Copyright TechTarget - All rights reserved https://cyber.law.harvard.edu/rss/rss.html Techtarget Feed Generator en Mon, 27 Apr 2026 04:58:13 GMT https://www.techtarget.com/searchsecurity editor@techtarget.com <p>Data centers must demonstrate compliance with industry standard guidelines. This quick checklist helps administrators create <a href="https://www.techtarget.com/searchsecurity/definition/data-compliance">data compliance</a> strategies to ensure the security of their customers' data and maintain high operational standards.</p> <p>Data centers are responsible for securely managing data for an organization's customers. A single data outage or breach can devastate the business that depends on that data and be <a href="https://www.techtarget.com/searchdatacenter/tip/Data-center-safety-tips-to-protect-staff">catastrophic for a data center facility</a>.</p> <p>An effective<a href="https://www.techtarget.com/searchdatamanagement/tip/10-key-elements-to-follow-data-compliance-regulations"> </a><a href="https://www.techtarget.com/searchdatamanagement/tip/10-key-elements-to-follow-data-compliance-regulations">compliance strategy</a> can help any data center<a href="https://www.techtarget.com/searchdatabackup/tip/Comparing-data-protection-vs-data-security-vs-data-privacy"> </a><a href="https://www.techtarget.com/searchdatabackup/tip/Comparing-data-protection-vs-data-security-vs-data-privacy">secure the sensitive data</a> it handles. The compliance strategy then becomes the foundation for highly available service delivery and drives long-term customer satisfaction.</p> <p>The compliance landscape has grown significantly more complex in the last few years. New regulations covering AI governance, sustainability reporting and cybersecurity disclosure have added fresh obligations for data center operators. Facilities intending to create or update a data center compliance strategy can use this checklist as a starting point.</p> <section class="section main-article-chapter" data-menu-title="1. Align data center and IT teams"> <h2 class="section-title"><i class="icon" data-icon="1"></i><a name="_v8qjmnje5aye"></a>1. Align data center and IT teams</h2> <p><a href="https://www.techtarget.com/searchsecurity/Data-security-guide-Everything-you-need-to-know">Data security</a> often resides with interested or affected groups within the organization. True data center<a href="https://www.techtarget.com/searchdatamanagement/tip/3-considerations-for-a-data-compliance-management-strategy"> </a><a href="https://www.techtarget.com/searchdatamanagement/tip/3-considerations-for-a-data-compliance-management-strategy">data compliance requires alignment across an entire company</a>. Data center administrators must align or communicate with customer compliance teams to ensure full coverage.</p> <p>Admins should obtain approval from senior leaders in relevant teams and clarify how department relationships work. They should define each team and member's role in the strategy. This transparency increases the chances of acceptance and ensures compliance with the processes and procedures.</p> <p>As of 2026, many organizations are appointing a dedicated Chief Compliance Officer (CCO) or Chief Data Officer (CDO) to lead compliance efforts, reflecting the growing regulatory burden. Data center operators should evaluate whether their current leadership structures can manage the expanding scope of requirements, particularly in AI governance and sustainability.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Discover compliance options"> <h2 class="section-title"><i class="icon" data-icon="1"></i><a name="_1ad5269cr7ie"></a>2. Discover compliance options</h2> <p>Different compliance standards have distinct guidelines. If a data center handles healthcare data, for instance, it must be HIPAA certified and demonstrate compliance for patient privacy. If it handles e-commerce data, such as online stores or financial transactions, it must comply with the Payment Card Industry Data Security Standard (<a href="https://www.techtarget.com/searchsecurity/definition/PCI-DSS-compliance-Payment-Card-Industry-Data-Security-Standard-compliance">PCI DSS</a>) 4.0 to protect transmitted data, such as credit card information.</p> <p><b>Note:</b> PCI DSS 3.2.1 was retired in March 2024. Organizations must now comply with PCI DSS 4.0, which introduces enhanced authentication and monitoring requirements.</p> <p>Other foundational standards that data centers should be familiar with include:</p> <ul class="default-list"> <li><b>SOC 2:</b> The gold standard for cloud and SaaS providers, developed by the AICPA, covering security, availability, processing integrity, confidentiality and privacy.</li> <li><b><a href="https://www.techtarget.com/whatis/definition/ISO-27001">ISO 27001</a>:</b> An internationally recognized framework for information security management systems.</li> <li><a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR"><b>GDPR</b></a><b>:</b> Required for any facility handling personal data of EU residents, regardless of where the data center is located.</li> <li><a href="https://www.fedramp.gov/" target="_blank" rel="noopener"><b>FedRAMP</b></a><b>:</b> Required for cloud service providers selling to U.S. federal agencies. The FedRAMP 20x initiative, introduced in early 2025, is streamlining third-party technology adoption by agencies.</li> <li><a href="https://www.techtarget.com/searchsoftwarequality/definition/NIST"><b>NIST Cybersecurity Framework</b></a><b>:</b> Increasingly referenced in government contracts and regulatory guidance. Often used as a foundational layer on which industry-specific requirements are built.</li> </ul> <h3><a name="_k70bg7pkcjwl"></a>Newer frameworks to know about</h3> <p>There are several new frameworks and regulations that data center owners need to be aware of, in case they apply to them or their hosted clients.</p> <ul class="default-list"> <li><a href="https://artificialintelligenceact.eu/the-act/" target="_blank" rel="noopener"><b>EU AI Act</b></a><b>:</b> The most comprehensive AI regulation to date, the EU AI Act began broad enforcement in 2025 and 2026. It imposes requirements for risk assessments, transparency reporting and disclosures on organizations running AI workloads and their hosting infrastructure. Data centers must be able to classify workloads, document how they are isolated, secured and monitored, and explain the controls that govern data flows.</li> <li><b>ISO/IEC 42001:</b> An international standard for AI Management Systems. This framework provides a certifiable structure for demonstrating compliance with globally recognized AI governance benchmarks to regulators, investors and customers.</li> <li><b>State-level regulations in the U.S.:</b> These are multiplying rapidly. More than 200 bills aimed at regulating data centers were introduced across U.S. states in 2025, and more than 40 were enacted into law. Data center operators handling customer data across multiple states should closely track these developments, as requirements vary by jurisdiction.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="3. Learn compliance audit schedules"> <h2 class="section-title"><i class="icon" data-icon="1"></i><a name="_yer15zufcp2g"></a>3. Learn compliance audit schedules</h2> <p>Data centers must constantly review their operations and infrastructure. Small audits and updates of daily processes help keep things running smoothly, while thorough audits ensure data compliance. Most <a href="https://www.techtarget.com/searchcio/definition/compliance-audit">compliance audits</a> are conducted annually by third-party auditors, meaning facilities with multiple certifications must undergo several audits each year.</p> <p>Data center staff and customers must be aware of the audit schedule, as it can affect regular facility operations. An organization must include this information in any <a href="https://www.techtarget.com/searchitchannel/definition/service-level-agreement">service-level agreement</a> in customer contracts to ensure operational transparency.</p> <p>In 2026, the frequency of audits will increase for certain types of data centers. The <a href="https://www.sec.gov/resources-small-businesses/small-business-compliance-guides/cybersecurity-risk-management-strategy-governance-incident-disclosure" target="_blank" rel="noopener">SEC's Cybersecurity Disclosure Rule</a>, which became effective in December 2025, mandates annual Continuous Attestation Reports from independent third parties for facilities that handle securities-related workloads. Data centers serving those customers should include this requirement in their audit planning.</p> </section> <section class="section main-article-chapter" data-menu-title="4. Understand compliance proof"> <h2 class="section-title"><i class="icon" data-icon="1"></i><a name="_lyssfx5txgxi"></a>4. Understand compliance proof</h2> <p>Data centers can demonstrate their compliance by publishing the certificates and certifications they receive. What they should publish depends on the specific audit guidelines.<a href="https://www.thehartford.com/insights/cyber/cyber-third-party-assessments"> </a>Third-party auditing services award these certificates on behalf of the governing body and regularly assess the data center's operations and infrastructure.</p> <p>The certifications data centers require depend on their customers and specific compliance guidelines, so organizations should ensure they stay up to date.</p> <p>Proof of compliance is also evolving beyond paper certifications. The <a href="https://www.computerweekly.com/news/366630833/EU-Data-Act-comes-into-force-amid-fears-of-regulation-fatigue">EU Data Act</a>, which took effect in 2026, requires verifiable transparency records for the entire data flow chain, including cross-border transfers and data sources used for model training. Regulators in some jurisdictions now expect real-time or near-real-time access to compliance logs rather than point-in-time audit reports.</p> </section> <section class="section main-article-chapter" data-menu-title="5. Develop procedures to align with compliance rules"> <h2 class="section-title"><i class="icon" data-icon="1"></i><a name="_hcjegjs2nukh"></a>5. Develop procedures to align with compliance rules</h2> <p>Data center staff must align their procedures with the compliance rules they follow, as compliance audits are conducted regularly. Example processes and procedures include:</p> <ul class="default-list"> <li><b>Security gap ID.</b> Data center admins should conduct a network inventory to identify any security risks, vulnerabilities and exposures.</li> <li><b>Physical security review.</b> Facility staff should verify the<a href="https://www.techtarget.com/searchdatacenter/news/4500248374/Data-center-physical-security-gets-a-tougher-look"> </a>physical access control of devices in the facilities. They should also install surveillance cameras and other monitoring equipment.</li> <li><b>Incident management.</b> Data center staff should document the incident management process, procedures, roles and involved staff. This includes responses and remediation efforts during an incident.</li> <li><b>Training processes. </b><a href="https://www.techtarget.com/searchdatacenter/tip/What-does-a-data-center-facility-manager-do">Managers should ensure initial training</a> for all staff, onboarding training for new staff and ongoing training for everyone. They should emphasize employee reporting procedures so data center admins can learn how to report nonconformance.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="6. Address AI workload governance"> <h2 class="section-title"><i class="icon" data-icon="1"></i><a name="_gdb5sqiyb2fj"></a>6. Address AI workload governance</h2> <p>AI has evolved from a rising workload to a dominant one for data centers. As AI infrastructure has expanded, regulators have begun enforcing specific governance standards for facilities that host or run AI workloads. Data center operators must develop a compliance strategy that clearly addresses AI, separate from general data management requirements.</p> <p>Key areas of AI governance compliance to establish include:</p> <ul class="default-list"> <li><b>Workload classification.</b> Data centers should be able to identify and classify AI workloads by type and risk level, consistent with the EU AI Act's risk tiers -- unacceptable, high, limited and minimal risk. This classification determines which compliance requirements are applicable.</li> <li><b>Transparency documentation.</b> Operators should document how AI workloads are isolated, secured and monitored, and be able to explain the controls that govern related data flows.</li> <li><b>AI incident reporting.</b> California's <a href="https://www.gov.ca.gov/2025/09/29/governor-newsom-signs-sb-53-advancing-californias-world-leading-artificial-intelligence-industry/" target="_blank" rel="noopener">Transparency in Frontier Artificial Intelligence Act</a>, effective January 1, 2026, requires critical safety incident management and reporting, including unauthorized access or modification of AI model weights. Data centers hosting such workloads should align their incident management procedures accordingly.</li> <li><b>Supply chain and vendor accountability. </b>AI compliance responsibilities are increasingly extending beyond operators to include supply chains and partners. Data centers should ensure that vendors and subprocessors handling AI-related data meet equivalent governance standards.</li> </ul> <p>The regulatory landscape for AI compliance is still developing. The U.S. federal government <a href="https://www.techtarget.com/searchenterpriseai/feature/Who-wins-and-loses-with-Trumps-AI-executive-order">issued an executive order</a> in December 2025 to establish a national AI policy framework, which may override some state-level AI laws. Data center operators should develop flexible compliance programs that can adapt to ongoing regulatory changes.</p> </section> <section class="section main-article-chapter" data-menu-title="7. Track sustainability and environmental compliance"> <h2 class="section-title"><i class="icon" data-icon="1"></i><a name="_ji0wzup5nu96"></a>7. Track sustainability and environmental compliance</h2> <p>Energy consumption and water use have become compliance issues, not just operational ones. Governments worldwide are intensifying efforts to address the environmental impact of data centers, particularly given the high energy demands of AI workloads. Data center operators, especially those with EU customers or operations, are subject to mandatory sustainability reporting requirements.</p> <p>Key regulatory developments in this area include:</p> <ul class="default-list"> <li><a href="https://energy.ec.europa.eu/topics/energy-efficiency/energy-efficiency-targets-directive-and-rules/energy-efficiency-directive_en" target="_blank" rel="noopener"><b>EU Energy Efficiency Directive (EED)</b></a><b>.</b> A major revision of the EED took effect in 2023. It requires data centers to report operational efficiency metrics, including power usage effectiveness (PUE) and water usage effectiveness (WUE), and to adopt measures to optimize electricity and water use.</li> <li><b>U.S. state-level legislation.</b> While the U.S. has no federal equivalent of the EED, state-level activity is accelerating. Oregon's POWER Act, enacted in August 2025, establishes special electricity rates for data centers and other large power consumers, incentivizing efficiency and grid-friendly load profiles. Data centers should monitor similar legislation in the states where they operate.</li> <li><b>Energy reporting and green power procurement. </b>The <a href="https://www.congress.gov/crs-product/R48762" target="_blank" rel="noopener">Clean Cloud Act of 2025</a> would authorize federal agencies to collect electricity-related information from data centers and their energy suppliers. Regardless of legislative outcome, operators should have systems in place to measure and report energy sourcing, especially for customers with renewable energy commitments.<b> </b></li> </ul> <p>Data centers should incorporate sustainability metrics into their compliance reporting systems rather than treating environmental reporting as a separate operational task. Monitoring PUE, WUE and carbon footprint data alongside traditional compliance information streamlines audit preparation and demonstrates operational maturity to regulators and enterprise customers.</p> <p><b>Editor's note:</b> This article was updated in March 2026 to update existing information and to add two new sections: "Address AI workload governance" and "Track sustainability and environmental compliance." This article now highlights the importance of data center security compliance in the age of AI.</p> <p><em>Julia Borgini is a freelance technical copywriter, content marketer, content strategist and geek. She writes about B2B tech, SaaS, DevOps, the cloud and other tech topics.</em></p> </section> Create a security compliance plan for the data center that includes various standards, audit schedules, and 2026 AI governance and sustainability reporting requirements. https://cdn.ttgtmedia.com/rms/onlineimages/check_g1205300933.jpg https://www.techtarget.com/searchdatacenter/tip/Data-center-security-compliance-checklist Tue, 10 Mar 2026 15:45:00 GMT <p>Cybersecurity teams must be mindful at all times of the current threats their organization faces. While it's impossible to thwart every threat, stopping as many as possible and quickly detecting when they occur are both critical for reducing damage.</p> <p>It is important to note that many cybersecurity incidents involve multiple types of threats. In a nutshell, a&nbsp;<i>security threat</i>&nbsp;is a malicious act that aims to corrupt or steal data or disrupt an organization's systems or the entire organization. A&nbsp;<i>security event</i>&nbsp;refers to an occurrence during which company data or its network might have been exposed. An event that results in a data or network breach is called a&nbsp;<i>security incident</i>.</p> <p>Here are 10 types of threats that cybersecurity teams should focus on.</p> <section class="section main-article-chapter" data-menu-title="1. Supply chain attacks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. Supply chain attacks</h2> <p>Supply chain attacks are challenging to identify because they usually involve a breach or other cybersecurity compromise affecting a trusted third party, such as a supplier, partner, contractor, vendor or service provider. In this attack, the third party does not realize it has been compromised and therefore spreads the threat to its customers, partners and vendors.</p> <p>For example, a vendor's software might accidentally be infected with malware during manufacturing, or bad actors might add malicious code that steals sensitive data from organizations using a service provider's offering. Another form of supply chain attack involves counterfeit products and legitimate products that have been tampered with after manufacturing and packaging.</p> <h3>How to prevent supply chain attacks</h3> <p>To prevent supply chain attacks, only work with trusted third-party vendors, service providers, partners and contractors. Perform <a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-an-effective-third-party-risk-assessment-framework">third-party risk assessments</a>, conduct continuous vendor monitoring and keep an accurate inventory of all third parties and their dependencies.</p> <p>In addition, only purchase technology products and services from reputable manufacturers and vendors. Examine any physical technology purchases for anything suspicious, especially on product packaging or the product surface itself.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Distributed denial-of-service attacks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Distributed denial-of-service attacks</h2> <p><a href="https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack">DDoS</a> attacks occur when thousands or millions of compromised devices simultaneously overwhelm a server, network or other target. The compromised devices are typically part of a botnet, enabling attackers to easily coordinate all devices in performing DDoS attacks. The goal of a DDoS attack is to disrupt the target's operations, preventing legitimate use of resources.</p> <h3>How to prevent DDoS attacks</h3> <p>Preventing DDoS attacks is a unique challenge. No matter how much capacity enterprise systems and networks have, a large DDoS attack can still clog them.</p> <p>Options for mitigating DDoS attacks include the following:</p> <ul type="disc" class="default-list"> <li>Partner with an MSP or other third party that specializes in DDoS attack monitoring and mitigation.</li> <li>Deploy and configure network security devices in front of systems and networks to <a href="https://www.techtarget.com/searchsecurity/feature/Implement-API-rate-limiting-to-reduce-attack-surfaces">enforce rate limiting</a> and stop traffic from known botnets.</li> <li>Design the organization's important applications with resilience in mind, such as duplicating key resources on other networks so that a DDoS attack against one network will not completely disrupt applications.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="3. Social engineering and phishing attacks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Social engineering and phishing attacks</h2> <p>Social engineering comes in many forms, from someone pretending to be a delivery person in order to access a secure area to someone sending phishing emails, texts or other forms of messaging to deceive the recipient.</p> <p>The goal of phishing, the most popular form of social engineering, is to get the recipient to divulge credentials, bank information or other sensitive data, or to install malware on the recipient's device.</p> <h3>How to prevent social engineering and phishing attacks</h3> <p>Some social engineering and phishing attacks can be stopped only by the intended victims. This requires that individual users be trained on <a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users">how to identify attacks</a> and what to do if an attack occurs. For example, they'll need to scrutinize links and email attachments for anything suspicious.</p> <p>Many phishing attacks can be stopped through automated means, such as antispam and antimalware technologies, that are frequently updated with the latest threat intelligence. Some phishing attacks exploit software vulnerabilities, so keep all devices' software patched and up to date.</p> </section> <section class="section main-article-chapter" data-menu-title="4. Attacks through look-alike content"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. Attacks through look-alike content</h2> <p>Attackers often craft websites, social media accounts, advertisements and other online content to look just like the real thing. When visited, that content <a href="https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them">installs malware on users' computers</a>. Known as <i>drive-by download attacks</i>, users have no idea that anything bad has happened.</p> <h3>How to prevent attacks through look-alike content</h3> <p>Educate users on how to verify that URLs, social media accounts and other content are legitimate to prevent these attacks. Tell users not to click on advertisements from work devices.</p> <p>To stay on top of the latest threats, consider subscribing to near-real-time <a href="https://www.techtarget.com/searchsecurity/tip/Top-open-source-and-commercial-threat-intelligence-feeds">threat intelligence feeds</a>. These can be consumed by an organization's cybersecurity technologies to quickly stop access to look-alike content once others detect and report it. Organizations should also keep software patched and up to date to minimize the risk of malicious content exploiting vulnerabilities.</p> </section> <section class="section main-article-chapter" data-menu-title="5. Misinformation and disinformation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. Misinformation and disinformation</h2> <p>Misinformation is incorrect information, while disinformation is intentional misinformation designed to trick people -- another form of social engineering. Whether information is accidentally or intentionally wrong, the effect is the same: it convinces people that false statements are true and often triggers them to act on those false statements.</p> <p>Misinformation and disinformation come in many forms. AI technologies are <a href="https://www.techtarget.com/searchsecurity/tip/Real-world-AI-voice-cloning-attack-A-red-teaming-case-study">now widely used to create deepfake audio and video</a> that often can't be distinguished from the real thing. Websites, emails and other content might also provide false instructions to users on how to improve security or functionality on their work computers. Rumors about the organization itself could also surface inside or outside the business.</p> <h3>How to prevent misinformation and disinformation</h3> <p>Misinformation and disinformation are often difficult to detect through automated means. Instead, rely on regularly scheduled <a href="https://www.techtarget.com/searchsecurity/definition/security-awareness-training">security awareness training</a> to teach employees how to spot misinformation and disinformation. Educate them on how to verify information pertaining to both internal and external matters. Also, provide a website where members of the public can verify the legitimacy of communications they receive from the organization, and provide a mechanism for the public to report misinformation and disinformation involving the organization.</p> </section> <section class="section main-article-chapter" data-menu-title="6. Credential compromise and account takeover"> <h2 class="section-title"><i class="icon" data-icon="1"></i>6. Credential compromise and account takeover</h2> <p>Passwords, ID badges and other credentials are obvious targets for attackers. Passwords can be acquired in many ways, including social engineering and phishing, watching someone enter a password on their phone, guessing a password -- known as <i>brute-force attacking</i> -- or reusing a previously compromised password that the person used for multiple accounts.</p> <p>Possessing a password enables an attacker, in many cases, to access and control the user account. This is known as an <i>account takeover</i>.</p> <h3>How to prevent credential compromise and account takeover</h3> <p>Avoid relying only on passwords for user authentication. Requiring MFA and switching from passwords to <a href="https://www.techtarget.com/searchsecurity/definition/passwordless-authentication">passwordless authentication</a> are two effective alternatives. If passwords are required, teach employees <a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-strong-passphrase-with-examples">how to create strong passphrases</a>, which are a more secure alternative to passwords.</p> <p>In addition, train users on how to safeguard their credentials and what to do if they think one of their credentials has been compromised. Another helpful measure is to use cybersecurity technologies that monitor authentication attempts. Use these tools to identify anomalies, such as the same user connecting to email from different geographic locations at the same time, which could indicate someone masquerading as the user.</p> </section> <section class="section main-article-chapter" data-menu-title="7. Ransomware"> <h2 class="section-title"><i class="icon" data-icon="1"></i>7. Ransomware</h2> <p>Ransomware uses encryption to make computers or files inaccessible or extortion to get victims to pay a ransom to get their stolen data back. While most ransomware attacks result from phishing or other forms of social engineering, some ransomware campaigns target exploitable software vulnerabilities.</p> <h3>How to prevent ransomware</h3> <p>Train users to avoid social engineering attacks, and teach them <a href="https://www.techtarget.com/searchsecurity/tip/How-to-effectively-respond-to-a-ransomware-attack">what to do if a ransomware infection occurs</a>. Seconds can make a difference between a single computer being infected and an infection spreading throughout an organization.</p> <p>To minimize vulnerabilities that ransomware can exploit, organizations should keep all software current with the latest patches and updates. It's also critical to use antimalware technologies that detect and stop ransomware, along with cyberthreat intelligence feeds that provide near-real-time updates on the latest ransomware threats.</p> </section> <section class="section main-article-chapter" data-menu-title="8. Persistence threats"> <h2 class="section-title"><i class="icon" data-icon="1"></i>8. Persistence threats</h2> <p>Persistence refers to an attacker's ability to gain and then maintain access to a system without being detected. Known as <i>advanced persistent threats</i> (<a href="https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT">APTs</a>), attackers can persist unnoticed in compromised systems for days, weeks or months. During this time, they could access and exfiltrate sensitive data, compromise additional systems and monitor conditions until they are ready to launch a more devastating attack.</p> <h3>How to prevent persistence</h3> <p>Use firewalls and other network security tools, along with threat intelligence feeds, to block access to and from known malicious domains, IP addresses and websites. This denies APTs by disrupting the command-and-control channels they rely upon.</p> <p>Monitor network traffic to look for signs of unauthorized access to internal systems. Use antimalware and antiphishing technologies to detect and stop attacks in transit. Also, scan the organization's devices regularly for signs of bots, exploit kits and other attack tools. Act swiftly whenever any such unauthorized tools are detected.</p> </section> <section class="section main-article-chapter" data-menu-title="9. Insider threats"> <h2 class="section-title"><i class="icon" data-icon="1"></i>9. Insider threats</h2> <p>An insider threat is when an employee, contractor or other person within an organization misuses their technology privileges in ways that violate and harm the organization's cybersecurity. For example, an employee emailing sensitive data to external email addresses for the purposes of selling the data. A more complex example is two employees in different roles colluding to steal from the organization.</p> <h3>How to prevent insider threats</h3> <p>Follow the <a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP">principle of least privilege</a> to ensure each user has the minimal access needed to do their job. Train all users, including contractors and vendors, on acceptable use policies and the potential consequences of violating them. Monitor all user activity for signs of suspicious behavior. Promptly investigate potentially malicious behavior.</p> </section> <section class="section main-article-chapter" data-menu-title="10. Accidental data leaks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>10. Accidental data leaks</h2> <p>Accidental data leaks occur when an organization's sensitive data is inadvertently made available to unauthorized parties or systems. Examples include choosing the wrong recipient for an email, uploading the wrong file to a website or shared storage, or posting data for public access that has not yet been approved for release.</p> <p>Data leaks can also occur when old or broken technologies are disposed of without first sanitizing or physically destroying their data storage. Printouts are also mechanisms for data leaks.</p> <h3>How to prevent accidental data leaks</h3> <p>Teach users to double-check recipients, attachments and other components of emails and other messages before sending them. Use <a href="https://www.techtarget.com/searchsecurity/tip/Top-7-data-loss-prevention-tools">data loss prevention technologies</a> to examine outbound emails and other applications for potential signs of data leaks. Carefully control physical access to printed sensitive data so that printouts are not left unattended and are shredded when no longer needed.</p> <p><i>Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.</i></p> <p>&nbsp;</p> </section> Know thine enemy -- and the common security threats that can bring an unprepared organization to its knees. Learn what these threats are and how to prevent them. https://cdn.ttgtmedia.com/rms/onlineimages/security_a303249453.jpg https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams Thu, 05 Feb 2026 09:00:00 GMT <p>Mobile compliance has become a core governance issue for modern enterprises. As smartphones and tablets are used to access customer, financial and operational data across industries, organizations must be able to demonstrate how that access is controlled, monitored and reviewed.