Results ordered by term relevance.

March 22, 2017 | Vendor and Partner Management
By Josh More, IANS Faculty

 Setting Requirements for Vendors Storing Sensitive Data

Vetting and managing vendors has become increasingly important for organizations in recent years, particularly for those that are storing, processing or transmitting sensitive data. In this Ask-an-Expert written response, IANS Faculty Josh More walks through a simplified approach to assessing, qualifying, classifying and verifying vendors to ensure they can be trusted to handle sensitive data. 

Read More »


February 27, 2017 | Vendor and Partner Management
By Josh More, IANS Faculty

 Managing Vendors With Disparate Frameworks

Vendor due diligence becomes even more challenging when there are a variety of information security frameworks in play. In this Ask-an-Expert written response, IANS Faculty Josh More details two approaches to the problem: a formalized mapping process using the COBIT framework and an ad-hoc approach designed to prioritize the specific risks facing the organization. 

Read More »


April 12, 2017 | Vulnerability Assessment and Management
By Josh More, IANS Faculty

 Managing the Vulnerability Exception Process

Vulnerability remediation can often seem like a three-way tug of war between operations, compliance and security. In this Ask-an-Expert written response, IANS Faculty Josh More details best practices for managing exceptions and keeping the whole process on track.

Read More »


April 14, 2017 | Enterprise and IT Compliance Management
By Josh More, IANS Faculty

 Addressing PCI’s ‘One Primary Function’ Requirement

While PCI DSS 3.2 requires that IT implement just one primary function per server, it isn't exactly clear about what compliance entails. In this Ask-an-Expert written response, IANS Faculty Josh More explains the requirement and offers strategies for defending common business practices.

Read More »


April 19, 2017 | Enterprise and IT Compliance Management
By Josh More, IANS Faculty

 Understanding the Australian Regulation’s ‘Two-Person Rule’ Requirement

The Australian Regulation's PPG 234 requires that extremely sensitive IT assets be subject to the "two-person rule," but it doesn't offer much guidance in terms of what it deems "extremely sensitive." In this Ask-an-Expert written response, IANS Faculty Josh More explains the rule and offers some practical   advice for complying with it efficiently. 

Read More »


December 9, 2016 | Risk Management
By Rich Guida, IANS Faculty

 Understanding the Relationship Between Physical and Logical Information Security

The relationship between physical security and cybersecurity can be more closely linked than some organizations might think. In this Ask-an-Expert written response, IANS Faculty Rich Guida details specific instances (i.e., insider threats) where the two types of security come together and offers insight into the practice of "incrementalism."

Read More »


November 28, 2016 | Embedded Systems and Internet of Things
By Chris Poulin, IANS Faculty

 Hidden Threats in Smart Buildings

In a quest to reduce energy consumption and make daily activities more convenient and pleasant for their occupants, smart buildings are becoming ever more interconnected, internet-connected and complex. In this report, IANS Faculty Chris Poulin details the latest advances in smart building technologies, the hidden threats they expose and key steps to take to ensure your smart building doesn’t become your latest threat vector.

Read More »


October 18, 2016 | Mainframe and Legacy Systems
By Philip Young, IANS Faculty

 Mainframes, APIs and the False Sense of Security

Mainframes usually hold companies’ most sensitive, mission-critical data. As more organizations decide to open up their mainframe “crown jewels” to participate in today’s mobile/cloud world, however, is mainframe security keeping up? In this report, IANS Faculty Philip Young details the riskiest areas of the mainframe and explains how best to secure them against today’s threats.

Read More »


October 6, 2016 | Regulations & Legislation
By Randy Sabett, IANS Faculty

 International Security, Privacy and Compliance Laws: Q3 2016 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q3 2016, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.

Read More »


October 4, 2016 | Data Breaches
By Mike Saurbaugh, IANS Faculty

 IANS Vulnerability and Breach Update: Q3 2016

A new vulnerability or breach seems to be discovered daily, but which should be taken more seriously and which are overhyped? In this report, IANS Faculty Mike Saurbaugh looks back over the major breaches and vulnerabilities of the past three months, explains them and provides real-world context and perspective.

