Blog
Buyer’s Guide for Evaluating Cyber Threat Exposure Management (CTEM) Tools
The Problem with Vulnerability Assessment Scanners If you’re reading this post, chances are you’re looking to take the next step…
-
Attack Path Mapping: The Future of Vulnerability Management
In today’s dynamic threat landscape, relying solely on Common Vulnerabilities and Exposures (CVEs) to assess the exposure and the likelihood…
-
Top Trending CVEs of May 2024
It’s May, baseball is in full swing and schools are nearly out for summer vacation. This month we take a…
-
Top Trending CVEs of April 2024
April is here, spring has arrived and everyone in the lower 48 of the United States got to witness a…
-
Security Insights Feature Release: See Hidden Security Trends with Exception Insights
See Hidden Security Trends. Make Smarter Choices. Ever feel like you’re flying blind when it comes to your security posture?…
-
Security Insights Feature Release: Unmasking Hidden Vulnerabilities with Threat Vector Insights
Go Beyond the CVSS Score In the relentless fight against cybercrime, security analysts face an avalanche of vulnerability data. Each…
-
Security Insights Feature Release: Demystifying Remediation with Velocity Insights
Unmask the Hidden Forces Shaping Your Security Posture Every organization battles a relentless tide of vulnerabilities. The fight to identify,…
-
Top Trending CVEs of March 2024
March may be absolute madness for the NCAA and people in bunny suits, but it was a fairly quiet month…
-
The Future of the NopSec Platform: The Security Insights Platform for Cyber Threat Exposure Management
Security Data Analysis is Hindering Vulnerability Management Program Effectiveness Vulnerability management is a vital process for any organization that wants…
-
Top Trending CVEs of February 2024
February 2024 is off to a ripping start for security research. This month we’re focusing on a piece of open…
-
CTEM: The First Proactive Security Innovation in 20 Years
Summer 2021 It was in the summer of 2021, in the middle of COVID. Isolation and testing remained in effect,…
-
Volt Typhoon’s Chinese-State Sponsored Attack on U.S. Critical Infrastructure
The U.S. government this week said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some…
-
Achieve Faster and Easier Vulnerability Remediation with Remediation Plans
Vulnerability remediation is one of the most challenging and critical aspects of vulnerability management. It involves not only identifying and…
-
Top Trending CVEs of January 2024
Happy New Year! We open up 2024 with an interesting mix of vulnerabilities, some of which have been patched for…
-
Top Trending CVEs of December 2023
Happy Holidays! As we close out 2023 we do it with a bit of deja vu (depending on how sharp…
-
Top Trending CVEs of November 2023
The holiday season has officially arrived, but that hasn’t slowed down security research. November featured some seriously cool exploits and…
-
NopSec Announces Release of New Cyber Threat Exposure Platform
We are excited to announce the release of a new and improved NopSec platform – NopSec Cyber Threat Exposure Management….
-
Top Trending CVEs of September 2023
September was an exciting month for NopSec as we hosted our Customer Advisory Board meetings in New York City. Thanks…
-
Top Trending CVEs of August 2023
Summer is slowly cooking everyone into air conditioned spaces as vacations wind down and school winds up. August featured some…
-
Three Major Signs You Need a Cyber Threat Exposure Management Tool
Cyber threat exposure management (CTEM) tools are a new technology replacing traditional vulnerability prioritization tools (VPT). They were created to…
-
Top Trending CVEs of July 2023
July was a busy month for vulnerability research. We had the opportunity to be picky about our curated selection of…
-
NopSec Retains Soc 2 Type II Status for Second Straight Year
NopSec is proud to announce it has successfully completed the System and Organization Controls (SOC) 2 Type II examination in…
-
Top Trending CVEs of June 2023
It’s finally summer! That means kids are out of school and vacations are in full swing, that includes Security Researchers….
-
Top Trending CVEs of May 2023
May was a rather quiet month for security research, but an excellent write up filtered to the masses from the…
-
How to ROI a Cyber Threat Exposure Management Tool with Excel Instructions
When evaluating any software solution for purchase, ROI is one of the most crucial parts of that evaluation. Without communicating…
-
Feature Update: Vulnerability Query Builders
NopSec is proud to announce the release of a new feature this week aimed at enhancing our users’ workflows! We…
-
Top Trending CVEs of April 2023
April was a busy month for Microsoft. Patch Tuesday introduced critical Windows fixes to address a pair of remote command…
-
Top Trending CVEs of March 2023
In March 2023, security researchers identified a number of critical vulnerabilities that could be exploited by attackers to gain access…
-
Cryptocurrency Security Threat Modeling: Beyond Vulnerabilities
Another day goes by, another latest and greatest security breach affects the cryptocurrency world. The attacks range from phishing campaigns…
-
How Much Does a Vulnerability Prioritization Tool (VPT) Cost
So, you’re looking to take your vulnerability management game to the next level with a vulnerability prioritization tool (VPT). Well,…
-
What’s the Difference Between Vulnerability Assessment Scanners and Vulnerability Prioritization Tools
Under the umbrella of risked-based vulnerability management (RBVM) live a host of tools who’s applications correspond to various stages of…
-
Fix Less, Secure More: Why You Should Put Vulnerability Prioritization First
NopSec has been in the risk-based vulnerability management (RBVM) game for 10 years now. Over the course of this decade…
-
Top Trending CVEs of February 2023
In this month’s trending CVEs we have a number of patches released by Microsoft to address critical vulnerabilities identified in…
-
How to Identify Cybersecurity Attack Paths from the Attacker’s Perspective
When it comes to cybersecurity, there are two points of view to always consider – the external and the internal….
-
What is a Vulnerability Prioritization Tool and How Do They Work?