</p> <p>Unlike traditional endpoints, mobile devices operate across mixed ownership models, shifting networks and application ecosystems. Some devices are fully managed. Others are personal endpoints with limited enforcement. In both cases, compliance frameworks depend less on securing hardware and more on governing access to sensitive data across users, devices and applications.</p> <p>Regulatory frameworks such as the Health Insurance Portability and Accountability Act (<a href="https://www.techtarget.com/searchhealthit/definition/HIPAA">HIPAA</a>), the Payment Card Industry Data Security Standard (<a href="https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard">PCI DSS</a>), the General Data Protection Regulation (<a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR">GDPR</a>) and state-level privacy laws differ in scope, but they share common expectations around access control, data handling, auditability and incident response. Mobile environments expose gaps in these areas faster than any other endpoint category.</p> <p>Addressing mobile compliance requires organizations to rethink how policies, identity, application controls and monitoring work together across the device lifecycle.</p> <section class="section main-article-chapter" data-menu-title="What mobile compliance requirements are common in the enterprise?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What mobile compliance requirements are common in the enterprise?</h2> <p>Mobile compliance requirements vary by regulation, but they share a common set of expectations that apply across industries and jurisdictions. At a high level, organizations are expected to know what data is being accessed on mobile devices, who can access it and how that access is governed over time.</p> <p>Across privacy, financial and healthcare regulations, mobile compliance typically requires organizations to do the following:</p> <ul class="default-list"> <li>Define and enforce access controls for sensitive data based on user role, device context and application use.</li> <li>Maintain visibility into how <a href="https://www.techtarget.com/searchcontentmanagement/feature/Compare-information-governance-vs-records-management">data is accessed, transmitted and stored</a> on mobile devices.</li> <li>Support audit and reporting requirements that demonstrate policy enforcement and access governance.</li> <li>Enable incident response processes that can contain, investigate and remediate mobile-related data exposure.</li> </ul> <p>Mobile environments make these requirements harder to meet because access is distributed across managed and personal devices, cloud-based applications and external networks. As a result, compliance efforts must focus on governing access and behavior rather than relying solely on device ownership or perimeter controls.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-hipaa_compliance-f.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/security-hipaa_compliance-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-hipaa_compliance-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/security-hipaa_compliance-f.png 1280w" alt="Illustration showing mobile compliance controls for protecting sensitive data, including access governance, training and monitoring" height="310" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Mobile compliance requires governing how sensitive data is accessed, monitored and audited across devices, applications and users. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Why is mobile compliance so difficult to manage?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why is mobile compliance so difficult to manage?</h2> <p>Mobile compliance is difficult to manage because organizations often lack consistent visibility and enforcement across the mobile device fleet. Unlike traditional endpoints, mobile devices operate across mixed ownership models, diverse operating systems and rapidly changing application environments.</p> <p>In many cases, organizations cannot easily answer basic compliance questions, such as which users can access sensitive data from mobile devices, which applications are involved and whether access policies are enforced consistently over time. This lack of clarity becomes a serious issue during audits or incident response, when organizations must demonstrate how access was governed rather than simply assert that controls existed.</p> </section> <section class="section main-article-chapter" data-menu-title="What can IT do to meet mobile compliance regulations?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What can IT do to meet mobile compliance regulations?</h2> <p>Meeting mobile compliance requirements requires more than deploying security tools. Organizations must establish clear governance over how mobile devices access sensitive data, how policies are enforced across ownership models and how compliance is demonstrated over time. The following practices focus on aligning policy, access controls and operational oversight across the mobile environment.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-ccpa_compliance-h.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/security-ccpa_compliance-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-ccpa_compliance-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/security-ccpa_compliance-h.png 1280w" alt="Illustration showing privacy compliance controls for mobile devices, including data access rules, consent handling and monitoring" height="358" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>Privacy regulations require organizations to demonstrate how mobile access to personal data is controlled and enforced across managed and personal devices. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <h3>Establish and enforce an organization-wide mobile policy</h3> <p>To meet regulatory requirements and reduce mobile risk, organizations should establish a clearly defined, organization-wide mobile policy. This policy should govern how sensitive data can be accessed from mobile devices, which applications and services are permitted, and how authentication and authorization are enforced across different device types and ownership models.</p> <p>Enforcing these policies typically requires organizations to use mobile device management (<a href="https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management">MDM</a>), enterprise mobility management (<a href="https://www.techtarget.com/searchmobilecomputing/definition/enterprise-mobility-management-EMM">EMM</a>) or unified endpoint management (<a href="https://www.techtarget.com/searchenterprisedesktop/definition/unified-endpoint-management-UEM">UEM</a>) platforms to apply controls and maintain visibility across the mobile environment. These tools <a href="https://www.techtarget.com/searchenterprisedesktop/feature/Understand-how-UEM-EMM-and-MDM-differ-from-one-another">support policy enforcement, monitoring and response</a>, but they are effective only when aligned with clearly defined governance requirements.</p> <p>IT departments in highly regulated industries may already have portions of this structure in place. In some cases, organizations manage mobile compliance internally. In others, they rely on third-party mobility managed services providers (<a href="https://www.techtarget.com/searchitchannel/definition/managed-service-provider">MSPs</a>) with experience supporting regulatory and audit requirements.</p> <h3>Implement an effective mobile security strategy across the device fleet</h3> <p>Mobile devices are at a higher risk of theft, loss or compromise in hybrid and remote work scenarios, thus putting sensitive corporate data at risk. Use an MDM platform to provide a standard level of encryption, secure authentication and remote wipe capabilities.</p> <p>Managing corporate-owned devices makes implementing an effective strategy easier. <a href="https://www.techtarget.com/searchmobilecomputing/tip/3-BYOD-security-risks-and-how-to-prevent-them">Managing the compliance of BYOD endpoints</a> becomes more challenging due to the diversity of configurations, mobile OSes and app versions across user devices. The only way to preempt these challenges is to spend the extra time to put in a support structure for BYOD, starting with device requirements governed by MDM policies to help ensure mobile compliance by the authorization of devices.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/ilLEdbfzw-I?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> <h3>Institute a compliance plan for mobile users</h3> <p>Organizations without an internal compliance plan for mobile users should either build one, seek guidance from a consulting group familiar with compliance requirements or outsource mobile governance to a specialized provider. Enforcement actions over the past decade highlight how recurring gaps in mobile governance and policy enforcement have led to compliance failures across industries.</p> <ul class="default-list"> <li>Jam City was fined $1.4 million in 2025 by California's Attorney General for alleged violations of the California Consumer Privacy Act (<a href="https://www.techtarget.com/searchcio/definition/California-Consumer-Privacy-Act-CCPA">CCPA</a>), including failures to honor opt-out requests and improper data sharing.</li> <li>Uber was fined €290 million in 2024 by the Dutch Data Protection Authority for GDPR violations related to unlawful transfers of European drivers' personal data to U.S. servers.</li> <li>Zoom was found to share users' personal data with Facebook without user consent, violating HIPAA regulations. In 2021, Zoom paid $85 million for failing to comply with HIPAA regulations. Allegations included Zoom sharing users' personal information with Facebook and Google without user consent and lying about its encryption practices.</li> <li>WhatsApp was fined $267 million in 2021 for violating GDPR related to a May 25, 2018, update to its Terms of Service.</li> <li>Bank of America, Barclays and Morgan Stanley are among the banks that have disclosed agreements to pay as much as $200 million because of employee use of unapproved messaging apps.</li> </ul> <p>Also, the Attorney General of the State of California announced an <a target="_blank" href="https://oag.ca.gov/news/press-releases/ahead-data-privacy-day-attorney-general-bonta-focuses-mobile-applications%E2%80%99" rel="noopener">investigative sweep</a> in January 2023 focusing on mobile app compliance. They sent letters to businesses in the retail, travel and food services industries that allegedly failed to comply with the CCPA -- in particular, consumer opt-out requests or consumers who wanted to stop the sale of their data.</p> <h3>Regularly monitor and update software and devices</h3> <p>Just as IT teams must monitor and update the software, PCs and servers that comprise the corporate network, IT must extend a <a href="https://www.techtarget.com/searchmobilecomputing/tip/Enterprise-mobile-compliance-is-critical-but-often-neglected">similar strategy over the corporate-owned and BYOD endpoints</a> and software that interact with IT infrastructure and back-end systems to ensure security and compliance.</p> <p>A useful reference point for mobile compliance best practices comes from the PCI Security Standards Council, the global body responsible for developing and maintaining payment security standards. The council's Mobile Payments on Commercial Off-The-Shelf (MPoC) Standard, most recently updated in late 2024, outlines <a href="https://www.pcisecuritystandards.org/standards/mobile-payments-on-cots-mpo" target="_blank" rel="noopener">modern security requirements</a> for accepting payments on smartphones and other commercial mobile devices. MPoC reflects current mobile payment models and has effectively superseded earlier guideline-style publications, including the PCI Mobile Payment Acceptance Security Guidelines.</p> <h3>Maintain accurate records</h3> <p>Managing the mobile device lifecycle with its accurate records is a necessity in meeting mobile compliance regulations. Records include tracking which devices an organization issues to employees, which employees have access to sensitive corporate data, and what security measures are on employee devices.</p> <h3>Deliver ongoing mobile security training to all users</h3> <p>Hybrid and remote work require organizations to rethink how they educate their users about mobile security and compliance. <a href="https://www.techtarget.com/searchmobilecomputing/The-ultimate-guide-to-mobile-device-security-in-the-workplace">Mobile device security</a> can no longer be a module in an online security awareness training course that's fluffy, with little regard to specifics for the organization, leading employees to blow through the course so they can email their manager a PDF certificate.</p> <p>Mobile security training in the hybrid and remote work era requires the following:</p> <ul class="default-list"> <li>Dedicated mobile device training starting from the time of employee onboarding that focuses on security and compliance.</li> <li>Publication and dissemination of mobile security-focused job aids and documentation through channels such as Notion or other centralized platforms.</li> <li>Mobile security becoming part of team meetings and asynchronous communication channels such as Slack.</li> <li>"Just-in-time" mobile security training as new threats surface in the industry or as the mobile security strategy changes.</li> </ul> <h3>Take mobile compliance seriously</h3> <p>Mobile compliance is no longer a secondary concern or a problem limited to highly regulated industries. As mobile devices become primary access points for sensitive data, organizations must be able to demonstrate how access is governed, monitored and reviewed across the mobile environment.</p> <blockquote class="main-article-pullquote"> <div class="main-article-pullquote-inner"> <figure> Mobile compliance depends on governing how sensitive data is accessed, monitored and reviewed across devices and applications. </figure> <i class="icon" data-icon="z"></i> </div> </blockquote> <p>Sustainable mobile compliance depends on clear policies, consistent enforcement and ongoing visibility into how devices, applications and users interact with sensitive data. Organizations that treat mobile compliance as a governance responsibility rather than a one-time security project are better positioned to meet regulatory expectations, support audits and adapt as mobile platforms and regulations evolve.</p> <p><b>Editor's note</b><strong>:</strong> This article was updated in January 2026 to improve the reader experience.</p> <p><i>Will Kelly is a freelance writer and content strategist who has written about cloud, DevOps, AI and enterprise mobility.</i></p> <p><i>Jack Gold is the founder and president of J.Gold Associates, LLC and has been a technology analyst for more than 20 years.</i></p> </section> Mobile compliance now requires governance over how sensitive data is accessed across managed and personal devices. Here are practical steps for sustainable enterprise compliance. https://cdn.ttgtmedia.com/rms/onlineimages/customer_service04.jpg https://www.techtarget.com/searchmobilecomputing/tip/Enterprise-mobile-compliance-is-critical-but-often-neglected Mon, 26 Jan 2026 10:00:00 GMT <p>Information security management encompasses many areas -- from perimeter protection and encryption to application security and disaster recovery. IT security is made more challenging by compliance regulations and standards, such as <a href="https://www.techtarget.com/searchhealthit/definition/HIPAA">HIPAA</a>, PCI DSS , the Sarbanes-Oxley Act and <a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR">GDPR</a>.</p> <p>This is where IT security frameworks and standards are essential. Knowledge of regulations, standards and frameworks is necessary for all cybersecurity professionals. Compliance with these frameworks and standards is especially important from an audit perspective.</p> <p>To help manage the process, let's examine standards, regulations and frameworks, as well as the more popular security options and how to use them.</p> <section class="section main-article-chapter" data-menu-title="What are IT security standards, regulations and frameworks?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are IT security standards, regulations and frameworks?</h2> <p><b>Standards</b> are like recipes; they list steps to follow. A well-managed IT organization must comply with the requirements set forth in a standard.</p> <p><b>Regulations</b>, in contrast, have a legally binding impact. The way they describe how to do something indicates government and public support for the rules and processes set forth in the regulation. Failure to comply with IT-focused regulations can result in financial penalties and litigation.</p> <p><b>Frameworks</b> detail how to develop, test, execute and maintain something. A cybersecurity framework is a series of documented processes that defines policies and procedures for implementing and managing infosec controls. Such frameworks are a blueprint for managing risk and reducing vulnerabilities.</p> <p>Information security professionals use frameworks to define and prioritize the tasks required to manage enterprise security. Frameworks also help prepare for compliance and other IT audits. Therefore, they must support specific requirements defined in a standard or regulation.</p> <p>Organizations can customize frameworks to solve specific information security problems, such as industry-specific requirements or regulatory compliance goals. Frameworks also come in varying degrees of complexity and scale. Today's frameworks often overlap, so it's important to select ones that effectively support operational, compliance and audit requirements. They should also be easy to adapt to existing security activities.</p> </section> <section class="section main-article-chapter" data-menu-title="Why are security frameworks important?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why are security frameworks important?</h2> <p>Frameworks provide a starting point for establishing processes, policies and administrative activities for infosec management.</p> <p>Security requirements often overlap, resulting in "crosswalks" that can be used to demonstrate compliance with different regulatory standards. For example, <a href="https://www.techtarget.com/searchsecurity/tip/How-to-write-an-information-security-policy-plus-templates"><i>information security policy</i></a> is defined in the following standards:</p> <ul class="default-list"> <li>ISO 27002 defines it in Section 5.</li> <li>Control Objectives for Information and Related Technology (COBIT) defines it in the "Align, Plan and Organize" section.</li> <li>HIPAA defines it in the "Assigned Security Responsibility" section.</li> <li>PCI DSS defines it in the "Maintain an Information Security Policy" section.</li> </ul> <p>Using a common framework, such as ISO 27002, an organization can establish crosswalks to demonstrate compliance with multiple regulations, including HIPAA, <a href="https://www.techtarget.com/searchcio/definition/Sarbanes-Oxley-Act">SOX</a>, PCI DSS and the <a href="https://www.techtarget.com/searchcio/definition/Gramm-Leach-Bliley-Act">Graham-Leach-Bliley Act</a>.</p> <p>Unlike standards and regulations, frameworks do not always have compliance requirements. For example, "ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements" has specific compliance mandates, whereas "ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection -- Information security controls" does not.</p> <p>After identifying a compliance requirement, security analysts should look for frameworks that help the organization comply with the primary standard or regulation. This is how ISO 27002 supports ISO 27001.</p> </section> <section class="section main-article-chapter" data-menu-title="How to choose an IT security framework"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to choose an IT security framework</h2> <p>Multiple factors drive the choice to use a particular security framework, including industry or compliance requirements. Publicly traded companies, for example, might want to use COBIT to comply with SOX, while the healthcare sector might consider the HITRUST (Health Information Trust Alliance) framework to comply with the <a href="https://www.techtarget.com/searchhealthit/definition/HITECH-Act">HITECH (Health Information Technology for Economic and Clinical Health) Act</a>. The ISO 27000 series of information security standards and frameworks, by contrast, is applicable in public and private sectors.</p> <p>ISO standards are often time-consuming to implement, but they are helpful when an organization needs to demonstrate its information security capabilities using ISO 27000 certification. While NIST Special Publication (SP) 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations is a standard required by U.S. federal agencies, any organization can use it to build a technology-specific information security plan.</p> </section> <section class="section main-article-chapter" data-menu-title="Top IT security standards and frameworks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Top IT security standards and frameworks</h2> <p>The following standards and frameworks help security professionals organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them.</p> <h3>1. ISO 27000 series</h3> <p>The ISO 27000 series was developed by the International Organization for Standardization. It is a flexible cybersecurity framework that applies to organizations of all types and sizes.</p> <p>The two primary standards -- ISO <a href="https://www.techtarget.com/whatis/definition/ISO-27001">27001</a> and <a href="https://www.techtarget.com/searchsecurity/definition/ISO-27002-International-Organization-for-Standardization-27002">27002</a> -- establish the requirements and procedures for creating an information security management system (<a href="https://www.techtarget.com/whatis/definition/information-security-management-system-ISMS">ISMS</a>). Having an ISMS is an important audit and compliance activity. ISO 27000 consists of an overview and vocabulary and defines ISMS requirements. ISO 27002 specifies the code of practice for developing ISMS controls.</p> <p>Compliance with the ISO 27000 series of standards is established through audit and certification processes, typically provided by third-party organizations approved by ISO and other accredited agencies.</p> <p>The ISO 27000 series has 60 standards that cover a broad spectrum of cybersecurity issues, including the following:</p> <ul class="default-list"> <li>ISO 27017 describes security controls for cloud environments.</li> <li>ISO 27018 addresses the protection of personally identifiable information (PII) in cloud computing.</li> <li>ISO 27031 provides guidance on business continuity and related activities.</li> <li>ISO 27037 addresses the collection and protection of digital evidence.</li> <li>ISO 27040 addresses storage security.</li> <li>ISO 27400 covers IoT security and privacy.</li> <li>ISO 27799 defines information security in healthcare.</li> </ul> <h3>2. NIST SP 800-53</h3> <p>NIST has developed an extensive library of IT standards, many of which focus on information security. First published in 1990, the NIST SP 800 series addresses virtually every aspect of information security, with an increasing focus on <a href="https://www.techtarget.com/searchsecurity/feature/Guide-to-cloud-security-management-and-best-practices">cloud security</a>.</p> <p>SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations is the information security benchmark for U.S. government agencies and is widely used in the private sector. It has helped spur the development of information security frameworks, including the NIST Cybersecurity Framework (CSF).</p> <h3>3. NIST SP 800-171</h3> <p>SP 800-171 Rev. 3: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations has gained popularity due to requirements set by the U.S. Department of Defense regarding contractor compliance with security frameworks. Government contractors are a frequent target for cyberattacks due to their proximity to federal systems. To bid on federal and state business opportunities, &nbsp;manufacturers and subcontractors must have a cybersecurity framework.</p> <p>Controls included in the SP 800-171 framework are directly related to SP 800-53 but are less detailed and more generalized. It's possible to build a crosswalk between the two standards if an organization must show compliance with SP 800-53, using SP 800-171 as the base. This creates flexibility for smaller organizations -- they can show compliance as they grow using the additional controls included in SP 800-53.</p> <h3>4. NIST CSF</h3> <p>The NIST Framework for Improving Critical Infrastructure Cybersecurity, later known as the <a href="https://www.techtarget.com/searchsecurity/definition/NIST-Cybersecurity-Framework">NIST CSF</a>, was developed under Executive Order 13636, released in 2013. It was created to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries must maintain a high level of preparedness because they have all been targeted by nation-state actors.</p> <p>Unlike other NIST frameworks, the CSF focuses on cybersecurity risk analysis and risk management. Security controls in the framework are based on the five phases of risk management: identify, protect, detect, respond and recover. Like all IT security programs, these phases require the support of senior management. NIST CSF is suitable for both public and private sectors.</p> <p>The CSF 2.0, released in 2024, <a target="_blank" href="https://www.darkreading.com/ics-ot-security/nist-cybersecurity-framework-2-0-4-steps-get-started" rel="noopener">broadened the framework's applicability</a> to organizations of all sizes, expanded its response core function activities, added a new core function to emphasize the importance of governance, and made ransomware and supply chain threats more prominent.</p> <h3>5. NIST SP 1800 series</h3> <p>The NIST SP 1800 series, also known as the NIST Cybersecurity Practice Guides, is a set of documents that complement the SP 800 series of standards and frameworks. The guides offer information on how to implement and apply standards-based cybersecurity technologies in real-world applications.</p> <p>The SP 1800 series publications provide the following:</p> <ul class="default-list"> <li>Examples of specific situations and capabilities.</li> <li>Experience-based, how-to approaches using multiple products to achieve the desired result.</li> <li>Modular implementation guidance on capabilities for organizations of all sizes.</li> <li>Specifications of required components and installation, configuration and integration information so organizations can easily replicate the process themselves.</li> </ul> <p>Guides include implementing <a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network">zero trust</a>, <a href="https://www.techtarget.com/searchsecurity/tip/Shift-left-with-these-DevSecOps-best-practices">DevSecOps practices</a>, mobile device security, <a href="https://www.techtarget.com/searchsecurity/tip/What-to-know-about-5G-security-threats-in-the-enterprise">5G security</a> and data confidentiality.</p> <h3>6. COBIT</h3> <p><a href="https://www.techtarget.com/searchsecurity/definition/COBIT">COBIT</a> was developed in the mid-1990s by ISACA, an independent organization of IT governance professionals. ISACA offers the well-known Certified Information Systems Auditor and Certified Information Security Manager certifications.</p> <p>COBIT originally focused on reducing IT risks. COBIT 5, released in 2012, included new technology and business trends to help organizations balance IT and business goals. The current version is COBIT 2019. It's the most used framework to achieve SOX compliance. Numerous publications and professional certifications address COBIT requirements.</p> <h3>7. CIS Controls</h3> <p>The Center for Internet Security (CIS) Critical Security Controls, Version 8.1 -- formerly the SANS Top 20 -- lists technical security and operational controls that can apply to any environment. It does not address risk analysis or risk management like NIST CSF; rather, it solely focuses on reducing risk and <a href="https://www.techtarget.com/searchsecurity/tip/Build-a-strong-cyber-resilience-strategy-with-existing-tools">increasing resilience</a> for technical infrastructures. It was updated in 2024 to align with the updated NIST CSF 2.0.</p> <p>The 18 CIS Controls include the following:</p> <ul class="default-list"> <li>Inventory and control of enterprise assets.</li> <li>Data protection.</li> <li>Audit log management.</li> <li>Malware defenses.</li> <li>Penetration testing.</li> </ul> <p>CIS Controls link with existing risk management frameworks to help remediate identified risks. They're useful resources for IT departments that lack technical security experience.</p> <h3>8. HITRUST Common Security Framework</h3> <p>The HITRUST Common Security Framework (CSF) includes risk analysis and risk management frameworks, along with operational requirements. The framework has 14 different control categories and applies to almost any organization, including healthcare. Categories include access control, HR security, risk management, physical and environmental security, and privacy practices.</p> <p>The HITRUST CSF is a massive undertaking due to the heavy weight given to documentation and processes. As a result, many organizations end up scoping smaller areas of focus for HITRUST. The costs of obtaining and maintaining HITRUST certification add to the level of effort required to adopt this framework. The certification is audited by a third party, which adds a level of validity.</p> <h3>9. GDPR</h3> <p>The EU's GDPR is a framework of security requirements that global organizations must implement to protect the security and privacy of EU citizens' personal information.</p> <p>GDPR requirements include controls for restricting unauthorized access to stored data and access control measures, such as the <a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP">principle of least privilege</a>, role-based access and MFA. Failure to comply with GDPR requirements can result in significant fines.</p> <h3>10. COSO</h3> <p>The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative of five professional associations that has published two complementary frameworks. Its <a href="https://www.techtarget.com/searchcio/definition/COSO-Framework">Internal Control -- Integrated Framework</a>, released in 1992 and updated in 2013, helps companies achieve a risk-based approach for internal controls. It covers the following components, referred to as the five pillars:</p> <ol class="default-list"> <li>Control environment.</li> <li>Risk assessment.</li> <li>Control activities.</li> <li>Information and communication.</li> <li>Monitoring activities.</li> </ol> <p>COSO is developing a Corporate Governance Framework in collaboration with the National Association of Corporate Directors. The framework, expected to be released in late 2025, aims to unify existing corporate governance activities in U.S. public companies. It will complement existing COSO frameworks, including its Enterprise Risk Management Framework.</p> <h3>11. PCI DSS</h3> <p>PCI DSS is a set of requirements and guidelines designed to help ensure secure business transactions and protect cardholder data, including credit card numbers, expiration dates and security codes.</p> <p>The 12 PCI DSS requirements include the following:</p> <ul class="default-list"> <li>Install and maintain network security controls.</li> <li>Protect stored account data.</li> <li>Develop and maintain secure systems and software.</li> <li>Test system and network security regularly.</li> </ul> <p>Created in 2004 by five major credit card companies and updated to version 4.0 in 2022, it called for more rigorous security measures, such as MFA and strong passwords. Version 4.0.1, released in 2024, did not add or remove requirements but <a target="_blank" href="https://www.darkreading.com/cyber-risk/new-pci-dss-rules-merchants-on-hook-compliance" rel="noopener">clarified existing requirements and updated terminology</a>.