to click the Like button associated with a piece of content. The practice is similar to linkbaiting, in which content producers craft content with the intent of getting people to link to it. [Definition]
- SEO poisoning (search poisoning)
  Search poisoning, also known as search engine poisoning, is an attack involving malicious websites that are designed to show up prominently in search results. The sites associated with the links may infect visitors with malware or fraudulently access sensitive information to be used for identity theft. [Definition]
- Old Application Vulnerabilities, Misconfigurations Continue to Haunt
  Flaws in legacy applications and configuration blunders still plague organizations, experts say. [Feature]
- Research firm discovers new Java sandbox vulnerability
  A Java sandbox flaw could allow malicious code to run on any system running Java 5, 6 or 7. Users are advised to disable the Java browser plugin. [News | 26 Sep 2012]
- Little being done to prevent Web application threats, analysts say
  Vulnerabilities in HTML 5 make it an emerging threat; however, SQL injection and XSS remain among the top attacks. [News | 19 Sep 2012]
- Defend against the SQL injection tool Havij, other SQL injection tools
  Expert Nick Lewis discusses the dangers of the SQL injection tool Havij and provides tips to protect the enterprise against other SQL injection tools. [Answer]
- VIEW MORE ON: Application Attacks (Buffer Overflows, Cross-Site Scripting)
- SAP security overview: Server-side request forgery attack mitigation
  Expert Michael Cobb provides an SAP security overview, including steps enterprises can take to defend against server-side request forgery attacks. [Tip]
- Oracle security advisory addresses Black Hat database flaw disclosure
  A privilege escalation flaw, which prominent security researcher David Litchfield disclosed at Black Hat, can be exploited to gain system privileges. [News | 13 Aug 2012]
- Using the network to prevent an Oracle TNS Listener poison attack
  Expert Michael Cobb details the Oracle TNS Listener poison attack and tells how enterprises can use the network to defend vulnerable applications. [Tip]
- Black Hat 2012: David Litchfield slams Oracle database indexing
  At Black Hat 2012, longtime Oracle thorn David Litchfield presents working exploits targeting Oracle database indexing vulnerabilities. [News | 26 Jul 2012]
- Password database inventory required following LinkedIn breach
  Many organizations have acquired legacy applications over the years, storing password data and other information in clear text, according to one noted security expert. [News | 25 Jun 2012]
- Database security assessment vital to password protection, experts say
  Hashing and salting passwords help deter cybercriminals from cracking them, but the goal should be to keep attackers out of the database, say security experts. [News | 12 Jun 2012]
- Oracle security patches, InfoSec World 2012 controversy offer important lessons
  Editor Eric B. Parizo says controversies involving Oracle security patches and InfoSec World 2012 prove the importance of differing opinions. [Opinion]
- Analysis: Oracle trips on TNS zero-day workaround
  Oracle's refusal to patch a zero-day in its flagship database management system is another example of how it carelessly exposes customers to risk. [News | 02 May 2012]
- Oracle won't patch four-year-old zero-day in TNS listener
  Despite the accidental release of attack code for a bug in Oracle's database, the company won't change the code for fear of "regression." [News | 01 May 2012]
- Security event log management, analysis needs effective ways to search log files
  Search is a key discipline for security log management. John Burke explains how to better search log files to improve security event log management. [Tip]
- VIEW MORE ON: Database Security Management
- MoD plans secure email system based on TSCP specification
  The Ministry of Defence is hoping a new, secure email system will improve its supply chain communication, but rollout is proving slow. [Article | 17 Jan 2008]
- Zenmap tutorial: Mapping networks using Zenmap profiles
  Video: In this Zenmap tutorial screencast, Keith Barker of CBT Nuggets explains how to efficiently map networks graphically using Zenmap profiles. [Video]
- How to use Wireshark to detect and prevent ARP spoofing
  Video: Keith Barker of CBT Nuggets demonstrates how to use Wireshark, the popular open source packet analyzer, to prevent ARP spoofing attacks. [Screencast]
- Seven Outstanding Security Pros in 2012
  Find out who won this year's Security 7 Award, which honors outstanding security professionals in seven vertical markets. Also in this issue, we examine the pros and cons of the Metasploit penetration testing framework, and ways to overcome cloud compliance challenges. [E-Zine]
- pfSense tutorial: Configure pfSense as an SMB-caliber firewall
  Video: Keith Barker of CBT Nuggets provides a brief pfSense tutorial. Learn how to configure pfSense, a free yet surprisingly capable firewall. [Screencast]
- Social engineering penetration testing: Four effective techniques
  Social engineering penetration testing is now a must for enterprises. Learn about the four methods your pen tests should use. [Tip]
- Screencast: Burp Suite tutorial highlights Burp Proxy, other key tools
  In this screencast, Mike McLaughlin offers a short Burp Suite tutorial, including the key features of this powerful pen testing tool: Burp Proxy. [Video]
- Dangerous Samba vulnerability affects all Linux systems
  The commonly used tool contains an error that can be exploited remotely by attackers, giving them root access to a system. Proof-of-concept code is available, experts warn. [News | 11 Apr 2012]
- Screencast: ShareEnum eases network enumeration, network share permissions
  Mike McLaughlin shows how easy network enumeration can be with ShareEnum, including the ability to quickly secure network shares and display share permissions. [Screencast]
- Addressing HP netbook security with webOS discontinued
  A company contemplates the security implications of continuing an HP netbook rollout with webOS discontinued. [Answer]
- OpenStack security analysis: Pros and cons of open source cloud software
  Expert Michael Cobb examines the open source cloud computing platform OpenStack and relevant OpenStack security issues. [Answer]
- VIEW MORE ON: Open Source Security Tools and Applications
- likebaiting
  Likebaiting is the practice of trying to compel Facebook users to click the Like button associated with a piece of content. The practice is similar to linkbaiting, in which content producers craft content with the intent of getting people to link to it. [Definition]
- likejacking
  Likejacking is a variation on clickjacking in which malicious coding is associated with a Facebook Like button. The most common purposes of likejacking include identity theft and the dissemination of viruses, social spam and hoaxes. [Definition]
- How to reassess privacy settings in wake of Facebook cloaking issues
  Expert Nick Lewis discusses how Facebook cloaking exposed users' personal info and why it's important to control social media security settings. [Answer]
- Assessing Pinterest security and defending against Pinterest spamming
  Expert Nick Lewis discusses the state of Pinterest security and provides info on preventing Pinterest spamming and other social engineering attacks. [Answer]
- Social media legal issues: Advice for IT security pros
  Video: When a company or its employees use social media, the IT team should understand the legal terms and conditions of each social media site. [Video]
- UGNazi hacker group claims responsibility for Twitter outage
  Hacktivist group UGNazi says it caused multiple Twitter outages Thursday. Update: Twitter says a "cascading bug" was to blame. [News | 21 Jun 2012]
- LinkedIn investigating user account password breach
  More than 6 million passwords may have been stolen from the servers of social network LinkedIn and posted to a Russian hacking forum. [News | 06 Jun 2012]
- Book chapter: Social media security policy best practices
  The following is an excerpt from chapter 6 of Gary Bahadur's book Securing the Clicks: Network Security in the Age of Social Media. [Chapter Excerpt]
- Screencast: How to use WPScan to provide WordPress plug-in security
  Mike McLaughlin demonstrates WPScan and how simply the tool assesses the security of WordPress plug-ins and helps avoid related security vulnerabilities. [Video]
- Ramnit malware data out-of-date, social network says
  A Facebook spokesperson said the malware is not propagating on the social network. [News | 09 Jan 2012]
- VIEW MORE ON: Social media security