Risk management
A successful risk management plan helps enterprises identify, plan for and mitigate potential risks. Learn about the components of risk management programs, including penetration tests, vulnerability and risk assessments, frameworks, security awareness training and more.
Top Stories
-
Tip
07 Mar 2025
Top 14 open source penetration testing tools
From Aircrack-ng to ZAP, these open source penetration testing tools are essential additions to any security pro's toolbox.
By Ed Moyle, SecurityCurve
-
Feature
06 Mar 2025
16 top ERM software vendors to consider in 2025
Various software tools can help automate risk management and GRC processes. Here's a look at 16 enterprise risk management vendors and their products.
-
Opinion
01 Aug 2019
The must-have skills for cybersecurity aren't what you think
The most critical skills that cybersecurity lacks -- like leadership buy-in, people skills and the ability to communicate -- are not the ones you hear about. That needs to change.
By Kevin Beaver, Principle Logic, LLC
-
Feature
01 Aug 2019
Fitting cybersecurity frameworks into your security strategy
Whatever an organization's culture, effective use of a security framework requires understanding business goals and program metrics, and demands leadership communication.
By Joseph Granneman, Illumination.io
-
Feature
30 Jul 2019
Tackling IT security awareness training with a county CISO
A Michigan county CISO says government workers are under siege by cybercriminals. In this case study, he shares how his IT security awareness training strategy has evolved.
By Alissa Irei, Senior Site Editor
-
Tip
29 Jul 2019
3 ways to shore up third-party risk management programs
A new Nemertes research study shows enterprises need to adopt third-party risk management programs that jettison manual checklists in favor of automated tools, hands-on risk assessments and dedicated risk teams.
By Johna Till Johnson, Nemertes Research
-
Answer
28 Jun 2019
Do I need to adopt a cybersecurity framework?
A comprehensive cybersecurity framework can help businesses avoid costly attacks. But there are other advantages.
By Andrew Froehlich, West Gate Networks
-
Answer
28 Jun 2019
What's the best way to maintain top cybersecurity frameworks?
Keeping top cybersecurity frameworks up to date means understanding how a business evolves and changes. What steps should you take to maintain your security strategy?
By Andrew Froehlich, West Gate Networks
-
Answer
28 Jun 2019
What are the core components of a cybersecurity framework?
Cybersecurity frameworks differ from one company to another, but each plan has four fundamental stages. Find out what you need to know.
By Andrew Froehlich, West Gate Networks
-
Feature
26 Jun 2019
Build a proactive cybersecurity approach that delivers
Whether it's zero-trust, adaptive security or just plain common sense, IT leaders must embrace an approach to IT security that's proactive, not reactive.
By Stan Gibson, Stan Gibson Communications
-
Feature
14 Jun 2019
SANS security awareness credential paves new career path
The SANS Security Awareness Professional credential gives enterprises a new method to recognize and promote cybersecurity awareness in the organization.
By Peter Loshin, Former Senior Technology Editor
-
Feature
06 Jun 2019
Security awareness training for executives keeps whaling at bay
Security awareness training for executives teaches an enterprise's biggest fish to recognize potential whaling attacks -- before they take the bait.
By Alissa Irei, Senior Site Editor
-
Feature
23 May 2019
10 ways to prevent computer security threats from insiders
Whether via the spread of malware, spyware or viruses, insiders can do as much damage as outside attackers. Here's how to prevent computer security threats from insiders.
By David Bianco, Target
-
Podcast
22 May 2019
Risk & Repeat: Cisco vulnerabilities raise backdoor concerns
This week's Risk & Repeat podcast looks at vulnerabilities in Cisco and Huawei products, which have raised concerns about backdoor access in networking equipment.
By Rob Wright, Senior News Director
-
Tip
08 May 2019
How to perform a building security assessment
There are four major systems to review in a building security assessment. Learn what they are and how to review their potential cyber and physical risks.