</p> <h3>12. CMMC</h3> <p>The Cybersecurity Maturity Model Certification is a framework developed by the U.S. Department of Defense to ensure government-approved contractors comply with cybersecurity requirements. It is built on the controls and guidance in NIST SP 171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and defines the following three certification levels:</p> <ul class="default-list"> <li>Foundational, minimum security requirements for basic government contracting.</li> <li>Advanced, for contractors that handle controlled unclassified information.</li> <li>Expert, for contractors handling highly classified information.</li> </ul> <p>CMMC 1.0 was released in 2020. Version 2.0 was finalized in 2024.</p> <h3>13. FISMA</h3> <p>The <a href="https://www.techtarget.com/searchsecurity/definition/Federal-Information-Security-Management-Act">Federal Information Security Modernization Act</a>, which aligns closely with the NIST Risk Management Framework, provides a security framework for protecting federal government data and systems.</p> <p>FISMA requires U.S. federal agencies, as well as third parties, contractors and vendors that handle federal systems, to develop, document and implement security programs. Compliance requirements include continuous monitoring, annual security reviews and baseline security controls, such as those outlined in NIST SP 800-53.</p> <p>FISMA was introduced in 2002 and updated in 2014. It is currently undergoing legislative efforts for an update.</p> <h3>14. NERC CIP</h3> <p>The <a href="https://www.techtarget.com/searchsecurity/definition/North-American-Electric-Reliability-Corporation-Critical-Infrastructure-Protection-NERC-CIP">North American Electric Reliability Corporation Critical Infrastructure Protection framework</a> includes 14 ratified and proposed standards that apply to utility companies within the bulk power system. The standards outline recommended controls and policies to monitor, regulate, manage and maintain the security of critical infrastructure systems. Bulk power system owners, operators and users must comply with the NERC CIP framework.</p> <p>CIP standards include the following:</p> <ul class="default-list"> <li>CIP-004-7 Cyber Security -- Personnel and Training.</li> <li>CIP-008-6 Cyber Security -- Incident Reporting and Response Planning.</li> <li>CIP-013-2 Cyber Security -- Supply Chain Risk Management.</li> <li>CIP-014-3 Physical Security.</li> </ul> <h3>15. SOC 2</h3> <p><a href="https://www.techtarget.com/searchsecurity/definition/Soc-2-Service-Organization-Control-2">System and Organizational Controls 2</a> is a framework developed by the American Institute of Certified Public Accountants that assesses how organizations manage and protect data. It is an internal control that enables companies to demonstrate that they meet the following Trust Services Criteria:</p> <ul class="default-list"> <li><b>Security.</b> Protects data and maintains its privacy during creation, use, processing, transmission and storage. Focuses on preventing data leakage, unauthorized access and damage to systems that affect the availability, integrity and confidentiality of data.</li> <li><b>Availability.</b> Puts controls in place that ensure systems are operational, available and monitored.</li> <li><b>Processing integrity.</b> Confirms that processing is complete, accurate, timely, authorized and secure.</li> <li><b>Confidentiality.</b> Protects data designated confidential.</li> <li><b>Privacy.</b> Ensures PII is collected, used, retained, disclosed and disposed of properly.</li> </ul> <p>A SOC 2 audit, performed by a third-party CPA, examines whether an organization's controls meet SOC 2 criteria. While not a legal requirement, many customers use it to assess the security and privacy controls of their vendors and service providers.</p> <p><i>Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.</i></p> </section> Several IT security frameworks and standards exist to help protect company data. Here's advice for choosing the right ones for your organization. https://cdn.ttgtmedia.com/rms/onlineimages/security_a299192530.jpg https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one Wed, 08 Oct 2025 09:00:00 GMT <p>Large language models, such as ChatGPT, Gemini and Claude, are redefining how people obtain information and perform their daily tasks. The cybersecurity industry is no different. Teams are using LLMs for everything from security operations center automation to defending against phishing attacks, security awareness and everything in between.</p> <p>One particular area where LLMs shine is helping practitioners analyze the security of applications -- specifically in supporting <a href="https://www.techtarget.com/searchsecurity/tip/Red-team-vs-blue-team-vs-purple-team-Whats-the-difference">red team activities</a>. LLM-based tools and plugins are already paying benefits. Among them are ones that analyze HTTP stream information -- e.g., via context menu -- exported from testing apps such as Burp Suite or Zed Attack Proxy (ZAP), and tools that sit in the proxy chain to bulk offload requests and responses for LLM review.</p> <p>Even without special-purpose tools, though, the human-readable nature of HTTP, combined with its predictable structure, makes it particularly well suited for LLM analysis. Yet, as with anything related to new technology, it can be difficult to know where and how to start. To that end, let's examine a few ways to use LLMs for penetration testing.</p> <p>But first, here are a couple quick caveats:</p> <ul class="default-list"> <li>Be aware of both terms of service and guardrails. Each LLM might have different rules about what is allowed and what constitutes acceptable use. Stay informed of those constraints to ensure you adhere to them. Some LLMs have guardrails that gate use even if you're following the rules. Others might filter information they decide could potentially be sensitive in a different context -- for example, non-authentication fields within a JSON Web Token (JWT).</li> <li>The five use cases detailed below are not intended to be exhaustive; these are not the only potential deployments. The ones included are generally applicable under most test conditions and because they reliably add significant value. You might have needs or circumstances not covered here.</li> </ul> <section class="section main-article-chapter" data-menu-title="1. Session state and login flow"> <h2 class="section-title"><i class="icon" data-icon="1"></i>1. Session state and login flow</h2> <p>Analyzing application state maintenance is a great way to use an LLM for pen testing. The model can help establish state -- such as login flow -- as well as artifacts used to maintain it, among them <a href="https://www.techtarget.com/searchsecurity/definition/SAML">Security Assertion Markup Language</a> assertions, bearer tokens, universally unique identifiers, JWTs, session cookies and document object model artifacts.</p> <p>It's not always easy for humans to decode this. Cutting and pasting raw request and response blocks, such as headers and request/response bodies, to login requests can provide quite a bit of useful information. Even when practitioners can't just cut and paste one request -- for example, when login exchanges span multiple requests -- they can still get value here. <a href="https://www.techtarget.com/whatis/feature/17-free-cybersecurity-tools-you-should-know-about">ZAP, Burp and other popular tools</a> let professionals export these as text files or HTTP archive files that the LLM can analyze later.</p> <p>One important note: While most reasoning models can unpack and analyze even encoded artifacts -- for example, URL encoded, Base64 encoded or hex encoded -- more complex data structures and multiple levels of encoding can increase the chance that the <a href="https://www.techtarget.com/whatis/definition/AI-hallucination">LLM will hallucinate</a> and provide inaccurate data. The phenomenon is particularly true within smaller and self-hosted reasoning models.</p> </section> <section class="section main-article-chapter" data-menu-title="2. Reverse-engineering site composition"> <h2 class="section-title"><i class="icon" data-icon="1"></i>2. Reverse-engineering site composition</h2> <p>Login and state maintenance ranks first in this list because it is where many issues can occur. Consider how many of the OWASP Top 10 -- and in particular, its <a target="_blank" href="https://owasp.org/API-Security/editions/2023/en/0x11-t10/" rel="noopener">API Top 10</a> -- relate to authentication, authorization and state. That said, state maintenance likely isn't the most commonly performed task. That honor goes to identifying site architecture and construction -- a step required during each pen test, and in many cases, for multiple components in each test.</p> <p>LLMs can play a significant role here: A multitude of potential combinations define how a given site is built. Sites can have a mix of different application scaffolding strategies, middleware, PaaS, APIs, languages and other factors. It's almost impossible for any individual tester, no matter how experienced, to recognize them all at a glance. A tester might today work with a React front end and Scala-based Play Framework back end, and tomorrow wrestle with a GraphQL-heavy Node app on Django.</p> <p>It's a significant amount of work to reverse-engineer how a given application is built, understand how pieces fit together and research specific questions about its architecture. It's also a great opportunity to harness an LLM to make this task easier.</p> <p>Supply an LLM with requests and responses along with <a href="https://www.techtarget.com/whatis/feature/How-to-scrape-data-from-a-website">scraped data</a> from the site -- for example, a capture of the HTTP stream, output from Wget or Playwright, etc. -- via retrieval-augmented generation. It could be part of project files in a commercial LLM or as part of local data files in an internally hosted model.</p> </section> <section class="section main-article-chapter" data-menu-title="3. Identifying legacy components"> <h2 class="section-title"><i class="icon" data-icon="1"></i>3. Identifying legacy components</h2> <p>Using an LLM for pen testing also helps those looking for problematic, legacy, vulnerable or sunsetted components within an application. Consider a site built on WordPress. Identifying which plugins and themes are in use and cross-referencing them with vulnerable versions can be a pain, even if using special-purpose tools such as WPScan.</p> <p>And that's just WordPress. Similar potential issues occur with almost every page. Legacy versions of libraries such as jQuery, Angular or Handlebars -- not to mention smaller or special-purpose libraries -- can be a significant security headache. An LLM can help identify those that are out of date and, more importantly, those that might present a possible <a href="https://www.techtarget.com/searchsecurity/tip/Close-security-gaps-with-attack-path-analysis-and-management">attack path</a> for the application.</p> <p>LLMs are particularly effective here because they can pinpoint vulnerable versions of libraries more readily than a human can and without explicit version strings, such as those based on syntactic differences in how specific methods within the API are called or use of deprecated functions. An LLM might see a call to the <samp>.live()</samp> method in jQuery and correctly note that this usage was deprecated. As a result, the version in use could be susceptible to live-based cross-site scripting attacks (XSS). The LLM gives in minutes what otherwise might take professionals hours to research -- or worse, potentially miss.</p> </section> <section class="section main-article-chapter" data-menu-title="4. Reverse-engineering minified code"> <h2 class="section-title"><i class="icon" data-icon="1"></i>4. Reverse-engineering minified code</h2> <p>Minified code generates more hours of frustration than just about any other issue in the application space. For a time-bound test, unpacking and analyzing minified code is a major time sink and something many testers avoid unless absolutely necessary. Even then, time constraints -- for example, a test with a capped number of hours -- might prevent thoroughness.</p> <p>While tools that help inflate and unpack minified code exist, in many cases, the expansion relates mostly to spacing. But it's still difficult to get back to something a person can read when variable and function names are left completely opaque. LLMs have no such constraint. They can help unpack and understand minified code in a way that is difficult to accomplish otherwise. For example, an LLM might identify a minified function that parses a JWT and returns <samp>user.admin</samp> without checking the signature -- even if that function is named <samp>q()</samp> and the variable names are meaningless.</p> <p>Note that most LLMs, even smaller models, are accurate with standard libraries and frameworks. They are, however, more prone to hallucination with custom code that occurs only in the app being analyzed. To that end, while LLMs can yield beneficial baseline data, if reverse-engineering the minified code is central to an attack scenario a practitioner is undertaking, trust but verify.</p> </section> <section class="section main-article-chapter" data-menu-title="5. Payload crafting and mutation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5. Payload crafting and mutation</h2> <p>Humans are prone to burnout -- particularly when working during off-hour testing windows and after multiple solid hours of testing. Engineers can make mistakes when crafting payloads, coming up with <a href="https://www.techtarget.com/searchsecurity/tip/Web-fuzzing-Everything-you-need-to-know">seeds for fuzzing</a> and performing other testing procedures. Generative LLMs offer an alternative. A prompt such as "Generate an XSS payload to bypass React-based sanitizers and that will trigger on mouseover" can greatly assist testers validating exploitability. LLMs also offer help to those probing injection use cases -- among them SQLi, LDAP injection and XML injection -- as well as XSS, path traversal, JWT manipulation and other payloads.</p> <p>Another important caveat: This type of use case pushes right up to the edge of what many commercial LLMs will allow through their guardrails. Expect a lot of pushback here, including a flat refusal to do it, unless practitioners have a locally hosted model or an enterprise LLM tier that lets them define their own policy thresholds. Even in cases where the LLM does block a response, there's still quite a bit of potential value in discussing methods with the LLM's creator -- in the abstract, if no more specificity is allowed -- to bypass filtering or encoding mechanisms.</p> <p><b>Editor's note:</b><i> It is possible to use the use cases in this article both lawfully and unlawfully. It is up to you to ensure your usage is lawful. Get appropriate permission and approval before red teaming, and handle the information obtained ethically. If you are unsure whether your usage is lawful, do not proceed until you have confirmed that it is -- for example, by discussing and validating your planned usage with your organization's counsel.</i></p> <p><i>Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.</i></p> </section> Red teams can harness the power of LLMs for penetration testing. From session analysis to payload crafting, discover five ways AI transforms security testing. https://cdn.ttgtmedia.com/rms/onlineimages/chatbot_g1206801125.jpg https://www.techtarget.com/searchsecurity/tip/Red-teams-and-AI-Ways-to-use-LLMs-for-penetration-testing Mon, 25 Aug 2025 12:00:00 GMT <p>Electric power is one of the most important resources to protect when it comes to critical infrastructure. Virtually every business can experience power loss, and the results can be disastrous.</p> <p><a href="https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity">Business continuity</a> is an organization's ability to maintain critical business functions during and after a disruption. Power outages can strike at any moment, leading to extended downtime or data loss. Incorporating power outage preparedness into a business continuity plan can help when the lights go down.</p> <p>A business continuity plan for power outages must be part of an organization's incident response protocols. Organizations can also take various measures to minimize the likelihood of power outages, such as infrastructure testing and ensuring ample backup power supply access.</p> <p>This article update will cover the consequences of power loss, causes, and detailed steps to create and implement an outage recovery plan.</p> <section class="section main-article-chapter" data-menu-title="Consequences of power loss"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Consequences of power loss</h2> <p>A loss of power can <a href="https://www.techtarget.com/searchdisasterrecovery/Free-incident-response-plan-template-for-disaster-recovery-planners">shut down an entire business</a> unless organizations take suitable precautions. A complete loss of commercial power is the worst-case scenario, as opposed to local and/or regional outages that are confined to specific locations. Extended outages can cause <a href="https://www.techtarget.com/searchdisasterrecovery/tip/Real-life-business-continuity-failures-Examples-to-study">catastrophic business losses </a>that might last hours, days or weeks.</p> <p>Unplanned downtime due to power outage might result in the following, if not remedied quickly:</p> <ul class="default-list"> <li>Data loss.</li> <li>Financial/legal troubles for not meeting compliance requirements.</li> <li>Reputational harm.</li> <li>Damage to critical systems.</li> <li>Employee injuries and even fatalities.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Causes of business power outages"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Causes of business power outages</h2> <p>Events that are most likely to cause power outages are often associated with natural causes, such as severe weather. Naturally occurring events likely to cause power outages include the following:</p> <ul class="default-list"> <li>Tornadoes.</li> <li>Wildfires.</li> <li>Earthquakes.</li> <li>Flooding.</li> <li>Mudslides.</li> <li>Lightning strikes.</li> <li>Sinkholes.</li> <li>Solar flares and storms.</li> </ul> <p>Outages can also be manmade, by error or malicious action. Disruptions caused by human activity can include the following:</p> <ul class="default-list"> <li>Flooding caused by damaged plumbing.</li> <li>Electrical damage caused by improper wiring or lack of grounding.</li> <li>Incorrect data entry or programming of power management systems.</li> <li>Failure of systems within the nation's electric grid.</li> <li>Damage to high-voltage overhead power lines and towers.</li> <li><a href="https://www.techtarget.com/searchdisasterrecovery/tip/Why-BCDR-teams-should-consider-EMP-disaster-recovery-plans">Electromagnetic pulses</a>.</li> <li>Damage to power cables by construction equipment.</li> <li>Incorrect power system installation.</li> <li>Insufficient fueling of backup power systems.</li> <li>Failure to regularly test backup power systems.</li> <li>Fire/arson.</li> </ul> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/ZetTrqWFE_w?si=TnvyxSiYJ0RLIzpX?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="8 steps to design and implement a business continuity plan for power outages"> <h2 class="section-title"><i class="icon" data-icon="1"></i>8 steps to design and implement a business continuity plan for power outages</h2> <p>Like most business continuity plans, several activities should occur before plan development begins. The following is a list of eight tasks IT teams and BCDR personnel must complete before implementing a plan.</p> <h3>1. Secure senior management approval and funding</h3> <p>Few, if any, business initiatives get off the ground if leadership is not on board, so it is critical to secure management approval early. Discussions with management will likely shape who is involved in a business continuity plan, as well as <a href="https://www.techtarget.com/searchdisasterrecovery/A-disaster-recovery-budget-template-A-free-download-and-guide">determine the budget</a>. This stage is an opportunity to make the case for investing in business continuity and evaluating power sources for potential outages.</p> <h3>2. Establish a project team</h3> <p>Depending on the size of the organization, the size of a <a href="https://www.techtarget.com/searchdisasterrecovery/tip/Establish-a-business-continuity-team-to-get-the-full-picture">business continuity team</a> varies. These teams are typically made up of IT personnel, with input from various department heads and HR. When creating a business continuity plan for power outages, members might also include internal facilities employees and external power professionals.</p> <h3>3. Conduct a business impact analysis (BIA) and risk assessment</h3> <p>Risks vary by organization, so it is critical that the business continuity team <a href="https://www.techtarget.com/searchdisasterrecovery/feature/Using-a-business-impact-analysis-BIA-template-A-free-BIA-template-and-guide">conduct a business impact analysis</a> (BIA) and risk assessment before creating a plan. A BIA will identify the severity of different risks and how badly they are likely to affect key business processes. For example, the analysis might show that a loss of electricity to a data center's power source would cause significant downtime, resulting in compliance violations or data loss. That finding would affect the structure of a business continuity plan, making sure that the power source is a high priority.</p> <p>A <a href="https://www.techtarget.com/searchsecurity/definition/risk-assessment">risk assessment</a>, on the other hand, determines the likelihood of different risks that might affect operations. When it comes to a power outage plan, key risks to assess would be aging infrastructure, local weather patterns <a target="_blank" href="https://www.energy.gov/articles/department-energy-releases-report-evaluating-us-grid-reliability-and-security" rel="noopener">and the reliability</a> of the region's electric grid.</p> <h3>4. Prepare a list of all power resources</h3> <p>When an outage strikes, you don't want to be scrambling to find the electric company's contact information. For a power outage business continuity plan, make sure someone has a copy of or access to this information. This could be a member of the business continuity team or HR.</p> <p>Organizations should have contact information for <a href="https://www.techtarget.com/searchdatacenter/feature/Data-center-power-infrastructure-essentials-prevent-downtime">key power resources</a>, which might include the following:</p> <ul class="default-list"> <li>Primary and alternate electric utility companies.</li> <li>Emergency power system vendors.</li> <li>Fuel companies for backup power systems.</li> <li>Electricians and specialized contractors.</li> <li>Access to power system engineers and consultants.</li> <li>Access to suppliers of power protection resources.</li> </ul> <h3>5. Establish procedures for responding to power outages</h3> <p>Statistically, the likelihood of a short-term power interruption is fairly high. Short-term outages can last about 15 minutes. They are nuisances, but will not likely disrupt business operations. By contrast, longer-term power outages, lasting hours or days, require a more intensive business recovery process.</p> <p>Organizations must establish several key procedures for resolving power outages. While some of the technical details will differ by organization, two key elements should be top priorities: people and power.</p> <p>Confirm that employees are unharmed and commence <a target="_blank" href="https://www.ready.gov/evacuation" rel="noopener">evacuation of personnel</a> as quickly as possible. Establish outside meeting locations where employees can gather, receive further instructions from management and first responders, and management can take headcounts of employees.</p> <p>Launching emergency power systems can help keep the organization running, unless other circumstances necessitate a physical evacuation. <a href="https://www.techtarget.com/searchdatacenter/tip/Data-center-backup-power-systems-standards-to-address-downtime">Backup power and remote working</a> make sense so long as the outage is of a relatively short duration, and is largely confined to a specific geographic area, such as a city or section of a city, and is not a statewide or nationwide disruption.</p> <p>For larger-area and extended power outages, the above strategies might be insufficient, so it is important to discuss short- and long-term power outage strategies periodically with senior management, facilities teams and utility companies.</p> <h3>6. Establish recovery procedures post-outage</h3> <p>Once power returns, the business will need time to recover and <a href="https://www.techtarget.com/searchwindowsserver/definition/System-Restore">restart systems</a>, and reestablish <a href="https://www.techtarget.com/searchdisasterrecovery/tip/How-to-maintain-network-continuity-in-a-DR-strategy">network connections</a> and related activities. Check with building facilities personnel on the cause of the outage and determine remedial actions that can help prevent future occurrences.</p> <h3>7. Establish and schedule testing activities</h3> <p>Testing is key to any business continuity plan. <a href="https://www.techtarget.com/searchdisasterrecovery/tip/Strengthen-a-business-continuity-plan-with-testing-exercises">IT teams must test</a> incident response activities, backup and restore operations, and communications resources to make sure the company can return to business smoothly. When creating a business continuity plan for power outages, you must also consider physical infrastructures that might be affected and test their backup power systems.</p> <h3>8. Schedule periodic assessments of power infrastructures</h3> <p>Business continuity plans typically include strategies for power outage response and necessary resources. These include local backup power systems, spare power supplies for equipment racks and devices, spare power cables, power connectors and spare power outlets.</p> <p>Periodically inspect the building infrastructure for power protection equipment, and be sure to include the following resources and strategies:</p> <ul class="default-list"> <li>Lightning arrestors.</li> <li>Grounding.</li> <li>Power conditioners.</li> <li>Surge suppressors.</li> <li>Cabling with the proper rating for the intended usage.</li> <li>Backup power systems.</li> <li>Flashlights.</li> <li>Diverse cable routing in vertical and horizontal raceways and cable paths.</li> <li>Diverse power cable routing into the building.</li> <li>Service from two different utility power substations.</li> </ul> <p>Make sure that emergency lighting is in place throughout each floor of the office and in stairwells. If an organization is a tenant in an office building or manufacturing facility, check with the facilities management team on their power protection activities.</p> </section> <section class="section main-article-chapter" data-menu-title="Include power loss in BCDR and resilience plans"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Include power loss in BCDR and resilience plans</h2> <p>Power loss is one of the principal risks and threats to business continuity. <a href="https://www.techtarget.com/searchdisasterrecovery/feature/Sample-business-continuity-plan-template-for-SMBs-Free-download-and-guide">No matter the size</a> or location of an organization, IT teams must prepare for several vulnerabilities to prevent or reduce the effects of potential power outages.</p> <p>When developing BCDR, incident response and resilience plans, organizations must include power disruptions in risk assessments and BIAs. These analyses help identify ways to prepare for power outages and how to <a href="https://www.techtarget.com/searchdisasterrecovery/tip/How-to-calculate-maximum-allowable-downtime">mitigate the severity of an outage to the business.</a> These assessments will also show the organization the likelihood of different disruptions, helping them dedicate resources where they are needed most.</p> <p><i>Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing. </i></p> </section> Loss of electric power presents a major risk to business continuity, and no organization is immune. Take these steps to create a solid business continuity plan for power outages. https://cdn.ttgtmedia.com/rms/onlineimages/collab_a362306286.jpg https://www.techtarget.com/searchdisasterrecovery/tip/Make-a-power-outage-business-continuity-plan-with-these-tips Tue, 19 Aug 2025 13:15:00 GMT <p>It was a banner week for cybercriminals and a challenging one for defenders. Hundreds of organizations saw threat actors exploit critical flaws in their Microsoft SharePoint servers, with more malicious hackers piling on and attacks still ongoing.</p> <p>Meanwhile, just two months after a major FBI takedown, Lumma <a href="https://www.techtarget.com/searchsecurity/tip/How-to-protect-against-malware-as-a-service">malware-as-a-service</a> operations not only appear to have fully recovered, but are stealthier and more effective than ever. And the innovative Coyote banking Trojan has broken new technical ground by weaponizing Windows accessibility features against users.</p> <p>Together, these stories highlight the opportunism, adaptability, resilience and ingenuity of <a href="https://www.techtarget.com/whatis/34-Cybersecurity-Statistics-to-Lose-Sleep-Over-in-2020">today's cyberthreats</a> -- and the critical importance of countermeasures, such as <a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-a-better-vulnerability-management-program">prompt patching</a> and frequent <a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan">security awareness training</a>.</p> <p>Read more about an eventful week in cybercrime.</p> <section class="section main-article-chapter" data-menu-title="Ongoing SharePoint attacks hit hundreds of Microsoft customers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Ongoing SharePoint attacks hit hundreds of Microsoft customers</h2> <p>Microsoft customers with on-premises SharePoint servers are facing a massive wave of ongoing cyberattacks that began in early July and escalated in the past week.</p> <p>The intrusions exploit an attack chain dubbed ToolShell, a sequence combining remote code injection and network spoofing flaws. Attackers have reportedly used the vulnerabilities to compromise hundreds of SharePoint customers worldwide, including the <a href="https://www.darkreading.com/cyberattacks-data-breaches/us-nuclear-agency-hacked-microsoft-sharepoint">U.S. National Nuclear Security Administration</a> and the Department of Homeland Security.</p> <p>According to Microsoft, three Chinese nation-state threat actors were <a href="https://www.darkreading.com/application-security/3-china-nation-state-actors-sharepoint-bugs">among the first to initiate ToolShell attacks</a> in early July. More recently, one of the groups also began using the vulnerability sequence in <a href="https://www.darkreading.com/endpoint-security/ransomware-actors-toolshell-sharepoint-bugs">ongoing ransomware attacks</a>.</p> <p>Microsoft released an <a href="https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw">emergency out-of-band security update</a> on July 19. The patch covers SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016. Researchers warned that more threat actors might join the ongoing attack campaign, making immediate patching critical for all SharePoint customers.</p> <p>The vulnerabilities do not affect the Microsoft 365 version of SharePoint Online.</p> <p><a href="https://www.cybersecuritydive.com/news/what-we-know-microsoft-sharepoint-attacks/753961/"><i>Read the full story by David Jones on Cybersecurity Dive</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Lumma stealer malware returns after FBI takedown"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Lumma stealer malware returns after FBI takedown</h2> <p>The notorious <a href="https://www.techtarget.com/searchsecurity/news/366566674/Google-researchers-in-dispute-over-account-hijacking-attacks">Lumma malware</a> -- which aims to steal sensitive information, such as credentials and cryptocurrency wallet information -- has rapidly resurfaced following its FBI takedown in May. Trend Micro researchers said Lumma threat actors' activity appeared to have returned to normal levels between June and July, although their tactics have gotten stealthier and more discreet.</p> <p>Previously, Lumma operators relied heavily on Cloudflare's infrastructure to hide their malicious domains. Now, however, they are increasingly turning to providers that are less beholden to U.S. law enforcement, such as Russia-based Selectel.