Get started

Get started

Bring yourself up to speed with our introductory content.

• Put application security testing at the top of your do-now list

  It's time to take a new attitude toward application security. Learn what must be tested and the specific steps that will take your apps from vulnerable to fortified. Continue Reading

• Craft an effective application security testing process

  For many reasons, only about half of all web apps get proper security evaluation and testing. Here's how to fix that stat and better protect your organization's systems and data. Continue Reading

• The who, what, why -- and challenges -- of CISM certification

  Think you're ready for the CISM certification exam? Peter Gregory, author of CISM: Certified Information Security Manager Practice Exams, has some pointers for you. Continue Reading

• How to keep each cloud workload accessible and secure

  Cloud security long operated on a shared-responsibility model, but lately that burden has shifted to the shoulders of the in-house security team. Continue Reading

• Learn some key cloud workload protection best practices

  Learn key practices to protect cloud workloads whether using VMs, endpoints or containers. And don't forget to consider the best means for building a fruitful feedback loop. Continue Reading

• Definitions to Get Started

  • What is machine identity management?
  • What is unified threat management (UTM)?
  • What is two-factor authentication (2FA)?
  • What is authentication, authorization and accounting (AAA)?

  • What is the Mitre ATT&CK framework?
  • What is extended detection and response (XDR)?
  • What is OPSEC (operations security)?
  • What is user behavior analytics (UBA)?

  View All Definitions

• What cloud workload security tools and controls work best?

  Read on to learn how to build a cloud security model that allows your team to embed controls and monitor deployment without getting in the way of business processes.Continue Reading

• The ins and outs of cyber insurance coverage

  Cyber insurance coverage can help companies successfully navigate the aftereffects of a data breach. However, choosing a policy in the first place can be confusing.Continue Reading

• How to implement zero-trust cloud security

  The nature of cloud environments and workloads is changing. Security team approaches must evolve in response. Learn how to implement zero-trust cloud security from expert Dave Shackleford.Continue Reading

• What is the role of CISO in network security?

  The role of CISO in network security goes beyond risk management. It also requires understanding compliance regulations and business needs, as well as the ability to communicate security policies to nontechnical employees.Continue Reading

• Building a security operations center with these features

  Building a security operations center means understanding the key features you need to ensure your network remains protected against threats.Continue Reading

• Do you have the right set of penetration tester skills?

  Pen testing is more than just the fun of breaking into systems. Learn about the critical penetration tester skills potential candidates must master to become proficient in their career path.Continue Reading

• Comparing Diffie-Hellman vs. RSA key exchange algorithms

  See which encryption method uses digital signatures, symmetric key exchanges, bulk encryption and much more in this Diffie-Hellman vs. RSA showdown.Continue Reading

• Raise enterprise network visibility, and security rises too

  The need to improve network visibility has bedeviled IT teams for years. Better tools offer hope but there are privacy and ethical concerns that come with responsible use.Continue Reading

• application whitelisting

  Application whitelisting is the practice of specifying an index of approved software applications or executable files that are permitted to be present and active on a computer system.Continue Reading

• Test your grasp of AI threats, privacy regulations and more

  Test your grasp of current security topics like AI in cybersecurity and what privacy regulations require. Then receive CPE credit by passing this quiz.Continue Reading

• Enterprises feel the pain of cybersecurity staff shortages

  It's hard enough keeping up with today's threats on a good day. But when your IT organization is spread thin, especially in terms of cybersecurity staff, the challenges mount.Continue Reading

• CompTIA PenTest+ practice test questions to assess your knowledge

  Think you're ready to take the CompTIA PenTest+ certification exam? Test your skill set with some of the sample multiple-choice questions you may be facing.Continue Reading

• What types of cybersecurity insurance coverage are available?

