-
Vulnerability Scanning Best Practices
Vulnerability management’s cornerstone is largely going to revolve around setting up and managing your infrastructure scanner in order to find,…
-
Keeping Vulnerability Scanner Data in Sync for Vulnerability Remediation
All Risk-Based Vulnerability Management (RBVM) platforms include integrations to multiple vulnerability assessment products. In addition to vulnerability findings and asset…
-
Vulnerability Management Prioritization: Defense Wins Championships
Vulnerability Management is one of the less flashy or exciting parts of your cybersecurity department maintenance routine – but is…
-
Creating a Vulnerability Management Program – Vulnerability Remediation: More Complex than You Might Imagine
In prior blogs, we’ve spelled out how an organization finds its vulnerabilities and how security teams consider threat intelligence to…
-
Creating a Vulnerability Management Program – Cybersecurity Risk: Why You Need Both Vulnerability and Threat Assessments
In this blog, we’ll add to our cybersecurity considerations the concept of threats and threat intelligence. So far, we’ve looked…
-
Creating a Vulnerability Management Program – Penetration Testing: Valuable and Complicated
Once you’ve started a vulnerability scanning system, you may want to take the next step in identifying vulnerabilities: penetration testing,…
-
Creating a Vulnerability Management Program – Vulnerability Scanners: How They Help Cybersecurity Readiness
Learn how to identify the right vulnerability scanner(s) for your organization’s needs. So far in this series, we have laid…
-
Creating a Vulnerability Management Program – Patching: Take the Panic out of Patching by Managing CVE Threat Overload
Imagine a company that started in early 2012 with a half dozen employees — all working in one office —…
-
Creating a Vulnerability Management Program – Discovering Your Vulnerabilities: The First Foray
We talked previously about the need to use people, processes, and technology wisely to support your vulnerability risk management. Each element…
-
China is Exploiting Vulnerabilities in Widely Used Home-Office Devices, U.S. Agencies Warn
A new advisory from top federal security and law enforcement agencies warns that state-sponsored cyber actors from the People’s Republic…
-
Understanding the Difference Between Vulnerabilities and Exposures
The cybersecurity world talks a lot about “common vulnerabilities and exposures” (CVEs) and compiles ongoing lists of them with a…
-
New Security Vulnerabilities: How Should You Respond?
Cybercrime has exploded in growth over the past several years to levels that are stunning to contemplate. To put it…
-
Risk-Based Vulnerability Management: Efficient + Effective
We described in the previous blog post the difference between vulnerability management and risk management. A quick reminder: vulnerabilities are…
-
Vulnerability Management vs. Risk Management: Defining the Fundamentals
Businesses run fast to keep pace in a market that is ever dynamic, with new entries threatening to oust established…
-
Creating a Vulnerability Management Program – The People, Process, and Technology
Continuing our How to Build a VM Program series, this third installment breaks the working components of a program into…
-
Creating a Vulnerability Management Program – What is Vulnerability Management and the VM Lifecycle Stages?
As we said in the introduction to this series, cybercriminals are becoming increasingly sophisticated in their assaults, and the methods…
-
Creating a Vulnerability Management Program – Why You Need a Vulnerability Management Program Starting Now
In the past, cybercriminals relied heavily on phishing to slip into an organization’s IT system to achieve their objectives. Recently,…
-
Implementing and Maintaining Security Program Metrics
Cybersecurity metrics are a pertinent part of measuring the successes and failures of your program and the effectiveness of your…
-
Why IAM Technology is Critical to Your Vulnerability Management Program
In previous blogs, we discussed Attack Surface Management (ASM) and explained how ASM is critical to your overall Vulnerability Management…
-
Feature Release: Granular SLAs, Limit Asset Groups, ITSM Ticket Numbers
In addition to the Infrastructure Vulnerability Reports released this October, NopSec is also excited to announce the following additional product…
-
Feature Release: UVRM Infrastructure Vulnerability Reports
NopSec recently released a feature that makes it easy to obtain the information you need about the vulnerabilities in your…
-
Attack Surface Management: Why Your Attack Surface is Critical to Your Vulnerability Management Program
In our last blog, we discussed what Attack Surface Management (ASM) is. Now we will explore the importance of how…
-
5 Reasons Why Attack Surface Management MUST Be Part of Your VA Program
Back in 2019, when I was a research analyst at Gartner, I started to see a monumental shift in how…
-
Special Offer – COVID-19
Due to COVID-19, NopSec is empowering remote workforces with a much needed relief for businesses. Take Advantage of NopSec’s Amazing…
-
Clues to identifying IT vulnerability owners
IT Vulnerability Ownership, Part 2: Find early adopters. Telling people what to do gets nowhere fast. I even have to…
-
IT Vulnerability Owners: How to Identify Vulnerability Owners (Yes, It’s Hard)
IT Vulnerability Ownership, Part 1: Problem, benefits to solving it, and understanding its roots. Running a successful vulnerability management program…
-
Instant Risk Reduction Recommendations to Align Priorities with IT
Snow flurries were a welcome change in New Jersey from last month’s high gust winds. I often multitask my dog…
-
Time is Money Part 6: Calculating ROI of Vulnerability Management Program
This is the final post in this six-part series. You can find the previous posts below. Time is Money, Part…
-
Time is Money, Part 5: Validating the Fix
This is part five in a six-part series. You can find the previous posts below. Time is Money, Part 1:…
-
CVE to KB: How to Correlate CVE Vulnerabilities to KB Patches via Automation
Here at NopSec our goal is to provide the most intelligent, automated way of managing cybersecurity risk in enterprise environments….