</p> <p>Lumma distribution methods are also evolving, with recent attacks using fake cracked software, ClickFix campaigns with deceptive CAPTCHA pages, AI-generated GitHub repositories, and social media campaigns on YouTube and Facebook.</p> <p><a href="https://www.darkreading.com/endpoint-security/lumma-stealer-stealthier-than-ever"><i>Read the full story by Elizabeth Montalbano on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Coyote breaks new ground by exploiting Windows UI Automation"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Coyote breaks new ground by exploiting Windows UI Automation</h2> <p>The banking <a href="https://www.techtarget.com/searchsecurity/definition/Trojan-horse">Trojan</a> Coyote, active in Latin America since February 2024, has pioneered a new attack method by exploiting the Windows UI Automation framework to steal banking credentials. This marks the first known instance of malware abusing this legitimate accessibility feature designed to help people with disabilities interact with Windows systems.</p> <p>Active primarily in Brazil, Coyote has targeted users of 75 banks and cryptocurrency exchanges. The malware gains initial access through malicious LNK files in <a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users">phishing</a> emails, then monitors browser activity for banking websites.</p> <p>Coyote is particularly dangerous because of its ability to function offline and use UI Automation to extract sensitive information from browser tabs in a more reliable way than traditional methods. It exemplifies how attackers' techniques continue to evolve to outpace security measures.</p> <p><a href="https://www.darkreading.com/cyber-risk/banking-trojan-coyote-windows-ui-automation"><i>Read the full story by Jai Vijayan on Dark Reading</i></a><i>.</i></p> <p><b>Editor's note:</b><i> An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.</i></p> <p><i>Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity.</i></p> </section> Check out the latest security news from the Informa TechTarget team. https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g846011096.jpg https://www.techtarget.com/searchsecurity/news/366628194/News-brief-SharePoint-attacks-hammer-globe Fri, 25 Jul 2025 14:29:00 GMT <p>Generic spray-and-pray phishing attacks, such as the Nigerian prince scams that were fairly easy to identify, have rapidly evolved into targeted, convincing business email compromise attacks.</p> <p>Ransomware has advanced from locker strains that prevented users from accessing their systems -- something remedied by backups -- to <a href="https://www.techtarget.com/searchsecurity/definition/triple-extortion-ransomware">triple extortion ransomware attacks</a> that lock devices, encrypt data, extort data and even conduct DDoS attacks.</p> <p>These are just two examples of how the cat-and-mouse game between malicious hackers and enterprise security defenders has changed over the years. As soon as enterprises deploy new defenses, attackers find ways to circumvent them. Then defenders figure out how to remedy those, after which attackers learn to overcome the new defenses -- and the vicious cycle repeats endlessly.</p> <p>This week's featured articles explore how cyberattack trends have evolved to stay relevant.</p> <section class="section main-article-chapter" data-menu-title="Scattered Spider evolves attack methods against major industries"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Scattered Spider evolves attack methods against major industries</h2> <p>Microsoft reported that cybercrime group Scattered Spider has implemented new attack techniques targeting the airline, insurance and retail industries since April.</p> <p>While continuing its trademark <a href="https://www.techtarget.com/searchsecurity/tip/How-to-avoid-and-prevent-social-engineering-attacks">social engineering tactics</a> of impersonating users to request password resets, Scattered Spider has expanded to abusing SMS services and employing adversary-in-the-middle approaches.</p> <p>The group has also reversed its cloud-first strategy, now breaching on-premises environments before moving to cloud access.</p> <p><a href="https://www.cybersecuritydive.com/news/scattered-spider-expands-tactics-recent-hacks/753220/"><i>Read the full story by David Jones on Cybersecurity Dive</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Updated malware loader enables sophisticated ransomware attacks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Updated malware loader enables sophisticated ransomware attacks</h2> <p>Cybercriminals are deploying Matanbuchus 3.0, a premium malware loader priced at $10,000 to $15,000 per month, to facilitate high-value ransomware attacks.</p> <p>The completely rewritten loader features advanced detection evasion, persistence mechanisms and security tool identification capabilities. In campaigns dating back to September 2024, attackers have impersonated IT help desk personnel over Microsoft Teams calls, convinced employees to grant remote access and execute malicious scripts, and deployed ransomware.</p> <p>The sophisticated loader specifically performs reconnaissance to look for <a href="https://www.techtarget.com/searchsecurity/definition/endpoint-detection-and-response-EDR">endpoint detection and response</a> and <a href="https://www.techtarget.com/searchsecurity/definition/extended-detection-and-response-XDR">extended detection and response</a> products from major security vendors and employs stealthy in-memory operations.</p> <p><a href="https://www.darkreading.com/threat-intelligence/matanbuchus-loader-ransomware-infections"><i>Read the full story by Nate Nelson on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="AsyncRAT: Open source malware that democratizes cybercrime"> <h2 class="section-title"><i class="icon" data-icon="1"></i>AsyncRAT: Open source malware that democratizes cybercrime</h2> <p>AsyncRAT, an open source remote access Trojan released on GitHub in 2019, has evolved into a cornerstone of modern cybercrime by spawning numerous variants.</p> <p>ESET research revealed that AsyncRAT's C# codebase has created both sophisticated threats such as DCRAT and VenomRAT -- which feature advanced capabilities including ransomware modules and anti-analysis techniques -- and novelty variants such as NonEuclid RAT, which includes a plugin with five built-in jump scare images.</p> <p>Primarily used by lone threat actors attracted by its low barrier to entry, AsyncRAT persists because platforms hosting its code often avoid takedowns by <a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-living-off-the-land-attacks">branding as legitimate tools</a>.</p> <p><a href="https://www.darkreading.com/remote-workforce/async-rat-labyrinth-forks"><i>Read the full story by Jai Vijayan on Dark Reading</i></a><i>.</i></p> <p><b>Editor's note:</b><i> An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.</i></p> <p><i>Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.</i></p> </section> Check out the latest security news from the Informa TechTarget team. https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g1264284948_01.jpg https://www.techtarget.com/searchsecurity/news/366627923/News-brief-Cyberattack-trends-signal-security-arms-race Fri, 18 Jul 2025 13:51:00 GMT <p>The practice of <a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important">risk management</a> has, until recently, assumed timelines that are based on human decision-making. But now AI-powered risk management systems can raise issues in real time and even predict them.</p> <p>AI is also helping to transform enterprise risk management (<a href="https://www.techtarget.com/searchcio/definition/enterprise-risk-management">ERM</a>) from a reactive, compliance-driven function -- often seen as a necessary but unloved cost center -- into a proactive, strategic capability that identifies and mitigates business risks before they materialize.</p> <p>The benefits are promising, but risk leaders must also understand the challenges of AI implementation. Such knowledge is essential for organizations looking to modernize their risk management practices while maintaining regulatory compliance and the trust of customers, employees and investors. Many still hesitate when confronting the looming complexity of fully integrating AI into the <a href="https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps">risk management process</a>.</p> <p>In particular, the technical architecture that integrates AI into existing ERM platforms must support a graduated approach that results in systems that can take immediate actions in clear and precise scenarios, escalate ambiguous situations to human oversight (so-called humans in the loop) and continuously learn from both situations. However, this requires a level of integration between risk, business and IT systems that most organizations haven't yet achieved.</p> <p>To help <a href="https://www.techtarget.com/searchcio/definition/risk-manager">risk managers</a> map out the possibilities and what needs to be done, let's examine some of the benefits, applications and challenges that teams face on the journey to AI-powered risk management.</p> <section class="section main-article-chapter" data-menu-title="Benefits of using AI in risk management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of using AI in risk management</h2> <p>AI brings numerous advantages to risk management, including the following:</p> <ul class="default-list"> <li><b>Increased ability to predict business risks. </b><a href="https://www.techtarget.com/searchcio/feature/Enterprise-risk-management-team-Roles-and-responsibilities">Risk management teams</a> can shift from reactive to predictive risk identification by using <a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-ML">machine learning</a> algorithms to analyze historical patterns and forecast potential risk events before they occur. The resulting <a href="https://www.techtarget.com/searchcio/tip/Risk-prediction-models-How-they-work-and-their-benefits">risk prediction models</a> help prevent equipment failures, website downtime and other business problems.</li> <li><b>Improved decision-making speed and accuracy. </b>Business executives gain access to real-time risk insights and automated risk scoring that reduce decision-making time from days to minutes. However, this improvement also demands greater accuracy and validation; speedier decisions without accuracy could be a risk in themselves. The seemingly authoritative nature of AI recommendations can sometimes mask underlying uncertainties that require careful interpretation.</li> <li><b>Automated risk monitoring and reporting. </b>With IT's help, risk management teams can implement continuous monitoring systems that automatically scan for <a href="https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI">key risk indicators</a>. These systems can generate real-time alerts and produce standardized reports for regulatory compliance. Automation also frees up risk professionals to focus on higher-level strategic work that only humans can do, though some might resist delegating such critical assessments to an algorithmic process.</li> <li><b>Cost reduction through process automation. </b>Organizations can achieve cost savings by automating manual <a href="https://www.techtarget.com/searchsecurity/definition/risk-assessment">risk assessment</a> processes. Although automation can reduce the need for risk management teams to perform routine analyses, its greatest benefits will likely come from human-AI collaboration rather than human replacement. AI can handle the scanning, pattern recognition and initial analysis at machine speed, while risk managers interpret the context and assess sensitive issues such as brand reputation and human impact -- areas where judgment remains essential.</li> <li><b>Scalable risk assessments across complex business operations. </b>Risk management teams can analyze vast amounts of data across multiple business units, geographies and risk categories simultaneously, providing comprehensive risk visibility that would be impossible to achieve manually. But AI's value here goes beyond just processing more data: People can now analyze different types of data simultaneously, finding connections that span conventional categories of risk in ways that are often both potent and revelatory.</li> <li><b>Enhanced fraud detection and prevention capabilities. </b>AI systems can identify subtle patterns and anomalies in transaction data, user behavior and operational activities that human analysts might miss. The aim is to improve fraud detection rates while mitigating the corrosive effect of false positives on customer trust, which requires these systems to maintain exceptionally high standards.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Applications of AI in risk management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Applications of AI in risk management</h2> <p>AI improves the speed and accuracy of common risk management tasks, such as the following:</p> <ul class="default-list"> <li><b>Credit risk modeling. </b>Although this field of risk management is relatively mature, with AI, financial institutions can incorporate alternative data sources such as <a href="https://www.techtarget.com/searchcustomerexperience/definition/CRM-customer-relationship-management">CRM</a> systems alongside deep historical data analysis and real-time financial indicators. The AI enables more objective risk assessment methods that minimize human bias, thereby reducing default rates and improving portfolio performance.</li> <li><b>Operational risk assessment. </b>Internal processes, employee behavior and system performance can all create <a href="https://www.techtarget.com/searchsecurity/definition/operational-risk">operational risks</a>, such as compliance violations, process failures and security breaches. AI can monitor these risks, separately or in combination, before they escalate into major incidents. This is often a first AI project for risk management because it's internal facing, has lower regulatory complexity and can quickly demonstrate value.</li> <li><b>Market risk analysis. </b>Investment firms and banks have long used predictive models for short-term analyses. New AI models can analyze a wider range of correlation patterns, market volatility and economic indicators to better understand portfolio exposure and optimize risk-adjusted returns. However, instead of just protecting against volatility, investors can use the same models to identify market inefficiencies and emerging investment opportunities that competitors haven't recognized yet.</li> <li><b>Cybersecurity risk management. </b>IT managers deploy <a href="https://www.techtarget.com/searchenterpriseai/tip/Evaluate-the-risks-and-benefits-of-AI-in-cybersecurity">AI-powered cybersecurity tools</a> to continuously monitor network traffic, user behavior and system vulnerabilities so organizations can detect and respond to anomalous behavior and possible cyberthreats in real time. Moreover, the AI systems don't just detect known threats but are starting to predict attack vectors that haven't been seen "in the wild" yet. They can do this by understanding the attacker and how individual vulnerabilities can interact or be combined in novel ways by malicious users.</li> <li><b>Regulatory compliance monitoring. </b>Risk management teams use <a href="https://www.techtarget.com/searchenterpriseai/definition/natural-language-processing-NLP">natural language processing</a> to automatically review emails and other communications, along with transactions, for regulatory requirements. This ensures they are continuously compliant and audit-ready, reducing the risk of penalties. A great advantage of some AI systems, such as <a href="https://www.techtarget.com/whatis/definition/large-language-model-LLM">large language models</a>, is that they can execute reviews across multiple languages automatically.</li> <li><b>Supply chain risk assessment. </b>Companies can use AI to monitor supplier performance, geopolitical events, weather patterns and economic indicators -- all complex influences that can <a href="https://www.techtarget.com/whatis/definition/supply-chain-risk-management-SCRM">disrupt supply chains</a>. The ability of AI to integrate analyses across these domains enables more effective contingency planning and, if necessary, diversification in suppliers, shippers and route plans.</li> <li><b>Insurance risk underwriting. </b>Insurance companies are significant players in the risk management space and are turning increasingly to AI to analyze customer data, external risk factors and historical claims patterns. These capabilities enable them to more accurately price policies and identify high-risk applicants. As with other applications, there is a predictive element, too. Instead of just assessing current risk profiles, insurers can predict how the profiles will evolve over the lifetime of policies.</li> <li><b>Monitoring environmental, social and governance risks. </b>Organizations can take advantage of AI to <a href="https://www.techtarget.com/sustainability/feature/ESG-metrics-Tips-and-examples-for-measuring-ESG-performance">track ESG metrics</a>, analyze customer or stakeholder sentiment and monitor regulatory changes. This helps to identify reputational and operational risks related to sustainability, social responsibility and corporate governance initiatives. However, evaluating these <a href="https://www.techtarget.com/sustainability/tip/ESG-risks-explained-Examples-and-tips-on-managing-them">types of ESG risks</a> generally requires close human involvement, as AI models might be unaware of social trends, regulatory changes or evolving sentiment that can affect levels of risk for a company.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Challenges of using AI in risk management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Challenges of using AI in risk management</h2> <p>Organizations seeking to augment their risk management strategies with AI can expect to face some of the following hurdles:</p> <ul class="default-list"> <li><b>Data quality and availability issues. </b>Obtaining clean, complete and relevant data has always been an issue for risk managers. The problem takes on a new significance with algorithmic AI processes because legacy systems often contain inconsistent data formats, missing information and historical biases that can compromise risk model effectiveness. As a result, organizations often run technical projects to address data quality specifically for AI-enabled risk management.</li> <li><b>Model interpretability and explainability. </b>New AI regulations in many jurisdictions require explanations for AI-driven decisions. But even for experts, it can be difficult to understand how specific risk assessments are generated. Some newer AI systems can show their reasoning and identify which data inputs most influenced specific decisions, but this requires deliberate design of the system and the prompts fed into it to generate results.</li> <li><b>Integration with legacy systems and processes. </b>IT managers must handle the complexities of integrating modern AI tools with existing risk management systems, databases and workflows that weren't designed for AI integration. As with data quality, fixing this often calls for a focused technical project.</li> <li><b>Regulatory compliance and governance concerns. </b>The regulatory compliance dimension is particularly challenging because the rules are still evolving. Teams are trying to build compliant systems for regulations that don't fully exist yet. Some regulators want full explainability, others accept statistical validation, and requirements vary by jurisdiction.</li> <li><b>Skills gap and change management challenges. </b>Organizations struggle to find and retain people who have both <a href="https://www.techtarget.com/searchcio/feature/Top-12-risk-management-skills-and-why-you-need-them">risk management expertise</a> and AI technical skills. Furthermore, risk professionals require significant training to use AI-powered tools effectively and interpret their output. One potential solution is to build AI risk management expertise through structured collaboration between domain experts and AI specialists working in cross-functional teams, where knowledge transfer happens organically rather than through formal training.</li> <li><b>Risk model validation. </b>Traditional approaches for validating risk models might not be robust for AI models that continuously learn and adapt. Validating adaptive risk models is still an emerging practice.</li> <li><b>Bias and fairness considerations. </b><a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-bias-algorithm-bias-or-AI-bias">Algorithmic bias</a> can emerge if certain customer segments or stakeholder groups are over- or underrepresented in historical data. This is notably problematic in credit decisions and insurance underwriting. Preserving historical biases to maintain model accuracy perpetuates unfair outcomes. However, removing them to ensure fairness could compromise the AI's predictive performance. The dilemma can only be resolved by a careful assessment of the historical data and diligent training of the AI involved.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Future of AI in risk management"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Future of AI in risk management</h2> <p>The evolution toward real-time, integrated <a href="https://www.techtarget.com/searchcio/feature/Top-ERM-software-vendors-to-consider">risk management platforms</a> will enable organizations to monitor and respond to risks as they emerge, rather than discovering them through periodic assessments or after-the-fact analysis. Organizations that master this real-time risk management will be able to pursue opportunities that others miss.</p> <p>Over time, explainable AI technologies will mature to provide risk managers with clear, auditable explanations for AI-driven decisions. With these techniques, managers can address regulatory requirements while maintaining the performance advantages of sophisticated machine learning models.</p> <p>Technical explainability will likely be supplemented by language models that can interact like chatbots, engaging in dialogs with human risk experts while the AI spots emerging patterns, explains their significance and helps decision-makers explore the implications in real time.</p> <p>Importantly, in this case, the human role evolves rather than disappears. Risk management becomes more about wisdom than analysis. Understanding stakeholder impacts, ethical implications and strategic context will remain a creative dimension of the human contribution. The future risk professional will be someone who can work with AI to explore possibilities rather than just analyze probabilities.</p> <p>Intriguingly, emerging privacy-protecting technologies that mask sensitive data could allow organizations to collaborate on developing risk models while maintaining data security. This could enable industry-wide improvements in risk detection without compromising privacy. For example, imagine industry-wide AI models that can detect systemic risks without any single organization having to share proprietary data. Similarly, banks could collaborate on fraud detection while maintaining competitive confidentiality.</p> <p>This commoditization of <a href="https://www.techtarget.com/searchsecurity/definition/risk-analysis">risk analysis</a> might bring about the biggest change in risk management. If everyone can identify and quantify risks equally well, competitive advantage comes from being willing and able to take the right risks at the right time.</p> <p>AI-enabled risk management should help organizations not only avoid bad business outcomes but also pursue good ones more confidently. Instead of risk management being a cost center that simply prevents financial losses, it could become a critical capability that enables new strategies for business growth.</p> <p><i>Donald Farmer is a data strategist with 30-plus years of experience, including as a product team leader at Microsoft and Qlik. He advises global clients on data, analytics, AI and innovation strategy, with expertise spanning from tech giants to startups. He lives in an experimental woodland home near Seattle.</i></p> </section> AI can improve the speed and effectiveness of risk management efforts. Here are the potential benefits, use cases and challenges your organization needs to know about. https://cdn.ttgtmedia.com/rms/onlineimages/ai_a352095729.jpg https://www.techtarget.com/searchsecurity/tip/The-benefits-of-using-AI-in-risk-management Tue, 15 Jul 2025 17:23:00 GMT <p>CISO as a service, or CISOaaS, is the outsourcing of <a href="https://www.techtarget.com/searchsecurity/definition/CISO-chief-information-security-officer">CISO</a> (chief information security officer) and information security leadership responsibilities to a third-party provider. By hiring a third-party provider to manage its security program remotely, an organization gains access to staff and resources that it does not have in-house, enabling it to better keep up with information security and compliance demands.</p> <p>CISOaaS is often paid for on a subscription or per-use basis, like many anything as a service (<a href="https://www.techtarget.com/searchcloudcomputing/definition/XaaS-anything-as-a-service">XaaS</a>) models. Also like many XaaS models, CISOaaS offerings can be entirely remote or a hybrid model in which the provider's experts work with an organization's existing security team both remotely and on-site.</p> <p>Strong security leadership is important in the modern organization, as digital transformation increases an organization's overall breadth of vulnerabilities. An industrywide cybersecurity skills shortage means that affordable, <a href="https://www.techtarget.com/searchsecurity/tip/10-must-have-cybersecurity-skills-for-career-success">skilled security leaders</a> are hard to find and easy to lose. High stress levels also fuel CISO turnover, leading many to bounce from organization to organization. CISOaaS can help alleviate potential staffing problems by providing organizations with access to cost-efficient security leadership on an as-needed basis.</p> <p>CISOaaS is also referred to as a <i>virtual CISO</i> (<a href="https://www.techtarget.com/searchsecurity/definition/virtual-CISO-vCISO">vCISO</a>).</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security_ciso.jpg"> <img data-src="https://www.techtarget.com/rms/onlineImages/security_ciso_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security_ciso_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/security_ciso.jpg 1280w" alt="An image listing eight different CISO responsibilities." height="249" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>A CISO is a senior-level executive who is responsible for developing and implementing an information security program. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <section class="section main-article-chapter" data-menu-title="What are the benefits of employing CISO as a service?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are the benefits of employing CISO as a service?</h2> <p>Using a virtual CISO comes with both pros and cons. The potential benefits of using CISOaaS include the following:</p> <ul class="default-list"> <li><b>Flexibility.</b> CISOaaS platforms are typically flexible, enabling organizations to customize and scale the service to their specific needs.</li> <li><b>Unbiased analysis.</b> As an external third party, CISOaaS platforms can enable the vCISO to evaluate an organization's existing security program more objectively than internal employees might.</li> <li><b>Cost-effectiveness.</b> Pay-as-you-go pricing lets organizations pay for only the time and services they use. A CISOaaS platform is usually less expensive than having a salaried CISO in-house and saves on capital expenditures.</li> <li><b>On-demand service.</b> Using a service provider ensures constant availability of security resources. As demands change, organizations can alter their services accordingly.</li> <li><b>Long- and short-term benefits.</b> In the short term, CISOaaS can make organizations more secure by identifying immediate risks and introducing or tightening controls. In the long term, it can help lay the groundwork for a future in-house security program through training and improvement of core processes and infrastructure.</li> </ul> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/the_benefits_of_cisoaas-h.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/the_benefits_of_cisoaas-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/the_benefits_of_cisoaas-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/the_benefits_of_cisoaas-h.png 1280w" alt="A bullet list image showing six benefits of a CISOaaS model. " height="209" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>The CISOaaS model offers flexibility and expertise to organizations that cannot afford the traditional in-house role or have staffing issues. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ul class="default-list"> <li><b>Experience.</b> CISOaaS provides organizations with access to a team of experienced cybersecurity professionals who have extensive experience working with a wide array of diverse organizations.</li> </ul> <p>One disadvantage of hiring a vCISO is that they likely will be serving other organizations as well. This could potentially lead to problems with loyalty, timely responses and risk ownership if a breach occurs. An in-house CISO is a better option for organizations that need an employee with no other external commitments.</p> </section> <section class="section main-article-chapter" data-menu-title="Do you need CISO as a service?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Do you need CISO as a service?</h2> <p>Any organization without an in-house CISO could consider CISOaaS a viable option. The following are several scenarios in which CISOaaS can be used:</p> <ul class="default-list"> <li><b>Limited budgets.</b> Startups without the resources to hire full-time CISOs can use CISOaaS for its expertise and cost-effectiveness.</li> <li><b>Temporary role gaps.</b> Organizations looking for new permanent CISOs can temporarily hire a CISOaaS provider to fill the gap.</li> <li><b>Compliance deadlines.</b> Companies under pressure to meet security or compliance goals can benefit from the on-demand nature of CISOaaS.</li> <li><b>Security programs.</b> Those looking to upgrade their cybersecurity programs can seek the third-party expertise of CISOaaS.</li> <li><b>Lean IT environments.</b> Businesses that use <a href="https://www.techtarget.com/searchcio/definition/lean-management">lean IT</a> principles can temporarily employ CISOaaS rather than investing in a full-time position.</li> <li><b>Long-term security practices.</b> An organization that wants to lay the foundation for a new, long-term program but lacks a permanent security team can get started with CISOaaS.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="What to expect from CISO as a service"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What to expect from CISO as a service</h2> <p>The CISOaaS provider has most of the same responsibilities as an in-house CISO. These include the following:</p> <ul class="default-list"> <li><b>Data protection.</b> A CISOaaS protects the confidentiality, integration and availability of data.</li> <li><b>Cybersecurity.</b> A CISOaaS provider develops a long-term cybersecurity strategy that aligns with the organization's objectives.</li> <li><b>Governance, risk and compliance.</b> A CISOaaS provider develops a <a href="https://www.techtarget.com/searchsecurity/definition/governance-risk-management-and-compliance-GRC">governance, risk and compliance</a> program and ensures continued compliance with relevant laws or industry regulations.</li> <li><b>Risk assessments and risk management.</b> A CISOaaS provider conducts continual risk assessments to find potential threats and vulnerabilities and implements ways to manage them.</li> <li><b>Security oversight.</b> A CISOaaS provider develops, monitors and reports on security, business and communication operations and practices.</li> <li><b>Management of personnel and vendor relationships.</b> A CISOaaS provider tracks vendor integrations and <a href="https://www.techtarget.com/searchsecurity/tip/15-benefits-of-outsourcing-your-cybersecurity-operations">manages other third-party security services</a>.</li> <li><b>Metrics and reporting.