White Papers

This section contains a few of our published White Papers. Click on the document image or title to download.

For our most recent publications, please check our News page.

Cloud Security: Understand the Risks Before You Make the Move

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In this Dark Reading Tech Center report, we explain the risks and guide you in setting appropriate cloud security policies, processes and controls. Plus: How to catch up when security is an afterthought to a cloud migration.

Compliance From the Inside Out: Auditors Look for Insider Threat Controls. Are Yours in Place?

When the auditors come, they’ll be looking at your internal controls as well as your external defenses. Will you be ready?

When you talk about security and compliance, you typically think about protecting the organization from external attackers who want to steal sensitive corporate information. But in many cases, the reason companies fare poorly with audits has nothing to do with those bad guys but, rather, with internal threats.

Small wonder insiders get less attention. These are, after all, people we trust (there’s a reason Dante put traitors at the lowest depths of hell). But the facts tell us we are at high risk from internal attack. Studies conducted jointly by CERT and the U.S. Secret Service show that about half of the responding companies had experienced at least one insider incident, and that about a third of all electronic crimes were committed by insiders.

In a Fix? Try a Vulnerability Remediation Life Cycle (VRLC)

There are plenty of ways to detect vulnerabilities. But assigning priorities and determining the best way to fix them is another matter. Which vulnerabilities need to be dealt with immediately, and which can wait? What should you do when a simple patch won’t suffice? How do you ensure that the problems won’t recur? In this Dark Reading Tech Center report, we explain how to implement a vulnerability remediation process that improves security for the long haul.

Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle

Enterprises understand the importance of securing web applications to protect critical corporate and customer data. What many don’t understand, however, is how to implement a robust process for integrating security and risk management throughout the web application software development lifecycle. Poorly implemented processes are, at best, ineffective for managing web application risk and, at worst, lead to data loss and unacceptable slowdowns in delivery times. Securing the web application lifecycle does not have to mean slowing it down. When web application delivery is implemented in a collaborative, repeatable, and process-oriented manner, companies can benefit from more efficient development models and more secure applications. By integrating security into the process from the very beginning, companies can short-circuit the expensive and time-consuming “gotchas” that otherwise surface at the end of the lifecycle. Additional efficiency can be realized by focusing attention on the most critical exposures and vulnerabilities, such as the SANS Top 25 (http://www.sans.org/top25errors/), and by leveraging automated tools and solutions that integrate seamlessly with existing development practices.

Addressing the Unstructured Data Protection Challenge

This document opens with an overview of the many facets of data-centric protection and explains how organizations can approach the problem strategically. It then concentrates on one key aspect of data-centric security, unstructured data, and details the selection criteria most companies should consider when choosing an enterprise solution for protecting it.

To Tell the Truth: Why Vendor Hype Benefits No One

A piece from 2003 about the root causes and unfortunate consequences of vendor hype. Many thanks to Carol Baroudi, founder of Baroudi Group, Inc. for kind permission to reprint this document here.

Software and technology vendors, especially those in the United States, have gotten into the habit of overselling the capabilities of their products in an effort to close deals. While this is an annoying practice for non-security-related products, it can be downright dangerous when it’s applied to the products that enterprises rely on to protect their assets. The issue is serious enough that the government has stepped in: on August 8, 2002, the FTC announced that Microsoft had settled charges that it had misrepresented the security and privacy protections of its Passport service.

Timothy Muris, FTC Chairman, said, “Privacy and security promises must be kept. It’s good business. It’s the law, and we’ll take action against companies that do not keep their promises.” Security vendors that overstate the abilities of their solutions can lead enterprises to install inferior systems that don’t work as advertised. And the use of inferior products can translate into security vulnerabilities and costly exploits and attacks. How bad can it get? To continue reading, please click here.

Register for the SecurityCurve Fraud Focus Paper at Guardian Analytics

Financial fraud is nothing new; enterprising attackers have been running schemes like the “Yazoo Land Fraud” for hundreds of years. Check kiting and socially engineered wire transfers are decades-old attacks that have frustrated banking customers and fraud examiners alike. Online and electronic banking services have brought significant efficiencies to customers and financial institutions, but they have also opened new exploit channels in the fraud pipeline.

While increasing phishing and malware attacks grab the headlines, financial fraudsters are also using hybrid attacks across multiple channels to obfuscate their trail and maximize their take. Silently performing reconnaissance in an online account is often the first step toward executing a more lucrative offline scam. In this Note, we take a brief look at how seemingly innocuous access to an online account could be contributing to the rise in offline fraud, and at how stopping unauthorized online access could reduce fraud across multiple channels.
