Risk management
A successful risk management plan helps enterprises identify, plan for and mitigate potential risks. Learn about the components of risk management programs, including penetration tests, vulnerability and risk assessments, frameworks, security awareness training and more.
Top Stories
-
Tip
12 Nov 2024
EDR vs. XDR vs. MDR: Key differences and benefits
One of the most important goals of cybersecurity professionals is to quickly identify potential or in-progress cyberattacks. These three approaches can help. Continue Reading
-
Tip
12 Nov 2024
5 principles of change management in networking
Network change management includes five principles, including risk analysis and peer review. These best practices can help network teams reduce failed network changes and outages. Continue Reading
-
News
30 Nov 2018
Mitre enters product testing with Mitre ATT&CK framework
The first round of evaluations using the Mitre ATT&CK framework has gone public, putting on display how different endpoint products detect advanced threat activities. Continue Reading
-
Answer
20 Nov 2018
Can a D-Link router vulnerability threaten bank customers?
A D-Link router vulnerability was used to send banking users to a fake site in order to steal their information. Learn more about this vulnerability with expert Judith Myerson. Continue Reading
-
News
15 Nov 2018
BT Security CEO: Red teaming is valuable, but challenging
During the Securing the Enterprise conference at MIT's CSAIL, BT Security CEO Mark Hughes discusses the benefits and challenges red teaming has presented to his company. Continue Reading
-
Tip
12 Nov 2018
Insider threat protection: Strategies for enterprises
Insider threats pose a serious risk to enterprises. Peter Sullivan explains how enterprises can use background checks and risk assessments for insider threat protection. Continue Reading
-
Tip
11 Oct 2018
How entropy sources interact with security and privacy plans
NIST published a draft of its 'Risk Management Framework for Information Systems and Organizations.' Learn what this report entails, as well as how entropy source controls play a key role. Continue Reading
-
Opinion
02 Oct 2018
Industries seek to improve third-party security risk controls
Healthcare security leaders are developing industry best practices for better third-party risk management using common assessment and certification standards. Continue Reading
-
Opinion
02 Oct 2018
White hat Dave Kennedy on purple teaming, penetration testing
Russia and other nation-states use application control bypass techniques because they don't "trigger any alarms," the chief hacking officer says. Continue Reading
- 02 Oct 2018
- 02 Oct 2018
-
Feature
02 Oct 2018
CISOs face third-party risk management challenges
Security professionals understand all too well what's at stake, and that's why more companies look to tighten up security with third parties. Continue Reading
-
Feature
28 Sep 2018
Teramind CTO talks insider threat prevention, employee monitoring
A fear of insider threats on Wall Street led one software engineer to start his own security company. Continue Reading
-
News
28 Sep 2018
DEF CON report: Election equipment plagued by 10-year-old flaw
The DEF CON report from the 2018 Voting Village paints a troubling picture for election equipment vendors, including a machine with a flaw known since 2007 left unpatched. Continue Reading
- 26 Sep 2018
-
Tip
13 Sep 2018
Understanding the risk SQL injection vulnerabilities pose
SQL injection vulnerabilities put a system at risk and are often unknown to users. Discover how this web vulnerability works and how to prevent it with expert Kevin Beaver. Continue Reading
-
News
12 Sep 2018
Jake Braun discusses the Voting Village at DEF CON
The Voting Village at DEF CON 26 expanded its scope to test every aspect of election security that it could. Organizer Jake Braun discusses how it went and what's next. Continue Reading
-
Tip
11 Sep 2018
How hardening options help handle unpatchable vulnerabilities
Using multiple hardening options to endure unpatchable vulnerabilities is explored in a recent NIST report. Learn how entropy sources can be an additional option with Judith Myerson. Continue Reading
-
Tip
04 Sep 2018
How insider fraud can be detected and avoided in the enterprise
IT sabotage and insider threats can put an organization at great risk. Guest expert Peter Sullivan details preventative measures to take and employee training techniques. Continue Reading
-
Tip
28 Aug 2018
Red team assessments and post-assessment posture improvement
Testing an organization's security maturity is crucial for an organization to improve their post-assessment posture. Learn how red teaming can help this situation with Matt Pascucci. Continue Reading
-
News
15 Aug 2018
Infosec mental health support and awareness hits Black Hat 2018
While burnout, depression and PTSD can affect anyone, infosec mental health still doesn't often get the attention it deserves, but Black Hat 2018 attempted to change that. Continue Reading
-
Answer
09 Aug 2018
UPnP vulnerability: How is the UPnP protocol being misused?
