<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description></description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Fri, 15 May 2026 18:54:17 GMT</lastBuildDate>
        <link>https://www.techtarget.com/searchsecurity</link>
        <managingEditor>editor@techtarget.com</managingEditor>
        <item>
            <body>&lt;p&gt;Cybersecurity team exercises involve red, blue and purple teams working in tandem to test cyberdefenses, identify vulnerabilities and weaknesses, and improve an organization's security posture.&lt;/p&gt; 
&lt;p&gt;Each team plays a vital role in these exercises. In a nutshell, the red team is offense, the blue team is defense, and the purple team is a mix of both the red and blue teams.&lt;/p&gt; 
&lt;p&gt;Read on to learn more about each team, including its roles and responsibilities, and how each benefits a security operations center (SOC).&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is a red team?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a red team?&lt;/h2&gt;
 &lt;p&gt;Playing offense, the red team attacks and attempts to break the blue team's defenses. They simulate attacks to circumvent defense mechanisms, infiltrate networks, and access and exfiltrate data -- all while avoiding detection by the blue team.&lt;/p&gt;
 &lt;p&gt;Red teams usually consist of ethical hackers, penetration testers and other security professionals. To be effective, red team members should have no knowledge of an enterprise's defense mechanisms. As such, organizations often outsource red team services to a third party.&lt;/p&gt;
 &lt;p&gt;During cybersecurity exercises, red teams use &lt;a href="https://www.techtarget.com/searchsecurity/tip/6-common-types-of-cyber-attacks-and-how-to-prevent-them"&gt;real-world cyberattack techniques&lt;/a&gt; to act as adversaries that exploit weaknesses in a company's people, processes and technologies. Common techniques include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Penetration testing.&lt;/li&gt; 
  &lt;li&gt;Phishing and social engineering.&lt;/li&gt; 
  &lt;li&gt;Credential theft.&lt;/li&gt; 
  &lt;li&gt;Port scanning.&lt;/li&gt; 
  &lt;li&gt;Vulnerability scanning.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Team members use open source, commercial and custom-made tools to infiltrate systems and then escalate privileges to successfully "breach" the network.&lt;/p&gt;
 &lt;p&gt;Post-attack reporting is another red team task. Members write up details about the attacks, including techniques used, vectors targeted, and successful and unsuccessful attempts. Reports should also include recommendations about how to strengthen defensive security measures. These reports help blue teams understand where security gaps exist, how defenses failed and where to tighten security.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="What is a blue team?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a blue team?&lt;/h2&gt;
 &lt;p&gt;Playing defense, the blue team is responsible for regularly analyzing enterprise systems to adequately protect them, identifying and remediating vulnerabilities, and evaluating the effectiveness of security tools and processes.&lt;/p&gt;
 &lt;p&gt;Blue teams usually comprise SOC analysts, incident responders, threat hunters and digital forensics analysts.&lt;/p&gt;
 &lt;p&gt;During a cybersecurity exercise, blue teams aim to detect, mitigate, contain, eradicate and recover from the red team's attack. Common tactics include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Monitoring corporate networks, systems and devices.&lt;/li&gt; 
  &lt;li&gt;Collecting network traffic and forensic data.&lt;/li&gt; 
  &lt;li&gt;Performing data analysis.&lt;/li&gt; 
  &lt;li&gt;Conducting network scans and &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step"&gt;risk assessments&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Blue team members use existing tools and processes during exercises.&lt;/p&gt;
 &lt;p&gt;Day-to-day blue team responsibilities include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Creating, configuring and enforcing &lt;a href="https://www.techtarget.com/searchsecurity/answer/Comparing-firewalls-Differences-between-an-inbound-outbound-firewall"&gt;firewall rules&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Setting and implementing device and user controls.&lt;/li&gt; 
  &lt;li&gt;Implementing the principle of least privilege.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/5-enterprise-patch-management-best-practices"&gt;Patching and updating enterprise software&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Deploying additional security tools and controls.&lt;/li&gt; 
  &lt;li&gt;Segmenting networks.&lt;/li&gt; 
  &lt;li&gt;Performing reverse engineering on cyberattacks.&lt;/li&gt; 
  &lt;li&gt;Conducting DDoS testing.&lt;/li&gt; 
  &lt;li&gt;Developing or updating incident response and remediation policies.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The blue team is also key in assessing and addressing human vulnerabilities. Staying up to date with the latest phishing and social engineering scams helps blue teams effectively &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan"&gt;develop&lt;/a&gt; and hold security awareness trainings and implement end-user policies, such as &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Create-and-enforce-a-password-policy-across-the-enterprise"&gt;password policies&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;When they find risks, blue teams should notify senior management, who, in turn, can assess whether to accept the risks or implement new policies or controls to mitigate them.&lt;/p&gt;
 &lt;p&gt;Like red teams, blue teams gather evidence, logs and data after completing an exercise to write reports about their experiences and insights, as well as develop a list of actions to be taken. They analyze what defenses work and what needs improvement to better protect against potential cyberattacks.&lt;/p&gt;
&lt;/section&gt;            
&lt;section class="section main-article-chapter" data-menu-title="What is a purple team?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a purple team?&lt;/h2&gt;
 &lt;p&gt;Calling the purple team a &lt;i&gt;team&lt;/i&gt; is a bit misleading. The purple team is, in fact, not a standalone team but a mix of blue and red team members, roles and responsibilities.&lt;/p&gt;
 &lt;p&gt;While red and blue teams have the same goal of improving an organization's security, too often, neither is willing to share its "secrets." For example, red teams might not disclose methods used to infiltrate systems, while blue teams might not say how they detected and defended against red team attacks.&lt;/p&gt;
 &lt;p&gt;However, sharing these secrets is critical to strengthening a company's security posture. The value of red and blue teams is diminished if they don't share their research and reporting.&lt;/p&gt;
 &lt;p&gt;This is where the purple team steps in. Purple team members are instrumental in getting their red and blue teammates to communicate, collaborate and share. Purple teaming focuses less on which team "wins" &lt;a href="https://www.techtarget.com/searchsecurity/tip/Explaining-cybersecurity-tabletop-vs-live-fire-exercises"&gt;cybersecurity exercises&lt;/a&gt; and more on how teams work together to improve an organization's security.&lt;/p&gt;
 &lt;p&gt;Because it is a mix of red and blue teams, purple teaming activities include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Vulnerability identification.&lt;/li&gt; 
  &lt;li&gt;Pen testing.&lt;/li&gt; 
  &lt;li&gt;Threat intelligence.&lt;/li&gt; 
  &lt;li&gt;Incident response.&lt;/li&gt; 
  &lt;li&gt;Patching.&lt;/li&gt; 
  &lt;li&gt;Network monitoring.&lt;/li&gt; 
  &lt;li&gt;Evaluating tools and security controls.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-blue_purple_red_teams-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-blue_purple_red_teams-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-blue_purple_red_teams-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-blue_purple_red_teams-f.png 1280w" alt="Graphic displaying the roles and responsibilities of red, blue and purple teams in cybersecurity" height="416" width="560"&gt;
 &lt;/figure&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Benefits of red, blue and purple teaming"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of red, blue and purple teaming&lt;/h2&gt;
 &lt;p&gt;While each color team offers its own benefits, organizations can reap the greatest rewards from combining the different teams and strategies. Namely, purple team exercises help with the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Foster collaboration.&lt;/li&gt; 
  &lt;li&gt;Raise healthy competition.&lt;/li&gt; 
  &lt;li&gt;Identify where training exercises are needed.&lt;/li&gt; 
  &lt;li&gt;Encourage employees to think outside the box.&lt;/li&gt; 
  &lt;li&gt;Help employees learn new real-world security skills in real time.&lt;/li&gt; 
  &lt;li&gt;Improve threat detection and response teams.&lt;/li&gt; 
  &lt;li&gt;Continuously improve an organization's security posture.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Red teams attack, blue teams defend and purple teams facilitate collaboration. Together, they strengthen cybersecurity through simulated exercises and knowledge sharing.</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/boxing_fotolia.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Red-team-vs-blue-team-vs-purple-team-Whats-the-difference</link>
            <pubDate>Fri, 22 Aug 2025 17:52:00 GMT</pubDate>
            <title>Red vs. blue vs. purple team: What are the differences?</title>
        </item>
        <item>
            <body>&lt;p&gt;A denial-of-service attack is a cyberattack that aims to make key systems or services unavailable to users, usually by overwhelming them with traffic or malicious requests. DoS attacks bombard the target with such massive amounts of data that systems become unable to process legitimate requests and stop functioning.&lt;/p&gt; 
&lt;p&gt;The most common form of DoS attack is distributed denial of service (DDoS), which sends network traffic from a large number of devices with different IP addresses, making the attack source difficult to filter or block. These attacks often use &lt;a href="https://www.techtarget.com/searchsecurity/definition/botnet"&gt;botnets&lt;/a&gt;, networks of hijacked computers or IoT devices. For example, the notorious &lt;a href="https://www.cybersecuritydive.com/news/us-takedown-china-botnet/727501/"&gt;Mirai botnet and its successors&lt;/a&gt; have enlisted thousands of compromised devices -- including CCTV cameras, home routers and baby monitors -- which threat actors have used to launch massive DDoS attacks.&lt;/p&gt; 
&lt;p&gt;&lt;b&gt;Editor's note: &lt;/b&gt;&lt;i&gt;For the purposes of this article, we consider a DDoS attack a type of DoS attack. Note, however, that some experts argue a true DoS attack has only one malicious source, with a single system attacking a single system. Defenders could mitigate such an attack relatively easily by identifying and blocking traffic from the relevant IP address. &lt;/i&gt;&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;In contrast, a DDoS attack involves traffic from many sources, with multiple systems bombarding the target. DDoS attacks are more challenging to prevent and stop than single-source DoS attacks, because they involve many more malicious IP addresses. &lt;/i&gt;&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Types of DoS attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of DoS attacks&lt;/h2&gt;
 &lt;p&gt;DoS attacks fall into the following three categories:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Volumetric attacks.&lt;/b&gt; Target network infrastructure, such as firewalls and routers, with vast amounts of traffic, through techniques such as &lt;a href="https://www.techtarget.com/searchnetworking/definition/ICMP"&gt;Internet Control Message Protocol&lt;/a&gt; or &lt;a href="https://www.techtarget.com/searchnetworking/definition/UDP-User-Datagram-Protocol"&gt;User Datagram Protocol&lt;/a&gt; floods.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Protocol attacks. &lt;/b&gt;Also target network infrastructure, but rather than simply flooding it with data, these attacks manipulate protocol behaviors to exhaust server resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Application layer attacks.&lt;/b&gt; Target websites and APIs by generating large numbers of &lt;a href="https://www.techtarget.com/whatis/definition/HTTP-Hypertext-Transfer-Protocol"&gt;HTTP&lt;/a&gt; requests or by triggering resource-intensive application functions, such as complex report generation.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-signs_dos_attack.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-signs_dos_attack_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-signs_dos_attack_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-signs_dos_attack.png 1280w" alt="Signs of a DoS attack" height="260" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;If online services are unusually slow or suddenly unavailable, a DoS attack could be underway.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Consequences of DoS attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Consequences of DoS attacks&lt;/h2&gt;
 &lt;p&gt;Successful DoS attacks can disrupt business and devastate organizations. Consequences include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Immediate financial losses.&lt;/b&gt; When a business-critical system experiences downtime, the organization typically loses money. For example, even a brief DoS outage at a high-volume e-commerce merchant would result in many lost transactions, adding up to significant financial impact.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remediation costs. &lt;/b&gt;An organization experiencing a DoS attack must respond and get affected systems back online quickly, which can require significant resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Reputational damage. &lt;/b&gt;A long outage can seriously damage a brand's reputation, prompting customers, shareholders and the public to question the organization's ability to protect its systems.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="DoS prevention and mitigation methods"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;DoS prevention and mitigation methods&lt;/h2&gt;
 &lt;p&gt;As is so often the case in cybersecurity, an ounce of prevention is worth a pound of cure. Effective DoS prevention and mitigation must begin long before an attack attempt takes place.&lt;/p&gt;
 &lt;h3&gt;Risk assessment&lt;/h3&gt;
 &lt;p&gt;Start by identifying and evaluating all digital assets, especially critical systems and data that might draw attacks. Determine baseline traffic patterns. Assess potential vulnerabilities that threat actors might exploit.&lt;/p&gt;
 &lt;h3&gt;Attack surface reduction&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-implement-an-attack-surface-management-program"&gt;Reduce the attack surface&lt;/a&gt; by implementing necessary security patches and removing unnecessary internet-facing systems.&lt;/p&gt;
 &lt;h3&gt;DoS prevention and mitigation services&lt;/h3&gt;
 &lt;p&gt;While possible, it is difficult to defend against DoS attacks without the support of a third-party provider. Typically, organizations rely on &lt;a href="https://www.techtarget.com/searchnetworking/definition/CDN-content-delivery-network?Offer=ab_ss_reeng_plt_ctrl"&gt;content delivery network&lt;/a&gt; providers and specialized DDoS mitigation providers -- such as Cloudflare, AWS Shield and Azure DDoS Protection -- for scalable DoS protection. A company that enlists such a service can expect it to do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Provide a defensive layer that sits between an organization's applications and the public internet.&lt;/li&gt; 
  &lt;li&gt;Act as a reverse proxy, with all traffic hitting the mitigation provider's data centers first.&lt;/li&gt; 
  &lt;li&gt;Distribute sudden surges in traffic across multiple provider-owned data centers.&lt;/li&gt; 
  &lt;li&gt;Apply &lt;a href="https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting"&gt;rate limiting&lt;/a&gt; -- restricting the number of requests servers will accept in a certain period -- to sources of suspicious traffic.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;DoS prevention and mitigation tools&lt;/h3&gt;
 &lt;p&gt;Other defensive mechanisms include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Web application firewalls.&lt;/b&gt; WAFs filter out requests targeting specific URLs or API endpoints.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Intrusion prevention and detection systems. &lt;/b&gt;IPSes and IDSes monitor network activity to identify unusual traffic patterns that might indicate a DoS attack. These and other tools, such as firewalls, can also automatically &lt;a href="https://www.techtarget.com/searchsecurity/tip/Allowlisting-vs-blocklisting-Benefits-and-challenges"&gt;block traffic&lt;/a&gt; from sources an administrator flags as malicious. Note, however, that &lt;a href="https://www.techtarget.com/searchsecurity/definition/IP-spoofing"&gt;IP spoofing&lt;/a&gt; can readily circumvent blocklists.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Blackhole routing.&lt;/b&gt; Drops all traffic targeting the system. This has a similar effect to the attack itself, however, by taking the system offline.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;DoS response plan&lt;/h3&gt;
 &lt;p&gt;Even when an organization has a DoS mitigation strategy in place, its &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan"&gt;incident response plan&lt;/a&gt; should still cover DoS attacks and include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Clear escalation procedures.&lt;/li&gt; 
  &lt;li&gt;When to enlist expert third-party support.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Build-a-strong-cyber-resilience-strategy-with-existing-tools"&gt;Business continuity measures to maintain critical operations&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Policies for when, what and how to communicate with internal stakeholders, customers and the public. Social media channels can provide an effective way to reach the latter when other resources are unavailable.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The worst DoS attacks are like digital tsunamis that put critical business operations at risk. Learn how they work, ways to stop them and how systems can withstand the flood.</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/security_article_010.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Preventing-DoS-attacks-The-best-ways-to-defend-the-enterprise</link>
            <pubDate>Fri, 08 Aug 2025 11:46:00 GMT</pubDate>
            <title>How to prevent DoS attacks and what to do if they happen</title>
        </item>
        <item>
            <body>&lt;p&gt;Enterprise risk management helps organizations identify, analyze and manage circumstances that can create business risk. In companies, &lt;a href="https://www.techtarget.com/searchcio/feature/4-basic-types-of-business-risks-in-the-enterprise"&gt;risk comes in many different forms&lt;/a&gt; and could lead to disruptions that affect business operations. Some of the common risks that &lt;a href="https://www.techtarget.com/searchcio/definition/enterprise-risk-management"&gt;ERM&lt;/a&gt; programs must address include financial, operational, legal, compliance and strategic ones.&lt;/p&gt; 
&lt;p&gt;ERM is also concerned with IT and cybersecurity risks that can hamper business activities. That includes &lt;a href="https://www.techtarget.com/searchsecurity/The-ultimate-guide-to-cybersecurity-planning-for-businesses"&gt;cyberattacks and other security threats&lt;/a&gt;, as well as inadequate IT systems, a lack of technical skills and technology failures caused by natural disasters, power outages or other issues.&lt;/p&gt; 
&lt;p&gt;A successful risk management initiative &lt;a href="https://www.techtarget.com/searchcio/feature/Implementing-an-enterprise-risk-management-framework"&gt;provides an ERM framework&lt;/a&gt; that enables an organization to be aware of the various risks it faces and better prepared to deal with them. But ERM expertise is also required. One good way for IT, security and risk management professionals to obtain it is by earning enterprise risk management certifications.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is the value of an ERM certification?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the value of an ERM certification?&lt;/h2&gt;
 &lt;p&gt;In general, certifications enable job seekers to stand out from the crowd of applicants. Also, with the right type of certification, an existing employee can earn higher pay and potentially a promotion. ERM certifications, in particular, provide third-party validation of an individual's knowledge of the &lt;a href="https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps"&gt;risk management process&lt;/a&gt;. Requiring specific certifications for open positions can help risk leaders and hiring managers attract job candidates with the desired expertise.&lt;/p&gt;
 &lt;p&gt;An ERM certification is especially useful for &lt;a href="https://www.techtarget.com/searchcio/feature/Enterprise-risk-management-team-Roles-and-responsibilities"&gt;members of a risk management team&lt;/a&gt;. But risk management expertise is often a requirement for other workers, too. For example, ERM skills are valuable for the CFO and employees in finance and accounting roles to help &lt;a href="https://www.techtarget.com/searchcio/definition/What-is-financial-risk-management"&gt;manage financial risk&lt;/a&gt;. ERM certifications are also useful for IT operations and security management professionals, as well as for workers responsible for regulatory compliance, project management and other functions.&lt;/p&gt;
 &lt;p&gt;Risk management requires being able to both plan for unknown incidents and react quickly to limit potential harm when they occur. While those capabilities are rarely gained via certification alone, an ERM certification is a baseline indicator of a person's know-how, which can then be expanded further through on-the-job experience.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="16 ERM certifications to know about"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;16 ERM certifications to know about&lt;/h2&gt;
 &lt;p&gt;There are a variety of ERM certifications for individuals and organizations to consider. Often, the key difference surrounding them is their focus and area of concentration. Some certifications are truly enterprise in nature and cover &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;all aspects of risk management&lt;/a&gt;, while others are more specifically aligned with financial, IT, cybersecurity, &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity"&gt;business continuity&lt;/a&gt; or project risks.&lt;/p&gt;
 &lt;p&gt;The following list is organized along those lines, beginning with broadly focused certifications, followed by ones that are narrower in nature. The list is unranked, and the entries in the different sets of certifications are listed alphabetically.&lt;/p&gt;
 &lt;h3&gt;1. Certified Risk and Compliance Management Professional (CRCMP)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; International Association of Risk and Compliance Professionals (IARCP).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; The target audience is IT managers and professionals who want to document their ability to lead or support regulatory compliance and ERM initiatives.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; The CRCMP program includes a six-part course of study that starts with an introduction to risk management and governance, risk and compliance (&lt;a href="https://www.techtarget.com/searchsecurity/definition/governance-risk-management-and-compliance-GRC"&gt;GRC&lt;/a&gt;) concepts. Other modules cover the Sarbanes-Oxley Act and its international derivatives; the Basel I, II and III standards on GRC practices; the &lt;a href="https://www.techtarget.com/searchcio/definition/COSO-Framework"&gt;COSO ERM and internal control frameworks&lt;/a&gt;; implementing risk management and compliance programs; and &lt;a href="https://www.techtarget.com/searchsecurity/tip/The-benefits-of-using-AI-in-risk-management"&gt;AI issues in risk management&lt;/a&gt;. The IARCP provides presentations with a total of more than 2,000 slides as a self-directed study guide. The exam includes 35 multiple-choice questions that must be completed within 90 minutes. It's an open-book exam: The IARCP says the goal of the program is for participants to "acquire knowledge and skills, not commit something to memory."&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.risk-compliance-association.com/Distance_Learning_and_Certification.htm" target="_blank" rel="noopener"&gt;https://www.risk-compliance-association.com/Distance_Learning_and_Certification.htm&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;2. COSO Enterprise Risk Management Certificate&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Committee of Sponsoring Organizations of the Treadway Commission (COSO).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; Risk management professionals, ERM consultants and board members who oversee risk management programs are the target audience. Participants should have at least two to six years of ERM experience and some exposure to COSO's updated ERM framework, which was published in 2017.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details: &lt;/b&gt;Participants are trained on the concepts and principles of the COSO ERM framework through a course that includes seven self-study modules and a hands-on workshop component. After passing an online exam, they also receive 13.5 hours of continuing professional education (CPE) credits. COSO oversees the certification, which is available through four of its five sponsoring organizations: the American Institute of Certified Public Accountants; Financial Executives International; the Institute of Internal Auditors; and the Institute of Management Accountants.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website&lt;/b&gt;: &lt;a href="https://www.coso.org/erm-certificate" target="_blank" rel="noopener"&gt;https://www.coso.org/erm-certificate&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;3. Enterprise Risk Management Certified Professional (ERMCP)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Enterprise Risk Management Academy (ERMA).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; The ERMCP target audience is experienced &lt;a href="https://www.techtarget.com/searchcio/definition/risk-manager"&gt;risk managers&lt;/a&gt; and risk analysts who have more than four years of relevant experience and are looking to boost their ERM expertise and career progression.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; The ERMCP involves an exam that assesses an individual's knowledge of ERM practices based on the &lt;a href="https://www.techtarget.com/searchsecurity/definition/ISO-31000-Risk-Management"&gt;ISO 31000&lt;/a&gt; risk management framework developed by the International Organization for Standardization, commonly known as ISO. The exam consists of 140 multiple-choice questions designed to test technical competency and 10 that focus on professional behavior. Registrants get access to study materials and an exam simulation in ERMA's exam portal. The certification is valid for two years; to maintain it, holders are required to obtain 40 professional development units -- akin to CPE credits -- through ERMA's Continuous Professional Development program.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.erm-academy.org/risk-management-certification/ermcp" target="_blank" rel="noopener"&gt;https://www.erm-academy.org/risk-management-certification/ermcp&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;4. GRC Professional (GRCP) Certification&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Open Compliance and Ethics Group (OCEG).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification: &lt;/b&gt;GRCP is primarily designed for professionals who work in GRC positions or various related roles. But no specific work experience or educational degrees are required.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; Based on the OCEG's GRC Capability Model, the GRCP certification involves an open-book exam with 100 scored and up to 15 unscored questions to be completed within a two-hour time limit. All the questions are multiple choice; the unscored ones, which aren't labeled, are used to test new questions for future exam updates. An upfront course isn't mandated, but the OCEG provides an online self-study one and offers in-person courses by training partners. The certification is valid for one year, then requires eight CPE credits annually, which are included at no extra cost. Recipients are required to pass the exam every five years to retain the certification.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.oceg.org/certifications/grc-professional-certification/" target="_blank" rel="noopener"&gt;https://www.oceg.org/certifications/grc-professional-certification/&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;5. International Certificate in Enterprise Risk Management&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Institute of Risk Management (IRM).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; The IRM's certificate is geared toward risk management and business professionals across all sectors globally.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; Obtaining the certificate involves completing two modules, which typically takes six to nine months through a self-directed online learning course. The first module focuses on risk management principles and has a 60-question exam and one essay assignment, while the second is about ERM practices and includes two essay assignments but no exam. Participants can pay extra to attend a series of four virtual workshops that offer more interactive learning. The course can also be taken as the first part of a more advanced International Diploma in Risk Management program.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.theirm.org/qualifications/international-certificate-in-enterprise-risk-management/" target="_blank" rel="noopener"&gt;https://www.theirm.org/qualifications/international-certificate-in-enterprise-risk-management/&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;6. Professional Risk Manager (PRM) Designation&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Professional Risk Managers' International Association (PRMIA).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; The PRM program is designed for &lt;a href="https://www.techtarget.com/searchcio/definition/risk-management-specialist"&gt;risk management specialists&lt;/a&gt;, particularly in the financial services industry, who are looking to obtain a graduate-level risk credential.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details: &lt;/b&gt;The program consists of two certification exams that candidates must pass within a two-year period. The full enrollment period is three years to provide upfront study time. Applicants must be a PRMIA sustaining member or a member of the associated Risk Management Initiative in Microfinance, known as RIM for short. They must also hold a graduate degree or be a chartered financial analyst (CFA) charterholder through the CFA Institute, an association for investment management professionals. Individuals with a bachelor's degree only are eligible if they have two years of full-time work experience in financial services or a risk management department in any industry. PRMIA also offers a less-advanced Associate PRM Certificate focused on risk management fundamentals.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.prmia.org/Public/Public/PRM/Becoming_a_Certified_PRM.aspx" target="_blank" rel="noopener"&gt;https://www.prmia.org/Public/Public/PRM/Becoming_a_Certified_PRM.aspx&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;7. RIMS-Certified Risk Management Professional (RIMS-CRMP)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Risk and Insurance Management Society (RIMS).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; RIMS-CRMP is suitable for current and aspiring risk management professionals looking to validate their knowledge of key risk-related competencies.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; Applicants must have a college degree in risk management and one year of related work experience; another type of degree and three years of risk management work; or six years of experience in risk management with no degree. Students in the final year of a risk management degree program can also apply. Eligible applicants qualify for a two-hour exam, which consists of 120 multiple-choice questions and can be taken remotely or in person at Pearson VUE testing sites. RIMS provides a study guide, an online self-study overview course and exam prep workshops. RIMS-CRMP requires recertification every two years, which can be achieved by earning 50 recertification points, 35 of which must come from continuing education.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.rims.org/certification" target="_blank" rel="noopener"&gt;https://www.rims.org/certification&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;8. Certified Enterprise Risk Manager (CERM)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; American Association for Investment and Financial Management (AAIFM).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; It's primarily intended for professionals in the investment and financial management industry who want to demonstrate their compliance and risk management knowledge as well as relevant skills.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; Applicants must have a bachelor's degree in any field or at least two years of risk-related work experience. Twenty-five hours of approved training on compliance and risk management is also required. The CERM exam is three hours long and includes a combination of case study and essay questions with a heavy focus on risks related to &lt;a href="https://www.techtarget.com/sustainability/feature/ESG-strategy-and-management-Complete-guide-for-businesses"&gt;environmental, social and governance programs&lt;/a&gt;. The AAIFM provides an exam handbook and training sessions on exam questions, but participants can also get more comprehensive training through authorized partners or Prometric test centers. CERM holders are required to recertify every four years by documenting 25 hours of further educational activities.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.aaifm.org/view_Article.aspx?type=2&amp;amp;ID=1069&amp;amp;certification=1" target="_blank" rel="noopener"&gt;https://www.aaifm.org/view_Article.aspx?type=2&amp;amp;ID=1069&amp;amp;certification=1&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;9. Certified Enterprise Risk Manager (CERM)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Institute of Financial Consultants (IFC).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; The IFC's certification validates the expertise of practitioners who are working in risk management, strategic planning, corporate governance, project management and related disciplines, as well as business consulting.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; Although this has the same name as the certification offered by the AAIFM, it's a separate one. The IFC's CERM program is offered through a partnership with Bristol Opus Leadership College (BOLC), a U.K.-based online learning provider. BOLC's course includes 13 modules that offer a risk management overview and cover specific ERM functions such as &lt;a href="https://www.techtarget.com/searchcio/tip/What-is-risk-identification-Importance-and-methods"&gt;risk identification&lt;/a&gt;, risk evaluation and management of different types of business risks. The final module outlines the process of &lt;a href="https://www.techtarget.com/searchcio/tip/How-to-create-a-risk-management-plan-Template-key-steps"&gt;developing a risk management plan&lt;/a&gt;. There are no eligibility requirements, but 500 study hours are recommended before taking the exam. Successful participants receive a diploma from BOLC and can get the CERM designation after paying an additional fee to the IFC.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.ifconsultants.org/cerm.html" target="_blank" rel="noopener"&gt;https://www.ifconsultants.org/cerm.html&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;10. Certified Enterprise Risk Professional (CERP)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; American Bankers Association (ABA).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; It's designed for risk management professionals who work in the banking industry.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; The CERP examination is composed of 200 multiple-choice questions spanning risk governance and risk management topics, to be completed within four hours. Applicants must have a bachelor's degree and five years of financial-industry experience, including three years in risk management or a closely related role; without a degree, the work experience requirements are seven and five years, respectively. The ABA offers an interactive online course to prepare for the exam, as well as risk management training courses and more in-depth "risk management schools." CERP certification holders need to earn 60 continuing education credits every three years to maintain their status.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.aba.com/training-events/certifications/certified-enterprise-risk-professional" target="_blank" rel="noopener"&gt;https://www.aba.com/training-events/certifications/certified-enterprise-risk-professional&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;11. Chartered Enterprise Risk Analyst (CERA)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization: &lt;/b&gt;CERA Global Association.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; Actuaries who work in financial services are the intended candidates.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; The CERA certification is available from more than 25 actuarial associations around the world that follow a common syllabus but use different education and testing approaches. The syllabus covers seven areas, including ERM concepts, the risk management process, risk modeling, risk metrics and &lt;a href="https://www.techtarget.com/searchcio/feature/Top-ERM-software-vendors-to-consider"&gt;risk management tools and techniques&lt;/a&gt;. In the U.S., the certification is primarily offered by the Society for Actuaries. The SOA's program includes an ERM e-learning module that will be revised by the end of 2025 and an exam that will be replaced by a new one in the fall. CERA candidates also must pass a &lt;a href="https://www.techtarget.com/searchcio/tip/Risk-prediction-models-How-they-work-and-their-benefits"&gt;risk modeling statistics&lt;/a&gt; exam, as well as ones on probability, financial mathematics and actuarial mathematics, in addition to providing validation of several non-SOA educational courses.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website: &lt;/b&gt;&lt;a href="https://ceraglobal.org/cera-credential/what-is-cera/" target="_blank" rel="noopener"&gt;https://ceraglobal.org/cera-credential/what-is-cera/&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;12. Certified in Risk and Information Systems Control (CRISC)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Information Systems Audit and Control Association (ISACA).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification: &lt;/b&gt;This is a good option for mid-career IT audit, risk and security professionals looking to &lt;a href="https://www.techtarget.com/searchsecurity/opinion/5-areas-to-help-secure-your-cyber-risk-management-program"&gt;grow in a cyber-risk role&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; The CRISC certification validates an individual's ability to identify and manage enterprise IT risk with appropriate technology and controls. Topics covered include organizational governance and risk management; IT &lt;a href="https://www.techtarget.com/searchsecurity/definition/risk-assessment"&gt;risk assessment&lt;/a&gt;; risk response and &lt;a href="https://www.techtarget.com/searchsecurity/definition/risk-reporting"&gt;risk reporting&lt;/a&gt;; and IT and information security. The exam includes 150 questions, and ISACA offers an online study course, review manuals and a database of exam questions, answers and explanations. Both the exam and the preparation materials are due to be updated in November 2025. Group training sessions and access to ISACA's member community for exam guidance from peers are also available. To maintain the certification, holders must earn at least 20 CPE credits annually and a total of 120 over three years.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.isaca.org/credentialing/crisc" target="_blank" rel="noopener"&gt;https://www.isaca.org/credentialing/crisc&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;13. Certified Information Systems Risk and Compliance Professional (CISRCP)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; International Association of Risk and Compliance Professionals.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; It's suited to IT managers and staffers looking to validate their knowledge of obligations and best practices in IT risk management, regulatory compliance, information security and &lt;a href="https://www.techtarget.com/searchsecurity/tip/State-of-data-privacy-laws"&gt;data privacy protections&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details: &lt;/b&gt;Another certification offered by the IARCP, this program covers cybersecurity-related executive orders and directives from the U.S. government, plus &lt;a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR"&gt;GDPR&lt;/a&gt; and other EU regulations on &lt;a href="https://www.techtarget.com/searchsecurity/Data-security-guide-Everything-you-need-to-know"&gt;data security&lt;/a&gt; and data privacy. It's designed to help participants understand legal and regulatory requirements for organizations on the covered topics. The CISRCP study guide includes presentations with more than 1,100 slides. As with the CRCMP certification, CISRCP candidates must pass an open-book exam with 35 multiple-choice questions and a 90-minute time limit.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm" target="_blank" rel="noopener"&gt;https://www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;14. Certified Information Systems Security Professional (CISSP)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; ISC2 (formerly the International Information System Security Certification Consortium).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification: &lt;/b&gt;This is for chief information security officers and other security managers or practitioners who want to demonstrate a broad understanding of cybersecurity concerns, including IT security risks.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; To qualify for the certification, candidates must have at least five cumulative years of work experience in two or more of the eight security-related areas covered in the CISSP Common Body of Knowledge. Others who pass the CISSP exam get an Associate of ISC2 badge, then have six years to attain the required experience and earn the certification. The exam uses a computerized adaptive testing approach that includes 100 to 150 questions with a three-hour time limit; it's available in English, Chinese, German, Japanese and Spanish. ISC2 offers self-paced or instructor-led online training courses and a classroom training option, plus textbooks, study guides and practice tests.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://www.isc2.org/Certifications/CISSP" target="_blank" rel="noopener"&gt;https://www.isc2.org/Certifications/CISSP&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;15. Certified Risk Management Professional (CRMP)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Disaster Recovery Institute International.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; The CRMP certification is for experienced risk management workers who want to validate their foundational knowledge and experience, with a focus on business continuity.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details:&lt;/b&gt; Applicants need two or more years of related professional experience, including in at least two of the four areas of risk management practices covered by the CRMP exam. Two references per subject matter area are also required. In addition, DRI International, as the organization is commonly known, mandates a two- or four-day course on risk management for business continuity as another prerequisite. In addition to passing the exam, participants must write a series of four essays focused on their risk management duties and accomplishments. To maintain the certification, CRMP holders must earn 80 continuing education activity points annually.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website:&lt;/b&gt; &lt;a href="https://drii.org/certification/crmp" target="_blank" rel="noopener"&gt;https://drii.org/certification/crmp&lt;/a&gt;&lt;/p&gt;
 &lt;h3&gt;16. PMI Risk Management Professional (PMI-RMP)&lt;/h3&gt;
