Risk management

A successful risk management plan helps enterprises identify, plan for and mitigate potential risks. Learn about the components of risk management programs, including penetration tests, vulnerability and risk assessments, frameworks, security awareness training and more.

Top Stories

Feature 19 May 2023
The potential danger of the new Google .zip top-level domain

How much should the average end user be concerned about the new .zip and .mov TLDs? They aren't as bad as some make them out to be, but it's still worth doing something about them. Continue Reading
News 16 May 2023
Coalition: Employee actions are driving cyber insurance claims

After analyzing cyber insurance claims data, Coalition determined that phishing escalated in 2022, ransomware dropped and timely patching remained a consistent problem. Continue Reading

Opinion 14 Apr 2022

Making sense of conflicting third-party security assessments

Third-party security assessments from different sources may not always agree, but that doesn't mean they can be ignored. Learn how Mitre ATT&CK can provide perspective. Continue Reading
News 12 Apr 2022

Ukraine energy grid hit by Russian Industroyer2 malware

The 2016 malware known as 'Industroyer' has resurfaced in a new series of targeted attacks against industrial controller hardware at a Ukraine power company. Continue Reading
News 05 Apr 2022

German authorities behead dark web Hydra Market

Police in Germany raided facilities hosting the infamous Hydra Market site as part of an international effort to crack down on dark web forums and marketplaces. Continue Reading
Feature 05 Apr 2022

How effective is security awareness training? Not enough

Annual security awareness trainings do little to improve security. Learn why they aren't helpful, and discover steps to improve your organization's training program. Continue Reading
News 29 Mar 2022

Rapid7 finds zero-day attacks surged in 2021

Cybercriminals are turning bugs into exploits faster than ever, according to Rapid7, which found that the average time to known exploitation dropped 71% last year. Continue Reading
Feature 29 Mar 2022

Cryptocurrency cyber attacks on the rise as industry expands

Consumers, businesses and governments are finding new ways to use cryptocurrency, but a recent string of cyber attacks has highlighted security risks and shortcomings. Continue Reading
Tip 25 Mar 2022

6 types of insider threats and how to prevent them

From disgruntled employees to compromised users to third-party vendors, here are six types of insider threats and best practices to mitigate the issues. Continue Reading
News 24 Mar 2022

North Korean hackers exploited Chrome zero-day for 6 weeks

Google researchers say a Chrome zero-day bug stemming from a use-after-free error was exploited by North Korean hackers against both media and financial targets earlier this year. Continue Reading
News 16 Mar 2022

LokiLocker ransomware crew bursts onto the scene

The mysterious LokiLocker ransomware group caught the attention of BlackBerry researchers, who say the outfit could become the next cybercrime group to menace enterprises. Continue Reading
Guest Post 16 Mar 2022

5 cybersecurity myths and how to address them

These myths persist due to misinformation and a lack of cybersecurity awareness. Continue Reading
News 14 Mar 2022

Cyber insurance war exclusions loom amid Ukraine crisis

Changes in insurance exemptions for acts of war reflect an increase in damages caused to enterprises related to state-sponsored cyber attacks. Continue Reading
Tip 11 Mar 2022

How to write an information security policy, plus templates

Infosec policies are key to any enterprise security program. Read up on types of security policies and how to write one, and download free templates to start the drafting process. Continue Reading
Answer 10 Mar 2022

Use microsegmentation to mitigate lateral attacks

Attackers will get into a company's system sooner or later. Limit their potential damage by isolating zones with microsegmentation to prevent lateral movement. Continue Reading
News 09 Mar 2022

Immersive Labs: Average cyberthreat response takes 96 days

Immersive Labs' Cyber Workforce Benchmark found that some critical threats, including a zero-day vulnerability, took an average of six months to fully address. Continue Reading
Feature 03 Mar 2022

How to stop malicious or accidental privileged insider attacks

How many permissions or privileges a user has will affect how big of an insider threat they are. Discover the issues surrounding privileged users and how to curtail these threats. Continue Reading
Guest Post 25 Feb 2022

4 tips for selecting cybersecurity insurance

Choosing a cybersecurity insurance provider can be a daunting and complex task. Follow this advice to select the best policy -- and provider -- for your business. Continue Reading
News 24 Feb 2022