If you’re new to cybersecurity technology or looking to mature your program you’ll quickly come across vulnerability prioritization tools in…
-
Top Trending CVEs of January 2023
Happy New Year! In this month’s trending CVEs ManageEngine takes the top spot with yet another unauthenticated remote command execution…
-
Top Trending CVEs of December 2022
Happy holiday season! December was off the chains, literally. Microsoft released a security update to address a remote command execution…
-
How to Create Vulnerability Management Reports for Executives
Vulnerability Management programs produce a lot of data about the vulnerabilities and remediation efforts. Due to this, it is very…
-
The Case for a ‘Vulnerability Management Token’: A new way to reward vulnerability remediation
November 2022 has not been a boring month indeed! One of the most prominent and powerful cryptocurrency exchange – FTX…
-
Feature Update: Reduce Asset Risk with Mitigating Controls
Overview NopSec provides the most accurate risk-based vulnerability prioritization across an organization’s entire attack surface. One key element of this…
-
Top Trending CVEs of November 2022
Happy Thanksgiving! November was a surprisingly slow month. It’ll be perfect for some light reading over a thanksgiving break. In…
-
The Benefits of Full Stack Vulnerability Management
What is Full Stack Vulnerability Management? Full stack vulnerability management utilizes a variety of vulnerability scanner types to identify and…
-
Vulnerability Scanning Best Practices
Vulnerability management’s cornerstone is largely going to revolve around setting up and managing your infrastructure scanner in order to find,…
-
Five Questions to Ask Before Choosing an RBVM Platform
Choosing a risk-based vulnerability management (RBVM) solution can be daunting. Where do you begin? What features are available, and what…
-
Vulnerability Management in Election Security
Vulnerability management is an ongoing, iterative process. Companies with large cybersecurity teams can still struggle with proving the efficacy of…
-
Top Trending CVEs of October 2022
Happy Halloween! The October trending CVEs feature another out of bound write of vulnerability being exploited in the wild that…
-
CISA Binding Operational Directive 23-01: A Mandate for Attack Surface and Vulnerability Management in Federal Networks
CISA has recently issued a Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks, which…
-
“Future of Vulnerability Management” Podcast Episode 10: How to Reinvigorate the Vulnerability Management Category
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
CVSS vs EPSS: Why Emerging EPSS Outperforms Old CVSS Models
Accurately assessing the risk of software vulnerabilities is critical in order to prioritize remediation efforts given limited remediation resources. For…
-
“Future of Vulnerability Management” Podcast Episode 9: Why it’s Important for Security Practitioners to Understand Business Logic to Prioritize Vulnerabilities
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
Mapping CVEs and ATT&CK Framework TTPs: An Empirical Approach
Categorizing and classifying vulnerabilities and attacks is important to understand how a vulnerability is exploited and how a breach unfolds…
-
“Future of Vulnerability Management” Podcast Episode 8: How Organizational Culture Affects Consensus about the Criticality of Assets
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
Using Machine Learning in Vulnerability Management for Prioritization
Securing computer systems is the ultimate big data problem. Billions of computers generate roughly 2.5 quintillion bytes of data everyday. …
-
“Future of Vulnerability Management” Podcast Episode 7: How Practitioners Can Use Vulnerability Management to Improve Business Objectives
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
Top Trending CVEs of September 2022
In this month’s edition of trending CVEs, we feature a blast from the past that provides an excellent example of…
-
Keeping Vulnerability Scanner Data in Sync for Vulnerability Remediation
All Risk-Based Vulnerability Management (RBVM) platforms include integrations to multiple vulnerability assessment products. In addition to vulnerability findings and asset…
-
“Future of Vulnerability Management” Podcast Episode 6: The Role Vulnerability Management Plays in Proper Cyber Hygiene
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
Vulnerability Management Prioritization: Defense Wins Championships
Vulnerability Management is one of the less flashy or exciting parts of your cybersecurity department maintenance routine – but is…
-
NopSec Achieves SOC 2 Type II Status
NopSec announces its new status as SOC 2 Type II qualified. A leading risk-based vulnerability management platform, NopSec maximizes the…
-
“Future of Vulnerability Management” Podcast Episode 5: How to Bridge the Gap Between Risk Management and Core Business Outcomes
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
Security Priorities 2022: Insights from the State of Vulnerability Management Report
In its most basic form, security is about protecting people and systems from harm. Increasingly, our security depends on our…
-
“Future of Vulnerability Management” Podcast Episode 4: How a 105 year old Ad Agency Tackles Vulnerability Management With Clients
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
Four Interesting Facts from the State of Vulnerability Management Report
The State of Vulnerability Management report, recently released by NopSec, shows that while organizations are making strides in vulnerability management,…
-
“Future of Vulnerability Management” Podcast Episode 3: The Power of Soft Skills in Vulnerability Management
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
Top Trending CVEs of August 2022
This month we have five CVEs on the radar. The August 2022 Patch Now Award* this month goes to ManageEngine,…
-
Creating a Vulnerability Management Program – Vulnerability Remediation: More Complex than You Might Imagine
In prior blogs, we’ve spelled out how an organization finds its vulnerabilities and how security teams consider threat intelligence to…
-
“Future of Vulnerability Management” Podcast Episode 2: Weaknesses in the Vulnerability Management Field
The Future of Vulnerability Management podcast is dedicated to helping security professionals tackle real issues in the vulnerability management space. Lisa…
-
Creating a Vulnerability Management Program – Cybersecurity Risk: Why You Need Both Vulnerability and Threat Assessments
In this blog, we’ll add to our cybersecurity considerations the concept of threats and threat intelligence. So far, we’ve looked…
-
CIS 18 Critical Security Controls Version 8
The CIS Security Controls, published by SANS and the Center for Internet Security (SIS) and formerly known as the SANS…
-
Introducing: the “Future of Vulnerability Management” Podcast
Today, we are excited to announce our new podcast — the Future of Vulnerability Management which is dedicated to helping…
-
Creating a Vulnerability Management Program – Penetration Testing: Valuable and Complicated
Once you’ve started a vulnerability scanning system, you may want to take the next step in identifying vulnerabilities: penetration testing,…
-
State of Vulnerability Management: 6 Key Takeaways
Have you ever wondered what security professionals want most from their Vulnerability Management (VM) program? We have. In fact, we…
-
Creating a Vulnerability Management Program – Vulnerability Scanners: How They Help Cybersecurity Readiness
Learn how to identify the right vulnerability scanner(s) for your organization’s needs. So far in this series, we have laid…
-
Creating a Vulnerability Management Program – Patching: Take the Panic out of Patching by Managing CVE Threat Overload
Imagine a company that started in early 2012 with a half dozen employees — all working in one office —…
-
Creating a Vulnerability Management Program – Discovering Your Vulnerabilities: The First Foray
We talked previously about the need to use people, processes, and technology wisely to support your vulnerability risk management. Each element…
-
Feature Update: NopSec Risk Scoring Algorithm Improvements
Risk Score Update Key Takeaways NopSec is announcing the first in a series of updates to our Risk Scoring Machine…
-
China is Exploiting Vulnerabilities in Widely Used Home-Office Devices, U.S. Agencies Warn
A new advisory from top federal security and law enforcement agencies warns that state-sponsored cyber actors from the People’s Republic…
-
Understanding the Difference Between Vulnerabilities and Exposures
The cybersecurity world talks a lot about “common vulnerabilities and exposures” (CVEs) and compiles ongoing lists of them with a…
-
New Security Vulnerabilities: How Should You Respond?
Cybercrime has exploded in growth over the past several years to levels that are stunning to contemplate. To put it…
-
Exploiting Kerberos for Lateral Movement and Privilege Escalation
Introduction Within most enterprise environments, authentication is handled by a central system known as the domain controller. The domain controller,…
-
Risk-Based Vulnerability Management: Efficient + Effective
We described in the previous blog post the difference between vulnerability management and risk management. A quick reminder: vulnerabilities are…
-
Vulnerability Management vs. Risk Management: Defining the Fundamentals
Businesses run fast to keep pace in a market that is ever dynamic, with new entries threatening to oust established…
-
How Many Venture-Backed Cybersecurity Startups Are Led By Women?
Cybersecurity startups have had an incredible past couple of years. In 2020, they raised $8.9 billion and last year, that…
-
Creating a Vulnerability Management Program – The People, Process, and Technology
Continuing our How to Build a VM Program series, this third installment breaks the working components of a program into…
-
Creating a Vulnerability Management Program – What is Vulnerability Management and the VM Lifecycle Stages?