</b> A CISOaaS provider <a href="https://www.techtarget.com/searchsecurity/tip/7-key-cybersecurity-metrics-for-the-board-and-how-to-present-them">defines key performance indicators</a> to measure security program effectiveness.</li> </ul> <p>CISOaaS providers serve multiple businesses simultaneously. A vCISO must therefore have good people skills and be able to adapt to, understand and meet each customer's unique needs.</p> </section> <section class="section main-article-chapter" data-menu-title="CISO as a service vs. full-time CISO"> <h2 class="section-title"><i class="icon" data-icon="1"></i>CISO as a service vs. full-time CISO</h2> <p>A traditional CISO is a senior-level executive responsible for developing and implementing an information security program. They work full-time within a company, helping to steer their organization's security efforts. This role is intended to fulfill continuous leadership for in-house cybersecurity.</p> <p>A vCISO, offered through a CISOaaS offering, however, is an external entity. The idea of CISO as a service is to outsource the role to a qualified third party. Instead of hiring a full-time employee to fill the role in a traditional manner, a CISOaaS provider often works in a more flexible manner. They might work part-time, act as a consultant or work in a hybrid online or in-person manner. They provide the same level of expertise as a traditional full-time CISO but with more flexibility. This is ideal for organizations that do not require or cannot afford a full-time traditional employee to fill the role.</p> <p>Sometimes vCISOs are hired to implement short-term fixes to security issues; other times, they are hired for longer-term projects, such as developing a company's entire security program.</p> <p>CISOs are some of the highest-paid professionals in IT security, <a href="https://www.techtarget.com/searchsecurity/tip/How-to-become-a-CISO">making it an attractive role</a>. Hiring a vCISO is often drastically less expensive because of its payment model. Because of this, vCISOs are increasingly being used by managed service providers and managed security service providers to <a href="https://www.channelfutures.com/security/much-pain-lots-of-gain-for-virtual-cisos">deliver services</a>.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/vuzbQLxF-Ks?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="5 CISOaaS providers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>5 CISOaaS providers</h2> <p>Although there are numerous CISOaaS offerings, the following is just a sampling:</p> <ul class="default-list"> <li><b>Bulletproof.</b> This U.K.-based vCISO service offers modular subscription package options and strongly focuses on Cyber Security Services, Accreditations &amp; Training (CREST) best practices and implementations. CREST is an international not-for-profit cybersecurity industry organization.</li> <li><b>FRSecure.</b> FRSecure is a cybersecurity consulting firm that offers vCISO services that focus on vulnerability management for well-regulated industries.</li> <li><b>Kroll.</b> This cybersecurity and risk management firm is known for its incident response and digital forensics capabilities. The company also offers vCISO services that boast of its skilled experts.</li> <li><b>Integris.</b> Integris is an IT firm that also offers vCISO services. These vCISOs have Certified Information Systems Security Professional -- commonly known as <a href="https://www.techtarget.com/searchsecurity/definition/Certified-Information-Systems-Security-Professional">CISSP</a> -- accreditation and are focused on compliance and governance support.</li> <li><b>TechMagic.</b> This CISOaaS provider offers ISO 27001‑certified consultants. It also provides other cybersecurity services, such as threat intelligence and application security as a service.</li> </ul> <p>CISOaaS offerings are usually pay-as-you-go and on-demand models. They are often paid for as a yearly subscription using a retainer. The amount of time the vCISO spends on-site is negotiated, and the retainer is based on a set number of days or hours per year. This varies based on the vendor's offerings and the customer organization's needs.</p> <p><i>The CISO role has evolved over time and is offered either in-house or outsourced in an as-a-service model. Learn more about </i><a href="https://www.techtarget.com/searchsecurity/tip/The-CISO-evolution-From-security-gatekeeper-to-strategic-leader"><i>how the chief information security officer role evolved</i></a><i>. </i></p> </section> CISO as a service, or CISOaaS, is the outsourcing of CISO (chief information security officer) and information security leadership responsibilities to a third-party provider. https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg https://www.techtarget.com/searchsecurity/definition/CISO-as-a-service-vCISO-virtual-CISO-fractional-CISO Wed, 09 Jul 2025 00:00:00 GMT <p>Because security decisions are made based on risk analysis, risk assessment remains an essential element of a cybersecurity professional's toolbox.</p> <p>The goal is to provide a realistic, comprehensive picture of an organization's presence that extends beyond the IP addresses to all the factors around that, including processes and personnel. The result should be a plan that guides the organization into a thoroughly understood view of their risks and priorities.</p> <p>Risk is a function of threat and vulnerability. For risk to exist, both threat and vulnerability must concurrently exist. Risk assessment implicitly implies this existence and assumes that something of value must be protected.</p> <p>The protection of assets -- both tangible and not -- is key in driving the risk assessment process. Thus, an asset inventory analysis should precede a risk assessment.</p> <section class="section main-article-chapter" data-menu-title="Scope of risk assessment"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Scope of risk assessment</h2> <p>Scoping the cybersecurity risk assessment is key to having a meaningful outcome. Where to draw the boundaries varies depending on the nature of the environment. Some key items to consider when scoping the work include the organization's public face and how far it reaches, thinking of connections that extend outside the organization. Depending on the company's attractiveness to adversaries, the scope of the assessment can grow to include infrastructure and supply chains.</p> <p><a href="https://www.techtarget.com/searchdatacenter/tip/Figure-out-the-differences-of-asset-management-vs-CMDB">Asset values and locations</a> will drive much of the scoping and assumptions. For example, financial assets stored in an insured financial institution can be placed out of scope, since that institution manages the risk and liability. The path into the account for deposits and withdrawals, however, is clearly in scope. When setting the project scope, the boundaries and assumptions must both be clearly set and annotated.</p> <p>And don't overlook the importance of time. Risk assessments are snapshots of a specific moment. While the validity time window for risk assessments is longer than the window for vulnerability assessments, the risk assessment also requires periodic refreshes. Procedures and personnel will change, as will technologies. All can change the risk profile.</p> </section> <section class="section main-article-chapter" data-menu-title="How to identify cybersecurity risks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to identify cybersecurity risks</h2> <p>Once the assets have been identified and the scope has been set, the stage is set to start examining risks. Here is where a good security architect or the architectural report can come in handy. A top-level architecture view can provide the vision of how an organization ties assets and procedures into the mission. Understanding the organization's mission early in the process pays off in the ranking of findings.</p> <p>A focus on the risks requires a full-scope examination, from the physical to the personnel and everything in between. When identifying risks, be as thorough with the physical and procedural risk factors as with the procedural and technologic risk factors. When determining physical risks, for example, consider the role of natural disasters as well as the human-made disasters sometimes associated with construction. Remember to consider access to the site and assets.</p> <p>Technology might be the easiest part of the assessment. Security auditing products, such as the open source network-mapping <a href="https://nmap.org/docs.html" target="_blank" rel="noopener">tool</a> Nmap, can quickly return results.</p> <p><a href="https://www.techtarget.com/searchsecurity/tip/Beyond-awareness-Human-risk-management-metrics-for-CISOs%20">As for humans</a>, it's fair to acknowledge that they make costly mistakes, but it is wrong to label them <i>the weakest link</i>, as is common in IT conversations. It would be more accurate to describe humans as <i>the least-understood link</i>.</p> <p>People range from bold defender to willing saboteur to inadvertent helper. We all know that person who clicks the link, but we also need to consider the individual whose seemingly harmless social media post makes them an inviting target for an attacker. That person can be blamed, but, if no procedures are in place advising on social media behavior, the problem is also procedural. Thus, the risk assessment, much like the architectural planning, requires a much more holistic view of the organization.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-5_cybersecurity_risk_assessment_steps-h.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/security-5_cybersecurity_risk_assessment_steps-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-5_cybersecurity_risk_assessment_steps-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-5_cybersecurity_risk_assessment_steps-h.png 1280w" alt="List of cybersecurity risk assessment steps" height="240" width="279"> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Beginning with the mission statement, a risk analysis should consider which risks -- physical and virtual -- exist. Consider the functions, procedures, data and personnel that contribute to the mission and how each of these offers support. What risks exist at this level?</p> <p>At this point, assets are being mapped to functions. This is also an opportunity to identify assets that might have been previously overlooked. Going deeper, which technologies provide support, and how is that support provided? How are they connected into the overall system? Which risks exist in the object, functions and interconnections? This scrutiny results in the application of a systems approach to risk analysis.</p> <p>As the process of understanding the network continues, the risk assessor should also consider the overall footprint. Identify partner access, remote access and, when necessary, cloud connection points or endpoints. Know which tenants share the physical space and which cloud services are being used. IaaS should be of most significant concern, followed by PaaS and then SaaS.</p> <p>If the service is managed by the cloud service provider (CSP), the service is out of scope. Even so, the <a href="https://www.techtarget.com/searchstorage/definition/cloud-storage-SLA">cloud service-level agreement</a> should be reviewed, and risks in the agreement should be addressed. An example of this is when a CSP has many self-managed tenants, in which case the client organization will want assurances based on fellow tenant vulnerabilities. A vulnerability in one tenant space that goes unaddressed can result in a compromise, in certain cases, of the hypervisor. Most CSPs run a tight ship. Still, in a what-if risk assessment, all situations involving <a href="https://www.techtarget.com/searchsecurity/tip/Key-factors-to-achieve-data-security-in-cloud-computing">data protection in the cloud</a> should be considered.</p> <p>In addition to the cloud, what other resources are shared? How are those resources attained? What about the supply chains to those resources? Which resources are unique or irreplaceable? How are they separated and backed up? NIST has compiled a comprehensive list of <a href="https://csrc.nist.gov/pubs/sp/800/37/r2/final">similar questions to ask</a> about risk management.</p> </section> <section class="section main-article-chapter" data-menu-title="Analyze risks and their potential danger"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Analyze risks and their potential danger</h2> <p>The process of tying risk to potential danger involves both technical and organizational knowledge. Each discovered vulnerability must be traced to every corporate function that it touches. In effect, the risk assessor creates a dependency model, typically depicted as a diagram, showing the path taken and where the vulnerability is invoked.</p> <p>This risk analysis phase is another departure point of discussion. Determining the impact value can be subjective, objective or a hybrid of both. Objective impacts are typically mapped to dollar amounts, so risks to inventory can easily fit into this group. Subjective values, however, typically cover the intangibles, such as loss of trust, loss of personnel and even loss of intellectual property. These assets are typically more difficult to measure objectively.</p> <p>In addition to asset value, workflow value should also be considered. An example of workflow valuation occurs when a vulnerability might not be associated with a high-cost event but is so frequent that numerous events are associated with the vulnerability. As a result, the remediation of that problem might result in extensive downtime or other lost availability.</p> </section> <section class="section main-article-chapter" data-menu-title="Prioritize risks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Prioritize risks</h2> <p>Risk prioritization is an area of discussion in many cybersecurity circles. Some risk analysis, especially when a vulnerability scan reveals a problem, relies on predefined values provided by the software. This is a mistake. Risk analyses are unique to each organization, as is leadership's risk tolerance.</p> <p>There's also the overselling of fear, uncertainty and doubt (FUD) in cybersecurity. Scare tactics can result in a quick buying decision, with the buyer needing constant reassurance. On the other end of this spectrum is the customer who might acknowledge problems and then ask, "But what's the chance it will happen to me?" This results in a discussion of <a href="https://www.techtarget.com/whatis/definition/threat-actor">threat actors</a>, their methods and how they operate in specific industries. Even though this information is a part of the assessment, it does little to answer the question about the odds of the event occurring.</p> <p>Don't put too much credence in the risk values that vulnerability software assigns based on usage. For example, a bug in a frequently used library might be assigned a high-risk score due to the library's frequent use by many software modules. This is problematic. Even a frequently used, error-prone library might never reach a critical asset. So, is the risk from that vulnerability a priority, or should the risk be downgraded?</p> <p>It can be tricky to prioritize risk. The task will be based on the customer's and assessor's understanding of risk. The assessor can serve the customer well by offering a cost-benefit analysis where appropriate. When assets are more subjective, consider mapping those assets to revenue and determine the portion of revenue that the asset contributes. In short, find meaningful metrics and apply them appropriately.</p> </section> <section class="section main-article-chapter" data-menu-title="Document risks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Document risks</h2> <p>Creating a final report is an important but time-consuming step. Do not use an AI tool to assist with the writing of the report. Much of the data collected in a risk assessment is proprietary. AI not only generates results based on the proprietary data but also adds that information to its training data set, essentially scooping up and claiming the proprietary data. Proceed without AI.</p> <p>When it is complete, the cybersecurity risk assessment should identify the vulnerabilities and threat actors. Perhaps you'll have those vulnerabilities and threats sorted into a matrix and quantitatively prioritized.</p> <p>Remember to document both risks and relationships. Relationships were likely attained from your dependency model. A good report will also contain the mitigation plan and path, discussing both near-term tactical actions and long-term strategic goals.</p> <p><i>Char Sample is a cybersecurity research fellow at ICF International.</i></p> </section> When assessing cybersecurity risk, be sure to consider the scope of the project, your organization's specific assets and leadership's tolerance for risk. https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/cyber-security-computer-training-fotolia.jpg https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step Wed, 09 Jul 2025 00:00:00 GMT <p>Microsoft addressed 130 unique new CVEs this month -- one of the larger Patch Tuesday releases of late -- but admins have no pressing zero-day vulnerabilities to tackle.</p> <p>Of the new vulnerabilities, there were 14 CVEs rated critical, 115 rated important and one labeled moderate. As usual, most vulnerabilities are in the Windows OS, with a mix of flaws affecting Azure, Microsoft Office and Hyper-V. Microsoft also republished seven CVEs and included fixes for 10 non-Microsoft products, including ones that affect libraries in Visual Studio. There is one public disclosure in SQL Server (CVE-2025-49719).</p> <section class="section main-article-chapter" data-menu-title="Microsoft Office and RRAS vulnerabilities take precedence"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Microsoft Office and RRAS vulnerabilities take precedence</h2> <p>This month, admins will have to focus on releasing Windows cumulative updates quickly, particularly since a high concentration of vulnerabilities affect Windows Routing and Remote Access Service, with 16 total. All the RRAS CVEs have a maximum severity of important and an exploitability assessment of exploitation unlikely.</p> <p>RRAS in Windows Server handles network traffic control and remote connectivity on public and private networks, providing <a href="https://www.techtarget.com/searchwindowsserver/tutorial/Why-you-can-benefit-from-using-Always-On-VPN">compatibility with several VPN protocols</a> and ensuring secure remote access.</p> <p>Most of the risk types are remote code execution, with two in the information disclosure threat category.</p> <p>"The vulnerabilities are all remotely exploitable without the need for authentication over the network," said Chris Goettl, vice president of product management for security products at Ivanti.</p> <p>He said the following mitigations could curb attacks on RRAS:</p> <ul class="default-list"> <li>Limit RRAS ports to trusted networks or <a href="https://www.techtarget.com/searchnetworking/answer/How-does-the-VPN-concentrator-work">VPN concentrators</a>.</li> <li>Apply strict firewall rules to RRAS ports.</li> <li>Disable unused features in RRAS or determine whether the service can be removed entirely.</li> </ul> <p>Microsoft Office also had 16 total CVEs, with six rated critical and the rest important. Six vulnerabilities affect the core Microsoft Office platform, plus two in Excel, one in PowerPoint, three in SharePoint, three in Microsoft Word and one in the Microsoft Office Developer Platform.</p> <p>Admins will want to focus on the CVEs rated more likely to be exploited:</p> <ul class="default-list"> <li>CVE-2025-49695: Microsoft Office remote code execution vulnerability, 8.4 CVSS, critical rating.</li> <li>CVE-2025-49696: Microsoft Office remote code execution vulnerability, 8.4 CVSS, critical rating.</li> <li>CVE-2025-49701: Microsoft Office SharePoint remote code execution vulnerability, 8.8 CVSS, important rating.</li> <li>CVE-2025-49704: Microsoft Office SharePoint remote code execution vulnerability, 8.8 CVSS, critical rating.</li> </ul> <p>The preview pane is a potential attack vector for CVE-2025-49695 and CVE-2025-49696, meaning that users only need to preview a malicious file to trigger the exploit.</p> </section> <section class="section main-article-chapter" data-menu-title="Patches for 7 CVEs related to Visual Studio released"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Patches for 7 CVEs related to Visual Studio released</h2> <p>Admins who work with development teams will need to ensure that seven vulnerabilities -- CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385 and CVE-2025-48386 -- related to Git are addressed by updating to the latest version of Visual Studio.</p> <p>Regular updates to these third-party libraries are crucial to <a href="https://www.techtarget.com/searchsecurity/tip/Leading-open-source-application-security-testing-tools">prevent the slow accumulation of security debt</a> and maintain compliance with service-level agreements, according to Goettl.</p> <p>"Most development organizations, if they're doing a good CI/CD pipeline assessment, are going to see vulnerabilities in the third-party libraries and development tools they're using," he said.</p> <p>Goettl said the method to test fixes for developer tools depends on the size of the organization. Smaller ones rely on regression testing with the new libraries installed to run validation checks. Larger organizations typically use a staged rollout, starting with the lower-risk environments before updating the more critical systems.</p> <p>"It's quite a bit different than just an automated patch management process of OS updates and third-party updates when you're dealing with the development side. There's a bit more of a heavy lift to validate that everything is good," Goettl said.</p> </section> <section class="section main-article-chapter" data-menu-title="Other security updates of note for July Patch Tuesday"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Other security updates of note for July Patch Tuesday</h2> <ul class="default-list"> <li>Two Azure-related CVEs will only require admin intervention if auto-update functionality is not enabled. An Azure Service Fabric runtime elevation-of-privilege vulnerability (CVE-2025-21195) has a CVSS rating of 6.0. An Azure Monitor Agent remote code execution vulnerability (CVE-2025-47988) has a 7.5 CVSS rating.</li> <li>Microsoft corrected an issue stemming from its June Patch Tuesday security updates that caused Dynamic Host Configuration Protocol (DHCP) problems with Windows Server. The affected Windows Server systems and their Knowledge Base articles are Windows Server 2025 (KB5060842), Windows Server 2022 (KB5060526), Windows Server 2019 (KB5060531) and Windows Server 2016 (KB5061010). DHCP automatically assigns IP addresses to devices on a network and manages IP address leases.</li> <li>Microsoft republished a June Patch Tuesday fix for a .NET and Visual Studio remote code execution vulnerability (CVE-2025-30399) that was expanded to include PowerShell 7.4 and 7.5. "An attacker could exploit this vulnerability by placing files in particular locations, leading to unintended code execution," according to Microsoft's security <a target="_blank" href="https://github.com/PowerShell/Announcements/issues/77" rel="noopener">advisory</a>. The vulnerability is particularly significant because it affects Windows, macOS and Linux systems that run those exploitable PowerShell versions.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Next phase of Kerberos hardening process takes effect"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Next phase of Kerberos hardening process takes effect</h2> <p>July Patch Tuesday also implemented the next stage in the three-phase process to improve security for Kerberos authentication to prevent machine-in-the-middle attacks and <a href="https://www.techtarget.com/searchsecurity/feature/A-list-of-wireless-network-attacks">local network spoofing</a>.</p> <p>On April Patch Tuesday, Microsoft first addressed a Windows Kerberos elevation-of-privilege vulnerability (CVE-2025-26647) in Windows Server systems and introduced Audit mode to uncover noncompliant certificates. Admins were expected to use Audit logs to find these certificates, make corrections and check for issues.</p> <p>July Patch Tuesday's release introduced the second phase, Enforced by Default, to domain controllers. This update makes checks to the NTAuth store -- the <a target="_blank" href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/import-third-party-ca-to-enterprise-ntauth-store" rel="noopener">repository</a> on Windows domain controllers that contains a list of trusted certificate authorities -- mandatory, but admins can temporarily revert to Audit mode for adjustments.</p> <p>After the October Patch Tuesday updates, Microsoft will put domain controllers in Enforcement mode and remove the ability to enable these registry bypasses.</p> <p><i>Tom Walat is the site editor for Informa TechTarget's SearchWindowsServer site.</i></p> </section> Admins will want to focus on issuing corrections for the large number of flaws, some of which require no user interaction, in Windows RRAS and Microsoft Office. https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g1264284948_01.jpg https://www.techtarget.com/searchwindowsserver/news/366627292/Microsoft-targets-130-vulnerabilities-on-July-Patch-Tuesday Tue, 08 Jul 2025 20:43:00 GMT <p>Bitdefender researchers discovered that an overwhelming 84% of major attacks -- rated as those incidents with high severity by the vendor's cybersecurity platform -- use living-off-the-land techniques.</p> <p>After analysis of more than 700,000 security events logged by the Bitdefender GravityZone platform across 90 days, researchers concluded that adversaries are "demonstrably successful in evading traditional defenses by expertly manipulating the very system utilities we trust and rely on daily -- and threat actors operate with a confident assertion of undetectability."</p> <p>LOTL attacks aren't new. While the term was coined in 2013, the approach dates back to 2001's Code Red, a <a href="https://www.techtarget.com/searchsecurity/definition/worm">worm</a> that ran entirely in memory, didn't download or install any files, and reportedly cost billions in damages.</p> <p>In a nutshell, LOTL attacks use legitimate software and functions that <a target="_blank" href="https://www.bitdefender.com/en-us/blog/businessinsights/700000-security-incidents-analyzed-living-off-land-tactics" rel="noopener">already exist</a> in victim systems to perform attacks. In the case of Code Red, the worm exploited Microsoft's IIS web server software to conduct DoS attacks. Because they use known and trusted systems, these attacks are often able to hide in the background and evade users, making them difficult to <a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-living-off-the-land-attacks">prevent, detect and mitigate</a>.</p> <p>Once inside a victim's systems, attackers can perform reconnaissance, deploy fileless or memory-only malware, and steal credentials, among other LOTL techniques -- completely unbeknownst to the victim.</p> <p>This week's roundup highlights a malware campaign that conducts LOTL attacks against Cloudflare Tunnel infrastructure and Python-based loaders. Plus, scammers use legitimate websites to trick victims seeking tech support, and malicious GitHub repositories masquerade as legitimate penetration testing suites.</p> <section class="section main-article-chapter" data-menu-title="Serpentine#Cloud uses shortcut files and Cloudflare infrastructure"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Serpentine#Cloud uses shortcut files and Cloudflare infrastructure</h2> <p>Researchers at Securonix have identified a sophisticated malware campaign called Serpentine#Cloud that uses LNK shortcut files to deliver remote payloads. Attacks begin with phishing emails containing links to zipped attachments that execute remote code when opened, ultimately deploying a Python-based, in-memory shellcode loader that backdoors systems.</p> <p>Threat actors use Cloudflare's tunneling service to host the malicious payloads, benefiting from its trusted certificates and use of HTTPS. While showing some sophistication reminiscent of nation-state actors, certain coding choices of these LOTL attacks have suggested that Serpentine#Cloud is likely not from any major nation-state groups.</p> <p><a href="https://www.darkreading.com/cloud-security/serpentinecloud-cloudflare-tunnels-sneak-attacks"><i>Read the full story by Alexander Culafi on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Scammers hijack search results with fake tech support numbers"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Scammers hijack search results with fake tech support numbers</h2> <p>Cybercriminals are creating deceptive tech support scams by purchasing sponsored Google ads that appear to represent major brands, including Apple, Microsoft and PayPal. Unlike traditional scams, these attacks direct users to legitimate company websites, but overlay fraudulent support phone numbers. When users call these numbers, scammers pose as official tech support to steal data and financial information or gain remote access to devices.</p> <p>Malwarebytes researchers called this a "search parameter injection attack," where malicious URLs embed fake phone numbers into genuine sites. Users should verify support numbers through official company communications before calling.</p> <p><a href="https://www.darkreading.com/cloud-security/scammers-spread-false-support-info-legitimate-websites"><i>Read the full story by Kristina Beek on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Threat group weaponizes GitHub repositories to target security pros"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Threat group weaponizes GitHub repositories to target security pros</h2> <p>Trend Micro researchers identified a new threat group called Water Curse that weaponizes GitHub repositories disguised as legitimate security tools to deliver malware through malicious build scripts.</p> <p>Active since March 2023, the group has used at least 76 GitHub accounts to target cybersecurity professionals, game developers and DevOps teams. The multistage malware can exfiltrate credentials, browser data and session tokens while establishing remote access and persistence. The attack typically begins when victims download compromised open source projects containing embedded malicious code. The code triggers during compilation, deploying VBScript and PowerShell payloads that perform system reconnaissance and data theft.</p> <p><a href="https://www.darkreading.com/cyberattacks-data-breaches/water-curse-targets-cybersecurity-pros-github-repos"><i>Read the full story by Elizabeth Montalbano on Dark Reading</i></a><i>.</i></p> <p><b>Editor's note:</b><i> An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.</i></p> <p><i>Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.</i></p> </section> Check out the latest security news from the Informa TechTarget team. https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g1264284948_01.jpg https://www.techtarget.com/searchsecurity/news/366626071/News-brief-LOTL-attacks-spoofed-sites-malicious-repositories Fri, 20 Jun 2025 14:57:00 GMT <p>A time-based one-time password (TOTP) is a temporary passcode generated by an <a href="https://www.techtarget.com/whatis/definition/algorithm">algorithm</a> that uses the current time of day as one of its authentication factors.</p> <p>Time-based <a href="https://www.techtarget.com/searchsecurity/definition/one-time-password-OTP">one-time passwords</a> are commonly used for two-factor authentication (<a href="https://www.techtarget.com/searchsecurity/definition/two-factor-authentication">2FA</a>), providing a second authentication factor that works for a limited amount of time.</p> <section class="section main-article-chapter" data-menu-title="Why are TOTPs important?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why are TOTPs important?</h2> <p>TOTPs provide additional account security. If a user's traditional password is stolen or compromised, an attacker cannot gain account access without the TOTP, which expires quickly.</p> </section> <section class="section main-article-chapter" data-menu-title="How does a TOTP work?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How does a TOTP work?