Risk management
A successful risk management plan helps enterprises identify, plan for and mitigate potential risks. Learn about the components of risk management programs, including penetration tests, vulnerability and risk assessments, frameworks, security awareness training and more.
Top Stories
-
Feature
12 Jul 2024
Top enterprise risk management certifications to consider
Certifications are essential to many careers. Here are some useful enterprise risk management certifications for risk managers, IT professionals and other workers. Continue Reading
-
Tip
26 Jun 2024
The four phases of emergency management
To effectively recover from a disruptive incident, IT and DR teams must have a plan in place. This guide breaks down the four phases of an emergency management plan. Continue Reading
-
News
20 Jan 2020
CyCognito turning tables by using botnets for good
In this Q&A with CyCognito CEO Rob Gurzeev, he discusses what led to his company, how attack simulations work and how he plans to spend the company's recent round of funding. Continue Reading
-
Tip
16 Jan 2020
Craft an effective application security testing process
For many reasons, only about half of all web apps get proper security evaluation and testing. Here's how to fix that stat and better protect your organization's systems and data. Continue Reading
-
Quiz
07 Jan 2020
CISM practice questions to prep for the exam
Risk management is at the core of being a security manager. Practice your risk management knowledge with these CISM practice questions. Continue Reading
-
Tip
31 Dec 2019
NIST CSF provides guidelines for risk-based cybersecurity
Organizations benefit from identifying their unique risks when developing cybersecurity processes. Here's how the NIST Cybersecurity Framework can help guide risk-based IT protection. Continue Reading
-
News
16 Dec 2019
Siemens ICS flaws could allow remote exploits
Siemens recommends locking down industrial control systems as security researchers disclose 54 bugs, including remote exploit flaws, but only three patches are available. Continue Reading
-
Answer
09 Dec 2019
How can companies identify IT infrastructure vulnerabilities?
New, sophisticated technology is available to help infosec pros find IT infrastructure vulnerabilities. Automated pen testing and outsourcing threat intelligence services can help. Continue Reading
-
News
22 Nov 2019
Android Security Rewards program expands, adds $1.5M bounty
Google expanded its Android bug bounty program to include data exfiltration and lock screen bypass and raised its top prize for a full chain exploit of a Pixel device. Continue Reading
-
Answer
21 Nov 2019
Do you have the right set of penetration tester skills?
Pen testing is more than just the fun of breaking into systems. Learn about the critical penetration tester skills potential candidates must master to become proficient in their career path. Continue Reading
-
News
15 Nov 2019
Check Point: Qualcomm TrustZone flaws could be 'game over'
Researchers discovered vulnerabilities in Qualcomm TrustZone that Check Point says could lead to 'unprecedented access' because of the extremely sensitive data stored in mobile secure elements. Continue Reading
-
Feature
13 Nov 2019
Build new and old strategies into insider threat management
The risk of insider threat does not discriminate across industry lines. Learn how to build an insider threat management program that combines AI, zero-trust principles and a healthy security culture. Continue Reading
-
Feature
25 Oct 2019
On a penetration tester career path, flexibility and curiosity are key
Becoming a pen tester takes more than passing an exam. Learn the qualities ethical hackers should embrace to achieve success on their penetration tester career path. Continue Reading
-
Quiz
24 Oct 2019
CompTIA PenTest+ practice test questions to assess your knowledge
Think you're ready to take the CompTIA PenTest+ certification exam? Test your skill set with some of the sample multiple-choice questions you may be facing. Continue Reading
-
Feature
23 Oct 2019
Combat the human aspect of risk with insider threat management
When it comes to insider threat awareness and prevention, enterprises would be wise to marry a people-centric approach with a technology-centric approach. Continue Reading
-
News
22 Oct 2019
Bugcrowd launches Attack Surface Management platform
The new platform provides an extra layer of testing by sending its findings to Bugcrowd's crowdsourced security testing tools. Continue Reading
-
Feature
21 Oct 2019
Netscout CSO speaks to third-party risk, security gender gap
Veteran CSO at Netscout Deb Briggs recaps her fireside chat with Cisco CSO Edna Conway at FutureCon 2019, including their discussion on third-party risk and the gender gap in the security industry. Continue Reading
-
Answer
21 Oct 2019
6 different types of hackers, from black hat to red hat
Black, white and grey hats are familiar to security pros, but as the spectrum evolves to include green, blue and red, things get muddled. Brush up on types of hackers, new and old. Continue Reading
-
Tip
15 Oct 2019
Essential instruments for a pen test toolkit
Does your penetration testing toolkit have the proper contents? Learn the must-have tool for any pen tester, as well as specific tools for wireless, network and web app pen testing. Continue Reading
-
Feature
01 Oct 2019
Your third-party risk management best practices need updating
Organizations must modernize third-party risk management best practices to adapt to the changing technology landscape. Diversify risk assessments with these expert tips. Continue Reading
-
Feature
26 Sep 2019
Top tips for using the Kali Linux pen testing distribution
It's the best Linux distro for penetration testers' toolkits, but it's not just any Linux. Get tips on Kali Linux pen testing from project lead Jim O'Gorman. Continue Reading
-
Answer
26 Sep 2019
Penetration testing vs. red team: What's the difference?
