Risk assessments metrics and frameworks
- January 20, 2020
In this Q&A with CyCognito CEO Rob Gurzeev, he discusses what led to his company, how attack simulations work and how he plans to spend the company's recent round of funding.
- October 22, 2019
The new platform provides an extra layer of testing by sending its findings to Bugcrowd's crowdsourced security testing tools.
- August 12, 2019
The cyber insurance market is growing rapidly and policies are incredibly inexpensive -- but experts at Black Hat 2019 had concerns about those low prices.
- February 26, 2019
Security expert Art Manion discusses what he calls major problems within the Common Vulnerability Scoring System and explains why CVSS needs to be replaced.
- November 30, 2018
The first round of evaluations using the Mitre ATT&CK framework has gone public, putting on display how different endpoint products detect advanced threat activities.
- June 01, 2018
The 'Federal Cybersecurity Risk Determination Report and Action Plan' shows the majority of federal agencies are at risk, and DHS suggests a lack of leadership may be to blame.
- March 09, 2018
Tenable.io Lumin enables organizations to gauge their 'cyber exposure' to vulnerabilities and allows them to compare remediation efforts against industry benchmark data.
- February 19, 2018
In this week's Risk & Repeat podcast, SearchSecurity editors discuss a new industry partnership designed to give Apple and Cisco customers beneficial cyberinsurance policies.
- October 03, 2017
A longitudinal cyberinsurance study performed by the Department of Homeland Security could improve enterprise security but the effects depend on the data collected, said experts.
- September 25, 2017
Speaking at the (ISC)2 Security Congress, FBI Deputy Assistant Director Don Freese spoke about the need for security pros to replace fear and emotion with proper cyber-risk management.
- July 28, 2017
Analyzing infosec through the lens of game theory shows that cyber-risk analysis and wasting attacker time may be highly effective cybersecurity strategies.
- February 22, 2017
One expert warned there can be a disconnect between what security remediation means to CISOs and what researchers announce because of divergent objectives.
- December 09, 2016
The IBM Watson for Cyber Security beta program aims to augment human intelligence, but experts question if IBM can distinguish it from other machine learning products.
- September 21, 2016
The SWIFT messaging system aims to improve the security of supported banks with new antifraud reports, but experts are unsure how useful the anomaly detection will be.
- September 15, 2016
Oracle's lack of response to security researchers raises more questions after a zero-day MySQL vulnerability was reported, though patches may have already been released.
- July 18, 2016
Responsible disclosure wins as researchers roll out branded website for 'httpoxy,' a set of vulnerabilities in server-side web apps that use the HTTP_PROXY variable.
- May 18, 2016
Internet pioneer Paul Vixie spoke with SearchSecurity about Internet crime, the glibc bug and other pervasive vulnerabilities that may never be eradicated.
- April 19, 2016
DHS says users need to uninstall QuickTime for Windows immediately as Apple quietly sends the software to its end of life following the disclosure of two zero-day flaws.
- April 14, 2016
The much-hyped Badlock bug is still important to patch, but raised issues with celebrity vulnerability promotion and responsible disclosure of security vulnerabilities.
- April 08, 2016
Vulnerability branding was once a practice that elevated understanding of flaws and potentially led to better remediation, but now serves as little more than marketing for security researchers.
- November 23, 2015
Adobe CSO Brad Arkin spoke at the recent Privacy. Security. Risk. 2015 event about his experiences dealing with the company's massive data breach two years ago.
- November 19, 2015
TechTarget 2015 Annual Salary and Careers Survey: Out of the myriad of security responsibilities for an enterprise, IT risk management and regulatory compliance occupy the most time.
- September 18, 2015
An internal audit of the U.S. Department of Homeland Security has been completed, detailing areas where its cyber mission has failed and what plans are in place to make improvements.
- July 29, 2015
Video: Security operations centers are critical to continuous network monitoring and detecting data breaches. Eric Cole discusses SOCs and the role security automation plays in them.
- June 26, 2015
RubyGems software packaging client was found to have a DNS vulnerability that redirects users to malicious gem servers.
- June 05, 2015
A new study claims social media may be a useful indicator of vulnerability risk and lead to more accurate CVSS scores and prioritization.
- May 21, 2015
A new study shows enterprises with security analytics are confident in their threat detection capabilities, while those without are overwhelmed by copious false positives and alerts.
- April 28, 2015
An open source threat model is aiming to be a repository for risk assessment, with the aim of allowing enterprises to focus on creating the right security controls for each business.
- April 28, 2015
A panel discussion at RSA Conference 2015 outlined strategic methods enterprises can use to build and advocate for an insider threat program.
- April 22, 2015
A Forrester analyst told RSA Conference 2015 attendees that enterprise threat intelligence programs are maturing, though obstacles like nascent technology and hard-to-find employees mean some firms may never reach full maturity.
- April 13, 2015
Experts have split opinions regarding the correct methodology for counting vulnerabilities, but all agree that focusing on numbers can mask real cybersecurity risks.