The UPnP protocol is being misused to distribute malware through home routers. Expert Michael Cobb explains the UPnP vulnerability and how to defend against it. Continue Reading
-
Feature
07 Aug 2018
Bugcrowd CTO explains crowdsourced security benefits and challenges
In part two of this interview, Bugcrowd founder and CTO Casey Ellis discusses the value of crowdsourced vulnerability research, as well as some of the challenges. Continue Reading
-
Feature
31 Jul 2018
Bugcrowd CTO on the need for responsible disclosure policy, 'good faith'
Bugcrowd founder and CTO Casey Ellis talks about his concerns that the era of 'good faith' between security researchers and enterprises is in jeopardy. Continue Reading
-
Tip
28 Jun 2018
Insider threats: Preventing intellectual property theft
IP theft is often committed by insiders or disgruntled employees who feel entitled to information. Peter Sullivan explains the threat and how to prevent these insider attacks. Continue Reading
-
Tip
21 Jun 2018
Know your enemy: Understanding insider attacks
Insider attacks are a significant threat to enterprises. Expert Ernie Hayden provides an introduction to insider threats and how organizations can protect themselves. Continue Reading
-
Answer
14 Jun 2018
Golden SAML: How can it abuse SAML authentication protocol?
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about the attack with Nick Lewis. Continue Reading
-
Tip
14 Jun 2018
How to use the OODA loop to improve network security
The OODA loop can be used to establish cyber deception against hackers to improve network security. Learn the OODA steps and how they can be applied to security with Kevin Fiscus. Continue Reading
-
Survey
01 Jun 2018
Insider threat report tracks annual cost of theft, carelessness
The Ponemon Institute study "2018 Cost of Insider Threats" examines the cost to companies victimized by material insider threat incidents during the past 12 months. Continue Reading
-
Answer
31 May 2018
How do BGP flaws affect Quagga routing software?
Multiple Border Gateway Protocol vulnerabilities were found impacting security in the Quagga routing software. Expert Judith Myerson explains how these flaws impact systems. Continue Reading
- 29 May 2018
-
Answer
29 May 2018
How was a Cisco firewall vulnerability exploited by threat actors?
Threat actors exploited a critical Cisco firewall vulnerability that received a CVSS score of 10. Discover how this flaw works and how it was exploited with Judith Myerson. Continue Reading
-
Answer
15 May 2018
How does the KRACK vulnerability use encryption keys?
