Keyword Index

IS Security

Books & CD-ROMs

- Emerging Topics and Technologies in Information Systems - by Miltiadis D. Lytras and Patricia Ordonez de Pablos, editors. 2009, 350 pages.
- Social and Human Elements of Information Security: Emerging Trends and Countermeasures - edited by Manish Gupta and Raj Sharman. 2009, 412 pages.
- Service Oriented Architecture Field Guide for Executives - by Kyle Gabhart and Bibhas Bhattacharya. 2008, 228 pages.
- Global Perspectives in Information Security: Legal, Social, and International Issues - by Hossein Bidgoli. 2008, 896 pages.
- COBIT Mapping: Mapping NIST SP800-53 Rev 1 With COBIT4.1 - by IT Governance Institute. 2007, 57 pages. (e-book)
- How to Measure Anything: Finding the Value of Intangibles in Business - by Douglas W. Hubbard. 2007, 304 pages.
- Service Oriented Architecture: A Planning and Implementation Guide for Business and Technology - by Eric A. Marks and Michael Bell. 2006, 384 pages.
- Network Security Fundamentals - by Eric Cole, Ronald L. Krutz, James Conley, Brian Reisman, Mitch Ruebush and Dieter Gollmann. 2007, 560 pages.
- Corporate Fraud Handbook: Prevention and Detection, 2nd Edition - by Joseph T. Wells. 2007, 456 pages.
- Stepping Through the InfoSec Program - by Jennifer Bayuk. 2007, 238 pages.
- Disaster Recovery Directory, 15th Edition - 2006, 400 pages.
- Information Security Architecture: An Integrated Approach to Security in the Organization, 2nd Edition - by Jan Killmeyer Tudor. 2005, 416 pages.

Articles, Papers & Web Resources

- v6 2009, Managing Sarbanes-Oxley Section 404 Compliance in ERP Systems Using Information Security Control Reports (JOnline) Abhik Chaudhuri, MCA, PMP, Dipanwita Chaudhuri, ACA (ICAI), MIIA and Robert E. Davis, CISA, CICA

- v6 2009, Application Security Controls: An Audit Perspective (JOnline) Alagammai Adaikkappan, CISA, CISM

- v6 2009, Seguridad Lógica y Seguridad Física: Dos Mundos Convergentes (JOnline) Jeimy J. Cano, Ph.D., CFE

- v6 2009, Book Review: Healthcare Fraud: Auditing and Detection Guide (JOnline) Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v6 2009, The Rising Impact of Virtual Machine Hypervisor Technology on Digital Forensics Investigations Patty Bates, CISM, CSSLP, MCSE

- v6 2009, Security and Privacy Trade-offs in RFID Use S. Srinivasan

- v6 2009, How Has Sarbanes-Oxley Compliance Affected Information Security? Janine L. Spears, Ph.D.

- v6 2009, How to Preserve Security and Autonomy While Meeting Information-sharing Directives Scott Schumacher, Ph.D.

- v6 2009, Data Plumbing? Steven J. Ross, CISA, CBCP, CISSP, MBCP

- v6 2009, Connections Galore! Sekar Sethuraman, CISA, CISM, CGEIT, CIA, CSQA, PMP

- ISACA Warns Increase in Web Site Characters Could Lead to More Phishing Attacks According to ISACA, a global association of 86,000 IT governance professionals, it is critical to type a web site’s IP address directly into the browser, rather than click on links in e-mails and social networking sites.

- v5 2009, Information Security Program: Establishing It the Right Way for Continued Success (JOnline) Sekar Sethuraman, CISA, CISM, CGEIT, CIA, CISP, PMP, CSQA, CVA and Alagammai Adaikkappan, CISA, CISM, ACA, LCS

- v5 2009, Help Source Q&A Gan Subramaniam, CISA, CISM, CIA, CISSP, SSCP, CCNA, CCSA, ISO 27001 LA

- v5 2009, IS Audit and Security Professionals: An Emerging Role in a Changing World Order Sujata Kanhere, CGEIT, MBBS, DCH, DNB, and Vishnu Kanhere, Ph.D., CISA, CISM, CGEIT, CFE, FCA

- v5 2009, Five Questions With… Vishal Gupta

- v5 2009, The IT Security Professional: Bright Spot in a Dreary Economy David Foote

- v5 2009, Who Is Melissa Chernobyl and Why Is She Doing These Terrible Things? Steven J. Ross, CISA, and Emily L. Quah

- v4 2009, Mitigating IT Vulnerabilities Provides Continual Fraud Prevention (JOnline) Alyssa G. Martin, CPA

- v4 2009, Fraud or Error (JOnline) Fidel Santiago, CISA

- No Easy Answers for Complying With Data Protection Regulations By now, most compliance professionals are at least aware of the most comprehensive data protection regulation in the U.S. Given that the Jan. 1 deadline for compliance with the Massachusetts data protection act (201 CMR 17.00) is fast approaching, organizations are actively seeking out information and guidance on what standards they must implement.

- v4 2009, COBIT Security Baseline Applied to Business Web Applications Colin Watson, CISA, CITP, CISSP

- v4 2009, Mitigating Risky Employee Behavior During an Economic Downturn Elizabeth Charnock

- v4 2009, The OCTAVE® Approach to Information Security Risk Assessment Parthajit Panda, CISA, CISM, CISSP, PMP

- v4 2009, Book Review: Implementing the ISO/IEC 27001—Information Security Management System Standard Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v4 2009, Fraude o Error Fidel Santiago, CISA

- v4 2009, Let’s Go, Vets Steven J. Ross, CISA, CBCP, CISSP

- v3 2009, How to Achieve 27001 Certification – An Example of Applied Compliance Management (JOnline) Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v3 2009, Help Source Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v3 2009, IT Risk Exploration: The IT Risk Management Taxonomy and Evolution Steve Schlarman, CISM, CISSP

- v3 2009, Book Review: Cyber Forensics: A Field Manual for Collecting, Examining and Preserving Evidence of Computer Crime, 2nd Edition A. Rafeq, CISA, CGEIT, CIA, CCSA, FCA

- v3 2009, Five Questions With… MacDonnell Ulsch

- v3 2009, Gang Aft Agley Steven J. Ross, CISA, CBCP, CISSP

- v2 2009, Book Review: Insider Computer Fraud—An In-depth Framework for Detecting and Defending Against Insider Attacks (JOnline) Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v2 2009, Information Technology Legislative Update (JOnline) A. Abimbola, Ph.D.

- v2 2009, A Study on Canadian IT Security Practices (JOnline) Rafael Etges, Walid Hejazi and Alan Lefort

- Social Engineering At a time when the economy demands all our attention, information and the intelligence of systems, processes and organizations that use it are at the heart of corporate change strategies. These changes are necessarily accompanied by protection measures; however, a silo approach is still evident which benefits a resurgence in social engineering. Nevertheless, the means to counter social engineering are within the reach of corporations, but they must be integrated within a holistic approach to information security.

- Business Value Analysis Study: Citizens Business Bank This white paper uses the real-life example of Citizens Bank to illustrate how your firm can address mounting regulations associated with security and audits and enhance customer loyalty. Discover how consulting services conduct a comprehensive security assessment and protect your organization's information infrastructure.

- Risk Management: Bridging Policies and Procedures - Fundamental Security Concepts This white paper discusses risk management as a key process in designing security architectures, including a better way for security managers to approach the security ROI issue.

- v2 2009, Driving Value From Information Security: A Governance Perspective Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v2 2009, Reliable Security, Revisited Steven J. Ross, CISA, CBCP, CISSP

- v2 2009, Data Security Belden Menkus

- v1 2009, How to Write a Security Policy: Network Security Policy Manual (JOnline) Paul R. Meynen

- v1 2009, Preserving Electronically Encoded Evidence Robert E. Davis, CISA, CICA

- v1 2009, The Future of Key Management Luther Martin, Landon Noll and James Randall

- v1 2009, Risk Associated With Web Application Vulnerabilities Kim Fath and John Ott

- v1 2009, Security Issues in a Continuous Reporting Environment Graham Gal, Ph.D.

- v1 2009, Green Security Ashley Jones, CISA, CISSP

- v1 2009, Getting Buy-in—An Easier Way Chris Konrad

- v1 2009, Book Review: Wireless Crime and Forensic Investigation Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v1 2009, Four Little Words Steven J. Ross, CISA, CBCP, CISSP

- v6 2008, Computer Ethics: A Potent Weapon for Information Security Management (JOnline) Wanbil W. Lee, D.B.A., FBCS, FIMA, FHKIE, and Keith C.C. Chan, Ph.D.

- v6 2008, Cibercrimen y Ciberterrorismo: Dos Amenazas Emergentes (JOnline) Jeimy J. Cano, Ph.D., CFE

- v6 2008, Board Portals: Are They Secure? (JOnline) Arvind Godbole, CISA, CA, and Vasant Raval, CISA

- v6 2008, New Identity Theft Regulations Silka Gonzalez, CISA, CISM, CISSP, CITP, CPA

- v6 2008, Implementing, Automating and Validating Controls for Privileged Users in Healthcare Organizations Cheryl Traverse

- v6 2008, Accounting for Value and Uncertainty in Security Metrics C. Warren Axelrod, Ph.D., CISM, CISSP

- v6 2008, Book Review: Phishing and Countermeasures: Understanding the Increasing Problem of Identity Theft Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v6 2008, Certification and the Disappearing Perimeter Steven J. Ross, CISA, CBCP, CISSP

- v5 2008, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v5 2008, Payment Card Industry Data Security Standard in the Real World Doug Drew, CISSP, PCI QSA, and Sushila Nair, CISA, CISSP, BS 7799 LA, PCI QSA

- v5 2008, Database Security, Compliance and Audit Charles Le Grand and Dan Sarel

- v5 2008, Book Review: The Handbook of Fraud Deterrence Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v5 2008, Reliable Security Steven J. Ross, CISA, CBCP, CISSP

- v4 2008, Evaluating Privacy Controls (JOnline) Sean M. Price, CISA, CISSP

- v4 2008, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v4 2008, Secure Software Development—The Role of IT Audit Oezlem Aras, Barbara L. Ciaramitaro, Ph.D., CISSP, and Jeffrey Livermore, Ph.D.

- v4 2008, Automating Security Policy and Procedures With Workflow: How to Improve the Effectiveness of Risk Management Solutions Michael Godfrey

- Largest Coordinated ATM Rip-off Ever Nets $9+ Million in 30 Minutes With only 100 compromised ATM cards, thieves were able to take $9 million from the banking system in a new style of attack.

- In today's security analytics, every bit of data matters Now things are changing yet again. In today's dangerous security landscape, no data is considered "noise" anymore.

- v4 2008, Risk Management Standards: The Bigger Picture David Ramirez, CISA, CISM, CISSP, BS 7799 LA, MCSE, QSA

- v4 2008, Book Review: Securing Converged IP Networks Kamal Parmar, CISA, FCCA, CCNA, MCP

- v4 2008, Five Questions With... Ray Slocumb, CISA, CFE

- v4 2008, Managing Information Crises Steven J. Ross, CISA, CBCP, CISSP

- Data Loss Prevention: Is it really necessary to record all IP traffic? The main point here is to extract only the valuable information from the traffic and then store it.

- v3 2008, Role Engineering: The Cornerstone of RBAC (JOnline) Srinivasan Vanamali, CISA, CISSP

- v3 2008, The Art of Database Monitoring (JOnline) Sushila Nair, CISA, CISSP, BS 7799 LA

- v3 2008, A Business Model for Information Security Kent Anderson, CISM

- v3 2008, Pay Today or Pay Later—Calculating ROI to Justify Information Security and Compliance Budgets Jaspreet Singh, CISA, MCSE, MCSD, BS 7799 LA

- v3 2008, Book Review: Stepping Through the InfoSec Program C. Warren Axelrod, Ph.D., CISM, CISSP

- v3 2008, Five Questions With... Luis Eduardo Toro Lobos, CISM

- v3 2008, Guest Editorial: Mobility Changes (Almost) Everything! William C. Boni, CISM

- 'Provider-in-the-Middle Attacks' Put Major Websites, Users at Risk Researchers discover that ad servers from over 70 ISPs, such as Earthlink and Comcast, put trademarked sites – and users who visit them – at risk of cross-site scripting and other attacks.

- v1 2008, Dysfunctional IT-A Business Issue - Howard Nicholson, CISA

- v1 2008, HelpSource Q&A - Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v1 2008, Auditor’s Guide to Information Systems Auditing - A Rafeq, CISA, CIA, CQA, CFE, FCA

- v1 2008, Business Risks and Security Assessment for Mobile Devices - Patricia Mayer Milligan, Ph.D., and Donna Hutcheson, CISA

- v1 2008, Dysfunctional Operations in IT - Kent Anderson, CISM

- v1 2008, Insider Threat--The Fraud That Puts Companies at Risk - Patrick Taylor

- v1 2008, Is Your Printer Betraying Your Business? - Esteban Farao, CISA, CISSP, MCP

- v1 2008, Dumb Luck, Smart Risk - Steven Ross, CISA, CBCP, CISSP

- v6 2007, HelpSource Q&A - Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v6 2007, Five Questions With... - Gary Hinson, Ph.D., CISA, CISM, CISSP

- v6 2007, I'm Not the Sheriff - Steven Ross, CISA, CBCP, CISSP

- v6 2007, Preparation Is the Key Ingredient to a Successful SIM - Mark D. Emmett, CISM, CISSP, CCSP

- v6 2007, Security Within VoIP Networks - David Ramirez, CISM, CISSP, BS 7799 LA

- IT rank and file nervous about inadequate security 73% of 256 IT workers polled are very concerned they will lose their job in the event of a security breach.

- Open source security: Five best practices Does open source software live up to its touted security credentials?

- Vol. 5, 2007 HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- Vol. 5, 2007 Merger and Acquisition: Effective Information Security Depends on Strategic Security Metrics Urs E. Gattiker, Ph.D.

- Vol. 5, 2007 A Hacker Breaks In—Lessons Learned From a True Story Zhu Wenming, CISA, Hu Hanhui and Wang Hao

- Vol. 5, 2007 Tips and Strategies to Protect Laptops and the Sensitive Data They Contain John Livingston

- JOnline, Vol. 2, 2007 Using Systems Engineering to Aid in HIPAA Compliancy (JOnline) Michael Martel, CISSP, CPP

- JOnline, Vol. 2, 2007 Less Than Zero vs. Zero Day: An Approach to Vulnerabilities, Exploits, Patches and Security (JOnline) Alan Shimel

- Vol. 2, 2007 HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- JOnline, Vol. 2, 2007 The Information Security Assessment and Evaluation Methodologies: A DoD Framework for Control Self-assessment (JOnline) Bryan S. Cline, CISA, CISM, CISSP-ISSEP

- Vol. 2, 2007 ERP Security and Segregation of Duties Audit: A Framework for Building an Automated Solution David Hendrawirawan, Huseyin Tanriverdi, Carl Zetterlund, Hunaid Hakam, Hyun Ho Kim, Hyewon Paik, CPA, and Yeohoon Yoon

- Vol. 2, 2007 Developing Metrics for Effective Information Security Governance John P. Pironti, CISA, CISM, CISSP, ISSAP, ISSMP

- Vol. 2, 2007 Improving Regulatory Compliance: How to Make Content Protection Controls Effective Robert Moeller, CISA, CISSP, CPA, PMP

- Vol. 2, 2007 What Every IT Auditor Should K Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP

- Vol. 2, 2007 Information Security Governance: Who Needs It? Krag Brotby, CISM

- Vol. 2, 2007 Alerts, Alarms and Triggers Steven J. Ross, CISA, CISSP

- Vol. 1, 2007 Professor Watts Explains It All Steven J. Ross, CISA, CISSP

- JOnline, Vol. 4, 2007 Security and Privacy vs. Computer Forensics Capabilities (JOnline) S. Srinivasan

- Vol. 4, 2007 Inseguridad Informática y Computación Anti-forense: Dos Conceptos Emergentes en Seguridad de la Información Jeimy J. Cano, Ph.D., CFE

- Vol. 4, 2007 Compliance Assessment of IP Networks: A Necessity Today Rajesh Talpade, Ph.D., CISSP, and Jatinder Singh

- Vol. 4, 2007 Achieving Compliance With the PCI Data Security Standard Alex Woda, CISA, QDSP, QPASP

- Vol. 4, 2007 MP3 Players: Today's Business Threat Derek Oliver, Ph.D., CISA, CISM, CFE

- Vol. 4, 2007 Security Controls That Work Dwayne Melancon, CISA

- Vol. 3, 2007 HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- Vol. 3, 2007 Analyzing the Security of Internet Banking Authentication Mechanisms Christos K. Dimitriadis, Ph.D., CISA, CISM

- Vol. 3, 2007 IT Security Matters: Mail Call III Steven J. Ross, CISA, CISSP

- Q&A: A Common-Sense Approach To Computer Security

- JOnline Vol. 6, 2006, Framework for Measuring and Reporting Performance of Information Security Programs in Offshore Outsourcing Sekar Sethuraman, CISA, CISM, CISSP, CIA, CSQA, BS 7799 LA

- Vol. 6, 2006, Telephone Line Scanning Still Matters Beth Rosenberg

- Vol. 6, 2006, What Every IT Auditor Should Know About Identity Theft Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP

- Vol. 6, 2006, Issues & Comments Michael P. Cangemi, CISA, CPA

- JOnline Vol. 5, 2006, Understanding Data Classification Based on Business and Security Requirements Rafael Etges, CISA, CISSP, and Karen McNeil

- Vol. 5, 2006, Streamline ISO 27001 Implementation: Reducing the Time and Effort Required for Compliance David Ramirez, CISM, CISSP, BS 7799 LA

- Vol. 4, 2006, A Holistic Definition of IT Security—Part 2 Yusuf Musaji, CISA, CISM, CPA, CISSP, CGA

- Vol. 4, 2006, Information Security Governance: Motivations, Benefits and Outcomes John P. Pironti, CISA, CISM, CISSP, ISSAP, ISSMP

- Vol. 4, 2006, Risks and Risk Control of Wi-Fi Network Systems Hui Du, Ph.D., and Chen Zhang, Ph.D.

- Vol. 4, 2006, Imperatives Driving Security Convergence

- Vol. 4, 2006, Improving Security Management for Mobile Operators Christos K. Dimitriadis, Ph.D., CISA, CISM

- Vol. 4, 2006, Book Review: Security, Audit and Control Features SAP® R/3®: A Technical and Risk Management Reference Guide, 2nd Edition Michael Christodoulides, CISA

- Vol. 4, 2006, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- Vol. 4, 2006, Governance of Mobile Technology in Enterprises Anil Jogani, CISA, FCA

- Vol. 4, 2006, Global Perspectives: The Greatest Impacts to Security of Wireless Technology Jason Edelstein, Mark Segelov, CISA, CISM, CISSP-ISSAP, ISSMP, BS7799 LA, and Craig J. Thomas

- Vol. 3, 2006, Information Assurance—Online Lottery Systems (JOnline) Huzeifa Unwala, CISA, FCA

- Vol. 3, 2006, Virtualization Usage, Risks and Audit Tools (JOnline) Michael Hoesing, CISA, CISSP, CCP, CIA, CPA, CMA

- Vol. 3, 2006, A Holistic Definition of IT Security—Part 1 Yusuf Musaji, CISA, CISM, CPA, CISSP, CGA

- Vol. 3, 2006, Critical Elements of Information Security Program Success Sharon K. O'Bryan, CISA, CISSP

- Vol. 3, 2006, Introduction to Forensic Computing C. Matthew Curtin, CISSP

- Vol. 3, 2006, Key Elements of a Threat and Vulnerability Management Program John P. Pironti, CISA, CISM, CISSP, ISSAP, ISSMP

- Vol. 3, 2006, A New Approach for Assessing the Maturity of Information Security Saad Saleh AlAboodi, CISSP

- A Taxonomy of Information Systems The dissertation aims at being a definitive guide to define the terminology and detail the related methodologies across the range of information assurance services.

- Report Slams FBI Network Security

- Network Access Control Learning Guide From PDAs to insecure wireless modems, users have myriad options for connecting to -- and infecting -- the network

- Security, disaster recovery top SMB predictions for 2007 During the last few disaster-prone years, small and medium-sized businesses (SMBs) learned the hard way that they are as vulnerable as large enterprises to hackers, hurricanes and the penalties of not complying with federal regulations.

- What Are The Most Common Causes Of Security Breaches? Nowadays, attackers are as advanced as the defenders, and the attacks don’t always come from the expected direction.

- WAN Acceleration: Best Practices for Preserving Security As more and more enterprises undergo server centralization projects, new products will be introduced to improve network and application performance. By following basic security precautions, enterprises can ensure that these performance improvements do not come at the expense of data security.

- Strategic considerations for an integrated malware defense To keep an enterprise malware-free, not only does it take several technologies, but those pieces must also fit together like a well-crafted puzzle. This technical tip from SearchSecurity.com's Messaging Security School discusses which product categories are must-haves and what to consider when assembling your enterprise's antimalware puzzle.

- Glossary of Terms Used in Security and Intrusion Detection

- Top 15 Malicious Spyware Actions The following list describes some of the most malicious activities of today's spyware, illustrating the need for solid antispyware defenses.

- Developing Security Policies: Rules vs. Risk When dealing with security risk, does your policy leave you holding the bag?

- Nmap Technical Guide An Nmap Technical Guide, offering up all the guidance information security professionals need to install, configure, run and evaluate Nmap in the enterprise, both on Windows and Linux platforms.

- How to defeat the new No. 1 security threat: cross-site scripting Cross-site scripting, often abbreviated XSS, is a class of Web security issues. A recent research report stated that XSS is now the top security risk.

- The Risk Intelligent Enterprise - ERM Done Right The white paper dissects ERM and what it means to businesses today.

- Risk Intelligence in the Age of Global Uncertainty A whitepaper that is the second installment regarding risk intelligence.