</h2> <p>2FA is a <a href="https://www.techtarget.com/searchsecurity/tip/Use-these-6-user-authentication-types-to-secure-networks">common authentication method</a> for verifying users' identities. It authenticates users based on two conditions: something they know and something they have. For example, when users log into their bank accounts with their username and password, an SMS message or email with a random code is sent for them to input into the banking service prior to logging them in. The username and password are known to the user, and the random code is sent to a device the user owns.</p> <p>TOTPs typically expire after 30 or 60 seconds.</p> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/whatis-totp.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/whatis-totp_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/whatis-totp_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/whatis-totp.png 1280w" alt="Image of a user entering a time-based one-time password to access their account." height="225" width="279"> <figcaption> <i class="icon pictures" data-icon="z"></i>A user inputs a time-based one-time password to verify their identity. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Various methods for users to receive time-based one-time passwords include the following:</p> <ul class="default-list"> <li><a href="https://www.techtarget.com/searchsecurity/definition/security-token">Hardware security tokens</a> that display the password on a small screen.</li> <li>Mobile authenticator apps, such as <a href="https://www.techtarget.com/searchsecurity/definition/Google-Authenticator">Google Authenticator</a>.</li> <li>Text messages sent from a centralized server.</li> <li>Email messages sent from a centralized server.</li> <li>Voice messages sent from a centralized server.</li> </ul> <p>TOTPs can be generated offline when using a mobile authenticator app or a hardware security token. This is ideal for authenticating users with limited internet access.</p> </section> <section class="section main-article-chapter" data-menu-title="What's the difference between time-based and non-time-based OTPs?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What's the difference between time-based and non-time-based OTPs?</h2> <p>Time-based algorithms use the time -- along with a shared secret or token -- to generate a password. Non-time-based algorithms start with a seed value and use <a href="https://www.techtarget.com/searchdatamanagement/definition/hashing">hash functions</a> to generate passwords.</p> <p>After the initial password is generated, the prior password is used as input to generate the next password.</p> <p>TOTP is an approved standard (RFC 6238) of the Internet Engineering Task Force (<a href="https://www.techtarget.com/whatis/definition/IETF-Internet-Engineering-Task-Force">IETF</a>). Other OTP standards include the <a target="_blank" href="https://tools.ietf.org/html/rfc1760" rel="noopener">S/KEY One-Time Password System</a> (RFC 1760), <a target="_blank" href="https://tools.ietf.org/html/rfc2289" rel="noopener">One-Time Password System</a> (RFC 2289) and the <a target="_blank" href="https://tools.ietf.org/html/rfc4226" rel="noopener">HMAC-Based One-Time Password Algorithm</a> (RFC 4226).</p> <p><b>Editor's note:</b><em> </em><em>Informa TechTarget editors revised this article in 2025 to improve the reader experience.</em></p> </section> A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg https://www.techtarget.com/searchsecurity/definition/time-based-one-time-password-TOTP Mon, 02 Jun 2025 00:00:00 GMT <p>Security for information technology (IT) refers to the methods, tools and personnel used to defend an organization's digital assets. The goal of IT security is to protect these assets, devices and services from being disrupted, stolen or exploited by unauthorized users, otherwise known as <a href="https://www.techtarget.com/whatis/definition/threat-actor">threat actors</a>. These threats can be external or internal and malicious or accidental in both origin and nature.</p> <p>An effective security strategy uses a range of approaches to minimize vulnerabilities and target many types of cyberthreats. Detection, prevention and response to security threats involve the use of <a href="https://www.techtarget.com/searchsecurity/definition/security-policy">security policies</a>, software tools and IT services.</p> <p>Unfortunately, technological innovation benefits both IT defenders and <a href="https://www.techtarget.com/searchsecurity/definition/cybercrime">cybercriminals</a>. To protect business assets, companies must routinely review, update and improve security to stay ahead of cyberthreats and increasingly sophisticated cybercriminals.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/w1d81Teltl0?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> <p>IT security consists of two areas: physical and information.</p> <section class="section main-article-chapter" data-menu-title="What is physical security?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is physical security?</h2> <p><a href="https://www.techtarget.com/searchsecurity/definition/physical-security">Physical security</a> is the protection of people, hardware, software, network information and data from physical actions, intrusions and other events that could damage an organization and its assets. Safeguarding the physical security of a business means protecting it from threat actors, as well as accidents and natural disasters, such as fires, floods, earthquakes and severe weather. A lack of physical protection could risk the destruction of servers, devices and utilities that support business operations and processes. That said, people are a large part of the physical security threat.</p> <p>Theft and vandalism are examples of human-initiated threats that require physical security solutions. A physical security breach doesn't necessarily require technical knowledge, but it can be just as dangerous as a <a href="https://www.techtarget.com/searchsecurity/definition/data-breach">data breach</a>.</p> <p>There are three parts to physical security:</p> <ul class="default-list"> <li><a href="https://www.techtarget.com/searchsecurity/definition/access-control">Access control</a>.</li> <li>Surveillance.</li> <li>Testing.</li> </ul> <p>The success of an organization's physical security program depends on effectively implementing, maintaining and updating each of these components.</p> <h3>Access control</h3> <p>Controlling access to office buildings, research centers, laboratories, data centers and other locations is vital to physical security. An example of a physical security breach is an attacker gaining entry to an organization and using a Universal Serial Bus (<a href="https://www.techtarget.com/searchstorage/definition/USB-drive">USB</a>) flash drive to copy and steal data or put <a href="https://www.techtarget.com/searchsecurity/definition/malware">malware</a> on the systems.</p> <p>The goal of access control is to record, monitor and limit the number of unauthorized users interacting with sensitive and confidential physical assets. Access control can be as simple as barriers like walls, fences and locked doors. Identification badges and key codes are also part of an effective physical access system. Physical identification is a great way to <a href="https://www.techtarget.com/searchsecurity/definition/user-authentication">authenticate</a> the identity of users attempting to access devices and areas reserved for authorized personnel.</p> <p>More sophisticated access control methods include various forms of <a href="https://www.techtarget.com/searchsecurity/definition/biometric-authentication">biometric authentication</a>. These security systems use <a href="https://www.techtarget.com/searchsecurity/definition/biometrics">biometrics</a>, or unique biological characteristics, to authenticate the identity of authorized users. Fingerprint and <a href="https://www.techtarget.com/searchenterpriseai/definition/facial-recognition">facial recognition</a> are two examples of common applications of this technology.</p> <h3>Surveillance</h3> <p>Surveillance involves the technologies and tactics used to <a href="https://www.computerweekly.com/feature/Getting-physical-with-datacentre-security">monitor activity</a> in and around facilities and equipment. Many companies install <a href="https://www.techtarget.com/whatis/definition/CCTV-closed-circuit-television">closed-circuit television</a> cameras to secure the perimeter of their buildings. These cameras act as both a deterrent to intruders and a tool for incident response and analysis. Cameras, thermal sensors, motion detectors and security alarms are only some examples of surveillance technology.</p> <h3>Testing</h3> <p>Testing is a reliable way to increase physical security. Companies with strong security protocols test their policies to see if they need to be updated or changed. Such tests can include <a href="https://www.techtarget.com/whatis/definition/red-teaming">red teaming</a>, where a group of ethical hackers try to infiltrate a company's cybersecurity protocols.</p> </section> <section class="section main-article-chapter" data-menu-title="What is information security?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is information security?</h2> <p>Information security is also referred to as information security (<a href="https://www.techtarget.com/searchsecurity/definition/information-security-infosec">infosec</a>). It includes strategies for managing the processes, tools and policies that protect both digital and nondigital assets. When implemented effectively, infosec can maximize an organization's ability to prevent, detect and respond to threats.</p> <p>Infosec encompasses several specialized categories of security technology, such as the following:</p> <p><a href="https://www.techtarget.com/searchsoftwarequality/definition/application-security">Application security</a> protects applications from threats that seek to manipulate, access, steal, modify or delete software and its related data. Application security uses a combination of software, hardware and policies that are called <i>countermeasures</i>. Common countermeasures include <a href="https://www.techtarget.com/searchsoftwarequality/definition/application-firewall">application firewalls</a>, <a href="https://www.techtarget.com/searchsecurity/definition/encryption">encryption</a>, <a href="https://www.techtarget.com/searchenterprisedesktop/definition/patch-management">patch management</a> and biometric authentication systems.</p> <p><a href="https://www.techtarget.com/searchsecurity/definition/cloud-security">Cloud security</a> is a set of policies and technologies designed to protect data and infrastructure in a cloud computing environment. Two key concerns of cloud security are identity and access management and data privacy. <a href="https://www.techtarget.com/searchsecurity/definition/penetration-testing">Penetration testing</a>, network protocol maintenance, man-in-the-middle (<a href="https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM">MitM</a>) detection and application scanning are some tools infosec professionals use to secure information confidentiality.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/cloudsecurity-cloud_security_challenges-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/cloudsecurity-cloud_security_challenges-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/cloudsecurity-cloud_security_challenges-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/cloudsecurity-cloud_security_challenges-f.png 1280w" alt="Cloud security challenges list diagram." height="333" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Cloud security challenges include compliance, misconfiguration and cyberattacks. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Cloud security is a responsibility shared by the cloud service provider (<a href="https://www.techtarget.com/searchitchannel/definition/cloud-service-provider-cloud-provider">CSP</a>) and the tenant, or the business that rents infrastructure such as servers and storage. A legal gray zone in cloud security can occur if CSP agreements are not well-constructed. For example, if a tenant's server is compromised by cybercriminals who gain access to another tenant's server, it is not clear who is to blame.</p> <p>Endpoint security requires network nodes to meet certain security standards, like the Federal Information Security Modernization Act, prior to establishing a secure connection. Node devices include personal computers, laptops, tablets, smartphones and equipment such as point-of-sale terminals, barcode readers, sensors and internet of things (IoT) devices.</p> <p>Internet security is the protection of software applications, <a href="https://www.techtarget.com/whatis/definition/browser">web browsers</a> and virtual private networks that use the internet. Techniques such as encryption, for example, protect data from attacks such as malware, <a href="https://www.techtarget.com/searchsecurity/definition/phishing">phishing</a>, MitM and <a href="https://www.techtarget.com/searchsecurity/definition/denial-of-service">denial-of-service</a> attacks.</p> <p>Mobile security is also known as wireless security. <a href="https://www.techtarget.com/whatis/definition/mobile-security">Mobile security</a> protects mobile devices such as smartphones, tablets and laptops and the networks they connect to from theft, data leakage and other attacks.</p> <p>Network security defends the network infrastructure and the devices connected to it from threats such as unauthorized access, malicious use and modifications.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/networking-9_elements_netsec-f.png"> <img data-src="https://www.techtarget.com/rms/onlineImages/networking-9_elements_netsec-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/networking-9_elements_netsec-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/networking-9_elements_netsec-f.png 1280w" alt="9 elements of network security diagram." height="581" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Network security includes nine elements, including network firewalls, intrusion prevention systems and SD-WAN security. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Supply chain security protects the network between a company and its suppliers, who often have access to sensitive information such as employee information and intellectual property. The <a href="https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know">SolarWinds data breach</a> in 2020 demonstrated how vulnerable organizations can be when supply chain channels are poorly monitored with a lack of <a href="https://www.techtarget.com/searcherp/definition/supply-chain-security">supply chain security</a>. SolarWinds is an IT company that manages client networks and systems and has access to the customers' IT. Once hackers infiltrated SolarWinds' update server, they were able to install a virus that acted as a <a href="https://www.techtarget.com/searchsecurity/definition/back-door">digital backdoor</a> to client systems and data.</p> </section> <section class="section main-article-chapter" data-menu-title="Why is security important?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why is security important?</h2> <p>In an IT context, security is essential for modern-day organizations. The most important reasons for implementing strong security include the following:</p> <ul class="default-list"> <li>Protect sensitive data critical to an organization's operations against cyberthreats.</li> <li>Prevent disruptions to operational continuity.</li> <li>Maintain trust by protecting customer and employee data.</li> <li>Support regulatory compliance and prevent against financial regulatory penalties.</li> <li>Prevent <a target="_blank" href="https://www.ibm.com/reports/data-breach" rel="noopener">costly attacks and data breaches</a>.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/apparch-defense_in_depth_layers-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/apparch-defense_in_depth_layers-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/apparch-defense_in_depth_layers-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/apparch-defense_in_depth_layers-f.png 1280w" alt="Layer of defense-in-depth diagram." height="442" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Defense-in-depth layers are comprised of physical, perimeter and internal network. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Information technology security concepts and principles"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Information technology security concepts and principles</h2> <p>A number of concepts and principles form the foundation of IT security. Some of the most important ones are:</p> <ul class="default-list"> <ul class="default-list"> <li><b>Application lifecycle management</b><b>.</b> <a href="https://www.techtarget.com/searchsoftwarequality/definition/application-lifecycle-management-ALM">Application lifecycle management</a> protects all stages of the application development process by reducing exposure to bugs, design flaws and configuration errors.</li> <li><b>Defense in depth.</b> This is a strategy that uses multiple countermeasures simultaneously to protect information. These methods can include endpoint detection and response, antivirus software and kill switches. Defense in depth is based on the military principle that it's more difficult for an enemy to beat a multilayered defense system than a single-layer one.</li> </ul> </ul> <figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-5_benefits_least_privilege-h.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/security-5_benefits_least_privilege-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-5_benefits_least_privilege-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-5_benefits_least_privilege-h.png 1280w" alt="Benefits of using principle of least privilege checklist graphic."> <figcaption> <i class="icon pictures" data-icon="z"></i>The five benefits of using the principle of least privilege include the prevention of malware spreading and improved user productivity. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <ul class="default-list"> <li><b>Patch management.</b> Patches and updates are acquired, tested and installed for flawed code in applications, OSes and firmware.</li> <li><b>Principle of least privilege</b><b>.</b> This <a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP">principle of least privilege</a> strengthens IT security by limiting user and program access to the lowest level of access rights needed for them to do their jobs or functions.</li> <li><b>Risk management</b><b>.</b> <a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important">Risk management</a> is the process of identifying, assessing and controlling security risks that threaten an organization's IT environment.</li> <li><b>Vulnerability management.</b> With this approach, security admins routinely check for vulnerabilities by identifying, verifying, mitigating and patching IT security weaknesses as they arise.</li> </ul> <p>These are some of the most important concepts and principles of IT security and technology. However, combining all these principles doesn't guarantee 100% security for an organization. This is a fundamental problem facing every IT security leader and business. However, by deploying a comprehensive security strategy, organizations can defend against physical and infosec threats.</p> </section> <section class="section main-article-chapter" data-menu-title="Types of cybersecurity"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Types of cybersecurity</h2> <p>An effective cybersecurity strategy involves various tools and methods. The most common include:</p> <ul class="default-list"> <li><b>Firewalls.</b> Firewalls are the barriers between an internal barrier and potential threats from external networks. Firewalls implement security rules that filter incoming and outgoing traffic.</li> <li><b>Anitvirus and antimalware.</b> Antivirus and antimalware detect, isolate and remove malicious software like viruses, ransomware and spyware, protecting devices and networks from infections.</li> <li><b>Encryption</b>. Encryption converts readable data into coded, or encrypted, formats that only authorized users can decrypt, ensuring privacy and confidentiality.</li> <li><b>Intrusion detection and prevention systems (IDPS).</b> These <a href="https://www.techtarget.com/searchsecurity/definition/intrusion-detection-system">intrusion detection</a> and prevention systems monitor network traffic for unusual patterns that may indicate security breaches and can automatically take action to block or report potential intrusions.</li> <li><b>Multifactor authentication.</b> <a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA">MFA</a> requires multiple forms of verification before granting access, reducing the risk of unauthorized access even if passwords are compromised.</li> <li><b>Virtual private networks.</b> VPNs create a secure, encrypted connection over the internet, protecting data in transit and ensuring privacy.</li> <li><b>Security information and event management.</b> <a href="https://www.techtarget.com/searchsecurity/definition/security-information-and-event-management-SIEM">SIEM</a> gathers, analyzes and reports on security-related data from across the network, providing visibility into potential threats and assisting in swift responses.</li> <li><b>Data loss prevention. </b>DLP monitors and controls data transfers, ensuring sensitive information does not leave secure environments.</li> <li><b>Network segmentation.</b> <a href="https://www.techtarget.com/searchnetworking/definition/network-segmentation">Network segmentation</a> divides networks into smaller parts, reducing the risk of attacks spreading, and allows security teams to isolate issues.</li> </ul> <div class="youtube-iframe-container"> <iframe id="ytplayer-1" src="https://www.youtube.com/embed/1SVlUJ1lk5I?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="Cybersecurity vs. infosec"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Cybersecurity vs. infosec</h2> <p>Considering information security's intersection with endpoint, IoT and network security, it can be <a href="https://www.techtarget.com/searchnetworking/answer/What-are-the-differences-between-network-security-vs-cybersecurity">difficult to separate information security from cybersecurity</a>; however, there are distinct differences. One difference is geopolitical issues. Cybersecurity can refer to the defense mechanisms that protect a country or a government's data from <a href="https://www.techtarget.com/searchsecurity/definition/cyberwarfare">cyberwarfare</a>. This is because cybersecurity includes the protection of data and its related technologies from threats.</p> <p>Information security, on the other hand, focuses on ensuring information is available, remains confidential and maintains its integrity.</p> <p><i>Learn more about the </i><a href="https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams"><i>threats to information security</i></a><i> that enterprise IT is facing today.</i></p> </section> Security for information technology (IT) refers to the methods, tools and personnel used to defend an organization's digital assets. https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg https://www.techtarget.com/searchsecurity/definition/security Fri, 30 May 2025 16:15:00 GMT <p>The challenges of enterprise cybersecurity are well known, yet data breaches, third-party compromises and other cyberattacks continue to wreak havoc.</p> <p>PwC, which surveyed more than 4,000 business and tech leaders for its "2025 Global Digital Trust Insights," <a target="_blank" href="https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-digital-trust-insights.html" rel="noopener">reported</a> that "what worries organisations most is what they're least prepared for." The top five threats cited by respondents -- cloud-related threats, hack-and-leak operations, third-party breaches, connected device attacks and ransomware -- also ranked among the top issues that security leaders claimed they felt the least prepared to address.</p> <p>History has proved that these concerns are justified, and this past week's news highlighted just how prevalent such issues are. The following companies are a few of the many that made headlines for data breaches, data leaks and attacks.</p> <section class="section main-article-chapter" data-menu-title="IT management software vendor ConnectWise"> <h2 class="section-title"><i class="icon" data-icon="1"></i>IT management software vendor ConnectWise</h2> <p>ConnectWise disclosed a breach targeting customers of its ScreenConnect remote monitoring and management software. The company attributed the attack to a "sophisticated nation state actor." ConnectWise engaged Mandiant for forensic investigation and notified affected customers and law enforcement.</p> <p>ConnectWise said it implemented enhanced monitoring and hardening measures. Details remain limited about the attack scope and number of affected customers.</p> <p><a href="https://www.darkreading.com/cyberattacks-data-breaches/connectwise-breached-screenconnect-customers-targeted"><i>Read the full story by Rob Wright on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Risk management services firm LexisNexis"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Risk management services firm LexisNexis</h2> <p>LexisNexis Risk Solutions (LNRS) is facing a third-party data leak affecting more than 360,000 customers. The breach, which was discovered on April 1, but occurred on Dec. 25, 2024, involved an unauthorized individual accessing LNRS customer data from a third-party platform.</p> <p>Compromised data could include names, contact details, Social Security numbers, driver's license numbers and birth dates. LNRS' own networks were unaffected.</p> <p>LNRS notified law enforcement, launched an investigation, and is offering affected users free identity protection and credit monitoring for up to two years. No evidence of data misuse has been reported, and no threat group has claimed responsibility.</p> <p><a href="https://www.darkreading.com/cyberattacks-data-breaches/lexisnexis-360k-customers-third-party-data-leak"><i>Read the full story by Kristina Beek on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Retailer Victoria's Secret"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Retailer Victoria's Secret</h2> <p>Victoria's Secret took its U.S. website offline following an unspecified "security incident," while its U.K. site remained operational and physical stores continued business as usual.</p> <p>The company said it implemented response protocols and engaged third-party experts to address the incident. Online customer services, including online returns and customer care, were temporarily unavailable. No details about the nature, scope, timing or potential data compromise have been provided.</p> <p><a href="https://www.darkreading.com/endpoint-security/victoria-secret-website-security-incident"><i>Read the full story by Kristina Beek on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Telecom provider Cellcom"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Telecom provider Cellcom</h2> <p>Cellcom has nearly restored calling and texting services after a cyberattack forced it to take its network offline on May 14, leaving Wisconsin and Michigan customers' devices in SOS mode for nearly a week.</p> <p>CEO Brighid Riordan confirmed that the company had notified the FBI and begun an investigation. She said there was no evidence that customer data was compromised, as the attack targeted a separate network area. While Cellcom said services were "performing well for most customers" as of Tuesday, some intermittent issues persisted.</p> <p>Security experts have suggested that the incident might have been a DDoS attack, noting that telecom providers are frequent targets for service disruption and cyberespionage.</p> <p><a href="https://www.darkreading.com/cyberattacks-data-breaches/cellcom-restores-regional-mobile-services-cyberattack"><i>Read the full story by Elizabeth Montalbano on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Software vendor MathWorks"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Software vendor MathWorks</h2> <p>MathWorks, creator of Matlab and Simulink, disclosed a ransomware attack that began on May 18. The attack affected both customer-facing online applications and internal systems. The company initially reported "an issue with multiple applications" and later revealed more affected services, including ThingSpeak, Cloud Center and Matlab Mobile.</p> <p>By May 21, the company had restored single sign-on and MFA, but some authentication services remained degraded. MathWorks is working with cybersecurity experts to restore remaining systems and has notified federal law enforcement. The ransomware group responsible for the attack remains unidentified, and it's unclear if any data was stolen.</p> <p><a href="https://www.darkreading.com/vulnerabilities-threats/mathworks-confirms-ransomware-attack"><i>Read the full story by Kristina Beek on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Retailer Adidas"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Retailer Adidas</h2> <p>Adidas confirmed that it suffered a data breach through a third-party customer service provider. Affected data included contact information of customers who previously interacted with the company's help desk. No passwords, credit cards or other financial information was compromised.</p> <p>The company said it is notifying affected consumers and authorities while investigating the incident with security experts. The third-party customer service provider remains unnamed, and the attackers' identity is unknown.</p> <p><a href="https://www.darkreading.com/vulnerabilities-threats/adidas-victim-third-party-data-breach"><i>Read the full story by Kristina Beek on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Unnamed MSP"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Unnamed MSP</h2> <p>The DragonForce ransomware gang conducted a supply chain attack by exploiting three vulnerabilities in SimpleHelp, a remote monitoring and management tool used by MSPs.</p> <p>According to Sophos research published this week, the attackers compromised an MSP's SimpleHelp instance to deploy ransomware to multiple downstream customers. SimpleHelp said it patched the vulnerabilities -- tracked as CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726 -- within 48 hours of notification.</p> <p>DragonForce, which emerged in 2023, is gaining popularity in the criminal ecosystem due to its unique "customer-centric" model that enables affiliates to use their own branding while using DragonForce's infrastructure.</p> <p><a href="https://www.darkreading.com/application-security/dragonforce-ransomware-msp-supply-chain-attack"><i>Read the full story by Alexander Culafi on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Third-party risk management resources"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Third-party risk management resources</h2> <p>Learn more about how to manage risks related to third parties here:</p> <ul class="default-list"> <li><a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-an-effective-third-party-risk-assessment-framework">How to build an effective third-party risk assessment framework</a></li> <li><a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-third-party-risk-management-policy">How to create a third-party risk management policy</a></li> <li><a href="https://www.techtarget.com/searchsecurity/tip/How-to-manage-third-party-risk-in-the-cloud">How to manage third-party risk in the cloud</a></li> <li><a href="https://www.techtarget.com/searcherp/feature/5-supply-chain-cybersecurity-risks-and-best-practices">Cybersecurity risks and challenges in supply chain</a></li> <li><a href="https://www.techtarget.com/searchsecurity/tip/Why-fourth-party-risk-management-is-a-must-have">Why fourth-party risk management is a must-have</a></li> </ul> <p><b>Editor's note:</b><i> An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.</i></p> <p><i>Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.</i></p> </section> Check out the latest security news from the Informa TechTarget team. https://cdn.ttgtmedia.com/rms/onlineimages/security_a303249453.jpg https://www.techtarget.com/searchsecurity/news/366625254/News-brief-Weeks-top-breaches-stem-from-third-party-attacks Fri, 30 May 2025 15:56:00 GMT <p>A passkey is an alternative user authentication method that eliminates the need for usernames and passwords. Rather than relying on old login methods susceptible to <a href="https://www.techtarget.com/searchsecurity/definition/phishing">phishing</a> or hacking attacks, <a href="https://www.techtarget.com/searchsecurity/definition/keylogger">keyloggers</a>, data breaches and other security flaws, websites and applications can use passkeys to verify a user's login credentials. Passkeys are only stored on the user's device, so there is no password that could be intercepted by potential scammers.