By Ernie Hayden, 443 Consulting LLC
-
Tip
08 May 2019
How to conduct a security risk review on a large building
Assessors cannot simply dive into a security risk review of a large building; they have to prepare and strategize ahead of time. Learn how to get ready for this type of security assessment.
By Ernie Hayden, 443 Consulting LLC
-
Infographic
01 May 2019
Are users your biggest risk? Raise IT security awareness
Users are either your best line of defense or your greatest vulnerability. Learn how attackers exploit human behavior and fight back by improving user security awareness.
-
Tip
29 Apr 2019
How can organizations build cybersecurity awareness among employees?
A high level of cybersecurity awareness among employees is essential to protect corporate data. To build this awareness, start with a strong cybersecurity culture.
-
Answer
11 Apr 2019
How important is security awareness training for executives?
Corporate executives are prime targets for spies and hackers, and that is why security awareness training for executives is so important.
By Andrew Froehlich, West Gate Networks
-
Answer
10 Apr 2019
What are the most important security awareness training topics?
Organizations looking to heighten security awareness among employees need to cover a wide variety of security awareness training topics, but social engineering tops the list.
By Andrew Froehlich, West Gate Networks
-
News
26 Feb 2019
CERT/CC's Art Manion says CVSS scoring needs to be replaced
Security expert Art Manion discusses what he calls major problems within the Common Vulnerability Scoring System and explains why CVSS needs to be replaced.
By Rob Wright, Senior News Director
-
News
23 Jan 2019
Top security initiatives for 2019 include MFA, end-user training
TechTarget's IT Priorities survey revealed key security initiatives companies plan to implement in 2019. Experts weigh in on best practices to be adopted.
-
News
18 Jan 2019
Experts: A breach response plan is a must in 2019
During an IT GRC Forum webinar, experts explain the need for shedding legacy security approaches and highlight the gravity of drafting a data breach response plan.
-
Answer
14 Jan 2019
How can an authentication bypass vulnerability be exploited?
A vulnerability was found in Western Digital's My Cloud NAS device that can be easily exploited by hackers. Discover what this vulnerability is and how users can be protected.
-
Tip
20 Dec 2018
What Moody's cyber-risk ratings mean for enterprises
Moody's announced it will soon begin composing cyber-risk ratings for enterprises. Kevin McDonald explores the move and what it could mean for enterprises and the infosec industry.
By Kevin McDonald, Alvaka Networks
-
Answer
10 Dec 2018
L1TF: How do new vulnerabilities affect Intel processors?
New speculative execution vulnerabilities have been found affecting Intel processors. Learn how these flaws can lead to side-channel attacks with Judith Myerson.
-
News
30 Nov 2018
Mitre enters product testing with Mitre ATT&CK framework
The first round of evaluations using the Mitre ATT&CK framework has gone public, putting on display how different endpoint products detect advanced threat activities.
By Peter Loshin, Former Senior Technology Editor
-
Answer
20 Nov 2018
Can a D-Link router vulnerability threaten bank customers?
A D-Link router vulnerability was used to send banking users to a fake site in order to steal their information. Learn more about this vulnerability with expert Judith Myerson.
-
News
15 Nov 2018
BT Security CEO: Red teaming is valuable, but challenging
During the Securing the Enterprise conference at MIT's CSAIL, BT Security CEO Mark Hughes discusses the benefits and challenges red teaming has presented to his company.
By Rob Wright, Senior News Director
-
Tip
12 Nov 2018
Insider threat protection: Strategies for enterprises
Insider threats pose a serious risk to enterprises. Peter Sullivan explains how enterprises can use background checks and risk assessments for insider threat protection.
-
Tip
11 Oct 2018
How entropy sources interact with security and privacy plans
NIST published a draft of its 'Risk Management Framework for Information Systems and Organizations.' Learn what this report entails, as well as how entropy source controls play a key role.