- A Framework to Collect Security Events for Intrusion Analysis This paper describes a framework to help security personnel have a starting point with which to collect and view security events from devices capable of reporting via syslog.

- Endpoint security: The weakest link The endpoint is a juicy target for a few reasons and in this article the author explores them.

- A Guide to Security Metrics

- Web Browser Security Learning Guide This learning guide identifies the inherent flaws of Internet Explorer and Mozilla Firefox.

- Five reasons backups fail and tips for prevention A list of the common problems that cause backup failure, in decreasing order of frequency.

- Windows Security Log Encyclopedia Plain English explanations of Windows security log events.

- Under Attack Can your systems really benefit from penetration testing?

- Poor storage security policies: A clear and present danger The ubiquitous flash drive or memory stick, harmless as it may seem, could be used in some pretty unsavory ways by digital delinquents.

- Keep your cool when disaster strikes QuoVadis learned several key lessons when a fire struck Bermuda Electric Light Company Ltd.

- v3 2006, Cybersecurity and the Critical Infrastructure: Looking Beyond the Perimeter C. Warren Axelrod, Ph.D., CISM, CISSP

- v3 2006, Information Security Governance William J. Malik, CISA

- v3 2006, What Every IT Auditor Should Know About Cyberforensics Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP

- v3 2006, Global Perspectives Andy Townsend, Claudio Cilli, Ph.D., CIA, CISA, CISM, CISSP, and Gilbert N. Alegue

- v3 2006, Falling Off the Truck Steven J. Ross, CISA, CISSP

- v3 2006, Issues & Comments Michael P. Cangemi, CISA, CPA

- v2 2006, Strengthening Access Control: Using Smart Cards (JOnline) Tara Kissoon, CISA, CISSP

- v2 2006, Road Map for Information Security: What to Do After BS 7799 Certification (JOnline) Sekar Sethuraman, CISA, CIA, CISSP, CSQA

- v2 2006, Delegating Root Authority and Auditing (JOnline) Edward Blunt, CISA

- USB Security: A Sticky Situation Opinion: Shutting down transfer points must be made easier

- v2 2006, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v2 2006, Red Teams: An Audit Tool, Technique and Methodology for Information Assurance Frederick Gallegos, CISA, CDE, CGFM, and Matthew L. Smith, CISA, CISSP

- v2 2006, Mac OS X: A Secure Platform and a Valuable Security Tool in a Distributed Network Environment Robert B. Humphrey Jr., CISA, CISSP, MCSE, CCNA, A+, Network+

- v2 2006, Converging Need, Diverging Response Steven J. Ross, CISA, CISSP

- v6 2005, Creating and Enforcing an Effective Information Security Policy (JOnline) Mark Ungerman

- v6 2005, Trazabilidad de las Operaciones Electrónicas. Un Reto para la Gerencia de Tecnologías de Información (JOnline) Jeimy J. Cano, Ph.D., CFA, CFE

- v6 2005, On a Mission to Merge (JOnline) Ray O’Hara, CPP; Tim Williams, CPP; and Karl Perman

- v1 2006, ID Theft: Fraudster Techniques for Personal Data Collection, the Related Digital Evidence and Investigation Issues (JOnline) Theodore Tryfonas, Ph.D., CISA, Paula Thomas and Paul Owen

- v1 2006, Network Intrusion Detection: Know What You Do (Not) Need (JOnline) Tarlok Birdi, CCNP, CCSE, CISSP, and Kees Jansen, CISA, CISSP, PMP

- v1 2006, Overview of Mobile Technology Matt Smith, CISA, CISSP

- v1 2006, Audit and Assurance of Information Systems and Business Processes: A Foundation for Providing Sound Governance Decision Making Thomas Finne, Ph.D., CISA

- v1 2006, ISO 17799: Then, Now and in the Future Scott H. Sweren, CISM, CISSP, PMP

- v1 2006, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v1 2006, Why Information Security Governance Is Critical to Wider Corporate Governance Demands—A European Perspective Vernon Poole, CISM

- v1 2006, Book Review: Outsourcing Information Security Sarathy Emani, CISA, CISM

- v1 2006, Contents and Context Steven J. Ross, CISA, CISSP

- Could your laptop be worth millions? The average laptop could contain data worth almost $1 million, according to new research.

- CIO PRIMER: VIRTUALIZATION BASICS Virtualization is software that allows a piece of hardware to run multiple operating system images at once.

- Researchers: Popular apps have mismanaged security Big-name companies like America Online (AOL) and Adobe could do a better job of writing secure software, according to a recent report by two Princeton University researchers.

- IPsec dead by 2008, says Gartner The IPsec protocol that has served remote access so well for the last decade is now in its death throes, Gartner has prophesied.

- v6 2005, Internal Cyberforensics Sunil Bakshi, CISA, CISM, AMIIB, MCA

- v6 2005, Security and Ownership of Personal Electronic Devices Richard A. Bassett, DPS, Rita Mack, Jason Foster and Andrew Swiatlon

- v6 2005, Identity Theft: A New Frontier for Hackers and Cybercrime Claudio Cilli, Ph.D., CIA, CISA, CISM, CISSP

- v6 2005, Best Practices for Establishing an Effective Workplace Policy for Acceptable Computer Usage John Nolan

- v6 2005, Computer Forensics: An Overview Frederick Gallegos, CISA, CDE, CGFM

- v6 2005, Issues & Comments Michael P. Cangemi, CISA, CPA

- End Users are Clueless -- and it's IT's Fault End users are causing most of their own problems... and IT is to blame.

- Tales from “De Crypt” A look at how one company assures confidentiality by encrypting all of the data that touches its SAN.

- How To Lock Down Enterprise Data With Infrastructure Services This paper outlines the different strategies for encrypting stored data so you can make the decision that is best to use in each different situation.

- DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

- CSI: Corporate focus on compliance could undermine security Companies that make regulatory compliance the sole driver of their information security efforts could be weakening their long-term security posture instead of improving it.

- Being Big Brother: Monitoring employees’ network activity Employers have a lot of leeway in monitoring what their employees do while on company premises and using company equipment.

- Review of Security Planning Guides from Microsoft This article reviews the recommendations of several recently released security planning guides from Microsoft.

- Steps for choosing the right federated identity standard for your company Three protocol standards are available to companies for federated identity management.

- Ten steps to secure networking 10 tips to protect your network that will lower training costs and speed the introduction of new security capabilities

- The threat with the most disaster potential Whether they oversee physical or online defenses, security officers say the disaster scenario that scares them most begins with an insider with malicious intentions.

- Popular Policies: Keeping Storage Secure Secure storage of data has always been essential for any organisation, of whatever size.

- v5 2005, Security Information Management: Not Just the Next Big Thing (JOnline) Nicole Pauls, CISSP-ISSAP, ISSMP

- v5 2005, An Approach to Vulnerability Management (JOnline) Umesh Chavan, CISSP

- v5 2005, Sarbanes-Oxley and Business Process Outsourcing Risk Yusuf Musaji, CISA, CISM, CISSP, CGA

- v5 2005, Book Review: OS/390—z/OS: Security, Audit and Control Features Miguel O. Villegas, CISA, CISSP

- v5 2005, Book Review: Surviving Security—How to Integrate People, Process and Technology, 2nd Edition Christina Tsang-Reveche, CISA, CISM, PMP

- v5 2005, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v5 2005, Give 'em the New Razzle-Dazzle Steven J. Ross, CISA, CISSP

- v4 2005, Privacy: An Opportunity for IS Auditors? Claudio Cilli, Ph.D., CISA, CISM, CIA, CISSP

- v4 2005, A Manager's Guide to Identity Management and Federated Identity Leslie Pang, Ph.D.

- v4 2005, Radio Frequency Identification: What Does It Mean for Auditors? Beth Serepca, CFP, OIG, NRC, and Bob Moody, CISA, CIA, CFE, DOI

- v4 2005, The Right Question Steven J. Ross, CISA, CISSP

- Product-based Security vs. Service-based Security In this article, we examine the advantages and disadvantages of both.

- Lessons learned from corporate security breaches

- What is Endpoint Security? Disagreement over the meaning of endpoint security may be putting users at risk, according to a new IDC study.

- Application-level Security Products A list of vendors, along with URLs and brief product descriptions.

- Sensible IT Security for Small Businesses Small organizations should adopt a strategy of "defense in depth" -- using multiple mechanisms and levels for security.

- Ordering off the Security Menu A basic list, or menu, of security technologies and processes that business and technical folks should consider.

- Take Care of the Details for a Secure Network Linda LeBlanc takes a look at the small details that could mean the difference between a secure network and one riddled with holes.

- Protecting Your Identity and Your Network eSecurityPlanet columnist Linda LeBlanc looks at the little things we do without thinking that put our identities and our networks at risk.

- Home Users: IT's Cross to Bear With a growing number of employees working from home, IT administrators need to learn how to manage this increasingly remote workforce to better protect their network.

- Getting at the Root of Security Problems Security problems run much deeper than many security professionals are looking.

- Simplified Secure Access Management with CRYPTOCard A look at a technology that delivers toughened security while dispensing with the complexity.

- Addicted to Security? Shoveling cash into security products without a thorough understanding of the underlying threats can lead to a management nightmare and a hemorrhaging IT budget

- Storage Security Back In The Spotlight With public concern over lost and compromised data growing, the time is right to take a closer look at storage security best practices

- DDoS Attacks: What Can You Do? Faced with a massive DDoS attack, what are your options? Not many as it turns out, but it helps to have friends upstream.

- FDIC advises banks on how to protect against spyware A list of best practices for financial services firms that details how to protect against spyware.

- Is Open Source Really More Secure? In this article we'll discuss the claim made by proponents of open source software that such software is more secure.

- How to Defend your Network Against Social Engineers Common social engineering tactics.

- How to Plan for a Possible Network Attack In this article we will focus on a much needed topic which is proactive planning: planning for your systems and network devices to get hit, so that you can avert the damage if it does happen.

- The Security Risks Of Desktop Searches In this article, I will discuss Google’s security issues and talk about what this might mean for other companies developing similar applications.

- Application Layer Filtering (ALF): What is it and How does it Fit into your Security Plan? In this article, we’ll provide an overview of ALF technology, take a look at some ways in which it’s implemented in today’s security products, and help you understand the benefits – and the limitations – of this component of a fully functional multi-layer filtering solution.

- Protect Against Weak Authentication Protocols and Passwords There are methods that you can implement that will protect against weak authentication protocols and password hashes being generated.

- Code Signing: Is it a Security Feature? In this article, we’ll take a look at how code signing works and where it fits into your organization’s security plan.

- Evaluating a new security policy This article will explain how to evaluate a new security policy in a safe and responsible manner

- Protective Layers: Securing Corporate Networks With so many types of malware stalking the Internet, companies pile on their e-mail defenses.

- IDS Pays Off, Even if There's No Hacking System shows its value again as the security team sets out to mitigate the effects of a nasty worm.

- Best Practices on Spyware Prevention and Detection This informational supplement describes the various challenges and best practices related to spyware.

- Don't monkey about with security Greasemonkey illustrates the need to treat the tiniest sliver of code with the same critical concern as the most lumbering of applications.

- A Few Good Metrics Here are five smart measurements—and effective ways to present information security metrics

- Early Alerting - The Key To Proactive Security Increasingly, organizations are considering implementing an early warning system.

- How To Combat Spyware There's no doubt that the presence of spyware on a computer is a serious intrusion of privacy that needs to be dealt with

- Combating "Cardholder Not Present" Fraud The level of card fraud has risen significantly over recent years, caused in the main, by the explosion in the number and usage of payment cards and the associated high level of organised card crime activity.

- Know Your Enemy: Honeynets This paper focuses on what a Honeynet is, its value to the security community, how it works, and the risks/issues involved.

- Web Application Hacking: Exposing Your Backend

- SOAP Web Services Attacks This whitepaper discusses various types of attacks based on the SOAP implementation of Web services over HTTP and describes how you can shield your applications from these assaults.

- Circumventing Validation This paper is an introduction to breaking those assumptions and realizing just how vulnerable those chalkboard outlines can be in the real world

- Combating The Hidden Dangers Of Adware Adware may remain a threat to your Web users, but by adopting proactive filtering, you can ensure that the only unwanted advertisements they see are on TV.

- Does Firefox Really Provide More Security Than Internet Explorer? Is Firefox more secure than Internet Explorer? This article explores that question.

- A role model for security. Almost. Although perfection is unattainable, we should strive for no less. Qmail is a great example of being "almost there."

- Security for the Paranoid Paranoia is the key to success in the security world.

- White Hat or White Whale? Sometimes an obsession over any one security approach, whether it's policy or a specific technology, can be a very unhealthy thing overall.

- Security Action Plans Being smart about security is as much about commonsense practices as it is about deploying the right software tools

- Increasing security with limited user accounts and restricted groups The differences between the built-in and default local account types and the differences between local and domain user accounts.

- Record Risks Businesses are using technology to comply with legal and regulatory requirements -- and regain control over electronic records.

- Who Can You Trust? There is no longer a trusted enterprise.

- Who best to define spyware? In this two-part series, security professionals and others debate spyware detection and who is best qualified to define it.

- A wolf in sheep's clothing In this two-part series, security professionals and others debate spyware detection and who is best qualified to define it.

- Spyware and adware rage on Enterprises are still feeling the pain of adware and spyware, but much of it appears to be self-inflicted.

- SSL - A discussion of the secure socket layer This is a paper discussing the theory and practice of SSL.

- v3 2005, JOnline - Information Security and the Human Factor Mark Egan

- v3 2005, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- The Link Between Information Security and Corporate Governance

- Introduction to Spyware Keyloggers The purpose of this article is to discuss keyloggers found in spyware applications, including their detection, features, and removal.

- v2 2005, JOnline- Generic Exploit Blocking: Prevention, Not Cure Carey Nachenberg

- v2 2005, Help Source Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA

- v2 2005, Introduction to Voice-over IP Technology Kamal Khan, CISA, CISSP, MBCS, Rajan Syal and Achal Kapila

- v2 2005, How Can Security Be Measured? David A. Chapin, CISA, CISM, CISSP, IAM and Steven Akridge, JD, CISM, CM, CISSP, IAM

- Security: Essential to Compliance A whitepaper discussing how IT security plays an essential role in assisting companies to achieve and sustain a compliance environment.

- Simple steps for raising the security bar at your company A list of activities that, if used effectively, can assist security personnel in turning things around and begin getting security woven into the fabric of the organization.

- SANS top 20 Vulnerabilities: The Experts Consensus SANS top 20 Security Vulnerabilities.

- Know Your Enemy: III This article is the third of a series focusing on the script kiddie.

- Know Your Enemy: II This, the second paper, will cover how to track your enemy's movements.

- Honeypots Turn The Tables On Hackers

- Honeytokens: The Other Honeypot Honeytokens are everything a honeypot is, except they are not a computer.

- Honeypots: The next intrusion detection solution Why honeypot technologies are becoming a commercially relevant and acceptable intrusion detection methodology.

- Honeypots get stickier for hackers The paper discusses technology to help users forge their own honeypots.

- Honeypots: Catching the Insider Threat How honeypot technologies can be used to detect, identify, and gather information on specific threats.

- Honeypots: Are They Illegal? The purpose of this paper is to address the most commonly asked legal issues regarding honeypots.

- Honeypot Farms The paper discusses how to employ honeypots in your environment.

- Disabling Worms With Honeypots and Active Immunization

- Honeyd: A Low Involvement Honeypot in Action Whitepaper describing honeyd, a derivative of the honeypot.

- Honey Pots and Honey Nets - Security through Deception Whitepaper describing honeypots and honeynets.

- Hands in the Honeypot The paper focuses on the description and analysis of honeypots as well as how and where they are used.

- Fighting Spammers With Honeypots: Part 2 Part two of a two part series.

- Fighting Spammers With Honeypots: Part 1 This paper will evaluate the usefulness of using honeypots to fight spammers.

- Dynamic Honeypots A look to see what honeypots should do, how they could work.

- Digital Dishonesty as Best Policy A whitepaper describing the ins and outs of honeypots.

- Defeating Honeypots: Network Issues, Part 2 Part 2 which examines the discussion with more practical examples for detecting honeypots, including Sebek-based honeypots, snort_inline, Fake AP, and Bait and Switch honeypots.

- Defeating Honeypots: Network Issues, Part 1 Explains how attackers typically behave when they attempt to identify and defeat honeypots.

- Build A Honeypot Here the author describes how he built, implemented, and monitored a honeypot network designed specifically to learn how black-hats work.

- Bait Crackers With A Honeypot Adding a honeypot to your arsenal can be a big boost to your network's security, both in distracting malicious users and learning how the garden variety script kiddy or cracker thinks.

- Bait and Switch with Honeyd Spoofing, diversion and obfuscation are all part of honeyd's powerful arsenal.

- Baby steps with a honeypot This document describes the build and running of the author's first honeypot.

- Advancements in Honeypot Tools Discusses the tools, tactics, and motives of the hacker community.

- Building Code Why you should build security in from the start of a tech project.

- v6 2000, Secure Electronic Transaction (SET) Protocol Ganesh Ramakrishnan, CISA
- v6 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v6 2000, Issues & Comments Michael P. Cangemi, CISA, CPA
- v5 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v5 2000, Investigating Computer-Related Crime Sarathy Emani, CISA
- v5 2000, What's Your Sign? Steven J. Ross, CISA
- v4 2000, How To Eliminate The Ten Most Critical Internet Security Threats
- v4 2000, Securing Linux—Is Open Source Too Open for Its Own Good? Pete Loshin
- v4 2000, BSD -- The Other Open Source Unix
- v4 2000, Kennametal Uses ACL as Its Best Practices Tool Holly McMunn, CPA, CIA
- v4 2000, Of Wolves and Privacy Steven J. Ross, CISA
- v3 2000, Defeating the Cyber Criminal: Defense Tactics for Denial of Service Attacks Mark Bigler, CISA, CPA, CFE
- v3 2000, HIPAA Preparation Begins and Y2K Ends John Landreth CPA, MB, MBA and Mark Conrad Ledman CPA, MPA
- v3 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v3 2000, Heft Steven J. Ross, CISA
- v3 2000, Issues & Comments Michael P. Cangemi, CISA, CPA
- v2 2000, Managed Risk, Enhanced Response Sean Adee, CISA
- v2 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v2 2000, The Lingering Doubt Steven J. Ross, CISA
- v1 2000, Intellectual Property and the Internet: Who Owns the Information? Hugh Parkes, CISA, FCA
- v1 2000, Secure E-Business Raj Mehta, CISA, CPA
- v1 2000, Are E-mails Boon or Bane for Organisations? J.P. Pathak, Ph.D.
- v1 2000, New Book Addresses Online Signature Authentication
- v1 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v1 2000, Fishy Stories Steven J. Ross, CISA
- v6 2001, Understanding Virtual Organizations Les Pang, Ph.D.
- v6 2001, Intrusion, Attack, Penetration--Some Issues Chidambaram Mahadevan, CISA, FCA
- v6 2001, The State of Enterprise Security Management: An interview with Reed Harrison, Chief Technology Officer, e-Security Joe Judge
- v6 2001, When Code Red Attacks: Addressing Vulnerabilities Behind Virus Hysteria Mark Burnette, CISA, CPA, CISSP, and Claudia Gómez
- v6 2001, Virtual Private Infrastructure Steven J. Ross, CISA
- v6 2001, Book Review: Netspionage: The Global Threat to Information Michel Lambert, CISA
- v5 2001, Presenting Penetration Test Results to Management Amin Leiman, CISA
- v5 2001, Ports and Port Scanning: An Introduction Robert Moody, CISA, CIA, CFE
- v5 2001, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v5 2001, Doctor's Orders Steven J. Ross, CISA
- v4 2001, Your Face to the Customer: What If It Is Wrong? Managing CRM Risks Michele McLaughlin, CISA, CPA; and David S. Erickson, CISA, CPA
- v4 2001, How to Audit Customer Relationship Management (CRM) Implementations Priscila Balcazar, CISA
- v4 2001, Penetrating Questions Steven J. Ross, CISA
- v4 2001, Issues & Comments Michael P. Cangemi, CISA, CPA
- v3 2001, E-commerce and Smart Cards Marcelo Héctor González, ASS, CISA
- v3 2001, CPO Position Joins Executive Ranks Michael Parkinson, CISA, CIA
- v3 2001, Cross-Border Privacy Impact Assessments Thomas J. Karol
- v3 2001, Erosion of Trust--E-commerce and the Loss of Privacy Jonathan D. Andrews, CA, CISA, FCA
- v3 2001, Creating the Privacy Compliant Organization Robert G. Parker, MBA, FCA, CISA, CMC
- v3 2001, Choosing the Best Solution for Your Network Security: Secure Shell, TLS or IPSec Anne Carasik
- v3 2001, Top US Privacy Stories of 2000 Stephen Keating and Richard M. Smith
- v3 2001, Virtual Private Networking: Confidentiality on Public Networks Robert C. Norris, Jr., Ph.D., CISA
- v3 2001, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v3 2001, Mahogany Row Mail Call Steven J. Ross, CISA
- v3 2001, Issues & Comments Michael P. Cangemi, CISA, CPA
- v2 2001, Fighting Security Breaches and Cyberattacks with Two-Factor Authentication Technology Tony Walker, Ph.D.
- v2 2001, Securing Emerging Internet Applications Masaya Norifusa
- v2 2001, Mathematical Proofs of Mayfield's Paradox: A Fundamental Principle of Information Security The University of New Haven Center for Cybercrime and Forensic Computer Investigation and The University of Southern California Department of Mathematics
- v2 2001, Cybersecurity and the Future of E-commerce Allan R. Paliotta, CISA, CFE, CFSA
- v2 2001, Computer Forensics--From Cottage Industry to Standard Practice John M. Patzakis
- v2 2001, Automated User Authentication Mark K. Willoughby
- v2 2001, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v2 2001, Standard Questions Steven J. Ross, CISA
- v2 2001, Issues & Comments Michael P. Cangemi, CISA, CPA
- v1 2001, Helping Businesses Safeguard Information and Networks Ron Hale
- v1 2001, Virtual Private Networking—New Issues for Network Security Lily Shue, CISA, CCP
- v1 2001, Why Passwords Persist Steven J. Ross, CISA
- v5 2002, The Global Status of Electronic Signature Legislation Lily Shue, CISA, CCP
- v5 2002, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v5 2002, Loose Lips Sink Chips Steven Ross, CISA
- v4 2002, Buyer's Guide
- v4 2002, Mail Call Steven J. Ross, CISA
- v3 2002, Fighting Internal Crime Before It Happens Allen G. Lux and Sandra Fitiani
- v3 2002, Combating Cyberthreats--Partnership Between Public and Private Entities Elsa Lee, CISA, CSQA
- v3 2002, Avoiding Tainted Testimony Alan B. Sterneckert, CISA, CISSP, CFE, CCCI
- v3 2002, Data Hiding Clayton Hoskinson, CFE, CFCE, and Jim Sleezer, CISA
- v3 2002, Computer Forensics Emerges as an Integral Component of an Enterprise Information Assurance Program Douglas Barbin, CISSP, CPA, CFE, and John Patzakis
- v3 2002, An E-citadel for Securing Credit Card and Consumer Data Tom Arnold
- v3 2002, ROSI Scenarios Steven J. Ross, CISA
- v2 2002, Wireless LAN Risks and Vulnerabilities Richard A. Stanley, Ph.D., PE, CISSP
- v2 2002, Social Engineering: A Tip of the Iceberg Pramod Damle, CISA, CQA, CAIIB
- v2 2002, Increasing Security Levels Nadia Alga
- v2 2002, A Beginner's Guide to Auditing the AS/400 Operating System Judith S. Bines, CISA, CPA, CFSA, CBM
- v2 2002, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v2 2002, Vive le ROI Steven J. Ross, CISA
- v2 2002, Auditing and Security: AS/400, NT, UNIX, Networks and Disaster Recovery Plans Janine McMinn, CISA, FAIDC
- v2 2002, Issues & Comments Michael P. Cangemi, CISA, CPA
- v1 2002, Insuring Information Security Mark M. Pollitt
- v1 2002, Book Review: Intrusion Signatures and Analysis Ashley Jelleyman
- v1 2002, Issues & Comments Michael P. Cangemi, CISA, CPA
- v1 2005, Fingerprint Identification: An Aid to the Authentication Process Rodger Jamieson, Ph.D., CA, Greg Stephens and Santhosh Kumar

