Data security strategies and governance
In this guide to enterprise data security strategies and governance, get advice on how to protect your enterprise information with the right data classification and protection techniques and policies.
Top Stories
-
Tip
27 Oct 2021
5 IT security policy best practices
As businesses and technologies grow and evolve, it's important IT security policies do, too. Follow these five best practices to ensure policies are fresh and relevant. Continue Reading
By- Diana Kelley, SecurityCurve
-
Quiz
27 Oct 2021
Test your aptitude for secure data storage
Find out if your data storage security know-how is up to standards with a quiz. Test your knowledge of common errors, helpful terms and resources, and ensure your data is secure. Continue Reading
By- Erin Sullivan, Senior Site Editor
-
Answer
07 Nov 2018
How does site isolation defend against Spectre vulnerabilities?
Spectre exploits how processors manage performance-enhancing features. Expert Michael Cobb explains Google Chrome's initiative to use site isolation as a defense mechanism. Continue Reading
-
Opinion
25 Oct 2018
Quantum supremacy and the path to encryption chaos
Widespread use of quantum computing isn't as far into the future as some might think. When it arrives, this powerful computing technology could turn IT security upside down. Continue Reading
By- Nick Martin, Senior Director of Content Strategy and Member Engagement
-
News
05 Sep 2018
Five Eyes wants to weaken encryption, or legislation may be needed
Five Eyes -- the government intelligence alliance between Australia, Canada, New Zealand, the U.K. and the U.S. -- vows not to weaken encryption, while pushing for encryption backdoors. Continue Reading
By- Michael Heller, TechTarget
-
Answer
24 Aug 2018
What risks does the OpenFlow protocol vulnerability present?
Researchers found a vulnerability in OpenFlow that can cause problems. Learn how vendor-specific SDN controllers may cause these OpenFlow protocol vulnerabilities. Continue Reading
-
Tutorial
23 Aug 2018
PowerShell logging boosts security in the enterprise
Want to track any suspicious PowerShell activity across your network? Use these PowerShell logging techniques to curb potential threats that originate from scripts. Continue Reading
-
Feature
31 Jul 2018
Citrix's Peter Lefkowitz on impact of GDPR privacy requirements
New consumer privacy laws are changing the global privacy landscape. Citrix's Peter Lefkowitz explains how Citrix is approaching GDPR compliance and privacy issues in general. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
Tip
31 Jul 2018
Three steps to improve data fidelity in enterprises
Ensuring data fidelity has become crucial for enterprises. Expert Char Sample explains how to use dependency modeling to create boundaries and gather contextual data. Continue Reading
By- Char Sample, ICF International
-
News
26 Jul 2018
Ponemon: Mega breaches, data breach costs on the rise
The Ponemon Institute's '2018 Cost of a Data Breach Study' details a rise in data breaches with a look at mega breaches and why U.S. companies experience the greatest loss. Continue Reading
By- Casey Clark, TechTarget
-
Answer
26 Jul 2018
How does SirenJack put emergency warning systems at risk?