</p> <p><a href="https://www.techtarget.com/searchitoperations/podcast/Cybersecurity-expertise-gaps-More-than-meets-the-eye">Cybersecurity professionals</a> have long stressed the importance of strong passwords to prevent security vulnerabilities. However, because web users often create weak passwords or reuse passwords, two-factor authentication (<a href="https://www.techtarget.com/searchsecurity/definition/two-factor-authentication">2FA</a>) was developed. This adds a security checkpoint by confirming a user login with a phone call, text message or email containing a code sent to the user. The user then enters this code to complete the login process. Unfortunately, bad actors have found their way around 2FA and the standard login process. Because password technology is inherently vulnerable to phishing and other attacks designed to <a href="https://www.techtarget.com/searchsecurity/definition/credential-theft">steal or bypass credentials</a>, 2FA has only made things marginally more difficult for fraudsters.</p> <section class="section main-article-chapter" data-menu-title="How does a passkey work?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How does a passkey work?</h2> <p>When a user attempts to log into a site that uses passkey technology, the site sends a <a href="https://www.techtarget.com/searchmobilecomputing/definition/push-notification">push notification</a> to the smartphone they used when they registered their account. When they use their face, fingerprint or personal identification number (PIN) to unlock their device, it creates a unique passkey and communicates it to the website they are trying to access. At that point, the user is logged in, all without their login information or biometric data being transmitted using a potentially insecure Wi-Fi connection or needing to be typed out.</p> <p>Unlike 2FA, which uses Wi-Fi or other methods for user verification, passkeys use <a href="https://www.techtarget.com/searchmobilecomputing/definition/Bluetooth">Bluetooth</a>. Bluetooth checks to ensure the device logging in is nearby, further limiting the chances of a scammer or hacker accessing the user's account.</p> <p>Passkeys, which are based on the <a href="https://www.techtarget.com/searchsecurity/definition/WebAuthn-API">Web Authentication API</a>, only work for the website on which they were created. They are then stored on the user's device instead of on a physical or cloud-based server.</p> <p>To date, Apple offers the most thorough explanation of how passkeys work within its tech ecosystem. Its iCloud Keychain service stores its cryptographic keys in a rate-limited way to prevent <a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking">brute-force attacks</a>. The keys are recoverable even if a user's devices are lost or compromised. Those new to the Apple world and setting up their first iOS device must set up 2FA first. To add a new device, the user needs their Apple ID password and the six-digit code sent to another trusted device or phone number using a push notification.</p> <p>For example, an iPhone user would set up 2FA the first time they use it and establish their Apple ID. When they want to make a purchase or complete some other secure transaction, they must enter their Apple ID password and check their iPhone -- or whatever device they used to set up their 2FA authentication initially -- for the six-digit code sent to them. When they enter the code, the new device is added to what Apple calls the <i>circle of trust</i> formed by the iCloud Keychain. This circle acts like a chain, and the devices represent links added to the chain as they are set up.</p> <p>When the user needs to log into a website on a computer they do not usually use -- regardless of whether it's an Apple, Google or Microsoft product -- with passkey technology enabled, the login screen on the website provides a <a href="https://www.techtarget.com/whatis/definition/QR-code-quick-response-code">quick response code</a> for them to scan with their phone. With Bluetooth enabled on their phone and the phone within Bluetooth frequency range of the device they're trying to log in on, they will receive a push notification <a href="https://www.techtarget.com/whatis/feature/Palm-scanning-tech-explained-Everything-you-need-to-know">to use biometric identification</a> or a PIN on their phone. Once they do that, their phone will give the website the all-clear and allow the user to log in.</p> </section> <section class="section main-article-chapter" data-menu-title="The origin of passkeys"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The origin of passkeys</h2> <p>The passkey idea first took hold in 2009, when Validity Sensors -- acquired by Synaptics in 2013 -- and PayPal jointly developed the concept of using biometrics instead of passwords for online identification.</p> <p>Along with several other tech leaders, they founded the <a target="_blank" href="https://fidoalliance.org/" rel="noopener">FIDO (Fast Identity Online) Alliance</a>, a web security collective, in July 2012. FIDO publicly announced its initiatives in February 2013. Google joined in April 2013. In February 2014, PayPal and Samsung launched the first public deployment of FIDO authentication with Samsung's Galaxy S5 smartphone. Users of the device could, for the first time, authenticate PayPal with a finger swipe and shop online without having to enter a password to complete the transaction payment.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/passkey_adoption_the_shift_toward_passwordless_authentication-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/passkey_adoption_the_shift_toward_passwordless_authentication-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/passkey_adoption_the_shift_toward_passwordless_authentication-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/passkey_adoption_the_shift_toward_passwordless_authentication-f.png 1280w" alt="An image showing passkey adoption statistics per the FIDO Alliance." height="465" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>The FIDO Alliance's survey 'Consumer Password &amp; Passkey Trends' shows the growing use of passkeys versus passwords. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="Is a passkey more secure than a password?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Is a passkey more secure than a password?</h2> <p>Because every passkey is unique, they tend to be more secure than passwords because they cannot be reused across multiple sites and platforms. And because passkeys are generated automatically, users do not need to rely on passwords that are either easy to remember -- and unfortunately, easy for others to guess -- or so complicated that they are easily forgotten.</p> <p>Because passkeys use end-to-end <a href="https://www.techtarget.com/searchsecurity/definition/encryption">encryption</a>, not even the companies creating them can see or change them. Apple says its passkeys use public key cryptography and create two keys. One key is public and stored on the website's server; the other is private and stored on the user's device, so it is only accessible to that user.</p> <p>This means that the private keys generated in each passkey pair are only stored on the user's device, not on any website's server, making it impossible for the user's login information to be discovered through a data breach or hacking attempt. A hacker could only access the public key, which would be useless to them because it would not grant access to the user's account information. Even if someone were to fall prey to a phishing link in an email or text message, the effort would fail because the passkey on the user's device would only work with the website that created it.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/hWYhPOxpgkI?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> </section> <section class="section main-article-chapter" data-menu-title="Companies that use passkeys"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Companies that use passkeys</h2> <p>Awareness of passkey technology has accelerated. At the FIDO Alliance May 2022 conference, Apple, Google and Microsoft publicly announced a major initiative to promote passkeys as a <a href="https://www.techtarget.com/searchsecurity/definition/passwordless-authentication">passwordless authentication</a> standard, and Apple followed through in June 2022 by announcing a new passkey feature. This feature debuted in iOS 16 and macOS Ventura, was integrated into the iPhone 14, and is part of subsequent releases.</p> <p>The Apple passkey feature uses existing iOS technology powering its Touch ID and Face ID features. Websites that support passkeys enable users to create accounts and log in using their fingerprint or facial image instead of a password to authenticate their credentials. Apple passkeys use the iCloud Keychain password management system to back up passkeys and sync them across all a user's Apple devices. This means users can create a passkey for a website while on their phone and then use that same passkey to log in to that website later while using an iPad, for example.</p> <p>Google passkeys use similar fingerprint and facial image passkeys on Chrome browsers, Android devices and Google accounts, including Gmail and Drive.</p> <p>Microsoft includes passkeys on its Windows 10 and 11 operating systems through the Windows Hello program. This program enables users to log in with a PIN and <a href="https://www.techtarget.com/searchsecurity/definition/biometric-authentication">biometric authentication</a>, such as a fingerprint or a facial image. Passkeys are also available on Microsoft 365, Copilot and Xbox accounts. These services support passkey backups and device synchronization.</p> <p>In addition to Apple, Google and Microsoft, hundreds of other companies -- including GitHub, Facebook, Instacart, Kayak, Verizon and Zoho -- use passkeys, and the list is growing.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types.png 1280w" alt="A chart showing the different types of biometrics that can be used for authentication." height="608" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Biometric identification is used in conjunction with a passkey to authenticate a user. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="The call for a passkey standard"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The call for a passkey standard</h2> <p>Going forward, security professionals are advocating for implementing standards that will prevent or at least discourage vendor lock-in. The concern is about what happens with existing passkeys if a user switches from one vendor's product to another.</p> <p>Some vendors have addressed this problem with workarounds. For example, Apple enables an existing passkey for an iPhone to be used on another device with Google Chrome running on either iOS 16 or later or on a Windows machine.</p> <p>It remains to be seen if standardization efforts are successful, but creating new passkeys is so easy and almost entirely automated that users should be able to easily establish credentials on a new device from a different vendor.</p> <p>The <a href="https://fidoalliance.org/design-system/" target="_blank" rel="noopener">FIDO Alliance Design System</a> and other methodologies published by the alliance should help encourage standardization.</p> </section> <section class="section main-article-chapter" data-menu-title="Passkey use is growing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Passkey use is growing</h2> <p>Much of passkey's underlying technology has already been integrated into everyday tech life, such as 2FA and biometric authentication that rely on a user's face or fingerprint to unlock a device or otherwise provide authentication.</p> <p>Growing security vulnerabilities and password management issues are prompting many organizations to abandon password use in favor of passkeys. Users are also becoming increasingly frustrated with managing a multitude of different passwords, forcing a shift toward more secure alternatives like passkeys.</p> <p>In September 2024 and April 2025, the FIDO Alliance Working Group commissioned a survey regarding passkey deployments worldwide. It found that <a target="_blank" href="https://fidoalliance.org/new-fido-alliance-research-shows-87-percent-us-uk-workforces-are-deploying-passkeys-for-employee-sign-ins/" rel="noopener">87%</a> of the decision-makers surveyed have deployed passkeys at their organizations with 47% having rolled out a mix of physical security keys, cards and synced passkeys.</p> <p><i>Learn </i><a href="https://www.techtarget.com/searchsecurity/answer/Authentication-vs-digital-identity-Whats-the-difference"><i>how identity management and authentication compare</i></a><i> as part of an identity and access management framework.</i></p> </section> A passkey is an alternative user authentication method that eliminates the need for usernames and passwords. https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg https://www.techtarget.com/whatis/definition/passkey Wed, 21 May 2025 12:00:00 GMT <p>Patch management is one of the oldest and most well-known IT and security tasks, but it remains a bane of admins' existence. From buggy patches and time-consuming processes to fears of business downtime and <a href="https://www.techtarget.com/searchsecurity/tip/How-remote-work-is-changing-patch-management">increased complexity due to remote workers</a>, patch management isn't the easiest task for IT and security professionals.</p> <p>Yet it is a constant worry.</p> <p>Fifty-four percent of Ponemon Institute's "2024 State of Cyber Risk in the Age of AI" respondents cited unpatched vulnerabilities as the top cyber-risk at their organization. And it's no surprise why -- as of the writing of this article, NIST's National Vulnerability Database has received an average of 136 new CVEs a day this year.</p> <p>While not all vulnerabilities are critical, teams must be aware of them. Here are three that made the news this week.</p> <section class="section main-article-chapter" data-menu-title="SAP NetWeaver vulnerability under attack by APT and ransomware groups"> <h2 class="section-title"><i class="icon" data-icon="1"></i>SAP NetWeaver vulnerability under attack by APT and ransomware groups</h2> <p>A critical vulnerability, CVE-2025-31324, in SAP NetWeaver's Visual Composer development software is under attack by ransomware groups and Chinese advanced persistent threat actors. The flaw, which has a CVSS score of 9.8, enables unauthenticated <a href="https://www.techtarget.com/searchwindowsserver/definition/remote-code-execution-RCE">remote code execution</a>. Initially reported by cybersecurity company ReliaQuest on April 22, the vulnerability has attracted multiple threat actors. SAP released an emergency patch on April 24, but attackers continue to exploit it.</p> <p><a href="https://www.darkreading.com/vulnerabilities-threats/critical-sap-netweaver-vuln-cyberattacks"><i>Read the full story by Kristina Beek on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Samsung MagicINFO Server PoC under exploit"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Samsung MagicINFO Server PoC under exploit</h2> <p>Threat actors are actively exploiting a critical vulnerability, CVE-2025-4632, in Samsung's digital signage management product. The MagicINFO Server 9 flaw, which received a CVSS score of 9.8, enables attackers to write arbitrary files with system authority. Bug disclosure group SSD Secure Disclosure reported the issue to Samsung on January 12 and published a proof of concept (PoC) on April 30. Security companies Arctic Wolf and Huntress observed exploitation attempts in early May, with some attacks linked to Mirai botnet activities. Samsung issued a hotfix on May 8, though researchers noted that the patch requires installation of a specific previous version first. The PoC bypasses versions patched against CVE-2024-7399, a restricted directory vulnerability disclosed and patched last year.</p> <p><i><a href="https://www.darkreading.com/endpoint-security/attackers-target-samsung-magicinfo-server-bug">Read the full story by Alexander Culafi on Dark Reading</a>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Chat app vulnerability exploited months after patch released"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Chat app vulnerability exploited months after patch released</h2> <p>A Turkish cyberespionage group known as Sea Turtle has been exploiting a critical vulnerability in Output Messenger to spy on Kurdish military forces in Iraq since April 2024, Microsoft reported. The messaging app, marketed as a private, secure enterprise messaging service, was compromised using <a href="https://www.techtarget.com/searchsecurity/tip/Types-of-DNS-attacks-and-how-to-prevent-them">DNS hijacking</a> or typosquatting to gain users' credentials. The attackers exploited a directory traversal vulnerability to plant backdoors that enabled them to intercept communications. Output Messenger's developer, Srimax, said it patched this issue on Dec. 25, but Microsoft reported that unpatched systems continue to be targeted.</p> <p><a href="https://www.darkreading.com/cyberattacks-data-breaches/turkish-apt-exploits-chat-app-zero-day-spy-iraqi-kurds"><i>Read the full story by Nate Nelson on Dark Reading</i></a><i>.</i></p> </section> <section class="section main-article-chapter" data-menu-title="Patch management resources"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Patch management resources</h2> <p>Learn more about enterprise patch management here:</p> <ul class="default-list"> <li><a href="https://www.techtarget.com/searchsecurity/tip/5-enterprise-patch-management-best-practices">10 enterprise patch management best practices</a></li> <li><a href="https://www.techtarget.com/searchsecurity/answer/Testing-a-security-patch">Key software patch testing best practices</a></li> <li><a href="https://www.techtarget.com/searchsecurity/tip/Security-patch-validation-and-verification">How to conduct security patch validation and verification</a></li> <li><a href="https://www.techtarget.com/searchenterprisedesktop/tip/Use-this-10-step-patch-management-process-to-ensure-success">An 11-step patch management process to ensure success</a></li> <li><a href="https://www.techtarget.com/searchenterprisedesktop/tip/Creating-a-patch-management-policy-Step-by-step-guide">Creating a patch management policy: Step-by-step guide</a></li> <li><a href="https://www.techtarget.com/searchsecurity/tip/Automated-patch-management-Best-practices-for-success">Automated patch management: 9 best practices for success</a></li> </ul> <p><b>Editor's note:</b><i> An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.</i></p> <p><i>Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.</i></p> </section> Check out the latest security news from the Informa TechTarget team. https://cdn.ttgtmedia.com/rms/onlineimages/security_a303249453.jpg https://www.techtarget.com/searchsecurity/news/366623968/News-brief-Patch-critical-SAP-Samsung-and-chat-app-flaws-now Fri, 16 May 2025 17:43:00 GMT <p>A penetration test, also called a <i>pen test</i> is a simulated <a href="https://www.techtarget.com/searchsecurity/definition/cyber-attack">cyberattack</a> on a computer system, network or application to identify and highlight vulnerabilities in an organization's <a href="https://www.techtarget.com/searchsecurity/definition/security-posture">security posture</a>.</p> <p>Also known as <i>ethical hacking</i>, these tests are often carried out by <a href="https://www.techtarget.com/searchsecurity/definition/ethical-hacker">ethical hackers</a>. These in-house employees or third parties mimic the strategies and actions of an attacker to evaluate the hackability of an organization's computer systems, network or web applications. Organizations can also use pen testing to evaluate their adherence to compliance regulations.</p> <p>Penetration testing is considered a <a href="https://www.techtarget.com/searchsecurity/feature/Build-a-proactive-cybersecurity-approach-that-delivers">proactive cybersecurity measure</a> because it involves consistent, self-initiated improvements based on the reports the test generates. This differs from nonproactive approaches, which don't fix weaknesses as they arise. A nonproactive approach to cybersecurity, for example, would involve a company updating its <a href="https://www.techtarget.com/searchsecurity/definition/firewall">firewall</a> after a <a href="https://www.techtarget.com/searchsecurity/definition/data-breach">data breach</a> occurs.</p> <p>The goal of proactive measures, such as pen testing, is to minimize the number of retroactive upgrades and maximize an organization's security.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/TA0TbzyU8GY?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> <section class="section main-article-chapter" data-menu-title="Why is pen testing important?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Why is pen testing important?</h2> <p>A test run of a cyberattack, a penetration test offers insights into the most vulnerable aspects of a system. It also serves as a mitigation technique, enabling organizations to close the identified loopholes before threat actors get to them.</p> <p>The following are four reasons why organizations should conduct pen testing:</p> <ol type="1" start="1" class="default-list"> <li><b>Risk assessment. </b>The rate of distributed denial of service (<a href="https://www.techtarget.com/searchsecurity/definition/denial-of-service">DoS</a>), <a href="https://www.techtarget.com/searchsecurity/definition/phishing">phishing</a> and <a href="https://www.techtarget.com/searchsecurity/definition/ransomware">ransomware</a> attacks is dramatically increasing, putting most companies at risk. Considering how reliant businesses are on technology, the consequences of a <a href="https://www.techtarget.com/searchsecurity/news/252500684/DarkSide-The-ransomware-gang-that-took-down-a-pipeline">successful cyberattack</a> have never been greater. A ransomware attack, for instance, could block a company from accessing the data, devices, networks and servers it relies on to conduct business. Such an attack could result in millions of dollars of lost revenue. Pen testing uses the hacker perspective to identify and mitigate cybersecurity risks before they're exploited. This helps IT leaders perform informed security upgrades that minimize the possibility of successful attacks.</li> <li><b>Security awareness.</b> As technology continues to evolve, so do the methods cybercriminals use. For companies to successfully protect themselves and their assets from these attacks, they need to be able to update their security measures at the same rate. The caveat, however, is that it's often difficult to know which methods cybercriminals are using and how they might be used in an attack. But by using skilled ethical hackers, organizations can quickly and effectively identify, update and replace the parts of their systems that are particularly susceptible to modern hacking techniques.</li> <li><b>Reputation.</b> A data breach can put a company's reputation at stake, especially if it goes public. Customers can lose confidence in the business and stop buying its products, while investors might be hesitant to invest in a business that doesn't take its cyberdefense seriously. Penetration testing protects the reputation of a business by offering proactive mitigation approaches.</li> <li><b>Compliance.</b> Industries such as healthcare, banking and service providers take compliance and regulation seriously and include pen testing as part of their compliance efforts. Common regulations such as <a href="https://www.techtarget.com/searchsecurity/tip/Pen-testing-guide-Types-steps-methodologies-and-frameworks">System and Organization Controls 2</a>, the <a href="https://www.techtarget.com/searchhealthit/definition/HIPAA">Health Insurance Portability and Accountability Act</a> and the <a href="https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard">Payment Card Industry Data Security Standard</a> require pen tests to be compliant. Therefore, by performing regularly scheduled pen testing, organizations can stay on top of their compliance needs.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="Benefits of penetration testing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Benefits of penetration testing</h2> <p>Penetration testing offers a wide range of benefits for organizations looking to improve their security posture and resilience. Here are some common benefits of conducting penetration testing:</p> <ul class="default-list"> <li><b>Identification and prioritization of vulnerabilities.</b> Penetration tests provide a deeper analysis than automated scans, revealing complex and exploitable weaknesses in systems, networks and applications. They also help classify and prioritize vulnerabilities according to their potential effects and ease of exploitation, enabling organizations to concentrate their remediation efforts on the most significant issues.</li> <li><b>Real-world security assessment.</b> By simulating actual attack scenarios, pen testing offers a realistic evaluation of an organization's security posture. This helps identify weaknesses in defense mechanisms and provides a better understanding of how an attacker might succeed when trying to infiltrate a system.</li> <li><b>Improved security controls and processes.</b> The findings of a penetration test offer organizations the information needed to fine-tune their security defenses, such as firewalls, <a href="https://www.techtarget.com/searchsecurity/definition/intrusion-detection-system">intrusion detection systems</a> and access management. Additionally, it helps facilitate improvements to the security guidelines, operational processes and overall security architecture of the organization.</li> <li><b>Business continuity and reduced downtime. </b>Pen testing can uncover weaknesses that could lead to system failures or disruptions. Addressing these vulnerabilities helps ensure <a href="https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity">business continuity</a> and minimizes potential downtime caused by security incidents.</li> <li><b>Cost savings.</b> Proactively addressing vulnerabilities through penetration testing is more cost-effective than dealing with the aftermath of a cyberattack. Penetration testing helps organizations identify and <a href="https://www.techtarget.com/searchsecurity/tip/Close-security-gaps-with-attack-path-analysis-and-management">close security gaps</a> before they're exploited, thereby preventing the financial losses associated with data breaches and system downtime.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="Who performs penetration tests?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Who performs penetration tests?</h2> <p>Pen testing is typically performed by pen testers known as ethical hackers. These ethical hackers are IT experts who use hacking methods to help companies identify possible entry points into their infrastructure. By using different methodologies, tools and approaches, organizations can perform simulated cyberattacks to test the strengths and weaknesses of their existing security systems. <i>Penetration</i>, in this case, refers to the degree to which a hypothetical threat actor, or hacker, can penetrate an organization's cybersecurity measures and protocols.</p> <p>Most pen testers are experienced developers or security professionals with <a href="https://www.techtarget.com/searchsecurity/feature/On-a-penetration-tester-career-path-flexibility-and-curiosity-are-key">advanced credentials and pen testing certifications</a>. It's always best to hire penetration testers who have little to no experience with the system they're trying to infiltrate. For example, a developer performing pen testing on their own source code might miss a few blind spots that a tester from outside can catch.</p> </section> <section class="section main-article-chapter" data-menu-title="Team methodology in penetration testing"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Team methodology in penetration testing</h2> <p>In penetration testing, the team methodology refers to the structured approach and collaboration among various specialized groups or teams to simulate real-world cyberattacks or exercises effectively. Here's a breakdown of common teaming approaches and <a href="https://www.techtarget.com/searchsecurity/answer/What-is-red-and-white-hat-hacking">types of ethical hackers</a>:</p> <ul class="default-list"> <li><b>Red team.</b> The <a href="https://www.techtarget.com/whatis/definition/red-teaming">red team</a> is the core penetration testing team that simulates real-world attackers. Their goal is to identify and exploit vulnerabilities to gain unauthorized access, mimicking the tactics, techniques and procedures (TTPs) of actual threat actors. The red team operates offensively.</li> <li><b>Blue team.</b> The blue team is the internal security team of the organization being tested. Their role is to detect, prevent and respond to the red team's activities, just as they would with a real attack.</li> <li><b>Purple team.</b> This team facilitates collaboration between red and blue teams, ensuring that insights from simulated attacks are effectively communicated and used to enhance defensive strategies.</li> <li><b>Green team.</b> The green team is responsible for developing and maintaining secure systems and applications. They integrate secure coding practices and conduct regular security reviews to identify and prevent vulnerabilities.</li> <li><b>Yellow team.</b> This team's main responsibility is to focus on <a href="https://www.techtarget.com/searchsecurity/definition/social-engineering">social engineering</a> tactics, testing the organization's susceptibility to phishing and other manipulation techniques.</li> <li><b>White team.</b> The white team oversees the entire penetration testing process, ensuring that ethical guidelines are followed, and that testing aligns with legal and organizational policies.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="What are the types of penetration testing?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are the types of penetration testing?</h2> <p>There are various types of pen testing strategies, each offering pen testers a certain level of information they need to carry out their attack.</p> <ol class="default-list"> <li><b>White box testing. </b>White box testing provides testers with all the details about an organization's system or target network and checks the code and internal structure of the product being tested. <a href="https://www.techtarget.com/searchsoftwarequality/definition/white-box">White box testing</a> is also known as open glass, clear box, transparent or code-based testing.</li> <li><b>Black box testing</b>. This is a type of behavioral and functional testing where testers aren't given any knowledge of the system. Organizations typically hire ethical hackers for <a href="https://www.techtarget.com/searchsoftwarequality/definition/black-box">black box testing</a> where a real-world attack is carried out to get an idea of the system's vulnerabilities.</li> <li><b>Gray box testing. </b>Gray box testing<b> </b>is a combination of white box and black box testing techniques. It provides testers with partial knowledge of the system, such as low-level credentials, logical flow charts and network maps. The main idea behind gray box testing is to find potential code and functionality issues.</li> <li><b>Targeted testing. </b>This type of testing is<b> </b>a collaborative effort between an organization's IT staff and external testers, who share an understanding of the testing's scope, objectives and timeline to enable real-time communication and immediate feedback. The main goal is to simulate realistic attack scenarios on critical systems, such as web applications, databases or internal networks to identify vulnerabilities that could be exploited by malicious actors.