Welcome to SecurityDocs

A collection of 8,050 IT security white papers, carefully curated by professionals like yourself

Doing Multifactor Authentication the PCI Way

by David Mundhenk, Ben Rothke

In February 2017, the Payment Card Industry Security Standards Council (PCI SSC) issued an information supplement on multi-factor authentication. MFA is an access control method where access is only granted after a user is able to successfully present separate pieces of evidence to an authentication mechanism. These additional authentication criteria are often described as: Knowledge – something you know. This could be a password or a passphrase. Possession – something you have. This inclu...

Nov. 23, 2017 0 comments researchcenter.paloaltonetworks.com Management

What’s the difference between the terms “risk”, “threat”, “vulnerability” and “exploit”?

Vulnerability: Vulnerability is described as a defect or a flaw inside the asset that could be used to obtain unauthorized access to it. A successful compromise of a vulnerability may result in data manipulation, code execution, etc. Threat: A threat describes a potential danger to the machine system. It describes something that a company doesn’t …

Nov. 23, 2017 0 comments www.pentestingexperts.com Management

Is AI really the Future of Cyber Security

As we progressively get more dependent on technological innovation in our daily lives, we open ourselves up to cyber-attacks. Each device that we use today is vulnerable to cyber-attacks. Hackers are rapidly evolving to come up with new strategies and attacks to breach our systems, steal our information or sabotage it for ransom drives. Cybersecurity …

Nov. 23, 2017 0 comments www.pentestingexperts.com Management

Best Practices for Implementing an IT/Cybersecurity Policy

An essential part of a company’s cybersecurity program is the creation and implementation of a workplace security policy, a document that outlines all plans in place to protect physical and information technology (IT) assets; in fact, a policy includes a set of rules, instructions, and information for companies’ end users and guests aiming at ensuring …

Nov. 23, 2017 0 comments www.pentestingexperts.com Management

The Future of Information Security

1. Introduction: In this article, we look at the current trends in the field of information security and present speculations as to what the future of the field would be. It should be noted that unpredicted emergence of disrupting innovations may radically change the existing information security landscape. Nevertheless, we may reasonably expect that the …

Nov. 23, 2017 0 comments www.pentestingexperts.com Management

Cyber Defense Challenges from the Small and Medium-Sized Business Perspective

by Aric Asti

With 5.7 million SMBs in the United States, it is essential that the risks involving cybersecurity events are identified. Small and medium-sized businesses (SMBs) face different challenges than large enterprises in regard to cybersecurity. The goal of this project was to survey SMBs and reveal organizational barriers that impact the cybersecurity posture of SMBs. An online survey was administered with a final sample size of 22 SMBs. Significant results showed that the top challenges were...

Nov. 22, 2017 0 comments www.sans.org Management

An Introduction to Machine Learning

by Lisa Tagliaferri

In this tutorial, we’ll look into the common machine learning methods of supervised and unsupervised learning, and common algorithmic approaches in machine learning, including the k-nearest neighbor algorithm, decision tree learning, and deep learning. We’ll explore which programming languages are most used in machine learning, providing you with some of the positive and negative attributes of each. Additionally, we’ll discuss biases that are perpetuated by machine learning algorithms, and co...

Nov. 21, 2017 0 comments www.digitalocean.com Management

Predictions for 2018: Cyberthreats in the financial sector

Lots of businesses engage the services of third-party organizations for apps, databases, cloud computing, and much more. Seeing the benefits of software as a service, cybercriminals have rolled out similar models: Ransomware Trojans can be franchised or leased, for example, and DDoS attacks are available for order. Anyone with the cash and the desire can hire an army of bots, set up phishing websites, and lots more. Almost everything underpinning the financial cybercrime industry can be bough...

Nov. 19, 2017 0 comments www.kaspersky.com Management

Risk assessment: The first step in improving cyber security

by Michael Aminzade

PwC’s 2018 Information Security Survey, which surveyed more than 9,000 business and technology executives around the world, found that more than a quarter (28%) don’t know how many cyber-attacks they have suffered in total, and a third also don’t know how they occurred. While some security incidents are the result of high level attackers using advanced techniques to disguise their activity, the vast majority of cases are caused by common security failings and could be easily prevented with be...

Nov. 13, 2017 0 comments www.helpnetsecurity.com Management

The Internet, the Deep Web, and the Dark Web

by Daniel Miessler

The Dark Web (also called Darknet) is a subset of the Deep Web that is not only not indexed, but that also requires something special to be able to access it, e.g., specific proxying software or authentication to gain access. The Dark Web often sits on top of additional sub-networks, such as Tor, I2P, and Freenet, and is often associated with criminal activity of various degrees, including buying and selling drugs, pornography, gambling, etc. While the Dark Web is definitely used for nefa...