-
How we mitigated CVE-2019-5736 for Unified VRM – Docker Runc Vulnerability
tl;dr CVE-2019-5736 is a runc vulnerability that allows attackers to obtain root access of any host running a docker container….
-
Time is Money Part 4: Fix Security Vulnerabilities
This is part four in a six-part series. You can find the previous posts below. Time is Money, Part 1:…
-
Time is Money, Part 3: Vulnerability Assignment
This is part three in a six-part series. You can find the previous posts below. Time is Money, Part 1:…
-
Time is Money, Part 2: Vulnerability Analysis
This is part two in a six-part series. You can find the first in this series here, which lists the…
-
Time is Money, Part 1: Vulnerability Management Maturity Levels
Time is Money is a six-part series we’re going to post throughout the first few months of 2019. We’ll also…
-
Saving Time in Vulnerability Management
2019 is here and it’s back to the workday routine. As a dad with a Jersey bus commute, mornings are…
-
Threat Exposure Management: The Hacker’s Approach to Vulnerability Risk Management
IT Security Teams spend most of their time putting out fires, and just plain dreading and waiting for the next…
-
Another Year, Another Critical Struts Flaw (CVE-2018-11776)
Will We Learn the Right Lesson This Time Around? A little over a year ago, Equifax announced a huge breach…
-
2018 Top Cybersecurity Threats
It’s a cliché now to declare any year the year of the _____-breach. It’s especially difficult to see around corners…
-
Black Swan Theory: Black Swan Risk Management for Vulnerabilities
The black swan theory grew out of a metaphor that referred to something that didn’t exist at one point. When…
-
IANS 2018 New York Information Security Forum
On Monday, March 19th, NopSec’s Co-founder & CTO, Michelangelo Sidagni will be speaking at this year’s IANS New York Information…
-
Fundamental Steps Organizations Can Take to Minimize Breach Risk
We’re living through the gold rush of information security. The awareness and importance of information (or cyber) security has never…
-
Are You Ready for PCI DSS 3.2?
The updated PCI 3.2 requirements are coming to a head with a deadline this February 1st, 2018. While we’re sure…
-
NopSec Unified VRM Highlight: My Risk
IT Security and Risk teams in every organization have one common goal: to protect the company’s data from breaches by…
-
NYDFS Cybersecurity Regulations: Key Deadlines
The first traditional deadline is coming to a close this month for compliance with the NYDFS Cybersecurity Regulations. Please note that…
-
DevOps Risk Management: Vulnerability Risk Management as DevOps Practice
Silos exist in all levels and all types of organizations. Different teams naturally have different priorities, methodologies, and more, though…
-
How Hackers Exploit Weak Password Vulnerabilities
The “password” is one of those seemingly foolproof ways to protect your online valuables. Like a secret word between you…
-
Password Cracking: Top Tools Hackers Use to Crack Passwords
What’s the quickest way to a hacker’s heart? Make sure your business email password is “Password123.” Or perhaps “Summer2017” if…
-
Penetration Testing Tools: Top 6 Testing Tools and Software
Penetration Testers (aka ethical hackers) use a myriad of hacking tools depending on the nature and scope of the projects they’re…
-
The True Cost of A Great Penetration Test
If you asked car salesmen from different dealerships the question, “How much does a great car cost?” you’re guaranteed to…
-
5 Benefits of Retaining a Virtual CISO
Cybersecurity is finally gaining the attention it’s due. From whistleblowers to major data breaches, issues once kept strictly in the…
-
Top 3 Cybersecurity Problems That are Solved with E3 Engine and Unified VRM
We’re proud to build products IT Security Teams actually need and use on a daily basis. We’re a company started…
-
RBAC Implementation: Role Based Access Control Implementation
Organizations seeking to improve their security posture and meet regulatory or audit compliance requirements must consider implementing role based access control (RBAC).