 &lt;p&gt;&lt;b&gt;Issuing organization:&lt;/b&gt; Project Management Institute (PMI).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Who should get this certification:&lt;/b&gt; The target audience is experienced project, risk or functional managers and C-suite executives looking to showcase their expertise in &lt;a href="https://www.techtarget.com/searchcio/tip/Project-portfolio-risk-management-Learn-the-key-tenets"&gt;managing project-related risks&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Certification details: &lt;/b&gt;PMI-RMP covers five risk management domains: strategy and planning, risk identification, &lt;a href="https://www.techtarget.com/searchsecurity/definition/risk-analysis"&gt;risk analysis&lt;/a&gt;, risk response, and &lt;a href="https://www.techtarget.com/searchcio/tip/What-is-risk-monitoring-Definition-and-best-practices"&gt;risk monitoring&lt;/a&gt;. Applicants must have a bachelor's degree and at least 24 months of project risk management experience within the last five years, or a secondary degree and 36 months of experience in the field. The exam includes 115 multiple-choice questions to be completed in 150 minutes, and the PMI offers two study guides, an e-learning prep course and another online learning tool with practice questions, lessons and "gamified activities." Ongoing education is also required: PMI-RMP certification holders must earn 30 professional development units every three years.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Website&lt;/b&gt;: &lt;a href="https://www.pmi.org/certifications/risk-management-rmp" target="_blank" rel="noopener"&gt;https://www.pmi.org/certifications/risk-management-rmp&lt;/a&gt;&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note: &lt;/b&gt;&lt;i&gt;This article was updated in July 2025 for timeliness and to add new information.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Certifications are essential to many careers. Here are some useful enterprise risk management certifications for risk managers, IT professionals and other workers.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/certification_g521753076.jpg</image>
            <link>https://www.techtarget.com/searchcio/feature/Top-enterprise-risk-management-certifications-to-consider</link>
            <pubDate>Mon, 28 Jul 2025 11:30:00 GMT</pubDate>
            <title>Top enterprise risk management certifications to consider</title>
        </item>
        <item>
            <body>&lt;p&gt;Cybersecurity is the practice of protecting systems, networks and data from digital threats. It involves strategies, tools and frameworks designed to safeguard sensitive information and ensure the integrity of digital operations.&lt;/p&gt; 
&lt;p&gt;An &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-develop-a-cybersecurity-strategy-Step-by-step-guide"&gt;effective cybersecurity strategy&lt;/a&gt; can provide a strong &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-posture"&gt;security posture&lt;/a&gt; against malicious attacks designed to access, alter, delete, destroy or extort an organization's and user's systems and sensitive data. Cybersecurity is also instrumental in preventing attacks designed to gain unauthorized access to systems or devices and then disable, disrupt or steal from them.&lt;/p&gt; 
&lt;p&gt;An ideal cybersecurity approach has multiple layers of protection across any potential access point or &lt;a href="https://www.techtarget.com/whatis/definition/attack-surface"&gt;attack surface&lt;/a&gt;. This includes a protective layer for data, software, hardware and connected networks. In addition, all employees within an organization who have access to any of these &lt;a href="https://www.techtarget.com/whatis/definition/endpoint-device"&gt;endpoints&lt;/a&gt; should be trained on the proper compliance and security processes. Organizations also use &lt;a href="https://www.techtarget.com/searchsecurity/definition/unified-threat-management-UTM"&gt;unified threat management&lt;/a&gt; systems and other tools as another layer of protection against threats. These tools detect, isolate and remediate potential threats to business and notify users when additional action is needed.&lt;/p&gt; 
&lt;p&gt;Cyberattacks can disrupt or immobilize their victims, so creating a strong cybersecurity strategy for businesses is an integral part of any organization. Organizations should also have a &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/disaster-recovery-plan"&gt;disaster recovery plan&lt;/a&gt; in place so they can quickly recover in the event of a successful cyberattack.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why is cybersecurity critical in the enterprise?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is cybersecurity critical in the enterprise?&lt;/h2&gt;
 &lt;p&gt;With the number of users, devices and programs in the modern enterprise increasing, along with vast amounts of sensitive and confidential data, cybersecurity has become more important than ever. However, the volume and sophistication of cyberattacks and attack techniques compound the problem even further.&lt;/p&gt;
 &lt;p&gt;According to a Gartner &lt;a target="_blank" href="https://www.gartner.com/en/newsroom/press-releases/2025-04-22-gartner-survey-finds-85-percent-of-ceos-say-cybersecurity-is-critical-for-business-growth" rel="noopener"&gt;survey&lt;/a&gt;, 61% of CEOs are concerned about cybersecurity threats and 85% believe cybersecurity is critical for business growth. Without a proper cybersecurity strategy and a staff that is trained on security best practices, malicious actors can bring an organization's operations to a standstill.&lt;/p&gt;
 &lt;p&gt;The following are some key points highlighting the importance of cybersecurity:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Protecting against cyberattacks.&lt;/b&gt; Cybersecurity plays a critical role in safeguarding businesses from the growing threat of cyberattacks and &lt;a href="https://www.techtarget.com/searchsecurity/definition/data-breach"&gt;data breaches&lt;/a&gt;. By adopting comprehensive security measures, such as firewalls, &lt;a href="https://www.techtarget.com/searchsecurity/definition/intrusion-detection-system"&gt;intrusion detection systems&lt;/a&gt;, encryption, and multifactor authentication (&lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;MFA&lt;/a&gt;), organizations can defend their networks and systems against cyberattacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Protecting data. &lt;/b&gt;Organizations handle vast amounts of confidential data, including personal information, financial records and proprietary business information. Cybersecurity helps protect this data from unauthorized access and theft, ensuring that sensitive information remains secure.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Preventing financial losses.&lt;/b&gt; Cyberattacks can directly lead to financial losses through unauthorized transactions, &lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;ransomware&lt;/a&gt; demands or stolen funds from bank accounts. Strong cybersecurity measures help prevent these costly incidents, reducing the risk of fines, revenue loss and reputational damage.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Ensuring business continuity.&lt;/b&gt; Cyberattacks can disrupt operations by shutting down systems, encrypting data and disabling critical infrastructure. For industries that rely heavily on online transactions and automation, such as e-commerce, manufacturing and healthcare, these disruptions can be devastating. Strong cybersecurity practices can ensure &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity"&gt;business continuity&lt;/a&gt; by minimizing downtime and reducing productivity losses.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Safeguarding critical infrastructure.&lt;/b&gt; Infrastructure sectors, such as energy, healthcare, transportation and government services, are prime targets for cyberattacks. A single successful attack on these systems can disrupt essential services and negatively affect public safety. Cybersecurity protects these vital operations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Improving recovery times.&lt;/b&gt; Effective cybersecurity measures help organizations quickly detect and respond to cyberincidents, reducing recovery time after a breach. With well-prepared &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan"&gt;incident response plans&lt;/a&gt; and backup systems in place, businesses can restore operations faster, while minimizing downtime and limiting damage.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Maintaining trust and reputation.&lt;/b&gt; Preserving customer trust is essential for businesses. A single data breach can harm a company's reputation, resulting in lost customers and revenue. By adopting cybersecurity measures, organizations foster and sustain customer trust, making them feel safe when sharing their personal information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Complying with legal and regulatory requirements.&lt;/b&gt; Many industries face regulatory requirements for protecting sensitive information. Failure to comply with these regulations can lead to fines, legal consequences and damage to an organization's brand or reputation. By adhering to cybersecurity best practices, organizations can meet regulatory obligations and operate within legal boundaries.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="What are the elements of cybersecurity and how does it work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the elements of cybersecurity and how does it work?&lt;/h2&gt;
 &lt;p&gt;Cybersecurity can be broken into several different security sectors, the coordination of which within the organization is crucial to the success of a cybersecurity program. These sectors include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Application security.&lt;/b&gt; These measures prevent data and code within an application from being misused or hijacked. &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/application-security"&gt;Application security&lt;/a&gt; includes secure coding, regular updates and vulnerability assessments.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Information security.&lt;/b&gt; Also referred to as &lt;i&gt;data security&lt;/i&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/definition/information-security-infosec"&gt;information security&lt;/a&gt; focuses on protecting the confidentiality, integrity and availability of data, ensuring that sensitive information isn't accessed, altered or lost.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Network security.&lt;/b&gt; This approach protects the integrity and usability of networks and data. &lt;a href="https://www.techtarget.com/searchnetworking/definition/network-security"&gt;Network security&lt;/a&gt; uses firewalls, intrusion detection systems and secure communication protocols to do this.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Disaster recovery.&lt;/b&gt; DR strategies and &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity-action-plan"&gt;business continuity planning&lt;/a&gt; help recover data and maintain business operations in the event of a cyberattack or system failure.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Operational security. &lt;/b&gt;This aspect encompasses the processes and decisions for handling and protecting data assets. &lt;a href="https://www.techtarget.com/searchsecurity/definition/OPSEC-operations-security"&gt;Operational security&lt;/a&gt; includes user permissions and access controls.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cloud security.&lt;/b&gt; These practices and policies are designed to protect data, applications and services hosted in cloud environments. &lt;a href="https://www.techtarget.com/searchsecurity/definition/cloud-security"&gt;Cloud security&lt;/a&gt; focuses on mitigating cyberthreats, ensuring confidentiality, integrity and availability.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Critical infrastructure security. &lt;/b&gt;This involves protecting the essential systems and assets that are vital to a nation's security, economy, public health and safety, ensuring their resilience against disruptions or attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Physical security.&lt;/b&gt; Protecting an organization's physical assets -- such as servers, data centers and network equipment -- from unauthorized access, theft, damage or tampering. &lt;a href="https://www.techtarget.com/searchsecurity/definition/physical-security"&gt;Physical security&lt;/a&gt; ensures the integrity and availability of digital systems and data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;End-user education.&lt;/b&gt; Training and educating users about the importance of cybersecurity, teaching them to recognize threats such as phishing and to follow best practices for password management and safe browsing.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Maintaining cybersecurity in a constantly evolving threat landscape is a challenge for all organizations. Reactive approaches, in which resources are put toward protecting against the biggest known threats while lesser-known threats go undefended, aren't sufficient.&lt;/p&gt;
 &lt;p&gt;To keep up with changing security risks, a more proactive and adaptive approach is necessary. Several key cybersecurity advisory organizations offer guidance. For example, the National Institute of Standards and Technology (&lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/NIST"&gt;NIST&lt;/a&gt;) recommends adopting continuous monitoring and real-time assessments as part of a &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step"&gt;risk assessment framework&lt;/a&gt; to defend against known and unknown threats.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Enterprise cybersecurity frameworks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Enterprise cybersecurity frameworks&lt;/h2&gt;
 &lt;p&gt;Enterprise cybersecurity frameworks provide structured approaches to managing cyber-risks, ensuring compliance and protecting critical assets. The following are some of the frameworks available:&lt;/p&gt;
 &lt;h3&gt;NIST Cybersecurity Framework (CSF 2.0)&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/healthtechsecurity/news/366594008/NIST-Releases-CSF-20-Caters-to-Audience-Beyond-Critical-Infrastructure"&gt;NIST CSF 2.0&lt;/a&gt; offers a flexible, risk-based approach to cybersecurity. It's comprised of five core functions:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Identify.&lt;/li&gt; 
  &lt;li&gt;Protect.&lt;/li&gt; 
  &lt;li&gt;Detect.&lt;/li&gt; 
  &lt;li&gt;Respond.&lt;/li&gt; 
  &lt;li&gt;Recover.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;NIST CSF 2.0 emphasizes governance, &lt;a href="https://www.techtarget.com/searcherp/definition/supply-chain-security"&gt;supply chain security&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-management-ID-management"&gt;identity management&lt;/a&gt;, making it suitable for organizations of all sizes and industries. It provides a common language for cybersecurity discussions across organizational levels and is widely adopted in both public and private sectors.&lt;/p&gt;
 &lt;h3&gt;ISO/IEC 27001&lt;/h3&gt;
 &lt;p&gt;This international standard provides guidance on establishing, implementing and maintaining an information security management system. &lt;a href="https://www.techtarget.com/whatis/definition/ISO-27001"&gt;ISO/IEC 27001&lt;/a&gt; is a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity and availability.&lt;/p&gt;
 &lt;p&gt;Organizations must systematically examine security risks, enforce controls and adopt an overarching management process for continuous improvement. Certification demonstrates compliance and commitment to information security.&lt;/p&gt;
 &lt;h3&gt;Cybersecurity Maturity Model Certification 2.0&lt;/h3&gt;
 &lt;p&gt;CMMC 2.0 is a U.S. Department of Defense framework that enhances the cybersecurity posture of federal contractors and the defense industrial base. Its tiered approach has three levels of certification, ranging from basic cyber hygiene to advanced security practices.&lt;/p&gt;
 &lt;h3&gt;Control Objectives for Information and Related Technologies&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/COBIT"&gt;COBIT&lt;/a&gt; is a framework for developing, implementing, monitoring and improving IT governance and management practices. It encompasses the entire IT environment, providing structured guidance for developing effective cybersecurity governance models and management practices.&lt;/p&gt;
 &lt;p&gt;COBIT helps organizations optimize IT-related risk, improve resource use and ensure compliance with regulatory requirements. It integrates with other frameworks such as the &lt;a href="https://www.techtarget.com/searchdatacenter/definition/ITIL"&gt;Information Technology Infrastructure Library&lt;/a&gt;, ISO 27000 and NIST.&lt;/p&gt;
 &lt;h3&gt;Center for Internet Security Critical Security Controls&lt;/h3&gt;
 &lt;p&gt;CIS controls are a prioritized set of 18 actionable cybersecurity best practices developed by a global community of experts. They're organized into three implementation groups of increasing sophistication, making them adaptable to organizations of varying security maturity levels.&lt;/p&gt;
 &lt;p&gt;CIS focuses on mitigating the most common attack vectors based on real-world threat data. The framework is continuously updated to address the evolving threat landscape. It offers organizations guidance on which security controls to use first for maximum defensive effectiveness.&lt;/p&gt;
 &lt;p&gt;In addition to enterprise-wide security frameworks, several industry-specific frameworks exist, such as the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Payment Card Industry Data Security Standard.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard"&gt;PCI DSS&lt;/a&gt; is a mandatory security standard for organizations handling credit card data. The major credit card companies developed it to protect cardholder data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Health Insurance Portability and Accountability Act Security Rule.&lt;/b&gt; The &lt;a href="https://www.techtarget.com/healthtechsecurity/feature/What-is-the-HIPAA-Security-Rule"&gt;HIPAA Security Rule&lt;/a&gt; establishes national standards to protect electronic personal health information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;North American Electric Reliability Corporation Critical Infrastructure Protection.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/North-American-Electric-Reliability-Corporation-Critical-Infrastructure-Protection-NERC-CIP"&gt;NERC CIP&lt;/a&gt; standards are mandatory cybersecurity regulations designed to protect North America's bulk electric system from cyber and physical attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Federal Financial Institutions Examination Council.&lt;/b&gt; The FFIEC standard provides a framework for financial institutions to evaluate their risk and cybersecurity preparedness.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;                   
&lt;section class="section main-article-chapter" data-menu-title="What are the different types of cybersecurity risks and threats?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the different types of cybersecurity risks and threats?&lt;/h2&gt;
 &lt;p&gt;Cyberthreats take many forms. &lt;a href="https://www.techtarget.com/searchsecurity/tip/6-common-types-of-cyber-attacks-and-how-to-prevent-them"&gt;Types of cyberthreats&lt;/a&gt; include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Malware.&lt;/b&gt; This refers to malicious software -- any file or program that can be used to harm a user's computer. Different types of &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; include worms, viruses, Trojans and spyware.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Ransomware.&lt;/b&gt; This is a type of malware that involves an attacker locking the victim's computer system files -- typically through &lt;a href="https://www.techtarget.com/searchsecurity/definition/encryption"&gt;encryption&lt;/a&gt; -- and demanding a payment to decrypt and unlock them.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Social engineering. &lt;/b&gt;This is an attack that relies on human interaction. It tricks users into breaking security procedures to gain sensitive information that's typically protected.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Phishing. &lt;/b&gt;This is a form of &lt;a href="https://www.techtarget.com/searchsecurity/definition/social-engineering"&gt;social engineering&lt;/a&gt; in which fraudulent email or text messages that resemble those from reputable or known sources are sent. These are often random attacks that intend to steal sensitive data, such as credit card or login information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Spear phishing. &lt;/b&gt;This is a type of phishing that has a specific target individual, organization or business.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Insider threats. &lt;/b&gt;These are security breaches or losses caused by humans -- for example, employees, contractors or customers. Insider threats can be malicious or negligent in nature.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Distributed denial-of-service (DDoS) attacks. &lt;/b&gt;Attackers use multiple systems to disrupt the traffic of a targeted system, such as a server, website or other network resource. By flooding the target with messages, connection requests or packets, &lt;a href="https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack"&gt;DDoS attacks&lt;/a&gt; slow or crash the target system, preventing legitimate traffic from using it.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Advanced persistent threat (APT). &lt;/b&gt;This is a prolonged targeted attack in which an attacker infiltrates a network and remains undetected for long periods of time. The goal of an &lt;a href="https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT"&gt;APT&lt;/a&gt; is to steal data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Man-in-the-middle (MitM) attacks. &lt;/b&gt;These are eavesdropping attacks that involve an attacker intercepting and relaying messages between two parties who believe they're communicating with each other. During an &lt;a href="https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM"&gt;MitM&lt;/a&gt; attack, the attacker positions themselves between the two communicating parties. They can then read, insert and modify the messages, making both parties believe they're directly communicating with each other, rather than with an intermediary.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;SQL injection. &lt;/b&gt;This technique involves attackers adding a string of malicious SQL code to a database query to gain access to a web application database. A &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/SQL-injection"&gt;SQL injection&lt;/a&gt; provides access to sensitive data and lets attackers execute malicious SQL statements.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Zero-day exploits. &lt;/b&gt;These attacks target vulnerabilities in software that are unknown to the vendor and for which no patch is available. Hackers take advantage of these unpatched vulnerabilities to infiltrate systems and cause damage.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Internet of things vulnerabilities. &lt;/b&gt;The proliferation of &lt;a href="https://www.techtarget.com/iotagenda/definition/IoT-device"&gt;IoT devices&lt;/a&gt; has introduced new entry points for cyberattacks. Many IoT devices have weak security, making them easy targets for cybercriminals looking to gain unauthorized access or disrupt services.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Artificial intelligence-based attacks. &lt;/b&gt;Attackers use AI technology to automate and enhance attacks, making them more sophisticated, scalable and difficult to detect. These attacks include highly convincing &lt;a href="https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous"&gt;phishing scams using deepfakes&lt;/a&gt; and AI-generated text, rapid exploitation of system vulnerabilities, and attacks that target AI models themselves, potentially compromising critical AI-driven systems.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Other common types of attacks include botnets, drive-by-download attacks, exploit kits, malvertising, vishing, credential stuffing attacks, &lt;a href="https://www.techtarget.com/searchsecurity/definition/cross-site-scripting"&gt;cross-site scripting&lt;/a&gt; attacks, &lt;a href="https://www.techtarget.com/searchsecurity/definition/keylogger"&gt;keyloggers&lt;/a&gt; and worms.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/whatis-malware_types.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/whatis-malware_types_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/whatis-malware_types_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/whatis-malware_types.png 1280w" alt="An infographic showing the different types of malware and viruses." height="392" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;There are many types of malware, including ransomware and viruses.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="What are the top cybersecurity challenges?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the top cybersecurity challenges?&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-challenges-and-how-to-address-them"&gt;Cybersecurity is continually challenged&lt;/a&gt; by hackers, data loss, privacy and changing cybersecurity strategies. And the number of cyberattacks isn't expected to decrease anytime soon. In 2024, the &lt;a target="_blank" href="https://www.ibm.com/reports/data-breach" rel="noopener"&gt;average cost&lt;/a&gt; of a data breach reached $4.88 million, which is a 10% increase over the previous year, according to IBM and the Ponemon Institute's "Cost of a Data Breach Report 2024."&lt;/p&gt;
 &lt;p&gt;Moreover, increased entry points for attacks from IoT technology and the growing attack surface increase the need to secure networks and devices. The following cybersecurity &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;risk management&lt;/a&gt; challenges must be continuously addressed.&lt;/p&gt;
 &lt;h3&gt;Evolving threats&lt;/h3&gt;
 &lt;p&gt;One of the most problematic elements of cybersecurity is the evolving nature of security risks. As new technologies emerge -- and as technology is used in new or different ways -- new attack avenues are developed. Keeping up with these changes and advances in attacks, as well as updating practices to protect against them, is challenging. Issues include ensuring all elements of cybersecurity are continually updated to protect against potential vulnerabilities.&lt;/p&gt;
 &lt;p&gt;This can be especially difficult for small organizations that don't have adequate staff or in-house resources.&lt;/p&gt;
 &lt;h3&gt;Data deluge&lt;/h3&gt;
 &lt;p&gt;Organizations gather a lot of data on the people who use their services. With more data being collected comes the potential for a cybercriminal to steal personally identifiable information. For example, an organization that stores personally identifiable information, or &lt;a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII"&gt;PII&lt;/a&gt;, in the cloud could be subject to a ransomware attack.&lt;/p&gt;
 &lt;h3&gt;Cybersecurity awareness training&lt;/h3&gt;
 &lt;p&gt;Cybersecurity programs should also include &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan"&gt;end-user education&lt;/a&gt;. Employees can accidentally bring threats and vulnerabilities into the workplace on their laptops and mobile devices. Likewise, they can act imprudently; for example, they might click links or download attachments from phishing emails. Regular security awareness training can help employees do their part in keeping their company safe from cyberthreats.&lt;/p&gt;
 &lt;h3&gt;Workforce shortage and skills gap&lt;/h3&gt;
 &lt;p&gt;Another cybersecurity challenge is a shortage of qualified cybersecurity personnel. As the amount of data collected and used by businesses grows, the need for cybersecurity staff to analyze, manage and respond to incidents also increases.&lt;/p&gt;
 &lt;p&gt;According to an &lt;a target="_blank" href="https://www.isc2.org/Insights/2024/10/ISC2-2024-Cybersecurity-Workforce-Study" rel="noopener"&gt;estimate&lt;/a&gt; from the "2024 ISC2 Cybersecurity Workforce Study," the global cybersecurity workforce gap, which is the number of security professionals organizations need compared to the number of active pros, has grown to nearly 4.8 million, representing a 19% increase from 2023.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/cybersecurity_skills_gap-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/cybersecurity_skills_gap-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/cybersecurity_skills_gap-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/cybersecurity_skills_gap-f.png 1280w" alt="The causes of the cybersecurity skills gap and strategies to mitigate it." height="392" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Five reasons the cybersecurity skills gap continues to grow, and three ways companies can address the problem.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;Supply chain attacks and third-party risks&lt;/h3&gt;
 &lt;p&gt;Organizations can do their best to maintain security, but if the partners, suppliers and third-party vendors that access their networks don't act securely, all that effort is for naught. Software- and hardware-based supply chain attacks are becoming increasingly difficult security challenges.&lt;/p&gt;
 &lt;p&gt;Organizations must &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-manage-third-party-risk-in-the-supply-chain"&gt;address third-party risk in the supply chain&lt;/a&gt; and reduce software supply issues, for example, by &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-SBOMs-for-cybersecurity-reduce-software-vulnerabilities"&gt;using software bills of materials&lt;/a&gt;.&lt;/p&gt;
 &lt;h3&gt;Cloud security misconfigurations&lt;/h3&gt;
 &lt;p&gt;The widespread adoption of cloud services introduces new security challenges, particularly related to misconfigurations. &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-4-cloud-misconfigurations-and-best-practices-to-avoid-them"&gt;Improperly configured cloud settings&lt;/a&gt; can lead to data breaches and unauthorized access. Organizations must implement comprehensive cloud security strategies, including regular audits, automated compliance checks and strong access controls to mitigate these risks.&lt;/p&gt;
 &lt;h3&gt;Hybrid work environments&lt;/h3&gt;
 &lt;p&gt;The shift to hybrid and remote work has blurred traditional corporate network boundaries, expanding the attack surface. With employees now working from diverse, often less secure locations, endpoints such as laptops and mobile devices operate outside managed office networks.&lt;/p&gt;
 &lt;p&gt;As a result, organizations must secure not just their internal infrastructure and cloud environments, but also an array of remote devices and variable network conditions. This demands a comprehensive, adaptive security strategy that goes beyond on-premises defenses to protect the entire distributed workforce and their access to cloud-based applications and data.&lt;/p&gt;
&lt;/section&gt;                      
&lt;section class="section main-article-chapter" data-menu-title="Cybersecurity metrics and KPIs for CISOs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cybersecurity metrics and KPIs for CISOs&lt;/h2&gt;
 &lt;p&gt;For &lt;a href="https://www.techtarget.com/searchsecurity/definition/CISO-chief-information-security-officer"&gt;chief information security officers&lt;/a&gt;, selecting the right cybersecurity metrics and &lt;a href="https://www.techtarget.com/searchbusinessanalytics/definition/key-performance-indicators-KPIs"&gt;key performance indicators&lt;/a&gt; is crucial for demonstrating the effectiveness of security initiatives, securing budget approvals and aligning with organizational goals. The following is a list of some essential cybersecurity KPIs and metrics that CISOs should monitor:&lt;/p&gt;
 &lt;h3&gt;Detection and response metrics&lt;/h3&gt;
 &lt;p&gt;These metrics focus on the efficiency and effectiveness of responding to and managing security incidents and demonstrate the organization's resilience. Common metrics in this category include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Mean time to detect. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchitoperations/definition/mean-time-to-detect-MTTD"&gt;MTTD&lt;/a&gt; is the average time it takes to identify a security incident from its onset. A lower MTTD indicates strong detection capabilities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Mean time to respond. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchstorage/definition/mean-time-to-repair-MTTR"&gt;MTTR&lt;/a&gt; is the average time taken to begin addressing a detected security incident. It shows how fast a security team can react.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Mean time to contain. &lt;/b&gt;MTTC is the average time it takes to stop the spread and limit the impact of a security incident. This is critical for minimizing damage.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Mean time to recover. &lt;/b&gt;This is the average time taken to restore systems and operations to normal after an incident. This highlights business continuity and disaster recovery effectiveness.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Vulnerability and patching metrics focus on proactive measures to identify and address weaknesses before they can be exploited. Common metrics in this category include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Number of open vulnerabilities. &lt;/b&gt;This is the total count of identified vulnerabilities that have not yet been remediated.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;High-risk vulnerabilities remediated on time.&lt;/b&gt; This is the percentage of high-priority vulnerabilities patched or addressed within defined &lt;a href="https://www.techtarget.com/searchitchannel/definition/service-level-agreement"&gt;service-level agreements&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Vulnerability recurrence rate.&lt;/b&gt; This is the frequency with which previously remediated vulnerabilities reappear. This indicates issues with root cause analysis or sustainable options.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Patch management compliance.&lt;/b&gt; This is the percentage of systems that are up to date with security patches and updates.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Incident and cost metrics&lt;/h3&gt;
 &lt;p&gt;Understanding the financial effects of cybersecurity incidents is essential for CISOs to justify security investments and communicate risks effectively to stakeholders. These metrics encompass both direct and indirect costs associated with security breaches. Common metrics in this category include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Number of security incidents.&lt;/b&gt; This metric counts the total number of security events over a specified period. An increase might indicate emerging threats or gaps in defenses.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cost per incident.&lt;/b&gt; This calculates the average financial toll of each security incident, including remediation and reputational damage.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Breach costs. &lt;/b&gt;This metric assesses the total expenses incurred from a data breach, encompassing legal fees, system repairs and customer notification costs.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Human factor and awareness metrics&lt;/h3&gt;
 &lt;p&gt;These metrics assess the &lt;a href="https://www.techtarget.com/searchsecurity/tip/The-human-firewalls-role-in-a-cybersecurity-strategy"&gt;role of the human firewall&lt;/a&gt; and the effectiveness of &lt;a href="https://www.techtarget.com/searchsecurity/tip/Best-practices-for-board-level-cybersecurity-oversight"&gt;security oversight&lt;/a&gt; and awareness programs. Common metrics in this category include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Phishing attack success rate. &lt;/b&gt;This is the percentage of employees who fall for simulated phishing attempts. A lower rate indicates effective training. In early 2025, over a million phishing attacks were &lt;a target="_blank" href="https://apwg.org/trendsreports/" rel="noopener"&gt;observed by&lt;/a&gt; the Anti-Phishing Working Group, indicating a significant increase in phishing threats.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Employee security awareness assessment scores.&lt;/b&gt; These are the results from quizzes or assessments testing employees' understanding of security best practices.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Reporting of suspicious activity. &lt;/b&gt;This is the number of employees who report potential security threats or suspicious emails. This indicates a strong security culture.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;User and compliance metrics&lt;/h3&gt;
 &lt;p&gt;Metrics that track user activity and compliance include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Security awareness training completion rate.&lt;/b&gt; This metric measures the percentage of employees who have completed cybersecurity training. Higher completion rates are associated with reduced human error incidents.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;MFA coverage.&lt;/b&gt; This tracks the percentage of user accounts secured with MFA. Aiming for 95% coverage enhances account protection.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Compliance rate.&lt;/b&gt; This evaluates adherence to regulatory standards such as ISO 27001 or PCI DSS. Maintaining high compliance is essential for avoiding penalties.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Operational efficiency metrics&lt;/h3&gt;
 &lt;p&gt;The following are metrics focused on operational efficiency:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;False positive rate.&lt;/b&gt; The FPR metric monitors the percentage of security alerts that are false alarms. A lower FPR indicates more accurate threat detection systems.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Patch velocity.&lt;/b&gt; This metric measures the number of patches applied over a specific period. Higher patch velocity indicates a responsive and proactive patch management process.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security testing coverage.&lt;/b&gt; This metric assesses the percentage of systems and applications that undergo regular security testing. Comprehensive testing helps identify vulnerabilities before exploitation.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;                   
&lt;section class="section main-article-chapter" data-menu-title="Cybersecurity best practices"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cybersecurity best practices&lt;/h2&gt;
 &lt;p&gt;To minimize the chance of a cyberattack, it's important to implement and follow a set of best practices that includes the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Keep software up to date. &lt;/b&gt;Employees should keep all software, including antivirus software, up to date. This ensures attackers can't take advantage of known vulnerabilities that software companies have already patched.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Change default usernames and passwords.&lt;/b&gt; Malicious actors can easily guess default usernames and passwords on factory preset devices to gain access to a network. To reduce this risk, it's essential to change all default usernames and passwords immediately upon setup.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use strong passwords.&lt;/b&gt; Employees should select passwords that use a combination of letters, numbers and symbols. Those types of passwords are difficult to hack using a &lt;a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking"&gt;brute-force&lt;/a&gt; attack or guessing. Employees should also change their passwords often.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use multifactor authentication.&lt;/b&gt; MFA requires at least two identity components to gain access. This approach minimizes the chances of a malicious actor gaining access to a device or system.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Train employees on proper security awareness.&lt;/b&gt; Companies should provide security awareness training to help employees understand how seemingly harmless actions can leave systems vulnerable to attack. This should also include training on how to spot suspicious emails to avoid phishing attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Implement an identity and access management system.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;IAM&lt;/a&gt; defines the roles and access privileges for each user in an organization, as well as the conditions under which they can access certain data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Implement an attack surface management system.&lt;/b&gt; This process encompasses the continuous discovery, inventory, classification and monitoring of an organization's IT infrastructure. It ensures security covers all potentially exposed IT assets accessible from within an organization.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use a firewall.&lt;/b&gt; Firewalls restrict unnecessary outbound traffic, which helps prevent access to potentially malicious content.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Implement a DR process.&lt;/b&gt; In the event of a successful cyberattack, a disaster recovery plan helps an organization maintain operations and restore mission-critical data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Adopt a zero-trust architecture.&lt;/b&gt; Companies should adopt a zero-trust model where trust is never assumed, and verification is continuous. This approach is essential as organizations increasingly rely on cloud services and remote work.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Incorporate secure-by-design principles.&lt;/b&gt; It's important to integrate security into the &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/software-development-life-cycle-SDLC"&gt;software development lifecycle&lt;/a&gt; from the outset. This proactive approach helps in identifying and mitigating vulnerabilities early, fostering a culture of security across the organization.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How is automation used in cybersecurity?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How is automation used in cybersecurity?&lt;/h2&gt;
 &lt;p&gt;Automation has become an integral component of keeping companies protected from the increasing number and sophistication of cyberthreats. Using AI and &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-ML"&gt;machine learning&lt;/a&gt; in areas with high-volume data streams can help improve cybersecurity in the following three main categories:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Threat detection.&lt;/b&gt; AI platforms can analyze data and recognize known threats, as well as predict novel threats that use newly discovered attack techniques that bypass traditional security.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Threat response.&lt;/b&gt; AI platforms create and automatically enact security protections. For example, upon detecting a security threat, automated systems can trigger predefined responses, such as isolating compromised endpoints, blocking malicious &lt;a href="https://www.techtarget.com/whatis/definition/IP-address-Internet-Protocol-Address"&gt;Internet Protocol addresses&lt;/a&gt; or executing scripts to neutralize malware. This minimizes the time between detection and remediation.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Human augmentation.&lt;/b&gt; Security professionals are often overloaded with alerts and repetitive tasks. AI can help eliminate &lt;a href="https://www.techtarget.com/whatis/definition/alert-fatigue"&gt;alert fatigue&lt;/a&gt; by automatically triaging low-risk alarms and automating big data analysis and other repetitive tasks. This frees IT professionals for more sophisticated tasks.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Other benefits of automation in cybersecurity include attack classification, malware classification, traffic analysis and compliance analysis.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Cybersecurity vendors and tools"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cybersecurity vendors and tools&lt;/h2&gt;
 &lt;p&gt;Vendors in the cybersecurity field offer a variety of security products and services that fall into the following categories:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Antimalware and antivirus.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-access-security-broker-CASB"&gt;Cloud access security broker&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Cloud workload protection platform.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/whatis/definition/data-loss-prevention-DLP"&gt;Data loss prevention&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Encryption.&lt;/li&gt; 
  &lt;li&gt;Endpoint detection and response.&lt;/li&gt; 
  &lt;li&gt;Endpoint protection.&lt;/li&gt; 
