Security audit, compliance and standards

Get tips from the experts on security audits, compliance and standards. Advice is offered on data privacy and theft, audit planning and management, how to work with auditors, and compliance with standards, regulations and guidelines such as PCI DSS, GLBA, HIPPA, SOX, FISMA, ISO 17799 and COBIT.

Top Stories

Tip 20 Sep 2022
How to develop a cybersecurity strategy: Step-by-step guide

A cybersecurity strategy isn't meant to be perfect, but it must be proactive, effective, actively supported and evolving. Here are the four steps required to get there. Continue Reading
Tip 14 Jun 2022
3 steps for CDOs to ensure data sovereignty in the cloud

Data sovereignty regulations, combined with a tsunami of data growth and increased cloud usage, have created a perfect storm that chief data officers must manage. Continue Reading

News 18 Jun 2019

Gartner: Cybersecurity skills shortage requires a new approach

At the Gartner Security and Risk Management Summit, analysts discuss the challenge of finding skilled cybersecurity professionals and how it can be solved. Continue Reading
News 18 Jun 2019

ReliaQuest's cybersecurity platform integrates technologies

ReliaQuest's security analytics platform, GreyMatter, claims to improve threat detection by up to four times and reduce system downtime by 98% by integrating AI and human analysis. Continue Reading
News 18 Jun 2019

GandCrab decryption tool helps victims recover data

The No More Ransom initiative released one last GandCrab decryption tool to help victims recover data after the ransomware was allegedly shut down by its authors. Continue Reading
News 18 Jun 2019

Netskope announces enterprise application security platform

Netskope for Private Access is a cloud-based platform that secures private enterprise applications on public clouds and in on-premises data centers using zero-trust access. Continue Reading
News 17 Jun 2019

YubiKey FIPS recalled from government for reduced randomness

Yubico recalled YubiKey FIPS series devices after discovering an issue leading to reduced randomness in values generated by the keys, which are used by federal agencies. Continue Reading
News 14 Jun 2019

Dragos: Xenotime threat group targeting U.S. electric companies

Dragos says Xenotime, the threat group behind a devastating ICS attack in 2017, has been probing the networks of U.S. electric utilities and also attempted network intrusions. Continue Reading
Feature 14 Jun 2019

SANS security awareness credential paves new career path

The SANS Security Awareness Professional credential gives enterprises a new method to recognize and promote cybersecurity awareness in the organization. Continue Reading
News 13 Jun 2019

RAMBleed: New Rowhammer attack can steal data from memory

Security researchers developed a Rowhammer attack variant, called RAMBleed, that can steal data from memory and works even if systems are patched against Rowhammer. Continue Reading
Answer 13 Jun 2019

What is subdomain takeover and why does it matter?

Subdomain takeover exposure can happen when cloud-hosted web services are incompletely decommissioned, but configuration best practices can reduce the risks. Continue Reading
News 13 Jun 2019

CrowdStrike IPO success puts spotlight on endpoint security

Cybersecurity firm CrowdStrike made its successful Wall Street debut Wednesday. The company closed its trading with a share price of $58. Continue Reading
News 12 Jun 2019

Election security threats increasing pressure on state governments

As local and state governments continue to tackle the evolving threat landscape, experts share tips on how to improve security posture and highlight the resources available for help. Continue Reading
Feature 11 Jun 2019

Red alerts: Inside Cisco's incident response best practices

Incident response is often challenging, but Cisco's Sean Mason offers recommendations for doing IR effectively, from keeping internal logs longer to embracing tabletop exercises. Continue Reading
News 10 Jun 2019

Google: Triada backdoors were pre-installed on Android devices

Google detailed the discovery and process of removing Triada malware after a supply chain attack led to backdoors being preinstalled on budget phones in overseas markets. Continue Reading
Answer 10 Jun 2019

What is MTA-STS and how will it improve email security?

Discover how the MTA-STS specification will improve email security by encrypting messages and enabling secure, authenticated email transfers between SMTP servers. Continue Reading
Tip 07 Jun 2019

3 reasons privilege escalation in the cloud works

Statistics show that many cloud attacks are linked to credential and privilege misuse. Learn three ways threat actors are able to launch privilege escalation attacks in the cloud. Continue Reading
Podcast 07 Jun 2019

Tenable CEO Amit Yoran wants to stop 'cyber helplessness'

This week's Risk & Repeat podcast features Tenable CEO Amit Yoran, who discusses what he calls 'cyber helplessness' and how the mentality is infecting enterprises. Continue Reading
Feature 06 Jun 2019

