Current Cybersecurity Trends Articles | eSecurityPlanet (https://www.esecurityplanet.com/trends/): Industry-leading guidance and analysis for how to keep your business secure. Feed updated Wed, 05 Jul 2023 12:10:31 +0000.

Free Vulnerability Management Policy Template (+ Examples)
https://www.esecurityplanet.com/trends/vulnerability-management-policy/
Mon, 03 Jul 2023 10:10:00 +0000

We have provided everything you need to create a vulnerability management policy for your organization. Download the template now.

The post Free Vulnerability Management Policy Template (+ Examples) appeared first on eSecurityPlanet.

A vulnerability management policy sets the ground rules for the process, minimum standards, and reporting requirements for vulnerability management.

An effective vulnerability management policy can help with the cyclical process of discovering and managing vulnerabilities found within IT hardware, software, and systems. A documented policy enables IT teams to create a trackable and repeatable process that meets the expectations of executives and conforms to compliance requirements.

This article helps organizations of all sizes to start the policy creation process with a fundamental overview and a downloadable template.

Free Vulnerability Management Policy Template

As both an example and a starting point, eSecurity Planet has developed a free vulnerability management policy template for organizations to download, modify to meet their needs, and use. Notes of explanation or instructions on how to use the template are enclosed [between brackets], and these sections should be removed from final drafts.

The sample vulnerability management policy contains many sections, but not all sections will be required for all organizations, and others might require more details. See Common Vulnerability Management Policy Sections below for more details.

How to Create a Vulnerability Management Policy in 4 Steps

All security policies share the same four key steps for creating a policy, and they are explored in detail in IT Security Policies: Importance, Best Practices, & Top Benefits. For a functional vulnerability management policy, we summarize these steps as:

  1. Determine the Vulnerability Management Policy: Determine the responsible parties, who or what is covered, basic processes, validation methods, and reports.
  2. Verify the Vulnerability Management Policy: Formally check that the basic policy developed in step 1 satisfies the complete needs of the organization and any compliance requirements.
  3. Approve the Vulnerability Management Policy: Draft official language and circulate the policy for approval by affected stakeholders and executives.
  4. Review and Modify the Vulnerability Management Policy: Periodically review the policy to ensure it remains updated and continues to satisfy the evolving needs of the organization.

Don’t know where to start? Write down the current practice. Most IT teams have at least an informal process for obtaining and applying updates and patches, even if they are not written down or monitored.

While updates and patching are only a subset of vulnerability management, they at least provide a starting point for a more comprehensive policy. If the organization already has processes for double-checking configurations for networking equipment or open ports on server firewalls, those can also be added and broadened into a more comprehensive policy that encompasses more IT systems.

Although the basics of IT security policy creation remain the same for every policy, vulnerability management is a frequently regulated requirement, and organizations will need to apply extra caution in verifying compliance requirements. Additionally, the organization may be required to, or may choose to, comply with compliance frameworks (NIST, PCI DSS, etc.) and industry standards. The policy development team needs to check these external regulations and revise any rule that does not meet the compliance requirements.

Some compliance standards are broad and vague; others are detailed or have specific requirements. For example, the CIS Critical Security Controls requirements are broad:

  • 7.1 Establish and Maintain a Vulnerability Management Process: Create and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.
  • 7.2 Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process with monthly, or more frequent, reviews.

The CIS requirement specifies a need for the existence of a vulnerability management process, but does not specify the content or requirements for what might need to be included in the vulnerability management process or risk-based remediation strategy.

The credit card industry PCI DSS requirements will be more specific. For example, a restaurant chain may already have a patching process and policy that covers their computers. However, PCI DSS may require vulnerability scanning for a network, evaluation of point of sale (POS) terminals, and periodic penetration testing.

Practical limitations also apply. In the restaurant chain example above, perhaps the patch management tool managing the current patch management policy cannot scan for network vulnerabilities or for updates on the POS terminals. The current patching tool will need to be upgraded or complemented by a vulnerability management tool, a vulnerability management service, or a penetration testing service that can meet the PCI DSS regulatory requirements.

Common Vulnerability Management Policy Sections

In the most effective vulnerability management policies, there are required, recommended, and bonus (aka nice-to-have) sections.

Required Sections

These core sections should be part of every policy related to Vulnerability Management:

  • Scope: What IT assets and systems are covered by the policy.
  • Vulnerability Management Authority: Who is in charge and responsible for the vulnerability management policy and its execution.
  • Vulnerability Identification: Determine the type of vulnerability scans, penetration tests, and other methods required to identify vulnerabilities for mitigation.
  • Vulnerability Evaluation: How to verify, evaluate, and rank the severity of the discovered vulnerability.
  • Vulnerability Priority: How to prioritize vulnerabilities in the context of the risk of the exposed assets.
  • Vulnerability Mitigation Guidelines: Define the vulnerability mitigation process, from mitigation design and testing through scheduling the mitigation to verifying successful mitigation.
  • Mitigation Tracking and Exceptions: Requirements for tracking new, ignored, and mitigated vulnerabilities.
  • Vulnerability Management Reporting: How to measure success and compliance with vulnerability management with reports, plus how and what to report.

Recommended Sections

These sections help to flesh out the vulnerability management policy with additional rules to protect the organization and to help prepare the IT department:

  • Asset List: A list of resources or links to asset lists to help define the scope of systems and software tracked for patching and updating.
  • Audit Controls and Management: Outline what reports, logs, and information can satisfy internal and external auditors to track vulnerability management success and verify vulnerabilities have been successfully mitigated.
  • Enforcement: Penalties that the IT department may incur for failure to execute the vulnerability management process.
  • Distribution: Who must or should receive the vulnerability management policy.
  • Policy Version: Tracking versions and approvals of the vulnerability management policy.

See Top IT Asset Management Tools for Security to discover the best ITAM software and their key features.

Bonus / Nice-to-Have Sections

These sections do not change the core elements of the vulnerability management policy, but can make the policy more usable or comprehensive.

  • Overview: Sets expectations and goals for the policy.
  • Definitions: Technical term and acronym definitions can be useful to help non-technical readers understand the policy; generic terms can be defined for clarity.
  • Compliance Appendix: Copies or links to relevant compliance frameworks with which the organization must comply.

Top 5 Vulnerability Management Policy Best Practices

All security policies share the same five best practices for creating a policy, and they are explored in detail in IT Security Policies: Importance, Best Practices, & Top Benefits. For a functional vulnerability management policy, we summarize these practices as:

  • Focus on What to Do, Not How: By focusing on goals and objectives, a policy can set standards while allowing the vulnerability management team the flexibility to determine the best solution to meet those goals and objectives.
  • Make Policies Practical: The vulnerability management team needs to be able to understand and implement the policy.
  • Right-size Policy Length: Too short and the policy may not have sufficient requirements to be verified; too long and the policy may become over-prescriptive or hard to understand.
  • Keep Policies Distinct: Overlapping policies can introduce conflicts or become more difficult to keep current.
  • Make Policies Verifiable: Effective policies require reports that prove the policy is both in place and effective.

The eSecurity Planet template seeks to be more comprehensive than some organizations may need, so every organization should review the template and add or remove content to fit their needs.

Beyond the standard best practices, vulnerability management benefits from additional considerations. To keep policies practical, exhibits or additional reports can be used to provide details that may need to be changed more frequently than the policy itself. For example, in the sample template, the IT team is required to maintain a list of the types of vulnerability scanners used to detect potential vulnerabilities.

Although every organization should begin drafting policies based upon existing practices and capabilities, this can lead to a trap of preserving incomplete processes into written policies. The organization should carefully examine their environment and ensure the policy reflects their true needs.

For instance, an IT team of a hospital may use a commercial tool to conduct vulnerability scanning of their IT environment, but the tool may only scan PCs, network devices, and servers, which leaves an enormous range of healthtech devices unscanned for vulnerabilities. Their policy requirements should not reflect the limited devices currently scanned, but the full range of devices that need to be included in the vulnerability management process.

Top 6 Benefits of an Effective Vulnerability Management Policy

Organizations of all sizes tend to avoid the hassle of documentation because the task seems overwhelming, tedious, and constraining. However, any effective security policy delivers six key benefits:

  • IT Hardening: Creating and reviewing a security policy forces the IT and security teams to evaluate and potentially improve security practices.
  • Employment Defense: In the event of a breach, IT and security teams can be protected if they can show compliance with an executive-approved written policy.
  • Executive & Board Member Peace of Mind: Plain-language reports required by effective policies can illustrate the security posture of the organization clearly to executives and the board.
  • Litigation Protection: Breaches happen, but lawsuits and regulators will be less of an issue if the organization can provide reports and other evidence showing compliance with policies that encompass reasonable security efforts.
  • Compliance Easy Button: When the policy encompasses the compliance requirements, policy-required reports will automatically be available for auditors.
  • Improved Operational Efficiency and Resilience: Effective policies ensure stronger security postures, eliminate configuration issues, and decrease the opportunities for attackers to cause operational disruptions.

Bottom Line: Adopt Vulnerability Management Policies Today to Gain Benefits

No policy will be perfect, but organizations should start developing a vulnerability management policy as soon as possible so they can begin to reap the benefits, such as IT hardening and simplified compliance. The adoption of any policy will be an iterative process, so get a good version 1.0 in place and be prepared to revise it to meet real-world conditions.

IT Security Policy: Importance, Best Practices, & Top Benefits
https://www.esecurityplanet.com/compliance/it-security-policies/
Thu, 29 Jun 2023 11:45:00 +0000

IT security policies are essential to get right. Discover their importance and benefits. Learn best practices for safeguarding your organization's network.

The post IT Security Policy: Importance, Best Practices, & Top Benefits appeared first on eSecurityPlanet.

Written security policies do not directly improve network security, so some security practitioners sneer at written policy requirements. However, security practitioners in mature organizations not only understand the importance and benefits of written policies, they draft and promote the regulations that declare formally drafted policies as the basic requirement to start down the path to security maturity.

Policies provide a foundation of directives, regulations, rules, and practices that define how each organization will manage, protect, and distribute information. Additionally, regulators often cite a lack of formal policies as negligence as well as cause for higher fines and punishments after a breach.

This article explores IT security policies through the topics covered in the sections below.

What Is the Ultimate Goal of an IT Security Policy?

The ultimate goal of an IT security policy is to provide a formalized set of rules and policies to benchmark the IT and cybersecurity posture of an organization. This benchmark can be used for a variety of purposes, but will most often be used to:

  • Demonstrate that risks are controlled and managed
  • Meet compliance obligations
  • Measure quality and capabilities of controls and staff
  • Mitigate liabilities in the event of a breach

The Importance & Core Objectives of IT Security Policies

The U.S. National Institute of Standards and Technology (NIST) published An Introduction to Information Security (NIST SP 800-12) that declares:

“Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.”

To organizations new to written policies, starting the process of developing security policies can be intimidating. Yet every organization already follows security strategies, even if they are unwritten and unofficial. The key disadvantage of these unwritten security strategies is that when they fail to protect the resources, the organization will struggle to prove to regulators and juries that the IT and security teams executed an appropriate and sufficient cybersecurity strategy.

Written policies, especially those that require regular reports, naturally generate the evidence of compliance. They also show a formal security strategy that has been approved by corporate management.

Most importantly, written policies enable key IT security objectives that will have a daily impact on the organization by formalizing IT security strategies, goals, and objectives; managing user behavior; and measuring IT security success.

Formalize IT Security Strategies, Goals, & Objectives

Written policies provide written instructions that can be used to show the intended strategy of the organization. Most strategies focus on the key objectives of information security:

  • Confidentiality: Allow access to specific data only to the users that need access
  • Integrity: Prevent accidental or unauthorized modification of data in storage or in transit
  • Availability: Provide continual access to data and systems for legitimate users

However, existing practices will not always incorporate best practices or adequately address these key objectives. The process of developing a security policy helps the IT security team reflect on and improve current practices, because they are forced to write them down and compare them against goals and compliance requirements.

The policy creation process also helps to align the IT security goals and objectives with those of the business as policy goes through review by non-technical executives affected by the policies. In the end, the organization should enjoy the benefits of a policy that provides formal strategies, goals, and objectives that enable business growth within the protection of validated IT security strategies.

Manage User Behavior

Policies provide rules for acceptable use, access, and penalties for non-compliance for users of all kinds, from guest users on the public Wi-Fi network to administrative access of data center servers. These written policies then guide the settings within identity and access management (IAM) or privileged access management (PAM) tools.

Of course, IAM and PAM tools can be established without written policies, but written policies ensure consistent rules applied across the organization. The formal policies also provide a standard that can be compared against practices to determine if the practices are sufficient and within compliance.

Measure IT Security Success

An effective policy sets clear expectations for the IT security team. Reports required by policies should show compliance with the policy and enable the IT security team to measure their success in meeting the goals of the policy.

While employees always strive for success, falling short can also be used to justify increases in resources. For example, if reports required by the patch management policy show that the patching of critical updates takes longer than desired, the management can consider adding more resources or outsourcing some functions.

6 Top IT Security Policy Benefits

Organizations of all sizes tend to avoid the hassle of documentation because the task seems overwhelming, tedious, and constraining. However, an effective security policy delivers six key benefits: IT hardening, employment defense, executive and board member peace of mind, litigation protection, compliance easy button, and improved operational efficiency and resilience.

IT Hardening

Developing an effective security policy will naturally enable a security process that hardens the IT environment against attack. Although some might consider compliance the primary motivation for written policies, the process of creating the policy forces security teams to evaluate systems more rigorously and address issues that might be overlooked in day-to-day operations.

Employment Defense

Despite the best efforts of the IT team, people will still click on phishing links, zero-day vulnerabilities will still be discovered, and company resource constraints may require some vulnerabilities to remain exposed. Although compliance with security policies can reduce the risk, attacks may still succeed in damaging the organization.

In many cases, executives may initially look for a scapegoat to take the blame for an incident and IT or security teams often will be targeted. An IT or security team that can demonstrate compliance with an executive-approved security policy also shows that best efforts were made to prevent possible breaches. This documentation can protect employees against unfair treatment after a breach and protect their jobs.

Executive & Board Member Peace of Mind

Effective security policies require reports that can be shared with non-technical executives to enable confidence in the IT and security teams. Policies reduce technical details into numeric reports and easy-to-understand metrics that make the status of security processes understandable and accessible to non-technical executives.

Clear reports enable smooth communication with executives and the board of directors of an organization to help build confidence in the security posture of the organization. Such reports not only demonstrate that the organization considers information security a high priority, but also build confidence that can translate into improved support for additional resources.

Litigation Protection

In the event of a breach or successful cybersecurity attack, government agencies or stakeholders may attempt to pursue legal action against the organization. Fortunately, legal standards generally only require “reasonable efforts,” which can be supported with the documentation from an effective security policy and the reports that demonstrate the policies have been implemented.

Organizations without formal reporting and processes will need to scramble to figure out what documentation may be required to support past efforts and then hope they still have the archival logs or other data to create that documentation. Organizations with formal documentation and reporting will already have a significant portion of their evidence ready to present with minimal effort or business disruption.

Compliance Easy Button

An effective security policy should be designed to reflect the compliance requirements of the organization. Auditors always ask for written policies to help them easily understand the objectives of the organization and the type of evidence they can expect to receive.

Fulfilling a written policy that has already conformed to a compliance framework makes it easy for the organization to satisfy the regulatory requirements. The organization’s regular internal reports will naturally provide evidence of compliance without any additional effort or steps.

Improved Operational Efficiency & Resiliency

An effective portfolio of security policies can help the organization:

  • Recognize end-of-life hardware and software for replacement
  • Quickly recognize infrastructure under strain from attack, failure, or workload
  • Verify settings and integration between systems
  • Ensure resilience of systems to minimize downtime
  • Ensure integrity and availability of data
  • Document uptime for internal and customer service level agreements (SLAs)

The survival of the business depends upon uptime and protected assets. Formalized documentation of security processes provides an internal checklist to protect assets, maintain uptime, and minimize mistakes.

Written policies also help with IT personnel transitions by providing documentation of expectations and reports of past activity. These will combine to save time by helping new IT employees grasp the status and expectations of the organization with less training.

3 Types of Security Policies

When developing a comprehensive set of security policies, an organization can get lost in the details. The SANS Institute alone provides templates for more than 60 different policies! These granular policies help a mature organization, but an organization just getting started needs a bit more focus.

The three types of policies defined by the National Institute of Standards and Technology (NIST) Special Publication 800-12 include program, issue-specific, and system-specific policies.

Program policies provide strategic, high-level guides of the overall information security program. These can be singular programs, such as this program policy for the University of Arizona, that provide an overview of the goals and objectives of the security program. These policies are intended to be evergreen and not require frequent updates, and often will reference other types of policies in an appendix that can be updated more frequently without requiring updates for the program policy itself. Program policies tend to be too vague to measure or verify. Other types of non-security program policies might include business continuity or risk management.

Issue-specific policies provide directed guides for specific components of the information security program, but at a level of abstraction that describes goals, objectives, and reporting requirements instead of naming specific tools, techniques, and settings. These policies need to be reviewed periodically to ensure they remain current in the face of organizational, technological, or compliance changes. Examples of issue-specific security policies include network security, password, endpoint, and encryption policies. Some issue-specific policies may fall under multiple program policies such as data backup (security, business continuity) or acceptable-use policies for employees (security, HR).

System-specific policies describe how issue-specific policies will be applied and enforced on specific systems. For example, how the network security, user access, vulnerability management, and change control policies might be enforced for a specific firewall or a classification of servers in a data center. These detailed policies will be enforced through settings on the devices or through centralized software that can manage the devices.

Common Issue-Specific Policies

For an organization beginning to implement security policies, the focus should start with relevant issue-specific policies. The specific key policies will depend upon the organization. Although many will start with access, network, endpoint, and password policies, these priorities reflect a traditional IT environment. A small virtual office of five stock brokers using Google Workspace might instead focus on policies for data security, data backup, and remote access policies to comply with SEC and FINRA requirements.

Here are 10 common issue-specific and related policies:

  • Acceptable Use Policy (AUP)
    • Instructs the organization how end users are permitted to use IT systems and services (computers, networks, data, internet, email)
    • Related policies: security awareness training policy, executive and administrative access policy
  • Access Policy
    • Instructs an organization how to classify, enforce, and manage access, authentication, and accounting of users across various system and data classifications
    • Related policies: physical access policy, system access policy, privileged access policy, remote access policy (may include remote desktop [RDP] or virtual private network [VPN] policies), password policy, identity and access management policy, multi-factor authentication (MFA) policy, vendor management policy
  • Application Security Policy
    • Instructs an organization how to secure code development and the connections to other corporate resources
    • Related policies: application programming interface (API) security policy, database security policy, application development policy
  • Cloud Security Policy
    • Instructs an organization how to secure access, data, networks, and applications on cloud-based resources
    • Related policies: cloud use policy, software as a service (SaaS) security policy, infrastructure as a service (IaaS) policy
  • Data Management Policy
    • Instructs an organization on the retention, management, and security of different classifications of data
    • Related policies: data retention policy, insider threat protection policy, encryption and cryptography policy, information security policy, data and asset classification policy, regulated data policy
  • Disaster Recovery Plan
    • Instructs an organization how to proceed with business recovery under various emergency circumstances
    • Related policies: backup policy, redundancy policy, capacity planning policy, stress testing policy
  • Endpoint Security Policy
    • Instructs an organization how to secure access, data, and applications on user-accessed endpoints that connect to the organization’s network and other resources
    • Related policies: endpoint security policy, bring-your-own-device (BYOD) security policy, mobile device policy, server security policy, container security policy
  • Incident Response and Monitoring Policy
    • Instructs an organization how to detect, identify, validate, track, mitigate, remediate, and manage potential security incidents
    • Related policies: log tracking and audit policy, attack-specific policies (ransomware, DDoS, etc.), data breach response policy
  • Network Security Policy
    • Instructs an organization how to secure access, data flows, and monitor connections between users and data
    • Related policies: firewall security policy, network security policy, email protection and security policy, wireless network and guest access policy
  • Vulnerability Management Policy
    • Instructs an organization how to locate, validate, prioritize, mitigate, and track vulnerabilities
    • Related policies: patch management policy, change management policy, vulnerability scanning policy, penetration test policy

5 Best Practices for Writing IT Security Policies

An organization can create an effective security policy by following five key best practices: focus on what to do rather than how, make policies practical, right-size policy length, keep policies distinct, and make policies verifiable.

Focus on What to Do, Not How

Technology changes so quickly that a policy will usually not be able to keep up with the technical details such as security tools and IT architecture specifics. When writing any IT-related policy, the policy should focus on the high-level goals, key deliverables, and compliance requirements.

The IT team will then use those requirements in combination with their budget and personnel constraints to develop an appropriate solution. Too many details either force the policy to be updated constantly or lock the IT team into obsolete tools, practices, or perspectives that may ultimately undermine rather than strengthen security. Where needed, exhibits or additional reports can be used to provide details that may need to be changed more frequently than the policy itself.

Some organizations will consider system-specific policies an exception that requires detailed descriptions of tools, settings, and allowed users. However, others keep system-specific policies at a high level and maintain separate work instructions that contain the details. This is a matter of preference for the individual organization.

Make Policies Practical

Security policies won’t be successful if they do not work for the team responsible for the policy, are not understandable, or don’t fit the organization. In some cases, these objectives will come into conflict, and the policy-creating team will need to work with stakeholders to strike an effective balance.

Stakeholder-Friendly Policies

Stakeholder-friendly policies will be more readily adopted by IT and security teams responsible for implementing the policy or the users affected by them. When policies demand too many changes, impractical requirements, or exceed the resource constraints, the policies may be undermined, circumvented, or ignored.

To enable stakeholder-friendly policies, don’t dramatically change practices or add unnecessary details and instructions. Unless required by compliance or best practices, build on existing practices to enable rapid adoption by both affected users and the teams enforcing the policy.

Additionally, use titles instead of names and tool categories instead of specific security tool names. This prevents the need to change the policy for every tool change, personnel change, or outsourcing engagement.

Understandable Policies

Not all readers have English as their first language, especially in international companies attempting to standardize policies worldwide. When drafting policies, use simple language written plainly for both the non-technical and non-legal audience.

During the drafting process, the document should be distributed to executives, legal counsel, and key staff members responsible for implementing the policy. Any confusion, vagueness, or uncertainty should be addressed and eliminated before approving the policy.

Fit Organization Needs

Tools and processes must fit the true needs of the organization and should not be followed blindly or without thought. Although every organization should begin drafting policies based upon existing practices and capabilities, this can lead to the trap of enshrining incomplete processes in written policies. The organization should carefully examine its environment and ensure the policy reflects its true needs.

For example, an IT team of a hospital may use a commercial tool to conduct vulnerability scanning of their IT environment, but the tool may only scan PCs, network devices, and servers, which leaves an enormous range of healthtech devices unscanned for vulnerabilities. Their policy requirements should not reflect the limited devices currently scanned, but the full range of devices that need to be included in the vulnerability management process.

Policies should also have minimal exceptions and those exceptions should be documented. If the C-suite executives insist on being exempted from the password policy, then they should also be prepared to justify that exemption in court once the company suffers a breach. Just like employees, senior management should understand, agree with, and be bound by security policies.

Right-Size Policy Length

Policies should be no longer and no shorter than needed. IT and security teams often favor shorter policies because the lack of defined requirements provides them with maximum flexibility for execution. However, the lack of defined requirements often leaves gaps or makes the policies hard for management or compliance to verify.

On the other hand, attorneys often feel compelled to lock down as many details as possible to make verification simpler and to clarify as many points as possible. Unfortunately, this tends to lead to over-prescriptive requirements that lock an IT team into the requirements of the moment and leave little room for keeping up with a dynamic IT environment.

These opposing forces must be balanced. IT teams, executives, and attorneys must work together to enable a document with sufficient detail so that the IT team can clearly demonstrate compliance with the policy, but not so much detail the policy becomes a shackle on the vulnerability management process.

Keep Policies Distinct

Security and compliance teams will look for information in expected policies. For example, to look up policies regarding endpoint protection, most would first look for an overall security policy or a specific endpoint protection policy. To bury the information in a vulnerability management policy is unintuitive and may lead to confusion.

Security policy creation teams should also avoid the temptation to copy-paste elements from other existing policies, such as a password policy, into semi-related policies (remote access, endpoint protection, etc.) for completeness. Unless the documents are linked to enable automatic updates, the copied information will rapidly become out of date. Instead of inserting sections of the other existing policies, reference them as needed.

Policies should be individually comprehensive with minimal overlap. Overlap with other policies can lead to language conflicts, uncertainties, and gaps in compliance and security. In the event an organization decides to mix policies, an index or guide should be produced to help team members locate policy information rapidly.

Make Policies Verifiable

Vague policies with nebulous, undefined deliverables satisfy only the requirement to have a policy, not the requirement to have a useful one. Effective policies define the deliverables clearly so that the IT or security team will have no difficulty satisfying policy requirements.

The security process should be measurable and testable to prove compliance with the policy as well as any relevant compliance frameworks. Reporting requirements should document metrics for measurement, define needed evidence (log files, vulnerability scans, etc.), the frequency of reports, and who should receive the reports.

How to Create a Security Policy in 4 Steps

Organizations large and small can create a functional security policy by following four key steps: determine the security policy principles, verify the vulnerability management policy, approve the vulnerability management policy, and review and modify the vulnerability management policy.

Determine the Security Policy Principles

The person or team drafting the policy will first need to determine the critical rules and steps within the vulnerability management policy. For example, some fundamental questions to answer include:

  • Who is responsible for the security process or standard?
  • Which people, assets, or systems will be covered by the security process or standard?
  • What are the security processes, standards, components, and priorities for each?
  • How can the security process or standard be validated and verified?
  • What reports are needed to establish and measure success and compliance for the security process or standard?

Don’t know where to start? Write down the current practice. Most IT teams have at least an informal process for nearly all security practices, even if they are not written down or monitored. This first draft can simply be notes. Formal paragraphs and language can come later after the basic principles have been outlined.

Verify the Security Policy

With the basic rules or principles in place, the policy development team should verify them against external requirements and practical limitations.

External Security Policy Requirements

Every organization faces general or specific regulations from international, federal, state, or local governments. Additionally, the organization may be forced or choose to comply with compliance frameworks (NIST, PCI DSS, etc.) and industry standards.

Some compliance standards will be broad and vague, but others will be detailed or have specific requirements. The policy development team needs to check these external regulations and revise any rule that does not meet the compliance requirements.

Practical Security Policy Limitations

Most organizations have limited resources, and often idealized policies do not take these limitations into account. The security policy development team should test the proposed rules with the IT and security teams. If these teams cannot comply with standards and requirements with their current resources, the organization will need to adjust the rules or resources as necessary.

For example, when developing a patch management policy, the IT team may not have the ability to meet the patch management schedule requirements with the current tools and staffing resources. The organization will then need to consider adjusting the schedule (if allowed by compliance requirements) or adding additional resources (tool upgrades, staffing increases, outsourcing, etc.).

Approve the Security Policy

After verification of the proposed security policy rules, the rules need to be formalized and approved by the organization’s management. Now is the time where rough notes need to be revised into formal paragraphs, tables, and appendices.

Once drafted, pass the policy to corporate management and legal counsel for review and approval. The policy can be modified as required and the final draft should be signed by the executives of the organization to ratify and acknowledge the requirements.

Review & Modify the Security Policy

Even though the security policy is approved in step three, the organization, IT resources, and regulations will change over time. All policies should be living documents that evolve as the organization changes and should be periodically reviewed and updated. Generally, policies will be reviewed on a fixed schedule (quarterly, annually, bi-annually, etc.); however, notable events such as dramatic changes to IT architecture, adopting significantly different security tools, or a security breach may merit an off-schedule review.

Bottom Line: Create Policies to Improve Focus

Organizations tend to view formal paperwork as a burden, but effective IT security policies enable organizations to improve their security posture, spend less time on compliance, and eliminate many worries. With current and effective policies, large and small businesses, non-profit organizations, and even government entities can validate their presumed security posture and gain the confidence to focus on challenges more critical to their core mission.

AI Will Save Security – And Eliminate Jobs https://www.esecurityplanet.com/trends/ai-will-save-security-and-eliminate-jobs/ Wed, 07 Jun 2023 22:48:11 +0000 https://www.esecurityplanet.com/?p=30557 AI will help us win the cybersecurity arms race - but not without significant costs. We need to prepare now for the inevitable disruptions.

AI has been the subject of a lot of hype in recent months, but one place where the hype is justified is cybersecurity. AI will completely remake the cybersecurity landscape — and create a lot of disruption in the process.

To cut to the chase before we get into the details: AI will make security worse before it makes it significantly better, but at the cost of a lot of jobs. Read on for the full implications of all this.

Security is the biggest challenge facing IT, and expect it to get worse in the near term. AI is likely to make hacks happen faster, whether that’s hacking training data so the model is skewed to make incorrect decisions, or the constant attacks on operating systems that threaten the core of our society. Whether it is Windows, Linux, or some other OS, hundreds if not thousands of people write code, people make mistakes, and the interactions between various parts of the OS make it difficult to check all of the possible cases.

My hypothesis is that AI in the not too distant future will be used to evaluate operating systems and applications to improve security, and more and more code will be created by AI programs instead of humans. Initially, AI coding could create security issues, but over time, the machines will get better — Alphabet’s DeepMind lab and GitHub have already gotten started — and eventually they’ll surpass human abilities. Some eventually expect to see self-healing code.

The same goes for security. Hackers may gain an early advantage with AI, but as code and defenses adapt, it will be the machines that finally give us reliable cybersecurity. Security vendors have already started work with generative AI and large language models.

We are just at the start of this process of code generation and evaluation by AI. When — not if — this happens, it will have broad implications, both good and bad, for everything from our digital lives and personal data to millions of jobs. The disruption will be enormous, and we must prepare for it.

The Good News: Secure Code for All

There is a lot of good that will happen if AI can be secured and can generate secure code for operating systems and applications, but the first step before that will be checking whether the OS and application code written by humans is secure. We will see far fewer hacks as the vulnerabilities in code are slowly eliminated.

We may not be able to prevent people from infecting systems by clicking on malicious links, but that will likely be mitigated in a later phase when operating systems are rewritten to prevent this. I think that just like we are moving to application-specific processing today, we will have operating system interfaces that are specific to user needs, and the OSes will be able to dynamically modify and add features based on what the user needs that day, or maybe even in the moment.

All of this will help make the world a safer place and eliminate many of the hacks we see today, and many of those in the future too. What if your mail client could evaluate every single link, file, etc., containerize it, evaluate the implications of that link or file, and determine whether you can open it or not? Email gateways can do some of that today, but combine those defensive abilities with operating systems and applications that are secure and the threat of getting hacked is greatly diminished. There is still the issue of passwords and identity, but that’s an area that is seeing great progress now and will only get better.

With vastly fewer hacks, the world becomes a safer place for schools, hospitals, critical infrastructure, elections and governments, and hacking groups will need to look elsewhere, perhaps credit card and ATM skimming unless those see similar security improvements.

I’ve architected IT environments at the highest security levels, and what I see based on these early AI projects gives me hope; the whole dynamic will change compared to what is happening today. But with all good, there is a bad too, and the bad will be worldwide, for everyone and everything.


The Bad News: Massive Economic Disruption

The downside of AI advances will be catastrophic for many “safe” jobs like software engineers, security analysts and other white-collar jobs. Anything that can be intelligently automated will require far fewer employees.

The loss of these well-paying jobs will have a ripple effect throughout the global economy, as tax revenues and consumer spending will take a hit, hurting industries that depend on those revenue sources.

There are more than 4 million software engineering jobs in the U.S., and roughly 27 million around the world. Since the 1960s and maybe even the 1950s, a programmer’s job could be a lifetime career, but almost all the people who have chosen this career would have to do something else. I am not sure what that will be, but they will have to get retrained, and likely they will have to do the retraining themselves.

This isn’t any different than what happened to American manufacturing, but the effects there were devastating, as secure middle-class prospects for many disappeared. Sadly, I think programmers will experience this same fate.

But the implications are even broader than that. Our education system has been designed to turn out people who can write code for computer systems (firmware, operating systems, and applications), that can develop tests for that code and maintain that code (create release packages etc.). Our educational system does not know how to change quickly, but when these changes come, they will happen quickly.

All programming jobs won’t be immediately eliminated, as there are specialized cases that need development that will likely be retained until AI catches up. This is no different than what happened in the auto industry. The easiest tasks were eliminated first by robotics, and as the development of robotic equipment advanced more jobs were eliminated. Programming in the sciences such as physics and chemistry and likely firmware will take far longer to move to AI than will, say, Python coding or database programming, but the trend toward commoditization has likely already begun.


The Future Is Already Here

Throughout human history, progress has never been stopped for any significant time. There have been setbacks such as the Dark Ages, but the Renaissance came and we significantly exceeded the knowledge that came before. Since the invention of the steam engine, more and more jobs have been eliminated, and the trends are moving faster and faster. We cannot pretend that living in the past while the rest of the world is moving forward is going to end well for any nation or region. We must embrace change and progress, and develop frameworks for people to be successful. This means retraining and education on a global scale for the survival of humanity, as many people are going to be very angry, as we have seen when jobs are eliminated and people have no idea what to do next. This would be a very good time for our leaders to stop appealing to the past and start embracing the future.

Security Buyers Are Consolidating Vendors: Gartner Security Summit https://www.esecurityplanet.com/trends/security-buyers-consolidate-vendors/ Wed, 07 Jun 2023 18:35:19 +0000 https://www.esecurityplanet.com/?p=30545 Security buyers are consolidating vendors at an unprecedented rate, leading to a number of converged security platforms. Here are the details.

IT security buyers are consolidating vendors at an overwhelming rate, according to a speaker at this week’s Gartner Security & Risk Management Summit.

In a session on cybersecurity market trends and growth opportunities, Gartner analyst and VP Neil MacDonald said 75% of security buyers are pursuing vendor consolidation, up from just 29% in 2020.

“Customers want fewer providers,” he said.

MacDonald’s talk was directed at vendors rather than buyers, and he cautioned them: “Don’t just throw a bunch of stuff together; make it work better.”

Security Products Merge Into Platforms

As part of that trend, security products are consolidating too, MacDonald said. He noted 10 areas where cybersecurity products are merging into broader platforms (see slide below).

Converged Cybersecurity Platforms chart from Gartner

Secure web gateways, CASB and zero trust network access (ZTNA) are merging to become security service edge (SSE), he said — and with the addition of SD-WAN technology, SSE becomes secure access service edge (SASE).

EDR, NDR and identity threat and detection response (ITDR) are merging into XDR platforms — even as XDR joins with SIEM and SOAR to become Security Operations Platforms.

In cloud security, cloud workload protection platforms (CWPP) are joining with cloud security posture management (CSPM) and software composition analysis (SCA) to become workload security and CNAPP platforms.

Other broad security platforms highlighted by MacDonald include:

  • Data Security: Includes DLP, digital asset management and data-centric audit and protection (DCAP)
  • Workplace Security: Combines UEM, secure email gateways and EDR
  • Attack Surface Management: Combines external attack surface management (EASM), cyber asset attack surface management (CAASM), and digital risk protection services (DRPS)
  • Identity and Access Management: Includes access management, PAM and identity governance and administration (IGA)
  • Integrated Risk Management: Digital rights management (DRM), vendor risk management (VRM), and GRC

Consolidation has been a central theme at the Gartner security conference in recent years. Cybersecurity mesh and decentralized identity were big themes in 2021 and hyperautomation was an emerging technology last year, and those trends came up again in a number of presentations this year.

CTEM, CIEM and AMTD Highlight Emerging Tech

Gartner is perhaps the biggest source of acronyms in the cybersecurity industry, and the 2023 event was no exception. CTEM, CIEM and AMTD are three emerging technologies that security pros might want to familiarize themselves with.

CTEM stands for continuous threat exposure management and is something like a continuous vulnerability management program (slide below from Gartner analyst Rich Addiscott).

Continuous Threat Exposure Management (CTEM) chart from Gartner

CIEM is short for cloud infrastructure entitlement management, which controls cloud user and entity permissions (slide below from Gartner analyst Andrew Bales).

AMTD stands for automated moving target defense, which combines a number of security technologies to protect assets as they change states (slide below from Gartner analyst Mark Wah).

Automated Moving Target Defense (AMTD) Objective infographic from Gartner

5 Ways to Configure a SIEM for Accurate Threat Detection https://www.esecurityplanet.com/trends/configure-siem-for-threat-detection/ Tue, 06 Jun 2023 18:27:37 +0000 https://www.esecurityplanet.com/?p=30537 A security information and event management (SIEM) system is about as complicated as a security tool can get, pulling in log and threat data from a wide range of sources to look for signs of a cyber attack. Not surprisingly, they can be challenging to manage. A recent Gurucul survey of over 230 security pros […]

The post 5 Ways to Configure a SIEM for Accurate Threat Detection appeared first on eSecurityPlanet.

]]>
A security information and event management (SIEM) system is about as complicated as a security tool can get, pulling in log and threat data from a wide range of sources to look for signs of a cyber attack.

Not surprisingly, they can be challenging to manage. A recent Gurucul survey of over 230 security pros at the recent RSA Conference found that managing and configuring SIEM solutions can be an overwhelming task.

More than 42 percent of respondents said it takes weeks, months, or longer to add new data sources to their SIEM, and over 30 percent said they don’t know how to do so. Almost 17 percent said they aren’t confident their SIEM can detect unknown threats, and almost 21 percent simply don’t know if it can or not.

Over 61 percent of respondents said they get more than 1,000 security alerts a day, and almost 20 percent said they get too many alerts to count.

In an interview with eSecurity Planet, Gurucul vice president of product marketing and solutions Sanjay Raja said getting control of that flood of information – and making good use of it – requires effective configuration and customization.


Cloud Data Adds to SIEM Challenges

The cloud is a key factor in the SIEM configuration challenge. As organizations move more and more infrastructure to the cloud, the amount of data available for analysis just keeps growing, Raja said.

“Each architecture in the cloud is offering its own datasets, and it’s actually offering a lot more detail…and there’s a lot more alerting going on because of that,” he said.

At the same time, Raja said it’s often unclear whether the data security teams are getting from the cloud is actually what they need. “Are you getting the right datasets? Are you getting a complete set of datasets? People are struggling with trying to understand, ‘Am I really seeing everything from the cloud that I need to?'”

That can quickly become overwhelming. “A lot of the folks on the SOC team aren’t experts on the cloud,” Raja said. “Sure, the cloud team is really responsible for moving anything over to there, but now, as a security administrator, I have to be able to understand what that data means.”

So security experts now have to become cloud experts as well. “Before, I didn’t really have to know a ton about the app, or about the server – those are more simplistic. The cloud is much more complex,” Raja said. “And it becomes even worse when you’ve got multi-cloud environments.”


Detection Engineering

Helping security analysts parse the data that comes in is also an ongoing challenge. To address that challenge, Gurucul is seeing the rise of detection engineering groups, Raja said. “They’ve always been there, but they’re becoming more important to organizations to be able to configure and refine down the amount of data that gets sent to the security analysts.”

Raja said Gurucul also sees a lot of organizations struggling to support new devices, or new versions of devices. “The data changes, and now I need to be able to look at it differently, and yet the data parsers that were included with my platform don’t support that new version, so what do I do? This is where they go back to a detection engineer and build a parser that way.”

It’s also critically important to build effective detection models, monitoring for activity that crosses specific thresholds such as repeated login attempts. “You need the ability to either create your own models, or ideally to customize existing models, because now you can tweak them for your organization and your IT and governance rules,” Raja said.

That’s inevitably an ongoing process, with models having to be modified in response to new threats. “If I see a really high-profile attack out there that does some known behavior, I want to be able to tweak that in my model to go, ‘Okay, I’ve seen this is a problem – let me change the model a bit, and now I’m ready for it,'” Raja said.

Five Key Areas of SIEM Configuration

Ultimately, Raja said, there are five key things to keep in mind regarding SIEM configuration if you want to avoid the kind of overload and frustration found among the security pros surveyed at RSA.

  1. Configure the full set of data sources you want to pull in: “Configuring your SIEM to be able to pull in all that data across cloud, across regions, remote, is very important, because otherwise you’re not getting a complete picture.”
  2. Configure the SIEM to parse incoming data effectively: “That means, as a SOC, I’m monitoring the things that are important from a security standpoint, and sifting through all the other data to figure out, is this important or is it not important?”
  3. Configure cloud sources to send the right data to the SIEM: “A lot of times, the security admin doesn’t know whether what the cloud is sending is correct or not, so they have to work with the cloud team to make sure they’re getting the right data for monitoring purposes.”
  4. Configure the SIEM to leverage identity data effectively: “If you can pull that data into your SIEM and view it in your SIEM, you can start to look at that dataset and be more effective at determining what’s allowed and what’s not.”
  5. Build an effective and comprehensive set of threat models: “The included models in most SIEMs are pretty light, and they’re pretty limited. If you can get detection engineering to build a set of robust threat models, that’s going to help detect a threat faster.”
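As an added example (not from the article or from Gurucul), here is a minimal threshold-based detection model of the kind described above, run over constructed sshd-style log lines: a detection engineer's parser for one log format feeds a sliding-window rule for repeated failed logins, with the threshold and window exposed as parameters so the model can be tuned per organization. The log lines, hostnames and addresses are constructed; the rule name and field layout are this example's own choices.

```python
"""Threshold-based detection model over sshd-style auth logs (constructed example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Constructed sample log: one fast burst from 203.0.113.7 and one slow,
# spread-out series from 198.51.100.9 (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Jun 06 10:00:01 host1 sshd[101]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Jun 06 10:00:05 host1 sshd[101]: Failed password for alice from 203.0.113.7 port 51001 ssh2
Jun 06 10:00:09 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jun 06 10:00:12 host1 sshd[101]: Failed password for alice from 203.0.113.7 port 51003 ssh2
Jun 06 10:00:20 host1 sshd[101]: Failed password for alice from 203.0.113.7 port 51004 ssh2
Jun 06 10:00:25 host1 sshd[101]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
Jun 06 10:03:00 host1 sshd[101]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Jun 06 10:09:00 host1 sshd[101]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Jun 06 10:15:00 host1 sshd[101]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Jun 06 10:21:00 host1 sshd[101]: Failed password for bob from 198.51.100.9 port 40003 ssh2
Jun 06 10:27:00 host1 sshd[101]: Failed password for bob from 198.51.100.9 port 40004 ssh2
"""

# The parser a detection engineer writes for this one format; unknown lines are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3}) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src: str
    success: bool


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    count: int
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str, year: int = 2023) -> Optional[AuthEvent]:
    """Parse one syslog-style sshd line; syslog omits the year, so it is supplied."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return AuthEvent(ts, m["host"], m["user"], m["src"], m["outcome"] == "Accepted")


def parse_log(raw: str) -> List[AuthEvent]:
    return [ev for ev in (parse_line(line) for line in raw.splitlines()) if ev is not None]


def detect_repeated_failures(
    events: Iterable[AuthEvent],
    threshold: int = 5,
    window: timedelta = timedelta(minutes=5),
) -> List[Alert]:
    """Sliding-window count of failed logins per source address.

    Fires once when `threshold` failures from one source fall inside `window`,
    then clears that source's window so a burst yields one alert rather than
    one alert per additional failure. Successful logins are not counted here.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.success:
            continue
        q = recent[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(Alert("repeated_failed_logins", ev.src, len(q), q[0], ev.ts))
            q.clear()
    return alerts


def run_model(raw: str, threshold: int = 5, window_minutes: int = 5) -> List[Alert]:
    """Parse then detect; threshold and window are the knobs a SOC tunes per organization."""
    return detect_repeated_failures(parse_log(raw), threshold, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    # The default tuning catches only the burst; a wider window also catches the slow series.
    for label, minutes in (("default", 5), ("slow-burner", 30)):
        for a in run_model(SAMPLE_LOG, window_minutes=minutes):
            print(f"[{label}] {a.rule}: {a.count} failures from {a.src} "
                  f"between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S}")
```

With the 5-minute default only the burst from 203.0.113.7 alerts; widening the window to 30 minutes also surfaces the slow series from 198.51.100.9, which is the kind of per-organization tuning the article describes.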

Effective configuration makes the rest of your job much easier. “The more you can do up front around configuring things right, getting things working and deployed properly, and being able to parse data properly, the more it makes all the other functions easier within a SOC,” he said.

How Generative AI Will Remake Cybersecurity https://www.esecurityplanet.com/trends/generative-ai-cybersecurity/ Tue, 30 May 2023 22:47:17 +0000 https://www.esecurityplanet.com/?p=30368 In March, Microsoft announced its Security Copilot service. The software giant built the technology on cutting-edge generative AI – such as large language models (LLMs) – that power applications like ChatGPT. In a blog post, Microsoft boasted that the Security Copilot was the “first security product to enable defenders to move at the speed and […]

In March, Microsoft announced its Security Copilot service. The software giant built the technology on cutting-edge generative AI – such as large language models (LLMs) – that power applications like ChatGPT.

In a blog post, Microsoft boasted that the Security Copilot was the “first security product to enable defenders to move at the speed and scale of AI.” It was also trained on the company’s global threat intelligence, which included more than 65 trillion daily signals.

Of course, Microsoft isn’t the only one to leverage generative AI for security. In April, SentinelOne announced its own implementation to allow for “real-time, autonomous response to attacks across the entire enterprise.”

Or consider Palo Alto Networks. CEO Nikesh Arora said on the company’s earnings call that Palo Alto is developing its own LLM, which will launch this year. He noted that the technology will improve detection and prevention, allow for better ease-of-use for customers, and help provide more efficiencies.

Of course, Google has its own LLM security system, called Sec-PaLM. It leverages its PaLM 2 LLM that is trained on security use cases.

This is likely just the beginning for LLM-based security applications. It seems like there will be more announcements – and very soon at that.


How LLM Technology Works in Security

The core technology for LLMs is fairly new. The major breakthrough came in 2017 with the publication of the paper “Attention Is All You Need,” in which Google researchers set forth the transformer model. Unlike traditional deep learning systems – which generally analyze words or tokens in small bunches – this technology could find the relationships among enormous sets of unstructured data like Wikipedia or Reddit. This involved assigning probabilities to the tokens across thousands of dimensions. With that approach, the content generated can seem humanlike and intelligent.

This could certainly be a huge benefit for security products. Let’s face it, they can be complicated to use and require extensive training and fine-tuning. But with an LLM, a user can simply create a natural language prompt.

This can help deal with the global shortage of security professionals. Last year, there were about 3.4 million job openings.

“Cybersecurity practices must go beyond human intervention,” said Chris Pickard, Executive Vice President at global technology services firm CAI. “When working together, AI and cybersecurity teams can accelerate processes, better analyze data, mitigate breaches, and strengthen an organization’s posture.”

Another benefit of an LLM is that it can analyze and process huge amounts of information. This can mean much faster response times and a focus on those threats that are significant.

“Using the SentinelOne platform, analysts can ask questions using natural language, such as ‘find potential successful phishing attempts involving powershell,’ or ‘find all potential Log4j exploit attempts that are using jndi:ldap across all data sources,’ and get a summary of results in simple jargon-free terms, along with recommended actions they can initiate with one click – like ‘disable all endpoints,’” said Ric Smith, who is the Chief Product and Technology Officer at SentinelOne.

Ryan Kovar, the Distinguished Security Strategist and Leader of Splunk’s SURGe, agrees. Here are just some of the use cases he sees with LLMs:

  • You can create an LLM of software versions, assets, and CVEs, asking questions like “Do I have any vulnerable software?”
  • Network defense teams can use LLMs of open-source threat data, asking iterative questions about threat actors, like “What are the top ten MITRE TTPs that APT29 use?”
  • Teams may ingest wire data and ask interactive questions like “What anomalous alerts exist in my Suricata logs?” The LLM or generative AI can be smart enough to understand that Suricata alert data is multimodal rather than modal – that is, a Gaussian distribution – and thus needs to be analyzed with IQR (interquartile range) versus Standard Deviation.


The Limitations of LLMs

LLMs are not without their issues. They are susceptible to hallucinations, which is when the models generate false or misleading content – even as they still seem convincing.

This is why it is critical to ground the system in relevant, current data. Employees will then need training in writing effective prompts, and every output still needs human validation and review.

Besides hallucinations, there are the nagging problems with the security guardrails for the LLMs themselves.

“There are the potential data privacy concerns arising due to the collection and storage of sensitive data by these models,” said Peter Burke, who is the Chief Product Officer at SonicWall. Those concerns have caused companies like JPMorgan, Citi, Wells Fargo and Samsung to ban or limit the use of LLMs.

There are also some major technical challenges limiting LLM use.

“Another factor to consider is the requirement for robust network connectivity, which might pose a challenge for remote or mobile devices,” said Burke. “Besides, there may be compatibility issues with legacy systems that need to be addressed. Additionally, these technologies may require ongoing maintenance to ensure optimal performance and protection against emerging threats.”

Something else: the hype of ChatGPT and other whiz-bang generative AI technologies may lead to overreliance on these systems. “When presented with a tool that has a wide general range of applications, there’s a temptation to let it do everything,” said Olivia Lucca Fraser, a staff research engineer at Tenable. “They say that when you have a hammer, everything starts to look like a nail. When you have a Large Language Model, the danger is that everything starts to look like a prompt.”


The Future of AI Security

LLM-based systems are definitely not a silver bullet. But no technology is, as there are always trade-offs. Yet LLMs do have significant potential to make a major difference in the cybersecurity industry. More importantly, the technology is improving at an accelerating pace as generative AI has become a top priority.

“AI has the power to take any entry-level analyst and make them a ‘super analyst,’” said Smith. “It’s a whole new way to reimagine cybersecurity. What it can do is astounding, and we believe it’s the future of cybersecurity.”


The post How Generative AI Will Remake Cybersecurity appeared first on eSecurityPlanet.

New Apple RSR Flaw Blocks MDM Functionality on macOS Devices https://www.esecurityplanet.com/mobile/apple-rsr-flaw/ Wed, 24 May 2023 14:46:29 +0000 https://www.esecurityplanet.com/?p=30278

The post New Apple RSR Flaw Blocks MDM Functionality on macOS Devices appeared first on eSecurityPlanet.

Addigy, which provides management solutions for Apple devices, today warned that Apple’s new Rapid Security Response (RSR) updates aren’t being delivered to as many as 25 percent of macOS devices in managed environments, and that the failure to do so is also impacting mobile device management (MDM) stacks on those devices.

RSR updates are new – the first batch was delivered at the beginning of this month. As Apple explained in a recent support document describing the updates, “They deliver important security improvements between software updates – for example, improvements to the Safari web browser, the WebKit framework stack, or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist ‘in the wild.'”

Because RSR updates are focused solely on urgent security patches, it makes sense to install them as quickly as possible. While they can be disabled, they’re delivered and applied automatically by default.

Although an install issue was discussed on Reddit earlier this month when the first RSR update was released, the problem Addigy describes appears to be both more persistent and more complex.

Stuck Updates and Unresponsive MDM

By checking customer environments in which its clients have macOS and iOS devices under management, Addigy found that some macOS devices end up in a “stuck” state in which the RSR update is delivered but never installed.

“More concerningly, there is no way for IT departments to know which machines are not implementing RSR updates without manually inspecting each machine and enabling the update,” Addigy warned today.

Critically, the stuck state also impacts the MDM stack on the affected device. “Addigy discovered the RSR wasn’t being implemented after finding that the MDM client binary gets stuck after executing the OSUpdateScan command and stops communicating with the Apple MDM Framework that Addigy follows,” the company said.

“If the MDM client on the device is unresponsive, necessary MDM actions are delayed, leading to potential security vulnerabilities in this critical RSR case,” the company added.

One in Four macOS Devices

According to Addigy, the issue affects only macOS devices, not iPhones or iPads, and impacts a quarter of all MDM-managed macOS environments. “As a result, all MDM vendors and customers are encouraged to audit their environments to ensure the critical RSR update is making its way onto every eligible machine under management,” the company said.

In response, Addigy has released a new MDM Watchdog utility that monitors the MDM framework on devices for the stuck condition described above and automatically fixes any in which it’s discovered.

“The stuck state condition we discovered within our customers’ environments affects one out of every four devices, so the impact to macOS environments in any enterprise is likely the same,” Addigy CEO Jason Dettbarn said in a statement.


Top 25 Cybersecurity Experts & Accounts to Follow on Twitter https://www.esecurityplanet.com/trends/twitter-cybersecurity/ Mon, 03 Apr 2023 11:30:00 +0000 https://www.esecurityplanet.com/?p=20186 Keep up with the latest cybersecurity news and trends. Check out our list of the top cybersecurity Twitter accounts to follow now.

The post Top 25 Cybersecurity Experts & Accounts to Follow on Twitter appeared first on eSecurityPlanet.

More than 15 years after the launch of the microblogging social media platform, Twitter remains a dominant public forum for instant communication with individuals and organizations worldwide on a universe of topics, including cybersecurity.


Here are the top Twitter accounts to follow for the latest commentary, research, and much-needed humor in the ever-evolving information security space – followed by five accounts on the increasingly active Mastodon security community. Our review considered experience in enterprise cybersecurity, contributions to research and real-time developments, and Twitter-specific metrics like following and activity frequency.


Aleksandra Doniec

@hasherezade
One of Europe’s top malware analysts thanks to her work for places like Malwarebytes, Aleksandra Doniec has provided a number of in-depth ransomware analyses and security tools throughout her career. Her contributions were significant enough to have her included in Forbes’ 2018 “30 Under 30 Europe” in the Technology category. Her private account offers a host of cybersecurity insights, particularly related to malware and ransomware, along with personal tweets. Her website also provides links to some of the useful cybersecurity tools and scripts she has created over the years, many of them open source.

https://twitter.com/hasherezade/status/1637614885621096449

Binni Shah

@binitamshah
Security enthusiast and Linux evangelist Binni Shah consistently offers valuable tutorials, guides, and insights for the cybersecurity community. Shah provides her expertise in hacking, software development, and kernel development and advocates for open source initiatives. This is an account to watch for developers working in Linux environments.

https://twitter.com/binitamshah/status/1638197681108418565

Bruce Schneier

@schneierblog
Security technologist Bruce Schneier was respected long before the launch of Twitter. His 1994 book detailing cryptographic algorithms (Applied Cryptography) was just the beginning of his contributions to technical perspectives on system design, cybersecurity, privacy, and more. His Twitter updates are short, newsy, and to the point. They include links to his blog posts, which expand on the mentioned topic.

https://twitter.com/schneierblog/status/1633445222624681985

Dave Kennedy

@HackingDave
Dave Kennedy started as a forensic analysis and cyber warfare specialist in the US Marine Corps before entering the enterprise space. Kennedy founded cybersecurity-focused TrustedSec and Binary Defense Systems and co-authored Metasploit: The Penetration Tester’s Guide. He retweets multiple experts’ posts on different security topics and also participates in industry conversations and events.

https://twitter.com/HackingDave/status/1635990706366889985

Eugene Kaspersky

@e_kaspersky
Russian software engineer Eugene Kaspersky’s frustration with the malware of the 80s and 90s led to the founding of antivirus and cybersecurity vendor Kaspersky Lab. Kaspersky currently serves as CEO and a distinguished cybersecurity expert in the international community. He discusses both consumer and business security on his Twitter feed and covers a wide variety of cybersecurity topics.

https://twitter.com/e_kaspersky/status/1620317049376411649

Eva Galperin

@evacide
Starting with her first desktop on a Unix machine at age 12, Eva Galperin’s contributions to cybersecurity include research on malware and privacy. Galperin is the current Director of Cybersecurity at the Electronic Frontier Foundation (EFF) and a noted free speech advocate. Note that Galperin’s current Twitter discussions now center more around politics than cybersecurity.

https://twitter.com/evacide/status/1629204223165620224

Graham Cluley

@gcluley
Graham Cluley started as a videogame developer and antivirus programmer three decades ago before serving in senior roles at Sophos and McAfee. In recent years, Cluley has been well-known for his cybersecurity analysis, blog, and award-winning podcast Smashing Security. The podcast takes a lighter approach to major cybersecurity topics, for those who want a more humorous look at the industry.

https://twitter.com/gcluley/status/1638869551772319744

Jason Haddix

@Jhaddix
Through tenures at Citrix, HP, and Bugcrowd, Jason Haddix offers his expertise in the areas of penetration testing, web application testing, static analysis, and more. Haddix continues to provide his insights on Twitter while occasionally appearing on podcasts. Consider following Haddix if you want to learn more about security testing news and trends.

https://twitter.com/Jhaddix/status/1514933567159033858

Jeremiah Grossman

@jeremiahg
With deep industry experience, Jeremiah Grossman was the Information Security Officer for Yahoo!, founder and CTO of WhiteHat Security, and Chief of Security Strategy for SentinelOne. Grossman is an innovative industry leader. He currently works in security strategy at Tenable. Grossman’s tweets are short and straightforward, covering both enterprise tips and nationwide security news.

https://twitter.com/jeremiahg/status/1599932128875417600

Marcus J. Carey

@marcusjcarey
Marcus J. Carey started his cybersecurity career assisting federal agencies with pen testing, incident response, and digital forensics. Two decades later, the information security expert is a distinguished author (Tribe of Hackers), entrepreneur, and speaker. Occasionally he posts security career information for those in the job field.

https://twitter.com/marcusjcarey/status/1606018667879272450

Maria Markstedter

@Fox0x01
As managing vulnerabilities in embedded systems becomes increasingly crucial to cybersecurity, Maria Markstedter offers her expertise as an independent security researcher and founder of Azeria Labs. Markstedter actively contributes to filling the infosec education gap.

https://twitter.com/Fox0x01/status/1576907613387706368

Matthew Green

@matthew_d_green
Matthew Green is a renowned expert in cryptographic engineering. Green’s contributions to applied cryptography are profound, and his other research includes securing storage and payment systems. He is currently an Associate Professor at Johns Hopkins University.

https://twitter.com/matthew_d_green/status/1637035201535590404

Katie Moussouris

@k8em0
Katie Moussouris’ resume includes studying at MIT and Harvard, enterprise experience at Symantec and Microsoft, and years of promoting bug bounty programs and white hat hacking. Today, Moussouris is the founder and CEO of cybersecurity consultancy Luta Security.

https://twitter.com/k8em0/status/1637465815711891458


Kevin Mitnick

@kevinmitnick
Formerly on the FBI’s Most Wanted list, Kevin Mitnick is a crucial figure in the history of information security, including approaches to social engineering and penetration testing. Today, Mitnick operates his consultancy and serves as Chief Hacking Officer for KnowBe4. He also participates in educational sessions hosted by other major tech companies, covering cybersecurity topics.

https://twitter.com/kevinmitnick/status/1525111447654924290

Mikko Hyppönen

@mikko
Mikko Hyppönen is the veteran chief research officer of Finnish cybersecurity company WithSecure. After three decades of experience analyzing and following the latest security threats, Hyppönen continues to offer his perspective on privacy, cybersecurity, and so-called “smart” devices.

https://twitter.com/mikko/status/1636749889211101184

Paul Asadoorian

@securityweekly
Once a penetration tester, Paul Asadoorian has been the founder and CEO of Security Weekly and host of a weekly show since 2005. Asadoorian has built a cybersecurity media force while also serving as a partner for Offensive Countermeasures. He is currently a security evangelist at Eclypsium.

https://twitter.com/securityweekly/status/1638192695674896386

Parisa Tabriz

@laparisa
Google’s Security Princess is Parisa Tabriz, one of the technology giant’s most esteemed hackers. Tabriz has led Google Chrome’s security since 2013, which extends to managing product, engineering, and UX today. Tabriz is a tireless advocate for ethical hacking.

https://twitter.com/laparisa/status/1578475355765059584

Rachel Tobac

@RachelTobac
Three-time winner of DEF CON’s Social Engineering Capture the Flag Contest, Rachel Tobac is a hacker and CEO of SocialProof Security. Tobac’s expertise in social engineering and spreading awareness provides excellent insight into today’s sophisticated threats.

https://twitter.com/RachelTobac/status/1636481960221765632

Robert M. Lee

@RobertMLee
Dragos founder and CEO Robert M. Lee started his career as a Cyber Warfare Operations Officer for the U.S. Air Force before building the SANS Institute’s first dedicated ICS monitoring courses. Lee continues to be a leading voice in the critical infrastructure cybersecurity space.

https://twitter.com/RobertMLee/status/1593337606518951936

Runa Sandvik

@Runasand
Runa Sandvik was a hacker and early developer of the Tor network before her rise to senior director of information security for the New York Times. Today Sandvik is an independent researcher and consultant and advocate for strengthening freedom of the press and privacy. Her Twitter feed often addresses international security news.

https://twitter.com/runasand/status/1628000824495419398

Samy Kamkar

@Samykamkar
Hacker, researcher, and entrepreneur Samy Kamkar launched a unified communications company as a teen before setting off an XSS attack against MySpace. Lesson learned, Kamkar continues to test security integrity years later as co-founder and CSO of Openpath Security.

https://twitter.com/samykamkar/status/1354102556461436928

SwiftOnSecurity

@SwiftOnSecurity
The pseudonymous information security expert known as SwiftOnSecurity is a prominent voice in the universe of cybersecurity. They continually offer a balanced dose of genuine insight into systems and security along with the funniest and hardest-hitting memes for sysadmins.

https://twitter.com/SwiftOnSecurity/status/1286855769732845568

Tavis Ormandy

@taviso
Tavis Ormandy is an ethical hacker and an information security engineer for Google Project Zero. Ormandy’s expertise includes vulnerability hunting, research, and software development with a bundle of GitHub contributions and published research. His tweets often discuss older technology or ask interactive questions of other experts.

https://twitter.com/taviso/status/1581682151531028480

Thaddeus Grugq

@thegrugq
Commonly known as just the Grugq, Thaddeus Grugq is a security researcher and hacker known for publications and commentary regarding forensic analysis, international espionage, and cybersecurity. In recent years, Grugq has talked openly about high-end exploit brokering.

https://twitter.com/thegrugq/status/839471981120495616

Troy Hunt

@troyhunt
Troy Hunt is an Australian web security consultant, perhaps best known for his project Have I Been Pwned (HIBP), which helps users confirm whether their data was compromised in a breach. After 14 years of enterprise experience at Pfizer, Hunt offers his expertise in a weekly vlog. He’s also written infosec courses for Pluralsight.

https://twitter.com/troyhunt/status/1636225195919970305

Accounts to follow on Mastodon

Some popular security leaders have shifted their focus to Mastodon, an open source social media platform, in the wake of recent turmoil at Twitter. Mastodon’s infosec.exchange platform is specifically geared toward the security industry. Check out these accounts if you prefer not to use Twitter.

Brian Krebs

Brian Krebs still has a Twitter account (@krebsonsecurity), but he posts more regularly about security on Mastodon. He is known for his strong background in journalism, writing often about cybercrime.

Marcus Hutchins

Marcus Hutchins is a security researcher. He frequently posts about artificial intelligence, Twitter, and politics on his Mastodon feed.

Jake Williams

Jake Williams is a security researcher and IANS faculty member. He posts about a variety of international security topics, and also maintains a presence on Twitter.

Kevin Beaumont

Kevin Beaumont is a head of security operations in the United Kingdom. He has over 20 years of experience in the cybersecurity industry and also has a security-focused website, doublepulsar.com.

Lesley Carhart

IT industry veteran and former Hacker of the Year Lesley Carhart is another security researcher who has made the move to Mastodon. She consistently contributes to research and dialogue around incident response, digital forensics, industrial control system security, and more. Carhart is currently the Director of Incident Response at Dragos.


Jenna Phipps updated this article on April 3, 2023.

Biden Cybersecurity Strategy: Big Ambitions, Big Obstacles https://www.esecurityplanet.com/trends/biden-cybersecurity-strategy/ Fri, 03 Mar 2023 17:57:53 +0000 https://www.esecurityplanet.com/?p=27540

The post Biden Cybersecurity Strategy: Big Ambitions, Big Obstacles appeared first on eSecurityPlanet.

The White House’s National Cybersecurity Strategy unveiled yesterday is an ambitious blueprint for improving U.S. cybersecurity and threat response, but some of the more ambitious items will take time to implement, and could face opposition from Congress.

President Biden came into office around the time of the SolarWinds and Colonial Pipeline cyber attacks, so cybersecurity has been a major focus of the Administration from the beginning. The new document spells out an ambitious plan for implementing national cybersecurity controls and laws.

Cybersecurity leaders generally responded positively to the plan while acknowledging that the road to implementation will be a long one. The initiatives that stand out the most — critical infrastructure security standards, a national data privacy and security law, and liability for security failures — will likely take time and the support of Congress to implement.

Security Strategy Priorities and Pillars

The National Cybersecurity Strategy [PDF] is aimed at generating what it describes, almost idyllically, as “a resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”


To that end, the Biden-Harris administration suggested in a statement, “[W]e must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.”

Those fundamental shifts are focused on two core priorities. The first is to rebalance responsibility for cybersecurity away from individuals, small businesses and local governments, and towards “the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”

The second priority is to focus on long-term investments, with the aim of “building toward a future digital ecosystem that is more inherently defensible and resilient.”

The strategy itself is structured around five key pillars:

  1. Defend Critical Infrastructure: “We must build new and innovative capabilities that allow owners and operators of critical infrastructure, Federal agencies, product vendors and service providers, and other stakeholders to effectively collaborate with each other at speed and scale.”
  2. Disrupt and Dismantle Threat Actors: “The United States will use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests. These efforts may integrate diplomatic, information, military (both kinetic and cyber), financial, intelligence, and law enforcement capabilities.”
  3. Shape Market Forces to Drive Security and Resilience: “We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.”
  4. Invest in a Resilient Future: “We will leverage the National Science Foundation’s (NSF) Regional Innovation Engines program, longstanding Secure and Trustworthy Cyberspace program; new grant programs and funding opportunities established in the Bipartisan Infrastructure Law, Inflation Reduction Act, and CHIPS and Science Act; Manufacturing Institutes; and other elements of the Federal research and development enterprise.”
  5. Forge International Partnerships to Pursue Shared Goals: “To counter common threats, preserve and reinforce global Internet freedom, protect against transnational digital repression, and build toward a shared digital ecosystem that is more inherently resilient and defensible, the United States will work to scale the emerging model of collaboration by national cybersecurity stakeholders to cooperate with the international community.”


Big Goals: Critical Infrastructure, Liability, and GDPR-like Law

A few items stand out as particularly ambitious and time-consuming to implement.

Strategic Objective 1.1 is the creation of mandatory requirements for critical infrastructure security. While that’s an obvious need, between published notices and comment periods the federal regulatory process can take two to three years to finalize new rules, so that could take much of the remainder of President Biden’s first term to implement — and potentially depend on the commitment of a successor.

The critical infrastructure security objective may require help from Congress too, which is never a sure thing, so the document emphasizes cooperation and working with regulatory agencies and state governments where possible to use existing authority.

“Regulations will define minimum expected cybersecurity practices or outcomes, but the Administration encourages and will support further efforts by entities to exceed these requirements,” the document says.

The objective also discusses the importance of cloud security services and says the government will “identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services, and work with industry, Congress and regulators to close them.”

The document is also mindful of cost and says the government will work to ease that burden through initiatives such as tax incentives.

Two of the plan’s most ambitious objectives will need Congressional approval.

In Strategic Objective 3.2, the Administration suggests it will pursue a national data privacy law similar to the EU’s GDPR.

The document says the Administration “supports legislative efforts to impose robust clear limits on the ability to collect, use, transfer, and maintain personal data and provide strong protections for sensitive data like geolocation and health information. This legislation should also set national requirements to secure personal data consistent with standards and guidelines developed by NIST. By providing privacy requirements that evolve with threats, the United States can pave the way for a more secure future.”

In Strategic Objective 3.3, the Administration calls for greater liability for failure to follow basic security practices.

“Markets impose inadequate costs on and often reward those entities that introduce vulnerable products or services into our digital ecosystem,” the objective states. “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance…

“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities… Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open source developer of a component that is integrated into a commercial product.”

At the same time the Administration said it will also work to shield from liability companies that meet an “adaptable safe harbor framework” of security best practices.

The Administration will also pursue coordinated vulnerability disclosure, promote further development of SBOMs, and “develop a process for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure.”

The plan says the government will also continue to invest in the development of secure software, including “memory-safe languages and software development techniques, frameworks and testing tools.”

Another key element of the plan is for the government to act as a backstop for the insurance market in event of “catastrophic events.”


Responsibility is a Key Theme

ImmuniWeb founder Ilia Kolochenko said by email that while shifting the cybersecurity burden onto industry might seem harsh, it makes sense economically.

“Software vendors will certainly argue that they will be required to raise their prices, eventually harming the end users and innocent consumers,” Kolochenko said. “This is, however, comparable to car makers complaining about ‘unnecessarily expensive’ airbag systems and seatbelts, arguing that each manufacturer should have the freedom to build cars as it sees fit.”

“Most industries – apart from software – are already comprehensively regulated in most of the developed countries: you cannot just manufacture what you want without a license or without following prescribed safety, quality and reliability standards,” Kolochenko added.

Post-Quantum Preparations

Kaniah Konkoly-Thege, chief legal officer and senior vice president of government relations at Quantinuum, noted that a subsection of the strategy’s fourth pillar focuses specifically on preparing for a post-quantum future, prioritizing “the transition of vulnerable public networks and systems to quantum-resistant cryptography-based environments.”

“While the guidance does not go in-depth regarding steps to prepare for a post-quantum future, it is best practice to assess current cryptographic systems, inventory data, experiment with NIST’s post-quantum algorithms and develop plans to protect data, especially sensitive data (i.e., medical, financial, or personal data), by transitioning to these post-quantum (PQC) algorithms,” Konkoly-Thege noted. “NIST is currently in the process of standardizing these algorithms with final standards due to be released in 2024.”


A Broad Security Approach

Shift5 CEO and co-founder Josh Lospinoso said by email that the strategy takes the right approach to a significant and growing threat. “When you address cybersecurity issues in a wholesale way like this strategy spells out, you start to really encourage the integration of cyber capabilities that will ensure the U.S. maintains its tactical edge over near-peer competitors,” he said.

“The policy is very clear-eyed about needing to take the burden off the user, the small business, the local government – and very correct that the government and private industry need to keep breaking down barriers to move and innovate at the speed of war,” Lospinoso added.

Still, Swimlane co-founder and chief strategy officer Cody Cornell said it’s going to take a lot of collaborative effort to turn these ideas into action. “The National Cybersecurity Strategy lays out a lot of great high-level ideas with the goal of modernizing the federal government’s cybersecurity strategy with the understanding that it needs help from across the government and the private sector, but does leave some questions unanswered around the speed and agility to execute inside the windows of an Executive administration and its inevitable changes in leadership that come at the longest in an eight-year cycle,” he said.

“Like almost everything in cybersecurity, real progress is not just made with strategy, but in detailed hands-on work,” Cornell added.

eSecurity Planet Editor Paul Shread contributed to this report.

Read next: Is the Answer to Vulnerabilities Patch Management as a Service?

The post Biden Cybersecurity Strategy: Big Ambitions, Big Obstacles appeared first on eSecurityPlanet.

]]>
Wireless Security: WEP, WPA, WPA2 and WPA3 Explained https://www.esecurityplanet.com/trends/the-best-security-for-wireless-networks/ Wed, 01 Mar 2023 22:00:00 +0000 https://www.esecurityplanet.com/2017/10/17/the-best-security-for-wireless-networks/

The post Wireless Security: WEP, WPA, WPA2 and WPA3 Explained appeared first on eSecurityPlanet.

]]>
Wireless security is the protection of wireless networks, devices and data from unwanted access and breaches. It involves a variety of strategies and practices designed to preserve the confidentiality, integrity and availability of wireless networks and their resources.

Wireless security is critical because these networks are subject to eavesdropping, interception, data theft, denial of services (DoS) assaults, and malware infestations. Without sufficient security measures, unauthorized users can easily gain access to a wireless network, steal sensitive data, and disrupt network operations.

To prevent unwanted access and protect data in transit, wireless connections must be secured with strong authentication procedures, encryption protocols, access control rules, intrusion detection and prevention systems, and other security measures. By securing wireless connections, your organization’s data is protected and you maintain the trust of customers and partners.

What is Wireless Security?

Wireless security refers to the technology and practices used to safeguard networks from unauthorized access, theft and other hostile actions. Wireless networks broadcast data using radio waves, which can be intercepted by anybody within the network range. As a result, wireless networks are prone to eavesdropping, illegal access and theft. Using security measures such as encryption protocols, access control rules, and authentication procedures prevents unauthorized access and safeguards these wireless networks.

A wireless network can be a cellular network, wireless LAN or other sensor or communications network, but Wi-Fi is the wireless network protocol people are generally most familiar with.

Wireless security protocols such as WEP, WPA, WPA2, and WPA3 are commonly used to secure wireless networks. The oldest protocol, WEP, is no longer considered secure because of its vulnerability to attack. WPA and WPA2, on the other hand, were released as improved versions of WEP.

WPA2 is the most widely used protocol because it uses the AES encryption technique for improved security. WPA3 is the newest protocol and offers better security features such as stronger encryption, protection against dictionary attacks, and easier setup of IoT devices, but has yet to become widely used.

Whatever your choice, a strong security protocol is critical for securing wireless networks and protecting sensitive data.

How Does Wireless Security Work?

Primary security measures used in wireless networks include encryption, authentication, access control, and intrusion detection and prevention. These measures are intended to prevent unauthorized access, guarantee data is not intercepted, and protect the network’s security and availability.

Encryption is the process of converting data into a code that can be read only by authorized users with the appropriate key. There are different encryption protocols such as WPA2 and WPA3 that are used to secure wireless networks.

Authentication processes validate identities of individuals and devices that attempt to connect to the network. For example, Wi-Fi protected access (WPA) requires users to provide a password or passphrase to gain access to the network.

Access control rules define which people or devices are permitted to connect to the network and what degree or level of access they have. Access control can be configured based on the user’s role, type of device, and level of security required. Most network access control (NAC) solutions support wireless networks in addition to wired ones, and many Wi-Fi routers include access controls like allowlisting or denylisting.

Device security is also an important part of wireless network security. You need to have a reasonable level of trust in the devices connecting to any network, so any policies you can set to require things like antivirus, updated operating systems and VPNs will protect both the network and its users. Limiting use of a device’s administrator account where possible also improves personal and mobile device security.

Intrusion detection and prevention systems monitor the network for suspicious activities and security breaches. These systems can detect and block unauthorized access attempts, malware infections and other wireless security threats.

See the Best Intrusion Detection and Prevention Systems

Types of Wireless Security Protocols and How they Work

Wireless security protocols encrypt data transmitted over wireless networks to prevent unauthorized access and eavesdropping. They also provide authentication mechanisms to verify the identity of users and devices attempting to access the network. These protocols implement access control rules to determine which users or devices are allowed on the network and what their access level is.

Wired Equivalent Privacy (WEP) employs a shared key authentication mechanism and the RC4 encryption algorithm to encrypt data. However, this protocol — introduced in 1997 — is outdated and considered insecure because it is easily hackable.

Wi-Fi Protected Access (WPA) is an improvement of WEP introduced in 2003. It provides stronger security measures like message integrity checks and improved key management. WPA uses the Temporal Key Integrity Protocol (TKIP) encryption algorithm, but is still vulnerable to attacks.

Wi-Fi Protected Access II (WPA2) — introduced in 2004 — remains the most popular wireless security protocol. It uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) based on the Advanced Encryption Standard (AES) encryption algorithm for stronger security measures. WPA2 is basically an upgraded version of WPA since it features improved key management and is less vulnerable to attacks.

Wi-Fi Protected Access 3 (WPA3) is the latest wireless security protocol and offers enhanced security features such as stronger encryption, protection against dictionary attacks and individualized data encryption. Announced in 2018 by the Wi-Fi Alliance, WPA3 simplifies the process of configuring devices with little to no display interface — such as IoT devices — by introducing Wi-Fi Easy Connect. This works by allowing the IoT device to present a QR code or a Near Field Communication (NFC) tag, which the user can scan with their device to establish a secure Wi-Fi connection. Despite advances like stronger encryption and more secure key exchange, WPA3 has yet to gain much traction among users.
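As an added example (not code from the article), the script below turns the protocol ranking just described into an audit: it reads the one-line-per-network output that `nmcli -t -f SSID,SECURITY dev wifi` prints on Linux, works out the weakest protocol each network still allows clients to negotiate, and rates it. The scan lines embedded in it are constructed, and the severity labels and advice strings are this example's own choices.

```python
"""Rate observed Wi-Fi networks by the weakest protocol they still allow."""
from dataclasses import dataclass

# Weakest to strongest, following the article's ordering. nmcli prints
# WEP, WPA1, WPA2, WPA3 tokens (plus e.g. 802.1X, which is ignored here).
RANK = {"OPEN": 0, "WEP": 1, "WPA1": 2, "WPA2": 3, "WPA3": 4}

# Constructed sample output, one "SSID:SECURITY" line per network.
SAMPLE_SCAN = """\
corp-legacy:WEP
guest-wifi:
office-main:WPA1 WPA2
office-new:WPA2
lab-iot:WPA2 WPA3
lab-sae:WPA3
"""

@dataclass
class Finding:
    ssid: str
    weakest: str    # weakest protocol a client may negotiate
    strongest: str
    severity: str   # high / medium / low / info (example's own scale)
    advice: str

def classify(ssid: str, security_field: str) -> Finding:
    """Map one nmcli SECURITY field to a finding; empty field means open."""
    protos = [t for t in security_field.split() if t in RANK] or ["OPEN"]
    weakest = min(protos, key=RANK.get)
    strongest = max(protos, key=RANK.get)
    advice = {
        "OPEN": ("high", "no encryption; enable WPA2-AES or WPA3"),
        "WEP": ("high", "WEP (RC4, 1997) is broken; migrate to WPA2-AES or WPA3"),
        "WPA1": ("medium", "WPA/TKIP still negotiable; disable WPA1 mixed mode"),
        "WPA2": ("low", "WPA2-AES acceptable; add WPA3 transition mode if clients allow"),
        "WPA3": ("info", "WPA3-only; SAE resists offline dictionary attacks"),
    }[weakest]
    return Finding(ssid, weakest, strongest, advice[0], advice[1])

def audit(scan_text: str) -> list[Finding]:
    """Classify every non-empty line; nmcli escapes ':' in SSIDs as '\\:',
    so splitting on the last ':' keeps such SSIDs intact."""
    findings = []
    for line in scan_text.splitlines():
        if line.strip():
            ssid, _, security = line.rpartition(":")
            findings.append(classify(ssid, security))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.severity:6} {f.ssid:12} {f.weakest}->{f.strongest}: {f.advice}")
```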

How to Protect Your Wi-Fi Network

To ensure the safety and security of your data and other important assets, it is important to take the necessary actions to protect your Wi-Fi network from unauthorized access. By following these specific steps, you can safeguard your network and reduce the risk of security breaches:

  1. Choose a strong and unique password, as it is the first line of defense against unauthorized access to your Wi-Fi network. Ensure that your password is complex, unique, and has a mix of upper and lower case letters, numbers and symbols. Change it often, particularly as employees leave, and use a guest network if possible. Whitelist devices if you want even more restrictive network access.
  2. Download firmware updates from your router’s manufacturer and install them to ensure your router is up to date and secure. This will protect against potential vulnerabilities and attacks.
  3. Enable network encryption by using WPA2 or WPA3, depending on your device’s compatibility, to protect your network traffic. This will prevent anyone from accessing your data and potentially stealing sensitive information.
  4. Disable remote management so that no one can access your router settings from outside of your network. This helps prevent unauthorized changes to your router settings.
  5. Use a firewall on your router and any devices connected to your network to prevent unauthorized access to your network and data. Segment parts of your network that are more sensitive than others.
  6. Back up important data, as there is no better defense against ransomware.

See the Best Backup Solutions for Ransomware Protection

Bottom Line: Wireless Security

Wireless security is critically important for protecting wireless networks and services from unwanted attacks, breaches and access. Left unprotected, a wireless network can easily be accessed by unauthorized users who disrupt operations and steal sensitive data.

To protect wireless networks, you need to have secure and strong authentication procedures, encryption protocols and access control policies. Secure routers, properly configured, are one of the most important wireless security controls, and tools like intrusion detection and prevention systems and firewalls can further boost security.

Wireless security protocols have evolved greatly over the years, and networks using WPA2 or WPA3 are off to a good start toward better security. By using the latest protocols, tools and practices, you can significantly improve the security of your wireless network and protect it from unauthorized access or hacking attempts.

The post Wireless Security: WEP, WPA, WPA2 and WPA3 Explained appeared first on eSecurityPlanet.

]]>