New tech, same threats for Web 3.0

Emerging technologies are prone to old-school social engineering attacks and credential-swiping techniques, according to Cisco Talos researchers who analyzed the new platforms. Continue Reading
Tip 23 Feb 2022

Crosswalk cloud compliance to ensure consistency

Combining a risk management framework with security policies can be tricky, but crosswalking -- especially in the cloud -- can help address inconsistencies and maintain compliance. Continue Reading
Tip 22 Feb 2022

Top 6 critical infrastructure cyber-risks

Cyber attacks on critical infrastructure assets can cause enormous and life-threatening consequences. Discover the top cyber-risks to critical infrastructure here. Continue Reading
News 16 Feb 2022

Trickbot has infected 140,000-plus machines since late 2020

In October 2020, Microsoft reported that more than 90% of Trickbot's infrastructure had been disabled. The threat actor bounced back and began thriving soon after. Continue Reading
News 14 Feb 2022

CISA says 'Shields Up' as Russia-Ukraine tensions escalate

CISA said in its advisory that 'there are not currently any specific credible threats to the U.S. homeland,' but cited past Russian cyber attacks against Ukraine and others. Continue Reading
Feature 08 Feb 2022

Pros and cons of manual vs. automated penetration testing

Automated penetration testing capabilities continue to improve, but how do they compare to manual pen testing? Get help finding which is a better fit for your organization. Continue Reading
News 07 Feb 2022

Metaverse rollout brings new security risks, challenges

When companies and users decide to adapt the technologies of the coming metaverse, they will also expose themselves to a new class of security risks and vulnerabilities. Continue Reading
Feature 31 Jan 2022

How to prepare for malicious insider threats

Stopping malicious insider threats is just as important as preventing external ones. Uncover what to look for and strategies to prevent insider threats before they cause damage. Continue Reading
Feature 31 Jan 2022

Include defensive security in your cybersecurity strategy

Is your company's cybersecurity strategy comprehensive enough to protect against an expanding threat landscape? Learn how developing defensive security strategies can help. Continue Reading
News 27 Jan 2022

Apple security update fixes zero-day vulnerability

Apple released a series of security updates for bugs that included a critical zero-day vulnerability in iOS and macOS that is being actively exploited in the wild. Continue Reading
Tip 26 Jan 2022

Build a strong cyber-resilience strategy with existing tools

Existing security protocols and processes can be combined to build a cyber-resilience framework, but understanding how these components relate to each other is key. Continue Reading
News 26 Jan 2022

New vulnerability rating framework aims to fill in CVSS gaps

The CVSS vulnerability scale doesn't always give a clear picture of the risk of a vulnerability, but experts hope the emerging standard called EPSS will provide more clarity. Continue Reading
Tip 18 Jan 2022

4 software supply chain security best practices

The increasing complexity of software supply chains makes it difficult for companies to understand all its components. Learn how to find vulnerabilities before attackers. Continue Reading
Guest Post 13 Jan 2022

Is ransomware as a service going out of style?

Increased government pressure has backed many ransomware gangs into a corner, in turn forcing attackers to replace the ransomware-as-a-service model with a smash-and-grab approach. Continue Reading
Tip 10 Jan 2022

5 principles of the network change management process

Network change management includes five basic principles, including risk analysis and peer review. These best practices can help network teams limit failed network changes and outages. Continue Reading
Feature 28 Dec 2021

Types of cybersecurity controls and how to place them

A unilateral cybersecurity approach is ineffective in today's threat landscape. Learn why organizations should implement security controls based on the significance of each asset. Continue Reading
Feature 28 Dec 2021

Top infosec best practices, challenges and pain points

Weak infosec practices can have irrevocable consequences. Read up on infosec best practices and challenges, as well as the importance of cybersecurity controls and risk management. Continue Reading
News 20 Dec 2021

Critical bugs could go unpatched amid Log4j concern

Many organizations are focused on finding and patching Log4Shell, but there are other vulnerabilities, including Patch Tuesday bugs, already under active exploitation. Continue Reading
Tip 10 Dec 2021

Cybersecurity employee training: How to build a solid plan

Cybersecurity training often misses the mark, while threats continue to grow. Succeed where others have failed by keeping training fresh, current and real. Here's how. Continue Reading
Tip 06 Dec 2021