- v1 2005, Enterprise Instant Messaging: Taking Control Christophe Hug-Heuveneers, CISSP

- v1 2005, A Network Is Threatened by Its Own Endpoints Mitchell Ashley

- v1 2005, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA

- v1 2005, The Role of Attack Simulation in Automating Security Risk Management Gidi Cohen

- v1 2005, Cost-effective Implementation of Identity Management Srinivas Sarva, CISA, AICWAI

- v1 2005, Web Services Security Mohan Bhatia, CISM, AICWA, CCM, FRM, PGDST

- v1 2005, Threat Assessment and Security Measures Justification for Advanced IT Networks Michael J. Cerullo, Ph.D., CPA, CITP, CFE, and Virginia Cerullo, Ph.D., CPA, CIA, CFE

- v1 2005, Common Criteria: An Overview K.K. Mookhey

- v1 2005, Key Elements of an Information Security Program John P. Pironti, CISA, CISM, CISSP

- v1 2005, Book Review: Oracle Privacy Security Auditing Kamal Parmar, CISA, ACCA, CCNA, MCP

- v1 2005, IT Security Governance—A Slow Start to a High Maturity Level Peter R. Bitterli, CISA

- v1 2005, Security Folklore, Facts and the Future Roger Southgate, CISA, CISM, FCCA, MBCS

- v1 2005, Is Information Security a Threat to Resilience? Steven J. Ross, CISA, CISSP

- v1 2005, Issues & Comments Michael P. Cangemi, CISA, CPA

- v6 2004, A Wake Up Call to All Information Security and Audit Executives: Become Business-relevant Patrick Taylor

- v6 2004, Building an Educational Response to Terrorism: A Multifaceted Problem, A Multidimensional Response William V. Maconachy, Ph.D., Corey Schou, Ph.D., James Frost, Ph.D., and John Springer, Ed.D.

- v6 2004, COBIT: An Ideal Tool for Teaching Information Security Management Malcolm Pattinson, CISA

- v6 2004, Information Technology Auditing and Cybercommerce: A Risk Perspective Jagdish Pathak, Ph.D.

- v6 2004, Educating the Masses: Audit, Control and Security of Information Systems Today and Tomorrow Frederick Gallegos, CISA, CDE, CGFM

- v6 2004, Frameworkers of the World, Unite Steven J. Ross, CISA, CISSP

- v5 2004, Top Three Potential Risks With Outsourcing Information Systems Catherine Wright

- v5 2004, Risk Management Strategies for Offshore Application and Systems Development Rudy Bakalov

- v5 2004, HelpSource Q&A B. Ganapathi Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA

- v5 2004, IT Governance and Outsourcing Hugh Parkes, CISA, FCA

- v5 2004, Book Review: Role-based Access Control (RBAC) Reynaldo J. de la Fuente, CISM, CISA

- v5 2004, Instant Mess Steven J. Ross, CISA

- v4 2004, Biometrics: An Overview of the Technology, Challenges and Control Considerations Michael P. Down, OCNP, and Richard J. Sands, CISSP, OCNP

- v4 2004, Identity Management Framework: Delivering Value for Business Srinivasan Vanamali, CISA, CISSP

- v4 2004, Effective Encryption Requires an Integrated System Greg Farris

- v4 2004, Protecting the Ports—Using an Event Log Manager to Improve Network Security Drew Robb

- v4 2004, HelpSource Q&A B. Ganapathi Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA

- v4 2004, Biometrics—Risks and Controls Christos K. Dimitriadis, CISA, CISM, and Despina Polemi, Ph.D.

- v4 2004, Assuring Data Privacy Compliance Steve Kenny, CISA

- v4 2004, Systems Development Advice in a Web-enabled World Sanjiv Kumar Agarwala, CISA, CISSP

- v4 2004, Implementing ISO17799: Pleasure or Pain? Carl Thorp, CISM, CISSP

- v4 2004, The Costs of Not Securing Personally Identifiable Data Benjamin Wright

- v4 2004, Security and Regulatory Compliance: A Quantitative Risk Management Approach Art Drake and Jerry Jeschke

- v4 2004, Auditing Security and Privacy in ERP Applications S. Anantha Sayana, CISM, CISA, CIA

- v3 2004, An Investigation of Computer Forensics Ryan Pidanick

- v3 2004, A Guide to Wireless Network Security Mitchell Ashley

- v3 2004, Using Wireless Network Audit Techniques Michael T. Hoesing, CISA, CIA, CISSP, CPA, and Vasant Raval, CISA, DBA

- v3 2004, Best Practices for Wireless Network Security Susan Kennedy, CISA, CIW

- v3 2004, What Auditors Should Know About Encryption David Chan, CISA, CISM, CFE, CPA

- v3 2004, HelpSource Q&A B. Ganapathi Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA

- v3 2004, Securing the Wireless Network William F. Nelson and Wei Lu, Ph.D.

- v3 2004, Security, Audit and Control Issues for Managing Risk in the Wireless LAN Environment Richard A. Stanley, Ph.D., PE, CISSP

- v3 2004, Book Review: Network Security: The Complete Reference Kamal Parmar, CISA, ACCA, CCNA, MCP

- v2 2004, Auditing Governance in ERP Projects S. Anantha Sayana, CISA, CIA

- v2 2004, HelpSource Q&A Fred Lilly

- v2 2004, Book Review: The Art of Deception: Controlling the Human Element of Security Janine McMinn, CISA

- v1 2004, How to Use a New Computer Audit Fraud Prevention and Detection Tool Richard B. Lanza, CPA, PMP
- v1 2004, Employee Monitoring and Surveillance—The Growing Trend Robin L. Wakefield, Ph.D., CPA
- v1 2004, Automating System Security Audits Fred Pinkett
- v1 2004, Open Source Tools for Security and Control Assessment K.K. Mookhey
- v1 2004, Maybe We Have Won Steven J. Ross, CISA, CISSP
- v1 2004, Issues & Comments Michael P. Cangemi, CISA, CPA
- v6 2003, Security in the Land Down Under Stephen Ford
- v6 2003, Identity Management: A Business Strategy for Collaborative Commerce Jay Ahuja
- v6 2003, Privacy Is in the Eye of the Beholder Tari Schreider
- v6 2003, Large-scale Biometric Management: A Centralized, Policy-based Approach to Reducing Organizational Identity Chaos Jim Byrne
- v6 2003, Investing in Security—Do Not Rely on FUD Rahul Tongia, Ph.D., and Kanika Jain
- v6 2003, Wise Wireless: Securing the WLAN James Bindseil, CISSP
- v6 2003, Who Needs Information Security? Steven J. Ross, CISA, CISSP
- v5 2003, Apache Security Controls and Auditing K. K. Mookhey
- v5 2003, Book Review: Risks of Customer Relationship Management: A Security, Control and Audit Approach Craigg Ballance
- v4 2003, Justifying Investment in Security Kamal Parmar, CISA, ACCA, CCNA, MCP
- v4 2003, Centralized Security Management Provides Foundation for Effective Intrusion Prevention Hugh S. Njemanze, CISSP
- v4 2003, Internal Control Issues: The Case of Changes to Information Processes Benjamin Bae, Ph.D., Ruth W. Epps, Ph.D., CPA, and Susan S. Gwathmey, CMA
- v4 2003, Enforce Security with a Fingerprint Biometric Solution John Wallhoff, CISA, CISSP
- v4 2003, Preventing EFT Fraud John E. Humphries, Jr., CISA, CISSP, GSEC
- Threat Management System – The State of Intrusion Detection The concept of threat management, an automated and manageable enterprise security system.

- ComputerWorld Buyers Guide Directory of technology providers serving all aspects of the IT industry.

- The move on to IPv6 An update and tips on getting your company ready for the transition to this Internet protocol.

- How to close the information security gap at your company Symantec CIO Mark Egan offers a three-pronged approach to strengthening your company's security posture.

- v3 2003, Implementing Enterprise Security: A Case Study (Part 2) Ken Doughty, CISA, CBCP
- v3 2003, COBIT: A Tool To Manage Information Ecology Joseph Martin C F, CISA, CPIM
- v3 2003, IT Security Awareness Programme Bruno Wiederkehr
- v3 2003, Auditing OS and Database Controls S. Anantha Sayana, CISA, CIA
- v3 2003, Identifier Management Steven J. Ross, CISA
- v3 2003, Issues & Comments Michael P. Cangemi, CISA, CPA
- v2 2003, The Computer Forensics and Cybersecurity Governance Model Kenneth C. Brancik, CISA
- v2 2003, Risk Assessment Tools: A Primer Tari Schreider
- v1 2003, Auditing Employee Use of E-mail Robert Moody, CISA, CIA, CFE, and Beth Serepca, CFE, CGFM
- An Intrusion in an Outsourcing Data Center, That Works In Spite Of Security Whitepaper relaying the ease of an intrusion regardless of the security in place.

- Internet Security Systems Alerts Denial of Service Attack using the TFN2K and Stacheldraht programs

- RFI aims at security info sharing The Federal Computer Incident Response Center released a call for industry participation in an effort to develop common standards for exchanging security incident information

- Spyware found on one in three corporate networks One in three European companies are harbouring spyware apps on their networks, a new study claims.

- Microsoft adds category to security rating system 'Critical' now applies only to holes that allow worms to spread without user action

- Application Note: Securing BGP on Juniper Routers

- Approaches to Computer Security: Filtering, Testing, and Detection

- Secure File Deletion, Fact or Fiction? Microsoft Windows operating systems and associated applications will be the main focus.

- Secure Deletion of Data from Magnetic and Solid-State Memory

- Weigh the risks before outsourcing security Some things to consider before you outsource security.

- Analysis: The network is the security Analysts say the network security market will inevitably consolidate.

- Seven habits of highly secure companies The article recommends seven habits companies can practice to protect their systems.

- Exploiting systems becoming easier, expert says. Automated attacks against widely deployed systems and applications are increasing in number and sophistication.

- Ports to Adopt RFID Security System RFID tracking technology is designed to prevent terrorists from sneaking weapons of mass destruction into cargo containers.

- Security Of Payment Systems Guides from Verisign

- U.S. National Security Agency 60 Minute Network Security Guide

- Computer Security Audit Checklist

- A guide to rolling out handhelds in the corporate environment This guide offers advice on personnel, technical and security issues for IT teams and systems administrators thinking of implementing a handheld computing policy.

- War stories from the front lines of network security

- Who says biology need be destiny? Today, researchers seeking answers to the technological issue of securing computer networks are turning to nature for solutions.

- Survey shows security improvements in private sector Vast majority has boosted security spending since 9/11 and also put in place crisis communications and updated emergency response plans.

- Is security getting any easier? Progress toward better security seems to be occurring.

- Gates: 'Everything' impacted by security concerns Microsoft shows off a forthcoming update to Windows designed to make the operating system more secure.

- Security tool more harmful than helpful? Easy-to-use scripts to circumvent security--called "exploits"--are a threat to the Internet

- Integrating security: A look at secure content management IDC defines the SCM market as including antivirus, Web filtering and messaging security products.

- Industrial control systems seen as vulnerable lack of a national strategy to deal with SCADA system security makes the nation "undeniably vulnerable" to cyberterrorism.

- Coalition makes recommendations to improve software security a task force of industry and academic officials issued recommendations for improving the software development process

- Route to Security Here's how to keep your network control valves traffic flowing safely

- PDA Security: Chapter 4, When a Handheld Becomes Information Security's Problem

- Breaking code in the name of good Gary McGraw and Greg Hoglund's intentions are to help people build better code by showing them how attackers work.

- Can't Hide Your Prying Eyes New technologies can monitor employee whereabouts 24/7, but CIOs must be prepared for the backlash

- The Kingdom of Impervious: Episode I -- Paradise misplaced (or misappropriated) Take a lighter look at the security world and enjoy the adventures of noblepersons (security gurus) defending their kingdoms (company networks) from evildoers (crackers).

- Dangers of .zip files more than 40 worms since 1999 that have taken advantage of the compressed file format to spread

- The Future of Security In 2010, information security will be much better than it is today. But between then and now, everything will get inconceivably worse.

- Using a layered security approach to achieve network integrity Article states that the current model for network security has some serious shortcomings.

- Copy No-No: Adobe and Uncle Sam Adobe Systems acknowledged it quietly added technology to the world's best-known graphics software to prevent consumers from making copies of the world's major currencies

- The Use and Administration of Shared Accounts

- Security Concerns in Using Open Source Software for Enterprise Requirements

- Using Scripts to Exploit and Mitigate Risks

- Applying the OSI Seven Layer Network Model To Information Security

- Security Survey: Disciplined Security recent surveys expose six common myths about IT security

- Warning sounded on rise of Web compression The amount of compressed Web traffic is growing rapidly, but the bandwidth-saving option may be causing unintended security risks

- Implementing the 'just-enough privilege' security model

- The convergence of logical and physical security There is some talk about the convergence of these two types of security; this paper takes it a step further and details how the two fit together

- System administrators -- the security manager's untapped resource Making sure [security and IT] work together is the single most important thing you can do to secure your organization

- Oracle and Microsoft: A tale of two security philosophies it's not surprising that the companies have differing policies on releasing information about security vulnerabilities

- Logical integration: Physical and IT security If enterprises are serious about eventually integrating their logical security operations with physical security, they can probably turn to the aviation and transportation industries for examples.

- In IT, security is hot In an era of constrained information technology budgets, Corporate America is willing to target money to safeguard employees, data and assets

- Security Considerations in the Information System Development Life Cycle Addresses many key concerns from OMB.

- NIST releases security guides Guidelines for federal agencies to address areas such as the basics of choosing security products and developing security training and awareness.

- Laptop security policy: Key to avoiding infection note of caution regarding the handling of traveling laptops

- Ballmer lays out Windows security plan "Has Trustworthy Computing worked?" he asked rhetorically. "I feel it has, but we have a lot more to do."

- Readers Rate Microsoft's Security Progress reader poll to evaluate Microsoft's progress in Trustworthy Computing

- A legal fix for software flaws? Security experts are debating whether changes to software End User License Agreements (EULAs), which currently exempt vendors from legal liability for flaws, would help improve security

- Firms urged to raise their cyber security Small and medium-sized companies were yesterday urged to raise the computer security awareness of their staff and to invest in computer protection systems

- Three steps CIOs should take to protect corporate data CIOs must take steps now to safeguard their company's regulated data and intellectual property or drown from the deluge of customer and investor loss.

- 3Com launches WAN routers based on Huawei's technology The vendor is broadening its reliance on partners

- DHS cyber division taking shape, despite concerns about waning influence Amit Yoran will take the helm later this month

- Congress Could See Cybersecurity Legislation One proposal would require companies to document efforts to secure systems

- UK workers talk favourite revenge tactics More than half of UK workers would take revenge against a former employer if they were unhappy about losing their job

- Information Security The process of protecting data from accidental or intentional misuse by persons inside or outside of an organization.

- Oracle CSO: 'Unbreakable' security part of corporate culture Oracle chief security officer Mary Ann Davidson talks about "Unbreakable," Trustworthy Computing and more.

- The Trusted PC: Current Status of Trusted Computing

- Security pros talk, but can they walk? Industry and government leaders say they're focused on improving security while flaws continue to be found and exploited.

- Security needs constant attention While the banking industry in SA has assured the market of stringent security measures in place to protect their clients, many other organisations are at risk.

- Network Security: Submarine Warfare In this article, they show you a half-dozen ready-to-use "combat tactics" suited for submarine warfare, the new information warfare paradigm.

- New ID Management Language to Debut SPML, Service Provisioning Markup Language, is an XML-based language for identity management.

- Security data project to combat terrorism The government is developing an IT project to pull together intelligence data from security agencies to help counter terrorism

- Slammed! The article describes the brilliance of the Slammer code in that it is as simple as "Lather, rinse, repeat."

- Is cybersecurity the ultimate distraction? The article examines whether the increased focus on cybersecurity in recent years has resulted in neglect of vital business continuity measures.

- The Emergence of Secure Content Management (SCM) SCM addresses the need for policy-based Internet management tools to manage Web content, messaging security, virus protection and the execution of downloadable applications.

- Business Called on to Fight Cyber Risks Cyber-terrorism is hitting more corporate structures such as banking and finance, telecommunications, utilities, health and food providers focusing more on their daily supply chain rather than mainframe.

- What's BGP got to do with Internet security? BGP is the interdomain routing protocol of the Internet. Its primary purpose is to route Internet traffic, not to ensure the secure delivery of that traffic.

- Tales from the security trenches Companies share their best practices for avoiding internal threats

- Leeds Uni, MS teach undergrads to write secure code Microsoft has teamed up with the University of Leeds to develop the UK's first undergraduate computer security module to focus on the skills that developers need to write secure code.

- Microsoft details new rights management technology The Windows Rights Management Services (RMS) will be able to enforce protection policies by controlling which users can access specific content and what access rights they are granted.

- Program Hides Secret Messages in Executables An application that lets users hide secret messages in virtually any executable computer program, without changing the program's size or affecting its operation.

- Practical security on tap for 2003 2003 will be the year of security practicality, we'll see more focus on security policies and enforcement

- Open and closed security are roughly equivalent Open and closed approaches to security are basically equivalent, with opening a system up to inspection helping attackers and defenders alike

- Security predictions 2003: Future not so bright Year off to hectic start already

- Microsoft Security: What's Next? The progress Microsoft has made in the last year and what lies ahead for Trustworthy Computing.

- Scan 26 Security challenge from the Honeynet Project.

- Information security predictions for the New Year

- Security 2002: For better or worse? Driven by terrorist attacks as well as by persistent computer viruses, security became a top priority for companies and the U.S. government in 2002

- 2002 in review A compendium of events and trends in security.

- Securing Our Critical Infrastructures The most critical infrastructures include banking and finance, telecommunications, energy (gas and electric), transportation, emergency services, and essential government services.

- Total Info System Totally Touchy "Data mining is good for the purpose of increasing sales and figuring out where to place products in stores," he said. "This is very different from figuring out if these products are going to be used for terrorist activities."

- Microsoft: Truly trustworthy computing still years away Microsoft's chief technology officer predicted it would take until the end of the decade for the company’s trustworthy computing initiative to bear fruit.

- Security scare If your organisation doesn’t use a multi-layered security strategy, it does not have a commercial future

- Fibre Channel SAN Security As Fibre Channel SANs become larger and more complex, ensuring the security of the data they contain becomes more difficult

- Smarter-Card Solutions Roundup Companies included in this article offer a broad range of integrated smart cards and biometric solutions -- what we like to call smarter cards

- IT: Homeland Security's Glaring Flaw Uncle Sam's information-sharing, security, and e-mail systems need to be brought up to snuff. And fast

- The Mother of All Cyberbattles? Experts predict that an invasion of Iraq will spill over into a global cyberwar.

- Brave New World, or Business as Usual? 5 infosecurity trends promise a more secure future--one of these days.

- A new era of partnership Microsoft Corp. and the entire IT industry “are on the verge of a new era of partnership with the government” to improve security and address privacy concerns

- Microsoft Earns a Security Merit Badge Though its code is far from rock-solid, the Colossus of Redmond is making recognized strides

- Intel to put security on a chip The initiative involves integrating security features into processors and chipsets to provide a more secure computing environment

- Comment: Laptops can be bags of trouble The police warn that, along with mobile phones, laptops have become a prime target of opportunistic thieves.