-
Opinion
02 Oct 2018
Industries seek to improve third-party security risk controls
Healthcare security leaders are developing industry best practices for better third-party risk management using common assessment and certification standards.
-
Opinion
02 Oct 2018
White hat Dave Kennedy on purple teaming, penetration testing
Russia and other nation-states use application control bypass techniques because they don't "trigger any alarms," the chief hacking officer says.
-
Feature
02 Oct 2018
CISOs face third-party risk management challenges
Security professionals understand all too well what's at stake, and that's why more companies look to tighten up security with third parties.
By Steve Zurier, ZFeatures
-
Feature
28 Sep 2018
Teramind CTO talks insider threat prevention, employee monitoring
A fear of insider threats on Wall Street led one software engineer to start his own security company.
-
News
28 Sep 2018
DEF CON report: Election equipment plagued by 10-year-old flaw
The DEF CON report from the 2018 Voting Village paints a troubling picture for election equipment vendors, including a machine with a flaw known since 2007 left unpatched.
By Michael Heller, TechTarget
-
Tip
13 Sep 2018
Understanding the risk SQL injection vulnerabilities pose
SQL injection vulnerabilities put a system at risk and are often unknown to users. Discover how this web vulnerability works and how to prevent it with expert Kevin Beaver.
By Kevin Beaver, Principle Logic, LLC
-
News
12 Sep 2018
Jake Braun discusses the Voting Village at DEF CON
The Voting Village at DEF CON 26 expanded its scope to test every aspect of election security that it could. Organizer Jake Braun discusses how it went and what's next.
By Michael Heller, TechTarget
-
Tip
11 Sep 2018
How hardening options help handle unpatchable vulnerabilities
A recent NIST report explores using multiple hardening options to endure unpatchable vulnerabilities. Learn how entropy sources can be an additional option with Judith Myerson.
-
Tip
04 Sep 2018
How insider fraud can be detected and avoided in the enterprise
IT sabotage and insider threats can put an organization at great risk. Guest expert Peter Sullivan details preventative measures to take and employee training techniques.
-
Tip
28 Aug 2018
Red team assessments and post-assessment posture improvement
Testing an organization's security maturity is crucial to improving its post-assessment posture. Learn how red teaming can help with Matt Pascucci.
-
News
15 Aug 2018
Infosec mental health support and awareness hits Black Hat 2018
While burnout, depression and PTSD can affect anyone, infosec mental health still doesn't often get the attention it deserves, but Black Hat 2018 attempted to change that.
By Michael Heller, TechTarget
-
Answer
09 Aug 2018
UPnP vulnerability: How is the UPnP protocol being misused?
The UPnP protocol is being misused to distribute malware through home routers. Expert Michael Cobb explains the UPnP vulnerability and how to defend against it.
-
Feature
07 Aug 2018
Bugcrowd CTO explains crowdsourced security benefits and challenges
In part two of this interview, Bugcrowd founder and CTO Casey Ellis discusses the value of crowdsourced vulnerability research, as well as some of the challenges.
By Rob Wright, Senior News Director
-
Feature
31 Jul 2018
Bugcrowd CTO on the need for responsible disclosure policy, 'good faith'
Bugcrowd founder and CTO Casey Ellis talks about his concerns that the era of 'good faith' between security researchers and enterprises is in jeopardy.
By Rob Wright, Senior News Director
-
Tip
28 Jun 2018
Insider threats: Preventing intellectual property theft
IP theft is often committed by insiders or disgruntled employees who feel entitled to information. Peter Sullivan explains the threat and how to prevent these insider attacks.
-
Tip
21 Jun 2018
Know your enemy: Understanding insider attacks
Insider attacks are a significant threat to enterprises. Expert Ernie Hayden provides an introduction to insider threats and how organizations can protect themselves.