How to get started with attack surface reduction

Attack surface reduction and management are vital to any security team's toolbox. Learn what ASR is and how it complements existing vulnerability management products. Continue Reading
Tip 06 Dec 2021

Security log management and logging best practices

Learn how to conduct security log management that provides visibility into IT infrastructure activities and traffic, improves troubleshooting and prevents service disruptions. Continue Reading
Guest Post 30 Nov 2021

Enterprise password security guidelines in a nutshell

In this concise guide to passwords, experts at Cyber Tec outline the security problems that put enterprises at risk and offer answers on how to solve them. Continue Reading
Tip 29 Nov 2021

How SBOMs for cybersecurity reduce software vulnerabilities

With SBOMs, companies will know what components constitute the software they purchase, making it easier for security teams to understand and manage vulnerabilities and risks. Continue Reading
Feature 29 Nov 2021

Elastic Stack Security tutorial: How to create detection rules

This excerpt from 'Threat Hunting with Elastic Stack' provides step-by-step instructions to create detection rules and monitor network security events data. Continue Reading
Feature 29 Nov 2021

Elastic Security app enables affordable threat hunting

New to threat hunting in cybersecurity? Consider using the open code Elastic Stack suite to gather security event data and create visualizations for decision-makers. Continue Reading
Guest Post 23 Nov 2021

How to talk about cybersecurity risks, colloquially

The cybersecurity field is riddled with confusion and complexity. Knowing how to talk about risk and how to manage it is key to building resilience. Continue Reading
News 19 Nov 2021

How enterprises need to prepare for 'cyberwar' conflicts

Infosec expert Tarah Wheeler said increasing international conflicts are posing new compliance and regulatory standards, but adapting the changes may be difficult for enterprises. Continue Reading
Guest Post 15 Nov 2021

Reduce the risk of cyber attacks with frameworks, assessments

Don't rely on a compliance mandate to reduce the risk of cyber attacks or on a cyber insurer to cover an attack's aftermath. Assessments and frameworks are key to staying safe. Continue Reading
Guest Post 10 Nov 2021

4 concepts that help balance business and security goals

The goal of enterprise security is to maintain connectivity, while remaining protected. Use these four concepts to balance business and security goals. Continue Reading
News 08 Nov 2021

Bug bounty programs in 2021: High payouts, higher stakes

Bug bounty programs today offer high monetary rewards for researchers, but they can also suffer from communication issues, delays and inaction that may portend bigger problems. Continue Reading
News 05 Nov 2021

Routers, NAS and phones hacked in Pwn2Own competition

Security researchers have spent the week attempting to break into network-connected hardware and other devices in hopes of winning recognition and big payouts. Continue Reading
Feature 25 Oct 2021

How to use Python for privilege escalation in Windows

Penetration testers can use Python to write scripts and services to discover security vulnerabilities. In this walkthrough, learn how to escalate privileges in Windows. Continue Reading
Feature 25 Oct 2021

Why hackers should learn Python for pen testing

The authors of 'Black Hat Python' explain the importance of learning Python for pen testing, how it helps create scripts to hack networks and endpoints, and more. Continue Reading
Podcast 22 Oct 2021

Risk & Repeat: Apple bug bounty frustrations boil over

Security researchers criticized the Apple Security Bounty program and claimed the company ignored bug reports, denied bounty payments and silently patched vulnerabilities. Continue Reading
News 15 Oct 2021

Burned by Apple, researchers mull selling zero days to brokers

Security researchers have grown frustrated with Apple's lack of communication, ‘silent patching’ of vulnerabilities, denial of bug bounty rewards and other issues. Continue Reading
Tip 11 Oct 2021

5 open source offensive security tools for red teaming

To be an effective red teamer, you need the right tools in your arsenal. These are five of the open source offensive security tools worth learning. Continue Reading
Feature 30 Sep 2021

How to use Ghidra for malware analysis, reverse-engineering

The Ghidra malware analysis tool helps infosec beginners learn reverse-engineering quickly. Get help setting up a test environment and searching for malware indicators. Continue Reading
Feature 30 Sep 2021

Get started with the Ghidra reverse-engineering framework

Malware analysts use Ghidra to examine code to better understand how it works. Learn what to expect from the reverse-engineering framework, how to start using it and more. Continue Reading
News 13 Sep 2021