- Cybersecurity and You: Five Tips Every Consumer Should Know Cybersecurity strategy begins with an appeal to home users and small businesses

- Baseline Protection Manual - DOS PC (multiuser)

- Baseline Protection Manual - Laptop PC

- Baseline Protection Manual - DOS PC (single user) A commercially available IBM-compatible PC run with DOS or a comparable operating system. Such a PC must not be connected to a local area network

- Baseline Protection Manual - Hard- and Software-Management It is necessary to design all the procedures and processes which affect these IT systems in such a way that the targeted IT security level can be achieved and maintained.

- The Seven Deadly Security Sins Most of them fall into the category of often-overlooked basics

- Building a Secure Platform for Trustworthy Computing This paper discusses plans already underway for building a secure platform for Trustworthy Computing, the results and progress Microsoft has made to date, and offers a collection of the resources available to customers today.

- Security and Trustworthy Computing What Microsoft Is Doing Now.

- The Foundation for Data Security in a Layered Security Strategy Layered security strategies typically contain all or most of the following items: a security policy, an incident response plan, host system security, auditing, intrusion detection systems, router security, firewalls, and vulnerability assessment.

- Security warning draws DMCA threat Hewlett Packard has found a new club to use to pound researchers who unearth flaws in the company's software: the Digital Millennium Copyright Act.

- Keeping your cyber self safe and sound It is quite easy to make you and your computer much less vulnerable

- UK terror 'failings' rejected by Blair Prime Minister Tony Blair insists the UK is doing enough to strengthen security and defence in the wake of the 11 September terrorist attacks.

- Bush security plan calls for background checks The Bush administration plans to convene a panel of government and private-sector experts to determine the legal guidelines for subjecting tens of thousands of private-sector employees to background investigations.

- Identification Procedures for Thermal Transfer Cartridges Cartridges from printers and fax machines that use thermal-transfer or dye-sublimation technology retain images after the print or fax job is completed.

- Study: Open source poses security risks The study argues that open-source software is inherently less secure than proprietary software, and warns governments against relying on it for national security.

- My five IT security wishes If I had a golden ring that would grant me five wishes for Security I suspect they would be something like what this article portrays

- A general guide to Port Scanning A short FAQ.

- U.S. Cyber Security Weakening Cyber security today is far worse than what known best practices can provide.

- Toward More Cybersecurity in 2002 List of resolutions that, if put into action, would help make the Net a much safer place

- The First Step of Exploring a System The first step to finding information about a subject is by simply searching the web for information

- Distributed Object Technology: Security Perspective The objective of this paper is to give a brief introduction to distributed object technology and an overview of security features available in Microsoft.NET and CORBA

- The 21 Best Ways to Lose Your Information Here, in no particular order, are the 21 best ways to not secure your systems.

- A Solaris Backup Script How-To Focuses on the backup script and details a flexible backup script that uses built-in Solaris software tools to create a reliable local backup of a Solaris machine running Oracle.

- New risks, roles for security professionals More than ever, security managers need to think like business people

- US Government Accounting Office - Special Collections on Homeland Security
- Security Requirements for Message-Oriented-Middleware (MOM) Examines the security requirements for middleware; authentication, authorization and encapsulation.

- Common Vulnerabilities and exposures CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.

- Instant messaging--better safe than sorry IM users will jump from nearly 5.5 million in 2000 to over 181 million by 2004. It may mean that you have major security breaches on your hands.

- Message to Vendors: Drop the Mind Games Trinkets and tricky sales techniques won't impress - how about products that work as advertised?

- Ports for Internet Services Information about the ports used by new services, for use by firewall administrators and other network monitors

- Port Numbers Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations (updated 7/01)

- Security Product Reviews From SearchSecurity.com

- A Novice's Guide to the IETF Describes many aspects of the IETF (the Internet Engineering Task Force).

- How Much Protection Is Enough? Too much or too little online security can lead to a world of trouble. Here's a solution.

- End-to-End Confidence Full-service mortgage lending company keeps customer data safe with a multilayer security architecture. (case study)

- Someone to Watch Over You Case study of an effective security function.

- Using Security White Papers Effectively White papers can help, but how can you verify a paper's reliability?

- Security Workers In Short Supply Article on the shortage of skilled resources.

- The Ten Immutable Laws of Security Real security problems as researched by Microsoft.

- Back to Information Security Basics White paper on basic security practices and configurations

- Information Security Management - Learning From Leading Organizations US Government Accounting Office - Executive Guide report 5/98

- Active IETF Working Groups List of current working groups under the Internet Engineering Task Force

- Info-Tech Research Group Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.

- Unified Compliance Framework The Unified Compliance Framework (UCF) is the first and largest independent initiative to map IT controls across international regulations, standards, and best practices

- Norwich University Journal of Information Assurance peer reviewed articles on the practical aspects of information assurance.

- Information Security Learning Guides Learning Guides targeting specific topics to provide you with all the resources you need in one place.

- Vendor Programs Searching for security tools, services or professional/career agencies can be a lengthy, difficult process. Which vendors are "serious" and which are less so? The resources provide a starting point for your research.

- Intrusion Detection FAQ - SANS.org SANS' most widely read FAQ -- Intrusion Detection experts share answers to Frequently Asked Questions.

- Security Service Providers In these lists IT pros will find familiar and not-so-familiar vendors selling security products and services, along with brief descriptions of what each company does.

- Spyware, Adware and Trojans SearchSecurity.com's resource center with the latest news and expert advice on spyware, adware and trojans.

- Computerworld Whitepapers Security Whitepapers resource.

- Computerworld Security Blog

- DETER The goal of the DETER laboratory effort is to create, maintain, and support a collaborative and vendor-neutral experimental environment for cyber-security research

- Council of European Union

- Website of the UK government : Directgov Portal to public service information from the UK Government, including directories, online services, news and information of relevance to specific groups.

- Council of European Professional Informatics Societies (CEPIS) CEPIS is a non-profit organisation seeking to improve and promote high standards among informatics professionals in recognition of the impact that informatics has on employment, business and society

- European (institutions) Personnel Selection Office (EPSO) In this site you will find information on career opportunities in the European Institutions.

- EUR-Lex – the official European Union law.

- Official Journal of the European Union This page presents the online editions of the Official Journal in pdf format

- European Anti-Fraud Office European Anti-Fraud Office/Office Européen de Lutte Antifraude (OLAF)

- The European Parliament

- The Council of the European Union

- Europa The European Union’s gateway (portal)

- Wireless Networking Reference - Security This Web site, from Practically Networked, an EarthWeb site, provides a chronological list of articles about wireless security and related subjects

- Wireless Security Alerts Here's the latest Wireless Security Alerts from F-Secure! Please check here from time to time to get the latest.

- Wireless Access Security Issues The site offers articles and white papers from the SANS Institute, a cooperative research and education organization

- How big of a problem is spyware? Antivirus products allow users to protect themselves from a variety of potential software and Internet threats.

- Darwin.com Online IT magazine.

- "Viruses, Worms and Security Holes" Special Coverage by Computerworld Coverage of the latest news in computer viruses, Trojan horses, worms and security holes.

- The Internet Security Bookstore A wealth of Internet Security books.

- Corsaire A whitepaper resource.

- Secure Root Online computer security resource.

- SecurityDocs Computer Security Papers.

- NIAP Combines the extensive IT security experience of NIST and the NSA to promote the development of technically sound security requirements for IT products and systems and appropriate measures for evaluating those products and systems.

- The Johns Hopkins University Information Security Institute The University's focal point for research and education in information security, assurance and privacy.

- Information Security Forum Members-only site offers practical guidance and solutions to overcome wide-ranging security challenges impacting business information today.

- Information Technology Security Information on the standards development process, on current and proposed standards, and links to other useful resources.

- Information Society The Information Society Portal provides a unique entry point for all European Commission policies and activities related to the Information Society

- Working group offers 25 ways to improve IT security A combination of new legislation, public outreach and insurance changes would enhance government and corporate cybersecurity.

- ISO 17799 Community Forum A Web Portal for computer Security personnel.

- Federal Trade Commission, Privacy initiatives. The Federal Trade Commission is educating consumers and businesses about the importance of personal information privacy.

- Practices and Checklists / Implementation Guides From NIST's CSRC on many technologies

- Guideline on Network Security Testing It focuses on the details of setting up, maintaining and acting on standard enterprise network penetration testing programs.

- International Organization for Standardization (ISO) On line resources

- Internal Lab Security Policy Defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.

- Information Sensitivity Policy Defines the requirements for classifying and securing the organization’s information in a manner appropriate to its sensitivity level.

- U.S. Information Security Law, Part Three This is the third part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals.

- U.S. Information Security Law, Part Two This is the second part of a four-part series looking at U.S. information security laws and the way those laws affect security professionals.

- U.S. Information Security Law, Part One This is the first article in a four-part series exploring the law of information security in the United States.

- U.S. Information Security Law, Part Four This is the last article in a four-part series looking at U.S. information security laws and the way those laws affect the work of security professionals.

- SANS Institute The site contains detailed free information on IT security related issues.

- Honeypots: Simple, Cost-Effective Detection This article will examine the role of detection in the overall security strategy.

- Data deletion standard for Department of Defense The US Department of Defense clearing and sanitizing standard DoD 5220.22-M.

- Be Ready US Department of Homeland Security preparedness site

- Information Security Implementation for a Local Government Implementation of IS security in a local government environment.

- Fed plan exposes 'Net's weak links Three critical components of the Internet's infrastructure are highly vulnerable to a variety of attacks.

- Identity Theft Resource Center (ITRC) Helping People Prevent and Recover from Identity Theft

- Executive Guide to Information Security Terms A guide to information security terms. Provides origins of some terms and jargon.

- Data Warehousing Institute Research information on data warehousing; free white papers (registration required) and a vendor white papers section.

- INSTITUTE FOR THE ADVANCED STUDY OF INFORMATION WARFARE The purpose of the IASIW is to facilitate an understanding of information warfare with reference to both military and civilian life.

- Security Systems News IS Security news articles including an archive, other IS Security resources, a buyers' guide and an online forum.

- NIST Computer Security Resource Center Special Publications

- Information Warfare Site (IWS) The Information Warfare Site is an online resource that aims to stimulate debate about a range of subjects from information security to information operations and e-commerce

- Microsoft Technet Security Provides all the current information related to the security levels of the Microsoft family of products.

- Security Stats Statistics on security incidents and latest computer security news.

- OpenSSH Security Page of resources and links on OpenSSH

- The Ideahamster Organization The resource for inspired Internet security. Open standards in development.

- InfraGard National Threat Warning - Terrorist threat advisory update
- Cable Modem Information

- DSL Center Source of information on DSL, or "digital subscriber lines."

- The Encyclopedia of Computer Security ITsecurity.com is a free security resource for anybody interested in IT security. It is all things security to all security people.

- What is spyware? Also known as "adware," this hidden software program transmits user information via the Internet to advertisers in exchange for free downloaded software.

- Configuring the Desktop Environment and Managing Security Configuring and troubleshooting the desktop environment as well as implementing, monitoring and troubleshooting security.

- Internet Too Complex to Secure Every new product is less secure; every new level of complexity or integration makes a product less secure

- Glossary of Information Warfare Terms

- Microsoft Security Bulletins Base site for all announced Microsoft security issues and fixes

- Generally Accepted Principles and Practices for Securing Information Technology Systems 1996 report from NIST

- Security Glossary Terms used in Security and Intrusion Detection

Access Control
- v6 2009, How to Preserve Security and Autonomy While Meeting Information-sharing Directives Scott Schumacher, Ph.D.

- Strong data security to protect critical assets: A focus on security yields compliance for free This paper offers thought leadership to help you address challenges surrounding information security and compliance issues. It will also introduce you to the value and importance of a hardware security module as a key part of any successful information security program.

- v4 2009, Fraude o Error Fidel Santiago, CISA

- v4 2009, Let’s Go, Vets Steven J. Ross, CISA, CBCP, CISSP

- A Focus on Security Yields Compliance for Free This paper offers thought leadership to help you address each of these challenges. It will also introduce you to the value and importance of a hardware security module as a key part of any successful information security program.

- Auditor Tried to Swipe $9M From Former Company An auditor working for a privately held water supply company in California was caught attempting to move millions of dollars out of the country, in yet another example that a firm's employees can be more dangerous than outside hackers

- 10 Reasons to Deploy an Intrusion Detection and Prevention System An IDPS can secure your enterprise, track regulatory compliance, enforce security policies and save money.

- Biometric security data adds layer of privacy compliance risk Add biometric security data to the list of personally identifiable information (PII) that IT managers must include in their compliance efforts.

- Top 10 Tips for Successful Access Control This paper offers a practical guide to implementing fine-grained access controls with ten aspects that are important to consider when planning an implementation of fine-grained access controls in a corporate server environment.

- Compliance fundamentals: Database logging, privileged access control As she writes, "COBIT and most security frameworks consider these controls sine qua non. Unfortunately, neither fundamental is as sexy as IDS or hackers, and thus receive scant press attention."

- Prepare for compliance auditors: Encourage compliance with IT policies This post is the second in a two-part series. The first post, “review policies and standards,” addressed the first step in preparing for the auditors.

- v1 2009, Risk Associated With Web Application Vulnerabilities Kim Fath and John Ott

- v6 2008, Implementing, Automating and Validating Controls for Privileged Users in Healthcare Organizations Cheryl Traverse

- v5 2008, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v5 2008, Database Security, Compliance and Audit Charles Le Grand and Dan Sarel

- v4 2008, Evaluating Privacy Controls (JOnline) Sean M. Price, CISA, CISSP

- End user Compliance: Creating a security awareness training program this often-neglected area of infosec has had some new life breathed into it.

- Phishing attack uses pop-up message on bank sites Security researchers have discovered a new phishing method that forces pop-up login messages to appear on legitimate banking websites.

- Auditor: IRS still vulnerable to cyberbreaches GAO says the agency doesn't always enforce strong password management, encrypt some sensitive data, or limit number of workers with access to sensitive information

- 5 tips to improve physical access security One of the most overlooked facets of security is casual physical access. Don’t let the need to use the restroom turn into a security breach

- Browser attack technique poses serious threat Called clickjacking, the technique enables the attacker to force a user to click on a specific link. Researchers say the technique has been underestimated.

- Social Security numbers exposed on Iowa land-records Web site A publicly accessible Web site maintained by the Iowa County Recorders Association (ICRA) has made land records containing the Social Security numbers of thousands of state residents

- Vol. 4, 2008, HelpSource Q&A - Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v3 2008, Role Engineering: The Cornerstone of RBAC (JOnline) Srinivasan Vanamali, CISA, CISSP

- v3 2008, Guest Editorial: Mobility Changes (Almost) Everything! William C. Boni, CISM

- v1 2008, Dysfunctional Operations in IT - Kent Anderson, CISM

- Fear users, says IDC security chief "Businesses must fear the user," he said at IDC's Security Conference in London on Tuesday. "You have to control access, as well as educate the user."

- Vol. 2, 2007 Achieving Privacy Through Security Measures C. Warren Axelrod, Ph.D., CISM, CISSP

- Vol. 1, 2007 Company Perspectives on Business Value of IT Investments in Sarbanes-Oxley Compliance Swapna Velichety, Jeongil Park, CPA, Sungkun Jung, CPA, Sooyoun Lee, Ph.D., and Hüseyin Tanriverdi

- Vol. 4, 2007 Achieving Compliance With the PCI Data Security Standard Alex Woda, CISA, QDSP, QPASP

- Vol. 6, 2006, Important, But Often Dismissed: Internal Control in a Microsoft Access Database John H. White, Ph.D., CISA, CPA
- Vol. 6, 2006 Expert Consensus on the Top IT Controls for a Small Business Bruce (Harv) Busta, Ph.D., CISA, Kris Portz, Ph.D., CPA, Joel Strong, Ph.D., CPA, and Roger Lewis, CPA
- JOnline Vol. 5, 2006 Understanding Data Classification Based on Business and Security Requirements Rafael Etges, CISA, CISSP, and Karen McNeil
- Password protection perplexes IT managers Despite the obvious risks and dozens of clever password management practices, IT managers can't seem to convince users to stop carelessly writing down their passwords.

- Special considerations for network-based access control Author Timothy P. Layton examines how network services should be managed to ensure unauthorized access is prevented and provides questions that should be considered when establishing network-based access controls.

- Password protection perplexes IT managers The article discusses password protection and its effectiveness in the workplace.

- Implementing ID and access management (Part 2) This is the second in a two-part series on identity and access management options for SMBs.

- Setting up identity and access management for SMBs (Part 1) This is the first in a two-part series on identity and access management options for small and midsized businesses (SMBs).

- Identity and Access Management Security School Each lesson is comprised of a webcast, podcast, technical article and quiz -- all available on-demand for your convenience

- v2 2006, Strengthening Access Control: Using Smart Cards (JOnline) Tara Kissoon, CISA, CISSP

- v6 2005, Security and Ownership of Personal Electronic Devices Richard A. Bassett, DPS, Rita Mack, Jason Foster and Andrew Swiatlon

- v6 2005, Best Practices for Establishing an Effective Workplace Policy for Acceptable Computer Usage John Nolan

- Changing Passwords for Key User Accounts The goal with this article is to expose a few vulnerabilities in your network, so that they can be fixed.

- Passwords In Security Breaking into corporate networks, and thereby corporate information, has never been easier. This article discusses why.

- Hashing out stronger password authentication

- Life beyond passwords How phishers killed the password (and why that's a good thing)

- Protect Your Passwords -- Part 1 The plunging cost of memory has given rise to a possible solution to the password-recall problem that plagues nearly all computer users.

- Password Palooza Passwords are more secure than you think. And you can make them even better using intelligent password management.

- Passwords: the Weak Link in Network Security In this article, we will discuss how passwords work, why and how passwords are vulnerable, how to create more secure passwords.

- Using passwords as a defense mechanism to improve Windows security (Part 2) In this article I will focus more on the global settings of password policies and where to change them to incorporate the 20 Golden rules of good password management in Part 1.

- Using passwords as a defense mechanism to improve Windows security (Part 1) This two-piece article highlights the need for strong passwords.

- Protect Against Weak Authentication Protocols and Passwords There are methods that you can implement that will protect against weak authentication protocols and password hashes being generated.

- Passwords - Common Attacks and Possible Solutions This article will provide you with an overview of how important, yet fragile, passwords security really is.

- v6 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v5 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v3 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v2 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v1 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v3 2002, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v2 2002, Increasing Security Levels Nadia Alga
- v2 2002, A Beginner's Guide to Auditing the AS/400 Operating System Judith S. Bines, CISA, CPA, CFSA, CBM
- v1 2005, Cost-effective Implementation of Identity Management Srinivas Sarva, CISA, AICWAI

- v5 2004, Book Review: Role-based Access Control (RBAC) Reynaldo J. de la Fuente, CISM, CISA

- v4 2004, Identity Management Framework: Delivering Value for Business Srinivasan Vanamali, CISA, CISSP

- v4 2004, HelpSource Q&A B. Ganapathi Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA

- v4 2004, Auditing Security and Privacy in ERP Applications S. Anantha Sayana, CISM, CISA, CIA

- v3 2004, A Guide to Wireless Network Security Mitchell Ashley

- v3 2004, Book Review: Network Security: The Complete Reference Kamal Parmar, CISA, ACCA, CCNA, MCP

- v2 2004, HelpSource Q&A Fred Lilly

- v6 2003, Identity Management: A Business Strategy for Collaborative Commerce Jay Ahuja
- v5 2003, Apache Security Controls and Auditing K. K. Mookhey
- v5 2003, Approach to Auditing Network Security S. Anantha Sayana
- v4 2003, Identity and Access Management Bill McQuaide
- v4 2003, Preventing EFT Fraud John E. Humphries, Jr., CISA, CISSP GSEC
- v4 2004, Identity Architecture Steven J. Ross, CISA
- v3 2003, Identifier Management Steven J. Ross, CISA
- Efficient Zero-knowledge Authentication Based on a Linear Algebra Problem The general problem addressed is the classical problem of interactive entity authentication.

- Information Security The process of protecting data from accidental or intentional misuse by persons inside or outside of an organization.

- Biometric-based passport in the works The State Department is developing a passport that contains biometric technology to authenticate the identities of U.S. citizens who travel abroad

- Snags hold up biometrics, experts say The article discusses the advantages and drawbacks of biometric technologies.

- Time is ripe for biometrics The cost of acquiring and managing biometric technology has fallen steadily, so the future of biometrics may be now.

- Trends In Biometric Security (Part 2): Heterogeneous Security Solutions Security solution providers need to focus on developing biometric technologies that reinforce but do not replace current authentication methods such as passwords

- Role Based Access Control With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role

- Journal v2, 2002, Increasing Security Levels - by Nadia Alga

- Common Vulnerabilities & Exposures Dictionary of Common Vulnerabilities and Exposures, Free Newsletters, News and Events.

Application Security Issues

- Software (In)security: Securing Web 3.0 The biggest security problem in the Web 3.0 world will be controlling state over time with a jungle of new syntax.

- Application Denial of Service Attacks

- v1 2005, Web Services Security Mohan Bhatia, CISM, AICWA, CCM, FRM, PGDST

- v4 2004, Effective Encryption Requires an Integrated System Greg Farris

- v4 2004, Systems Development Advice in a Web-enabled World Sanjiv Kumar Agarwala, CISA, CISSP

- v3 2004, A Guide to Wireless Network Security Mitchell Ashley

- v6 2003, Patch Management: An Effective Line of Defense for UNIX and Linux Chris Andrew
- v5 2003, Apache Security Controls and Auditing K. K. Mookhey
- v4 2003, Preventing EFT Fraud John E. Humphries, Jr., CISA, CISSP GSEC
- v6 2002, Web Application Security Ken Stasiak, CISA, CISSP, GSEC
- v6 2002, A Survey of Application Security in Current International Standards Fredric Greene, CISSP, CPA, CCNA, MCSE
- Ten questions to ask about application security systems These 10 questions will help you evaluate whether a product delivers true application protection

- U.S. National Security Agency 60 Minute Network Security Guide

- Decoding Application Security Today's Web-connected applications need more than just firewalls. Application-security gateways can't grow up fast enough.

