Risk management
A successful risk management plan helps enterprises identify, plan for and mitigate potential risks. Learn about the components of risk management programs, including penetration tests, vulnerability and risk assessments, frameworks, security awareness training and more.
Top Stories
-
Feature
12 Jul 2024
Top enterprise risk management certifications to consider
Certifications are essential to many careers. Here are some useful enterprise risk management certifications for risk managers, IT professionals and other workers. Continue Reading
-
Tip
26 Jun 2024
The four phases of emergency management
To effectively recover from a disruptive incident, IT and DR teams must have a plan in place. This guide breaks down the four phases of an emergency management plan. Continue Reading
-
Tip
10 Jan 2022
5 principles of the network change management process
Network change management includes five basic principles, including risk analysis and peer review. These best practices can help network teams limit failed network changes and outages. Continue Reading
-
Definition
29 Dec 2021
white hat hacker
A white hat hacker -- or ethical hacker -- is an individual who uses hacking skills to identify security vulnerabilities in hardware, software or networks. Continue Reading
-
Feature
28 Dec 2021
Types of cybersecurity controls and how to place them
A unilateral cybersecurity approach is ineffective in today's threat landscape. Learn why organizations should implement security controls based on the significance of each asset. Continue Reading
-
Feature
28 Dec 2021
Top infosec best practices, challenges and pain points
Weak infosec practices can have irrevocable consequences. Read up on infosec best practices and challenges, as well as the importance of cybersecurity controls and risk management. Continue Reading
-
News
20 Dec 2021
Critical bugs could go unpatched amid Log4j concern
Many organizations are focused on finding and patching Log4Shell, but there are other vulnerabilities, including Patch Tuesday bugs, already under active exploitation. Continue Reading
-
Definition
14 Dec 2021
Chernobyl virus
The Chernobyl virus is a computer virus with a potentially devastating payload that destroys all computer data when an infected file is executed. Continue Reading
-
Tip
06 Dec 2021
How to get started with attack surface reduction
Attack surface reduction and management are vital to any security team's toolbox. Learn what ASR is and how it complements existing vulnerability management products. Continue Reading
-
Guest Post
30 Nov 2021
Enterprise password security guidelines in a nutshell
In this concise guide to passwords, experts at Cyber Tec outline the security problems that put enterprises at risk and offer answers on how to solve them. Continue Reading
-
Tip
29 Nov 2021
How SBOMs for cybersecurity reduce software vulnerabilities
With SBOMs, companies will know what components constitute the software they purchase, making it easier for security teams to understand and manage vulnerabilities and risks. Continue Reading
-
Feature
29 Nov 2021
Elastic Stack Security tutorial: How to create detection rules
This excerpt from 'Threat Hunting with Elastic Stack' provides step-by-step instructions to create detection rules and monitor network security events data. Continue Reading
-
Feature
29 Nov 2021
Elastic Security app enables affordable threat hunting
New to threat hunting in cybersecurity? Consider using the open code Elastic Stack suite to gather security event data and create visualizations for decision-makers. Continue Reading
-
Guest Post
23 Nov 2021
How to talk about cybersecurity risks, colloquially
The cybersecurity field is riddled with confusion and complexity. Knowing how to talk about risk and how to manage it is key to building resilience. Continue Reading
-
News
19 Nov 2021
How enterprises need to prepare for 'cyberwar' conflicts
Infosec expert Tarah Wheeler said increasing international conflicts are posing new compliance and regulatory standards, but adapting the changes may be difficult for enterprises. Continue Reading
-
Guest Post
15 Nov 2021
Reduce the risk of cyber attacks with frameworks, assessments
Don't rely on a compliance mandate to reduce the risk of cyber attacks or on a cyber insurer to cover an attack's aftermath. Assessments and frameworks are key to staying safe. Continue Reading
-
Guest Post
10 Nov 2021
4 concepts that help balance business and security goals
The goal of enterprise security is to maintain connectivity, while remaining protected. Use these four concepts to balance business and security goals. Continue Reading
-
News
08 Nov 2021
Bug bounty programs in 2021: High payouts, higher stakes
Bug bounty programs today offer high monetary rewards for researchers, but they can also suffer from communication issues, delays and inaction that may portend bigger problems. Continue Reading
-
News
05 Nov 2021
Routers, NAS and phones hacked in Pwn2Own competition
Security researchers have spent the week attempting to break into network-connected hardware and other devices in hopes of winning recognition and big payouts. Continue Reading