As we said in the introduction to this series, cybercriminals are becoming increasingly sophisticated in their assaults, and the methods…
-
Creating a Vulnerability Management Program – Why You Need a Vulnerability Management Program Starting Now
In the past, cybercriminals relied heavily on phishing to slip into an organization’s IT system to achieve their objectives. Recently,…
-
Implementing and Maintaining Security Program Metrics
Cybersecurity metrics are a pertinent part of measuring the successes and failures of your program and the effectiveness of your…
-
Why IAM Technology is Critical to Your Vulnerability Management Program
In previous blogs, we discussed Attack Surface Management (ASM) and explained how ASM is critical to your overall Vulnerability Management…
-
Feature Release: Granular SLAs, Limit Asset Groups, ITSM Ticket Numbers
In addition to the Infrastructure Vulnerability Reports released this October, NopSec is also excited to announce the following additional product…
-
Feature Release: UVRM Infrastructure Vulnerability Reports
NopSec recently released a feature that makes it easy to obtain the information you need about the vulnerabilities in your…
-
Attack Surface Management: Why Your Attack Surface is Critical to Your Vulnerability Management Program
In our last blog, we discussed what Attack Surface Management (ASM) is. Now we will explore the importance of how…
-
5 Reasons Why Attack Surface Management MUST Be Part of Your VA Program
Back in 2019, when I was a research analyst at Gartner, I started to see a monumental shift in how…
-
Vulnerability Management FAQ
What is Vulnerability Management lifecycle? Vulnerability management lifecycle —Discovery, Detection, Prioritization, Remediation, Validation and Program Intelligence. What is an asset? …
-
The ROI of ThreatForce
Demonstrating the ROI of security investments has long been a challenge for SecOps teams. If an organization as a whole…
-
NopSec Drives the Vulnerability Management Standards with Latest Release of Program Intelligence Module
NopSec’s Vulnerability Risk Management Platform Enables Organizations to Better Manage Business Risk. New York, NY – NopSec,Inc., a leader in…
-
NopSec – CrowdStrike Joint Solution Brief
NopSec and CrowdStrike are pleased to announce that the two companies have entered into a global technology partnership, integrating NopSec’s leading enterprise Vulnerability…
-
Responder: Beyond WPAD
Penetration testing demands a diverse skill set to effectively navigate and defeat security controls within the evaluated environment. It’s a…
-
Webinar – Analysis of Verizon 2020 DBIR Report: Vulnerability Management Implications
Analysis of Verizon 2020 DBIR Report: Vulnerability Management Implications Webinar presented by Michelangelo Sidagni. THIS WEBINAR COVERED… • Asset management…
-
Verizon DBIR: Analysis of Verizon DBIR Report
It is that time of the year again! The Verizon 2020 DBIR report is out again – https://enterprise.verizon.com/resources/reports/dbir/ – and…
-
Special Offer – COVID-19
Due to COVID-19, NopSec is empowering remote workforces with a much needed relief for businesses. Take Advantage of NopSec’s Amazing…
-
Vulnerability Management in the time of a Pandemic
As an average person I had to refer to the book I read and to the movie I watch to…
-
SMBMap: Wield it like the Creator
The tool “SMBMap” was created nearly seven years ago. Originally based on a Python library called PySMB, it has since…
-
International Women’s Day 2020 – NopSec & Mastercard Partnership
In celebration of International Women’s Day 2020, NopSec and Mastercard partner to commemorate women in tech, diversity and product leadership…
-
NopSec Attended Fal.Con Unite 2019 Event
NopSec, a leader in vulnerability and cyber threat management, attended Fal.Con UNITE 2019, CrowdStrike Cybersecurity Conference. We have gathered on…
-
Trending CVEs for the Week of October 21st, 2019
Still CVE-2019-14287 – Linux Sodo Vulnerability Linux Sodo Vulnerability, tracked as CVE-2019-14287, has been a nightmare for IT & cyber-security…
-
Trending CVEs for the Week of October 14th, 2019
CVE-2019-14287 – Linux Sodo Vulnerability Description A flaw was found in the way sudo implemented running commands with arbitrary user…
-
Trending CVEs for the Week of October 7th, 2019
CVE-2019-1367 – MICROSOFT ZERO-DAY VULNERABILITY – OUT-OF-BAND PATCH, Again Microsoft zero-day vulnerability is still trending on social media and we…
-
Trending CVEs for the Week of September 30th, 2019
CVE-2019-16759 – vBulletin Remote Code Execution Description vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in…
-
Trending CVEs for the Week of September 23rd, 2019
CVE-2019-1367 – Microsoft Zero-Day Vulnerability – Out-of-band Patch Description A remote code execution vulnerability exists in the way that the…
-
Trending CVEs for the Week of September 16th, 2019
CVE-2019-0708 – BLUEKEEP Exploit Has Been Released The BlueKeep vulnerability, tracked as CVE-2019-0708, has been a nightmare for IT &…
-
Pentest Findings & Mitigating Controls
What Enables the Kill Chains for Total System Compromise At NopSec my red teaming service team never stops amazing me…
-
Trending CVEs for the Week of September 2nd, 2019
Still CVE-2019-11510 – Pulse Secure VPN CVE-2019-11510 has been a nightmare for IT & cyber-security teams for the past 2…
-
Asset Value
Security risk professionals need to assess asset values to add business context to vulnerability management prioritization. NopSec understands that it…
-
Trending CVEs for the Week of August 26th, 2019
CVE-2019-11510 – Pulse Secure VPN Description In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before…
-
Trending CVEs for the Week of August 19th, 2019
CVE-2019-1181 – Wormable Windows Remote Desktop Flaw Description A remote code execution vulnerability exists in Remote Desktop Services – formerly…
-
Trending CVEs for the Week of August 12th, 2019
CVE-2019-1125 – SWAPGS Vulnerability Description An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An…
-
Value of Using Trending Metrics in Vulnerability Management
My work as Senior Product Designer here at NopSec has given me a unique view of the industry landscape, as…
-
Unified VRM Role-Based Access Control (RBAC)
NopSec offers role-based access control (RBAC) that give you flexibility to determine the level of permissions and access scope that…
-
Unified VRM Role Permissions
In Unified VRM, permissions can be set for each user based on their role and their access. Roles can be…
-
Trending CVEs for the Week of August 5th, 2019
CVE-2019-13272 – Linux Kernel Privilege Escalation Vulnerability Alert Description In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the…
-
Risk Management Platform: Unified VRM Vulnerability Export API
NopSec’s Threat and Vulnerability Risk Management platform, Unified VRM, exposes a REST API with Unified VRM Vulnerability Export API. It…
-
Unified VRM Fuser
NopSec bidirectionally syncs a single source of truth to organizations’ IT ecosystems Organizations often have several tools as a part…
-
Trending CVEs for the Week of July 29th, 2019
CVE-2019-2107 – Android devices could be hacked by playing a video Description This vulnerability could lead to remote code execution…
-
Trending CVEs for the Week of July 22nd, 2019
CVE-2019-6342 – Drupal Core Access Bypass Vulnerability Description According to its self-reported version, in Drupal 8.7.4, when the experimental Workspaces…
-
Trending CVEs for the Week of July 15th, 2019