  &lt;li&gt;Firewalls.&lt;/li&gt; 
  &lt;li&gt;IAM.&lt;/li&gt; 
  &lt;li&gt;Intrusion prevention systems and detection systems.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/security-information-and-event-management-SIEM"&gt;Security information and event management&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchnetworking/definition/virtual-private-network"&gt;Virtual private networks&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Vulnerability scanners.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;According to Informa TechTarget's research, common cybersecurity vendors include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Acronis.&lt;/b&gt; Provides data protection options, including backup, DR and secure file sharing.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Check Point Software.&lt;/b&gt; Provides unified threat management through advanced firewalls, intrusion prevention systems and secure access options.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cisco.&lt;/b&gt; Offers a comprehensive suite of security tools, including &lt;a href="https://www.techtarget.com/searchsecurity/definition/next-generation-firewall-NGFW"&gt;next-gen firewalls&lt;/a&gt;, secure access and threat intelligence platforms.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Code42 Software.&lt;/b&gt; Specializes in data loss prevention with real-time monitoring and alerting capabilities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;CrowdStrike.&lt;/b&gt; Delivers endpoint protection and threat intelligence, using AI and machine learning through its Falcon platform.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Fortinet.&lt;/b&gt; Offers high-performance network security products, including firewalls and &lt;a href="https://www.techtarget.com/searchnetworking/definition/SD-WAN-security"&gt;SD-WAN security&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;IBM. &lt;/b&gt;Provides a range of cybersecurity services, such as identity and access management, threat intelligence and incident response.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Imperva.&lt;/b&gt; Specializes in data and application security, offering options including DDoS protection and &lt;a href="https://www.techtarget.com/searchsecurity/definition/Web-application-firewall-WAF"&gt;web application firewalls&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;KnowBe4.&lt;/b&gt; Focuses on security awareness training and simulated phishing attacks to educate employees.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;McAfee.&lt;/b&gt; Offers comprehensive endpoint protection, cloud security and threat intelligence options.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Microsoft.&lt;/b&gt; Provides integrated security products across its cloud and on-premises environments, including identity protection and threat detection.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Palo Alto Networks.&lt;/b&gt; Delivers next-gen firewalls and advanced threat prevention capabilities for enterprise environments.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Rapid7.&lt;/b&gt; Specializes in &lt;a href="https://www.techtarget.com/searchsecurity/definition/vulnerability-management"&gt;vulnerability management&lt;/a&gt;, application security and incident detection and response.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Sophos.&lt;/b&gt; Offers endpoint protection, firewall, and encryption options with a focus on simplicity and automation.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Splunk.&lt;/b&gt; Offers a platform for searching, monitoring and analyzing machine-generated big data via a web-style interface.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Symantec by Broadcom.&lt;/b&gt; Provides endpoint security, cloud security and advanced threat protection options.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Trend Micro.&lt;/b&gt; Offers products for endpoint, server and cloud security, focusing on threat intelligence and advanced malware protection.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Trustwave.&lt;/b&gt; Provides managed security services, including threat detection, compliance and vulnerability management.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;WatchGuard.&lt;/b&gt; Offers network security products, including firewalls, secure &lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/Wi-Fi"&gt;Wi-Fi&lt;/a&gt;, and multi-factor authentication.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Zscaler.&lt;/b&gt; Specializes in secure internet access and private application access through its cloud-native platform.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="What are the career opportunities in cybersecurity?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the career opportunities in cybersecurity?&lt;/h2&gt;
 &lt;p&gt;As the cyberthreat landscape continues to grow and new threats emerge, organizations need individuals with cybersecurity awareness and hardware and software skills. IT professionals and other computer specialists are needed in the following security roles:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Chief information security officer. &lt;/b&gt;A CISO is the person who implements the security program across the organization and oversees the IT security department's operations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Chief security officer. &lt;/b&gt;A &lt;a href="https://www.techtarget.com/whatis/definition/CSO-Chief-Security-Officer"&gt;CSO&lt;/a&gt; is the executive responsible for the physical and cybersecurity of a company.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;AI security architects.&lt;/b&gt; AI security architects design and implement security frameworks that protect AI systems and the data they process. This role combines cybersecurity expertise with deep knowledge of AI and machine learning technologies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Network security architects. &lt;/b&gt;Their responsibilities include defining network policies and procedures and configuring network security tools such as antivirus and firewall configurations. Network security architects strengthen network security while maintaining network availability and performance.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security architects. &lt;/b&gt;Security and &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-become-a-cybersecurity-architect"&gt;cybersecurity architects&lt;/a&gt; are responsible for planning, analyzing, designing, testing, maintaining and supporting an enterprise's critical infrastructure.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security engineers. &lt;/b&gt;These IT professionals protect company assets from threats with a focus on quality control within the IT infrastructure.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Computer forensics analysts.&lt;/b&gt; These analysts investigate computers and digital devices involved in cybercrimes to prevent a cyberattack from happening again. A &lt;a href="https://www.techtarget.com/searchsecurity/definition/computer-forensics"&gt;computer forensics&lt;/a&gt; investigation uncovers how a threat actor gained access to a network, identifying security gaps. This position is also in charge of preparing evidence for legal purposes.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Incident response analysts.&lt;/b&gt; These professionals investigate and respond to security incidents, minimizing the effects of data breaches. They also collect digital evidence for potential legal proceedings.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security analysts. &lt;/b&gt;These IT professionals plan security measures and controls, protect digital files, and conduct internal and external security audits.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security software developers. &lt;/b&gt;These IT pros develop software and ensure it's secured to help prevent potential attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Threat hunters. &lt;/b&gt;These IT professionals aim to uncover vulnerabilities and attacks. &lt;a href="https://www.techtarget.com/searchcio/definition/threat-hunter-cybersecurity-threat-analyst"&gt;Threat hunters&lt;/a&gt; help mitigate vulnerabilities before they compromise a business.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Penetration testers. &lt;/b&gt;These are &lt;a href="https://www.techtarget.com/searchsecurity/definition/ethical-hacker"&gt;ethical hackers&lt;/a&gt; who test system, network and application security to find vulnerabilities that malicious actors could exploit.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Other cybersecurity careers include security consultants, data protection officers, cloud security architects, &lt;a href="https://www.techtarget.com/searchsecurity/tip/5-key-enterprise-SOC-roles-and-responsibilities"&gt;security operations managers and analysts&lt;/a&gt;, security investigators, cryptographers and security administrators.&lt;/p&gt;
 &lt;p&gt;Entry-level cybersecurity positions typically require one to three years of experience and a bachelor's degree in business or liberal arts, as well as certifications, such as &lt;a href="https://www.techtarget.com/whatis/definition/CompTIA-Security"&gt;CompTIA Security+&lt;/a&gt;. Jobs in this area include associate cybersecurity analysts and network security analyst positions, as well as cybersecurity risk and SOC analysts.&lt;/p&gt;
 &lt;p&gt;Mid-level positions typically require three to five years of experience. These positions typically include security engineers, security analysts and forensics analysts.&lt;/p&gt;
 &lt;p&gt;Senior-level positions typically require five to eight years of experience. They typically include positions such as senior cybersecurity risk analyst, principal application security engineer, penetration tester, threat hunter and cloud security analyst.&lt;/p&gt;
 &lt;p&gt;Higher-level positions generally require more than eight years of experience and typically encompass C-level positions.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-cybersecurity_career_path-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-cybersecurity_career_path-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-cybersecurity_career_path-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-cybersecurity_career_path-f.png 1280w" alt="A table categorizing job titles, education, and certifications for entry-level, mid-career, senior-level and leadership positions in cybersecurity." height="548" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The typical progression in the cybersecurity field is structured into four main career stages: entry level, mid-career, senior level and leaders.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;          
&lt;section class="section main-article-chapter" data-menu-title="Advancements in cybersecurity technology"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Advancements in cybersecurity technology&lt;/h2&gt;
 &lt;p&gt;As newer technologies evolve, they can be applied to cybersecurity to advance security practices. Some recent technology trends in cybersecurity include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Security automation through AI. &lt;/b&gt;While AI and machine learning can aid attackers, they can also be used to &lt;a href="https://www.computerweekly.com/news/366545434/Security-AI-and-automation-may-reduce-cost-of-data-breaches"&gt;automate cybersecurity tasks&lt;/a&gt;. AI is useful for analyzing large data volumes to identify patterns and for making predictions on potential threats. AI tools can also suggest possible fixes for vulnerabilities and identify patterns of unusual behavior.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Zero-trust architecture. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;Zero-trust&lt;/a&gt; principles assume that no users or devices should be considered trustworthy without verification. Implementing a zero-trust approach can reduce both the frequency and severity of cybersecurity incidents, along with other zero-trust benefits.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Behavioral biometrics.&lt;/b&gt; This cybersecurity method uses machine learning to analyze user behavior. It can detect patterns in the way users interact with their devices to identify potential threats, such as if someone else has access to their account.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Improvements in response capabilities. &lt;/b&gt;Organizations must be continually prepared to respond to large-scale ransomware attacks, so they can properly respond to a threat without paying any ransom and without losing any critical data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Quantum computing.&lt;/b&gt; While this technology is still in its infancy and still has a long way to go before it sees use, quantum computing will have a large impact on cybersecurity practices -- introducing new concepts such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/quantum-cryptography"&gt;quantum cryptography&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Deception technology.&lt;/b&gt; This approach involves creating traps and lures within networks to detect and analyze unauthorized activity. &lt;a href="https://www.techtarget.com/whatis/definition/deception-technology"&gt;Deception technology&lt;/a&gt; provides early warning of potential cyberattacks and alerts organizations of unauthorized activity, enhancing internal threat detection capabilities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Machine identity management.&lt;/b&gt; The proliferation of generative AI (&lt;a href="https://www.techtarget.com/searchenterpriseai/definition/generative-AI"&gt;GenAI&lt;/a&gt;), cloud, automation and &lt;a href="https://www.techtarget.com/searchitoperations/definition/DevOps"&gt;DevOps&lt;/a&gt; has caused an uncontrolled surge in machine identities and credentials. If these machine identities aren't properly managed, secured and monitored, they can create a significant vulnerability. For example, an attacker exploiting just one unmanaged machine identity could gain unauthorized access, move laterally through a network and cause extensive damage. As a result, &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-machine-identity-management"&gt;machine identity management&lt;/a&gt; has become a critical priority that organizations can no longer afford to ignore.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Continuous exposure management. &lt;/b&gt;Continuous &lt;a href="https://www.techtarget.com/searchsecurity/definition/exposure-management"&gt;exposure management&lt;/a&gt; provides continuous, real-time monitoring and assessment of an organization's security vulnerabilities and exposures. It focuses on identifying and mitigating risks by analyzing attack paths and providing recommendations. This ensures organizations maintain a resilient cybersecurity posture.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;As technologies such as AI, zero trust, behavioral analytics and quantum computing mature, cybersecurity practitioners must adopt a mindset of continuous learning and agility. Embracing these innovations will be essential for staying ahead of increasingly sophisticated threats and maintaining a strong and adaptive security posture.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-future of cybersecurity_trends-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-future of cybersecurity_trends-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-future of cybersecurity_trends-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-future of cybersecurity_trends-f.png 1280w" alt="Descriptions of five cybersecurity trends to watch" height="439" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Five cybersecurity trends enterprises need to pay attention to.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;&lt;i&gt;Cybersecurity has many facets that require a keen and consistent eye for successful use. Improve your cybersecurity implementation with these &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/10-cybersecurity-best-practices-and-tips-for-businesses"&gt;&lt;i&gt;cybersecurity best practices and tips&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Cybersecurity is the practice of protecting systems, networks and data from digital threats.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/cybersecurity</link>
            <pubDate>Tue, 15 Jul 2025 09:00:00 GMT</pubDate>
            <title>What is cybersecurity?</title>
        </item>
        <item>
            <body>&lt;p&gt;An SBOM (software bill of materials) is a detailed inventory of all components and software dependencies involved in the development and delivery of an application. It has become an increasingly common and critical component of the &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/software-development-life-cycle-SDLC"&gt;software development lifecycle&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchitoperations/definition/DevSecOps"&gt;DevSecOps&lt;/a&gt; processes, helping organizations that want to strengthen their security posture identify and manage risks.&lt;/p&gt; 
&lt;p&gt;Modern software applications and services are commonly built with multiple components and dependencies that can come from different sources. They can include open source software projects, licenses, proprietary code, &lt;a href="https://www.techtarget.com/searchapparchitecture/definition/application-program-interface-API"&gt;application programming interfaces&lt;/a&gt;, programming language frameworks and software libraries. The various sources that make up modern software are part of the software supply chain, serving as the supplying sources for enabling applications and services. An SBOM lists all of these components for organizations to use to improve security and software &lt;a href="https://www.techtarget.com/whatis/definition/supply-chain-risk-management-SCRM"&gt;supply chain risk management&lt;/a&gt; processes.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/software_bill_of_materials_example-f.png"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineimages/software_bill_of_materials_example-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/software_bill_of_materials_example-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/software_bill_of_materials_example-f.png 1280w" alt="A software bill of materials example." height="252" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;SBOMs contain multiple details on each component of an application or service.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;p&gt;An SBOM is similar to a bill of materials (&lt;a href="https://www.techtarget.com/searcherp/definition/bill-of-materials-BoM"&gt;BOM&lt;/a&gt;) used in supply chains and manufacturing. BOMs inventory all the items included in a product and help trace defects back to a specific part or supplier. Similarly, an SBOM provides visibility into software's internal underpinnings to help organizations and users better understand what is being used and where there could be a potential risk.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/erp-bill_of_materials_2.png"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineimages/erp-bill_of_materials_2_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/erp-bill_of_materials_2_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/erp-bill_of_materials_2.png 1280w" alt="An image showing the levels of a bill of materials." height="465" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;A bill of materials lists out the individual components in an overall product.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is in a software bill of materials?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is in a software bill of materials?&lt;/h2&gt;
 &lt;p&gt;At its foundation, an SBOM is an inventory of all the components that make up a software application or online service. This includes any source components and dependencies. The source components can include a listing of the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Shared objects, such as &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/dynamic-link-library-DLL"&gt;dynamic link libraries&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Software libraries for different functions.&lt;/li&gt; 
  &lt;li&gt;Open source code used in the application.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchapparchitecture/definition/middleware"&gt;Middleware&lt;/a&gt;, containers, cloud services and programming frameworks on which an application operates.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;An SBOM differs from a list of ingredients or a simple inventory because it should also provide lineage information about the origin of the components. Modern software development often follows the principle that one piece of application code is dependent on another. As such, a dependency tree is needed to help provide visibility into an application's core foundational components.&lt;/p&gt;
 &lt;p&gt;In 2021, the National Telecommunications and Information Administration (NTIA) issued definitive guidance in a &lt;a target="_blank" href="https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf" rel="noopener"&gt;report&lt;/a&gt; detailing the minimum elements for an SBOM, including the following three foundational areas:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Data fields. &lt;/b&gt;The data fields portion of an SBOM is the asset inventory component that outlines the dependency tree for an application. The fields should include the component's name, version, license information, supplier name, authorship and a timestamp for when the SBOM data was generated.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Automation support. &lt;/b&gt;Given the complexity of modern software development processes, manually developing an SBOM isn't advised. As such, NTIA recommends a minimum level of automation for SBOM generation and data transfer so that other systems can understand and use SBOM data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Practices and processes. &lt;/b&gt;An SBOM requires the right processes in place to help enable the ongoing collection of data. There also needs to be a definition for how SBOMs are generated and accessed.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) &lt;a href="https://www.cisa.gov/sites/default/files/2024-10/SBOM%20Framing%20Software%20Component%20Transparency%202024.pdf" target="_blank" rel="noopener"&gt;released a report&lt;/a&gt; titled "Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)." This report expands on the NTIA's foundational areas. CISA's report defines the elements and attributes of an SBOM and includes details on how to implement one.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Types of SBOMs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of SBOMs&lt;/h2&gt;
 &lt;p&gt;SBOMs can be categorized in several different ways, depending on their level of depth, the detail needed or the use case. According to CISA, SBOMs can be categorized into the following six types:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Design.&lt;/b&gt; This type of SBOM is created by listing planned components before development begins. It is often created from design specifications and expected components.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Source.&lt;/b&gt; This SBOM is created by directly listing components from the development environment, source files and dependencies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Build.&lt;/b&gt; This SBOM is created during the build process and reflects what components were actively compiled and put into the final software.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Analyzed. &lt;/b&gt;This SBOM is created based on observed components. Pieces like executables, containers and virtual machines are typically scanned using third-party tools after the software is built.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Deployed.&lt;/b&gt; This type of SBOM is created by recording software components and configuration information in deployment environments. This is meant to inventory what is available and is actively installed.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Runtime.&lt;/b&gt; This SBOM is designed to record only the components that are actively loaded and used during an application's execution.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Benefits of utilizing SBOMs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of utilizing SBOMs&lt;/h2&gt;
 &lt;p&gt;As organizations increasingly rely on software to run business-critical operations, it's imperative to have SBOMs for the following reasons:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Improve security posture.&lt;/b&gt; SBOMs help organizations identify potential security risks and enable them to address these risks more efficiently.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Help assess dependencies and supply chain risk. &lt;/b&gt;When software vulnerabilities are discovered, they are often found in components that are dependencies for other software applications. Knowing whether an organization is at risk from a third-party component is a challenge that is commonly referred to as &lt;i&gt;supply chain risk&lt;/i&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Enhance transparency.&lt;/b&gt; Many organizations struggle to understand whether they are at risk from a specific software vulnerability. SBOMs add more transparency and visibility into the exact components used in a software or service.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Aid open source license compliance.&lt;/b&gt; In addition to helping with supply chain risk, an SBOM can assist organizations with open source software license compliance issues. Different open source licenses can have &lt;a href="https://www.techtarget.com/searchsoftwarequality/tip/Discern-these-open-source-license-terms-to-avoid-legal-snags"&gt;usage restrictions&lt;/a&gt; or require organizations to share any changes made to the source code. A well-constructed SBOM reveals not only the underlying open source software dependencies, but also the license restrictions that are in place.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Support regulatory and policy compliance.&lt;/b&gt; After a string of supply chain attacks in 2020 and 2021, including the &lt;a href="https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know"&gt;SolarWinds&lt;/a&gt; breach in March 2020 and the &lt;a href="https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know"&gt;Colonial Pipeline&lt;/a&gt; hack in July 2021, the U.S. federal government published &lt;a target="_blank" href="https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity" rel="noopener"&gt;Executive Order 14028&lt;/a&gt;, which advocates for U.S. government agencies to only deal with software vendors that provide SBOMs, among other directives. The executive order also directed NTIA to define the minimum requirements for an SBOM, which were defined by the agency in a comprehensive report released in July 2021.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Challenges of utilizing SBOMs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Challenges of utilizing SBOMs&lt;/h2&gt;
 &lt;p&gt;Although SBOMs can benefit an organization by providing more visibility and a better security posture, they also come with the following challenges:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Inconsistent integration with existing workflows.&lt;/b&gt; The implementation of an SBOM should be consistent across teams and any parties involved in the software supply chain. It should also align with existing development, compliance and security processes.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Maintaining SBOM accuracy. &lt;/b&gt;Keeping an SBOM up to date can be difficult, as it needs to be maintained, scaled and updated with any changes to the software.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Lacking vendor support.&lt;/b&gt; Third-party vendors might not provide detailed information about their components that an organization could use in its SBOM.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How to select an SBOM tool"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to select an SBOM tool&lt;/h2&gt;
 &lt;p&gt;When selecting a tool to create an SBOM, organizations should ensure it addresses the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Provides scalability.&lt;/b&gt; The SBOM tool should be able to scale to projects of different sizes, from smaller applications to larger enterprise-grade systems.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Integrates with existing workflows and systems.&lt;/b&gt; The correct tool must be able to properly integrate with an organization's development and operational systems. If the tool is going to be used for added security, it should integrate with existing security tools.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Addresses the organization's needs.&lt;/b&gt; The chosen tool must fit the organization's plan for creating the SBOM.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Provides automation capabilities.&lt;/b&gt; Some SBOM tools have features that automate SBOM generation and updates.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Offers compliance features.&lt;/b&gt; The tool should support relevant standards, such as Software Package Data Exchange (SPDX) or &lt;a href="https://cyclonedx.org/" target="_blank" rel="noopener"&gt;CycloneDX&lt;/a&gt;, and help meet any regulatory SBOM requirements.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Fits the budget.&lt;/b&gt; SBOM tools can be free, usage-based or subscription-based.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How to create a software bill of materials"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to create a software bill of materials&lt;/h2&gt;
 &lt;p&gt;Multiple tools can integrate with &lt;a href="https://www.techtarget.com/searchsoftwarequality/CI-CD-pipelines-explained-Everything-you-need-to-know"&gt;continuous integration/continuous delivery&lt;/a&gt; technology to build an SBOM as part of a development pipeline. An SBOM can be generated before, during or after the software application's development process using the following steps:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Define the SBOM scope.&lt;/b&gt; The organization must decide what software it is creating an SBOM for and if it depends on any internal, external or third-party dependencies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Pick a format.&lt;/b&gt; For both developers and end-user organizations that want or need visibility into supply chain risk, it's critical to use an industry standard form for SBOM data exchange. Whether the organization is generating an SBOM during development -- with a software composition analysis (SCA) tool or otherwise -- the SBOM data must be in a format that is portable and well understood so that it can be used in other applications.&lt;br&gt;&lt;br&gt;One of the industry standards for SBOMs is &lt;a target="_blank" href="https://www.iso.org/standard/81870.html" rel="noopener"&gt;International Organization for Standardization (ISO)/International Electrotechnical Commission 5962:2021&lt;/a&gt; for the SPDX specification. SBOMs that are written to this specification can be consumed in software vulnerability, risk and patch management technologies to help understand what underlying software components an organization uses. ISO developed Software Identification &lt;a href="https://csrc.nist.gov/projects/Software-Identification-SWID" target="_blank" rel="noopener"&gt;tagging&lt;/a&gt; to help provide the data fields portion of an SBOM. CycloneDX, which is developed by the &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/OWASP"&gt;Open Web Application Security Project&lt;/a&gt;, is another common standard for helping organizations develop SBOM manifests.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Choose the SBOM tool.&lt;/b&gt; The organization should choose the SBOM tool it wants to use, such as the CycloneDX command-line interface, Grype, Syft or Tern. The tool needs to fit the type of SBOM the organization wants to implement.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Generate the SBOM.&lt;/b&gt; If generating the SBOM occurs during the build, for example, the SBOM tool might use SCA software to identify each application's components. SCA scanning can occur after an application is completed or during the application development process.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Maintain.&lt;/b&gt; The SBOM tool should be rerun whenever the software is updated or new dependencies are added.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;&lt;em&gt;Learn about the &lt;a href="https://www.techtarget.com/searchsecurity/tip/SBOM-tools-to-start-securing-the-software-supply-chain"&gt;different SBOM tools&lt;/a&gt; that organizations can use to build their SBOMs and secure their software supply chains.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>An SBOM (software bill of materials) is a detailed inventory of all components and software dependencies involved in the development and delivery of an application.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/whatis/definition/software-bill-of-materials-SBOM</link>
            <pubDate>Wed, 02 Jul 2025 09:00:00 GMT</pubDate>
            <title>What is an SBOM (software bill of materials)?</title>
        </item>
        <item>
            <body>&lt;p&gt;Attack surface management is straightforward in concept. The self-explanatory term boils down to flagging and safeguarding the entry points where &lt;a href="https://www.techtarget.com/whatis/definition/threat-actor"&gt;threat actors&lt;/a&gt; could potentially attack an enterprise's IT infrastructure.&lt;/p&gt; 
&lt;p&gt;That's where the simplicity ends. Attack surface management (ASM) calls on enterprises to continuously scan and identify possible exposures, recommend remediation steps and monitor an organization's IT environment for emerging threats. The goal is to discover IT assets wherever they exist and provide cybersecurity professionals &lt;a href="https://www.techtarget.com/searchsecurity/The-ultimate-guide-to-cybersecurity-planning-for-businesses"&gt;visibility into potential vulnerabilities&lt;/a&gt;. Those vulnerabilities could stem from physical IT assets within a business, digital assets exposed to the internet, third-party vendors' infrastructures and extended supply chains.&lt;/p&gt; 
&lt;p&gt;The task is difficult, but there's a vital payoff: Ongoing surveillance of the IT environment helps chief information security officers (&lt;a href="https://www.techtarget.com/searchsecurity/definition/CISO-chief-information-security-officer"&gt;CISOs&lt;/a&gt;) and other &lt;a href="https://www.techtarget.com/searchsecurity/definition/cybersecurity"&gt;cybersecurity&lt;/a&gt; professionals shrink the &lt;a href="https://www.techtarget.com/whatis/definition/attack-surface"&gt;attack surface&lt;/a&gt;, address security gaps and prevent attacks.&lt;/p&gt; 
&lt;p&gt;The data explosion stemming from &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-Artificial-Intelligence"&gt;AI&lt;/a&gt; adoption makes ASM systems necessary, said Rinki Sethi, chief security and strategy officer at cloud security platform provider Upwind. "You are looking at so much information," she explained. "[Determining] what's important to be remediated or resolved needs some type of technology. There is no human way." Sethi joined Upwind in June 2025, previously holding CISO roles at Twitter and Bill, a financial operations platform company.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Importance of attack surface management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Importance of attack surface management&lt;/h2&gt;
 &lt;p&gt;ASM has &lt;a href="https://www.techtarget.com/searchsecurity/feature/Why-effective-cybersecurity-is-important-for-businesses"&gt;become increasingly important in recent years&lt;/a&gt;. The acceleration of digital transformation and remote work during the COVID-19 pandemic significantly increased attack surfaces. The same can be said for the expanding use of cloud and edge computing. More recently, the surge in AI use has &lt;a href="https://www.techtarget.com/searchsecurity/feature/AI-powered-attacks-What-CISOSs-need-to-know-now"&gt;created new vulnerabilities&lt;/a&gt; regarding large language models (&lt;a href="https://www.techtarget.com/whatis/definition/large-language-model-LLM"&gt;LLMs&lt;/a&gt;) and the data used to train them.&lt;/p&gt;
 &lt;p&gt;The expanding scope and complexity of IT require a comprehensive overview of assets -- and increase the need for attack surface management as a cybersecurity practice.&lt;/p&gt;
 &lt;p&gt;Another consideration is an evolving roster of attack vectors seeking to exploit vulnerabilities across sprawling IT estates. &lt;a href="https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS"&gt;Ransomware as a service&lt;/a&gt;, nation-state threat actors targeting critical infrastructure, phishing attacks, malicious insiders and &lt;a href="https://www.techtarget.com/searchdatacenter/feature/Explore-the-impact-of-quantum-computing-on-cryptography"&gt;post-quantum cryptography&lt;/a&gt; are just a few of the concerns for enterprises. ASM's continuous monitoring puts cybersecurity managers on a more proactive footing, helping them address vulnerabilities and prepare for the next onslaught.&lt;/p&gt;
 &lt;p&gt;"ASM is good at showing you what the attacker would see at first glance about your organization," said Pete Shoard, an analyst at Gartner. "It provides an attacker's eye view of the outside of your organization or the digital assets your organization has."&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/16_common_attack_vectors-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/16_common_attack_vectors-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/16_common_attack_vectors-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/16_common_attack_vectors-f.png 1280w" alt="Graphic summarizing common attack vectors." height="324" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Large language models and their training data have expanded the attack surface.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Comparing attack surface vs. threat surface vs. vulnerability management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Comparing attack surface vs. threat surface vs. vulnerability management&lt;/h2&gt;
 &lt;p&gt;The terms &lt;i&gt;attack surface&lt;/i&gt; and &lt;i&gt;threat surface&lt;/i&gt; are often used interchangeably. In some industry sectors, attack surface nomenclature appears to have wider recognition. For example, NIST, a U.S. federal government agency that provides cybersecurity guidelines widely used in the public and private sectors, publishes a definition for attack surface but not threat surface. NIST's definitions are based on documents such as &lt;a target="_blank" href="https://doi.org/10.6028/NIST.SP.800-53r5" rel="noopener"&gt;NIST SP 800-53 Rev. 5&lt;/a&gt;, a cybersecurity and privacy framework.&lt;/p&gt;
 &lt;div class="pro-features-wrapper"&gt;&lt;/div&gt;
 &lt;p&gt;Some cybersecurity vendors, however, distinguish between attack surface and threat surface. Palo Alto Networks, for instance, defines attack surface as including "all possible vulnerabilities within an organization, whether actively exploited or not." The vendor describes threat surface as focusing "specifically on the vulnerabilities currently targeted by cybercriminals."&lt;/p&gt;
 &lt;p&gt;ASM and &lt;a href="https://www.techtarget.com/searchsecurity/definition/vulnerability-management"&gt;vulnerability management&lt;/a&gt;, meanwhile, are interrelated fields with the same general objective of reducing attack surfaces and improving an organization's security posture. Attack surface management takes a broader view: The practice looks for potential weaknesses in a dynamic threat landscape, while vulnerability management tends to focus on known vulnerabilities. But the two approaches can work together to cover immediate risks while averting anticipated problems.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Types and components of an attack surface"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types and components of an attack surface&lt;/h2&gt;
 &lt;p&gt;An organization's attack surface is the complete list of all points where a security exploit might occur. Types of attack surfaces include the following.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Digital attack surface. &lt;/b&gt;This area revolves around software vulnerabilities and network-connected entry points. Components include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Application programming interfaces.&lt;/li&gt; 
  &lt;li&gt;Cloud-based infrastructure.&lt;/li&gt; 
  &lt;li&gt;Internet-facing assets.&lt;/li&gt; 
  &lt;li&gt;Misconfigured software.&lt;/li&gt; 
  &lt;li&gt;SaaS applications.&lt;/li&gt; 
  &lt;li&gt;Shadow IT/shadow AI.&lt;/li&gt; 
  &lt;li&gt;Web applications.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;b&gt;Physical attack surface.&lt;/b&gt; This category spans hardware vulnerabilities and physical access points. Components include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Desktops, laptops and other endpoints.&lt;/li&gt; 
  &lt;li&gt;Enterprise storage systems.&lt;/li&gt; 
  &lt;li&gt;Operational technology and IoT systems.&lt;/li&gt; 
  &lt;li&gt;Removable media.&lt;/li&gt; 
  &lt;li&gt;Servers.&lt;/li&gt; 
  &lt;li&gt;Server rooms.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;b&gt;Human/social engineering attack surface.&lt;/b&gt; This area involves attacks that exploit human behavior and &lt;a href="https://www.techtarget.com/searchsecurity/definition/social-engineering"&gt;social engineering&lt;/a&gt; practices to access systems and data. Components include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Business email compromise.&lt;/li&gt; 
  &lt;li&gt;Deepfakes.&lt;/li&gt; 
  &lt;li&gt;Phishing/spear phishing.&lt;/li&gt; 
  &lt;li&gt;Smishing.&lt;/li&gt; 
  &lt;li&gt;Vishing.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;b&gt;Third-party attack surface.&lt;/b&gt; This area comprises an enterprise's suppliers, vendor partners and other entities that provide technology products or services. It also involves third-party suppliers. Components include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Cloud provider vulnerabilities.&lt;/li&gt; 
  &lt;li&gt;Software dependencies.&lt;/li&gt; 
  &lt;li&gt;Supply chain vulnerabilities.&lt;/li&gt; 
  &lt;li&gt;Vendor-managed assets.&lt;/li&gt; 
  &lt;li&gt;Vendors' regulatory compliance status.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Attack surface types and components often overlap. Phishing, for example, can be viewed as both a digital and a human attack surface.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/attack_surface_management_characteristics-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/attack_surface_management_characteristics-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/attack_surface_management_characteristics-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/attack_surface_management_characteristics-f.png 1280w" alt="Graphic summarizing attack surface management evaluation criteria. " height="465" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Cybersecurity leaders have several ASM evaluation factors to consider.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;            
&lt;section class="section main-article-chapter" data-menu-title="Challenges for attack surface management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Challenges for attack surface management&lt;/h2&gt;
 &lt;p&gt;Enterprises and their cybersecurity leaders must consider the following factors when devising ASM strategies.&lt;/p&gt;
 &lt;h3&gt;Vast and complex IT resources&lt;/h3&gt;
 &lt;p&gt;Perhaps the top challenge of ASM is that there's so much surface to manage. The enterprise IT footprint continues to grow, as does its intricacy.&lt;/p&gt;
 &lt;p&gt;Given the heterogeneity and complexity of today's technology, businesses face a difficult oversight task, said Nidhi Rastogi, assistant professor in the Department of Software Engineering at Golisano College of Computing and Information Sciences at the Rochester Institute of Technology. "Not everybody has the core knowledge or expertise in integrating these different environments together," she said.&lt;/p&gt;
 &lt;h3&gt;Evolving attack vectors&lt;/h3&gt;
 &lt;p&gt;Businesses face attack vectors, from cloud misconfigurations to zero-day vulnerabilities, that are "growing in variety and volume," according to a May 2025 &lt;a target="_blank" href="https://www.kuppingercole.com/research/lc80874/attack-surface-management" rel="noopener"&gt;report&lt;/a&gt; on attack surface management by KuppingerCole Analysts.&lt;/p&gt;
 &lt;p&gt;Traditional reactive cybersecurity methods can't effectively deal with the expanding set of sophisticated attack vectors. "Although reactive cybersecurity measures are still common," the report noted, "they leave significant gaps because they only respond after damage has occurred."&lt;/p&gt;
 &lt;h3&gt;The rise of AI in the enterprise&lt;/h3&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    The attack surface is getting expanded because of AI playing such a pivotal role.