- PDA Security: Chapter 4, When a Handheld Becomes Information Security's Problem

- A tool for running Snort in dynamic IP address assignment environment. Details the creation of a small tool program which aids the operation of the Snort IDS in dynamically assigned IP address environment.

- The Foundation for Data Security in a Layered Security Strategy Layered security strategies typically contain all or most of the following items: a security policy, an incident response plan, host system security, auditing, intrusion detection systems, router security, firewalls, and vulnerability assessment.

- A Novice's Guide to the IETF Describes many aspects of the IETF (the Internet Engineering Task Force).

- Information Security Management - Learning From Leading Organizations US Government Accounting Office - Executive Guide report 5/98

Authentication

- v4 2009, Let’s Go, Vets Steven J. Ross, CISA, CBCP, CISSP

- GAO report finds security lagging at federal agencies Twenty-three of the 24 major U.S. government agencies contain weaknesses in their information security programs, potentially placing sensitive data at risk to exposure, according to a government report issued this week.

- Financial Insights (IDC Co.) Study: Customer Data Security In this study, Financial Insights describes emerging priorities in the management of information security for financial institutions, with an emphasis on the management of customer information security. We describe the main strategies financial institutions are adopting in response to security attacks and regulatory requirements.

- Top 10 Tips for Successful Access Control This paper offers a practical guide to implementing fine-grained access controls with ten aspects that are important to consider when planning an implementation of fine-grained access controls in a corporate server environment.

- Biometrics project studies ways to combat bank fraud An industry group recently launched a project to analyze how biometrics could strengthen customer identification and help thwart fraud.

- Leverage the Benefits of a Shared Authentication Network Read this whitepaper to learn about a shared two-factor authentication network, and why it is an essential requirement for continued customer participation in online interactions and commerce.

- Study of banking malware analyzes underground economy A recent study of keyloggers and banking Trojans provides a view into the underground economy of stolen bank account credentials, passwords and credit card numbers.

- v4 2008, What Every IT Auditor Should Know About Access Controls Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA

- How does bad password policy like this even happen? Just when you think you’ve seen the worst case of bad authentication policy you’ll ever see, you’ll stumble across something even more surprising and unfathomable

- Vol. 4, 2008, What Every IT Auditor Should Know About Access Controls - Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA

- v6 2007, Analysis of FFIEC Guidance: Technologies and Decisions on Authentication - Mikhael Felker, CISSP-ISSEP

- v4 2006, A Holistic Definition of IT Security—Part 2 Yusuf Musaji, CISA, CISM, CPA, CISSP, CGA
- Remote Authentication: Different Types and Uses Computer networks have arguably helped worker efficiency and helped a company’s bottom line. With that has come the need for workers to, at times, remotely log into the corporate network. This is ideally done via secure means. Within the confines of this article we will look at several of these methods.

- Why and how to implement SecurID Authentication Social engineering has become a growing problem for companies of all sizes.

- Super Power Password Protection - Watching You Watching Me

- How Companies Can Manage Strong Authentication Intelligently The use of security systems for strong authentication practically excludes the risk of passwords being deliberately stolen or cracked.

- Signed and Sealed? Might Get Delivered! While two-factor authentication schemes face various snags, S/MIME is ready to help secure e-mail today.

- Understanding IPsec identity and authentication options This article is part of the Identity and Access Management Security School lesson on VPNs and remote access. Visit the VPNs and remote access lesson page for more learning resources.

- Second Thoughts on Second Factors Seven ways in which a new strong-authentication standard isn't quite what it appears to be.

- Passwords still the weakest link Insiders exploit lax password management policies that give systems administrators, computer programmers and others access to service account and administrative passwords.

- v5 2005, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- v4 2005, A Manager's Guide to Identity Management and Federated Identity Leslie Pang, Ph.D.

- Public Key Infrastructure (PKI): A Primer PKI can scale well while avoiding the costs and inconveniences of password loss. This article delves into that idea.

- Problems with authentication Columnist Paul A. Strassmann discusses the challenges involved with various methods of authentication.

- Authentication and access Discusses how authentication can help secure your system and prevent you from sending harmful information to someone else's system.

- Taking a swipe at two-factor authentication An essay in an April trade magazine maintains that two-factor authentication can't counter emerging threats; this article discusses that essay and its claims.

- v1 2000, New Book Addresses Online Signature Authentication
- v3 2001, E-commerce and Smart Cards Marcelo Héctor González, ASS, CISA
- v3 2001, Choosing the Best Solution for Your Network Security: Secure Shell, TLS or IPSec Anne Carasik
- v2 2001, Fighting Security Breaches and Cyberattacks with Two-Factor Authentication Technology Tony Walker, Ph.D.
- v2 2001, Automated User Authentication Mark K. Willoughby
- v1 2001, Helping Businesses Safeguard Information and Networks Ron Hale
- v1 2001, Virtual Private Networking—New Issues for Network Security Lily Shue, CISA, CCP
- v1 2001, Why Passwords Persist Steven J. Ross, CISA
- v2 2002, Siebel's eBusiness Application and Controls Kees Jansen, CISA
- v2 2002, Increasing Security Levels Nadia Alga
- v1 2005, Fingerprint Identification: An Aid to the Authentication Process Rodger Jamieson, Ph.D., CA, Greg Stephens and Santhosh Kumar

- v1 2005, Cost-effective Implementation of Identity Management Srinivas Sarva, CISA, AICWAI

- v1 2005, Web Services Security Mohan Bhatia, CISM, AICWA, CCM, FRM, PGDST

- v1 2005, Common Criteria: An Overview K.K. Mookhey

- v4 2004, Biometrics: An Overview of the Technology, Challenges and Control Considerations Michael P. Down, OCNP, and Richard J. Sands, CISSP, OCNP

- v4 2004, Identity Management Framework: Delivering Value for Business Srinivasan Vanamali, CISA, CISSP

- v4 2004, Biometrics—Risks and Controls Christos K. Dimitriadis, CISA, CISM, and Despina Polemi, Ph.D.

- v4 2004, Systems Development Advice in a Web-enabled World Sanjiv Kumar Agarwala, CISA, CISSP

- v3 2004, A Guide to Wireless Network Security Mitchell Ashley

- v3 2004, Using Wireless Network Audit Techniques Michael T. Hoesing, CISA, CIA, CISSP, CPA, and Vasant Raval, CISA, DBA

- v6 2003, An Introduction to Cryptography Fred Piper
- v6 2003, Identity Management: A Business Strategy for Collaborative Commerce Jay Ahuja
- v6 2003, Large-scale Biometric Management: A Centralized, Policy-based Approach to Reducing Organizational Identity Chaos Jim Byrne
- v5 2003, HelpSource Q&A Fred Lilly, CISA, CPA
- v4 2003, Identity and Access Management Bill McQuaide
- v4 2004, Identity Architecture Steven J. Ross, CISA
- v3 2003, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v3 2003, Identifier Management Steven J. Ross, CISA
- Token Effort USB tokens aren't as strong as you think. Multifactor authentication is meaningless when the supporting software is insecure.

- Talking To Strangers: Authentication in Ad-Hoc Wireless Networks Presents a user-friendly solution, which provides secure authentication using almost any established public-key-based exchange protocol.

- Extensible Authentication Protocol (EAP) This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements.

- Authentication and Authorization: The Big Picture with IEEE 802.1X

- Efficient Zero-knowledge Authentication Based on a Linear Algebra Problem The general problem addressed is the classical problem of interactive entity authentication.

- Authentication and Authorisation for (W)LAN using 802.1X

- Final E-Authentication architecture approved Final architecture for a federated e-authentication portal.

- FTC wants to encourage e-mail authentication standards The Federal Trade Commission is responsible for policing the Internet for online fraud such as phishing.

- Securing SQL Connection String Paper focuses on protecting connection strings used to authenticate communication between the web server and the back-end database.

- Practice safe resets: How to securely use a password self-service solution Tips on securely using password self-service technology.

- Error Tolerant Password Recovery The user is able to recover the correct key if she remembers a certain percentage of the passwords correctly.

- Will Trade Passwords For Chocolate Fun and interesting survey.

- Mass-Market Authentication: the Gateway to Access-Hungry Consumers The need for greater security has meant added complexity and cost for user and provider alike. Strong authentication of users that is both easy to use and cost-effective is the answer.

- An Overview of the Kerberos Authentication Protocol

- Recommendation for Electronic Authentication NIST has released its Special Publication 800-53; the initial draft covers low and medium security baselines.

- OMB releases e-authentication guidance Steps to assess system risks, identify their proper assurance level and select the right technology to implement it.

- It's All About Authentication This paper categorizes and then simplifies some of the core fundamentals of electronic security controls and mechanisms, and concludes that authentication is the single most important aspect of information security.

- Passwords are Dead (Long Live Passwords) Short description of alternative methods of authentication

- Details of Kerberos Vulnerability Leaked The Kerberos development team at MIT said the contents of an unpublished paper with details of this vulnerability have been leaked on the Internet.

- THE NEW HOLY GRAIL? Authorization policy servers make single sign-on a reality in multi-application Web environments.

- Access Control Management The short answer is that for most people the term "access control" means little.

- An Old-Fashioned Solution to Reducing Fraud in e-Commerce Trust model underlying every security infrastructure is the initial authentication of online users

Awareness Programs

- Cybersecurity Awareness: Rules of the Virtual Road Your information security program is only as strong as your weakest link. In the case of many businesses, including financial institutions, that weakest link is your customer or your employee.

- GAO report finds security lagging at federal agencies Twenty-three of the 24 major U.S. government agencies contain weaknesses in their information security programs, potentially placing sensitive data at risk to exposure, according to a government report issued this week.

- Security policies need simplifying, expert says Company security policies are often unfocused and get in the way of overall business objectives. The result is a hodgepodge of security rules frequently ignored by end users and ultimately an increased risk of data leakage

- InfoSec: Cybersecurity expert says preparation key to business survival The world is more interconnected than ever before, so security pros have opportunities to make a difference in their enterprises, a former White House cybersecurity adviser told a group of CSOs.

- End user Compliance: Creating a security awareness training program This often-neglected area of infosec has had some new life breathed into it.

- An SMB PCI DSS Learning Opportunity If you see an opportunity to provide some awareness to a business about information security, privacy or compliance, take it!

- Security policy being bypassed by employees, survey finds Companies are encouraging employees to leave the office with sensitive information; the trick is putting appropriate security controls in place so that doing so is safe.

- Sound compliance policies, practices reduce legal costs How much you spend on legal costs does not depend so much on the size of your organization, but rather on the policies, processes and practices you have in place.

- v3 2008, Book Review: Stepping Through the InfoSec Program C. Warren Axelrod, Ph.D., CISM, CISSP

- Women Are Four Times More Likely to Give Up Passwords for Chocolate Researchers stood outside the Liverpool Street tube station in London and offered 576 office workers a bar of chocolate for filling out a survey. Included in the survey was a range of personal information, including name, address, birthdate, and computer passwords.

- Fear users, says IDC security chief "Businesses must fear the user," he said at IDC's Security Conference in London on Tuesday. "You have to control access, as well as educate the user."

- v3 2006, A New Approach for Assessing the Maturity of Information Security Saad Saleh AlAboodi, CISSP
- Social Engineering impact due to human behavior

- Security Awareness Professional Awareness Training Materials and Services

- Security awareness training for SMBs It's a good idea, in any case, to educate employees about computer security hygiene. It can help protect the intellectual assets of a company, the loss of which could be especially lethal to an SMB without resources to protect itself. However, unlike the regulated companies they may serve, SMBs don't have lavish budgets and staff for dedicated training departments

- Security awareness training for SMBs Two things an SMB should keep in mind for its security awareness program. First, it should teach a consistent security message to the entire company; SMBs are too small to have multiple training programs with different slants. Second, it should be managed by your IT department.

- Security awareness training: Stay in, or go out? Once your company has made the decision to conduct security awareness training, the next big decision is whether to do it in-house or outsource it to a professional training company.

- v5 2002, Loose Lips Sink Chips Steven Ross, CISA
- v2 2004, Book Review: The Art of Deception: Controlling the Human Element of Security Janine McMinn, CISA

- Key to policy success: Centralized information security training If your organization doesn't yet use a centralized approach to information security training, there are four steps that you can take to get on track.

- PCs Monitored, E-mail Bugged The average computer houses roughly 28 items of monitoring software, unbeknownst to the user.

- Essential Information Security For Corporate Employees

- Building A Security Awareness Program The primary goal of the program should be to recognize threats and vulnerabilities and respond to them appropriately

- Brush up on personnel security It's important that your security policy include a sound personnel security program.

- The art of self-defense in network security The article discusses ways to implement a strong, multifaceted defense and it begins with some basic architectural decisions.

- Social engineering attacks: What we can learn from Kevin Mitnick "Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he isn't."

- Assessing Your Company's Security Aptitude How smart are employees at your company when it comes to safeguarding corporate information systems? A test for security aptitude.

- Creating the effective Security Awareness Program and Demonstration The most potentially vulnerable area within the corporate infrastructure is the end user.

- Oasis to create an XML security standard Standards body Oasis has formed a technical committee to create a model and data format for describing security problems.

- Office workers give away passwords for a cheap pen The second annual survey into office scruples, conducted by the people organising this month's InfoSecurity Europe 2003 conference, found that office workers have learnt very little about IT security in the past year.

- Poor training causes security holes Human error in the workplace still poses the single biggest threat to corporate networks, with a lack of training being blamed for problems businesses should have overcome long ago.

- Study: Human error causes most security breaches The survey, "Committing to Security: A CompTIA Analysis of IT Security and the Workforce," suggests more training and certification of IT workers will help the U.S. protect itself against cyberthreats

- Keeping workers aware of security Organisations worldwide are concentrating on creating and improving employee security awareness

- Data security needs staff effort Data security is about human behaviour as much as technology. No company can hope to protect its data without first educating its people

- Quiz: Security awareness for end users To help you in your efforts to raise security awareness in your organization, we've created the enclosed quiz.

- Curious employees are biggest security risk Employees are the biggest security problem for most businesses.

Biometrics

- Biometric security data adds layer of privacy compliance risk Add biometric security data to the list of personally identifiable information (PII) that IT managers must include in their compliance efforts.

- Govt. biometrics use still raises privacy concerns But more widespread use of biometrics, especially by the government, raises substantial privacy concerns that may alarm many Americans and prove difficult to resolve

- Anti-cybercrime legislation sent to president "The key anti-cybercrime provisions that are included in this legislation will close existing gaps in our criminal law to keep up with the cunning and ingenuity of today's identity thieves,"

- Biometrics Security: Thumbs Down? Though biometrics are becoming commonplace, the debate rages over whether they're effective

- Handling Accountability Issues Polk County School District, the eighth-largest school district in Florida, replaced a cumbersome and insecure password system with innovative, biometric technology available for SAP software.

- v4 2006, A Holistic Definition of IT Security—Part 2 Yusuf Musaji, CISA, CISM, CPA, CISSP, CGA
- Biometric Data Specification for Personal Identity Verification

- Adding Biometrics to Enterprise Security Arsenal Are biometrics ready for widespread deployment? What are the pros and cons of going with this security weapon?

- Finger On The Pulse Of Identity Are biometric technologies sufficient to provide good security while also ensuring the privacy and trust of end users?

- Seeing is believing Iris-recognition systems provide highly secure authentication.

- Face-off Face recognition is emerging as a viable tool for verifying identities

- Biometrics: Getting Back to Business Turning to biometrics for access control.

- Biometrics gaining more identity as security option Here's an introduction to biometrics

- Considerations for biometric use The article argues that biometrics are a fine way to do authentication, but they need to be handled carefully.

- BIO-key International Vendor site offering fingerprint biometric solutions.

- Pointing the finger at biometrics Discusses how biometrics fared at the recent 2005 Consumer Electronics Show (CES) in Las Vegas.

- Will 2005 measure up as the year of business biometrics? The author discusses how far biometrics have come in business in 2005.

- v3 2001, Issues & Comments Michael P. Cangemi, CISA, CPA
- v2 2001, Issues & Comments Michael P. Cangemi, CISA, CPA
- v4 2002, Buyer's Guide
- v2 2002, Increasing Security Levels Nadia Alga
- v2 2002, Issues & Comments Michael P. Cangemi, CISA, CPA
- v1 2002, Issues & Comments Michael P. Cangemi, CISA, CPA
- v1 2005, Fingerprint Identification: An Aid to the Authentication Process Rodger Jamieson, Ph.D., CA, Greg Stephens and Santhosh Kumar

- v4 2004, Biometrics: An Overview of the Technology, Challenges and Control Considerations Michael P. Down, OCNP, and Richard J. Sands, CISSP, OCNP

- v4 2004, Biometrics—Risks and Controls Christos K. Dimitriadis, CISA, CISM, and Despina Polemi, Ph.D.

- v6 2003, Large-scale Biometric Management: A Centralized, Policy-based Approach to Reducing Organizational Identity Chaos Jim Byrne
- v4 2003, Enforce Security with a Fingerprint Biometric Solution John Wallhoff, CISA, CISSP
- Biometrics by Fire From iris scans to fingerprints, three DHS pilot programs have created a high-profile test bed for biometrics technology

- Americans give thumbs up to biometrics Most Americans are willing to accept increased use of biometric technologies by private sector firms, providing proper privacy safeguards are applied.

- Application Note: Securing BGP on Juniper Routers

- Biometric security: more bottom-line benefits, less James Bond Biometric security and ROI.
- 9/11 report urges info sharing, biometrics Adoption of biometric technologies and the completion of a visitor tracking system.

- Biometric Security One of the most common causes of network security breaches is easily guessable or insecure passwords.

- Biometrics: Security Boon or Busting Privacy? Privacy advocates and security vendors square off over public use of facial recognition technology.

- A guide to rolling out handhelds in the corporate environment This guide offers advice on personnel, technical and security issues for IT teams and systems administrators thinking of implementing a handheld computing policy.

- Security strategies for E-Companies Computers will automatically recognize and handle the identification and authentication function with little effort on my part.

- Biometrics Large-scale deployment of biometric identification and authorization systems throughout the United States.

- Military certifies biometric profile The first of five planned biometric protection profiles for DOD and other government agencies.

- Cell Phone Reads User Fingerprint Cell-phone touchpad with built-in fingerprint recognition as a security feature.

- Smart cards: A step ahead, or a step backward?

- Expanding the Reach of Speech Recognition Speech recognition is poised to continually improve productivity in the clinical documentation process.

- Can't Hide Your Prying Eyes New technologies can monitor employee whereabouts 24/7, but CIOs must be prepared for the backlash

- Biometrics Enters Third Dimension biometric security device that generates in-depth, three-dimensional facial portraits similar to holograms and secure enough to be embedded in documents

- The Biometrics Myth The author suggests using an encrypted vault to store biometric data.

- Identity Confirmed, Access Permitted The Basics On Voice Authentication, Security And Consumer Use Of An Emerging Biometric.

- The “People” Element In Biometrics And Physical Access Control The article discusses hand vascular pattern identification as a biometric security measure.

- Trends In Biometric Security (Part 3): Buyer Behavior Analysis Part 3 in a 3 part series on biometric security.

- Biometric Security Barely Skin-Deep Vulnerabilities in biometrics security.
- Biometric Security Products Microsoft Certified Professional Magazine discusses biometrics solutions.

- A Practical Guide to Biometric Security Technology Thorough overview of Biometric principles.

- Roles for NIST Accelerating Biometric Consensus Standards. NIST white paper discussing Biometrics.

- Challenges in Using Biometrics GAO White Paper on Biometrics.

- Implementing the 'just-enough privilege' security model

- The convergence of logical and physical security There is some talk about the convergence of these two types of security; this paper takes it a step further and details how the two fit together.

- Comparison of biometric technologies

- Practical biometrics A brief look at a few common biometric technologies.

- Las Vegas airport to implement RFID baggage-tag system The first phase of the airportwide system is expected to be in use by May

- Health fears hamper biometrics use The article discusses how users are concerned that scanners can cause damage

- Hackers Claim New Fingerprint Biometric Attack "We have developed methods to fake fingerprints on the run"

- NIST releases guidelines for IT security metrics The National Institute of Standards and Technology has released its final version of guidelines for developing metrics to help ensure agencies meet IT security requirements.

- Security Considerations in the Information System Development Life Cycle Addresses many key concerns from OMB.
- NIST releases security guides Guidelines for federal agencies to address areas such as the basics of choosing security products and developing security training and awareness.

- The state of IT security: Disaster recovery is hot; biometrics is not

- Biometrics hot topic on Capitol Hill

- Use of RFID Raises Privacy Concerns 'Smart' tags could profile consumers, critics contend.
- Feds Plan Biometrics For Border Control Technology details not finalized, but $400M system is due for use next year

- Atmel solves fingerprint riddle Thermal fingerprint tech improves scanning in small devices

- Vendors lock down PCs Radio frequency technology, biometrics protect PCs from internal breaches

- Biometric-based passport in the works The State Department is developing a passport that contains biometric technology to authenticate the identities of U.S. citizens who travel abroad

- Smart cards of different stripes Differing priorities mark DOD, DHS and TSA efforts

- Combining Functions Another issue for contactless cards is the large installed base of proximity cards and readers for physical access

- Changing with the times GSA's smart card contract zeros in on post-Sept. 11 priorities

- Snags hold up biometrics, experts say The article discusses the advantages and drawbacks of biometric technologies.