  Cybersecurity insurance coverage could prove invaluable to risk mitigation -- if it's chosen carefully. Find out which type of insurance plan is right for your organization.Continue Reading

• The 3 pillars of a DevSecOps model

  In this excerpt from Chapter 1 of Securing DevOps: Security in the Cloud, author Julien Vehent describes three principles critical to the DevSecOps model.Continue Reading

• The 3 types of DNS servers and how they work

  DNS is a core internet technology, instrumental in mapping human-readable domains into corresponding IP addresses. Learn about the three DNS server types and their roles in the internet.Continue Reading

• Penetration testing vs. red team: What's the difference?

  Is penetration testing the same as red team engagement? There are similarities, but they're not the same. Understand the differences to improve your organization's cyberdefenses.Continue Reading

• Create a manageable, secure IT/OT convergence strategy in 3 steps

  An effective IT/OT strategy requires at least three things: an evangelist, an infrastructure reference architecture and a plan to sanely divide operations between IT and OT.Continue Reading

• Cybersecurity frameworks hold key to solid security strategy

  Cybersecurity frameworks take work, but they help organizations clarify their security strategies. If you don't have one, here's what to consider, even for emerging perimeterless security options.Continue Reading

• What's the purpose of CAPTCHA technology and how does it work?

  Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums and blog comment sections.Continue Reading

• Test your infosec smarts about IAM and other key subjects

  Solidify your knowledge and get CPE credits by taking this quiz on IAM, security frameworks, IoT third-party risks and more.Continue Reading

• What it takes to be a DevSecOps engineer

  To address security early in the application development process, DevSecOps requires a litany of skills and technology literacy. Learn what it takes to be a DevSecOps engineer.Continue Reading

• How to build and maintain a multi-cloud security strategy

  When using multiple cloud service providers, it's critical to consider your enterprise's cloud scope and the specifics of each cloud service to maintain security.Continue Reading

• How does AttackSurfaceMapper help with attack surface mapping?

  A new open source pen testing tool expedites attack surface mapping -- one of the most important aspects of any penetration testing engagement.Continue Reading

• How to navigate the often challenging CISO career path

  There's no clear-cut path to becoming a CISO. However, the right security certifications, an ever-questioning attitude and a strong network of CISO peers can help prepare you for the journey.Continue Reading

• New network traffic analysis tools focus on security

  Companies have used traffic data analytics to improve bandwidth and network performance. Now, though, a new class of tools taps network data to improve security.Continue Reading

• Network traffic analysis tools secure a new, crucial role

  Gartner just produced its first-ever guide to network traffic analytics security tools. Learn how the analysis of network traffic is broadening to include network security.Continue Reading

• How to build an enterprise penetration testing plan

  Simulating an attack against your network is one of the best ways to remediate security holes before the bad guys find them. Here, learn penetration testing basics and how it can help keep your enterprise safe.Continue Reading

• How to start building a DevSecOps model

  To help transition to a DevSecOps model to protect enterprises, security teams need to identify key stakeholders, provide examples of specific company security events and work toward creating crossover teams.Continue Reading

• The must-have skills for cybersecurity aren't what you think

  The most critical skills that cybersecurity lacks -- like leadership buy-in, people skills and the ability to communicate -- are not the ones you hear about. That needs to change.Continue Reading

• New tech steers identity and access management evolution

  IAM is evolving to incorporate new technologies -- like cloud-based services and containerization -- promising more secure, granular management of access to company IT assets.Continue Reading

• How to pass the CISSP exam on your first try: Tips to get a good score

  Want to become a CISSP? Here's everything you need to know, such as how difficult the exam is, tips for studying, what's needed to obtain a passing score and more.Continue Reading

• How to limit the cloud security blast radius of credential attacks

  Explore how the security blast radius concept, which has admins evaluating how to assess and limit the damage of a threat, can be applied to cloud identity and access management.Continue Reading

• Portrait of a CISO: Roles and responsibilities

  Success in the role of CISO requires security experts to wear many hats. Couple that with changes in compliance regulations and sophisticated cyberthreats, and CISOs are left with a full plate.Continue Reading

• How does an island hopping attack work?

