Security Compliance Articles | eSecurity Planet
https://www.esecurityplanet.com/compliance/
Industry-leading guidance and analysis for how to keep your business secure.
Feed last updated: Fri, 06 Dec 2024 18:15:02 +0000

5 Best Cybersecurity Certifications to Get in 2025
https://www.esecurityplanet.com/networks/cybersecurity-certifications/
Thu, 31 Oct 2024 13:30:00 +0000

Boost your career and job security with a cybersecurity certificate. Gain in-demand skills, access to high-paying roles, and protect vital information.

Cybersecurity certifications remain a crucial benchmark for validating a professional’s expertise and experience in 2025. As the demand for skilled cybersecurity professionals grows, these certifications offer a recognized standard of credibility. Earning a certification not only helps candidates advance their careers by showcasing their knowledge but also opens doors to networking opportunities and specialized roles.

Many organizations now use these certifications as a requirement for hiring. At the same time, IT professionals gauge their peers’ skills and dedication through the types and levels of certifications obtained. In 2025, staying certified ensures you remain competitive in an evolving field.


Cybersecurity Certification Comparison Chart

IT and security professionals need different cybersecurity certifications in their careers. Initially, entry-level certificates open opportunities to move into your first cybersecurity positions, but later, advanced or specialty certifications will validate experience and open doors to even more opportunities.

Certificate | Test Pricing | Who It's For
CompTIA Security+ | $392 | Individuals starting on their cybersecurity careers or those who wish to solidify their foundational knowledge in the field
Certified Information Systems Security Professional (CISSP) | $749 | Cybersecurity professionals who are ready to elevate their careers
Certified Ethical Hacker (CEH) | $2,199 to $3,499 | IT professionals aiming to specialize in ethical hacking and penetration testing
Certified Information Systems Auditor (CISA) | $575 for ISACA members and $760 for non-members | IT auditors, audit managers, consultants, and other security professionals
ISACA Certified in Risk and Information Systems Control® (CRISC®) | $575 for ISACA members and $760 for non-members | Particularly suited for risk analysts, IT managers, and compliance officers

For additional insights, industry podcasts can be a valuable resource — check out this list of top cybersecurity podcasts for expert perspectives and the latest trends in the field.

Top 5 Best Cybersecurity Certifications

1. CompTIA Security+

CompTIA Security+ is a globally recognized entry-level certification that establishes foundational cybersecurity skills. Covering topics like network security, threat management, cryptography, and risk management, it provides an excellent starting point for launching a career in cybersecurity. This certification equips candidates with the essential knowledge to secure information systems and networks effectively.

Who Should Get This Certification?

CompTIA Security+ is tailored for individuals starting on their cybersecurity careers or those who wish to solidify their foundational knowledge in the field. It is particularly beneficial for roles such as:

  • Security Administrator: Responsible for maintaining the security of the organization’s network and systems.
  • Systems Administrator: Ensures the functionality and security of computer systems, often implementing security measures.
  • Network Administrator: Manages the organization’s network infrastructure and is crucial in safeguarding against cyber threats.

This certification not only helps beginners break into the industry but also serves as a valuable credential for experienced professionals looking to validate their skills.

Exam Pricing & Format

  • Pricing: The exam fee for CompTIA Security+ is approximately $392. This investment is generally considered reasonable, given the certification’s reputation and the opportunities it can unlock for candidates.
  • Format: The exam consists of 90 questions, including multiple-choice and performance-based questions that assess real-world problem-solving skills in a simulated environment.

Exam Requirements

While there are no formal prerequisites for taking the CompTIA Security+ exam, it is strongly recommended that candidates have at least two years of IT experience and a foundational understanding of networking concepts. Familiarity with basic security principles will also benefit candidates during their studies and exam preparation.

Exam Prep

Candidates preparing for the CompTIA Security+ exam can access various resources, including official CompTIA courses taught by certified instructors and online training platforms like Udemy and Pluralsight. Practice exams help familiarize them with the test format, while various books and study guides provide detailed insights and additional practice opportunities.

Salary Range & Sample Job Listings

  • Salary Range: Individuals holding the CompTIA Security+ certification can earn between $55,000 and $90,000 annually, depending on their experience, job role, and geographical location. Entry-level positions may start lower, while those with more experience or in higher-demand areas may command higher salaries.
  • Sample Job Listings:
    • Security Analyst: Responsible for monitoring and defending an organization’s networks and systems against threats.
    • Systems Administrator: Maintain and secure the company’s IT infrastructure, ensuring all systems run efficiently and securely.
    • Network Security Engineer: Specializes in protecting network integrity and security, often designing security measures to safeguard networked systems.

2. Certified Information Systems Security Professional (CISSP)

The Certified Information Systems Security Professional (CISSP) certification is a highly respected credential in the cybersecurity industry, administered by (ISC)². It validates expertise in designing, implementing, and managing cybersecurity programs, covering risk management, asset security, and security architecture. This certification is ideal for professionals aiming to establish themselves as leaders in the field.

Who Should Get This Certification?

CISSP is tailored for seasoned cybersecurity professionals ready to elevate their careers. Ideal candidates for this certification typically hold roles such as:

  • Security Consultant: Offers expert advice to organizations on best security practices and risk mitigation strategies.
  • Security Manager: Oversees an organization’s security policies and procedures, ensuring compliance with regulations and effective risk management.
  • IT Director: Responsible for an organization’s overall technology strategy, including cybersecurity initiatives.

This certification is especially beneficial for individuals seeking leadership positions, as it demonstrates a comprehensive understanding of information security and the ability to manage complex security environments.

Exam Pricing & Format

  • Pricing: The exam fee for the CISSP is approximately $749, which reflects its status as a premier certification in cybersecurity.
  • Format: The exam employs computerized adaptive testing, consisting of 100 to 150 questions that adjust in difficulty based on the test taker’s responses. This format allows for a more personalized assessment of knowledge and skill levels.

Exam Requirements

To be eligible for the CISSP certification, candidates must meet specific requirements, including:

At least five years of cumulative paid work experience in two or more of the eight domains outlined in the (ISC)² CISSP Common Body of Knowledge (CBK). These domains include:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

If a candidate does not have the requisite experience, they may still take the exam and earn an Associate of (ISC)² designation, which allows them to work towards the required experience over time.

Exam Prep

Candidates preparing for the CISSP exam can choose from several options. Official (ISC)² training courses offer comprehensive coverage of exam topics, often led by experienced instructors. Intensive online boot camps provide a focused, fast track to certification. Study groups encourage peer support and accountability, while various study guides and practice exams offer detailed explanations and practice questions to enhance preparation.

Salary Range & Sample Job Listings

  • Salary Range: CISSP-certified professionals typically earn between $100,000 and $160,000 annually, with variations based on experience, location, and specific job roles. As cybersecurity threats continue to escalate, demand for certified professionals remains high, often resulting in competitive salaries.
  • Sample Job Listings:
    • Information Security Manager: Responsible for developing and enforcing policies to protect an organization’s information assets.
    • IT Security Consultant: Provides insights and solutions for enhancing an organization’s security posture, including risk assessments and vulnerability management.
    • Chief Information Security Officer (CISO): A senior executive responsible for an organization’s information security strategy, overseeing the security team, and ensuring compliance with regulatory requirements.

3. Certified Ethical Hacker (CEH)

The Certified Ethical Hacker (CEH) certification, offered by the EC-Council, equips IT professionals with essential skills to identify and exploit vulnerabilities in systems and networks. Focusing on ethical hacking techniques, it emphasizes understanding the mindset of malicious hackers to better defend against cyber threats. This credential is crucial for advancing careers in cybersecurity, particularly in penetration testing.

Who Should Get This Certification?

The CEH certification is ideal for IT professionals specializing in ethical hacking and penetration testing. It is well-suited for individuals in roles such as:

  • Penetration Tester: Responsible for simulating cyber attacks on an organization’s systems to identify weaknesses and recommend security improvements.
  • Security Analyst: Focuses on monitoring and analyzing security incidents, assessing vulnerabilities, and implementing strategies to enhance the organization’s security posture.
  • Network Engineer: Works on designing and implementing secure network architectures, ensuring that all systems are resilient against potential cyber threats.

This certification is particularly beneficial for those looking to transition into offensive security roles or enhance their skills with ethical hacking knowledge.

Exam Pricing & Format

  • Pricing: The CEH exam costs approximately $1,199, which reflects the comprehensive nature of the training and certification process.
  • Format: Candidates will face 125 multiple-choice questions during the exam, testing their knowledge of various ethical hacking tools and techniques and their understanding of security protocols and best practices.

Exam Requirements

To qualify for the CEH certification, candidates must meet specific criteria:

  • At least two years of work experience in the Information Security domain is recommended. Alternatively, candidates can attend an official EC-Council training program to waive this requirement.
  • Candidates should possess foundational knowledge in networking and basic security principles to facilitate their understanding of the exam content.

Exam Prep

Candidates preparing for the CEH certification can utilize various resources, including official EC-Council training courses that offer comprehensive instruction and hands-on labs. Additionally, numerous online platforms provide tailored courses, video tutorials, and interactive exercises. Study guides and practice exams from various authors also help candidates cover exam topics and assess their readiness effectively.

Salary Range & Sample Job Listings

  • Salary Range: Professionals holding the CEH certification typically earn between $70,000 and $120,000 annually, with the potential for higher salaries depending on experience, location, and specific job roles within the organization.
  • Sample Job Listings:
    • Penetration Tester: Conducts simulated attacks to uncover vulnerabilities in systems and applications, providing detailed reports on findings and recommendations for remediation.
    • Ethical Hacker: Works on the front lines of cybersecurity, using hacking techniques to assess the security of networks and systems, ensuring robust defenses are in place.
    • Security Consultant: Advises organizations on security best practices and strategies, often conducting assessments and vulnerability tests to enhance overall security measures.

4. Certified Information Systems Auditor (CISA)

The Certified Information Systems Auditor (CISA) certification, offered by ISACA, validates expertise in information systems auditing, control, and security. Tailored for professionals ensuring information systems’ integrity, confidentiality, and availability, CISA is increasingly in demand as organizations prioritize cybersecurity and risk management.

Who Should Get This Certification?

The CISA certification is specifically designed for:

  • IT Auditors: Professionals who assess and evaluate an organization’s information systems and processes to ensure compliance and security.
  • Audit Managers: Individuals overseeing audit teams and ensuring the quality and integrity of audit processes within their organizations.
  • Consultants: Those providing expert advice on information systems and security, helping organizations improve their governance and risk management practices.
  • Security Professionals: Individuals looking to demonstrate their proficiency in information systems auditing and enhance their cybersecurity and risk management career prospects.

Exam Pricing & Format

  • Pricing: The CISA certification exam costs approximately $575 for ISACA members and $760 for non-members. This pricing structure encourages membership within ISACA, providing additional resources and networking opportunities.
  • Format: The exam consists of 150 multiple-choice questions, designed to assess candidates’ knowledge across various domains related to information systems auditing and control.

Exam Requirements

To be eligible for the CISA certification, candidates must meet the following requirements:

  • Professional Experience: At least five years of professional experience in information systems auditing, control, or security is required. This experience helps ensure that candidates possess the necessary practical knowledge to perform in the auditing role effectively.
  • Domain Experience: Candidates must have specific experience in at least two of the five CISA domains, which encompass areas such as information system auditing processes, governance and management of IT, and information systems acquisition, development, and implementation.

Exam Prep

Candidates preparing for the CISA certification can utilize various resources, including ISACA’s official review courses for structured study, comprehensive study guides and online materials for concept understanding, and practice exams to familiarize themselves with the test format and question types.

Salary Range & Sample Job Listings

  • Salary Range: Certified CISA professionals can earn between $80,000 and $130,000 annually, depending on factors such as experience, geographic location, and the specific nature of their roles.
  • Sample Job Listings:
    • IT Auditor: Responsible for assessing and evaluating the effectiveness of an organization’s information systems and controls, ensuring compliance with regulations and best practices.
    • Audit Manager: Oversees audit activities and manages audit teams, ensuring the organization’s financial and operational audits’ accuracy and integrity.
    • Compliance Analyst: Focuses on ensuring that the organization adheres to internal policies and external regulations, particularly concerning information security and data protection.

5. ISACA Certified in Risk and Information Systems Control® (CRISC®)

The Certified in Risk and Information Systems Control® (CRISC®) certification, offered by ISACA, is designed for IT professionals focused on managing risk, implementing effective controls, and ensuring robust governance.

As businesses increasingly navigate complex regulatory environments and cybersecurity threats, CRISC certification equips professionals with the knowledge and skills necessary to identify, assess, and mitigate risks associated with information systems.

Who Should Get This Certification?

The CRISC certification is particularly suited for:

  • Risk Analysts: Professionals who assess potential risks to information systems and develop strategies to mitigate them.
  • IT Managers: Individuals responsible for overseeing IT operations, ensuring that risk management and governance frameworks are implemented effectively.
  • Compliance Officers: Those tasked with ensuring that organizations adhere to relevant regulations and standards, particularly concerning information security and data privacy.

Exam Pricing & Format

  • Pricing: The exam fee for CRISC certification is approximately $575 for ISACA members and $760 for non-members. Membership with ISACA provides candidates with access to a wealth of resources and professional networking opportunities.
  • Format: The certification exam consists of 150 multiple-choice questions, evaluating candidates’ understanding of risk management concepts and their ability to apply them in real-world scenarios.

Exam Requirements

To qualify for the CRISC certification, candidates must meet the following criteria:

  • Professional Experience: Candidates should possess at least three years of experience in risk management and information systems control, ensuring they have a solid foundation in the subject matter.
  • Domain Knowledge: Experience must be in at least two of the four CRISC domains, which include:
    • Risk Identification
    • Risk Assessment
    • Risk Response and Mitigation
    • Risk and Control Monitoring and Reporting

Exam Prep

Candidates preparing for the CRISC certification can benefit from several resources. ISACA offers detailed review guides covering the exam content, while various online courses and webinars provide flexible learning options. Practicing with sample questions and exams helps candidates familiarize themselves with the format and reinforce their knowledge.

Salary Range & Sample Job Listings

  • Salary Range: Professionals holding a CRISC certification can expect salaries ranging from $90,000 to $140,000 annually, depending on experience, industry, and location.
  • Sample Job Listings:
    • Risk Manager: Responsible for developing and implementing risk management strategies, assessing potential threats, and ensuring compliance with regulations.
    • Compliance Specialist: Focuses on monitoring and enforcing compliance with laws and internal policies, working closely with various departments to ensure adherence.
    • IT Risk Analyst: Analyzes potential risks to IT systems, assesses vulnerabilities, and recommends strategies for mitigating risks and enhancing security.

For those interested in getting started in a cybersecurity career, here is a useful resource on How to Get Started in a Cybersecurity Career. This guide provides practical insights and tips for anyone looking to break into the field, helping to bridge the gap between entry-level certifications and the skills required for a successful career in cybersecurity.

Frequently Asked Questions (FAQs)

How Do You Prepare for Cybersecurity Certification?

To prepare for cybersecurity certification, review the exam requirements to assess your knowledge. Experienced candidates may find inexpensive study guides sufficient, while others might need comprehensive self-study or instructor-led courses. Most certification programs offer low-cost study guides, practice tests, and courses on their websites.

Additionally, numerous third-party resources, including Coursera, Cybrary, ITPro.tv, Training Camp, and Udemy, are available for further preparation.

Which Cybersecurity Certification Should I Get First?

If you’re just starting out, earn one or more of the top entry-level certifications to secure your first role in cybersecurity. After gaining 2–5 years of experience, consider advancing with a career-focused or specialized certification to expand your opportunities.

To stay updated and informed, follow experts in the field; check out this guide to top cybersecurity voices on X (formerly Twitter) for insights and trends.

How Do I Know Which Advanced or Specialty Certification Is Right For Me?

To find the best advanced or specialty certification for your career goals, consider your interests and review job listings for the required certifications in your desired roles over the next 3–10 years. If you’re still unsure, explore the LinkedIn profiles of admired colleagues, peers, or industry influencers to see their certifications. This can highlight respected certifications that align with your interests and validate your skills.

Can You Get a Cybersecurity Job with Just Certifications?

Certifications verify knowledge or experience but must be combined with other factors to land a job. The basic requirements for employment also include an appropriate job history for the position, effective communication during interviews, and a good fit for the hiring organization’s needs.

Bottom Line: A.B.C. (Always Be Credentialing)

In the constantly changing cybersecurity landscape, credentials are essential for career growth, skill validation, and staying competitive. Certifications showcase expertise and keep professionals aligned with industry standards and best practices. By consistently pursuing relevant certifications, you demonstrate a commitment to professional development and adaptability, traits that are highly valued in the field.

Remember, in cybersecurity, always be credentialing: staying up-to-date ensures you’re prepared to meet new challenges, build resilience in your career, and open doors to exciting opportunities. Additionally, understanding industry services like Managed Security Service Providers (MSSPs) can further enhance your strategic value in the field.

IT Security Policy: Importance, Best Practices, & Top Benefits
https://www.esecurityplanet.com/compliance/it-security-policies/
Wed, 23 Oct 2024 15:10:10 +0000

IT security policies are essential to get right. Discover their importance and benefits. Learn best practices for safeguarding your organization's network.

Written security policies do not directly improve network security, so some security practitioners sneer at written policy requirements. However, security practitioners in mature organizations not only understand the importance and benefits of written policies, they draft and promote the regulations that declare formally drafted policies as the basic requirement to start down the path to security maturity.

Policies provide a foundation of directives, regulations, rules, and practices that define how each organization will manage, protect, and distribute information. Additionally, regulators often cite a lack of formal policies as negligence as well as cause for higher fines and punishments after a breach.


What Is the Ultimate Goal of an IT Security Policy?

The ultimate goal of an IT security policy is to provide a formalized set of rules and policies to benchmark the IT and cybersecurity posture of an organization. This benchmark can be used for a variety of purposes, but will most often be used to:

  • Demonstrate that risks are controlled and managed
  • Meet compliance obligations
  • Measure quality and capabilities of controls and staff
  • Mitigate liabilities in the event of a breach

The Importance & Core Objectives of IT Security Policies

The U.S. National Institute of Standards and Technology (NIST) published An Introduction to Information Security (NIST SP 800-12) that declares:

“Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.”

To organizations new to written policies, starting the process of developing security policies can be intimidating. Yet all organizations deploy security strategies that act as unwritten and unofficial strategies. The key disadvantage to these unwritten security strategies is that when they fail to protect the resources, the organization will struggle to prove to regulators and juries that the IT and security teams executed an appropriate and sufficient cybersecurity strategy.

Written policies, especially those that require regular reports, naturally generate the evidence of compliance. They also show a formal security strategy that has been approved by corporate management.

Most importantly, written policies enable key IT security objectives that will have a daily impact on the organization by formalizing IT security strategies, goals, and objectives; managing user behavior; and measuring IT security success.

Formalize IT Security Strategies, Goals, & Objectives

Written policies provide written instructions that can be used to show the intended strategy of the organization. Most strategies focus on the key objectives of information security:

  • Confidentiality: Allow access to specific data only to the users that need access
  • Integrity: Prevent accidental or unauthorized modification of data in storage or in transit
  • Availability: Provide continual access to data and systems for legitimate users

However, not all existing practices will always be found to incorporate best practices or adequately address these key objectives. The process of developing a security policy helps the IT security team to reflect on and improve the current practices as they are forced to write them down and compare them against goals and compliance requirements.

The policy creation process also helps to align the IT security goals and objectives with those of the business as policy goes through review by non-technical executives affected by the policies. In the end, the organization should enjoy the benefits of a policy that provides formal strategies, goals, and objectives that enable business growth within the protection of validated IT security strategies.

Manage User Behavior

Policies provide rules for acceptable use, access, and penalties for non-compliance for users of all kinds, from guest users on the public Wi-Fi network to administrative access of data center servers. These written policies then guide the settings within identity and access management (IAM) or privileged access management (PAM) tools.

Of course, IAM and PAM tools can be established without written policies, but written policies ensure consistent rules applied across the organization. The formal policies also provide a standard that can be compared against practices to determine if the practices are sufficient and within compliance.

Measure IT Security Success

An effective policy sets clear expectations for the IT security team. Reports required by policies should show compliance with the policy and enable the IT security team to measure their success to meet the goals of the policy.

While employees always strive for success, falling short can also be used to justify increases in resources. For example, if reports required by the patch management policy show that the patching of critical updates takes longer than desired, the management can consider adding more resources or outsourcing some functions.

6 Top IT Security Policy Benefits

Organizations of all sizes tend to avoid the hassle of documentation because the task seems overwhelming, tedious, and constraining. However, an effective security policy delivers six key benefits: IT hardening, employment defense, executive and board member peace of mind, litigation protection, compliance easy button, and improved operational efficiency and resilience.

IT Hardening

Developing an effective security policy will naturally enable a security process that hardens the IT environment against attack. Although some might consider compliance the primary motivation for written policies, the process of creating the policy forces security teams to evaluate systems more rigorously and address issues that might be overlooked in day-to-day operations.

Employment Defense

Despite the best efforts of the IT team, people will still click on phishing links, zero-day vulnerabilities will still be discovered, and company resource constraints may require some vulnerabilities to remain exposed. Although compliance with security policies can reduce the risk, attacks may still succeed in damaging the organization.

In many cases, executives may initially look for a scapegoat to take the blame for an incident and IT or security teams often will be targeted. An IT or security team that can demonstrate compliance with an executive-approved security policy also shows that best efforts were made to prevent possible breaches. This documentation can protect employees against unfair treatment after a breach and protect their jobs.

Executive & Board Member Peace of Mind

Effective security policies require reports that can be shared with non-technical executives to enable confidence in the IT and security teams. Policies reduce technical details into numeric reports and easy-to-understand metrics that make the status of security processes understandable and accessible to non-technical executives.

Clear reports enable smooth communication with executives and the board of directors of an organization to help build confidence in the security posture of the organization. Such reports not only demonstrate that the organization considers information security a high priority, but also build confidence that can translate into improved support for additional resources.

Litigation Protection

In the event of a breach or successful cybersecurity attack, government agencies or stakeholders may attempt to pursue legal action against the organization. Fortunately, legal standards generally only require “reasonable efforts,” which can be supported with the documentation from an effective security policy and the reports that demonstrate the policies have been implemented.

Organizations without formal reporting and processes will need to scramble to figure out what documentation may be required to support past efforts and then hope they still have the archival logs or other data to create that documentation. Organizations with formal documentation and reporting will already have a significant portion of their evidence ready to present with minimal effort or business disruption.

Compliance Easy Button

An effective security policy should be designed to reflect the compliance requirements of the organization. Auditors always ask for written policies to help them easily understand the objectives of the organization and the type of evidence they can expect to receive.

Fulfilling a written policy that already conforms to a compliance framework makes it easy for the organization to satisfy the regulatory requirements. The organization’s regular internal reports will naturally provide evidence of compliance without any additional effort or steps.

Improved Operational Efficiency & Resiliency

An effective portfolio of security policies can help the organization:

  • Recognize end-of-life hardware and software for replacement
  • Quickly recognize infrastructure under strain from attack, failure, or workload
  • Verify settings and integration between systems
  • Ensure resilience of systems to minimize downtime
  • Ensure integrity and availability of data
  • Document uptime for internal and customer service level agreements (SLAs)

The survival of the business depends upon uptime and protected assets. Formalized documentation of security processes provides an internal checklist to protect assets, maintain uptime, and minimize mistakes.

Written policies also help with IT personnel transitions by providing documentation of expectations and reports of past activity. These will combine to save time by helping new IT employees grasp the status and expectations of the organization with less training.

3 Types of Security Policies

When developing a comprehensive set of security policies, an organization can get lost in the details. The SANS Institute alone provides templates for more than 60 different policies! These granular policies help a mature organization, but an organization just getting started needs a bit more focus.

The three types of policies defined by the National Institute of Standards and Technology (NIST) Special Publication 800-12 include program, issue-specific, and system-specific policies.

Program policies provide strategic, high-level guidance for the overall information security program. These can be single documents, such as the program policy of the University of Arizona, that give an overview of the goals and objectives of the security program. These policies are intended to be evergreen and not require frequent updates, and they often reference other types of policies in an appendix that can be updated more frequently without revising the program policy itself. Program policies tend to be too vague to measure or verify. Program policies outside of security might cover business continuity or risk management.

Issue-specific policies provide directed guides for specific components of the information security program, but at a level of abstraction that describes goals, objectives, and reporting requirements instead of naming specific tools, techniques, and settings. These policies need to be reviewed periodically to ensure they remain current in the face of organizational, technological, or compliance changes. Examples of issue-specific security policies include network security, password, endpoint, and encryption policies. Some issue-specific policies may fall under multiple program policies such as data backup (security, business continuity) or acceptable-use policies for employees (security, HR).

System-specific policies describe how issue-specific policies will be applied and enforced on specific systems: for example, how the network security, user access, vulnerability management, and change control policies will be enforced for a specific firewall or for a class of servers in a data center. These detailed policies are enforced through settings on the devices themselves or through centralized software that manages the devices.

Common Issue-Specific Policies

For an organization beginning to implement security policies, the focus should start with relevant issue-specific policies. The specific key policies will depend upon the organization. Although many will start with access, network, endpoint, and password policies, these priorities reflect a traditional IT environment. A small virtual office of five stock brokers using Google Workspace might instead focus on data security, data backup, and remote access policies to comply with SEC and FINRA requirements.

Here are 10 common issue-specific and related policies:

  • Acceptable Use Policy (AUP)
    • Instructs the organization how end users are permitted to use IT systems and services (computers, networks, data, internet, email)
    • Related policies: security awareness training policy, executive and administrative access policy
  • Access Policy
    • Instructs an organization how to classify, enforce, and manage access, authentication, and accounting of users across various system and data classifications
    • Related policies: physical access policy, system access policy, privileged access policy, remote access policy (may include remote desktop [RDP] or virtual private network [VPN] policies), password policy, identity and access management policy, multi-factor authentication (MFA) policy, vendor management policy
  • Application Security Policy
    • Instructs an organization how to secure code development and the connections to other corporate resources
    • Related policies: application programming interface (API) security policy, database security policy, application development policy
  • Cloud Security Policy
    • Instructs an organization how to secure access, data, networks, and applications on cloud-based resources
    • Related policies: cloud use policy, software as a service (SaaS) security policy, infrastructure as a service (IaaS) policy
  • Data Management Policy
    • Instructs an organization on the retention, management, and security of different classifications of data
    • Related policies: data retention policy, insider threat protection policy, encryption and cryptography policy, information security policy, data and asset classification policy, regulated data policy
  • Disaster Recovery Plan
    • Instructs an organization how to proceed with business recovery under various emergency circumstances
    • Related policies: backup policy, redundancy policy, capacity planning policy, stress testing policy
  • Endpoint Security Policy
    • Instructs an organization how to secure access, data, and applications on user-accessed endpoints that connect to the organization’s network and other resources
    • Related policies: endpoint security policy, bring-your-own-device (BYOD) security policy, mobile device policy, server security policy, container security policy
  • Incident Response and Monitoring Policy
    • Instructs an organization how to detect, identify, validate, track, mitigate, remediate, and manage potential security incidents
    • Related policies: log tracking and audit policy, attack-specific policies (ransomware, DDoS, etc.), data breach response policy
  • Network Security Policy
    • Instructs an organization how to secure access and data flows, and how to monitor connections between users and data
    • Related policies: firewall security policy, network security policy, email protection and security policy, wireless network and guest access policy
  • Vulnerability Management Policy
    • Instructs an organization how to locate, validate, prioritize, mitigate, and track vulnerabilities
    • Related policies: patch management policy, change management policy, vulnerability scanning policy, penetration test policy

5 Best Practices for Writing IT Security Policies

An organization can create an effective security policy by following five key best practices: focus on what to do rather than how, make policies practical, right-size policy length, keep policies distinct, and make policies verifiable.

Focus on What to Do, Not How

Technology changes so quickly that a policy will usually not be able to keep up with the technical details such as security tools and IT architecture specifics. When writing any IT-related policy, the policy should focus on the high-level goals, key deliverables, and compliance requirements.

The IT team will then use those requirements in combination with their budget and personnel constraints to develop an appropriate solution. Too many details either force the policy to be updated constantly or lock the IT team into obsolete tools, practices, or perspectives that may ultimately undermine instead of strengthening security. Where needed, exhibits or additional reports can be used to provide details that may need to be changed more frequently than the policy itself.

Some organizations will treat system-specific policies as an exception that requires detailed descriptions of tools, settings, and allowed users. Others keep system-specific policies at a high level and maintain separate work instructions that hold the details. This is a matter of preference for the individual organization.

Make Policies Practical

Security policies won’t be successful if they do not work for the team responsible for the policy, are not understandable, or don’t fit the organization. In some cases, these objectives will come into conflict, and the policy-creating team will need to work with stakeholders to strike an effective balance.

Stakeholder-Friendly Policies

Stakeholder-friendly policies will be more readily adopted by IT and security teams responsible for implementing the policy or the users affected by them. When policies demand too many changes, impractical requirements, or exceed the resource constraints, the policies may be undermined, circumvented, or ignored.

To enable stakeholder-friendly policies, don’t dramatically change practices or add unnecessary details and instructions. Unless required by compliance or best practices, build off of existing practices to enable rapid adoption by both affected users and the teams enforcing the policy.

Additionally, use titles instead of names and tool categories instead of specific security tool names. This prevents the need to change the policy for every tool change, personnel change, or outsourcing engagement.

Understandable Policies

Not all readers have English as their first language, especially in international companies attempting to standardize policies worldwide. When drafting policies, use simple language written plainly for both the non-technical and non-legal audience.

During the drafting process, the document should be distributed to executives, legal counsel, and key staff members responsible for implementing the policy. Any confusion, vagueness, or uncertainty should be addressed and eliminated before approving the policy.

Fit Organization Needs

Tools and processes must fit the true needs of the organization and should not be followed blindly or without thought. Although every organization should begin drafting policies based upon existing practices and capabilities, this can lead to a trap of preserving incomplete processes into written policies. The organization should carefully examine their environment and ensure the policy reflects their true needs.

For example, an IT team of a hospital may use a commercial tool to conduct vulnerability scanning of their IT environment, but the tool may only scan PCs, network devices, and servers, which leaves an enormous range of healthtech devices unscanned for vulnerabilities. Their policy requirements should not reflect the limited devices currently scanned, but the full range of devices that need to be included in the vulnerability management process.

Policies should also have minimal exceptions and those exceptions should be documented. If the C-suite executives insist on being exempted from the password policy, then they should also be prepared to justify that exemption in court once the company suffers a breach. Just like employees, senior management should understand, agree with, and be bound by security policies.

Right-Size Policy Length

Policies should be no longer and no shorter than needed. IT and security teams often favor shorter policies because the lack of defined requirements provides them with maximum flexibility for execution. However, the lack of defined requirements often leaves gaps in requirements or makes the policies hard to verify for management or compliance.

On the other hand, attorneys often feel compelled to lock down as many details as possible to make verification more simple and to clarify as many points as possible. Unfortunately, this often tends to lead to over-prescriptive requirements that lock an IT team into the requirements of the moment and leave little room for keeping up with a dynamic IT environment.

These opposing forces must be balanced. IT teams, executives, and attorneys must work together to produce a document with sufficient detail that the IT team can clearly demonstrate compliance with the policy, but not so much detail that the policy becomes a shackle on the security process.

Keep Policies Distinct

Security and compliance teams will look for information in expected policies. For example, to look up policies regarding endpoint protection, most would first look for an overall security policy or a specific endpoint protection policy. To bury the information in a vulnerability management policy is unintuitive and may lead to confusion.

Security policy creation teams should also avoid the temptation to copy-paste elements from other existing policies, such as a password policy, into semi-related policies (remote access, endpoint protection, etc.) for completeness. Unless the documents are linked to enable automatic updates, the copied information will rapidly become out of date. Instead of inserting sections of the other existing policies, reference them as needed.

Policies should be individually comprehensive with minimal overlap. Overlap with other policies can lead to language conflicts, uncertainties, and gaps in compliance and security. In the event an organization decides to mix policies, an index or guide should be produced to help team members locate policy information rapidly.

Make Policies Verifiable

Vague policies with nebulous, undefined deliverables satisfy only the requirement to have a policy, not the requirement to have a useful one. Effective policies define the deliverables clearly so that the IT or security team will have no difficulty satisfying policy requirements.

The security process should be measurable and testable to prove compliance with the policy as well as any relevant compliance frameworks. Reporting requirements should document metrics for measurement, define needed evidence (log files, vulnerability scans, etc.), the frequency of reports, and who should receive the reports.

How to Create a Security Policy in 4 Steps

Organizations large and small can create a functional security policy by following four key steps: determine the security policy principles, verify the security policy, approve the security policy, and review and modify the security policy.

Determine the Security Policy Principles

The person or team drafting the policy will first need to determine the critical rules and steps within the security policy. For example, some fundamental questions to answer include:

  • Who is responsible for the security process or standard?
  • Which people, assets, or systems will be covered by the security process or standard?
  • What are the security processes, standards, components, and priorities for each?
  • How can the security process or standard be validated and verified?
  • What reports are needed to establish and measure success and compliance for the security process or standard?

Don’t know where to start? Write down the current practice. Most IT teams have at least an informal process for nearly all security practices, even if they are not written down or monitored. This first draft can simply be notes. Formal paragraphs and language can come later after the basic principles have been outlined.

Verify the Security Policy

With the basic rules or principles in place, the policy development team should verify them against external requirements and practical limitations.

External Security Policy Requirements

Every organization faces general or specific regulations from international, federal, state, or local governments. Additionally, the organization may be required to comply, or may choose to comply, with compliance frameworks (NIST, PCI DSS, etc.) and industry standards.

Some compliance standards will be broad and vague, but others will be detailed or have specific requirements. The policy development team needs to check these external regulations and revise any rule that does not meet the compliance requirements.

Practical Security Policy Limitations

Most organizations have limited resources, and often idealized policies do not take these limitations into account. The security policy development team should test the proposed rules with the IT and security teams. If these teams cannot comply with standards and requirements with their current resources, the organization will need to adjust the rules or resources as necessary.

For example, when developing a patch management policy, the IT team may not have the ability to meet the patch management schedule requirements with the current tools and staffing resources. The organization will then need to consider adjusting the schedule (if allowed by compliance requirements) or adding additional resources (tool upgrades, staffing increases, outsourcing, etc.).

Approve the Security Policy

After verification of the proposed security policy rules, the rules need to be formalized and approved by the organization’s management. This is the point at which rough notes are revised into formal paragraphs, tables, and appendices.

Once drafted, pass the policy to corporate management and legal counsel for review and approval. The policy can be modified as required and the final draft should be signed by the executives of the organization to ratify and acknowledge the requirements.

Review & Modify the Security Policy

Even though the security policy is approved in step three, the organization, IT resources, and regulations will change over time. All policies should be living documents that evolve as the organization changes and should be periodically reviewed and updated. Generally, policies will be reviewed on a fixed schedule (quarterly, annually, bi-annually, etc.); however, notable events such as dramatic changes to IT architecture, adopting significantly different security tools, or a security breach may merit an off-schedule review.

Bottom Line: Create Policies to Improve Focus

Organizations tend to view formal paperwork as a burden, but effective IT security policies enable organizations to improve their security posture, spend less time on compliance, and eliminate many worries. With current and effective policies, large and small businesses, non-profit organizations, and even government entities can validate their presumed security posture and gain the confidence to focus on challenges more critical to their core mission.

2024 Cybersecurity Laws & Regulations
https://www.esecurityplanet.com/compliance/2024-cybersecurity-laws-regulations/ (Sat, 21 Sep 2024 09:11:26 +0000)

Cybersecurity laws and regulations enhance security, protect individuals' information, and ensure organizations manage threats effectively. Stay up to date here.
Understanding and adhering to cybersecurity regulations is crucial for any organization as cyber threats evolve and become more sophisticated. The landscape of cybersecurity laws and regulations today is set to undergo significant changes, impacting businesses, government entities, and individuals alike.

Let’s explore what to expect from the upcoming regulations, provide insights into critical federal and state laws, and offer practical compliance and risk management strategies.

What are Cybersecurity Laws & Regulations?

Cybersecurity laws and regulations encompass a range of legal requirements designed to protect information systems and data from cyber threats. These laws aim to establish standards for securing data, ensuring privacy, and mitigating risks associated with digital information. They cover various aspects of cybersecurity, including data protection, breach notification, and the responsibilities of organizations in safeguarding sensitive information.

By enforcing these regulations, governments seek to enhance the overall security posture of businesses and institutions, reduce the likelihood of cyber incidents, and promote trust in the digital ecosystem.

What are Federal Cybersecurity Regulations?

Federal cybersecurity regulations refer to the legal frameworks established by national authorities to govern the protection of information systems and data within the jurisdiction of a country. In the United States, federal cybersecurity regulations are primarily designed to safeguard government agencies, critical infrastructure, and certain private sector entities from cyber threats.

These regulations often set standards for cybersecurity practices, incident reporting, and compliance requirements. Various federal agencies enforce them and may include guidelines for implementing security measures, conducting risk assessments, and ensuring compliance with national security objectives.

Critical Federal Cybersecurity Laws to Be Aware Of

As cybersecurity threats grow more complex and pervasive, understanding key federal laws is crucial for ensuring compliance and protecting sensitive information. The following federal cybersecurity laws and frameworks play a significant role in shaping the cybersecurity landscape. Each of these regulations addresses different aspects of cybersecurity and data protection, making it essential for businesses and organizations to stay informed and proactive.

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) is a foundational piece of legislation that mandates comprehensive information security programs for federal agencies and their contractors. Enacted in 2002 and updated by the Federal Information Security Modernization Act (FISMA) of 2014, FISMA requires agencies to implement a risk-based approach to security. This includes developing and maintaining security plans, conducting regular risk assessments, and ensuring continuous monitoring of information systems. Agencies must also report on their security posture and any incidents that occur. FISMA’s focus on risk management and continuous improvement makes it a critical component of federal cybersecurity efforts.

Cybersecurity Information Sharing Act (CISA)

The Cybersecurity Information Sharing Act (CISA) aims to enhance collaboration between government and private sector entities by facilitating the sharing of cybersecurity threat information. 

CISA encourages organizations to exchange information about cyber threats, vulnerabilities, and incidents to improve collective cybersecurity. It also provides legal protections for entities that share information, reducing concerns about liability and privacy violations. CISA helps organizations better understand and respond to evolving cyber threats by fostering greater information exchange.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is designed to protect the privacy and security of consumer financial information. It applies to financial institutions and requires them to implement safeguards to protect nonpublic personal information (NPI). GLBA mandates that institutions develop privacy policies, disclose their information-sharing practices, and establish procedures for safeguarding customer data. The act also requires institutions to allow customers to opt out of having their information shared with non-affiliated third parties.

Health Insurance Portability & Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting sensitive health information, particularly electronic health records (EHRs). HIPAA mandates that healthcare providers, insurers, and business associates implement robust security measures to safeguard patient data. This includes administrative, physical, and technical safeguards like encryption and access controls. 

HIPAA also requires organizations to conduct regular risk assessments and report data breaches. Recent updates to HIPAA regulations may address new technologies and evolving threats in the healthcare industry.

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) regulates the collection of personal information from minors to protect the privacy of children under 13. COPPA requires operators of websites and online services directed at children to obtain parental consent before collecting, using, or disclosing personal information.

The act also mandates clear privacy policies and allows parents to review and delete their child’s information.

Computer Fraud & Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA) addresses unauthorized access to computer systems and data, criminalizing hacking, identity theft, and fraud. CFAA makes it illegal to access computers without permission or to use malicious software to exploit vulnerabilities.

The act also covers various forms of cybercrime, including malware distribution and data theft. Recent amendments to the CFAA may include updates to address new cybercrime techniques and technological advancements.

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act (ECPA) governs the interception and disclosure of electronic communications, including emails and other digital messages. ECPA protects against unauthorized access to communications and sets procedures for law enforcement agencies to obtain access to stored communications. The act aims to balance privacy rights with the needs of law enforcement in investigating cybercrimes.

National Institute of Standards & Technology (NIST) Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of guidelines for managing and mitigating cybersecurity risks. Organizations across various sectors widely adopt the framework to enhance their cybersecurity posture. It includes best practices for identifying, protecting, detecting, responding to, and recovering from cyber incidents. 

The NIST framework is designed to be flexible and adaptable to different organizational needs and threat landscapes. 

What are State Cybersecurity Regulations?

State cybersecurity regulations are legal requirements enacted by individual states to address cybersecurity concerns within their jurisdiction. These regulations often complement federal laws but can also introduce specific requirements tailored to state-level needs and priorities. State cybersecurity laws may cover various topics, including data protection, breach notification, and sector-specific regulations.

By establishing their own cybersecurity standards, states aim to enhance the security of information systems and data within their boundaries, particularly in sectors that federal regulations may not cover.

Notable State Cybersecurity Laws to Know

Each state may have its own set of cybersecurity laws and regulations. Here are some notable state-specific laws to be aware of:

California: California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)

California’s California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) establish comprehensive privacy protections for residents. The CCPA requires businesses to provide transparency about data collection practices and allows consumers to opt out of the sale of their personal information.

The CPRA, which builds on the CCPA, introduces additional rights and strengthens consumer protections, including establishing the California Privacy Protection Agency (CPPA) to enforce the law.

New York: New York SHIELD Act

The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) enhances data security requirements for businesses handling the private information of New York residents. The act mandates that businesses implement reasonable safeguards to protect personal data and report data breaches in a timely manner.

The SHIELD Act aims to improve the overall security of personal data and ensure that organizations take proactive measures to prevent breaches.

Massachusetts: Massachusetts Data Security Regulation (201 CMR 17.00)

Massachusetts Data Security Regulation (201 CMR 17.00) enforces standards from M.G.L. c. 93H to protect the personal information of Massachusetts residents. It requires businesses to implement minimum safeguards for paper and electronic records, ensuring security and confidentiality.

The regulation aims to prevent unauthorized access, mitigate threats, and avoid substantial harm or inconvenience to consumers by aligning with industry standards.

Texas: Texas Business & Commerce Code Chapter 521

Texas Business and Commerce Code Chapter 521 sets standards for protecting personal information. It requires businesses to secure both electronic and physical records against unauthorized access and data breaches. The code mandates data protection policies and breach notifications, ensuring the confidentiality of consumer information and enhancing overall data security in Texas.

Colorado: Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) establishes data protection rights for Colorado residents and requires businesses to implement measures to protect personal information. The CPA includes data access, correction, and deletion provisions and requirements for transparency and consent in data processing activities.

Virginia: Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) provides Virginia residents with rights regarding their personal data, including the right to access, correct, and delete information. The VCDPA also requires businesses to implement data protection measures and conduct impact assessments for certain data processing activities.

Nevada: Nevada Privacy Law

Nevada’s Privacy Law focuses on consumer rights related to the sale of personal information and requires businesses to provide consumers with opt-out mechanisms. The law aims to give individuals more control over their personal data and enhance transparency in data processing practices.

Washington: Washington Privacy Act (WPA)

The Washington Privacy Act (WPA) establishes comprehensive privacy protections for Washington residents, including rights to access, delete, and correct personal information. The WPA also requires businesses to conduct data protection impact assessments and implement security measures to protect personal data.

Cybersecurity Regulations by Industry

Different industries have unique cybersecurity requirements based on the nature of their operations and the type of data they handle. Here’s a brief overview of industry-specific cybersecurity regulations:

Financial Services

Financial services firms are subject to stringent cybersecurity regulations to protect sensitive financial data. These regulations often include requirements for data encryption, access controls, and incident reporting. The Gramm-Leach-Bliley Act (GLBA) and other financial cybersecurity regulations set standards for safeguarding customer information and ensuring data security.

Healthcare

Healthcare organizations must comply with specific cybersecurity regulations to protect patient health information. The Health Insurance Portability and Accountability Act (HIPAA) outlines requirements for securing electronic health records (EHRs) and other sensitive health information. Healthcare cybersecurity regulations also include provisions for breach notification and risk management.

Government

Government agencies face unique cybersecurity challenges and are subject to federal regulations such as the Federal Information Security Management Act (FISMA). These regulations require agencies to implement robust security measures, conduct regular risk assessments, and report on cybersecurity incidents to protect sensitive government data.

Energy

The energy sector is critical to national infrastructure and faces specific cybersecurity challenges. Regulations in this sector are designed to protect against threats that could disrupt energy supplies and critical infrastructure. Key regulations include the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards, which require energy providers to implement security measures, conduct risk assessments, and ensure the resilience of their systems against cyber threats.

Retail/E-commerce

In the retail and e-commerce sectors, cybersecurity regulations focus on protecting customer payment information and personal data. The Payment Card Industry Data Security Standard (PCI DSS) is a critical regulation that mandates security measures for handling payment card information. Retailers must implement encryption, secure access controls, and regular security assessments to safeguard customer data and prevent data breaches.

Technology

Technology companies, including those involved in software development and IT services, must adhere to cybersecurity regulations to protect proprietary information and user data. Regulations such as the Federal Information Security Management Act (FISMA) may apply to technology firms that work with government agencies, while industry standards like the International Organization for Standardization (ISO) 27001 provide guidelines for information security management systems.

Telecommunications

Telecommunications providers are essential for maintaining communication infrastructure and face regulations aimed at securing their networks and customer data. The Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications companies to ensure that their systems can support law enforcement investigations, including providing access to communications data when legally required.

Education

Educational institutions handle various sensitive information, including student records and research data. Regulations in the education sector, such as the Family Educational Rights and Privacy Act (FERPA), set standards for protecting student data and ensuring privacy. Schools and universities must implement security measures to protect against data breaches and ensure compliance with these regulations.

Cybersecurity Regulations: Strategies for Compliance and Risk Management

As cybersecurity regulations evolve, organizations must adopt effective strategies to ensure compliance and manage risks. Here are key strategies to consider:

Conducting a Regulatory Impact Assessment

A regulatory impact assessment helps organizations understand how new or updated regulations affect their operations. Organizations can develop targeted compliance strategies and address any gaps in their security practices by evaluating the potential impact of cybersecurity laws on their business.

Implementing Robust Cybersecurity Policies

Establishing comprehensive cybersecurity policies is essential for ensuring compliance with regulations and protecting sensitive data. Policies should cover data protection, access controls, incident response, and employee training. Regularly reviewing and updating these policies helps organizations stay aligned with evolving regulations and emerging threats.

Training & Awareness Programs

Employee training and awareness programs are crucial for fostering a culture of cybersecurity within an organization. Training should cover best practices for data protection, recognizing phishing attempts, and responding to security incidents. Regularly updating training materials and conducting refresher courses ensures employees know the latest threats and regulatory requirements.

Investing in Technology & Tools

Investing in advanced cybersecurity technology and tools can enhance an organization’s ability to detect and respond to cyber threats. Tools such as intrusion detection systems (IDS), firewalls, and encryption technologies are critical in safeguarding data and ensuring compliance with regulations. Regularly evaluating and updating these tools helps organizations stay ahead of evolving cyber threats.

Regular Audits & Reviews

Conducting regular audits and reviews of cybersecurity practices helps organizations identify vulnerabilities and ensure compliance with regulations. Audits should assess the effectiveness of security measures, evaluate compliance with regulatory requirements, and provide recommendations for improvement. Regular reviews help organizations proactively address potential security issues and adapt to regulation changes.

For insights into cloud security standards and their importance, check out our article about Cloud Security Standards.

Bottom Line: Navigating the Complexities of Cybersecurity Regulations

Navigating the landscape of cybersecurity regulations can be challenging, but understanding and preparing for these requirements is crucial for protecting sensitive data and ensuring compliance. By staying informed about federal and state laws, adopting industry-specific strategies, and implementing robust cybersecurity practices, organizations can effectively manage risks and safeguard their operations against evolving cyber threats.

For more detailed insights into cybersecurity practices and tools, explore resources on network security here.

6 Best Digital Forensics Tools Used by Experts in 2024
https://www.esecurityplanet.com/products/digital-forensics-software/
Wed, 28 Feb 2024 13:06:42 +0000

Get to the bottom of security and legal issues with digital forensics tools. Discover which option will work best for your organization.

Digital forensics tools are products that help both business security teams and legal organizations uncover messy cases, from minor network security infractions to data privacy gaffes and major court cases. They offer features like data extraction, reporting, and anomaly detection to identify information in hard-to-access places. We analyzed the best digital forensics products, along with key features to consider and a breakdown of our evaluation.

Here are our picks for the best six digital forensics tools:

  • Exterro FTK: Best forensics tool overall for a mix of pricing & features
  • IBM QRadar SIEM & Forensics: Best for enterprise forensics & SIEM
  • LogRhythm NetMon & SIEM: Best forensics solution for customer support
  • Cyber Triage: Best solution for cybersecurity-specific incident response
  • Encase Forensic: Best solution for managed digital forensics services
  • Magnet AXIOM Cyber: Best solution for diverse deployment scenarios

Top Digital Forensics Software Compared

The following table gives a brief overview of our six top products, including features like data extraction and free trial availability:

Product | Data Extraction | Incident Response | Indicators of Compromise | Free Trial
Exterro FTK | ✔ | ✔ | ✔ | 30 days
IBM QRadar SIEM & Forensics | ✔ | ➕ | ✔ | ❌
LogRhythm NetMon & SIEM | ❌ | ✔ | ➕ | ❌
Cyber Triage | ✔ | ➕ | ✔ | 7 days
Encase Forensic | ✔ | ✔ | ➕ | ❌
Magnet AXIOM Cyber | ➕ | ✔ | ❌ | Contact for length

✔=Yes  ❌=No/Unclear  ➕=Add-On


Exterro FTK

Best Forensics Tool Overall for a Mix of Pricing & Features

Overall Rating: 3.9/5

  • Core Features: 3.7/5
  • Advanced Features: 4.3/5
  • Deployment & Usability: 4.5/5
  • Customer Support: 2.4/5
  • Pricing: 5/5

Exterro Forensic Toolkit (FTK) offers advanced digital forensics capabilities for both computer systems and mobile devices, including media thumbnail reviews and facial recognition. Other notable features include remote data collection and file recovery for deleted data. We recommend it for organizations of all sizes for its strong feature set and its pricing information — Exterro is transparent about licensing compared to the rest of the market.

Exterro is a fantastic all-around forensics product, but it’s not very transparent about customer support options. If that’s important to your team, look at LogRhythm instead — it also has plenty of key and advanced forensics features and was our criterion winner for customer support.

Pros & Cons

Pros:
  • Free trial lasts a month
  • Supports extractions from mobile devices
  • Tech partnership with Palo Alto Cortex XSOAR

Cons:
  • Unclear customer support availability
  • Command line interface not available
  • Unclear level of cloud app support

Pricing

  • Physical FTK license: $5,999–$11,500, depending on sale prices
  • Virtual FTK license: $5,999–$11,500, depending on sale prices
  • Yearly renewal: Subscription charges and renews annually
  • Free trial: 30 days

Key Features

  • Portable cases: Send data about a case to external reviewers and receive feedback.
  • Facial and object recognition: FTK identifies identical image content automatically.
  • Mac data analytics: Process data like encrypted Apple file systems.
  • Thumbnail review: Inspect and categorize multimedia images by hovering over them.
[Screenshot: Exterro FTK interface]

IBM QRadar SIEM & Forensics

Best for Enterprise Forensics & SIEM

Overall Rating: 3.5/5

  • Core Features: 3.8/5
  • Advanced Features: 3.5/5
  • Deployment & Usability: 3.4/5
  • Customer Support: 3.7/5
  • Pricing: 3.2/5

IBM QRadar SIEM is a security information and event management platform that offers capabilities like network analytics, threat response, and compliance audits. QRadar Forensics, which focuses specifically on digital forensics, can be a standalone product, but it’s also available as a SIEM module. Integrating the two is ideal for large enterprises that want to use a security management product and a digital forensics tool in conjunction.

QRadar is a strong enterprise solution, but it doesn’t support many cloud applications. Consider LogRhythm if you’re looking for cloud app support — it’s also a SIEM solution.

Pros & Cons

Pros:
  • Combines SIEM and forensics in one product
  • Advanced response features like incident alerts
  • IBM provides a pricing calculator

Cons:
  • No free trial offered
  • Can be hard to get initial info from sales
  • Lacks support for cloud apps

Pricing

  • Usage model: Priced by events per second and flows per minute
  • Enterprise model: Based on the number of managed virtual servers used
  • Pricing calculator: IBM’s calculator helps estimate initial costs
  • Contact for quote: Available add-ons, including Forensics

Key Features

  • Network analytics: View network threat detections and dashboard visualizations.
  • Compliance add-ons: Use QRadar SIEM extensions to comply with regulations.
  • IBM X-Force integration: View recent threat intelligence data like malicious URLs.
  • File recovery: The Forensics product finds raw capture data on specified devices.
[Screenshot: IBM QRadar SIEM and Forensics interface]

LogRhythm NetMon & SIEM

Best Forensics Solution for Customer Support

Overall Rating: 3.3/5

  • Core Features: 3.3/5
  • Advanced Features: 3.6/5
  • Deployment & Usability: 2.8/5
  • Customer Support: 4.4/5
  • Pricing: 1.8/5

LogRhythm’s next-gen SIEM platform integrates with LogRhythm NetMon, a forensics solution for networks that provides packet analytics, dashboards, and application recognition. This integration is another example of combined SIEM and forensics for teams that want those products connected. LogRhythm got particularly high marks in our rubric for its customer support availability, including phone support and a 24/7 platinum plan.

While LogRhythm SIEM is a strong network forensics product, it won’t be sufficient for all forensics cases. Consider Exterro if you need mobile and multi-platform forensics; it also finds indicators of compromise and offers incident response capabilities like LogRhythm.

Pros & Cons

Pros:
  • Incident response features through SIEM
  • 24/7 support plan available
  • Good choice for network-focused forensics

Cons:
  • No free trial and limited pricing info
  • Lacks mobile device support
  • Lacks data extraction technology

Pricing

  • Contact for quote: Custom pricing available

Key Features

  • Threat scores: A risk-based priority calculator helps teams determine risk significance.
  • Application recognition: NetMon identifies more than 3,500 applications.
  • Incident response: The SIEM solution helps teams find and remediate security threats.
  • Deep packet analytics: Extract and view network packet data from OSI layers 2-7.
[Screenshot: LogRhythm NetMon & SIEM interface]

Read more about different types of network security, including threat intelligence and network access control.


Cyber Triage

Best Solution for Cybersecurity-Specific Incident Response

Overall Rating: 3.2/5

  • Core Features: 3.3/5
  • Advanced Features: 4.8/5
  • Deployment & Usability: 2.5/5
  • Customer Support: 0.9/5
  • Pricing: 4.3/5

Cyber Triage is a combined forensics and incident response platform that’s great for teams that want to both manage incidents and explore attacks in detail. Key capabilities include malware scanning, artifact scores, and incident response recommendations. Cyber Triage also integrates with endpoint detection and response (EDR) and SIEM products like SentinelOne Singularity and Splunk; consider Cyber Triage if you want those major security integrations.

While Cyber Triage is a strong incident response solution, it doesn’t support mobile devices. Consider Exterro, which offers incident response integrations and collects mobile device data, if you’re looking for both IR and mobile capabilities.

Pros & Cons

Pros:
  • Can run on a laptop, in the cloud, or on-premises
  • Combines incident response and forensics
  • Integrates with SIEM and EDR

Cons:
  • Limited info on customer service availability
  • No cloud app support
  • No mobile device support

Pricing

  • Standard plan: $2,500 per year
  • Standard Pro plan: $3,500 per year
  • Team plan: Custom pricing available
  • Free trial: 7 days

Key Features

  • Artifact scoring: Cyber Triage helps prioritize incident evidence by ranking it.
  • Malware scanning: Over 40 scanning engines increase the chances of finding malware.
  • Air-gapped labs: Export hash values into a text file format through offline mode.
  • IOCs: Cyber Triage identifies indicators of compromise like signs of potential malware.
[Screenshot: Cyber Triage interface]

Encase Forensic

Best Solution for Managed Digital Forensics Services

Overall Rating: 3/5

  • Core Features: 3.5/5
  • Advanced Features: 2.2/5
  • Deployment & Usability: 3.3/5
  • Customer Support: 3.9/5
  • Pricing: 2.3/5

Encase Forensic by OpenText is a well-rounded digital forensics tool with multi-platform support, including all three major operating systems and mobile devices. It collects data from social media sites as well as apps like LinkedIn and WhatsApp. Encase Forensic is available as an on-premises managed product. Consider Encase if your business is looking for a managed forensics solution or has a small or inexperienced team; it’s a good choice for small and midsize businesses (SMBs).

While Encase Forensic is a great multi-platform product, it doesn’t offer a free trial. Consider Magnet AXIOM Cyber instead if you need to try a forensics product before buying. Magnet also supports multiple platforms and offers an integration for mobile data, too.

Pros & Cons

Pros:
  • Investigates Mac, Windows, and Linux devices
  • Verakey integration for mobile data extraction
  • Remote data collection is available

Cons:
  • No free trial
  • Lacks SIEM integration
  • Availability of some DF features is unclear

Pricing

  • Contact for quote: Custom pricing available; some pricing info available from resellers

Key Features

  • Optical character recognition: OCR finds and extracts text data in images and PDFs.
  • AI and ML: Identify incriminating content with machine learning and artificial intelligence.
  • App activity collection: Supported apps include LinkedIn, Instagram, and Twitter.
  • Browser and location data: Encase also collects internet and location history.
[Screenshot: OpenText EnCase Forensic interface]

Magnet AXIOM Cyber

Best Solution for Diverse Deployment Scenarios

Overall Rating: 3/5

  • Core Features: 2.8/5
  • Advanced Features: 2.4/5
  • Deployment & Usability: 4.4/5
  • Customer Support: 3/5
  • Pricing: 2.5/5

Magnet AXIOM Cyber’s digital forensics and incident response solution offers features like remote data collection and data visualization. It supports Windows, Mac, and Linux machines, and users can deploy it in both AWS and Azure. Through its integration with Verakey, AXIOM Cyber can receive extracted mobile data as well. For businesses with multiple operating systems and cloud environments, AXIOM Cyber is a great choice.

While AXIOM Cyber is a strong multi-platform forensics product, its data extraction capabilities depend on integrations with other products rather than being built in. Consider Encase Forensic if you’re looking for native extraction; it also supports multiple platforms, including mobile devices.

Pros & Cons

Pros:
  • Supports Mac, Linux, and Windows computers
  • Can be deployed in the cloud
  • Both phone and email support are available

Cons:
  • No incident alerts
  • Pricing info isn’t transparent
  • Length of the free trial is unclear

Pricing

  • Contact for quote: Custom pricing is available
  • Free trial: Contact for length

Key Features

  • Remote collections: You can collect data from off-network endpoint computers.
  • Data visualization: AXIOM Cyber shows connections between various artifacts.
  • Threat scoring: Integration with VirusTotal allows users to better prioritize threats.
  • Incident response: AXIOM Cyber is a DFIR product and offers response and detection.
[Screenshot: Magnet Forensics AXIOM Cyber interface]

Top 5 Features of Digital Forensics Software

Digital forensics products vary somewhat in their feature sets, but there are a few core capabilities that your future product should have. Data extraction, reporting functionality, data recovery, prioritization, and integrations with security platforms are all critical to conducting a successful forensics case and tracking the most important information.

Data Extraction

Data extraction pulls information from places it would otherwise be hard to find. If a criminal deletes a file from their computer, it won’t be simple to collect by ordinary means. But a digital forensics product has special capabilities that help it reconstruct or recover data that’s been damaged or deleted, which is critical for cases in which a criminal tried to cover their tracks or information has simply been lost over time.

Reporting

Reporting functionality is important for almost every security product, but for digital forensics, it’s especially critical. Every piece of information could affect not only a company’s security but also a person’s life or livelihood. Reports help users present data clearly to business leaders, but they might also need to be provided to police and government officials.

Data Recovery

Some data appears to be lost, but forensics tools should be able to recover data that wouldn’t be found otherwise. That data could play a critical role in a case, and a threat actor or criminal might have attempted to hide the information. Digital recovery features are valuable and often necessary for a full forensics toolkit.

Threat Prioritization

Prioritizing alerts, threats, or other indicators of compromise takes different forms, such as threat scores, but a digital forensics tool should have some method of ranking potential issues. With prioritization features, teams will be better positioned to handle the most important alerts or potential cases first.

Security Integrations

Digital forensics tools should ideally integrate with at least one other security product, whether that’s a SIEM, EDR, or other type of incident response product. This product might also be a security management tool that centralizes multiple products. The best integrations depend on your business’s use cases and needs, though, so consider those before making a final selection.

How We Evaluated Digital Forensics Software

We used a product scoring rubric to compare a range of digital forensics tools, developing five main criteria with key characteristics of forensics products. The percentages below show how we weighted the criteria. Each criterion included multiple subcriteria with their own weighting. The total scores reflect how well each product ranked in our overall evaluation based on the criteria it met. After we scored the products, the six that scored best made our list.

Evaluation Criteria

The most important criteria we scored were core forensics features like data extraction and advanced features, like threat scores and SIEM integrations. We also considered deployment and usability, including product documentation, mobile device support, and supported operating systems. Lastly, we looked at customer support availability, including channels like phone and email, and pricing, like free trials and licensing details.

  • Core features (30%): We looked at the most important forensics features, like data extraction and reporting functionality.
  • Advanced features (25%): We reviewed products based on advanced capabilities like SIEM integrations and threat scores.
  • Deployment and usability (20%): We evaluated ease of use and deployment with criteria like mobile device and operating system support.
  • Customer support (15%): We scored products based on the availability of phone and email, as well as demos, support hours, and composite user reviews.
  • Pricing (10%): We used criteria like free trials, pricing transparency, and license details to score our pricing category.

Frequently Asked Questions (FAQs)

What Types of Cases Require Digital Forensics Tools?

Any legal investigation involving software, hardware, or networks can require a digital forensics tool to find data that otherwise wouldn’t be retrievable. Extraction capabilities help legal and security teams find information that may have been deleted from a computer system. Common examples of cases requiring forensics tools include embezzlement, extortion, identity theft, assault, or child exploitation, including pornography and any kind of trafficking.

Businesses may want forensics simply for their information security and cybersecurity, too, so they can track intruder and attacker behavior in a clinical way. It doesn’t have to be a legal case — an internal security incident might benefit from forensic data as well.

Are Digital Forensics Tools Difficult to Use?

Like any other software solution, digital forensics tools take time to learn. Some will be simpler to use than others, though. If your business is looking for a particularly easy-to-learn product, look for user reviews that mention usability and features like a central management interface. Any product will have a learning curve, but they differ in length.

What Are Common Digital Forensic Product Capabilities?

Broadly speaking, forensics software should be able to pull data from multiple, difficult-to-find locations and present it so teams can analyze it meaningfully. Many different features serve that purpose, like reporting, data extraction, and remote collection, but distilled into simple terms, your digital forensics product needs to access the right systems, find the necessary data, and help users make sense of it.

Bottom Line: Digital Forensics Software Is a Critical Investment

A digital forensics product can be a powerful tool to not only uncover cybersecurity data but also support your team in a legal investigation. It should suit your security, compliance, and legal teams’ skill sets, as well as give them research and response abilities that may not have been available to them before. If your organization frequently deals with criminal activity or investigations, a digital forensics tool is one of the most important investments you’ll make.

Is your organization looking for specifically Linux-based forensics capabilities? Read about our picks for the best Linux distros for pentesting and forensics next.

Types of Encryption, Methods & Use Cases
https://www.esecurityplanet.com/trends/types-of-encryption/
Thu, 07 Dec 2023 17:51:48 +0000

Each type of encryption has its advantages. Discover which encryption type you should use when protecting your organization's data.

Encryption scrambles data to make it unreadable to those without decryption keys. Proper use of encryption preserves secrecy and radically lowers the potential damage of a successful cybersecurity attack.

Discussions of encryption types are often muddled by the many inconsistent and confusing ways the phrase “encryption type” is used. To minimize confusion, this article explains and classifies encryption types, explores which encryption is best for which situation, and discusses how to use encryption effectively.

For a more basic overview of encryption, consider reading: What Is Encryption? Definition, How it Works, & Examples.

Classifications of Encryption Types

To avoid confusion, let’s examine the different ways ‘type’ can be applied to encryption and how we will cover them in this article:

  • Encryption category types will explain the overarching and basic categories of classification for encryption, including the two most important: symmetric and asymmetric encryption.
  • Encryption algorithm types will provide an overview of the mathematical algorithms used to encrypt data (AES, RSA, etc.), their significance, and their pros and cons.
  • Encryption tool types will discuss the major classifications of encryption tools available for use by an organization.

Although each is a ‘type’ of encryption, some sources mix these together, which can be confusing for those trying to understand encryption. We provide the additional distinctions to help better explain how encryption works and to better illustrate the tool to use for specific use cases.

Encryption Category Types

An encryption category type provides an overarching classification that encompasses multiple encryption algorithms or tool types. These conceptual buckets help define the inherent strengths and weaknesses of families of algorithms and tools.

The two most important encryption categories are symmetric and asymmetric encryption. These critical encryption concepts encompass the vast majority of encryption algorithms and tools currently in wide use and can be used in combination for secure communication.

Other important encryption categories include:

  • Homomorphic encryption, which continues to rise in importance with the processing of sensitive and regulated data.
  • Block ciphers, which process plaintext in fixed-size chunks for encryption.
  • Format-preserving encryption (FPE), which is used to create encrypted fields that meet specific formatting and length requirements for databases.
  • Stream ciphers, which process data as it passes through the algorithm and are used in communication.

We will also briefly discuss hashing, which is often associated with encryption but is not actually a type of encryption.

Symmetric Cryptography: Best for Speed

Symmetric cryptography uses the same concept as shared keys for a house — one or more individuals use an identical key to unlock the lock for access. Symmetric encryption works much the same way — to encrypt and decrypt messages with a single, shared key.

[Figure: How symmetric key encryption works, using the same key for encryption and decryption]

Users can establish a symmetric key to share private messages through a secure channel, like a password manager. Unfortunately, while symmetric encryption is a faster method, it is also less secure because sharing the key exposes it to theft.

Phishing and social engineering are common ways threat actors can obtain a symmetric key, but cryptanalysis and brute force attempts can also break symmetric key ciphers. Symmetric encryption is often used for drive encryption, WiFi encryption, and other use cases where speed performance is paramount and a password can be safely shared.

Modern algorithms use variable input, variable key lengths, and multiple rounds to compensate for symmetric key weaknesses.
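To make the shared-key idea concrete, here is an added example in Go (not code from the article) that uses AES-256-GCM from Go's standard library. It assumes the two parties have already exchanged the key over a secure channel, as described above, and shows what follows from that: whoever holds the key recovers the message, any other key is rejected, and a modified ciphertext is rejected, because GCM authenticates what it encrypts. The message and keys are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey draws a random 256-bit AES key: the one secret both parties must hold.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptGCM seals plaintext under the shared key with AES-256-GCM. A fresh
// 12-byte nonce is drawn per message and prepended to the output; reusing a
// nonce under the same key would break GCM's guarantees.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM reverses EncryptGCM. Because GCM authenticates the ciphertext, a
// wrong key or a modified ciphertext yields an error rather than garbage.
func DecryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Demo runs the three outcomes worth knowing: the shared key recovers the
// message, any other key is rejected, and a tampered ciphertext is rejected.
func Demo() (roundTrip, wrongKeyRejected, tamperRejected bool, err error) {
	msg := []byte("constructed sample message") // constructed input, not real data
	key, err := NewKey()
	if err != nil {
		return
	}
	ct, err := EncryptGCM(key, msg)
	if err != nil {
		return
	}
	pt, err := DecryptGCM(key, ct)
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(pt, msg)

	other, err := NewKey() // a key nobody shared: decryption must fail
	if err != nil {
		return
	}
	_, e := DecryptGCM(other, ct)
	wrongKeyRejected = e != nil

	bad := append([]byte(nil), ct...) // flip one ciphertext bit
	bad[len(bad)-1] ^= 0x01
	_, e = DecryptGCM(key, bad)
	tamperRejected = e != nil
	return
}

func main() {
	rt, wk, tp, err := Demo()
	fmt.Println("round trip:", rt, "wrong key rejected:", wk, "tamper rejected:", tp, "err:", err)
}
```

The nonce travels in the clear in front of the ciphertext; it is not a secret, it only has to be unique per message under a given key. The key itself is the whole secret, which is exactly why the article warns that sharing it exposes it to theft.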

Asymmetric Cryptography: Best for Sharing

Asymmetric cryptography works more like providing a code to unlock a small panel in an otherwise locked door for deliveries. The shared public key of asymmetric cryptography can encrypt documents, but decryption requires the private key, which is not intended to be shared.

[Figure: How asymmetric encryption uses different large prime numbers in encryption and decryption]

Although more complicated and expensive to implement, asymmetric encryption ensures secure communications over distributed networks without exposing the encryption keys to theft. Asymmetric encryption does not use multiple rounds for encryption but instead relies on variable-length, large prime numbers.

The larger key sizes and prime number calculations can take much longer to process than symmetric encryption; however, asymmetric algorithm public keys can be published to enable much more secure sharing of encrypted files.

The asymmetry of the algorithm enables either of the keys to encrypt the data, but that same key cannot be used for decryption. Typical examples of use include:

  • Sender encrypts data with recipient’s public key; recipient decrypts data with their private key.
  • Sender encrypts data with their own private key to prove the source of a document, then re-encrypts it with the recipient’s public key for confidentiality; the recipient uses their private key to open the outer layer and the sender’s public key to decrypt the inner message.

Property | Symmetric | Asymmetric
Keys | 1 (private) | 2 (public and private)
Bits | 128, 192, or 256 | 2,048 to 4,096
Speed | Faster | Slower
Overhead | Less complex and expensive; uses less memory and processing power | More complex and expensive; uses more memory and processing power
Security risk | Vulnerable to key theft; should not be used for sharing encrypted data; quantum computers can guess keys | Quantum computers can guess keys
Examples | AES, Blowfish, 3DES | DHM, RSA, ECC
Use cases | Full drive encryption, WiFi data encryption | Website communication, proving identity

Symmetric + Asymmetric Encryption

Software developers and organizations increasingly use both symmetric and asymmetric encryption methods to give users speed and security in communication. A common example is the standard Transport Layer Security (TLS) protocol used to enable secure website browsing.

Also known as hybrid encryption, this combination usually starts with a handshake between the parties using asymmetric cryptography to establish a secure connection. Within that asymmetric connection, the parties then securely share symmetric algorithm keys to enable faster processing of messages.
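The two asymmetric use cases listed above and the hybrid pattern described here combine naturally in one exchange. The following is an added example in Go (not the article's code, and not TLS itself) that assumes RSA key pairs for constructed parties named Alice, Bob, and Mallory: the sender signs with their private key to prove the source, encrypts the bulk data under a fresh AES-256-GCM key, and wraps that key with the recipient's public key; the recipient reverses the steps with their private key and the sender's public key. The impostor case shows why the signature matters: anyone holding Bob's public key can build an envelope for him, but only Alice can sign as Alice.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what crosses the network: the per-message AES key wrapped for the
// recipient, the GCM nonce and ciphertext, and the sender's signature.
type Envelope struct {
	WrappedKey []byte // AES key encrypted to the recipient's RSA public key (OAEP)
	Nonce      []byte
	Ciphertext []byte // message under AES-256-GCM
	Signature  []byte // RSA-PSS over SHA-256(message), made with the sender's private key
}

// newGCM builds the AES-256-GCM primitive that carries the bulk data on both sides.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's side: sign with the private key to prove the source,
// encrypt the bulk data under a fresh symmetric key, and wrap that key so only
// the recipient's private key can recover it.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	aesKey := make([]byte, 32) // used for this one message only
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, msg, nil), Signature: sig}, nil
}

// Open is the recipient's side: unwrap the symmetric key with the recipient's
// private key, decrypt, then check the signature against the sender's public key.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	if rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil) != nil {
		return nil, errors.New("signature check failed: not from the claimed sender")
	}
	return msg, nil
}

// Demo: Alice sends to Bob, who recovers the text. Mallory also knows Bob's
// public key and can build an envelope, but cannot sign as Alice.
func Demo() (recovered string, impostorRejected bool, err error) {
	var keys [3]*rsa.PrivateKey // constructed parties: alice, bob, mallory
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	alice, bob, mallory := keys[0], keys[1], keys[2]
	env, err := Seal(alice, &bob.PublicKey, []byte("constructed sample message"))
	if err != nil {
		return
	}
	msg, err := Open(bob, &alice.PublicKey, env)
	if err != nil {
		return
	}
	recovered = string(msg)
	forged, err := Seal(mallory, &bob.PublicKey, []byte("pretending to be alice"))
	if err != nil {
		return
	}
	_, e := Open(bob, &alice.PublicKey, forged) // Bob checks against Alice's key
	impostorRejected = e != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The expensive RSA operations touch only a 32-byte key and a 32-byte digest; the message itself, however large, goes through AES, which is the speed-for-security trade the article describes.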

Homomorphic Encryption

Homomorphic encryption allows for a set of limited operations on ciphertext without decrypting the message. Homomorphic models include:

  • Partial homomorphic encryption (PHE) for algorithms that can perform a single operation on encrypted data.
  • Somewhat homomorphic encryption (SHE) for algorithms capable of performing two operations on encrypted data.
  • Fully homomorphic encryption (FHE) for algorithms capable of the broadest range of operations on encrypted data.

Google, IBM, and Microsoft continue to explore FHE capabilities to process specific data while maintaining its secrecy and have released open-source encryption libraries. However, these techniques lack widespread adoption or incorporation into commercial tools.

Block Ciphers

Encryption algorithms operate on chunks of data to render them unreadable without a proper decryption key. Block cipher encryption uses fixed-sized blocks of data such as 128 or 64 bit blocks. Many symmetric algorithms are block ciphers; asymmetric algorithms use different key lengths, so technically they are not block ciphers because there is a variable block length between the public and private keys.

When the plaintext to be encrypted is shorter than the block length, the data is padded by the algorithm to reach the block length before encryption. Data longer than the block length will be broken into smaller blocks prior to encryption and also padded if the smaller blocks fall below the block size.

A weakness of block ciphers is that encryption of identical, full-sized plaintext blocks can yield identical encrypted blocks, which can enable brute force detection of keys. Algorithms avoid this issue by using multiple passes of different block sizes or by applying variable-input-length algorithms to the data before it is processed by the encryption algorithm.
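Padding and the identical-block weakness from the two paragraphs above, as an added example that is not code from the original article. It implements PKCS#7 padding (the usual scheme for AES's 16-byte blocks) with strict validation on removal, then encrypts four identical plaintext records both block-by-block (ECB) and with block chaining (CBC) and counts repeated ciphertext blocks, which is the simple audit check a reviewer uses to spot ECB in stored data. The helper names, the fixed demo key and the plaintext records are this example's own constructions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// pkcs7Pad appends 1..blockSize bytes, each holding the pad length, so the
// data becomes a whole number of blocks and the padding can be removed safely.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates the padding before stripping it; anything malformed is an error.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// newDemoCipher builds AES-128 with a constructed, fixed key. Demo only: never reuse a fixed key.
func newDemoCipher() cipher.Block {
	block, err := aes.NewCipher(bytes.Repeat([]byte{0x11}, 16))
	if err != nil {
		panic(err)
	}
	return block
}

// ecbEncrypt encrypts every padded block independently. Go's standard library
// deliberately has no ECB mode; this loop exists only to show the weakness.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out
}

// cbcEncrypt chains each block into the next under a random IV, so identical
// plaintext blocks no longer produce identical ciphertext blocks. Returns IV || ciphertext.
func cbcEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// countRepeatedBlocks counts blocks that duplicate an earlier block. Repeats in
// ciphertext are the classic fingerprint of ECB mode, and a simple audit check.
func countRepeatedBlocks(ct []byte, blockSize int) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		b := string(ct[i : i+blockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func main() {
	block := newDemoCipher()
	// Constructed plaintext: four identical 16-byte records.
	pt := bytes.Repeat([]byte("ACCOUNT=0001;OK;"), 4)
	cbc, err := cbcEncrypt(block, pt)
	if err != nil {
		panic(err)
	}
	fmt.Println("ECB repeated blocks:", countRepeatedBlocks(ecbEncrypt(block, pt), 16)) // 3
	fmt.Println("CBC repeated blocks:", countRepeatedBlocks(cbc, 16))                   // 0
}
```

Note that a plaintext that already fills its last block still gets a whole extra block of padding; without that rule the unpadder could not tell real data ending in 0x10 from padding. CBC hides block repetition but does not authenticate the data, so production code pairs it with a MAC or uses an authenticated mode such as AES-GCM.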

Format-Preserving Encryption (FPE)

The category of format-preserving encryption addresses the storage of encrypted data in legacy databases with strictly defined formats and field lengths. These databases cannot tolerate variances caused by many encryption algorithms that intentionally add padding to short encryption to obscure the length of the original data or convert both letters and numbers into hexadecimal code.

For example, the Social Security number “111-11-1111” might be encoded into the plaintext numeric code of “049049 049049 049049 049049 049,” which cannot be used in a database with a limit of 9 characters. Format preserving algorithms will instead transform the number into a 9-character numeric string so that the database utility will be preserved.

Format-preserving encryption can use existing encryption algorithms, such as AES (see below). However, programmers typically incorporate specially designed algorithms so specialized that we will not cover them in more detail in this article, such as the Thorp Shuffle, Variable Input Length (VIL) Ciphers, and the Hasty Pudding Cipher.

Streaming Ciphers

When sending data through a high-speed router or switch, the full size of the data will be unknown. Storing the data until it reaches a specific block size can cause unacceptable delays for processing and transmission.

Streaming ciphers solve the problem by using a key to encrypt data one bit at a time. Streaming ciphers are symmetric algorithms that use a secret key to feed a random number generator. Asymmetric keys cannot usually be used for streaming encryption because the block sizes cannot be known. The wired equivalent privacy (WEP) and Wi-Fi protected access (WPA) algorithms incorporate streaming ciphers to encode Wi-Fi data transmissions.

Not Really Encryption: Hashing

Although associated with the verification of the integrity of a file, hashing algorithms such as the 128-bit message digest algorithm (MD5) or the eight 32-bit-word secure hash algorithm (SHA-256) do not change the data of a file. Instead, the algorithm analyzes the bits of the contents to create a single number that represents the contents.

An added space or deleted letter will create a completely different hash value for a file, so hash values will often be used to verify that a file has not been altered during a copying or transmission process. However, since hashing algorithms leave the data in plaintext, hashing does not defend the data against unauthorized access.
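The integrity check described above, as an added example that is not code from the original article. It computes the MD5 and SHA-256 digests of some constructed content, shows that one added space changes the SHA-256 value completely, and verifies a recorded digest with a constant-time comparison so that the check itself does not leak how many bytes matched. The function names are this example's own.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// digests returns the hex MD5 (128-bit) and SHA-256 (256-bit) of data.
// The data itself is untouched: hashing summarises content, it does not hide it.
func digests(data []byte) (md5Hex, sha256Hex string) {
	m := md5.Sum(data)
	s := sha256.Sum256(data)
	return hex.EncodeToString(m[:]), hex.EncodeToString(s[:])
}

// verifySHA256 reports whether data still matches a digest recorded earlier.
// subtle.ConstantTimeCompare avoids an early exit on the first mismatching byte.
func verifySHA256(data []byte, expectedHex string) bool {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil || len(expected) != sha256.Size {
		return false
	}
	got := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(got[:], expected) == 1
}

func main() {
	original := []byte("abc") // constructed sample content
	altered := []byte("abc ") // the same content with one added space
	md5Hex, recorded := digests(original)
	fmt.Println("MD5(original):     ", md5Hex)
	fmt.Println("SHA-256(original): ", recorded)
	_, changed := digests(altered)
	fmt.Println("SHA-256(altered):  ", changed)
	fmt.Println("original verifies: ", verifySHA256(original, recorded))
	fmt.Println("altered verifies:  ", verifySHA256(altered, recorded))
}
```

For an integrity check against an active attacker, a bare digest is not enough: whoever can alter the file can also recompute its hash. Either publish the digest through a channel the attacker cannot alter, or use a keyed construction (HMAC) or a digital signature over the digest.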

Encryption Algorithm Types

Encryption algorithms are defined by the specific math formulas and the process required to perform an encryption transformation. While cryptologists develop many different algorithms, this article will focus on the main encryption algorithms adopted for use in IT data encryption:

  • DES
  • 3DES
  • Blowfish
  • Twofish
  • DHM
  • RSA
  • AES
  • ECC
  • Post-quantum

DES: The Data Encryption Standard

The need for a government-wide standard to encrypt sensitive information became evident as early as 1973. The U.S. National Bureau of Standards (now the National Institute of Standards and Technology, or NIST) made a public request for potential ciphers.

IBM and lead cryptographer Horst Feistel soon proposed a symmetric-key block cipher algorithm that came to be called the Data Encryption Standard (DES). By the 1990s, DES received wide criticism for its vulnerability to brute force attacks and its short key size.

  • Significance: First US national encryption standard
  • Pros: Fast, easy to use
  • Cons: Vulnerable to brute force attacks as early as the 1990s
  • Used for: Obsolete, replaced by TDES
  • Key size: 56 bits (+ 1 bit for parity)
  • Block size: 64 bits
  • Rounds: 16
  • Structure: Feistel

TDES: The Triple Data Encryption Standard

Triple DES (TDES), or 3-DES, improves upon the original DES encryption algorithm with three stages of encryption using three different keys:

  • Stage 1: Key 1 used to encrypt plaintext data.
  • Stage 2: Key 2 used to decrypt the encrypted data from step 1 to create a new document (does not reproduce original document; it will not be readable in this form).
  • Stage 3: Key 3 used to re-encrypt the data from step 2 to produce another encrypted document.

The symmetric block cipher TDES provides a dramatic improvement in strength over DES, but TDES has since been replaced by AES (see below). New applications no longer use TDES, but TDES-encrypted data can be found in legacy environments and Microsoft only retired 3DES from use within Office 365 in 2019.
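The three stages listed above carried out by hand on one 64-bit block, as an added example that is not code from the original article. The manual encrypt-decrypt-encrypt sequence is compared with Go's built-in Triple DES, and the example also shows why the middle stage is a decryption: with all three keys equal, stage 2 undoes stage 1 and the result is plain single DES, which is how legacy single-DES data stays readable by 3DES equipment. The keys and the block are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// tdesEDEBlock runs the three stages by hand on one 8-byte block:
// encrypt with K1, decrypt with K2, encrypt with K3.
func tdesEDEBlock(k1, k2, k3, block []byte) ([]byte, error) {
	c1, err := des.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := des.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	c3, err := des.NewCipher(k3)
	if err != nil {
		return nil, err
	}
	stage1 := make([]byte, 8)
	stage2 := make([]byte, 8)
	stage3 := make([]byte, 8)
	c1.Encrypt(stage1, block)  // Stage 1: encrypt with key 1
	c2.Decrypt(stage2, stage1) // Stage 2: decrypt with key 2 (still unreadable)
	c3.Encrypt(stage3, stage2) // Stage 3: encrypt with key 3
	return stage3, nil
}

// stdlibTDESBlock encrypts the same block with Go's built-in Triple DES,
// which takes the three keys concatenated as one 24-byte key.
func stdlibTDESBlock(k1, k2, k3, block []byte) ([]byte, error) {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// singleDESBlock is plain DES, shown because EDE with K1 == K2 == K3
// collapses to it: stage 2 undoes stage 1, leaving only stage 3.
func singleDESBlock(k, block []byte) ([]byte, error) {
	c, err := des.NewCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

func main() {
	// Constructed demo keys (8 bytes each; DES ignores each byte's parity bit) and one block.
	k1 := []byte("01234567")
	k2 := []byte("89abcdef")
	k3 := []byte("fedcba98")
	block := []byte("8bytes!!")
	manual, _ := tdesEDEBlock(k1, k2, k3, block)
	builtin, _ := stdlibTDESBlock(k1, k2, k3, block)
	fmt.Printf("manual EDE : %x\n", manual)
	fmt.Printf("crypto/des : %x\n", builtin)
	fmt.Println("match:", bytes.Equal(manual, builtin))
	same, _ := stdlibTDESBlock(k1, k1, k1, block)
	single, _ := singleDESBlock(k1, block)
	fmt.Println("K1=K2=K3 equals single DES:", bytes.Equal(same, single))
}
```

The block size is the reason 3DES is retired rather than just slow: 64-bit blocks make collision-based attacks practical once enough data is encrypted under one key, which no choice of three keys fixes.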

  • Significance: Replaced DES
  • Pros: Much stronger than DES
  • Cons: Remains vulnerable to brute force attacks, quantum attacks
  • Used for: Obsolete, replaced by AES, however, legacy use remains for ATM pins, UNIX passwords, older payment systems
  • Key sizes: 112 or 168 bits
  • Block size: 64 bits
  • Rounds: 16 rounds per stage
  • Structure: Feistel

Blowfish

Bruce Schneier developed the symmetric block cipher Blowfish to replace DES in 1993. The Blowfish encryption algorithm was released to the public without a required license and is known for its flexibility, speed, and resilience compared to other older encryption standards.

The algorithm uses 64-bit block sizes and encrypts them individually over 16 rounds using a key length between 32 and 448 bits. Each round consists of four actions that further scramble the data for encryption processing. This standard is not recommended to be used on files greater than 4 GB due to its small block size.

  • Significance: Early open-source encryption tool, replaced by Twofish
  • Pros: Fast, fairly secure, free
  • Cons: Vulnerable to brute force and quantum attacks, slow for key changes
  • Used for: Still in use for password management; file and disk encryption; older Secure Shell (SSH) protocol tools (OpenSSH, PuTTY, etc.); and is embedded in Linux and OpenBSD operating systems
  • Key sizes: 32 to 448 bits
  • Block size: 64 bits
  • Rounds: 16
  • Structure: Feistel

Twofish

Twofish, developed in 1998, is a next-generation version of Blowfish that uses keys between 128 and 256 bits long, block sizes between 128 and 256 bits, and 16 rounds of encryption. While more complex than Blowfish, the symmetric block cipher encryption is optimized for 32-bit CPUs, which enables better performance.

As with Blowfish, Twofish has also been made available in the public domain, allowing free use and incorporation of the algorithm into applications. While competitive with AES in speed on generic hardware, AES can be significantly faster using AES hardware acceleration.

  • Significance: Replaced Blowfish, but remains smaller in adoption
  • Pros: Stronger encryption than Blowfish, fast performance
  • Cons: Not as fast as AES with hardware accelerators, theoretically vulnerable to quantum brute force attacks
  • Used for: File and folder encryption
  • Key sizes: 128, 192, or 256 bits
  • Block sizes: 128 to 256 bits
  • Rounds: 16
  • Structure: Feistel

DHM: Diffie-Hellman-Merkle Introduces Key Exchange

Merkle (left), Hellman (center), and Diffie (right) at Stanford in 1977. (Chuck Painter / Stanford News Service)

Shortly after the release of DES, three computer scientists – Whitfield Diffie, Martin Hellman, and Ralph Merkle – published their research on public-private key cryptography in 1976. Their Diffie-Hellman-Merkle (DHM) key exchange pioneered asymmetric encryption and supported much longer key lengths of 2,048 to 4,096 bits.

  • Significance: First asymmetric encryption algorithm published
  • Pros: More secure for sharing information than symmetric algorithms
  • Cons: Not widely adopted, more resource intensive, vulnerable to brute force attack
  • Used for: Not widely adopted
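The key exchange idea described above, as an added example that is not code from the original article: each side keeps a private key, publishes only its public value, and both sides combine their own private key with the other's public value to arrive at the same shared secret without ever sending it. The example uses X25519 from Go's standard library, the elliptic-curve form of the Diffie-Hellman exchange that modern protocols use; the original DHM scheme did the same arithmetic with modular exponentiation over a large prime, which is not shown here. The Party type and its methods are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
)

// Party holds one side's key pair. The private key never leaves the party;
// only PublicBytes() is sent over the open channel.
type Party struct {
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh X25519 key pair.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the 32-byte value published to the other side, and to any eavesdropper.
func (p *Party) PublicBytes() []byte {
	return p.priv.PublicKey().Bytes()
}

// SharedSecret combines our private key with the peer's public value. Both
// sides arrive at the same 32 bytes; a malformed public value is rejected.
func (p *Party) SharedSecret(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	return p.priv.ECDH(peer)
}

func main() {
	alice, err := NewParty()
	if err != nil {
		panic(err)
	}
	bob, err := NewParty()
	if err != nil {
		panic(err)
	}
	// Only the two public values cross the network.
	secretA, err := alice.SharedSecret(bob.PublicBytes())
	if err != nil {
		panic(err)
	}
	secretB, err := bob.SharedSecret(alice.PublicBytes())
	if err != nil {
		panic(err)
	}
	fmt.Printf("alice: %x\nbob:   %x\nmatch: %v\n", secretA, secretB, bytes.Equal(secretA, secretB))
}
```

The raw shared secret is not used as an encryption key directly; protocols run it through a key derivation function first. The exchange alone also gives no assurance of who the peer is, which is why TLS combines it with certificates and signatures.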

RSA Encryption

A year after DHM’s release, three cryptographers – Ron Rivest, Adi Shamir, and Leonard Adleman – developed the asymmetric RSA public-key cryptosystem. The three innovators and MIT patented the RSA algorithm, a proprietary system available through RSA Security until its public release in 2000. The RSA algorithm remains the most popular public key cryptographic system today and introduced the concept of digital signatures for authentication outside of academia.

The RSA algorithm originators (right to left): Adi Shamir, Ron Rivest, and Leonard Adleman.

RSA depends on multiplying two very large randomized prime numbers to create a third, even larger prime number. While it’s very difficult for most computers to factor these prime numbers quickly, the algorithm has been found vulnerable to quantum computing attacks and tends to be a slow algorithm to implement. The algorithm is now in the public domain, and RSA calculator websites can be used to examine how the process works.

  • Significance: First commercially available public key, asymmetric algorithm
  • Pros: Enables secure sharing
  • Cons: Slow to implement, vulnerable to brute force attacks (especially quantum-powered)
  • Used for: Secure messaging, payments, small encrypted files

AES: The Advanced Encryption Standard

In 1997, the NIST renewed its call to the public cryptography community for the successor to DES. Two Dutch cryptographers – Joan Daemen and Vincent Rijmen – submitted the eventual pick known as Rijndael. By 2001, the NIST dubbed it the Advanced Encryption Standard (AES) and officially replaced the use of DES. AES offered larger and different key sizes with a family of ciphers to choose from and remains one of the most popular standards over 20 years later. AES encrypts data over 10-14 rounds in block sizes of 128 bits and with key sizes between 128 and 256 bits.

While both DES and AES use symmetric block ciphers, AES uses a substitution-permutation network wherein plaintext goes through multiple rounds of substitution (S-box) and permutation (P-box) before finalizing the ciphertext block. Similarly, a client or application can decrypt the AES message by reversing these S-box and P-box transformations.

Most organizations use one of the AES algorithms for file encryption, full-disk encryption, application encryption, Wi-Fi transmission encryption, virtual private network (VPN) encryption, and encrypted protocols such as transport layer security (TLS).

  • Significance: Most widely adopted symmetric, block cipher algorithm
  • Pros: More secure than legacy encryption, faster than asymmetric options
  • Cons: Vulnerable to key theft and brute force attacks
  • Used for: Protocols, VPN, full-disk encryption, Wi-Fi transmission encryption
  • Key sizes: 128, 192, or 256 bits
  • Block size: 128 bits
  • Rounds: 10, 12, or 14
  • Structure: SP-network

ECC: Elliptic-Curve Cryptography

Professors at the University of Washington and Columbia University independently published research in 1985 on elliptic curve cryptography (ECC), but it didn’t come into widespread implementation until the mid-2000s. Like RSA, ECC is an asymmetric encryption algorithm, but instead of using prime numbers, it uses elliptic curves to generate public and private keys.

The use of elliptic curves enables equivalent security with smaller key sizes than RSA, which enables faster execution of the encryption and decryption algorithms. ECC has proven to be a popular alternative choice to RSA but has also been found to be vulnerable to threats such as twist-security and side-channel attacks.

  • Significance: Popular asymmetric encryption alternative to RSA
  • Pros: Faster than RSA and uses smaller key sizes, more secure for sharing than symmetric encryption algorithms
  • Cons: Vulnerable to twist-security, side-channel, and quantum-powered attacks
  • Used for: Email encryption, cryptocurrency digital signatures, internet communication protocols
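The digital-signature use of ECC listed above, as an added example that is not code from the original article. A P-256 key pair signs the SHA-256 digest of a message with ECDSA, and the verifier, holding only the public key, accepts the original and rejects an edited message, an edited signature, or a signature from a different key. The function names and the message are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newSigner generates a P-256 key pair: a 256-bit private scalar and a public
// point, far smaller than an RSA key of comparable strength.
func newSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signMessage hashes the message and signs the digest with the private key,
// returning an ASN.1 DER encoded signature. ECDSA signing is randomized, so
// signing the same message twice yields two different valid signatures.
func signMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyMessage checks a signature with the public key alone. Any change to
// the message, the signature bytes, or the key makes it return false.
func verifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := newSigner()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed document contents") // constructed sample
	sig, err := signMessage(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature: %d bytes\n", len(sig))
	fmt.Println("original verifies:", verifyMessage(&priv.PublicKey, msg, sig))
	edited := []byte("constructed document contents.")
	fmt.Println("edited verifies:  ", verifyMessage(&priv.PublicKey, edited, sig))
}
```

The private key is used only in signMessage; distributing the public key (for instance in a certificate) is what lets anyone verify without being able to forge. The side-channel concern mentioned above applies to the signing step, which is why production implementations use constant-time scalar arithmetic and a fresh, unpredictable nonce per signature.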

What Is Next? Post-Quantum Cryptography

Based on quantum mechanics rather than mathematical operations, quantum computers can utilize Shor’s algorithm to find prime factors much more rapidly than traditional computers. This allows an attacker with access to a large enough quantum computer to break asymmetric standards like DHM, RSA, and ECC by determining an organization’s private key from the public key.

Although not commonly available, the development of quantum computers is seen as a near future certainty. Data stolen today may be securely encrypted using today’s standards and uncrackable for the next 5-10 years. However, if the attacker who stole the information gains access to affordable quantum computing resources in the future, the encryption may easily be broken.

Post-quantum cryptography (PQC) describes research, algorithms, and vendors developed to address quantum attacks and secure the next generation of IT environments and data. The NIST and the US National Security Agency (NSA) started to release algorithms and resources in 2022 against quantum threats.

Still, research remains in early stages, so initial standards remain in draft form and a full mitigation architecture for federal agencies isn’t expected until the 2030s. Currently, the four recognized algorithms include:

  • CRYSTALS-Kyber (FIPS 203) defines an algorithm incorporated into an asymmetric key encapsulation mechanism (KEM) standard designed to allow for quantum-resistant sharing of secure keys over public channels.
  • CRYSTALS-Dilithium (FIPS 204) defines an algorithm incorporated into a standard to create quantum-resistant digital signature schemes to verify sources and identities.
  • SPHINCS+ (FIPS 205) defines an algorithm incorporated into a stateless hash-based, quantum-resistant digital signature standard to verify sources and identities.
  • FALCON (FIPS pending) will define an algorithm and a digital signature standard based on fast-Fourier lattices.

Encryption Tool Types

Information technology uses encryption to protect data at rest and data in transit in many different ways. The broadest applications of encryption include:

  • Encrypted data transmission protocols
  • Full disk encryption
  • File encryption
  • Email encryption
  • Application Embedded Encryption
  • Digital certificates

While these are the solutions most often purchased and deployed, encryption can also be found incorporated into security solutions such as cloud access security brokers (CASB), next-generation firewalls (NGFW), password managers, virtual private networks (VPN), and web application firewalls (WAF).

Encrypted Data Transmission Protocols

Many fundamental protocols incorporate encryption into their programming to provide universal protection invisible to most users. Major protocols include:

  • DomainKeys Identified Mail (DKIM) enables the authentication of email senders by hosting a public key for an encrypted block of text in sent emails.
  • Internet protocol security (IPSec) provides encryption at the IP packet level and creates a secure tunnel for packets belonging to multiple users and hosts.
  • Kerberos provides single sign-on and user authentication against a central authentication and key distribution server by distributing authenticated tickets for securing and supporting authentication on a local area network.
  • Layer 2 Tunneling Protocol (L2TP) provides a framework for doubly-encrypted transmission of data using an encrypted tunnel between devices.
  • Secure/Multipurpose Internet Mail Extension (S/MIME) upgrades email security.
  • Secure Shell (SSH) secures remote terminals and provides support for single sign-on and secure tunneling for TCP streams.
  • Transmission Control Protocol (TCP) adds encryption, server authentication, and client authentication to communication between devices and applications and enables HTTPS connections.

Full Disk Encryption

To protect data at rest, an entire hard drive can be encapsulated within an encrypted container. This feature can be included in firmware, in operating systems, or as a feature in open-source, shareware, or commercial applications.

Full-disk encryption protects against the theft of the device or hard drive when they are powered down by rendering the contents of the device unreadable without the security key. However, these applications typically use symmetric encryption and are vulnerable to stolen keys. Additionally, full-disk encryption does not protect against data theft from the device when the device is powered on and the data is unencrypted for use.

File Encryption

File encryption protects data at rest while the device is powered on and the data is otherwise available for use. Encryption is applied on either a folder or individual file basis and decryption is applied as needed when the information is required.

File encryption tends to require more user interaction and is more difficult to apply on a universal basis than full disk encryption. File encryption can add strong security, but it remains vulnerable to stolen passwords and can be more vulnerable to lost passwords than full disk encryption, which may have an admin password established by IT.

Email Encryption

Email encryption places email content in encrypted containers for safe transmission using unencrypted email protocols. Email encryption options exist within major email tools, but many organizations choose to deploy additional tools with more robust options for deployment or encryption.

Application Embedded Encryption

Applications such as databases, websites, and other programs can incorporate encryption within the programming to protect data. Databases offer the most varied types of encryption for fields, columns, or entire database storage instances. Other types of encryption can detect and encrypt specific data types, such as credit card numbers and Social Security numbers, throughout the application.

Digital Certificates

Digital certificates provide publicly published keys that can be used to verify identity or to encrypt and decrypt information. Certificates must be maintained with current information and replaced before they expire.

How to Choose an Encryption Type or Algorithm

When selecting encryption types, enterprises should first consider their security requirements based upon the organization’s risk. Risk defines the most important data in the organization from a financial, operational, and regulatory perspective, which aids in determining where and how encryption can protect that data.

Effective risk analysis requires effective classification of data, an accurate inventory of data locations, and an effective picture of how the most important data flows through the organization. The risk analysis will determine the security needs, and then a range of encryption solutions should be considered, not just the type of tool that is most commonly used or the most convenient to apply.

The top features of a commercial tool (other than cost) to consider include:

  • Centralized policy management
  • Speed of the tool
  • Key management and automation
  • Support for hardware-based cryptographic acceleration
  • Ability to report for compliance
  • Monitoring, logging, and auditing capabilities
  • Operating system (OS) support
  • Installation and configuration processes
  • Impact on operations and user experience
  • Encryption algorithm options
  • Legacy encryption support

Unfortunately, encryption can result in loss of functionality, decreased performance, and even lost data, depending upon factors such as:

  • User error
  • Memory and hard drive requirements vs. available resources
  • Required changes to infrastructure 
  • Required changes to devices  

Solutions that require extensive changes to the infrastructure and end user devices should generally be used only when other options cannot meet the enterprise’s security needs. After selecting a tool, an organization may have the option to select from multiple available security algorithms. They should consider whether this algorithm is current or obsolete, is validated or untested, and suits the use case.

In addition to tool and algorithm considerations, an organization should also consider the way in which the encryption can be obtained and the economic consequences:

  • Direct tool purchase offers the potential for one-time pricing and professional customer support but can become obsolete or may be narrowly focused.
  • Open-source software will generally be free but will lack professional customer support, require the most resources to implement, may become obsolete, and will usually be narrowly focused on how it can be used.
  • Add-on encryption is often a service provided by specific vendors for specific use cases, such as a cloud provider’s cloud storage encryption added to protect cloud resources.
  • Encryption as a service offers a broad range of encryption options, will be continuously updated, and requires the least effort to manage; however, this option involves giving up control of company secrets to an outside party.

The selection of a tool can be a collaborative and iterative process. Affected users should be involved in testing encryption tools and deployment can be rolled out in stages to avoid disruptions and data loss. As with security, encryption should be applied in layers appropriate for the use: database, local file, email, or entire drives.

Bottom Line: Encryption Adds a Strong Layer to a Security Stack

Encryption may be required by compliance standards and customers expect important data will be encrypted for protection and to guard against theft. However, encryption alone will not fully protect valuable data. Encryption provides a very strong layer of defense, but it should complement a full security stack of solutions and services to protect servers, endpoints, network connections, applications, and more.

This article was originally written by Sam Ingalls and published on May 26, 2022. It was updated by Chad Kime on December 7, 2023.

Top 6 Data Loss Prevention (DLP) Solutions (Full Comparison)
https://www.esecurityplanet.com/products/data-loss-prevention-dlp-solutions/
Wed, 25 Oct 2023 21:05:20 +0000
https://www.esecurityplanet.com/2020/02/12/top-data-loss-prevention-dlp-solutions/

Data loss prevention (DLP) solutions are a priority for IT departments because of their ability to protect sensitive data. Find your DLP solution now.

With governments around the world implementing strict data privacy laws, data loss prevention (DLP) technology is becoming a critically important IT security tool for protecting sensitive data.

Every organization stores sensitive data. Sensitive data can include personally identifiable information (PII) that can impact user privacy. Sensitive data also includes payment and financial information that could lead to identity theft and fraud if the data is lost or stolen and winds up in the wrong hands. Intellectual property is another type of sensitive data that DLP tools typically monitor and protect.

DLP tools automate data classification and protection, typically after an initial assessment of an organization’s data types and where that data is located. DLP tools then monitor that data to look for potential exposure or leaks.

Below are our top picks for data loss prevention solutions, their features, use cases, functionality and customer support, followed by considerations for buyers in the market for DLP solutions.

Top DLP Solutions Compared

This table provides a brief overview of our top products and their feature availability. Read our full product reviews below for more detail on each.

Feature availability by product (✅ = yes; ? = unclear or no):

  • Forcepoint DLP: support for regulatory compliance ✅, encryption ✅, network monitoring ?, free trial ✅
  • Digital Guardian Endpoint DLP: support for regulatory compliance ✅, encryption ✅, network monitoring ✅, free trial ?
  • Symantec DLP: support for regulatory compliance ✅, encryption ✅, network monitoring ✅, free trial ?
  • Clumio Protect and Discover: support for regulatory compliance ✅, encryption ✅, network monitoring ?, free trial ✅
  • Proofpoint Enterprise DLP: support for regulatory compliance ?, encryption ✅, network monitoring ?, free trial ✅
  • Trellix DLP: support for regulatory compliance ✅, encryption ✅, network monitoring ✅, free trial ?


Forcepoint DLP

Best overall

Forcepoint DLP offers tools to manage global policies across every major channel, including endpoint, network, cloud, web, or email. Predefined templates, policies, and streamlined incident management enable organizations to address risk by adding visibility and control where people work and data resides.

Forcepoint DLP interface.
Image credit: Forcepoint

Forcepoint’s compliance features are a particular highlight — they help teams meet standards with more than 1,500 predefined templates, policies, and classifiers applicable to the regulatory demands of 83 countries. If you’re a large enterprise with significant regulatory demands, consider Forcepoint. We rated it best overall for its comprehensive feature coverage.

Pricing

  • Forcepoint offers a 30-day free trial of DLP.
  • Contact Forcepoint’s sales team for detailed pricing information specific to your organization’s needs.

Features

  • Employee security coaching through messages that guide user actions, educate employees on policy, and validate user intent when interacting with critical data
  • Automated data labeling and classification through integrations with third-party data classification tools
  • Risk-based policy enforcement
  • Intellectual property protection

Pros:

  • Forcepoint ONE DLP, the cloud security platform for DLP, is available as a managed service
  • Forcepoint offers training videos
  • Technical account manager available for enterprise support plans

Cons:

  • Lacks file transfer protection or quarantining
  • Recent user complaints about customer support’s slow responses

Digital Guardian Endpoint DLP 

Best for small or inexperienced security teams

Digital Guardian Data Loss Prevention, offered by Fortra, performs DLP on traditional endpoints, across the corporate network, and on cloud applications. Our analysis focuses on Endpoint DLP, but Digital Guardian also has a Network DLP product for teams focused on network traffic monitoring and security. Your enterprise can combine both if needed.

Fortra Digital Guardian Endpoint DLP interface.
Image credit: Fortra

Digital Guardian receives its high rating from us particularly for its functionality and management features like training videos and support for multiple operating systems. Additionally, Digital Guardian DLP is available either as software-as-a-service (SaaS) or a managed service deployment. While Digital Guardian DLP is a strong choice for large enterprises, SMBs should consider it too for ease of use through the managed service.

Pricing

Features

  • Automated blocking and encryption of sensitive data in emails and files on removable drives
  • Dashboards
  • Classification and tagging of intellectual property and regulated data
  • Data-centric events collected are reported up to Digital Guardian’s Analytics & Reporting Cloud, part of the vendor’s overall data protection platform

Pros:

  • Available as a fully managed security service program (MSSP) with a 24/7 global analyst team
  • Supports multiple operating systems

Cons:

  • Some users find the UI confusing and initial setup difficult

Symantec DLP

Best for protecting large networks

Symantec Data Loss Prevention, now owned by Broadcom, is a two-product protective platform for enterprises. We mainly looked at Symantec DLP Core, but DLP Cloud is also available and offers cloud connectors to web gateways and cloud access security broker (CASB) controls.

Broadcom Symantec DLP interface.
Image credit: Broadcom

DLP Core offers features like encryption and network monitoring; consider it for sprawling business networks, especially storage area networks that pool data from multiple storage systems. And if your team is looking for data protection for cloud environments, DLP Cloud can help monitor cloud-based applications and storage systems.

Pricing

  • For pricing information, you can contact Broadcom’s sales team, or you can contact a reseller like CDW or SHI for pricing. Depending on the reseller, you may still need to request a quote. SHI reports a starting list price of $96 a year per license with support, with volume discounts.

Features

  • One pane of glass for policy management
  • Microsoft Information Protection integration for encryption and rights management
  • Network monitoring
  • Information Centric Analytics, a form of UEBA

Pros:

  • Full-featured Core product for on-premises environments
  • Good choice for teams protecting intellectual property data

Cons:

  • Symantec DLP is built on Oracle, so customers must have an Oracle database to use it
  • No free trial

Clumio Protect and Discover

Best for AWS business environments

While designed more as a backup solution, Clumio has enough DLP features to earn it a place on this list. The Protect and Discover products offer backup and recovery for AWS and Microsoft 365. It simplifies and automates AWS data protection for Amazon S3, EC2, EBS, and RDS; SQL Server on EC2; and other products.

Clumio DLP interface.
Image credit: Clumio

Don’t count Clumio out if you’re a Microsoft customer, either: it helps teams develop policies for all their 365 products and stores data in an immutable environment to protect it from ransomware.

Pricing

  • Clumio has a pay-per-use structure, with pricing specified for different AWS products and backup type and frequency. Check out the pricing page for a complete list of backup costs. For S3, Clumio offers SecureVault Standard and SecureVault Archive, so you can back up your less frequently accessed data, too.

Features

  • Air-gapped backups for SQL Server data, stored outside user accounts
  • Search, recovery, and restoration for EC2 files, volumes, and instances
  • Encryption for data in motion and at rest
  • Policy creation for AWS, including specified backup frequency and retention

Pros:

  • Available as a managed service
  • 14-day free trial
  • Developer hub available for engineers and dev teams

Cons:

  • Limited training videos
  • Data discovery capabilities are unclear — Clumio is more backup-focused, so it won’t meet all enterprise-level DLP requirements

Proofpoint Enterprise DLP

Best standalone email protection

Proofpoint’s broader Enterprise DLP platform provides both Endpoint DLP and Email DLP products. Proofpoint Endpoint DLP takes a people-centric approach to protecting data. It provides integrated content awareness in addition to behavioral and threat awareness, which gives granular visibility into user interactions with sensitive data. Proofpoint Endpoint DLP also offers the ability to detect, prevent, and respond to data loss incidents in real time.

Proofpoint DLP interface.
Image credit: Proofpoint

Email DLP helps identify when sensitive data is being leaked through an email. It allows teams to create dictionaries with data formats specific to their organization for exact data matching. If your team is particularly interested in a comprehensive endpoint and email protection solution, consider Proofpoint.

Pricing

  • Proofpoint doesn’t give public pricing information for its DLP products. Contact the sales team for pricing specific to your business.

Features

  • Encryption for email data with Email DLP
  • Custom dictionaries for specific data formats and exact data matching with Email DLP
  • Out-of-the-box detection and prevention engine to halt data exfiltration with Endpoint DLP
  • Access policies based on your team’s security goals with Endpoint DLP
Pros

  • Built on the same platform as Proofpoint Insider Threat Management and can draw user data from it
  • Part of the Managed Information Protection service for businesses seeking a broader managed data security platform

Cons

  • Lacks training videos for users
  • Not as full-featured as some of the other products on our list



Trellix DLP

Best for distributed enterprises

Trellix — an XDR-focused security company formed from the merger of McAfee Enterprise and FireEye — remains tightly coupled with its former cloud business, Skyhigh Security, in DLP. Composed of DLP Discover, DLP Endpoint, DLP Monitor, and DLP Prevent, Trellix’s data loss prevention platform is a good choice for both on-premises and hybrid environments, particularly when combined with Skyhigh’s SASE capabilities. Of course, that also makes Skyhigh a good choice for organizations looking for a cloud DLP option.

Trellix DLP interface.
Image credit: Trellix

We focused on DLP Discover in our review; this product inventories data, searches for sensitive information, and helps develop data protection rules through fingerprinting. But the entire Trellix suite is a good choice for teams focused on threat monitoring and prevention. The one downside is that it takes four DLP products to get all the DLP capabilities that Trellix offers, but for enterprises seeking a feature-rich DLP platform, Trellix is a strong contender.

Pricing

  • Trellix doesn’t provide public pricing details. Contact Trellix to speak with a salesperson about products and pricing information. Some pricing can be found online in places like AWS and Connection.

Features

  • Network monitoring through DLP Monitor
  • Encryption and quarantining after a policy violation through DLP Prevent
  • Statistical analysis for data pattern matches within documents and files
  • Rule construction engine that helps your team create data protection rules for simple and complex data
Pros

  • Network monitoring product available
  • Comprehensive enterprise solution

Cons

  • Lacks user training videos
  • Not available as a managed service
  • Might require multiple solutions to cover all your needs

Key Features of DLP Solutions

Data loss prevention helps storage, data, and security teams wrangle large volumes of information that might be scattered throughout multiple systems and locations. Look for the following features in the products you consider — while they will vary between solutions, you’ll at least want the majority in any DLP solution.

Data Discovery

DLP tools should enable users to identify what types of data should be protected. It’s easy to lose track of data in enterprise storage systems and applications, but your team should keep tabs on all that information. You can only protect it if you know it’s there. Data discovery is one of the core building blocks of DLP.

Data Classification

Beyond discovery, DLP tools should enable users to classify the data they have found. Some data is more sensitive, and if it were stolen or exposed it would be a critical risk. Data should not only be grouped into appropriate categories but also prioritized according to its sensitivity.

Compliance Assistance

DLP has become a useful tool for helping organizations protect customer privacy and comply with privacy regulations like GDPR and CCPA. Many DLP products have built-in functionality for identifying whether data protection practices are actually compliant with regulatory standards.

Policy Creation

Many DLP tools offer a policy creation feature that allows you to develop data protection rules specific to your business. Some businesses may want more sophisticated policy-making tools, so if you’re a larger enterprise with experienced data or security teams, look for highly customizable policies. Conversely, if you want out-of-the-box policies, ask for a demo when shopping for a DLP product.

Network Monitoring

Not all DLP products offer network monitoring, but we particularly recommend it for teams that have a lot of sensitive data traveling across their network. Monitoring is also useful for businesses with large storage area networks, as data from multiple systems could be compromised if the network is breached.

How to Choose the Best DLP Solution for Your Business

When choosing a DLP technology or service, organizations must weigh several key considerations, including but not limited to budget and team size. Also consider where your business data resides and any compliance assistance you’ll need.

Scope

Where is the data that needs to be protected? Have you inventoried every storage system or database containing sensitive data? And does the solution you’re looking at have full visibility into those deployments? These are the questions you should ask before choosing a data loss prevention product so you know whether it supports all the file types, unstructured data, or other information your team needs to protect.

Compliance

If the DLP service is being used to help enable regulatory compliance, look for integration with governance, risk, and compliance (GRC) tools. Not all DLP products will have the GRC capabilities you’re looking for, and a smooth integration could be critical for facilitating your team’s regulatory compliance operations.

Reporting

It’s important for many organizations to have visibility and reporting into what data is protected and how it is being accessed, particularly for compliance purposes. Businesses in the healthcare, financial services, and government sectors will especially benefit from strong built-in reporting tools.

Team expertise and business size

You’ll need to weigh a product’s interface and capabilities against the skills of your security, IT, and data teams. While you shouldn’t choose a product only for ease of use, it’s important to consider how long it’ll take for your teams to learn and how complex it is. Additionally, smaller businesses will need a product appropriate for their size; likewise for large enterprises.

Budget

While budget is certainly a consideration, it shouldn’t be the only one. Your business should invest in a product that will last you many years, and if that requires spending some money on a platform with the right features, see whether your team can afford a suitable product that will serve you well.

How We Evaluated DLP Solutions

We evaluated these DLP solutions using a product scoring rubric. In our rubric, we weighted criteria and features according to the percentages listed for each below, and that weighting factors into the total score for each product. The six products that scored highest in the rubric made our list. However, that doesn’t mean that one of these is automatically the best pick for you, nor that a good option can’t be found outside this list.

A note on ratings: The scores are not a reflection of the product’s overall quality but rather a representation of how the product met the criteria in our evaluation rubric. All these products are successful in this category, and their score here is not an overall measure of their value. Rather, it analyzes how well they met our specific criteria.

Pricing Transparency & Trials | 10 Percent

We evaluated whether the vendor was transparent about pricing and whether the product had a free trial, including how long the trial lasted.

Core Features | 35 Percent

We evaluated the most important DLP features, like data discovery, data classification, and policy creation.

Additional Features | 20 Percent

We considered some nice-to-have features, including digital rights management, behavioral analytics, and risk-based policy enforcement.

Functionality & Management | 20 Percent

We evaluated availability of knowledge bases and training videos, as well as the option to buy the product as a managed service.

Customer Support | 15 Percent

We looked at technical support phone and email availability, as well as whether the vendor offers a demo and a 24/7 support plan.

Frequently Asked Questions (FAQs)

People frequently ask the following questions about data loss prevention and its role in enterprises and security systems.

What Is an Example of a DLP Policy?

Data loss prevention policies can either be pre-made or customized specifically for your organization. For example, your IT team might set a DLP policy that permits only encrypted files to be sent from the Chief Information Officer’s email account. DLP policies specify what can happen to what data.

What Triggers a DLP Incident?

Your business’s set policies trigger a DLP incident. When someone goes against a policy — for example, when the aforementioned CIO attempts to email an unencrypted file — the DLP product triggers an alert, flagging the incident. Some DLP products have prevention features that will block the unencrypted file from sending.
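
The two FAQ answers above can be made concrete with a small policy evaluator. This is an added illustration written for this page, not code from any DLP vendor discussed here: the Policy and Message structures, the encrypted-attachment flag (which a real gateway would derive from the file itself), the example addresses and the card-number pattern are all constructed assumptions.

```python
"""Added example: a small DLP policy evaluator for the CIO rule in the FAQ.
Policies, messages and the encrypted-attachment flag are constructed for illustration."""

import re
from dataclasses import dataclass, field


@dataclass
class Attachment:
    name: str
    encrypted: bool  # assumption: the mail gateway has already determined this


@dataclass
class Message:
    sender: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    applies_to: str                 # sender address the rule covers, or "*" for all senders
    require_encrypted_attachments: bool
    blocked_patterns: dict          # label -> compiled regex matched against the body
    action: str                     # "alert" logs an incident; "block" also stops delivery


def evaluate(msg: Message, policies: list) -> list:
    """Return the incidents msg triggers as (policy name, reason, action) tuples.
    A DLP incident is simply a message that contradicts a policy."""
    incidents = []
    for pol in policies:
        if pol.applies_to != "*" and pol.applies_to.lower() != msg.sender.lower():
            continue
        if pol.require_encrypted_attachments:
            for att in msg.attachments:
                if not att.encrypted:
                    incidents.append((pol.name, f"unencrypted attachment {att.name}", pol.action))
        for label, pattern in pol.blocked_patterns.items():
            if pattern.search(msg.body):
                incidents.append((pol.name, f"body matches {label}", pol.action))
    return incidents


def disposition(incidents: list) -> str:
    """Prevention products block on the strictest action; monitoring-only products alert."""
    if any(action == "block" for _, _, action in incidents):
        return "block"
    return "alert" if incidents else "deliver"


# Constructed policies: the FAQ's CIO rule, plus an organization-wide pattern rule.
POLICIES = [
    Policy("cio-encrypted-only", "cio@example.com", True, {}, "block"),
    Policy("no-card-numbers", "*", False,
           {"card number": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")}, "alert"),
]

if __name__ == "__main__":
    outbound = Message("cio@example.com", "Board pack attached.",
                       [Attachment("board-pack.pdf", encrypted=False)])
    found = evaluate(outbound, POLICIES)
    print(disposition(found), found)
```

Run as a script, it reports a blocked incident for the CIO’s unencrypted attachment; the same message with the attachment encrypted produces no incident and is delivered, which is the difference between a policy and an incident that the FAQ describes.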

Is There a Difference Between DLP and EDR?

DLP and endpoint detection and response (EDR) differ in intent, but they do serve similar purposes. DLP is focused on data, on its safety at rest and in motion. EDR is focused on endpoints and protecting systems starting at the endpoint, detecting and halting attacks on laptops and servers. While they may perform some of the same tasks, businesses will likely implement them for different reasons.

Bottom Line: Use DLP Tools to Protect Sensitive Data

DLP technology provides a mechanism to help protect against sensitive data loss and thus can also help limit the regulatory consequences an organization faces in the wake of a data breach.

By classifying data and users and identifying or blocking anomalous behavior, DLP tools give enterprises the visibility and reporting needed to protect sensitive data and satisfy compliance reporting requirements. It’s likely that your DLP product won’t function in a vacuum — you’ll probably need other tools, too. But data loss prevention focuses on one of your business’s most important assets: its sensitive, secret and regulated information. The stakes for securing data continue to rise, and DLP is one strategy to help achieve your team’s data protection goals.

Read our tips to prevent data breaches next

The post Top 6 Data Loss Prevention (DLP) Solutions (Full Comparison) appeared first on eSecurity Planet.

To Fix DMARC Requires Angry Customers
https://www.esecurityplanet.com/compliance/how-to-fix-dmarc-enforcement/
Wed, 30 Aug 2023 20:28:31 +0000

Spoofing emails escape email authentication checks because blocking imposters takes effort. Customers must demand enforcement from their vendors.


A new Cloudflare phishing report notes that most of the 1 billion brand impersonation emails the company detected “passed” SPF, DKIM, and DMARC email authentication protocols.

That statistic is a bit misleading; the emails “passed” only because of a lack of enforcement controls by the brands themselves. The essential overlooked step of enforcement of email authentication protocols is a big reason why phishing emails remain the root cause of the overwhelming majority of cyber attacks and fraud.

A real reduction in impersonated emails will only happen when customers push the financial consequences of impersonation onto their vendors. We explore this in more detail in the sections that follow.

How To Create Financial Consequences For DMARC Failure

When an organization does not enforce DMARC, attackers can impersonate the brand. From the organization’s perspective, the investment of time to prevent impersonation may not deliver a return on that investment – even if it is small.

Impersonated organizations avoid consequences and thus feel no pain from victims of impersonated emails. The only change will occur when angry customers start to share the pain.

The Problem: Impersonated Organizations Avoid Consequences

Most often, the ones suffering the consequences of impersonated emails will be the hundreds or thousands of companies, nonprofits, and other organizations whose employees fall for the impersonation emails. The impersonated emails might contain annoying SPAM, but more often the phishing email will deliver more dangerous payloads that lead to stolen credentials, business email compromise (BEC) attacks, or ransomware attacks.

Victim organizations have little to no recourse to extract any compensation from the organization that is allowing their brand to be impersonated. Meanwhile, the company being impersonated has no financial incentive to change their behavior.

The Solution: The Pain of Email Impersonation Must Be Shared

The only leverage an organization may be able to apply will be to their vendors. Customers should become angry that their vendors expose them to risk and should demand that their suppliers implement and enforce SPF, DKIM, and DMARC email authentication protocols as a criterion for a business relationship.

Vendors need to make sales and will make reasonable concessions to customers to keep them from switching to competitors. At the same time, an organization is also quite likely to fall for business email compromise and phishing attacks from their vendors. After all, accounts payable clerks will open virus-laden PDF files named “overdue invoice” or “past-due statement” even if they don’t recognize the sender.

Admittedly, smaller organizations will not have leverage. However, even a medium-sized government agency or a Fortune 5000 corporation can easily make a demand for email authentication protocols as one of the conditions within their contract. The organization making the demand will have little to no cost to add such a clause to their contract and will see a huge reduction in risk from email impersonations.

Implementing all three email authentication protocols takes time, but does not cost significant money. Vendors will not be financially harmed by making these requests that simply pass the pain of impersonated emails back to them.

Emails Don’t ‘Pass’ – They Are Allowed To Bypass

Cloudflare released its inaugural Phishing Threats Report recently and cited over 1 billion instances of brand impersonations detected in SPAM, email threats, and malicious messages. Email authentication protocols such as SPF, DKIM, and DMARC are supposed to protect brands, yet Cloudflare notes that the “majority (89%) of unwanted messages ‘passed’ SPF, DKIM, or DMARC checks.”

Cloudflare can be 100% accurate that roughly 890,000,000 emails contain faked brand impersonations attempting to spoof email recipients. However, they definitely had to put “passed” in quotation marks because email authentication checks only fail spoofed emails under very specific configurations that most companies fail to implement. Instead, most impersonated emails are simply allowed to bypass authentication by the impersonated organization because of inadequate setup of all three protocols.

SPF Protocol: Spoofed Passes and Legitimate Fails

SPF stands for Sender Policy Framework, and it indicates whether the server sending a message is authorized to send mail for the domain. An organization publishes an SPF record (a DNS TXT record) on its domain that lists the legitimate email servers sending email on behalf of that domain.

SPF can be bypassed because receivers check it against the envelope sender (the Return-Path), which the recipient never sees, rather than the “From” field displayed in the mail client. A malicious sender can set the envelope sender to a domain they control, whose SPF record lists their own email server, so SPF validates the attacker’s domain. Nothing in SPF alone requires that domain to match the “From” field in any way.

SPF can also fail for legitimate emails if the SPF record is not maintained. A legitimate email sent by a new email server on the domain will simply fail if the server is not in the record. A third-party mail service such as MailChimp must either be referenced from the organization’s SPF record (through an include mechanism that points to the MailChimp email servers) or have its servers added to the organization’s record directly.
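
The “new server not listed, legitimate mail fails” case is easy to see with a minimal SPF evaluator. The following Python is an added example written for this page (not Cloudflare’s code and not a full SPF implementation): it supports only the ip4, ip6, include and all mechanisms, and it reads records from a constructed dictionary standing in for DNS, with example.com and the made-up mailer domain _spf.mailer.example as assumptions.

```python
"""Added example: a minimal SPF evaluator (ip4/ip6/include/all only) over
constructed TXT records, used to show how an unlisted server fails SPF."""

import ipaddress

# Constructed records standing in for DNS lookups. _spf.mailer.example plays the
# role of a third-party sender (a MailChimp-style service) reached via include:.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 ip6:2001:db8::/32 "
                   "include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, txt: dict = TXT, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip sending as domain.
    a, mx, ptr and exists mechanisms are deliberately not implemented here."""
    if depth > 10:                       # RFC 7208 limits lookup-causing terms to 10
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                    # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result                # catch-all: -all fails, ~all softfails
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # Version mismatch (IPv6 sender vs ip4 term) is simply a non-match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            # include: matches only when the referenced record yields "pass".
            if check_spf(sender_ip, arg, txt, depth + 1) == "pass":
                return result
    return "neutral"                     # record exhausted without an all term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, check_spf(ip, "example.com"))
```

The third address, 203.0.113.5, stands for a newly deployed mail server nobody added to the record: every message it sends as example.com fails with “-all”, which is exactly how legitimate mail breaks when an SPF record is not maintained.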

DKIM Protocol: Spoofed Passes and Legitimate Fails

DKIM is the acronym for the DomainKeys Identified Mail protocol, which enables an organization to digitally sign outgoing emails with a private key; the matching public key is published in a DNS record on the organization’s domain so that receiving servers can verify the signature.

As with SPF, malicious senders can implement DKIM for their malicious domain and sign SPAM with their own key, publishing the public key on their own domain. DKIM verification by itself does not compare the signing domain in the signature header with the domain shown in the “From” field to check for a match.

Just as with the SPF protocol, inadequate setup of legitimate third-party email senders, such as HubSpot, or of new email servers can lead to DKIM failure. DKIM can also be tricky to publish without errors, and a simple typo in the DNS record can cause every DKIM check for the domain to fail.

Our SPF and DKIM guides contain detailed information on how to properly set up the protocols.

DMARC Protocol: Spoofed Passes and Legitimate Fails

DMARC, while a clumsy acronym, is easier than the full and more unwieldy name: Domain-based Message Authentication, Reporting and Conformance. DMARC provides a mechanism to validate that the domain in the “From” field displayed to the recipient aligns with the domain that passed SPF or DKIM, and it lets the domain owner publish a policy telling receivers what to do when that alignment fails.

There are two ways a spoofed email can “pass” DMARC.

First, when the sender uses a lookalike domain such as “Amaz0n” or “Arnazon” when pretending to be “Amazon.” The malicious sender can set up SPF, DKIM, and DMARC for their malicious and look-alike domain and legitimately pass all three checks with their fraudulent domain that is not technically an impersonation domain.

Second, and much more commonly, the DMARC protocol is often simply not set up for active enforcement by the impersonated domain. In a standard process, DMARC will be established with a “p=none” setting, which does not provide any guidance to the receiving email server or email security tool for what to do if the protocols do not match.

Often, the default will be to deliver these messages, and this likely constitutes the bulk of the 89% of the emails that “passed” SPF, DKIM, and DMARC authentication checks. This is technically not passing DMARC because the impersonation email fails the check, but when less than half of enterprise DMARC policies meet the “p=reject” or even the “p=quarantine” authentication levels for enforcement, many impersonation emails can fail and simply bypass filters anyway.

Legitimate emails can fail DMARC if the organization has not carefully and thoroughly established and recorded the legitimate sources for email using their domain. Many organizations worry that they may not have SPF or DKIM properly established for all of their internal and third-party email servers. Afraid of the possibility of rejection for their marketing emails, an impersonated organization will be conservative and simply avoid enforcing DMARC.
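
To make the p=none versus p=reject distinction concrete, here is an added Python example, written for this page rather than taken from Cloudflare or any vendor, that parses a DMARC record and decides what a receiver does with a message once the SPF and DKIM results are known. The records, domains and the organizational-domain shortcut are constructed assumptions; a real receiver uses the Public Suffix List for organizational domains and also honors the sp= subdomain policy, both of which this example omits.

```python
"""Added example: evaluate a domain's DMARC record and work out what a receiving
server does with a message once SPF and DKIM results are known.
All domains and records below are constructed for illustration."""

POLICY_ACTION = {"reject": "reject", "quarantine": "quarantine", "none": "deliver"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def enforcement_level(record: str) -> tuple:
    """Return (policy, pct). p=none means failures are only reported, never acted on;
    pct below 100 applies the policy to only that share of failing mail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return ("no-policy", 0)
    return (tags["p"].lower(), int(tags.get("pct", "100")))


def organizational_domain(domain: str) -> str:
    """Simplification: keep the last two labels. Real receivers consult the
    Public Suffix List, so this mis-handles domains such as example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_verdict(record: str, from_domain: str, spf_domain, spf_passed: bool,
                  dkim_domain, dkim_passed: bool) -> tuple:
    """Return (dmarc_result, receiver_action). A spoofed message that fails
    alignment is still delivered when the impersonated domain publishes p=none."""
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r").lower()
    adkim = tags.get("adkim", "r").lower()
    spf_ok = bool(spf_passed and spf_domain and aligned(spf_domain, from_domain, aspf))
    dkim_ok = bool(dkim_passed and dkim_domain and aligned(dkim_domain, from_domain, adkim))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    policy, _ = enforcement_level(record)
    return ("fail", POLICY_ACTION.get(policy, "deliver"))


# Constructed records for the impersonated brand, in the two states the article contrasts.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # A sender's server passes SPF and DKIM for its own domain, but the visible
    # From: says example.com, so neither identifier aligns with the brand.
    for label, rec in (("p=none", MONITOR_ONLY), ("p=reject", ENFORCED)):
        print(label, dmarc_verdict(rec, "example.com", "other.example", True,
                                   "other.example", True))
```

Run as a script, it evaluates the same non-aligned message under both records: with p=none the DMARC result is “fail” yet the receiver action is still “deliver”, which is the “allowed to bypass” case described above, while p=reject turns the same failure into a rejection.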

Also read: Why DMARC Is Failing: 3 Issues With DMARC

Standard Email Protection Isn’t Enough

Some email services can also default to allowing even “p=reject” emails to be delivered to quarantine or SPAM folders. Similarly, email security tools will also typically be set up to be overly permissive to avoid blocking critical business emails.

Security teams should adjust their settings on email servers, for email SaaS providers, and within email security tools to explicitly reject emails that fail email authentication protocols. Organizations need to take action where they can to honor DMARC ‘p=reject’ and ‘p=quarantine’ settings and at least gain some advantage from the organizations that properly enforce the email authentication protocols.

Also read: How to Improve Email Security for Enterprises & Businesses

Bottom Line: Impersonation Is Primarily A Condition of Inconvenience

Those 890,000,000 emails that impersonate brands probably would not pass properly enforced SPF, DKIM, and DMARC protocols. Loose delivery filters tend to be overly permissive and put the burden of analyzing the emails for signs of spoofing on the shoulders of the weak link: our non-technical employees.

Proper enforcement of email authentication takes time, but does not cost much money. Companies don’t want to be inconvenienced by undelivered marketing emails, so instead they allow others to suffer from attacks impersonating them.

It is time for customers to get angry and push back where they can – at vendors. Vendors currently worry about losing potential customers, but will worry much more about losing actual customers. Instead of resisting security, the sales teams will start to help motivate the entire organization to stop email impersonation.

Read next: Spear Phishing Prevention: 10 Ways to Protect Your Organization


6 Best IT Asset Management (ITAM) Software
https://www.esecurityplanet.com/products/it-asset-management-software/
Wed, 23 Aug 2023 16:20:00 +0000

Make informed decisions on IT asset management software. Compare features, integrations, and pricing. Find the perfect solution for your business needs.


IT asset management software helps IT teams track and manage all the assets their company uses in its IT infrastructure.

ITAM tools track hardware and software lifecycles so IT teams know how to best protect and use those assets. ITAM can also play an important role in cybersecurity by discovering and updating assets as part of the vulnerability management and patching process.

Our selections for the best ITAM software help overworked IT teams organize, manage, and protect their business’s important assets:


Top ITAM Software Comparison

The following table gives a short overview of our top six software selections, a few key ITAM features, and pricing availability.

Product | License tracking | Vendor management | Configuration management database (CMDB) | Mobile app functionality | Transparent pricing
Ivanti Neurons | ✅ | ✅ | ✅ | ? | ?
ManageEngine Endpoint Central | ✅ | ? | ✅ | ✅ | ✅
Quest KACE | ✅ | ? | ✅ | ? | ?
SolarWinds Service Desk | ✅ | ✅ | ✅ | ✅ | ✅
Pulseway | ✅ | ? | ? | ✅ | ✅
Track-It! | ✅ | ? | ? | ? | ?



Ivanti Neurons

Best for vendor and contract management

Ivanti’s ITAM portfolio includes Ivanti Neurons for Discovery, Neurons for ITAM, and Neurons for Spend Intelligence. Neurons for ITAM includes a product catalog that shows not only purchased assets but also active product orders. Contract management features allow IT teams to view the overall state of their business’s contracts.

With Ivanti, your IT team can manage asset requests like a new employee laptop as well as manage IT contracts. Ivanti offers a mobile app with features like barcode scanning, which helps teams track multiple assets more quickly; however, note that the app has low review scores on both Apple’s App Store and the Google Play store.

Pricing

Ivanti requires potential buyers to submit a quote request to receive pricing information. Buyers receive a discount by choosing annual billing rather than monthly billing.

Features

  • Barcode scanning capabilities through the mobile app
  • Asset lifecycle tracking, including receipt and disposal records
  • Vendor data and performance management
  • Charts and graphs that show software inventory and break down top software vendors
  • Configuration management database

Pros

  • Mobile app available
  • Integrates with Ivanti’s IT service management (ITSM) product

Cons

  • Lacks transparent pricing
  • Mobile app could be better

ManageEngine Endpoint Central

Best for overall endpoint management

Formerly known as Desktop Central, ManageEngine’s unified endpoint management (UEM) solution offers ITAM for IT teams that want to double down on asset security. While the ITAM solution is just one component of Endpoint Central, it makes sense for organizations that want to combine their endpoint solution with software and hardware asset management.

Key features include digital asset tracking and scans, license compliance tracking, and file scanning. ManageEngine scans your business’s network for hardware and software inventory changes to determine if an unauthorized device is on your network.

Pricing

Endpoint Central has four different plans:

  • Professional
  • Enterprise
  • UEM
  • Security

Its comprehensive pricing list gives endpoint cost ranges for numbers of endpoints, workstations, servers, and additional technicians. Select the Get Quote button at the bottom of the page to calculate your team’s specific numbers.

Features

  • Digital asset tracking and scanning
  • Network scans for hardware and software inventory changes
  • Hardware warranty management, which includes automated warranty detection
  • IT license compliance tracking
  • Customizable software and executable blocking
  • Configuration management database

Pros

  • Transparent pricing
  • 30-day free trial
  • Option to purchase an endpoint platform that includes ITAM if you want the whole package

Cons

  • User reviews are mixed about customer support and usability of the user interface, with some customers having trouble with unhelpful tech support and a clunky UI


Quest KACE

Best for teams with large IoT infrastructures

Offered by Quest, the KACE Systems Management Appliance offers IT asset management along with IoT device management. Because the KACE appliance uses network protocols like SNMP, your IT team can scan not only computers but also network-connected devices like routers and printers. If your business uses a lot of IoT devices, consider KACE.

KACE also specifically integrates with Dell systems, including enterprise technology like servers and storage. For large enterprises with multiple Dell systems, KACE includes that hardware in its asset inventory so teams know when it’s time to phase it out.

Pricing

Quest only provides pricing for KACE once potential buyers request a quote. They can also request a free trial.

Features

  • Tracking for devices like networking equipment and printers
  • Configuration management database for overall asset and IoT device management
  • Inventory software that tracks hardware’s age and compatibility with operating systems
  • Integration with Dell products

Pros

  • Supports a wide range of operating systems
  • Free trial

Cons

  • Lacks transparent pricing

SolarWinds Service Desk

Best for large enterprises

SolarWinds Service Desk is an IT service management (ITSM) solution that combines help desk capabilities with IT asset management. Users can monitor the licenses being used in their organization and see when an active license doesn’t match what the business has already purchased. IT teams can also use the configuration management database (CMDB), which shows how the IT infrastructure is affected when configurations are changed.

On the help desk side, users can design a knowledge base for their own employees to resolve IT issues with the help of articles and instructions. There’s also a mobile app for IT teams who need that flexibility. If you’re a large team looking for a combined IT help desk and asset management tool that’s feature-packed, consider SolarWinds.

Pricing

SolarWinds has three Service Desk plans:

  • Essentials — $39/month/technician
  • Advanced — $79/month/technician
  • Premier — $99/month/technician

Features

  • Configuration management database
  • Automated risk detection and license monitoring for compliance with software licensing
  • Employee self-service portal for IT help desk tickets
  • Discovery Scanner that collects asset data from devices with IP addresses 

Pros

  • 30-day free trial of the Premier plan
  • Transparent pricing
  • Integrates with SolarWinds’ observability solutions

Cons

  • Smaller businesses might find the full-featured solution to be more than they need

Pulseway

Best for fully remote teams and MSPs

RMM provider Pulseway offers a SaaS IT management solution designed to be mobile-first. Its mobile application allows IT teams to monitor assets from their phones, and the app receives high overall ratings on both the App Store and Google Play store. Pulseway’s agent is customizable so you can design alerts for situations specific to your business. Pulseway also offers security add-ons, including patch management and an antivirus software integration. Customers can choose either Webroot or Bitdefender.

Pulseway is available for both IT teams and managed service providers; consider Pulseway if you’re an MSP looking for an IT monitoring solution to serve your customers.

Pricing

Pulseway’s pricing calculator allows potential buyers to select a number of endpoints, as well as security add-on features. They can also contact Pulseway with any questions about pricing. Pulseway also has a $149 fee for their one-time onboarding and best practices session.

Features

  • Server monitoring and management
  • Customized triggers that can automatically remediate IT problems
  • Patch policy creation
  • Templates for reporting and report scheduling options
  • Mobile app

Pros

  • Transparent pricing
  • Free trial
  • Additional security features, including ransomware detection and antivirus software integration

Cons

  • Limited support for Mac and Linux devices
  • No configuration management database

Track-It! by BMC

Best for smaller teams that need help desk functionality

Track-It!, owned by BMC, has an ITAM module that belongs to a combined IT help desk and endpoint management platform. The ITAM module offers automated IT asset discovery and reporting, so IT teams can identify when an unauthorized device joins the company network. Track-It! can also import supplier and asset pricing data to give the team a clearer picture of potential asset purchases based on their budget.

Track-It! gives IT teams the option to combine multiple IT management-focused modules and features, including scheduled email reports, change and knowledge management, and help desk ticketing. Consider Track-It! if your business is looking for an integrated endpoint and help desk solution.

Pricing

Track-It! requires potential buyers to request a quote for any pricing information. It offers a free trial.

Features

  • Imported supplier and asset cost data to inform IT budgeting
  • Report creation and scheduling, including brief reports for executives and more detailed ones for IT managers
  • Asset dashboards
  • Automatic discovery of network-connected assets, including updates to existing assets

Pros

  • Integrates endpoint management, help desk, and ITAM
  • Free trial

Cons

  • Lacks transparent pricing
  • No configuration management database
  • Customer reviews over time aren’t high overall

5 Key Features of ITAM Software

The central features of ITAM vary from vendor to vendor, but core functions include hardware and software discovery, asset change management, and license record tracking.

Hardware and software discovery

ITAM records servers, PCs, laptops, tablets, routers, switches, networking equipment, storage assets, and other devices existing within an organization. This includes remote assets and mobile devices belonging to the organization. Metadata and other sources can be used to track any operating systems and applications operating within the organization and using hardware assets.

License tracking

ITAM tools should record license usage within the enterprise and note any unlicensed assets. Unlicensed assets not only affect your business’s compliance stance but can also lead to security breaches, depending on the software involved; if it is shadow IT, it may be unsafe.

Tracking changes

Change management should be tracked automatically. As IT teams add new hardware or software to the overall IT infrastructure, the ITAM solution automatically updates the inventory.

Management

The ability to configure custom rules, manage permissions, create reports, and maintain scanning schedules helps IT teams develop a specialized solution and stay on top of it. When tools like ITAM perform tasks automatically or allow teams to develop reports for upper management, they save IT personnel valuable time.

Analytics

Some ITAM suites include financial analysis and risk management. These systems highlight areas where productivity could be improved via upgrades or where costs could be reduced due to unutilized resources.

How to Choose the Best ITAM Software for Your Business

As your IT team is evaluating IT asset management solutions, consider the following points while your team narrows down a list of tools to select the best fit for your business overall.

Systems supported

Ensure that the solution you use supports the operating systems and devices your business uses. If your team has Mac and Windows machines, the right ITAM solution should support both systems. Having to purchase multiple solutions or having incompatible devices will be a waste in the long run.

Single solution or suite

While some ITAM products are available as standalone solutions, others belong to a larger suite, like Pulseway. Consider whether your team is looking for multiple IT management solutions in one. This will affect cost, too, but it might save your team money in the long run if you need multiple tools.

Security tools

Security-focused IT teams have plenty of options: many ITAM products offer security add-ons like patch management or belong to a suite of security products already. Keep security integrations in mind if your team is looking for that.

Scalability

Does the ITAM solution you’re considering have the ability to increase the number of assets or technicians on a plan? This is particularly important if you have a small business that’s growing rapidly. You may only have five technicians now, but if you have twenty in a couple of years, you’ll need a product designed for businesses of multiple sizes.

Budget

Last but certainly not least, take your organization’s budget into consideration. Avoiding overspending while still choosing the best solution is a balancing act; you want to make sure the ITAM tool you choose is effective.

How We Evaluated ITAM Software

eSecurity Planet chose a selection of ITAM products to evaluate using a product scoring rubric. We also looked at vendors’ product pages and data sheets, as well as comprehensive user reviews, as we analyzed products to determine which are best for our audience.

In our product scoring rubric, the following criteria are weighted according to the percentages listed for each, and that weight affects the total score for each product accordingly. The top-scoring products made it onto our list; lower-scoring ones did not.

Features – 30%

We evaluated ITAM tools’ core capabilities, including hardware and software discovery, license tracking, and custom rules management.

Price – 20%

We not only evaluated available pricing information but also scored vendors based on their pricing transparency, availability of free trials, and whether they offered an annual pricing discount.

Deployment and administration – 25%

These subcriteria include knowledge bases, technical skill requirements to set up the product, and SaaS versus on-premises deployments.

Customer support – 15%

We scored customer support based on the frequency of availability, live chat and email support, and whether the vendor offered demos or training.

Additional capabilities – 10%

Other features that our research team scored included financial and risk analysis, third-party asset vendor management, and configuration management databases.

Frequently Asked Questions (FAQs)

People frequently ask the following questions about IT asset management software. We highlight benefits and considerations of using ITAM tools, among other details.

What are some key benefits of using IT asset management software?

IT asset management software is a central tool that IT teams can use to handle multiple parts of hardware and software lifecycles. IT assets like laptops, servers, and tablets need to be carefully managed, and that includes keeping licenses up to date but also making appropriate security upgrades. ITAM software simplifies the many jobs that IT teams have when they manage the business’s assets.

What security features should I consider when evaluating IT asset management software?

Patch management features can be a big help with the overwhelming process of addressing security vulnerabilities. Integration with endpoint security tools can simplify patch delivery, security monitoring and asset management. And discovering forgotten IT assets can protect your organization from security risks you were previously unaware of.

What is the difference between ITAM and ITSM?

ITAM and IT service management are similar, and it can be even more confusing when a vendor offers both in one product or suite of products. Broadly speaking, IT asset management focuses on IT assets like business devices and applications, while IT service management focuses on IT services (like help desk tickets and incident resolution) that often affect those assets. They overlap in some ITAM and ITSM products, though.

What are types of IT assets?

Along with company-issued laptops and desktops, tablets, mobile phones, and servers, other examples of IT assets include:

  • Routers, switches, and other networking equipment
  • Printers
  • Storage arrays
  • Databases
  • Antivirus and other security software installations
  • Software and applications

Note that not all solutions will support every networking or IoT device. If your business wants to cover those in an ITAM deployment, look for solutions like Quest KACE that inventory them, too.

Bottom Line: Empowering IT Teams with ITAM Software

IT asset management software simplifies IT teams’ jobs, centralizing many of the tasks they already have to do. It gives them tools to automate time-consuming tasks like taking asset inventory and searching for outdated licenses and unknown devices. ITAM products don’t automatically solve all of an IT team’s problems — they take time to learn and implement. But they’re a worthwhile investment, especially if you choose a tool that can scale with your business as it grows. If your IT team customizes ITAM software to fit your specific business needs, it can become a powerful tool that supports not only your technology department but also, behind the scenes, your entire organization.

Article written by Drew Robb on Dec. 1, 2021 and updated by Jenna Phipps on Aug. 23, 2023

Patch Management Policy: Steps, Benefits and a Free Template
https://www.esecurityplanet.com/compliance/patch-management-policy/ (Fri, 30 Jun 2023 13:45:00 +0000)

A patch management policy is a set of rules that defines how to manage the patching of software. Learn how to create one now.

Patching and updating devices can be a hassle and can cause business disruption. Yet, unpatched vulnerabilities provide attackers with open opportunities to cause great damage — with studies showing unpatched vulnerabilities estimated to contribute to 30-60% of all breaches!

A patch management policy formalizes the fundamental IT requirement that all systems and software should be patched and updated in a timely manner with rules that explain the requirements for patching and updates, clear processes that can be followed, reported on, and confirmed, and standards that can be tested and verified.

This article can help organizations of all sizes start the process with a fundamental overview and a template:

Also read: 11 Key Steps of the Patch Management Process

Free Patch Management Policy Template

To kick-start any patch management policy development, eSecurity Planet has developed a template that can be downloaded and modified. Notes of explanation or how to use the template are enclosed [between brackets], and these sections should be removed from final drafts.

Access the Sample Patch Management Policy Template.

The sample patching policy contains many sections, but not all sections will be required for all organizations and others might require more details. See Common Patch Management Policy Segments below for more details.

How to Create a Patch Management Policy in 4 Steps

All security policies share the same four key steps to create a policy, and they are explored in detail in IT Security Policies: Importance, Best Practices, & Top Benefits. For a functional patch management policy, we summarized these steps as:

  1. Determine the Patch Management Policy: Identify responsible parties, who or what is covered, basic processes, validation methods, and reports; these often will be based on the current practices.
  2. Verify the Patch Management Policy: Formally check to ensure basic policy developed in step 1 satisfies the complete needs of the organization and any compliance requirements.
  3. Approve the Patch Management Policy: Draft official language and circulate the policy for approval by affected stakeholders and executives.
  4. Review and Modify the Patch Management Policy: Periodically review the policy to ensure it remains updated and continues to satisfy the evolving needs of the organization.
Patch Management Policy Development Cycle

Although the basics remain the same, patch management is a frequently regulated requirement and organizations will need to apply extra caution in verifying compliance requirements. Any rule that does not meet compliance requirements should be adjusted.

For example, a fire department might apply patches quarterly in practice. However, they might find that their state’s cybersecurity requirements require monthly patching and will therefore need to change their patching frequency to monthly to comply.

Practical limitations will also be very important, and the policy team should work with the patching team to test the rules. If the IT team cannot comply with standards and requirements with their current resources, should the organization adjust the rules or the resources?

In the fire department example above, perhaps the volunteer fireman who used to apply the patches in their spare time will need to be replaced or assisted by a patch management tool or service that can meet the monthly regulatory requirements.

Common Patch Management Policy Sections

When writing your patch management policy, consider the required, recommended, and bonus (aka nice-to-have) sections.

Required Policy Sections

These core sections should be part of every policy related to patch management:

  • Scope: What assets are covered by the policy and how to identify software and devices to be covered.
  • Patch Management Authority: Who is in charge and responsible for the patch management policy and its execution.
  • Patching Priority: How to determine the priority of patches and the basis for that determination based on severity, risk, and other factors.
  • Patch Scheduling: The length of time between the patch release and the organization’s installation based upon priority.
  • Patch Management Preparation: Backups and other system preparation that needs to be in place in case a patch fails and systems need to be restored.
  • Manual Patch Management: How to apply patches manually — especially for systems that require downtime for maintenance. Explain the process for scheduling and obtaining approval for business system downtime.
  • How to Handle Exceptions: Some patches will fail, some will cause business disruption, and some will simply not be needed. Explain how to recover systems and track exceptions and the process for mitigations to protect open vulnerabilities.
  • Patch and Update Reporting: How to measure success and compliance with patch management with reports, including how and what to report.

Recommended Policy Sections

These sections help to flesh out the patch management policy with additional rules to protect the organization and to help prepare the IT department:

  • Asset List: A list of resources or links to asset lists to help define the scope of systems and software tracked for patching and updating.
  • Patch and Update Acquisition: Outline where to obtain valid patches and updates.
  • Patch Testing: Test environments or testing of patches to verify they work and do not affect other business systems.
  • Automated Patching: Organizations often express a preference for automated patching processes to reduce patching delays and burdens for IT teams.
  • Audit Controls and Management: Outline what reports, logs, and information can satisfy internal and external auditors to track patch management success and verify patches have been successfully applied.
  • Enforcement: Penalties to the IT department for failure to execute the patch management process, penalties to employees that interfere with the patch management processes, and how to handle assets that do not comply with the patch management policy.
  • Distribution: Who must or should receive the patch management policy.
  • Policy Version: Tracking versions and approvals of the patch management policy.

Bonus / Nice-to-Have Policy Sections

These sections do not change the core elements of the patch management policy, but can make the policy more usable or comprehensive:

  • Overview: sets expectations and goals for the policy.
  • Compliance Appendix: Copies or links to relevant compliance frameworks with which the organization must comply.
  • How to Deal With BYOD and personal equipment.

Top 5 Patch Management Policy Best Practices

All security policies share the same five best practices to create a policy, and they are explored in detail in IT Security Policies: Importance, Best Practices, & Top Benefits. For a functional patch management policy, we summarize these steps as:

  • Focus on What to Do, Not How: By focusing on goals and objectives, a policy can set standards while allowing the patch management team the flexibility to determine the best solution to meet those goals and objectives.
  • Make Policies Practical: The patch management team needs to be able to understand and implement the policy.
  • Right-size Policy Length: Too short and the policy may not have sufficient requirements to be verified; too long and the policies may become over-prescriptive or hard to understand.
  • Keep Policies Distinct: Overlapping policies can introduce conflicts or become more difficult to keep current.
  • Make Policies Verifiable: Effective policies require reports that prove the policy is both in place and effective.

The eSecurity Planet template seeks to be more comprehensive than some organizations may need, so every organization should review the template and add or remove content to fit their needs.

Beyond the standard best practices, patch management benefits from additional considerations. For example, when making patch management policies practical, use existing resources such as the Common Vulnerability Scoring System (CVSS) to determine risk and prioritize patches, but balance those resources with consideration of the organization’s specific context.

For example, some organizations only patch vulnerabilities with a score of 7 or above. Yet these ratings only show the risk of the vulnerability and must also be combined with the likelihood of exploitation and the value of the asset to the organization.

A data exfiltration bug of 8.0 on the marketing web server that only contains publicly released documents shouldn’t have higher priority than a 6.5 remote code execution vulnerability on the server with the company’s Active Directory (AD) services. The impact to the organization of a fully compromised AD simply would be too great to risk even modest possibilities of exploitation.

As a special consideration for patch management, many organizations deploy automated tools. These solutions work well and should be used; however, they tend to focus on certain parts of the IT ecosystem such as operating systems and common software such as Microsoft Office or Adobe Acrobat.

Tools often lack comprehensive coverage of third-party applications, firmware, internet-of-things (IoT) devices, networking equipment, backup applications, and more. The policy should not rely upon the tools or a patch management service to determine the asset list for the patching policy. The IT department must ensure that all resources that need patches are tracked and patched, even when applying the patch is difficult or may require manual patching.

Top 6 Benefits of an Effective Patch Management Policy

Many organizations feel that their undocumented patch management processes will not be improved by taking the time to put them into writing. However, this attitude overlooks six key benefits to any security policy:

  • IT Hardening: The process of creating or reviewing security policies forces the evaluation and potential improvement of security practices.
  • Employment Defense: Compliance with an executive-approved written policy provides coverage for the IT and security team in the event of a breach.
  • Executive and Board Member Peace of Mind: Executive stakeholders can easily understand the organization’s security posture from plain-language reports required by effective policies.
  • Litigation Protection: Reports and other evidence showing compliance with policies that encompass reasonable security efforts can provide protection against lawsuits and regulators in the event of a breach.
  • Compliance Easy Button: Policy-required reports will automatically be available for auditors if the policy already encompasses the compliance requirements.
  • Improved Operational Efficiency and Resilience: Effective policies, especially patch management policies, can detect end-of-life assets and ensure the installation of the latest features for ease of use and capabilities.

Bottom Line: Patching Policies Promote Premium Processes

A good patch management policy can provide a helpful checklist to help create an efficient, and reliable patch management process. The reduced cybersecurity risk from the patching and the improved communication from the reports will improve overall business processes and executive confidence.

However, patching cannot solve all problems. Patch management does not cover whether or not an organization has the correct software in place for their needs or if the software settings are properly configured.

Patch management policies provide a helpful part of an overall cybersecurity program but need to be combined with other critical policies and strategies to ensure a resilient organization.

More information on Patch Management and Related Topics:

Why DMARC Is Failing: 3 Issues With DMARC
https://www.esecurityplanet.com/compliance/getting-dmarc-right/ (Thu, 01 Jun 2023 15:00:00 +0000)

Learn how to troubleshoot basic DMARC implementation issues and create a robust DMARC email security solution.

When organizations implement Domain-based Message Authentication, Reporting and Conformance (DMARC), they expect to tighten email security and protect against spoofing and other spam email attacks. Unfortunately, many organizations experience errors and don’t complete the DMARC setup to enforce a DMARC policy, leading to far less secure email systems than they think they have.

This article provides details to help an organization establish a robust DMARC policy with detailed information on:

Troubleshooting DMARC

Troubleshooting and deploying a correctly formatted Domain-based Message Authentication, Reporting and Conformance (DMARC) policy will require precision and time. Fortunately, there are many resources available from the DMARC.org website, email vendors, and even full-service DMARC vendors to help IT teams with the process.

General Troubleshooting Process

When attempting to fix a DMARC policy after initial setup, organizations will run into various issues. Basic DMARC requirements help to define the best practices for troubleshooting, which include:

  1. Verify and Check SPF, DKIM, and DMARC policies in detail
  2. Deploy DMARC in monitoring mode (p=none)
  3. Check DMARC report for several weeks to identify legitimate email sources suffering rejection
  4. Resolve rejection issues by updating the appropriate policy (SPF, DKIM, DMARC, or email vendor settings)
  5. Once legitimate email issues have been resolved
    1. Gradually enforce DMARC to ‘p=quarantine’ or ‘p=reject’
    2. Check for new rejection issues
    3. Repeat steps until all sending domains are verified, enforced, and fully protected
  6. Periodically check reports for IP address changes or new domain conflicts to be resolved or spoofing sites to report or block

Vendor-Specific DMARC Troubleshooting Guides

Most DMARC settings do not rely upon the specific email vendor, but some details may be vendor specific — especially with regard to DNS deployment, DMARC activation, and troubleshooting. Fortunately, most email vendors also provide guides or tutorials.

Microsoft 365 and Gmail provide tutorials and specialized instructions for properly configuring DMARC policies for their email customers. Similarly, smaller vendors such as Twilio’s SendGrid publish their own troubleshooting guides, so IT teams will need to check with their email and DNS providers for specific information.

Specialized DMARC Vendors

Harried IT teams without resources may not have time to study the requirements or troubleshoot the processes. For these organizations, specialized DMARC vendors can be an effective solution to save time and money.

Seth Blank, CTO of Valimail and co-chair of the DMARC Working Group, suggested, “To evaluate a platform’s ability to help you reach enforcement, assess its user experience, automation and customization.” Organizations should also verify that these potential vendors can service the full spectrum of policies (SPF, DKIM, DMARC) and can explain how they might address common issues such as SPF lookup limits.

Common Reasons Why DMARC Deployment Fails

DMARC deployment can fail for a host of reasons. Initially, an organization may make mistakes with their DMARC record that cause DMARC checks to fail. Once the DMARC record is corrected, the organization may find many emails suffering DMARC rejection, which requires another round of troubleshooting.

Beyond the technical issues, DMARC can also fail due to insufficient resources dedicated to supporting DMARC or even by not escalating the DMARC settings. An IT team must work with other stakeholders in the organization to stress the importance of DMARC and overcome these obstacles.

Common DMARC Mistakes

DNS TXT records are small and simple; however, simplicity also means that small mistakes can create big problems. The DMARC working group publishes a list of common problems with DMARC records that includes detailed issues, and we will cover the major categories here.

Invalid DNS Records

Incorrectly published DMARC, DKIM, and SPF records with extra text or incorrect text will invalidate the records. These issues can stem from several different types of errors, including:

Wildcard records include wildcard characters or extra text that invalidates the record, such as:

  • SPF records with placeholder letters in an IP address, such as ip4:201.5.YY.ZZZ (instead of numbers)
  • Incomplete DKIM public keys
  • Random text or comments inserted into the record, such as “Please contact your registrations service provider…” or “***” or “This domain’s zone has been disabled”
  • Domain or vendor owners inserting names into the record

Not following directions can be similar to wildcard records because it includes extra text; however, in this case it typically will be instructions for content that have remained in the file such as “descriptive text” in the following sample: “_dmarc.fromage.XXXXXXXX.fr descriptive text v=DMARC1; p=reject;…”

Common formatting errors avoid wildcard and extra text issues but create problems in other ways such as:

  • Order of elements: “v=DMARC1” must come first and be listed in all capital letters so both “p=none; v=DMARC1; rua=mailto:…” and “v=dmarc1;P=Reject;…” will cause errors
  • Forgetting variable tags or proper syntax such as writing
    • “DMARC1” instead of “v=DMARC1”
    • “rua=email@…” instead of “rua=mailto:email@…”
  • Forgetting semicolon (;) separators or using the wrong separator between variables such as with “v=DMARC1 p=none…” or “v=DMARC1:p=none…” instead of “v=DMARC1;p=none…”
  • Permitted, but potentially problematic formatting such as
    • Using capital letters other than for DMARC1 such as “V=DMARC1;P=NONE…” instead of “v=DMARC1;p=none…”
    • Unneeded spaces such as with the extra space before “mailto” in “rua= mailto:email@…” instead of “rua=mailto:email@…”

Typos and extra characters will often sneak into a DNS record because of copy-paste errors or even specific DNS requirements. For example, some DNS servers require semicolon characters to be escaped using a backslash (\) character and the file may be found with too many (\\) backslashes or forward slash (/) characters used by accident.

Bad record content is listed separately by dmarc.org, but it has a lot in common with typos and formatting errors. For example, instead of using one of the three permitted values for the “p” tag (none, quarantine, reject), the record may use incorrect (“blocked” or “monitor”) or misspelled (“quarintine”) values.
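As an added example (not code from the article or from dmarc.org), the following Python linter checks a DMARC TXT record for the mistake categories described above: a misordered or miscased v=DMARC1, template text left in front of the record, wrong separators, unneeded spaces, missing mailto:, invalid p values, and over-escaped semicolons. The tag list and permitted policy values follow RFC 7489; the check messages are my own.

```python
import re

# Values RFC 7489 permits for the "p" and "sp" policy tags.
VALID_POLICIES = {"none", "quarantine", "reject"}
# Tags a DMARC record may carry (RFC 7489 section 6.3).
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
# One "tag=value" piece; the two inner groups capture unneeded spaces around "=".
TAG_RE = re.compile(r"^\s*([A-Za-z]+)(\s*)=(\s*)(.*?)\s*$", re.DOTALL)


def check_dmarc_record(record: str) -> list[str]:
    """Return the problems found in a DMARC TXT record; an empty list means clean."""
    problems: list[str] = []
    text = record.strip()

    # Some DNS front ends want ";" written as "\;"; doubling the escape is a common slip.
    if re.search(r"\\\\+;", text):
        problems.append("error: doubled backslashes before ';' (over-escaped separator)")
    text = re.sub(r"\\+;", ";", text)

    # Whatever precedes "v=DMARC1" is either a misordered tag or template text.
    pos = text.find("v=DMARC1")
    if pos < 0:
        if "v=dmarc1" in text.lower():
            problems.append("error: 'v=DMARC1' must be written exactly in that case")
        else:
            problems.append("error: missing 'v=DMARC1' tag")
    elif "=" in text[:pos]:
        problems.append("error: 'v=DMARC1' must be the first tag in the record")
    elif pos > 0:
        problems.append(f"error: extra text before the record: {text[:pos].strip()!r}")
        text = text[pos:]

    # Tags must be separated by ";"; a space or ":" between tags is a common mistake.
    fixed = re.sub(r"(?<=[^;\s])[\s:]+(?=[A-Za-z]+=)", ";", text)
    if fixed != text:
        problems.append("error: tags must be separated by ';' (found a space or ':' instead)")
    text = fixed

    seen: dict[str, str] = {}
    for piece in text.split(";"):
        if not piece.strip():
            continue  # a trailing ";" leaves an empty piece, which is fine
        match = TAG_RE.match(piece)
        if not match:
            problems.append(f"error: stray text in record: {piece.strip()!r}")
            continue
        tag, space_before, space_after, value = match.groups()
        if space_before or space_after:
            problems.append(f"warning: unneeded space around '=' in tag {tag!r}")
        key = tag.lower()
        if tag != key:
            problems.append(f"warning: tag {tag!r} should be lowercase")
        if key not in KNOWN_TAGS:
            problems.append(f"error: unknown tag {tag!r}")
        elif key in seen:
            problems.append(f"error: duplicate tag {tag!r}")
        seen[key] = value

    if "p" not in seen:
        problems.append("error: required 'p' tag is missing")
    for ptag in ("p", "sp"):
        value = seen.get(ptag)
        if value is None:
            continue
        if value.lower() not in VALID_POLICIES:
            problems.append(f"error: '{ptag}={value}' is not one of none/quarantine/reject")
        elif value != value.lower():
            problems.append(f"warning: '{ptag}={value}' should be lowercase")

    # Report addresses must be mailto: URIs; a bare address is a frequent mistake.
    for rtag in ("rua", "ruf"):
        for uri in seen.get(rtag, "").split(","):
            uri = uri.strip()
            if uri and not uri.startswith("mailto:"):
                problems.append(f"error: {rtag} address {uri!r} must start with 'mailto:'")
    return problems


if __name__ == "__main__":
    for sample in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "p=none; v=DMARC1; rua=mailto:dmarc@example.com",
                   "v=dmarc1;P=Reject;",
                   "v=DMARC1 p=none",
                   "v=DMARC1;p=quarintine;rua=dmarc@example.com"):
        print(sample, "->", check_dmarc_record(sample) or "clean")
```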

Overlooked Subdomains

When creating SPF files, an organization will be limited to 10 DNS query lookups. Often this means larger organizations will have multiple SPF files and will segregate out specific subdomains for separate SPF records.

However, when the organization creates their DMARC record, the organization may focus exclusively on the top-level domain (EX: SampleOrganization.com) and may overlook their subdomains (EX: ITNotifications.SampleOrganization.com or SalesEmails.SampleOrganization.com).

Unless explicitly handled separately, the DMARC policy deployed on the top-level domain automatically trickles down to subdomains. Overlooking subdomains that require separate handling may unintentionally block legitimate emails originating from servers on those subdomains.

Overlooked DMARC Updates

All DNS records, including DMARC, require updates as organizations evolve. For example, an organization will switch the IP addresses for email servers as they upgrade or transition to the cloud. Each IP address change requires an update to the filed policy.

Similarly, companies send email campaigns from a variety of third-party vendors for marketing (HubSpot, Mailchimp, etc.), sales (Salesforce, etc.), surveys (SurveyMonkey, etc.), accounting (Quickbooks, etc.), and help desks (Zendesk, etc.). As they adopt new vendors or these vendors change their email infrastructure, again, DMARC, SPF, and DKIM will require updates to keep up with the changes and avoid blocking legitimate emails.

DMARC Rejections

When implementing DMARC, organizations start with ‘p=none’ to avoid rejecting improperly configured but legitimate emails. The three most common ways legitimate emails will be rejected include:

  • Failure to set up DKIM Signatures for email vendors — this leads to a mismatch between the sender (Gmail, Microsoft 365, etc.) and the DMARC domain
  • Failure to whitelist third-party senders with DNS providers — these providers sign emails with their domain by default, which causes a mismatch
  • Forwarding entities altering body and headers — resenders, gateways, and malware scanning solutions will intercept the email and then forward it on. The forwarding replaces the sender IP address, which causes a DMARC mismatch

The first two issues can be managed by correctly establishing DKIM signatures for email vendors and correctly whitelisting third-party senders with DNS providers. Unfortunately, there isn’t much that can be done with the third issue unless the organization can contact or control the forwarding email servers.

In addition to the three most common issues, an organization can also run into issues with SPF and DKIM alignment. DMARC alignment seeks to prevent spoofing of the “header from” address by matching:

  • The “header from” domain name and the “MFROM” domain name used during an SPF check
  • The “header from” domain name with the “d=domain name” in the DKIM signature

Often, third-party email senders cause issues by using their own “MFROM” domain. This may pass SPF or DKIM, but not alignment. This issue will require coordination with the vendor to properly adjust the SPF, DKIM, and DMARC files.
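To make the alignment rule concrete, here is an added Python example (not the article’s code) that evaluates one message the way a DMARC verifier does: raw SPF and DKIM results are combined with header-From alignment in relaxed (r) or strict (s) mode. The organizational domain is approximated as the last two labels of a name, an assumption that stands in for the Public Suffix List a real implementation would consult.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Approximate the organizational domain (assumption: the last two labels)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    hf, ad = header_from.lower().strip("."), auth_domain.lower().strip(".")
    if mode == "s":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


@dataclass
class AuthInputs:
    header_from: str            # domain of the RFC5322.From header
    mail_from: str              # domain of the SMTP MAIL FROM (the "MFROM" above)
    spf_pass: bool              # raw SPF result for mail_from
    dkim_d: Optional[str]       # d= of a signature that verified, or None if none did
    aspf: str = "r"             # aspf tag of the published DMARC record
    adkim: str = "r"            # adkim tag of the published DMARC record


def dmarc_evaluate(m: AuthInputs) -> dict:
    """DMARC passes when SPF or DKIM both passes and aligns with the header From domain."""
    spf_aligned = m.spf_pass and aligned(m.header_from, m.mail_from, m.aspf)
    dkim_aligned = m.dkim_d is not None and aligned(m.header_from, m.dkim_d, m.adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    # Constructed cases: a vendor using its own MFROM and signing domain, the same vendor
    # after DKIM for our domain is set up, and a forwarder that breaks SPF but leaves DKIM intact.
    cases = {
        "vendor, own MFROM and d=": AuthInputs("example.com", "bounce.vendor.example", True, "vendor.example"),
        "vendor, DKIM d=mail.example.com": AuthInputs("example.com", "bounce.vendor.example", True, "mail.example.com"),
        "forwarder, DKIM survives": AuthInputs("example.com", "forwarder.example", False, "example.com"),
        "forwarder, body altered": AuthInputs("example.com", "forwarder.example", False, None),
    }
    for name, inputs in cases.items():
        print(f"{name:<32} {dmarc_evaluate(inputs)}")
```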

Insufficient Resources

Smaller organizations always struggle with time-intensive IT issues. Seth Blank admitted, “Frankly, setting up DMARC is complicated, which accounts for the gap between policies and policies at enforcement.”

Insufficient Staffing

Despite the simplicity of the specific technologies, the regular maintenance needed to keep SPF, DKIM, and DMARC current can be difficult even for large companies with dedicated teams. For small organizations with small IT teams, the maintenance can be nearly impossible.

“DMARC is an intricate standard reliant on two additional email standards, SPF and DKIM. Both of these standards would be strenuous to configure on their own. Smaller companies without an IT department to dedicate to DMARC do not have the resources to implement these records together,” said Blank.

Insufficient Tools

The DMARC aggregate and forensic reports sent from the receiving email service providers include crucial email ecosystem information, but the machine-readable files will not be intuitive or easy to read for humans. Additionally, for even moderately sized organizations, the sheer volume of reports received can overwhelm an organization attempting to manually collate and parse the information in a meaningful way. Fortunately, many different DMARC reporting tools can be obtained to enable rapid and meaningful analysis of DMARC reports.
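The following added Python example (not the article’s code or any vendor’s tool) shows what a minimal report reader does for the aggregate (rua) XML just described, and for steps 3 and 4 of the troubleshooting process above: it totals messages that passed DMARC, lists sources that would be affected by moving to quarantine or reject, and separates sources that authenticated for an unaligned domain (typically a legitimate third party that still needs DKIM for your domain) from sources with no authentication at all. SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C layout, using documentation IP addresses and placeholder domains.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one aligned server, one third-party vendor signing with its own
# domain, and one unauthenticated source. Real reports arrive from outside parties, so
# production code should parse them with defusedxml rather than the stdlib parser.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1685923200</begin><end>1686009600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>vendor-mail.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.vendor-mail.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>unknown-sender.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node: ET.Element, path: str, default: str = "") -> str:
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def classify(spf_result: str, dkim_result: str) -> str:
    """Explain a DMARC failure from the raw (pre-alignment) authentication results."""
    if spf_result == "pass" or dkim_result == "pass":
        # Authenticated, but for a domain that does not align with the header From:
        # the usual signature of a legitimate sender that still needs DKIM/SPF for us.
        return "alignment"
    return "unauthenticated"


def summarize_report(xml_text: str) -> dict:
    """Parse one aggregate report; list DMARC-failing sources, largest volume first."""
    root = ET.fromstring(xml_text)
    summary = {"domain": _text(root, "policy_published/domain"),
               "policy": _text(root, "policy_published/p"),
               "passing": 0, "failing": 0, "failing_sources": []}
    for rec in root.findall("record"):
        count = int(_text(rec, "row/count", "0"))
        # policy_evaluated already includes alignment; auth_results does not.
        passed = (_text(rec, "row/policy_evaluated/dkim") == "pass"
                  or _text(rec, "row/policy_evaluated/spf") == "pass")
        if passed:
            summary["passing"] += count
            continue
        summary["failing"] += count
        summary["failing_sources"].append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": count,
            "spf_domain": _text(rec, "auth_results/spf/domain"),
            "dkim_domain": _text(rec, "auth_results/dkim/domain"),
            "reason": classify(_text(rec, "auth_results/spf/result"),
                               _text(rec, "auth_results/dkim/result")),
        })
    summary["failing_sources"].sort(key=lambda s: s["count"], reverse=True)
    return summary


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    print(f"{report['domain']} (p={report['policy']}): {report['passing']} passing, "
          f"{report['failing']} would be quarantined/rejected under enforcement")
    for src in report["failing_sources"]:
        print(f"  {src['source_ip']:<16}{src['count']:>5}  {src['reason']:<15}"
              f"spf={src['spf_domain'] or '-'} dkim={src['dkim_domain'] or '-'}")
```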

Failure to Escalate DMARC Settings

The most significant issue with DMARC stems from organizations failing to escalate their DMARC settings. Whether out of fear of blocking legitimate emails or simply because implementing teams overlook escalation, failure to switch from p=none to a more rigorous policy undermines the effectiveness of DMARC.

Unless an organization sets an enforcement policy to “quarantine” or “reject,” even emails recognized as fraudulent will still be allowed to pass through to inboxes. Without the more restrictive enforcement policy, organizations place an unnecessary burden on email security applications and increase the likelihood of a phishing attack successfully impersonating a brand.

“A policy not configured to ‘quarantine’ or ‘reject’ fraudulent actors is like a bouncer who checks IDs and lets everyone in regardless of age,” said Blank. “DMARC enforcement should be the first level of protection … Other network security measures, like AI-based monitoring, can be valuable, but validating IDs shows you who is trying to get access.”

Bottom Line: DMARC Enforcement Reduces Phishing

If every organization deployed DMARC with full enforcement, spoofed emails would be dramatically reduced and phishing emails would become much less effective. While not all email attacks can be stopped, reducing credible spoofing attacks will dramatically reduce the burden on our email security tools as well as the number of phishing victims for our organization and every other recipient. It is time to protect your brand, defend against BEC, and reduce SPAM globally with full deployment of SPF, DKIM, and DMARC.
