How to hone an effective vulnerability management program

• 

  Article

  Network security vulnerabilities: What matters most?

  Risk management programs produce piles of data on your network's security vulnerabilities. Here's now to rank the risks so you can prioritize remediation. Read Now

• 

  Article

  Security soft spots: Advice for specialized companies

  How can a university hospital or an auto parts manufacturer identify their data security weaknesses? Information security architect Nick Lewis offers an effective process.  Read Now

• 

  Article

  Eliminate residual risks with this step-by-step assessment process

  Even after an organization applies security controls to comply with laws and regulations for their industry, data management gaps inevitably remain. But there are five steps you can take to identify and offset them. Read Now

• 

  Article

  Assessing risks with a RACI matrix

  Learn how to assess info security risks with the responsibility assignment matrix. Read Now

1Penetration testing

A vulnerability management program that's effective is one that's been thoroughly tested. Penetration testing is the search for security vulnerabilities in a system, network or application. The idea is to locate the weaknesses before an attacker does and eliminate them. In this portion of the guide, you'll get advice from several experts on what works best when it comes to organizing and carrying out a penetration test. There are risks involved, as with any security effort, but also new enhancements to pen testing to consider, like the use of social engineering methods.

• Article

  How a network pen test can increase application security

  Network penetration testing can reveal alternate routes to sensitive data. Learn how to secure your data from every angle.  Read Now

• Article

  How best to approach security penetration testing

  Learn the best approaches to penetration testing from top security expert Dave Shackleford, chief technology officer of IANS. Read Now

• Article

  Pen testing: On-demand versus in-house

  Pen testing is one of the newer services available on demand. But is it a good replacement for in-house testing? Network security expert Brad Casey discusses. Read Now

• Article

  Penetration testing involves risks. Learn how to reduce them

  You can minimize the risk associated with pen testing by limiting the test's scope, our expert says.  Read Now

• Article

  Four ways to use social engineering for pen testing

  Social engineering techniques can be used to increase security. Learn four ways to add it to your pen tests.  Read Now

• Article

  Picking the best Web app testing method for your budget

  If your budget's tight, what’s the best approach to Web application security testing? Michael Cobb compares penetration tests and code reviews. Read Now

• Article

  Why third-party pen tests are best

  A third-party penetration test can best determine whether an online data store could be compromised.  Read Now

2Ethical hacking

While pen testing is essential for security, there are right and wrong ways to go about it. A concept called "hacking back" has become popular but is still being developed, as well as debated. What's clear so far is that to "ethically" hack a system, you need to establish both policy and processes. The experts here weigh in on how to do both. Still, it's worth noting that some industry heavyweights, like Gary McGraw, argue that hacking back is the wrong way to think about the problem of system and app security. In this segment of our guide, you'll learn about the concept and the ongoing arguments in this still-evolving area of security.

• Article

  Security experts struggle with the concept of hacking back

  Is offensive security, known as "hacking back," an acceptable enterprise defense tactic? At a recent RSA Conference, experts struggled just to define the term.  Read Now

• Article

  Ethical hacking, step by step

  In this chapter from Hacking for Dummies, author Kevin Beaver explores how to hack ethically, glean info about your organization from the Internet, scan your network and look for vulnerabilities. For more from Beaver, see his presentation in the video section below. Read Now

• Article

  Forget hacking back -- build stronger software, systems instead

  Hacking back ain't no way to win a cyberwar, says Gary McGraw. It's far better to build software and systems with fewer vulnerabilities. Read Now

3Patch management

Testing a system inevitably reveals security gaps that must then be addressed. In this segment, learn the risks involved in patching in an era of zero-day exploits. Even without external threats, patching can be tough, and some are tougher than others. Read on and you'll come away better equipped to tackle particularly challenging fixes, and you'll also learn how to do so with a minimum of expense.

• Article

  To test or not to test? That is the zero-day question

  Is it better to risk exposure and test zero-day patches or risk business disruption and patch without testing. Michael Cobb considers the conundrum. Read Now

• Article

  Frugal patch management with virtual patching

  Struggling to cut patch-management costs? Expert Michael Cobb explains virtual patching and how automated tools can play a role.  Read Now

• Article

  Is Java patching a futile pursuit?

  Security threats expert Nick Lewis weighs in on whether patching Java security flaws is an exercise in futility.  Read Now

• Article

  Going outside: The best third-party patch tools

  Do you know what the best third-party patch deployment tools are? See expert Michael Cobb's recommendations on which tools would work best for your enterprise.  Read Now

4Risk tutorials

Creating a vulnerability management program from the ground up requires first understanding where your security gaps are, devising a plan to fill them and then deciding how to make the fixes. That means acquiring the tools. The links here lead you to informative presentations about a range of security vulnerability tools.

• Article

  Take a peek at OWASP's Mantra tool

  OWASP's Mantra tool is being praised by security pro's for its abundance of options and ease of use. In this screencast, Mike McLaughlin takes a look at what Mantra has to offer.  Read Now

• Article

  What can WebScarab do?

  In this WebScarab tutorial, get step-by-step advice on how to install and use this free tool, including the WebScarab proxy features.  Read Now

• Article

  Learn to use Netcat, a free command-line tool

  Helpful for penetration testers and network admins who need to debug infected systems, the netcat command-line tool boasts many free features for enterprise use.  Read Now

• Article

  Open source pen tools can detect your Web app and XSS weaknesses

  In this video demo, learn how to use XSSer, open source penetration testing tools for detecting various Web application flaws and exploiting cross-site scripting (XSS) vulnerabilities against applications.  Read Now

• Article

  Try these free vulnerability management tools

  Learn how to use NeXpose Community Edition, a free collection of vulnerability management tools that offers predefined scan templates and the ability to scan networks, OSes, desktops and databases. Read Now

5More from the Dummies author on vulnerability assessment

The preceding segments of this guide address a range of issues related to managing system vulnerabilities. But as expert Kevin Beaver knows, a huge part of maintaining security is remaining flexible and adapting to changing technology and attack methodologies. In this segment Beaver relates his on-the-ground experiences in coping with the changing threat landscape.

• Video

  Kevin Beaver reveals the secrets of vulnerability assessments

  In this webcast, the author of Hacking for Dummies explains how to improve vulnerability assessments with better planning, tools and respect for the process.  Watch Now

6Defining the terms

The information security field is loaded with sometimes confusing terminology and acronyms; the subfield of vulnerability management is no different. But here we've gathered a concise glossary for easy reference.

• Definition

  vulnerability management

  Vulnerability management is a pro-active approach to managing network security through reducing the likelihood that flaws in code or design compromise the security of an endpoint or network. Read Now

• Definition

  OWASP (Open Web Application Security Project)

  The Open Web Application Security Project (OWASP) is a not-for-profit group that helps organizations develop, purchase, and maintain software applications that can be trusted. Read Now

• Definition

  pen test (penetration testing)

  Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Read Now

• Definition

  social engineering

  Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain. Read Now

• Definition

  cross-site scripting (XSS)

  Cross-site scripting (XSS) is a type of injection security attack in which an attacker injects data, such as a malicious script, into content from otherwise trusted websites. Read Now

• Definition

  zero-day exploit

  A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known...(Continued) Read Now

• Definition

  zero-day (computer)

  A zero-day vulnerability, also known as a computer zero day, is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. Read Now