Is penetration testing the same as red team engagement? There are similarities, but they're not the same. Understand the differences to improve your organization's cyberdefenses. Continue Reading
-
Tip
25 Sep 2019
Build an agile cybersecurity program with Scrum
Scrum's core principles translate well into an agile cybersecurity program setting. Learn how this framework bolsters communication and collaboration within infosec teams. Continue Reading
-
Feature
24 Sep 2019
Using DNS RPZ to pump up cybersecurity awareness
Combining DNS with threat intelligence feeds could hold a key to improving cybersecurity awareness by educating users who attempt to access potentially malicious websites. Continue Reading
-
Tip
19 Sep 2019
Cybersecurity frameworks hold key to solid security strategy
Cybersecurity frameworks take work, but they help organizations clarify their security strategies. If you don't have one, here's what to consider, even for emerging perimeterless security options. Continue Reading
-
News
12 Sep 2019
DerbyCon panel discusses IT mistakes that need to stop
Common security risks can be mitigated or prevented, according to a panel at DerbyCon. But users need to feel empowered to speak up, and education needs to be better. Continue Reading
-
News
10 Sep 2019
DerbyCon session tackles cyber attribution, false flag attacks
One expert showed the crowd at DerbyCon that proper attribution of a cyberattack requires multiple indicators in order to avoid being fooled by a false flag attempt. Continue Reading
-
Feature
05 Sep 2019
How does AttackSurfaceMapper help with attack surface mapping?
A new open source pen testing tool expedites attack surface mapping -- one of the most important aspects of any penetration testing engagement. Continue Reading
-
Answer
19 Aug 2019
How to build an enterprise penetration testing plan
Simulating an attack against your network is one of the best ways to remediate security holes before the bad guys find them. Here, learn penetration testing basics and how it can help keep your enterprise safe. Continue Reading
-
Feature
16 Aug 2019
How to identify and evaluate cybersecurity frameworks
Not all frameworks for cybersecurity are equal. ESG's Jon Oltsik explains what attributes make a cybersecurity framework and how to go about choosing and using one. Continue Reading
-
News
13 Aug 2019
Google wants Project Zero to be part of an open alliance
After five years of running Project Zero, Google wants to expand the scope to an open alliance of vulnerability researchers all working toward the same goal to 'make 0day hard.' Continue Reading
-
News
08 Aug 2019
Apple bug bounty expands to MacOS, offers $1 million iOS reward
Apple announced an expansion of its bug bounty program at Black Hat 2019, including rewards for MacOS vulnerabilities and a $1 million reward for a zero-click iOS exploit. Continue Reading
-
Opinion
01 Aug 2019
The must-have skills for cybersecurity aren't what you think
The most critical skills that cybersecurity lacks -- like leadership buy-in, people skills and the ability to communicate -- are not the ones you hear about. That needs to change. Continue Reading
- 01 Aug 2019
-
Feature
01 Aug 2019
Fitting cybersecurity frameworks into your security strategy
Whatever an organization's culture, effective use of a security framework requires understanding business goals and program metrics, and demands leadership communication. Continue Reading
- 01 Aug 2019
-
Feature
30 Jul 2019
Tackling IT security awareness training with a county CISO
A Michigan county CISO says government workers are under siege by cybercriminals. In this case study, he shares how his IT security awareness training strategy has evolved. Continue Reading
-
Tip
29 Jul 2019
3 ways to shore up third-party risk management programs
A new Nemertes research study shows enterprises need to adopt third-party risk management programs that jettison manual checklists in favor of automated tools, hands-on risk assessments and dedicated risk teams. Continue Reading
-
Answer
28 Jun 2019
Do I need to adopt a cybersecurity framework?
A comprehensive cybersecurity framework can help businesses avoid costly attacks. But there are other advantages. Continue Reading
-
Answer
28 Jun 2019
What's the best way to maintain top cybersecurity frameworks?