Security awareness training for executives keeps whaling at bay

Security awareness training for executives teaches an enterprise's biggest fish to recognize potential whaling attacks -- before they take the bait. Continue Reading
News 06 Jun 2019

NSA issues BlueKeep warning as new PoC exploit demos

The NSA issued a rare warning for users to patch against the BlueKeep vulnerability on the same day a security researcher demoed an exploit leading to a full system takeover. Continue Reading
News 06 Jun 2019

Why larger GDPR fines could be on the horizon

There haven't been many fines under the General Data Protection Regulation since the EU data privacy law went into effect a year ago. But experts warn that will likely change. Continue Reading
News 05 Jun 2019

Apple single sign-on option promises privacy for users

Apple is preparing its own single sign-on offering, called Sign In with Apple, which will focus on user privacy. But experts are split on how well this will work. Continue Reading
Tip 04 Jun 2019

Zero-trust security model means more than freedom from doubt

A zero-trust security model has a catchy name, but the methodology means more than not trusting any person or device on the network. What you need to know. Continue Reading
News 04 Jun 2019

Microsoft issues second BlueKeep warning urging users to patch

Microsoft again urged users to patch against the BlueKeep vulnerability as more potential exploits surface and one researcher discovered almost 1 million vulnerable systems. Continue Reading
Answer 31 May 2019

Why are fewer companies using SMS 2FA for authentication?

Instead of SMS two-factor authentication, some companies are switching to 2FA through messaging apps and social media platforms. Learn what's behind this authentication trend. Continue Reading
News 31 May 2019

Docker vulnerability with no patch could allow root access

A security researcher disclosed a Docker bug that could allow an attacker to gain root-level access to a system. Docker signed off on the disclosure, despite a fix not yet being available. Continue Reading
Answer 31 May 2019

How can SIEM and SOAR software work together?

Many security pros initially thought SOAR software could replace SIEM. Our security expert advocates learning how SIEM and SOAR can work together. Continue Reading
News 31 May 2019

Ransomware attacks on local and state governments increasing

State and local governments are experiencing a rise in ransomware attacks. Experts sound off on what's triggering this trend and offer best practices for defense. Continue Reading
Feature 31 May 2019

Explore this NGFW comparison of leading vendors on the market

Explore some of the top NGFWs currently on the market -- based on features and user reviews -- to help you make a buying decision Continue Reading
News 31 May 2019

New Sophos endpoint security software releases

Sophos has released Intercept X for Server with endpoint detection and response to protect users against blended threats and proactively detect stealthy attacks. Continue Reading
Guide 30 May 2019

How best to secure cloud computing in this critical era

Achieving cloud security today demands you continually update your strategy, policy, tactics and tools. This collection of expert advice helps keep your cloud defenses well-tuned. Continue Reading
News 30 May 2019

Recorded Future acquired by private equity firm for $780 million

Recorded Future said the $780 million acquisition agreement with private equity firm Insight Partners affirms the growing importance of threat intelligence for enterprises. Continue Reading
Feature 30 May 2019

Dark data raises challenges, opportunities for cybersecurity

Dark data is the data enterprises didn't know they had. Splunk CTO Tim Tully explains where this data is hiding, why it's important and how to use and secure it. Continue Reading
Answer 30 May 2019

The future of SIEM: What needs to change for it to stay relevant?

Compared to security orchestration, automation and response (SOAR) software, SIEM systems are dated. Expert Andrew Froehlich explains how SIEM needs to adapt to keep up. Continue Reading
News 29 May 2019

Tortuga launches Radix-M, new firmware security product

Tortuga Logic has launched a firmware security platform that automatically performs security validation of firmware on SoC designs using an existing platform from Cadence. Continue Reading
News 29 May 2019

Hackers scan for MySQL ransomware targets

A security researcher found that malicious actors have been scanning database servers for MySQL ransomware targets running on Windows, but mitigation should be relatively easy. Continue Reading
Tip 28 May 2019

How to find an MSP to protect you from outsourcing IT risks

Check out what questions to ask MSPs to make sure they have the right security systems in place to protect your organization against outsourcing IT risks. Continue Reading
News 28 May 2019

Cylance CSO: Let's name and shame failed security controls

Malcolm Harkins, the chief security and trust officer at BlackBerry Cylance, says security controls that don't live up to their billing should be taking more blame for data breaches. Continue Reading
News 24 May 2019

CrowdStrike, NSS Labs settle legal disputes over product testing

CrowdStrike and NSS Labs have ended their legal dispute with a confidential settlement agreement, which resolves all lawsuits including NSS Labs' antitrust suit against the vendor. Continue Reading
Report 24 May 2019