   &lt;/figure&gt;
   &lt;figcaption&gt;
    &lt;strong&gt;Nidhi Rastogi&lt;/strong&gt;Assistant professor, Department of Software Engineering at Rochester Institute of Technology's Golisano College of Computing and Information Sciences
   &lt;/figcaption&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;IT environments incorporating the latest LLMs &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Explore-mitigation-strategies-for-LLM-vulnerabilities"&gt;have much more to monitor&lt;/a&gt;, Rastogi said. "The attack surface is getting expanded because of AI playing such a pivotal role," she explained. "And when you say AI, it means both the models, as well as the data, which is training these large models [and] GPUs powering these language models."&lt;/p&gt;
 &lt;p&gt;Leon Bian, vice president of product development, data security solutions, at Capital One Software, also noted &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/How-to-manage-generative-AI-security-risks-in-the-enterprise"&gt;AI's introduction of rapidly evolving attack surfaces&lt;/a&gt;. He cited models, APIs, data pipelines and training environments as potential entry points. "Threats can include prompt injection, model inversion, data poisoning and unauthorized access to sensitive training data," Bian said.&lt;/p&gt;
 &lt;p&gt;Capital One Software is the enterprise software business of financial services company Capital One.&lt;/p&gt;
 &lt;h3&gt;The need to extend ASM&lt;/h3&gt;
 &lt;p&gt;AI systems' attack surfaces might handle highly sensitive logic and data, but many of those components operate outside the traditional scope of attack surface management, according to Bian. This challenge requires businesses to extend ASM to cover AI assets, he said, noting that tasks include tracking where models are deployed and securing APIs.&lt;/p&gt;
 &lt;p&gt;"Securing AI systems," he said, "must become a core part of any modern ASM strategy -- and better yet, any cybersecurity program."&lt;/p&gt;
 &lt;h3&gt;Addressing the ASM's 'last mile'&lt;/h3&gt;
 &lt;p&gt;"The deployment of an attack surface management product is not the difficult part," Sethi said. "If you sit down with a practitioner, the toughest part is what I call the last mile. You have these tools giving you signals, so you know where you have problems. What does a security practitioner do once they know about an issue?"&lt;/p&gt;
 &lt;p&gt;The required actions include validating whether a particular signal is indeed an actual issue, determining who owns the problem and tracking its resolution within an organization's service level agreement, Sethi said, adding that these tasks are highly manual within security teams. "That takes a tremendous amount of time," she said. "That's the piece that really needs to be solved."&lt;/p&gt;
&lt;/section&gt;                   
&lt;section class="section main-article-chapter" data-menu-title="Best practices for attack surface management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Best practices for attack surface management&lt;/h2&gt;
 &lt;p&gt;Enterprises can adopt &lt;a href="https://www.techtarget.com/searchsecurity/tip/10-cybersecurity-best-practices-and-tips-for-businesses"&gt;best practices to address expanding attack surfaces&lt;/a&gt; and cyberthreats. CISOs and other cybersecurity managers should consider these five approaches.&lt;/p&gt;
 &lt;h3&gt;1. Select the appropriate ASM approach&lt;/h3&gt;
 &lt;p&gt;Selecting the right ASM approach to implement is a fundamental best practice, Shoard noted. Businesses must understand their most significant concerns and the types of attacks they aim to prevent.&lt;/p&gt;
 &lt;p&gt;Shadow IT is a common theme in that regard, Shoard said. An enterprise that doesn't know where all its assets reside also doesn't know what's exposed to attackers. In that case, external attack surface management might be the place to start. EASM tools and processes discover internet-facing assets and flag vulnerabilities that threat actors could exploit, according to Gartner.&lt;/p&gt;
 &lt;p&gt;Shoard said enterprises concerned with insiders or lacking good &lt;a href="https://www.techtarget.com/searchdatacenter/definition/configuration-management-database"&gt;configuration management database&lt;/a&gt; visibility might turn to cyber asset attack surface management (CAASM) offerings, which focus on internal assets and exposures, as well as external issues. Businesses worried about leaked credentials or brand imitation attacks might adopt digital risk protection services, he added. Those tools seek to shield digital assets from data breaches and reputational harm.&lt;/p&gt;
 &lt;h3&gt;2. Keep 'tool sprawl' in check&lt;/h3&gt;
 &lt;p&gt;ASM technology comes in various flavors, and adjacent technologies also contribute to protecting the attack surface. Organizations should seek ASM offerings that don't contribute to tool sprawl or technical debt, said Mir Kashifuddin, partner in PwC's data risk and privacy practice.&lt;/p&gt;
 &lt;p&gt;Indeed, recent research suggests businesses have started to focus their cybersecurity spending on ASM and related technologies. The "2025 State of Cybersecurity Report," &lt;a target="_blank" href="https://www.wipro.com/cybersecurity/reports/state-of-cybersecurity-report-2025/" rel="noopener"&gt;published&lt;/a&gt; in June by consultancy Wipro, noted that enterprises are "consolidating their budgets and allocating funds toward sectors within attack surface management." Sectors include CAASM, &lt;a href="https://www.techtarget.com/searchsecurity/definition/exposure-management"&gt;exposure management&lt;/a&gt;, continuous threat exposure management, penetration testing as a service and other ASM offerings.&lt;/p&gt;
 &lt;p&gt;Simplification is emerging as a strategic imperative, said Vinodh Kumar Allam, a practice partner in Wipro's cybersecurity and risk services. Consolidating tools and platforms, along with unified asset management and threat detection strategies, improves monitoring and centralizes control, he added.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/tips_to_reduce_attack_surfaces-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/tips_to_reduce_attack_surfaces-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/tips_to_reduce_attack_surfaces-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/tips_to_reduce_attack_surfaces-f.png 1280w" alt="Diagram providing tips on reducing attack surfaces." height="269" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Identifying assets and remediating entry points helps shrink attack surfaces.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;h3&gt;3. Keep ASM's scope in check&lt;/h3&gt;
 &lt;p&gt;ASM offerings can potentially gather enormous amounts of data, which Shoard said can create more problems than it solves. &lt;a href="https://www.techtarget.com/searchsecurity/opinion/6-steps-toward-proactive-attack-surface-management"&gt;Businesses should focus their use of ASM technology&lt;/a&gt;. "One of the core best practices is to be very directional," Shoard advised. "Don't go looking for problems you don't have the resources or the desire to fix."&lt;/p&gt;
 &lt;h3&gt;4. Replace outmoded security models&lt;/h3&gt;
 &lt;p&gt;With attack surfaces expanding, old ways of threat modeling might not suffice. "We used to have attack trees," Rastogi said, referring to hierarchical diagrams used to show ways an attacker might compromise an IT asset. "I don't think that would apply today because of the attack surface getting expanded."&lt;/p&gt;
 &lt;p&gt;Instead, Rastogi suggested NIST's AI Risk Management Framework, which provides an &lt;a target="_blank" href="https://www.nist.gov/itl/ai-risk-management-framework" rel="noopener"&gt;approach&lt;/a&gt; similar to attack trees and a way to understand complex attack vectors and attack surfaces. "I think this is the first place where we can start looking at how to manage this kind of environment," she said.&lt;/p&gt;
 &lt;h3&gt;5. Recognize the limits of ASM&lt;/h3&gt;
 &lt;p&gt;Attack surface management tools are highly assumptive and will identify a problem based on, for example, the version number of the software they discover, Shoard said. But the technology doesn't necessarily validate such findings.&lt;/p&gt;
 &lt;p&gt;"Don't trust anything ASM tells you in isolation," he cautioned. "You can't just blankly accept the findings." Instead, enterprises should consider ASM as a valuable starting point for identifying which potential exposures require deeper scans and &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step"&gt;assessing whether a genuine security gap exists&lt;/a&gt;, he noted.&lt;/p&gt;
&lt;/section&gt;                   
&lt;section class="section main-article-chapter" data-menu-title="How to choose an attack surface management tool"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to choose an attack surface management tool&lt;/h2&gt;
 &lt;p&gt;ASM is a complex field, and cybersecurity leaders must consider several evaluation factors when selecting a tool. Here's a sampling of criteria:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Integration with other cybersecurity tools. &lt;/b&gt;Osman Celik, a research analyst at KuppingerCole Analysts, emphasized the importance of integration as an evaluation factor. "It is not realistic to expand ASM to fix all the problems you might have," he said. "One of the first things customers need to take a look at is if ASM is able to provide connectors to other cybersecurity tools." He specifically cited integration with &lt;a href="https://www.techtarget.com/searchsecurity/definition/SOAR"&gt;security orchestration, automation and response&lt;/a&gt;, IT service management or other detection-and-response tools.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Links to upstream scanners. &lt;/b&gt;Shoard pointed to API integration with an upstream scanner, such as an exposure assessment platform. "You don't want to pick up all the findings from ASM and manually import them into the next stage of the assessment," he said.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Third-party risk capabilities. &lt;/b&gt;Celik said third-party risk management (TPRM) capabilities are becoming increasingly important, although not currently a common practice. "You will have a better view of the partner landscape," he said, referring to TPRM features. "There is no single company now around doing business by itself."&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Incident ticket generation. &lt;/b&gt;Customers should look for an ASM tool's ability to generate a case or incident ticket, Shoard said. Tickets help security organizations record findings and track issue resolutions, he added.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remediation features. &lt;/b&gt;Remediating the issues uncovered by an attack surface management tool is an important feature for customers. "Remediation capabilities are central to effective ASM and are consistently cited as a top customer priority," according to the May 2025 ASM report by KuppingerCole Analysts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Innovation. &lt;/b&gt;Technology evaluators should also consider an ASM platform's commitment to innovation. That could mean judicious use of AI or expanded automation capabilities, among other developments. Sethi sees ASM's future in AI. &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-agents"&gt;AI agents&lt;/a&gt;, she noted, have the potential to take on surface management tasks humans handle manually today. Those chores range from filing tickets to remediating issues.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Existing ASM products "will do the scanning, find the issues, but they leave you with everything after that -- the hands-on-keyboard part," Sethi said. "Some of those tools don't provide enough context on what a developer or DevOps person needs to do to fix these things."&lt;/p&gt;
 &lt;p&gt;In this context, an AI agent could pull all the necessary information from sources human security personnel would typically access. A security analyst, for example, might look up an asset owner on the organization's intranet or visit websites to validate an ASM's suggested fixes.&lt;/p&gt;
 &lt;p&gt;"You should be able to automate all of that [and] have an agent decide what needs to be done," Sethi said. A human might still be in the loop and give the tool the okay to file a ticket, assign it to the owner and point to the SLA, she added.&lt;/p&gt;
 &lt;p&gt;Celik, meanwhile, said he's seeing early signs of innovation in automated remediation. He said ASM vendors' remediation capabilities have typically involved providing recommendations, step-by-step guidance on how to mitigate a vulnerability or proactively shut down a threat. A human, however, would need to follow those steps. But now, a handful of vendors pursue automation in this area.&lt;/p&gt;
 &lt;p&gt;"There are some solutions that are already offering automated remediation without any security team member involved," Celik said. "Some of them are very promising."&lt;/p&gt;
 &lt;p&gt;Innovation helps enterprises prepare for the inevitable &lt;a href="https://www.techtarget.com/searchsecurity/feature/What-is-the-future-of-cybersecurity"&gt;changes ahead in cybersecurity&lt;/a&gt;. KuppingerCole Analysts includes innovation in its assessments of ASM technology providers. "Those vendors that score higher on innovation," Celik said, "are more likely to be future proof."&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;John Moore is a writer for Informa TechTarget covering the CIO role, economic trends and the IT services industry.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Attack surface management can help CISOs and other cybersecurity managers address the growth in the number of potential entry points threat actors might exploit.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g817486228.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/What-is-attack-surface-management-and-why-is-it-necessary</link>
            <pubDate>Mon, 30 Jun 2025 10:00:00 GMT</pubDate>
            <title>What is attack surface management? Guide for organizations</title>
        </item>
        <item>
            <body>&lt;p&gt;At its annual Zenith Live user conference, Zscaler introduced several new capabilities to better address some of the top challenges IT and security teams face: securing distributed, cloud-centric environments, consistently protecting data across all channels, and simplifying and optimizing security operations.&lt;/p&gt; 
&lt;p&gt;While remaining committed to its core network security offerings, Zscaler has also heavily focused on data security as well as security operations, creating the three pillars CEO Jay Chaudhry focused on in his keynote: zero-trust everywhere, data security everywhere and agentic operations.&lt;/p&gt; 
&lt;p&gt;These pillars are closely intertwined. &lt;a target="_blank" href="https://research.esg-global.com/reportaction/515201747/Marketing" rel="noopener"&gt;Research&lt;/a&gt; from Omdia's Enterprise Strategy Group found that 39% of organizations plan to enhance analytics, detection, and response capabilities over the next 12-18 months to implement or optimize their zero-trust strategies, while 28% expect to incorporate more data-centric controls. Following the shift to work from home, many zero-trust strategies have become over-focused on ZTNA and secure access as the prominent use case. As the market view has expanded, Zscaler has followed suit.&lt;/p&gt; 
&lt;p&gt;The messaging at the event felt much more direct than in past years. Rather than broadly speaking to the benefits a Zscaler-oriented approach can provide, Zscaler's leadership was blunt in their expectations around eliminating well-known technologies such as firewalls, VPNs, NAC, VDI, SD-WAN, switches, ExpressRoute, Direct Connect, and more.&lt;/p&gt;
&lt;p&gt;In their view, these approaches do not adequately protect the modern enterprise because they rely on static, siloed, expensive tools. However, the cost savings Zscaler cited were internally calculated, so how applicable they are to any specific customer is unclear. Further, not every organization will eschew decades of established security practices, so while Zscaler continues to see strong results, it will likely take time to gain broad adoption of the firewall-free, internet café-like branch it envisions.&lt;/p&gt; 
&lt;p&gt;There were a variety of announcements and highlights across all three areas over the two days, but some of the most interesting included:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;&lt;b&gt;Red Canary. &lt;/b&gt;With &lt;a href="https://www.darkreading.com/cybersecurity-operations/zscaler-buyout-red-canary-telemetrys-value"&gt;this acquisition&lt;/a&gt; still fresh, not a lot of time was spent on specifics. However, what was shared was that it should not be seen as a pivot to managed detection and response (&lt;a href="https://www.techtarget.com/whatis/definition/managed-detection-and-response-MDR"&gt;MDR&lt;/a&gt;). Zscaler will work with partners to serve customers in the MDR space and take advantage of Red Canary's AI SecOps technology, coupled with its own data fabric capabilities from the Avalor acquisition, to fully enter the security operations space and optimize the use of the data and threat signals being collected.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Endpoint Context. &lt;/b&gt;Network telemetry can only provide so much context on its own. Sophisticated attacks often need additional indicators to detect. The Endpoint Context capability Zscaler has integrated into the Zscaler Client Connector helps close this gap and provide application, process, and vulnerability insights, as well as detection of living-off-the-land attacks. This follows a trend of network-centric vendors expanding into the endpoint space and should provide value to Zscaler customers.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Zero Trust Gateway service for cloud. &lt;/b&gt;Over the last 18 months, many firewall vendors have introduced &lt;a href="https://www.techtarget.com/searchsecurity/opinion/Cloud-native-firewalls-the-next-step-in-network-security"&gt;cloud-native firewalls&lt;/a&gt; to address the complexity of virtual machine deployments in highly dynamic environments. Zscaler's Zero Trust Gateway for cloud follows this path, offering a managed services option that offloads many of the configuration, lifecycle management, scaling, and log management tasks to Zscaler. This allows customers to focus on the business policies they want to implement rather than managing infrastructure.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Unified Appliance for Zero Trust Branch. &lt;/b&gt;Zscaler's key appliance, launched at Zenith, unifies control over both connectivity and north/south and east/west traffic control in a single device. This covers branches, campuses, and factories, and segments OT and IoT devices within them. It also provides disposable jump boxes that provide contractors with secure, time-bound access to critical connected systems.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Zero Trust Exchange for B2B. &lt;/b&gt;Zscaler has been focused on third-party access, and merger and acquisition use cases for quite a while with its Private Access system. The B2B Exchange will augment and streamline these capabilities via tenant federation to allow customers to expose certain applications and application segments to partners that are Zscaler customers.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;At first glance, it might seem that Zscaler aims to be the one-stop cyber shop for its customers. With &lt;a href="https://www.techtarget.com/searchsecurity/opinion/Too-many-pointless-tools-Platformization-is-better"&gt;platformization a key trend&lt;/a&gt; in the industry, that would not be a surprising strategy. But on the whole, Zscaler has a fairly pragmatic view of where platforms fit, believing that while it does make sense to use a variety of vendors for inline controls, it is also unrealistic to expect one vendor to be able to provide every capability an enterprise needs. For example, while introducing Endpoint Context, it does not seek to be an &lt;a href="https://www.techtarget.com/searchsecurity/definition/endpoint-detection-and-response-EDR"&gt;endpoint detection and response&lt;/a&gt; vendor. This aligns with how customers view platforms -- a means to an end to reduce complexity and improve interoperability, but without sacrificing capabilities or efficacy.&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;John Grady is a principal analyst at Enterprise Strategy Group, now part of Omdia, who covers network security. Grady has more than 15 years of IT vendor and analyst experience.&lt;/i&gt;&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Enterprise Strategy Group is now part of Omdia. Its analysts have business relationships with technology vendors. &lt;/i&gt;&lt;/p&gt;</body>
            <description>Zscaler has expanded beyond ZTNA with three strategic pillars and aims to challenge traditional security infrastructure.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/opinion/Zscaler-delivers-network-data-security-tools-at-Zenith-Live</link>
            <pubDate>Mon, 16 Jun 2025 18:21:00 GMT</pubDate>
            <title>Zscaler delivers network, data security tools at Zenith Live</title>
        </item>
        <item>
            <body>&lt;p&gt;Smart contracts are self-executing programs that run on VMs and are stored on a blockchain. They automate how agreements are completed after certain conditions are met. Smart contracts underpin the integrity of transactions, including those that initiate key business and financial services. A smart contract audit is one way to ensure these programs work as designed.&lt;/p&gt; 
&lt;p&gt;Smart contracts are used for a variety of purposes, including orchestrating business processes, transferring assets and initiating services, among others. The process is straightforward: Once all provisions of a particular transaction or request have been satisfied, the contract responds accordingly.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchcio/definition/blockchain"&gt;Blockchain's&lt;/a&gt; inherent security makes smart contracts difficult to compromise. Instead of being deployed on centralized networks where control resides in a single location, smart contracts are installed on decentralized networks with control and management functions embedded across each node. User files and data hold access and security codes, so regardless of where data travels, its credentials are available.&lt;/p&gt; 
&lt;p&gt;This doesn't mean smart contracts are problem-free. If a contract has coding issues or is hacked, for example, it must be replaced by a new contract. This is where a smart contract audit pays off. It ensures any &lt;a href="https://www.techtarget.com/searchsecurity/tip/Smart-contract-vulnerabilities-and-how-to-mitigate-them"&gt;flaws, errors or vulnerabilities&lt;/a&gt; are addressed before the smart contract is uploaded to a blockchain and used.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is a smart contract audit?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a smart contract audit?&lt;/h2&gt;
 &lt;p&gt;Because smart contracts play important roles in executing business logic -- often autonomously -- and contain critical data, security is paramount. Once a smart contract is on a blockchain, it is accessible by anyone. Any flaws, therefore, are also accessible by anyone.&lt;/p&gt;
 &lt;p&gt;A smart contract audit evaluates a &lt;a href="https://www.techtarget.com/searchapparchitecture/tip/How-to-create-a-smart-contract-using-Ethereum"&gt;smart contract's code&lt;/a&gt;. These audits can be automated or performed manually. Most importantly, they should be completed prior to putting a smart contract on a blockchain. Audits examine smart contract code from multiple perspectives to do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Pinpoint coding errors, flaws and subpar code.&lt;/li&gt; 
  &lt;li&gt;Identify security vulnerabilities.&lt;/li&gt; 
  &lt;li&gt;Measure reliability and performance.&lt;/li&gt; 
  &lt;li&gt;Prevent security attacks.&lt;/li&gt; 
  &lt;li&gt;Identify logic errors.&lt;/li&gt; 
  &lt;li&gt;Find issues with storage, data, memory, environments, logs and other metrics.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Successful smart contract audits remediate any issues they might uncover. Organizations that identify and remediate flaws before contracts are deployed can be more confident that they are reliable and safe.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Why is a smart contract audit needed?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is a smart contract audit needed?&lt;/h2&gt;
 &lt;p&gt;Once a smart contract is deployed on blockchain, it cannot be changed. Issues as small as a coding error could lead to security vulnerabilities, &lt;a target="_blank" href="https://www.infrascale.com/data-loss-statistics-usa/" rel="noopener"&gt;breaches and financial losses&lt;/a&gt;. Following are reasons why audits are necessary:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Security confirmation and validation.&lt;/b&gt; Vulnerabilities, such as reentrancy attacks and unchecked external calls, are identified and addressed to prevent exploitation.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Minimize financial losses.&lt;/b&gt; Flawed and unaudited smart contracts have cost companies billions of dollars from breaches and other incursions.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Code integrity validation.&lt;/b&gt; Audits ensure and confirm that contracts will perform correctly using best practices.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Compliance.&lt;/b&gt; Depending on where they are put on blockchain, local jurisdictions could require smart contracts to meet security and other requirements.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Credibility and trust confirmation.&lt;/b&gt; Audit results verify that smart contracts are secure, boosting investor and user confidence and trust.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Who performs smart contract audits?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Who performs smart contract audits?&lt;/h2&gt;
 &lt;p&gt;Smart contract auditing requires special expertise that differs from &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prepare-for-a-cybersecurity-audit"&gt;general IT&lt;/a&gt; or system and organizational control audits. IT departments and internal audit departments can conduct their own smart contract examinations, but expert coding and logic skills are key prerequisites.&lt;/p&gt;
 &lt;p&gt;Because many organizations do not have this expertise in-house -- or because they want a third party to do the work -- they can hire smart contract audit specialists. These companies have the experience and knowledge, as well as the specialized software, to properly analyze a contract's code in detail to identify potential problems.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How to perform a smart contract audit"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to perform a smart contract audit&lt;/h2&gt;
 &lt;p&gt;The exact steps of a smart contract audit will vary from contract to contract. In general, smart contract audit steps include the following:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Define the audit and secure management approval.&lt;/b&gt; This includes the scope and objectives of the audit. Obtain management approval before the audit commences.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Identify the audit team.&lt;/b&gt; Assuming employees have the proper coding and analytic skills, audit team members can come from internal audit and IT departments. Otherwise, use an external smart contract auditing firm. Teams can also include both internal and external resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Collect evidence.&lt;/b&gt; This includes documentation that describes the smart contract, its purpose and activities, how it was designed and developed, how it operates when executing, testing results and other relevant documents. Access to the code is essential.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Freeze code.&lt;/b&gt; Once evidence has been collected and access to code is available, enact a freeze on all code changes. This prevents any changes from affecting the integrity and accuracy of the code analysis and the overall audit.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Perform automated code analyses.&lt;/b&gt; This step is where the actual field work begins. Launch automated tools to examine code for anomalies and suspicious code that might suggest security vulnerabilities. These tools can examine many different criteria. Results might indicate further analysis is needed. It might also be useful to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Pen-testing-guide-Types-steps-methodologies-and-frameworks"&gt;conduct penetration tests&lt;/a&gt; to identify potential security flaws.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Perform manual code analyses.&lt;/b&gt; Once the automated tools have finished, manually examine lines of code to find issues the tools might have missed. Refer to smart contract documentation to determine if the code, as written, will execute as it was designed. A manual review, in combination with automated testing, produces the best results.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/top_smart_contract_vulnerabilities-h.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/top_smart_contract_vulnerabilities-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/top_smart_contract_vulnerabilities-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/top_smart_contract_vulnerabilities-h.png 1280w" alt="Image listing the top smart contract vulnerabilities." height="355" width="279"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Smart contract audits can help prevent many smart contract vulnerabilities.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;ol start="7" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Remediate any identified issues.&lt;/b&gt; Resolve any issues once the code analysis is complete. This is especially important to ensure the code is correct and secure. Test the remediated code to verify it works correctly before it is deployed.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Prepare and deliver a smart contract audit report.&lt;/b&gt; The report, including recommendations, should include all the evidence gathered, the results of code analyses, remediation and testing, and any other activities. If more post-audit work is needed, determine when those activities must be completed and document those decisions.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How much does a smart contract audit cost?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How much does a smart contract audit cost?&lt;/h2&gt;
 &lt;p&gt;The cost of a smart contract audit is based on several factors, including the complexity of the contract, the number of lines of code to be audited, the reputation of the audit firm and the turnaround time required. Following is a general breakdown of fees, based on Informa TechTarget internet research:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Simple contracts (fewer than 1,000 lines of code): $3,000 to $10,000.&lt;/li&gt; 
  &lt;li&gt;Medium complexity contracts (1,000-5,000 lines of code): $10,000 to $50,000.&lt;/li&gt; 
  &lt;li&gt;Highly complex contracts (5,000-plus lines of code), such as decentralized financial protocols or custom decentralized exchanges: $50,000 to $100,000-plus.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Top-tier audit firms could charge premium rates, and expedited audits often come at a higher cost. If a specific quote is needed, firms such as CertiK and Quantstamp provide pricing details based on project requirements.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Smart contract audit tools and audit firms"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Smart contract audit tools and audit firms&lt;/h2&gt;
 &lt;p&gt;The following are lists of smart contract audit tools and audit firms as identified from Informa TechTarget internet research.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Smart contract auditing requires special expertise that differs from general IT or system and organizational control audits.
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;h3&gt;Smart contract audit tools&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Manticore.&lt;/b&gt; Symbolic execution-based tool for smart contract security.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Mythril.&lt;/b&gt; Symbolic execution-based security analysis tool that detects security issues in Ethereum-based smart contracts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;MythX.&lt;/b&gt; Cloud-based security analysis tool.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Scribble.&lt;/b&gt; Specification language and runtime tool that translates high-level specifications into Solidity code.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Securify v2.0.&lt;/b&gt; Verification tool for Solidity contracts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Slither.&lt;/b&gt; Static analysis tool for Solidity and Vyper contracts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;SmartCheck.&lt;/b&gt; Analysis tool for detecting bugs in Solidity-based smart contract code.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Smart contract audit firms&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;CertiK.&lt;/b&gt; Provides Web3 smart contract auditing.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;ConsenSys Diligence.&lt;/b&gt; Provides smart contract security and audit services.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cyfrin.&lt;/b&gt; Provides smart contract auditing and research.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Hacken.io.&lt;/b&gt; Provides smart contract auditing services.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;KPMG.&lt;/b&gt; Provides smart contract auditing.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;QuillAudits.&lt;/b&gt; Provides smart contract auditing.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Solidified.&lt;/b&gt; Provides smart contract auditing.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="How to select a smart contract audit tool"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to select a smart contract audit tool&lt;/h2&gt;
 &lt;p&gt;When evaluating and selecting a smart contract audit tool, consider the following factors:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Security features.&lt;/b&gt; Tools should offer vulnerability detection, formal verification and &lt;a href="https://www.techtarget.com/searchsecurity/tutorial/Fuzzy-about-fuzz-testing-This-fuzzing-tutorial-will-help"&gt;fuzz testing&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Blockchain support.&lt;/b&gt; The tool should support the blockchain platform being used -- for example, Ethereum, Solana and Polkadot.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Automated vs. manual auditing.&lt;/b&gt; Based on audit needs, consider tools that provide automated scanning. Nonautomated tools require manual review by trained professionals.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Support community.&lt;/b&gt; Tools with an active user community might be more reliable and easier to fix.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Financials.&lt;/b&gt; Consider free tools vs. others that require a subscription or one-time payment.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="The impact of AI on smart contract auditing"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The impact of AI on smart contract auditing&lt;/h2&gt;
 &lt;p&gt;Here are some ways &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/Assess-and-manage-the-risks-of-using-AI-for-business"&gt;AI is changing&lt;/a&gt; smart contract auditing.&lt;/p&gt;
 &lt;h3&gt;Positive impacts&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Enhanced vulnerability detection.&lt;/b&gt; Automated AI-based tools scan smart contracts for security flaws and other issues much more rapidly than manual audits.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Code review using natural language processing.&lt;/b&gt; AI examines contract documentation and maps it to the actual code, ensuring compliance.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security via machine learning.&lt;/b&gt; Machine learning helps improve risk assessments and security issues by using AI's ability to learn from past audits and assessments.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Formal verification improvements.&lt;/b&gt; The accuracy of mathematical proofs used for smart contract logic validation can identify suspicious behavior.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Potential risks&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;False positives and negatives.&lt;/b&gt; Human expertise is needed in situations where AI &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Why-does-AI-hallucinate-and-can-we-prevent-it"&gt;incorrectly identifies&lt;/a&gt; harmless code as a security risk.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Suspicious exploits.&lt;/b&gt; Attackers could create malicious contracts using AI to bypass security screens.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Automation vs. human expertise.&lt;/b&gt; AI speeds up the audit process, but organizations might still need to bring in experts who can analyze complex security issues.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing. &lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Smart contracts ensure the integrity of transactions, such as those that initiate key services. A smart contract audit is one way to ensure the programs work as designed.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a244600171.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/How-to-conduct-a-smart-contract-audit-and-why-its-needed</link>
            <pubDate>Fri, 13 Jun 2025 00:00:00 GMT</pubDate>
            <title>What a smart contract audit is, and how to conduct one</title>
        </item>
        <item>
            <body>&lt;p&gt;Ransomware as a service (RaaS) is a subscription-based business model that enables threat actors, also called &lt;i&gt;affiliates&lt;/i&gt;, to launch &lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;ransomware&lt;/a&gt; attacks by accessing and using predeveloped ransomware tools.&lt;/p&gt; 
&lt;p&gt;Ransomware is a type of malware that locks and encrypts a victim's data, files, devices or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment.&lt;/p&gt; 
&lt;p&gt;In RaaS, the author of the ransomware makes the software or pay-for-use &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; available to its affiliates, who use it to hold an organization's data hostage. The use of RaaS lets affiliates receive a percentage of each successful ransom payment, entering an area of extortion practices previously exclusive to ransomware authors or experienced hackers.&lt;/p&gt; 
&lt;p&gt;This business model enables the malware author to scale earnings from their software, incurring less personal risk than if using it themselves. Offering their software to others shields the malware author from the consequences of the final crime by having another person perform the actual act of ransom. RaaS is also useful for threat actors who do not have the technical skills to create the malicious software themselves.&lt;/p&gt; 
&lt;p&gt;Despite ransomware and RaaS being considered criminal exercises that are almost always illegal worldwide, these types of &lt;a href="https://www.techtarget.com/searchsecurity/news/10-of-the-biggest-cybersecurity-stories-of-2024"&gt;cybersecurity breaches have become more common&lt;/a&gt;.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How does ransomware as a service work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does ransomware as a service work?&lt;/h2&gt;
 &lt;p&gt;RaaS is all about providing ransomware in a software as a service (&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service"&gt;SaaS&lt;/a&gt;) model. At the top of the organizational hierarchy is the RaaS operator who develops the ransomware &lt;a href="https://www.techtarget.com/searchsecurity/definition/payload"&gt;payload&lt;/a&gt; that encrypts user data.&lt;/p&gt;
 &lt;p&gt;The ransomware operator also manages all back-end infrastructure to run the ransomware campaign. This involves the ransomware code, a portal that enables potential customers to sign up and use the service and customer service to support campaigns. Full-service RaaS operators also handle ransomware payments -- typically using a &lt;a href="https://www.techtarget.com/whatis/definition/cryptocurrency"&gt;cryptocurrency&lt;/a&gt;, such as &lt;a href="https://www.techtarget.com/whatis/definition/Bitcoin"&gt;bitcoin&lt;/a&gt; -- and provide decryption keys to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Should-companies-pay-ransomware-and-is-it-illegal-to"&gt;victims who pay the ransom&lt;/a&gt;. In addition, RaaS operators actively advertise their services on different underground forums across the &lt;a href="https://www.techtarget.com/whatis/definition/dark-web"&gt;dark web&lt;/a&gt; to recruit affiliates.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/how_the_raas_profit_sharing_model_works-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/how_the_raas_profit_sharing_model_works-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/how_the_raas_profit_sharing_model_works-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/how_the_raas_profit_sharing_model_works-f.png 1280w" alt="An image showing how the RaaS profit-sharing model works." height="282" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;This shows how RaaS works and how the revenue shared between the operator and affiliate changes depending on the RaaS model.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;The affiliates are the parties that use the ransomware after agreeing to a service fee based on each collected ransom.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Types of RaaS models"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of RaaS models&lt;/h2&gt;
 &lt;p&gt;There are several different business and revenue models for RaaS, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Monthly subscription.&lt;/b&gt; As a SaaS model, RaaS is offered to potential users on a subscription basis. Users pay a monthly flat fee and receive a small percentage of each successful ransom.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;One-time license fee.&lt;/b&gt; The RaaS model is offered to users for a one-time fee. After they make a one-time payment, users gain indefinite access to services and do not have to share profits with the RaaS operators.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Affiliate programs.&lt;/b&gt; An affiliate model has the underlying goal of increasing profits. The RaaS operator takes a predetermined percentage of every ransom payout made by victims.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Pure profit sharing.&lt;/b&gt; In this business model, once the affiliate purchases a license, profits are split among users and operators according to predetermined percentages.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Ransomware vs. ransomware as a service"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Ransomware vs. ransomware as a service&lt;/h2&gt;
 &lt;p&gt;Ransomware as a service takes ransomware and turns it into a product for other potential malicious actors.&lt;/p&gt;
 &lt;p&gt;The ransomware itself is the actual malware payload that's used to encrypt the data of a victim's system. Once a system is infected with ransomware, a &lt;a href="https://www.techtarget.com/searchsecurity/feature/Ransomware-negotiations-An-inside-look-at-the-process"&gt;ransom demand is made to the victim&lt;/a&gt; to pay a ransom. When the victim pays the ransom, the attacker provides a decryption key to restore the encrypted data -- although the attacker might still decide to keep the data locked. Some ransomware might also be designed as &lt;a href="https://www.techtarget.com/searchsecurity/definition/double-extortion-ransomware"&gt;double&lt;/a&gt; or &lt;a href="https://www.techtarget.com/searchsecurity/definition/triple-extortion-ransomware"&gt;triple extortion ransomware&lt;/a&gt; attacks, which provide more opportunities for the attacker to extort a ransom from the victim.&lt;/p&gt;
 &lt;p&gt;Ransomware developers provide RaaS to subscribers who pay to be affiliates of the program. RaaS expands the ransomware's accessibility and potential reach. Instead of a single group using ransomware code to attack victims, several groups of attackers can use RaaS to exploit victims with ransomware.&lt;/p&gt;
 &lt;p&gt;RaaS can also be more resilient than typical ransomware developed and deployed by a single threat actor. For example, RaaS operators are likely to have a professional infrastructure with the technical expertise to create new malware payloads while avoiding detection. Likewise, a specific RaaS operation can be more difficult to shut down, as catching an affiliate does not necessarily shut down the operators, and catching the operators does not necessarily shut down their affiliates. If an operator is caught, its respective affiliates can switch to another ransomware kit.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Examples of ransomware as a service"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Examples of ransomware as a service&lt;/h2&gt;
 &lt;p&gt;In recent years, ransomware authors have discovered the lucrative nature of running a RaaS operation. And there hasn't been any shortage of threat actor groups building out RaaS operations to spread ransomware across nearly every industry.&lt;/p&gt;