Keeping top cybersecurity frameworks up to date means understanding how a business evolves and changes. What steps should you take to maintain your security strategy? Continue Reading
-
Answer
28 Jun 2019
What are the core components of a cybersecurity framework?
Cybersecurity frameworks differ from one company to another, but each plan has four fundamental stages. Find out what you need to know. Continue Reading
-
Feature
26 Jun 2019
Build a proactive cybersecurity approach that delivers
Whether it's zero-trust, adaptive security or just plain common sense, IT leaders must embrace an approach to IT security that's proactive, not reactive. Continue Reading
-
Feature
14 Jun 2019
SANS security awareness credential paves new career path
The SANS Security Awareness Professional credential gives enterprises a new method to recognize and promote cybersecurity awareness in the organization. Continue Reading
-
Feature
06 Jun 2019
Security awareness training for executives keeps whaling at bay
Security awareness training for executives teaches an enterprise's biggest fish to recognize potential whaling attacks -- before they take the bait. Continue Reading
-
Feature
23 May 2019
10 ways to prevent computer security threats from insiders
Whether via the spread of malware, spyware or viruses, insiders can do as much damage as outside attackers. Here's how to prevent computer security threats from insiders. Continue Reading
-
Podcast
22 May 2019
Risk & Repeat: Cisco vulnerabilities raise backdoor concerns
This week's Risk & Repeat podcast looks at vulnerabilities in Cisco and Huawei products, which have raised concerns about backdoor access in networking equipment. Continue Reading
-
Tip
08 May 2019
How to perform a building security assessment
There are four major systems to review in a building security assessment. Learn what they are and how to review their potential cyber and physical risks. Continue Reading
-
Tip
08 May 2019
How to conduct a security risk review on a large building
Assessors cannot dive into a security risk review of a large building; they have to prepare and strategize ahead of time. Learn how to get ready for this type of security assessment. Continue Reading
-
Infographic
01 May 2019
Are users your biggest risk? Raise IT security awareness
Users are either your best line of defense or greatest vulnerability. Learn how attackers exploit human behavior and fight back by improving user security awareness. Continue Reading
-
Tip
29 Apr 2019
How can organizations build cybersecurity awareness among employees?
A high level of cybersecurity awareness among employees is essential to protect corporate data. To build this awareness, start with a strong cybersecurity culture. Continue Reading
-
Answer
11 Apr 2019
How important is security awareness training for executives?
Corporate executives are prime targets for spies and hackers, and that is why security awareness training for executives is so important. Continue Reading
-
Answer
10 Apr 2019
What are the most important security awareness training topics?
Organizations looking to heighten security awareness among employees need to cover a wide variety of security awareness training topics, but social engineering tops the list. Continue Reading
-
News
26 Feb 2019
CERT/CC's Art Manion says CVSS scoring needs to be replaced
Security expert Art Manion discusses what he calls major problems within the Common Vulnerability Scoring System and explains why CVSS needs to be replaced. Continue Reading
- E-Zine 01 Feb 2019
-
News
23 Jan 2019
Top security initiatives for 2019 include MFA, end-user training
TechTarget's IT Priorities survey revealed key security initiatives companies plan to implement in 2019. Experts weigh in on best practices to be adopted. Continue Reading
-
News
18 Jan 2019
Experts: A breach response plan is a must in 2019
During an IT GRC Forum webinar, experts explain the need for shedding legacy security approaches and highlight the gravity of drafting a data breach response plan. Continue Reading
-
Answer
14 Jan 2019
How can an authentication bypass vulnerability be exploited?
A vulnerability was found in Western Digital's My Cloud NAS device that can be easily exploited by hackers. Discover what this vulnerability is and how users can be protected. Continue Reading
-
Tip
20 Dec 2018
What Moody's cyber-risk ratings mean for enterprises
Moody's announced it will soon begin composing cyber-risk ratings for enterprises. Kevin McDonald explores the move and what it could mean for enterprises and the infosec industry. Continue Reading
-
Answer
10 Dec 2018
L1TF: How do new vulnerabilities affect Intel processors?
New speculative execution vulnerabilities have been found affecting Intel processors. Learn how these flaws can lead to side-channel attacks with Judith Myerson. Continue Reading
-
News
30 Nov 2018
Mitre enters product testing with Mitre ATT&CK framework
The first round of evaluations using the Mitre ATT&CK framework has gone public, putting on display how different endpoint products detect advanced threat activities. Continue Reading
-
Answer
20 Nov 2018
Can a D-Link router vulnerability threaten bank customers?