Using virtual appliances for offload is a key encryption strategy

Using a virtual appliance to process traffic is a key encryption strategy enterprises can use to improve throughput. The results are striking Continue Reading
News 24 May 2019

Barracuda Advanced Bot Protection safeguards web applications

Advanced Bot Protection is a cloud-hosted platform that defends against automated threats using AI. It is available as both a web application firewall (WAF) and WAF as a service. Continue Reading
News 23 May 2019

Microsoft bets on ElectionGuard SDK to fortify election security

Ahead of the 2020 elections, Microsoft unveiled ElectionGuard, an open source SDK designed to provide end-to-end verification of electronic voting machine results. Continue Reading
Feature 23 May 2019

10 ways to prevent computer security threats from insiders

Whether via the spread of malware, spyware or viruses, insiders can do as much damage as outside attackers. Here's how to prevent computer security threats from insiders. Continue Reading
News 23 May 2019

'BlueKeep' Windows Remote Desktop flaw gets PoC exploits

Multiple researchers created proof-of-concept exploits, including remote code execution attacks, targeting the recently patched Windows Remote Desktop flaw called BlueKeep. Continue Reading
Podcast 22 May 2019

Risk & Repeat: Cisco vulnerabilities raise backdoor concerns

This week's Risk & Repeat podcast looks at vulnerabilities in Cisco and Huawei products, which have raised concerns about backdoor access in networking equipment. Continue Reading
Feature 21 May 2019

IT pros stress importance of security awareness training

End-user naiveté can lead to costly data breaches, underscoring the critical importance of security awareness training. Learn how phishing simulation tools can help. Continue Reading
Feature 20 May 2019

What makes BSA's secure software development framework unique?

BSA rolled out a new secure software development framework in an effort to promote best practices for secure software development and improve security for all. Continue Reading
Tip 17 May 2019

Endpoint security tools get an essential upgrade

Malware, APTs and other threats are getting smarter, but so are endpoint detection and response products. Learn what the latest versions can do to keep threats away. Continue Reading
News 17 May 2019

How Google turned 1.5 billion Android phones into 2FA keys

Google product manager Christiaan Brand discusses the journey to making 1.5 billion Android devices work as 2FA security keys and the plan for the future. Continue Reading
News 16 May 2019

New executive order moves to ban Huawei

U.S. businesses are barred from dealing with Huawei following an executive order from the White House and the additions of Huawei and its affiliates to a trade blacklist. Continue Reading
News 16 May 2019

ZombieLoad: More side channel attacks put Intel chips at risk

Another set of side channel vulnerabilities were discovered in Intel chips. Security researchers explain the risks posed by the flaws and offer advice on mitigation steps. Continue Reading
Feature 16 May 2019

Words to go: GPS tracking security

GPS and location-based services may be some of the most significant recent technological advancements, but they can also put personal privacy in jeopardy. Continue Reading
Feature 15 May 2019

Women in cybersecurity work to grow voice in US lawmaking

To encourage more input from women in cybersecurity in the legislative process, the Executive Women's Forum went to Washington to discuss key issues with Congress. Continue Reading
News 15 May 2019

WannaCry infections continue to spread 2 years later

Two years after the initial wave of WannaCry attacks, security researchers said the ransomware continues to spread to vulnerable devices even though it's not encrypting data. Continue Reading
Tip 15 May 2019

3 best practices for cloud security monitoring

Cloud security monitoring can be laborious to set up, but organizations can make it easier. Learn about three best practices for cloud security monitoring and the available tools. Continue Reading
News 14 May 2019

Verizon DBIR: Ransomware still a major threat, despite reports

The 2019 Verizon Data Breach Investigations Report challenges the wisdom that cryptomining attacks replaced ransomware as the dominant malware threat last year. Continue Reading
News 14 May 2019

Zero-day WhatsApp vulnerability could lead to spyware infection

A zero-day vulnerability in WhatsApp was used in targeted attacks that involved installing spyware on mobile devices, which may be the work of an advanced threat actor. Continue Reading
Feature 14 May 2019

6 firewall selection criteria to purchase NGFWs

These six key factors will help your company determine the best NGFW product for your organization's needs. Continue Reading
Answer 13 May 2019

How does an identity and access management framework work?