Read More »


October 3, 2016 | Cloud Network and Host Controls
By Dave Shackleford, IANS Faculty

 IANS Cloud Security Update: Q3 2016

As more organizations move services and computing assets into cloud service provider environments, the need for adequate security controls grows as well. In this quarterly research report, IANS Faculty Dave Shackleford updates IANS’ clients on the new developments occurring in the cloud security arena.

Read More »


January 4, 2017 | Regulations & Legislation
By Daniel Maloof, IANS Managing Editor

 Trump and Security: What to Expect in the New Administration

We all know incoming U.S. President Donald Trump is focused on physical security and building the wall, but what about cybersecurity policy? In this report, a handful of IANS Faculty detail what they believe we should expect from the new Donald Trump administration in terms of digital privacy, consumer protections, the EU-U.S. Privacy Shield, the U.S. Cybersecurity Framework and more.

Read More »


January 6, 2017 | Cloud Application and Data Controls
By Dave Shackleford, IANS Faculty

 IANS Cloud Security Update: Q4 2016

As more organizations move services and computing assets into cloud service provider environments, the need for adequate security controls grows as well. In this quarterly research report, IANS Faculty Dave Shackleford updates IANS’ clients on the new developments occurring in the cloud security arena.

Read More »


January 12, 2017 | Malware and Advanced Threats
By Mike Saurbaugh, IANS Faculty

 IANS Vulnerability and Breach Update: Q4 2016

A new vulnerability or breach seems to be discovered daily, but which should be taken more seriously and which are overhyped? In this report, IANS Faculty Mike Saurbaugh looks back over the major breaches and vulnerabilities of the past three months, explains them and provides real-world context and perspective.

Read More »


January 5, 2017 | Malware and Advanced Threats
By Dave Shackleford, IANS Faculty

 Information Security Trends for 2017

2016 was a challenging year for infosec, with the proliferation of ransomware, IoT botnets and more. What new attacks will surface in 2017, and what hot technologies are on the horizon to fight them? In this webinar and corresponding report, IANS Lead Faculty Dave Shackleford reveals major trends in store for IT security professionals in the coming year.

Read More »


February 1, 2017 | Regulations & Legislation
By Debra Farber, IANS Faculty

 International Security, Privacy and Compliance Laws: Q4 2016 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q4 2016, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.

Read More »


March 9, 2017 | AppDev Frameworks
By Jason Gillam, IANS Faculty

 Deploying Containers Securely

Developers love containers because they are quick, simple to use and allow for easier scaling of hardware resources, but few pay much attention to the security issues they present. With containers in the mix, how can security organizations ensure their developers aren’t continually copying and pasting security issues across the environment? In this report, IANS Faculty Jason Gillam steps you through the worst of the pitfalls to ensure your organization rolls out more secure containerized solutions.

Read More »


April 3, 2017 | Malware and Advanced Threats
By Mike Saurbaugh, IANS Faculty

 IANS Vulnerability and Breach Update: Q1 2017

A new vulnerability or breach seems to be discovered daily, but which should be taken more seriously and which are overhyped? In this report, IANS Faculty Mike Saurbaugh looks back over the major breaches and vulnerabilities of the past three months, explains them and provides real-world context and perspective.

Read More »


April 5, 2017 | Risk Management
By Rich Guida, IANS Faculty

 Creating an Effective IDAM Governance Committee

Planning an optimal identity and access management (IDAM) strategy requires participation and buy-in from a variety of stakeholders, including HR, legal and more. In this Ask-an-Expert written response, IANS Faculty Rich Guida offers recommendations for creating the right membership, rules and processes for a strong IDAM governance committee.

Read More »


April 7, 2017 | Cloud Network and Host Controls
By Dave Shackleford, IANS Faculty

 IANS Cloud Security Update: Q1 2017

As more organizations move services and computing assets into cloud service provider environments, the need for adequate security controls grows as well. In this quarterly research report, IANS Faculty Dave Shackleford updates IANS’ clients on the new developments occurring in the cloud security arena.