By Ernie Hayden, 443 Consulting LLC
-
Answer
14 Jun 2018
Golden SAML: How can it abuse SAML authentication protocol?
CyberArk researchers created an attack called Golden SAML that applies Mimikatz techniques to a federated environment. Learn more about the attack with Nick Lewis.
-
Tip
14 Jun 2018
How to use the OODA loop to improve network security
The OODA loop can be used to establish cyber deception against hackers to improve network security. Learn the OODA steps and how they can be applied to security with Kevin Fiscus.
By Kevin Fiscus, SANS Institute
-
Survey
01 Jun 2018
Insider threat report tracks annual cost of theft, carelessness
The Ponemon Institute study "2018 Cost of Insider Threats" examines the cost to companies victimized by material insider threat incidents during the past 12 months.
-
Answer
31 May 2018
How do BGP flaws affect Quagga routing software?
Multiple Border Gateway Protocol vulnerabilities were found impacting security in the Quagga routing software. Expert Judith Myerson explains how these flaws impact systems.
-
Answer
29 May 2018
How was a Cisco firewall vulnerability exploited by threat actors?
Threat actors exploited a critical Cisco firewall vulnerability that received a CVSS score of 10. Discover how this flaw works and how it was exploited with Judith Myerson.
-
Answer
15 May 2018
How does the KRACK vulnerability use encryption keys?
The KRACK vulnerability was found in the WPA2 protocol for wireless networks, and it enables attackers to crack encrypted connections. Learn how it works from Nick Lewis.
-
News
27 Apr 2018
Keycard vulnerability threatens millions of hotel rooms
News roundup: Researchers found a keycard vulnerability that enabled them to enter millions of hotel rooms worldwide. Plus, Yahoo has been fined $35 million by the SEC, and more.
By Madelyn Bacon, TechTarget
-
News
20 Apr 2018
Keeper Security forms vulnerability disclosure program with Bugcrowd
Following its controversial lawsuit against an Ars Technica security reporter, Keeper Security has teamed with Bugcrowd on a formal vulnerability disclosure program.
By Rob Wright, Senior News Director
-
News
19 Apr 2018
Moussouris: Bug bounty programs need to avoid jumping the shark
Bug bounty programs may seem to offer salvation at a bargain price for securing networks and systems, but Katie Moussouris offers tips for avoiding major pitfalls.
By Peter Loshin, Former Senior Technology Editor
-
Tip
06 Apr 2018
Zero-trust model promises increased security, decreased risk
The zero-trust model takes focused and sustained effort, but promises to improve most companies' risk posture. Learn what it takes to get the most out of zero trust.
By Johna Till Johnson, Nemertes Research
-
Tip
06 Apr 2018
How to do risk management in cybersecurity using ERM
Perfect security is impossible, but applying risk management in cybersecurity through a range of strategies can significantly reduce your organization's risk.
By Johna Till Johnson, Nemertes Research
-
News
09 Mar 2018
Tenable introduces Lumin cyber exposure platform
Tenable.io Lumin enables organizations to gauge their 'cyber exposure' to vulnerabilities and allows them to compare remediation efforts against industry benchmark data.
By Rob Wright, Senior News Director
-
News
07 Feb 2018
Cybersecurity insurance breaks coming for Apple, Cisco customers
Apple and Cisco customers could get lucrative terms for cybersecurity insurance under a new partnership with insurance giant Allianz and global services firm Aon.
By Peter Loshin, Former Senior Technology Editor
-
Blog Post
26 Jan 2018
Blizzard security flaw should put game developers on notice
A newly discovered Blizzard security bug, which affected all of the company's popular PC games including Overwatch, should serve as a warning for the video game industry.
By Rob Wright, Senior News Director
-
News
25 Jan 2018
Electron framework flaw puts popular desktop apps at risk
The Electron framework -- used to develop desktop apps using web code -- included a remote code execution flaw that was passed on to popular apps like Slack.