Tenable acquires cloud security startup Accurics for $160M

The acquisition will be Tenable's first expansion into securing infrastructure as code, as it makes a push to identify and fix flaws in cloud-native software. Continue Reading
News 31 Aug 2021

College students targeted by money mule phishing techniques

Back to fool: University students with little security training are being targeted by Nigerian scammers to move fraudulent funds with the lure of quick bucks and flexible hours. Continue Reading
Tip 31 Aug 2021

How to use Metasploit commands and exploits for pen tests

These step-by-step instructions demonstrate how to use the Metasploit Framework for enterprise vulnerability and penetration testing. Continue Reading
News 09 Aug 2021

Transparency after a cyber attack: How much is too much?

Sharing threat intelligence and proof-of-concept exploits can often help other organizations better defend themselves, but such efforts are hampered by obstacles and restrictions. Continue Reading
News 04 Aug 2021

14 flaws in NicheStack put critical infrastructure at risk

The vulnerability disclosure process for Infra:Halt, a set of flaws impacting critical infrastructure, took nearly a year, due to the nature of supply chain vulnerabilities. Continue Reading
News 28 Jul 2021

CISA unveils list of most targeted vulnerabilities in 2020

Attackers chased the headlines in 2020, going after the most publicized vulnerabilities in Citrix, Pulse Secure and Fortinet products, according to the U.S. government. Continue Reading
Tip 23 Jul 2021

Risk-based vulnerability management tools in the cloud

As enterprises increasingly rely on cloud services, a risk-based vulnerability management approach can provide the best protection against cybersecurity threats. Continue Reading
Podcast 22 Jul 2021

Risk & Repeat: Vulnerability patching still falling short

Many organizations still fail to patch critical vulnerabilities, even when they're under exploitation in the wild. What are the best ways to improve patching rates? Continue Reading
Tip 16 Jul 2021

The benefits of using AI in risk management

Manual risk management is a thing of the past; AI in risk management is here to stay. Uncover the benefits, use cases and challenges your organization needs to know about. Continue Reading
News 13 Jul 2021

Schneider Electric PLCs vulnerable to remote takeover attacks

The authentication bypass vulnerability is a symptom of a much larger security crisis plaguing industrial control hardware, according to researchers who found the bug. Continue Reading
News 12 Jul 2021

SolarWinds warns of zero-day vulnerability under attack

SolarWinds says targeted attacks from a single threat actor have been reported on a previously unknown vulnerability in the Serv-U file transfer platform. Continue Reading
News 08 Jul 2021

Dutch researchers shed new light on Kaseya vulnerabilities

Dutch security researchers were working with Kaseya to get an authentication bypass flaw and other bugs patched when the catastrophic supply chain attack occurred. Continue Reading
Tip 30 Jun 2021

How to rank enterprise network security vulnerabilities

Risk management programs yield massive data on network security vulnerabilities. Infosec pros must rank risks to prioritize remediation efforts. Continue Reading
Tip 29 Jun 2021

Mitigate threats with a remote workforce risk assessment

Risk assessments are more necessary than ever as organizations face the challenge of protecting remote and hybrid workers alongside in-office employees. Continue Reading
News 16 Jun 2021

Zscaler: Exposed servers, open ports jeopardizing enterprises

Zscaler analyzed 1,500 networks and found administrators are leaving basic points of entry wide open for attackers as neglected servers are falling by the wayside. Continue Reading
Feature 15 Jun 2021

How to get started with security chaos engineering

Introducing security chaos engineering: the latest methodology security teams can implement to proactively discover vulnerabilities or weaknesses in a company's system. Continue Reading
News 08 Jun 2021

CISA taps Bugcrowd for federal vulnerability disclosure program

The new program follows a CISA directive from September that requires executive branch agencies to create and publish vulnerability disclosure policies. Continue Reading
Guest Post 08 Jun 2021

4 ways to build a thoughtful security culture

It's time companies paid more attention to their security culture, working toward building an effective security awareness program that everyone can understand and get behind. Continue Reading
Feature 07 Jun 2021

Hackers vs. lawyers: Security research stifled in key situations

The age-old debate between sharing information or covering legal liability is a growing issue in everything from bug bounties to disclosing ransomware attacks. Continue Reading
Feature 03 Jun 2021