 &lt;p&gt;The following are some RaaS providers:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;RansomHub.&lt;/b&gt; Launched in February 2024, RansomHub RaaS is responsible for more than 210 attacks on water and wastewater facilities. It is believed to be the successor to Alphv, which has ties to Russian-affiliated countries.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;RTM Locker.&lt;/b&gt; Read the Manual (RTM) Locker emerged in early 2023. It evolved as a RaaS provider and is known to offer a standard affiliate-based business model. RTM affiliates are given a web interface to control their cybercrime operations along with a thorough explanation of the group's guidelines, goals and suggested offensive strategies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;REvil.&lt;/b&gt; While there are multiple RaaS operators, REvil is one of the most active. It was implicated in the Kaseya attack, which affected at least 1,500 organizations in July 2021. The group was also allegedly responsible for an attack on meat producer JBS USA in June 2021, in which the victim paid an $11 million ransom. In March 2021, REvil was also identified as being behind a ransomware attack on cyber insurance carrier CNA Financial.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;DarkSide.&lt;/b&gt; Among the most notorious RaaS operators, this group is reported to be responsible for the &lt;a href="https://www.techtarget.com/whatis/feature/Colonial-Pipeline-hack-explained-Everything-you-need-to-know"&gt;Colonial Pipeline attack&lt;/a&gt; in May 2021. DarkSide is thought to have gotten its start in August 2020 and was particularly active in the first few months of 2021.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;DoppelPaymer.&lt;/b&gt; DoppelPaymer has been linked to several incidents, including one against a hospital in Germany in 2020 that resulted in the death of a patient.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;LockBit.&lt;/b&gt; LockBit first emerged in September 2019 as the ABCD virus, named for the file extension the group uses to encrypt victims' files. Among its attributes is its ability to automatically self-propagate in a target network, making it an attractive RaaS for would-be attackers.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Maze.&lt;/b&gt; Maze appeared in 2019. Beyond encrypting user data, it also attempted to shame victims by threatening to share data publicly. The Maze RaaS officially shut down in November 2020. However, after its disbandment, cybercriminals have continued Maze's exploits using the name Egregor.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Dharma.&lt;/b&gt; Dharma Ransomware first emerged in 2016 and was initially known as CrySis. There have been many Dharma Ransomware variants over the years, but in 2020, Dharma emerged in a RaaS model.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Many different instances of ransomware attacks have occurred through RaaS. Organizations should be vigilant and proactive about &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-protect-against-malware-as-a-service"&gt;preventing these attacks&lt;/a&gt;.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How to prevent RaaS attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to prevent RaaS attacks&lt;/h2&gt;
 &lt;p&gt;The following are some &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-ransomware-6-key-steps-to-safeguard-assets"&gt;best practices to help mitigate the risk of ransomware&lt;/a&gt;:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Ensure data backup and recovery.&lt;/b&gt; The first and arguably most critical step is to have a &lt;a href="https://www.techtarget.com/searchdatabackup/tip/Major-data-backup-trends-to-watch"&gt;data backup and recovery plan&lt;/a&gt; in place. Ransomware encrypts data, rendering it inaccessible to users. If an organization has up-to-date backups that can be used in a recovery operation, this can reduce the effect of an attacker encrypting data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Update software.&lt;/b&gt; Ransomware often exploits known vulnerabilities in applications and operating systems. Updating software as patches and updates come out is necessary to help prevent ransomware and other cyberattacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use multifactor authentication.&lt;/b&gt; Some ransomware attackers use &lt;a href="https://www.techtarget.com/whatis/definition/credential-stuffing"&gt;credential stuffing&lt;/a&gt;, where passwords stolen from one site are reused on another to access user accounts. &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;Multifactor authentication&lt;/a&gt; reduces the effect of a single reused password, as a second factor is still needed to gain access.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Implement phishing protection.&lt;/b&gt; A common attack vector for ransomware is email &lt;a href="https://www.techtarget.com/searchsecurity/definition/phishing"&gt;phishing&lt;/a&gt;. Having some form of anti-phishing email security in place can potentially prevent RaaS attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use DNS filtering.&lt;/b&gt; Ransomware often communicates with a RaaS operator's platform using some form of command-and-control (&lt;a href="https://www.techtarget.com/whatis/definition/command-and-control-server-CC-server"&gt;C&amp;amp;C&lt;/a&gt;) server. Communications from an infected system to the C&amp;amp;C server almost always involve a Domain Name System (DNS) query. With a DNS filtering security service, organizations can identify when ransomware is attempting to communicate with the RaaS C&amp;amp;C and block the communications. This can help protect against infection.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Implement XDR endpoint security.&lt;/b&gt; Another critical layer for ransomware protection is endpoint protection and threat-hunting technologies, such as extended detection and response (&lt;a href="https://www.techtarget.com/searchsecurity/feature/From-EDR-to-XDR-Inside-extended-detection-and-response"&gt;XDR&lt;/a&gt;) and antivirus software. These technologies provide capabilities that can limit ransomware risks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Manage third-party security.&lt;/b&gt; To &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-manage-third-party-risk-in-the-supply-chain"&gt;avoid third-party breaches&lt;/a&gt;, businesses must monitor the security practices of all of their vendors.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Restrict access.&lt;/b&gt; To avert security issues, companies should limit administrative and system access to people who genuinely require it.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Educate staff.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-train-employees-to-avoid-ransomware"&gt;Regularly training employees&lt;/a&gt; on cybersecurity best practices and &lt;a href="https://www.techtarget.com/searchsecurity/definition/social-engineering"&gt;social engineering&lt;/a&gt; tactics can be an effective way for companies to prevent RaaS attacks and cyberthreats in general.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="The future of RaaS"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The future of RaaS&lt;/h2&gt;
 &lt;p&gt;The frequency of targeted ransomware attacks is increasing as the adoption of RaaS services grows. For example, ransomware accounted for 44% of cybersecurity breaches &lt;a target="_blank" href="http://verizon.com/business/resources/reports/dbir/#top-takeaways" rel="noopener"&gt;in 2024&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Some current RaaS trends are likely to continue. Encryption algorithms and evasion techniques could improve, while operators design ransomware for more targeted and specific attacks. Multilayered ransomware, such as double and triple extortion attacks, is also becoming more common.&lt;/p&gt;
 &lt;p&gt;The cybersecurity threat landscape constantly witnesses the emergence of new ransomware variants, placing pressure on security teams to respond by enforcing patching programs and quickly addressing known vulnerabilities. One key area is &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/generative-AI"&gt;generative AI&lt;/a&gt;, which has the potential to develop new custom ransomware variants and exploit vulnerabilities.&lt;/p&gt;
 &lt;p&gt;While it is difficult to determine the future trajectory of RaaS attacks with certainty, companies should proactively adopt measures to mitigate potential attacks.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Organizations across various industries face the risk of becoming targets of financially motivated cybercrime. Explore more about RaaS and other &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts"&gt;&lt;i&gt;ransomware trends and statistics&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Ransomware as a service (RaaS) is a subscription-based business model that enables threat actors, also called affiliates, to launch ransomware attacks by accessing and using predeveloped ransomware tools.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/5.jpg</image>
            <link>https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS</link>
            <pubDate>Wed, 11 Jun 2025 00:00:00 GMT</pubDate>
            <title>What is ransomware as a service (RaaS)?</title>
        </item>
        <item>
            <body>&lt;p&gt;A next-generation firewall (NGFW) is a network security device that combines traditional &lt;a href="https://www.techtarget.com/searchsecurity/definition/firewall"&gt;firewall&lt;/a&gt; capabilities with advanced features to detect and block sophisticated cyberattacks.&lt;/p&gt; 
&lt;p&gt;NGFWs are hardware-, software- or cloud-based. They offer traditional firewall features, such as detecting and blocking sophisticated attacks by enforcing &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-policy"&gt;security policies&lt;/a&gt; at the application, &lt;a href="https://www.techtarget.com/searchnetworking/definition/port"&gt;port&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchnetworking/definition/protocol"&gt;protocol&lt;/a&gt; levels, as well as the following advanced functions:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;Application awareness.&lt;/li&gt; 
 &lt;li&gt;Integrated intrusion prevention system (&lt;a href="https://www.techtarget.com/searchsecurity/definition/intrusion-prevention"&gt;IPS&lt;/a&gt;).&lt;/li&gt; 
 &lt;li&gt;Identity awareness -- enabling user and group control.&lt;/li&gt; 
 &lt;li&gt;Bridged and routed modes.&lt;/li&gt; 
 &lt;li&gt;Ability to use external intelligence sources.&lt;/li&gt; 
 &lt;li&gt;Advanced threat remediation.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Most NGFWs integrate at least three basic functions: enterprise firewall capabilities, IPS functions and application control.&lt;/p&gt; 
&lt;p&gt;Like the introduction of &lt;a href="https://www.techtarget.com/searchsecurity/answer/How-do-stateful-inspection-and-packet-filtering-firewalls-differ"&gt;stateful inspection&lt;/a&gt; in traditional firewalls, NGFWs bring additional context to the firewall's decision-making process. This context enables NGFWs to understand the details of web application traffic passing through them and to take action to block traffic that might exploit &lt;a href="https://www.techtarget.com/whatis/definition/vulnerability"&gt;vulnerabilities&lt;/a&gt;.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/ism_page14_graphic1_0913.png"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineImages/ism_page14_graphic1_0913_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/ism_page14_graphic1_0913_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/ism_page14_graphic1_0913.png 1280w" alt="Diagram showing the technology stack and where an NGFW fits." height="370" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;See where a next-generation firewall sits in the technology stack.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Next-generation firewall features"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Next-generation firewall features&lt;/h2&gt;
 &lt;p&gt;NGFWs combine many of the capabilities of traditional firewalls -- including &lt;a href="https://www.techtarget.com/searchnetworking/definition/packet-filtering"&gt;packet filtering&lt;/a&gt;, network address translation (&lt;a href="https://www.techtarget.com/searchnetworking/definition/Network-Address-Translation-NAT"&gt;NAT&lt;/a&gt;) and port address translation (&lt;a href="https://www.techtarget.com/searchnetworking/definition/Port-Address-Translation-PAT"&gt;PAT&lt;/a&gt;), URL blocking, and virtual private networks (&lt;a href="https://www.techtarget.com/searchnetworking/definition/virtual-private-network"&gt;VPNs&lt;/a&gt;) -- with quality of service (QoS) functionality and other features not found in traditional firewalls. These include intrusion prevention, SSL and &lt;a href="https://www.techtarget.com/searchsecurity/definition/Secure-Shell"&gt;SSH&lt;/a&gt; inspection, &lt;a href="https://www.techtarget.com/searchnetworking/definition/deep-packet-inspection-DPI"&gt;deep-packet inspection&lt;/a&gt;, reputation-based &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; detection and application awareness.&lt;/p&gt;
 &lt;p&gt;These application-specific capabilities help thwart the growing number of application attacks taking place at Layers 4-7 of the &lt;a href="https://www.techtarget.com/searchnetworking/definition/OSI"&gt;OSI network stack&lt;/a&gt;.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Benefits of next-generation firewalls"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of next-generation firewalls&lt;/h2&gt;
 &lt;p&gt;The different features of NGFWs combine to create unique benefits for users. NGFWs can often block malware before it enters a network, something traditional firewalls could not do.&lt;/p&gt;
 &lt;p&gt;NGFWs are also better equipped to address advanced persistent threats (&lt;a href="https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT"&gt;APTs&lt;/a&gt;) because they can integrate with &lt;a href="https://www.techtarget.com/whatis/definition/threat-intelligence-feed"&gt;threat intelligence feeds&lt;/a&gt;. NGFWs offer a low-cost option for &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-evaluate-NGFW-products-to-strengthen-cybersecurity"&gt;companies trying to improve basic device security&lt;/a&gt; using application awareness, inspection services, protection systems and awareness tools.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Challenges of next-generation firewalls"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Challenges of next-generation firewalls&lt;/h2&gt;
 &lt;p&gt;NGFWs are not without difficulties. They can be complicated to set up and maintain, which could require additional skills and expertise from security teams. They might also create an overload of alerts, including false positives, which puts increased pressure on security admins.&lt;/p&gt;
 &lt;p&gt;NGFWs need to integrate with other security tools, which can increase complexity and create interoperability issues. NGFWs also require integration and constant updates, for example, with threat intelligence feeds, to combat new and evolving threats. The advanced features of NGFWs can also introduce latency and scalability problems.&lt;/p&gt;
 &lt;p&gt;Additionally, while NGFWs offer more protection than traditional firewalls, they often have higher acquisition, implementation and operational costs.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Next-generation firewall vs. traditional firewall"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Next-generation firewall vs. traditional firewall&lt;/h2&gt;
 &lt;p&gt;While both next-generation and traditional firewalls aim to protect an organization's network and data assets, they have several similarities and differences.&lt;/p&gt;
 &lt;p&gt;The main similarities include static packet filtering to block packets at the point of interface to network traffic. They also both provide stateful packet inspection, network and port address translations, and both can set up VPN connections.&lt;/p&gt;
 &lt;p&gt;One of the most important differences between the firewalls is that NGFWs offer deep-packet inspection that goes beyond simple port and protocol inspection by inspecting the data carried in network packets. Other key differences are that NGFWs add application-level inspection, intrusion prevention and the ability to act on data provided by threat intelligence services.&lt;/p&gt;
 &lt;p&gt;NGFWs extend the traditional firewall functionality of NAT, PAT and VPN support to operate both in routed mode -- in which the firewall behaves as a &lt;a href="https://www.techtarget.com/searchnetworking/definition/router"&gt;router&lt;/a&gt; -- and in transparent mode -- in which the firewall behaves like a bump in the wire when it scans packets -- while also integrating new threat management technologies.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note: &lt;/b&gt;&lt;i&gt;Informa TechTarget editors revised this definition in 2025 to improve the reader experience.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A next-generation firewall (NGFW) is a network security device that combines traditional firewall capabilities with advanced features to detect and block sophisticated cyberattacks.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/next-generation-firewall-NGFW</link>
            <pubDate>Mon, 02 Jun 2025 09:00:00 GMT</pubDate>
            <title>What is a next-generation firewall (NGFW)?</title>
        </item>
        <item>
            <body>&lt;p&gt;The theme of &lt;a href="https://www.techtarget.com/searchsecurity/conference/RSA-Conference-news-and-analysis"&gt;RSAC 2025&lt;/a&gt; was "Many Voices, One Community," and while the number and diversity of the people involved in cybersecurity are the real focus of that theme, it can also be applied to the breadth of practices, technologies and vendors that constitute our industry as well.&lt;/p&gt; 
&lt;p&gt;Ten years ago, you could neatly group most vendors into a handful of buckets. Now, the lines are blurred, and the number of buckets needed is overwhelming. While the end goal of aligning us as one community is ultimately the same -- helping customers reduce risk, limit attacks and protect valuable assets -- the complexity within cybersecurity continues to grow.&lt;/p&gt; 
&lt;p&gt;On a positive note, there did seem to be an acknowledgement of that fact at the conference, with multiple trends emerging to address this issue. Key takeaways from RSAC 2025 included the following.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Tool and platform proliferation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Tool and platform proliferation&lt;/h2&gt;
 &lt;p&gt;If everyone has a platform, does anyone have a platform? We've acknowledged that there are too many point tools, which create too many silos. At the same time, we know it's unrealistic, especially for an enterprise, to standardize on one or two platforms. We now have a variety of platforms available for different use cases. This isn't a bad thing. It addresses part of the &lt;a href="https://www.techtarget.com/searchsecurity/opinion/Too-many-pointless-tools-Platformization-is-better"&gt;point tool fatigue issue&lt;/a&gt;, while keeping some lines of delineation across cybersecurity in place -- i.e., network security, application security, security operations, etc.&lt;/p&gt;
 &lt;p&gt;In most cases, buyers are adopting a platform for specific capabilities in the short term but want to understand where they may be able to expand over time. The vendors that get that and support product strategies around that motion will see better success through better customer outcomes.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Security is critical, but…"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Security is critical, but…&lt;/h2&gt;
 &lt;p&gt;Obviously, security is at the core of what every vendor at RSAC Conference does. Yet, while half of my conversations were focused on security enhancements, the other half were about supporting digital transformation, addressing new network and application dynamics, or improving the experience and efficiency around management.&lt;/p&gt;
 &lt;p&gt;This serves to reinforce a couple points. First, few organizations will go with the best security software if it is difficult to use; there must be a balance. Second, security teams are still playing catch-up. As soon as one new innovation is addressed, something else comes up. We're still &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-11-cloud-security-challenges-and-how-to-combat-them"&gt;working on securing the cloud&lt;/a&gt; in many cases, and now, AI is on every organization's radar.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Security and GenAI"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Security and GenAI&lt;/h2&gt;
 &lt;p&gt;There's still some level of confusion even among vendors on how to convey exactly what they're addressing when it comes to &lt;a href="https://www.techtarget.com/searchsecurity/feature/Explaining-AIs-impact-on-ransomware-attacks-and-security"&gt;security and AI&lt;/a&gt;. Enforcing access policies and controls for public generative AI apps, protecting internally built applications that use GenAI and using GenAI for security tools are very different use cases.&lt;/p&gt;
 &lt;p&gt;The first and last are quickly being fully integrated, with many vendors not charging for these capabilities. The middle case is where there's the most innovation and fragmentation from a tool perspective. It's important for buyers to fully understand where they are on the GenAI journey, what their needs are now and how that will change over time.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Network and endpoint security convergence accelerates"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Network and endpoint security convergence accelerates&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchnetworking/The-complete-Secure-Access-Service-Edge-SASE-guide"&gt;Secure access service edge&lt;/a&gt; (SASE) has focused on converging network and security capabilities from the beginning. Over the last year, though, there's been a steady line of enterprise browser enhancements from these vendors.&lt;/p&gt;
 &lt;p&gt;This addresses three key areas: It closes security gaps in the last mile within the browser, where network-based tools do not have visibility; better addresses the unmanaged device use case for secure access; and helps maintain protection -- at least for browser-based activity -- when decryption may not be ideal due to privacy concerns. While dedicated enterprise browser vendors will undoubtedly disagree, it feels like these solutions are complementary to SASE and fit well into that architecture.&lt;/p&gt;
 &lt;p&gt;While more was discussed, these themes were central to the network security discussions I had. I expect the rest of this year to move just as quickly as the last 12 months, so it will be interesting to look back after RSAC 2026 and see how far we were able to advance some of these initiatives.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;John Grady is a principal analyst at Enterprise Strategy Group, a division of Omdia, who covers network security. Grady has more than 15 years of IT vendor and analyst experience.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Omdia's Enterprise Strategy Group analysts have business relationships with technology vendors.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Themes on display at the conference reflected the cybersecurity industry's effort to streamline security operations, while adapting to emerging technologies and threats.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/2.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/opinion/Key-network-security-takeaways-from-RSAC-2025</link>
            <pubDate>Wed, 07 May 2025 15:25:00 GMT</pubDate>
            <title>Key network security takeaways from RSAC 2025</title>
        </item>
        <item>
            <body>&lt;p&gt;People should no longer have to append their initials to a document's file name or use other naming conventions to track document versions and collaborate. Unfortunately, this practice still happens.&lt;/p&gt; 
&lt;p&gt;While document versioning has progressed significantly over the past few decades, many organizations still lack the necessary management skills to improve this strategy. Although these changes have helped streamline work, they have allowed organizations to fall into bad &lt;a href="https://www.techtarget.com/whatis/definition/version-control"&gt;version control&lt;/a&gt; habits. Organizations must embrace proper version control to optimize their content management system's (CMS) potential and provide authoritative document collections for training enterprise-scale large language models (LLMs).&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is document version control?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is document version control?&lt;/h2&gt;
 &lt;p&gt;Document version control is a planned strategy for managing file updates within a document repository. When all enterprise content management (ECM) systems ran on-premises and file storage was a cost consideration, versioning was a conscious choice. Content teams had to balance revision tracking with storage limitations, costs and business requirements, and everyone knew what versions were retained and discarded.&lt;/p&gt;
 &lt;p&gt;In the modern cloud-based ECM world, organizations worry less about storage. Versioning is automatic and often hidden from view. While most &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/4-tips-for-migrating-ECM-to-the-cloud"&gt;cloud content management&lt;/a&gt; providers offer some default degree of versioning, they may lack structure, so it's not truly version control. Keeping the last 50 copies of a document is versioning, but it is far from a version control strategy.&lt;/p&gt;
 &lt;p&gt;However, content teams should not introduce complexity. Version control works best when people know they have it and can use it without slowing down. Versioning strategies must fit seamlessly within an organization and meet regulatory and compliance requirements.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How does version control work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does version control work?&lt;/h2&gt;
 &lt;p&gt;Document version control uses an OS' file management capabilities and ability to read data from and write data to a storage device. A document is stored as a file within the OS file system. It has a file name and essential attributes, such as the date and time created, size and &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-access-control"&gt;access control privileges&lt;/a&gt;.&lt;/p&gt;
 &lt;div class="pro-features-wrapper"&gt;&lt;/div&gt;
 &lt;p&gt;A file system supports four fundamental operations, commonly called CRUD: creating, reading, updating and deleting a file. Saving changes to a file generates a new version within the file system.&lt;/p&gt;
 &lt;p&gt;An ECM system uses CRUD operations to manage document versioning. It organizes the stored files within a content repository and provides predefined fields, including title and author, linked to the file names. The ECM system maintains a list of file versions to generate a history of successive updates. It uses this history to support versioning &lt;a href="https://www.forrester.com/blogs/ai-wakes-the-sleeping-giant-continuous-improvement-will-finally-fulfill-its-promise/" target="_blank" rel="noopener"&gt;operations&lt;/a&gt;, such as restoring prior versions, tracking versions and viewing version history. The history also provides an audit trail of revisions.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Why do organizations need document version control?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why do organizations need document version control?&lt;/h2&gt;
 &lt;p&gt;Organizations need versioning to track updates to documents. And, with proper control, employees can undo common mistakes. Proper version control offers the following benefits:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Collaborate.&lt;/b&gt; Proper version control strategies can &lt;a href="https://www.techtarget.com/searchcontentmanagement/feature/What-is-content-collaboration-An-in-depth-guide"&gt;track multiple people's contributions&lt;/a&gt;. When collaborating and editing, employees can search, find and edit something another person changed.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Denote official and draft content.&lt;/b&gt; When dealing with policies and guidelines, employees can find official versions from prior years and drafts from revision processes. The latest version may not be the most recently approved, and proper version control can help employees distinguish between drafts and approved content.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;See past standards.&lt;/b&gt; Employees should know which document version was current when an action occurred. If an action from a year ago goes against current policy, employees can also refer to an older version to determine if it went against policy. Content teams must track and maintain approved versions for these scenarios and any associated &lt;a href="https://www.techtarget.com/searchcio/definition/regulatory-compliance"&gt;regulatory compliance&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Despite version control's benefits, it still poses challenges for the everyday content creator. Key challenges include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Storage.&lt;/b&gt; Even in &lt;a target="_blank" href="https://blogs.gartner.com/andrew-lerner/2021/04/09/storage-as-a-service-staas/" rel="noopener"&gt;cloud&lt;/a&gt; environments, storage has limits and costs. Rules for how long employees should keep old versions can help mitigate these costs.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Management.&lt;/b&gt; The more versions an organization stores, the more effort it requires to &lt;a href="https://www.techtarget.com/searchcontentmanagement/feature/MAM-vs-DAM-Whats-the-difference"&gt;manage each document iteration&lt;/a&gt;. Some organizations may automate document versioning, but this is more easily achieved when version control is planned from the start. Planning sets employee expectations for document workflow and ensures compliance with an organization's content lifecycle policies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Complexity.&lt;/b&gt; Too little or too much control can create challenges. Employees need simple versioning to understand and use it well. No matter the approach, improper communication creates confusion.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Tips for managing document version control"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Tips for managing document version control&lt;/h2&gt;
 &lt;p&gt;To properly manage version control, content teams must fully understand the organization's needs. To determine the best version control implementation strategy, content teams should ask the following questions:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Does the document get published as multiple versions over time or only once?&lt;/li&gt; 
  &lt;li&gt;How long should employees &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/7-key-stages-of-enterprise-content-lifecycle-management"&gt;keep document drafts&lt;/a&gt;?&lt;/li&gt; 
  &lt;li&gt;How can content teams communicate how versioning helps overall productivity?&lt;/li&gt; 
  &lt;li&gt;What versions should an organization use to &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/How-to-train-an-LLM-on-your-own-data"&gt;train its LLM&lt;/a&gt; for an enterprise AI initiative?&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;When planning to manage versions, content teams shouldn't treat all content the same and must distinguish between draft and published versions. Many individuals handle distinct sets of content daily, but every group handles different types of content. Version control strategies should &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/Why-version-control-is-necessary-in-digital-asset-management"&gt;take these differences into account&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Content teams should also understand their current situation. If an organization uses a cloud-based CMS, versioning is likely already happening. Typically, that means every save generates a new version. If the CMS automatically saves documents, organizations have many versions saved. Additionally, the CMS may drop some important versions because people save their changes frequently.&lt;/p&gt;
 &lt;p&gt;No organization needs 50 versions of a document -- at least not weeks after employees create them. For each type of content, content teams should examine how the organization manages documents and what steps people take to meet their versioning needs. Documenting those needs helps content teams craft effective version control strategies.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;This article was originally written by Laurence Hart and expanded upon by Geoffrey Bock.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Laurence Hart is director of consulting services at CGI Federal and has more than 20 years of IT experience.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Geoffrey Bock is principal of Bock &amp;amp; Company and advises organizations on content technologies for business in the digital age.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Although best practices have changed, many organizations lack a suitable versioning strategy. Proper document version control can improve collaboration and fact-checking.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/folder-files08.jpg</image>
            <link>https://www.techtarget.com/searchcontentmanagement/tip/Why-is-document-version-control-important</link>
            <pubDate>Thu, 01 May 2025 09:00:00 GMT</pubDate>
            <title>Why is document version control important?</title>
        </item>
        <item>
            <body>&lt;p&gt;Providing both individuals and sites secure remote access to internal resources is a priority for organizations of all sizes. Prior to the COVID-19 pandemic, VPNs were the go-to technology. Since then, &lt;a href="https://www.techtarget.com/searchnetworking/tip/The-basics-of-zero-trust-network-access-explained"&gt;zero-trust network access&lt;/a&gt;, secure service edge and other related technologies have taken the remote access spotlight, but VPNs haven't gone away. In fact, VPNs underpin some of the newer offerings as well. This means the question of when it's better to deploy IPsec versus SSL VPNs remains.&lt;/p&gt; 
&lt;p&gt;While both provide enterprise-grade security and enable secure communications, they do so in different ways -- namely by performing encryption and authentication at different network layers. These differences directly affect both application and security services and should help organizations make deployment decisions.&lt;/p&gt; 
&lt;p&gt;In a nutshell, IPsec VPNs protect IP packets exchanged between remote hosts and an IPsec gateway located at the edge of the private network. SSL VPNs protect application traffic streams from remote users to a gateway. In other words, IPsec VPNs connect hosts or networks to a corporate network, while SSL VPNs connect an end user's application session to services inside a protected network.&lt;/p&gt; 
&lt;p&gt;Let's take a deeper look at IPsec vs. SSL VPNs.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is IPsec and how does it work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is IPsec and how does it work?&lt;/h2&gt;
 &lt;p&gt;Internet Protocol Security, or &lt;a href="https://www.techtarget.com/searchsecurity/definition/IPsec-Internet-Protocol-Security"&gt;&lt;i&gt;IPsec&lt;/i&gt;&lt;/a&gt;, is a suite of protocols and algorithms that secure data transmitted over the internet and public networks. It is the official architecture for securing IP network traffic.&lt;/p&gt;
 &lt;p&gt;IPsec works by specifying ways in which IP hosts can encrypt and authenticate data sent at Layer 3 of the &lt;a href="https://www.techtarget.com/searchnetworking/definition/OSI"&gt;OSI network&lt;/a&gt;, the network layer.&lt;/p&gt;
 &lt;p&gt;In VPNs, IPsec tunneling encrypts all network traffic sent between endpoints, enabling a remote user's system -- the VPN client -- to communicate with systems behind the VPN server.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What is SSL and how does it work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is SSL and how does it work?&lt;/h2&gt;
 &lt;p&gt;Secure Sockets Layer, or &lt;a href="https://www.techtarget.com/searchsecurity/definition/Secure-Sockets-Layer-SSL"&gt;&lt;i&gt;SSL&lt;/i&gt;&lt;/a&gt;, is a networking protocol that encrypts data transmitted between web servers and clients. SSL was deprecated in 2015 and replaced by Transport Layer Security, or &lt;a href="https://www.techtarget.com/searchsecurity/definition/Transport-Layer-Security-TLS"&gt;&lt;i&gt;TLS&lt;/i&gt;&lt;/a&gt;. Most modern websites and other applications use TLS and do not support SSL.&lt;/p&gt;
 &lt;div class="pro-features-wrapper"&gt;&lt;/div&gt;
 &lt;p&gt;TLS operates at Layers 4-7 of the OSI model. Every application and communication flow between client and server must establish its own TLS session for encryption and authentication.&lt;/p&gt;
 &lt;p&gt;In VPNs, TLS encrypts streams of network data sent between processes. Note that, although SSL is technologically obsolete, SSL VPN -- rather than TLS VPN or SSL/TLS VPN -- remains the preferred term.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What is a VPN?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a VPN?&lt;/h2&gt;
 &lt;p&gt;A virtual private network, or &lt;a href="https://www.techtarget.com/searchnetworking/definition/virtual-private-network"&gt;&lt;i&gt;VPN&lt;/i&gt;&lt;/a&gt;, is virtual because it overlays a more secure network on top of a less secure one. It does so by encrypting traffic and by enforcing its own &lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;access controls&lt;/a&gt;. VPNs enable organizations to tailor how they secure their communications when the underlying network infrastructure alone cannot do so.&lt;/p&gt;
 &lt;p&gt;The &lt;a href="https://www.techtarget.com/searchnetworking/tip/The-pros-and-cons-of-VPNs-for-enterprises"&gt;justifications for using a VPN&lt;/a&gt; instead of an actual private network engineered with built-in security usually revolve around feasibility and cost. A private network might not be technically achievable -- for example, organizations can't build a dedicated private network to every mobile worker's location. Or it might be too costly. While it's possible to set up a network that links remote workers to the WAN via private network connections, it's prohibitively expensive.&lt;/p&gt;
 &lt;p&gt;The &lt;a href="https://www.techtarget.com/searchnetworking/answer/How-do-site-to-site-VPN-configuration-and-remote-access-VPNs-vary"&gt;two most common types of VPN&lt;/a&gt; are remote access VPNs, which enable individuals to establish short-term connectivity, and site-to-site VPNs, which are for interconnecting sites on a long-term basis.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Remote access VPNs.&lt;/b&gt; A remote access VPN uses public telecommunications infrastructures, almost always the internet, to provide remote users secure access to their organization's network.&lt;br&gt;To use a remote access VPN, a VPN client on the remote user's computer or mobile device connects to a VPN gateway on the organization's network. The &lt;a href="https://www.techtarget.com/iotagenda/definition/gateway"&gt;gateway&lt;/a&gt; typically forces users to authenticate their identities and then permits them to reach internal network resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Site-to-site VPNs.&lt;/b&gt; A site-to-site VPN uses a gateway at each site to securely connect the two sites' networks. Site-to-site VPNs usually connect a small branch to a data center, a network hub or a cloud environment. End-node devices in the one location do not need VPN clients to connect to resources in the other; the gateways handle encryption and decryption for all. &lt;br&gt;Most site-to-site VPNs connect over the internet. It is also common to use carrier &lt;a href="https://www.techtarget.com/searchnetworking/definition/Multiprotocol-Label-Switching-MPLS"&gt;MPLS&lt;/a&gt; clouds for transport, rather than the public internet. Even though MPLS connectivity itself segregates different companies' traffic, security-minded organizations sometimes fortify their control by using their own VPNs to layer on additional security.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/networking-sitetosite_vpn_02.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/networking-sitetosite_vpn_02_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/networking-sitetosite_vpn_02_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/networking-sitetosite_vpn_02.png 1280w" alt="Graphic displaying the differences between how IPsec and SSL VPNs work." height="510" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;IPsec and SSL VPNs provide enterprise-grade security, but in fundamentally different ways.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="IPsec vs. SSL VPNs: 2 approaches"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;IPsec vs. SSL VPNs: 2 approaches&lt;/h2&gt;
 &lt;p&gt;VPNs use either IPsec or TLS, the successor to SSL, to secure their communications links. While both IPsec and SSL VPNs provide enterprise-level security, they do so in fundamentally different ways, and the differences are what drive deployment decisions.&lt;/p&gt;
 &lt;h3&gt;IPsec VPN: Layer 3 security&lt;/h3&gt;
 &lt;p&gt;IPsec VPNs support Layer 3 network access protocols. Because these VPNs carry IP packets, remote hosts or remote site networks appear to be connected directly to the protected private IP network.&lt;/p&gt;
 &lt;p&gt;IPsec VPNs can support all IP-based applications and protocols -- including TCP and User Datagram Protocol -- layered on top of IP. To an OS or application, an IPsec VPN link looks like any other IP network link.&lt;/p&gt;
 &lt;h3&gt;SSL VPN: 'Layer 6.5' security&lt;/h3&gt;
 &lt;p&gt;SSL VPNs operate at a higher layer in the network. They work above Layer 4 (the transport layer) and are usually aimed at creating application-layer connections. They operate just below the actual application layer, Layer 7, however, and therefore are often thought of as operating at "Layer 6.5."&lt;/p&gt;
 &lt;p&gt;SSL VPNs do not carry IP packets and remote clients do not look like internal network nodes to enterprise hosts. The client, usually built into a web browser to secure access to the web UIs of enterprise applications, protects application traffic to the SSL VPN gateway, which connects securely to target enterprise applications.&lt;/p&gt;
 &lt;h3&gt;Mixing layers&lt;/h3&gt;
 &lt;p&gt;Some VPNs work across one network layer to provide access at a lower layer, an operation called &lt;a href="https://www.techtarget.com/searchnetworking/definition/tunneling-or-port-forwarding"&gt;&lt;i&gt;tunneling&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt; For example, some devices want Ethernet access to each other -- Layer 2 access. Tunneling protocols include Secure Socket Tunneling Protocol, Point-to-Point Tunneling Protocol and Layer 2 Tunneling Protocol. SSTP, PPTP and L2TP mostly grant Layer 2 access and run across an IPsec VPN. Sometimes, though, a platform supports setting up SSL VPNs among sites by tunneling Layer 3 traffic -- IP packets -- through the Layer 5 and above SSL VPN.&lt;/p&gt;
&lt;/section&gt;          
&lt;section class="section main-article-chapter" data-menu-title="How IPsec VPNs work"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How IPsec VPNs work&lt;/h2&gt;
 &lt;p&gt;IPsec VPNs encrypt IP packets exchanged between remote networks or hosts and an IPsec gateway located at &lt;a href="https://www.techtarget.com/searchnetworking/definition/What-is-an-enterprise-private-network-EPN"&gt;&lt;strong&gt;the edge of the enterprise's private network.&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;
 &lt;p&gt;Site-to-site IPsec VPNs use a gateway to connect the local network to a remote network, making the whole site's network an add-on to the remote network. An IPsec remote access VPN uses a dedicated network client application on the remote host to connect only that host to the remote network.&lt;/p&gt;
 &lt;p&gt;IPsec VPNs require a dedicated certificate to be installed on the remote computer or gateway to control encryption and authenticate the host or gateway to the remote network.&lt;/p&gt;
 &lt;h3&gt;Strengths and weaknesses of an IPsec VPN&lt;/h3&gt;
 &lt;p&gt;The main strength of IPsec over SSL VPNs is that IPsec VPNs put the remote host or site directly onto the destination IP network. This enables any application on the remote host, or any host on the remote site network, to reach any host on the destination network. IPsec VPNs make it possible, for example, for users to connect to enterprise applications using dedicated &lt;a href="https://www.techtarget.com/whatis/definition/fat-client-thick-client"&gt;thick clients&lt;/a&gt; instead of a web interface, which some legacy applications don't have. They also make it possible to use multiple applications across the VPN session at the same time and in ways that interact; applications are not isolated from each other at the network level.&lt;/p&gt;
 &lt;p&gt;Yet, the IPsec VPN's strength is also its main weakness: It makes everything on the destination network &lt;a href="https://www.techtarget.com/searchsecurity/tip/Common-lateral-movement-techniques-and-how-to-prevent-them"&gt;vulnerable to lateral attacks&lt;/a&gt; from a compromised remote host, as if the compromised node were on the destination network. As a result, using an IPsec VPN requires organizations to deploy other protective layers, such as firewalls, &lt;a href="https://www.techtarget.com/searchnetworking/definition/network-segmentation"&gt;segmentation&lt;/a&gt; and zero trust, in the destination network.&lt;/p&gt;
 &lt;p&gt;Another key strength is that IPsec VPNs rely on a shared encryption key and support &lt;a href="https://www.techtarget.com/searchsecurity/feature/Cryptography-basics-Symmetric-key-encryption-algorithms"&gt;symmetric encryption&lt;/a&gt;, making them post-quantum ready. SSL VPNs use the web-standard asymmetric encryption of private-key/public-key pairs and will require upgrades to new algorithms to be ready for a post-quantum environment.&lt;/p&gt;
 &lt;h3&gt;Operationalizing IPsec VPNs&lt;/h3&gt;