CVE-2019-1132 – Win32k Elevation of Privilege Vulnerability Description An elevation of privilege vulnerability exists in Windows when the Win32k component…
-
Trending CVEs for the Week of July 8th, 2019
CVE-2017-11774 – Microsoft Outlook Security Feature Bypass Vulnerability Description A security feature bypass vulnerability exists when Microsoft Outlook improperly handles…
-
Trending CVEs for the Week of July 1st, 2019
Again, CVE-2019-0708 – BlueKeep – Wormable RDP Vulnerability The BlueKeep vulnerability, tracked as CVE-2019-0708, has been a nightmare for IT…
-
Trending CVEs for the Week of June 17th, 2019
CVE-2019-11477 – SACK Panic Remote Command Execution Flaw in Exim is still trending on social media and we extensively covered…
-
Trending CVEs for the Week of June 10th, 2019
CVE-2019-10149 – Remote Command Execution Flaw in Exim The BlueKeep vulnerability is still the number one trending vulnerability on social…
-
Trending CVEs for the Week of June 3rd, 2019
CVE-2018-15664 – Docker Vulnerability The BlueKeep vulnerability is still trending on social media and we extensively covered CVE-2019-0708 in May…
-
Clues to identifying IT vulnerability owners
IT Vulnerability Ownership, Part 2: Find early adopters Telling people what to do gets nowhere fast. I even have to…
-
How Unified VRM is One Pane of Glass for Vulnerability Management
At NopSec we have one mission: to make vulnerability management easier. We bring transparency, order and ease to vulnerability data…
-
Trending CVEs for the Week of May 27th, 2019
Still CVE-2019-0708 – BlueKeep – Wormable RDP Vulnerability The BlueKeep vulnerability, tracked as CVE-2019-0708, has been a nightmare for IT…
-
Trending CVEs for the Week of May 20th, 2019
CVE-2019-0708 – BlueKeep – Wormable RDP Vulnerability NopSec advises you to apply patches immediately. Description CVE-2019-0708 is a critical remote…
-
Focus on Vulnerability prioritization with Nopsec’s Risk Score
NopSec’s founders, Michelangelo Sidagni and Lisa Xu built the company with one main goal in mind: better prioritization. After years…
-
Trending CVEs for the Week of May 13th, 2019
CVE-2019-0604 – Microsoft SharePoint Remote Code Execution Vulnerability Description A remote code execution vulnerability exists in Microsoft SharePoint when the…
-
Trending CVEs for the Week of May 6th, 2019
CVE-2019-3396 – Widget Connector Macro in Atlassian Confluence Server Last week, we covered CVE-2019-2725 which was a vulnerability in the…
-
Trending CVEs for the Week of April 29th, 2019
CVE-2019-2725 – Oracle WebLogic Server Zero-Day Vulnerability Description CVE-2019-2725 is a vulnerability in the Oracle WebLogic Server component of Oracle…
-
Trending CVEs for the Week of April 22nd, 2019
CVE-2019-0859 – Yet Another Windows Zero-Day Vulnerability Last week, we covered an elevation of privilege vulnerability in Win32k component of…
-
Trending CVEs for the Week of April 15th, 2019
CVE-2019-0859 – Yet Another Windows Zero-Day Vulnerability Description This week’s trending vulnerability may sound eerily familiar. CVE-2019-0859 is an elevation…
-
Penetration Testing With Shellcode: Hiding Shellcode Inside Neural Networks
NopSec commonly needs to bypass anti-virus / anti-malware software detection during our penetration testing engagements, which leads us to spend…
-
E3 Engine: Engine Microservice That Evaluates, Explores and Enriches Vulnerabilities
Three times the vulnerability prioritization When it comes to vulnerabilities, I always say: “not all vulnerabilities are created equal”. Some…
-
IT Vulnerability Owners: How to Identify Vulnerability Owners (Yes Its’ Hard)
IT Vulnerability Ownership, Part 1: Problem, benefits to solving it, and understand its roots Running a successful vulnerability management program…
-
Trending CVEs for the Week of April 8th, 2019
CVE-2019-0211 – Carpe Diem – Apache Local Privilege Escalation Vulnerability Description This week’s trending vulnerability is CVE-2019-0211, a local privilege…
-
Security Product vs Service Company
The Lines Are Blurring NopSec started as a penetration testing service delivery company at my kitchen table. The company then…
-
Machine Learning in Cybersecurity Course – Part 2: Specific Applications and Challenges
Spam detection, facial recognition, market segmentation, social network analysis, personalized product recommendations, self-driving cars – applications of machine learning (ML)…
-
2019 Q1 Social Media Trends
Back in February, we talked about a malicious container ‘break out’ vulnerability in runc (CVE-2019-5736), a universal command-line interface tool…
-
Trending CVEs for the Week of April 1st, 2019
CVE-2019-1002101 – Kubernetes Directory Traversal Description Back in February, we talked about a malicious container ‘break out’ vulnerability in runc…
-
Vulnerability Prioritization Tools: Creating a New User Experience
Launching the new Unified VRM gave us an opportunity to redesign the vulnerability management experience from the ground up. As…
-
Trending CVEs for the Week of March 25th, 2019
CVE-2019-5418 – Ruby on Rails File Content Disclosure Vulnerability Description This week’s trending vulnerability, CVE-2019-5418, is a file content disclosure…
-
Machine Learning in Cybersecurity Course – Part 1: Core Concepts and Examples
Spam detection, facial recognition, market segmentation, social network analysis, personalized product recommendations, self-driving cars – applications of machine learning (ML)…
-
Leveraging Exposed WADL XML in Burp Suite
Recently on a customer engagement, I discovered an application that exposed its Web Application Description Language (WADL) XML that describes…
-
Trending CVEs for the Week of March 18th, 2019
CVE-2019-0797 – Windows Zero-Day Vulnerability Description CVE-2019-0797 is one of the three zero-day vulnerabilities (one in Chrome, the other two…
-
Instant Risk Reduction Recommendations to Align Priorities with IT
Snow flurries were a welcome change in New Jersey from last month’s high gust winds. I often multitask my dog…
-
Trending CVEs for the Week of March 11th, 2019
Google Chrome Zero-Day Vulnerability (CVE-2019-5786) & Two New Actively Exploited Windows Zero-Day Vulnerabilities Description On February 27th, security engineers from…
-
NopSec Accelerates Enterprise Growth And Appoints Three Industry Veterans To The Board Of Advisors
NopSec Inc, a leader in vulnerability prioritization, remediation workflow automation and breach prediction announces the appointments of three new Board…
-
Trending CVEs for the Week of March 4th, 2019
Updates on Drupal (CVE-2019-6340) & A New Improper Input Validation Flaw Leading to RCE in Cisco Routers (CVE-2019-1663) The improper…
-
Time is Money Part 6: Calculating ROI of Vulnerability Management Program
This is the final post in this six-part series. You can find the previous posts below. Time is Money, Part…
-
Trending CVEs for the Week of February 25th, 2019
CVE-2019-6340 – Improper Input Validation Leading to Remote Code Execution in Drupal This week’s most tweeted-about vulnerability is a, yet…
-
Trending CVEs for the Week of February 18th, 2019
CVE-2019-5736 – Malicious Container “Break Out” Vulnerability in Runc Last week, we extensively covered a security flaw in runc –…
-
Time is Money, Part 5: Validating the Fix
This is part five in a six-part series. You can find the previous posts below. Time is Money, Part 1:…
-
CVE to KB: How to Correlate CVE Vulnerabilities to KB Patches via Automation
Here at NopSec our goal is to provide the most intelligent, automated way of managing cybersecurity risk in enterprise environments….