Read More »


April 18, 2017 | Penetration Testing and Red Teaming
By Dave Kennedy, IANS Faculty

 Adversarial Simulations - Evolving Penetration Testing

Penetration testing has been given quite a few names over the past few years, including everything from “vulnerability scanning” all the way to “targeted and direct attacks” against organizations. This comes as attacker techniques themselves are shifting based on organizations adding more detection capabilities into their environments. In this webinar, IANS Faculty Dave Kennedy dives into some of the latest attack vectors and discusses why adversarial simulations are some of the most effective methods for building defenses within your organization. 

Read More »


November 22, 2016 | Embedded Systems and Internet of Things
By Chris Poulin, IANS Faculty

 Mirai Defense: Detecting IoT Devices on the Network

The recent Mirai botnet that took down DNS provider Dyn underscored the risks associated with unmanaged, unsecured Internet-of-Things (IoT) devices. In this Ask-an-Expert live interaction, IANS Faculty Chris Poulin explains how to discover/detect rogue IoT devices on the network and track them over time

Read More »


November 21, 2016 | Application Development and Testing
By Jason Gillam, IANS Faculty

 Secure Development Practices for Mobile Applications

Best practices around the secure development of mobile applications are still evolving because of the rapid evolution of the mobile platforms themselves. In this Ask-an-Expert written response, IANS Faculty Jason Gillam outlines the key differences between the secure development of mobile and web applications, and details standard accepted practices around encryption and authentication.

Read More »


November 14, 2016 | Data Classification
By Kevin Beaver, IANS Faculty

 Where, Exactly, Is Your Information?

Do you know where all of your critical data is located? Studies show that few information security pros do. In this report, IANS Faculty Kevin Beaver underscores the importance of data classification and offers tips to not only find exactly where sensitive information is located, but establish the right controls to ensure you always know where it is and that it’s secured effectively.

Read More »


November 10, 2016 | Converged Infrastructure
By Aaron Turner, IANS Faculty

 Bluetooth Security Risks: An Overview

When it comes to evaluating Bluetooth security risks, it's important to divide up the technology into different sections and examine the potential risks of each. In this Ask-an-Expert written response, IANS Faculty Aaron Turner evaluates Bluetooth security from the perspectives of physical-layer, protocol implementation and application-layer vulnerabilities.

Read More »


November 7, 2016 | Malware and Advanced Threats
By Adam Ely, IANS Faculty

 Protecting Against the Latest Wave of DDoS Attacks

Now that Internet-of-Things (IoT)-based DDoS attacks are in the news, is it time to rethink your DDoS strategy? In this Ask-an-Expert live interaction, IANS Faculty Adam Ely outlines key strategies to implement at the network, server and operations level to defend against all types of DDoS attacks, even this latest iteration.

Read More »


November 3, 2016 | Malware and Advanced Threats
By Michael Pinch, IANS Faculty

 Health Care Roundtable: Tackling Ransomware

Ransomware is a scourge across every vertical but it seems to have found a soft spot in health care. For this roundtable, IANS brought together a group of health care sector security executives to talk about the problems they face and the strategies they are using to get ahead of the ransomware issue.

Read More »


October 31, 2016 | Application Development and Testing
By Jason Gillam, IANS Faculty

 Application-Level DoS: Are You Ready?

Application-level DoS attacks can be difficult to detect, challenging to diagnose, and when effectively exploited, they can render your application completely inaccessible. In this report, IANS Faculty Jason Gillam explains how application-level DoS works and offers some key mitigation strategies. 

Read More »


October 27, 2016 | Insider Threats
By John Strand, IANS Faculty

 Going from Reactive to Proactive with Insider Threats

Honing your response to an insider threat is difficult enough, but building on the program to proactively identify and thwart potential malicious insiders is fraught with risk. In this Ask-an-Expert live interaction, IANS Faculty John Strand outlines the importance of partnering with HR, choosing the right tool set and funding the program adequately.

