Infosec Insider

In this featured post, we speak to TrustedSec Founder Dave Kennedy who offers up advice on how you can set up your security department’s defenses to respond and defend against common attacks.

Jonathan Sander addresses why security teams fail at controlling privileged identities, and what they should be doing that won't upset the apple cart.

There is no question that the cybersecurity job market is hot, but not any old recruiter is suited to help you with your hiring needs.

Tony Sager hopes security practitioners don't view the CIS Controls as "just another checklist."

The rise of the "citizen developer" may be a blessing for organizations looking to create efficiencies, but could become a curse for security teams if not handled properly.

Tackling GDPR means knowing where all your data reside, even if they're outside of your direct control. Here we take a look at how you can tackle this initiative even if you're a bit late given the time of year and when the regulation goes into effect.

SMBs can’t just throw up their hands at cybersecurity, despite a probable dearth of resources. Since most aren't likely to magically receive a multimillion dollar cybersecurity budget windfall, we've provided our top 6 tips for how to manage security on a limited budget.

Security testing must be about more than finding vulnerabilities and remediating them. In this feature article we take a look at four proven ways that you can improve your security testing outcomes.

When it comes to old or no-longer-useful corporate data, you can't just hit "delete." Effective electronic data disposal and destruction requires a much more pragmatic and centralized approach. 

For security metrics to be relevant to the board of directors, security teams must tell the story of how those metrics are supporting business goals. How to accomplish this is no easy task.

What do running and your career in information technology/information security have in common? At first glance, not a whole lot. But with a couple of quick examples, I think we will find some similarities.

If you're looking to ensure that your cyber incident response plan doesn't turn into shelfware, here are five ways to make it actionable. 

If you're a government contractor or a government entity hiring contractors, you need to know the ins and outs of the new FAR and DAR Councils' cybersecurity rules for government contractors.

The infosec tools market can be overwhelming with its abundance of options. How do you choose the best tool for your environment? This informative article will help point you in the right direction.

CISOs may have a highly-respected job title, but earning influence with business peers is a more significant challenge.

Is your organization adequately equipped to identify anomalous patterns across the network? If you're doubtful, it may be time to try out alternative models that will help you detect previously unknown attacks.

Browser password-saving tools are convenient and may allow account holders to apply stronger passwords, but they're not security tools.

To help security leaders find new ways to better align with business colleagues, we turned to two experts to find out how they’re constantly maneuvering between technical requirements and fueling business priorities.

Given today’s content-driven society, it benefits cybersecurity and threat intelligence practitioners to gain some understanding of the psychological strategies and exploitation techniques within the intelligence and counterintelligence tradecraft.

In this follow-up article, cloud researcher Mark Nunnikhoven gives us his take on the Meltdown and Spectre vulnerabilities, which can exploit flaws in modern processors. Nunnikhoven provides us with the potential implications that you should take note of.

An interview with industry veteran Aaron Turner that helps demystify the probable consequences of Meltdown and Spectre, the two headline-grabbing security vulnerabilities capable of exploiting critical vulnerabilities in modern processors. Turner breaks down what you should do.

New technology is impressive, but sometimes it’s not available or just plain doesn’t work. Legwork, investigation, and following leads are skills security pros can’t forget to practice and use. 

A security team—just like any functional area team—is made of up unique individuals with distinct personalities and working styles.

If the term “asset inventory” elicits involuntary yawns of boredom, you’re not looking at the problem from the right angle. You could make an entire career out of a true, living asset inventory.

Technologists are the bedrock of IT and IT security. They innovate, create, build, implement, maintain, and decommission the most amazing software and hardware systems ever compiled.

The Marcher Android Trojan is a malware variant which first emerged in late 2013. Sold on underground forums, the early malware targeted predominantly Russian Android users.

Sever Message Block A server message block (“SMB,” not to be confused with “small and medium businesses,” another common abbreviation) is an application layer network file-sharing protocol which allows systems within the same network to share and access files and resources easily. SMBs facilitate network communication between client applications and the server. 

One of the ways to mitigate damage in the event of a breach is to “hash” password, or cryptographically convert a plaintext password to an irreversible output, like a key or token (i.e., “hash”) that is stored and can be used in place of the original input.

Cybersecurity has been gaining traction as a “board level topic” over the past several years. While boards of directors, along with executive management, all want the answer to, “How secure are we,” security professionals know that that answer doesn’t often come wrapped in a tidy little box. 

Security teams fight many battles. There are threats, vulnerabilities, exploits, improperly configured systems, legacy equipment, lean budgets, staffing shortages, and users who are fallible. Any of these things, alone, add up to challenge, but possibly the biggest challenge security teams face is the battle between the security department and the CIO.

For companies on the path of cloud adoption, the fear that dark “clouds gathering” could impact business health and one's financial bottom is a source of anxiety. Despite recent data that show cloud adoption rates consistent growth over the last 18 months, a group of holdouts endure.

Cloud technology has been moving at a tremendous pace. For businesses, it seems to have happened in the blink of an eye. It’s faster and more agile, with the ability to re-architect an entire infrastructure. But why has this happened so quickly, and what does it mean for security practitioners? 

By Marcos Colón September 26, 2016 The cybersecurity industry is full of terms that both vendors and end users love to glom on to. Ok, maybe vendors lead the way, but their customers may not be doing a good job of speaking up and asking them to clarify what it is they do – taking the various mixed marketing messages as they come and running with it.

After the contentious Brexit vote last week, the British Parliament’s House of Commons Committee is investigating potential commandeering of an online petition calling for a second referendum on the matter. 

One of the security downfalls of Android devices is the profusion of independent device makers and the varying states of attention each manufacturer pays to device security. 

Phishing is a social engineering technique through which an attacker spoofs (i.e., imitates) a known source in an attempt to fool a victim into providing information or performing an action, like clicking on a link or opening an attachment.

How do you secure that which you don't control? This is the big question for every enterprise, since no organization exists in a vacuum. From third-party commercial software (including operating systems) to open source, custom-written applications, there are plenty of attack vectors that cause concern.