- The Trusted PC: Current Status of Trusted Computing

- Why Biometrics Is No Magic Bullet This promising ID technology works best in controlled situations -- which are hardly the norm in the real world

- Time is ripe for biometrics The cost of acquiring and managing biometric technology has fallen steadily, so the future of biometrics may be now.

- Sensing the future of security Once exotic, biometric technology may be heading for a desktop near you.

- Security tool double-checks identity A new biometric device checks not only a user's signature but also their fingerprints before granting access.

- Trends In Biometric Security (Part 2): Heterogeneous Security Solutions Security solution providers need to focus on developing biometric technologies that reinforce but do not replace current authentication methods such as passwords

- Trends In Biometric Security: The Biometric ASP Model One of the top trends in the biometric industry is the emergence of a Biometric Service Provider (BSP) model, a biometric-specialized application service provider (ASP) model

- Face Your Options What's needed in high security applications is a way to let staff in through doors quickly, while identifying each individual passing through a door. The technology needs to be fast - ideally, it needs to be hands-off.

- Picking Your Brain In The Name Of Security Brain fingerprinting

- The Rolls Royce of Security So is biometric security right for your application? There are several factors to consider

- Testing the limits of biometrics There are few judicial developments regarding collection of biometric identifiers

- Biometric Selection: Body Parts Online The scope of this paper is limited to the selection of biometric technology as an authenticator in a networked environment.

- Technology vs. Civil Liberties? Government's Use of Biometrics Security Technology Worries Some Privacy Activists

- NIST identifies good and bad points of biometrics The National Institute of Standards and Technology is busy wrapping up an evaluation of biometric technology for Congress, as mandated by the USA Patriot Act of 2001.

- College Seeks Security in Thumbs It's down with passwords and up with thumbs for a school in Iowa trying to keep its data safe

- Fingerprint scanners can be fooled Many biometric scanning systems are not as foolproof and reliable as you might think

- Biometrics Come of Age A braver new world of iris recognition and fingerprinting

- Biometric sensors beaten senseless in tests Comprehensive tests of 11 consumer-orientated biometric products by German technology magazine c't.

- A Solaris Backup Script How-To Focuses on the backup script and details a flexible backup script that uses built-in Solaris software tools to create a reliable local backup of a Solaris machine running Oracle.

- Fun With Fingerprint Readers Article about fooling biometric thumbprint readers.

- Journal v2, 2002, Increasing Security Levels - by Nadia Alga

- Journal v2, 2002, Issues & Comments - by Michael P. Cangemi, CISA, CPA

- Biometrics Inside Out Most biometric authentication methods rely on a mathematical representation of certain features within the fingerprint, iris, or voice print.

- 'Bond'-foolish or business-wise? Is it time for my business to look at biometrics or is it just another idea ahead of its time?

- Biometrics at Work? Recent advances have made biometrics more reliable, accurate, scalable, and cost-effective for the enterprise.

- Journal v2, 2001, Automated User Authentication: The Final Frontier of Information Security - by Mark K. Willoughby

- Journal v2, 2001, Issues & Comments - Biometrics - by Michael P. Cangemi, CISA,CPA

- Fingerprint Matching: Among all the biometric techniques, fingerprint-based identification is the oldest method which has been successfully used in numerous applications.

- Fingerprint Recognition Fingerprint identification is the oldest and most reliable biometric technique in use today.

- Feds Face Deadlines on Smart ID Cards A 2004 presidential directive calling for governmentwide adoption of smart cards is running out.

- Forget fingerprints and eye scans; the latest in biometrics is in vein Fujitsu has a security device that uses vein patterns to verify identity.

- IT, biometrics key to CIS strategy through 2015 A new case management system would create online processes for case referrals and comprehensive data sets for each applicant.

- Biometrics: A Journal of the International Biometrics Society A forum for academic and scholarly information about biometrics.

- The Biometric Consortium A focal point for research, development, testing, evaluation and application of biometric-based identification and verification technology.

- Bioidentification: FAQ Answers and information compiled by Dr. Manfred Bromba.

- Advanced Software Technologies In Spanish, Advanced Software Technologies site.

- Cordis Community research and development information service.

- Corsaire A whitepaper resource.

- Information Technology Security Information on the standards development process, on current and proposed standards, and links to other useful resources.

- SafeGuard Biometrics Biometrics as the Key to your Smartcard

- findBIOMETRICS.com's Biometrics Glossary

- findBIOMETRICS.com A site that boasts to be the 'complete identification verification resource'.

- BiometriTech Biometric Solutions For Secure Access And Authentication

- The Biometrics Institute Home page of valuable Biometrics resource.

- Practices and Checklists / Implementation Guides From NIST's CSRC on many technologies

- Gov't speaks to voice identification Discussion on voiceprint technology

- Fidelity looks at biometrics to ID clients, employees It is emerging as an alternative for companies to authenticate employees and clients without using passwords.

- Access in a flash Contactless smart cards gain ground in federal market

- Internal Lab Security Policy Defines requirements for internal labs to ensure that confidential information and technologies are not compromised, and that production services and interests of the organization are protected from lab activities.

- SANS Institute The site contains detailed free information on IT security related issues.

- Are Biometrics The Answer? Certain situations, however, lend themselves to the use of biometrics

- Association for Biometrics To provide a forum for the European and International Biometrics Community

- BioAPI Consortium was formed to develop a widely available and widely accepted API that will serve for various biometric technologies.

- European Biometric Forum brings together 9 major European players in a co-ordinated effort to realise opportunities

- International Biometric Industry Association (IBIA) Trade association to advance, advocate, defend and support the collective international interests of the biometric industry

- Biometric Digest Guide to the companies and people providing and using biometric technology for identification, fraud prevention, security, convenience, customer service, and other applications

- Biometric Security Information on security products based on biometrics

- International Biometric Group Vendor links; research on the biometric market; biometric market forecast; use of biometrics in network security, financial services and government applications; hands-on comparison of biometric solutions.

- The Biometric Consortium Introduction to Biometrics; Research & Databases; Meeting & Events, Standards Activities Links, Publications & Periodicals

- Precise Biometrics Vendor site with newest biometric products

- Biomet Organization Great deal of information on fingerprint recognition and existing projects

- Biometrics Facial Scan Source for independent, objective information on facial scan biometric research and usage

- Face Recognition Home Page This page is focused on the task of detecting faces in arbitrary images.

- Biometrics Numerous resources on biometrics

- Generally Accepted Principles and Practices for Securing Information Technology Systems 1996 report from NIST

Computer Crime / Forensics
- Securing the Information Infrastructure - by Joseph Kizza and Florence Migga Kizza. 2008, 386 pages.
- Computer Aided Fraud Prevention and Detection: A Step by Step Guide - by David Coderre. 2009, 304 pages.
- Essentials of Corporate Fraud - by Tracy Coenen. 2008, 207 pages.
- Storm Worm: The Energizer bunny of botnets In the world of botnets, Storm isn’t king anymore, but Storm’s botnet owners aren’t giving up.

- Insider Computer Fraud: An In-depth Framework for Detecting and Defending Against Insider IT Attacks - by Kenneth Brancik. 2007, 504 pages.
- Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, 2nd Edition - by Albert Marcella Jr. and Doug Menendez. 2007, 528 pages.
- Fraud Casebook: Lessons from the Bad Side of Business - by Joseph T. Wells. 2007, 624 pages.
- Phishing & Counter Measures: Understanding the Increasing Problem of Electronic Identity Theft - by Editors: Markus Jakobsson and Steven Myers. 2007, 700 pages.
- Corporate Fraud Handbook: Prevention and Detection, 2nd Edition - by Joseph T. Wells. 2007, 456 pages.
- Gray Hat Hacking: The Ethical Hacker's Handbook, Second Edition - by Shon Harris, Allen Harper, Chris Eagle and Jonathan Ness. 2007, 512 pages.
- Fraud Auditing and Forensic Accounting, 3rd Edition - by Tommie Singleton, Aaron Singleton, G. Jack Bologna and Robert J. Lindquist. 2006, 336 pages.
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers - by Kevin D. Mitnick and William L. Simon. 2005, 288 pages.
- Cybercrime: Incident Response and Digital Forensics - by Information Systems Audit and Control Association. 2005, 218 pages.
- Fraud Investigation Using IDEA - by C. Stephen Turnbull. 2004, 85 pages.
- v6 2009, Book Review: Healthcare Fraud: Auditing and Detection Guide (JOnline) Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v6 2009, The Rising Impact of Virtual Machine Hypervisor Technology on Digital Forensics Investigations Patty Bates, CISM, CSSLP, MCSE

- The IT Secrets from the Liar's Lair A fascinating piece in the December issue of American Banker on how the technology used within the Bernie Madoff empire may have helped perpetrate and conceal the fraudulent goings-on within the company. Well worth a read, and if you can identify with similar concerns within your own company, perhaps you also should be worried!

- v4 2009, Mitigating IT Vulnerabilities Provides Continual Fraud Prevention (JOnline) Alyssa G. Martin, CPA

- v3 2009, Book Review: Cyber Forensics: A Field Manual for Collecting, Examining and Preserving Evidence of Computer Crime, 2nd Edition A. Rafeq, CISA, CGEIT, CIA, CCSA, FCA

- v3 2009, Five Questions With… MacDonnell Ulsch

- v2 2009, Book Review: Insider Computer Fraud—An In-depth Framework for Detecting and Defending Against Insider Attacks (JOnline) Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- It's the Information, Stupid The focus of this article is to identify ways that information in the enterprise can be inappropriately removed, and a framework for how to mitigate these risks and protect your organization from the potential litigation, fines, and sheer embarrassment that can follow from such an event.

- Responding to a financial security breach The following outlines example precautionary steps recommended for a bank, but some of the measures are valid for any institution.

- Nine Ways to Stop Data Loss and Reduce the Risk of Insider Threat This paper details how a SIEM (security information and event management) solution has been proven to improve organization effectiveness and reduce risk by protecting against fraud, data loss, and insider threats.

- v1 2009, Preserving Electronically Encoded Evidence Robert E. Davis, CISA, CICA

- v1 2009, Book Review: Wireless Crime and Forensic Investigation Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v6 2008, Cibercrimen y Ciberterrorismo: Dos Amenazas Emergentes (JOnline) Jeimy J. Cano, Ph.D., CFE

- v6 2008, Book Review: Phishing and Countermeasures: Understanding the Increasing Problem of Identity Theft Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- v5 2008, Electronically Stored Information and Cyberforensics Albert J. Marcella Jr., Ph.D., CISA

- v5 2008, Book Review: The Handbook of Fraud Deterrence Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- The Online Underground Economy: How Cybercriminals Profit from Your Stolen Information This report provides an analysis of the cybercrime activity in the underground economy observed by Symantec between July 1st 2007 and June 30th 2008 for underground economy servers and between July and September 2008 for software piracy.

- 9 Dirty Tricks: Social Engineers' Favorite Pick-Up Lines Social engineering is the criminal art of scamming a person into doing something or divulging sensitive information.

- Study of banking malware analyzes underground economy A recent study of keyloggers and banking Trojans provides a view into the underground economy of stolen bank account credentials, passwords and credit card numbers.

- BLACKLISTED! Because of unsolicited promotional email and other forms of network abuse, access to network services—such as mail exchangers—is restricted more and more often. This document suggests a procedural framework for administrators whose networks or servers have been “blacklisted”

- COMPOSING ABUSE REPORTS What to send, how to send it, where to send it - and what not to send or do

- FBI: Criminals auto-dialing with hacked VoIP systems Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday

- Data Loss Prevention: Is it really necessary to record all IP traffic? The main point here is to extract only the valuable information from the traffic and then store it.

- FBI Hunts Extortionists Holding Health Data on Millions Express Scripts, which handles prescription drug benefits for millions of Americans, is the subject of an extortion attempt, and it has called in the FBI for help. Someone claims to have the personal information for millions of customers and is threatening to reveal it unless the company pays up

- 1 Trojan + 3 years = 500,000 online financial accounts RSA FraudAction Research Lab has discovered log-in information for about 300,000 online bank accounts and 250,000 credit and debit card accounts that have been gathered by a cybercrime gang over the past three years using the Sinowal Trojan

- How 'carders' trade your stolen personal info Debit cards and PINs are hot subjects on the criminal underground forums these days

- Anti-cybercrime legislation sent to president "The key anti-cybercrime provisions that are included in this legislation will close existing gaps in our criminal law to keep up with the cunning and ingenuity of today's identity thieves,"

- FBI warns of hit man scam Beware emails promising death

- Rising fraud threats in virtual worlds Virtual worlds are playgrounds not just for people who want some online fantasy role-playing, but for cybercriminals who are looking for places to launder money and steal data

- Best Western downplays data breach Best Western International Monday acknowledged it suffered a data breach that exposed sensitive customer information at a European hotel

- Global trail of an online crime ring The indictments last week of 11 people involved in the group give a remarkably comprehensive picture of how the Internet is enabling new kinds of financial crimes on a vast international scale

- 11 charged in theft of 41 million card numbers Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials say appeared to be the largest hacking and identity theft ring ever exposed.

- How does bad password policy like this even happen? Just when you think you’ve seen the worst case of bad authentication policy you’ll ever see, you’ll stumble across something even more surprising and unfathomable

- The tale of two busted spammers Reporter tracks down a pair of spammers to learn how they are harvesting e-mail addresses

- Update: Microsoft warns of new Access attack Bug in Snapshot Viewer enables running of malicious software

- v3 2008, Guest Editorial: Mobility Changes (Almost) Everything! William C. Boni, CISM

- Cracking open the cybercrime economy The criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger.

- CSI for the CISO Corporations are often their own worst enemy. They only think about being ready for forensics after the fact.

- JOnline, Vol. 4, 2007 Security and Privacy vs. Computer Forensics Capabilities (JOnline) S. Srinivasan

- Vol. 4, 2007 Inseguridad Informática y Computación Anti-forense: Dos Conceptos Emergentes en Seguridad de la Información Jeimy J. Cano, Ph.D., CFE

- vol 3, 2006 Introduction to Forensic Computing C. Matthew Curtin, CISSP
- Cybercrime Poses Challenges for Government, Industry Says Report Cybercrime is a threat to U.S. national economic and security interests

- Forensics Fundamentals Forensics isn't simply about finding data on a hard drive. It is knowing what the data could mean, and what to do with the data, that makes a forensics expert valuable.

- Data Forensics The value of the evidence all hinges upon how the data is collected, stored, and examined

- Computers, Networks and Theft Cybercrime has evolved considerably over the past few years with new technologies being created and applied. As a result, cybercrime is no longer committed by individual amateurs; it’s become a lucrative business run by highly organized groups.

- How to Keep a Digital Chain of Custody Advice, straight from the experts, on how to handle digital evidence.

- v3 2006, What Every IT Auditor Should Know About Cyberforensics Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP

- v3 2006, Global Perspectives Andy Townsend, Claudio Cilli, Ph.D., CIA, CISA, CISM, CISSP, and Gilbert N. Alegue

- v1 2006, ID Theft: Fraudster Techniques for Personal Data Collection, the Related Digital Evidence and Investigation Issues (JOnline) Theodore Tryfonas, Ph.D., CISA, Paula Thomas and Paul Owen

- v1 2006, Network Intrusion Detection: Know What You Do (Not) Need (JOnline) Tarlok Birdi, CCNP, CCSE, CISSP, and Kees Jansen, CISA, CISSP, PMP

- v1 2006, HelpSource Q&A Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA

- Companies still not reporting attacks, FBI director says Most companies that experience network intrusions don't report the incidents to law enforcement out of privacy and other concerns

- Cybercrime concerns affecting Net use You are more likely to be victims of cybercrime than physical crime - that is the belief of US citizens, according to a new survey commissioned by IBM

- Phishing Attacks Hit All-Time High The continued rise in phishing attacks shows increasing sophistication in strategy as well as more organized efforts among online criminals

- Computer crime costs $67 billion, FBI says Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI

- v6 2005, Internal Cyberforensics Sunil Bakshi, CISA, CISM, AMIIB, MCA

- v6 2005, Identity Theft: A New Frontier for Hackers and Cybercrime Claudio Cilli, Ph.D., CIA, CISA, CISM, CISSP

- v6 2005, Computer Forensics: An Overview Frederick Gallegos, CISA, CDE, CGFM

- v6 2005, Issues & Comments Michael P. Cangemi, CISA, CPA

- Body of Evidence Part art, part science, a computer forensics practice requires more planning and investment than technology vendors would have you believe.

- Information Society Website Legal Aspects of computer related crime in the information society - Comcrime study

- Creating a Safer Information Society by Improving the Security of Information Infrastructure and Combating Computer-Related Crime Whitepaper containing information regarding computer crime.

- CSI: Corporate focus on compliance could undermine security Companies that make regulatory compliance the sole driver of their information security efforts could be weakening their long-term security posture instead of improving it

- Reproducibility of Digital Evidence in Forensic Investigations A three-component model of a digital investigation.

- Preparing for Large-Scale Investigations with Case Domain Modeling

- Packet forensics using TCP

- Monitoring Access to Shared Memory-Mapped Files Whitepaper discussing reconstructing files.

- Preserving Digital Evidence to Bring Hackers and Attackers to Justice In this article, we’ll explain how standard rules of evidence apply to digital data and what precautions you should take to preserve it properly for a

- A Method for Forensic Previews This article explains the forensic preview process, whereby a production machine is left as undisturbed as possible while it is evaluated for potential intrusion and compromise.

- Web Browser Forensics, Part 2 Part 2 of this web browser forensics series looks at reconstructing Mozilla Firefox' cache in order to catch an internal hacker using an administrator's account.

- Defining Event Reconstruction of Digital Crime Scenes Whitepaper defining event reconstruction of digital crime scenes.

- Computer Forensics: Introduction to Incident Response and Investigation of Windows NT/2000 Whitepaper that is an introduction to computer forensics.

- Computer Forensics: An Approach to Evidence in Cyberspace White paper that defines the term computer forensics, discusses how digital media relates to the legal requirements of paper-based evidence.

- RAID Reassembly - A Forensic Challenge This paper details a method to allow RAID reassembly to be done reliably

- Recovering and Examining Computer Forensic Evidence

- Remote Physical Device Fingerprinting Article discusses fingerprinting devices and methods.

- Save It! Rethinking Retention Policies

- Smoking Microchip Tells It All Computer forensic experts mine hard drives for data that too-clever users thought long deleted.

- Software Forensics: Can We Track Code to its Authors? Features of code remnants that might be analyzed and then used to identify their authors are described in this paper.

- The Electronic Evidence Information Center A compilation of links to material related to all aspects of Digital Forensics and Electronic Evidence.

- The Honeynet Project's Forensic Challenge An effort to allow incident handlers around the world to all look at the same data and to see who can dig the most out of that system and communicate what they've found in a concise manner.

- The Law Enforcement and Forensic Examiner Introduction to Linux - A Beginner's Guide Provides an introduction to GNU/Linux as a forensic tool for computer crime investigators.

- The Trojan Made Me Do It: A First Step in Statistical Based Computer Forensics Event Reconstruction Exploratory study done to represent a standardized method for digital forensics events reconstruction.

- Tracing Activity on a Windows-Based Laptop

- Unlocking E-Evidence. Know How to Discover Computerized Information Whitepaper discusses how to unlock key evidence from computers.

- Using Computer Forensics to Manage Electronic Evidence Whitepaper discussing managing electronic evidence.

- Using Extended File Information (EXIF) File Headers in Digital Evidence Analysis Author examines how EXIF affects the forensics expert during digital analysis.

- What Forensic Analysts should know about NT Alternate Data Streams (ADS) Article discusses Alternate Data Streams and why we should bother with them.

- Web Browser Forensics, Part 1 This two-part article presents the techniques and tools commonly used by computer forensics experts to uncover such evidence, through a fictitious investigation that closely mimics real-world scenarios.

- Know Your Enemy: Worms at War A continuation of the Know Your Enemy series.

- Know Your Enemy: Motives This paper is a continuation of the Know Your Enemy series.

- Know Your Enemy The Know Your Enemy series is dedicated to teaching the tools, tactics, and motives of the blackhat community.

- Know Your Enemy: A Forensic Analysis To give you the forensic skills necessary to analyze and learn on your own the threats your organization faces.

- Beyond Conventional Terrorism: The Cyber Assault Established to review the various intents, events, acts, and possibilities of computing technology based terrorism and warfare.

- Automated Analysis for Digital Forensic Science Whitepaper discussing relevant causes and effects of security attacks.

- Automated Analysis for Digital Forensic Science The importance of automated digital forensic science.

- Anti-Forensics Degaussers A resource of forensics and anti-forensics degaussers.

- Analysis of LOKI2, Using mtree as a Forensic Tool, and Sharing Data with Law Enforcement Analysis of an unknown binary, mtree tools, and legal issues related to forensic tools.

- An Extended Model of Cybercrime Investigations An extended model of cybercrime investigations which identifies the investigative process and the major information flows in that process.

- A Lessons Learned Repository for Computer Forensics Discouraging the use of work practices that lead to undesirable outcomes and encouraging the use of work practices that lead to desirable outcomes.

- A Case for Forensics Tools in Cross-Domain Data Transfers Three options for forensics are presented and discussed.

- A Formalization of Digital Forensics Whitepaper discussing digital forensics.

- v6 2000, Issues & Comments Michael P. Cangemi, CISA, CPA
- v5 2000, Investigating Computer-Related Crime Sarathy Emani, CISA
- v3 2000, Defeating the Cyber Criminal: Defense Tactics for Denial of Service Attacks Mark Bigler, CISA, CPA, CFE
- v1 2000, Fishy Stories Steven J. Ross, CISA
- v6 2001, Book Review: Netspionage: The Global Threat to Information Michel Lambert, CISA
- v2 2001, Computer Forensics--From Cottage Industry to Standard Practice John M. Patzakis
- v3 2002, Fighting Internal Crime Before It Happens Allen G. Lux and Sandra Fitiani
- v3 2002, Combating Cyberthreats--Partnership Between Public and Private Entities Elsa Lee, CISA, CSQA
- v3 2002, Avoiding Tainted Testimony Alan B. Sterneckert, CISA, CISSP, CFE, CCCI
- v3 2002, Computer Forensics Emerges as an Integral Component of an Enterprise Information Assurance Program Douglas Barbin, CISSP, CPA, CFE, and John Patzakis
- v6 2004, Building an Educational Response to Terrorism: A Multifaceted Problem, A Multidimensional Response William V. Maconachy, Ph.D., Corey Schou, Ph.D., James Frost, Ph.D., and John Springer, Ed.D.