-
Feature
25 Oct 2021
How to use Python for privilege escalation in Windows
Penetration testers can use Python to write scripts and services to discover security vulnerabilities. In this walkthrough, learn how to escalate privileges in Windows. Continue Reading
-
Feature
25 Oct 2021
Why hackers should learn Python for pen testing
The authors of 'Black Hat Python' explain the importance of learning Python for pen testing, how it helps create scripts to hack networks and endpoints, and more. Continue Reading
-
Podcast
22 Oct 2021
Risk & Repeat: Apple bug bounty frustrations boil over
Security researchers criticized the Apple Security Bounty program and claimed the company ignored bug reports, denied bounty payments and silently patched vulnerabilities. Continue Reading
-
News
15 Oct 2021
Burned by Apple, researchers mull selling zero days to brokers
Security researchers have grown frustrated with Apple's lack of communication, ‘silent patching’ of vulnerabilities, denial of bug bounty rewards and other issues. Continue Reading
-
Tip
11 Oct 2021
5 open source offensive security tools for red teaming
To be an effective red teamer, you need the right tools in your arsenal. These are five of the open source offensive security tools worth learning. Continue Reading
-
Feature
30 Sep 2021
How to use Ghidra for malware analysis, reverse-engineering
The Ghidra malware analysis tool helps infosec beginners learn reverse-engineering quickly. Get help setting up a test environment and searching for malware indicators. Continue Reading
-
Feature
30 Sep 2021
Get started with the Ghidra reverse-engineering framework
Malware analysts use Ghidra to examine code to better understand how it works. Learn what to expect from the reverse-engineering framework, how to start using it and more. Continue Reading
-
News
13 Sep 2021
Tenable acquires cloud security startup Accurics for $160M
The acquisition will be Tenable's first expansion into securing infrastructure as code, as it makes a push to identify and fix flaws in cloud-native software. Continue Reading
-
News
31 Aug 2021
College students targeted by money mule phishing techniques
Back to fool: University students with little security training are being targeted by Nigerian scammers to move fraudulent funds with the lure of quick bucks and flexible hours. Continue Reading
-
Tip
31 Aug 2021
How to use Metasploit commands and exploits for pen tests
These step-by-step instructions demonstrate how to use the Metasploit Framework for enterprise vulnerability and penetration testing. Continue Reading
-
News
09 Aug 2021
Transparency after a cyber attack: How much is too much?
Sharing threat intelligence and proof-of-concept exploits can often help other organizations better defend themselves, but such efforts are hampered by obstacles and restrictions. Continue Reading
-
News
04 Aug 2021
14 flaws in NicheStack put critical infrastructure at risk
The vulnerability disclosure process for Infra:Halt, a set of flaws impacting critical infrastructure, took nearly a year, due to the nature of supply chain vulnerabilities. Continue Reading
-
News
28 Jul 2021
CISA unveils list of most targeted vulnerabilities in 2020
Attackers chased the headlines in 2020, going after the most publicized vulnerabilities in Citrix, Pulse Secure and Fortinet products, according to the U.S. government. Continue Reading
-
Podcast
22 Jul 2021
Risk & Repeat: Vulnerability patching still falling short
Many organizations still fail to patch critical vulnerabilities, even when they're under exploitation in the wild. What are the best ways to improve patching rates? Continue Reading
-
News
13 Jul 2021
Schneider Electric PLCs vulnerable to remote takeover attacks
The authentication bypass vulnerability is a symptom of a much larger security crisis plaguing industrial control hardware, according to researchers who found the bug. Continue Reading
-
News
12 Jul 2021
SolarWinds warns of zero-day vulnerability under attack
SolarWinds says targeted attacks from a single threat actor have been reported on a previously unknown vulnerability in the Serv-U file transfer platform. Continue Reading
-
News
08 Jul 2021
Dutch researchers shed new light on Kaseya vulnerabilities
Dutch security researchers were working with Kaseya to get an authentication bypass flaw and other bugs patched when the catastrophic supply chain attack occurred. Continue Reading
-
Tip
29 Jun 2021
Mitigate threats with a remote workforce risk assessment
Risk assessments are more necessary than ever as organizations face the challenge of protecting remote and hybrid workers alongside in-office employees. Continue Reading
-
Definition
22 Jun 2021
security
Security for information technology (IT) refers to the methods, tools and personnel used to defend an organization's digital assets. Continue Reading
-
News
16 Jun 2021
Zscaler: Exposed servers, open ports jeopardizing enterprises
Zscaler analyzed 1,500 networks and found administrators are leaving basic points of entry wide open for attackers as neglected servers are falling by the wayside. Continue Reading
-
Feature
15 Jun 2021
