Ask the Experts

Ask the Experts

Risk assessments, metrics and frameworks

• Explore benefits and challenges of cloud penetration testing

  Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help inform cloud pen test strategies.  Continue Reading

• The 6 benefits of zero-trust security for businesses

  The zero-trust security model demands infosec leaders take a holistic approach to IT infrastructure security. Learn about the six business benefits of zero trust and how it differs from traditional security approaches.  Continue Reading

• How to protect workloads using a zero-trust security model

  Never trust, always verify. Learn how to implement a zero-trust security model to help manage risk and protect IT workloads at your organization.  Continue Reading

• Risk management vs. risk assessment vs. risk analysis

  Understanding risk is the first step to making informed budget and security decisions. Explore the differences between risk management vs. risk assessment vs. risk analysis.  Continue Reading

• What are the 7 core zero-trust pillars?

  Learn how Forrester's seven pillars of zero trust model can help IT leaders identify, organize and implement the appropriate cybersecurity tools for a zero-trust framework.  Continue Reading

• Host IDS vs. network IDS: Which is better?

  Compare host IDS vs. network IDS through the pros and cons of each, and learn how more modern systems may be better suited to ensure effective enterprise security.  Continue Reading

• Do you have the right set of penetration tester skills?

  Pen testing is more than just the fun of breaking into systems. Learn about the critical penetration tester skills potential candidates must master to become proficient in their career path.  Continue Reading

• Do I need to adopt a cybersecurity framework?

  A comprehensive cybersecurity framework can help businesses avoid costly attacks. But there are other advantages.  Continue Reading

• What's the best way to maintain top cybersecurity frameworks?

  Keeping top cybersecurity frameworks up to date means understanding how a business evolves and changes. What steps should you take to maintain your security strategy?  Continue Reading

• What are the core components of a cybersecurity framework?

  Cybersecurity frameworks differ from one company to another, but each plan has four fundamental stages. Find out what you need to know.  Continue Reading

• How does the MnuBot banking Trojan use unusual C&C servers?

  IBM X-Force found MnuBot -- a new banking Trojan -- manipulating C&C servers in an unusual way. Learn how this is possible and how this malware differs from those in the past.  Continue Reading

• Vulnerability scans: How effective are they for web apps?

  Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can be missed by security teams.  Continue Reading

• How can the Dirty COW vulnerability be used to attack Android devices?

  A copy-on-write vulnerability known as 'Dirty COW' was found in the Linux kernel of Android devices. Expert Michael Cobb explains the risks of this attack.  Continue Reading

• How can enterprises leverage Google's Project Wycheproof?

  Google's Project Wycheproof tests crypto libraries for known vulnerabilities, but there are potential drawbacks to this tool. Expert Matthew Pascucci explains them.  Continue Reading

• How can two-factor authentication systems be used effectively?

  Two-factor authentication systems require more than using codes sent through SMS and smart cards. Expert Michael Cobb explains how to properly and effectively implement 2FA.  Continue Reading

• Why are cybersecurity KPIs important for enterprises to determine?

  Cybersecurity KPIs are important for enterprises to determine when setting up a security program. Expert Mike O. Villegas discusses why and what a KPI for security should be.  Continue Reading

• Irongate malware: What are the risks to industrial control systems?

  The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS and SCADA systems.  Continue Reading

• How can APT groups be stopped from exploiting a Microsoft Office flaw?

  APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks work and how to prevent them.  Continue Reading

• Rowhammer exploit: Are Microsoft Edge browser users at risk?

  The Rowhammer and memory deduplication attack enables read and write access to Microsoft Edge browsers. Expert Nick Lewis explains how to mitigate this threat.  Continue Reading

• SAP vulnerability: Why didn't the patch work correctly?

  An old SAP vulnerability that enabled remote administrative access was found to be ineffectually patched. Expert Nick Lewis explains how enterprises can secure their systems.  Continue Reading

• What are the new CFTC regulations on cybersecurity testing?

  The proposed CFTC regulations on cybersecurity testing are set to finalize in 2016. Expert Mike Chapple discusses the effects these regulations have on IT-reliant trading firms.  Continue Reading

• How can security automation tools keep organizations protected?

  Sometimes security teams fall into 'set and forget' habits with security automation. Expert Mike O. Villegas explains how to take advantage of automation while staying secure.  Continue Reading

• CVSS v3.0: What does Oracle's move mean for vulnerability assessment?

  Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes in vulnerability scoring in v3.0.  Continue Reading

• How can IP devices like multifunction printers and faxes be secured?

  IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them against attacks.  Continue Reading

• Does mass scanning of the internet do more harm than good?

  Mass scanning of the internet can reveal how pervasive a vulnerability is. Expert Michael Cobb explains how these scans work and what the arguments for and against them are.  Continue Reading

• What are the benefits of a risk-based framework for security?