  Hackers know better than to directly attack a well-defended target; learn how they use island hopping attack strategies to elude defenders -- and how best to repel them.Continue Reading

• Building a threat intelligence framework: Here's how

  A robust threat intelligence framework is a critical part of a cybersecurity plan. A top researcher discusses what companies need to know.Continue Reading

• What are the core components of a cybersecurity framework?

  Cybersecurity frameworks differ from one company to another, but each plan has four fundamental stages. Find out what you need to know.Continue Reading

• Strategies to mitigate cybersecurity incidents need holistic plans

  Every organization needs strategies to mitigate cybersecurity incidents, but what areas should the strategies address? Find out what experts suggest to protect the entire organization.Continue Reading

• Words to go: Identity and access management security

  IT pros must keep up to date with rapidly changing identity technology and access threats. Help protect IAM security by getting familiar with this list of foundation terms.Continue Reading

• Everything you need to know about multi-cloud security

  Make multi-cloud security a reality in your organization with these tips and strategies from industry experts as you implement more cloud platforms.Continue Reading

• What is the best way to write a cloud security policy?

  Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these policy writing best practices.Continue Reading

• What are the top cloud security certifications for 2019?

  Cloud security certifications serve to bolster security professionals' resumes and boost value to employers. Learn about the top certifications available from expert Nick Lewis.Continue Reading

• The CISO's guide to Kubernetes security and deployment

  Container orchestration platform Kubernetes provides tools needed to deploy scalable applications with efficiency. Learn what steps CISOs must take to secure a Kubernetes environment.Continue Reading

• Why user identity management is a security essential

  Who's on your network and accessing your data? IT security teams must be able to answer these questions. A strong identity management strategy will help.Continue Reading

• Biometric authentication terms to know

  Consumers are on board with biometric authentication, but enterprises aren't so sure. Here's a breakdown of the must-know terms for companies considering biometric authentication.Continue Reading

• Can holistic cybersecurity deliver the needed protection?

  A holistic approach to cybersecurity can provide continuous monitoring -- or create holes a hacker can breach. What makes the difference? It comes down to implementation.Continue Reading

• What holistic network security tools offer an organization

  Tools that provide a holistic approach to monitoring the IT infrastructure come in a variety of configurations and delivery models. Learn what's available.Continue Reading

• What is subdomain takeover and why does it matter?

  Subdomain takeover exposure can happen when cloud-hosted web services are incompletely decommissioned, but configuration best practices can reduce the risks.Continue Reading

• What is MTA-STS and how will it improve email security?

  Discover how the MTA-STS specification will improve email security by encrypting messages and enabling secure, authenticated email transfers between SMTP servers.Continue Reading

• 3 reasons privilege escalation in the cloud works

  Statistics show that many cloud attacks are linked to credential and privilege misuse. Learn three ways threat actors are able to launch privilege escalation attacks in the cloud.Continue Reading

• How can SIEM and SOAR software work together?

  Many security pros initially thought SOAR software could replace SIEM. Our security expert advocates learning how SIEM and SOAR can work together.Continue Reading

• The future of SIEM: What needs to change for it to stay relevant?

  Compared to security orchestration, automation and response (SOAR) software, SIEM systems are dated. Expert Andrew Froehlich explains how SIEM needs to adapt to keep up.Continue Reading

• How to find an MSP to protect you from outsourcing IT risks

  Check out what questions to ask MSPs to make sure they have the right security systems in place to protect your organization against outsourcing IT risks.Continue Reading

• Why EDR technologies are essential for endpoint protection

  In this post-perimeter era, endpoint detection and response tools can provide essential protection to thwart advanced persistent threats. Learn what EDR offers.Continue Reading

• Endpoint security tools get an essential upgrade

  Malware, APTs and other threats are getting smarter, but so are endpoint detection and response products. Learn what the latest versions can do to keep threats away.Continue Reading

