-
Automating Network Compliance and Security
In this excerpt from Chapter 2 of "The Shortcut Guide to Automating Network Management and Compliance," author Don Jones discusses how networks become non-compliant, and examines how automation can positively impact security and compliance business p... Book Chapter
-
Information Gathering: Port Scanning
This excerpt from Chapter 4 of "Network Security: A Practical Approach," by Jan Harrington examines how port scanning, while useful for troubleshooting network vulnerabilities, can arm crackers with a wealth of information. Book Chapter
-
Open source tools: A thrifty security manager's best friend
Secure your custom applications using open source security tools. Perspective
-
Quiz: Common Vulnerabilities
Test your knowledge of common security vulnerabilities. Quiz
- See More: Essential Knowledge on Vulnerability Risk Assessment
-
Chromebook security in question due to flawed Google Chrome extensions
Cross-site scripting flaws enable security researchers to bypass Chromebook security and silently steal sensitive data by hijacking browser sessions. News | 03 Aug 2011
-
Researcher uncovers browser vulnerabilities with cross_fuzz
Security researcher Michal Zalewski said his new cross_fuzz has helped identify about 100 bugs in prominent browsers that include Internet Explorer, Firefox and Opera. Article | 04 Jan 2011
-
Core Security launches CISO-level pen testing software
The new Core Insight pen testing suite can lay out the history of testing campaigns and the relative threat level of an enterprise's systems. Article | 15 Dec 2010
-
Compliance burdens hamper vulnerability management processes, survey finds
Survey finds some enterprises are overburdened with compliance issues and are using piecemeal patch testing and deployment processes. Article | 07 Dec 2010
-
New 'month of bugs' campaign outs Linux-based console flaw
New campaign aims to present detailed binary analysis of known exploits and a new zero-day vulnerability each day. Article | 02 Sep 2010
-
Black Hat convention hype hurts the enterprise risk management process
The annual Black Hat hacker confab makes for good security theater, according to Andrew Plato, but the hype is having a negative effect on enterprise risk management, and that needs to change. Column | 06 Aug 2010
-
TippingPoint Zero Day Initiative to push patch deadline on vendors
TippingPoint's vulnerability disclosure team will give vulnerable vendors six months to create a patch. Article | 03 Aug 2010
-
Black Hat: Poor SCADA systems security 'like a ticking time bomb'
An analysis of 120 security assessments at power plants, oil and chemical refineries and other critical systems revealed tens of thousands of security vulnerabilities, outdated operating systems and unauthorized applications. Article | 29 Jul 2010
-
Microsoft: Vulnerability disclosure will be coordinated, rather than 'responsible'
While responsibility remains an imperative, it should be shared between researchers and security and software vendors, Microsoft said. Some security researchers are not impressed. Article | 22 Jul 2010
-
Shavlik moves patch management systems to the cloud
New Web-based service is aimed at small and midsized businesses and can manage patch deployments via a browser-based console. Article | 20 May 2010
- See More: News on Vulnerability Risk Assessment
-
Exploring Google Chromebook security for the enterprise
The Chromebook is unique among new entrants in the mobile device arena. Mike Cobb breaks down the key Google Chromebook security issues enterprises need to know. Tip
-
Duqu malware advice: Should enterprises worry about the Duqu Trojan?
Enterprise threats expert Nick Lewis offers analysis of the recent Duqu malware outbreak and the Duqu Trojan response enterprises should take. Tip
-
Windows MBSA scan demo: Conducting a Windows security review
In this screencast, Mike McLaughlin shows how a Windows MBSA scan can help determine client and server patch status during a Windows security review. Tip
-
Zero-day vulnerabilities and the patch management process: To test or not to test?
Learn whether it’s better to risk exposure and take time to test zero-day patches, or risk business disruption and patch without testing. Tip
-
Remediating IT vulnerabilities: Quick hits for risk prioritization
There's no way to eradicate all IT vulnerabilities, but spotting the most critical ones is essential. Read these quick hits for risk prioritization. Tip
-
Balancing compliance with information security threat assessment
Compliance is often the driver for security spending rather than real risks. Learn how to incorporate current threats into a compliance program. Tip
-
WebScarab tutorial: Demonstration of WebScarab proxy functionalities
In this WebScarab tutorial video, get step-by-step advice on how to install and use this free tool, including the WebScarab proxy features, among others. Tip
-
Security sandbox program: Defense-in-depth or layered vulnerabilities?
Recently, companies like Adobe and Google have been using sandboxes to aid security measures in their applications, but how can sandboxes be useful in the enterprise, and do they just add more vulnerabilities than they're worth? Tip
-
Creating a Java security framework that thwarts a Java exploit
The number of attacks on Java is steadily increasing, and many enterprises are unprepared for the threat. Get advice on how to lock down Java from expert Nick Lewis. Tip
-
SSL vulnerabilities: Trusted SSL certificate generation for enterprises
Presentations at both Black Hat and Defcon 2010 demonstrated serious vulnerabilities in the SSL protocol, which, considering how widely used SSL is, could mean security problems for many enterprises. In this tip, Nick Lewis examines the researchers' ... Tip
- See More: Tips on Vulnerability Risk Assessment
-
Dangerous applications: Time to ban Internet Explorer, Adobe in the enterprise?