 &lt;p&gt;IPsec standards support selectors -- packet filters implemented by clients and gateways -- for added security. Selectors tell a VPN to permit, encrypt or block traffic to individual destination IPs or applications. As a practical matter, most organizations still grant remote hosts and sites access to entire subnets. That way, they don't have to keep up with the overhead of creating and updating selectors for each IP address change, new application or change in user access rights. To make the use of selectors manageable, organizations need some type of application that integrates IPsec VPN selector management into their overall access management platforms.&lt;/p&gt;
 &lt;p&gt;Absent such software -- or even with one in place -- IT must sort out several aspects of IPsec VPNs to have a successful deployment, including addressing, traffic classification and routing.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Addressing.&lt;/b&gt; IPsec tunnels have two addresses. Outer addresses come from the network where the tunnel starts -- e.g., a remote client. Inner addresses are on the protected network and assigned at the gateway. IT has to use Dynamic Host Configuration Protocol or other IP address management tools to define the address ranges the gateway can assign to packets coming in from the remote end. IT also has to ensure internal firewalls and other cybersecurity systems, if present, allow traffic to and from those addresses for the desired services and hosts on the private network.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Traffic classification.&lt;/b&gt; Deciding what to protect from remote IP hosts and then setting IPsec selectors to protect those things takes time to configure and maintain. "HR clients in Site A should be able to reach the HR server in data center subnet B," for example, must be mapped into the right set of users and destination subnets, servers, ports and even URLs, and maintained over time as the services, users, networks and hosts change.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Routing.&lt;/b&gt; Adding an IPsec VPN gateway changes network routes. Network engineers must decide how to route client traffic to and from the VPN gateway.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;            
&lt;section class="section main-article-chapter" data-menu-title="How SSL VPNs work"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How SSL VPNs work&lt;/h2&gt;
 &lt;p&gt;SSL VPNs connect a client application, almost always a web browser or application, to a service on the destination network via SSL gateways. They rely on TLS to secure connections. They do not require locally installed certificates.&lt;/p&gt;
 &lt;h3&gt;Strengths and weaknesses&lt;/h3&gt;
 &lt;p&gt;SSL VPNs are best suited for the following scenarios:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;When access to enterprise systems is tightly controlled.&lt;/li&gt; 
  &lt;li&gt;When access outside a web interface is not needed.&lt;/li&gt; 
  &lt;li&gt;When installed certificates are infeasible, as with business partner desktops, public kiosk computers and personal home computers.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Because they operate near the application layer, SSL VPNs easily filter and make decisions about user or group access to individual applications, TCP ports and selected URLs, as well as embedded objects, application commands and content.&lt;/p&gt;
 &lt;p&gt;SSL VPNs rely on &lt;a href="https://www.techtarget.com/searchsecurity/definition/asymmetric-cryptography"&gt;asymmetric encryption&lt;/a&gt;. They will need to be upgraded to &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-prepare-for-post-quantum-computing-security"&gt;quantum-safe algorithms&lt;/a&gt; to protect them against next-generation quantum computers capable of breaking current public-private key pair encryption.&lt;/p&gt;
 &lt;h3&gt;Operationalizing SSL VPNs&lt;/h3&gt;
 &lt;p&gt;SSL VPNs make it easier for enterprises to implement granular access controls. They also offload some of the access control work often performed by application servers to VPN gateways. In addition, the gateways afford an added layer of protection, making it possible to enact different or added access controls on VPN sessions.&lt;/p&gt;
 &lt;p&gt;To be manageable, SSL VPN access control policies must mirror the organization's overall access policy, usually through an enterprise directory. Otherwise, admins will have a lot of extra work keeping VPN policies in sync with changes in user access rights and changes in the application portfolio.&lt;/p&gt;
 &lt;p&gt;One other important consideration: An organization implementing a new SSL VPN should choose a product that supports the most current version of TLS to avoid weaknesses of older protocol versions that make them vulnerable to encryption key cracking and forgery.&lt;/p&gt;
&lt;/section&gt;           
&lt;section class="section main-article-chapter" data-menu-title="IPsec vs. SSL VPNs: Which is best for your organization?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;IPsec vs. SSL VPNs: Which is best for your organization?&lt;/h2&gt;
 &lt;p&gt;Organizations needing per-application, per-user access control at the gateway should first consider SSL VPNs. Organizations that find it too challenging to establish client certificates, or those that require standard web browsers to be the client software, should also look at SSL VPNs. But organizations considering SSL VPNs must understand they will only be able to provide access to web applications.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/network_evolution_0314_page11_graphic3.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/network_evolution_0314_page11_graphic3_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/network_evolution_0314_page11_graphic3_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/network_evolution_0314_page11_graphic3.png 1280w" alt="Chart comparing the features and differences between IPsec and SSL VPNs." height="406" width="560"&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;Companies needing to give trusted users and groups broad access to entire segments of their internal networks, or that want the highest level of security available with certificate-based, shared-secret symmetrical encryption, should first consider IPsec VPNs. And companies that want to provide access to non-web applications might have no choice but to use IPsec VPNs.&lt;/p&gt;
 &lt;p&gt;IPsec VPNs have other network security advantages. They are more resistant to some attacks, among them &lt;a href="https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM"&gt;man-in-the-middle attacks&lt;/a&gt;. By contrast, SSL VPNs are vulnerable to these attacks, even as advances in the TLS standard make them more resilient.&lt;/p&gt;
 &lt;p&gt;IPsec VPNs are also more resistant to DoS attacks because they work at a lower layer of the network. SSL VPNs are vulnerable to the same low-level attacks as IPsec VPNs but are also prey to common higher-layer attacks, such as &lt;a href="https://www.techtarget.com/searchsecurity/answer/Security-risks-of-TCP-IP"&gt;TCP SYN floods&lt;/a&gt;, which fill session tables and cripple many off-the-shelf network stacks.&lt;/p&gt;
 &lt;p&gt;It's also important to note that it doesn't have to be an either-or decision. Many organizations adopt both IPsec and SSL VPNs because each solves slightly different security issues. In practice, however, this might not be feasible due to the expense of purchasing, testing, installing, administering and managing two VPNs.&lt;/p&gt;
 &lt;p&gt;Regardless of approach, it's important that companies fully integrate their VPNs with existing access control models, cloaked by a comprehensive zero-trust architecture.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="How to test VPN implementations"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to test VPN implementations&lt;/h2&gt;
 &lt;p&gt;As with any other security product, test VPNs regularly. Prior to deployment, test the VPN on nonproduction networks, and then test regularly after deploying across systems.&lt;/p&gt;
 &lt;p&gt;VPN testing should address the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;VPN infrastructure.&lt;/b&gt; Test VPN hardware, software and cloud applications and how they integrate with systems and applications. Even the best VPN can't protect against vulnerabilities and attacks on unsecure services or applications, so test those as well.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;VPN cryptographic algorithms and protocols.&lt;/b&gt; Do the VPN components implement strong encryption algorithms? Do VPN systems use up-to-date algorithms? Implementations of IPsec and SSL/TLS are sometimes slow to deprecate unsafe algorithms, which can enable some types of attack, such as the &lt;a href="https://www.techtarget.com/searchsecurity/definition/Heartbleed"&gt;Heartbleed&lt;/a&gt; vulnerability that made some TLS implementations vulnerable.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;VPN users.&lt;/b&gt; The human element is a critical aspect of any security system. Do the people who use the VPN understand how it works? Can they use it securely? Do they understand the type of threats that they could face from attackers? Can the chosen VPN system withstand attacks from malicious insiders?&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect, and systems architect.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>New technologies get all the headlines, but VPNs aren't going away anytime soon. Speed and security are among the factors to consider when determining what type of VPN to use.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchUnifiedCommunications/collaboration_applications/unifiedcommunications_article_003.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/IPSec-VPN-vs-SSL-VPN-Comparing-respective-VPN-security-risks</link>
            <pubDate>Fri, 04 Apr 2025 09:00:00 GMT</pubDate>
            <title>IPsec vs. SSL VPNs: What are the differences?</title>
        </item>
        <item>
            <body>&lt;p&gt;&lt;a href="https://www.techtarget.com/whatis/definition/quantum-computing"&gt;Quantum computing&lt;/a&gt; is becoming real and will soon be able to solve problems well beyond the capabilities of today's fastest supercomputers. In the wrong hands, however, quantum computers will also create a new pain level for cybersecurity professionals.&lt;/p&gt; 
&lt;p&gt;Recent advancements suggest that a cryptographically relevant quantum computer (CRQC) -- one that can break commonly used encryption algorithms -- is getting closer to reality. In February 2025, for example, Microsoft announced its Majorana 1, which it claims is the first quantum processor to use more stable topological quantum bits (&lt;a href="https://www.techtarget.com/whatis/definition/qubit"&gt;qubits&lt;/a&gt;), the basic units of quantum information. Microsoft believes its quantum processor can eventually scale to 1 million qubits on a single chip.&lt;/p&gt; 
&lt;p&gt;Majorana 1 is a long way from meeting its potential, but its announcement should be a warning to organizations that have yet to take &lt;a href="https://www.techtarget.com/searchsecurity/definition/post-quantum-cryptography"&gt;post-quantum cryptography&lt;/a&gt; (PQC) seriously. Quantum computers will render current encryption algorithms obsolete and help sophisticated adversaries find new ways to compromise critical systems. Preparing for that inevitability starts with adopting PQC algorithms.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why quantum cybersecurity is important"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why quantum cybersecurity is important&lt;/h2&gt;
 &lt;p&gt;The biggest quantum computing cybersecurity risk is the ability to quickly crack popular public key cryptography and encryption algorithms such as Rivest-Shamir-Adleman (&lt;a href="https://www.techtarget.com/searchsecurity/definition/RSA"&gt;RSA&lt;/a&gt;), &lt;a href="https://www.techtarget.com/searchsecurity/definition/Diffie-Hellman-key-exchange"&gt;Diffie-Hellman&lt;/a&gt; and the Advanced Encryption Standard (&lt;a href="https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard"&gt;AES&lt;/a&gt;). Nation-states are the only adversaries with the resources to create a quantum system for this purpose, and it's believed they are collecting sensitive encrypted data for when that time comes. This is referred to as "harvest now, decrypt later."&lt;/p&gt;
 &lt;p&gt;"Our adversaries are consuming everything possible on encrypted networks," said John Prisco, CEO of consultancy Safe Quantum. "We know that once there is a CRQC, every secret message using RSA-2048 or RSA-4096 will be decrypted. Nothing encrypted in this way will remain a secret in the near future."&lt;/p&gt;
 &lt;p&gt;Decrypting previously stolen data isn't the only threat a CRQC poses. With a CRQC, "all digital communications that we use today leveraging asymmetric cryptography will also be broken," said Ray Harishankar, IBM Fellow and lead for IBM Quantum Safe. "Bad actors can perform fraudulent authentication and masquerade as anyone, and consequently, a number of bad things can happen. It's not as cut and dry as Y2K, when things happen [at a specific time]. It will happen gradually when powerful quantum computers become available, and nation actors have access to them."&lt;/p&gt;
 &lt;p&gt;Organizations that should be most concerned are financial services, government agencies, academic and research institutions with sensitive intellectual property, and medical services and research. "We shouldn't make it any easier for the Chinese to steal our intellectual property," Prisco said. "Medical science is also at risk. Patient data remains relevant for a human lifetime. We need a lifelong security program to protect personal medical info."&lt;/p&gt;
 &lt;p&gt;Post-quantum cybersecurity should concern all executive management and not just the CISO. "Anyone who has data that has value over five, seven, 10 years -- patent information, drug discovery information, formulae information -- those have [the] potential for being exfiltrated and causing damage," he said. "People who manage that data, chief data officers, are going to be concerned. It is broader than a CISO problem because it is a CIO problem. It is a chief risk officer problem. It is a CEO problem. It is even a board problem because all they need is damage [from one incident] and your brand reputation is at risk."&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How quantum computing is changing encryption"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How quantum computing is changing encryption&lt;/h2&gt;
 &lt;p&gt;Today's encryption schemes, such as RSA, are "secure" not because they can't be broken but because of the time and processing power needed to break them. "Public key cryptography coupled with RSA encryption could be broken by computers of today, including supercomputers, in about 1,000 years," Prisco said. "A CRQC can do it in an hour or less."&lt;/p&gt;
 &lt;div class="pro-features-wrapper"&gt;&lt;/div&gt;
 &lt;p&gt;To counter the threat, researchers have developed numerous PQC algorithms. Examples include Rainbow and Supersingular Isogeny Key Encapsulation (SIKE), both of which were approved by &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/NIST"&gt;NIST&lt;/a&gt; but have since been broken.&lt;/p&gt;
 &lt;p&gt;"That should worry the U.S. quantum strategists who are taking an all-their-eggs-in-one-basket approach. Defense-in-depth is necessary to compete with today's security protection schemes," Prisco said.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Why organizations should prepare for quantum computing threats now"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why organizations should prepare for quantum computing threats now&lt;/h2&gt;
 &lt;p&gt;Potential threats from quantum computers have been known since at least 1994, when Peter Shor developed Shor's algorithm for prime factorization, which is considered capable of breaking today's encryption when used with a CRQC. Quantum computers are proliferating, even if none are powerful enough to crack standard encryption algorithms. IBM has deployed 75-plus quantum computers, with more than a dozen utility-scale systems currently online that users can experiment with using the cloud, according to Harishankar.&lt;/p&gt;
 &lt;p&gt;The key question is: When will a cryptographically relevant quantum computer arrive? That's difficult to answer because much of the research is secretive. It is estimated that a quantum computer would require anywhere from several thousand to tens of millions of qubits to execute Shor's algorithm.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    History tells us that changing cryptography at scale doesn't happen in seven to 10 years. It takes more time.
   &lt;/figure&gt;
   &lt;figcaption&gt;
    &lt;strong&gt;Ray Harishankar&lt;/strong&gt;IBM Fellow and lead for IBM Quantum Safe
   &lt;/figcaption&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;"We started with five qubits in 2016, and now we are at 156-plus qubits," Harishankar said. "We are able to get more and more reliable qubits as well. We have stated that by 2029 or 2030, we will have a fault-tolerant quantum computer with 200 logical qubits." IBM has made public its own quantum development &lt;a target="_blank" href="https://www.ibm.com/quantum/technology#roadmap" rel="noopener"&gt;roadmap&lt;/a&gt; through 2033.&lt;/p&gt;
 &lt;p&gt;That might not be enough to have a CRQC, though. Harishankar's best estimate is that it will happen sometime in the mid-2030s. If you think that gives you plenty of time to prepare, think again. "History tells us that changing cryptography at scale doesn't happen in seven to 10 years. It takes more time," he said. "Unless people start thinking and planning today, they cannot complete the work in seven to 10 years."&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How organizations can prepare for quantum cybersecurity"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How organizations can prepare for quantum cybersecurity&lt;/h2&gt;
 &lt;p&gt;The most important way organizations can &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-CISOs-can-prepare-for-the-quantum-cybersecurity-threat"&gt;prepare for PQC&lt;/a&gt; is to begin the transition to quantum-secure algorithms and keys. It's a long process that includes the following steps:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Select a PQC algorithm.&lt;/b&gt; NIST has &lt;a href="https://www.techtarget.com/healthtechsecurity/feature/Understanding-NISTs-post-quantum-cryptography-standards"&gt;three PQC algorithms&lt;/a&gt; ready for use and is finalizing the &lt;a target="_blank" href="https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption" rel="noopener"&gt;draft&lt;/a&gt; standards for two others. Organizations should choose a primary algorithm for general encryption -- such as Federal Information Processing Standard (FIPS) 203 -- and one for digital signatures. NIST has designated some algorithms as backups in case the primary algorithms become vulnerable.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Assess the PQC algorithm's effect on IT infrastructure.&lt;/b&gt; A PQC algorithm will have bigger key sizes and produce increasingly fragmented network traffic, which increases performance overhead and implementation complexity.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Adapt network security devices.&lt;/b&gt; The additional complexity and performance requirements will place more demands on firewalls and network intrusion detection systems, which will need to handle a higher volume of fragmented traffic due to larger cryptographic keys and ciphertexts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Review hosting and other cloud-based services and software to ensure they are quantum-ready.&lt;/b&gt; Even if you do all you can to make your own network quantum-secure, you probably have processes and data running in the cloud. If they aren't quantum-secure, you're still vulnerable to quantum attacks. Zoom, Apple and Microsoft are among the providers who say their cloud offerings are "quantum-safe."&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Take a crypto-agile approach.&lt;/b&gt; Crypto-agility enables you to switch to another algorithm without much business disruption if your post-quantum encryption algorithm is compromised. "As we transform and remediate the current software to support post-quantum cryptography, we have to do it with crypto-agility in mind so that you're not caught in this trap of having to do major work in replacing them again and again and again," Harishankar said. "I know it's a little bit of extra work now, but it's going to save you immensely downstream."&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="What is the future of quantum cybersecurity?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the future of quantum cybersecurity?&lt;/h2&gt;
 &lt;p&gt;The post-quantum cybersecurity world will certainly be more complex, but one constant will remain: the cat-and-mouse game between cyber adversaries and defenders.&lt;/p&gt;
 &lt;p&gt;"I see quantum-resistant algorithms as failing over time," Prisco said. "No one knows if the Chinese already have broken the CRYSTALS lattice algorithms of NIST. Let's have a defense-in-depth approach that uses quantum science in addition to mathematical algorithms. It would be astounding if the NIST program provided security for 50 years like the Turing Laureates, Whit[field] Diffie and Mart[in] Hellman, did. I don't think that is a good bet."&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Michael Nadeau is an award-winning journalist and editor who covers IT and energy tech. He also writes the PowerTown blog on Substack for stakeholders in local renewable energy initiatives. Follow him on Bluesky at @mnadeau.bsky.social.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Here's a full guide to the threats quantum computers pose to today's encryption algorithms -- and how to prepare now to become "crypto-agile" enough to stay ahead of bad actors.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a296619547.jpg</image>
            <link>https://www.techtarget.com/searchcio/tip/How-quantum-cybersecurity-changes-the-way-you-protect-data</link>
            <pubDate>Mon, 31 Mar 2025 15:19:00 GMT</pubDate>
            <title>How quantum cybersecurity changes the way you protect data</title>
        </item>
        <item>
            <body>&lt;p&gt;The National Security Agency (NSA) is a federal government surveillance and intelligence agency that's part of the U.S. Department of Defense and is managed under the authority of the director of national intelligence (DNI).&lt;/p&gt; 
&lt;p&gt;Led by the NSA director, the agency performs global electronic monitoring, collection and processing of information and data from its headquarters in Fort Meade, Md. It's in the intelligence-gathering business and, unlike the Federal Bureau of Investigation (FBI), its agents don't handle law enforcement and don't make arrests. They also aren't part of the U.S. military. The NSA does have a cooperative relationship with the FBI and the military, and shares intelligence with other government entities and the military.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Responsibilities of the NSA"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Responsibilities of the NSA&lt;/h2&gt;
 &lt;p&gt;As a member of the intelligence community, the NSA exists to protect the integrity of U.S. national communications systems, and to collect and process signals intelligence. &lt;a href="https://www.techtarget.com/whatis/definition/SIGINT-signals-intelligence"&gt;SIGINT&lt;/a&gt; is information that originates from foreign adversaries' secret communications, typically digital and electronic systems, such as communications and radar systems. The NSA operates around the world in support of U.S. national security and foreign policy.&lt;/p&gt;
 &lt;p&gt;The NSA's role in preserving national security is twofold:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;NSA analysts gather and decrypt intelligence from electronic communications found on a range of electronic sources, including phone calls, email, videos, photos, stored data and &lt;a href="https://www.techtarget.com/whatis/definition/social-networking"&gt;social networking&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;The agency uses discovered intelligence to guide policymakers in their decisions and to protect the nation's &lt;a href="https://www.techtarget.com/whatis/definition/sensitive-information"&gt;classified data&lt;/a&gt; and national security systems. These systems, which are crucial to intelligence, military operations and other government activities, must be protected from unauthorized access and tampering by both domestic and foreign enemies.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;In October 2017, U.S. Attorney General Loretta Lynch signed guidelines enabling the NSA to provide intercepted communications and raw SIGINT to 16 government agencies, including the FBI and Central Intelligence Agency, before applying domestic and foreign privacy protections.&lt;/p&gt;
 &lt;p&gt;The number of NSA employees and its budget are classified information. However, the NSA employs analysts, engineers, physicists, linguists, computer science professionals, researchers, cybersecurity officers, data flow experts, managers, experts in intelligence analysis, customer relations and public affairs specialists, and administrative and clerical assistants.&lt;/p&gt;
 &lt;p&gt;It also claims to be the largest employer of mathematicians in the U.S. and possibly worldwide. NSA mathematicians and their counterparts in the Central Security Service (CSS), an NSA subagency, perform the agency's two critical functions:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;They design cryptographic systems to protect U.S. communications and information assurance.&lt;/li&gt; 
  &lt;li&gt;They search for weaknesses in the counterpart systems of American adversaries.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;The NSA has denied reports claiming it has an unlimited black budget that's undisclosed even to other government agencies. Nevertheless, the agency has said that, if it were in the public sector, it would rank in the top 10% of Fortune 500 companies.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-cyber_espoinage_vs_warfare-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-cyber_espoinage_vs_warfare-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-cyber_espoinage_vs_warfare-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-cyber_espoinage_vs_warfare-f.png 1280w" alt="Graphic comparing cyberespionage and cyberwarfare" height="274" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The NSA says its mission is to prevent and eradicate threats to national security, including cyberespionage and cyberwarfare.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;          
&lt;section class="section main-article-chapter" data-menu-title="NSA programs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;NSA programs&lt;/h2&gt;
 &lt;p&gt;The NSA can listen in on every international phone call made to and from the U.S., but that's just one aspect of the agency's work. The agency's bigger focus is on intelligence gathering.&lt;/p&gt;
 &lt;div class="pro-features-wrapper"&gt;&lt;/div&gt;
 &lt;p&gt;For much of its history, it was thought that the NSA focused on gathering international intelligence. That changed in 2013 when details on other NSA surveillance programs became public.&lt;/p&gt;
 &lt;p&gt;That year, Edward Snowden, a Booz Allen Hamilton contractor at that time, &lt;a href="https://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html" target="_blank" rel="noopener"&gt;leaked confidential NSA information&lt;/a&gt; to the national and international press. The documents indicated the agency had domestic surveillance activities that included the bulk collection of U.S. communications. Snowden told the press about 10 such surveillance programs:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Prism.&lt;/b&gt; Perhaps the most infamous NSA program, Prism collected data stored by nine major Silicon Valley technology companies: AOL, Apple, Google, Meta (formerly Facebook), Microsoft, Paltalk, Skype, Yahoo and YouTube. The data collected included emails, file transfers, photos and voice calls.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Fairview.&lt;/b&gt; Under this program, the NSA worked with AT&amp;amp;T to access massive amounts of international internet traffic &lt;a href="https://www.computerweekly.com/feature/Interview-the-original-NSA-whistleblower"&gt;passing through domestic U.S. networks&lt;/a&gt;. The NSA is reported to have partnered extensively with U.S. &lt;a href="https://www.techtarget.com/searchnetworking/definition/telecommunications-telecom"&gt;telecommunication&lt;/a&gt; operators for decades as part of this program.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Blarney.&lt;/b&gt; This international version of the Prism program was also said to be part of Fairview. Through Blarney, the NSA formed partnerships with foreign telecom operators to gain access to their customer data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Stormbrew and Oakstar.&lt;/b&gt; Like Blarney, these two programs fall under the Fairview umbrella. Stormbrew allegedly refers to a partnership with Verizon, according to a &lt;a target="_blank" href="https://www.nytimes.com/interactive/2015/08/15/us/documents.html" rel="noopener"&gt;&lt;i&gt;New York Times&lt;/i&gt; investigation&lt;/a&gt;. Oakstar has a number of subprograms that &lt;a target="_blank" href="https://www.washingtonpost.com/world/national-security/nsa-paying-us-companies-for-access-to-communications-networks/2013/08/29/5641a4b6-10c2-11e3-bdf6-e4fc677d94a1_story.html" rel="noopener"&gt;&lt;i&gt;The Washington Post&lt;/i&gt; said&lt;/a&gt; are designed to collect "data as it moves across fiber-optic cables and the gateways that direct global communications traffic."&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;XKeyscore.&lt;/b&gt; According to &lt;i&gt;The Guardian&lt;/i&gt;, a report on XKeyscore by the NSA listed the project as collecting "nearly everything a typical user does on the internet," including the content of emails and &lt;a href="https://www.techtarget.com/whatis/definition/chatting"&gt;chats&lt;/a&gt;, visible in real time.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Marina, Trafficthief and Pinwale.&lt;/b&gt; Little is known about these three programs. However, as &lt;a target="_blank" href="https://www.dailydot.com/debug/nsa-spy-prgrams-prism-fairview-blarney/" rel="noopener"&gt;reported in &lt;i&gt;The Daily Dot&lt;/i&gt;&lt;/a&gt;, Trafficthief is described as containing "metadata from a subset of tasked strong-selectors." Pinwale contains "content selected from dictionary tasked terms," while Marina stores "user activity metadata with front end full take feeds and backend selected feeds."&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Boundless Informant.&lt;/b&gt; This is said to be a measure of how well the other programs are doing. Slides that Snowden gave &lt;i&gt;The Guardian&lt;/i&gt; indicated that, in one month in 2012, the NSA collected almost 100 billion pieces of intelligence worldwide. Three billion pieces of intelligence were collected in the U.S. during that same period. Presumably, an email or phone call would constitute a piece of intelligence.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="History of the NSA"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;History of the NSA&lt;/h2&gt;
 &lt;p&gt;Early information gathering and interception techniques relied on radio signals, radar and &lt;a href="https://www.techtarget.com/whatis/definition/telemetry"&gt;telemetry&lt;/a&gt;. In the U.S., the first traces of SIGINT date back to July 1917 when the government created the Cipher Bureau of Military Intelligence. This was three months after the United States had declared war on Germany, in part because of the infamous Zimmermann Telegram.&lt;/p&gt;
 &lt;p&gt;British intelligence intercepted and deciphered the Zimmermann Telegram. It &lt;a target="_blank" href="https://www.history.com/news/what-was-the-zimmermann-telegram" rel="noopener"&gt;revealed&lt;/a&gt; that the German foreign secretary had attempted to entice Mexico into war against the U.S. by promising to return the states of Texas, New Mexico and Arizona to Mexico should Germany win the war. The contents of the message inflamed the U.S. and proved the value of SIGINT.&lt;/p&gt;
 &lt;p&gt;After World War I, SIGINT and foreign signals intelligence work became fragmented and scattered among numerous government entities. The Army Signal Corps developed the Signal Intelligence Service (SIS) in 1929 after taking over &lt;a href="https://www.techtarget.com/searchsecurity/definition/cryptology"&gt;cryptology&lt;/a&gt; from military intelligence. Civilian William F. Friedman became chief cryptologist at SIS and was tasked with teaching a team of civilians about &lt;a href="https://www.techtarget.com/searchsecurity/definition/cryptanalysis"&gt;cryptanalysis&lt;/a&gt; so they could compile codes for the U.S. Army.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/what_is_signals_intelligence-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/what_is_signals_intelligence-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/what_is_signals_intelligence-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/what_is_signals_intelligence-f.png 1280w" alt="List of different types of SIGINT" height="224" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Signals intelligence, or SIGINT, comes from the collection and analysis of foreign targets' electronic signals and communications.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;The military's success cracking German and Japanese codes during World War II once again proved the merits of intelligence work. In 1952, President Truman officially established the National Security Agency with SIGINT operations under it. In 1957, the NSA moved to Fort Meade.&lt;/p&gt;
 &lt;p&gt;In 1972, a presidential directive established the Central Security Service to provide cryptologic support, knowledge and assistance to the military cryptologic community. The NSA and CSS together form the National Security Agency Central Security Service. The job of the NSA/CSS is to &lt;a target="_blank" href="https://www.nsa.gov/about/" rel="noopener"&gt;create a unified cryptologic effort&lt;/a&gt; with the armed forces. It's also charged with working with senior military and civilian leaders to address and act on critical military-related issues in support of national and tactical intelligence objectives.&lt;/p&gt;
 &lt;p&gt;In 2012, &lt;i&gt;The New York Times&lt;/i&gt; reported that the &lt;a href="https://www.techtarget.com/searchsecurity/news/252487374/10-years-after-Stuxnet-new-zero-days-discovered"&gt;Stuxnet worm&lt;/a&gt;, discovered in June 2010 after a damaging attack on Windows machines and programmable logic controllers in Iran's industrial plants, including its nuclear program, had been jointly developed by the U.S. and Israel. Neither country has admitted responsibility for the attack.&lt;/p&gt;
 &lt;p&gt;In addition to protecting national security through cryptography and cryptanalysis, the NSA has weathered security breaches beyond Snowden that have embarrassed the agency and affected its intelligence-gathering capabilities.&lt;/p&gt;
 &lt;p&gt;In 2015, an unidentified NSA contractor removed classified government information, which included code and spyware used to infiltrate foreign computer network operations, from the agency and stored it on a personal device. Russian hackers allegedly intercepted the files. The contractor acknowledged using antivirus software from Kaspersky Lab.&lt;/p&gt;
 &lt;p&gt;In 2017, Israeli intelligence officers revealed that they detected NSA materials on Kaspersky networks in 2015. Kaspersky officials later admitted that they became aware of unusual files on an unidentified contractor's computer, and they didn't immediately report their findings. In December 2017, the U.S. government banned the use of Kaspersky Lab products for all federal agencies and government employees.&lt;/p&gt;
 &lt;p&gt;A hacker group calling itself The Shadow Brokers claimed it had stolen NSA files in 2017. It released batches of files on the internet, some of which allegedly contained the Internet Protocol addresses of computer servers that were compromised by the &lt;a href="https://www.techtarget.com/searchsecurity/blog/Security-Bytes/The-Equation-Group-malware-mystery-Kaspersky-offers-an-explanation"&gt;Equation Group&lt;/a&gt;, an organization reported to have ties to the NSA.&lt;/p&gt;
 &lt;p&gt;The continual dumping of NSA files has exposed &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability"&gt;zero-day&lt;/a&gt; exploits targeting firewalls and routers, Microsoft Windows vulnerabilities and other cyberweapons. The NSA, according to the ongoing leaks, has been stockpiling vulnerabilities, most notably the &lt;a href="https://www.techtarget.com/searchsecurity/news/450420393/Researchers-port-EternalBlue-exploit-to-Windows-10"&gt;Windows EternalBlue exploit&lt;/a&gt; used by cybercriminals in the global &lt;a href="https://www.techtarget.com/searchsecurity/definition/WannaCry-ransomware"&gt;WannaCry ransomware&lt;/a&gt; attacks.&lt;/p&gt;
 &lt;p&gt;The FBI arrested Harold T. Martin III, a former NSA contractor employed by Booz Allen Hamilton, in August 2016 and accused him of violating the Espionage Act for unlawful possession of terabytes of confidential materials allegedly taken from the NSA and other intelligence agencies over a 20-year period. A &lt;a href="https://www.techtarget.com/searchsecurity/news/450412767/NSA-contractor-indicted-for-stealing-elite-cyberweapons-over-20-years"&gt;grand jury indicted him&lt;/a&gt; in February 2018. After pleading guilty to willful retention of national defense information, Martin was &lt;a target="_blank" href="https://www.justice.gov/opa/pr/former-government-contractor-sentenced-nine-years-federal-prison-willful-retention-national" rel="noopener"&gt;sentenced in 2019&lt;/a&gt; to nine years in federal prison, followed by three years of supervised release.&lt;/p&gt;
 &lt;p&gt;In October 2020, the &lt;a href="https://www.techtarget.com/searchsecurity/news/252490929/NSA-issues-advisory-against-Chinese-state-sponsored-hackers"&gt;NSA released an advisory&lt;/a&gt; specifying 25 publicly known vulnerabilities actively exploited or being scanned by Chinese state-sponsored actors. Later that year, the NSA verified that SolarWinds Orion Platform version 2020.2.1 HF 2 eliminated the malicious code used in the &lt;a href="https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know"&gt;extensive SolarWinds hack&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;In January 2021, for the first time, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the DNI and the NSA publicly suggested Russian threat actors were responsible for the &lt;a href="https://www.techtarget.com/searchsecurity/ehandbook/SolarWinds-supply-chain-attack-explained-Need-to-know-info"&gt;SolarWinds supply chain attack&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;That April, the Biden administration formally attributed the SolarWinds attacks to the Russian government's Foreign Intelligence Service (SVR). The FBI, NSA and CISA jointly warned that state-sponsored, SVR-allied threats were actively exploiting known vulnerabilities to get access to national security and government-associated networks.&lt;/p&gt;
 &lt;p&gt;Among the NSA's more recent developments is the 2020 launch of its Cybersecurity Collaboration Center. The CCC partners with public and private organizations to better detect and mitigate cybersecurity threats to their critical infrastructure. Its goals include hardening the U.S. Defense Industrial Base, preparing responses to foreign nation-state cyberthreats and developing mitigations for cybersecurity challenges.&lt;/p&gt;
 &lt;p&gt;In response to &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-AI-is-reshaping-threat-intelligence"&gt;emerging artificial intelligence threats&lt;/a&gt;, in 2023 the NSA announced the creation of its AI Security Center to consolidate and centralize the agency's AI activities.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Learn more about &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-career-path-5-step-guide-to-success"&gt;&lt;i&gt;cybersecurity as a career path&lt;/i&gt;&lt;/a&gt;&lt;i&gt;, what's required and the various types of jobs these IT professionals do.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The National Security Agency (NSA) is a federal government surveillance and intelligence agency that's part of the U.S. Department of Defense and is managed under the authority of the director of national intelligence (DNI).</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/National-Security-Agency</link>
            <pubDate>Fri, 28 Feb 2025 09:00:00 GMT</pubDate>
            <title>What is the NSA and how does it work?</title>
        </item>
        <item>
            <body>&lt;p&gt;Federated identity management (FIM) is an arrangement between multiple enterprises or &lt;a href="https://www.techtarget.com/whatis/definition/domain"&gt;domains&lt;/a&gt; that enables their users to use the same identification data (&lt;a href="https://www.techtarget.com/whatis/definition/digital-identity"&gt;digital identity&lt;/a&gt;) to access all their networks. These partners are also known as &lt;i&gt;trust domains&lt;/i&gt;. A trust domain can be an organization, a business unit or a smaller subsidiary of a larger organization.&lt;/p&gt; 
&lt;p&gt;FIM is a system of single login and multiple access. For FIM to work effectively, all involved partners must have a sense of mutual trust. Each trust domain maintains its own &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-management-ID-management"&gt;identity management&lt;/a&gt;. However, all domains are interlinked through a third-party service that stores user access credentials and provides the trust mechanism needed for FIM to work. This third service is known as the &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-provider"&gt;&lt;i&gt;identity provider&lt;/i&gt;&lt;/a&gt; or &lt;i&gt;identity broker&lt;/i&gt;.&lt;/p&gt; 
&lt;p&gt;This provider manages &lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;access control&lt;/a&gt; for multiple service providers. The FIM arrangement is made between two or more identity brokers across organizations.&lt;/p&gt; 
&lt;p&gt;FIM links users' identities across multiple &lt;a target="_blank" href="https://www.ibm.com/docs/en/workload-scheduler/9.4.0?topic=definition-security-domain" rel="noopener"&gt;security domains&lt;/a&gt;. When two domains are federated, users need to &lt;a href="https://www.techtarget.com/searchsecurity/definition/authentication"&gt;authenticate&lt;/a&gt; themselves to only one domain. This improves the user experience by enabling users to move between systems quickly and securely. That's because the second security domain, which is also part of the FIM system, trusts that the user's home domain authenticated the user and enables them to have unfettered access.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Examples of federated identity management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Examples of federated identity management&lt;/h2&gt;
 &lt;p&gt;Examples of FIM systems include &lt;a href="https://www.techtarget.com/whatis/definition/OpenID"&gt;OpenID&lt;/a&gt; and Open Authorization (&lt;a href="https://www.techtarget.com/searchapparchitecture/definition/OAuth"&gt;OAuth&lt;/a&gt;), as well as Shibboleth, which is based on the Security Assertion Markup Language (&lt;a href="https://www.techtarget.com/searchsecurity/definition/SAML"&gt;SAML&lt;/a&gt;) from the Organization for the Advancement of Structured Information Standards, commonly known as OASIS.&lt;/p&gt;
 &lt;p&gt;A common example of FIM is when someone signs into a third-party website using their Google, Facebook or Apple accounts. With Google's FIM system, for example, users can log into their Gmail, YouTube, Disney+, Spotify and Netflix accounts, along with some other mobile apps and websites.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How does federated identity management work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does federated identity management work?&lt;/h2&gt;
 &lt;p&gt;FIM works because the FIM partners send each other authorization messages. These messages can be transmitted using SAML or a similar Extensible Markup Language (&lt;a href="https://www.techtarget.com/whatis/definition/XML-Extensible-Markup-Language"&gt;XML&lt;/a&gt;) standard. Both enable users to log on once to access multiple affiliated but separate websites or networks.&lt;/p&gt;
 &lt;p&gt;Users' credentials are provided to and stored with their identity provider, which is their home domain. Then, when logging in to a service, such as a software as a service (&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service"&gt;SaaS&lt;/a&gt;) application, they don't have to provide credentials to the service provider. Rather, the service provider trusts the identity provider to validate these credentials and grant them access.&lt;/p&gt;
 &lt;p&gt;So, when a user attempts to log into a website or application using FIM, the website or application requests federated authentication from the identity provider's authentication server, which verifies the user's access and permissions. The identity provider then authorizes the user to the service provider, and the user is granted access.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What are common federated identity management use cases?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are common federated identity management use cases?&lt;/h2&gt;
 &lt;p&gt;FIM is useful when administering applications that need access to resources in multiple security domains.&lt;/p&gt;
 &lt;p&gt;The following are common FIM use cases:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;New users added to a system after a merger or acquisition.&lt;/li&gt; 
  &lt;li&gt;External vendors or &lt;a href="https://www.techtarget.com/whatis/definition/distributor"&gt;distributors&lt;/a&gt; that require access to the organization's resources.&lt;/li&gt; 
  &lt;li&gt;Users from commercial identity providers.&lt;/li&gt; 
  &lt;li&gt;Users with credentials from a public organization.&lt;/li&gt; 
  &lt;li&gt;Citizens using credentials from a national identity provider.&lt;/li&gt; 