By Michael Heller, TechTarget
-
Tip
23 Jan 2018
Insider threat behavior: How to identify warning signs
Enterprises can prevent insider threat incidents if they know what to look for. Peter Sullivan explains the precursors to and precipitating events for insider threat behavior.
-
News
04 Jan 2018
Meltdown and Spectre patches and mitigations released
Vendors released the vulnerability disclosures and patches for the new Meltdown and Spectre CPU attacks as the infosec industry begins mitigating risks.
By Michael Heller, TechTarget
-
Answer
04 Jan 2018
Vulnerability scans: How effective are they for web apps?
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can be missed by security teams.
By Kevin Beaver, Principle Logic, LLC
-
Tip
19 Dec 2017
Get great results from authenticated vulnerability scanning
Here are five things you can do to successfully prepare and run authenticated vulnerability scanning and, in the end, achieve the most protection.
By Kevin Beaver, Principle Logic, LLC
-
News
13 Dec 2017
Breach awareness low among executives, CA Veracode survey says
According to a new survey from CA Veracode, breach awareness regarding recent major cyber incidents was low among executives, managers and directors, surprising some experts.
By Michael Heller, TechTarget
-
Opinion
05 Dec 2017
Active Cyber Defense Certainty Act: Should we 'hack back'?
With the proposal of the Active Cyber Defense Certainty Act, individuals would be able to 'hack back' when information is stolen. Matt Pascucci makes the case against the bill.
-
News
21 Nov 2017
Multiple Intel firmware vulnerabilities in Management Engine
Security researchers tested the controversial Intel Management Engine and other products, finding multiple Intel firmware vulnerabilities.
By Michael Heller, TechTarget
-
News
03 Nov 2017
Researchers hack iOS 11 at Mobile Pwn2Own 2017
Security researchers competing at Mobile Pwn2Own 2017 used multiple vulnerabilities to hack iOS 11 in order to execute code and win prizes.
By Michael Heller, TechTarget
-
Feature
01 Nov 2017
The vulnerability management process after Equifax
Cataclysmic security incidents highlight the importance of a vulnerability management program versus a patch management system. Here's how to implement a risk-based approach.
By James Ringold, Westinghouse Electric Company
-
News
31 Oct 2017
Google Buganizer flaw reveals unpatched vulnerability details
A security researcher earned more than $15,000 by finding three flaws in the Google Issue Tracker, aka Buganizer, which revealed details on unpatched vulnerabilities.
By Michael Heller, TechTarget
-
Tip
31 Oct 2017
How shared cloud security assessments can benefit enterprises
Ensuring cloud security is a constant problem that shared cloud security assessments are trying to address. Learn about the benefits of sharing assessments with Nick Lewis.
-
Podcast
26 Oct 2017
Risk & Repeat: Is vulnerability marketing problematic?
In this week's Risk & Repeat podcast, SearchSecurity editors discuss vulnerability marketing and compare how the recent KRACK attack and ROCA flaw were publicized and promoted.
By Rob Wright, Senior News Director
-
Tip
24 Oct 2017
How automated web vulnerability scanners can introduce risks
While automation is a key ingredient for security, it can't always be trusted. This especially holds true when running web vulnerability scanners, as Kevin Beaver explains.
By Kevin Beaver, Principle Logic, LLC
-
Answer
05 Oct 2017
How does a private bug bounty program compare to a public program?
Explore the differences between public and private bug bounty programs, as well as the benefits of each one. Expert Mathew Pascucci explains the risk and return of both programs.
-
News
03 Oct 2017
DHS cyberinsurance research could improve security
A longitudinal cyberinsurance study performed by the Department of Homeland Security could improve enterprise security, but the effects depend on the data collected, said experts.
By Michael Heller, TechTarget
-
News
28 Sep 2017
Network lateral movement from an attacker's perspective
At DerbyCon, a security researcher describes the network lateral movement process from an attacker's perspective and a few key points of focus for IT pros.
