Latest Blogs

May 23, 2017 | Incident Response Planning
By Ondrej Krehel, IANS Faculty

Negotiate an Effective Incident Response Retainer

The digital forensics and incident response (IR) market is a dynamic place with a growing number of vendors creating a wide variety of offerings and pricing models. In this report, IANS Faculty Ondrej Krehel details the three types of incident response retainers and offers key considerations for organizations deciding which would best suit their requirements and objectives.


May 22, 2017 | Incident Response Planning
By Marty Gomberg, IANS Faculty

Creating a Crisis Management Plan

Good planning is key to responding to and recovering from an incident quickly and effectively, but where do you start? In this written Ask-an-Expert response, IANS Faculty Marty Gomberg steps through the process of creating a comprehensive crisis management plan.


May 18, 2017 | Cloud Application and Data Controls
By Dave Shackleford, IANS Faculty

Security-as-Code: A Key to Cloud Security

Businesses are moving faster to the cloud and DevOps is accelerating scale and pushing automation. But how do we secure DevOps and cloud deployments? In this report, IANS Faculty Dave Shackleford explores the concept of security-as-code and details how security teams must fully assess their threats, collaborate with DevOps and automate scanning and configuration to ensure a secure migration to the cloud.


May 16, 2017 | Threat Detection and Hunt Teaming
By Marcus Ranum, IANS Faculty

Building a Low-Interaction Honeypot on Linux

A low-interaction honeypot is a great threat detection tool, but it can be difficult to create and configure. In this Ask-an-Expert written response, IANS Faculty Marcus Ranum steps through the process of building a Linux-based honeypot that emulates specific services, such as Telnet and SSH.
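The summary above describes a Linux honeypot that fakes services such as Telnet and SSH. The script below is an added example, not code from the IANS response or from Marcus Ranum: it opens a listener that sends an illustrative service banner, records whatever the client sends without interpreting it, and logs the probe. The banner strings, the ports and the key=value log layout are assumptions chosen for illustration.

```python
"""Added example: a minimal low-interaction honeypot (fake banner, log the probe)."""
import socket
import threading
import time
from datetime import datetime, timezone

# Illustrative banners (assumed); mimic what neighbouring hosts really advertise.
BANNERS = {
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    23: b"\r\nUbuntu 16.04.2 LTS\r\nlogin: ",
}


class LowInteractionHoneypot:
    """Accept a connection, send the banner, record what arrives, hang up.
    Nothing the client sends is interpreted; the log record is the product."""

    def __init__(self, banner, bind_addr="127.0.0.1", port=0,
                 read_timeout=1.0, max_bytes=2048):
        self.banner, self.bind_addr, self.port = banner, bind_addr, port
        self.read_timeout = read_timeout  # how long to wait for the probe
        self.max_bytes = max_bytes        # cap what a scanner can make us buffer
        self.events = []                  # in-memory log; ship to syslog/SIEM
        self._lock, self._stop = threading.Lock(), threading.Event()
        self._sock = self._thread = None

    def start(self):
        """Bind (port 0 = OS-chosen), serve on a background thread, return port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.bind_addr, self.port))
        self._sock.listen(16)
        self._sock.settimeout(0.2)        # so the accept loop notices stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr),
                             daemon=True).start()

    def _handle(self, conn, addr):
        captured = b""
        with conn:
            conn.settimeout(self.read_timeout)
            try:
                conn.sendall(self.banner)
                while len(captured) < self.max_bytes:
                    chunk = conn.recv(self.max_bytes - len(captured))
                    if not chunk:         # client hung up
                        break
                    captured += chunk
            except (socket.timeout, OSError):
                pass                      # a silent connect is still a probe
        event = {"ts": datetime.now(timezone.utc).isoformat(),
                 "src_ip": addr[0], "src_port": addr[1], "dst_port": self.port,
                 "payload": captured.decode("utf-8", "replace")}
        with self._lock:
            self.events.append(event)


def format_event(event):
    """One-line key=value record (assumed layout) for syslog/SIEM ingestion."""
    return ("honeypot ts={ts} src={src_ip}:{src_port} dst_port={dst_port} "
            "payload={payload!r}".format(**event))


def probe(port, payload, host="127.0.0.1"):
    """Act like a scanner: connect, read the banner, send a probe, hang up."""
    with socket.create_connection((host, port), timeout=3) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def wait_for_events(hp, count, timeout=5.0):
    """Block until the honeypot has logged `count` events or `timeout` passes."""
    deadline = time.monotonic() + timeout
    while True:
        with hp._lock:
            if len(hp.events) >= count or time.monotonic() >= deadline:
                return list(hp.events)
        time.sleep(0.02)


if __name__ == "__main__":
    # Unprivileged stand-in for port 22; bind the real port on a dedicated host.
    hp = LowInteractionHoneypot(BANNERS[22], "0.0.0.0", 2222)
    print("listening on port", hp.start())
    seen = 0
    while True:
        events = wait_for_events(hp, seen + 1, timeout=1.0)
        for ev in events[seen:]:
            print(format_event(ev))
        seen = len(events)
```

Because no legitimate user has a reason to connect, every logged event is worth an alert, and the captured payload (the scanner's SSH version string, an attempted Telnet login) is useful context for the analyst. Run it on a host that carries no real service on those ports, with root or CAP_NET_BIND_SERVICE if you want the genuine 22 and 23 rather than the 2222 stand-in above.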


May 15, 2017 | Data Classification
By Kevin Beaver, IANS Faculty

Sensible Approaches to Data Classification

Most organizations want to protect their sensitive electronic assets, yet effective data classification programs are all but nonexistent. You certainly can’t secure what you don’t properly acknowledge, and that’s a big reason why many security organizations struggle in this area. In this webinar, IANS Faculty Kevin Beaver details an approach to data classification that involves taking a few basic steps early on and periodically moving the program forward.


May 12, 2017 | Malware and Advanced Threats
By Joff Thyer, IANS Faculty

Blocking Adware to Reduce Risk and Improve Browser Performance

Adware is more than a nuisance; it's often a clever delivery mechanism for spyware and malware. How can organizations block it effectively without impacting the business? In this Ask-an-Expert written response, IANS Faculty Joff Thyer explains how adware works and recommends taking a multi-layered approach to mitigating the risk.


May 12, 2017 | Application Development and Testing
By Jason Gillam, IANS Faculty

Outsourcing Application Security Testing

Outsourcing dynamic application security testing (DAST), especially since it involves automated tools like AppScan and Burp, should be relatively straightforward. That is, until you consider the importance of the human element. In this Ask-an-Expert live interaction, IANS Faculty Jason Gillam suggests staff augmentation and developer training as more cost-effective and efficient ways to free up internal staff.


May 11, 2017 | Cloud Application and Data Controls
By Aaron Turner, IANS Faculty

Securing Cloud Assets Using Federated Identities

Whether you view the cloud as infrastructure-, platform- or application-as-a-service, identity is the only control that exists universally across all cloud environments. Unfortunately, identity lifecycle management for cloud-based systems is not as mature as we need it to be. In this report, IANS Faculty Aaron Turner details how to make wise investments in a federated identity strategy that can scale to even the most complex cloud technology models.


May 10, 2017 | Desktop Virtualization (VDI)
By James Tarala, IANS Faculty

Securing a Virtual Desktop Infrastructure (VDI) Environment

While securing a VDI environment is not very different from securing a distributed PC environment, it does require some extra thought to ensure optimal performance, incident response and access control. In this Ask-an-Expert live interaction, IANS Faculty James Tarala recommends strategies to ensure the deployment is both secure and successful.


May 10, 2017 | Authentication
By Aaron Turner, IANS Faculty

Implementing Contactless MFA across a PKI Environment

Implementing contactless multifactor authentication (MFA) across an entire organization is difficult enough, without the added stress of getting it operational by year end to meet the tight deadline of DFARS compliance. In this Ask-an-Expert written response, IANS Faculty Aaron Turner recommends taking a phased approach to ensure a seamless rollout.


May 8, 2017 | Endpoints
By Dave Kennedy, IANS Faculty

Weighing Traditional vs. Next-Gen Endpoint Protection

Traditional endpoint protection platforms (EPPs) like McAfee or Symantec tend to have rich feature sets, but are lagging in newer capabilities. Next-gen endpoint solutions, on the other hand, have cutting-edge features but don't offer a broad range of functionality. In this Ask-an-Expert live interaction, IANS Faculty Dave Kennedy compares the two spaces and offers recommendations for getting the best of both worlds.


May 4, 2017 | Enterprise and IT Compliance Management
By Josh More, IANS Faculty

Allocating the Right Resources for SOX Compliance

The optimal head count and cost structure for a Sarbanes-Oxley (SOX) compliance program varies widely depending on industry vertical, organization complexity, maturity and more. In this Ask-an-Expert written response, IANS Faculty Josh More details typical program requirements and offers recommendations for ensuring appropriate resources get allocated.


May 4, 2017 | Threat Intelligence and Modeling
By Adam Shostack, IANS Faculty

Threat Modeling in an Agile Environment

Threat modeling can be seen as a heavy, complex set of tasks that gets cast aside as we move at the speed of Agile, but in reality, it helps make the shift faster. In this report, IANS Faculty Adam Shostack explains why threat modeling is important, addresses concerns about fitting threat modeling practices into an Agile world and highlights some traps to avoid along the way.


May 3, 2017 | Enterprise and IT Compliance Management
By Dave Shackleford, IANS Faculty

Deploying the Right Controls for DFARS Compliance

The deadline for DFARS compliance is coming fast, but many organizations are finding the requirements vague and difficult to implement. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford explains how most companies are interpreting specific rules around cryptographic, cloud and session termination controls.


May 3, 2017 | Security Analytics and Visualization
By Stephen McHenry, IANS Faculty

Applying User and Entity Behavioral Analytics (UEBA) to Improve Security

As the market for user and entity behavioral analytics (UEBA) solutions continues to evolve, the need for these types of solutions will increase. At the same time, UEBA also poses challenges related to privacy, data security, policy and deployment/storage options. In this report, IANS Faculty Stephen McHenry examines the current state of the UEBA marketplace and offers some scenarios in which it could prove effective for organizations today and in the future.


May 2, 2017 | Team Structure and Management
By Mike Saurbaugh, IANS Faculty

Creating a Workable Security Ambassador Program

We all know the importance of getting the business actively involved in security, but what's the best way to go about it? In this Ask-an-Expert live interaction, IANS Faculty Mike Saurbaugh explains how to build a workable security ambassador program that can act as a force multiplier across the business.


April 28, 2017 | Penetration Testing and Red Teaming
By Kevin Johnson, IANS Faculty

Drafting a Pen-Testing Request for Quote (RFQ)

Contracting with third parties for penetration tests -- against both internal and externally facing resources -- is an important part of security. But what is the best way to craft a request for quote (RFQ)? In this Ask-an-Expert written response, IANS Faculty Kevin Johnson examines a sample draft RFQ and offers recommendations to ensure all the bases are covered.


April 26, 2017 | Privileged Access Management
By Aaron Turner, IANS Faculty

Choosing an IDAM Tool for the Future

Finding one tool to handle both identity and privileged identity management is difficult enough, but what about one that will also provide the right set of capabilities as identity needs evolve in the future? In this Ask-an-Expert written response, IANS Faculty Aaron Turner details how to evaluate current vendors to ensure they remain relevant today and tomorrow.


April 26, 2017 | Cloud Access Security Brokers
By Rich Mogull, IANS Faculty

Navigating an Increasingly Commoditized CASB Marketplace

Over the past few years, there has been a lot of consolidation in the cloud access security broker (CASB) market. In this live Ask-an-Expert interaction, IANS Faculty Rich Mogull offers an assessment of the current CASB marketplace and explains why the recent commoditization in the space means organizations should prioritize ease of integration when choosing a CASB.


April 25, 2017 | Enterprise and IT Compliance Management
By George Gerchow, IANS Faculty

Selecting a GRC Tool

GRC tools have been around for a number of years now, but the market landscape and solutions themselves have evolved quite a bit. In this Ask-an-Expert written response, IANS Faculty George Gerchow details the primary features of today's GRC tools and offers recommendations for setting KPIs and completing a PoC.


April 25, 2017 | Team Structure and Management
By David Kolb, IANS Faculty

Thriving When Policy and Business Priorities Clash

Corporate policy and business priorities live at two ends of a spectrum, and security professionals often find themselves at the collision point. In this report, IANS Faculty David Kolb and Chief Research Officer Stan Dolberg explore three types of intelligence (emotional, organizational and political) and offer tips for harnessing them to thrive in an environment where policies and priorities often clash.


April 19, 2017 | Enterprise and IT Compliance Management
By Josh More, IANS Faculty

Understanding the Australian Regulation’s ‘Two-Person Rule’ Requirement

Australia's PPG 234 regulation requires that extremely sensitive IT assets be subject to the "two-person rule," but it doesn't offer much guidance in terms of what it deems "extremely sensitive." In this Ask-an-Expert written response, IANS Faculty Josh More explains the rule and offers some practical advice for complying with it efficiently.


April 18, 2017 | Penetration Testing and Red Teaming
By Dave Kennedy, IANS Faculty

Adversarial Simulations - Evolving Penetration Testing

Penetration testing has been given quite a few names over the past few years, including everything from “vulnerability scanning” all the way to “targeted and direct attacks” against organizations. This comes as attacker techniques themselves are shifting based on organizations adding more detection capabilities into their environments. In this webinar, IANS Faculty Dave Kennedy dives into some of the latest attack vectors and discusses why adversarial simulations are some of the most effective methods for building defenses within your organization.


April 14, 2017 | Enterprise and IT Compliance Management
By Josh More, IANS Faculty

Addressing PCI’s ‘One Primary Function’ Requirement

While PCI DSS 3.2 requires that IT implement just one primary function per server, it isn't exactly clear about what compliance entails. In this Ask-an-Expert written response, IANS Faculty Josh More explains the requirement and offers strategies for defending common business practices.


April 12, 2017 | Vulnerability Assessment and Management
By Josh More, IANS Faculty

Managing the Vulnerability Exception Process

Vulnerability remediation can often seem like a three-way tug of war between operations, compliance and security. In this Ask-an-Expert written response, IANS Faculty Josh More details best practices for managing exceptions and keeping the whole process on track.


April 12, 2017 | Network Access Controls (NAC)
By Jennifer Minella, IANS Faculty

Deploying NAC for Both Wired and Wireless Networks

No two network access control (NAC) solutions are alike, and choosing the right implementation for a complex health care environment that spans both wired and wireless networks is difficult at best. In this Ask-an-Expert written response, IANS Faculty Jennifer Minella provides an overview of current NAC options along with some industry-specific recommendations.


April 7, 2017 | Cloud Network and Host Controls
By Dave Shackleford, IANS Faculty

IANS Cloud Security Update: Q1 2017

As more organizations move services and computing assets into cloud service provider environments, the need for adequate security controls grows as well. In this quarterly research report, IANS Faculty Dave Shackleford updates IANS’ clients on the new developments occurring in the cloud security arena.


April 7, 2017 | Password Management
By IANS Faculty

Poll: What Are the Best Password Strategies?

Password guidelines seem to change all the time. With new recommendations from NIST and vendors like Microsoft cropping up, how can enterprises determine the best approach? In this report, IANS Faculty Rich Guida, John Galda, Jason Gillam, Kevin Beaver, Marcus Ranum and Stephen McHenry offer their opinions and some rules of thumb for creating strong, enforceable password policies.


April 7, 2017 | Endpoints
By Dave Shackleford, IANS Faculty

Choosing the Right Endpoint Security Solution for a Virtualized Environment

When it comes to protecting endpoints in a virtualized environment, how important is antivirus (AV) at the hypervisor and host level? In this Ask-an-Expert written response, IANS Faculty Dave Shackleford provides an overview of the virtualization-ready endpoint security solution market and suggests focusing on next-generation capabilities vs. AV going forward.


April 5, 2017 | Wireless Networks
By Paul Asadoorian, IANS Faculty

Detecting Rogue Wireless Access Points

Rogue wireless access points (WAPs) are a known attack vector, but correctly detecting and identifying them amid the noise of different wireless networks and protocols can be difficult. In this Ask-an-Expert written response, IANS Faculty Paul Asadoorian steps through the process of detecting rogue WAPs, including those impersonating corporate SSIDs.
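The summary above covers detecting rogue access points, including ones that impersonate corporate SSIDs. The script below is an added example, not code from the IANS response or from Paul Asadoorian: it parses a scan in the layout of Linux's `iw dev <iface> scan` output and checks each network against an inventory of the BSSIDs that are allowed to advertise the corporate SSIDs, flagging a corporate SSID from an unknown BSSID, the same case when the network is open, and lookalike SSIDs. The sample scan text, the SSIDs and the inventory are constructed for illustration.

```python
"""Added example: flag rogue and impersonating access points in a Wi-Fi scan."""
import difflib
import re

# Constructed sample in the shape of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:01(on wlan0)
\tfreq: 2437
\tsignal: -48.00 dBm
\tSSID: CorpWiFi
\tRSN:\t * Version: 1
BSS 00:11:22:aa:bb:02(on wlan0)
\tfreq: 5180
\tsignal: -60.00 dBm
\tSSID: CorpWiFi
\tRSN:\t * Version: 1
BSS de:ad:be:ef:00:01(on wlan0)
\tfreq: 2462
\tsignal: -35.00 dBm
\tSSID: CorpWiFi
BSS de:ad:be:ef:00:02(on wlan0)
\tfreq: 2412
\tsignal: -70.00 dBm
\tSSID: CorpWiFi-Guest
\tRSN:\t * Version: 1
BSS c0:ff:ee:00:00:01(on wlan0)
\tfreq: 2437
\tsignal: -52.00 dBm
\tSSID: CorpWlFi
\tRSN:\t * Version: 1
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 2437
\tsignal: -55.00 dBm
\tSSID: NeighborNet
\tRSN:\t * Version: 1
"""

# Assumed inventory: corporate SSID -> BSSIDs the wireless team actually operates.
KNOWN_APS = {
    "CorpWiFi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "CorpWiFi-Guest": {"00:11:22:aa:bb:03"},
}

_BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")


def parse_iw_scan(text):
    """Return one dict per BSS: bssid, ssid, freq, signal, secured."""
    networks, cur = [], None
    for raw in text.splitlines():
        m = _BSS_RE.match(raw)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "freq": None,
                   "signal": None, "secured": False}
            networks.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("SSID:"):
            cur["ssid"] = line[len("SSID:"):].strip()
        elif line.startswith("freq:"):
            cur["freq"] = int(line.split()[1])
        elif line.startswith("signal:"):
            cur["signal"] = float(line.split()[1])
        elif line.startswith(("RSN:", "WPA:")):   # WPA2/WPA3 or WPA1 element present
            cur["secured"] = True
    return networks


def find_rogue_aps(networks, known_aps, lookalike_cutoff=0.8):
    """Compare a parsed scan against the inventory; return a list of findings."""
    findings = []
    for n in networks:
        ssid = n["ssid"]
        if ssid in known_aps:
            if n["bssid"] in known_aps[ssid]:
                continue                              # one of our own APs
            reason = "corporate SSID from unknown BSSID"
            if not n["secured"]:
                reason += "; open network, likely evil twin"
            findings.append({**n, "reason": reason})
            continue
        # Not a corporate name: is it close enough to one to be a typo-squat?
        near = difflib.get_close_matches(ssid, list(known_aps), n=1,
                                         cutoff=lookalike_cutoff)
        if near:
            findings.append({**n, "reason": f"lookalike of corporate SSID {near[0]!r}"})
    return findings


if __name__ == "__main__":
    for f in find_rogue_aps(parse_iw_scan(SAMPLE_SCAN), KNOWN_APS):
        print(f"{f['bssid']} ssid={f['ssid']!r} {f['signal']} dBm: {f['reason']}")
```

The SSID alone proves nothing, since an attacker clones the name, so the inventory is keyed on BSSID, and a corporate SSID that appears with no RSN/WPA element (open) is the strongest single signal of an evil twin. The lookalike cutoff needs tuning to the organization's own SSIDs so legitimate neighbours are not flagged. Replace the sample with real output from `iw dev wlan0 scan` (run as root) to use it against a live site.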


April 5, 2017 | Risk Management
By Rich Guida, IANS Faculty

Creating an Effective IDAM Governance Committee

Planning an optimal identity and access management (IDAM) strategy requires participation and buy-in from a variety of stakeholders, including HR, legal and more. In this Ask-an-Expert written response, IANS Faculty Rich Guida offers recommendations for creating the right membership, rules and processes for a strong IDAM governance committee.


April 3, 2017 | Malware and Advanced Threats
By Mike Saurbaugh, IANS Faculty

IANS Vulnerability and Breach Update: Q1 2017

A new vulnerability or breach seems to be discovered daily, but which should be taken more seriously and which are overhyped? In this report, IANS Faculty Mike Saurbaugh looks back over the major breaches and vulnerabilities of the past three months, explains them and provides real-world context and perspective.


March 31, 2017 | DevOps Organization and Strategy
By Michael Pinch, IANS Faculty

Making Threat Modeling an Integral Part of the Development Process

Threat modeling is a critical part of the mature software delivery process, especially in DevOps environments, but ensuring it's integrated effectively and seamlessly can be tricky. In this Ask-an-Expert written response, IANS Faculty Mike Pinch offers some tips for inserting threat modeling into the development process, along with some key tools to consider.


March 29, 2017 | Encryption, Digital Signatures, Certificates, Tokenization
By Aaron Turner, IANS Faculty

Choosing the Right MFA and PKI Solution for a Complex, High-Security Environment

Leveraging multi-factor authentication (MFA) and public key infrastructure (PKI) across a large organization with multiple domains and trust levels can get complicated fast. In this Ask-an-Expert written response, IANS Faculty Aaron Turner goes over all the options and offers advice for minimizing cost, effort, lifecycle management and security issues.


March 28, 2017 | Mobile Access and Device Management
By Aaron Turner, IANS Faculty

Geo-blocking Certain Mobile Device Functionality

Since high-capability mobile devices were first introduced, enterprises have wanted to deploy controls to limit the use of certain functions on these devices in sensitive locations. In this Ask-an-Expert written response, IANS Faculty Aaron Turner details the two major components of a comprehensive smartphone security control system and describes the process for implementing them.


March 27, 2017 | Certifications and Training
By David Kolb, IANS Faculty

Get What You Need: Hints and Tips for Negotiation

Information security professionals are involved in negotiations every day, whether it's working with software developers to adopt safe coding practices or selling employees on mobile device management. In this report, IANS Faculty David Kolb and Chief Research Officer Stan Dolberg detail the process of negotiation and persuasion within an organization and offer specific examples to help infosec professionals understand the dynamics at play and get to a result that's beneficial to all parties.


March 24, 2017 | Directory Services
By Rich Guida, IANS Faculty

Managing Terminated Active Directory Accounts

Managing AD accounts for terminated employees can become complex and confusing, especially as organizations evolve over time. In this Ask-an-Expert written response, IANS Faculty Rich Guida details best practices for managing terminated accounts to meet application, audit and regulatory requirements, and offers recommendations for easing the process.


March 22, 2017 | Vendor and Partner Management
By Josh More, IANS Faculty

Setting Requirements for Vendors Storing Sensitive Data

Vetting and managing vendors has become increasingly important for organizations in recent years, particularly for those that are storing, processing or transmitting sensitive data. In this Ask-an-Expert written response, IANS Faculty Josh More walks through a simplified approach to assessing, qualifying, classifying and verifying vendors to ensure they can be trusted to handle sensitive data.


March 22, 2017 | Mobile Access and Device Management
By Aaron Turner, IANS Faculty

Enterprise Mobility: Defining a Security Strategy

Enterprises today are on their third generation of mobile technologies, and each iteration has had its own unique challenges. In this Ask-an-Expert written response, IANS Faculty Aaron Turner details some of the highest-impact risks organizations face in the mobility space today and offers some maturity-specific approaches companies can take to combat these risks.


March 16, 2017 | Embedded Systems and Internet of Things
By Aaron Turner, IANS Faculty

Balancing Business Benefits with IoT Dangers

Some say IoT stands for Internet of Threats, but businesses and consumers are rushing headlong into the adoption of everything from wearables to smart buildings. In this report, IANS Faculty Aaron Turner examines the enterprise risks of IoT and explores defensive tactics to help build a short- and long-term strategy to effectively and securely employ IoT technology.


March 15, 2017 | Team Structure and Management
By Adam Ely, IANS Faculty

Revamping the Security Organization

Every enterprise is different, as is the makeup of just about every security team. Are there any best practices for creating the ideal security organization? In this Ask-an-Expert live interaction, IANS Faculty Adam Ely offers some strategies for reworking the security organization to gain better alignment, agility and effectiveness.


March 13, 2017 | Single Sign-on
By Aaron Turner, IANS Faculty

Assessing the Pros and Cons of IdentityServer

When evaluating single sign-on (SSO) solutions, it's important to examine a number of factors, including scalability, features, ease-of-use and cost. In this Ask-an-Expert written response, IANS Faculty Aaron Turner examines some of the pros and cons of IdentityServer as an SSO platform and compares it against other popular solutions such as ForgeRock and Active Directory Federation Services.


March 10, 2017 | Architecture, Configuration and Segmentation
By Marcus Ranum, IANS Faculty

Securing Your Network With Overlapping Controls

Many security practitioners complain about being flooded with alerts and vulnerabilities, because they don't get to design their systems so that the alerts are useful. Segmentation is one of many techniques these practitioners can use to manage alerts and reduce breach impact. In this webinar, IANS Faculty Marcus Ranum and Ron Dilley describe a model for administratively breaking your network apart into management "zones" that can be analyzed and secured separately.


March 9, 2017 | AppDev Frameworks
By Jason Gillam, IANS Faculty

Deploying Containers Securely

Developers love containers because they are quick, simple to use and allow for easier scaling of hardware resources, but few pay much attention to the security issues they present. With containers in the mix, how can security organizations ensure their developers aren’t continually copying and pasting security issues across the environment? In this report, IANS Faculty Jason Gillam steps you through the worst of the pitfalls to ensure your organization rolls out more secure containerized solutions.


March 8, 2017 | Directory Services
By Rich Guida, IANS Faculty

Detailing Requirements for an IDAM System

Establishing a set of questions and requirements is a critical step in the process of constructing an identity and access management (IDAM) system. In this Ask-an-Expert written response, IANS Faculty Rich Guida details the important questions security teams should be asking their prospective IDAM vendors, ranging from cryptography and authentication requirements to privilege management and separation of duties.


March 7, 2017 | Security Operations Centers (SOCs)
By Mike Rothman, IANS Faculty

Overcoming Resistance to SOC Data Collection

How can you run an effective security operations center (SOC) when operations won't provide you with the right data? In this Ask-an-Expert live interaction, IANS Faculty Mike Rothman outlines some potential reasons for operations' lack of cooperation and provides strategies for overcoming them.


March 2, 2017 | Malware and Advanced Threats
By Ken Van Wyk, IANS Faculty

Fake News: Fighting a Rampant Malware Delivery Mechanism

Due to its unprecedented success during the recent presidential election, fake news is increasingly being adopted by hackers as an elegant malware delivery mechanism, on par with spear-phishing email. In this report, IANS Faculty Ken Van Wyk details how fake news can be weaponized and offers some concrete steps to protect your company.


February 28, 2017 | Privacy
By Aaron Turner, IANS Faculty

Protecting Data Transferred From Canada

While Canadian regulators in the past typically followed U.S. precedent on data protection standards, the country has moved closer toward the EU model over the past few years. In this Ask-an-Expert written response, IANS Faculty Aaron Turner recommends companies handling Canadian citizen data follow the EU General Data Protection Regulation (GDPR) and offers some technical guidance for implementing the necessary controls.


February 27, 2017 | Vendor and Partner Management
By Josh More, IANS Faculty

Managing Vendors With Disparate Frameworks

Vendor due diligence becomes even more challenging when there are a variety of information security frameworks in play. In this Ask-an-Expert written response, IANS Faculty Josh More details two approaches to the problem: a formalized mapping process using the COBIT framework and an ad-hoc approach designed to prioritize the specific risks facing the organization.


February 24, 2017 | Vulnerability Assessment and Management
By Kevin Beaver, IANS Faculty

Assessing Vulnerability Scanning/Management Tools

When it comes to selecting a vulnerability scanning tool, it's often the level of service provided (and not technical capabilities) that separates the various solutions. In this Ask-an-Expert written response, IANS Faculty Kevin Beaver offers a breakdown of some of the key solutions in the space and details some important considerations for organizations in the process of choosing a vendor.


February 23, 2017 | Malware and Advanced Threats
By Kevin Beaver, IANS Faculty

Strategies for Thwarting State-Sponsored Hacks

State-sponsored attackers are, by definition, highly skilled and highly funded. How can we keep up? In this report, IANS Faculty Kevin Beaver details the challenges around state-sponsored hacking, including the threats, vulnerabilities and risks that must be addressed, starting today, if organizations are going to stay off their radar.


February 23, 2017 | Encryption, Digital Signatures, Certificates, Tokenization
By David Etue, IANS Faculty

Best Practices for Managing Keys

There is no one-size-fits-all approach to key management, and the solutions available today vary based on security and the types of keys they can manage. In this Ask-an-Expert written response, IANS Faculty David Etue assesses the current key management solution landscape and details some common pitfalls organizations face when it comes to storing and managing their keys.


February 16, 2017 | Cloud Access Security Brokers
By George Gerchow, IANS Faculty

Deciphering the Dynamic CASB Marketplace

The cloud access security broker (CASB) market continues to mature. In this report, IANS Faculty George Gerchow provides an update, detailing the relevant vendors, their latest capability sets and the various deployment models available. He also offers some guidance on choosing the right CASB for your needs and cloud maturity level, as well as trends to expect in the future.


February 15, 2017 | Virtual Private Networks
By Dave Shackleford, IANS Faculty

DirectAccess: Understanding the Pros and Cons

Microsoft's DirectAccess offers some clear operational and cost advantages for organizations, but it also brings with it some potential drawbacks from a security perspective. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford assesses these pros and cons and details some of the security considerations organizations need to take into account when deciding to implement DirectAccess.


February 9, 2017 | Incident Response Planning
By Ondrej Krehel, IANS Faculty

Getting the Most from Your Incident Response Engagement

The actions taken after an incident can either lead to improving your security posture and building trust with your customers – or not. In this report, IANS Faculty Ondrej Krehel details ways to ensure the findings uncovered during your incident response (IR) engagements are fully internalized and integrated into your processes and business continuity plans going forward.


February 8, 2017 | Single Sign-on
By Aaron Turner, IANS Faculty

Single Sign-On Platform Comparison

The identity and access management market is undergoing significant upheaval due to past under-investment in the space. In this Ask-an-Expert written response, IANS Faculty Aaron Turner offers a breakdown of the single sign-on (SSO) solution marketplace and provides recommendations for selecting a platform.


February 3, 2017 | Security Awareness, Phishing, Social Engineering
By Mike Saurbaugh, IANS Faculty

Helping Users Avoid Common Tax Scams

While some people anxiously await their tax refund, scammers are also waiting with bated breath for unsuspecting individuals to slip up and fall for one of their tactics. In this Ask-an-Expert written response, IANS Faculty Mike Saurbaugh reviews some of the most common tax scams and offers some tips and proactive defenses to avoid getting


February 1, 2017 | Authentication
By Michael Pinch, IANS Faculty

Authenticating Customers via Fingerprint Biometrics

A security team is considering using fingerprint-based biometrics to authenticate customers at its company's retail stores, but what are the pros/cons? In this Ask-an-Expert live interaction, IANS Faculty Mike Pinch details the current state of fingerprint biometrics and offers some advice for safe, cost-effective implementation.


February 1, 2017 | Regulations & Legislation
By Debra Farber, IANS Faculty

International Security, Privacy and Compliance Laws: Q4 2016 Update

Each quarter, IANS provides an update on the emerging international compliance laws and regulations that impact the information security community. For Q4 2016, we provide a short summary for each jurisdiction in which there was a change, followed by a more detailed description. An updated table of jurisdictions and changes can be accessed here.


January 27, 2017 | Team Structure and Management
By Stan Dolberg, IANS Faculty

Where CISOs Report: A Snapshot

While most CISOs report to IT leadership today, this is not the ideal reporting relationship for managing information-security risk. In this Ask-an-Expert written response, IANS Chief Research Officer Stan Dolberg reviews data from IANS CISO Impact research, which demonstrates that an experienced CISO is positioned for maximum influence when reporting into an organization's senior management.


January 26, 2017 | Threat Intelligence and Modeling
By Bill Dean, IANS Faculty

Pros and Cons of CISA’s Threat-Sharing Program

With the passage of CISA and with DHS’ Automated Indicator Sharing (AIS) program getting up and running, organizations interested in sharing threat intelligence can now consider automating the process. How can they ensure their automated feed is scrubbed of PII and won’t leave them open to liability or privacy concerns? In this report, IANS Faculty Bill Dean offers tips for sharing threat indicators both automatically and safely.


January 25, 2017 | Cloud Access Security Brokers
By George Gerchow, IANS Faculty

Security Considerations Before Going Cloud-First

The business decision to go cloud-first has many implications, not the least of which is security. What do information security teams need to do up-front to ensure critical business data remains safe in this new paradigm? In this Ask-an-Expert live interaction, IANS Faculty George Gerchow offers some key strategies, tools and processes to put in place to ensure success.


January 25, 2017 | Mobile Access and Device Management
By Aaron Turner, IANS Faculty

 Preventing Phishing on Mobile Devices

Phishing attacks happen on every platform, but few anti-phishing tools are available for mobile. In this Ask-an-Expert live interaction, IANS Faculty Aaron Turner suggests some network-based controls that can help reduce the risk and underscores the need for mobile-focused user awareness training.

Read More »


January 18, 2017 | Directory Services
By Jason Gillam, IANS Faculty

 Selecting an Access Management Solution

Access management within an organization can often be non-standardized, decentralized, mismanaged and unreliable. In this Ask-an-Expert written response, IANS Faculty Jason Gillam describes three potential solutions to this problem of access management and offers recommendations for when organizations should consider leveraging vendor solutions. 

Read More »


January 12, 2017 | Malware and Advanced Threats
By Mike Saurbaugh, IANS Faculty

 IANS Vulnerability and Breach Update: Q4 2016

A new vulnerability or breach seems to be discovered daily, but which should be taken more seriously and which are overhyped? In this report, IANS Faculty Mike Saurbaugh looks back over the major breaches and vulnerabilities of the past three months, explains them and provides real-world context and perspective.

Read More »


January 11, 2017 | Team Structure and Management
By David Kolb, IANS Faculty

 Managing Difficult Infosec Conversations

Information security professionals sign up for some daunting challenges. Building a toolkit of “soft skills” alongside technical expertise can make the difference in meeting those challenges. In this report, IANS Faculty David Kolb offers strategies for managing difficult conversations, from crafting a well-prepared message to handling the response in an effective manner. 

Read More »


January 10, 2017 | Security Awareness, Phishing, Social Engineering
By Mike Saurbaugh, IANS Faculty

 Moving From Security Awareness Toward Behavioral Change

There is no one-size-fits-all approach to security awareness, and the levels to your awareness program will vary based on department and the users' general knowledge of security. In this Ask-An-Expert written response, IANS Faculty Mike Saurbaugh details certain steps you can take to bring your program from basic awareness to actual behavioral change, and offers tips for measuring the success of your security awareness program. 

Read More »


January 6, 2017 | Cloud Application and Data Controls
By Dave Shackleford, IANS Faculty

 IANS Cloud Security Update: Q4 2016

As more organizations move services and computing assets into cloud service provider environments, the need for adequate security controls grows as well. In this quarterly research report, IANS Faculty Dave Shackleford updates IANS’ clients on the new developments occurring in the cloud security arena.

Read More »


January 6, 2017 | Team Structure and Management
By David Kolb, IANS Faculty

 Keeping CALM: Building the Business Relationships that Drive Infosec Success

CISOs and information security leaders are called upon to develop partnerships throughout their organizations in an effort to better align their objectives with those of the business. To do this, they need to understand how other leaders operate and determine how to best motivate them. In this webinar, professional development expert and IANS Faculty David C. Kolb, Ph.D. discussed his model for improving communication and facilitating leadership that drives effective partnerships, rather than simply transactional relationships.

Read More »


January 5, 2017 | Malware and Advanced Threats
By Dave Shackleford, IANS Faculty

 Information Security Trends for 2017

2016 was a challenging year for infosec, with the proliferation of ransomware, IoT botnets and more. What new attacks will surface in 2017, and what hot technologies are on the horizon to fight them? In this webinar and corresponding report, IANS Lead Faculty Dave Shackleford reveals major trends in store for IT security professionals in the coming year.

Read More »


January 4, 2017 | Regulations & Legislation
By Daniel Maloof, IANS Managing Editor

 Trump and Security: What to Expect in the New Administration

We all know incoming U.S. President Donald Trump is focused on physical security and building the wall, but what about cybersecurity policy? In this report, a handful of IANS Faculty detail what they believe we should expect from the new Donald Trump administration in terms of digital privacy, consumer protections, the EU-U.S. Privacy Shield, the U.S. Cybersecurity Framework and more.

Read More »


December 13, 2016 | Encryption, Digital Signatures, Certificates, Tokenization
By Davi Ottenheimer, IANS Faculty

 Detailing Technical Considerations For Implementing Tokenization Solutions

Although the concept of tokenization in IT can be easily explained, it can be complicated to architect and deploy these tokens for safe and reliable use. In this Ask-an-Expert written response, IANS Faculty Davi Ottenheimer offers a list of technical considerations to ease the process of selecting and implementing tokenization solutions.

Read More »


December 9, 2016 | Risk Management
By Rich Guida, IANS Faculty

 Understanding the Relationship Between Physical and Logical Information Security

The relationship between physical security and cybersecurity can be more closely linked than some organizations might think. In this Ask-an-Expert written response, IANS Faculty Rich Guida details specific instances (e.g., insider threats) where the two types of security come together and offers insight into the practice of "incrementalism."

Read More »


November 28, 2016 | Embedded Systems and Internet of Things
By Chris Poulin, IANS Faculty

 Hidden Threats in Smart Buildings

In a quest to reduce energy consumption and make daily activities more convenient and pleasant for their occupants, smart buildings are becoming ever more interconnected, internet-connected and complex. In this report, IANS Faculty Chris Poulin details the latest advances in smart building technologies, the hidden threats they expose and key steps to take to ensure your smart building doesn’t become your latest threat vector.

Read More »


November 22, 2016 | Embedded Systems and Internet of Things
By Chris Poulin, IANS Faculty

 Mirai Defense: Detecting IoT Devices on the Network

The recent Mirai botnet that took down DNS provider Dyn underscored the risks associated with unmanaged, unsecured Internet-of-Things (IoT) devices. In this Ask-an-Expert live interaction, IANS Faculty Chris Poulin explains how to discover and detect rogue IoT devices on the network and track them over time.

Read More »


November 21, 2016 | Application Development and Testing
By Jason Gillam, IANS Faculty

 Secure Development Practices for Mobile Applications

Best practices around the secure development of mobile applications are still evolving because of the rapid evolution of the mobile platforms themselves. In this Ask-an-Expert written response, IANS Faculty Jason Gillam outlines the key differences between the secure development of mobile and web applications, and details standard accepted practices around encryption and authentication.

Read More »


November 18, 2016 | Team Structure and Management
By Dave Shackleford, IANS Faculty

 Security Operations Maturity Chart

For security organizations, understanding where you stand from a maturity perspective can offer valuable insight into which processes and procedures need to be improved. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford charts benchmarks for certain aspects within information security, from event detection and incident management to metrics and data visualization.

Read More »


November 14, 2016 | Data Classification
By Kevin Beaver, IANS Faculty

 Where, Exactly, Is Your Information?

Do you know where all of your critical data is located? Studies show that few information security pros do. In this report, IANS Faculty Kevin Beaver underscores the importance of data classification and offers tips to not only find exactly where sensitive information is located, but establish the right controls to ensure you always know where it is and that it’s secured effectively.

Read More »


November 14, 2016 | Endpoints
By Dave Shackleford, IANS Faculty

 Endpoint Protection: Burn and Churn

Malware containment has devolved into an arms race, with a steady stream of solutions and rapidly evolving new problems, leaving IT security struggling to keep up and make sense of it all. In this webinar, IANS Faculty Dave Shackleford examines the new players and techniques in the space, and reviews some of the tried-and-true strategies, including whitelisting, sandboxing, segmentation and configuration management.

Read More »


November 10, 2016 | Converged Infrastructure
By Aaron Turner, IANS Faculty

 Bluetooth Security Risks: An Overview

When it comes to evaluating Bluetooth security risks, it's important to divide up the technology into different sections and examine the potential risks of each. In this Ask-an-Expert written response, IANS Faculty Aaron Turner evaluates Bluetooth security from the perspectives of physical-layer, protocol implementation and application-layer vulnerabilities.

Read More »


November 7, 2016 | Malware and Advanced Threats
By Adam Ely, IANS Faculty

 Protecting Against the Latest Wave of DDoS Attacks

Now that Internet-of-Things (IoT)-based DDoS attacks are in the news, is it time to rethink your DDoS strategy? In this Ask-an-Expert live interaction, IANS Faculty Adam Ely outlines key strategies to implement at the network, server and operations level to defend against all types of DDoS attacks, even this latest iteration.

Read More »


November 7, 2016 | Vendor and Partner Management
By Marty Gomberg, IANS Faculty

 Identifying Vendor Risk Red Flags

When it comes to evaluating vendors, there are a number of factors organizations need to keep in mind, from integration costs to uptime guarantees. In this Ask-an-Expert written response, IANS Faculty Martin Gomberg lays out some of the major red flags organizations should look out for when evaluating vendors, from the due diligence phase to the questionnaire process.

Read More »


November 3, 2016 | Vulnerability Assessment and Management
By Michael Pinch, IANS Faculty

 Vulnerability Patching Policy Best Practices

Patching and vulnerability management can be a highly variable process depending on a number of factors, but there are some basic best practices that organizations can adhere to. In this Ask-an-Expert written response, IANS Faculty Mike Pinch details these best practices for vulnerability scanning and management, including for servers, endpoints and at the application level.

Read More »


November 3, 2016 | Malware and Advanced Threats
By Michael Pinch, IANS Faculty

 Health Care Roundtable: Tackling Ransomware

Ransomware is a scourge across every vertical, but it seems to have found a soft spot in health care. For this roundtable, IANS brought together a group of health care sector security executives to talk about the problems they face and the strategies they are using to get ahead of the ransomware issue.

Read More »


November 2, 2016 | Risk Management
By Michael Pinch, IANS Faculty

 Breaking Down the Top 5 Security Risks Facing Health Care Organizations

The top priorities for health care organizations today are uptime and free access to data, which means companies in this space face a number of security challenges. In this Ask-an-Expert written response, IANS Faculty Mike Pinch details the major security risks the health care industry is dealing with today, from ransomware to the Internet of Things, and offers strategies for tackling these challenges.

Read More »


October 31, 2016 | Application Development and Testing
By Jason Gillam, IANS Faculty

 Application-Level DoS: Are You Ready?

Application-level DoS attacks can be difficult to detect, challenging to diagnose, and when effectively exploited, they can render your application completely inaccessible. In this report, IANS Faculty Jason Gillam explains how application-level DoS works and offers some key mitigation strategies. 

Read More »


October 27, 2016 | Insider Threats
By John Strand, IANS Faculty

 Going from Reactive to Proactive with Insider Threats

Honing your response to an insider threat is difficult enough, but building on the program to proactively identify and thwart potential malicious insiders is fraught with risk. In this Ask-an-Expert live interaction, IANS Faculty John Strand outlines the importance of partnering with HR, choosing the right tool set and funding the program adequately.

Read More »


October 20, 2016 | Encryption, Digital Signatures, Certificates, Tokenization
By Dave Shackleford, IANS Faculty

 Assessing Key Management Services Within AWS

There are a number of key management tools and services that organizations can use within the AWS cloud. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford breaks down some of the major players in the space, including Amazon's own AWS Key Management Service (KMS), HyTrust DataControl and Vault.

Read More »


October 20, 2016 | Cloud Network and Host Controls
By Dave Shackleford, IANS Faculty

 Securing Hybrid Clouds

Hybrid clouds offer organizations the ultimate in flexibility, enabling IT to keep sensitive workloads in-house while taking advantage of the efficiencies and scalability of public clouds for everything else. But how secure is the setup? In this report, IANS Faculty Dave Shackleford steps you through the challenges of securing hybrid clouds and provides advice to ensure workloads remain secure, no matter where they are run.

Read More »


October 18, 2016 | Mainframe and Legacy Systems
By Philip Young, IANS Faculty

 Mainframes, APIs and the False Sense of Security

Mainframes usually hold companies’ most sensitive, mission-critical data. As more organizations decide to open up their mainframe “crown jewels” to participate in today’s mobile/cloud world, however, is mainframe security keeping up? In this report, IANS Faculty Philip Young details the riskiest areas of the mainframe and explains how best to secure them against today’s threats.

Read More »


October 13, 2016 | Networking and Network Devices
By Mike Saurbaugh, IANS Faculty

 What to Look for in a Secure Web Gateway

Secure web gateways are a staple of network infrastructure, and the market suggests they will remain one for the next few years. In this Ask-an-Expert written response, IANS Faculty Mike Saurbaugh explores the capabilities of modern proxy solutions and offers selection criteria to help evaluate the various options.

Read More »


October 6, 2016 | Security Policies and Strategy
By Michael Pinch, IANS Faculty

 5 Ways to Improve Security While Cutting Costs

Attacks and malware continually evolve, forcing organizations to react by implementing an ever-expanding tool set. Unfortunately, few budgets expand in kind. In this report, IANS Faculty Michael Pinch details five key ways to immediately improve your organization’s security posture, without breaking the budget.

Read More »