-
How we mitigated CVE-2019-5736 for Unified VRM – Docker Runc Vulnerability
tl;dr CVE-2019-5736 is a runc vulnerability that allows attackers to obtain root access of any host running a docker container….
-
Trending CVEs for the Week of February 11th, 2019
CVE-2019-5736 – malicious container “break out” vulnerability in runc If you follow cybersecurity news at all, you have likely already…
-
Trending CVEs for the Week of February 4th, 2019
CVE-2019-1653 (Cisco Routers information disclosure), CVE-2018-16858 (LibreOffice directory traversal bug) It has been a relatively slow week as we have…
-
Time is Money Part 4: Fix Security Vulnerabilities
This is part four in a six-part series. You can find the previous posts below. Time is Money, Part 1:…
-
Time is Money, Part 3: Vulnerability Assignment
This is part three in a six-part series. You can find the previous posts below. Time is Money, Part 1:…
-
Trending CVEs for the Week of January 28th, 2019
This week’s most talked about vulnerability is CVE-2019-1653. It is an information disclosure vulnerability affecting web-based management interface of Cisco…
-
Trending CVEs for the Week of January 21st, 2019
CVE-2018-15982 is a use after free zero-day vulnerability in Adobe Flash Player (versions up to 31.0.0.153) which can result in…
-
Time is Money, Part 2: Vulnerability Analysis
This is part two in a six-part series. You can find the first in this series here, which lists the…
-
Time is Money, Part 1: Vulnerability Management Maturity Levels
Time is Money is a six-part series we’re going to post throughout the first few months of 2019. We’ll also…
-
Saving Time in Vulnerability Management
2019 is here and it’s back to the workday routine. As a dad with a Jersey bus commute, mornings are…
-
VRM Wishlist for 2019
At this time of the year, like any other year, the security industry goes back to reflect on itself and…
-
NIST Teams up with IBM Watson AI System to Score Vulnerabilities
The Great News It has been recently reported that NIST, the agency hosting the National Vulnerability Database (NVD), plans to replace its…
-
Threat Exposure Management: The Hacker’s Approach to Vulnerability Risk Management
IT Security Teams spend most of their time putting out fires, and just plain dreading and waiting for the next…
-
Another Year, Another Critical Struts Flaw (CVE-2018-11776)
Will We Learn the Right Lesson This Time Around? A little over a year ago, Equifax announced a huge breach…
-
Musings on the OSCP
I’d like to diverge from our typical blog topics today to discuss the Offensive Security Certified Professional (OSCP) certification, and…
-
Pen Testing Toolkit: White Hat Tools to Improve Web Application Penetration Testing
Many of our clients at NopSec have mature web application security programs with their own internal white hat penetration testing…
-
2018 Top Cybersecurity Threats
It’s a cliché now to declare any year the year of the _____-breach. It’s especially difficult to see around corners…
-
Black Swan Theory: Black Swan Risk Management for Vulnerabilities
The black swan theory grew out of a metaphor that referred to something that didn’t exist at one point. When…
-
IANS 2018 New York Information Security Forum
On Monday, March 19th, NopSec’s Co-founder & CTO, Michelangelo Sidagni will be speaking at this year’s IANS New York Information…
-
In the DCShadow: How to Become a Domain Controller
I have always been fascinated by lateral movement attacks possible within Windows Active Directory environments. Hosts are compromised; credentials extracted;…
-
Fundamental Steps Organizations Can Take to Minimize Breach Risk
We’re living through the gold rush of information security. The awareness and importance of information (or cyber) security has never…
-
Python for Pentesters: 5 Python Libraries Every Pentester Should Be Using
As a penetration tester who uses Python in virtually all engagement, here are the top 5 python libraries that I recommend…
-
Are You Ready for PCI DSS 3.2?
The updated PCI 3.2 requirements are coming to a head with a deadline this February 1st, 2018. While we’re sure…
-
NopSec Unified VRM Highlight: My Risk
IT Security and Risk teams in every organization have one common goal: to protect the company’s data from breaches by…
-
NYDFS Cybersecurity Regulations: Key Deadlines
The first traditional deadline is coming to a close this month for compliance with the NYDFS Cybersecurity Regulations. Please note that…
-
DevOps Risk Management: Vulnerability Risk Management as DevOps Practice
Silos exist in all levels and all types of organizations. Different teams naturally have different priorities, methodologies, and more, though…
-
How Hackers Exploit Weak Password Vulnerabilities
The “password” is one of those seemingly foolproof ways to protect your online valuables. Like a secret word between you…
-
Pen Testing Toolkit: Tools & Antivirus Software Evasion Techniques
Antivirus software is one of the oldest and the most ever present security control against malware and various types of…
-
Password Cracking: Top Tools Hackers Use to Crack Passwords
What’s the quickest way to a hacker’s heart? Make sure your business email password is “Password123.” Or perhaps “Summer2017” if…
-
Fighting the War with the Right Weapon: Countering Complexity with Automation
Here at NopSec, we have always been fascinated with automation. It has been a focus of ours since the beginning…
-
CIS 20 Controls: Utilizing CIS 20 Critical Controls for Vulnerability Prioritization
CIS 20 Security Controls represent one of the reference frameworks of the most critical controls an organization can implement to…
-
Knowledge (Data) is Power in Vulnerability Management
Data is power virtually everywhere, and it’s all about how you utilize that information. In business, you can use data…
-
Penetration Testing Tools: Top 6 Testing Tools and Software
Penetration Testers (aka ethical hackers) use a myriad of hacking tools depending on the nature and scope of the projects they’re…
-
The True Cost of A Great Penetration Test
If you asked car salesmen from different dealerships the question, “How much does a great car cost?” you’re guaranteed to…
-
Key Milestone Dates: NYDFS Cybersecurity Regulations
If you’re in the financial industry (or working as a provider with such organizations), you most likely have already heard…
-
5 Benefits of Retaining a Virtual CISO
Cybersecurity is finally gaining the attention it’s due. From whistleblowers to major data breaches, issues once kept strictly in the…
-
Top 3 Cybersecurity Problems That are Solved with E3 Engine and Unified VRM
We’re proud to build products IT Security Teams actually need and use on a daily basis. We’re a company started…
-
The Shadow Brokers-Leaked Equation Group’s Hacking Tools: A Lab-Demo Analysis
According to the The Register’s article, last week we started assisting to the widespread exploitation of The Shadow Brokers’ leaked Windows…
-
RBAC Implementation: Role Based Access Control Implementation
Organizations seeking to improve their security posture and meet regulatory or audit compliance requirements must consider implementing role based access control (RBAC).