Bastille researchers created the SirenJack proof of concept to show how a vulnerability could put San Francisco's emergency warning system at risk. Judith Myerson explains how it works. Continue Reading
-
Tip
26 Jul 2018
How to identify and protect high-value data in the enterprise
Protecting data in the enterprise is a crucial but challenging task. Expert Charles Kao shares key steps and strategies to consider to identify and protect high-value data. Continue Reading
By- Charles Kao, Simply Auri
-
Feature
24 Jul 2018
Cisco's chief privacy officer on the future of data after GDPR
Michelle Dennedy, vice president and chief privacy officer at Cisco, discusses her company's approach to meeting the requirements of the EU's General Data Protection Regulation. Continue Reading
-
Opinion
01 Jun 2018
Q&A: Why data security controls are a hard problem to solve
Feeling less friendly after Facebook? "There is a great deal of power in being able to combine data-sources," says Jay Jacobs, security data scientist. Continue Reading
-
Tip
29 May 2018
Building an effective security program for beginners
Charles Kao explains why continuous learning, observation of merit and appreciation of others are key elements for an effective security program -- and for preventing cyberattacks. Continue Reading
By- Charles Kao, Simply Auri
-
Tip
17 May 2018
How security operations centers work to benefit enterprises
One key support system for enterprises is security operations centers. Expert Ernie Hayden reviews the basic SOC framework and the purposes they can serve. Continue Reading
By- Ernie Hayden, 443 Consulting LLC
-
Feature
16 May 2018
Illumio: Subtle data manipulation attacks pose serious threats
Illumio CTO P.J. Kirner discusses the threat of data manipulation and explains why subtle, hard to detect attacks could have devastating effects on enterprises. Continue Reading
By- Rob Wright, Senior News Director, Dark Reading
-
News
24 Apr 2018
Akamai touts network perimeter security shifts, zero-trust model
As network perimeter security grows less practical, Akamai talks at RSA Conference about moving beyond firewalls to improve authentication with a zero-trust model. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
News
17 Apr 2018
Fidelis rolls out new active deception approach to security
Active deception is set to be an important part of cloud defense, as Fidelis Cybersecurity adds active decoys to protect cloud assets in the enterprise. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
Tip
17 Apr 2018
What the security incident response process should look like
An enterprise needs to have a strong security incident response process plan mapped out early. Expert Ernie Hayden shares how to turn an incident into a learning experience. Continue Reading
By- Ernie Hayden, 443 Consulting LLC
-
E-Zine
09 Apr 2018
Security of big data fashions a whole new look with GDPR
As data managers scramble to protect their precious lakes of washed and unwashed data from the evils of hacking, malware, ransomware and botnets, there comes a privacy regulation of European Union origin that could change the way many U.S. companies protect their data from inside and outside forces. For some U.S. companies doing business in Europe and preparing for compliance, the EU's General Data Protection Regulation could be a well-intended enforcer of better data governance practices. But for businesses forced to change their old data protection habits, GDPR can be a four-letter word.
The April issue of Business Information opens with our editor's note and historical insights into the fundamental differences in attitude between the U.S. and Europe when it comes to protecting the data privacy of customers. As data breaches mount, however, the U.S. government -- willing or not -- may have to take steps beyond current regulations to ensure companies increase their security of big data.
Along those lines, our cover story examines some GDPR rules that can directly impact U.S. companies doing business overseas and, in the process, their data governance and ethics procedures. With the noted lack of maturity in data governance and security tools, we see in another feature how IT teams are addressing data security issues upfront in do-it-yourself ways when deploying big data systems.
Also in this issue, a GDPR compliance expert advises data managers on the best ways to prepare for a regulation that puts more control of information in the hands of users; the internet of things and edge computing could be compromising the security of big data; and surveys show that companies place data protection among the top reasons for escalating their security spending.
-
Feature
09 Apr 2018
GDPR requirements put focus on data ethics, governance
The General Data Protection Regulation makes privacy paramount and reinforces the practice of good data governance. Will a new focus on data ethics be an important side effect? Continue Reading
-
Opinion
09 Apr 2018
U.S. data protection laws fall short in the age of big data
Data breaches and a history of data abuse led the EU to adopt GDPR, but it might take massive scale data security crises for the U.S. to legislate similar data protection laws. Continue Reading
By- Bridget Botelho, Editorial Director, News
-
Tip
06 Apr 2018
Zero-trust model promises increased security, decreased risk
The zero-trust model takes focused and sustained effort, but promises to improve most companies' risk posture. Learn what it takes to get the most out of zero trust. Continue Reading
By- Johna Till Johnson, Nemertes Research
-
Tip
05 Apr 2018
Cloud-based email security tools barricade entry to Exchange
The pressure is on Exchange administrators to avoid a ransomware outbreak that cripples the on-premises email system. Cloud-based security tools can help blunt trending attacks. Continue Reading
By- Reda Chouffani, Biz Technology Solutions
-
Opinion
03 Apr 2018
Cost of data privacy breach may not be enough
While the European Union is taking major steps to protect residents' data privacy, little has happened in the United States, even after Equifax and Facebook. Continue Reading
-
News
30 Mar 2018
New Facebook privacy features and bug bounty aim to repair damage
News roundup: New Facebook privacy features and updates to the company's bug bounty program are being rolled out. Plus, Drupalgeddon 2.0 threatens over 1 million sites, and more. Continue Reading
By- Madelyn Bacon, TechTarget
-
Answer
29 Mar 2018
How are logic devices like WAGO PFC200 used by hackers?