  &lt;li&gt;Access to social websites, such as Gmail or Facebook.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Technologies that make up FIM"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Technologies that make up FIM&lt;/h2&gt;
 &lt;p&gt;Several technologies make up FIM. Authentication protocols constitute a significant part of the process that enables communication between identity providers and service providers. Authentication protocols that can be used include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;SAML.&lt;/b&gt; SAML is an open standard for sharing security information about identity, authentication and authorization. It uses XML to share data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Open Authorization (OAuth).&lt;/b&gt; OAuth is an open standard framework for authorization over the internet.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;OpenID Connect.&lt;/b&gt; OpenID Connect is an open specification for authentication and single sign-on (&lt;a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on"&gt;SSO&lt;/a&gt;). It expands on OAuth, enabling third parties to confirm user identities and retrieve profile data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Kerberos.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/Kerberos"&gt;Kerberos&lt;/a&gt; is an authentication protocol that authenticates service requests between trusted hosts across untrusted networks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remote Authentication Dial-In User Service (RADIUS).&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/RADIUS"&gt;RADIUS&lt;/a&gt; is a client-server protocol used for centralized authentication for remote and network access.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Different frameworks are also used to define how an organization should establish trust and share identity data. &lt;a target="_blank" href="https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adfsod/204de335-ea34-4f9b-ae73-8b7d4c8152d1" rel="noopener"&gt;WS-Federation&lt;/a&gt;, for example, is a framework commonly used for Microsoft platforms, such as Active Directory Federation Services (&lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/Active-Directory-Federation-Services-AD-Federation-Services"&gt;AD FS&lt;/a&gt;). WS-Federation provides a general language to connect users and resources across secure boundaries. Shibboleth is another example, which is an open source system that supports SAML for federated authentication.&lt;/p&gt;
 &lt;p&gt;Technology is also needed to store user identities and attributes, which is usually done using a directory service, such as &lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/LDAP"&gt;Lightweight Directory Access Protocol&lt;/a&gt; or AD FS.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/YvHmP2WyBVY?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="The 7 laws of identity that guide FIM"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The 7 laws of identity that guide FIM&lt;/h2&gt;
 &lt;p&gt;There are seven commonly cited laws for FIM, called the &lt;i&gt;laws of identity&lt;/i&gt;, which aim to provide a set of principles for designing secure and user-friendly identity management. The seven laws are the following:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;User control and consent.&lt;/b&gt; Users should be able to give permission to share their identity data, and they should know how data is shared.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Minimal disclosure.&lt;/b&gt; Identity systems should share only the minimum amount of data necessary.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Justification.&lt;/b&gt; Identity systems should ensure that identity data is only shared with parties that can prove they have a valid reason to receive it.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Directed identity.&lt;/b&gt; Identity systems should protect public and private identifiers to protect user privacy.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Competition.&lt;/b&gt; Different identity providers should also be supported to improve interoperability between different technologies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Human integration.&lt;/b&gt; To reduce computer-to-computer attacks, the human user should be included as a component of a distributed system.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Consistency.&lt;/b&gt; Users should have a simple and consistent experience from platform to platform.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="The government's role in FIM"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The government's role in FIM&lt;/h2&gt;
 &lt;p&gt;Governments have also pushed for FIM requirements to be implemented. For example, in 2012, the Homeland Security Presidential Directive 12 was issued in the U.S. This established a governmentwide requirement to create a secure form of ID for federal employees and related contractors. The directive aimed to create a secure identification system across all federal agencies, encouraging quick movement between platforms and programs.&lt;/p&gt;
 &lt;p&gt;One year earlier, in 2011, another governmentwide program was issued: the Federal Risk and Authorization Management Program. This was closely related to FIM, as it enforced a standardized use of identity and access management (&lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;IAM&lt;/a&gt;) practices for cloud services.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="What is the difference between SSO and FIM?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the difference between SSO and FIM?&lt;/h2&gt;
 &lt;p&gt;Single sign-on is an important component of FIM, but it isn't the same as FIM.&lt;/p&gt;
 &lt;p&gt;SSO enables users to use a single set of credentials to access multiple systems within a single organization. It is &lt;a href="https://www.techtarget.com/whatis/definition/token"&gt;token&lt;/a&gt;-based, meaning that a token rather than a password identifies users.&lt;/p&gt;
 &lt;p&gt;FIM enables users to access systems across &lt;i&gt;federated&lt;/i&gt; organizations. They can use the same credentials to access the applications, programs and networks of all members within the federated group. It provides single-step access to multiple systems across different organizations. Unlike with SSO, FIM users don't provide credentials directly to a web application but to the FIM system itself.&lt;/p&gt;
 &lt;p&gt;Organizations that implement SSO do not necessarily use FIM. However, FIM relies heavily on SSO technologies to authenticate users across domains.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/federated_identity_management-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/federated_identity_management-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/federated_identity_management-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/federated_identity_management-f.png 1280w" alt="Federated identity management (FIM) pros and cons chart. " height="389" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Federated identity management has benefits and drawbacks that should be noted before implementation.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="What are the benefits and drawbacks of federated identity management?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the benefits and drawbacks of federated identity management?&lt;/h2&gt;
 &lt;p&gt;FIM provides several benefits to an organization if implemented, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;When organizations work together on a project, FIM enables participants to access and share resources across all domains.&lt;/li&gt; 
  &lt;li&gt;FIM simplifies the process of authenticating and authorizing users of the systems within the federation.&lt;/li&gt; 
  &lt;li&gt;At the same time, &lt;a href="https://www.techtarget.com/searchnetworking/definition/system-administrator"&gt;administrators&lt;/a&gt; in each organization still control access levels in their own domains. They can set permissions and access levels across different systems in different security domains for a user based on a single username. This reduces their work and simplifies IAM.&lt;/li&gt; 
  &lt;li&gt;Administrators can also avoid common issues that crop up when balancing multi-domain access, such as developing a specific system to make it easy to access the resources of an external organization. FIM's consolidation approach helps organizations save money and maintain control.&lt;/li&gt; 
  &lt;li&gt;FIM also eliminates the barriers that often prevent users from easily and securely accessing the resources they need. It delivers convenience so they can securely access systems in different domains without remembering multiple credentials or logging in multiple times. Consequently, the user can save time, minimize access friction and increase productivity.&lt;/li&gt; 
  &lt;li&gt;FIM also simplifies &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-management"&gt;data management&lt;/a&gt;, privacy and &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/compliance"&gt;compliance&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Storage costs are reduced by centralizing identity management, reducing data redundancy and simplifying data synchronization.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;There are some drawbacks that come with FIM, however:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;One drawback of FIM is the upfront costs that organizations incur to modify existing systems and applications. This can be a substantial financial burden for smaller organizations.&lt;/li&gt; 
  &lt;li&gt;Another challenge is that participating federation members must create policies that adhere to the &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-policy"&gt;security requirements&lt;/a&gt; of all members. This negotiation can be a complicated, time-consuming undertaking when each enterprise sets different requirements and rules.&lt;/li&gt; 
  &lt;li&gt;Finally, a participating organization can be a member of more than one federation, so its policies should reflect the rules and requirements of each federation. As the company joins additional federations, this can become complicated and require a huge time commitment that many enterprises might not be prepared for.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;FIM plays an active role in IAM. Learn more about the &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchmobilecomputing/feature/Cloud-SaaS-bring-identity-and-access-management-challenges"&gt;&lt;i&gt;challenges behind IAM&lt;/i&gt;&lt;/a&gt;&lt;i&gt; in cloud and SaaS environments. &lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Federated identity management (FIM) is an arrangement between multiple enterprises or domains that enables their users to use the same identification data (digital identity) to access all their networks.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/federated-identity-management</link>
            <pubDate>Thu, 27 Feb 2025 00:00:00 GMT</pubDate>
            <title>What is federated identity management (FIM)? How does it work?</title>
        </item>
        <item>
            <body>&lt;p&gt;Red teaming is the practice of rigorously challenging plans, policies, systems and assumptions with an adversarial approach. A red team might be a contracted external party, an internal group or a combination of internal and external resources that uses strategies and tactics to encourage an outsider perspective.&lt;/p&gt; 
&lt;p&gt;The goal of red teaming is to overcome &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/cognitive-bias"&gt;cognitive errors&lt;/a&gt; like groupthink and &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/cognitive-bias"&gt;confirmation bias&lt;/a&gt;, which can impair the decision-making or critical thinking ability of an individual or organization. Another goal is to determine if existing detective, preventive and mitigation measures are effective for a &lt;a href="https://www.techtarget.com/searchsecurity/definition/CVSS-Common-Vulnerability-Scoring-System"&gt;wide range of attack vectors&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Often a group of internal IT employees, a red team is used to simulate the actions of those who are malicious or adversarial. From a cybersecurity perspective, a red team's goal is to breach or compromise a company's digital security. A blue team, by contrast, is a group of internal IT employees used to simulate the preventative actions of individuals or departments responsible for security operations. The blue team's goal is to stop the red team from committing hypothetical cyberattacks, such as a data breach or phishing attack. Such interaction is what's called a &lt;a href="https://www.techtarget.com/searchsecurity/tip/Red-team-vs-blue-team-vs-purple-team-Whats-the-difference"&gt;red team-blue team&lt;/a&gt; simulation. Figure 1 depicts red and blue teaming for cybersecurity.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/red_vs_blue_vs_purple_teaming-f.png"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineimages/red_vs_blue_vs_purple_teaming-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/red_vs_blue_vs_purple_teaming-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/red_vs_blue_vs_purple_teaming-f.png 1280w" alt="Chart showing the goals of red and blue teams and how exercises can create purple teams." height="215" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 1. Red and blue teaming; sharing of information from an exercise might result in a purple teaming exercise.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;p&gt;Red teaming does not require the existence of a blue team. An organization might seek to compare the active and passive systems of an agency.&lt;/p&gt; 
&lt;p&gt;Red teaming originated in the military to realistically evaluate the strength and quality of strategies. Since then, red teaming has become a common cybersecurity training exercise among public and private sector organizations. Other security testing methods include &lt;a href="https://www.computerweekly.com/opinion/How-does-red-teaming-test-the-ultimate-limits-of-cyber-security"&gt;ethical hacking&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/penetration-testing"&gt;penetration testing&lt;/a&gt;, or pen testing. While red teaming shares the same goal and perspective as these strategies, its execution is often quite different.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Penetration testing vs. red teaming"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Penetration testing vs. red teaming&lt;/h2&gt;
 &lt;p&gt;Pen testing and red teaming are often used interchangeably to describe security testing techniques. Each uses an "outside" perspective but does so in a different way. Figure 2 compares the two activities.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/definition-red_teaming.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/definition-red_teaming_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/definition-red_teaming_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/definition-red_teaming.png 1280w" alt="Penetration testing versus red teaming comparison chart." height="314" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Figure 2. How penetration testing and red teaming compare to each other.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;h3&gt;Penetration testing&lt;/h3&gt;
 &lt;p&gt;Pen testing is a manual security testing method that organizations use to provide a comprehensive overview of the quality and effectiveness of their security controls. The goal is to test the vulnerability of networks, assets, hardware, platforms and applications within a defined scope. Often automated using &lt;a href="https://www.techtarget.com/searchsecurity/tip/5-open-source-offensive-security-tools-for-red-teaming"&gt;special software tools&lt;/a&gt;, the attack simulation launches actions attempting to defeat the organization's security posture. Existing security measures are violated and an attack path is established. The test attempts to break through preventive measures and establish an &lt;a href="https://www.techtarget.com/whatis/definition/attack-surface"&gt;attack surface&lt;/a&gt; red team operations can exploit.&lt;/p&gt;
 &lt;p&gt;Pen testing transcends a &lt;a href="https://www.techtarget.com/searchsecurity/definition/vulnerability-assessment-vulnerability-analysis"&gt;vulnerability assessment&lt;/a&gt;, an evaluation process used to rank cybersecurity weaknesses by importance and/or risk. Pen testing leverages &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-is-red-and-white-hat-hacking"&gt;ethical hackers&lt;/a&gt; to physically and virtually challenge the strength of security devices and procedures.&lt;/p&gt;
 &lt;p&gt;These tests are deliberate and meticulous, placing no focus on stealth or evasion. The goal is to gain access and bypass security controls by simulating real-world attacks. Pen testing lacks a competing blue team. The blue team is often informed of penetration test plan scope and depth.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Learn the necessary &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchnetworking/tip/5-steps-to-conduct-network-penetration-testing"&gt;&lt;i&gt;steps for network penetration testing&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
 &lt;h3&gt;Red teaming&lt;/h3&gt;
 &lt;p&gt;Red teaming is a stealthy procedure used to test systems, protocols and the people managing them. Red teaming is a focused security testing method with specific objectives. If the objective is to access a sensitive server or a &lt;a href="https://www.techtarget.com/searchitoperations/definition/mission-critical-computing"&gt;business-critical application&lt;/a&gt;, red team success is measured by how well it accomplishes this objective. If the red team achieves its goal, the organization is insufficiently prepared to prevent such an attack.&lt;/p&gt;
 &lt;p&gt;Outcomes from the pen test can indicate measures to take to resolve deficiencies in security controls.&lt;/p&gt;
 &lt;p&gt;The lack of notice distinguishes red teaming from pen testing. Blue teams are often purposely left in the dark during these evaluations. The goal is to force the blue team to respond as if it were an actual attack, providing a more accurate assessment.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Read more here about &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/answer/Penetration-testing-vs-red-team-Whats-the-difference"&gt;&lt;i&gt;penetration testing vs. red teaming&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;             
&lt;section class="section main-article-chapter" data-menu-title="Red team methodology"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Red team methodology&lt;/h2&gt;
 &lt;p&gt;Red teaming involves a tactical, deliberate process to extract all the desired information. An assessment that identifies entry points and vulnerabilities real cybercriminals may want to exploit should precede a red team simulation. Doing the assessment prior to simulation ensures a controlled process and measurable outcome.&lt;/p&gt;
 &lt;p&gt;The assessment will help illuminate goals the red team wants to achieve. Any weakness associated with digital assets, physical assets, technical processes or operational processes could be targeted for exploitation in the red teaming session.&lt;/p&gt;
 &lt;p&gt;Once objectives are set, the red team will initiate an attack. Typically, the blue team will identify the red team activity as malicious and start to contain or limit the success of their efforts. Once the exercise ends, each party will provide findings that showcase the value of their perspective and the exercise itself.&lt;/p&gt;
 &lt;p&gt;The blue team will identify any indicators of compromise (&lt;a href="https://www.techtarget.com/searchsecurity/definition/Indicators-of-Compromise-IOC"&gt;IoC&lt;/a&gt;) they were able to detect. IoCs are flags that security teams use to register suspicious activity. Typically, security systems that protect networks and systems generate them. The red team will prepare a breakdown of its tactics, techniques and procedures (TTPs) for the blue team.&lt;/p&gt;
 &lt;p&gt;Together, the two teams use the results to create a list of actionable items -- such as firewall upgrades or server configurations -- they can perform to improve the current security system's detection and response activity. This sharing of information can often establish what's called a &lt;a href="https://www.techtarget.com/searchsecurity/video/An-explanation-of-purple-teaming"&gt;purple team&lt;/a&gt;, as shown in Figure 1 above.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Red team activities"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Red team activities&lt;/h2&gt;
 &lt;p&gt;Red team exercises that deal with cybersecurity might include a variety of activities that attempt to defeat cybersecurity controls, such as those listed in Figure 1. Examples include trying to bypass firewalls and intrusion detection and prevention systems (&lt;a href="https://www.techtarget.com/searchsecurity/quiz/Quiz-Intrusion-detection-and-prevention-systems"&gt;IDS/IPS&lt;/a&gt;), introducing viruses, conducting phishing and malware attacks and launching social engineering attacks.&lt;/p&gt;
 &lt;p&gt;While attacks typically address systems, applications, utilities and networking resources, they might also include an attack on a data center's physical security. This could occur by surreptitiously allowing red team members entry into data centers.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.computerweekly.com/news/366580938/More-social-engineering-attacks-on-open-source-projects-observed"&gt;Social engineering attacks&lt;/a&gt; focus on psychological attributes of employees. Red team members must perform sufficient due diligence on employees (e.g., learning what they do and any particular habits that could be exploited) before launching the social engineering attack.&lt;/p&gt;
 &lt;p&gt;Much information can be gained by walking around office areas and observing employee behavior. Employees who leave their workstations without logging off create a risk of unauthorized access to their systems. In a potential red teaming simulation, employees could be called about a "problem" detected on their systems and convinced to have "IT" remotely activate a "fix."&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/KZ93C-CroAA?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Pros and cons of red teaming"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Pros and cons of red teaming&lt;/h2&gt;
 &lt;p&gt;The benefits of red teaming are numerous. Most importantly, red team exercises identify vulnerabilities in systems, policies, procedures and employees that could be exploited in cyberattacks. Knowledge of such vulnerabilities can be used to identify and deploy remediations to prevent future attacks.&lt;/p&gt;
 &lt;p&gt;Red teaming benefits grow when combined with blue teaming. Greater information sharing fosters collaboration, reveals areas where additional training is needed, and can encourage employees to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan?"&gt;improve their cybersecurity skills&lt;/a&gt; and reduce response times for future events.&lt;/p&gt;
 &lt;p&gt;Among the downsides of red teaming are the potential costs for an exercise. An exercise might not be feasible or succeed if senior management is not engaged or resources to execute it are insufficient.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Preparing for a red team exercise"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Preparing for a red team exercise&lt;/h2&gt;
 &lt;p&gt;As with any cybersecurity activity, senior management approval is the first step. Next is assembling the team and tools to be used. The actual attack objectives and scope should be defined, and conducting a pen test is an important preliminary step. It establishes baseline security data that can be used to formulate the exercise.&lt;/p&gt;
 &lt;p&gt;Once the exercise has been defined and resources assembled, the team decides when to launch the exercise. If a blue team has also been assembled, they should not be notified of the exercise date. Upon completion of the exercise, the teams should prepare a report of findings and recommendations. Data from cybersecurity software used in the exercise should be included. A &lt;a href="https://www.techtarget.com/searchitoperations/tip/Conduct-an-incident-post-mortem-for-ongoing-DevOps-improvement"&gt;post-exercise meeting&lt;/a&gt; provides an opportunity for all players to share their experiences and review recommendations.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="The role of AI in the future of red teaming"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The role of AI in the future of red teaming&lt;/h2&gt;
 &lt;p&gt;Artificial intelligence is quickly permeating all aspects of IT, especially in cybersecurity. &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/Will-AI-replace-cybersecurity-jobs"&gt;Use of AI capabilities&lt;/a&gt; can increase the likelihood of identifying potential attack vectors and facilitate better analysis of exercise results.&lt;/p&gt;
 &lt;p&gt;Red and blue teaming are expected to remain important, and AI will greatly enhance the overall process and results of exercises, resulting in better early warnings and faster, more accurate responses to cyberattacks.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Learn about &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-red-teaming"&gt;AI red teaming&lt;/a&gt;, which is the practice of simulating attack scenarios on an artificial intelligence application to identify weaknesses and plan preventative actions.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Red teaming is the practice of rigorously challenging plans, policies, systems and assumptions with an adversarial approach.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/whatis/definition/red-teaming</link>
            <pubDate>Mon, 24 Feb 2025 15:00:00 GMT</pubDate>
            <title>What is red teaming?</title>
        </item>
        <item>
            <body>&lt;p&gt;Physical security protects personnel, hardware, software, networks, facilities and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism. While most of these events are covered by insurance, physical security's prioritization of damage prevention avoids the time, money and resources lost because of these events.&lt;/p&gt; 
&lt;p&gt;Physical security is fundamental to an organization's success. It safeguards valuable assets and sensitive information by limiting facility access and monitoring activities. It ensures the &lt;a href="https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA"&gt;confidentiality, integrity and availability&lt;/a&gt; of all types of data and information and also ensures the safety and protection of employees and others who work on premises. With the right security measures in place, an organization can ensure a safe and secure workplace.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is a physical security framework?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a physical security framework?&lt;/h2&gt;
 &lt;p&gt;A physical security framework outlines the policies, procedures and technologies used to protect an area from unauthorized access, intrusion or damage. Core elements of a physical security framework typically include the following:&lt;/p&gt;
 &lt;h3&gt;1. Deterrence&lt;/h3&gt;
 &lt;p&gt;Deterrence means creating a visible security presence that makes an intruder think twice about trying to breach physical security. Companies deter criminals from attempting physical security breaches and unauthorized access by surrounding corporate campuses and remote buildings with visible physical security systems, such as tall perimeter fences, gates and security signage.&lt;/p&gt;
 &lt;h3&gt;2. Detection&lt;/h3&gt;
 &lt;p&gt;Surveillance is one of the most important physical security components for prevention and post-incident recovery. In this case, it refers to the technology, personnel and resources that organizations use to detect intrusion and monitor the activity of different real-world locations and facilities. Examples include patrol guards, heat sensors, motion detectors, cameras and other notification systems.&lt;/p&gt;
 &lt;p&gt;Closed-circuit television (&lt;a href="https://www.techtarget.com/whatis/definition/CCTV-closed-circuit-television"&gt;CCTV&lt;/a&gt;) cameras are a common type of physical security control that records activity in certain areas. These video surveillance cameras are as valuable in capturing criminal behavior as they are in preventing it. Threat actors who see a CCTV camera are less inclined to break in or vandalize a building out of fear of having their identity recorded. Similarly, if a particular asset or piece of equipment is stolen, surveillance cameras can provide visual evidence to identify the culprit and their tactics.&lt;/p&gt;
 &lt;h3&gt;3. Delay&lt;/h3&gt;
 &lt;p&gt;Using tactically placed obstacles, organizations can make it more difficult for attackers to access valuable assets and information. Similarly, these barriers increase the time it takes for &lt;a href="https://www.techtarget.com/whatis/definition/threat-actor"&gt;threat actors&lt;/a&gt; to successfully carry out acts of thievery, vandalism or terrorism. The more obstacles in place, the more time organizations have to respond to and contain threats and potential threats to physical security.&lt;/p&gt;
 &lt;p&gt;Safes, vaults, walls and fences can help slow down physical intruders. Walls and fences can also harden buildings against environmental disasters, such as earthquakes, mudslides and floods. Organizations that divert resources toward such hardening measures should balance the cost and benefit of their implementation before investment.&lt;/p&gt;
 &lt;h3&gt;4. Defend&lt;/h3&gt;
 &lt;p&gt;Protecting physical assets begins by limiting and controlling what people can access -- whether a site, data center or other facility. &lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;Access control&lt;/a&gt; encompasses the measures taken to give only authorized personnel access to certain physical assets. These corporate barriers often include ID badges, keypads and security guards. However, these obstacles can vary significantly by method, approach and cost.&lt;/p&gt;
 &lt;p&gt;More sophisticated access controls involve a technology-supported approach. Security teams can use physical authentication methods, such as security ID card scanners and &lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/Near-Field-Communication"&gt;near-field communication&lt;/a&gt; ID cards, to verify the identities of individuals entering and exiting various facilities.&lt;/p&gt;
&lt;/section&gt;             
&lt;section class="section main-article-chapter" data-menu-title="Why is physical security important?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is physical security important?&lt;/h2&gt;
 &lt;p&gt;As businesses become more dependent on the internet of things (&lt;a href="https://www.techtarget.com/iotagenda/definition/Internet-of-Things-IoT"&gt;IoT&lt;/a&gt;) and edge computing, the need for digital and physical security grows. With IoT and edge computing providing industrial automation in manufacturing plants, remote offices and the field, a company's responsibility for physical security has expanded.&lt;/p&gt;
 &lt;div class="pro-features-wrapper"&gt;&lt;/div&gt;
 &lt;p&gt;IoT sensors and devices, new technologies such as drones, the data they collect, the servers that store that data and the locations where these technologies are deployed must all be protected. For companies outsourcing their systems and applications to the cloud, agreements must be in place with all cloud vendors. They should require cloud vendors to maintain optimum physical security at their data centers and for the networks, physical storage and servers they use. Third-party cloud provider data centers require physical security to avoid data losses and uptime failures. Client companies should request reports of cloud data center physical security audits regularly.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Types of physical security threats"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of physical security threats&lt;/h2&gt;
 &lt;p&gt;Physical security threats and risk points can come in many different forms, including the following:&lt;/p&gt;
 &lt;h3&gt;Human oversight&lt;/h3&gt;
 &lt;p&gt;Employees can forget to lock doors or sign off systems, leaving these assets open to intruders. In remote sites, such as manufacturing plants, it isn't uncommon for employees to forget to return critical equipment, such as robots or servers, to securely locked cages after a shift ends.&lt;/p&gt;
 &lt;h3&gt;Equipment failures&lt;/h3&gt;
 &lt;p&gt;Security sensors in the field can malfunction. For example, a sensor might fail in temperatures below zero, or a visual sensor won't work in snow. Also, door and vault locks or high-security fencing can fail. When these types of surveillance mechanisms malfunction, they create vulnerabilities in physical security that a perpetrator could penetrate.&lt;/p&gt;
 &lt;h3&gt;Natural and man-made disasters&lt;/h3&gt;
 &lt;p&gt;Disasters such as floods, earthquakes, hurricanes, chemical spills and fires can all &lt;a href="https://www.techtarget.com/whatis/feature/Prepare-your-business-for-natural-disasters-with-this-checklist"&gt;affect the operations of equipment and facilities&lt;/a&gt; and compromise physical security. In these circumstances, companies need to take immediate steps to protect employees and minimize further damage to equipment and infrastructure.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Developing a physical security plan"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Developing a physical security plan&lt;/h2&gt;
 &lt;p&gt;Before a physical security plan is developed, it's important to assess all corporate physical assets for level of risk and refine the scope of the plan by addressing the following questions:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Is surveillance installed at every mission-critical point throughout the enterprise and its satellite facilities?&lt;/li&gt; 
  &lt;li&gt;Are data centers and IT equipment in remote areas secured from unauthorized access?&lt;/li&gt; 
  &lt;li&gt;Are all physical security monitoring and check-in technologies such as badge scans, in-field sensors, cameras and vault locks in perfect working order?&lt;/li&gt; 
  &lt;li&gt;Are employees properly trained in physical security practices for their work areas? Are there written procedures for extenuating circumstances like storms or fires that would cause a loss of physical security?&lt;/li&gt; 
  &lt;li&gt;Are physical security guidelines and procedures documented in the corporate disaster recovery and business continuity plan, and are employees regularly refreshed on this plan and how it works? Are physical security systems regularly tested?&lt;/li&gt; 
  &lt;li&gt;Are the organization's physical assets insured for loss?&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/ZetTrqWFE_w?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
 &lt;p&gt;&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Physical security best practices"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Physical security best practices&lt;/h2&gt;
 &lt;p&gt;The following best practices can help an organization address its physical security needs:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Use log and trail maintenance security.&lt;/b&gt; Keeping a record of what is accessed and by whom is a reliable way to discourage unauthorized users and create a forensic-friendly data environment. Organizations can monitor and record multiple failed login attempts and attempted access to gather crucial evidence to pinpoint security weaknesses.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Adopt an approach based on risk management.&lt;/b&gt; This data analysis technique evaluates scenarios based on a person's risk profile. If a business is particularly risk-averse -- such as a credit union or a restaurant -- it might opt to invest in a more expensive physical security system that's more equipped to mitigate risk. Therefore, the amount of resources a company dedicates to its physical security using a risk-based approach should be equivalent to the value it places on risk mitigation.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Tie access control to individuals.&lt;/b&gt; An organization can improve its visibility over personnel activity by tying access control to individuals. Imagine a particular room can only be accessed by a single key that's given to only two people. If an asset in that room goes missing, only those two people are accountable for its disappearance.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Perform regular security testing.&lt;/b&gt; Regular security testing is increasingly important. Fire drills are necessary for schools and buildings because they help to coordinate large groups and their methods of response. These tests should be conducted regularly so participants know exactly what to do in a physical emergency. Physical security deterrent equipment such as sensors, door locks, security cameras, badge and scanning systems should also be regularly tested.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Train employees.&lt;/b&gt; Employees should be regularly trained on the physical security measures they should take in their work areas. This reduces the likelihood of human error or omission.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Maintain an updated plan.&lt;/b&gt; Each year, companies acquire new physical assets and retire old ones. A company might open a new warehouse or acquire a server for a remote location. Regardless of the situation, the company's physical assets are always changing, so the plan for securing them must change, too.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Determine who is in charge of physical security.&lt;/b&gt; In many companies, physical security, even in data centers, is maintained by a separate maintenance or facilities department. In other cases, IT might be in charge of the data center, and a facilities group might handle other physical assets. Early on, it's essential to know who is in charge of what.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Don't forget about the cloud.&lt;/b&gt; Most companies discuss physical security with their cloud vendors during the service evaluation and sign-up period. However, after that, there's often a tendency to assume that the vendor is maintaining proper physical security of the organization's assets. A better course of action is to review the vendor's security audits annually so the organization knows that physical and other security has been addressed and maintained.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use AI with physical security.&lt;/b&gt; The capabilities of physical security are changing. This transformation is largely being driven by the addition of artificial intelligence (&lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-Artificial-Intelligence"&gt;AI&lt;/a&gt;) to &lt;a target="_blank" href="https://www.forbes.com/councils/forbestechcouncil/2023/09/27/how-ai-is-disrupting-the-business-of-physical-security/" rel="noopener"&gt;physical security technology&lt;/a&gt;. Examples include advanced video surveillance systems, smart access control systems and biometric readers. AI motion sensors and cameras do more than monitor and report on motion. They also observe employee movements and determine if anything is irregular.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Learn the &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Evaluate-biometric-authentication-pros-and-cons-implications"&gt;&lt;i&gt;pros and cons of biometric authentication&lt;/i&gt;&lt;/a&gt;&lt;i&gt; and the best ways to protect biometric data. &lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Physical security protects personnel, hardware, software, networks, facilities and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/2.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/physical-security</link>
            <pubDate>Fri, 07 Feb 2025 09:00:00 GMT</pubDate>
            <title>What is physical security and how does it work?</title>
        </item>
        <item>
            <body>&lt;p&gt;A DOS, or disk operating system, is an operating system (&lt;a href="https://www.techtarget.com/whatis/definition/operating-system-OS"&gt;OS&lt;/a&gt;) that runs from a disk drive. The term can also refer to a particular family of disk operating systems, most commonly &lt;a href="https://www.techtarget.com/searchenterprisedesktop/definition/MS-DOS"&gt;MS-DOS&lt;/a&gt; (Microsoft DOS). MS-DOS was the main operating system for personal computers (PCs) until 1995, when its popularity waned due to the introduction of the more user-friendly, graphical user interface (GUI)-based &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/Windows"&gt;Windows&lt;/a&gt; 95 operating system.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="History of DOS"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;History of DOS&lt;/h2&gt;
 &lt;p&gt;Early computers of the 1940s and 1950s did not have disk drives. Instead, they were hard-wired to carry out specific computations. Later computers were able to store instructions loaded into the computer's memory using paper-based media like punch cards and still later, using &lt;a href="https://www.techtarget.com/searchdatabackup/definition/magnetic-tape"&gt;magnetic tapes&lt;/a&gt;. Computer memory space was limited, and when the instructions to control a computer were moved onto a disk drive, such as a floppy disk or internal hard disk drive (&lt;a href="https://www.techtarget.com/searchstorage/definition/hard-disk-drive"&gt;HDD&lt;/a&gt;), it was considered cutting-edge technology.&lt;/p&gt;
 &lt;p&gt;An operating system is the software that provides the instructions that control a computer's hardware components (memory, processor, etc.) and peripheral devices, as well as allows other software programs to function. The instructions might be stored in the HDD or other storage medium. A DOS is a specific type of OS that runs from the computer's HDD and provides a command-line interface (&lt;a href="https://www.techtarget.com/searchwindowsserver/definition/command-line-interface-CLI"&gt;CLI&lt;/a&gt;) to allow users to access and control the system and its various components by typing commands using a keyboard. The use of a CLI is the chief difference between disk operating systems and modern GUI-based operating systems.&lt;/p&gt;
 &lt;p&gt;The term DOS is also used to describe several similar command-line disk operating systems. Early computers, such as the Commodore 64, Atari 800 and Apple II, all featured a disk operating system: Commodore Business Machines DOS, Atari DOS and Apple DOS, respectively. DOS/360 was an OS for IBM &lt;a href="https://www.techtarget.com/searchdatacenter/definition/mainframe"&gt;mainframes&lt;/a&gt;, which first appeared in 1966, but it is unrelated to the 8086-based DOS of the 1980s used on personal computers.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="How does a disk operating system work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does a disk operating system work?&lt;/h2&gt;
 &lt;p&gt;When a computer is powered on, it goes through various steps called the &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/boot"&gt;&lt;i&gt;boot process&lt;/i&gt;&lt;/a&gt;. When running a disk operating system, these six booting steps are standard:&lt;/p&gt;
 &lt;div class="pro-features-wrapper"&gt;&lt;/div&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;The read-only memory (&lt;a href="https://www.techtarget.com/whatis/definition/read-only-memory-ROM"&gt;ROM&lt;/a&gt;) &lt;a href="https://www.techtarget.com/whatis/definition/bootstrap"&gt;bootstrap&lt;/a&gt; loader reads the &lt;a href="https://www.techtarget.com/whatis/definition/Master-Boot-Record-MBR"&gt;Master Boot Record&lt;/a&gt; and passes control over to it.&lt;/li&gt; 
  &lt;li&gt;The boot record loads the disk operating system into memory, which takes control of the machine.&lt;/li&gt; 
  &lt;li&gt;The computer transfers data stored on a magnetic disk to its main memory, the random access memory (&lt;a href="https://www.techtarget.com/searchstorage/definition/RAM-random-access-memory"&gt;RAM&lt;/a&gt;).&lt;/li&gt; 
  &lt;li&gt;It also transfers data to external devices attached to the computer, such as a computer screen or printer.&lt;/li&gt; 
  &lt;li&gt;The computer provides various &lt;a href="https://www.techtarget.com/searchapparchitecture/definition/application-program-interface-API"&gt;application programming interfaces&lt;/a&gt; for programs like character input/output (&lt;a href="https://www.techtarget.com/whatis/definition/input-output-I-O"&gt;I/O&lt;/a&gt;), memory management, program loading and termination, as well as handling user input via a keyboard.&lt;/li&gt; 
  &lt;li&gt;The OS also provides &lt;a href="https://www.techtarget.com/searchstorage/definition/file-system"&gt;file system&lt;/a&gt; management that organizes, reads and writes files on storage. The management system uses a hierarchical structure of directories, subdirectories and files.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/RhHMgkUdhdk?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="DOS and command-line interface"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;DOS and command-line interface&lt;/h2&gt;
 &lt;p&gt;Because DOS has a character-based interface rather than a GUI, its users must type textual commands in its command line to indicate the actions they want the OS to perform, such as finding a file or running a specific program. The command line process can be complex and tedious, which is why nongraphical OSes are becoming obsolete.&lt;/p&gt;
 &lt;p&gt;That said, nongraphical OSes use minimal system resources; they can be lightweight, fast and flexible. Also, users who know the operating system's standard commands might find it easier to use than a GUI-based OS, particularly if they want to do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Troubleshoot hardware or software issues.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/data-recovery"&gt;Recover data&lt;/a&gt; from a corrupted HDD.&lt;/li&gt; 