By Michael Heller, TechTarget
-
News
27 Sep 2017
Windows digital signature bypassed with two registry edits
The DerbyCon keynote covered why security research is an approachable field, as well as how to bypass a Windows digital signature check to run unwanted code.
By Michael Heller, TechTarget
-
News
25 Sep 2017
Freese: Cyber-risk management is the key to good infosec hygiene
Speaking at the (ISC)2 Security Congress, FBI Deputy Assistant Director Don Freese spoke about the need for security pros to replace fear and emotion with proper cyber-risk management.
By Rob Wright, Senior News Director
-
News
08 Sep 2017
Apache Struts vulnerability affects versions since 2008
A researcher discovered a remotely exploitable Apache Struts vulnerability being actively exploited in the wild. A patch was released, and users were urged to update software immediately.
By Michael Heller, TechTarget
-
News
07 Sep 2017
SHA-1 hashes recovered for 320M breached passwords
Security researchers once again proved how easy it can be to recover SHA-1 hashes by cracking the hashes on nearly 320 million passwords related to data breaches.
By Michael Heller, TechTarget
-
Opinion
01 Sep 2017
From security product marketing to CEO: Jennifer Steffens
The CEO of a global pen tester used to work for the New York Yankees. Find out how Jennifer Steffens went from sports marketing to head of a security service provider.
-
News
28 Jul 2017
Cyber-risk analysis, time are keys to infosec says game theory
Analyzing infosec through the lens of game theory shows that cyber-risk analysis and wasting attacker time may be highly effective cybersecurity strategies.
By Michael Heller, TechTarget
-
Answer
24 Jul 2017
SQL Slammer worm returns: How risky is it for enterprises?
The SQL Slammer worm has re-emerged to attack a vulnerability in Microsoft SQL Server 2000. Expert Nick Lewis explains what enterprises can do to manage out-of-date systems.
-
Tip
28 Jun 2017
Incorporating static source code analysis into security testing
Static source code analysis, along with dynamic analysis and pen testing, can help strengthen your application security. Expert Kevin Beaver goes over the features to look out for.
By Kevin Beaver, Principle Logic, LLC
-
Podcast
25 May 2017
Using threat intelligence tools to prevent attacks on your enterprise
Using threat intelligence tools can help your enterprise stay one step ahead of attackers and possible threats. Learn how threat intelligence can be used in your company.
-
Feature
13 Apr 2017
Reviewing the threat intelligence features of VeriSign iDefense
Expert Ed Tittel looks at the VeriSign iDefense threat intelligence service for providing actionable, contextual data about today's top IT threats to organizations.
-
Feature
13 Apr 2017
Threat Intelligence service overview of Infoblox ActiveTrust
Expert Ed Tittel looks at the features and capabilities of the Infoblox ActiveTrust threat intelligence service for providing data on the top IT threats to organizations.
-
Feature
13 Apr 2017
Detailing the features of LookingGlass Cyber Threat Center
Expert Ed Tittel looks at the LookingGlass Cyber Threat Center service for providing organizations with intelligence on today's top IT threats.
-
Feature
07 Apr 2017
RSA NetWitness Suite and its threat intelligence capabilities
Expert Ed Tittel examines the RSA NetWitness Suite threat intelligence platform, which offers network forensic and analytics tools for investigating incidents and analyzing data.
-
News
06 Apr 2017
Chinese hacking group APT10 linked to global trade target
Evidence points to Chinese hacking group APT10 conducting economic espionage in the breach of a trade policy group prior to U.S.-China trade summit talks in Florida.
By Peter Loshin, Former Senior Technology Editor
-
Feature
05 Apr 2017
SecureWorks threat intelligence and what it can do for your enterprise
Expert Ed Tittel examines the features and capabilities of SecureWorks, which gathers its intelligence from thousands of SecureWorks global customers.