  Many organizations use a risk-based framework to help manage their cybersecurity program. Expert Mike O. Villegas discusses the development and benefits of current frameworks.  Continue Reading

• How can vulnerability scanning tools help with PCI DSS compliance?

  Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. Expert Mike Chapple explains.  Continue Reading

• What are the best risk assessment frameworks?

  A recent survey indicated an increased use of risk assessment frameworks among enterprises. Here's why it's important to choose the right framework for your organization.  Continue Reading

• What are the best ways to improve SMB security?

  Despite popular belief, a small to medium-sized business can be a target of cybercriminals because of limited security. Expert Mike O. Villegas advises SMBs on security defenses.  Continue Reading

• What's the best risk analysis method for enterprises?

  There are a number of different risk analysis methods for enterprises to choose from. Expert Michael Cobb highlights some of the best options available.  Continue Reading

• How should CISOs present a security assessment report?

  CISOs regularly have to present a security assessment report to the board of directors. Expert Mike O. Villegas has some tips to make it more engaging.  Continue Reading

• How should enterprises use the OWASP Top Ten list?

  The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get the most out of OWASP Top Ten.  Continue Reading

• Code security: Can a continuous delivery model be secured?

  Continuous code delivery is critical in certain scenarios, but it's not always the most secure approach. Michael Cobb explains how to secure code in a continuous delivery model.  Continue Reading

• How is the NIST Cybersecurity Framework being received?

  The NIST Cybersecurity Framework gets mixed reviews, but it could be a good starting point for organizations looking to better manage cybersecurity.  Continue Reading

• Why are software bundles an enterprise software security issue?

  Third-party software bundling is not uncommon, but can present many issues to enterprise software security. Expert Michael Cobb discusses.  Continue Reading

• Should information security assessments be done by consultants?

  Information security assessments can be performed by consulting firms, but is that a better option than handling assessments with in-house staff? Expert Mike O. Villegas discusses.  Continue Reading

• How can HIPAA security risk analysis help with compliance?

  HHS recommends security risk analysis as an early step to become HIPAA compliant, so how should organizations put this tip into practice?  Continue Reading

• Is cybersecurity insurance valuable to enterprises?

  Cybersecurity insurance is used as a fallback after data breaches, but does it really cover everything an organization needs? Joseph Granneman provides some answers.  Continue Reading

• The key to assigning risk values in an IT security risk assessment

  Security expert Michael Cobb offers pointers on how to assign risk values during a security risk assessment.  Continue Reading

• Vulnerability management: Benefits of a vulnerability scoring system

  What are the pros and cons of using a universal vulnerability scoring system from a vendor? Nick Lewis explains.  Continue Reading

• Third-party application security evaluation tools and services

  Learn about the tools and services available that enterprises can use to determine the security of their third-party applications.  Continue Reading

• The best free vulnerability risk assessment tools

  Application security expert Michael Cobb discusses three free vulnerability risk assessment tools you should consider leveraging in the enterprise.  Continue Reading

• How to use the RACI matrix for a security risk assessment

  Expert Joseph Granneman explains how the RACI matrix can be used as part of an information security risk assessment.  Continue Reading

• What is the MEHARI risk management framework and how can it be used?

  Expert Joseph Granneman details the MEHARI risk management framework and compares it to the ISO 27000 and NIST 800 series.  Continue Reading

• Identifying and locking down known Java security vulnerabilities

  Expert Michael Cobb discusses why known Java security vulnerabilities are on so many endpoints and how to contain them -- without updating Java.  Continue Reading

• How to limit penetration test risks by defining testing scope

  Expert Nick Lewis explains how to reduce penetration testing risks by limiting the scope of the test.  Continue Reading

• Network security metrics: Basic network security controls assessment

  Get advice on how to devise appropriate network security metrics for your enterprise from expert Mike Chapple.  Continue Reading

• How Microsoft security assessment tools can benefit your enterprise

  Expert Michael Cobb explains how Microsoft security assessment tools can find and help your enterprise fix vulnerabilities in its Windows environment.  Continue Reading

• Merger management: How to handle potential merger threats to security

  During a merger, management of information security becomes even more crucial in order to mitigate threats, including the many new insiders and attentive attackers that want to take advantage of holes in the companies' infosec integration.  Continue Reading

• Identity management SSO security: Hardening single sign-on systems

  Get information on how to harden single sign-on systems for greater security in this response from IAM expert Randall Gamby.  Continue Reading

• Creating a security risk management plan format

  Enterprises without a codified risk management plan are much more susceptible to threats. In this expert response from Ernie Hayden, learn how to create a risk management plan that covers all the bases.  Continue Reading

• MD5 security: Time to migrate to SHA-1 hash algorithm?