• How to perform a building security assessment

  There are four major systems to review in a building security assessment. Learn what they are and how to review their potential cyber and physical risks.Continue Reading

• How to conduct a security risk review on a large building

  Assessors cannot dive into a security risk review of a large building; they have to prepare and strategize ahead of time. Learn how to get ready for this type of security assessment.Continue Reading

• 5 common authentication factors to know

  Multifactor authentication is a security system that requires two or more authentication steps to verify the user's identity. Discover the most important terms related to MFA.Continue Reading

• How to manage application security best practices and risks

  The reality of application security risks requires software developers to be mindful of testing, tools and best practices to improve user experience and information security.Continue Reading

• Take this cybersecurity-challenges quiz and score CPE credit

  Just finished ISM's May 2019 issue? Solidify your knowledge, and get CPE credits too, by passing this 10-question quiz.Continue Reading

• Huawei ban highlights 5G security issues CISOs must tackle

  Why worry over Huawei? A U.S. ban of this Chinese company's products should remind CISOs that now is the time to consider security issues related to the rollout of the 5G network.Continue Reading

• Cloud security threats need a two-pronged approach

  You'll need to burn the security 'candle' at both ends to keep cloud safe from both nation-state hackers and vulnerabilities caused by human error.Continue Reading

• Conquering cloud security threats with awareness and tools

  Continue Reading

• Words to go: Multi-cloud security strategy

  For many enterprises, implementing multi-cloud security is complicated. Here's a breakdown of the must-know multi-cloud terms for organizations setting up this type of deployment.Continue Reading

• How to build a strong cloud network security strategy

  Building a secure network in the cloud is different from securing a traditional network. Learn what the main differences are and how to establish cloud networking security.Continue Reading

• The security benefits of using infrastructure as code

  Infrastructure as code bolsters security and ensures security best practices are built into software development. Learn more about the use of infrastructure-as-code models.Continue Reading

• How to put AI security to work in your organization

  Countering cyberthreats through human effort alone is impossible; you need to add AI and machine learning products to your security program. Here's how to get started.Continue Reading

• Mimikatz tutorial: How it hacks Windows passwords, credentials

  In this Mimikatz tutorial, learn about the password and credential dumping program, where you can acquire it and how easy it makes it to compromise system passwords.Continue Reading

• The security implications of serverless cloud computing

  Cloudflare Workers is new for serverless cloud computing and introduces benefits and drawbacks for security professionals. Expert Ed Moyle discusses the security side of serverless.Continue Reading

• Try this quiz on cybersecurity problems to earn CPE credit

  This quiz tests your understanding of key cybersecurity issues in 2019 covered in the February issue of 'Information Security' magazine. Pass the quiz and earn CPE credit.Continue Reading

• How to comply with the California privacy act

  Organizations that handle California consumer data have a year to comply with CCPA. Expert Steven Weil discusses what enterprises need to know about the California privacy law.Continue Reading

• How to build a cloud security strategy after migration

  Enterprises can face an array of issues when they migrate to the cloud. Learn about three of the main challenges and how to effectively create a cloud security strategy.Continue Reading

• Three examples of multifactor authentication use cases

  When evaluating the business case for multifactor authentication, an organization must first identify how these three operational scenarios apply to a potential implementation.Continue Reading

• Exploring multifactor authentication benefits and technology

  Take a look at multifactor authentication benefits and methods, as well as how the technologies have evolved from key fobs to smartphones, mobile devices and the cloud.Continue Reading

• How to perform an ICS risk assessment in an industrial facility

  An important step to secure an industrial facility is performing an ICS risk assessment. Expert Ernie Hayden outlines the process and why each step matters.Continue Reading

• Customer identity and access management: Why now and how?