The Department of Homeland Security warned of a vulnerability affecting WAGO PFC200 logic devices. Discover how this flaw enables threat actors with expert Judith Myerson. Continue Reading
-
News
22 Mar 2018
Watson's Law: IBM preaches data stewardship as A.I. advances
At IBM's Think conference, executives discussed the importance of protecting and managing data as artificial intelligence offerings like Watson grow and touch more information. Continue Reading
By- Rob Wright, Senior News Director, Dark Reading
-
Guide
20 Mar 2018
GDPR compliance requirements and how to best fulfill them
Learn the details of the European Union's new regulations for data security and what your company needs to do now to meet them and avoid expensive penalties. Continue Reading
-
Tip
08 Mar 2018
Entropy sources: How do NIST rules impact risk assessments?
NIST recently released new guidance on entropy sources used for random bit generation. Judith Myerson explains these recommendations and how they alter cryptography principles. Continue Reading
-
Tip
20 Feb 2018
Protecting safety instrumented systems from malware attacks
Trisis malware targets safety instrumented systems and puts industrial control systems at risk. Expert Ernie Hayden reviews what to know about SIS and its security measures. Continue Reading
By- Ernie Hayden, 443 Consulting LLC
-
Feature
01 Feb 2018
GDPR breach notification: Time to focus on the requirements
Some large U.S. companies have been working behind the scenes on GDPR requirements for more than a year, but there's strong evidence that many have not been as diligent. Continue Reading
By- Steve Zurier, ZFeatures
-
Opinion
01 Feb 2018
Data protection compliance costs less than noncompliance
Smaller companies -- with fewer than 5,000 employees -- in particular may be hit hard by GDPR requirements and other data compliance hurdles. A new report does the math. Continue Reading
-
Answer
19 Jan 2018
What do Dnsmasq vulnerabilities mean for Android users?
Researchers found several Dnsmasq vulnerabilities that affect Google's Android operating system. Matt Pascucci explains how these flaws can be exploited by threat actors. Continue Reading
-
Answer
17 Jan 2018
Confused deputy: How did the vulnerability affect Slack?
A major SAML vulnerability was found in Slack that granted expired login credentials permission into the system. Matt Pascucci explains how this 'confused deputy' problem was handled. Continue Reading
-
Podcast
11 Jan 2018
Business threat analytics: How does real-time data impact results?
Explore the top things you should know about real-time analytics with Johna Till Johnson and learn how it reduces false positives detected in your system on a daily basis. Continue Reading
By- Johna Till Johnson, Nemertes Research
-
Feature
21 Dec 2017
Get the best botnet protection with the right array of tools
Enterprise anti-botnet defenses, to be effective, must be added in multiple layers. No single security product will do the trick, but the right combo of tools can. Continue Reading
By- Mike Chapple, University of Notre Dame
-
Answer
12 Dec 2017
How can platform firmware be protected from attacks?
The NIST published guidance on building up platform firmware resiliency. Expert Judith Myerson looks at the NIST guidelines and the major takeaways for enterprises. Continue Reading
-
E-Zine
04 Oct 2017
What does a CISO do now? It's a changing, increasingly vital role
What does a CISO do in this day and age? The responsibilities of a chief information security officer, the senior executive responsible for an organization's information security program, are growing dramatically. Once relegated to the IT department -- if there was a designated corporate role at all -- the CISO is now often a member of the C-suite team, working alongside the CIO and others, formulating information security strategy and policy with an eye on both security and the business bottom line.
As the volume and sophistication of cyberattacks expand and corporate liability grows -- threatening profits and displeasing shareholders -- CISOs are now tasked with making tough decisions on how tools, systems and training are best used to manage risk. This quarterly supplement to Information Security magazine looks at the state of the CISO role -- how it's changed, where it's heading and what it takes to become an effective CISO in terms of cybersecurity skills, staff support and education.