  Many organizations have been replacing the MD5 hash algorithm with the SHA-1 hash function, but can the MD5 hash algorithm still be used securely?  Continue Reading

• Using fuzzing for internal application security testing

  Superstar security researchers often use fuzzing to find flaws in major vendors' applications, and you can use fuzzers to find vulnerabilities during internal software development. Expert Michael Cobb explains how.  Continue Reading

• How to determine the net value of an asset for risk impact analysis

  Asset valuation and impact analysis are two different but equally important aspects of risk analysis. Expert Ernie Hayden explains.  Continue Reading

• Gap analysis methodology for IT security and compliance

  If your enterprise is faced with multiple-standard compliance, having a set gap analysis methodology can save a lot of time and effort. Learn more in this expert response from Ernie Hayden.  Continue Reading

• Can secure FTP services protect sensitive data from hackers?

  Does secure FTP services protect against hackers and attacks? In this expert response, Michael Cobb explains why using a secure FTP service is vital for handling sensitive data transfers.  Continue Reading

• Electronic access control system and biometrics authentication

  Biometrics authentication and an electronic access control system can be closely related, but they're not the same thing. In this IAM expert response, Randall Gamby explains the difference.  Continue Reading

• A recovery point objective (RPO) vs. a recovery time objective (RTO)

  When making business continuity and disaster recovery plans, it's essential to come up with a recovery point objective (RPO) and a recovery time objective (RTO), but what is the difference between the two? Find out more in this expert response.  Continue Reading

• Risk management strategy for an information technology solution provider

  Looking to create an enterprise risk management strategy for an information technology solution provider? Security management expert David Mortman weighs in.  Continue Reading

• Are Web application penetration tests still important?

  Web application penetration tests continue to be an important part of the secure software development lifecycle process in order to reduce the number and severity of security-related design and coding errors.  Continue Reading

• The requirements needed to make an external penetration test legal

  Rule number one of pen testing: Make sure you have permission in hand before you begin. But there's much more than this needed to perform a successful penetration test on a wireless network.  Continue Reading

• How to detect input validation errors and vulnerabilities

  Expert John Strand reviews how to spot input validation flaws on your websites.  Continue Reading

• How can gap analysis be applied to the security SDLC?

  When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis into software development, and how it can help stop data leaks at your enterprise.  Continue Reading

• How does information security prevent fraud in the enterprise?

  When an enterprise is worried about fraud, where does the information security team step in? Security management expert Mike Rothman explains the role information security plays in enterprise fraud-prevention activities.  Continue Reading

• Is a Master Boot Record (MBR) rootkit completely invisible to the OS?

  Whether or not we see widespread attacks that use MBR rootkits will depend upon two factors. Platform security expert Michael Cobb explains them both.  Continue Reading

• What types of software can help a company perform a security risk assessment?

  Security management expert Mike Rothman unveils what kind of software is on the market to help assist a company in the risk assessment process.  Continue Reading

• What is the relationship between open port range and overall risk?

  Exposing a large number of well-known ports could be a substantial risk, depending upon their nature. In this expert Q&A, Mike Chapple explains why it may be best to narrow down a port range.  Continue Reading

• For asset management systems, is there a tool more comprehensive than Nmap?

  If you're looking for a network discovery tool, consider Nmap. There are other options for your asset management system, however, and Michael Cobb reviews them in this expert Q&A.  Continue Reading

• What is the risk estimation model for SSL VPN implementation?

  Risk assessment is a common way to evaluate new technologies. In our SearchSecurity.com Q&A, network security expert, Mike Chapple, explains how to determine if SSL VPN implementation is right for your organization.  Continue Reading

• What is the average cost of an MSSP?

  Looking to find the startup and maintenance costs of an MSSP? In this Ask the Expert Q&A, application security expert, Michael Cobb outlines the key issues for businesses to consider when examining managed security arrangements.  Continue Reading

• Risk-based authentication vs. static authentication

  How does risk-based authentication methods differ from static authentication methods? SearchSecurity's resident identity management and access control expert tackles this question in this Ask the Expert Q&A.  Continue Reading

• Gap analysis procedures

  In this Ask the Expert Q&A, Shon Harris, SearchSecurity's security management expert advises what should be done before a gap analysis is performed, and, provides six common steps of a gap analysis, so organizations will know what to expect before ...  Continue Reading

• Port searching

  In this Ask the Expert Q&A our network security expert dicusses whether it is possible to search for a port while it is in use.  Continue Reading

• Risk management methodologies

  Expert advice regarding best practices for risk management methodologies. Also learn how vulnerability management and risk management tools differ and how they can help protect your environment.  Continue Reading

• How security audits, vulnerability assessments and penetration tests differ

  Learn how security audits, vulnerability assessment and penetration tests differ, and how these tests help promote a more secure environment.  Continue Reading