-
Implementing New York DFS Cybersecurity Regulations: Where Are You in the Process?
Here at NopSec, we’ve spoken with a number of financial organizations about where they are in the process of meeting…
-
3 Dangerous Myths About DDoS Attacks
Distributed denial of service (DDoS) attacks are a growing but frequently misunderstood threat in the cybersecurity world. Defined generally, a…
-
Application Security Management: Managing Vulnerabilities Throughout Secure SDLC
How can I find security people, how do I deal with budget and time, how should I prioritize, what will…
-
Doing Diversity Right: Turning Employment Obstacles into Opportunities
Blind assumptions about online security are not the only assumptions that demand attention in the cybersecurity industry today. An article…
-
Customized Threat Intelligence Engine
Unified VRM Analytics leverages vulnerability data from across all the modules (Internal, External and Web) the user has subscribed to…
-
Phishing: What Everyone in Your Organization Needs to Know
Do you feel confident that everyone in your organization could identify a phishing email that contained ransomware? What if the…
-
Top 5 Cybersecurity and Computer Threats of 2017
The year 2016 will be remembered for some big moments in the world of cybersecurity: the largest known distributed denial…
-
2017 Outlook: Remediation Trends
Each year, NopSec conducts a survey of IT and cybersecurity professionals to glean a snapshot of the current state of…
-
NYDFS Cybersecurity Regulations: Will You Be Ready?
When new cybersecurity regulations from the New York Department of Financial Services (NYDFS) take effect on March 1, 2017, financial institutions will…
-
Your Money or Your File(s)!
Growing up as a kid in the 80’s ransom used to be a simple thing. A bad person with a…
-
Growing Cyber Threats to the Energy and Industrial Sectors
Remember Shamoon, the malware that disabled some 35,000 computers at one of the world’s largest oil companies in 2012? If…
-
Social Engineering – The Mental Game, Part II.
Now, let’s talk technical. Malicious executable are used to deliver a payload to a victim. These can be very technical…
-
Social Engineering – The Mental Game, Part I.
The first thing that all organizations need to understand is why social engineering works. In many cases organizations, security professionals,…
-
Six Effective Ransomware Risk Reduction Strategies
Businesses, governments, and consumers alike need to be aware of ransomware – a type of malware that can inflict serious…
-
NopSec Cloud Security Module
Most organizations are currently migrating their computing infrastructure into the public cloud (AWS, Google, Azure) usually embracing a mixed private…
-
NopSec Report Finds Organizations Use Inadequate Risk Evaluation Scoring System
NopSec released a featured annual report, “2016 State of Vulnerability Risk Management.” The report reveals key security threats by industry,…
-
UnifiedVRM Roadmap SiteRep
…..and I am back!! Apologies for waiting so long to blogging. The past few months here at NopSec have been…
-
Malware Analysis: Moving Beyond the CVSS Score
Note: This article was updated in June 2022. Here at NopSec, we are all about risk — our number one…
-
3 Ways to Go Beyond HIPAA Compliance
Compliance isn’t enough for healthcare organizations. For years, we have equated compliance with effective vulnerability risk management. This is simply…
-
SMBs: Most Likely To Be Hacked?
Most small and medium business owners believe that cyber criminals only target large businesses and corporations. They couldn’t be more…
-
Know Thy[self] Environment
Securing an environment is a constant game of cat-and-mouse. Safety measures of all kinds can (and should) be put in…
-
Improving Business Outcomes With VRM
Time and again, we hear from information security leaders who have invested in vulnerability risk management (VRM) technology and are…
-
Pen Testing Costs: The Business Value of Pen Testing Services
On March 23rd 2016, I had the pleasure to participate in the Inaugural 2016 National Conference of Minority Cybersecurity Professionals…
-
What Matters Most: Remediating Vulnerabilities
Scanning is an important part of a well-established vulnerability risk management program. Vulnerability scanners allow you to identify the threats…
-
Two Key Steps to Stop DROWN…
The information security industry is buzzing about the newest threat, DROWN. According to Drown Attack, “[it] is a serious vulnerability…
-
Unified VRM 4.0: Usability for SecOps
Since product launch (2012), Unified VRM has been rapidly expanding with new features and advanced automation solutions for security professionals….
-
Vulnerability Management Myths
Automation Strikes Back! There are tons of technologies out there that are trying to “AUTOMATE” every aspect of human life….
-
How to Speak Information Security to Executives: A CSO Perspective
According to recent research over 60 percent of survey participants stated their executives are only “somewhat” or “not at all” informed about…
-
The Importance of Technology Integration to the Value of an InfoSec product
According to FireEye, a U.S. based provider of next generation threat protection, it takes companies, on average, more than 200 days…
-
Docker-based OpenVAS Scanning Cluster to Improve Scope Scalability
OpenVAS (Open Vulnerability Assessment Scanner) – is an open source security vulnerability scanner and manager. It is an open source…
-
Consumers: The Last Best Mile of the Security Perimeter
For consumers and businesses alike, when it comes to keeping private information private your best defense is vigilance; in both…
-
Vulnerability Management and the Road Less Traveled
When I started my career as a penetration tester, the name of the game was all about breaching the external…
-
Healthcare Data is the Next Vulnerable Target for Hackers
Another day, another hack. And not just any old hacking incident, but one involving yet another healthcare provider, only demonstrating how…
-
Help, My Car Got Hacked and the Internet of Things
The recent recall of 1.4 million vehicles by Fiat Chrysler has raised many questions and concerns after researchers discovered a security vulnerability…
-
Vulnerability Risk Management: Making the Move beyond Compliance
Information security professionals have a single core mission: to understand technological risks and take the necessary steps to protect information…
-
Threat Intelligence: one size does not fit all
Literally a flood of lines have already been written about Security Threat Intelligence and its uses, so I would not…
-
A little Machine Learning “Magic”…
This blog post is the first of a series documenting the journey into Machine Learning Algorithms NopSec is undertaking as part…
-
ThreatForce: The Vulnerability and Threat Search & Correlation Engine
NopSec has just launched ThreatForce – a flagship security vulnerability search engine that makes it easy for security analysts to gain a…
-
Working Hard towards Vulnerability Remediation: ServiceNow Integration