  There's an important distinction between consumers and customers; just as crucial is understanding the difference between customer IAM and traditional IAM.Continue Reading

• CCPA compliance begins with data inventory assessment

  In this SearchCIO Q&A, multiple experts sound off on major questions businesses have about CCPA compliance ahead of its January 2020 enforcement date.Continue Reading

• What Moody's cyber-risk ratings mean for enterprises

  Moody's announced it will soon begin composing cyber-risk ratings for enterprises. Kevin McDonald explores the move and what it could mean for enterprises and the infosec industry.Continue Reading

• 5 actionable deception-tech steps to take to fight hackers

  Consider taking these five 'deceptive' steps to make your detection and response capabilities speedier, more effective and to improve your company's security posture.Continue Reading

• Testing email security products: Challenges and methodologies

  Kevin Tolly of the Tolly Group offers a look at how his company set out to test several email security products, as well as the challenges it faced to come up with sound methodologies.Continue Reading

• How Google's cloud data deletion process can influence security policies

  Understanding the process behind Google's cloud data deletion can help influence stronger enterprise security policies. Expert Ed Moyle explains the process and how to use it.Continue Reading

• How to configure a vTAP for cloud networks

  A vTAP can give enterprises better visibility into their cloud networks. Expert Frank Siemons of InfoSec Institute explains how virtual network TAPs work and the available options.Continue Reading

• NIST incident response plan: 4 steps to better incident handling

  The NIST incident response plan involves four phases enterprises can take to improve security incident handling. Expert Mike O. Villegas reviews each step.Continue Reading

• How to protect enterprise ICS networks with firewalls

  ICS network security can be improved using firewalls. Expert Ernie Hayden explains how ICS-specific firewalls can help keep ICS networks strong and protected.Continue Reading

• How Shodan helps identify ICS cybersecurity vulnerabilities

  Shodan can be a helpful tool for security pros to locate ICS cybersecurity vulnerabilities. Expert Ernie Hayden explains how Shodan works and how it can be used for security.Continue Reading

• How to collect open source threat intelligence in the cloud

  Threat intelligence analysis can be challenging and expensive for enterprises. Expert Frank Siemons explains how open source threat intelligence can simplify the process.Continue Reading

• How do cloud deployment models affect IT operations?

  Security plays a vital role in cloud operations. Test your knowledge of important concepts covered in Domain 5 of the CCSP exam, “Operations,” with this practice quiz.Continue Reading

• Securing remote access for cloud-based systems

  Don't believe the hype: Access control in the cloud is not a lost cause. Read these tips to learn how you can better secure remote access to your cloud-based systems.Continue Reading

• How does the SynAck ransomware use Process Doppelgänging?

  A technique called Process Doppelgänging was used by the SynAck ransomware to bypass security software. Expert Michael Cobb explains how this technique works and why it's unique.Continue Reading

• SIEM evaluation criteria: Choosing the right SIEM products

  Establishing solid SIEM evaluation criteria and applying them to an organization's business needs goes far when selecting the right SIEM products. Here are the questions to ask.Continue Reading

• Advances in access governance strategy and technology

  Recent advances in IAM policy, strategy and technology are raising companies' ability authenticate identities and manage access to their systems and data.Continue Reading

• SIEM benefits include efficient incident response, compliance

  SIEM tools enable centralized reporting, which is just one of the many SIEM benefits. Others include real-time incident response, as well as insight for compliance reporting.Continue Reading

• Test your knowledge of secure software architecture

  Domain 4 of the CCSP exam covers the fundamentals of cloud application security. Take this practice quiz to see how well you've absorbed key concepts and vocabulary.Continue Reading

• A comprehensive guide to SIEM products

  Expert Karen Scarfone examines security information and event management systems and explains why SIEM systems and SIEM products are crucial for enterprise security.Continue Reading

• Endgame's Devon Kerr on what it takes to be a threat hunter

  Threat hunting goes beyond mere monitoring and detection. Endgame's Devon Kerr explains tomorrow's threat hunters and the keys to successful cyberthreat hunting.Continue Reading

• The risks of container image repositories compared to GitHub

  As container use rises, so does the use of container image repositories. Expert Dave Shackleford discusses the risks associated with them and how they compare to other registries.Continue Reading