The KRACK vulnerability was found in the WPA2 protocol for wireless networks and it enables attackers to crack encrypted connections. Learn how it works from Nick Lewis. Continue Reading
-
News
27 Apr 2018
Keycard vulnerability threatens millions of hotel rooms
News roundup: Researchers found a keycard vulnerability that enabled them to enter millions of hotel rooms worldwide. Plus, Yahoo has been fined $35 million by the SEC, and more. Continue Reading
-
News
20 Apr 2018
Keeper Security forms vulnerability disclosure program with Bugcrowd
Following its controversial lawsuit against an Ars Technica security reporter, Keeper Security has teamed with Bugcrowd on a formal vulnerability disclosure program. Continue Reading
-
News
19 Apr 2018
Moussouris: Bug bounty programs need to avoid jumping the shark
Bug bounty programs may seem to offer salvation at a bargain price for securing networks and systems, but Katie Moussouris offers tips for avoiding major pitfalls. Continue Reading
-
Tip
06 Apr 2018
Zero-trust model promises increased security, decreased risk
The zero-trust model takes focused and sustained effort, but promises to improve most companies' risk posture. Learn what it takes to get the most out of zero trust. Continue Reading
-
Tip
06 Apr 2018
How to do risk management in cybersecurity using ERM
Perfect security is impossible, but using risk management in cybersecurity using a range of strategies can significantly reduce your organization’s risk. Continue Reading
-
News
09 Mar 2018
Tenable introduces Lumin cyber exposure platform
Tenable.io Lumin enables organizations to gauge their 'cyber exposure' to vulnerabilities and allows them to compare remediation efforts against industry benchmark data. Continue Reading
-
News
07 Feb 2018
Cybersecurity insurance breaks coming for Apple, Cisco customers
Apple and Cisco customers could get lucrative terms for cybersecurity insurance under a new partnership with insurance giant Allianz and global services firm Aon. Continue Reading
-
Blog Post
26 Jan 2018
Blizzard security flaw should put game developers on notice
A newly-discovered Blizzard security bug, which affected all of the company's popular PC games including Overwatch, should serve as a warning for the video game industry. Continue Reading
-
News
25 Jan 2018
Electron framework flaw puts popular desktop apps at risk
The Electron framework -- used to develop desktop apps using web code -- included a remote code execution flaw that was passed on to popular apps like Slack. Continue Reading
-
Tip
23 Jan 2018
Insider threat behavior: How to identify warning signs
Enterprises can prevent insider threat incidents if they know what to look for. Peter Sullivan explains the precursors to and precipitating events for insider threat behavior. Continue Reading
-
News
04 Jan 2018
Meltdown and Spectre patches and mitigations released
Vendors released the vulnerability disclosures and patches for the new Meltdown and Spectre CPU attacks as the infosec industry begins mitigating risks. Continue Reading
-
Answer
04 Jan 2018
Vulnerability scans: How effective are they for web apps?
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can be missed by security teams. Continue Reading
-
Tip
19 Dec 2017
Get great results from authenticated vulnerability scanning
Here are five things you can do to successfully prepare and run authenticated vulnerability scanning and, in the end, achieve the most protection. Continue Reading
-
News
13 Dec 2017
Breach awareness low among executives, CA Veracode survey says
According to a new survey from CA Veracode, breach awareness regarding recent major cyber incidents was low among executives, managers and directors, surprising some experts. Continue Reading
-
Opinion
05 Dec 2017
Active Cyber Defense Certainty Act: Should we 'hack back'?
With the proposal of the Active Cyber Defense Certainty Act, individuals would be able to 'hack back' when information is stolen. Matt Pascucci makes the case against the bill. Continue Reading
-
News
21 Nov 2017
Multiple Intel firmware vulnerabilities in Management Engine
Security researchers tested the controversial Intel Management Engine and other products, finding multiple Intel firmware vulnerabilities. Continue Reading
-
News
03 Nov 2017
Researchers hack iOS 11 at Mobile Pwn2Own 2017
Security researchers competing at Mobile Pwn2Own 2017 used multiple vulnerabilities to hack iOS 11 in order to execute code and win prizes. Continue Reading
-
Feature
01 Nov 2017
The vulnerability management process after Equifax
Cataclysmic security incidents highlight the importance of a vulnerability management program versus a patch management system. Here's how to implement a risk-based approach. Continue Reading
-
News
31 Oct 2017
Google Buganizer flaw reveals unpatched vulnerability details
A security researcher earned more than $15,000 by finding three flaws in the Google Issue Tracker, aka Buganizer, which revealed details on unpatched vulnerabilities. Continue Reading
-
Tip
31 Oct 2017
How shared cloud security assessments can benefit enterprises
Ensuring cloud security is a constant problem that shared cloud security assessments are trying to address. Learn about the benefits of sharing assessments with Nick Lewis. Continue Reading
- 30 Oct 2017
-
Podcast
26 Oct 2017
Risk & Repeat: Is vulnerability marketing problematic?