A D-Link router vulnerability was used to send banking users to a fake site in order to steal their information. Learn more about this vulnerability with expert Judith Myerson. Continue Reading
-
News
15 Nov 2018
BT Security CEO: Red teaming is valuable, but challenging
During the Securing the Enterprise conference at MIT's CSAIL, BT Security CEO Mark Hughes discusses the benefits and challenges red teaming has presented to his company. Continue Reading
-
Tip
12 Nov 2018
Insider threat protection: Strategies for enterprises
Insider threats pose a serious risk to enterprises. Peter Sullivan explains how enterprises can use background checks and risk assessments for insider threat protection. Continue Reading
-
Tip
11 Oct 2018
How entropy sources interact with security and privacy plans
NIST published a draft of its 'Risk Management Framework for Information Systems and Organizations.' Learn what this report entails, as well as how entropy source controls play a key role. Continue Reading
-
Opinion
02 Oct 2018
Industries seek to improve third-party security risk controls
Healthcare security leaders are developing industry best practices for better third-party risk management using common assessment and certification standards. Continue Reading
- 02 Oct 2018
-
Opinion
02 Oct 2018
White hat Dave Kennedy on purple teaming, penetration testing
Russia and other nation-states use application control bypass techniques because they don't "trigger any alarms," the chief hacking officer says. Continue Reading
- 02 Oct 2018
-
Feature
02 Oct 2018
CISOs face third-party risk management challenges
Security professionals understand all too well what's at stake, and that's why more companies look to tighten up security with third parties. Continue Reading
-
Feature
28 Sep 2018
Teramind CTO talks insider threat prevention, employee monitoring
A fear of insider threats on Wall Street led one software engineer to start his own security company. Continue Reading
-
News
28 Sep 2018
DEF CON report: Election equipment plagued by 10-year-old flaw
The DEF CON report from the 2018 Voting Village paints a troubling picture for election equipment vendors, including a machine with a flaw known since 2007 left unpatched. Continue Reading
- 26 Sep 2018
-
Tip
13 Sep 2018
Understanding the risk SQL injection vulnerabilities pose
SQL injection vulnerabilities put a system at risk and are often unknown to users. Discover how this web vulnerability works and how to prevent it with expert Kevin Beaver. Continue Reading
-
News
12 Sep 2018
Jake Braun discusses the Voting Village at DEF CON
The Voting Village at DEF CON 26 expanded its scope to test every aspect of election security that it could. Organizer Jake Braun discusses how it went and what's next. Continue Reading
-
Tip
11 Sep 2018
How hardening options help handle unpatchable vulnerabilities
Using multiple hardening options to endure unpatchable vulnerabilities is explored in a recent NIST report. Learn how entropy sources can be an additional option with Judith Myerson. Continue Reading
-
Tip
04 Sep 2018
How insider fraud can be detected and avoided in the enterprise
IT sabotage and insider threats can put an organization at great risk. Guest expert Peter Sullivan details preventative measures to take and employee training techniques. Continue Reading
-
Tip
28 Aug 2018
Red team assessments and post-assessment posture improvement
Testing an organization's security maturity is crucial for an organization to improve their post-assessment posture. Learn how red teaming can help this situation with Matt Pascucci. Continue Reading
-
News
15 Aug 2018
Infosec mental health support and awareness hits Black Hat 2018
While burnout, depression and PTSD can affect anyone, infosec mental health still doesn't often get the attention it deserves, but Black Hat 2018 attempted to change that. Continue Reading
-
Answer
09 Aug 2018
UPnP vulnerability: How is the UPnP protocol being misused?
The UPnP protocol is being misused to distribute malware through home routers. Expert Michael Cobb explains the UPnP vulnerability and how to defend against it. Continue Reading
-
Feature
07 Aug 2018
Bugcrowd CTO explains crowdsourced security benefits and challenges
In part two of this interview, Bugcrowd founder and CTO Casey Ellis discusses the value of crowdsourced vulnerability research, as well as some of the challenges. Continue Reading
-
Feature
31 Jul 2018
Bugcrowd CTO on the need for responsible disclosure policy, 'good faith'
Bugcrowd founder and CTO Casey Ellis talks about his concerns that the era of 'good faith' between security researchers and enterprises is in jeopardy. Continue Reading
-
Tip
28 Jun 2018
Insider threats: Preventing intellectual property theft
IP theft is often committed by insiders or disgruntled employees who feel entitled to information. Peter Sullivan explains the threat and how to prevent these insider attacks. Continue Reading
-
Tip
21 Jun 2018
Know your enemy: Understanding insider attacks
Insider attacks are a significant threat to enterprises. Expert Ernie Hayden provides an introduction to insider threats and how organizations can protect themselves. Continue Reading
-
Answer
14 Jun 2018
Golden SAML: How can it abuse SAML authentication protocol?