- March 27, 2015
News roundup: The ban of "booth babes" at RSA Conference 2015 has been met with praise; does it equal an increase of women in infosec? Plus: Cyberthreat data-sharing bill advances; Flash flaw exploited days after patching; new twist on Google Play ...
- August 06, 2014
At Black Hat USA 2014, keynote speaker Dan Geer said bounding system dependencies was the only hope for managing the risks of complexity.
- July 17, 2014
New Ponemon Institute data shows enterprise executives rarely if ever talk with their security teams, and that threat modeling may be underused.
- May 01, 2014
At a SANS event, former NSA cybersecurity boss Tony Sager said effective information security leadership requires a holistic, disciplined approach.
- December 02, 2013
You are better off with real numbers when it comes to measuring probability and the elements of security risk, even if they are wrong.
- November 01, 2013
What's a dollar spent on security worth in terms of risk? Break-even analysis helps you decide.
- October 22, 2013
Delayed by the government shutdown, the preliminary NIST Cybersecurity Framework offers general best practices for critical infrastructure security.
- October 01, 2013
In his inaugural Security Economics column, Peter Lindstrom looks at technology risk management, and how to make the hard decisions pay off.
- September 03, 2013
Analysts expect security concerns to drive global risk management, but executives may need convincing.
- July 19, 2013
A study by Bit9 explains just how bad the Java problem really is: The most popular version has 96 severe vulnerabilities.
- April 18, 2013
Big Yellow's annual report indicates a threefold rise in targeted attacks against SMBs as attackers search beyond big firms for susceptible targets.
- March 27, 2013
Panelists at the SANS Cyber Threat Intelligence Summit lament the challenges of using cyber-intelligence to thwart enterprise security threats.
- March 04, 2013
At RSA 2013, experts Ed Skoudis and Johannes Ullrich explained how the SANS CyberCity supports offensive forensics and helps prevent kinetic attacks.
- February 25, 2013
At B-Sides San Francisco, Dan Kaminsky discussed how society inhibits its own security culture, and the need to look beyond status-quo technology.
- December 10, 2012
Most risk management programs fail because they end up being another audit function, explains Alex Hutton, a faculty member at IANS.
- November 19, 2012
The PCI Risk Assessment Special Interest Group concludes that risk assessments are based on a company's unique risk tolerance and environment.
- November 14, 2012
Red teaming assesses an organization's security and can be a more effective way to evaluate its overall security posture.
- November 12, 2012
Study from vulnerability management firm Positive Technologies Security contends that 39% of systems in the U.S. and Europe are vulnerable to attack.
- October 17, 2012
Zero-day exploits are typically used in targeted attacks, but public disclosure of unpatched flaws significantly increases the use of the exploits.
- October 11, 2012
The Black Hole attack toolkit is fueling many of the exploits targeting the vulnerabilities, according to Microsoft.
- October 10, 2012
Mobile risk management vendor Mobilisafe assesses employee smartphones and tablets for platform vulnerabilities.
- October 02, 2012
Security expert Jayson E. Street explains why security pros must learn to communicate effectively to gain trust from management and empower employees.
- October 01, 2012
Pen testers often focus on system errors and application flaws, but employees are often an enterprise's greatest weakness, explains Chris Nickerson.
- September 12, 2012
After a year researching and implementing new advanced persistent threat protection tactics, the telco giant has put several new defenses in place.
- September 11, 2012
To get executive buy-in, the retailer's risk management program architect had to define success and make sure everyone could speak the same language.
- September 02, 2012
Security expert Marcus Ranum goes one-on-one with Alex Hutton about the problems with security metric efforts.
- July 25, 2012
The analysis environment aims to provide free access to millions of malware samples, according to Rodrigo Branco, who is unveiling the system at Black Hat 2012.
- July 23, 2012
Sean Barnum of MITRE will describe Structured Threat Information eXpression (STIX), a new cyberthreat intelligence system for incident response teams.
- June 21, 2012
U.K. companies are preparing to manage their security during the Olympics. Would your security contingency plan hold up to such a disruptive event?
- April 25, 2012
The Black Hole Exploit toolkit is behind the bulk of the HTML and Java exploits, according to version 12 of the Microsoft Security Intelligence Report.
- April 19, 2012
Luminary Dan Geer says IT infrastructure risk can be reduced by boosting Internet resiliency and by planning backup processes should the Net go down.
- April 12, 2012
How would you define a security threat? The correct answer could score the funding you need for your next security project.
- April 04, 2012
Blunt experts at InfoSec World said enterprise IT security strategy often misses the mark, but some attendees suggested the experts are out of touch.
- April 02, 2012
A security expert warns organizations against buying the latest and greatest security technology and advocates for more effective pen testing at InfoSec World Conference and Expo 2012.
- March 06, 2012
Too often, organizations jam all their compliance tasks into the quarter when the audit is due. Read advice for reducing compliance fatigue.
