Security audit, compliance and standards
Get tips from the experts on security audits, compliance and standards. Advice is offered on data privacy and theft, audit planning and management, how to work with auditors, and compliance with standards, regulations and guidelines such as PCI DSS, GLBA, HIPAA, SOX, FISMA, ISO 17799 and COBIT.
Top Stories

- 20 Sep 2022 (Tip): How to develop a cybersecurity strategy: Step-by-step guide
  A cybersecurity strategy isn't meant to be perfect, but it must be proactive, effective, actively supported and evolving. Here are the four steps required to get there.
- 14 Jun 2022 (Tip): 3 steps for CDOs to ensure data sovereignty in the cloud
  Data sovereignty regulations, combined with a tsunami of data growth and increased cloud usage, have created a perfect storm that chief data officers must manage.
- 18 Jun 2019 (News): Gartner: Cybersecurity skills shortage requires a new approach
  At the Gartner Security and Risk Management Summit, analysts discuss the challenge of finding skilled cybersecurity professionals and how it can be solved.
- 18 Jun 2019 (News): ReliaQuest's cybersecurity platform integrates technologies
  ReliaQuest's security analytics platform, GreyMatter, claims to improve threat detection by up to four times and reduce system downtime by 98% by integrating AI and human analysis.
- 18 Jun 2019 (News): GandCrab decryption tool helps victims recover data
  The No More Ransom initiative released one last GandCrab decryption tool to help victims recover data after the ransomware was allegedly shut down by its authors.
- 18 Jun 2019 (News): Netskope announces enterprise application security platform
  Netskope for Private Access is a cloud-based platform that secures private enterprise applications on public clouds and in on-premises data centers using zero-trust access.
- 17 Jun 2019 (News): YubiKey FIPS recalled from government for reduced randomness
  Yubico recalled YubiKey FIPS series devices after discovering an issue leading to reduced randomness in values generated by the keys, which are used by federal agencies.
- 14 Jun 2019 (News): Dragos: Xenotime threat group targeting U.S. electric companies
  Dragos says Xenotime, the threat group behind a devastating ICS attack in 2017, has been probing the networks of U.S. electric utilities and also attempted network intrusions.
- 14 Jun 2019 (Feature): SANS security awareness credential paves new career path
  The SANS Security Awareness Professional credential gives enterprises a new method to recognize and promote cybersecurity awareness in the organization.
- 13 Jun 2019 (News): RAMBleed: New Rowhammer attack can steal data from memory
  Security researchers developed a Rowhammer attack variant, called RAMBleed, that can steal data from memory and works even if systems are patched against Rowhammer.
- 13 Jun 2019 (Answer): What is subdomain takeover and why does it matter?
  Subdomain takeover exposure can happen when cloud-hosted web services are incompletely decommissioned, but configuration best practices can reduce the risks.
- 13 Jun 2019 (News): CrowdStrike IPO success puts spotlight on endpoint security
  Cybersecurity firm CrowdStrike made its successful Wall Street debut Wednesday. The company closed its trading with a share price of $58.
- 12 Jun 2019 (News): Election security threats increasing pressure on state governments
  As local and state governments continue to tackle the evolving threat landscape, experts share tips on how to improve security posture and highlight the resources available for help.
- 11 Jun 2019 (Feature): Red alerts: Inside Cisco's incident response best practices
  Incident response is often challenging, but Cisco's Sean Mason offers recommendations for doing IR effectively, from keeping internal logs longer to embracing tabletop exercises.
- 10 Jun 2019 (News): Google: Triada backdoors were pre-installed on Android devices
  Google detailed the discovery and process of removing Triada malware after a supply chain attack led to backdoors being preinstalled on budget phones in overseas markets.
- 10 Jun 2019 (Answer): What is MTA-STS and how will it improve email security?
  Discover how the MTA-STS specification will improve email security by encrypting messages and enabling secure, authenticated email transfers between SMTP servers.
- 07 Jun 2019 (Tip): 3 reasons privilege escalation in the cloud works
  Statistics show that many cloud attacks are linked to credential and privilege misuse. Learn three ways threat actors are able to launch privilege escalation attacks in the cloud.
- 07 Jun 2019 (Podcast): Tenable CEO Amit Yoran wants to stop 'cyber helplessness'
  This week's Risk & Repeat podcast features Tenable CEO Amit Yoran, who discusses what he calls 'cyber helplessness' and how the mentality is infecting enterprises.