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about the attack with Nick Lewis. Continue Reading
-
Tip
14 Jun 2018
How to use the OODA loop to improve network security
The OODA loop can be used to establish cyber deception against hackers to improve network security. Learn the OODA steps and how they can be applied to security with Kevin Fiscus. Continue Reading
-
Survey
01 Jun 2018
Insider threat report tracks annual cost of theft, carelessness
The Ponemon Institute study "2018 Cost of Insider Threats" examines the cost to companies victimized by material insider threat incidents during the past 12 months. Continue Reading
-
Answer
31 May 2018
How do BGP flaws affect Quagga routing software?
Multiple Border Gateway Protocol vulnerabilities were found impacting security in the Quagga routing software. Expert Judith Myerson explains how these flaws impact systems. Continue Reading
- 29 May 2018
-
Answer
29 May 2018
How was a Cisco firewall vulnerability exploited by threat actors?
Threat actors exploited a critical Cisco firewall vulnerability that received a CVSS score of 10. Discover how this flaw works and how it was exploited with Judith Myerson. Continue Reading
-
Answer
15 May 2018
How does the KRACK vulnerability use encryption keys?
The KRACK vulnerability was found in the WPA2 protocol for wireless networks and it enables attackers to crack encrypted connections. Learn how it works from Nick Lewis. Continue Reading
-
News
27 Apr 2018
Keycard vulnerability threatens millions of hotel rooms
News roundup: Researchers found a keycard vulnerability that enabled them to enter millions of hotel rooms worldwide. Plus, Yahoo has been fined $35 million by the SEC, and more. Continue Reading
-
News
20 Apr 2018
Keeper Security forms vulnerability disclosure program with Bugcrowd
Following its controversial lawsuit against an Ars Technica security reporter, Keeper Security has teamed with Bugcrowd on a formal vulnerability disclosure program. Continue Reading
-
News
19 Apr 2018
Moussouris: Bug bounty programs need to avoid jumping the shark
Bug bounty programs may seem to offer salvation at a bargain price for securing networks and systems, but Katie Moussouris offers tips for avoiding major pitfalls. Continue Reading
-
Tip
06 Apr 2018
Zero-trust model promises increased security, decreased risk
The zero-trust model takes focused and sustained effort, but promises to improve most companies' risk posture. Learn what it takes to get the most out of zero trust. Continue Reading
-
Tip
06 Apr 2018
How to do risk management in cybersecurity using ERM
Perfect security is impossible, but using risk management in cybersecurity using a range of strategies can significantly reduce your organization’s risk. Continue Reading
-
News
09 Mar 2018
Tenable introduces Lumin cyber exposure platform
Tenable.io Lumin enables organizations to gauge their 'cyber exposure' to vulnerabilities and allows them to compare remediation efforts against industry benchmark data. Continue Reading
-
News
07 Feb 2018
Cybersecurity insurance breaks coming for Apple, Cisco customers
Apple and Cisco customers could get lucrative terms for cybersecurity insurance under a new partnership with insurance giant Allianz and global services firm Aon. Continue Reading
-
Blog Post
26 Jan 2018
Blizzard security flaw should put game developers on notice
A newly-discovered Blizzard security bug, which affected all of the company's popular PC games including Overwatch, should serve as a warning for the video game industry. Continue Reading
-
News
25 Jan 2018
Electron framework flaw puts popular desktop apps at risk
The Electron framework -- used to develop desktop apps using web code -- included a remote code execution flaw that was passed on to popular apps like Slack. Continue Reading
-
Tip
23 Jan 2018
Insider threat behavior: How to identify warning signs
Enterprises can prevent insider threat incidents if they know what to look for. Peter Sullivan explains the precursors to and precipitating events for insider threat behavior. Continue Reading
-
News
04 Jan 2018
Meltdown and Spectre patches and mitigations released
Vendors released the vulnerability disclosures and patches for the new Meltdown and Spectre CPU attacks as the infosec industry begins mitigating risks. Continue Reading
-
Answer
04 Jan 2018
Vulnerability scans: How effective are they for web apps?
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can be missed by security teams. Continue Reading