-
Feature
15 Sep 2017
Symantec Data Loss Prevention: Product overview
Expert Bill Hayes checks out the Symantec Data Loss Prevention suite, featuring an architecture consisting of content-aware detection servers, endpoint agents and unified management. Continue Reading
-
Security School
12 Sep 2017
CISSP Domain 3: Security systems engineering
Planning to take the CISSP exam? Brush up on essential concepts and vocabulary in security systems engineering, covered in Domain 3, in this Security School. Continue Reading
-
Quiz
17 Aug 2017
CISSP Domain 2 quiz: Data security control, asset protection
Domain 2 of the CISSP exam, known as asset security, covers data security control, classification, ownership and more. Test your knowledge with this 10-question practice quiz. Continue Reading
-
Security School
17 Aug 2017
CISSP Domain 2: Asset security
This Security School will help prepare you for Domain 2 of the CISSP exam, providing overviews of data encryption methods, data ownership concepts and asset protection. Continue Reading
-
Tip
08 Aug 2017
Why data fidelity is crucial for enterprise cybersecurity
Cybersecurity teams can't be effective if they don't trust their data. Expert Char Sample explains the importance of data fidelity and the threat of cognitive hacking. Continue Reading
By- Char Sample, ICF International
-
Tip
03 Aug 2017
What you need to know about setting up a SOC
Setting up a SOC is different for every enterprise, but there are some fundamental steps with which to start. Expert Steven Weil outlines the basics for a security operations center. Continue Reading
By- Steven Weil, Point B
-
News
28 Jul 2017
Cyber-risk analysis, time are keys to infosec says game theory
Analyzing infosec through the lens of game theory shows that cyber-risk analysis and wasting attacker time may be highly effective cybersecurity strategies. Continue Reading
By- Michael Heller, TechTarget
-
Tip
11 Jul 2017
Tactics for security threat analysis tools and better protection
Threat analysis tools need to be in top form to counter a deluge of deadly security issues. Here are tips for getting the most from your analytics tool. Continue Reading
By- Karen Kent, Trusted Cyber Annex
-
Opinion
19 Jun 2017
How intelligence data leaks caused collateral damage for infosec
Alvaka Networks' Kevin McDonald looks at the real-world damage caused by data leaks at the CIA and NSA, which have put dangerous government cyberweapons in the hands of hackers. Continue Reading
By- Kevin McDonald, Alvaka Networks
-
Tip
15 Jun 2017
Information privacy and security requires a balancing act
Maintaining information privacy and security seem to be separate challenges, but in reality, each is integral to the other. Expert Kevin Beaver explains how to work toward both. Continue Reading
By- Kevin Beaver, Principle Logic, LLC
-
Podcast
02 Jun 2017
Risk & Repeat: GDPR compliance clock is ticking
In this week's Risk & Repeat podcast, SearchSecurity editors discuss GDPR compliance and how the EU law will affect enterprise data privacy and security across the globe. Continue Reading
By- Rob Wright, Senior News Director, Dark Reading
-
E-Zine
01 Jun 2017
Cloud access security brokers: Hard to tell what's real
Most cloud access security brokers offer CISOs a way to set policy and gain better understanding of multiple cloud services and data in use across the enterprise. As CASBs have gained momentum in recent years, use cases for them have expanded. Do these tools fill the gaps around visibility and control of software as a service and other cloud services?
Although cloud service visibility and data leak protection continue to be the biggest drivers, cloud access security brokers can do more than just help with your shadow IT problem and unsanctioned application activity in the cloud.
Organizations are increasingly looking to use cloud access security brokers to identify anomalies in data movement between on-premises and cloud apps as well as multiple cloud services. Malware identification and encryption of data have become important. More enterprises are also beginning to use CASBs or similar intermediary security technologies to provide some level of security policy management for custom identity-as-a-service platforms.
In this issue of Information Security magazine, we look at cloud access security brokers and the best ways to evaluate new models, such as infrastructure as a service and platform security.
-
Answer
29 May 2017
What MongoDB security issues are still unresolved?