- 06 Jun 2019 (Feature): Security awareness training for executives keeps whaling at bay
  Security awareness training for executives teaches an enterprise's biggest fish to recognize potential whaling attacks -- before they take the bait.
- 06 Jun 2019 (News): NSA issues BlueKeep warning as new PoC exploit demos
  The NSA issued a rare warning for users to patch against the BlueKeep vulnerability on the same day a security researcher demoed an exploit leading to a full system takeover.
- 06 Jun 2019 (News): Why larger GDPR fines could be on the horizon
  There haven't been many fines under the General Data Protection Regulation since the EU data privacy law went into effect a year ago. But experts warn that will likely change.
- 05 Jun 2019 (News): Apple single sign-on option promises privacy for users
  Apple is preparing its own single sign-on offering, called Sign In with Apple, which will focus on user privacy. But experts are split on how well this will work.
- 04 Jun 2019 (Tip): Zero-trust security model means more than freedom from doubt
  A zero-trust security model has a catchy name, but the methodology means more than not trusting any person or device on the network. What you need to know.
- 04 Jun 2019 (News): Microsoft issues second BlueKeep warning urging users to patch
  Microsoft again urged users to patch against the BlueKeep vulnerability as more potential exploits surface and one researcher discovered almost 1 million vulnerable systems.
- 31 May 2019 (Answer): Why are fewer companies using SMS 2FA for authentication?
  Instead of SMS two-factor authentication, some companies are switching to 2FA through messaging apps and social media platforms. Learn what's behind this authentication trend.
- 31 May 2019 (News): Docker vulnerability with no patch could allow root access
  A security researcher disclosed a Docker bug that could allow an attacker to gain root-level access to a system. Docker signed off on the disclosure, despite a fix not yet being available.
- 31 May 2019 (Answer): How can SIEM and SOAR software work together?
  Many security pros initially thought SOAR software could replace SIEM. Our security expert advocates learning how SIEM and SOAR can work together.
- 31 May 2019 (News): Ransomware attacks on local and state governments increasing
  State and local governments are experiencing a rise in ransomware attacks. Experts sound off on what's triggering this trend and offer best practices for defense.
- 31 May 2019 (Feature): Explore this NGFW comparison of leading vendors on the market
  Explore some of the top NGFWs currently on the market -- based on features and user reviews -- to help you make a buying decision.
- 31 May 2019 (News): New Sophos endpoint security software releases
  Sophos has released Intercept X for Server with endpoint detection and response to protect users against blended threats and proactively detect stealthy attacks.
- 30 May 2019 (Guide): How best to secure cloud computing in this critical era
  Achieving cloud security today demands you continually update your strategy, policy, tactics and tools. This collection of expert advice helps keep your cloud defenses well-tuned.
- 30 May 2019 (News): Recorded Future acquired by private equity firm for $780 million
  Recorded Future said the $780 million acquisition agreement with private equity firm Insight Partners affirms the growing importance of threat intelligence for enterprises.
- 30 May 2019 (Feature): Dark data raises challenges, opportunities for cybersecurity
  Dark data is the data enterprises didn't know they had. Splunk CTO Tim Tully explains where this data is hiding, why it's important and how to use and secure it.
- 30 May 2019 (Answer): The future of SIEM: What needs to change for it to stay relevant?
  Compared to security orchestration, automation and response (SOAR) software, SIEM systems are dated. Expert Andrew Froehlich explains how SIEM needs to adapt to keep up.
- 29 May 2019 (News): Tortuga launches Radix-M, new firmware security product
  Tortuga Logic has launched a firmware security platform that automatically performs security validation of firmware on SoC designs using an existing platform from Cadence.
- 29 May 2019 (News): Hackers scan for MySQL ransomware targets
  A security researcher found that malicious actors have been scanning database servers for MySQL ransomware targets running on Windows, but mitigation should be relatively easy.
- 28 May 2019 (Tip): How to find an MSP to protect you from outsourcing IT risks
  Check out what questions to ask MSPs to make sure they have the right security systems in place to protect your organization against outsourcing IT risks.
- 28 May 2019 (News): Cylance CSO: Let's name and shame failed security controls
  Malcolm Harkins, the chief security and trust officer at BlackBerry Cylance, says security controls that don't live up to their billing should be taking more blame for data breaches.