How to handle social engineering penetration testing results

In the wake of conducting social engineering penetration testing, companies need to have a plan ready to prevent or minimize phishing, vishing and other attacks. Continue Reading
Feature 03 Jun 2021

How to ethically conduct pen testing for social engineering

Author Joe Gray explores his interest in pen testing for social engineering, what it means to be an ethical hacker and how to get started in the career. Continue Reading
News 18 May 2021

McAfee CTO: Use data to make better cyber-risk decisions

According to McAfee CTO Steve Grobman, the best response to today's cyber-risks includes both human and technology-based solutions, like threat intelligence and good security hygiene. Continue Reading
Quiz 30 Apr 2021

Security awareness training quiz: Insider threat prevention

Find out how much you know about preventing user-caused cybersecurity incidents through education in this security awareness training quiz for infosec pros. Continue Reading
Tip 12 Apr 2021

Threat intelligence frameworks to bolster security

Organizations have many threat intelligence frameworks to work with, each with its own advantages. From for-profit to nonprofit, here's help to figure out which ones you need. Continue Reading
Guest Post 06 Apr 2021

6 ways to prevent insider threats every CISO should know

Too often, organizations focus exclusively on external risks to security. Infosec expert Nabil Hannan explains what CISOs can do to effectively assess and prevent insider threats. Continue Reading
Guest Post 11 Mar 2021

Strengthening supply chain security risk management

In the wake of several supply chain attacks, Pam Nigro discusses how companies can work to reduce risk by broadening how to manage third-party vendors' access to company data. Continue Reading
Tip 25 Feb 2021

How to manage third-party risk in the supply chain

From third-party risk assessments to multifactor authentication, follow these steps to ensure suppliers don't end up being your enterprise cybersecurity strategy's weakest link. Continue Reading
Guest Post 11 Feb 2021

4 tips to help CISOs get more C-suite cybersecurity buy-in

CISOs can get more cybersecurity buy-in with cohesive storytelling, focusing on existential security threats, leading with CARE and connecting security plans to business objectives. Continue Reading
Tip 03 Feb 2021

Design a human firewall training program in 5 steps

Follow these five steps to develop human firewall training that's not only effective at preventing social engineering attacks, but also relevant and accessible to employees. Continue Reading
News 14 Jan 2021

Tenable: Vulnerability disclosures skyrocketed over last 5 years

New research from Tenable shows a dramatic increase in vulnerability disclosures since 2015, as well as concerning data about data breaches, ransomware threats and unpatched bugs. Continue Reading
Answer 07 Jan 2021

Explore benefits and challenges of cloud penetration testing

Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help inform cloud pen test strategies. Continue Reading
Tip 06 Jan 2021

The human firewall's role in a cybersecurity strategy

The human firewall is a crucial element of a long-term, holistic security initiative. Explore how human firewalls can protect your enterprise against attacks. Continue Reading
Guest Post 31 Dec 2020

The enterprise case for implementing live-fire cyber skilling

Companies continue to grapple with the cybersecurity skills gap, but Adi Dar offers a way to ensure security teams are properly trained through the use of live exercises. Continue Reading
Feature 30 Dec 2020

Insider risk indicators thwart potential threats

By paying attention to risk indicators, enterprises can tell the difference between insider threat and insider risk to prevent falling victim at the hands of one of their own. Continue Reading
Feature 30 Dec 2020

Insider threat vs. insider risk: What's the difference?

Identifying, managing and mitigating insider threats is far different than protecting against insider risks. Read up on the difference and types of internal risks here. Continue Reading
Tip 09 Dec 2020

Key SOC metrics and KPIs: How to define and use them

Enterprises struggle to get the most out of their security operation centers. Using the proper SOC metrics and KPIs can help. Learn how to define and benefit from them here. Continue Reading
Quiz 08 Dec 2020

Practice Certified Ethical Hacker exam questions

Preparing for your Certified Ethical Hacker certification? Assess your knowledge of topics on the CEH exam with these practice test questions. Continue Reading
Feature 08 Dec 2020

Ethical hacker career path advice: Getting started

Matt Walker, author of a Certified Ethical Hacker exam guide and practice exam book, offers advice to career hopefuls on the profession, CEH certification and more. Continue Reading
Tip 04 Nov 2020

Red team vs. blue team vs. purple team: What's the difference?