-
Implementing New York DFS Cybersecurity Regulations: Where Are You in the Process?
Here at NopSec, we’ve spoken with a number of financial organizations about where they are in the process of meeting…
-
3 Dangerous Myths About DDoS Attacks
Distributed denial of service (DDoS) attacks are a growing but frequently misunderstood threat in the cybersecurity world. Defined generally, a…
-
Application Security Management: Managing Vulnerabilities Throughout Secure SDLC
How can I find security people, how do I deal with budget and time, how should I prioritize, what will…
-
Doing Diversity Right: Turning Employment Obstacles into Opportunities
Blind assumptions about online security are not the only assumptions that demand attention in the cybersecurity industry today. An article…
-
Customized Threat Intelligence Engine
Unified VRM Analytics leverages vulnerability data from across all the modules (Internal, External and Web) the user has subscribed to…
-
Phishing: What Everyone in Your Organization Needs to Know
Do you feel confident that everyone in your organization could identify a phishing email that contained ransomware? What if the…
-
Top 5 Cybersecurity and Computer Threats of 2017
The year 2016 will be remembered for some big moments in the world of cybersecurity: the largest known distributed denial…
-
2017 Outlook: Remediation Trends
Each year, NopSec conducts a survey of IT and cybersecurity professionals to glean a snapshot of the current state of…
-
NYDFS Cybersecurity Regulations: Will You Be Ready?
When new cybersecurity regulations from the New York Department of Financial Services (NYDFS) take effect on March 1, 2017, financial institutions will…
-
Your Money or Your File(s)!
Growing up as a kid in the 80’s ransom used to be a simple thing. A bad person with a…
-
Growing Cyber Threats to the Energy and Industrial Sectors
Remember Shamoon, the malware that disabled some 35,000 computers at one of the world’s largest oil companies in 2012? If…
-
Social Engineering – The Mental Game, Part II.
Now, let’s talk technical. Malicious executables are used to deliver a payload to a victim. These can be very technical…
-
Social Engineering – The Mental Game, Part I.
The first thing that all organizations need to understand is why social engineering works. In many cases organizations, security professionals,…
-
Six Effective Ransomware Risk Reduction Strategies
Businesses, governments, and consumers alike need to be aware of ransomware – a type of malware that can inflict serious…
-
NopSec Cloud Security Module
Most organizations are currently migrating their computing infrastructure into the public cloud (AWS, Google, Azure) usually embracing a mixed private…
-
NopSec Report Finds Organizations Use Inadequate Risk Evaluation Scoring System
NopSec released a featured annual report, “2016 State of Vulnerability Risk Management.” The report reveals key security threats by industry,…
-
Malware Analysis: Moving Beyond the CVSS Score
Note: This article was updated in June 2022. Here at NopSec, we are all about risk — our number one…
-
3 Ways to Go Beyond HIPAA Compliance
Compliance isn’t enough for healthcare organizations. For years, we have equated compliance with effective vulnerability risk management. This is simply…
-
SMBs: Most Likely To Be Hacked?