- 24 May 2019 (News): CrowdStrike, NSS Labs settle legal disputes over product testing
  CrowdStrike and NSS Labs have ended their legal dispute with a confidential settlement agreement, which resolves all lawsuits including NSS Labs' antitrust suit against the vendor.
- 24 May 2019 (Report): Using virtual appliances for offload is a key encryption strategy
  Using a virtual appliance to process traffic is a key encryption strategy enterprises can use to improve throughput. The results are striking.
- 24 May 2019 (News): Barracuda Advanced Bot Protection safeguards web applications
  Advanced Bot Protection is a cloud-hosted platform that defends against automated threats using AI. It is available as both a web application firewall (WAF) and WAF as a service.
- 23 May 2019 (News): Microsoft bets on ElectionGuard SDK to fortify election security
  Ahead of the 2020 elections, Microsoft unveiled ElectionGuard, an open source SDK designed to provide end-to-end verification of electronic voting machine results.
- 23 May 2019 (Feature): 10 ways to prevent computer security threats from insiders
  Whether via the spread of malware, spyware or viruses, insiders can do as much damage as outside attackers. Here's how to prevent computer security threats from insiders.
- 23 May 2019 (News): 'BlueKeep' Windows Remote Desktop flaw gets PoC exploits
  Multiple researchers created proof-of-concept exploits, including remote code execution attacks, targeting the recently patched Windows Remote Desktop flaw called BlueKeep.
- 22 May 2019 (Podcast): Risk & Repeat: Cisco vulnerabilities raise backdoor concerns
  This week's Risk & Repeat podcast looks at vulnerabilities in Cisco and Huawei products, which have raised concerns about backdoor access in networking equipment.
- 21 May 2019 (Feature): IT pros stress importance of security awareness training
  End-user naiveté can lead to costly data breaches, underscoring the critical importance of security awareness training. Learn how phishing simulation tools can help.
- 20 May 2019 (Feature): What makes BSA's secure software development framework unique?
  BSA rolled out a new secure software development framework in an effort to promote best practices for secure software development and improve security for all.
- 17 May 2019 (Tip): Endpoint security tools get an essential upgrade
  Malware, APTs and other threats are getting smarter, but so are endpoint detection and response products. Learn what the latest versions can do to keep threats away.
- 17 May 2019 (News): How Google turned 1.5 billion Android phones into 2FA keys
  Google product manager Christiaan Brand discusses the journey to making 1.5 billion Android devices work as 2FA security keys and the plan for the future.
- 16 May 2019 (News): New executive order moves to ban Huawei
  U.S. businesses are barred from dealing with Huawei following an executive order from the White House and the additions of Huawei and its affiliates to a trade blacklist.
- 16 May 2019 (News): ZombieLoad: More side channel attacks put Intel chips at risk
  Another set of side channel vulnerabilities were discovered in Intel chips. Security researchers explain the risks posed by the flaws and offer advice on mitigation steps.
- 16 May 2019 (Feature): Words to go: GPS tracking security
  GPS and location-based services may be some of the most significant recent technological advancements, but they can also put personal privacy in jeopardy.
- 15 May 2019 (Feature): Women in cybersecurity work to grow voice in US lawmaking
  To encourage more input from women in cybersecurity in the legislative process, the Executive Women's Forum went to Washington to discuss key issues with Congress.
- 15 May 2019 (News): WannaCry infections continue to spread 2 years later
  Two years after the initial wave of WannaCry attacks, security researchers said the ransomware continues to spread to vulnerable devices even though it's not encrypting data.
- 15 May 2019 (Tip): 3 best practices for cloud security monitoring
  Cloud security monitoring can be laborious to set up, but organizations can make it easier. Learn about three best practices for cloud security monitoring and the available tools.
- 14 May 2019 (News): Verizon DBIR: Ransomware still a major threat, despite reports
  The 2019 Verizon Data Breach Investigations Report challenges the wisdom that cryptomining attacks replaced ransomware as the dominant malware threat last year.
- 14 May 2019 (News): Zero-day WhatsApp vulnerability could lead to spyware infection
  A zero-day vulnerability in WhatsApp was used in targeted attacks that involved installing spyware on mobile devices, which may be the work of an advanced threat actor.
- 14 May 2019 (Feature): 6 firewall selection criteria to purchase NGFWs
  These six key factors will help your company determine the best NGFW product for your organization's needs.
- 13 May 2019 (Answer): How does an identity and access management framework work?