At NopSec, we work hard every day not only to make it easy for organizations to detect and prioritize vulnerabilities,…
-
Go party with the #DevOps
As part of the DevOps movement, it would be desirable to scan your web application for security vulnerability as part of the Continuous Integration loop…
-
Active Directory Authentication and Asset Sync
Enterprise organizations need vulnerability risk management solutions that integrate with the existing authentication and asset management infrastructure. Unified VRM has…
-
Vulnerability Management Presentation to CISO – No problem
Most of our customers’ security analysts are called on a monthly basis (or more often) to deliver a presentation of…
-
DevOpS and Remediation Task Management
Lately a lot of attention has been directed towards the “DevOps” or “SecOps” disciplines and for good reasons. According to…
-
Mapping Penetration Testing report and vulnerability management CVEs
Penetration tests are point-in-time adversarial tests aimed at testing the intrusion prevention, detection, and incident response capabilities and controls of an…
-
Vagrant Boxes: Private Vagrant Box Hosting With Easy Versioning
At NopSec, we are using vagrant and packer to spin up local dev environments and build our instances across the various hypervisor and cloud…
-
Counting Vulnerabilities. Assessing Threats. Frictionless Remediation
A couple of days ago I read an interesting article in the Tenable Network Security Blog — here — where…
-
State of Insecurity: Challenges to Addressing Discovered Vulnerabilities
Penetration Testing, Red Team Operations, Exploit Development, Vulnerability Management, Brute Forcing, Advanced Persistent Threats and even BEAST, CRIME, Zeus, Code…
-
Detecting the GHOST glibc Vulnerability with Unified VRM
In the previous blog post here, we described the GHOST Linux glibc vulnerability in details and its repercussions to the…
-
Linux Ghost Vulnerability: A GHOST in the….Linux….Wires
Our partner Qualys discovered a new vulnerability nick-named “GHOST” (called as such because it can be triggered by the GetHOST…
-
Customer Experience Case Study for Vulnerability Management
If you haven’t read the book or watched the movie Fight Club, you may not understand this reference. “1st RULE: You…
-
Security Doom Scenarios…..OK….name your passwords’ directory “Password”
Usually I am not particularly a big fan of security doom scenarios, but looking at this week’s security news and…
-
Find the Next Heartbleed-like Vulnerability
Heartbleed (CVE-2014-0160) is a vulnerability with a CVSSv2 base score of only 5.0/10.0. Though its CVSS score is relatively low,…
-
Projecting Your Burp
If you’re a security researcher or penetration tester you’re probably already well aware of the extensive array of tools available…
-
Take Your XSS and POST It
Parameter injection is one of the most common classes of web application vulnerabilities exploited in the wild. This class of…
-
PCI 3, Requirement 11: PCI Penetration Testing and Wireless Security Explained
Understanding and fulfilling PCI 11, Requirement 3 can be daunting, but NopSec is here to help you through it. 11.1…
-
The First Steps After an Attack
The term “security breach,” and other similar phrases, have become commonplace. This year alone we have seen the data of…
-
Poodle SSLv3 vulnerability: What it is, how to discover it, how to defend against it
Google security researchers Bodo Moller, Thai Duong and Krzysztof Kotowicz recently uncovered a vulnerability in SSL 3.0 that could allow secure connections to…
-
Continuous Collaboration at Qualys Security Conference
Call it good timing. After all the horrendous cybersecurity news of the past weeks, it feels great about that our…
-
Xen and the Art of Vulnerability Maintenance
It is no secret that hackers have been making the rounds, targeting organizations of all sizes, from national retailers to local financial institutions,…
-
Are the clouds in the sky rebooting?!
If you are like us at NopSec one of the companies that operators on Amazon AWS cloud, this past couple…
-
The Role of Threat Intelligence in Vulnerability Management
Threat intelligence is an increasing popular buzzword in security magazine articles and blogs. It also is becoming more prevalent in…
-
Successful Account Penetration: The Key to a Successful Penetration Test
With the time, effort and resources that companies dedicate to penetration testing, it can be frustrating (at best) to not…
-
The Hidden Costs of an Information Security Breach
No industry is immune to IT security breaches and it seems that retailers have been in the spotlight of late….
-
Avoid this Mistake When Sourcing a Penetration Test
Understanding how to effectively evaluate and select a penetration testing vendor can be a challenging exercise. Frequently the problem comes…
-
Introduction to IT Security Vulnerability Assessments
A vulnerability assessment, also known as vulnerability testing, is the practice of detecting, classifying, prioritizing, and remediating security vulnerabilities in…
-
Lessons Learned from Data Breaches at Universities
No industry is immune to IT security breaches. Recent breaches at Indiana University, Iowa State, the University of Maryland, and…
-
Vulnerability Remediation Process & Management: Why is Remediation so Difficult?
Note: This article was updated in June 2022. Risk Based Vulnerability management is the ongoing practice of detecting, classifying, prioritizing,…
-
4 Things to Consider When Outsourcing Vulnerability Management
Security risks to information systems and sensitive data are expanding at a rate that can outpace an organization’s technical resources…
-
The Year Ahead for Vulnerability Management
This is the time of year when companies gaze into their crystal ball and try to discern what lies ahead….
-
Vulnerability Scanning Best Practices: Where and When to Run Vulnerability Scans
As penetration testers know, spending nights awake to probe networks, servers and applications is common practice. For companies completing vulnerability…
-
Total Cost of Ownership for Vulnerability Management
With any technology investment, budget is a core part of the decision criteria. IT security departments are expected to do…
-
The Single Most Important Thing You Can do to Improve Cyber-Security in 2014
According to a reports released by the Information Security Forum and ISACA, cyber-security will continue to be a critical issue for businesses in…
-
Has Your Company Performed an Annual Penetration Test Yet this Year?
Many federal regulations such as GBLA, HIPAA and PCI require an annual penetration test. Customers often ask for our penetration testing services in…
-
How Much does a Penetration Test Cost?
This is the time of the year that we get a lot of inquiries about performing an annual penetration test….
-
The Role of Penetration Testing in Vulnerability Risk Management
Reports in the news make it clear that the sophistication of cyber-attackers continues to evolve. So why do so many…
-
Horizontal Solution or Point Solution for IT Vulnerability Management?