How to get started with security chaos engineering
Introducing security chaos engineering: the latest methodology security teams can implement to proactively discover vulnerabilities or weaknesses in a company's system. Continue Reading
-
Definition
14 Jun 2021
threat modeling
Threat modeling is a procedure for optimizing application, system or business process security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent or mitigate the effects of threats to the system. Continue Reading
-
News
08 Jun 2021
CISA taps Bugcrowd for federal vulnerability disclosure program
The new program follows a CISA directive from September that requires executive branch agencies to create and publish vulnerability disclosure policies. Continue Reading
-
Guest Post
08 Jun 2021
4 ways to build a thoughtful security culture
It's time companies paid more attention to their security culture, working toward building an effective security awareness program that everyone can understand and get behind. Continue Reading
-
Feature
07 Jun 2021
Hackers vs. lawyers: Security research stifled in key situations
The age-old debate between sharing information or covering legal liability is a growing issue in everything from bug bounties to disclosing ransomware attacks. Continue Reading
-
Feature
03 Jun 2021
How to ethically conduct pen testing for social engineering
Author Joe Gray explores his interest in pen testing for social engineering, what it means to be an ethical hacker and how to get started in the career. Continue Reading
-
Feature
03 Jun 2021
How to handle social engineering penetration testing results
In the wake of conducting social engineering penetration testing, companies need to have a plan ready to prevent or minimize phishing, vishing and other attacks. Continue Reading
-
Definition
21 May 2021
ethical hacker
An ethical hacker, or white hat hacker, is an information security expert authorized by an organization to penetrate computing infrastructure to find security vulnerabilities a malicious hacker could exploit. Continue Reading
-
News
18 May 2021
McAfee CTO: Use data to make better cyber-risk decisions
According to McAfee CTO Steve Grobman, the best response to today's cyber-risks includes both human and technology-based solutions, like threat intelligence and good security hygiene. Continue Reading
-
Definition
13 Apr 2021
physical security
Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. Continue Reading
-
Tip
12 Apr 2021
Threat intelligence frameworks to bolster security
Organizations have many threat intelligence frameworks to work with, each with its own advantages. From for-profit to nonprofit, here's help to figure out which ones you need. Continue Reading
-
Guest Post
06 Apr 2021
6 ways to prevent insider threats every CISO should know
Too often, organizations focus exclusively on external risks to security. Infosec expert Nabil Hannan explains what CISOs can do to effectively assess and prevent insider threats. Continue Reading
-
Guest Post
11 Mar 2021
Strengthening supply chain security risk management
In the wake of several supply chain attacks, Pam Nigro discusses how companies can work to reduce risk by broadening how to manage third-party vendors' access to company data. Continue Reading
-
Tip
25 Feb 2021
How to manage third-party risk in the supply chain
From third-party risk assessments to multifactor authentication, follow these steps to ensure suppliers don't end up being your enterprise cybersecurity strategy's weakest link. Continue Reading
-
Guest Post
11 Feb 2021
4 tips to help CISOs get more C-suite cybersecurity buy-in
CISOs can get more cybersecurity buy-in with cohesive storytelling, focusing on existential security threats, leading with CARE and connecting security plans to business objectives. Continue Reading
-
Tip
03 Feb 2021
Design a human firewall training program in 5 steps
Follow these five steps to develop human firewall training that's not only effective at preventing social engineering attacks, but also relevant and accessible to employees. Continue Reading
-
News
14 Jan 2021
Tenable: Vulnerability disclosures skyrocketed over last 5 years
New research from Tenable shows a dramatic increase in vulnerability disclosures since 2015, as well as concerning data about data breaches, ransomware threats and unpatched bugs. Continue Reading
-
Answer
07 Jan 2021
Explore benefits and challenges of cloud penetration testing
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help inform cloud pen test strategies. Continue Reading
-
Tip
06 Jan 2021
The human firewall's role in a cybersecurity strategy
The human firewall is a crucial element of a long-term, holistic security initiative. Explore how human firewalls can protect your enterprise against attacks. Continue Reading
-
Guest Post
31 Dec 2020
The enterprise case for implementing live-fire cyber skilling
Companies continue to grapple with the cybersecurity skills gap, but Adi Dar offers a way to ensure security teams are properly trained through the use of live exercises. Continue Reading
-
Feature
30 Dec 2020
Insider threat vs. insider risk: What's the difference?