In this week's Risk & Repeat podcast, SearchSecurity editors discuss vulnerability marketing and compare how the recent KRACK attack and ROCA flaw were publicized and promoted. Continue Reading
-
Tip
24 Oct 2017
How automated web vulnerability scanners can introduce risks
While automation is a key ingredient for security, it can't always be trusted. This especially holds true when running web vulnerability scanners, as Kevin Beaver explains. Continue Reading
-
Answer
05 Oct 2017
How does a private bug bounty program compare to a public program?
Explore the differences of public versus private bug bounty programs, as well as the benefits of each one. Expert Mathew Pascucci explains the risk and return of both programs. Continue Reading
-
News
03 Oct 2017
DHS cyberinsurance research could improve security
A longitudinal cyberinsurance study performed by the Department of Homeland Security could improve enterprise security but the effects depend on the data collected, said experts. Continue Reading
-
News
28 Sep 2017
Network lateral movement from an attacker's perspective
A security researcher describes the network lateral movement process from an attacker's perspective and a few key points of focus for IT pros, at DerbyCon. Continue Reading
-
News
27 Sep 2017
Windows digital signature bypassed with two registry edits
The DerbyCon keynote covered why security research is an approachable field, as well as how to bypass a Windows digital signature check to run unwanted code. Continue Reading
-
News
25 Sep 2017
Freese: Cyber-risk management is the key to good infosec hygiene
Speaking at the (ISC)2 Security Congress, FBI Deputy Assistant Director Don Freese spoke about need for security pros to replace fear and emotion with proper cyber-risk management. Continue Reading
-
News
08 Sep 2017
Apache Struts vulnerability affects versions since 2008
A researcher discovered a remotely exploitable Apache Struts vulnerability being actively exploited in the wild. A patch was released, and users were urged to update software immediately. Continue Reading
-
News
07 Sep 2017
SHA-1 hashes recovered for 320M breached passwords
Security researchers once again proved how easy it can be to recover SHA-1 hashes by cracking the hashes on nearly 320 million passwords related to data breaches. Continue Reading
-
Opinion
01 Sep 2017
From security product marketing to CEO: Jennifer Steffens
The CEO of a global pen tester used to work for the New York Yankees. Find out how Jennifer Steffens went from sports marketing to head of a security service provider. Continue Reading
-
News
01 Sep 2017
Intel kill switch ME code indicates connection to NSA
Researchers discovered an Intel kill switch hiding in one of the chipmaker's software products, along with references to an NSA program focused on secure computing. Continue Reading
- 28 Aug 2017
-
News
28 Jul 2017
Cyber-risk analysis, time are keys to infosec says game theory
Analyzing infosec through the lens of game theory shows that cyber-risk analysis and wasting attacker time may be highly effective cybersecurity strategies. Continue Reading
-
Answer
24 Jul 2017
SQL Slammer worm returns: How risky is it for enterprises?
