20 useful IT security Web sites

How to foil hackers, protect users and prepare for the inevitable robot uprising

  • IT Compliance Institute: The IT department may be more involved in complying with various government, security and privacy regulations than ever before. This site provides one-stop shopping for compliance news, research and analysis. One useful tool lets you search for regulations by industry and region (registration required).

  • SecurityFocus: A collection of security primers and news updates, the Web site also offers weekly newsletters on both Microsoft and Linux security issues. One typical recent news story titled "Web developers, fix thy Flash" detailed how poorly scripted Flash files on a banking (or other) Web site could put a customer's personal information and money at risk.

  • Bruce Schneier: Schneier is one of the foremost minds on computer security today, and on this site you can read his blog along with seemingly every article he's written and interview he's granted over the past few years. It's also the place to sign up for Crypto-Gram, Schneier's monthly newsletter, which delves into topics as diverse as Israeli aircraft security, privacy and vendor lock-in.

  • Find out something no one else knows? This is the place to report computer hacking, fraud and Internet-related crimes to the government. With so many government agencies, it's easy to get lost in a bureaucratic maze when you don't know who to contact, but this site does a pretty good job listing which crimes should be reported to which agencies.

  • Liquidmatrix Security Digest: Liquidmatrix is a labor of love for Dave Lewis, a security professional who has run the site since 1998 while working in the financial, military, government and health care industries. Lewis aggregates security news and information, and is nothing if not prolific. In one recent two-day stretch, he posted 10 blog items covering Trojan attacks launched against pro-Tibetan groups, Google's "family safety guide," and vulnerabilities in Cisco and Microsoft products.

  • Cisco Security Center: Cisco provides all of its product security alerts here, along with a wealth of other information. In-depth reports include a monthly response to the latest Microsoft security bulletin, a variety of technical guides, and reports from Cisco's IntelliShield on recent vulnerabilities. Some content must be paid for, but a lot of it is free.

  • Monitoring employee Web use: Should you monitor employees' Web use? This is the question discussed in an article at the Microsoft Small Business Center, which says executives should ask themselves whether monitoring solves a real problem, or is fueled by paranoia. Overzealous monitoring can backfire, so you need a reasonable balance between security and privacy. There are plenty of affordable monitoring tools out there, and this site gives a high-level overview of such tools and helps you figure out the best way to implement a monitoring program.

  • SecureMac: Macs generally come under attack less often than Windows machines, but this site authored by "Macintosh security experts around the world" keeps you up to date on the latest threats to Apple computers, and tools for protecting the Mac.

  • SANS Institute: The SANS reading room has more than 1,600 free white papers covering a vast range of security topics, such as disaster recovery, legal issues, mainframes, logging technology, VoIP, Windows, storage and many more. The site is run by SANS, a provider of information security training, certification courses and research. Even for people who'd rather not pay for SANS training, there are plenty of resources including an "Internet Storm Center" that analyzes recent exploits and security news.

  • Open Web Application Security Project (OWASP): Dedicated to improving the security of Web applications, this nonprofit publishes a list of the top ten Web application vulnerabilities along with information on how to protect against hackers looking to exploit these security holes. Tops on the list are cross-site scripting and injection flaws.

  • US government Computer Security Resource Center: Maintained by the National Institute of Standards and Technology, this site contains resources for complying with the Federal Information Security Management Act (mandatory for government agencies and government contractors), as well as technical guides for improving security regardless of government mandates. Recent guides include one on securing external devices for telework and remote access, and another on storage encryption technologies for end-user devices.

  • Commtouch Malware Outbreak Center: Ever wonder whether a virus that wrecked your computer could have been stopped if you were just using a different anti-virus tool? You can find out at this site run by Commtouch, which lists recently discovered malware and details the response from more than 30 anti-virus tools. Just keep in mind that the site displays only those viruses caught by Commtouch's technology, which it calls Zero-Hour Virus Outbreak Protection. While there's some obvious self-interest here, Commtouch says the comparison of other vendors can be trusted because the results come from the independent AV-Test.

  • How to survive a robot uprising: Okay, this one's just for goofs. You're walking in an alley after dark and a menacing figure approaches. Is it man or machine? This Web site, based on a book by author Daniel H. Wilson, helps you prepare for that inevitable robot uprising which will happen any century now. To survive a robot uprising, you'll have to be aware of your surroundings, swiftly determine whether a robot is hostile or friendly, and, in worst-case scenarios, pose as a humanoid robot or survive hand-to-hand combat. What the heck, it'll be more fun than doing something useful, right?

  • 103 Free Security Apps for Mac, Windows and Linux: The headline really says it all. This list (also from is about a year old, but provides a comprehensive set of links to free tools for network security, anti-virus, intrusion detection, virtual private networks, temporary file cleanup and deletion, wireless network controls, encryption, anti-rootkit applications and more.

  • CERT: Detailed reports on insider threats, best practices for governing enterprise security programs and other topics are among the highlights of this site. CERT, located at Carnegie Mellon University's Software Engineering Institute, studies Internet security vulnerabilities and provides information and training to help IT shops improve security.

  • Secunia: Here's a place to get news on the latest vulnerabilities that could leave you open to attack, whether they exist in Firefox, VMware, Cisco products or anything else on your network. The alerts are gathered by Secunia, a six-year-old company that distributes information about security bugs and how to fix them. The advisories mostly come directly from the vendors whose products are affected, but this site aggregates them all and provides a chronological list of viruses detected by seven anti-virus companies.

  • IronPort Security Network: This site gets into the nitty-gritty of the hacking world: one report lists the top 100 spammers by IP address in the past 24 hours. A simple search tool on the site lets you check the credibility of any IP address or domain name.

  • IT Security: Ranging from general tips to specific advice on how to implement systems and choose security products, this site has a series of invaluable white papers and FAQs. Small companies just getting started with security may want to check out IT Security's "Nine essential checklists" with details on protecting remote laptops, e-mail security, and securing your Web servers and Internet connection. More nitty-gritty resources include a security audit asking questions like "how difficult are your passwords to crack?"

  • Microsoft TechNet Security Center: Download the latest Microsoft security bulletins and get a host of other research articles and practical tools to help defend your network. Resources include a malicious software removal tool, and a guide for encrypting data on mobile PCs combined with software that centrally controls PC encryption settings.

  • A chronology of data breaches: More than 220 million records containing sensitive personal information have been leaked in security breaches in the United States since January 2005. This site tracks every breach and provides links to resources businesses should consult if they experience a security breach and aren't sure how to respond.