Identifying, managing and mitigating insider threats is far different than protecting against insider risks. Read up on the difference and types of internal risks here. Continue Reading
-
Feature
30 Dec 2020
Insider risk indicators thwart potential threats
By paying attention to risk indicators, enterprises can tell the difference between insider threat and insider risk to prevent falling victim at the hands of one of their own. Continue Reading
-
Tip
09 Dec 2020
Key SOC metrics and KPIs: How to define and use them
Enterprises struggle to get the most out of their security operation centers. Using the proper SOC metrics and KPIs can help. Learn how to define and benefit from them here. Continue Reading
-
Quiz
08 Dec 2020
Practice Certified Ethical Hacker exam questions
Preparing for your Certified Ethical Hacker certification? Assess your knowledge of topics on the CEH exam with these practice test questions. Continue Reading
-
Feature
08 Dec 2020
Ethical hacker career path advice: Getting started
Matt Walker, author of a Certified Ethical Hacker exam guide and practice exam book, offers advice to career hopefuls on the profession, CEH certification and more. Continue Reading
-
Tip
04 Nov 2020
Red team vs. blue team vs. purple team: What's the difference?
Red team-blue team exercises simulate attacks on enterprise networks. What does each team do? Where do purple teams fit in? Find out here. Continue Reading
-
News
04 Nov 2020
SaltStack discloses critical vulnerabilities, urges patching
The SaltStack vulnerabilities, disclosed Tuesday, allow remote attackers to execute arbitrary code on affected installations of the popular open source software. Continue Reading
-
Guest Post
28 Oct 2020
Addressing the expanding threat attack surface from COVID-19
CISOs need to ensure they and their security teams are aware of the new threats created by many businesses expanding their attack surface with many employees still working remotely. Continue Reading
-
Guest Post
27 Oct 2020
The need for independent cybersecurity solutions testing
Rohit Dhamankar suggests implementing standardized testing of cybersecurity providers, like MSSPs and MDRs, to help companies better understand the services they're getting from each. Continue Reading
-
News
27 Oct 2020
Mitre ATT&CK: How it has evolved and grown
Adoption of the Mitre ATT&CK framework, which saw version 8.0 released Tuesday, has grown rapidly over the last years, though challenges still remain for enterprise users. Continue Reading
-
Guest Post
21 Oct 2020
Changing the culture of information sharing for cybersecurity
Dan Young explains why it's time for the cybersecurity industry to come together regarding information sharing and how insurance providers, regulators and others could assist. Continue Reading
-
Tip
19 Oct 2020
Planning a zero-trust strategy in 6 steps
Launch a zero-trust strategy in six steps. Learn how to form a dedicated team, ask questions about existing security controls and evaluate the priority of zero-trust initiatives. Continue Reading
-
Feature
12 Oct 2020
Cybersecurity budget relies on planning and negotiation
Experts from Gartner and Forrester discuss how successful cybersecurity budgeting during these uncertain times requires planning, research and negotiation. Continue Reading
-
Guest Post
09 Oct 2020
For Cybersecurity Awareness Month, learn about emerging risks
Tami Hudson examines why leaders should use October to educate themselves and their companies around the latest attacks bad actors are implementing and where to prioritize investment. Continue Reading
-
Guest Post
28 Sep 2020
How to improve cybersecurity for the workforce of the future
Many organizations continue to have employees work from home, but they haven't always hardened their cybersecurity efforts alongside this move to better protect employees and data. Continue Reading
-
Guest Post
28 Sep 2020
Cybersecurity testing essentials for mergers and acquisitions
Before moving forward with an M&A, conduct some cybersecurity testing to ensure your company knows how the acquired company protects data, employees and customers. Continue Reading
-
News
23 Sep 2020
ConnectWise launches bug bounty program to boost security
ConnectWise, which provides remote management software to MSPs, partnered with HackerOne in its first bug bounty program, which is part of a larger strategy to improve security. Continue Reading
-
News
09 Sep 2020
Intel patches critical flaw in Active Management Technology
Intel's Patch Tuesday featured four security advisories, including a critical flaw in Active Management Technology that could allow an attacker privilege escalation. Continue Reading
-
News
03 Sep 2020
CISA issues vulnerability disclosure order for federal agencies
The U.S. Cybersecurity and Infrastructure Security Agency gives a directive for federal agencies to establish vulnerability disclosure policies in the next 180 calendar days. Continue Reading
-
Feature
31 Aug 2020
Inclusivity a crucial step beyond diversity in cybersecurity
Spurred on by the social justice movement around the world, cybersecurity experts want to see a move beyond diversity efforts to ensure inclusivity in organizations as well. Continue Reading