The SQL Slammer worm has re-emerged to attack a vulnerability in Microsoft SQL Server 2000. Expert Nick Lewis explains what enterprises can do to manage out-of-date systems. Continue Reading
-
Tip
28 Jun 2017
Incorporating static source code analysis into security testing
Static source code analysis, along with dynamic analysis and pen testing, can help strengthen your application security. Expert Kevin Beaver goes over the features to look out for. Continue Reading
-
Podcast
25 May 2017
Using threat intelligence tools to prevent attacks on your enterprise
Using threat intelligence tools can help your enterprise stay one step ahead of attackers and possible threats. Learn how threat intelligence can be used in your company. Continue Reading
-
Tip
10 May 2017
Avoid privilege creep from the software development team
Too often, privilege creep occurs via the software development team, the result of pressure to update or launch apps. Learn what tools and tactics can counter privilege creep. Continue Reading
-
Feature
13 Apr 2017
Reviewing the threat intelligence features of VeriSign iDefense
Expert Ed Tittel looks at VeriSign iDefense threat intelligence service for providing actionable, contextual data about today's top IT threats to organizations. Continue Reading
-
Feature
13 Apr 2017
Threat Intelligence service overview of Infoblox ActiveTrust
Expert Ed Tittel looks at the features and capabilities of the Infoblox ActiveTrust threat intelligence service for providing data on the top IT threats to organizations. Continue Reading
-
Feature
13 Apr 2017
Detailing the features of LookingGlass Cyber Threat Center
Expert Ed Tittel looks at the LookingGlass Cyber Threat Center service for providing organizations with intelligence on today's top IT threats. Continue Reading
-
Feature
07 Apr 2017
RSA NetWitness Suite and its threat intelligence capabilities
Expert Ed Tittel examines the RSA NetWitness Suite threat intelligence platform, which offers network forensic and analytics tools for investigating incidents and analyzing data. Continue Reading
-
News
06 Apr 2017
Chinese hacking group APT10 linked to global trade target
Evidence points to Chinese hacking group APT10 conducting economic espionage in the breach of a trade policy group prior to U.S.-China trade summit talks in Florida. Continue Reading
-
Feature
05 Apr 2017
SecureWorks threat intelligence and what it can do for your enterprise
Expert Ed Tittel examines the features and capabilities of SecureWorks, which gathers its intelligence from thousands of SecureWorks global customers. Continue Reading
-
News
10 Mar 2017
Report on zero-day vulnerabilities highlights shelf life, overlap
News roundup: Report on zero-day vulnerabilities questions government stockpiling. Plus, Comey talks encryption and privacy, FCC blocks consumer protection rule, and more. Continue Reading
-
News
09 Mar 2017
Operation Rosehub patches Java vulnerabilities in open source projects
Google employees recently completed Operation Rosehub, a grass roots effort that patches a set of serious Java vulnerabilities in thousands of open source projects. Continue Reading
-
News
06 Mar 2017
New cybersecurity report gets the hacker perspective
A new cybersecurity report used a hacker survey to offer a perspective on IT that can often be overlooked and found there may not be any easy answers. Continue Reading
-
Answer
27 Feb 2017
How can enterprises leverage Google's Project Wycheproof?
Google's Project Wycheproof tests crypto libraries for known vulnerabilities, but there are potential drawbacks to this tool. Expert Matthew Pascucci explains them. Continue Reading
-
Tip
09 Feb 2017
What global threat intelligence can and can't do for security programs
Global threat intelligence is a valuable complement to a company's security program, but it can't replace security measures like training and internally collected data. Continue Reading
-
News
06 Feb 2017
Q&A: Rapid7's Beardsley and Brown take on bug bounty programs, IoT
Rapid7's Beardsley and Brown are back with more insight into vulnerability disclosure, the value of bug bounty programs and, of course, IoT. Continue Reading
-
News
20 Jan 2017
Vulnerable Adobe extension downloads covertly to Chrome
News roundup: A flawed Adobe extension was secretly installed on 30 million Chrome browsers. Plus, the Mirai author has been identified; Google releases security details; and more. Continue Reading
-
Tip
17 Jan 2017
Managing vulnerable software: Using data to mitigate the biggest risks
Three pieces of vulnerable software are most targeted by the exploit kits studied in a Digital Shadows report. Expert Nick Lewis explains how your enterprise can manage them. Continue Reading
-
Answer
11 Jan 2017
Are bug bounty programs secure enough for enterprise use?