Most small and medium business owners believe that cyber criminals only target large businesses and corporations. They couldn’t be more…
-
Two Key Steps to Stop DROWN…
The information security industry is buzzing about the newest threat, DROWN. According to Drown Attack, “[it] is a serious vulnerability…
-
How to Speak Information Security to Executives: A CSO Perspective
According to recent research over 60 percent of survey participants stated their executives are only “somewhat” or “not at all” informed about…
-
Healthcare Data is the Next Vulnerable Target for Hackers
Another day, another hack. And not just any old hacking incident, but one involving yet another healthcare provider, only demonstrating how…
-
Help, My Car Got Hacked and the Internet of Things
The recent recall of 1.4 million vehicles by Fiat Chrysler has raised many questions and concerns after researchers discovered a security vulnerability…
-
Vulnerability Risk Management: Making the Move beyond Compliance
Information security professionals have a single core mission: to understand technological risks and take the necessary steps to protect information…
-
ThreatForce: The Vulnerability and Threat Search & Correlation Engine
NopSec has just launched ThreatForce – a flagship security vulnerability search engine that makes it easy for security analysts to gain a…
-
State of Insecurity: Challenges to Addressing Discovered Vulnerabilities
Penetration Testing, Red Team Operations, Exploit Development, Vulnerability Management, Brute Forcing, Advanced Persistent Threats and even BEAST, CRIME, Zeus, Code…
-
Customer Experience Case Study for Vulnerability Management
If you haven’t read the book or watched the movie Fight Club, you may not understand this reference. “1st RULE: You…
-
Find the Next Heartbleed-like Vulnerability
Heartbleed (CVE-2014-0160) is a vulnerability with a CVSSv2 base score of only 5.0/10.0. Though its CVSS score is relatively low,…
-
Take Your XSS and POST It
Parameter injection is one of the most common classes of web application vulnerabilities exploited in the wild. This class of…
-
PCI 3, Requirement 11: PCI Penetration Testing and Wireless Security Explained
Understanding and fulfilling PCI 3, Requirement 11 can be daunting, but NopSec is here to help you through it. 11.1…
-
The First Steps After an Attack
The term “security breach,” and other similar phrases, have become commonplace. This year alone we have seen the data of…
-
Xen and the Art of Vulnerability Maintenance
It is no secret that hackers have been making the rounds, targeting organizations of all sizes, from national retailers to local financial institutions,…
-
The Role of Threat Intelligence in Vulnerability Management
Threat intelligence is an increasingly popular buzzword in security magazine articles and blogs. It also is becoming more prevalent in…
-
The Hidden Costs of an Information Security Breach
No industry is immune to IT security breaches and it seems that retailers have been in the spotlight of late….
-
Avoid this Mistake When Sourcing a Penetration Test
Understanding how to effectively evaluate and select a penetration testing vendor can be a challenging exercise. Frequently the problem comes…
-
Introduction to IT Security Vulnerability Assessments
A vulnerability assessment, also known as vulnerability testing, is the practice of detecting, classifying, prioritizing, and remediating security vulnerabilities in…
-
Lessons Learned from Data Breaches at Universities
No industry is immune to IT security breaches. Recent breaches at Indiana University, Iowa State, the University of Maryland, and…
-
4 Things to Consider When Outsourcing Vulnerability Management
Security risks to information systems and sensitive data are expanding at a rate that can outpace an organization’s technical resources…
-
The Year Ahead for Vulnerability Management
This is the time of year when companies gaze into their crystal ball and try to discern what lies ahead….
-
Total Cost of Ownership for Vulnerability Management
With any technology investment, budget is a core part of the decision criteria. IT security departments are expected to do…
-
The Single Most Important Thing You Can do to Improve Cyber-Security in 2014
According to reports released by the Information Security Forum and ISACA, cyber-security will continue to be a critical issue for businesses in…
-
Has Your Company Performed an Annual Penetration Test Yet this Year?
Many federal regulations such as GLBA, HIPAA and PCI require an annual penetration test. Customers often ask for our penetration testing services in…
-
How Much does a Penetration Test Cost?
This is the time of the year that we get a lot of inquiries about performing an annual penetration test….
-
The Role of Penetration Testing in Vulnerability Risk Management
Reports in the news make it clear that the sophistication of cyber-attackers continues to evolve. So why do so many…
-
Horizontal Solution or Point Solution for IT Vulnerability Management?
