Get started
Bring yourself up to speed with our introductory content.
Two-Factor and Multifactor Authentication Strategies
mobile authentication
Mobile authentication is the verification of a user’s identity through the use of a mobile device and one or more authentication methods for secure access.
shared secret
A shared secret is data known only to the two entities involved in a communication, so that either party's possession of that data can be presented as proof of identity for authentication.
soft token
A soft token is a software-based security token that generates a single-use login PIN. Traditionally, a security token has been a hardware device that produces a new, secure and individual PIN for each use and displays it on a built-in LCD display.
out-of-band authentication
Out-of-band authentication is a type of two-factor authentication that requires a secondary verification method through a separate communication channel along with the typical ID and password. Out-of-band authentication is often used in financial ...
possession factor
The possession factor, in a security context, is a category of user authentication credentials based on items that the user has with them, typically a hardware device such as a security token or a mobile phone used in conjunction with a software ...
Definitions to Get Started
- security analytics
- NICE Framework (National Initiative for Cybersecurity Education Cybersecurity Workforce Framework)
- application blacklisting (application blocklisting)
- juice jacking
- hypervisor security
- claims-based identity
- Certified Cloud Security Professional (CCSP)
- password manager
four-factor authentication (4FA)
Four-factor authentication (4FA) is the use of four types of identity-confirming credentials, typically categorized as knowledge, possession, inherence and location factors.
COMSEC (communications security)
Communications security (COMSEC) is the prevention of unauthorized access to telecommunications traffic, or to any information that is transmitted or transferred.
Google Authenticator
Google Authenticator is a security application used to verify user identities before granting access to websites and services. The application uses a two-step verification process involving two-factor authentication to make it less likely that an ...
Duo Security
Duo Security is a vendor of cloud-based two-factor authentication products.
Understanding security flaws in IPv6 addressing schemes
Expert Fernando Gont explains why underlying characteristics of IPv6 address-generation schemes may enable nodes to be targeted in IPv6 address-scanning attacks.
The fundamentals of FDE: Full disk encryption in the enterprise
Expert Karen Scarfone examines full disk encryption, or FDE, tools and describes how the security technology protects data at rest on a laptop or desktop computer.
The three stages of the ISO 31000 risk management process
The ISO 31000 risk management process proposes three stages. Expert Mike Chapple reviews this alternative to the ISO 27001 framework.
SSL certificate (Secure Sockets Layer certificate)
A Secure Sockets Layer certificate, known commonly as an SSL certificate, is a small data file installed on a Web server that allows for a secure connection between a Web server and a Web browser.
CISSP cryptography training: Components, protocols and authentication
Spotlight article: Shon Harris outlines the main topics in the CISSP domain on cryptography -- background information, cryptography components, digital authentication, protocols and more.
CISSP online training: Inside the access control domain
Spotlight article: Shon Harris discusses the main topics covered in the CISSP domain on access control, including authorization, authentication, identity management and more.
total risk
Total risk is an assessment that identifies all of the risk factors, including potential internal and external threats and liabilities, associated with pursuing a specific plan or project or buying or selling an investment.
Introduction to Information Security: A Strategic-Based Approach
In this excerpt of Introduction to Information Security: A Strategic-Based Approach, authors Timothy J. Shimeall and Jonathan M. Spring discuss the importance of intrusion detection and prevention.
Security School: Distributed denial-of-service attack defense
Check you're up to speed and ready to protect your organization from the threat of denial-of-service attacks.
information assurance
Information assurance (IA) is the practice of protecting against and managing risk related to the use, storage and transmission of data and information systems.
Big data security analytics: Facebook's ThreatData framework
Expert Kevin Beaver explains how enterprises can take a page from Facebook's ThreatData framework security analytics to boost enterprise defense.
