Application Security Architecture Authentication
CertificationsCorporate ComplianceCryptology
Disaster RecoveryEnterprise SecurityExploits
FirewallsIncident HandlingIntrusion Detection
OS SecurityPolicies and ProceduresSecurity Basics
Security ManagementSecurity ToolsServers
StandardsVoIPVulnerability Management
Web SecurityWiFi SecurityWorms and Viruses

Hardening BYOD: Implementing Critical Security Control 3 in a Bring Your Own Device (BYOD) Architecture

by Christopher Jarko

The increasing prevalence of Bring Your Own Device (BYOD) architecture poses many challenges to information security professionals. These include, but are not limited to: the risk of loss or theft, unauthorized access to sensitive corporate data, and lack of standardization and control. This last challenge can be particularly troublesome for an enterprise trying to implement the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSCs). CSC 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers, calls for hardened operating systems and applications. Even in traditional enterprise environments, this requires a certain amount of effort, but it is much more difficult in a BYOD architecture where computer hardware and software is unique to each employee and company control of that hardware and software is constrained. Still, it is possible to implement CSC 3 in a BYOD environment. This paper will examine options for managing a standard, secure Windows 10 laptop as part of a BYOD program, and will also discuss the policies, standards, and guidelines necessary to ensure the implementation of this Critical Security Control is as seamless as possible.
» Read more

Securing DNS Against Emerging Threats: A Hybrid Approach

by John Pescatore

This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve the security posture of organizations.
» Read more

Active Defense via a Labyrinth of Deception

by Nathaniel Quist

A network baseline allows for the identification of malicious activity in real time. However, a baseline requires that every listed action is known and accounted, presenting a nearly impossible task in any production environment due to an ever-changing application footprint, system and application updates, changing project requirements, and not least of all, unpredictable user behaviors. Each obstacle presents a significant challenge in the development and maintenance of an accurate and false positive free network baseline. To surmount these hurdles, network architects need to design a network free from continuous change including, changing company requirements, untested systems or application updates, and the presence of unpredictable users. Creating a static, never-changing environment is the goal. However, this completely removes the functionality of a production network. Or does it?
» Read more