Read More »


October 20, 2016 | Encryption, Digital Signatures, Certificates, Tokenization
By Dave Shackleford, IANS Faculty

 Assessing Key Management Services Within AWS

There are a number of key management tools and services that organizations can use within the AWS cloud. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford breaks down some of the major players in the space, including Amazon's own key management service, HyTrust DataControl and Vault.

Read More »


October 20, 2016 | Cloud Network and Host Controls
By Dave Shackleford, IANS Faculty

 Securing Hybrid Clouds

Hybrid clouds offer organizations the ultimate in flexibility, enabling IT to keep sensitive workloads in-house while taking advantage of the efficiencies and scalability of public clouds for everything else. But how secure is the setup? In this report, IANS Faculty Dave Shackleford steps you through the challenges of securing hybrid clouds and provides advice to ensure workloads remain secure, no matter where they are run.

Read More »


October 13, 2016 | Networking and Network Devices
By Mike Saurbaugh, IANS Faculty

 What to Look for in a Secure Web Gateway

Secure web gateways provide a staple in network infrastructure and the market seems to suggest they will be around for the next few years. In this Ask-an-Expert written response, IANS Faculty Mike Saurbaugh explores the capabilities of modern proxy solutions and offers selection criteria to help evaluate various solutions.

Read More »


October 6, 2016 | Security Policies and Strategy
By Michael Pinch, IANS Faculty

 5 Ways to Improve Security While Cutting Costs

Attacks and malware continually evolve, forcing organizations to react by implementing an ever-expanding tool set. Unfortunately, few budgets expand in kind. In this report, IANS Faculty Michael Pinch details five key ways to immediately improve your organization’s security posture, without breaking the budget.

Read More »


October 1, 2016 | Risk Management
By Rich Guida, IANS Faculty

 Best Practices for Risk Registers

When it comes to building a risk register, there are a number of important steps organizations must take. In this Ask-an-Expert written response, IANS Faculty Rich Guida details the process of constructing a risk register and offers specific criteria for determining how accurate and successful it is.

Read More »


September 29, 2016 | Threat Intelligence and Modeling
By Aaron Turner, IANS Faculty

 Breaking Down Cyber Threat Trends in Mexico

For organizations that operate in Mexico and Latin America, it's important to keep tabs on the current cyberthreat trends taking hold in these countries. In this live Ask-an-Expert response, IANS Faculty Aaron Turner details the current threat landscape in Mexico and Latin America, from ATM attacks to state-sponsored cybercrime.

Read More »


September 29, 2016 | Cloud Application and Data Controls
By Dave Shackleford, IANS Faculty

 Detailing Security Controls For Office 365

When deploying Office 365, organizations need to take a number of steps to ensure they are implementing the proper security controls as well. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford explains the core security controls and settings that should be implemented, including configuring TLS encryption connectors for mail and enabling content searches for e-discovery.

Read More »


September 29, 2016 | Privileged Access Management
By Aaron Turner, IANS Faculty

 Using a Bastion Forest for Privileged Account Management in Microsoft AD Environments

In Microsoft Active Directory (AD) environments, a bastion forest can be used to both reliably manage privileged access and recover a compromised AD implementation. In this report, IANS Faculty Aaron Turner explains the theory behind the bastion forest and steps you through the process of setting one up. He also explains how some organizations may be able to use a bastion forest as a cost-effective alternative to pricier privileged access management (PAM) tools.

Read More »


September 21, 2016 | Insider Threats
By Bill Dean, IANS Faculty

 Insider Threats: Understanding the Risks

Insider threats can often pose a greater risk to an organization than external actors. In this Ask-an-Expert written response, IANS Faculty Bill Dean offers some key statistics regarding insider threats and provides a number of steps organizations can take to anticipate and prepare for the risks posed by insiders.