Nov. 12, 2017 0 comments danielmiessler.com Management

8 steps to take within 48 hours of a data breach

by Scott Matteson

"A data breach itself is the second worst possible event which can occur in an organization; the mismanagement of the communication about the response is the worst." This observation comes from Exabeam chief security strategist Steve Moore, who has tracked criminal and nation-state adversaries and led the largest healthcare breach response in history. Moore added that the time spent on a breach, including audit, regulatory and litigation support can last not months but years.

Nov. 8, 2017 0 comments www.techrepublic.com Management

How Security Awareness Can Protect The Tech Industry

by Tahshina Mohsin

Because human error has played a significant part in successful security breaches in the past, the best way to protect the company from costly mistakes is to offer security awareness training sessions to all the employees. These sessions can include classroom-style training, periodic emails, posters and charts, and dedicating a website solely to security awareness.

Nov. 8, 2017 0 comments resources.infosecinstitute.com Management

Determining the Role of the IT Security Engineer

by Brian Dutcher

What is your view of the role performed by an IA/Security Engineer? Is it focused on securing the network perimeter through the operations of the firewall, virtual private networks (VPNs), intrusion detection system/intrusion prevention system (IDS/IPS), network access control (NAC), data loss prevention (DLP) and enterprise anti-virus solutions? Is it the network specialist responsible for the secure design of the local area network (LAN), virtual LAN (VLAN), wide area network (WAN) and...

Oct. 27, 2017 0 comments 23 minute read Management

Securing IPv6

In 1995, the Internet Engineering Task Force (IETF) chose IPv6 as the successor to IPv4. Initially, this was not an issue that raised much interest. But this changed when Microsoft added IPv6 support to its Windows Vista and Windows Server platforms in 2007. Linux in all its variants and Apple’s Mac OS X followed suit; thus, the new protocol spread with each new installation. On all of these computers today, IPv6 is active by default, communicating in unsolicited dual-stack operations using I...

Oct. 8, 2017 1 comment ADMIN Magazine Management

Harden your OpenStack configuration

One of the biggest concerns about virtualization is that an attacker could succeed in breaking out of the virtual machine (VM) and thus gain access to the resources of the physical host. The security of virtual systems thus hinges on the ability to isolate resources of the various VMs on the same server. A simple thought experiment shows how important it is that the boundaries of VM and host are not blurred. Assume you have a server that hosts multiple VMs that all belong to the same customer...

Oct. 8, 2017 0 comments ADMIN Magazine Management

Block Intruders with GreenSQL

Databases are mission-critical for most companies. Many corporate database systems store information about customers and employees, not things you would want to see escape into the wild. Unfortunately, this happens all the time, and even to large companies, who have a large technical team and a sophisticated IT infrastructure. Small businesses with few employees are often more vulnerable because, in addition to the expensive computer pool, they also lack the necessary expertise. Small and med...

Oct. 8, 2017 0 comments ADMIN Magazine Management

Avoiding KVM configuration errors

Whether a virtualization environment comprises only a few hosts or a complex cloud landscape, the majority of admins today who plan to use Linux as the basis of their hypervisors favor KVM. All common Linux distributions already have the necessary software packages, which often facilitates the decision to use KVM, as well as the virtualization project itself. The architects of such a setup all too rarely pay attention to the security of their design. The widespread distribution of container t...

Oct. 8, 2017 0 comments ADMIN Magazine Management

Advanced Windows security using EMET

Using Microsoft's Enhanced Mitigation Experience Toolkit (EMET) [1], you can prevent attackers from exploiting security gaps in the software that you have installed on Windows computers. The security technologies used to limit damage cannot completely eliminate security risks, but instead, they meaningfully serve to complement other security measures. Such measures include installing the latest security updates using Windows Firewall with Advanced Security and using User Account Control (UAC...

Oct. 8, 2017 0 comments ADMIN Magazine Management

Acceptable Use Policy Template For Public WiFi Networks

by Dan Virgillito

Acceptable Use Policies (AUPs) are an essential component to all organizations, companies, and other establishments offering Internet or Intranet access. According to network security provider GFI, an Acceptable Use Policy should successfully define which network systems the policy covers; explicitly prohibit illicit behavior, distribution, and communications; establish privacy guidelines; and provide a clear description of the risks associated with noncompliance. Private Internet AUPs incl...

Oct. 8, 2017 0 comments INFOSEC Institute Management

Interview: David B. Coher

by InfoSec Resources

From helping to prevent a Y2K disaster as a Capitol Hill staffer to securing the Smart Grid with one of the Nation’s largest utilities, David B. Coher has over 15 years of experience in the technology policy arena. Throughout, David has sought to break otherwise complicated problems into simple, discrete issues that can be addressed and solved with less hand wringing and more action. Currently, David is the leader of SCE’s Reliability and Cybersecurity Department, which ensures that the syst...

Oct. 8, 2017 0 comments INFOSEC Institute Management