Cloud Controls Matrix
The Cloud Controls Matrix is a baseline set of security controls created by the Cloud Security Alliance to help enterprises assess the risk associated with a cloud computing provider.
antispoofing
Antispoofing is a technique for countering spoofing attacks on a computer network.
address space layout randomization (ASLR)
Address space layout randomization (ASLR) is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
Stop attackers hacking with Metasploit
Metasploit attacks may not be sexy, but they can stab through enterprise defenses. Learn how basic security controls can thwart Metasploit hacking.
cardholder data environment (CDE)
A cardholder data environment or CDE is a computer system or networked group of IT systems that processes, stores and/or transmits cardholder data or sensitive payment authentication data, as well as any component that directly connects to or ...
speculative risk
Speculative risk is a category of risk that can be taken on voluntarily and will either result in a profit or loss.
Essential Guide: Windows XP security after end of updates for XP
Learn about security implications of the April 2014 Windows XP end-of-life date and the end of XP security updates, plus planning an XP migration.
How to develop software the secure, Gary McGraw way
This compilation of content featuring software security expert Gary McGraw covers every aspect of secure software development, from training to coding to post-launch analysis.
Beat the security odds with a cloud risk equation
Contributor Peter Lindstrom takes on cloud security economics and offers up a simple risk equation to help security pros plan their cloud strategies.
RSA 2014: News, analysis and video from RSA Conference 2014
Find out what's happening in the infosec industry with breaking news via reporting, video and tweets by the SearchSecurity team at RSA's 2014 conference in San Francisco.
Essential Guide: Security Analytics
It's tough to get reliable security data. This Security School explains how to use security analytics to safeguard your network system's health.
BYOI (bring your own identity)
BYOI (bring your own identity) is an approach to digital authentication in which an end user's username and password are managed by a third party such as Facebook, Twitter, LinkedIn, Google+ or Amazon.
privacy impact assessment (PIA)
A privacy impact assessment (PIA) is an analysis of how an individual's or groups of individuals' personally identifiable information is collected, used, shared and maintained by an organization.
2013 Security 7 award winners revealed
Inside, uncover the winners of our Security 7 awards, which recognize outstanding information security professionals in seven sectors.
mandatory access control (MAC)
Mandatory access control (MAC) is a system-controlled policy restricting access to resource objects (such as data files, devices, systems, etc.) based on the level of authorization or clearance of the accessing entity, be it person, process, or ...
Use John the Ripper to test network devices against brute forcing
Enterprise IT security organizations should test network devices using John the Ripper to ensure they are not susceptible to brute-force attacks.
ISO 27002 (International Organization for Standardization 27002)
The ISO 27002 standard is a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management.
privileged identity management (PIM)
Privileged identity management (PIM) is the monitoring and protection of superuser accounts in an organization’s IT environments. Oversight is necessary so that the greater access abilities of super control accounts are not misused or abused. ...
PCI 3.0 special report: The state of payment card compliance
Get an in-depth analysis of PCI DSS 3.0, an illustrated history of PCI DSS and insights on the future of enterprise payment card compliance.
Virtualization security dynamics get old
Virtualization and cloud computing are more popular than ever, yet bolted-on security remains the norm. Chris Hoff explains what needs to change.
The history of the PCI DSS standard: A visual timeline
The origins of the PCI Data Security Standard date back to the late 1990s. Explore key events in the history of PCI DSS, from Y2K to PCI DSS 3.0.
The value of 2,048-bit encryption: Why encryption key length matters
Leading browsers are required to use 2,048-bit keys by the end of the year, but what effect does this have on security?
Security Readers' Choice Awards 2013
We tallied more than 1,000 readers' votes in 19 categories to come up with the winners of the Information Security Readers' Choice Awards 2013.
How to define SIEM strategy, management and success in the enterprise
Enterprise SIEM technology is as functional, manageable and affordable as it's ever been. Learn how to achieve success with SIEM in your organization.
Amazon S3 encryption overview: How to secure data in the Amazon cloud
Learn details for employing Amazon S3 encryption features. Expert Dave Shackleford compares S3 encryption to other cloud provider offerings.
Enterprise mobile device security 2012
SearchSecurity.com's editors surveyed nearly 500 enterprise security professionals on mobile device security in the enterprise.
Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.