Read More »


September 20, 2016 | Security Awareness, Phishing, Social Engineering
By Chris Gonsalves, IANS Director of Technology Research

 Recognizing, Protecting Against Social Media Threats

These days, enterprises need to be very aware of the fact that once information gets posted to a social site, it can never again be considered private. In this Ask-an-Expert written response, IANS Director of Technology Research Chris Gonsalves breaks down some of the common types of social media-related attacks organizations could face and offers a number of tips and features designed to combat these attacks.

Read More »


September 12, 2016 | Risk Management
By Adam Ely, IANS Faculty

 IT Governance Everyone Can Live With

Building a quality, efficient, multi-entity governance, risk and compliance (GRC) structure that doesn’t slow business units and allows for consistent and effective risk mitigation is hard but achievable. In this report, IANS Faculty Adam Ely explains how to determine costs, handle staffing and empower stakeholders to create a GRC program that efficiently mitigates risk and garners support from line-of-business leaders.

Read More »


September 1, 2016 | Software Development Lifecycle (SDLC)
By Jason Gillam, IANS Faculty

 Ensuring a PCI-Compliant SDLC Review Process

Establishing a review process for PCI DSS compliance is something organizations should do in a strategic, ongoing fashion, rather than as a once-per-year activity. In this Ask-an-Expert written response, IANS Faculty Jason Gillam details the Building Security in Maturity Model (BSIMM) and demonstrates how organizations can consult this framework to build a continuous compliance review process within the software development lifecycle.

Read More »


August 26, 2016 | Cloud Application and Data Controls
By George Gerchow, IANS Faculty

 Securing Microsoft Office 365 and OneDrive for Mobile Access

Moving to Office 365 and other cloud applications presents both security and compliance challenges. In this Ask-an-Expert live interaction, IANS Faculty George Gerchow recommends using a CASB, together with Microsoft's own DLP and SharePoint data classification schemes to keep corporate data safe while easing access for mobile and cloud users.

Read More »


August 18, 2016 | Security Awareness, Phishing, Social Engineering
By Kevin Beaver, IANS Faculty

 CEO Spoofing: Don't Get Fooled!

Austrian aerospace firm FACC fired its CEO after losing nearly €50 million when fraudsters posing as the CEO forced the finance department to approve multimillion dollar payments. In this report, IANS Faculty Kevin Beaver explains how such scams work and offers tips to ensure your company doesn’t become the next victim.

Read More »


August 15, 2016 | Incident Response Planning
By Bill Dean, IANS Faculty

 Creating Effective Tabletop Exercises

Designed correctly, tabletop exercises can help you determine how well your people, processes and technologies are prepared for an incident – and improve that preparation over time. In this report, IANS Faculty Bill Dean steps you through the process of designing, planning and executing effective tabletop exercises. 

Read More »


August 9, 2016 | Security Analytics and Visualization
By Dave Shackleford, IANS Faculty

 User Behavior Analytics: A Tools Overview

Over the past few years, a number of organizations have begun to implement a user behavior analytics program in an effort to combat things like insider threats. In this live Ask-an-Expert interaction with the security team at a large financial services organization, IANS Faculty Dave Shackleford assesses the current landscape of user behavior analytics tools and offers tips and pitfalls to consider when implementing such a program.

Read More »


August 9, 2016 | Team Structure and Management
By Rich Guida, IANS Faculty

 Prioritizing Risk to Manage the Security Team’s Workload

When it comes to managing the workload of the security team (particularly if it only has a few members), prioritizing organizational risks is an important first step. In this Ask-an-Expert written response, IANS Faculty Rich Guida offers tips for developing a true risk register, compiling critical metrics and getting the various business units to own risks.

Read More »


August 2, 2016 | IT Asset Disposal (ITAD)
By Chris Poulin, IANS Faculty

 IT Asset Management Tools and Best Practices

IT asset management is an ongoing process that requires continual maintenance and dedicated resources. In this Ask-an-Expert written response, IANS Faculty Chris Poulin provides an overview of the tools required for building and tracking an inventory, and offers best practices for managing an organization's physical and virtual assets.

Read More »