Red team-blue team exercises simulate attacks on enterprise networks. What does each team do? Where do purple teams fit in? Find out here. Continue Reading
News 04 Nov 2020

SaltStack discloses critical vulnerabilities, urges patching

The SaltStack vulnerabilities, disclosed Tuesday, allow remote attackers to execute arbitrary code on affected installations of the popular open source software. Continue Reading
Guest Post 28 Oct 2020

Addressing the expanding threat attack surface from COVID-19

CISOs need to ensure they and their security teams are aware of the new threats created by many businesses expanding their attack surface with many employees still working remotely. Continue Reading
Guest Post 27 Oct 2020

The need for independent cybersecurity solutions testing

Rohit Dhamankar suggests implementing standardized testing of cybersecurity providers, like MSSPs and MDRs, to help companies better understand the services they're getting from each. Continue Reading
News 27 Oct 2020

Mitre ATT&CK: How it has evolved and grown

Adoption of the Mitre ATT&CK framework, which saw version 8.0 released Tuesday, has grown rapidly over the last years, though challenges still remain for enterprise users. Continue Reading
Guest Post 21 Oct 2020

Changing the culture of information sharing for cybersecurity

Dan Young explains why it's time for the cybersecurity industry to come together regarding information sharing and how insurance providers, regulators and others could assist. Continue Reading
Tip 19 Oct 2020

Planning a zero-trust strategy in 6 steps

Launch a zero-trust strategy in six steps. Learn how to form a dedicated team, ask questions about existing security controls and evaluate the priority of zero-trust initiatives. Continue Reading
Feature 12 Oct 2020

Cybersecurity budget relies on planning and negotiation

Experts from Gartner and Forrester discuss how successful cybersecurity budgeting during these uncertain times requires planning, research and negotiation. Continue Reading

1
2
3
4
5

Networking

Google interconnects with rival cloud providers
Video platform provider Pexip said Google's Cross-Cloud Interconnect reduced the cost of connecting Google Cloud with Microsoft ...
How to interact with network APIs using cURL, Postman tools
Network engineers can use cURL and Postman tools to work with network APIs. Use cases include getting interface information and ...
Modular network design benefits and approaches
Modular network design is a strategic way for enterprises to group network building blocks in order to streamline network ...

CIO

Experts doubt U.S. retaliation following China's Micron ban
The Biden administration likely won't retaliate for China's Micron Technology ban but will continue to play the long game ...
AI transparency: What is it and why do we need it?
As the use of AI models has evolved and expanded, the concept of transparency has grown in importance. Learn about the benefits ...
How to write an RFP for a software purchase, with template
Software buying teams should understand how to create an effective RFP. Here's a look at what components to include, along with a...

Enterprise Desktop

Best practices for a PC end-of-life policy
Organizations that deploy PCs need a strong and clear policy to handle hardware maintenance, end of life decisions, sustainable ...
What does the new Microsoft Intune Suite include?
With all the recent name changes with Microsoft's endpoint management products and add-ons, IT teams need to know what Intune ...
Does macOS need third-party antivirus in the enterprise?
Macs are known for their security, but that doesn't mean they're safe from viruses and other threats. IT teams can look into ...

Cloud Computing

Cloud experts weigh in on the state of FinOps
Surprised by your cloud bill? Experts weigh in on the rising popularity of FinOps, the art of building a FinOps strategy and the ...
Dell Apex updates support enterprise 'cloud to ground' moves
Dell's latest Apex updates puts the company in a position to capitalize on the hybrid, multi-cloud and edge computing needs of ...
Prepare for the Azure Security Engineer Associate certification
Are you ready to boost your resume or further your cloud career path? Review this preparation guide to get ready for Exam AZ-500 ...

ComputerWeekly.com

Workers ‘deeply uncomfortable’ with digital surveillance at work
Employees express discomfort towards employers’ use of various digital surveillance and monitoring techniques, which are often ...
Bank of International Settlement sets up channel secure from quantum breach
The Bank of International Settlement has worked with two of Europe's central banks to explore preventing the security risks posed...
UK has time limit on ensuring cryptocurrency regulatory leadership, says Parliamentary report
Parliamentary report makes 53 recommendations to the government's plans to regulate cryptocurrency

Close