  A comprehensive identity and access management framework is an IT necessity. But how do the two components work together?
- 13 May 2019 (Feature): DDoS attacks among top 5G security concerns
  DDoS attacks top the list of primary security concerns for mobile operators now that 5G wireless is advancing as the number of connected devices grows.
- 13 May 2019 (Tip): Why centralization in a multi-cloud security strategy is key
  When moving to a multi-cloud infrastructure, there are a few strategies to keep in mind. Learn how centralization will limit the challenges of fragmented security access and monitor controls.
- 13 May 2019 (Feature): Next-generation firewall comparison based on company needs
  Compare leading next-generation firewalls to help find the option that best fits your IT environment and security needs.
- 10 May 2019 (News): Effects of cybersecurity skills shortage worsening, new study says
  The cybersecurity skills shortage is putting businesses at risk in a variety of ways, according to a new study. Experts suggest ways to combat the problem.
- 10 May 2019 (News): Symantec CEO Greg Clark unexpectedly steps down
  Cybersecurity giant Symantec is searching for a new CEO once again after Greg Clark unexpectedly resigned from the vendor after three years at the helm.
- 10 May 2019 (Tip): Building a cybersecurity awareness training program
  Cybersecurity awareness training programs are sometimes perceived as an extraneous waste of time and energy, but are essential to building a strong security culture.
- 09 May 2019 (Blog Post): Google focuses more on steering the Android ship than righting it
  Google's security and privacy upgrades to Android are mostly forward-thinking changes, readying for a future that is inevitable but unclear, rather than ways to improve security today.
- 08 May 2019 (Tip): How to perform a building security assessment
  There are four major systems to review in a building security assessment. Learn what they are and how to review their potential cyber and physical risks.
- 08 May 2019 (Tip): How to conduct a security risk review on a large building
  Assessors cannot dive into a security risk review of a large building; they have to prepare and strategize ahead of time. Learn how to get ready for this type of security assessment.
- 08 May 2019 (News): Google I/O 2019 keynote brings focus on security and privacy
  After being a no-show at last year's conference, security and privacy improvements were big themes at Google I/O's first day, including discussion on federated learning.
- 08 May 2019 (Feature): Next-generation firewalls vs. traditional and UTMs
  Learn the advantages of next-generation firewalls that protect enterprise networks from attacks and intrusion, as well as the differences between NGFWs and traditional firewalls.
- 08 May 2019 (News): 2019 Verizon DBIR highlights cyberespionage, nation-state attacks
  The 2019 Verizon Data Breach Investigations Report showed significant increases in cyberespionage and nation-state activity. It also painted a gloomy picture for email threats.
- 07 May 2019 (Feature): The risks of multi-cloud security compared to single cloud
  Single-cloud architecture poses some challenges, which has led to a new trend in adopting multi-cloud designs. Discover whether multi-cloud is right for your enterprise.
- 07 May 2019 (Opinion): We talk a lot about access and authentication, but what about revoking user access?
  Google hopes to make it easier with their proposed Continuous Access Evaluation Protocol.
- 06 May 2019 (Feature): 5 common authentication factors to know
  Multifactor authentication is a security system that requires two or more authentication steps to verify the user's identity. Discover the most important terms related to MFA.
- 06 May 2019 (News): Enterprise security threats rising, consumer attacks falling
  Cybercriminals are increasingly taking aim at businesses, according to a recent Malwarebytes report. Security experts weigh in on best practices for defending against malware attacks.
- 06 May 2019 (News): Cisco SSH vulnerability sparks debate over backdoors
  Cisco released a patch for a critical vulnerability in Nexus 9000 switches that could allow a remote attacker to gain root access because of the use of a default SSH key pair.
- 03 May 2019 (Guide): How to manage application security best practices and risks
  The reality of application security risks requires software developers to be mindful of testing, tools and best practices to improve user experience and information security.
- 02 May 2019 (News): CrowdStrike tackles BIOS attacks with new Falcon features
  CrowdStrike added firmware attack detection capabilities to its Falcon platform and also expanded its partnership with Dell to help organizations tackle BIOS threats.
- 02 May 2019 (News): White Ops: Ad fraud bot activity waning, but threats still loom
  A new study from security vendor White Ops shows a decline in digital ad fraud, but the company says the battle against cybercriminals abusing ad platforms is far from over.
- 01 May 2019 (News): DHS patching directive brings shorter deadlines
  A new DHS directive placed new deadlines on patching critical vulnerabilities for federal agencies and experts are divided on whether the timelines are reasonable and realistic.