There are some MongoDB security issues that have yet to be resolved. Expert Matthew Pascucci discusses the risks and how to protect your enterprise from them. Continue Reading
-
Podcast
25 May 2017
Using threat intelligence tools to prevent attacks on your enterprise
Using threat intelligence tools can help your enterprise stay one step ahead of attackers and possible threats. Learn how threat intelligence can be used in your company. Continue Reading
-
Feature
24 May 2017
Trustwave Data Loss Prevention: Product overview
Expert Bill Hayes examines Trustwave Data Loss Prevention and how the product addresses data at rest, endpoint data in use and network data in transit for enterprises. Continue Reading
-
Tip
19 May 2017
Cognitive hacking: Understanding the threat of bad data
Bad data can create more than just 'fake news.' Expert Char Sample explains how cognitive hacking and weaponized information can undermine enterprise security. Continue Reading
By- Char Sample, ICF International
-
Answer
05 May 2017
How effective is geofencing technology as a security method?
Geofencing technology is increasingly being used as a security tactic, such as to control access to servers with DNS settings. Expert Michael Cobb explains how it works. Continue Reading
-
Tip
04 May 2017
ISAOs: The benefits of sharing security information
ISAOs are a good way for organizations to share information about security threats. Expert Steven Weil explains what these organizations are and their attributes. Continue Reading
By- Steven Weil, Point B
-
News
14 Apr 2017
DARPA's SSITH program takes aim at hardware vulnerabilities
News roundup: DARPA's SSITH program tackles hardware vulnerabilities for better security. Plus, new risks placed in OWASP Top 10, SWIFT launches new anti-fraud tool, and more. Continue Reading
By- Madelyn Bacon, TechTarget
-
Feature
13 Mar 2017
RSA Data Loss Prevention Suite: Product overview
Expert Bill Hayes examines the RSA Data Loss Prevention Suite, which covers data in use, in transit and at rest for corporate networks, mobile devices and cloud services. Continue Reading
-
News
21 Feb 2017
Windows 10 privacy issues persist, says EU privacy watchdog
Windows 10 privacy issues remain as EU's top privacy watchdog group, the Article 29 Working Party, issues a second warning letter to Microsoft to simplify, clarify data collection. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
Feature
23 Nov 2016
Digital Guardian for Data Loss Prevention: Product overview
Expert Bill Hayes examines Digital Guardian for Data Loss Prevention and more of the vendor's DLP product lineup, which cover data in use, data in transit and data in the cloud. Continue Reading
-
Feature
16 Nov 2016
CA Technologies Data Protection: DLP product overview
Expert Bill Hayes examines CA Technologies Data Protection, a data loss prevention suite designed to protect data at rest, in transit and in use across enterprise devices, networks and cloud services. Continue Reading
-
Feature
25 Aug 2016
Blue Coat DLP: Data loss prevention product overview
Expert Bill Hayes takes a look at Blue Coat DLP, a single appliance data loss prevention system that works with the company's web security gateway products. Continue Reading
-
Feature
17 Aug 2016
WinMagic SecureDoc: Full-disk encryption product overview
Expert Karen Scarfone examines the features of WinMagic's SecureDoc, a full-disk encryption product for laptops, desktops, mobile devices and servers. Continue Reading
By- Karen Kent, Trusted Cyber Annex
-
Answer
10 Feb 2016
What privacy regulations should enterprises follow?
The U.S. government has been criticized for its lack of updated privacy regulations. Expert Mike Chapple advises enterprises that want to bolster their privacy policies. Continue Reading
By- Mike Chapple, University of Notre Dame
-
Answer
01 Oct 2015
How can power consumption-tracking malware be avoided?