When IBM Security announced availability of its QRadar Vulnerability Manager earlier this year, vulnerability risk management was solidified as an…
-
Penetration Testing in Healthcare
In September the deadline for compliance with changes to the HIPAA rules relating to breaches of unsecured electronic Protected Health Information…
-
Using Unified VRM to Implement SANS 20 Critical Security Controls
The SANS 20 Critical Security Controls are prioritized mitigation steps to improve cybersecurity. Coordinated through the SANS Institute, many companies with…
-
Importing Vulnerability Scanner Results into Unified VRM
One of the most important aspects of every complex system is flexibility. Flexibility of adapting to changing circumstances and leveraging…
-
Wireless Network Penetration Testing
Cyber forensic investigators report that some of the most complicated and audacious hacks started in two simple ways: either with…
-
Vulnerability Management for Amazon Web Services (AWS)
As the benefits of cloud computing drive increased adoption by businesses, the fastest growing area of public cloud computing appears…
-
SANS Critical Control 20: SANS Penetration Testing and Red Team Exercises
As we have reached the end of this blog post series on SANS 20 Critical Controls, this one is definitely…
-
Banking and Insurance Regulators Focus on Cyber-Threats
If you are responsible for IT security in the financial services industry, you may have been asked by a regulator…
-
SANS Critical Controls 17, 18 and 19: Data Loss Prevention, Incident Response and Management, Secure Network Engineering
In this installment of our SANS 20 Critical Security Controls, I bundled three controls together simply because they are very…
-
SANS Critical Control 16: Account Monitoring and Control
Have you ever considered what is the venue most attackers use to infiltrate target systems? In terms of percentage, certainly…
-
SANS Critical Controls 14 and 15: Network Audit Logging and Controlled Access
This week we come back with our blog series on SANS 20 Critical Controls and focus on Audit Logs and Controlled…
-
NopSec Recognized as 2013 “Emerging Security Vendor” by CRN Magazine
NopSec was recognized on the CRN Magazine 2013 list of “Emerging Security Vendors” for the second consecutive year. CRN’s Emerging Vendors…
-
Reflection on Black Hat 2013 – a Technical Perspective
As every year the Las Vegas security conferences extravaganza unfolds and then passes leaving a head full of new knowledge…
-
NopSec’s CEO featured in Forbes article about building an Advisory Board
Lisa Xu, Chief Executive Officer at NopSec, knows that an outside perspective is critical to building the company. Lisa recently…
-
Surprise insights from the Black Hat security conference
You may have heard the adage, “The best defense is a good offense.” As Chief Marketing Officer at NopSec, I…
-
The state of IT security at Las Vegas conferences
Wendy Nather is Research Director within 451 Research’s Enterprise Security Program, providing analysis on the current state of security from the…
-
SANS Critical Control 13: Network Boundary Defense
As we are getting ready to descend for a couple of days to Vegas for Black Hat / DefCon /…
-
SANS Critical Control 6: SANS Application Software Security
Another very important area of an organization’s security program is its application security roadmap. We all know that web and…
-
Recommended sessions at Black Hat 2013 Conference
I have been attending the Black Hat Conference in Las Vegas for many years now and I have to admit that the…
-
Vulnerability Risk Score: How to Evaluate Vulnerability Severity Scores
There’s a quote attributed to Fabio Massacci, professor of information systems and security at the University of Trento in Italy…
-
SANS Critical Control 12: Controlled Use of Administrative Privileges
In a system there is no privilege that is higher than administrative privileges. In Unix and Linux world, this is…
-
SANS Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Exposure level and Risk level are directly proportional to each other! Ports, protocols and services are entry points and mechanisms…
-
SANS Critical Security Controls: Secure Configurations for Network Devices
Why all graphical representations of a network firewall include a wall with flames? Do you have to set a wall…
-
Embedded Malware: Account Takeovers Multiplying
Robert McGarvey recently covered the topic of account takeover attempts in his regular column in the Credit Union Times. Michelangelo…
-
SANS Critical Control 8 and 9: Data Recovery Capability & Security Skill Assessment
On this blog post of the SANS Critical Control series I comment on two critical controls that at the first…
-
SANS Critical Control 7: Wireless Device Control
Wireless networks have always been a “no man’s land” in terms of security and appropriate configuration. Some of the most…
-
Vulnerability Management is a Lie
I came across a post by Tony Turner titled, “Vulnerability Management is a Lie” and I could hardly wait to…
-
SANS Critical Control 4: Continuous Vulnerability Assessment and Remediation
As part of SANS 20 Critical Security Controls mapping with Unified VRM series, today I am going to discuss Critical…
-
SANS Critical Control 5: Malware Defenses
In this latest installment of this blog series, I am going to analyze how to implement the SANS Critical Control…
-
SANS Critical Control 3: Secure Configurations
In the previous two blog posts I have been addressing Control 1 and Control 2 in the SANS Critical Security…
-
SANS Critical Control 2: Inventory of Authorized and Unauthorized Software
Yesterday, I published the first blog post on mapping SANS 20 critical security controls to Unified VRM. The post dealt…
-
Achieving SANS top 20 Critical Security Controls with Unified VRM
Recently I got the chance to spend a little more time examining the SANS top 20 Critical Security Controls for…
-
Required Reading for Vulnerability Management Market Insights
Do you ever wish there was a single document that would answer all your burning questions? If you’ve ever moved…
-
Forbes: It’s Not Just Warren Buffett Who Is Bullish On Women
The rationale for this blog post is the Rule of Three and, as noted on Wikipedia, the Latin phrase, “omne trium perfectum”….
-
Is there value in cyber-security degrees?
I came across some news the other day that a local university will start offering a master’s degree in “Cyber-Security…
-
Credibility and Reputation – New Target for Cyber-Attacks
Is there anybody that has not received an email that starts like this, “<Company name> recently experienced a cyber-attack on…
-
VC firms need to find their feminine sides
An industry colleague forwarded me a recent article from Upstart Business Journal titled, “VC firms need to find their feminine…
-
Security Careers: Breaking Barriers
Lisa Xu, CEO of NopSec, was interviewed recently by BankInfoSecurity.com about her career in information security – a male-dominated field…
-
How Attackers Choose Which Vulnerabilities To Exploit
I loved the opening paragraph in a recent article titled, “How Attackers Choose Which Vulnerabilities To Exploit” by Michael Cobb,…
-
CVE-2003-0095 – Oracle Database Server Unauthenticated Remote Overflow Metasploit Module
Penetration testing is one of the services that we offer NopSec customers. A vulnerability assessment and penetration test provide an…
-
BankInfoSecurity: Overcoming Too Much Data
Last week at the RSA Conference, Lisa Xu and I had an opportunity to sit down with Tracy Kitten, Managing…
-
Credit Union Times: APT Will Get You
In a recent article posted by Robert McGarvey in the Credit Union Times, Threat of the Week: APT Will Get…
-
NopSec announces Executive Dashboard and new capabilities for Unified VRM software-as-a-service
NopSec is pleased to announce the immediate availability of a new Executive Dashboard for Unified VRM. NopSec continues the rapid…
-
Mistakes Companies Make When it Comes to Vulnerability Management
We observe a common misconception that companies believe they are doing “vulnerability management” when, more often than not, they are…
-
The importance of implementing security controls
Cyber Security was all over the news recently. Facebook revealed that it was hacked – even though it came out…
-
As big banks and media wise up to cyber threat, New York’s security firms get noticed
Crain’s New York Business, there is an article written by Matthew Flamm that discusses the pervasiveness of cyber attacks and…
-
Executive Order on Cybersecurity
It looks like the Federal Government is getting serious about IT security. “Now our enemies are also seeking the ability…
-
Reduce your odds of needing incident response
It has been hard to keep up with my news alert due to all the IT security headlines. “Hackers in…
-
Reemerging from the Flood
Some of you probably wondered where the NopSec crew and I ended up these days….already tired for blog writing? Not…
-
Another Type of Correlation – Vulnerability Correlation
The other day I was thinking about the concept of “event correlation” embedded into various SIEM products. Security events can…
-
What’s the matter with vulnerability management?
Every day I get tot talk to a lot of infosec professionals and business people regarding vulnerability management. They tell…