- 01 May 2019 (Opinion): The top cloud security challenges are 'people problems'
  Cloud security begins at home. Considering the human factor in cybersecurity is step one when it comes to addressing how to keep critical assets safe in the cloud.
- 01 May 2019 (Opinion): Putting cybersecurity for healthcare on solid footing
  CISO Kevin Charest talks security threats he sees in the healthcare field and the means his company is using to thwart them, including HCSC's Cyber Fusion Center.
- 01 May 2019 (Quiz): Take this cybersecurity-challenges quiz and score CPE credit
  Just finished ISM's May 2019 issue? Solidify your knowledge, and get CPE credits too, by passing this 10-question quiz.
- 01 May 2019 (Feature): Huawei ban highlights 5G security issues CISOs must tackle
  Why worry over Huawei? A U.S. ban of this Chinese company's products should remind CISOs that now is the time to consider security issues related to the rollout of the 5G network.
- 01 May 2019 (Infographic): Are users your biggest risk? Raise IT security awareness
  Users are either your best line of defense or greatest vulnerability. Learn how attackers exploit human behavior and fight back by improving user security awareness.
- 01 May 2019 (Feature): Top cloud security risks that keep experts up at night
  Hackers are after your assets in the cloud. Here's how they get in and what you can do to plug security holes, starting with minimizing the risks created through human error.
- 01 May 2019 (Opinion): Cloud security threats need a two-pronged approach
  You'll need to burn the security 'candle' at both ends to keep cloud safe from both nation-state hackers and vulnerabilities caused by human error.
- 30 Apr 2019 (News): A recent history of Facebook security and privacy issues
  Since the start of 2018, Facebook has had a seemingly constant cascade of security issues and privacy scandals. Here's a look back at the social media giant's most serious issues.
- 30 Apr 2019 (Feature): How information sharing can reduce cybersecurity vulnerabilities
  Cybersecurity vulnerabilities come from multiple fronts for modern businesses, but information sharing about real-world breaches -- good and bad -- provides valuable intelligence.
- 30 Apr 2019 (Feature): Inside 'Master134': More ad networks tied to malvertising campaign
  Check Point's report on the Master134 malvertising campaign implicated five ad networks, but a SearchSecurity investigation revealed more companies were involved.
- 30 Apr 2019 (Feature): Inside 'Master134': Propeller Ads connected to malvertising campaign
  A SearchSecurity investigation determined ad network Propeller Ads played a significant role in the early stages of the Master134 malvertising campaign.
- 30 Apr 2019 (Feature): Inside 'Master134': Adsterra's history shows red flags, abuses
  Adsterra denied it was involved in the Master134 malvertising campaign, but a review of the company's history reveals many red flags, including activity in a similar campaign.
- 30 Apr 2019 (Feature): Inside 'Master134': Ad networks' 'blind eye' threatens enterprises
  Online ad networks linked to the Master134 malvertising campaign and other malicious activity often evade serious fallout and continue to operate unabated.
- 30 Apr 2019 (Feature): 'Master134' malvertising campaign raises questions for online ad firms
  Malvertising and adware schemes are a growing concern for enterprises. Our deep investigation into one campaign reveals just how complicated threats can be to stop.
- 30 Apr 2019 (Feature): Inside 'Master134': ExoClick tied to previous malvertising campaigns
  Online ad network ExoClick denied any involvement in the Master134 campaign, but the company has ties to similar malvertising threats.
- 29 Apr 2019 (Tip): How can organizations build cybersecurity awareness among employees?
  A high level of cybersecurity awareness among employees is essential to protect corporate data. To build this awareness, start with a strong cybersecurity culture.
- 29 Apr 2019 (Tip): 2019's top 5 free enterprise network intrusion detection tools
  Snort is one of the industry's top network intrusion detection tools, but plenty of other open source alternatives are available. Discover new and old favorites for packet sniffing and more.
- 29 Apr 2019 (Guide): How to manage email security risks and threats
  When faced with email security risks -- and who isn't? -- do you have the right tools, features, training and best practices in place to face down phishing attacks and manage other threats proactively? Start with this guide.
- 26 Apr 2019 (Tip): How infrastructure as code tools improve visibility
  Visibility into cloud infrastructures and applications is important for data security. Learn how to maintain that visibility while using infrastructure as code tools.