The use of bug bounty programs in enterprises is growing, but they aren't risk free. Expert Mike O. Villegas discusses some concerns related to bug bounties. Continue Reading
-
Feature
29 Nov 2016
Google Earth Forensics: Using Google Earth Geo-Location in Digital Forensic Investigations
In this excerpt from chapter five of Google Earth Forensics, authors Michael Harrington and Michael Cross discuss the process of digital forensics. Continue Reading
-
Feature
08 Nov 2016
Tenable Nessus Vulnerability Scanner: Product overview
Expert Ed Tittel examines the Nessus vulnerability scanner series from Tenable Network Security, which includes client, cloud and on-premises vulnerability management products. Continue Reading
-
Feature
26 Oct 2016
Rapid7 Nexpose: Vulnerability management product overview
Ed Tittel examines Rapid7 Nexpose, a vulnerability management product for physical, virtual, cloud and mobile environments that discovers assets and scans for vulnerabilities. Continue Reading
-
Feature
26 Oct 2016
Qualys Vulnerability Management: Product overview
Expert Ed Tittel examines Qualys Vulnerability Management, a product for organizations of all sizes that is designed to help admins identify, monitor and mitigate vulnerabilities. Continue Reading
-
Answer
21 Sep 2016
How can security automation tools keep organizations protected?
Sometimes security teams fall into 'set and forget' habits with security automation. Expert Mike O. Villegas explains how to take advantage of automation while staying secure. Continue Reading
-
Tip
15 Sep 2016
Insider security threats: What CISOs can do to mitigate them
Dealing with insider security threats requires a combination of tactics. Expert Mike O. Villegas discusses the various aspects of insider threat mitigation strategies. Continue Reading
-
Feature
09 Sep 2016
When to take a bug bounty program public -- and how to do it
Bug-finding programs are valuable to enterprises, but they require a lot of planning and effort to be effective. Sean Martin looks at what goes into taking a bug bounty program public. Continue Reading
-
Feature
01 Sep 2016
The security ratings game grades third-party vendors
Can security ratings services patterned on consumer credit scores offer insight into the security postures of third parties and other business partners? Continue Reading
-
Feature
29 Jul 2016
Automated Security Analysis of Android and iOS Applications
In this excerpt of Automated Security Analysis of Android and iOS Applications with Mobile Security Framework, authors Ajin Abraham and Henry Dalziel discuss mobile application penetration testing. Continue Reading
-
Tip
12 Jul 2016
Best practices for an information security assessment
Information security assessments can be effective for identifying and fixing issues in your enterprise's policies. Expert Kevin Beaver explains the key components of the process. Continue Reading
-
Feature
09 Feb 2016
Comparing the top vulnerability management tools
Expert Ed Tittel compares how the top-rated vulnerability management tools measure up against each other so you can select the right one for your organization. Continue Reading
-
Feature
19 Jan 2016
Seven criteria for buying vulnerability management tools
Expert contributor Ed Tittel describes purchasing criteria for full-featured vulnerability management tools for small organizations to large enterprises. Continue Reading
-
Video
20 Nov 2015
Adjusting your network perimeter security
Expert Johna Till Johnson explains how the enterprise perimeter became obsolete, and how to replace network perimeter security with an approach to perimeterless security. Continue Reading
-
Tip
12 Oct 2015
Getting to the bottom of the software vulnerability disclosure debate
The vulnerability disclosure debate rages on: Enterprises should know they are at risk, but vendors need time to patch flaws. Which side should prevail? Expert Michael Cobb discusses. Continue Reading
-
Feature
01 Oct 2015
Choose the best vulnerability assessment tools
This Buyer's Essentials guide helps InfoSec pros assess vulnerability management products by explaining how they work and by highlighting key features corporate buyers should look for so they can evaluate vendor offerings. Continue Reading
-
News
16 Jul 2015
Flash Player security failures turn up the hate
There have been calls for the death of the Adobe Flash Player for years either due to performance issues or the threat of exploit. But with a recent rash of zero-day vulnerabilities, those calls are getting louder. Continue Reading