Malware authors are using power consumption-tracking malware to eavesdrop on and attack mobile devices. Expert Nick Lewis explains the threat and how to defend against it. Continue Reading
-
Tip
10 Sep 2015
Improve corporate data protection with foresight, action
Better corporate data protection demands foresight and concrete action. Learn why breach training, monitoring and early detection capabilities can minimize damage when hackers attack. Continue Reading
By- David Sherry, Brown University
-
Feature
25 Jun 2015
How to keep track of sensitive data with a data flow map
Expert Bill Hayes describes how to create a data flow map to visualize where sensitive data is processed, how it transits the network and where it's stored. Continue Reading
-
News
24 Apr 2015
NIST wants help building the one ID proofing system to rule them all
The U.S. government wants to solve the weaknesses in online ID proofing systems, but it needs the help of enterprise and security professionals in order to overcome privacy concerns and other issues. Continue Reading
By- Michael Heller, TechTarget
-
Feature
10 Apr 2015
Check Point Full Disk Encryption product overview
Expert Karen Scarfone examines the features of Check Point Full Disk Encryption, an FDE product for securing client devices such as laptops and desktops. Continue Reading
By- Karen Kent, Trusted Cyber Annex
-
Feature
10 Apr 2015
The top full disk encryption products on the market today
Full disk encryption can be a key component of an enterprise's desktop and laptop security strategy. Here's a look at some of the top FDE products in the industry. Continue Reading
By- James Alan Miller, Senior Executive Editor
-
Tip
27 Jan 2015
A CISO's introduction to enterprise data governance strategy
Every enterprise must have a viable strategy for protecting high-value data. See if your plan aligns with Francoise Gilbert's advice on top priorities to consider when defining data governance plans. Continue Reading
By- Francoise Gilbert, Greenberg Traurig
-
Feature
23 Jan 2015
The importance of email encryption software in the enterprise
Expert Karen Scarfone explains how email encryption software protects messages and attachments from malfeasance. Continue Reading
By- Karen Kent, Trusted Cyber Annex
-
Tip
10 Nov 2014
Inside the four main elements of DLP tools
Security expert Rich Mogull outlines the four elements of a DLP tool: the central management server, network monitoring, storage and endpoint DLP. Continue Reading
By- Rich Mogull, Securosis
-
Definition
05 Nov 2012
enhanced driver's license (EDL)
An enhanced driver's license (EDL) is a government-issued permit that, in addition to the standard features of a driver's license, includes an RFID tag that allows officials to pull up the owner's biographical and biometric data. Continue Reading
-
Opinion
01 Nov 2012
Protecting Intellectual Property: Best Practices
Organizations need to implement best practices to protect their trade secrets from both internal and external threats. Continue Reading
By- Peter J. Toren
-
Answer
03 Nov 2009
How to protect employee information in email paystubs
Many companies are moving to a system of paperless paystubs. Learn how to protect the information contained in these email paystubs with the use of secure email in this expert response. Continue Reading
By- David Mortman, Dell
-
Answer
27 Mar 2008
Is Triple DES a more secure encryption scheme than DUKPT?
Both DES and TDES use a symmetric key, but Michael Cobb explains their separate and distinct roles in protecting financial transactions. Continue Reading
-
Answer
13 Mar 2008
How to secure an FTP connection
Network security expert Mike Chapple offers three tips that enable an FTP connection without opening up an enterprise to security risks. Continue Reading
By- Mike Chapple, University of Notre Dame
-
Answer
07 Nov 2007
What are the security risks of a corporate divestiture?
Security management expert Mike Rothman discusses the data protection issues involved with a corporate divestiture. Continue Reading
By- Mike Rothman, Securosis
-
Answer
01 Oct 2007
How should sensitive customer data, such as driver's license information, be handled?
In this Q&A, identity management and access control expert Joel Dubin discusses how to properly protect the personal data of a driver's license. Continue Reading
-
Answer
31 May 2007
What should be done with a RAID-5 array's failed drives?
Even one failed drive in a RAID-5 array can present an enterprise with serious data protection concerns. In this SearchSecurity.com Q&A, expert Michael Cobb explains which policies can protect and recover RAID-5 data. Continue Reading
-
Answer
30 May 2007
How secure are document scanners and other 'scan to email' appliances?
Copiers and document scanners have always posed challenges for information security teams. In this SearchSecurity.com Q&A, Michael Cobb reveals how the right policies can control the use (and abuse) of these devices. Continue Reading
-
Answer
24 May 2007
What are the alternatives to RC4 and symmetric cryptography systems?
In this SearchSecurity.com Q&A, network security expert Mike Chapple explains how RC4 encryption stacks up against public key cryptography. Continue Reading
By- Mike Chapple, University of Notre Dame
-
Answer
18 Apr 2007
How to verify 140-2 (FIPS 140-2) compliance
In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin discusses several ways to verify that Federal Information Processing Standard 140-2 is being enforced. Continue Reading