A comprehensive identity and access management framework is an IT necessity. But how do the two components work together? Continue Reading
Feature 13 May 2019

DDoS attacks among top 5G security concerns

DDoS attacks top the list of primary security concerns for mobile operators now that 5G wireless is advancing as the number of connected devices grows. Continue Reading
Tip 13 May 2019

Why centralization in a multi-cloud security strategy is key

When moving to a multi-cloud infrastructure, there are a few strategies to keep in mind. Learn how centralization will limit the challenges of fragmented security access and monitor controls. Continue Reading
Feature 13 May 2019

Next-generation firewall comparison based on company needs

Compare leading next-generation firewalls to help find the option that best fits your IT environment and security needs. Continue Reading
News 10 May 2019

Effects of cybersecurity skills shortage worsening, new study says

The cybersecurity skills shortage is putting businesses at risk in a variety of ways, according to a new study. Experts suggest ways to combat the problem. Continue Reading
News 10 May 2019

Symantec CEO Greg Clark unexpectedly steps down

Cybersecurity giant Symantec is searching for a new CEO once again after Greg Clark unexpectedly resigned from the vendor after three years at the helm. Continue Reading
Tip 10 May 2019

Building a cybersecurity awareness training program

Cybersecurity awareness training programs are sometimes perceived as an extraneous waste of time and energy, but are essential to building a strong security culture. Continue Reading
Blog Post 09 May 2019

Google focuses more on steering the Android ship than righting it

Google's security and privacy upgrades to Android are mostly forward-thinking changes, readying for a future that is inevitable but unclear, rather than ways to improve security today. Continue Reading
Tip 08 May 2019

How to perform a building security assessment

There are four major systems to review in a building security assessment. Learn what they are and how to review their potential cyber and physical risks. Continue Reading
Tip 08 May 2019

How to conduct a security risk review on a large building

Assessors cannot dive into a security risk review of a large building; they have to prepare and strategize ahead of time. Learn how to get ready for this type of security assessment. Continue Reading
News 08 May 2019

Google I/O 2019 keynote brings focus on security and privacy

After being a no-show at last year's conference, security and privacy improvements were big themes at Google I/O's first day, including discussion on federated learning. Continue Reading
Feature 08 May 2019

Next-generation firewalls vs. traditional and UTMs

Learn the advantages of next-generation firewalls that protect enterprise networks from attacks and intrusion, as well as the differences between NGFWs and traditional firewalls. Continue Reading
News 08 May 2019

2019 Verizon DBIR highlights cyberespionage, nation-state attacks

The 2019 Verizon Data Breach Investigations Report showed significant increases in cyberespionage and nation-state activity. It also painted a gloomy picture for email threats. Continue Reading
Feature 07 May 2019

The risks of multi-cloud security compared to single cloud

Single-cloud architecture poses some challenges, which has led to a new trend in adopting multi-cloud designs. Discover whether multi-cloud is right for your enterprise. Continue Reading
Opinion 07 May 2019

We talk a lot about access and authentication, but what about revoking user access?

Google hopes to make it easier with their proposed Continuous Access Evaluation Protocol. Continue Reading
Feature 06 May 2019

5 common authentication factors to know

Multifactor authentication is a security system that requires two or more authentication steps to verify the user's identity. Discover the most important terms related to MFA. Continue Reading
News 06 May 2019

Enterprise security threats rising, consumer attacks falling

Cybercriminals are increasingly taking aim at businesses, according to a recent Malwarebytes report. Security experts weigh in on best practices for defending against malware attacks. Continue Reading
News 06 May 2019

Cisco SSH vulnerability sparks debate over backdoors

Cisco released a patch for a critical vulnerability in Nexus 9000 switches that could allow a remote attacker to gain root access because of the use of a default SSH key pair. Continue Reading
Guide 03 May 2019

How to manage application security best practices and risks

The reality of application security risks requires software developers to be mindful of testing, tools and best practices to improve user experience and information security. Continue Reading
News 02 May 2019

CrowdStrike tackles BIOS attacks with new Falcon features

CrowdStrike added firmware attack detection capabilities to its Falcon platform and also expanded its partnership with Dell to help organizations tackle BIOS threats. Continue Reading
News 02 May 2019

White Ops: Ad fraud bot activity waning, but threats still loom

A new study from security vendor White Ops shows a decline in digital ad fraud, but the company says the battle against cybercriminals abusing ad platforms is far from over. Continue Reading
News 01 May 2019

DHS patching directive brings shorter deadlines

A new DHS directive placed new deadlines on patching critical vulnerabilities for federal agencies and experts are divided on whether the timelines are reasonable and realistic. Continue Reading
Opinion 01 May 2019

The top cloud security challenges are 'people problems'