-
Tip
24 Aug 2020
The 7 elements of an enterprise cybersecurity culture
An effective 'human firewall' can prevent or mitigate many of the threats enterprises face today. Adopt these seven elements of a culture of cybersecurity to defend against risks. Continue Reading
-
News
21 Aug 2020
Claroty: 70% of ICS vulnerabilities are remotely exploitable
Out of 365 ICS vulnerabilities that were disclosed by the National Vulnerability Database in the first half of 2020, Claroty found more than 70% can be remotely exploited. Continue Reading
-
News
11 Aug 2020
Healthcare CISO offers alternatives to 'snake oil' companies
Indiana University Health CISO Mitchell Parker discussed internal risk assessments, security snake oil salesmen and more at his Black Hat USA 2020 talk. Continue Reading
-
News
10 Aug 2020
Games, not shame: Why security awareness training needs a makeover
Elevate Security co-founder Masha Sedova spoke at Black Hat USA 2020 about why traditional security awareness training is ineffective and fails to change risky behavior. Continue Reading
-
News
06 Aug 2020
Voting vendor ES&S unveils vulnerability disclosure program
Election Systems & Software, the biggest vendor of U.S. voting equipment, will allow the security researcher community to test its elections equipment for vulnerabilities. Continue Reading
-
Quiz
03 Aug 2020
Test your cybersecurity knowledge with this quick ISM quiz
Read our August 2020 e-zine, and then take this short quiz to test your knowledge of cybersecurity awareness training and other issues -- from types of CISOs to talent recruitment. Continue Reading
-
Feature
03 Aug 2020
10 tips for cybersecurity awareness programs in uncertain times
Explore the winning tactics and tools CISOs and other cybersecurity leaders are employing in their programs to raise employee security awareness -- and consider how they might work for you. Continue Reading
- 03 Aug 2020
- 03 Aug 2020
- E-Zine 03 Aug 2020
-
Opinion
03 Aug 2020
Importance of cybersecurity awareness never greater
Security awareness is more essential than ever, but in a world of increasingly sophisticated threats, making it a reality requires more than set-it-and-forget-it training. Continue Reading
-
Tip
03 Aug 2020
How to start an enterprise bug bounty program and why
Incentivizing researchers for finding software vulnerabilities can be advantageous for vendors and participants. Here's what to know before starting a bug bounty program. Continue Reading
-
Feature
30 Jul 2020
How CISOs can deal with cybersecurity stress and burnout
Being a paramedic and working in cybersecurity taught CISO Rich Mogull how to avoid stress and burnout. Check out his advice to maintain mental health in high-stress roles. Continue Reading
-
Answer
15 Jun 2020
How to protect workloads using a zero-trust security model
Never trust, always verify. Learn how to implement a zero-trust security model to help manage risk and protect IT workloads at your organization. Continue Reading
-
Tip
05 May 2020
Identifying common Microsoft 365 security misconfigurations
Microsoft 365 security problems can double the time it takes to contain a breach, according to a new survey. Check out best practices and operational strategies to fix them. Continue Reading
-
News
28 Apr 2020
Bugcrowd launches 'classic' penetration testing service
The crowdsourcing security company launched the Bugcrowd Classic Pen Test service to offer enterprises a more cost-effective and efficient way to test their cybersecurity posture. Continue Reading
-
Tip
07 Apr 2020
AI pen testing promises, delivers both speed and accuracy
AI is making many essential cybersecurity tasks more effective and efficient. AI-enabled penetration testing, or BAS, technologies are a case in point. Continue Reading
-
News
01 Apr 2020
Voatz disputes claims it was 'kicked off' HackerOne
HackerOne has cut ties with Voatz, but the mobile voting vendor disputed reports that it was kicked off the bug bounty platform following controversy with security researchers. Continue Reading
-
Answer
10 Mar 2020
Risk management vs. risk assessment vs. risk analysis
Understanding risk is the first step to making informed budget and security decisions. Explore the differences between risk management vs. risk assessment vs. risk analysis. Continue Reading
-
Opinion
04 Mar 2020
RSA 2020 wrap-up: VMware Carbon Black integrations; MAM for BYOD; how to handle non-employees
RSA is always full of interesting things to learn about, so here are a few more vendors I sat down with. Continue Reading
- 03 Feb 2020
-
Feature
03 Feb 2020
Cisco CISO says today's enterprise must take chances
Cisco CISO Steve Martino talks about taking chances, threats, how the security leader's role is changing and what really works when it comes to keeping the company secure. Continue Reading
-
Tip
22 Jan 2020
How to write a quality penetration testing report
Writing a penetration testing report might not be the most fun part of the job, but it's a critical component. These tips will help you write a good one. Continue Reading