CSIS says five dangerous applications are to blame for 99% of malware. Is it time to ban Internet Explorer, Flash and the others in the enterprise? Answer
-
How Microsoft security assessment tools can benefit your enterprise
Expert Michael Cobb explains how Microsoft security assessment tools can find and help your enterprise fix vulnerabilities in its Windows environment. Answer
-
Is a full vulnerability disclosure strategy a responsible approach?
When it comes to vulnerability disclosure, is it responsible for an infosec research firm to release all the details of a flaw before patching measures are in place? Expert Nick Lewis examines the question in this response. Ask the Expert
-
Are RealPlayer, Adobe Shockwave vulnerability risks too great for the enterprise?
Adobe Shockwave and RealNetworks RealPlayer are fun and convenient for enterprise users, but are their vulnerabilities worth the risk of having them? Ask the Expert
-
Identity management SSO security: Hardening single sign-on systems
Get information on how to harden single sign-on systems for greater security in this response from IAM expert Randall Gamby. Ask the Expert
-
MD5 security: Time to migrate to SHA-1 hash algorithm?
Many organizations have been replacing the MD5 hash algorithm with the SHA-1 hash function, but can the MD5 hash algorithm still be used securely? Ask the Expert
-
Using fuzzing for internal application security testing
Superstar security researchers often use fuzzing to find flaws in major vendors' applications, and you can use fuzzers to find vulnerabilities during internal software development. Expert Michael Cobb explains how. Ask the Expert
-
Should VMware vulnerabilities in JRE impede implementing virtualization?
Could recent VMware vulnerabilities in JRE hamper virtualization implementation? In this expert response, Michael Cobb explains that VMware attacks are theoretical at this point and shouldn't stop you from implementing virtualization if your risk ass... Ask the Expert
-
Can secure FTP services protect sensitive data from hackers?
Do secure FTP services protect against hackers and attacks? In this expert response, Michael Cobb explains why using a secure FTP service is vital for handling sensitive data transfers. Ask the Expert
-
What patch management metrics does Project Quant use?
In this Q&A, expert Michael Cobb reviews the open patch management metrics model called Project Quant. Ask the Expert
- See More: Expert Advice on Vulnerability Risk Assessment
-
micro-botnet (mini-botnet or baby botnet)
A micro-botnet, also called a mini-botnet or baby botnet, is a small network of Internet-connected computers that have been hijacked to attack specific companies or individuals within a company. Word
-
gray hat (or grey hat)
Word
-
Exploit Intelligence Project: Rethinking information security threat analysis
Information security threat analysis is fundamentally flawed, said Dan Guido of iSEC Partners. He says the Exploit Intelligence Project hopes to change that. Video
-
Jose Granado on the benefits of penetration testing, ‘human hacking’
Ernst & Young’s Jose Granado discusses the benefits of penetration testing and the importance of including “human hacking” as well. Video
-
IT patch management best practices: Overcoming the challenges
This presentation on vulnerability and IT patch management best practices discusses the challenges of improving testing and deployment processes. Video
-
Narcissistic vulnerability pimp: Baker on researchers and bug bounties
In a blog post, Verizon Director of Risk Wade Baker proposed a new title for security researchers looking to get attention who release bug information before a patch is released: Narcissistic vulnerability pimps. Video
-
RSA Conference 2011 preview: State of APT
In this RSA Conference 2011 preview video, SearchSecurity.com News Director Robert Westervelt moderates a discussion on the state of the advanced persistent threat (APT). Speakers include SearchSecurity.com Senior Site Editor Eric Parizo, and Researc... Video
-
Metasploit and software vulnerability testing
Metasploit is a free tool that can be used to pen test for new and potentially damaging vulnerabilities. In this interview, H.D. Moore, creator of Metasploit, explains how the tool works and what it can contribute to software security. Video
-
Vulnerability mitigation study shows need for faster patching
Qualys CTO Wolfgang Kandek says vendors and administrators need to find ways to speed up the patching cycle. Video
-
Newest malware threats
What are the newest threats to enterprise networks, and how can you subvert these emerging security threats? Greg Hoglund, CEO of HBGary and creator of the first rootkit, answers these questions. Video
-
PCI compliance requirement 6: Systems and applications
Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 6: "Develop and maintain secure systems and applications." Video
-
Cybercrime and threat management
It's no secret that cybercrime is an ever-growing issue for today's security professionals, but what roles and responsibilities need to change as a result of the glut in illicit cyber activity? In this video, Bill Boni, VP of information security and... Video
- See More: All on Vulnerability Risk Assessment
About Vulnerability Risk Assessment
In this vulnerability and risk assessment resource, get tips and tricks on how to conduct a network vulnerability assessment, vulnerability reporting, scanning, assessment tools and reports.