Cloud security begins at home. Considering the human factor in cybersecurity is step one when it comes to addressing how to keep critical assets safe in the cloud. Continue Reading
Opinion 01 May 2019

Putting cybersecurity for healthcare on solid footing

CISO Kevin Charest talks security threats he sees in the healthcare field and the means his company is using to thwart them, including HCSC's Cyber Fusion Center. Continue Reading
01 May 2019

Putting cybersecurity for healthcare on solid footing

Continue Reading
Quiz 01 May 2019

Take this cybersecurity-challenges quiz and score CPE credit

Just finished ISM's May 2019 issue? Solidify your knowledge, and get CPE credits too, by passing this 10-question quiz. Continue Reading
Feature 01 May 2019

Huawei ban highlights 5G security issues CISOs must tackle

Why worry over Huawei? A U.S. ban of this Chinese company's products should remind CISOs that now is the time to consider security issues related to the rollout of the 5G network. Continue Reading
01 May 2019

Huawei ban highlights 5G security issues CISOs must tackle

Continue Reading
Infographic 01 May 2019

Are users your biggest risk? Raise IT security awareness

Users are either your best line of defense or greatest vulnerability. Learn how attackers exploit human behavior and fight back by improving user security awareness. Continue Reading
Feature 01 May 2019

Top cloud security risks that keep experts up at night

Hackers are after your assets in the cloud. Here's how they get in and what you can do to plug security holes, starting with minimizing the risks created through human error. Continue Reading
Opinion 01 May 2019

Cloud security threats need a two-pronged approach

You'll need to burn the security 'candle' at both ends to keep cloud safe from both nation-state hackers and vulnerabilities caused by human error. Continue Reading
E-Zine 01 May 2019

Conquering cloud security threats with awareness and tools

Continue Reading
News 30 Apr 2019

A recent history of Facebook security and privacy issues

Since the start of 2018, Facebook has had a seemingly constant cascade of security issues and privacy scandals. Here's a look back at the social media giant's most serious issues. Continue Reading
Feature 30 Apr 2019

How information sharing can reduce cybersecurity vulnerabilities

Cybersecurity vulnerabilities come from multiple fronts for modern businesses, but information sharing about real-world breaches -- good and bad -- provides valuable intelligence. Continue Reading
Feature 30 Apr 2019

Inside 'Master134': More ad networks tied to malvertising campaign

Check Point's report on the Master134 malvertising campaign implicated five ad networks, but a SearchSecurity investigation revealed more companies were involved. Continue Reading
Feature 30 Apr 2019

Inside 'Master134': Propeller Ads connected to malvertising campaign

A SearchSecurity investigation determined ad network Propeller Ads played a significant role in the early stages of the Master134 malvertising campaign. Continue Reading
Feature 30 Apr 2019

Inside 'Master134': Adsterra's history shows red flags, abuses

Adsterra denied it was involved in the Master134 malvertising campaign, but a review of the company's history reveals many red flags, including activity in a similar campaign. Continue Reading
Feature 30 Apr 2019

Inside 'Master134': Ad networks' 'blind eye' threatens enterprises

Online ad networks linked to the Master134 malvertising campaign and other malicious activity often evade serious fallout and continue to operate unabated. Continue Reading
Feature 30 Apr 2019

'Master134' malvertising campaign raises questions for online ad firms

Malvertising and adware schemes are a growing concern for enterprises. Our deep investigation into one campaign reveals just how complicated threats can be to stop. Continue Reading
Feature 30 Apr 2019

Inside 'Master134': ExoClick tied to previous malvertising campaigns

Online ad network ExoClick denied any involvement in the Master134 campaign, but the company has ties to similar malvertising threats. Continue Reading
Tip 29 Apr 2019

How can organizations build cybersecurity awareness among employees?

A high level of cybersecurity awareness among employees is essential to protect corporate data. To build this awareness, start with a strong cybersecurity culture. Continue Reading
Tip 29 Apr 2019

2019's top 5 free enterprise network intrusion detection tools

Snort is one of the industry's top network intrusion detection tools, but plenty of other open source alternatives are available. Discover new and old favorites for packet sniffing and more. Continue Reading
Guide 29 Apr 2019

How to manage email security risks and threats

When faced with email security risks -- and who isn't? -- do you have the right tools, features, training and best practices in place to face down phishing attacks and manage other threats proactively? Start with this guide. Continue Reading
Tip 26 Apr 2019

How infrastructure as code tools improve visibility

Visibility into cloud infrastructures and applications is important for data security. Learn how to maintain that visibility while using infrastructure as code tools. Continue Reading