- v6 2004, Educating the Masses: Audit, Control and Security of Information Systems Today and Tomorrow Frederick Gallegos, CISA, CDE, CGFM

- v3 2004, An Investigation of Computer Forensics Ryan Pidanick

- v2 2004, Book Review: The Art of Deception: Controlling the Human Element of Security Janine McMinn, CISA

- v1 2004, How to Use a New Computer Audit Fraud Prevention and Detection Tool Richard B. Lanza, CPA, PMP
- v6 2003, Patch Management: An Effective Line of Defense for UNIX and Linux Chris Andrew
- v4 2003, Enhancing Security with an IT Network Awareness Center Scott Driml
- v4 2003, Preventing EFT Fraud John E. Humphries, Jr., CISA, CISSP GSEC
- Handbook of Forensic Services The FBI handbook of forensic services.

- Forensic Analysis of a Live Linux System, Part Two Part two of a four part series on deriving forensic evidence from a running Linux system.

- Forensic Analysis of a Live Linux System, Part One The main goal of this article is a presentation of methods used during an evidence collection procedure.

- Digital Media Forensics Understanding of the underlying technologies behind the various tools used and the ability to present scientifically valid information.

- Computer Forensics - We've had an accident, who do we get to investigate?

- Computer Forensics as an Integral Component of the Information Security Enterprise Provides an overview of computer forensics and addresses recent developments as well as future trends impacting the field.

- Building a Low Cost Forensics Workstation Outlines the fundamentals of computer forensic investigation and then, based on these essentials, creates requirements for a low cost forensics workstation for use in electronic investigations.

- Adventures in Computer Forensics The article goes through what a computer forensics expert usually experiences.

- A Ten Step Process for Forensics Readiness This paper proposes a ten step process for an organisation to implement forensic readiness.

- Computer Evidence Processing Good Documentation Is Essential

- Measuring security The article examines what exactly we are measuring for information security.

- Five mistakes of log analysis Typical mistakes organizations make when analyzing audit logs and other security-related records produced by security infrastructure components.

- v2 2003, The Computer Forensics and Cybersecurity Governance Model Kenneth C. Brancik, CISA
- v2 2003, No Harm, No Foul Steven J. Ross, CISA
- Top 10 Most Effective Cybercrime Policies Here are the methods that our 500 respondents identified as the most effective to fight e-crime.

- Shadow Data, The Fifth Dimension of Data Security Risk

- Classified Data Identification

- Tales from the Abyss: UNIX File Recovery

- The Forensix Project

- Windows, NTFS and Alternate Data Streams Security Essentials GSEC Practical Assignment, May 2001.

- Computer Evidence Processing

- Know Your Enemy: A Forensic Analysis

- Finding and analyzing trojans under unix

- Examples of Using DD within UNIX to Create Physical Backups

- Raging Debate: Who Should Pay for Digital Discovery? New York Law Journal Article by Eric van Buskirk, Jan 2003

- Automatic Reassembly of Document Fragments via Context Based Statistical Models

- Analysis: The forensics of Internet security This article describes the actions taken to investigate an actual security breach.

- A Palmtop for the Prosecution The Sony Clié was as good a smoking gun as investigators could get in a white-collar crime.

- Becoming a Forensic Investigator A methodology for producing forensic analysis in a written format.

- Tracking Down the Phantom Host How to locate a problem host when you are not sure where it is physically located

- Audit Trail Pattern Analysis for Detecting Suspicious Process Behavior

- Forensic computing uncloaks industrial espionage Forensic computing techniques

- Cyberterrorism: fear factor Vulnerabilities have been discovered in critical infrastructures in the energy and financial sectors.

- Tales of Cyber-Crime Running Rampant The article discusses the unbelievable frequency of internet crime.

- Identity Thieves go PHISHING 1.8 million phishing scam emails in one 24-hour period

- Combating The Cyber Criminals It is harder to convince the uninitiated of the very real risks.

- Information management and open source intelligence for anti-fraud policy from Cybercrime European Commission

- Commission of the European Communities Annual Report 2000 - Protection of the Communities: Financial interests and the fight against Computer Crime

- The Field Guide for Investigating Computer Crime, Part Eight: Information Discovery - Searching and Processing This is the eighth and final article in Field Guide for Investigating Computer Crime.

- The Field Guide for Investigating Computer Crime, Part Seven: Information Discovery - Basics and Planning This article begins discussion of information discovery, the process of viewing log files, databases, and other data sources on unseized equipment.

- The Field Guide for Investigating Computer Crime, Part Six: Search and Seizure - Evidence Retrieval and Processing Part six of eight, discusses the last two stages of search and seizure, starting with evidence retrieval

- The Field Guide for Investigating Computer Crime: Search and Seizure Approach, Documentation, and Location Part five of an eight-part series. This article discusses the action of computer crime.

- The Field Guide for Investigating Computer Crime: Search and Seizure Planning This article looks at the first stage of the search and seizure process: planning

- The Field Guide for Investigating Computer Crime: Search and Seizure Basics The gritty details of the search and seizure forensic activity.

- The Field Guide for Investigating Computer Crime: Part two of an eight-part series, which endeavors to provide a field guide for the computer fraud and abuse investigator.
- An Introduction to the Field Guide for Investigating Computer Crime This article and those which follow will endeavor to provide a field guide for the computer fraud and abuse investigator.

- Forensics on the Windows Platform, Part Two The second article in a two part series that is much more specific to Microsoft Windows platforms than part one

- Forensics on the Windows Platform, Part One This article will examine some basic, non-technical concepts that are applicable to all forensic investigations.

- Computer forensics not just for TV The skills used in computer forensics will pay dividends for companies even if they don't have a lot of incidents to investigate

- Network postmortem: Forensic analysis after a compromise Working with a forensics team can give a company a new perspective on where breaches take place, how they occur and how the company should be secured.

- More than 125 fraudsters caught in Operation Cyber Sweep Officials said more than 125,000 victims incurred losses of more than $100M

- Former White House cybersecurity czar calls for security audit standards Richard Clarke, now a security consultant, says Congress needs to act

- Online fraud concerns on rise as holiday season nears Internet retail sales are growing, and so are fraudulent transactions

- U.S. cybercrime crackdown nets 125 arrests nationwide

- Cyber cops get forensics code The article discusses the new guidelines for the police where cyber crimes are concerned.

- Cyber cops get forensics code Police have been issued new guidelines for gathering computer crime and electronic forensic evidence that deals with handling PDAs and mobile phones and the use of outside expert witnesses in investigations.

- Enterprise Security Moves Toward Intrusion Prevention

- Feds' Math Is Fuzzy on Computer Crime Key agencies don't report statistics
- Network forensics tighten security Although pricey, analysis tools provide in-depth security event information

- Telcos, IT companies at high risk from economic crime Fifteen percent of the companies surveyed reported losses from cybercrime

- Appeal in bug disclosure case Federal prison for violating the Federal Computer Fraud and Abuse Act.

- FTC cracks down on Web page selling scam The U.S. Federal Trade Commission (FTC) has filed suit against a company that the agency charges is hawking Web presence over the phone and then charging its targets on their phone bill without their authorization.

- Bugwatch: Know your security onions The multiple, overlapping layers of the 'onion' approach to cyber-security.

- Security officials discuss efforts to combat computer crime

- Cyber criminals in the online of fire The Australian High Tech Crime Center opens July 2, 2003 to fight many cyber crimes.

- Security holds its ground in IT crime survey Dramatic drop in financial losses caused by computer attacks.

- The law, cybercrime, risk assessment and cyber protection The article discusses the rise of cybercrime in the UK. How to handle the increase and the importance of IT security.

- Prevention Of Computer Frauds In Banking Three key safeguards that must be observed by banks so that they do not unwittingly fall prey to computer fraud and crime.

- Report: Insiders Wreaking Havoc on Corporate Security By 2005, 60 percent of the costs associated with corporate security breaches will be financially or politically motivated, according to a new report from Gartner Inc.

- Fighting Cybercrime: Ukraine Develops Special Law In particular, illegal intervention in computer work, their systems or networks, which have led to change or destruction of the computer information, and also computer virus distribution are punished

- Information technologies and organized crime Research into the criminal situation and study of its peculiarities and tendencies in the 21st century is impossible without considering the scientific and technical phenomenon of the general use of information technologies (IT)

- EU to unify e-crime rules To deter online attacks, forthcoming regulations will require EU states to harmonise anti-hacking laws and hand out custodial sentences for serious offences

- Credit Card Fraud By the end of 2003, over 85 million online shoppers are expected to spend more than $35 billion. Despite these positive indicators, the presence of fraud tempers the tremendous opportunity

- These Are Not Your Father's Wiretaps Privacy advocates fear that the FBI's need to monitor Internet Age technologies, such as voice over IP, will give it far too sweeping powers

- EU Agrees Jail Terms for Computer Hackers Computer hackers and virus spreaders could be jailed for five years in serious cases under new laws approved by European Union justice ministers on Friday.

- Automated Crime Some components of automated security strategy.

- Lawyers: Hackers sentenced too harshly The nation's largest group of defense lawyers published a position paper arguing that people convicted of computer-related crimes tend to get stiffer sentences than comparable non-computer-related offenses.

- Criminals using high-tech methods for old-style crimes Organized crime rings are increasingly trading their automatic weapons for automatic software tools to conduct a wide array of white-collar crimes such as identity theft and fraud.

- Internet fraud expanding, security experts warn Internet fraud is not only growing in frequency but also expanding in scope

- Cyber hype Cyberterrorism is giving governments an opportunity to curb civil liberties, but is it really a lethal weapon?

- Forensic skill needed to bring hackers to justice Most firms have strategies to prevent their systems being attacked, but they should also develop policies on what to do in the event of a security breach to preserve evidence and prosecute the culprits

- Bug Watch: Don't touch the evidence! Computer evidence can be invaluable, but it must be treated carefully to be admissible in court.

- Plentiful resources, certifications for combating cybercrime Various professional organizations, resources and certifications

- Online job listing an ID theft scam Identity theft scammers have found a new venue for mining personal information: resumes and data from online job services

- Europe's cops can't collar cybercriminals Europe is losing out in its fight against cybercrime

- FBI chief: Lack of incident reporting slows cybercrime fight Private-sector cooperation in that fight remains woefully inadequate

- Insiders, not hackers, biggest information theft risk Intellectual property and proprietary information are more at risk from ex-employees, foreign and domestic competitors and contractors working on-site than from computer hackers

- Electronic Crime Scene Investigations US Department of Justice guide for first responders

- Does Crime Pay More on the Internet? While cybercrime might be more difficult than more traditional criminal activities to stamp out, companies and individuals can do much more to protect themselves

- Experts see ounce of prevention key to cyber cure Organizations and government agencies should change their cybersecurity mindset to one of prevention

- Hundreds of weapons, laptops missing from Justice Department Five Justice Department agencies, including the FBI, have reported hundreds of lost or stolen weapons and computers over the last few years

- IT Nightmare: The Enemy Within The discovery that employees are attacking internal systems is a challenge because the majority of security monitoring is focused on the outside perimeter of the organization, not on the inside.

- Developing an Effective Incident Cost Analysis Mechanism Can Computer Crime Damages be Calculated? This article provides an authoritative model

- Identity Theft - Prevention and Survival Identity-Theft is the fastest growing crime in America, affecting approximately 900,000 new victims each year

- Identity Theft U.S. government's central website for information about identity theft

- Theft is top information security risk More than 60% of local companies have seen trade secrets and corporate computer equipment disappear in the hands of thieves, with every loss costing an average of R180000. [$16,014.38 U.S.D. - WK]

- High Technology Crime Investigation Association designed to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership

- Evidence Seizure Methodology for Computer Forensics We need to know what the weaknesses are in case we have to defend our work in a court of law. We need to be able to explain and support our methodology, our tool selection, our work.

- Journal v6, 2001, Intrusion, Attack, Penetration--Some Issues - by Chidambaram Mahadevan, CISA, FCA

- FBI-Backed Survey Shows Increasing Computer Crime The Computer Crime and Security Survey, commissioned by the Federal Bureau of Investigation (FBI), shows U.S. businesses suffering increasing financial losses as a result of crime and information security breaches.

- Organized Crime and Cybercrime: Synergies, Trends, and Responses If these steps are taken, there is at least some chance that cybercrime can be contained within acceptable bounds.

- Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime.

- Electronic Crime Scene Investigation Guide for first responders from US Department of Justice

- Identifying Internet Activity Computer Forensics Goes To Cyber Space

- Journal v4, 2001, IS Security Matters - Penetrating Questions - by Steven Ross, CISA

- ICC Cybercrime Unit Business has become increasingly concerned at the prospect of a corresponding explosion in crime involving information systems and the Internet. ICC can assist in the mitigation of such crime

- Computer Incident Response Guidelines Article on preserving computer evidence

- Journal v2, 2001, Computer Forensics - From Cottage Industry to Standard Practice - by John M. Patzakis

- Journal v3, 2000, Defeating the Cyber Criminal: Defense Tactics for Denial of Service Attacks - by Mark Bigler, CISA, CPA, CFE

- What Is Computer Forensics? Computer forensics is the analysis of information contained within and created with computer systems and computing devices.

- Forgetting to Lock the Back Door: A Break-in Analysis on a Red Hat Linux 6.2 Machine Gathering evidence, securing the network, and providing suggestions for amendments to minimize repeat break-ins.

- Windows Forensics: Have I been Hacked? Ultimately, if you feel you have been hacked the decision is yours to try to clean up the box and continue using it, or to reinstall the OS.

- Sleuthkit, the Digital Forensic Toolkit Vendor site, Sleuthkit performs forensic analysis on both Microsoft and Unix filesystems.

- Forensic Science Communications Magazine

- Computer Forensics, Cybercrime, and Steganography resources Online resource with many articles and links.

- High Technology Crime Investigation Association

- Practical Windows Forensics BU is building its toolkit for Windows security incident handling. We will attempt to share what we’ve learned about doing forensics in the Windows environment.

- Computer Forensics, Cybercrime and Steganography Resources Links and papers related to Forensics, Cybercrime, and Steganography

- Computer Forensics INC. Site devoted to computer forensic papers, articles, and resources.

- Digital Forensic Science List Server

- Digital Forensics various forensic projects detailed

- Maintaining System Integrity During Forensics This article is an examination of the issues which investigators concerned about "best practices" might care to bear in mind.

- Reaction to AU spies' forensic tool mixed Reaction to the release of open source forensics software by the Defence Signals Directorate (DSD) has been mixed.

- The National White Collar Crime Center Vendor site with computer crime training opportunities

- International Association of Computer Investigative Specialists (IACIS) Non-profit organization of law enforcement professionals in the field of forensic computer science. Features information on membership, forensic procedures, training opportunities and links to other sites and organizations.

- Criminals' new trick Child-Porn Collectors using pocket-size storage drives.

- Links to Computer Forensics & Related Law Enforcement Pages

- The Consequences of Criminalizing Crypto The Justice Department's plan to make routine encryption illegal in the hands of criminals will hurt law abiding citizens, and prove catastrophic for Internet security.

- Windows Forensics - A Case Study: Part Two This article deals with determining the scope of the compromise, and understanding what the attacker is trying to accomplish at the network level.

- Windows Forensics: A Case Study, Part One This article is the first in a two-part series that will offer a case study of forensics in a Windows environment

- New cybersecurity institute to fight online crime to provide research, analysis, training and technical assistance relating to cybercrime

- International Journal of Digital Evidence IJDE is a forum for the publication and discussion of theory, research, policy, and practice in the rapidly changing field of digital evidence

- Card Cops Free service to check your credit cards to see if the numbers have been known as stolen

- CYBERCOP Encourage private sector businesses, foundations, educational institutions and individuals to assist law enforcement in their efforts

- US FBI Field Offices Contact List

- Computer Forensics Definitions NTI Inc. has provided technical definitions to assist their clients.

- Computer Crime and Intellectual Property Section US Dept of Justice

- Hackers A report on the exploits of hackers and how they have highlighted the Internet's insecurities

- Insurgency on the Internet CNN Survey of hacking and computer security

- Computer Crime and Intellectual Property Section of the Criminal Division of the US Department of Justice. Resources on US Law, cases, procedures for reporting, investigating and prosecuting computer crime.

- Guidance Software, Inc. - New Wire Section Contains news on forensics, forensics software, computer forensic training.

- Information Warfare Many articles on information security

- New Technologies Inc Experts in the exploitation of the security weaknesses in DOS, Windows, Windows 95, Windows 98, Windows NT and Windows 2000 to find computer evidence and computer security data leakage.(vendor site with services and tools)

- High Technology Crime Investigation Association HTCIA - Northeast Chapter list of training opportunities in computer crime and forensics

- International Association of Computer Investigative Specialists IACIS is an international volunteer non-profit corporation composed of law enforcement professionals dedicated to education in the field of forensic computer science.

- US Federal Guidelines - Searching and Seizing Computers Federal Guidelines published in 1994 with 1997 and 1999 supplements

- Royal Canadian Mounted Police (RCMP) - Technical Security Branch Providing Canadian federal government clients with a full range of professional physical and information technology security services and police forces with high technology forensic services.

- Internet Fraud Complaint Center Partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) to combat Internet Fraud.

Data Center
- Governance, Risk, and Compliance Management: Realizing the Value Of Cross-Enterprise Solutions This paper explains SAP’s vision for a cross-enterprise GRC solution and the benefits it can provide, defines key terms, and discusses what to look for when evaluating GRC software options.
- v1 2009, Green Security Ashley Jones, CISA, CISSP

- Seven tips to improving enterprise data protection Enterprise data protection requires a holistic program that encompasses people, process and technology.

- Seven steps to securing funding of your disaster recovery plan In a disaster recovery (DR) report issued earlier this year, Forrester Research Inc. recommended the following seven steps for securing new, additional or ongoing funding of your disaster recovery plans:

- Vol. 3, 2007 Maximizing Backup and Recovery of Data and Systems Philip L. Wandrei

- Keeping Secrets Secret New approaches to protecting data at rest (and avoiding the wrath of your customers)

- Improving Data Center Security... Simply There are quite a few security enhancements that you can make simply by making better use of what's almost certainly already on your system.

- v5 2000, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v6 2001, Virtual Private Infrastructure Steven J. Ross, CISA
- v2 2004, HelpSource Q&A Fred Lilly

- v6 2003, HelpSource Q&A Fred Lilly
- v4 2003, Internal Control Issues: The Case of Changes to Information Processes Benjamin Bae, Ph.D., Ruth W. Epps, Ph.D., CPA, and Susan S. Gwathmey, CMA
- v4 2004, Identity Architecture Steven J. Ross, CISA
- v3 2003, Auditing OS and Database Controls S. Anantha Sayana, CISA, CIA
- v6 2002, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v6 2002, Assessing Data Authenticity with Benford's Law Bassam Hasan, Ph.D.
- v6 2002, The Importance of Event Correlation for Effective Security Management Matthew Caldwell, CISSP
- Require Accuracy for Nation's Largest Criminal Justice Database A broad coalition of US organizations has endorsed a letter urging the reestablishment of accuracy requirements for the FBI's National Crime Information Center

- Journal v1, 2001, Helping Businesses Safeguard Information and Networks - by Ron Hale

- The New Data Center Online resource for Data Center information contains; articles, links and whitepapers.

- SearchStorage Concentration of storage related information and links

Database Security Issues
- v6 2009, Data Plumbing? Steven J. Ross, CISA, CBCP, CISSP, MBCP

- v4 2009, Understanding How to Protect Web-facing Applications Sushila Nair, CISA, CISM, CISSP, Doug Drew, CISSP, PCI QSA, and Peter Verderber, CISA, CISSP, PCI QSA

- Data Loss Prevention: Keeping Sensitive Data out of the Wrong Hands Data security breaches pose a serious threat. Companies need to reduce risks associated with exposing customer data, losing intellectual property, or violating compliance obligations. Learn more about DLP issues, strategies and solutions.

- Top Ten Database Security Threats: How to Mitigate the Most Significant Database Vulnerabilities This document addresses the most critical of database infrastructure threats by providing a top ten list as identified by Imperva's Application Defense Center. Background information, risk mitigation strategies, and an overview of Imperva's SecureSphere Database Security Gateway protections are provided for each threat

- E-Guide: The Ins and Outs of Database Encryption This E-Guide discusses how your company can effectively address the difficulties of deploying a database encryption strategy, how to effectively determine what types of data you should be protecting, and expert best practices for managing separation of duties to maintain secure databases.

- Nine Ways to Stop Data Loss and Reduce the Risk of Insider Threat This paper details how a SIEM (security information and event management) solution has been proven to improve organization effectiveness and reduce risk by protecting against fraud, data loss, and insider threats.

- v2 2009, Data Security Belden Menkus

- v6 2008, Implementing, Automating and Validating Controls for Privileged Users in Healthcare Organizations Cheryl Traverse

- v5 2008, Database Security, Compliance and Audit Charles Le Grand and Dan Sarel

- Security industry moves forward on data security industry players are starting to team up to lower the cost, complexity, and integration effort needed for data-centric security.

- Data Loss Prevention: Is it really necessary to record all IP Traffic? The main point here is to extract only the valuable information from the traffic and then store it.