</li> <li><b>Web application testing. </b>This testing is conducted to find security weaknesses in web-based applications. This involves testing the application's endpoints, databases, source code and backend network. The main objective is to identify run-time vulnerabilities and check for <a href="https://www.techtarget.com/searchsoftwarequality/definition/SQL-injection">SQL injections</a>, cross-site scripting (<a href="https://www.techtarget.com/searchsecurity/definition/cross-site-scripting">XSS</a>) and authentication issues.</li> <li><b>Insider threat testing.</b> <a href="https://www.techtarget.com/searchsecurity/definition/insider-threat">Insider threat</a> testing focuses on simulating attacks originating from within an organization. Unlike external threats, these attacks are carried out by individuals who have authorized access to the organization's systems, such as employees, contractors or business partners. The primary goal is to identify vulnerabilities that could be exploited by insiders, whether maliciously or unintentionally.</li> <li><b>Wireless testing.</b> This type of testing is used to assess the security of <a href="https://www.techtarget.com/searchmobilecomputing/definition/Wi-Fi">Wi-Fi</a> networks and wireless protocols and the devices connected to them. This test examines the encryption methods, access controls and network configurations to identify weaknesses that could be exploited by unauthorized users.</li> <li><b>Internet of things testing. </b><a href="https://www.techtarget.com/iotagenda/tip/An-introduction-to-IoT-penetration-testing">IoT testing</a> is conducted to examine the security of IoT devices and networks, including vulnerabilities in devices, protocols and data transmission.</li> <li><b>Cloud testing. </b><a href="https://www.techtarget.com/searchstorage/definition/cloud-testing">Cloud testing</a><b> </b>evaluates the security of cloud-based infrastructure and services, including infrastructure-as-a-service (<a href="https://www.techtarget.com/searchcloudcomputing/definition/Infrastructure-as-a-Service-IaaS">IaaS</a>), platform-as-a-service (<a href="https://www.techtarget.com/searchcloudcomputing/definition/Platform-as-a-Service-PaaS">PaaS</a>) and software-as-a-service (<a href="https://www.techtarget.com/searchcloudcomputing/definition/Software-as-a-Service">SaaS</a>) options. Testers evaluate the configuration settings, access controls and data encryption mechanisms used within cloud environments to identify vulnerabilities and misconfigurations.</li> <li><b>Physical testing. </b><a href="https://www.techtarget.com/searchsecurity/tip/Physical-pen-testing-methods-and-tools">Physical pen testing</a><b> </b>is done to simulate real-world threats by attempting to bypass physical security controls, such as locks, alarms and security cameras, to gain unauthorized access to facilities or systems.</li> <li><b>API testing. </b><a href="https://www.techtarget.com/searchapparchitecture/definition/API-testing">API testing</a><b> </b>focuses on testing the security of APIs, which are crucial for modern application communication. It typically includes identifying vulnerabilities in authentication, authorization and data handling.</li> <li><b>Mobile testing. </b>A mobile application penetration test is a security assessment specifically focused on identifying vulnerabilities in mobile applications, such as those on Android and iOS and their related backend systems and APIs. It simulates real-world attacks to uncover weaknesses in the app's design, implementation and infrastructure that malicious actors could exploit.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="What are the stages of pen testing?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What are the stages of pen testing?</h2> <p>Pen testing can be divided into the following six stages:</p> <ol class="default-list"> <li><b>1.</b> <b>Reconnaissance and planning.</b> Testers gather all the information related to the target system from public and private sources. Sources might include incognito searches, social engineering, domain registration information retrieval and nonintrusive <a href="https://www.techtarget.com/searchnetworking/definition/network-scanning">network and vulnerability scanning</a>. The information is vital for the testers, as it provides clues into the target system's attack surface and open vulnerabilities, such as network components, operating system details, open ports and access points.</li> <li><b>2.</b> <b>Scanning.</b> Based on the results of the initial phase, testers might use various scanning tools to further explore the system and its weaknesses. Pen testing tools -- including war dialers, <a href="https://www.techtarget.com/searchsecurity/answer/What-is-a-port-scan-attack">port scanners</a>, security vulnerability scanners and network mappers -- are used to detect as many vulnerabilities and loopholes as possible. The vulnerabilities are then shortlisted for exploitation.</li> <li><b>3.</b> <b>Obtaining entry.</b> During this stage, testers exploit vulnerabilities assessed in the previous phase by making a connection with the target. The testers conduct common web application security attacks -- including a DoS attack, SQL injections and backdoors, session hijacking and XSS -- to expose the system's vulnerabilities, which are then <a href="https://www.techtarget.com/searchsecurity/feature/Why-companies-should-focus-on-preventing-privilege-escalation">exploited through privilege escalations</a>, traffic interception or data stealing techniques.</li> <li><b>4.</b> <b>Maintaining access.</b> This stage ensures that the penetration testers stay connected to the target for as long as possible and exploit the vulnerabilities for maximum data infiltration. This stage imitates an <a href="https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT">advanced persistent threat</a>, which can stay active in a system for prolonged periods to steal sensitive data and cause further damage.</li> <li><b>5. Analysis.</b> The testers analyze the results gathered from the penetration testing and builds them into a report. The report details each step taken during the testing process, including the following:</li> </ol> <ul class="default-list"> <li>The vulnerabilities the testers exploited.</li> <li>The type of sensitive data the testers accessed.</li> <li>The amount of time the testers stayed connected to the target.</li> </ul> <ol class="default-list"> <li><b>6. Cleanup and remediation.</b> Once the testing is complete, the pen testers should remove all traces of tools and processes used during the previous stages to prevent a real-world threat actor from using them as an anchor for system infiltration. During this stage, organizations should start remediating any issues found in their security controls and infrastructure.</li> </ol> </section> <section class="section main-article-chapter" data-menu-title="How often should pen tests be performed?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How often should pen tests be performed?</h2> <p>How frequently pen testing should be conducted depends on many factors, but most security experts recommend doing it <a target="_blank" href="https://static.fortra.com/core-security/pdfs/guides/fta-cs-2024-pen-testing-report-gd.pdf" rel="noopener">at least once a year</a>, as it can detect emerging vulnerabilities, such as <a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability">zero-day threats</a>.</p> <p>Organizations should consider the following factors when scheduling pen testing:</p> <ul class="default-list"> <li><b>Company size.</b> Larger organizations can suffer greater monetary and reputational losses if they fall prey to cyberattacks. Therefore, they should invest in regular security testing to prevent these attacks.</li> <li><b>Budget.</b> Pen testing should be based on a company's budget and how flexible it is. For example, a larger organization might be able to conduct annual pen tests, whereas a smaller business might only be able to afford them once every two years.</li> <li><b>Regulations.</b> Depending on the industry and regulations, certain organizations are required to conduct mandatory penetration testing. Examples include banking and healthcare organizations.</li> <li><b>Scope and objectives.</b> Organizations should ensure that the systems, applications and data that are being tested are within the scope of the pen test. This could include internal networks, web applications, cloud services or specific databases.</li> <li><b>Risk tolerance.</b> Companies should identify the acceptable level of risk for the organization, which will influence the scope and intensity of the test.</li> </ul> <p>In addition to regularly scheduled penetration testing, organizations should also conduct security tests when the following events occur:</p> <ul class="default-list"> <li>New network infrastructure or appliances are added to the network.</li> <li>Upgrades are performed on existing applications and equipment.</li> <li>Patches are installed for security.</li> <li>New office locations are established.</li> <li>End-user policies have been modified.</li> <li>Integrations are made with third-party services.</li> <li>A merger or an acquisition happens.</li> <li>After major cybersecurity events such as ransomware attacks.</li> <li>New and emerging technologies are adopted.</li> </ul> </section> <section class="section main-article-chapter" data-menu-title="How to perform a penetration test"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to perform a penetration test</h2> <p>Pen testing is unique from other cybersecurity evaluation methods, as it can be adapted to any industry or organization. Depending on its infrastructure and operations, an organization might want to use a certain set of hacking techniques or tools. These techniques and their methodologies can also vary based on the IT personnel and their company standards. Using the following adaptable six-step process, pen testing creates a set of results that can help organizations proactively update their security protocols:</p> <ol type="1" start="1" class="default-list"> <li><b>Preparation.</b> Depending on the organization's needs, this step can either be simple or elaborate. If the organization hasn't decided which vulnerabilities it wants to evaluate, a significant amount of time and resources should be devoted to combing the system for possible entry points. These in-depth processes are usually only necessary for businesses that haven't already conducted a complete audit of their systems. Once a <a href="https://www.computerweekly.com/feature/Vulnerability-assessment-done-Now-What">vulnerability assessment has been conducted</a>, however, this step becomes much easier.</li> <li><b>Construct an attack plan.</b> Before hiring ethical hackers, an IT department designs a cyberattack -- or a list of cyberattacks -- that its team should use to perform the pen test. During this step, it's also important to define what level of system access the pen tester has.</li> <li><b>Select a team.</b> The success of a pen test depends on the quality of the testers. This step is often used to appoint the ethical hackers who are best suited to perform the test. Companies can make these decisions based on employee specialties. For example, if a company wants to test its cloud security, a cloud expert might be the best person to evaluate its cybersecurity properly.</li> <li><b>Determine the stolen data type.</b> What is the team of ethical hackers stealing? The data type chosen in this step can have a profound effect on the tools, strategies and techniques used to acquire it.</li> <li><b>Perform the test.</b> This is one of the most complicated and nuanced parts of the testing process, as there are many automated tools and techniques testers can use, including Kali Linux, Nmap, <a href="https://www.techtarget.com/searchsecurity/tip/Using-Metasploit-for-real-world-security-tests">Metasploit</a> and <a href="https://www.techtarget.com/searchsecurity/tip/Wireshark-tutorial-How-to-sniff-network-traffic">Wireshark</a>.</li> <li><b>Integrate the report results.</b> Reporting is the most important step of the process. The results the testers provide must be detailed so the organization can incorporate the findings.</li> </ol> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-pen_testing-f.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/security-pen_testing-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-pen_testing-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-pen_testing-f.png 1280w" alt="Diagram showing the steps involved in penetration testing." height="560" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Penetration testing at a glance. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> </section> <section class="section main-article-chapter" data-menu-title="What happens after a pen test?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What happens after a pen test?</h2> <p>After a pen test is successfully concluded, an ethical hacker shares their findings with the information security team of the target organization. Ethical hackers usually <a href="https://www.techtarget.com/searchsecurity/tip/How-to-rank-network-security-vulnerabilities-in-your-system">rank and categorize the findings with a severity rating </a>so that the issues with the highest rating are given precedence during remediation.</p> <p>The organization uses these findings as a basis for further investigation, assessment and remediation of its security posture. The decision-makers and stakeholders also get involved at this stage and the organization's IT or security team creates deadlines to ensure all security issues are dealt with promptly.</p> <p>After completing remediation efforts, organizations conduct verification testing to ensure fixes effectively address vulnerabilities. They update security documentation and adjust policies as needed, incorporating lessons learned into their strategy. The process concludes with a review meeting for key stakeholders to discuss findings, options and plans for ongoing security improvements to maintain a strong security posture.</p> </section> <section class="section main-article-chapter" data-menu-title="What is the difference between pen testing and vulnerability assessments?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is the difference between pen testing and vulnerability assessments?</h2> <p>Although pen tests aren't the same as <a href="https://www.techtarget.com/searchsecurity/definition/vulnerability-assessment-vulnerability-analysis">vulnerability assessments</a>, which provide a prioritized list of security weaknesses and how to amend them, they're often performed together.</p> <p>The main characteristics of pen testing and vulnerability assessments are as follows:</p> <h3>Pen testing</h3> <ul class="default-list"> <li>Pen testing is more in-depth compared to vulnerability assessments and is often conducted with a particular goal in mind. These goals typically fall under one of the following three objectives: identify hackable systems, attempt to hack a specific system or carry out a data breach.</li> <li>Each objective focuses on specific outcomes that IT leaders are trying to avoid. For example, if the goal of a pen test is to see <a href="https://www.techtarget.com/searchsecurity/feature/6-data-breach-prevention-strategies-to-defend-against-attack">how easily a hacker could breach</a> the company database, the ethical hackers would be instructed to try to carry out a data breach.</li> <li>The results of a pen test will communicate the strength of an organization's current cybersecurity protocols, as well as present the available hacking methods that can be used to penetrate the organization's systems.</li> <li>Penetration testing is generally live and manual, making it more accurate.</li> <li>It takes longer to complete a pen test, typically a day to a few weeks.</li> <li>Pen testing can be expensive, and the price varies depending on the type of test conducted. According to RSI Security, on average, pen testing costs anywhere from $4,000 to $100,000.</li> </ul> <h3>Vulnerability assessments</h3> <ul class="default-list"> <li>Vulnerability assessments do passive scanning to search for known vulnerabilities in the system and report potential exposures.</li> <li>Scans are typically automated or scheduled.</li> <li>Vulnerability assessments can be completed in a few minutes to several hours.</li> <li>Vulnerability assessments are affordable and depending on the vendor, they can average $1,000 to $5,000 per assessment. Vulnerability assessments sometimes generate false positives.</li> </ul> <p><i>Discover how penetration testing helps identify security vulnerabilities and learn about the </i><a href="https://www.techtarget.com/searchsecurity/tip/11-open-source-automated-penetration-testing-tools"><i>top open source tools</i></a><i> used by ethical hackers for testing network, application and device security controls.</i></p> </section> A penetration test, also called a 'pen test,' is a simulated cyberattack on a computer system, network or application to identify and highlight vulnerabilities in an organization's security posture. https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg https://www.techtarget.com/searchsecurity/definition/penetration-testing Wed, 14 May 2025 09:00:00 GMT <p>The top 10 spyware list describes the most common <u>spyware</u> threats behind famous spyware attacks and is frequently identified by leading antispyware tools from vendors like Webroot, Norton and Malwarebytes.</p> <section class="section main-article-chapter" data-menu-title="What is spyware?"> <h2 class="section-title"><i class="icon" data-icon="1"></i>What is spyware?</h2> <p>Spyware refers to <a href="https://www.techtarget.com/searchsecurity/definition/malware">malicious software</a> purposely designed to access a computer and record its activity. Spyware can track and record a user's browsing habits, login credentials, passwords and more. The spyware author uses the information obtained in this data breach to engage in fraudulent activity or might sell it to a <a href="https://www.techtarget.com/whatis/definition/third-party">third party</a>.</p> <div class="youtube-iframe-container"> <iframe id="ytplayer-0" src="https://www.youtube.com/embed/ZgXw3WCNXc8?autoplay=0&amp;modestbranding=1&amp;rel=0&amp;widget_referrer=null&amp;enablejsapi=1&amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"></iframe> </div> <p>Spyware often spreads through <a href="https://www.techtarget.com/healthtechsecurity/news/366615273/Using-psychology-to-defend-against-phishing-attacks">phishing</a> emails, malicious downloads, fake apps or compromised websites. Once installed, it can run in the background logging keystrokes, capturing screenshots or transmitting sensitive data.</p> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/whatis-spyware_types.png"> <img data-src="https://www.techtarget.com/rms/onlineimages/whatis-spyware_types_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/whatis-spyware_types_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/whatis-spyware_types.png 1280w" alt="A chart showing four types of spyware, including adware, keyword loggers, Trojans and mobile spyware." height="282" width="560"> <figcaption> <i class="icon pictures" data-icon="z"></i>Adware, keyword loggers, Trojans and mobile spyware are common forms of spyware. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Visit our <a href="https://www.techtarget.com/searchsecurity/definition/spyware">spyware</a> feature page to learn more about this problem and how to beat it.</p> </section> <section class="section main-article-chapter" data-menu-title="The top 10 spyware threats"> <h2 class="section-title"><i class="icon" data-icon="1"></i>The top 10 spyware threats</h2> <p>Some of the top spyware threats organizations face today, according to security experts, include the following:</p> <h3>1. Advanced Keylogger</h3> <p>Advanced Keylogger, a <a href="https://www.techtarget.com/searchsecurity/definition/keylogger">keystroke logger</a>, monitors keystrokes and takes screenshots.</p> <h3>2. CoolWebSearch (CWS)</h3> <p>CoolWebSearch (CWS) is a software suite originally used to exploit vulnerabilities in Internet Explorer (<a href="https://www.techtarget.com/searchenterprisedesktop/definition/Internet-Explorer">IE</a>), which Microsoft officially retired in 2022. Though now considered outdated, CWS remains historically significant as one of the earliest, most aggressive examples of browser hijackers. It could rewrite search engine results, redirect <a href="https://www.techtarget.com/searchnetworking/definition/domain-name-system">DNS</a> lookups and change browser settings to push users toward ad-laden pages.</p> <h3>3. FinSpy (aka FinFisher)</h3> <p>FinSpy, or FinFisher, is an advanced suite of surveillance tools sold to law enforcement and intelligence agencies. FinSpy works on Windows, macOS, <a href="https://www.techtarget.com/searchdatacenter/definition/Linux-operating-system">Linux</a>, <a href="https://www.techtarget.com/searchmobilecomputing/definition/Android-OS">Android</a> and <a href="https://www.techtarget.com/searchmobilecomputing/definition/iOS">iOS</a> operating systems. Its capabilities vary depending on the platform. Law enforcement, intelligence agencies and <a href="https://www.techtarget.com/whatis/definition/threat-actor">threat actors</a> often use FinSpy to secretly turn on microphones to record conversations, switch on cameras, record and transmit images, transmit key logs in real time, modify files and more.</p> <h3>4. Gator (GAIN)</h3> <p>Gator is a type of <a href="https://www.techtarget.com/searchsecurity/definition/adware">adware</a> that can display banner advertisements based on a user's web surfing habits. Gator is often bundled with numerous free software programs and pirated applications. Gator monitors online user behavior and targets them with <a href="https://www.computerweekly.com/news/366622400/Meta-settles-lawsuit-over-surveillance-business-model">personalized ads</a>.</p> <h3>5. GO Keyboard</h3> <p>GO Keyboard was a virtual Android keyboard app that masqueraded as a legitimate <a href="https://www.techtarget.com/whatis/definition/mobile-app">mobile application</a>. It was found to transmit personal information to its remote servers without explicit user consent, violating Google Play policies. The app was eventually removed from the Google Play Store, but it serves as a cautionary example of the risks posed by third-party keyboard apps.</p> <p>Information shared by GO Keyboard spyware included the following:</p> <ul class="default-list"> <li>Android OS version.</li> <li>Device model and screen size.</li> <li>Google account email address.</li> <li>International Mobile Subscriber Identity (<a href="https://www.computerweekly.com/news/252485535/Police-secrecy-over-IMSI-catcher-mass-surveillance-of-mobile-phones">IMSI</a>).</li> <li>Location.</li> <li>Network type.</li> <li>Preferred language.</li> <li><a href="https://www.techtarget.com/whatis/definition/social-media">Social media</a> interactions.</li> </ul> <p>GO Keyboard executes code from a remote server to breach <a href="https://www.techtarget.com/searchmobilecomputing/definition/Google-Play-Android-Market">Google Play</a> privacy policies.</p> <h3>6. HawkEye</h3> <p>HawkEye, a keylogger <a href="https://www.techtarget.com/searchsecurity/definition/virus">virus</a>, was dormant for years but resurfaced during the COVID-19 pandemic. It infects machines to track key logs and other inputs, sharing that information with a remote server. New versions are increasingly difficult to detect due to enhanced anti-detection features. One campaign impersonated the World Health Organization in a <a href="https://www.techtarget.com/searchsecurity/definition/social-engineering">social engineering attack</a> designed to trick users into downloading a malicious <a href="https://www.techtarget.com/searchsecurity/answer/How-secure-is-an-email-with-a-pdf-attachment">attachment</a>.</p> <h3>7. HuntBar</h3> <p>HuntBar is a <a href="https://www.techtarget.com/searchsecurity/definition/Trojan-horse">Trojan application</a> that hijacks web browser settings and downloads and installs adware without the user's knowledge. Also known as Adware, Websearch or WinTools, HuntBar tracks browsing behavior, redirects web traffic to affiliate websites, forcefully displays advertisements and installs more spyware programs and toolbars on IE.</p> <h3>8. Look2Me</h3> <p>Look2Me is spyware that tracks user behavior, website logs and social media interactions and shares this information with a remote server. The information is then used to show intrusive advertisements. Look2Me spyware also downloads and installs various <a href="https://www.techtarget.com/whatis/definition/add-on">add-ons</a>, <a href="https://www.techtarget.com/whatis/definition/extension">extensions</a>, toolbars and other unwanted programs on a user's computer. This makes the spyware threat more dangerous than traditional adware. Removing Look2Me is difficult because of its <a href="https://www.techtarget.com/searchsecurity/definition/rootkit">rootkit</a>-type functionality.</p> <h3>9. Pegasus</h3> <p>NSO Group's <a href="https://www.techtarget.com/searchsecurity/definition/Pegasus-malware">Pegasus spyware</a> is one of the latest spyware threats making headlines. Although Pegasus was initially developed to fight terrorism, evidence suggests that many clients use Pegasus to spy on journalists, political activists, political opponents and almost anyone the client desires. The governments in France, Hungary, India, Saudi Arabia, United Arab Emirates, the United Kingdom and the United States are known to <a href="https://www.computerweekly.com/news/366614412/Democracy-campaigner-to-sue-Saudi-Arabia-over-Pegasus-and-QuaDream-spyware-in-UK-court">have used Pegasus spyware</a>.</p> <h3>10. PhoneSpy</h3> <p>PhoneSpy is an example of a spyware virus that pretends to be a mobile application to gain access to and infect <u>Android</u> mobile devices. This approach allows threat actors to remotely control mobile devices and steal data. Mobile applications with PhoneSpy aren't available on Google Play Store, so it's believed to spread through social engineering attacks and third-party platforms.</p> </section> <section class="section main-article-chapter" data-menu-title="Emerging mobile spyware threats"> <h2 class="section-title"><i class="icon" data-icon="1"></i>Emerging mobile spyware threats</h2> <p>As mobile device usage continues to rise, threat actors have increasingly turned to smartphones as high-value targets. Here are a few of the most concerning <a href="https://www.techtarget.com/searchmobilecomputing/tip/How-to-prevent-and-remove-mobile-spyware">mobile spyware</a> threats discovered in recent years:</p> <h3>Hermit</h3> <p>Hermit is a powerful mobile spyware tool designed to infect both Android and iOS devices. Typically delivered via fake mobile carrier apps or malicious links in <a href="https://www.techtarget.com/searchmobilecomputing/definition/Short-Message-Service">SMS</a> messages, Hermit can record audio, track location, intercept texts and access contact lists. It has been linked to state-sponsored surveillance campaigns targeting journalists and political figures.</p> <h3>SpyNote</h3> <p>SpyNote is a remote access trojan (<a href="https://www.techtarget.com/searchsecurity/definition/RAT-remote-access-Trojan">RAT</a>) that targets Android users. Once installed, it allows attackers to record audio, access text messages and call logs, and even activate the device's camera without user consent. SpyNote is often disguised as a legitimate app and distributed through unofficial app stores or phishing links.</p> <h3>Anatsa (also known as TeaBot)</h3> <p>Anatsa is a banking Trojan with spyware-like capabilities. It has been known to steal login credentials by capturing keystrokes and recording screen activity on Android devices. Anatsa spreads through fake app downloads posing as <a href="https://www.techtarget.com/whatis/definition/QR-code-quick-response-code">QR code</a> readers, PDF viewers or security apps.</p> </section> <section class="section main-article-chapter" data-menu-title="How to protect yourself from spyware"> <h2 class="section-title"><i class="icon" data-icon="1"></i>How to protect yourself from spyware</h2> <p>Spyware can be difficult to detect until it's already compromised your device. Here are simple best practices to help reduce the risk of infection:</p> <ul class="default-list"> <li>Use reputable <a href="https://www.techtarget.com/searchsecurity/definition/antivirus-software">antivirus</a> and <a href="https://www.techtarget.com/whatis/definition/anti-spyware-software">antispyware</a> software and keep it up to date.</li> <li>Avoid downloading apps or files from untrusted sources, especially third-party websites.</li> <li>Enable automatic software updates on your devices to patch known vulnerabilities.</li> <li>Use strong, unique passwords and turn on two-factor authentication (<a href="https://www.techtarget.com/searchsecurity/definition/two-factor-authentication">2FA</a>) for sensitive accounts.</li> <li>Be cautious of phishing emails and attachments, especially those with urgent or alarming messages.</li> <li>Review app permissions before installing, particularly for mobile apps that request access to contacts, location or cameras.</li> </ul> <figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-twofactor_authentication.jpg"> <img data-src="https://www.techtarget.com/rms/onlineImages/security-twofactor_authentication_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-twofactor_authentication_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/security-twofactor_authentication.jpg 1280w" alt="A visual describing two-factor authentication." height="708" width="559"> <figcaption> <i class="icon pictures" data-icon="z"></i>Two-factor authentication is a good form of spyware protection. </figcaption> <div class="main-article-image-enlarge"> <i class="icon" data-icon="w"></i> </div> </figure> <p>Staying alert and maintaining good digital hygiene can significantly lower your risk of falling victim to spyware.</p> <h3>FAQs about spyware threats</h3> <ol type="1" start="1" class="default-list"> <li><b>Can spyware infect mobile devices?</b><br>Yes. Spyware is increasingly targeting mobile devices through fake apps, malicious links and phishing messages. <a href="https://www.techtarget.com/searchmobilecomputing/tip/Are-iPhones-more-secure-than-Android-devices">Android devices are especially vulnerable</a> when apps are downloaded from third-party sources.</li> <li><b>What is the most dangerous spyware in 2025?<br></b>Pegasus remains one of the most sophisticated spyware tools in use. However, newer threats like Hermit and Anatsa are also highly capable and dangerous, especially on mobile platforms.</li> <li><b>How do I know if my device has spyware?</b><br>Common signs include unexpected battery drain, overheating, slow performance, unknown apps appearing, and unusual network activity. If you suspect spyware, run a trusted mobile security scan and review app permissions.</li> <li><b>Is Pegasus spyware still active?</b><br>Yes. While originally marketed for counterterrorism, Pegasus has been used by various governments and entities for broader surveillance. It <a href="https://www.computerweekly.com/news/366551655/Polish-election-questioned-after-Pegasus-spyware-used-to-smear-opposition-investigation-finds">remains a high-profile threat</a> and continues to evolve.</li> </ol> <p><i>Learn more on </i><a href="https://www.techtarget.com/searchsecurity/tip/Check-IT-List-How-to-prevent-spyware"><i>how to prevent spyware</i></a><i> through best practices, including using a layered defense or content filtering. See how to </i><a href="https://www.techtarget.com/searchsecurity/tip/How-to-protect-against-malware-as-a-service"><i>protect against malware as a service</i></a><i>. Also, protecting your endpoints is critical for maintaining security. Learn why </i><a href="https://www.techtarget.com/searchsecurity/ehandbook/Why-EDR-technologies-are-essential-for-endpoint-protection"><i>endpoint detection and response technologies are essential for endpoint protection</i></a><i>. Explore how to </i><a href="https://www.techtarget.com/searchmobilecomputing/tip/How-to-protect-mobile-devices-from-malware-in-the-enterprise"><i>protect, detect and remove malware from mobile devices</i></a><i>.</i></p> </section> The top 10 spyware list describes the most common spyware threats behind famous spyware attacks and is frequently identified by leading antispyware tools from vendors like Webroot, Norton and Malwarebytes. https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg https://www.techtarget.com/whatis/definition/Top-10-Spyware-Threats Thu, 08 May 2025 14:35:00 GMT 60 webmaster@techtarget.com