Occupational Safety and Health Administration (OSHA)
The Occupational Safety and Health Administration (OSHA) is a federal organization (part of the Department of Labor) that ensures safe and healthy working conditions for Americans by enforcing standards and providing workplace safety training.
SOC 2 (Service Organization Control 2)
A Service Organization Control 2 (SOC 2) report covers various organizational controls related to security, availability, processing integrity, confidentiality or privacy.
Security School: Data breach prevention strategies
In this lesson, expert Nick Lewis establishes a baseline data breach prevention strategy every enterprise should have in place.
Technical Guide on SIM
Application security managers: learn four key steps to connect apps with SIMs to enable successful analysis, reporting and alerting.
RSA Conference 2012: Special Conference Coverage
Get news from RSA Conference 2012. Cloud computing, mobile threats and attack intelligence gathering are likely to be among this year's top themes.
RSA Conference 2012 to feature cloud computing, mobile threats
Get news from RSA Conference 2012. Cloud computing, mobile threats and attack intelligence gathering are likely to be among this year's top themes.
Security School: Network content monitoring must-haves
In this new lesson, expert Mike Chapple explores how to best prioritize and strategize for data protection investments to protect key content.
Common Weakness Enumeration (CWE)
Common Weakness Enumeration (CWE) is a universal online dictionary of weaknesses that have been found in computer software ...
BIOS rootkit attack
A BIOS-level rootkit attack, also known as a persistent BIOS attack, is an exploit in which the BIOS is flashed (updated) with malicious code. A BIOS rootkit is programming that enables remote administration.
BIOS rootkit
A BIOS-level rootkit is programming that exists in a system's memory hardware to enable remote administration. Because the rootkit lives in the computer’s BIOS (basic input/output system), it persists not only through attempts to reflash the BIOS ...
authentication, authorization, and accounting (AAA)
Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
wildcard certificate
A wildcard certificate is a digital certificate that is applied to a domain and all its subdomains.
user account provisioning
User account provisioning is a business process for creating and managing access to resources in an information technology (IT) system. To be effective, an account provisioning process should ensure that the creation of accounts and provisioning of ...
alternate data stream (ADS)
An alternate data stream (ADS) is a feature of Windows New Technology File System (NTFS) that contains metadata for locating a specific file by author or title.
FAQ: An introduction to the ISO 31000 risk management standard
Learn more about ISO 31000:2009, a new risk management standard: It's plainly written, short, process-oriented and relevant reading for anyone dealing with risk.
national identity card
A national identity card is a portable document, typically a plasticized card with digitally embedded information, that someone is required or encouraged to carry as a means of confirming their identity. Since the World Trade Center tragedy of ...
government Trojan
A government Trojan is spyware installed on a computer or network by a law enforcement agency for the purpose of capturing information relevant to a criminal investigation. Government Trojans represent a step in turning the tables on cybercriminals ...
Class C2
Class C2 is a security rating established by the U.S. National Computer Security Center (NCSC) and granted to products that pass Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC) tests.
honey monkey
A honey monkey is a virtual computer system that is programmed to lure, detect, identify and neutralize malicious activity on the Internet. The expression, coined by Microsoft, is based on the term honey pot, which refers to a computer system ...
LEAP (Lightweight Extensible Authentication Protocol)
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. LEAP is designed to provide more secure authentication for 802.11 ...
PEAP (Protected Extensible Authentication Protocol)
PEAP (Protected Extensible Authentication Protocol) is a version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local ...
anti-money laundering software (AML)
Anti-money laundering software is a type of computer program used by financial institutions to analyze customer data and detect suspicious transactions ...
Open Source Hardening Project
The Open Source Hardening Project is an initiative of the United States Department of Homeland Security, created to improve the security of open source code. Because the infrastructure of the Internet, financial institutions and many other critical ...
role mining
Role mining is the process of analyzing user-to-resource mapping data to determine or modify user permissions for role-based access control (RBAC) in an enterprise ...
logon (or login)
In general computer usage, logon is the procedure used to get access to an operating system or application, usually on a remote computer.
signature file
A signature file is a short text file you create for use as a standard appendage at the end of your e-mail notes or Usenet messages.