- March 01, 2012
RSA Conference 2012 panelists discussed court rulings on liability for hacked bank accounts, and gave advice to security pros for protecting financial assets.
- February 07, 2012
While organizations focus on mobile security and other emerging threats, an analysis of more than 2,000 penetration tests conducted by Trustwave found older threats often overlooked.
- February 06, 2012
A researcher calls the state of industrial control system security “laughable” and warns of the consequences of unpatched critical infrastructure that is reachable over the Internet.
- October 04, 2011
Even the most mature organizations are using multiple risk-management frameworks and various processes to make risk-based decisions.
- August 03, 2011
Cross-site scripting flaws enable security researchers to bypass Chromebook security and silently steal sensitive data by hijacking browser sessions.
- June 23, 2011
Eric B. Parizo discusses the top themes from the 2011 Gartner Security & Risk Management Summit, including the rediscovery of enterprise risk management.
- January 04, 2011
Security researcher Michal Zalewski said his new cross_fuzz has helped identify about 100 bugs in prominent browsers that include Internet Explorer, Firefox and Opera.
- December 15, 2010
The new Core Insight pen testing suite can lay out the history of testing campaigns and the relative threat level of an enterprise's systems.
- December 07, 2010
Survey finds some enterprises are overburdened with compliance issues and are using piecemeal patch testing and deployment processes.
- September 15, 2010
OpenPages will be integrated with IBM's business analytics software portfolio.
- August 03, 2010
TippingPoint's vulnerability disclosure team will give vulnerable vendors six months to create a patch.
- July 29, 2010
An analysis of 120 security assessments at power plants, oil and chemical refineries and other critical systems revealed tens of thousands of security vulnerabilities, outdated operating systems and unauthorized applications.
- March 04, 2010
Health care organizations say medical identity fraud is on the rise and they're boosting their online security with anti-fraud measures used in the banking industry.
- August 13, 2009
Despite critical Flash and Adobe Reader updates July 30, only a fraction of Adobe users have installed them, Trusteer says. Trusteer's CEO urges better patching mechanisms.
- August 13, 2009
IT pros need to take patch management processes seriously and more diligently understand the plethora of applications being used by end users.
- May 15, 2009
The $47 million deal adds Solidcore's whitelisting technology to McAfee's product lineup.
- March 23, 2009
SWFScan analyzes Adobe Flash to identify dozens of source code errors.
- March 05, 2009
Two firms certified to conduct PCI assessments have been placed into the PCI Council's remediation program for violating the QSA Validation Requirements.
- February 24, 2009
Though a payload hasn't been issued, the Conficker worm reminds security professionals to be actively protecting the network from attacks.
- January 27, 2009
Archer's acquisition of Brabeion indicates convergence in the IT GRC market. Compliance and the trend toward risk management bode well for GRC companies in the wake of the economic meltdown.
- December 24, 2008
An NSS Labs test of six business products yields disappointing results.
- October 14, 2008
More employees are leaving the office with sensitive business and customer data on laptops, smartphones and USB flash drives, bypassing security policies to get their work done.
- September 15, 2008
Former QSA turned Forrester analyst John Kindervag calls PCI a "communicable disease." Anything introduced to the network is in PCI scope if credit card systems aren't segmented.
- September 05, 2008
Protecting customer data, corporate intellectual property and other sensitive internal data remains a priority in many corporate board rooms, a Forrester Research survey finds.
- July 09, 2008
The subprime mortgage crisis illustrates the critical need for enterprises to implement processes for governing data, says IBM Council chairman.
- June 13, 2008
Panelists at the Symantec Vision 2008 conference said a well implemented IT governance, risk and compliance (GRC) program boosts revenue and cuts costs.
- June 02, 2008
Security pros are beginning to use metrics to measure the effectiveness of security technologies and strengthen budget requests, but those measurements are still being inhibited, some experts say.
- March 19, 2008
The security incidents at the Hannaford supermarket chain and elsewhere have some wondering if it's time to purchase data breach insurance. But experts say there are drawbacks.
- March 05, 2008
Security experts say IT pros should be more concerned about the risks created by misconfigured networks than all the flaws and exploit code they read about.
- December 04, 2007
Hoping to ramp up sales of its cyber insurance policies, commercial insurer Chubb is offering a discount for companies that deploy a penetration testing tool.
- July 10, 2007
Recent high profile data breaches and compliance pressures are forcing companies to spend more on technology to protect intellectual property, according to a new study.
- June 19, 2007
HP said it would bolster its Web site assessment and Web application vulnerability offerings with its acquisition of Atlanta-based SPI Dynamics Inc.
- June 05, 2007
Gartner IT Security Summit: An enterprise security architecture is an important part of a long-term strategy and can help mitigate the risks when data is used in new ways.
- April 25, 2007
IT operations is turning to software that monitors security configurations across the enterprise to meet a number of regulations.