- Anti-cybercrime legislation sent to president "The key anti-cybercrime provisions that are included in this legislation will close existing gaps in our criminal law to keep up with the cunning and ingenuity of today's identity thieves,"

- Arizona death notices taken offline on ID fraud concerns Digital copies of death certificates have been removed from the Web site of Maricopa County in Arizona because they could be used for identity fraud

- Social Security numbers exposed on Iowa land-records Web site A publicly accessible Web site maintained by the Iowa County Recorders Association (ICRA) has made land records containing the Social Security numbers of thousands of state residents

- Heads Up: Chrome's Omnibox May Record What You Type The shine on Google's Chrome browser is dulling a bit as users discover some features that could affect their privacy.

- v3 2008, The Art of Database Monitoring (JOnline) Sushila Nair, CISA, CISSP, BS 7799 LA

- Penetration testing: Hacking the FBI Can you imagine being paid to find embarrassing security holes?

- v1 2008, Insider Threat--The Fraud That Puts Companies at Risk - Patrick Taylor

- Vol. 3, 2007 Maximizing Backup and Recovery of Data and Systems Philip L. Wandrei

- Database compliance demystified With multiple industry regulations continuing to be the dreaded thorn in the side of most database administrators and security practitioners, the notion of database compliance is a significant challenge

- Building Up Database Defenses Protecting the corporate database involves targeting at-risk data and implementing four key defenses.

- v3 2006, Falling Off the Truck Steven J. Ross, CISA, CISSP

- Data: Lost, Stolen or Strayed The missing link in data security may have four wheels and a gas tank.

- Backup Best Practices Save Critical Data

- Data Breaches: Turn Back the Tide The article discusses all of the things that work against the task of security managers to protect critical business information.

- v2 2001, Mathematical Proofs of Mayfield's Paradox: A Fundamental Principle of Information Security The University of New Haven Center for Cybercrime and Forensic Computer Investigation and The University of Southern California Department of Mathematics
- v4 2003, Centralized Security Management Provides Foundation for Effective Intrusion Prevention Hugh S. Njemanze, CISSP
- v3 2003, Auditing OS and Database Controls S. Anantha Sayana, CISA, CIA
- v6 2002, Assessing Data Authenticity with Benford's Law Bassam Hasan, Ph.D.
- v6 2002, The Importance of Event Correlation for Effective Security Management Matthew Caldwell, CISSP
- DBAs should beware the hacker they know Why should a DBA care about security?

- Database Servers Take the Security Test! Database professionals hesitate to blindly trust the assurances they receive from vendors that a product is secure.

- Database Security Issues: Inference One of the main issues faced by database security professionals is avoiding inference capabilities.

- DB2 Security Dinged Again IBM's DB2 UDB enterprise relational database has two more holes, and the article has a link to the patches available.

- Two Major Databases Spring Security Leaks Two major databases have sprung security leaks.

- Eyes Slammed Open The article asks "How Secure is your Business-Critical Database?".

- Databases Ripe for Attacks More hacker activities focused on probing databases and not enough alacrity on the part of DBAs (database administrators) when it comes to installing patches.

- Security Considerations for Enterprise Level Backups Enterprise level backups are becoming the fundamental way to safeguard your data

- The Intrinsic Hole In Information Security This is the issue of type safety in the C programming language

- Baseline Protection Manual - Databases A database is a collection of data representing facts on a specific application in the real world

- Quick Takes: Database security takes center stage vendor tools

- Top 10 database security headaches This list provides insights into why database security problems arise and tips about how to avoid mistakes and which tasks should be performed regularly.

E-commerce
- v2 2009, Information Technology Legislative Update (JOnline) A. Abimbola, Ph.D.

- Leverage the Benefits of a Shared Authentication Network Read this whitepaper to learn about a shared two-factor authentication network, and why it is an essential requirement for continued customer participation in online interactions and commerce.

- Is compliance with standards achieving the goal of protecting data? Compliance: An issue of substance

- v4 2008, A Comprehensive Method for Assessment of Operational Risk in E-banking George Tanampasidis, CISA, PMP

- An SMB PCI DSS Learning Opportunity If you see an opportunity to provide some awareness to a business about information security, privacy or compliance, take it!

- Vol. 4, 2008, A Comprehensive Method for Assessment of Operational Risk in E-banking - George Tanampasidis, CISA, PMP

- v6 2007, Analysis of FFIEC Guidance: Technologies and Decisions on Authentication - Mikhael Felker, CISSP-ISSEP

- vol 3, 2006 Information Assurance—Online Lottery Systems (JOnline) Huzeifa Unwala, CISA, FCA
- v3 2000, Heft Steven J. Ross, CISA
- v2 2000, Managed Risk, Enhanced Response Sean Adee, CISA
- v2 2000, The Lingering Doubt Steven J. Ross, CISA
- v1 2000, Secure E-Business Raj Mehta, CISA, CPA
- v6 2001, The State of Enterprise Security Management: An interview with Reed Harrison, Chief Technology Officer, e-Security Joe Judge
- v4 2001, Issues & Comments Michael P. Cangemi, CISA,CPA
- v3 2001, E-commerce and Smart Cards Marcelo Héctor González, ASS, CISA
- v3 2001, CPO Position Joins Executive Ranks Michael Parkinson, CISA, CIA
- v3 2001, Erosion of Trust--E-commerce and the Loss of Privacy Jonathan D. Andrews, CA, CISA, FCA
- v3 2001, Creating the Privacy Compliant Organization Robert G. Parker, MBA, FCA, CISA, CMC
- v2 2001, Securing Emerging Internet Applications Masaya Norifusa
- v2 2001, Cybersecurity and the Future of E-commerce Allan R. Paliotta, CISA, CFE, CFSA
- v2 2001, Standard Questions Steven J. Ross, CISA
- v4 2002, Mail Call Steven J. Ross, CISA
- v2 2002, Siebel's eBusiness Application and Controls Kees Jansen, CISA
- v6 2004, Information Technology Auditing and Cybercommerce: A Risk Perspective Jagdish Pathak, Ph.D.

- v6 2003, Identity Management: A Business Strategy for Collaborative Commerce Jay Ahuja
- v5 2003, The Importance of Being Secure: The ROI of Web Site Security Ken Leonard
- v5 2003, Documentation Standards for E-commerce Organisations Sam Lubbe, Ph.D.
- v4 2003, Identity and Access Management Bill McQuaide
- v1 2003, Internet Financial Reporting Pak-Lok Poon, Ph.D., CISA, CQA, MIEEE, MACM, David Li, CPA, and Yuen Tak Yu, Ph.D., MIEEE, MACM
- CyberSecurity in the Singapore Financial Sector This presentation was created by panelist Mr. Tony Chew from the Monetary Authority of Singapore for the 2003 Global Dialogue on Electronic Safety and Soundness.

- RFID Will Be Bigger Than Y2K

Hacker Related
- NMAP Network Scanning: The Official NMAP Project Guide to Network Discovery and Security Scanning - by Gordon Fyodor Lyon. 2009, 468 pages.
- The Little Black Book of Computer Security, 2nd Edition - by Joel Dubin. 2008, 216 pages.
- Extreme Exploits: Advanced Defenses Against Hardcore Hacks - by Victor Oppleman, Oliver Friedrichs and Brett Watson. 2005, 448 pages.
- Anti-Hacker Tool Kit, 3rd Edition - by Mike Shema, Chris Davis and David G. Cowen. 2006, 799 pages.
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers - by Kevin D. Mitnick and William L. Simon. 2005, 288 pages.
- Hacking: The Art of Exploitation - by Jon Erickson. 2004, 264 pages.
- v5 2009, Who Is Melissa Chernobyl and Why Is She Doing These Terrible Things? Steven J. Ross, CISA, and Emily L. Quah

- v4 2009, Fraude o Error Fidel Santiago, CISA

- v2 2009, A Study on Canadian IT Security Practices (JOnline) Rafael Etges, Walid Hejazi and Alan Lefort

- It's the Information, Stupid The focus of this article is to identify ways that information in the enterprise can be inappropriately removed and a framework for how to mitigate these risks and protect your organization from the potential litigation, fines, and sheer embarrassment that can follow from such an event.

- Social Engineering At a time when the economy demands all our attention, information and the intelligence of systems, processes and organizations that use it are at the heart of corporate change strategies. These changes are necessarily accompanied by protection measures; however, a silo approach is still evident which benefits a resurgence in social engineering. Nevertheless, the means to counter social engineering are within the reach of corporations, but they must be integrated within a holistic approach to information security.

- Book Chapter: Hacking Windows The following is an excerpt from the book Hacking Exposed: Network Security Secrets & Solutions. In this section of Chapter 4: Hacking Windows (.pdf), authors Stuart McClure, Joel Scambray and George Kurtz describe what makes Windows a target for hackers, and what Microsoft is doing to combat Windows hacking.

- v6 2008, Computer Ethics: A Potent Weapon for Information Security Management (JOnline) Wanbil W. Lee, D.B.A., FBCS, FIMA, FHKIE, and Keith C.C. Chan, Ph.D.

- v6 2008, Book Review: Phishing and Countermeasures: Understanding the Increasing Problem of Identity Theft Vishnu Kanhere, Ph.D., CISA, CISM, AICWA, CFE, FCA

- Don't be a data loss victim Disclosure laws provide a goldmine of information on the causes of data breaches and ways to avoid a costly incident

- Largest Coordinated ATM Rip-off Ever Nets $9+Million in 30 Minutes With only 100 compromised ATM cards thieves were able to grab $9 million bucks from the banking system in a new style of attack.

- On-demand Security Audits and Vulnerability Management A Proactive Approach to Network Security. Requires free registration

- Penetration tester explains secrets to accessing corporate systems Chris Nickerson is your worst nightmare. He's the guy you never see coming, the one who can slip into your data center, install malware on any server he chooses and ease back out without so much as a shadow on your security cameras. Nickerson, CEO of Lares Consulting, talks about the fun of penetration tests and the risks of outsourcing

- How 'carders' trade your stolen personal info Debit cards and PINs are hot subjects on the criminal underground forums these days

- Browser attack technique poses serious threat Called clickjacking, the technique enables the attacker to force a user to click on a specific link. Researchers say the technique has been underestimated.

- Best Western downplays data breach Best Western International Monday acknowledged it suffered a data breach that exposed sensitive customer information at a European hotel

- Global trail of an online crime ring The indictments last week of 11 people involved in the group give a remarkably comprehensive picture of how the Internet is enabling new kinds of financial crimes on a vast international scale

- 11 charged in theft of 41 million card numbers Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials say appeared to be the largest hacking and identity theft ring ever exposed.

- Security news roundup: Apple's DNS patch flawed The DNS patch that was finally rolled out by Apple to fix the much-publicized Domain Name Server (DNS) security flaw appears to be flawed.

- McAfee: SMBs underestimate cybercrime risks SMBs are in fact rich hunting ground for hackers because the attacks are also less likely to gain the attention of law enforcement

- Social Engineering Techniques, Risks, and Controls This article describes typical social engineering threat sources and techniques, analyzes the associated information security risks, and outlines a range of preventive, detective, and corrective controls to minimize social engineering risks.

- v3 2008, The Art of Database Monitoring (JOnline) Sushila Nair, CISA, CISSP, BS 7799 LA

- Six hours to hack the FBI (and other pen-testing adventures) White-hat hacker pros dish on top traumas and shocking snafus

- Penetration testing: Hacking the FBI Can you imagine being paid to find embarrassing security holes?

- Insiders Implicated in Hack Attacks on City Utilities Disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.

- Cracking open the cybercrime economy The criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger.

- vol 3, 2006 Key Elements of a Threat and Vulnerability Management Program John P. Pironti, CISA, CISM, CISSP, ISSAP, ISSMP
- Hacker secrets - to the highest bidder Now a Swiss company claims it can slow such activity by doing for hackers what eBay did for collectors of decorative spoons: create a marketplace for the sale of software vulnerabilities to the highest bidder

- Lessons From a Honeynet That Attracted 700,000 Attacks This article will focus on providing some basic guidelines that will serve to assist you in conducting your own vulnerability management and performing scans against your own systems and networks, in the hope that you will identify and remedy any serious vulnerabilities and bugs in advance of the unyielding hackers, ultimately resulting in computer systems that are secure and protected

- Germany passes controversial antihacking law It defines hacking as penetrating a computer security system and gaining access to secure data, without necessarily stealing data

- Ten Ways Hackers Breach Security

- Fiber optic networks vulnerable to attack Fiber optic networks aren't hack-proof: A savvy attacker can crack them with ease

- Penetration Testing: The Third Party Hacker

- War Dialing General information on war dialing, war dialing tools, and general steps you can take to protect your network from unwanted intruders.

- Real life: My battle with spyware A modern-day parable of the author's own recent experience with a crippling spyware infestation, with some important lessons for systems administrators to learn as a result of his somewhat embarrassing mistakes

- v3 2006, What Every IT Auditor Should Know About Cyberforensics Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP

- v3 2006, Global Perspectives Andy Townsend, Claudio Cilli, Ph.D., CIA, CISA, CISM, CISSP, and Gilbert N. Alegue

- Six steps to beating backup server hacks A compromised backup server is a very scary thing. Therefore, you should do everything you can to protect it. Here are six quick tips for doing so.

- Political hacking scandal hits Hungary A "Watergate-style" political scandal has broken in Hungary after the opposition party was forced to admit an over-zealous intern was responsible for hacking into the servers of the governing party.

- RSS: The next malware target? Really Simple Syndication (RSS).

- Hacker PC networks getting harder to find Hacked computer networks, or botnets, are becoming increasingly difficult to trace as hackers develop new means to hide them, say security experts.

- Phishing Attacks Hit All-Time High The continued rise in phishing attacks shows increasing sophistication in strategy as well as more organized efforts among online criminals

- Computer crime costs $67 billion, FBI says Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI

- Application Denial of Service Attacks

- What is spyware? The definition dilemma Examining the range of activities that fall under the general and nebulous spyware umbrella

- SQL injection SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data

- v6 2005, Internal Cyberforensics Sunil Bakshi, CISA, CISM, AMIIB, MCA

- v6 2005, Identity Theft: A New Frontier for Hackers and Cybercrime Claudio Cilli, Ph.D., CIA, CISA, CISM, CISSP

- v5 2005, An Approach to Vulnerability Management (JOnline) Umesh Chavan, CISSP

- SearchSecurity.com's Guide to Thwarting Hacker Techniques This guide provides you with a plethora of tips, expert advice and Web resources that offer more in-depth information about hacker techniques and various tactics you can employ to protect your network.

- Preserving Digital Evidence to Bring Hackers and Attackers to Justice In this article, we’ll explain how standard rules of evidence apply to digital data and what precautions you should take to preserve it properly for a

- Hiring Hackers As Security Consultants In this article, I will explore the pros and cons of using former hackers in such roles.

- Web Application Hacking: Exposing Your Backend

- Real World XSS This paper covers most aspects of XSS attacks including: injection points, attack scenarios, attacker motivations and techniques, code obfuscation examples, and starts laying a foundation on proper filtering framework.

- v3 2005, Paris Hilton's Privacy Steven J. Ross, CISA, CISSP

- Hacking Google for fun and profit There are numerous ways to exploit vulnerabilities and mount attacks that allow access to the back end of e-commerce websites.

- v2 2005, JOnline- Generic Exploit Blocking: Prevention, Not Cure Carey Nachenberg

- v2 2005, Introduction to Voice-over IP Technology Kamal Khan, CISA, CISSP, MBCS, Rajan Syal and Achal Kapila

- v4 2000, How To Eliminate The Ten Most Critical Internet Security Threats
- v3 2000, Defeating the Cyber Criminal: Defense Tactics for Denial of Service Attacks Mark Bigler, CISA, CPA, CFE
- v3 2000, Heft Steven J. Ross, CISA
- v3 2000, Issues & Comments Michael P. Cangemi, CISA, CPA
- v4 2001, Penetrating Questions Steven J. Ross, CISA
- v2 2001, Fighting Security Breaches and Cyberattacks with Two-Factor Authentication Technology Tony Walker, Ph.D.
- v2 2001, Cybersecurity and the Future of E-commerce Allan R. Paliotta, CISA, CFE, CFSA
- v2 2001, Automated User Authentication Mark K. Willoughby
- v1 2001, Why Passwords Persist Steven J. Ross, CISA
- v5 2002, HelpSource Q&A Fred L. Lilly, CISA, CPA
- v3 2002, Fighting Internal Crime Before It Happens Allen G. Lux and Sandra Fitiani
- v3 2002, Combating Cyberthreats--Partnership Between Public and Private Entities Elsa Lee, CISA, CSQA
- v3 2002, Computer Forensics Emerges as an Integral Component of an Enterprise Information Assurance Program Douglas Barbin, CISSP, CPA, CFE, and John Patzakis
- v3 2002, An E-citadel for Securing Credit Card and Consumer Data Tom Arnold
- v2 2002, Social Engineering: A Tip of the Iceberg Pramod Damle, CISA, CQA, CAIIB
- v1 2002, Book Review: Intrusion Signatures and Analysis Ashley Jelleyman
- v1 2005, The Role of Attack Simulation in Automating Security Risk Management Gidi Cohen

- v6 2004, A Wake Up Call to All Information Security and Audit Executives: Become Business-relevant Patrick Taylor

- v6 2004, Educating the Masses: Audit, Control and Security of Information Systems Today and Tomorrow Frederick Gallegos, CISA, CDE, CGFM

- v4 2004, Protecting the Ports—Using an Event Log Manager to Improve Network Security Drew Robb

- v4 2004, Biometrics—Risks and Controls Christos K. Dimitriadis, CISA, CISM, and Despina Polemi, Ph.D.

- v4 2004, Systems Development Advice in a Web-enabled World Sanjiv Kumar Agarwala, CISA, CISSP

- v3 2004, An Investigation of Computer Forensics Ryan Pidanick

- v3 2004, A Guide to Wireless Network Security Mitchell Ashley

- v3 2004, Best Practices for Wireless Network Security Susan Kennedy, CISA, CIW

- v2 2004, Book Review: The Art of Deception: Controlling the Human Element of Security Janine McMinn, CISA

- v6 2003, Patch Management: An Effective Line of Defense for UNIX and Linux Chris Andrew
- v6 2003, Wise Wireless: Securing the WLAN James Bindseil, CISSP
- v5 2003, The Importance of Being Secure: The ROI of Web Site Security Ken Leonard
- v4 2003, Justifying Investment in Security Kamal Parmar, CISA, ACCA, CCNA, MCP
- v4 2003, Enhancing Security with an IT Network Awareness Center Scott Driml
- v4 2003, Centralized Security Management Provides Foundation for Effective Intrusion Prevention Hugh S. Njemanze, CISSP
- v4 2003, Preventing EFT Fraud John E. Humphries, Jr., CISA, CISSP GSEC
- Anatomy of a worm Why we are heading toward a 'worm a day' nightmare and what can be done about it.

- v2 2003, Issues & Comments Michael P. Cangemi, CISA, CPA
- v6 2002, Application Risk in a TCP/IP Environment Robert M. Harrison
- Calling the CyberCops: Law Enforcement and Incident Handling Should you notify the police in the event of a hack?

- Foiling Phishing Companies on the front lines of the phishing wars share tactics for protecting customers and employees alike.

- BlackHat Media Archives This archive of computer security presentations is provided free of charge as a service to the world wide computer security community.

- The hacker's tale: an interview with Kevin Mitnick Hacker extraordinaire Kevin Mitnick talks about the lessons he's learnt over his career and how he's using that knowledge to help businesses stay secure.

- So Many Holes So Few Hacks Experts who discover and report security holes seem to be far more industrious than the malicious hackers willing or able to exploit those holes.

- Hacker insurance set to rocket Hacker insurance on the rise, value of hacker policies still unclear though, warn analysts.

- Hooked Phishing is luring more and more of your customers. Make sure they don't take the bait.

- Hackers costing enterprises billions Hackers continued adding billions to the cost of doing business on the Internet in the first half of 2004, despite security executives' efforts to prevent malicious attacks.

- Hackers deploying 'bots' on a massive scale Hackers have increased their attempts to hijack PCs since the start of the year, with up to 75,000 being compromised daily

- Data Driven Attacks Using HTTP Tunneling Attackers can use HTTP tunneling to bypass access control restrictions.

- Sloppy banks open the door to phishermen Using a variant of well-known cross site scripting attacks.

- Ex-hacker: The unspoken, dirty little secret Hiring a hacker to assess the security risk of an organization.

- Plan to Counterattack Hackers Draws More Fire Some security analysts have stepped up their concerns that it could cause more problems than it solves.

- Hackers in demand! The only way to stop a hacker is to think like one and then put preventive measures in place.

- DoS and phishing attacks: coming to a mobile near you? Hacking tactics from PCs could soon be making their way to mobiles, with phishing and denial of service attacks possible due to Bluetooth hacking tools.

- Net threat overstated, says security researcher You could have isolated attacks against small networks, but they would most likely be able to recover quickly.

- Insurers to drop hacking premiums Prices predicted to drop as insurance firms gain better understanding of market

- SANS Institute's Alan Paller talks about fighting back hackers He laid out the seven most common and dangerous kinds of security attacks.

- Hacking insurance is a must Companies don't regard digital assets seriously enough.

- Hacking has its boundaries. What evil lurks in the hearts of hackers? Joe Grand knows, and he believes that systems administrators should know, too.

- Profiling network administrators A white hat hacker who pled guilty to accessing The New York Times computers without permission agreed to share what he knows about some of the common IT security slips network administrators make

- Fighting the hacker myth What is a hacker?

- Red Teaming: The Art of Ethical Hacking

- Befriending 'Homeless Hacker' Adrian Lamo You could say he is a criminal with a conscience

- Face-off: Hiring a hacker You're either willing to trust someone whose skills once landed them in trouble with the law, or you're not

- Ethical Hacking Techniques to Audit and Secure Web-enabled Applications This article will explain why the Web application is so vulnerable to attack and discuss three of the most common Web application hacking techniques