  &lt;li&gt;Create HDD &lt;a href="https://www.techtarget.com/searchstorage/definition/partition"&gt;partitions&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Run &lt;a href="https://www.techtarget.com/searchsecurity/definition/antivirus-software"&gt;antivirus&lt;/a&gt; software.&lt;/li&gt; 
  &lt;li&gt;Run legacy software.&lt;/li&gt; 
  &lt;li&gt;Set up and configure the system &lt;a href="https://www.techtarget.com/whatis/definition/BIOS-basic-input-output-system"&gt;BIOS&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Set up file/data &lt;a href="https://www.techtarget.com/searchdatabackup/tip/Why-data-backup-is-important"&gt;backup&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Update system date/clock settings.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/startup_screen_for_ms_dos-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/startup_screen_for_ms_dos-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/startup_screen_for_ms_dos-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/startup_screen_for_ms_dos-f.png 1280w" alt="A screenshot of DOS startup." height="453" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The startup screen from an early version of IBM DOS shows some of the options that can be run from the command line prompt.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="DOS features"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;DOS features&lt;/h2&gt;
 &lt;p&gt;The main features of all disk operating systems are as follows:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;CLI.&lt;/b&gt; There is no GUI in any DOS, so mouse inputs are not accepted. It is a character-based interface system where all commands are entered in text at the command-line prompt.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Prompt.&lt;/b&gt; Disk operating systems provide a visual message, known as a prompt, that provides the location of the current directory or folder and enables users to enter various commands from the keyboard.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Management.&lt;/b&gt; A DOS is useful to manage a computer's files, I/O system and memory.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Batch files.&lt;/b&gt; Disk operating systems support &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/batch-file"&gt;batch files&lt;/a&gt;, which are macros that automate groups of commands to simplify tasks and save time and effort.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Kernel.&lt;/b&gt; The DOS &lt;a href="https://www.techtarget.com/searchdatacenter/definition/kernel"&gt;kernel&lt;/a&gt; functions as the brain of the OS; it manages the computer's fundamental operations (memory allocation, file access, etc.) and provides an interface for the computer and its programs to interact with each other.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Data recovery capabilities.&lt;/b&gt; Booting a computer from the DOS can help recover data after an unexpected event, such as a crash or hard drive corruption.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="DOS limitations"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;DOS limitations&lt;/h2&gt;
 &lt;p&gt;Although it was a ubiquitous operating system, DOS does have some limitations:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;No built-in security.&lt;/b&gt; It does not have built-in security, such as file ownership and permissions.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;No multiusers or multitasking.&lt;/b&gt; As single-task operating systems, disk operating systems do not support multiple users or multitasking. Thus, only one program can run at a time (even though it has direct access to the basic I/O system and underlying hardware).&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Challenging interface.&lt;/b&gt; The CLI, in which a user must type in commands, requires the user to remember commands to run programs and do other OS tasks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Unexpected output.&lt;/b&gt; A small mistake in typing the command can result in unexpected or unwanted consequences. For example, a user might want to list the files in the current directory by typing &lt;span style="font-family: 'courier new', courier, monospace;"&gt;cd \directory_name&lt;/span&gt;. However, that command changes the current working directory to the named directory. To list the contents of a folder, the command &lt;span style="font-family: 'courier new', courier, monospace;"&gt;dir&lt;/span&gt; should be used.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Slow updating of disk directory information. &lt;/b&gt;Some disk operating systems like MS-DOS do not update the disk directory information until a file is closed by the application, which can keep the file in an unsafe state and result in programming issues.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Common DOS commands"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Common DOS commands&lt;/h2&gt;
 &lt;p&gt;MS-DOS is not case-sensitive, so commands can be typed in either uppercase or lowercase. However, other disk operating systems have case-sensitive CLIs. DOS commands include the following:&lt;/p&gt;
&lt;/section&gt;  
&lt;section class="section main-article-chapter" data-menu-title="Common DOS commands"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Common DOS commands&lt;/h2&gt;
 &lt;p&gt;MS-DOS is not case-sensitive, so commands can be typed in either uppercase or lowercase. However, other disk operating systems have case-sensitive CLIs. DOS commands include the following.&lt;/p&gt;
 &lt;table style="width: 100%;" class="main-article-table"&gt; 
  &lt;thead&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;strong&gt;Command&lt;/strong&gt;&lt;/td&gt; 
    &lt;td&gt;&lt;strong&gt;What it does&lt;/strong&gt;&lt;/td&gt; 
    &lt;td&gt;&lt;strong&gt;Example&lt;/strong&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/thead&gt; 
  &lt;tbody&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;cd&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Changes directory&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;cd c:\techtarget&lt;/span&gt; in the command line to change the working directory to c:\techtarget.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;cls&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Clears all the contents on the screen, leaving only the command prompt&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;cls&lt;/span&gt; in the command line.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;copy&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Copies one or more files to another location&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;copy c:\techtarget\file.txt c:\techtarget\file2.txt&lt;/span&gt; to copy c:\techtarget\file.txt to c:\techtarget\file2.txt.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;del&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Deletes one or more files&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;del c:\techtarget\file2.txt&lt;/span&gt; to delete the file file2.txt from the directory c:\techtarget.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;deltree&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Deletes a directory, including all files and subdirectories contained in it&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;deltree c:\techtarget\drafts&lt;/span&gt; to delete the directory drafts, including all files and subdirectories contained in it.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;dir&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Displays a list of files and directories in a directory&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;dir c:\techtarget&lt;/span&gt; to display a list of files and directories in the directory c:\techtarget.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;format&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Formats a disk for DOS files&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;format e:&lt;/span&gt; to format the disk in drive e: for use with DOS.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;help&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Lists the available commands or more information about a specific command&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;help del&lt;/span&gt; to display information about the &lt;span style="font-family: 'courier new', courier, monospace;"&gt;del&lt;/span&gt; command and how to use it. Most commands have optional switches that are explained in the help information.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;mkdir or md&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Creates a new subdirectory&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;mkdir c:\techtarget\drafts&lt;/span&gt; to create the subdirectory drafts in the c:\techtarget directory.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;move&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Moves files or directories from one directory to another or from one drive to another&lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;move c:\techtarget\file.txt c:\techtarget\drafts\file.txt&lt;/span&gt; to move c:\techtarget\file.txt to c:\techtarget\drafts\file.txt.&lt;/p&gt; &lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;ren or rename&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Changes the name of a file or directory&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;ren c:\techtarget\file.txt file2.txt&lt;/span&gt; to rename the file c:\techtarget\file.txt to c:\techtarget\file2.txt.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;type&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;Displays the contents of a file on the screen&lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;type c:\myfile.txt&lt;/span&gt; to show the contents of the myfile.txt file.&lt;/p&gt; &lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;*&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;A wildcard character that represents one or more characters a group of files has in common&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;copy c:\techtarget\*.txt c:\techtarget\drafts&lt;/span&gt; to copy all files with the extension of .txt to c:\techtarget\drafts.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;span style="font-family: 'courier new', courier, monospace;"&gt;?&lt;/span&gt;&lt;/td&gt; 
    &lt;td&gt;A wildcard character that represents a single character a group of files has in common&lt;/td&gt; 
    &lt;td&gt;Type &lt;span style="font-family: 'courier new', courier, monospace;"&gt;copy c:\techtarget\document?.txt c:\techtarget\drafts&lt;/span&gt; to copy files named document1.txt, document2.txt and so on to c:\techtarget\drafts.&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/tbody&gt; 
 &lt;/table&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="More history and future of DOS"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;More history and future of DOS&lt;/h2&gt;
 &lt;p&gt;The arrival of the microprocessor in the 1970s started a computing revolution, and the market for personal computers (PCs) began to boom. IBM released the IBM 5150 Personal Computer in August 1981. To speed up the development of this new computer, IBM decided to license various components from other companies.&lt;/p&gt;
 &lt;p&gt;IBM's first choice for an OS was the CP/M-86 software from Digital Research, but disagreements over nondisclosure agreements and licensing led IBM to choose a CP/M-like OS from Microsoft that was originally called QDOS 86-DOS.&lt;/p&gt;
 &lt;p&gt;Microsoft bought the rights to market QDOS 86-DOS in 1980. This OS was created by Tim Paterson at Seattle Computer Products (SCP) and was originally called QDOS, an acronym of &lt;b&gt;Q&lt;/b&gt;uick and &lt;b&gt;D&lt;/b&gt;irty &lt;b&gt;OS&lt;/b&gt;. The number "86" refers to the fact that the OS was originally designed to be used with the &lt;a href="https://www.techtarget.com/whatis/definition/Intel"&gt;Intel&lt;/a&gt; 8086 processor. After leaving SCP for Microsoft in 1981, Paterson worked on the PC-DOS version of 86-DOS for IBM's PC. PC-DOS was the first widely installed DOS used in PCs running on Intel 8086.&lt;/p&gt;
 &lt;p&gt;Microsoft produced its own almost identical version of PC-DOS called MS-DOS, which was first released in 1981. As PC sales grew, the ubiquity of MS-DOS grew as well. Subsequent versions of the OS provided improved performance and included additional functionalities, such as support for foreign and extended characters and larger HDDs. Later versions of MS-DOS also enhanced memory management, featured an improved text editor, and provided network support.&lt;/p&gt;
 &lt;p&gt;When Microsoft first introduced Windows as a GUI for MS-DOS, early users had to type "WIN" at the DOS prompt to launch the Windows program. Windows has since evolved from being a GUI program running under MS-DOS to a full OS taking over as the default OS, though it was not until Windows XP that consumer versions of Windows stopped relying on the DOS program win.com to bootstrap the Windows kernel.&lt;/p&gt;
 &lt;p&gt;The last retail version of MS-DOS was MS-DOS 6.22; PC-DOS 2000 was the last retail release of PC-DOS. MS-DOS was still bundled as part of Windows but no longer required a separate &lt;a href="https://www.techtarget.com/searchcio/definition/software-license"&gt;software license&lt;/a&gt;. It can still be run under Windows using a command processor that emulates the MS-DOS interface. There is also an &lt;a href="https://www.techtarget.com/whatis/definition/open-source"&gt;open source&lt;/a&gt; version of DOS called FreeDOS that is based on and compatible with MS-DOS. Other versions of these OSes include DR-DOS, ROM-DOS and PTS-DOS (PhysTechSoft DOS).&lt;/p&gt;
 &lt;p&gt;Because of the many legacy applications that they support, disk operating systems will likely continue to be used for the foreseeable future. Today, they can be used for simple &lt;a href="https://internetofthingsagenda.techtarget.com/definition/embedded-system"&gt;embedded systems&lt;/a&gt; or other use cases because they provide machine independence and because the licensing costs are zero for free or open source OSes.&lt;/p&gt;
 &lt;p&gt;That said, these legacy OSes present critical security problems that make it hard to safeguard them against modern cyberattacks such as &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/SQL-injection"&gt;SQL injections&lt;/a&gt;, man-in-the-middle (&lt;a href="https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM"&gt;MitM&lt;/a&gt;) attacks, &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability"&gt;zero-day vulnerabilities&lt;/a&gt;, and more familiar attacks from &lt;a href="https://www.techtarget.com/searchsecurity/definition/virus"&gt;viruses&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/definition/worm"&gt;worms&lt;/a&gt;, &lt;a href="https://www.techtarget.com/whatis/video/An-explanation-of-ransomware"&gt;ransomware&lt;/a&gt; and &lt;a href="https://www.techtarget.com/whatis/video/An-explanation-of-Trojan-horse"&gt;Trojans&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Disk operating systems played a significant role in the early development of personal computing. Today, some 55 years after their initial development, they hold a place as one of the most important types of OSes in the history of computing.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;The latest Microsoft OS is Windows 11.&lt;/i&gt; &lt;i&gt;Check out this &lt;/i&gt;&lt;a href="https://www.techtarget.com/whatis/feature/Windows-11-explained-Everything-you-need-to-know"&gt;&lt;i&gt;Windows 11 crash course for desktop admins and Microsoft users&lt;/i&gt;&lt;/a&gt;&lt;i&gt;, and explore what you need to know when &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/When-is-Windows-10-end-of-life-How-to-extend-support"&gt;&lt;i&gt;planning to upgrade to Windows 11&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Note:&lt;/b&gt;&lt;i&gt; For disk operating system, the acronym used is always DOS (all three letters in uppercase). The acronym DoS with a lowercase "o" is short for &lt;a href="https://www.techtarget.com/searchsecurity/definition/denial-of-service"&gt;denial of service&lt;/a&gt;&lt;/i&gt;&lt;i&gt;, a method of attacking a networked computer by sending it an abnormally high number of requests in order to exhaust its resources so that genuine users cannot gain access.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A DOS, or disk operating system, is an operating system (OS) that runs from a disk drive. The term can also refer to a particular family of disk operating systems, most commonly MS-DOS (Microsoft DOS).</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/DOS</link>
            <pubDate>Fri, 31 Jan 2025 09:00:00 GMT</pubDate>
            <title>What is DOS (Disk Operating System)?</title>
        </item>
        <item>
            <body>&lt;p&gt;Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, &lt;a href="https://www.techtarget.com/searchsecurity/definition/authentication"&gt;authentication&lt;/a&gt; and authorization across different systems. Instead of remembering a different password for every website, SAML enables users to use one set of login credentials to access multiple applications, services or websites through a single sign-on (&lt;a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on"&gt;SSO&lt;/a&gt;) service. Identity and authentication levels are shared across different systems and services using the SAML protocol to request, receive and format that data.&lt;/p&gt; 
&lt;p&gt;SAML is based on the Extensible Markup Language (&lt;a href="https://www.techtarget.com/whatis/definition/XML-Extensible-Markup-Language"&gt;XML&lt;/a&gt;) standard for sharing data. It provides a framework for enabling SSO and other federated identity systems. A federated identity system links an individual identity to multiple identity domains. This approach enables SSO that encompasses resources on enterprise, trusted third-party vendor and customer networks.&lt;/p&gt; 
&lt;p&gt;The Organization for the Advancement of Structured Information Standards (OASIS) manages the SAML &lt;a href="https://www.techtarget.com/searchnetworking/definition/protocol"&gt;protocol&lt;/a&gt;. SAML 2.0, the current version, was published as an OASIS standard in 2005.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is SAML used for?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is SAML used for?&lt;/h2&gt;
 &lt;p&gt;Organizations use SAML both for business-to-business and business-to-consumer apps. It is used to share user credentials across one or more networked systems. The SAML &lt;a href="https://www.techtarget.com/whatis/definition/framework"&gt;framework&lt;/a&gt; is designed to achieve two objectives: user authentication and user authorization. Additionally, SAML facilitates interoperability between different systems, enabling different &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-provider"&gt;identity providers&lt;/a&gt; and service providers to communicate effectively, even if they have different technical specifications.&lt;/p&gt;
 &lt;p&gt;SAML is most often used to operate SSO authentication systems that enable end users to log in to their networks once and be authorized to access multiple resources on that network. For example, SSO used with Microsoft Active Directory (&lt;a href="https://www.techtarget.com/searchwindowsserver/definition/Active-Directory"&gt;AD&lt;/a&gt;) can be integrated with SAML 2.0 authentication requests.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/authentication-authorization-and-accounting"&gt;Authentication is the process&lt;/a&gt; of determining whether an entity is what it claims to be. It is required before authorization, which is the process of determining whether the authenticated identity has permission to use a resource.&lt;/p&gt;
 &lt;p&gt;SAML authentication depends on verifying user credentials, which, at a minimum, include user identity and password. SAML can also enable support for &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;multifactor authentication&lt;/a&gt;.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How does SAML work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does SAML work?&lt;/h2&gt;
 &lt;p&gt;SSO applications use SAML to move information about user identities from an identity provider to a service provider. SAML authenticates end users who are logged in to a primary service provider to access another service provider's resources.&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/whatis-single_sign_on-h.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/whatis-single_sign_on-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/whatis-single_sign_on-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/whatis-single_sign_on-h.png 1280w" alt="Chart illustrating how single sign-on can connect users to multiple applications. " height="294" width="279"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;SAML enables single sign-on architectures so users can log in once and gain access to multiple network resources.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;For example, enterprise users logged in to their primary SSO work network can be authenticated to a third-party &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-application"&gt;cloud application&lt;/a&gt; provider through SAML rather than being required to log in separately to the cloud application.&lt;/p&gt;
 &lt;p&gt;The primary SSO system acts as the identity provider, and the cloud application acts as the service provider. When an end user, already logged in to the identity provider, attempts to open the cloud application, the cloud application identifies the end user. It then points the user -- or the user's browser or other client software -- back to the identity provider to be authenticated.&lt;/p&gt;
 &lt;p&gt;Authentication requests and responses to those requests must conform to the SAML protocols for exchanging information, with SAML authorization data being formatted as assertions.&lt;/p&gt;
 &lt;p&gt;Here's a breakdown of how the SAML process works:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;User initiates a request.&lt;/b&gt; A user attempts to access a service provider's application, such as a web application or a cloud application with an identity or SSO provider.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;User is redirected to identity provider.&lt;/b&gt; If the user is not already authenticated, the service provider redirects the user to the identity provider for authentication. This redirection includes a request for authentication.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;User is authenticated.&lt;/b&gt; The identity provider prompts the user to log in. Once the user successfully logs in, the identity provider generates a &lt;i&gt;SAML assertion&lt;/i&gt;, which is a secure token or a digitally signed SAML response containing information about the user's identity and attributes. The response might include other information indicating that the user is -- or is not -- authenticated and authorized to access restricted resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;SAML assertion is transmitted.&lt;/b&gt; The identity provider sends the SAML assertion back to the service provider, typically through the user's browser. This assertion confirms the user's identity and might include additional attributes, such as roles or permissions.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Access is granted.&lt;/b&gt; The service provider receives the SAML assertion, validates it and grants the user access to the application based on the information contained in the assertion.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="SAML entities"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;SAML entities&lt;/h2&gt;
 &lt;p&gt;A &lt;i&gt;SAML entity&lt;/i&gt; refers to any system component that participates in SAML-based communications, specifically in the context of identity and service provision.&lt;/p&gt;
 &lt;p&gt;SAML defines three categories of entities:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;End users.&lt;/b&gt; An &lt;i&gt;end user&lt;/i&gt; is a person who needs to be authenticated before getting access to an application.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Service providers.&lt;/b&gt; A &lt;i&gt;service provider&lt;/i&gt; is any system that provides services, typically the services for which users seek authentication, including web or enterprise applications.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Identity providers.&lt;/b&gt; An &lt;i&gt;identity provider&lt;/i&gt; is a special type of service provider that administers identity information.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;SAML's main purpose is to define the markup language used to standardize the encoding of authentication data for exchange between systems. It also includes all the associated protocols and bindings that use SAML-compliant messages to exchange security assertions among end users, service providers and identity providers.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Benefits of SAML"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of SAML&lt;/h2&gt;
 &lt;p&gt;SAML offers many benefits for both users and service providers, especially over other standards in &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;identity and access management&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Common benefits and use cases of SAML include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Simplified login credentials.&lt;/b&gt; With the SSO aspect of SAML, users can log in once and gain access to multiple applications without needing to remember various usernames and passwords. While users might briefly observe web browser redirects during the SAML process, they don't need to interact with or configure any underlying technology. SAML operates seamlessly in the background, enabling users to effortlessly enjoy the benefits of simplified login experiences.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Improved security.&lt;/b&gt; SAML shifts the responsibility of storing and managing user credentials to a dedicated identity provider, eliminating the need for individual applications to store sensitive password data and &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-a-data-breach-10-best-practices-and-tactics"&gt;reducing the risk of data breaches&lt;/a&gt;. By centralizing authentication, organizations can enforce stronger security measures, such as multifactor authentication, robust password policies and granular &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-access-control"&gt;access controls&lt;/a&gt;, to create a more secure and resilient environment.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Interoperability.&lt;/b&gt; SAML is highly interoperable because it's an open standard that isn't owned by any single vendor. The protocol is well defined and extensively documented, which ensures consistent integration across different systems. It also supports &lt;a href="https://www.techtarget.com/searchsecurity/definition/federated-identity-management"&gt;federated identity management&lt;/a&gt;, enabling organizations to manage user identities across various domains and services. This interoperability simplifies user management and improves collaboration between organizations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Reduced password reset and management requests.&lt;/b&gt; SAML reduces password reset and management requests by centralizing authentication. Since users are only required to remember one set of credentials, the frequency of forgotten passwords and the need for password resets are significantly decreased. Additionally, centralized identity management means password changes are handled at the identity provider level, further streamlining the process and reducing administrative overhead.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cost and time savings.&lt;/b&gt; SAML saves time and costs by reducing administrative tasks related to managing multiple accounts and passwords. With SSO, users authenticate once, leading to fewer password resets and help desk support requests. Additionally, centralized &lt;a href="https://www.techtarget.com/searchsecurity/tip/User-provisioning-and-deprovisioning-Why-it-matters-for-IAM"&gt;identity management streamlines user provisioning&lt;/a&gt; and access control, cutting down IT workload and saving on labor and maintenance costs.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="SAML components"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;SAML components&lt;/h2&gt;
 &lt;p&gt;SAML consists of several key components that work together to facilitate the secure exchange of identity, authentication and authorization information between different entities.&lt;/p&gt;
 &lt;p&gt;The four different types of SAML components include assertions, protocols, bindings and profiles.&lt;/p&gt;
 &lt;h3&gt;SAML assertions&lt;/h3&gt;
 &lt;p&gt;SAML assertions are statements of identity, authentication and authorization information. These are formatted using XML-based tags specified in SAML.&lt;/p&gt;
 &lt;p&gt;According to the SAML core &lt;a target="_blank" href="http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf" rel="noopener"&gt;protocol specification&lt;/a&gt;, a SAML assertion is a unit of information that supplies zero or more statements made by a SAML authority. A SAML authority is any system that generates SAML authentication assertions. SAML identity providers are examples of these authorities.&lt;/p&gt;
 &lt;p&gt;SAML specifies three types of assertions:&lt;/p&gt;
 &lt;ol type="1" start="1" class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Authentication assertion.&lt;/b&gt; This assertion indicates that the subject of the assertion has been authenticated. It includes the time and method of authentication as well as the subject being authenticated.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Attribute assertion.&lt;/b&gt; This assertion associates the subject of the assertion with the specified attributes. A specified SAML attribute is one that refers to a defined piece of information relating to the authentication subject.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Authorization decision assertion.&lt;/b&gt; This assertion indicates whether a subject's request to access a resource has been approved or declined.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;h3&gt;SAML protocols&lt;/h3&gt;
 &lt;p&gt;SAML protocols define how different entities request and respond to requests for security information. Similar to SAML assertions, these protocols are encoded with XML tags specified in SAML.&lt;/p&gt;
 &lt;p&gt;SAML defines its own generalized protocols for request/response interactions between systems and the entities that can be authenticated -- either principals or subjects. SAML 2.0 protocols include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Authentication Request Protocol.&lt;/b&gt; This protocol defines requests for authentication assertions and valid responses to such requests. It is used when a request sent from a user to a service provider needs to be redirected to an identity provider.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Single Logout Protocol.&lt;/b&gt; This protocol defines a technique in which all of a user's active sessions can be terminated nearly simultaneously. This capability is important for SSO executions that require terminating sessions with multiple resources when the user logs out.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Assertion Query and Request Protocol.&lt;/b&gt; This protocol defines requests for new and existing authentication assertions.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Artifact Resolution Protocol.&lt;/b&gt; This protocol defines how to request and transmit SAML protocol messages using an identifying value or &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/artifact-software-development"&gt;artifact&lt;/a&gt;. This approach simplifies the exchange of specific protocol messages.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Name Identifier Management Protocol.&lt;/b&gt; This protocol defines a mechanism for an identity provider to manage its name by changing the name identifier and its format or to notify other SAML entities that a name identifier has been terminated.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Name Identifier Mapping Protocol.&lt;/b&gt; This protocol defines a mechanism for mapping a user identifier across different service providers.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;These request and response protocols are defined as part of SAML to enable systems to request authentication, respond to authentication requests and exchange SAML assertions. These protocols are independent of the networking protocols that SAML messages are bound to for network transport.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/saml_protocol_messaging_for_sso_login-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/saml_protocol_messaging_for_sso_login-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/saml_protocol_messaging_for_sso_login-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/saml_protocol_messaging_for_sso_login-f.png 1280w" alt="Chart illustrating how SAML messaging is used to authenticate over SSO, connecting users to service provider resources. " height="411" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Service providers use SAML messaging to authenticate over single sign-on.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;h3&gt;SAML bindings&lt;/h3&gt;
 &lt;p&gt;SAML bindings are the formats specified for SAML protocol messages to be embedded and transported over different transmission mechanisms.&lt;/p&gt;
 &lt;p&gt;SAML depends on several other protocols that are used to format and exchange SAML requests and responses. These include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;XML, which defines how SAML messages are formatted.&lt;/li&gt; 
  &lt;li&gt;Hypertext Transfer Protocol (&lt;a href="https://www.techtarget.com/whatis/definition/HTTP-Hypertext-Transfer-Protocol"&gt;HTTP&lt;/a&gt;), which SAML uses to exchange messages.&lt;/li&gt; 
  &lt;li&gt;SOAP, which originally stood for &lt;a href="https://www.techtarget.com/searchapparchitecture/definition/SOAP-Simple-Object-Access-Protocol"&gt;Simple Object Access Protocol&lt;/a&gt; (though that meaning has dropped off), encapsulates SAML messages.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;SAML bindings define how SAML protocol messages are transmitted. They use the transport protocols that enable communication between SAML entities. SAML 2.0 defines the following bindings:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;HTTP Redirect Binding.&lt;/b&gt; Defines a format for exchanging SAML authentication messages in HTTP redirect messages.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;HTTP POST Binding.&lt;/b&gt; Defines a format for exchanging SAML authentication messages in HTML forms.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;HTTP Artifact Binding.&lt;/b&gt; Defines a format for exchanging SAML artifacts in HTML forms or in a string added to a URL.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;SAML SOAP Binding.&lt;/b&gt; Defines a format for exchanging SAML authentication messages in SOAP messages.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Reverse SOAP (PAOS) Binding.&lt;/b&gt; Defines a mechanism for a web browser client to respond to SAML messages encoded in SOAP messages -- sometimes referred to as &lt;i&gt;PAOS&lt;/i&gt;, which is SOAP in reverse.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;SAML URI Binding.&lt;/b&gt; Defines a mechanism for retrieving a SAML assertion using a &lt;a href="https://www.techtarget.com/whatis/definition/URI-Uniform-Resource-Identifier"&gt;Uniform Resource Identifier&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;SAML bindings enable authenticating systems to exchange SAML assertions and requests using widely supported protocols.&lt;/p&gt;
 &lt;h3&gt;SAML profiles&lt;/h3&gt;
 &lt;p&gt;SAML profiles determine how SAML assertions, protocols and bindings are used together for interoperability in certain applications.&lt;/p&gt;
 &lt;p&gt;A SAML profile consists of SAML assertions, protocols and bindings. SAML profiles are used to define specific applications.&lt;/p&gt;
 &lt;p&gt;Profiles defined for SAML 2.0 include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Web browser SSO profile.&lt;/b&gt; Defines how SAML is used to enable SSO on web browsers.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Enhanced client and proxy profile.&lt;/b&gt; Specifies how specialized clients or &lt;a target="_blank" href="https://internetofthingsagenda.techtarget.com/definition/gateway" rel="noopener"&gt;gateway&lt;/a&gt; proxies operate using SOAP or PAOS bindings.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Identity provider discovery profile.&lt;/b&gt; Defines a technique to give service providers access to identity providers a user previously visited.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Single logout profile.&lt;/b&gt; Shows how the Single Logout Protocol works with SAML bindings.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Assertion query/request profile.&lt;/b&gt; Specifies how SAML entities receive SAML assertions over a synchronous binding like SOAP.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Artifact resolution profile.&lt;/b&gt; Defines how SAML artifacts are exchanged over specific protocols.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Name identifier management profile.&lt;/b&gt; Defines how SAML Name Identifier Management Protocol works over specific protocols.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Name identifier mapping profile.&lt;/b&gt; Defines how SAML Name Identifier Mapping Protocol works over specific protocols.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Attribute query profile.&lt;/b&gt; Outlines how a service provider can request supplementary user attributes from an identity provider following the initial authentication process.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;These profiles can be configured to enable an SSO deployment.&lt;/p&gt;
&lt;/section&gt;                           
&lt;section class="section main-article-chapter" data-menu-title="What's the difference between SAML and SSO?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What's the difference between SAML and SSO?&lt;/h2&gt;
 &lt;p&gt;SAML and SSO are related concepts in the realm of authentication and identity management, but they serve different purposes and have distinct characteristics.&lt;/p&gt;
 &lt;p&gt;The key characteristics that differentiate SAML and SSO are as follows:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;SAML is a platform for requesting authentication. Its most common use is to enable SSO. Some products that utilize SSO services using SAML include &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Windows-Azure-Active-Directory-Windows-Azure-AD"&gt;Microsoft Azure AD&lt;/a&gt;, Citrix Workspace, Entrust Identity and &lt;a href="https://www.techtarget.com/searchvmware/definition/VMware-vSphere"&gt;VMware vSphere&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;SSO uses identity federation management to enable multiple domains to authenticate users using one set of credentials. SSO can use SAML protocols to exchange authentication information, or it can use some other protocol, such as &lt;a href="https://www.techtarget.com/whatis/definition/OpenID"&gt;OpenID&lt;/a&gt;, to manage cross-domain authentication.&lt;/li&gt; 
  &lt;li&gt;SAML provides the technical framework and protocols necessary for executing SSO. It specifies how authentication requests and responses should be formatted and exchanged between the identity provider and service provider.&lt;/li&gt; 
  &lt;li&gt;SSO is the end-user experience that results from using protocols such as SAML. When a user logs in once, they can access various services without needing to reenter their credentials.&lt;/li&gt; 
  &lt;li&gt;SAML is often used in enterprise environments where secure, cross-domain authentication is required. It's particularly effective for web-based applications and services.&lt;/li&gt; 
  &lt;li&gt;SSO is typically executed using various protocols, including SAML, Open Authorization (&lt;a href="https://www.techtarget.com/searchapparchitecture/definition/OAuth"&gt;OAuth&lt;/a&gt;) and OpenID Connect.&lt;/li&gt; 
  &lt;li&gt;SAML is based on XML and uses assertions to transmit authentication information.&lt;/li&gt; 
  &lt;li&gt;SSO can use different technologies, such as cookies, tokens and various authentication protocols, including SAML.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="SAML vs. OAuth vs. OpenID"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;SAML vs. OAuth vs. OpenID&lt;/h2&gt;
 &lt;p&gt;In addition to SAML, OAuth and OpenID are two important specifications that enable SSO.&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/how_saml_and_oauth_compare-h.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/how_saml_and_oauth_compare-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/how_saml_and_oauth_compare-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/how_saml_and_oauth_compare-h.png 1280w" alt="Table comparing SAML vs. OAuth across three characteristics. " height="217" width="279"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;SAML and OAuth differ in important ways.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;h3&gt;OAuth&lt;/h3&gt;
 &lt;p&gt;OAuth 2.0 Authorization Framework protects user credentials while using those credentials to gain access to third-party applications. As a framework, OAuth can be used with either SAML or OpenID Connect to enable SSO.&lt;/p&gt;
 &lt;p&gt;The following are some differences between SAML and OAuth:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;SAML enables authentication of user credentials, while OAuth enables authorization of users that could be authenticated through some other mechanism.&lt;/li&gt; 
  &lt;li&gt;SAML messages are based on XML formatting, while OAuth uses JavaScript Object Notation (&lt;a href="https://www.theserverside.com/definition/JSON-Javascript-Object-Notation"&gt;JSON&lt;/a&gt;) to format its messages.&lt;/li&gt; 
  &lt;li&gt;SAML uses session &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/cookie"&gt;cookies&lt;/a&gt; to manage session state, such as authentication tokens, while OAuth uses API calls to manage authorizations.&lt;/li&gt; 
  &lt;li&gt;SAML secures &lt;a href="https://www.techtarget.com/searchcontentmanagement/tip/How-do-digital-signatures-work"&gt;data exchange through digital signatures&lt;/a&gt; and encryption, whereas OAuth depends on HTTPS encryption and bearer tokens for security.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;OpenID&lt;/h3&gt;
 &lt;p&gt;Published in 2014, OpenID Connect is a relatively new protocol built on the OAuth framework to enable users to use a single existing account to log in to multiple websites. It was specifically designed for web and mobile applications.&lt;/p&gt;
 &lt;p&gt;OpenID Connect defines identities using the OAuth 2.0 protocol. It uses industry-standard JSON Web Tokens and relies on secure HTTPS communication, making it a flexible and user-friendly option for authentication and authorization. Various providers, including Meta, Google and Microsoft, use it to enable access to third-party websites using the providers' credentials.&lt;/p&gt;
&lt;/section&gt;          
&lt;section class="section main-article-chapter" data-menu-title="History of SAML"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;History of SAML&lt;/h2&gt;
 &lt;p&gt;As the world started doing business on the internet at the turn of the century, the need grew for cross-domain authentication and authorization. At the time, the &lt;a href="https://www.techtarget.com/searchsecurity/definition/Kerberos"&gt;Kerberos&lt;/a&gt; authentication protocol was established for use inside enterprise networks, but it fell short on authentication across domains. Microsoft released AD along with Windows 2000 Server edition, but that wasn't enough. It was clear that an open standard was needed.&lt;/p&gt;
 &lt;p&gt;SAML 1.0 was released in 2002, offering a basic framework for authentication and authorization. SAML 1.1, released in 2003, addressed some limitations but still had restricted capabilities. In 2005, SAML 2.0, which is still its latest version, was introduced with significant improvements, including support for &lt;a href="https://www.techtarget.com/whatis/definition/metadata"&gt;metadata&lt;/a&gt;, enhanced single sign-on and better attribute exchange. Since then, SAML 2.0 has had widespread adoption as an authentication standard.&lt;/p&gt;
 &lt;p&gt;Here's a brief &lt;a target="_blank" href="https://saml.xml.org/wiki/an-historical-timeline-for-saml" rel="noopener"&gt;historical timeline of SAML&lt;/a&gt;:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;2001.&lt;/b&gt; The first meeting of the OASIS Security Services Technical Committee. This committee was tasked with creating an XML framework for authentication and authorization.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;2002.&lt;/b&gt; Publication of SAML 1.0 specification as an OASIS standard.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;2003.&lt;/b&gt; SAML 1.1 published as an OASIS standard.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;2005.&lt;/b&gt; SAML 2.0 published as an OASIS standard.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Since 2005, the history of SAML has largely been one of adoption and support from SSO vendors.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;User authentication is crucial for protecting sensitive information and systems from unauthorized access. Discover &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Use-these-6-user-authentication-types-to-secure-networks"&gt;&lt;i&gt;six key authentication types&lt;/i&gt;&lt;/a&gt;&lt;i&gt; to enhance network security.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/SAML</link>
            <pubDate>Fri, 24 Jan 2025 00:00:00 GMT</pubDate>
            <title>What is SAML (Security Assertion Markup Language)?</title>
        </item>
        <title>Search Security Resources and Information from TechTarget</title>
        <ttl>60</ttl>
        <webMaster>webmaster@techtarget.com</webMaster>
    </channel>
</rss>