When IBM Security announced availability of its QRadar Vulnerability Manager earlier this year, vulnerability risk management was solidified as an…
-
Penetration Testing in Healthcare
In September the deadline for compliance with changes to the HIPAA rules relating to breaches of unsecured electronic Protected Health Information…
-
Importing Vulnerability Scanner Results into Unified VRM
One of the most important aspects of every complex system is flexibility. Flexibility of adapting to changing circumstances and leveraging…
-
Wireless Network Penetration Testing
Cyber forensic investigators report that some of the most complicated and audacious hacks started in two simple ways: either with…
-
Vulnerability Management for Amazon Web Services (AWS)
As the benefits of cloud computing drive increased adoption by businesses, the fastest growing area of public cloud computing appears…
-
Banking and Insurance Regulators Focus on Cyber-Threats
If you are responsible for IT security in the financial services industry, you may have been asked by a regulator…
-
NopSec Recognized as 2013 “Emerging Security Vendor” by CRN Magazine
NopSec was recognized on the CRN Magazine 2013 list of “Emerging Security Vendors” for the second consecutive year. CRN’s Emerging Vendors…
-
Reflection on Black Hat 2013 – a Technical Perspective
As every year the Las Vegas security conferences extravaganza unfolds and then passes leaving a head full of new knowledge…
-
NopSec’s CEO featured in Forbes article about building an Advisory Board
Lisa Xu, Chief Executive Officer at NopSec, knows that an outside perspective is critical to building the company. Lisa recently…
-
Surprise insights from the Black Hat security conference
You may have heard the adage, “The best defense is a good offense.” As Chief Marketing Officer at NopSec, I…
-
The state of IT security at Las Vegas conferences
Wendy Nather is Research Director within 451 Research’s Enterprise Security Program, providing analysis on the current state of security from the…
-
Vulnerability Risk Score: How to Evaluate Vulnerability Severity Scores
There’s a quote attributed to Fabio Massacci, professor of information systems and security at the University of Trento in Italy…
-
Embedded Malware: Account Takeovers Multiplying
Robert McGarvey recently covered the topic of account takeover attempts in his regular column in the Credit Union Times. Michelangelo…
-
Vulnerability Management is a Lie
I came across a post by Tony Turner titled, “Vulnerability Management is a Lie” and I could hardly wait to…
-
Achieving SANS top 20 Critical Security Controls with Unified VRM
Recently I got the chance to spend a little more time examining the SANS top 20 Critical Security Controls for…
-
Required Reading for Vulnerability Management Market Insights
Do you ever wish there was a single document that would answer all your burning questions? If you’ve ever moved…
-
Forbes: It’s Not Just Warren Buffett Who Is Bullish On Women
The rationale for this blog post is the Rule of Three and, as noted on Wikipedia, the Latin phrase, “omne trium perfectum”….
-
Is there value in cyber-security degrees?
I came across some news the other day that a local university will start offering a master’s degree in “Cyber-Security…
-
Credibility and Reputation – New Target for Cyber-Attacks
Is there anybody that has not received an email that starts like this, “<Company name> recently experienced a cyber-attack on…
-
VC firms need to find their feminine sides
An industry colleague forwarded me a recent article from Upstart Business Journal titled, “VC firms need to find their feminine…
-
Security Careers: Breaking Barriers
Lisa Xu, CEO of NopSec, was interviewed recently by BankInfoSecurity.com about her career in information security – a male-dominated field…
-
BankInfoSecurity: Overcoming Too Much Data
Last week at the RSA Conference, Lisa Xu and I had an opportunity to sit down with Tracy Kitten, Managing…
-
Credit Union Times: APT Will Get You
In a recent article posted by Robert McGarvey in the Credit Union Times, Threat of the Week: APT Will Get…
-
NopSec announces Executive Dashboard and new capabilities for Unified VRM software-as-a-service
NopSec is pleased to announce the immediate availability of a new Executive Dashboard for Unified VRM. NopSec continues the rapid…
-
Mistakes Companies Make When it Comes to Vulnerability Management
We observe a common misconception that companies believe they are doing “vulnerability management” when, more often than not, they are…
-
As big banks and media wise up to cyber threat, New York’s security firms get noticed
In Crain’s New York Business, there is an article written by Matthew Flamm that discusses the pervasiveness of cyber attacks and…
-
Executive Order on Cybersecurity
It looks like the Federal Government is getting serious about IT security. “Now our enemies are also seeking the ability…
-
Reduce your odds of needing incident response
It has been hard to keep up with my news alert due to all the IT security headlines. “Hackers in…
-
Reemerging from the Flood
Some of you probably wondered where the NopSec crew and I ended up these days… already tired of blog writing? Not…
-
Another Type of Correlation – Vulnerability Correlation
The other day I was thinking about the concept of “event correlation” embedded into various SIEM products. Security events can…
-
What’s the matter with vulnerability management?
Every day I get to talk to a lot of infosec professionals and business people regarding vulnerability management. They tell…