Security Compliance Articles | eSecurity Planet (https://www.esecurityplanet.com/compliance/)

6 Best Digital Forensics Tools Used by Experts in 2024
https://www.esecurityplanet.com/products/digital-forensics-software/
Wed, 28 Feb 2024 13:06:42 +0000

Get to the bottom of security and legal issues with digital forensics tools. Discover which option will work best for your organization.

Digital forensics tools are products that help both business security teams and legal organizations uncover messy cases, from minor network security infractions to data privacy gaffes and major court cases. They offer features like data extraction, reporting, and anomaly detection to identify information in hard-to-access places. We analyzed the best digital forensics products, along with key features to consider and a breakdown of our evaluation.

Here are our picks for the six best digital forensics tools:

Top Digital Forensics Software Compared

The following table gives a brief overview of our six top products, including features like data extraction and free trial availability:

Product | Data Extraction | Incident Response | Indicators of Compromise | Free Trial
Exterro FTK | ✔ | ✔ | ✔ | 30 days
IBM QRadar SIEM & Forensics | ✔ | ➕ | ✔ | ❌
LogRhythm NetMon & SIEM | ❌ | ✔ | ➕ | ❌
Cyber Triage | ✔ | ➕ | ✔ | 7 days
Encase Forensic | ✔ | ✔ | ➕ | ❌
Magnet AXIOM Cyber | ➕ | ✔ | ❌ | Contact for length

✔ = Yes   ❌ = No/Unclear   ➕ = Add-On


Exterro FTK

Best Forensics Tool Overall for a Mix of Pricing & Features

Overall Rating: 3.9/5

  • Core Features: 3.7/5
  • Advanced Features: 4.3/5
  • Deployment & Usability: 4.5/5
  • Customer Support: 2.4/5
  • Pricing: 5/5

Exterro Forensic Toolkit (FTK) offers advanced digital forensics capabilities for both computer systems and mobile devices, including media thumbnail reviews and facial recognition. Other notable features include remote data collection and file recovery for deleted data. We recommend it for organizations of all sizes for its strong feature set and its pricing information — Exterro is transparent about licensing compared to the rest of the market.

Exterro is a fantastic all-around forensics product, but it’s not very transparent about customer support options. If that’s important to your team, look at LogRhythm instead — it also has plenty of key and advanced forensics features and was our criterion winner for customer support.

Pros & Cons

Pros | Cons
Free trial lasts a month | Unclear customer support availability
Supports extractions from mobile devices | Command line interface not available
Tech partnership with Palo Alto Cortex XSOAR | Unclear level of cloud app support

Pricing

  • Physical FTK license: $5,999–$11,500, depending on sale prices
  • Virtual FTK license: $5,999–$11,500, depending on sale prices
  • Yearly renewal: Subscription charges and renews annually
  • Free trial: 30 days

Key Features

  • Portable cases: Send data about a case to external reviewers and receive feedback.
  • Facial and object recognition: FTK identifies identical image content automatically.
  • Mac data analytics: Process data like encrypted Apple file systems.
  • Thumbnail review: Inspect and categorize multimedia images by hovering over them.

IBM QRadar SIEM & Forensics

Best for Enterprise Forensics & SIEM

Overall Rating: 3.5/5

  • Core Features: 3.8/5
  • Advanced Features: 3.5/5
  • Deployment & Usability: 3.4/5
  • Customer Support: 3.7/5
  • Pricing: 3.2/5

IBM QRadar SIEM is a security information and event management platform that offers capabilities like network analytics, threat response, and compliance audits. QRadar Forensics, which focuses specifically on digital forensics, can be a standalone product, but it’s also available as a SIEM module. Integrating the two is ideal for large enterprises that want to use a security management product and a digital forensics tool in conjunction.

QRadar is a strong enterprise solution, but it doesn’t support many cloud applications. Consider LogRhythm if you’re looking for cloud app support — it’s also a SIEM solution.

Pros & Cons

Pros | Cons
Combines SIEM and forensics in one product | No free trial offered
Advanced response features like incident alerts | Can be hard to get initial info from sales
IBM provides a pricing calculator | Lacks support for cloud apps

Pricing

  • Usage model: Priced by events per second and flows per minute
  • Enterprise model: Based on the number of managed virtual servers used
  • Pricing calculator: IBM’s calculator helps estimate initial costs
  • Contact for quote: Available add-ons, including Forensics

Key Features

  • Network analytics: View network threat detections and dashboard visualizations.
  • Compliance add-ons: Use QRadar SIEM extensions to comply with regulations.
  • IBM X-Force integration: View recent threat intelligence data like malicious URLs.
  • File recovery: The Forensics product finds raw capture data on specified devices.

LogRhythm NetMon & SIEM

Best Forensics Solution for Customer Support

Overall Rating: 3.3/5

  • Core Features: 3.3/5
  • Advanced Features: 3.6/5
  • Deployment & Usability: 2.8/5
  • Customer Support: 4.4/5
  • Pricing: 1.8/5

LogRhythm’s next-gen SIEM platform integrates with LogRhythm NetMon, a forensics solution for networks that provides packet analytics, dashboards, and application recognition. This integration is another example of combined SIEM and forensics for teams that want those products connected. LogRhythm got particularly high marks in our rubric for its customer support availability, including phone support and a 24/7 platinum plan.

While LogRhythm SIEM is a strong network forensics product, it won’t be sufficient for all forensics cases. Consider Exterro if you need mobile and multi-platform forensics; it also finds indicators of compromise and offers incident response capabilities like LogRhythm.

Pros & Cons

Pros | Cons
Incident response features through SIEM | No free trial and limited pricing info
24/7 support plan available | Lacks mobile device support
Good choice for network-focused forensics | Lacks data extraction technology

Pricing

  • Contact for quote: Custom pricing available

Key Features

  • Threat scores: A risk-based priority calculator helps teams determine risk significance.
  • Application recognition: NetMon identifies more than 3,500 applications.
  • Incident response: The SIEM solution helps teams find and remediate security threats.
  • Deep packet analytics: Extract and view network packet data from OSI layers 2-7.

Read more about different types of network security, including threat intelligence and network access control.


Cyber Triage

Best Solution for Cybersecurity-Specific Incident Response

Overall Rating: 3.2/5

  • Core Features: 3.3/5
  • Advanced Features: 4.8/5
  • Deployment & Usability: 2.5/5
  • Customer Support: 0.9/5
  • Pricing: 4.3/5

Cyber Triage is a combined forensics and incident response platform that’s great for teams that want to both manage incidents and explore attacks in detail. Key capabilities include malware scanning, artifact scores, and incident response recommendations. Cyber Triage also integrates with endpoint detection and response (EDR) and SIEM products like SentinelOne Singularity and Splunk; consider Cyber Triage if you want those major security integrations.

While Cyber Triage is a strong incident response solution, it doesn’t support mobile devices. Consider Exterro, which offers incident response integrations and collects mobile device data, if you’re looking for both IR and mobile capabilities.

Pros & Cons

Pros | Cons
Can run on a laptop, in the cloud, or on-premises | Limited info on customer service availability
Combines incident response and forensics | No cloud app support
Integrates with SIEM and EDR | No mobile device support

Pricing

  • Standard plan: $2,500 per year
  • Standard Pro plan: $3,500 per year
  • Team plan: Custom pricing available
  • Free trial: 7 days

Key Features

  • Artifact scoring: Cyber Triage helps prioritize incident evidence by ranking it.
  • Malware scanning: Over 40 scanning engines increase the chances of finding malware.
  • Air-gapped labs: Export hash values into a text file format through offline mode.
  • IOCs: Cyber Triage identifies indicators of compromise like signs of potential malware.

Encase Forensic

Best Solution for Managed Digital Forensics Services

Overall Rating: 3/5

  • Core Features: 3.5/5
  • Advanced Features: 2.2/5
  • Deployment & Usability: 3.3/5
  • Customer Support: 3.9/5
  • Pricing: 2.3/5

Encase Forensic by OpenText is a well-rounded digital forensics tool with multi-platform support, including all three major operating systems and mobile devices. It collects data from social media sites as well as apps like LinkedIn and WhatsApp. Encase Forensic is available as an on-premises managed product. Consider Encase if your business is looking for a managed forensics solution or has a small or inexperienced team; it’s a good choice for small and midsize businesses (SMBs).

While Encase Forensic is a great multi-platform product, it doesn’t offer a free trial. Consider Magnet AXIOM Cyber instead if you need to try a forensics product before buying. Magnet also supports multiple platforms and offers an integration for mobile data, too.

Pros & Cons

Pros | Cons
Investigates Mac, Windows, and Linux devices | No free trial
Verakey integration for mobile data extraction | Lacks SIEM integration
Remote data collection is available | Availability of some DF features is unclear

Pricing

  • Contact for quote: Custom pricing available; some pricing info available from resellers

Key Features

  • Optical character recognition: OCR finds and extracts text data in images and PDFs.
  • AI and ML: Identify incriminating content with machine learning and artificial intelligence.
  • App activity collection: Supported apps include LinkedIn, Instagram, and Twitter.
  • Browser and location data: Encase also collects internet and location history.

Magnet AXIOM Cyber

Best Solution for Diverse Deployment Scenarios

Overall Rating: 3/5

  • Core Features: 2.8/5
  • Advanced Features: 2.4/5
  • Deployment & Usability: 4.4/5
  • Customer Support: 3/5
  • Pricing: 2.5/5

Magnet AXIOM Cyber’s digital forensics and incident response solution offers features like remote data collection and data visualization. It supports Windows, Mac, and Linux machines, and users can deploy it in both AWS and Azure. Through its integration with Verakey, AXIOM Cyber can receive extracted mobile data as well. For businesses with multiple operating systems and cloud environments, AXIOM Cyber is a great choice.

While AXIOM Cyber is a strong multi-platform forensics product, it relies on integrations with other products, such as Verakey, for data extraction rather than extracting data natively. Consider Encase Forensic if you’re looking for native extraction; it also supports multiple platforms, including mobile devices.

Pros & Cons

Pros | Cons
Supports Mac, Linux, and Windows computers | No incident alerts
Can be deployed in the cloud | Pricing info isn’t transparent
Both phone and email support are available | Length of the free trial is unclear

Pricing

  • Contact for quote: Custom pricing is available
  • Free trial: Contact for length

Key Features

  • Remote collections: You can collect data from off-network endpoint computers.
  • Data visualization: AXIOM Cyber shows connections between various artifacts.
  • Threat scoring: Integration with VirusTotal allows users to better prioritize threats.
  • Incident response: AXIOM Cyber is a DFIR product and offers response and detection.

Top 5 Features of Digital Forensics Software

Digital forensics products vary somewhat in their feature sets, but there are a few core capabilities that your future product should have. Data extraction, reporting functionality, data recovery, prioritization, and integrations with security platforms are all critical to conducting a successful forensics case and tracking the most important information.

Data Extraction

Data extraction pulls information from places it would otherwise be hard to find. If a criminal deletes a file from their computer, it won’t be simple to collect by ordinary means. But a digital forensics product has special capabilities that help it reconstruct or recover data that’s been damaged or deleted, which is critical for cases in which a criminal tried to cover their tracks or information has simply been lost over time.

Reporting

Reporting functionality is important for almost every security product, but for digital forensics, it’s especially critical. Every piece of information could affect not only a company’s security but also a person’s life or livelihood. Reports help users present data clearly to business leaders, but they might also need to be provided to police and government officials.

Data Recovery

Some data appears to be lost, but forensics tools should be able to recover data that wouldn’t be found otherwise. That data could play a critical role in a case, and a threat actor or criminal might have attempted to hide the information. Digital recovery features are valuable and often necessary for a full forensics toolkit.

Threat Prioritization

Prioritizing alerts, threats, or other indicators of compromise takes different forms, such as threat scores, but a digital forensics tool should have some method of ranking potential issues. With prioritization features, teams will be better positioned to handle the most important alerts or potential cases first.

Security Integrations

Digital forensics tools should ideally integrate with at least one other security product, whether that’s a SIEM, EDR, or other type of incident response product. This product might also be a security management tool that centralizes multiple products. The best integrations depend on your business’s use cases and needs, though, so consider those before making a final selection.

How We Evaluated Digital Forensics Software

We used a product scoring rubric to compare a range of digital forensics tools, developing five main criteria with key characteristics of forensics products. The percentages below show how we weighted the criteria. Each criterion included multiple subcriteria with their own weighting. The total scores reflect how well each product ranked in our overall evaluation based on the criteria it met. After we scored the products, the six that scored best made our list.

Evaluation Criteria

The most important criteria we scored were core forensics features like data extraction and advanced features, like threat scores and SIEM integrations. We also considered deployment and usability, including product documentation, mobile device support, and supported operating systems. Lastly, we looked at customer support availability, including channels like phone and email, and pricing, like free trials and licensing details.

  • Core features (30%): We looked at the most important forensics features, like data extraction and reporting functionality.
  • Advanced features (25%): We reviewed products based on advanced capabilities like SIEM integrations and threat scores.
  • Deployment and usability (20%): We evaluated ease of use and deployment with criteria like mobile device and operating system support.
  • Customer support (15%): We scored products based on the availability of phone and email, as well as demos, support hours, and composite user reviews.
  • Pricing (10%): We used criteria like free trials, pricing transparency, and license details to score our pricing category.

Frequently Asked Questions (FAQs)

What Types of Cases Require Digital Forensics Tools?

Any legal investigation involving software, hardware, or networks can require a digital forensics tool to find data that otherwise wouldn’t be retrievable. Extraction capabilities help legal and security teams find information that may have been deleted from a computer system. Common examples of cases requiring forensics tools include embezzlement, extortion, identity theft, assault, or child exploitation, including pornography and any kind of trafficking.

Businesses may want forensics simply for their information security and cybersecurity, too, so they can track intruder and attacker behavior in a clinical way. It doesn’t have to be a legal case — an internal security incident might benefit from forensic data as well.

Are Digital Forensics Tools Difficult to Use?

Like any other software solution, digital forensics tools take time to learn. Some will be simpler to use than others, though. If your business is looking for a particularly easy-to-learn product, look for user reviews that mention usability and features like a central management interface. Any product will have a learning curve, but they differ in length.

What Are Common Digital Forensic Product Capabilities?

Broadly speaking, forensics software should be able to pull data from multiple, difficult-to-find locations and present it so teams can analyze it meaningfully. Many different features serve that purpose, like reporting, data extraction, and remote collection, but distilled into simple terms, your digital forensics product needs to access the right systems, find the necessary data, and help users make sense of it.

Bottom Line: Digital Forensics Software Is a Critical Investment

A digital forensics product can be a powerful tool to not only uncover cybersecurity data but also support your team in a legal investigation. It should suit your security, compliance, and legal teams’ skill sets, as well as give them research and response abilities that may not have been available to them before. If your organization frequently deals with criminal activity or investigations, a digital forensics tool is one of the most important investments you’ll make.

Is your organization looking for specifically Linux-based forensics capabilities? Read about our picks for the best Linux distros for pentesting and forensics next.

9 Best Cybersecurity Certifications to Get in 2024
https://www.esecurityplanet.com/networks/cybersecurity-certifications/
Tue, 06 Feb 2024 13:22:52 +0000

Looking to boost your resume in security? Discover which cybersecurity certification is best for advancing your career.

Cybersecurity certifications provide third-party validation of a job candidate’s cybersecurity knowledge and experience. Candidates use the credibility provided by certificates to advance their careers, illustrate their capabilities, and enhance their networking opportunities. Human resources often uses certificates as minimum job requirements, and IT pros judge each other’s capabilities based upon the number and specific certificates earned.

The best certification depends upon a candidate’s experience, so we selected the best certificates for three stages in a career:

  • Best Entry-Level Certificates: These certificates validate basic skills and help a candidate to qualify for their first cybersecurity job. Read more below.
  • Best Advanced Certificates: These certificates confirm cybersecurity experience for established professionals and help to advance careers. Read more below.
  • Best Specialty Certificates: These certificates provide training or verify specialized knowledge of cybersecurity specialties needed for specific cybersecurity positions. Read more below.

Cybersecurity Certification Comparison Chart

IT and security professionals need different cybersecurity certifications at different points in their careers. Initially, entry-level certificates open opportunities to move into your first cybersecurity positions, but later advanced or specialty certifications will validate experience and open doors to even more opportunities.

Certificate, certification test pricing, and who it’s for:

Entry-Level Certification
  • Security+: $392. IT professionals and students seeking proof of knowledge for cybersecurity employment.
  • CC: Free. IT professionals and students that want to start cybersecurity certification.
  • GSEC: $979. Employed IT pros that want rigorous training for cybersecurity roles.

Advanced-Career Certification
  • CISA: $575–$760. Cybersecurity professionals with at least two years of cybersecurity job experience and seeking mid-career recognition.
  • CISSP: $749. Experienced professionals with at least four years’ cumulative experience in two or more areas of cybersecurity.
  • C|EH: $100 application fee + $950–$1,199 for exam vouchers. Experienced professionals seeking to understand or validate experience in hacking tools and techniques.

Specialty Certification
  • CySA+: $392. Experienced incident response and SOC analysts seeking specialist security analyst certification.
  • CCSP: $249. Experienced information security professionals with cloud experience seeking cloud security certification.
  • CIPP: $550. IT and cybersecurity professionals that need to handle regulated data.

Best Entry-Level Certificates


CompTIA Security+

Best Overall Entry-Level Certificate

CompTIA’s Security+ certification provides the maximum boost for potential employment for a reasonable investment. This certification is listed more frequently as a minimum requirement for jobs than any other entry-level certificate because it confirms knowledge across fundamental security topics including security architecture, threats, and vulnerabilities.

Cliff Timpson, sr. cyber IT security engineer at NASA Goddard Space Flight Center, earned his Security+ certification while working as an information assurance manager for the US Army. “At the time, obtaining that certification helped me understand the broader scope of what we now know as cybersecurity. Solely relying on my technical skills limited me to certain roles, but when I gained a solid understanding of the strategic aspects, it opened many different doors for my career progression.”

Who Should Get This Certification?

Cybersecurity job seekers paying for their own certification will select this certification.

Exam Pricing & Format

  • $392 exam fee, $784 exam + retake option
  • 90-minute, 90-question proctored exam
  • Certificate renewal requirement
    • 50 education credits every three years
    • $150 fee every three years

Exam Requirements

  • No formal requirements
  • CompTIA recommends that candidates possess basic IT knowledge for securing applications, networks, and devices; threat analysis and response; and risk management

Exam Prep

  • Free study guide and practice questions are available
  • Courses (not required):
    • $545 self-paced study
    • $205 CertMaster labs
    • $205 CertMaster practice exam
    • $2,499 10-day hands-on instructor-led training

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range: $47,000–$147,000
  • Sample job listings:
    • Cyber Security Specialist $83,000–$125,000
    • Help Desk Technician $65,000–$75,000
    • Systems Support Analyst $45,000–$66,000

Certified in Cybersecurity (CC) 

Best Entry-Level Certification for Learning Fundamentals

The CC certificate issued by the well-respected International Information System Security Certification Consortium (ISC2) provides free certification and a free self-guided online course. The course trains and the exam validates knowledge of basic cybersecurity fundamentals: security principles, business continuity, disaster recovery, incident response, access controls, network security, and security operations.

Candidates that pass the CC exam will gain confidence that can springboard success for other certifications. Mitch Rebello, IT manager of Technology Advice, obtained both the CC and the Security+ certifications. “The CC is an entry to certification in general and provides a good practice warmup for the Security+ exam.”

Who Should Get This Certification?

Anyone interested in a career in cybersecurity should pursue the entry-level CC certification first. It provides training and baseline knowledge useful for both entry-level jobs and other certificates.

Exam Pricing & Format

  • Free exam
  • Two-hour, 100-question proctored exam
  • Certificate renewal requirement
    • Annual $50 maintenance fee

Exam Requirements

  • No formal requirements
  • ISC2 recommends that candidates possess basic IT knowledge

Exam Prep

  • Free self-paced online course
  • $19.95 eTextbook
  • $804 guided live online instruction, exam retake, and first year of maintenance

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range of $87,000–$99,000
  • Sample job listings:
    • Information Assurance/Cybersecurity Engineer/Analyst II $68,000–$114,000
    • Information Security Analyst II $69,000–$114,000
    • Network Engineer $63,000–$111,000

GIAC Security Essentials Certification (GSEC)

Best for Deep Learning of Cybersecurity Fundamentals

GSEC will typically be paired with a rigorous SANS Institute course by IT professionals that need more cybersecurity knowledge. The SANS course provides in-depth hands-on training on key security concepts and principles such as defense in depth, basic cryptography, and incident handling.

Most self-funded certification candidates will balk at nearly $10,000 in fees and course materials, but many companies invest in this training to build up their internal resources. Highly respected in the IT industry, the GSEC certification is required by thousands of job postings for potential candidates.

Who Should Get This Certification?

IT professionals seeking a strong foundation in cybersecurity should invest in GSEC training and accreditation.

Exam Pricing & Format

  • $979 exam fee, $879 retake fee
  • 4–5 hour, 106–108 question proctored open book exam
  • Certificate renewal requirement
    • 32 education credits every four years
    • $479 fee every four years

Exam Requirements

  • No formal requirements
  • Some certificate holders note that passing typically requires the SANS training course

Exam Prep

  • $399 practice test
  • $8,525 course SANS SEC401: Security Essentials – Network, Endpoint and Cloud

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range of $54,000–$155,000
  • Sample job listings:
    • CSSP Auditor $130,000–$160,000
    • Information Security Analyst $55,000–$81,000
    • SIEM Engineer $75,000–$110,000

Best Advanced Certificates

Cybersecurity professionals pursue advanced security certifications that validate deeper cybersecurity knowledge acquired through experience. These certifications, such as CISA, CISSP, and C|EH, require several years of verifiable employment and enable candidates to pursue advanced-career positions with more responsibility and pay.


Certified Information Systems Auditor (CISA)

Best for Mid-Career Certification

The CISA certification offered by ISACA verifies experience for IT and cybersecurity professionals with work experience in the protection of information assets and information systems auditing processes. Since education can satisfy up to three of the five years of required work experience, this will often be the first certificate obtained by cybersecurity pros.

The exam tests technical and operations management capabilities in information systems auditing processes, acquisition, development, implementation, and asset protection. Candidates must also demonstrate knowledge of related IT governance and management concepts, especially information systems operations and business resilience.

Who Should Get This Certification?

Experienced IT and cybersecurity professionals use CISA certification to ratify their experience and improve career prospects. 

Exam Pricing & Format

  • $575 for ISACA members + $145 ISACA membership fee + local chapter dues
  • $760 exam fee for non-members
  • Four-hour, 150-question proctored exam
  • Certificate renewal requirement
    • 20 minimum education credits per year, 120 education credits every three years
    • $85 annual maintenance fee ($45 for ISACA members)

Exam Requirements

  • Five years of related work experience
  • Waive up to three years of experience with college degrees

Exam Prep

  • Free practice quiz
  • $399 CISA review questions subscription ($299 for ISACA members)
  • $895 online review course ($795 for ISACA members)

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range of $61,000–$175,000
  • Sample job listings:
    • Field Cyber Risk Consultant $140,000–$250,000
    • Information Assurance Analyst $61,000–$90,000
    • IT Security Engineer $90,000–$95,000

Certified Information Systems Security Professional (CISSP)

Best Certificate to Validate Advanced Experience

The CISSP certification by ISC2 stands as the most required certificate for cybersecurity job listings. Employers and peers understand that candidates need extensive experience to obtain this certification, including years of experience in multiple security disciplines.

The CISSP exam confirms deep knowledge in information security topics and tests capabilities to perform tasks as well as managing processes. The eight domains of knowledge tested include security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security.

Who Should Get This Certification?

Experienced cybersecurity professionals use the CISSP certification for career advancement and for the confidence the certification provides to others. For example, clients will be reassured of a certain standard of knowledge and baseline capabilities when contracting with a consultant bearing a CISSP certificate.

Exam Pricing & Format

  • $749 exam fee
  • Four-hour, 125–175 question exam with computerized adaptive testing and proctor
  • Certificate renewal requirement
    • $125 annual maintenance fee
    • 120 education credits every three years

Exam Requirements

  • At least five years of verifiable paid and full-time experience in two or more cybersecurity domains
  • Up to one year may be satisfied by credentials or college degrees in computer science, information technology, or related fields
  • Candidates capable of passing the test without the required experience earn an Associate of ISC2 designation until they earn sufficient experience

Exam Prep

  • Free flashcards, mobile phone app, study group forum
  • $995 self-paced self-study course
  • $2,880 five-day online instructor-led training

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range of $66,000–$176,000
  • Sample job listings:
    • Cyber Security Specialist $83,000–$125,000
    • IS Network Administrator $60,000–$92,000
    • Principal System Administrator $98,000–$146,000

Certified Ethical Hacker (C|EH)

Best for Hacking Fundamentals Certification

Job listings use the EC-Council’s C|EH (aka: CEH) as a requirement more than any other penetration testing certificate. The CEH exam validates experience with over 500 potential attack techniques, over 3,500 hacking tools, and knowledge of 20 different hacking domains.

Basic C|EH certification requires a knowledge-based test, but the EC-Council also offers a companion C|EH Practical exam that tests skills and abilities. A candidate who passes both exams is certified as a C|EH Master.

Who Should Get This Certification?

IT professionals seek C|EH certification to advance their careers, shift into penetration testing jobs, and learn hacking techniques.

Exam Pricing & Format

  • C|EH Knowledge Exam
    • $100 non-refundable eligibility application fee
    • $1,199 Pearson VUE or $950 ECC proctored exam voucher
    • Four-hour, 125-question proctored exam
  • C|EH Practical Exam
    • $550 exam fee
    • Six-hour, 20-challenge proctored exam
  • Certificate renewal requirement
    • 120 education credits every three years
    • $80 annual maintenance fee

Exam Requirements

  • A minimum of two years of IT security experience is recommended
  • Applicants can bypass experience requirements through official or authorized training

Exam Prep

  • $149 CEH Exam Prep Guide
  • $850 e-Courseware
  • Candidates are encouraged to consider a training course
    • Three levels of training: C|EH, C|EH Pro, C|EH Elite
    • All training courses include an exam voucher and courseware
    • Courses range between $2,199–$3,499 depending on the desired options
    • Accredited training center prices may vary
    • Discounts may be available for students and military personnel.

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range of $62,000–$165,000
  • Sample job listings:
    • Cybersecurity Operations Shift Lead $51,000–$80,000
    • Incident Response Analyst $64,000–$93,000
    • Systems Security Engineer $86,000–$120,000

Best Specialty Certificates

Cybersecurity professionals seeking to pursue or substantiate cybersecurity specialization will seek specialty certification. While many specializations exist in cybersecurity, security analysis, cloud security, and data privacy provide the most job listings for future opportunities.


Cybersecurity Analyst (CySA+)

Best for Specialized Security Analyst Certification

Security pros select CompTIA’s CySA+ certification to confirm the experience and knowledge needed for roles in security analysis, threat monitoring, managed security service provider (MSSP) consulting, and security operations center (SOC) staffing. The CySA+ appears more frequently in job listings and contains performance-based questions that test more than cursory knowledge.

CompTIA worked with the US Department of Defense, US Navy, Amazon Web Services, VISA, and Johns Hopkins’ Applied Physics Laboratory to develop the CySA+ exam and materials. The exam tests working knowledge of security operations tools and techniques; vulnerability assessment, prioritization, and mitigation; incident response analysis and activities; and effective communication or reporting of action plans, escalation, and metrics to stakeholders.

Who Should Get This Certification?

IT professionals who want to work as security analysts will seek the CySA+ certification.

Exam Pricing & Format

  • $392 exam fee
  • 165-minute, 85-question proctored exam
  • Certificate renewal requirement
    • 60 continuing education credits every three years
    • $50 annual fee

Exam Requirements

  • Four years of hands-on incident response or security operations center (SOC) analyst experience

Exam Prep

  • $205 CertMaster practice questions
  • $164–$174 for study guides
  • Bundle packages available
    • $565 for exam + self-paced guide
    • $720 for exam + self-paced guide + certification practice
  • Extensive instruction options
    • $545 CertMaster self-paced instruction
    • $205 CertMaster Labs for hands-on practice
    • $2,499 instructor-led online training
    • $977 bundle CertMaster instruction + labs + exam
    • $1,080 bundle CertMaster instruction + labs + practice + exam
    • $2,499 bundle instructor-led training + CertMaster instruction + labs + practice + exam

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range of $51,000–$145,000
  • Sample job listings:
    • Cybersecurity Product Engineer $95,000–$115,000
    • Senior Test Engineer $92,000–$111,000
    • Sr. Security Analyst $82,000–$99,000

Certified Cloud Security Professional (CCSP)

Best for Cloud Security Certification

ISC2’s CCSP exam offers a vendor-agnostic certification that reflects the increasing and universal demand for cloud security expertise. More job listings include the CCSP than any other cloud security certificate, including vendor-specific certificates.

CCSP certification verifies a broad understanding of cloud security universal to all cloud environments. The exam confirms knowledge of cloud-specific architecture, design, data security, platform security, infrastructure security, application security, security operations, legal issues, risk, and compliance.

Who Should Get This Certification?

IT security professionals will seek CCSP to validate cross-platform cloud security experience.

Exam Pricing & Format

  • $249 exam fee
  • Four-hour, 150-question proctored exam
  • Certificate renewal requirement
    • $125 annual maintenance fee (one fee covers all ISC2 credentials held by a member)
    • Renewal requires 90 continuing education credits every three years

Exam Requirements

  • Five cumulative years of work experience
    • Three must be in information security
    • One or more years must be in at least one of the domains tested on the exam (cloud data security, etc.)

Exam Prep

  • Free flashcards, mobile phone app, and study group forum
  • $920 self-paced self-study course, $2,880 five-day online instructor-led training

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range of $43,000–$176,000
  • Sample job listings:
    • Azure AD Administrator $110,000
    • Network Security Engineer $130,000–$140,000
    • Sr. Security Engineer $120,000–$128,000

Certified Information Privacy Professional (CIPP)

Best Data Analyst Privacy Certification

The CIPP certification from the International Association of Privacy Professionals (IAPP) verifies deep and specialized knowledge of data privacy and protection laws and principles. The expanding use of data to inform business decisions and train artificial intelligence engines fuels the need for experts in this specialty.

The IAPP offers five exam versions focused on specific regulations and requirements for Asia, Canada, Europe, the US, and the US government. For example, the CIPP/US certification ensures working knowledge of US privacy regulation, workplace privacy, state privacy laws, government or court access to private-sector information, and limits on private sector collection and data use.

Who Should Get This Certification?

IT professionals verify data privacy knowledge and shift to data analysis career paths with CIPP certification.

Exam Pricing & Format

  • $550 exam fee
  • 2.5-hour, 90-question proctored exam
  • Certificate renewal requirement
    • 20 continuing education credits every two years
    • $250 fee every two years

Exam Requirements

  • No education or job experience requirements

Exam Prep

  • $55 practice exam
  • $1,195 online course

Salary Range & Sample Job Listings

  • Glassdoor estimated salary range of $52,000–$215,000
  • Sample job listings:
    • Data Protection & Compliance Analyst $51,000–$84,000
    • Director, Information Security & Compliance $140,000–$165,000
    • Sr. Analyst Information Governance & Data Protection $93,000–$140,000

How We Evaluated the Best Cybersecurity Certifications

To evaluate the best entry-level, advanced, and specialized cybersecurity certifications, we examined the broader market and considered the qualifications of more than 30 different certifications. We chose the top three certifications in each category that provided effective value for the price, current job opportunities, and prospects for strong future opportunities.

Price & Value

To evaluate price and value, we considered that price always matters, but the lowest cost options don’t always deliver opportunities. Coursera offers practical education at a low monthly subscription price, but does not yet move the needle for job opportunities. At the other end of the spectrum, although GSEC training may exceed the knowledge required for competing entry-level CC or Security+ exams, its high cost limits its value to self-funded applicants.

Current Opportunities

To evaluate current opportunities, we required active job placements on popular job boards such as LinkedIn, Monster, Indeed, Simply Hired, Career Builder, Dice, and more. This criterion roughly ranked all certificates and eliminated many narrowly focused vendor-specific certifications and university continuing education programs that provide educational value but are not used by HR professionals to screen candidates.

Future Opportunities

To assess future opportunities, we looked for upward trends in job offerings. Cybersecurity contains many niches, but older specialties such as digital forensics no longer offer the job opportunities they once did. The specialties we selected offer thousands of job openings that use the specialty certification as a criterion and continue to show a rising demand curve for employment.

Frequently Asked Questions (FAQs)

How Do You Prepare for Cybersecurity Certification?

To get ready for cybersecurity certification, first study the test requirements. Do you have enough basic knowledge to pass the exam without further instruction? Inexpensive study guides will provide sufficient information for knowledgeable or experienced students, but others may need to invest in more expansive self-study or instructor-guided coursework.

Most certification programs directly offer low-cost study guides, practice tests, and courses through their website. A quick search will also locate a wealth of official and unofficial third-party test-preparation resources from Coursera, Cybrary, ITPro.tv, Training Camp, Udemy, and more.

Which Cybersecurity Certification Should I Get First?

If you’re just starting out, first acquire one or more of the three entry-level certifications to land that initial security job. After 2–5 years of work in a security role, then consider at least one of the advanced career or specialty cybersecurity certifications. 

How Do I Know Which Advanced or Specialty Certification Is Right For Me?

To identify the best advanced or specialty certification for you, consider your desired career path and interests. Next, check job listings to see the certifications required for the jobs you want over the next 3–10 years.

Still not sure? Consider checking the LinkedIn profiles for admired coworkers, peers, cybersecurity podcasters, or prominent X personalities for their earned certifications. Their certifications will help to illustrate the most respected certifications that fit your interests and validate skills you value.

Can You Get a Cybersecurity Job with Just Certifications?

Certifications verify knowledge or experience, but they must be combined with other factors to land a job. The basic requirements for employment also include an appropriate job history for the position, effective communication during interviews, and a good fit for the hiring organization’s needs.

What Are Education Credits?

Education credits reflect the industry requirement to remain current on technology, tactics, and trends. Credentialing organizations name these credits differently, although the most common name is continuing professional education (CPE) credits.

Different organizations list different standards for satisfying education credits. Some organizations consider obligations fulfilled if the candidate passes other credential exams. Some credits can be satisfied by job experience, convention sessions, volunteer hours, and more. Check each credentialing organization’s renewal requirements for details.

Bottom Line: A.B.C. (Always Be Credentialing)

A career path first requires knowledge and experience, but credentials provide stepping stones that add credibility to a resume or application. Internal candidates often demonstrate skills directly to employers, but outside candidates need certificates for any HR consideration. An advancing career requires multiple credentials, so start today with the most relevant credential and then plan the next ones to pursue.

Learn about other key steps to take beyond certification when getting started in a cybersecurity career.

The post 9 Best Cybersecurity Certifications to Get in 2024 appeared first on eSecurity Planet.

Types of Encryption, Methods & Use Cases
https://www.esecurityplanet.com/trends/types-of-encryption/
Thu, 07 Dec 2023 17:51:48 +0000

Each type of encryption has its advantages. Discover which encryption type you should use when protecting your organization's data.

Encryption scrambles data to make it unreadable to those without decryption keys. Proper use of encryption preserves secrecy and radically lowers the potential damage of a successful cybersecurity attack.

Understanding the different encryption types is often complicated by the many inconsistent and confusing ways “encryption type” can be used. To minimize confusion, this article explains and classifies encryption types, explores which encryption is best for which situation, and discusses how to use encryption effectively through the following topics:

For a more basic overview of encryption, consider reading: What Is Encryption? Definition, How it Works, & Examples.

Classifications of Encryption Types

To avoid confusion, let’s examine the different ways ‘type’ can be applied to encryption and how we will cover them in this article:

  • Encryption category types will explain the overarching and basic categories of classification for encryption, including the two most important: symmetric and asymmetric encryption.
  • Encryption algorithm types will provide an overview of the mathematical algorithms used to encrypt data (AES, RSA, etc.), their significance, and their pros and cons.
  • Encryption tool types will discuss the major classifications of encryption tools available for use by an organization.

Although each is a ‘type’ of encryption, some sources mix these together, which can be confusing for those trying to understand encryption. We provide the additional distinctions to help better explain how encryption works and to better illustrate the tool to use for specific use cases.

Encryption Category Types

An encryption category type provides an overarching classification that encompasses multiple encryption algorithms or tool types. These conceptual buckets provide definitions that help to define the inherent weaknesses and strengths of families of algorithms and tools.

The two most important encryption categories are symmetric and asymmetric encryption. These critical encryption concepts encompass the vast majority of encryption algorithms and tools currently in wide use and can be used in combination for secure communication.

Other important encryption categories include:

  • Homomorphic encryption, which continues to rise in importance for processing sensitive and regulated data.
  • Block ciphers, which process plaintext in fixed-size chunks for encryption.
  • Format-preserving encryption (FPE), used to create encrypted fields that meet specific formatting and length requirements for databases.
  • Stream ciphers, which process data as it passes through the algorithm and are used in communication.

We will also briefly discuss hashing, which is often associated with encryption but is not actually a type of encryption.

Symmetric Cryptography: Best for Speed

Symmetric cryptography uses the same concept as shared keys for a house — one or more individuals use an identical key to unlock the lock for access. Symmetric encryption works much the same way — to encrypt and decrypt messages with a single, shared key.

How symmetric key encryption works using the same key.

Users can establish a symmetric key to share private messages through a secure channel, like a password manager. Unfortunately, while symmetric encryption is a faster method, it is also less secure because sharing the key exposes it to theft.

Phishing and social engineering are common ways threat actors can obtain a symmetric key, but cryptanalysis and brute force attempts can also break symmetric key ciphers. Symmetric encryption is often used for drive encryption, WiFi encryption, and other use cases where speed performance is paramount and a password can be safely shared.

Modern algorithms use variable input, variable key lengths, and multiple rounds to compensate for symmetric key weaknesses.

Asymmetric Cryptography: Best for Sharing

Asymmetric cryptography works more like providing a code to unlock a small panel in an otherwise locked door for deliveries. The shared public key of asymmetric cryptography can encrypt documents, but decryption requires a private key that is not intended to be shared.

How asymmetric encryption uses different large prime numbers in encryption and decryption.

Although more complicated and expensive to implement, asymmetric encryption ensures secure communications over distributed networks without exposing the encryption keys to theft. Asymmetric encryption does not use multiple rounds for encryption but instead relies on variable-length, very large prime numbers.

The larger key sizes and prime number calculations can take much longer to process than symmetric encryption; however, asymmetric algorithm public keys can be published to enable much more secure sharing of encrypted files.

The asymmetry of the algorithm enables either of the keys to encrypt the data, but that same key cannot be used for decryption. Typical examples of use include:

  • Sender encrypts data with recipient’s public key; recipient decrypts data with their private key.
  • Sender encrypts data with their own private key to verify the source of a document and re-encrypts the data with the recipient’s public key for security; the recipient uses their private key to access the message and uses the sender’s public key to decrypt the message.

Symmetric vs. asymmetric encryption at a glance:

  • Keys: symmetric uses 1 (private); asymmetric uses 2 (public and private)
  • Bits: symmetric 128, 192, or 256; asymmetric 2,048 to 4,096
  • Speed: symmetric faster; asymmetric slower
  • Overhead: symmetric is less complex and expensive and uses less memory and processing power; asymmetric is more complex and expensive and uses more memory and processing power
  • Security risk: symmetric is vulnerable to key theft, should not be used for sharing encrypted data, and quantum computers can guess its keys; asymmetric keys can also be guessed by quantum computers
  • Examples: symmetric AES, Blowfish, 3DES; asymmetric DHM, RSA, ECC
  • Use cases: symmetric full drive encryption and WiFi data encryption; asymmetric website communication and proving identity

Symmetric + Asymmetric Encryption

Software developers and organizations increasingly use both symmetric and asymmetric encryption methods to give users speed and security in communication. A common example is the standard Transport Layer Security (TLS) protocol used to enable secure website browsing.

Also known as hybrid encryption, the combination of the two methods usually starts with a handshake between the parties using asymmetric cryptography to establish a secure connection. Within that asymmetric connection, the parties then securely share symmetric algorithm keys to enable faster processing of messages.
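The sign-then-encrypt pattern in the bullets above and the hybrid handshake just described, combined in one exchange. This is an added example written in Go (standard library only; not code from the article): the sender encrypts the body with a fresh AES-256-GCM key, wraps that key with the recipient’s RSA public key (OAEP), and signs the whole envelope with their own RSA key (PSS); the recipient verifies the signature, unwraps the key, and decrypts. The Envelope type, the function names, and the sample message are our own constructions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the network (field names are ours): AES-GCM nonce and
// ciphertext, the AES key wrapped with the recipient's RSA public key, and the
// sender's RSA-PSS signature over all three.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte
}

// newGCM builds the symmetric cipher that protects the message body.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedBytes is what the sender signs and the recipient verifies.
func signedBytes(e *Envelope) []byte {
	buf := append([]byte{}, e.Nonce...)
	buf = append(buf, e.Ciphertext...)
	return append(buf, e.WrappedKey...)
}

// Seal is the sender's side: symmetric encryption of the body, asymmetric wrap
// of the one-time key, and a signature that proves origin.
func Seal(plaintext []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key plus a 96-bit GCM nonce, this message only
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	aesKey, e := buf[:32], &Envelope{Nonce: buf[32:]}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, plaintext, nil)
	// Only the holder of the recipient's private key can recover aesKey.
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil); err != nil {
		return nil, err
	}
	// The sender's private key signs; the recipient checks with the sender's public key.
	digest := sha256.Sum256(signedBytes(e))
	if e.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil); err != nil {
		return nil, err
	}
	return e, nil
}

// Open is the recipient's side: verify the signature, unwrap the key, decrypt.
func Open(e *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(signedBytes(e))
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], e.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender signature invalid: %w", err)
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // GCM also rejects a modified body
}

// RoundTrip generates a key pair per party, sends msg, then flips one ciphertext
// bit and reports whether the tampered copy was refused.
func RoundTrip(msg string) (string, bool, error) {
	senderKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	recipientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	env, err := Seal([]byte(msg), senderKey, &recipientKey.PublicKey)
	if err != nil {
		return "", false, err
	}
	pt, err := Open(env, recipientKey, &senderKey.PublicKey)
	if err != nil {
		return "", false, err
	}
	env.Ciphertext[0] ^= 0x01 // simulate corruption or tampering in transit
	_, tamperErr := Open(env, recipientKey, &senderKey.PublicKey)
	return string(pt), tamperErr != nil, nil
}

func main() {
	fmt.Println(RoundTrip("constructed sample message"))
}
```

The order matters on the receiving side: the signature is checked before any key is unwrapped, so a forged or altered envelope is rejected before the recipient’s private key touches attacker-controlled data, and the GCM tag gives a second integrity check on the body itself.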

Homomorphic Encryption

Homomorphic encryption allows for a set of limited operations on ciphertext without decrypting the message. Homomorphic models include:

  • Partial homomorphic encryption (PHE) for algorithms that can perform a single operation on encrypted data.
  • Somewhat homomorphic encryption (SHE) for algorithms capable of performing two operations on encrypted data.
  • Fully homomorphic encryption (FHE) for algorithms capable of the broadest range of operations on encrypted data.

Google, IBM, and Microsoft continue to explore FHE capabilities to process specific data while maintaining its secrecy and have released open-source encryption libraries. However, these techniques lack widespread adoption or incorporation into commercial tools.

Block Ciphers

Encryption algorithms operate on chunks of data to render them unreadable without the proper decryption key. Block cipher encryption uses fixed-size blocks of data, such as 64- or 128-bit blocks. Many symmetric algorithms are block ciphers; asymmetric algorithms use different key lengths, so technically they are not block ciphers because the block length varies between the public and private keys.

When the plaintext to be encrypted is shorter than the block length, the data is padded by the algorithm to reach the block length before encryption. Data longer than the block length will be broken into smaller blocks prior to encryption and also padded if the smaller blocks fall below the block size.

A weakness of block ciphers is that encryption of identical, full-sized plaintext blocks can yield identical encrypted blocks, which can enable brute force detection of keys. Algorithms avoid this issue by using multiple passes of different block sizes or by applying variable-input-length algorithms to the data before it is processed by the encryption algorithm.
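The identical-block weakness described above, made visible. This is an added example in Go (standard library only; not the article’s code): it pads a constructed plaintext of four identical 16-byte records with PKCS#7, encrypts it once with every block handled independently (ECB, no chaining) and once with cipher-block chaining (CBC) under a fixed demo key, and counts the ciphertext blocks that repeat. The record, the key, and the function names are our own constructions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs7Pad appends 1..blockSize bytes, each holding the pad length, so the input
// becomes a whole number of blocks. A full-length input gets an extra block,
// which is what keeps unpadding unambiguous.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts every block independently with the same key. This is the
// "no chaining" case whose weakness the text describes; shown for comparison only.
func encryptECB(block cipher.Block, padded []byte) []byte {
	bs, out := block.BlockSize(), make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out
}

// encryptCBC XORs each plaintext block with the previous ciphertext block (the
// IV for the first), so equal plaintext blocks no longer encrypt alike.
func encryptCBC(block cipher.Block, iv, padded []byte) []byte {
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// repeatedBlocks counts ciphertext blocks that occur more than once.
func repeatedBlocks(ct []byte, bs int) int {
	seen := map[string]int{}
	for i := 0; i < len(ct); i += bs {
		seen[string(ct[i:i+bs])]++
	}
	repeats := 0
	for _, c := range seen {
		if c > 1 {
			repeats += c
		}
	}
	return repeats
}

// Compare encrypts a plaintext of four identical 16-byte records under ECB and
// CBC and returns how many ciphertext blocks repeat in each (ECB leaks, CBC does not).
func Compare(key []byte) (int, int, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	record := []byte("ACCOUNT-00001234") // constructed 16-byte record
	plaintext := bytes.Repeat(record, 4)
	padded := pkcs7Pad(plaintext, block.BlockSize()) // 64 bytes -> 80 bytes (one full pad block)

	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return 0, 0, err
	}
	ecb := encryptECB(block, padded)
	cbc := encryptCBC(block, iv, padded)
	return repeatedBlocks(ecb, block.BlockSize()), repeatedBlocks(cbc, block.BlockSize()), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key, never reuse
	fmt.Println(Compare(key))
}
```

Under ECB the four identical records produce four identical ciphertext blocks, so an observer who never learns the key can still see that the same record appears four times; under CBC with a random IV every ciphertext block differs. The padding helper also shows why a 64-byte input grows to 80 bytes, which is the length variance that format-preserving encryption (next section) exists to avoid.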

Format-Preserving Encryption (FPE)

The category of format-preserving encryption addresses the storage of encrypted data in legacy databases with strictly defined formats and field lengths. These databases cannot tolerate variances caused by many encryption algorithms that intentionally add padding to short encryption to obscure the length of the original data or convert both letters and numbers into hexadecimal code.

For example, the Social Security number “111-11-1111” might be encoded into the plaintext numeric code “049049 049049 049049 049049 049,” which cannot be used in a database with a limit of 9 characters. Format-preserving algorithms will instead transform the number into a 9-character numeric string so that the database’s utility is preserved.

Format-preserving encryption can use existing encryption algorithms, such as AES (see below). However, programmers typically incorporate specially designed algorithms so specialized that we will not cover them in more detail in this article, such as the Thorp Shuffle, Variable Input Length (VIL) Ciphers, and the Hasty Pudding Cipher.

Stream Ciphers

When sending data through a high-speed router or switch, the full size of the data will be unknown. Storing the data until it reaches a specific block size can cause unacceptable delays for processing and transmission.

Stream ciphers solve the problem by using a key to encrypt data one bit at a time. Stream ciphers are symmetric algorithms that use a secret key to feed a random number generator. Asymmetric keys cannot usually be used for streaming encryption because the block sizes cannot be known. The Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) algorithms incorporate stream ciphers to encode Wi-Fi data transmissions.

Not Really Encryption: Hashing

Although associated with verifying the integrity of a file, hashing algorithms such as the 128-bit Message Digest algorithm (MD5) or the 256-bit (eight 32-bit words) Secure Hash Algorithm (SHA-256) do not change the data of a file. Instead, the algorithm analyzes the bits of the contents to create a single number that represents the contents.

An added space or deleted letter will create a completely different hash value for a file, so hash values will often be used to verify that a file has not been altered during a copying or transmission process. However, since hashing algorithms leave the data in plaintext, hashing does not defend the data against unauthorized access.

Encryption Algorithm Types

Encryption algorithms are defined by the specific math formulas and the process required to perform an encryption transformation. While cryptologists develop many different algorithms, this article will focus on the main encryption algorithms adopted for use in IT data encryption:

  • DES
  • 3DES
  • Blowfish
  • Twofish
  • DHM
  • RSA
  • AES
  • ECC
  • Post-quantum

DES: The Data Encryption Standard

The need for a government-wide standard to encrypt sensitive information became evident as early as 1973. The U.S. National Bureau of Standards (now the National Institute of Standards and Technology, or NIST) made a public request for potential ciphers.

IBM and lead cryptographer Horst Feistel soon proposed a symmetric-key block cipher algorithm that became known as the Data Encryption Standard (DES). By the 1990s, DES had received wide criticism for its short key size and its vulnerability to brute force attacks.

  • Significance: First US national encryption standard
  • Pros: Fast, easy to use
  • Cons: Vulnerable to brute force attacks as early as the 1990s
  • Used for: Obsolete, replaced by TDES
  • Key size: 56 bits (+ 1 bit for parity)
  • Block size: 64 bits
  • Rounds: 16
  • Structure: Feistel

TDES: The Triple Data Encryption Standard

Triple DES (TDES), or 3-DES, improves upon the original DES encryption algorithm with three stages of encryption using three different keys:

  • Stage 1: Key 1 used to encrypt plaintext data.
  • Stage 2: Key 2 used to decrypt the encrypted data from step 1 to create a new document (does not reproduce original document; it will not be readable in this form).
  • Stage 3: Key 3 used to re-encrypt the data from step 2 to produce the final encrypted document.

The symmetric block cipher TDES provides a dramatic improvement in strength over DES, but TDES has since been replaced by AES (see below). New applications no longer use TDES, but TDES-encrypted data can be found in legacy environments and Microsoft only retired 3DES from use within Office 365 in 2019.

  • Significance: Replaced DES
  • Pros: Much stronger than DES
  • Cons: Remains vulnerable to brute force attacks, quantum attacks
  • Used for: Obsolete, replaced by AES, however, legacy use remains for ATM pins, UNIX passwords, older payment systems
  • Key sizes: 112 or 168 bits
  • Block size: 64 bits
  • Rounds: 16 per stage
  • Structure: Feistel
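The three TDES stages listed above, run by hand and checked against Go’s built-in Triple DES. This is an added example in Go (standard library only; not the article’s code): it encrypts one 64-bit block with key 1, decrypts that output with key 2, encrypts again with key 3, confirms the result matches des.NewTripleDESCipher on the concatenated 24-byte key, and shows that when all three keys are equal the construction collapses to plain single DES. The keys and the sample block are constructed demo values, and the type and function names are ours.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Stages holds the output of each TDES stage for one 64-bit block.
type Stages struct {
	AfterEncryptK1 []byte // stage 1: DES encrypt with key 1
	AfterDecryptK2 []byte // stage 2: DES decrypt with key 2 (not the plaintext)
	AfterEncryptK3 []byte // stage 3: DES encrypt with key 3 = final ciphertext
}

// TripleDESByStages applies the three stages by hand with three independent
// single-DES ciphers. Each key is 8 bytes (56 key bits plus parity bits).
func TripleDESByStages(k1, k2, k3, plaintext []byte) (*Stages, error) {
	c1, err := des.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := des.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	c3, err := des.NewCipher(k3)
	if err != nil {
		return nil, err
	}
	s := &Stages{make([]byte, 8), make([]byte, 8), make([]byte, 8)}
	c1.Encrypt(s.AfterEncryptK1, plaintext)
	c2.Decrypt(s.AfterDecryptK2, s.AfterEncryptK1)
	c3.Encrypt(s.AfterEncryptK3, s.AfterDecryptK2)
	return s, nil
}

// libraryTripleDES encrypts the same block with Go's built-in TDES (key = k1||k2||k3).
func libraryTripleDES(k1, k2, k3, plaintext []byte) ([]byte, error) {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, plaintext)
	return out, nil
}

// MatchesLibrary reports whether the hand-built stages agree with the library.
func MatchesLibrary(k1, k2, k3, plaintext []byte) (bool, error) {
	s, err := TripleDESByStages(k1, k2, k3, plaintext)
	if err != nil {
		return false, err
	}
	lib, err := libraryTripleDES(k1, k2, k3, plaintext)
	if err != nil {
		return false, err
	}
	return bytes.Equal(s.AfterEncryptK3, lib), nil
}

// CollapsesToSingleDES shows why the three keys must differ: with k1 = k2 = k3,
// stage 2 undoes stage 1 and the result is plain single DES.
func CollapsesToSingleDES(k, plaintext []byte) (bool, error) {
	s, err := TripleDESByStages(k, k, k, plaintext)
	if err != nil {
		return false, err
	}
	return bytes.Equal(s.AfterDecryptK2, plaintext) && bytes.Equal(s.AfterEncryptK3, s.AfterEncryptK1), nil
}

func main() {
	// Constructed demo keys and block; real keys come from a CSPRNG.
	k1, k2, k3 := []byte("key-one!"), []byte("key-two!"), []byte("key-3!!!")
	block := []byte("8bytes!!")
	s, err := TripleDESByStages(k1, k2, k3, block)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stage1 %x\nstage2 %x\nstage3 %x\n", s.AfterEncryptK1, s.AfterDecryptK2, s.AfterEncryptK3)
}
```

The same-key case is the backward-compatibility mode that let TDES hardware talk to single-DES systems, and it is also why a TDES deployment that repeats a key gets none of the added strength.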

Blowfish

Bruce Schneier developed the symmetric block cipher Blowfish in 1993 to replace DES. The Blowfish encryption algorithm was released to the public without a required license and is known for its flexibility, speed, and resilience compared to other older encryption standards.

The algorithm uses 64-bit blocks and encrypts them individually over 16 rounds using a key length between 32 and 448 bits. Each round consists of four actions that further scramble the data. Because of its small block size, Blowfish is not recommended for files larger than 4 GB.

  • Significance: Early open-source encryption tool, replaced by Twofish
  • Pros: Fast, fairly secure, free
  • Cons: Vulnerable to brute force and quantum attacks, slow for key changes
  • Used for: Still in use for password management; file and disk encryption; older Secure Shell (SSH) protocol tools (OpenSSH, PuTTY, etc.); and is embedded in Linux and OpenBSD operating systems
  • Key sizes: 32 to 448 bits
  • Block size: 64 bits
  • Rounds: 16
  • Structure: Feistel

Twofish

Twofish, developed in 1998, is a next-generation version of Blowfish that uses keys between 128 and 256 bits long, block sizes between 128 and 256 bits, and 16 rounds of encryption. While more complex than Blowfish, this symmetric block cipher is optimized for 32-bit CPUs, which enables better performance.

As with Blowfish, Twofish has also been made available in the public domain, allowing free use and incorporation of the algorithm into applications. While competitive with AES in speed on generic hardware, AES can be significantly faster using AES hardware acceleration.

  • Significance: Replaced Blowfish, but remains smaller in adoption
  • Pros: Stronger encryption than Blowfish, fast performance
  • Cons: Not as fast as AES with hardware accelerators, theoretically vulnerable to quantum brute force attacks
  • Used for: File and folder encryption
  • Key sizes: 128, 192, or 256 bits
  • Block sizes: 128 to 256 bits
  • Rounds: 16
  • Structure: Feistel

DHM: Diffie-Hellman-Merkle Introduces Key Exchange

Merkle (left), Hellman (center), and Diffie (right) at Stanford in 1977. (Chuck Painter / Stanford News Service)

Shortly after the release of DES, three computer scientists – Whitfield Diffie, Martin Hellman, and Ralph Merkle – published their research on public-private key cryptography in 1976. Their Diffie-Hellman-Merkle (DHM) key exchange pioneered asymmetric encryption and supported much longer key lengths of 2,048 to 4,096 bits.

  • Significance: First asymmetric encryption algorithm published
  • Pros: More secure for sharing information than symmetric algorithms
  • Cons: Not widely adopted, more resource intensive, vulnerable to brute force attack
  • Used for: Not widely adopted

RSA Encryption

A year after DHM’s release, three cryptographers – Ron Rivest, Adi Shamir, and Leonard Adleman – developed the asymmetric RSA public-key cryptosystem. The three innovators and MIT patented the RSA algorithm, a proprietary system available through RSA Security until its public release in 2000. The RSA algorithm remains the most popular public key cryptographic system today and introduced the concept of digital signatures for authentication outside of academia.

The RSA algorithm originators (right to left): Adi Shamir, Ron Rivest, and Leonard Adleman.

RSA depends on multiplying two very large randomized prime numbers to create a third, even larger prime number. While it’s very difficult for most computers to factor these prime numbers quickly, the algorithm has been found vulnerable to quantum computing attacks and tends to be a slow algorithm to implement. The algorithm is now in the public domain, and RSA calculator websites can be used to examine how the process works.

  • Significance: First commercially available public key, asymmetric algorithm
  • Pros: Enables secure sharing
  • Cons: Slow to implement, vulnerable to brute force attacks (especially quantum-powered)
  • Used for: Secure messaging, payments, small encrypted files

AES: The Advanced Encryption Standard

In 1997, NIST renewed its call to the public cryptography community for a successor to DES. Two Dutch cryptographers – Joan Daemen and Vincent Rijmen – submitted the eventual pick, known as Rijndael. By 2001, NIST had dubbed it the Advanced Encryption Standard (AES) and officially replaced DES. AES offered larger and different key sizes with a family of ciphers to choose from and remains one of the most popular standards over 20 years later. AES encrypts data over 10 to 14 rounds in block sizes of 128 bits and with key sizes between 128 and 256 bits.

While both DES and AES use symmetric block ciphers, AES uses a substitution-permutation network wherein plaintext goes through multiple rounds of substitution (S-box) and permutation (P-box) before finalizing the ciphertext block. Similarly, a client or application can decrypt the AES message by reversing these S-box and P-box transformations.

Most organizations use one of the AES variants for file encryption, full-disk encryption, application encryption, Wi-Fi transmission encryption, virtual private network (VPN) encryption, and encrypted protocols such as transport layer security (TLS).

  • Significance: Most widely adopted symmetric, block cipher algorithm
  • Pros: More secure than legacy encryption, faster than asymmetric options
  • Cons: Vulnerable to key theft and brute force attacks
  • Used for: Protocols, VPN, full-disk encryption, Wi-Fi transmission encryption
Key Sizes           | Block Size | Rounds     | Structure
128, 192, 256 bits  | 128 bits   | 10, 12, 14 | SP-network
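To make the round structure described above concrete, here is a toy substitution-permutation network in the same shape as AES (key mixing, S-box, P-box, repeated over several rounds, with the permutation skipped in the final round much as AES omits MixColumns there). This is an added example, not code from the article or from any AES implementation: AES itself uses a fixed 8-bit S-box, ShiftRows and MixColumns on a 16-byte state, and a key schedule defined by FIPS 197. The 16-bit block, 4-bit S-box, bit permutation, round count and key schedule below are constructed so that every step is visible; they provide no real security.

```python
"""Toy substitution-permutation network (SPN) illustrating the AES round shape.

Added example, not from the article.  16-bit blocks, a 4-bit S-box and an
80-bit master key sliced into round keys; constructed for readability only.
"""

# 4-bit S-box (constructed lookup table) and its inverse for decryption
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(i) for i in range(16)]

# Bit permutation (P-box) on a 16-bit block: bit i moves to position PBOX[i].
# This is a 4x4 transpose, so every S-box output feeds four different S-boxes.
PBOX = [4 * (i % 4) + i // 4 for i in range(16)]
INV_PBOX = [PBOX.index(i) for i in range(16)]

ROUNDS = 4
BLOCK_MASK = 0xFFFF


def substitute(block: int, table) -> int:
    """Apply a 4-bit S-box to each of the four nibbles (confusion)."""
    out = 0
    for nibble in range(4):
        val = (block >> (4 * nibble)) & 0xF
        out |= table[val] << (4 * nibble)
    return out


def permute(block: int, table) -> int:
    """Move every bit of the block according to the permutation table (diffusion)."""
    out = 0
    for i in range(16):
        if block & (1 << i):
            out |= 1 << table[i]
    return out


def round_keys(master_key: int) -> list:
    """Toy key schedule: slice ROUNDS+1 16-bit subkeys out of the master key."""
    return [(master_key >> (16 * r)) & BLOCK_MASK for r in range(ROUNDS + 1)]


def encrypt_block(block: int, master_key: int) -> int:
    keys = round_keys(master_key)
    state = block & BLOCK_MASK
    for r in range(ROUNDS):
        state ^= keys[r]                    # key mixing
        state = substitute(state, SBOX)     # substitution layer
        if r < ROUNDS - 1:                  # no permutation in the last round
            state = permute(state, PBOX)    # permutation layer
    return state ^ keys[ROUNDS]             # final key whitening


def decrypt_block(block: int, master_key: int) -> int:
    """Run the same steps backwards using the inverse S-box and P-box."""
    keys = round_keys(master_key)
    state = (block & BLOCK_MASK) ^ keys[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r < ROUNDS - 1:
            state = permute(state, INV_PBOX)
        state = substitute(state, INV_SBOX)
        state ^= keys[r]
    return state


if __name__ == "__main__":
    key = 0x1A2B3C4D5E6F7A8B9C0D          # constructed 80-bit master key
    ct = encrypt_block(0x1234, key)
    print(hex(ct), hex(decrypt_block(ct, key)))
```

The decrypt path shows why the inverse tables exist: every layer of an SPN must be a bijection on the block so that the ciphertext can be walked back to the plaintext, which is also why a substituted table must be a permutation of its input space.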

ECC: Elliptic-Curve Cryptography

Professors at the University of Washington and Columbia University independently published research in 1985 on elliptic curve cryptography (ECC), but it didn’t come into widespread implementation until the mid-2000s. Like RSA, ECC is an asymmetric algorithm, but instead of resting on the difficulty of factoring a product of primes, it generates public and private keys from the arithmetic of points on an elliptic curve.

The use of elliptic curves enables equivalent security with smaller key sizes than RSA, which enables faster execution of the encryption and decryption algorithms. ECC has proven to be a popular alternative choice to RSA but has also been found to be vulnerable to threats such as twist-security and side-channel attacks.

  • Significance: Popular asymmetric encryption alternative to RSA
  • Pros: Faster than RSA and uses smaller key sizes, more secure for sharing than symmetric encryption algorithms
  • Cons: Vulnerable to twist-security, side-channel, and quantum-powered attacks
  • Used for: Email encryption, cryptocurrency digital signatures, internet communication protocols
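The key exchange behind the "smaller keys, equivalent security" claim above, as an added example that is not code from the article: a toy elliptic-curve Diffie-Hellman over the curve y^2 = x^3 + 7 on GF(17) with generator (15, 13), a textbook toy group of 18 points chosen so that every step can be checked by hand; it provides no security and real deployments use standardized curves such as P-256 or Curve25519. Two of the article's listed weaknesses are visible in the code: the on-curve check on the peer's public key is the standard defence against the invalid-curve (twist) attacks it mentions, and the plain double-and-add scalar multiplication is exactly the kind of key-dependent branching that side-channel attacks exploit, which is why production libraries use constant-time ladders instead. Function names, the curve and the sample private keys are this example's own choices.

```python
"""Toy elliptic-curve Diffie-Hellman (ECDH) over a tiny prime field.

Added example, not from the article.  The curve y^2 = x^3 + 7 over GF(17) with
generator (15, 13) has 18 points; it is constructed for illustration only.
"""
from typing import Optional, Tuple

P = 17                  # field prime (toy value)
A, B = 0, 7             # curve coefficients: y^2 = x^3 + A*x + B (mod P)
G = (15, 13)            # generator point; its order is 18

Point = Optional[Tuple[int, int]]   # None represents the point at infinity


def is_on_curve(pt: Point) -> bool:
    """Validate a point before doing arithmetic with it.  Skipping this check
    on a peer's public key is the root cause of invalid-curve / twist attacks."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1: Point, p2: Point) -> Point:
    """Group law: chord-and-tangent addition with the identity handled."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                        # p1 == -p2
    if p1 == p2:
        slope = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, P) % P        # chord
    x3 = (slope * slope - x1 - x2) % P
    y3 = (slope * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add.  The branch on each key bit is key-dependent timing,
    i.e. a side channel; constant-time ladders avoid it in real libraries."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt: Point) -> int:
    """Smallest n with n*pt == infinity (fine for a toy curve)."""
    n, acc = 1, pt
    while acc is not None:
        acc = point_add(acc, pt)
        n += 1
    return n


def ecdh_shared_secret(my_private: int, their_public: Point) -> Point:
    """Compute the shared point, rejecting invalid peer keys first."""
    if their_public is None or not is_on_curve(their_public):
        raise ValueError("peer public key is not a valid point on the curve")
    return scalar_mult(my_private, their_public)


def ecdh_demo(alice_priv: int, bob_priv: int):
    """Both parties derive the same point: (a*b)*G == (b*a)*G."""
    alice_pub = scalar_mult(alice_priv, G)
    bob_pub = scalar_mult(bob_priv, G)
    return (ecdh_shared_secret(alice_priv, bob_pub),
            ecdh_shared_secret(bob_priv, alice_pub))


if __name__ == "__main__":
    print("order of G:", point_order(G))
    print("shared secrets:", ecdh_demo(5, 7))   # sample private keys
```

With private keys 5 and 7 both parties arrive at 35·G, which in an order-18 group is 17·G = −G = (15, 4); in a real system that shared point would be fed through a key-derivation function rather than used directly.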

What Is Next? Post-Quantum Cryptography

Based on quantum mechanics rather than mathematical operations, quantum computers can utilize Shor’s algorithm to find prime factors much more rapidly than traditional computers. This allows an attacker with access to a large enough quantum computer to break asymmetric standards like DHM, RSA, and ECC by determining an organization’s private key from the public key.

Although such machines are not yet commonly available, the development of practical quantum computers is widely regarded as a near-future certainty. Data stolen today may be securely encrypted using today’s standards and uncrackable for the next 5-10 years. However, if the attacker who stole the information later gains access to affordable quantum computing resources, that encryption may easily be broken.

Post-quantum cryptography (PQC) describes the research, algorithms, and vendors developed to address quantum attacks and secure the next generation of IT environments and data. NIST and the US National Security Agency (NSA) began releasing quantum-resistant algorithms and guidance in 2022.

Still, research remains in early stages, so initial standards remain in draft form and a full mitigation architecture for federal agencies isn’t expected until the 2030s. Currently, the four recognized algorithms include:

  • CRYSTALS-Kyber (FIPS 203) defines an algorithm incorporated into an asymmetric key encapsulation mechanism (KEM) standard designed to allow for quantum-resistant sharing of secure keys over public channels.
  • CRYSTALS-Dilithium (FIPS 204) defines an algorithm incorporated into a standard to create quantum-resistant digital signature schemes to verify sources and identities.
  • SPHINCS+ (FIPS 205) defines an algorithm incorporated into a stateless hash-based, quantum-resistant digital signature standard to verify sources and identities.
  • FALCON (FIPS pending) will define an algorithm and a digital signature standard based on fast-Fourier lattices.

Encryption Tool Types

Information technology uses encryption to protect data at rest and data in transit in many different ways. The broadest applications of encryption include:

  • Encrypted data transmission protocols
  • Full disk encryption
  • File encryption
  • Email encryption
  • Application Embedded Encryption
  • Digital certificates

While these are the solutions most often purchased and deployed, encryption can also be found incorporated into security solutions such as cloud access security brokers (CASB), next-generation firewalls (NGFW), password managers, virtual private networks (VPN), and web application firewalls (WAF).

Encrypted Data Transmission Protocols

Many fundamental protocols incorporate encryption into their programming to provide universal protection invisible to most users. Major protocols include:

  • DomainKeys Identified Mail (DKIM) enables the authentication of email senders by publishing a public key in DNS that recipients use to verify the signed header block attached to sent emails.
  • Internet protocol security (IPSec) provides encryption at the IP packet level and creates a secure tunnel for packets belonging to multiple users and hosts.
  • Kerberos provides single sign-on and user authentication against a central authentication and key distribution server, issuing authenticated tickets that secure access to services on a local area network.
  • Layer 2 Tunneling Protocol (L2TP) provides a framework for doubly-encrypted transmission of data using an encrypted tunnel between devices.
  • Secure/Multipurpose Internet Mail Extension (S/MIME) upgrades email security.
  • Secure Shell (SSH) secures remote terminals and provides support for single sign-on and secure tunneling for TCP streams.
  • Transport Layer Security (TLS) adds encryption, server authentication, and optional client authentication to communication between devices and applications and enables HTTPS connections.

Full Disk Encryption

To protect data at rest, an entire hard drive can be encapsulated within an encrypted container. This feature can be included in firmware, in operating systems, or as a feature in open-source, shareware, or commercial applications.

Full-disk encryption protects against the theft of the device or hard drive when they are powered down by rendering the contents of the device unreadable without the security key. However, these applications typically use symmetric encryption and are vulnerable to stolen keys. Additionally, full-disk encryption does not protect against data theft from the device when the device is powered on and the data is unencrypted for use.

File Encryption

File encryption protects data at rest while the device is powered on and the data is otherwise available for use. Encryption is applied on either a folder or individual file basis and decryption is applied as needed when the information is required.

File encryption tends to require more user interaction and is more difficult to apply on a universal basis than full disk encryption. File encryption can add strong security, but it remains vulnerable to stolen passwords and can be more vulnerable to lost passwords than full disk encryption, which may have an admin password established by IT.

Email Encryption

Email encryption places email content in encrypted containers for safe transmission using unencrypted email protocols. Email encryption options exist within major email tools, but many organizations choose to deploy additional tools with more robust options for deployment or encryption.

Application Embedded Encryption

Applications such as databases, websites, and other programs can incorporate encryption within the programming to protect data. Databases offer the most varied types of encryption for fields, columns, or entire database storage instances. Other types of encryption can detect and encrypt specific data types, such as credit card numbers and Social Security numbers, throughout the application.

Digital Certificates

Digital certificates provide publicly published keys that can be used to verify identity or to encrypt and decrypt information. Certificates must be maintained with current information and replaced before they expire.

How to Choose an Encryption Type or Algorithm

When selecting encryption types, enterprises should first consider their security requirements based upon the organization’s risk. Risk defines the most important data in the organization from a financial, operational, and regulatory perspective, which aids in determining where and how encryption can protect that data.

Effective risk analysis requires effective classification of data, an accurate inventory of data locations, and an effective picture of how the most important data flows through the organization. The risk analysis will determine the security needs, and then a range of encryption solutions should be considered, not just the type of tool that is most commonly used or the most convenient to apply.

The top features of a commercial tool (other than cost) to consider include:

  • Centralized policy management
  • Speed of the tool
  • Key management and automation
  • Support for hardware-based cryptographic acceleration
  • Ability to report for compliance
  • Monitoring, logging, and auditing capabilities
  • Operating system (OS) support
  • Installation and configuration processes
  • Impact on operations and user experience
  • Encryption algorithm options
  • Legacy encryption support

Unfortunately, encryption can result in loss of functionality, decreased performance, and even lost data, depending upon factors such as:

  • User error
  • Memory and hard drive requirements vs. available resources
  • Required changes to infrastructure 
  • Required changes to devices  

Solutions that require extensive changes to the infrastructure and end user devices should generally be used only when other options cannot meet the enterprise’s security needs. After selecting a tool, an organization may have the option to select from multiple available security algorithms. They should consider whether this algorithm is current or obsolete, is validated or untested, and suits the use case.

In addition to tool and algorithm considerations, an organization should also consider the way in which the encryption can be obtained and the economic consequences:

  • Direct tool purchase offers the potential for one-time pricing and professional customer support but can become obsolete or may be narrowly focused.
  • Open-source software will generally be free but will lack professional customer support, require the most resources to implement, may become obsolete, and will usually be narrowly focused on how it can be used.
  • Add-on encryption is often a service provided by specific vendors for specific use cases, such as a cloud provider’s cloud storage encryption added to protect cloud resources.
  • Encryption as a service offers a broad range of encryption options, will be continuously updated, and requires the least effort to manage; however, this option involves giving up control of company secrets to an outside party.

The selection of a tool can be a collaborative and iterative process. Affected users should be involved in testing encryption tools and deployment can be rolled out in stages to avoid disruptions and data loss. As with security, encryption should be applied in layers appropriate for the use: database, local file, email, or entire drives.

Bottom Line: Encryption Adds a Strong Layer to a Security Stack

Encryption may be required by compliance standards and customers expect important data will be encrypted for protection and to guard against theft. However, encryption alone will not fully protect valuable data. Encryption provides a very strong layer of defense, but it should complement a full security stack of solutions and services to protect servers, endpoints, network connections, applications, and more.


This article was originally written by Sam Ingalls and published on May 26, 2022. It was updated by Chad Kime on December 7, 2023.

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

The post Types of Encryption, Methods & Use Cases appeared first on eSecurity Planet.

Top 6 Data Loss Prevention (DLP) Solutions (Full Comparison) https://www.esecurityplanet.com/products/data-loss-prevention-dlp-solutions/ Wed, 25 Oct 2023 21:05:20 +0000 https://www.esecurityplanet.com/2020/02/12/top-data-loss-prevention-dlp-solutions/ Data loss prevention (DLP) solutions are a priority for IT departments because of their ability to protect sensitive data. Find your DLP solution now.


With governments around the world implementing strict data privacy laws, data loss prevention (DLP) technology is becoming a critically important IT security tool for protecting sensitive data.

Every organization stores sensitive data. Sensitive data can include personally identifiable information (PII) that can impact user privacy. Sensitive data also includes payment and financial information that could lead to identity theft and fraud if the data is lost or stolen and winds up in the wrong hands. Intellectual property is another type of sensitive data that DLP tools typically monitor and protect.

DLP tools automate data classification and protection, typically after an initial assessment of an organization’s data types and where that data is located. DLP tools then monitor that data to look for potential exposure or leaks.

Below are our top picks for data loss prevention solutions, their features, use cases, functionality and customer support, followed by considerations for buyers in the market for DLP solutions.

Top DLP Solutions Compared

This table provides a brief overview of our top products and their feature availability. Read our full product reviews below for more detail on each.

Product                        | Regulatory compliance support | Encryption | Network monitoring | Free trial
Forcepoint DLP                 | ✅ | ✅ | ?  | ✅
Digital Guardian Endpoint DLP  | ✅ | ✅ | ✅ | ?
Symantec DLP                   | ✅ | ✅ | ✅ | ?
Clumio Protect and Discover    | ✅ | ✅ | ?  | ✅
Proofpoint Enterprise DLP      | ?  | ✅ | ?  | ✅
Trellix DLP                    | ✅ | ✅ | ✅ | ?

✅ = yes; ? = unclear or no


Forcepoint DLP

Best overall

Forcepoint DLP offers tools to manage global policies across every major channel, including endpoint, network, cloud, web, or email. Predefined templates, policies, and streamlined incident management enable organizations to address risk by adding visibility and control where people work and data resides.

Forcepoint DLP interface.
Image credit: Forcepoint

Forcepoint’s compliance features are a particular highlight — they help teams meet standards with more than 1,500 predefined templates, policies, and classifiers applicable to the regulatory demands of 83 countries. If you’re a large enterprise with significant regulatory demands, consider Forcepoint. We rated it best overall for its comprehensive feature coverage.

Pricing

  • Forcepoint offers a 30-day free trial of DLP.
  • Contact Forcepoint’s sales team for detailed pricing information specific to your organization’s needs.

Features

  • Employee security coaching through messages that guide user actions, educate employees on policy, and validate user intent when interacting with critical data
  • Automated data labeling and classification through integrations with third-party data classification tools
  • Risk-based policy enforcement
  • Intellectual property protection

Pros:
  • Forcepoint ONE DLP, the cloud security platform for DLP, is available as a managed service
  • Forcepoint offers training videos
  • Technical account manager available for enterprise support plans

Cons:
  • Lacks file transfer protection or quarantining
  • Recent user complaints about customer support’s slow responses

Digital Guardian Endpoint DLP 

Best for small or inexperienced security teams

Digital Guardian Data Loss Prevention, offered by Fortra, performs DLP on traditional endpoints, across the corporate network, and on cloud applications. Our analysis focuses on Endpoint DLP, but Digital Guardian also has a Network DLP product for teams focused on network traffic monitoring and security. Your enterprise can combine both if needed.

Fortra Digital Guardian Endpoint DLP interface.
Image credit: Fortra

Digital Guardian receives its high rating from us particularly for its functionality and management features like training videos and support for multiple operating systems. Additionally, Digital Guardian DLP is available either as software-as-a-service (SaaS) or a managed service deployment. While Digital Guardian DLP is a strong choice for large enterprises, SMBs should consider it too for ease of use through the managed service.

Pricing

Features

  • Automated blocking and encryption of sensitive data in emails and files on removable drives
  • Dashboards
  • Classification and tagging of intellectual property and regulated data
  • Data-centric events collected are reported up to Digital Guardian’s Analytics & Reporting Cloud, part of the vendor’s overall data protection platform

Pros:
  • Available as a fully managed security service program (MSSP) with a 24/7 global analyst team
  • Supports multiple operating systems

Cons:
  • Some users find the UI confusing and initial setup difficult

Symantec DLP

Best for protecting large networks

Symantec Data Loss Prevention, now owned by Broadcom, is a two-product protective platform for enterprises. We mainly looked at Symantec DLP Core, but DLP Cloud is also available and offers cloud connectors to web gateways and cloud access security broker (CASB) controls.

Broadcom Symantec DLP interface.
Image credit: Broadcom

DLP Core offers features like encryption and network monitoring; consider it for sprawling business networks, especially storage area networks that pool data from multiple storage systems. And if your team is looking for data protection for cloud environments, DLP Cloud can help monitor cloud-based applications and storage systems.

Pricing

  • For pricing information, you can contact Broadcom’s sales team, or you can contact a reseller like CDW or SHI for pricing. Depending on the reseller, you may still need to request a quote. SHI reports a starting list price of $96 a year per license with support, with volume discounts.

Features

  • One pane of glass for policy management
  • Microsoft Information Protection integration for encryption and rights management
  • Network monitoring
  • Information Centric Analytics, a form of UEBA

Pros:
  • Full-featured Core product for on-premises environments
  • Good choice for teams protecting intellectual property data

Cons:
  • Symantec DLP is built on Oracle, so customers must have an Oracle database to use it
  • No free trial

Clumio Protect and Discover

Best for AWS business environments

While designed more as a backup solution, Clumio has enough DLP features to earn it a place on this list. The Protect and Discover products offer backup and recovery for AWS and Microsoft 365. Clumio simplifies and automates AWS data protection for Amazon S3, EC2, EBS, and RDS; SQL Server on EC2; and other products.

Clumio DLP interface.
Image credit: Clumio

Don’t count Clumio out if you’re a Microsoft customer, either: it helps teams develop policies for all their 365 products and stores data in an immutable environment to protect it from ransomware.

Pricing

  • Clumio has a pay-per-use structure, with pricing specified for different AWS products and backup type and frequency. Check out the pricing page for a complete list of backup costs. For S3, Clumio offers SecureVault Standard and SecureVault Archive, so you can back up your less frequently accessed data, too.

Features

  • Air-gapped backups for SQL Server data, stored outside user accounts
  • Search, recovery, and restoration for EC2 files, volumes, and instances
  • Encryption for data in motion and at rest
  • Policy creation for AWS, including specified backup frequency and retention

Pros:
  • Available as a managed service
  • 14-day free trial
  • Developer hub available for engineers and dev teams

Cons:
  • Limited training videos
  • Data discovery capabilities are unclear — Clumio is more backup-focused, so it won’t meet all enterprise-level DLP requirements

Proofpoint Enterprise DLP

Best standalone email protection

Proofpoint’s broader Enterprise DLP platform provides both Endpoint DLP and Email DLP products. Proofpoint Endpoint DLP takes a people-centric approach to protecting data. It provides integrated content awareness in addition to behavioral and threat awareness, which gives granular visibility into user interactions with sensitive data. Proofpoint Endpoint DLP also offers the ability to detect, prevent, and respond to data loss incidents in real time.

Proofpoint DLP interface.
Image credit: Proofpoint

Email DLP helps identify when sensitive data is being leaked through an email. It allows teams to create dictionaries with data formats specific to their organization for exact data matching. If your team is particularly interested in a comprehensive endpoint and email protection solution, consider Proofpoint.

Pricing

  • Proofpoint doesn’t give public pricing information for its DLP products. Contact the sales team for pricing specific to your business.

Features

  • Encryption for email data with Email DLP
  • Custom dictionaries for specific data formats and exact data matching with Email DLP
  • Out-of-the-box detection and prevention engine to halt data exfiltration with Endpoint DLP
  • Access policies based on your team’s security goals with Endpoint DLP

Pros:
  • Built on the same platform as Proofpoint Insider Threat Management and can draw user data from it
  • Part of the Managed Information Protection service for businesses seeking a broader managed data security platform

Cons:
  • Lacks training videos for users
  • Not as full-featured as some of the other products on our list



Trellix DLP

Best for distributed enterprises

Trellix — an XDR-focused security company formed from the merger of McAfee Enterprise and FireEye — remains tightly coupled with its former cloud business, Skyhigh Security, in DLP. Composed of DLP Discover, DLP Endpoint, DLP Monitor, and DLP Prevent, Trellix’s data loss prevention platform is a good choice for both on-premises and hybrid environments, particularly when combined with Skyhigh’s SASE capabilities. Of course, that also makes Skyhigh a good choice for organizations looking for a cloud DLP option.

Trellix DLP interface.
Image credit: Trellix

We focused on DLP Discover in our review; this product inventories data, searches for sensitive information, and helps develop data protection rules through fingerprinting. But the entire Trellix suite is a good choice for teams focused on threat monitoring and prevention. The one downside is it requires four DLP products to get all the DLP capabilities that Trellix offers, but for enterprises seeking a feature-rich DLP platform, Trellix is a strong contender.

Pricing

  • Trellix doesn’t provide public pricing details. Contact Trellix to speak with a salesperson about products and pricing information. Some pricing can be found online in places like AWS and Connection.

Features

  • Network monitoring through DLP Monitor
  • Encryption and quarantining after a policy violation through DLP Prevent
  • Statistical analysis for data pattern matches within documents and files
  • Rule construction engine that helps your team create data protection rules for simple and complex data

Pros:
  • Network monitoring product available
  • Comprehensive enterprise solution

Cons:
  • Lacks user training videos
  • Not available as a managed service
  • Might require multiple solutions to cover all your needs

Key Features of DLP Solutions

Data loss prevention helps storage, data, and security teams wrangle large volumes of information that might be scattered throughout multiple systems and locations. Look for the following features in the products you consider — while they will vary between solutions, you’ll at least want the majority in any DLP solution.

Data Discovery

DLP tools should enable users to locate the data that needs to be protected. It’s easy to lose track of data in enterprise storage systems and applications, but your team should keep tabs on all that information. You can only protect it if you know it’s there. Data discovery is one of the core building blocks of DLP.

Data Classification

DLP tools should enable users to identify what types of data should be protected. Some data is more sensitive, and if it were stolen or exposed it would be a critical risk. Data should not only be grouped into appropriate categories but also prioritized according to its sensitivity.

Compliance Assistance

DLP has become a useful tool for helping organizations protect customer privacy and comply with privacy regulations like GDPR and CCPA. Many DLP products have built-in functionality for identifying whether data protection practices are actually compliant with regulatory standards.

Policy Creation

Many DLP tools offer a policy creation feature that allows you to develop data protection rules specific to your business. Some businesses may want more sophisticated policy-making tools, so if you’re a larger enterprise with experienced data or security teams, look for highly customizable policies. Conversely, if you want out-of-the-box policies, ask for a demo when shopping for a DLP product.

Network Monitoring

Not all DLP products offer network monitoring, but we particularly recommend it for teams that have a lot of sensitive data traveling across their network. Monitoring is also useful for businesses with large storage area networks, as data from multiple systems could be compromised if the network is breached.

How to Choose the Best DLP Solution for Your Business

When choosing a DLP technology or service, there are several key considerations organizations must take into account, including, but not limited to, budget and team size. Also consider where your business data resides and any compliance assistance you’ll need.

Scope

Where is the data that needs to be protected? Have you inventoried every storage system or database containing sensitive data? And does the solution you’re looking at have full visibility into those deployments? These are the questions you should ask before choosing a data loss prevention product so you know whether it supports all the file types, unstructured data, or other information your team needs to protect.

Compliance

If the DLP service is being used to help enable regulatory compliance, look for integration with governance, risk, and compliance (GRC) tools. Not all DLP products will have the GRC capabilities you’re looking for, and a smooth integration could be critical for facilitating your team’s regulatory compliance operations.

Reporting

It’s important for many organizations to have visibility and reporting into what data is protected and how it is being accessed, particularly for compliance purposes. Businesses in the healthcare, financial services, and government sectors will especially benefit from strong built-in reporting tools.

Team expertise and business size

You’ll need to weigh a product’s interface and capabilities against the skills of your security, IT, and data teams. While you shouldn’t choose a product only for ease of use, it’s important to consider how long it’ll take for your teams to learn and how complex it is. Additionally, smaller businesses will need a product appropriate for their size; likewise for large enterprises.

Budget

While budget is certainly a consideration, it shouldn’t be the only one. Your business should invest in a product that will last many years, and if that requires spending some money on a platform with the right features, see if your team can afford a suitable product that will serve you well.

How We Evaluated DLP Solutions

We evaluated these DLP solutions using a product scoring rubric. In our rubric, we weighted criteria and features according to the percentages listed for each below, and that weighting factors into the total score for each product. The six products that scored highest in the rubric made our list. However, that doesn’t mean that one of these is automatically the best pick for you, nor that a good option can’t be found outside this list.

A note on ratings: The scores are not a reflection of the product’s overall quality but rather a representation of how the product met the criteria in our evaluation rubric. All these products are successful in this category, and their score here is not an overall measure of their value. Rather, it analyzes how well they met our specific criteria.

Pricing Transparency & Trials | 10 Percent

We evaluated whether the vendor was transparent about pricing and whether the product had a free trial, including how long the trial lasted.

Core Features | 35 Percent

We evaluated the most important DLP features, like data discovery, data classification, and policy creation.

Additional Features | 20 Percent

We considered some nice-to-have features, including digital rights management, behavioral analytics, and risk-based policy enforcement.

Functionality & Management | 20 Percent

We evaluated availability of knowledge bases and training videos, as well as the option to buy the product as a managed service.

Customer Support | 15 Percent

We looked at technical support phone and email availability, as well as whether the vendor offers a demo and a 24/7 support plan.

Frequently Asked Questions (FAQs)

People frequently ask the following questions about data loss prevention and its role in enterprises and security systems.

What Is an Example of a DLP Policy?

Data loss prevention policies can either be pre-made or customized specifically for your organization. For example, your IT team might set a DLP policy that permits only encrypted files to be sent from the Chief Information Officer’s email account. DLP policies specify what can happen to what data.

What Triggers a DLP Incident?

Your business’s set policies trigger a DLP incident. When someone goes against a policy — for example, when the aforementioned CIO attempts to email an unencrypted file — the DLP product triggers an alert, flagging the incident. Some DLP products have prevention features that will block the unencrypted file from sending.

Is There a Difference Between DLP and EDR?

DLP and endpoint detection and response (EDR) differ in intent, but they do serve similar purposes. DLP is focused on data, on its safety at rest and in motion. EDR is focused on endpoints and protecting systems starting at the endpoint, detecting and halting attacks on laptops and servers. While they may perform some of the same tasks, businesses will likely implement them for different reasons.

Bottom Line: Use DLP Tools to Protect Sensitive Data

DLP technology provides a mechanism to help protect against sensitive data loss and thus can also help mitigate interactions with compliance agencies in the wake of a data breach.

By classifying data and users and identifying or blocking anomalous behavior, DLP tools give enterprises the visibility and reporting needed to protect sensitive data and satisfy compliance reporting requirements. It’s likely that your DLP product won’t function in a vacuum — you’ll probably need other tools, too. But data loss prevention focuses on one of your business’s most important assets: its sensitive, secret and regulated information. The stakes for securing data continue to rise, and DLP is one strategy to help achieve your team’s data protection goals.




]]>
To Fix DMARC Requires Angry Customers https://www.esecurityplanet.com/compliance/how-to-fix-dmarc-enforcement/ Wed, 30 Aug 2023 20:28:31 +0000 https://www.esecurityplanet.com/?p=31633 Spoofing emails escape email authentication checks because blocking imposters takes effort. Customers must demand enforcement from their vendors.

The post To Fix DMARC Requires Angry Customers appeared first on eSecurity Planet.

]]>
A new Cloudflare phishing report notes that most of the 1 billion brand impersonation emails the company detected “passed” SPF, DKIM, and DMARC email authentication protocols.

That statistic is a bit misleading; the emails “passed” only because of a lack of enforcement controls by the brands themselves. The essential overlooked step of enforcement of email authentication protocols is a big reason why phishing emails remain the root cause of the overwhelming majority of cyber attacks and fraud.

A real reduction in impersonated emails will only happen when customers push the financial consequences of impersonation onto their vendors. We will explore this in more detail through the following topics:

How To Create Financial Consequences For DMARC Failure

When an organization does not enforce DMARC, attackers can impersonate the brand. From the organization’s perspective, the investment of time to prevent impersonation may not deliver a return on that investment – even if it is small.

Impersonated organizations avoid consequences and thus feel no pain from victims of impersonated emails. The only change will occur when angry customers start to share the pain.

The Problem: Impersonated Organizations Avoid Consequences

Most often, the ones suffering the consequences of impersonated emails will be the hundreds or thousands of companies, nonprofits, and other organizations whose employees fall for the impersonation emails. The impersonated emails might contain annoying SPAM, but more often the phishing email will deliver more dangerous payloads that lead to stolen credentials, business email compromise (BEC) attacks, or ransomware attacks.

Victim organizations have little to no recourse to extract any compensation from the organization that is allowing their brand to be impersonated. Meanwhile, the company being impersonated has no financial incentive to change their behavior.

The Solution: The Pain of Email Impersonation Must Be Shared

The only leverage an organization may be able to apply will be to their vendors. Customers should become angry that their vendors expose them to risk and should demand that their suppliers implement and enforce SPF, DKIM, and DMARC email authentication protocols as a criterion for a business relationship.

Vendors need to make sales and will make reasonable concessions to customers to keep them from switching to competitors. At the same time, an organization is also quite likely to fall for business email compromise and phishing attacks from their vendors. After all, accounts payable clerks will open virus-laden PDF files named “overdue invoice” or “past-due statement” even if they don’t recognize the sender.

Admittedly, smaller organizations will not have leverage. However, even a medium-sized government agency or a Fortune 5000 corporation can easily make a demand for email authentication protocols as one of the conditions within their contract. The organization making the demand will have little to no cost to add such a clause to their contract and will see a huge reduction in risk from email impersonations.

Implementing all three email authentication protocols takes time, but does not cost significant money. Customers making these requests do not financially harm their vendors; they simply pass the pain of impersonated emails back to them.

Emails Don’t ‘Pass’ – They Are Allowed To Bypass

Cloudflare released its inaugural Phishing Threats Report recently and cited over 1 billion instances of brand impersonations detected in SPAM, email threats, and malicious messages. Email authentication protocols such as SPF, DKIM, and DMARC are supposed to protect brands, yet Cloudflare notes that the “majority (89%) of unwanted messages ‘passed’ SPF, DKIM, or DMARC checks.”

Cloudflare can be 100% accurate that roughly 890,000,000 emails contain faked brand impersonations attempting to spoof email recipients. However, they definitely had to put “passed” in quotation marks because email authentication checks only fail spoofed emails under very specific configurations that most companies fail to implement. Instead, most impersonated emails are simply allowed to bypass authentication by the impersonated organization because of inadequate setup of all three protocols.

SPF Protocol: Spoofed Passes and Legitimate Fails

SPF stands for the Sender Policy Framework, and an SPF check notes whether the sending email server is an authorized email server for the domain. An organization publishes an SPF record (a DNS TXT record) on their domain that lists the legitimate email servers sending email on behalf of that domain.

SPF can be satisfied by a spoofed message because the check is run against the envelope sender (the MAIL FROM address, which recipients see only as a hidden Return-Path header), and a malicious sender can set that address to a domain whose SPF record lists their own email server. The receiving server validates SPF for that attacker-controlled domain; the SPF check alone does not require it to match the domain in the “From” field displayed to the email recipient.

SPF can also fail for legitimate emails if the SPF record is not maintained. A legitimate email sent by a new email server on the domain will simply fail if the server is not in the SPF record. A third-party mail service such as MailChimp may provide an SPF entry that references the MailChimp email servers; either way, those servers need to be added to the organization’s SPF record.

DKIM Protocol: Spoofed Passes and Legitimate Fails

DKIM is the acronym for the DomainKeys Identified Mail protocol, which enables an organization to digitally sign outgoing emails with a private key; the matching public key is published in DNS on the organization’s domain so that receiving servers can verify the signature.

As with SPF, malicious senders can implement DKIM for their own malicious domain and sign SPAM with a key whose public half is hosted on that domain. The DKIM check alone verifies the signature against the signing domain named in the DKIM header; it does not compare that domain with the domain shown in the “From” field to check for a match.

Just as with the SPF protocol, inadequate setup of legitimate third-party email senders, such as HubSpot, or new email servers can lead to DKIM failure. DKIM can also be tricky to publish without errors and simple typos can lead to failure for all DKIM protocol checks.

Our SPF and DKIM guides contain detailed information on how to properly set up the protocols.

DMARC Protocol: Spoofed Passes and Legitimate Fails

DMARC, while a clumsy acronym, is easier to say than the full and more unwieldy name, Domain-based Message Authentication, Reporting and Conformance. DMARC provides a mechanism to validate the domain of the brand listed in the “From” field displayed to the email recipient against the SPF and DKIM results for that domain.

There are two ways a spoofed email can “pass” DMARC.

First, the sender uses a lookalike domain such as “Amaz0n” or “Arnazon” when pretending to be “Amazon.” The malicious sender can set up SPF, DKIM, and DMARC for their look-alike domain and legitimately pass all three checks, because that fraudulent domain is technically not an impersonation of the real domain.

Second, and much more commonly, the DMARC protocol is often simply not set up for active enforcement by the impersonated domain. In a standard process, DMARC will be established with a “p=none” setting, which does not provide any guidance to the receiving email server or email security tool for what to do if the protocols do not match.

Often, the default will be to deliver these messages, and this likely constitutes the bulk of the 89% of the emails that “passed” SPF, DKIM, and DMARC authentication checks. This is technically not passing DMARC because the impersonation email fails the check, but when less than half of enterprise DMARC policies meet the “p=reject” or even the “p=quarantine” authentication levels for enforcement, many impersonation emails can fail and simply bypass filters anyway.

Legitimate emails can fail DMARC if the organization has not carefully and thoroughly established and recorded the legitimate sources for email using their domain. Many organizations worry that they may not have SPF or DKIM properly established for all of their internal and third-party email servers. Afraid of the possibility of rejection for their marketing emails, an impersonated organization will be conservative and simply avoid enforcing DMARC.

Also read: Why DMARC Is Failing: 3 Issues With DMARC

Standard Email Protection Isn’t Enough

Some email services also default to delivering emails that fail a “p=reject” policy to quarantine or SPAM folders rather than rejecting them. Similarly, email security tools are typically set up to be overly permissive to avoid blocking critical business emails.

Security teams should adjust their settings on email servers, for email SaaS providers, and within email security tools to explicitly reject emails that fail email authentication protocols. Organizations need to take action where they can to honor DMARC ‘p=reject’ and ‘p=quarantine’ settings and at least gain some advantage from the organizations that properly enforce the email authentication protocols.
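To make the two points above concrete (an attacker’s own SPF and DKIM “pass” does not satisfy DMARC alignment with the displayed From domain, and a “p=none” policy lets the failing message through anyway), here is an added example in Python. It is not code from the article or from Cloudflare; it is a minimal model of the receiver-side DMARC decision. The domain names (example.com, spoofer.invalid), the DMARC records, and the simplified organizational-domain rule are assumptions constructed for illustration.

```python
# Added example, not from the eSecurity Planet article: a minimal DMARC
# policy evaluator. It shows (1) why an attacker's own SPF/DKIM "pass"
# does not satisfy DMARC alignment with the displayed From domain, and
# (2) why a p=none policy still delivers that failing message.
# All domain names and records below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AuthResult:
    """Authentication outcome a receiving server has already computed."""
    from_domain: str            # domain of the From: address shown to the recipient
    spf_domain: Optional[str]   # domain SPF was evaluated for (envelope MAIL FROM)
    spf_pass: bool
    dkim_domain: Optional[str]  # signing domain (d= tag) of a verified DKIM signature
    dkim_pass: bool


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    if tags.get("p", "none") not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy: {tags['p']!r}")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels).
    Real receivers consult the Public Suffix List; this shortcut is an
    assumption that only holds for plain example.com-style names."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, result: AuthResult) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    DMARC passes only if SPF or DKIM passed AND that identifier aligns with
    the From domain. On failure the disposition comes from the p= tag:
    p=none delivers anyway, which is the loophole the article describes."""
    tags = parse_dmarc(record)
    spf_ok = result.spf_pass and aligned(result.from_domain, result.spf_domain, tags.get("aspf", "r"))
    dkim_ok = result.dkim_pass and aligned(result.from_domain, result.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[tags.get("p", "none")]


# Constructed records for the hypothetical brand domain example.com:
# the monitoring-only record most rollouts stop at, and an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Constructed impersonation: From shows example.com, but SPF and DKIM both
# check out only for the sender-controlled domain spoofer.invalid.
SPOOFED = AuthResult("example.com", "spoofer.invalid", True, "spoofer.invalid", True)

# Constructed legitimate mail: a third-party mailer whose servers are in
# example.com's SPF record and which signs with d=example.com.
LEGIT = AuthResult("example.com", "bounce.example.com", True, "example.com", True)

# Constructed legitimate mail from a server never added to SPF or DKIM,
# the case that makes organizations afraid to turn on enforcement.
UNLISTED = AuthResult("example.com", "mail.example.com", False, None, False)

if __name__ == "__main__":
    for name, record in (("p=none", WEAK_RECORD), ("p=reject", ENFORCED_RECORD)):
        for label, msg in (("spoofed", SPOOFED), ("legit", LEGIT), ("unlisted", UNLISTED)):
            print(f"{name:9s} {label:9s} -> {evaluate(record, msg)}")
```

Running the block prints the six combinations: under the p=none record the spoofed message fails DMARC yet is still delivered, under the p=reject record it is rejected, and the unlisted legitimate server is rejected too, which is exactly why the SPF and DKIM inventory has to be complete before moving from p=none to p=quarantine or p=reject.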

Also read: How to Improve Email Security for Enterprises & Businesses

Bottom Line: Impersonation Is Primarily A Condition of Inconvenience

Those 890,000,000 emails that impersonate brands probably would not pass properly enforced SPF, DKIM, and DMARC protocols. Loose delivery filters tend to be overly permissive and put the burden of analyzing the emails for signs of spoofing on the shoulders of the weak link: our non-technical employees.

Proper enforcement of email authentication takes time, but does not cost much money. Companies don’t want to be inconvenienced by undelivered marketing emails, so instead they allow others to suffer from attacks impersonating them.

It is time for customers to get angry and push back where they can – at vendors. Vendors currently worry about losing potential customers, but will worry much more about losing actual customers. Instead of resisting security, the sales teams will start to help motivate the entire organization to stop email impersonation.

Read next: Spear Phishing Prevention: 10 Ways to Protect Your Organization


The post To Fix DMARC Requires Angry Customers appeared first on eSecurity Planet.

]]>
6 Best IT Asset Management (ITAM) Software https://www.esecurityplanet.com/products/it-asset-management-software/ Wed, 23 Aug 2023 16:20:00 +0000 https://www.esecurityplanet.com/?p=20148 Make informed decisions on IT asset management software. Compare features, integrations, and pricing. Find the perfect solution for your business needs.

The post 6 Best IT Asset Management (ITAM) Software appeared first on eSecurity Planet.

]]>
IT asset management software helps IT teams track and manage all the assets their company uses in its IT infrastructure.

ITAM tools track hardware and software lifecycles so IT teams know how to best protect and use those assets. ITAM can also play an important role in cybersecurity by discovering and updating assets as part of the vulnerability management and patching process.

Our selections for the best ITAM software help overworked IT teams organize, manage, and protect their business’s important assets:

Top ITAM Software Comparison

The following table gives a short overview of our top six software selections, a few key ITAM features, and pricing availability.

Product                       | License tracking | Vendor management | Configuration management database (CMDB) | Mobile app functionality | Transparent pricing
Ivanti Neurons                | ✅ | ✅ | ✅ | ? | ?
ManageEngine Endpoint Central | ✅ | ?  | ✅ | ✅ | ✅
Quest KACE                    | ✅ | ?  | ✅ | ? | ?
SolarWinds Service Desk       | ✅ | ✅ | ✅ | ✅ | ✅
Pulseway                      | ✅ | ?  | ?  | ✅ | ✅
Track-It!                     | ✅ | ?  | ?  | ? | ?

Learn more about IT asset management


Ivanti Neurons

Best for vendor and contract management

Ivanti’s ITAM portfolio includes Ivanti Neurons for Discovery, Neurons for ITAM, and Neurons for Spend Intelligence. Neurons for ITAM includes a product catalog that shows not only purchased assets but also active product orders. Contract management features allow IT teams to view the overall state of their business’s contracts.

With Ivanti, your IT team can manage asset requests like a new employee laptop as well as manage IT contracts. Ivanti offers a mobile app with features like barcode scanning, which helps teams track multiple assets more quickly; however, note that the app has low review scores on both Apple’s App Store and the Google Play store.

Pricing

Ivanti requires potential buyers to submit a quote request to receive pricing information. Buyers receive a discount by choosing annual billing rather than monthly billing.

Features

  • Barcode scanning capabilities through the mobile app
  • Asset lifecycle tracking, including receipt and disposal records
  • Vendor data and performance management
  • Charts and graphs that show software inventory and break down top software vendors
  • Configuration management database

Pros

  • Mobile app available
  • Integrates with Ivanti’s IT service management (ITSM) product

Cons

  • Lacks transparent pricing
  • Mobile app could be better

ManageEngine Endpoint Central

Best for overall endpoint management

Formerly known as Desktop Central, ManageEngine’s unified endpoint management (UEM) solution offers ITAM for IT teams that want to double down on asset security. While the ITAM solution is just one component of Endpoint Central, it makes sense for organizations that want to combine their endpoint solution with software and hardware asset management.

Key features include digital asset tracking and scans, license compliance tracking, and file scanning. ManageEngine scans your business’s network for hardware and software inventory changes to determine if an unauthorized device is on your network.

Pricing

Endpoint Central has four different plans:

  • Professional
  • Enterprise
  • UEM
  • Security

Its comprehensive pricing list gives endpoint cost ranges for numbers of endpoints, workstations, servers, and additional technicians. Select the Get Quote button at the bottom of the page to calculate your team’s specific numbers.

Features

  • Digital asset tracking and scanning
  • Network scans for hardware and software inventory changes
  • Hardware warranty management, which includes automated warranty detection
  • IT license compliance tracking
  • Customizable software and executable blocking
  • Configuration management database

Pros

  • Transparent pricing
  • 30-day free trial
  • Option to purchase an endpoint platform that includes ITAM if you want the whole package

Cons

  • User reviews are mixed about customer support and usability of the user interface, with some customers having trouble with unhelpful tech support and a clunky UI


Quest KACE

Best for teams with large IoT infrastructures

Offered by Quest, the KACE Systems Management Appliance offers IT asset management along with IoT device management. Because the KACE appliance uses network protocols like SNMP, your IT team can scan not only computers but also network-connected devices like routers and printers. If your business uses a lot of IoT devices, consider KACE.

KACE also specifically integrates with Dell systems, including enterprise technology like servers and storage. For large enterprises with multiple Dell systems, KACE includes that hardware in its asset inventory so teams know when it’s time to phase it out.

Pricing

Quest only provides pricing for KACE once potential buyers request a quote. They can also request a free trial.

Features

  • Tracking for devices like networking equipment and printers
  • Configuration management database for overall asset and IoT device management
  • Inventory software that tracks hardware’s age and compatibility with operating systems
  • Integration with Dell products

Pros

  • Supports a wide range of operating systems
  • Free trial

Cons

  • Lacks transparent pricing

SolarWinds Service Desk

Best for large enterprises

SolarWinds Service Desk is an IT service management (ITSM) solution that combines help desk capabilities with IT asset management. Users can monitor the licenses being used in their organization and see when an active license doesn’t match what the business has already purchased. IT teams can also use the configuration management database (CMDB), which shows how the IT infrastructure is affected when configurations are changed.

On the help desk side, users can design a knowledge base for their own employees to resolve IT issues with the help of articles and instructions. There’s also a mobile app for IT teams who need that flexibility. If you’re a large team looking for a combined IT help desk and asset management tool that’s feature-packed, consider SolarWinds.

Pricing

SolarWinds has three Service Desk plans:

  • Essentials — $39/month/technician
  • Advanced — $79/month/technician
  • Premier — $99/month/technician

Features

  • Configuration management database
  • Automated risk detection and license monitoring for compliance with software licensing
  • Employee self-service portal for IT help desk tickets
  • Discovery Scanner that collects asset data from devices with IP addresses 

Pros

  • 30-day free trial of the Premier plan
  • Transparent pricing
  • Integrates with SolarWinds’ observability solutions

Cons

  • Smaller businesses might find the full-featured solution to be more than they need

Pulseway

Best for fully remote teams and MSPs

RMM provider Pulseway offers a SaaS IT management solution designed to be mobile-first. Its mobile application allows IT teams to monitor assets from their phones, and the app receives high overall ratings on both the App Store and Google Play store. Pulseway’s agent is customizable so you can design alerts for situations specific to your business. Pulseway also offers security add-ons, including patch management and an antivirus software integration. Customers can choose either Webroot or Bitdefender.

Pulseway is available for both IT teams and managed service providers; consider Pulseway if you’re an MSP looking for an IT monitoring solution to serve your customers.

Pricing

Pulseway’s pricing calculator allows potential buyers to select a number of endpoints, as well as security add-on features. They can also contact Pulseway with any questions about pricing. Pulseway also has a $149 fee for their one-time onboarding and best practices session.

Features

  • Server monitoring and management
  • Customized triggers that can automatically remediate IT problems
  • Patch policy creation
  • Templates for reporting and report scheduling options
  • Mobile app

Pros

  • Transparent pricing
  • Free trial
  • Additional security features, including ransomware detection and antivirus software integration

Cons

  • Limited support for Mac and Linux devices
  • No configuration management database

Track-It! by BMC

Best for smaller teams that need help desk functionality

Track-It!, owned by BMC, has an ITAM module that belongs to a combined IT help desk and endpoint management platform. The ITAM module offers automated IT asset discovery and reporting, so IT teams can identify when an unauthorized device joins the company network. Track-It! can also import supplier and asset pricing data to give the team a clearer picture of potential asset purchases based on their budget.

Track-It! gives IT teams the option to combine multiple IT management-focused modules and features, including scheduled email reports, change and knowledge management, and help desk ticketing. Consider Track-It! if your business is looking for an integrated endpoint and help desk solution.

Pricing

Track-It! requires potential buyers to request a quote for any pricing information. It offers a free trial.

Features

  • Imported supplier and asset cost data to inform IT budgeting
  • Report creation and scheduling, including brief reports for executives and more detailed ones for IT managers
  • Asset dashboards
  • Automatic discovery of network-connected assets, including updates to existing assets

Pros

  • Integrates endpoint management, help desk, and ITAM
  • Free trial

Cons

  • Lacks transparent pricing
  • No configuration management database
  • Customer reviews over time aren’t high overall

5 Key Features of ITAM Software

The central features of ITAM vary from vendor to vendor, but core functions include hardware and software discovery, asset change management, and license record tracking.

Hardware and software discovery

ITAM records servers, PCs, laptops, tablets, routers, switches, networking equipment, storage assets, and other devices that exist within an organization, including remote assets and mobile devices the organization owns. Metadata and other sources can be used to track the operating systems and applications running on those hardware assets.

License tracking

ITAM tools should record license usage within the enterprise and note any unlicensed assets. These can not only affect your business’s compliance stance but can also lead to potential security breaches depending on the license being used. If it’s shadow IT, it might be unsafe.

Tracking changes

Change management should be tracked automatically. As IT teams add new hardware or software to the overall IT infrastructure, the ITAM solution automatically updates the inventory.

Management

The ability to configure custom rules, manage permissions, create reports, and maintain scanning schedules helps IT teams develop a specialized solution and stay on top of it. When tools like ITAM perform tasks automatically or allow teams to develop reports for upper management, they save IT personnel valuable time.

Analytics

Some ITAM suites include financial analysis and risk management. These systems highlight areas where productivity could be improved via upgrades or where costs could be reduced due to unutilized resources.

How to Choose the Best ITAM Software for Your Business

As your IT team is evaluating IT asset management solutions, consider the following points while your team narrows down a list of tools to select the best fit for your business overall.

Systems supported

Ensure that the solution you use supports the operating systems and devices your business uses. If your team has Mac and Windows machines, the right ITAM solution should support both systems. Having to purchase multiple solutions or having incompatible devices will be a waste in the long run.

Single solution or suite

While some ITAM products are available as standalone solutions, others belong to a larger suite, like Pulseway. Consider whether your team is looking for multiple IT management solutions in one. This will affect cost, too, but it might save your team money in the long run if you need multiple tools.

Security tools

Security-focused IT teams have plenty of options: many ITAM products offer security add-ons like patch management or belong to a suite of security products already. Keep security integrations in mind if your team is looking for that.

Scalability

Does the ITAM solution you’re considering have the ability to increase the number of assets or technicians on a plan? This is particularly important if you have a small business that’s growing rapidly. You may only have five technicians now, but if you have twenty in a couple of years, you’ll need a product designed for businesses of multiple sizes.

Budget

Last but certainly not least, take your organization’s budget into consideration. Avoiding overspending while still choosing the best solution is a balancing act; you want to make sure the ITAM tool you choose is effective.

How We Evaluated ITAM Software

eSecurity Planet chose a selection of ITAM products to evaluate using a product scoring rubric. We also looked at vendors’ product pages and data sheets, as well as comprehensive user reviews, to determine which products are best for our audience.

In our product scoring rubric, the following criteria are weighted according to the percentages listed for each, and that weight affects the total score for each product accordingly. The top scored products made it onto our list, but some that were scored lower did not.

Features – 30%

We evaluated ITAM tools’ core capabilities, including hardware and software discovery, license tracking, and custom rules management.

Price – 20%

We not only evaluated available pricing information but also scored vendors based on their pricing transparency, availability of free trials, and whether they offered an annual pricing discount.

Deployment and administration – 25%

These subcriteria include knowledge bases, technical skill requirements to set up the product, and SaaS versus on-premises deployments.

Customer support – 15%

We scored customer support based on the frequency of availability, live chat and email support, and whether the vendor offered demos or training.

Additional capabilities – 10%

Other features that our research team scored included financial and risk analysis, third-party asset vendor management, and configuration management databases.

Frequently Asked Questions (FAQs)

People frequently ask the following questions about IT asset management software. We highlight benefits and considerations of using ITAM tools, among other details.

What are some key benefits of using IT asset management software?

IT asset management software is a central tool that IT teams can use to handle multiple parts of hardware and software lifecycles. IT assets like laptops, servers, and tablets need to be carefully managed, and that includes keeping licenses up to date but also making appropriate security upgrades. ITAM software simplifies the many jobs that IT teams have when they manage the business’s assets.

What security features should I consider when evaluating IT asset management software?

Patch management features can be a big help with the overwhelming process of addressing security vulnerabilities. Integration with endpoint security tools can simplify patch delivery, security monitoring and asset management. And discovering forgotten IT assets can protect your organization from security risks you were previously unaware of.

What is the difference between ITAM and ITSM?

ITAM and IT service management are similar, and it can be even more confusing when a vendor offers both in one product or suite of products. Broadly speaking, IT asset management focuses on IT assets like business devices and applications, while IT service management focuses on IT services (like help desk tickets and incident resolution) that often affect those assets. They overlap in some ITAM and ITSM products, though.

What are types of IT assets?

Along with company-issued laptops and desktops, tablets, mobile phones, and servers, other examples of IT assets include:

  • Routers, switches, and other networking equipment
  • Printers
  • Storage arrays
  • Databases
  • Antivirus and other security software installations
  • Software and applications

Note that not all solutions will support every networking or IoT device. If your business wants to cover those in an ITAM deployment, look for solutions like Quest KACE that inventory them, too.

Bottom Line: Empowering IT Teams with ITAM Software

IT asset management software simplifies IT teams’ jobs, centralizing many of the tasks they already have to do. It gives them tools to automate time-consuming tasks like taking asset inventory and searching for outdated licenses and unknown devices. ITAM products don’t automatically solve all of an IT team’s problems — they take time to learn and implement. But they’re a worthwhile investment, especially if you choose a tool that can scale with your business as it grows. If your IT team customizes ITAM software to fit your specific business needs, it can become a powerful tool that supports not only your technology department but also, behind the scenes, your entire organization.

Article written by Drew Robb on Dec. 1, 2021 and updated by Jenna Phipps on Aug. 23, 2023



The post 6 Best IT Asset Management (ITAM) Software appeared first on eSecurity Planet.

]]>
Patch Management Policy: Steps, Benefits and a Free Template https://www.esecurityplanet.com/compliance/patch-management-policy/ Fri, 30 Jun 2023 13:45:00 +0000 https://www.esecurityplanet.com/?p=25821 A patch management policy is a set of rules that defines how to manage the patching of software. Learn how to create one now.

The post Patch Management Policy: Steps, Benefits and a Free Template appeared first on eSecurity Planet.

]]>
Patching and updating devices can be a hassle and can cause business disruption. Yet, unpatched vulnerabilities provide attackers with open opportunities to cause great damage — with studies showing unpatched vulnerabilities estimated to contribute to 30-60% of all breaches!

A patch management policy formalizes the fundamental IT requirement that all systems and software be patched and updated in a timely manner. It does so with rules that explain the requirements for patching and updates; clear processes that can be followed, reported on, and confirmed; and standards that can be tested and verified.

This article can help organizations of all sizes start the process with a fundamental overview and a template:

Also read: 11 Key Steps of the Patch Management Process

Free Patch Management Policy Template

To kick start any patch management policy development, eSecurity Planet has developed a template that can be downloaded and modified. Notes of explanation or how to use the template are enclosed [between brackets] and these sections should be removed from final drafts.

Access the Sample Patch Management Policy Template.

The sample patching policy contains many sections, but not all sections will be required for all organizations, and others might require more details. See Common Patch Management Policy Sections below for more details.

How to Create a Patch Management Policy in 4 Steps

All security policies share the same four key steps to create a policy, and they are explored in detail in IT Security Policies: Importance, Best Practices, & Top Benefits. For a functional patch management policy, we summarized these steps as:

  1. Determine the Patch Management Policy: Identify responsible parties, who or what is covered, basic processes, validation methods, and reports; these often will be based on the current practices.
  2. Verify the Patch Management Policy: Formally check to ensure basic policy developed in step 1 satisfies the complete needs of the organization and any compliance requirements.
  3. Approve the Patch Management Policy: Draft official language and circulate the policy for approval by affected stakeholders and executives.
  4. Review and Modify the Patch Management Policy: Periodically review the policy to ensure it remains updated and continues to satisfy the evolving needs of the organization.
[Figure: Patch Management Policy Development Cycle]

Although the basics remain the same, patch management is a frequently regulated requirement and organizations will need to apply extra caution in verifying compliance requirements. Any rule that does not meet compliance requirements should be adjusted.

For example, a fire department might apply patches quarterly in practice. However, it might find that its state’s cybersecurity rules mandate monthly patching, and it will therefore need to change its patching frequency to monthly to comply.

Practical limitations will also be very important, and the policy team should work with the patching team to test the rules. If the IT team cannot comply with the standards and requirements using its current resources, should the organization adjust the rules or the resources?

In the fire department example above, perhaps the volunteer fireman who used to apply the patches in their spare time will need to be replaced or assisted by a patch management tool or service that can meet the monthly regulatory requirements.

Common Patch Management Policy Sections

When writing your patch management policy, consider the required, recommended, and bonus (aka nice-to-have) sections.

Required Policy Sections

These core sections should be part of every policy related to patch management:

  • Scope: What assets are covered by the policy and how to identify software and devices to be covered.
  • Patch Management Authority: Who is in charge and responsible for the patch management policy and its execution.
  • Patching Priority: How to determine the priority of patches and the basis for that determination based on severity, risk, and other factors.
  • Patch Scheduling: The length of time between the patch release and the organization’s installation based upon priority.
  • Patch Management Preparation: Backups and other system preparation that needs to be in place in case a patch fails and systems need to be restored.
  • Manual Patch Management: How to apply patches manually — especially for systems that require downtime for maintenance. Explain the process for scheduling and obtaining approval for business system downtime.
  • How to Handle Exceptions: Some patches will fail, some will cause business disruption, and some will simply not be needed. Explain how to recover systems and track exceptions and the process for mitigations to protect open vulnerabilities.
  • Patch and Update Reporting: How to measure success and compliance with patch management with reports, including how and what to report.

Recommended Policy Sections

These sections help to flesh out the patch management policy with additional rules to protect the organization and to help prepare the IT department:

  • Asset List: A list of resources or links to asset lists to help define the scope of systems and software tracked for patching and updating.
  • Patch and Update Acquisition: Outline where to obtain valid patches and updates.
  • Patch Testing: Test environments or testing of patches to verify they work and do not affect other business systems.
  • Automated Patching: Organizations often express a preference for automated patching processes to reduce patching delays and burdens for IT teams.
  • Audit Controls and Management: Outline what reports, logs, and information can satisfy internal and external auditors to track patch management success and verify patches have been successfully applied.
  • Enforcement: Penalties to the IT department for failure to execute the patch management process, penalties to employees that interfere with the patch management processes, and how to handle assets that do not comply with the patch management policy.
  • Distribution: Who must or should receive the patch management policy.
  • Policy Version: Tracking versions and approvals of the patch management policy.

Bonus / Nice-to-Have Policy Sections

These sections do not change the core elements of the patch management policy, but can make the policy more usable or comprehensive:

  • Overview: Sets expectations and goals for the policy.
  • Compliance Appendix: Copies or links to relevant compliance frameworks with which the organization must comply.
  • BYOD and Personal Equipment: How to deal with bring-your-own-device and personal equipment.

Top 5 Patch Management Policy Best Practices

All security policies share the same five best practices to create a policy, and they are explored in detail in IT Security Policy: Importance, Best Practices, & Top Benefits. For a functional patch management policy, we summarize these practices as:

  • Focus on What to Do, Not How: By focusing on goals and objectives, a policy can set standards while allowing the patch management team the flexibility to determine the best solution to meet those goals and objectives.
  • Make Policies Practical: The patch management team needs to be able to understand and implement the policy.
  • Right-size Policy Length: Too short and the policy may not have sufficient requirements to be verified; too long and the policy may become over-prescriptive or hard to understand.
  • Keep Policies Distinct: Overlapping policies can introduce conflicts or become more difficult to keep current.
  • Make Policies Verifiable: Effective policies require reports that prove the policy is both in place and effective.

The eSecurity Planet template seeks to be more comprehensive than some organizations may need, so every organization should review the template and add or remove content to fit its needs.

Beyond the standard best practices, patch management benefits from additional considerations. For example, when making patch management policies practical, use existing resources such as the Common Vulnerability Scoring System (CVSS) to determine risk and prioritize patches, but balance those resources with consideration of the organization’s specific context.

For example, some organizations only patch vulnerabilities with a score of 7 or above. Yet these ratings only measure the technical severity of the vulnerability itself and must be combined with the likelihood of exploitation and the value of the asset to the organization.

A data exfiltration vulnerability rated 8.0 on the marketing web server that only contains publicly released documents shouldn’t have higher priority than a 6.5 remote code execution vulnerability on the server hosting the company’s Active Directory (AD) services. The impact to the organization of a fully compromised AD would simply be too great to accept even a modest possibility of exploitation.

As a special consideration for patch management, many organizations deploy automated tools. These solutions work well and should be used; however, they tend to focus on certain parts of the IT ecosystem such as operating systems and common software such as Microsoft Office or Adobe Acrobat.

Tools often lack comprehensive coverage of third-party applications, firmware, internet-of-things (IoT) devices, networking equipment, backup applications, and more. The policy should not rely upon the tools or a patch management service to determine the asset list for the patching policy. The IT department must ensure that all resources that need patches are tracked and patched, even when applying the patch is difficult or may require manual patching.
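As an added example (not from the article or its template), the script below encodes the two cautions above: it ranks findings by a hypothetical risk weighting of CVSS severity, asset value and exploitation likelihood instead of a bare CVSS threshold, and it flags findings on assets the automated patch tool does not manage so they land in a manual patching queue. All assets, findings, vulnerability ids, weights and SLA tiers are constructed placeholders, not values from the article.

```python
"""Patch prioritisation that weighs CVSS severity by asset value and exploitation
likelihood, and flags assets that automated patch tools do not cover.
Added example for this article; all data and weights are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) to 5 (critical): value of the asset to the business
    managed_by_tool: bool   # True if the automated patch tool covers this asset


@dataclass(frozen=True)
class Finding:
    vuln_id: str                # placeholder id, not a real CVE
    asset: str                  # key into the inventory
    cvss: float                 # CVSS base score, 0.0 to 10.0
    description: str
    exploit_likelihood: float   # 0.0 to 1.0; 1.0 would mean known exploitation in the wild


# Constructed asset inventory: two servers the tool manages, two it does not
INVENTORY = {
    "marketing-web": Asset("marketing-web", criticality=1, managed_by_tool=True),
    "ad-dc01":       Asset("ad-dc01", criticality=5, managed_by_tool=True),
    "core-switch":   Asset("core-switch", criticality=4, managed_by_tool=False),  # firmware
    "backup-srv":    Asset("backup-srv", criticality=4, managed_by_tool=False),   # backup app
}

# Constructed findings, including the article's two illustrative cases
FINDINGS = [
    Finding("VULN-0001", "marketing-web", 8.0, "data exfiltration", 0.5),
    Finding("VULN-0002", "ad-dc01", 6.5, "remote code execution", 0.5),
    Finding("VULN-0003", "core-switch", 7.2, "authentication bypass in firmware", 0.3),
    Finding("VULN-0004", "backup-srv", 5.0, "information disclosure", 0.1),
]


def cvss_threshold_policy(findings, threshold=7.0):
    """The naive rule the article warns about: patch only if CVSS >= threshold."""
    return [f.vuln_id for f in findings if f.cvss >= threshold]


def risk_score(finding, inventory):
    """Hypothetical weighting: severity (0..1) x asset criticality x exploit likelihood."""
    asset = inventory[finding.asset]
    return round((finding.cvss / 10.0) * asset.criticality * finding.exploit_likelihood, 3)


def risk_ranked(findings, inventory):
    """Return (vuln_id, score) pairs, highest risk first."""
    scored = [(f.vuln_id, risk_score(f, inventory)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def patch_tier(score):
    """Map a risk score to a policy tier; tier cut-offs and SLAs are assumed, not prescribed."""
    if score >= 1.5:
        return "P1 (assumed SLA: patch within 7 days)"
    if score >= 0.75:
        return "P2 (assumed SLA: patch within 30 days)"
    if score >= 0.3:
        return "P3 (assumed SLA: next maintenance window)"
    return "P4 (assumed SLA: track, patch when convenient)"


def manual_patch_queue(findings, inventory):
    """Findings on assets the automated tool does not manage still need a named owner."""
    return [f.vuln_id for f in findings if not inventory[f.asset].managed_by_tool]


def unmanaged_assets(inventory):
    """Assets the policy must still track even though the patch tool does not see them."""
    return sorted(a.name for a in inventory.values() if not a.managed_by_tool)


def main():
    print("CVSS >= 7 only:", cvss_threshold_policy(FINDINGS))
    print("Risk-ranked:")
    for vuln_id, score in risk_ranked(FINDINGS, INVENTORY):
        print(f"  {vuln_id}  score={score:<6} {patch_tier(score)}")
    print("Needs manual patching:", manual_patch_queue(FINDINGS, INVENTORY))
    print("Assets outside tool coverage:", unmanaged_assets(INVENTORY))


if __name__ == "__main__":
    main()
```

Under the bare threshold the AD server's 6.5 RCE is skipped entirely, while the weighted ranking puts it first and puts the firmware finding on the unmanaged switch into the manual queue.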

Top 6 Benefits of an Effective Patch Management Policy

Many organizations feel that their undocumented patch management processes will not be improved by taking the time to put them into writing. However, this attitude overlooks six key benefits to any security policy:

  • IT Hardening: The process of creating or reviewing security policies forces the evaluation and potential improvement of security practices.
  • Employment Defense: Compliance with an executive-approved written policy provides coverage for the IT and security team in the event of a breach.
  • Executive and Board Member Peace of Mind: Executive stakeholders can easily understand the organization’s security posture from plain-language reports required by effective policies.
  • Litigation Protection: Reports and other evidence showing compliance with policies that encompass reasonable security efforts can provide protection against lawsuits and regulators in the event of a breach.
  • Compliance Easy Button: Policy-required reports will automatically be available for auditors if the policy already encompasses the compliance requirements.
  • Improved Operational Efficiency and Resilience: Effective policies, especially patch management policies, can detect end-of-life assets and ensure the installation of the latest features for ease of use and capabilities.

Bottom Line: Patching Policies Promote Premium Processes

A good patch management policy can provide a helpful checklist for creating an efficient and reliable patch management process. The reduced cybersecurity risk from patching and the improved communication from the reports will improve overall business processes and executive confidence.

However, patching cannot solve all problems. Patch management does not cover whether or not an organization has the correct software in place for their needs or if the software settings are properly configured.

Patch management policies provide a helpful part of an overall cybersecurity program but need to be combined with other critical policies and strategies to ensure a resilient organization.


The post Patch Management Policy: Steps, Benefits and a Free Template appeared first on eSecurity Planet.

IT Security Policy: Importance, Best Practices, & Top Benefits https://www.esecurityplanet.com/compliance/it-security-policies/ Thu, 29 Jun 2023 11:45:00 +0000 https://www.esecurityplanet.com/?p=21379 IT security policies are essential to get right. Discover their importance and benefits. Learn best practices for safeguarding your organization's network.

Written security policies do not directly improve network security, so some security practitioners sneer at written policy requirements. However, security practitioners in mature organizations not only understand the importance and benefits of written policies, they draft and promote the regulations that declare formally drafted policies as the basic requirement to start down the path to security maturity.

Policies provide a foundation of directives, regulations, rules, and practices that define how each organization will manage, protect, and distribute information. Additionally, regulators often cite a lack of formal policies as negligence as well as cause for higher fines and punishments after a breach.

This article will explore IT security policies through the following topics:

What Is the Ultimate Goal of an IT Security Policy?

The ultimate goal of an IT security policy is to provide a formalized set of rules and policies to benchmark the IT and cybersecurity posture of an organization. This benchmark can be used for a variety of purposes, but will most often be used to:

  • Demonstrate that risks are controlled and managed
  • Meet compliance obligations
  • Measure quality and capabilities of controls and staff
  • Mitigate liabilities in the event of a breach

The Importance & Core Objectives of IT Security Policies

The U.S. National Institute of Standards and Technology (NIST) published An Introduction to Information Security (NIST SP 800-12) that declares:

“Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.”

To organizations new to written policies, starting the process of developing security policies can be intimidating. Yet all organizations already follow security strategies, even if they are unwritten and unofficial. The key disadvantage of these unwritten security strategies is that when they fail to protect the resources, the organization will struggle to prove to regulators and juries that the IT and security teams executed an appropriate and sufficient cybersecurity strategy.

Written policies, especially those that require regular reports, naturally generate the evidence of compliance. They also show a formal security strategy that has been approved by corporate management.

Most importantly, written policies enable key IT security objectives that will have a daily impact on the organization by formalizing IT security strategies, goals, and objectives; managing user behavior; and measuring IT security success.

Formalize IT Security Strategies, Goals, & Objectives

Written policies provide instructions that can be used to show the intended strategy of the organization. Most strategies focus on the key objectives of information security:

  • Confidentiality: Allow access to specific data only to the users that need access
  • Integrity: Prevent accidental or unauthorized modification of data in storage or in transit
  • Availability: Provide continual access to data and systems for legitimate users

However, not all existing practices will always be found to incorporate best practices or adequately address these key objectives. The process of developing a security policy helps the IT security team to reflect on and improve the current practices as they are forced to write them down and compare them against goals and compliance requirements.

The policy creation process also helps to align the IT security goals and objectives with those of the business as policy goes through review by non-technical executives affected by the policies. In the end, the organization should enjoy the benefits of a policy that provides formal strategies, goals, and objectives that enable business growth within the protection of validated IT security strategies.

Manage User Behavior

Policies provide rules for acceptable use, access, and penalties for non-compliance for users of all kinds, from guest users on the public Wi-Fi network to administrative access of data center servers. These written policies then guide the settings within identity and access management (IAM) or privileged access management (PAM) tools.

Of course, IAM and PAM tools can be established without written policies, but written policies ensure consistent rules applied across the organization. The formal policies also provide a standard that can be compared against practices to determine if the practices are sufficient and within compliance.

Measure IT Security Success

An effective policy sets clear expectations for the IT security team. Reports required by policies should show compliance with the policy and enable the IT security team to measure their success to meet the goals of the policy.

While employees always strive for success, falling short can also be used to justify increases in resources. For example, if reports required by the patch management policy show that the patching of critical updates takes longer than desired, the management can consider adding more resources or outsourcing some functions.

6 Top IT Security Policy Benefits

Organizations of all sizes tend to avoid the hassle of documentation because the task seems overwhelming, tedious, and constraining. However, an effective security policy delivers six key benefits: IT hardening, employment defense, executive and board member peace of mind, litigation protection, compliance easy button, and improved operational efficiency and resilience.

IT Hardening

Developing an effective security policy will naturally enable a security process that hardens the IT environment against attack. Although some might consider compliance the primary motivation for written policies, the process of creating the policy forces security teams to evaluate systems more rigorously and address issues that might be overlooked in day-to-day operations.

Employment Defense

Despite the best efforts of the IT team, people will still click on phishing links, zero-day vulnerabilities will still be discovered, and company resource constraints may require some vulnerabilities to remain exposed. Although compliance with security policies can reduce the risk, attacks may still succeed in damaging the organization.

In many cases, executives may initially look for a scapegoat to take the blame for an incident and IT or security teams often will be targeted. An IT or security team that can demonstrate compliance with an executive-approved security policy also shows that best efforts were made to prevent possible breaches. This documentation can protect employees against unfair treatment after a breach and protect their jobs.

Executive & Board Member Peace of Mind

Effective security policies require reports that can be shared with non-technical executives to enable confidence in the IT and security teams. Policies reduce technical details into numeric reports and easy-to-understand metrics that make the status of security processes understandable and accessible to non-technical executives.

Clear reports enable smooth communication with executives and the board of directors of an organization to help build confidence in the security posture of the organization. Such reports not only demonstrate that the organization considers information security a high priority, but also build confidence that can translate into improved support for additional resources.

Litigation Protection

In the event of a breach or successful cybersecurity attack, government agencies or stakeholders may attempt to pursue legal action against the organization. Fortunately, legal standards generally only require “reasonable efforts,” which can be supported with the documentation from an effective security policy and the reports that demonstrate the policies have been implemented.

Organizations without formal reporting and processes will need to scramble to figure out what documentation may be required to support past efforts and then hope they still have the archival logs or other data to create that documentation. Organizations with formal documentation and reporting will already have a significant portion of their evidence ready to present with minimal effort or business disruption.

Compliance Easy Button

An effective security policy should be designed to reflect the compliance requirements of the organization. Auditors always ask for written policies to help them easily understand the objectives of the organization and the type of evidence they can expect to receive.

Fulfilling a written policy that has already conformed to a compliance framework makes it easy for the organization to satisfy the regulatory requirements. The organization’s regular internal reports will naturally provide evidence of compliance without any additional effort or steps.

Improved Operational Efficiency & Resiliency

An effective portfolio of security policies can help the organization:

  • Recognize end-of-life hardware and software for replacement
  • Quickly recognize infrastructure under strain from attack, failure, or workload
  • Verify settings and integration between systems
  • Ensure resilience of systems to minimize downtime
  • Ensure integrity and availability of data
  • Document uptime for internal and customer service level agreements (SLAs)

The survival of the business depends upon uptime and protected assets. Formalized documentation of security processes provides an internal checklist to protect assets, maintain uptime, and minimize mistakes.

Written policies also help with IT personnel transitions by providing documentation of expectations and reports of past activity. These will combine to save time by helping new IT employees grasp the status and expectations of the organization with less training.

3 Types of Security Policies

When developing a comprehensive set of security policies, an organization can get lost in the details. The SANS Institute alone provides templates for more than 60 different policies! These granular policies help a mature organization, but an organization just getting started needs a bit more focus.

The three types of policies defined by the National Institute of Standards and Technology (NIST) Special Publication 800-12 include program, issue-specific, and system-specific policies.

Program policies provide strategic, high-level guides of the overall information security program. These can be singular programs, such as this program policy for the University of Arizona, that provide an overview of the goals and objectives of the security program. These policies are intended to be evergreen and not require frequent updates, and often will reference other types of policies in an appendix that can be updated more frequently without requiring updates for the program policy itself. Program policies tend to be too vague to measure or verify. Other types of non-security program policies might include business continuity or risk management.

Issue-specific policies provide directed guides for specific components of the information security program, but at a level of abstraction that describes goals, objectives, and reporting requirements instead of naming specific tools, techniques, and settings. These policies need to be reviewed periodically to ensure they remain current in the face of organizational, technological, or compliance changes. Examples of issue-specific security policies include network security, password, endpoint, and encryption policies. Some issue-specific policies may fall under multiple program policies such as data backup (security, business continuity) or acceptable-use policies for employees (security, HR).

System-specific policies describe how issue-specific policies will be applied and enforced on specific systems. For example, how the network security, user access, vulnerability management, and change control policies might be enforced for a specific firewall or a classification of servers in a data center. These detailed policies will be enforced through settings on the devices or through centralized software that can manage the devices.

Common Issue-Specific Policies

For an organization beginning to implement security policies, the focus should start with relevant issue-specific policies. The specific key policies will depend upon the organization. Although many will start with access, network, endpoint, and password policies, these priorities reflect a traditional IT environment. A small virtual office of five stock brokers using Google Workspace might instead focus on policies for data security, data backup, and remote access policies to comply with SEC and FINRA requirements.

Here are 10 common issue-specific and related policies:

  • Acceptable Use Policy (AUP)
    • Instructs the organization how end users are permitted to use IT systems and services (computers, networks, data, internet, email)
    • Related policies: security awareness training policy, executive and administrative access policy
  • Access Policy
    • Instructs an organization how to classify, enforce, and manage access, authentication, and accounting of users across various system and data classifications
    • Related policies: physical access policy, system access policy, privileged access policy, remote access policy (may include remote desktop [RDP] or virtual private network [VPN] policies), password policy, identity and access management policy, multi-factor authentication (MFA) policy, vendor management policy
  • Application Security Policy
    • Instructs an organization how to secure code development and the connections to other corporate resources
    • Related policies: application programming interface (API) security policy, database security policy, application development policy
  • Cloud Security Policy
    • Instructs an organization how to secure access, data, networks, and applications on cloud-based resources
    • Related policies: cloud use policy, software as a service (SaaS) security policy, infrastructure as a service (IaaS) policy
  • Data Management Policy
    • Instructs an organization on the retention, management, and security of different classifications of data
    • Related policies: data retention policy, insider threat protection policy, encryption and cryptography policy, information security policy, data and asset classification policy, regulated data policy
  • Disaster Recovery Plan
    • Instructs an organization how to proceed with business recovery under various emergency circumstances
    • Related policies: backups policy, redundancy policy, capacity planning policy, stress testing policy
  • Endpoint Security Policy
    • Instructs an organization how to secure access, data, and applications on user-accessed endpoints that connect to the organization’s network and other resources
    • Related policies: endpoint security policy, bring-your-own-device (BYOD) security policy, mobile device policy, server security policy, container security policy
  • Incident Response and Monitoring Policy
    • Instructs an organization how to detect, identify, validate, track, mitigate, remediate, and manage potential security incidents
    • Related policies: log tracking and audit policy, attack-specific policies (ransomware, DDoS, etc.), data breach response policy
  • Network Security Policy
    • Instructs an organization how to secure access and data flows, and how to monitor connections between users and data
    • Related policies: firewall security policy, network security policy, email protection and security policy, wireless network and guest access policy
  • Vulnerability Management Policy
    • Instructs an organization how to locate, validate, prioritize, mitigate, and track vulnerabilities
    • Related policies: patch management policy, change management policy, vulnerability scanning policy, penetration test policy

5 Best Practices for Writing IT Security Policies

An organization can create an effective security policy by following five key best practices: focus on what to do rather than how, make policies practical, right-size policy length, keep policies distinct, and make policies verifiable.

Figure: 5 Best Practices for Writing IT Security Policies

Focus on What to Do, Not How

Technology changes so quickly that a policy will usually not be able to keep up with the technical details such as security tools and IT architecture specifics. When writing any IT-related policy, the policy should focus on the high-level goals, key deliverables, and compliance requirements.

The IT team will then use those requirements in combination with their budget and personnel constraints to develop an appropriate solution. Too many details either force the policy to be updated constantly or lock the IT team into obsolete tools, practices, or perspectives that may ultimately undermine rather than strengthen security. Where needed, exhibits or additional reports can be used to provide details that may need to be changed more frequently than the policy itself.

Some organizations will consider system-specific policies an exception that requires detailed descriptions of tools, settings, and allowed users. However, others keep system-specific policies at a high level and maintain specific work instructions that maintain the details. This is a matter of preference for the individual organization.

Make Policies Practical

Security policies won’t be successful if they do not work for the team responsible for the policy, are not understandable, or don’t fit the organization. In some cases, these objectives will come into conflict, and the policy-creating team will need to work with stakeholders to strike an effective balance.

Stakeholder-Friendly Policies

Stakeholder-friendly policies will be more readily adopted by IT and security teams responsible for implementing the policy or the users affected by them. When policies demand too many changes, impractical requirements, or exceed the resource constraints, the policies may be undermined, circumvented, or ignored.

To enable stakeholder-friendly policies, don’t dramatically change practices or add unnecessary details and instructions. Unless required by compliance or best practices, build off of existing practices to enable rapid adoption by both affected users and the teams enforcing the policy.

Additionally, use titles instead of names and tool categories instead of specific security tool names. This prevents the need to change the policy for every tool change, personnel change, or outsourcing engagement.

Understandable Policies

Not all readers have English as their first language, especially in international companies attempting to standardize policies worldwide. When drafting policies, use simple language written plainly for both the non-technical and non-legal audience.

During the drafting process, the document should be distributed to executives, legal counsel, and key staff members responsible for implementing the policy. Any confusion, vagueness, or uncertainty should be addressed and eliminated before approving the policy.

Fit Organization Needs

Tools and processes must fit the true needs of the organization and should not be followed blindly or without thought. Although every organization should begin drafting policies based upon existing practices and capabilities, this can lead to a trap of preserving incomplete processes into written policies. The organization should carefully examine their environment and ensure the policy reflects their true needs.

For example, an IT team of a hospital may use a commercial tool to conduct vulnerability scanning of their IT environment, but the tool may only scan PCs, network devices, and servers, which leaves an enormous range of healthtech devices unscanned for vulnerabilities. Their policy requirements should not reflect the limited devices currently scanned, but the full range of devices that need to be included in the vulnerability management process.

Policies should also have minimal exceptions and those exceptions should be documented. If the C-suite executives insist on being exempted from the password policy, then they should also be prepared to justify that exemption in court once the company suffers a breach. Just like employees, senior management should understand, agree with, and be bound by security policies.

Right-Size Policy Length

Policies should be no longer and no shorter than needed. IT and security teams often favor shorter policies because the lack of defined requirements provides them with maximum flexibility for execution. However, the lack of defined requirements often leaves gaps in requirements or makes the policies hard to verify for management or compliance.

On the other hand, attorneys often feel compelled to lock down as many details as possible to make verification more simple and to clarify as many points as possible. Unfortunately, this often tends to lead to over-prescriptive requirements that lock an IT team into the requirements of the moment and leave little room for keeping up with a dynamic IT environment.

These opposing forces must be balanced. IT teams, executives, and attorneys must work together to produce a document with sufficient detail that the IT team can clearly demonstrate compliance with the policy, but not so much detail that the policy becomes a shackle on the processes it governs.

Keep Policies Distinct

Security and compliance teams will look for information in expected policies. For example, to look up policies regarding endpoint protection, most would first look for an overall security policy or a specific endpoint protection policy. To bury the information in a vulnerability management policy is unintuitive and may lead to confusion.

Security policy creation teams should also avoid the temptation to copy-paste elements from other existing policies, such as a password policy, into semi-related policies (remote access, endpoint protection, etc.) for completeness. Unless the documents are linked to enable automatic updates, the copied information will rapidly become out of date. Instead of inserting sections of the other existing policies, reference them as needed.

Policies should be individually comprehensive with minimal overlap. Overlap with other policies can lead to language conflicts, uncertainties, and gaps in compliance and security. In the event an organization decides to mix policies, an index or guide should be produced to help team members locate policy information rapidly.

Make Policies Verifiable

Vague policies with nebulous, undefined deliverables satisfy only the requirement to have a policy, not the requirement to have a useful one. Effective policies define the deliverables clearly so that the IT or security team will have no difficulty satisfying policy requirements.

The security process should be measurable and testable to prove compliance with the policy as well as any relevant compliance frameworks. Reporting requirements should document metrics for measurement, define needed evidence (log files, vulnerability scans, etc.), the frequency of reports, and who should receive the reports.

How to Create a Security Policy in 4 Steps

Organizations large and small can create a functional security policy by following four key steps: determine the security policy principles, verify the policy, approve the policy, and review and modify the policy.

Determine the Security Policy Principles

The person or team drafting the policy will first need to determine the critical rules and steps within the policy. For example, some fundamental questions to answer include:

  • Who is responsible for the security process or standard?
  • Which people, assets, or systems will be covered by the security process or standard?
  • What are the security processes, standards, components, and priorities for each?
  • How can the security process or standard be validated and verified?
  • What reports are needed to establish and measure success and compliance for the security process or standard?

Don’t know where to start? Write down the current practice. Most IT teams have at least an informal process for nearly all security practices, even if they are not written down or monitored. This first draft can simply be notes. Formal paragraphs and language can come later after the basic principles have been outlined.

Verify the Security Policy

With the basic rules or principles in place, the policy development team should verify them against external requirements and practical limitations.

External Security Policy Requirements

Every organization faces general or specific regulations from international, federal, state, or local governments. Additionally, the organization may be required or may choose to comply with compliance frameworks (NIST, PCI DSS, etc.) and industry standards.

Some compliance standards will be broad and vague, but others will be detailed or have specific requirements. The policy development team needs to check these external regulations and revise any rule that does not meet the compliance requirements.

Practical Security Policy Limitations

Most organizations have limited resources, and often idealized policies do not take these limitations into account. The security policy development team should test the proposed rules with the IT and security teams. If these teams cannot comply with standards and requirements with their current resources, the organization will need to adjust the rules or resources as necessary.

For example, when developing a patch management policy, the IT team may not have the ability to meet the patch management schedule requirements with the current tools and staffing resources. The organization will then need to consider adjusting the schedule (if allowed by compliance requirements) or adding additional resources (tool upgrades, staffing increases, outsourcing, etc.).

Approve the Security Policy

After verification of the proposed security policy rules, the rules need to be formalized and approved by the organization’s management. Now is the time where rough notes need to be revised into formal paragraphs, tables, and appendices.

Once drafted, pass the policy to corporate management and legal counsel for review and approval. The policy can be modified as required and the final draft should be signed by the executives of the organization to ratify and acknowledge the requirements.

Review & Modify the Security Policy

Even though the security policy is approved in step three, the organization, its IT resources, and the regulations it faces will change over time. All policies should be living documents that evolve as the organization changes and should be periodically reviewed and updated. Generally, policies are reviewed on a fixed schedule (quarterly, semi-annually, annually, etc.); however, notable events such as dramatic changes to IT architecture, adopting significantly different security tools, or a security breach may merit an off-schedule review.

Bottom Line: Create Policies to Improve Focus

Organizations tend to view formal paperwork as a burden, but effective IT security policies enable organizations to improve their security posture, spend less time on compliance, and eliminate many worries. With current and effective policies, large and small businesses, non-profit organizations, and even government entities can validate their presumed security posture and gain the confidence to focus on the challenges most critical to their core mission.



The post IT Security Policy: Importance, Best Practices, & Top Benefits appeared first on eSecurity Planet.

Why DMARC Is Failing: 3 Issues With DMARC https://www.esecurityplanet.com/compliance/getting-dmarc-right/ Thu, 01 Jun 2023 15:00:00 +0000 https://www.esecurityplanet.com/?p=22792 Learn how to troubleshoot basic DMARC implementation issues and create a robust DMARC email security solution.

When organizations implement Domain-based Message Authentication, Reporting and Conformance (DMARC), they expect to tighten email security and protect against spoofing and other spam email attacks. Unfortunately, many organizations experience errors and don’t complete the DMARC setup to enforce a DMARC policy, leading to far less secure email systems than they think they have.

This article covers how to troubleshoot a DMARC deployment, the most common reasons DMARC deployments fail, and why moving to an enforcement policy matters.

Troubleshooting DMARC

Troubleshooting and deploying a correctly formatted Domain-based Message Authentication, Reporting and Conformance (DMARC) policy will require precision and time. Fortunately, there are many resources available from the DMARC.org website, email vendors, and even full-service DMARC vendors to help IT teams with the process.

General Troubleshooting Process

When attempting to fix a DMARC policy after initial setup, organizations will run into various issues. Basic DMARC requirements define the best practices for troubleshooting, which include:

  1. Verify and check the SPF, DKIM, and DMARC records in detail
  2. Deploy DMARC in monitoring mode (p=none), which reports authentication results without affecting delivery
  3. Check the DMARC aggregate reports for several weeks to identify legitimate email sources that fail SPF or DKIM alignment (these would be quarantined or rejected once the policy is enforced)
  4. Resolve those failures by updating the appropriate record or setting (SPF, DKIM, DMARC, or email vendor configuration)
  5. Once legitimate email issues have been resolved:
    1. Gradually enforce DMARC by moving to ‘p=quarantine’ and then ‘p=reject’ (the pct tag can limit enforcement to a percentage of messages during the transition)
    2. Check the reports for new failures
    3. Repeat until all sending domains and subdomains are verified, enforced, and fully protected
  6. Periodically check reports for IP address changes or new domain conflicts to be resolved, and for spoofing sources to report or block

Vendor-Specific DMARC Troubleshooting Guides

Most DMARC settings do not rely upon the specific email vendor, but some details may be vendor specific — especially with regard to DNS deployment, DMARC activation, and troubleshooting. Fortunately, most email vendors also provide guides or tutorials.

Microsoft 365 and Google Workspace (Gmail) provide tutorials and specialized instructions for properly configuring DMARC policies for their email customers. Similarly, smaller vendors such as Twilio’s SendGrid publish their own troubleshooting guides, so IT teams will need to check with their email and DNS providers for specific information.

Specialized DMARC Vendors

Harried IT teams without resources may not have time to study the requirements or troubleshoot the processes. For these organizations, specialized DMARC vendors can be an effective solution to save time and money.

Seth Blank, CTO of Valimail and co-chair of the DMARC Working Group, suggested, “To evaluate a platform’s ability to help you reach enforcement, assess its user experience, automation and customization.” Organizations should also verify that these potential vendors can service the full spectrum of policies (SPF, DKIM, DMARC) and can explain how they might address common issues such as SPF lookup limits.

Common Reasons Why DMARC Deployment Fails

DMARC deployment can fail for a host of reasons. Initially, an organization may make mistakes with their DMARC record that causes DMARC checks to fail. Once the DMARC record is corrected, the organization may find many emails suffering DMARC rejection which requires another round of troubleshooting.

Beyond the technical issues, DMARC can also fail due to insufficient resources dedicated to supporting DMARC or even by not escalating the DMARC settings. An IT team must work with other stakeholders in the organization to stress the importance of DMARC and overcome these obstacles.

Common DMARC Mistakes

DMARC, SPF, and DKIM records are short DNS TXT records; however, that simplicity also means small mistakes can create big problems. The dmarc.org site publishes a list of common problems found in published DMARC records, and we will cover the major categories here.

Invalid DNS Records

Incorrectly published DMARC, DKIM, and SPF records with extra or incorrect text will be ignored by receivers. These issues can stem from several different types of errors, including:

Wildcard records, in dmarc.org’s terminology, are records in which template placeholders or extra text were published instead of real values, such as:

  • SPF records containing a placeholder address such as ip4:201.5.YY.ZZZ instead of an actual IP address
  • Incomplete or truncated DKIM public keys
  • Random text or comments inserted into the record such as “Please contact your registrations service provider…”, “***”, or “This domain’s zone has been disabled”
  • Domain owners or vendors inserting names into the record

Not following directions is similar because it also leaves extra text in the record; in this case it is typically tool output or instructions copied along with the value. In the sample “_dmarc.fromage.XXXXXXXX.fr descriptive text v=DMARC1; p=reject;…” the words “descriptive text” are the label that the host command prints in front of a TXT record, and they were pasted into the record itself.

Common formatting errors avoid wildcard and extra text issues but create problems in other ways such as:

  • Order and case of the version tag: “v=DMARC1” must come first and its value must be exactly DMARC1 in capital letters, so “p=none; v=DMARC1; rua=mailto:…” (wrong order) and “v=dmarc1;P=Reject;…” (lower-case version value) will both be ignored
  • Forgetting variable tags or proper syntax such as writing
    • “DMARC1” instead of “v=DMARC1”
    • “rua=email@…” instead of “rua=mailto:email@…”
  • Forgetting semicolon (;) separators or using the wrong separator between variables such as with “v=DMARC1 p=none…” or “v=DMARC1:p=none…” instead of “v=DMARC1;p=none…”
  • Permitted, but potentially problematic formatting such as
    • Using capital letters other than for DMARC1 such as “V=DMARC1;P=NONE…” instead of “v=DMARC1;p=none…”
    • Unneeded spaces such as with the extra space before “mailto” in “rua= mailto:email@…” instead of “rua=mailto:email@…”

Typos and extra characters will often sneak into a DNS record because of copy-paste errors or even specific DNS requirements. For example, some DNS servers require semicolon characters to be escaped using a backslash (\) character and the file may be found with too many (\\) backslashes or forward slash (/) characters used by accident.

Bad record content is listed separately by dmarc.org, but it has a lot in common with typos and formatting errors. For example, instead of using one of the three permitted values for the “p” tag (none, quarantine, reject), the record may use incorrect (“blocked” or “monitor”) or misspelled (“quarintine”) values. A receiver that cannot parse the policy tag falls back to p=none if the record carries a valid rua address, and otherwise applies no DMARC processing to the domain at all.
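The checks described in this section can be scripted. The following syntax checker is an added example written for this article, not code from eSecurity Planet or dmarc.org; it takes the TXT value you retrieved with dig, host or nslookup (it does not query DNS itself) and reports the formatting mistakes listed above. The set of placeholder fragments it looks for is an assumption and should be extended to match your own templates.

```python
"""Syntax checker for a DMARC DNS TXT record (RFC 7489 tag-value list).

Added example, not eSecurity Planet's code. It flags the record-format
mistakes described in the article. It does not query DNS: pass in the TXT
value you retrieved with dig, host or nslookup.
"""
import re

_POLICY_VALUES = {"none", "quarantine", "reject"}          # p= / sp=
_ALIGNMENT_VALUES = {"r", "s"}                             # adkim= / aspf=
_KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
# Fragments left behind when a template or tool output is pasted as-is
# (the literal placeholders are an assumption; extend for your templates).
_PLACEHOLDER = re.compile(r"descriptive text|XXXX|YYY|ZZZ|\.\.\.|\u2026", re.IGNORECASE)


def check_dmarc_record(txt: str) -> list:
    """Return the problems found in a DMARC TXT value; an empty list means it parsed cleanly.

    Entries starting with 'warning:' are permitted by the RFC but worth cleaning up.
    """
    problems = []
    record = txt.strip().strip('"')

    if "\\;" in record or "\\\\" in record:
        problems.append("escaped backslashes or semicolons present (check your DNS provider's escaping rules)")
    if _PLACEHOLDER.search(record):
        problems.append("placeholder or tool-output text left in the record")
    if ";" not in record and (" " in record or ":" in record):
        problems.append("tags separated by whitespace or ':' instead of ';'")

    tags = []
    for raw in record.split(";"):
        part = raw.strip()
        if not part:
            continue                      # a trailing ';' is fine
        if "=" not in part:
            problems.append(f"tag without '=': {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        if name != name.lower():
            problems.append(f"warning: tag name {name!r} is upper case")
        tags.append((name.lower(), value))

    if not tags or tags[0][0] != "v":
        problems.append("'v=DMARC1' must be the first tag")
    for name, value in tags:
        if name == "v" and value != "DMARC1":
            problems.append(f"version must be exactly 'DMARC1', got {value!r}")
        elif name in ("p", "sp") and value.lower() not in _POLICY_VALUES:
            problems.append(f"{name}= must be none, quarantine or reject, got {value!r}")
        elif name in ("adkim", "aspf") and value.lower() not in _ALIGNMENT_VALUES:
            problems.append(f"{name}= must be 'r' or 's', got {value!r}")
        elif name in ("p", "sp", "adkim", "aspf") and value != value.lower():
            problems.append(f"warning: {name}={value} is upper case")
        elif name in ("rua", "ruf"):
            for uri in value.split(","):
                if not uri.strip().startswith("mailto:"):
                    problems.append(f"{name}= URI missing 'mailto:' scheme: {uri.strip()!r}")
        elif name == "pct" and not (value.isdigit() and int(value) <= 100):
            problems.append(f"pct= must be an integer 0-100, got {value!r}")
        elif name not in _KNOWN_TAGS:
            problems.append(f"unknown tag {name!r}")
    if all(name != "p" for name, _ in tags):
        problems.append("required 'p=' tag is missing")
    return problems
```

Run it against the value exactly as your resolver returns it (quotes included), since the copy-paste step is where most of these defects are introduced; a clean result from this check is step 1 of the troubleshooting process above, not proof that the policy does what you intend.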

Overlooked Subdomains

When creating SPF records, an organization is limited to 10 DNS lookups per SPF evaluation. Often this means larger organizations will have multiple SPF records and will segregate specific subdomains for separate SPF records.

However, when the organization creates its DMARC record, it may focus exclusively on the organizational domain (EX: SampleOrganization.com) and overlook its subdomains (EX: ITNotifications.SampleOrganization.com or SalesEmails.SampleOrganization.com).

Unless a subdomain publishes its own _dmarc record, the policy published on the organizational domain applies to it: the sp tag, if present, governs subdomains, and otherwise the p value applies. Overlooking subdomains that require separate handling may unintentionally block legitimate emails originating from servers on those subdomains.

Overlooked DMARC Updates

All DNS records, including DMARC, require updates as organizations evolve. For example, an organization will switch the IP addresses of its email servers as it upgrades or transitions to the cloud. Each IP address change requires an update to the SPF record that DMARC depends on.

Similarly, companies send email campaigns from a variety of third-party vendors for marketing (HubSpot, Mailchimp, etc.), sales (Salesforce, etc.), surveys (SurveyMonkey, etc.), accounting (Quickbooks, etc.), and help desks (Zendesk, etc.). As they adopt new vendors or these vendors change their email infrastructure, again, DMARC, SPF, and DKIM will require updates to keep up with the changes and avoid blocking legitimate emails.

DMARC Rejections

When implementing DMARC, organizations start with ‘p=none’ to avoid rejecting improperly configured but legitimate emails. The three most common ways legitimate emails fail DMARC (and would be rejected once the policy is enforced) include:

  • Failure to set up DKIM signatures for email vendors — without a signature under the organization’s domain, the sending service (Gmail, Microsoft 365, etc.) either does not sign or signs under its own domain, which does not align with the DMARC domain
  • Failure to authorize third-party senders in SPF and DKIM — unless the sender’s servers are included in the organization’s SPF record and the vendor signs with the organization’s domain, these providers authenticate under their own domain by default, which causes a mismatch
  • Forwarding entities altering body and headers — resenders, mailing lists, gateways, and malware scanning solutions intercept the email and then forward it on. Forwarding replaces the sending IP address, which breaks SPF, and any modification of the body or signed headers breaks the DKIM signature

The first two issues can be managed by correctly establishing DKIM signatures for email vendors and correctly authorizing third-party senders in the organization’s SPF and DKIM records. There isn’t much that can be done about the third issue unless the organization can contact or control the forwarding servers; Authenticated Received Chain (ARC, RFC 8617) lets a forwarder pass along the authentication results it observed, but it only helps when the forwarder and the final receiver both support it.

In addition to the three most common issues, an organization can also run into issues with SPF and DKIM alignment. DMARC alignment prevents spoofing of the “header from” address by requiring a match between:

  • The “header from” domain and the envelope sender (RFC5321.MailFrom, or “MFROM”) domain used during the SPF check
  • The “header from” domain and the domain in the “d=” tag of the DKIM signature

By default alignment is relaxed (the organizational domains must match, so a subdomain aligns with its parent domain); the aspf and adkim tags can be set to “s” to require an exact match.

Often, third-party email senders cause issues by using their own “MFROM” domain and signing with their own DKIM domain. Such a message may pass SPF or DKIM, but not alignment, so it fails DMARC. Fixing this requires coordination with the vendor to have it sign with a DKIM key under the organization’s domain, use a custom return-path on the organization’s domain, or both, and to adjust the SPF, DKIM, and DMARC records accordingly.
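The alignment rules above, the subdomain fallback from the “Overlooked Subdomains” section, and the third-party-sender case can be seen together in one small evaluator. This is an added example, not code from the article or from any DMARC vendor. It makes two simplifying assumptions that are labelled in the code: a constructed four-entry suffix set stands in for the Public Suffix List that a real receiver uses to find the organizational domain, and the raw SPF and DKIM verdicts are passed in rather than computed (no DNS lookups, no signature verification).

```python
"""DMARC identifier alignment and policy selection (RFC 7489 sections 3.1 and 6.6.3).

Added example, not the article's or any vendor's code. A real receiver
derives the organizational domain from the Public Suffix List and computes
the SPF and DKIM verdicts itself; here a constructed suffix set stands in
for the PSL and the raw verdicts are supplied as inputs.
"""

# Constructed stand-in for the Public Suffix List (assumption for this example).
_PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Reduce a domain to its registrable part: notify.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in _PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    only needs the same organizational domain."""
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


def evaluate_dmarc(header_from, mail_from, spf_pass, dkim_domain, dkim_pass, record):
    """Combine raw SPF/DKIM verdicts with alignment and pick the policy to apply.

    record holds the parsed DMARC tags published for the organizational domain
    of header_from, e.g. {"p": "reject", "sp": "none", "aspf": "r", "adkim": "s"}.
    mail_from is the RFC5321.MailFrom domain; dkim_domain is the d= tag of a
    signature that verified (None if there was no valid signature).
    """
    spf_aligned = bool(spf_pass and aligned(header_from, mail_from, record.get("aspf", "r")))
    dkim_aligned = bool(dkim_pass and dkim_domain
                        and aligned(header_from, dkim_domain, record.get("adkim", "r")))
    # DMARC passes if either mechanism passes *and* aligns (RFC 7489 section 6.6.2).
    passed = spf_aligned or dkim_aligned

    # sp= governs subdomains that publish no _dmarc record of their own; it falls back to p=.
    is_subdomain = header_from.lower().rstrip(".") != organizational_domain(header_from)
    policy = record.get("p", "none")
    if is_subdomain:
        policy = record.get("sp", policy)
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else policy,
    }
```

The vendor scenario from the text is a message with header From example.com, MAIL FROM under the vendor’s domain and a DKIM signature with the vendor’s d=: both raw checks pass and DMARC still fails, and under p=reject it is rejected. Having the vendor sign with d=example.com flips the result to pass without touching SPF. The same function shows why a strict adkim=s setting makes a subdomain sender fail against its parent’s key, and how sp=none would soften the outcome for subdomains only.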

Insufficient Resources

Smaller organizations always struggle with time-intensive IT issues. Seth Blank admitted, “Frankly, setting up DMARC is complicated, which accounts for the gap between policies and policies at enforcement.”

Insufficient Staffing

Despite the simplicity of the specific technologies, the regular maintenance to keep SPF, DKIM and DMARC current can be difficult to keep up with for large companies with dedicated teams. For small organizations with small IT teams, the maintenance can be nearly impossible.

“DMARC is an intricate standard reliant on two additional email standards, SPF and DKIM. Both of these standards would be strenuous to configure on their own. Smaller companies without an IT department to dedicate to DMARC do not have the resources to implement these records together,” said Blank.

Insufficient Tools

The DMARC aggregate (rua) and failure (ruf, often called forensic) reports sent by receiving email providers include crucial email ecosystem information, but the machine-readable XML files will not be intuitive or easy to read for humans. Additionally, for even moderately sized organizations, the sheer volume of reports received can overwhelm an organization attempting to manually collate and parse the information in a meaningful way. Fortunately, many DMARC reporting tools are available to enable rapid and meaningful analysis of DMARC reports.
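What those tools do at their core is not complicated, as the following added example shows; it is written for this article and is not code from eSecurity Planet or any reporting vendor. The embedded aggregate report is constructed for illustration and follows the RFC 7489 Appendix C schema. It sums message counts per sending IP and separates three cases a troubleshooter cares about: sources that pass, sources whose raw SPF or DKIM passes but does not align (typically a vendor sending under its own domain), and sources that fail outright (likely spoofing). Real reports arrive as zipped or gzipped XML attachments and are untrusted input; in production, parse them with defusedxml rather than the standard-library parser used here for portability.

```python
"""Summarize a DMARC aggregate (rua) report by sending source.

Added example, not the article's or any vendor's code. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C format. Real reports are
untrusted input: parse them with defusedxml in production.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name><report_id>42</report_id>
    <date_range><begin>1685577600</begin><end>1685663999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>vendor-mail.example.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.vendor-mail.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate message counts per source IP into DMARC pass/fail plus the raw SPF/DKIM results.

    policy_evaluated holds the *aligned* verdicts; DMARC passes when either is 'pass'.
    auth_results holds the raw verdicts, which is how a vendor that authenticates under
    its own domain (raw pass, aligned fail) is told apart from an outright spoofer (raw fail).
    """
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "raw_spf": set(), "raw_dkim": set()})
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary[ip]
        entry["pass" if passed else "fail"] += count
        for kind in ("spf", "dkim"):
            for auth in rec.findall(f"auth_results/{kind}"):
                entry[f"raw_{kind}"].add((auth.findtext("domain"), auth.findtext("result")))
    return dict(summary)


def classify(summary: dict) -> dict:
    """Label each source 'ok', 'misaligned' (raw pass but DMARC fail) or 'unauthenticated'."""
    labels = {}
    for ip, entry in summary.items():
        if entry["fail"] == 0:
            labels[ip] = "ok"
        elif any(result == "pass" for _, result in entry["raw_spf"] | entry["raw_dkim"]):
            labels[ip] = "misaligned"
        else:
            labels[ip] = "unauthenticated"
    return labels
```

On the constructed report, 192.0.2.10 is clean, 198.51.100.7 is a vendor that authenticates under vendor-mail.example.net and needs the alignment fix described earlier, and 203.0.113.99 is a source that never authenticated and would be rejected once the policy is escalated. The “misaligned” bucket is the one to work through before moving off p=none; the “unauthenticated” bucket is the reason to move.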

Failure to Escalate DMARC Settings

The most significant issue with DMARC stems from organizations failing to escalate their DMARC settings. Whether out of fear of blocking legitimate emails or simply because implementing teams overlook escalation, failure to switch from p=none to a more rigorous policy undermines the effectiveness of DMARC.

Unless an organization sets an enforcement policy to “quarantine” or “reject,” even emails recognized as fraudulent will still be allowed to pass through to inboxes. Without the more restrictive enforcement policy, organizations place an unnecessary burden on email security applications and increase the likelihood of a phishing attack successfully impersonating a brand.

“A policy not configured to ‘quarantine’ or ‘reject’ fraudulent actors is like a bouncer who checks IDs and lets everyone in regardless of age,” said Blank. “DMARC enforcement should be the first level of protection … Other network security measures, like AI-based monitoring, can be valuable, but validating IDs shows you who is trying to get access.”

Bottom Line: DMARC Enforcement Reduces Phishing

If every organization deployed DMARC with full enforcement, spoofed emails would be dramatically reduced and phishing emails would become much less effective. While not all email attacks can be stopped, reducing credible spoofing attacks will dramatically reduce the burden on our email security tools as well as the number of phishing victims for our organization and every other recipient. It is time to protect your brand, defend against BEC, and reduce spam globally with full deployment of SPF, DKIM, and DMARC.

10 Best Third-Party Risk Management Software & Tools https://www.esecurityplanet.com/products/third-party-risk-management/ Wed, 17 May 2023 21:26:21 +0000 https://www.esecurityplanet.com/?p=19103

Cyberattacks linked to software supply chain vulnerabilities have brought renewed interest in third-party risk management programs — and in the tools that manage them.

Third-party risk management (TPRM) software and tools — also known as vendor risk management (VRM) — go beyond the general capabilities of risk management and governance, risk, and compliance (GRC) solutions with specialized onboarding, risk assessments, and due diligence for organizations working with third parties. Some TPRM tools also assess operational risks, but our focus here is on third-party security, privacy and compliance issues.

We’ll take an in-depth look at the top third-party risk management vendors and tools — followed by what buyers should consider before making a purchase.

Comparing the Top TPRM Software & Tools

Product | Use Case | Managed Vendor Risk Assessments | Vendor Intelligence Networking | Free Trial
OneTrust | Best Overall | Yes | Yes | Yes
Prevalent | Best for Managed Vendor Risk Assessments | Yes | Yes | No
Venminder | Best for Customer Support | Yes | Yes | No
BitSight | Best for Vendor Intelligence Networking | No | Yes | No
ProcessUnity | Best for Automated Vendor Management Workflows | Through Third Parties | No | No
Archer | Best for SLA Management | Limited | No | No
SecurityScorecard | Best for Intuitive User Experience | No | No | Yes
Aravo | Best for Customization | No | Yes | No
Panorays | Best for Ease of Deployment | No | No | Yes
Diligent | Best for Reporting and Visualizations | Limited | Limited | No

OneTrust Third-Party Risk Management

Best Overall


A bona fide unicorn, OneTrust launched in 2016 to offer privacy management and marketing compliance solutions. To comply with a growing list of global regulations, the Atlanta-based compliance monitoring provider offers OneTrust Third-Party Risk Management (previously Vendorpedia) to help organizations evaluate customer, employee, and vendor data transfers. OneTrust offers privacy impact assessments, data inventory mapping, remediation actions, and recurring audits on a web-based portal. It is widely considered one of the best TPRM solutions for compliance-driven industries.

OneTrust TPRM’s highest user reviews cite its usability and accessibility, quality of technical support, and high-quality automation for vendor management. OneTrust is also one of the few TPRM solutions that offer a free trial option to users.

Key Features

  • Workflow integration builder
  • Unified third-party relationship inventory
  • OneTrust Insights and Analytics engine
  • Intelligent onboarding workflows
  • Dynamic questionnaires

Pros

  • Highly integrated with other OneTrust solutions and third-party data sources
  • Offers AI auto-completion technology for faster questionnaire completion
  • Workflows are highly configurable and follow intuitive if/then logic

Cons

  • Some limitations to OneTrust’s risk mitigation features
  • Limited risk scoring and advanced analytics capabilities
  • Room for growth in native integrations

Pricing

Pricing for smaller businesses starts at $600 a month. Enterprise buyers will need to contact OneTrust for pricing information.

Prevalent TPRM Platform

Best for Managed Vendor Risk Assessments


Started in 2004, Prevalent is an IT consulting firm that specializes in governance, risk, infrastructure, and compliance technology. The company offers customers a suite of third-party risk management solutions through the Prevalent TPRM Platform; features include inherent risk scoring, offboarding and termination, and vendor risk assessment and monitoring. With Prevalent’s sourcing and selection, organizations can reduce cost, complexity, and exposure from the start by picking trusted vendors.

Prevalent’s highest reviews and ratings cite its ease of integration and deployment, profile management, and technical support. It is also one of the best options for buyers who are looking to move beyond TPRM software into fully managed services and strong customer support.

Key Features

  • Automated risk assessment and continuous risk monitoring
  • Automated assessment workflows and remediation management
  • Vendor intelligence networks
  • RFx Essentials for centralized distribution and management of RFPs and RFIs
  • Inherent risk scoring with prescriptive guidance on corrective action and due diligence

Pros

  • Users have real-time access to completed risk reports for thousands of companies through vendor intelligence networks
  • Strong professional and managed services backbone
  • Extensive connector marketplace for easier integration

Cons

  • Only basic risk-scoring capabilities are available.
  • Customization is limited at the customer level; most customization happens only through the vendor.
  • The user interface is less intuitive than some competitors

Pricing

Pricing information is not transparently provided on the Prevalent site. Prospective buyers will need to contact the vendor directly for pricing information. Prevalent TPRM can also be found on AWS.

Venminder

Best for Customer Support


Venminder launched in 2003 as a SaaS vendor that streamlines third-party risk management. Venminder provides administrators with oversight and contract management frameworks, risk assessments, due diligence requirements, questionnaires, SLA management, and vendor onboarding. In Venminder Exchange, clients can access the platform’s repository for assessments of vendor security status, SOC reports, contracts, financials, business continuity and disaster recovery, and more.

Venminder’s highest reviews and ratings cite its quality of end-user training, profile management, and evaluation and contracting. New users are assigned a relationship manager for more hands-on onboarding. After onboarding, the company continues to offer extended support hours for customers with email, phone, and chat communication options.

Key Features

  • Customizable risk assessments with templating and progress monitoring
  • Automated, customizable questionnaires
  • Oversight Management feature with vendor scorecard tracking
  • Issue and SLA management
  • Point-in-time risk profile creation

Pros

  • Extensive library of free learning resources, webinars, infographics, etc.
  • Unlimited user access is available in all plans
  • With a la carte services and features, this solution is easy to scale and adjust to your business’s specific requirements

Cons

  • Limited international presence and reach; works almost exclusively with North American clients
  • Historically has mostly focused on finance clients; expertise and experience in other areas may be limited
  • Mostly geared toward smaller business requirements

Pricing

Venminder is sold in two different pricing package formats: Professional and Enterprise. Beyond general software features, users also have the option to purchase control assessments and managed services on an a la carte basis. Specific pricing information is not transparently provided on the Venminder site. Prospective buyers will need to contact the vendor directly for pricing information. AWS quotes enterprise pricing, including all modules, at around $100,000.

BitSight Third-Party Risk Management

Best for Vendor Intelligence Networking

BitSight — known as a pioneer in the security ratings space — is a top provider of TPRM solutions. Using sophisticated algorithms and daily security ratings, BitSight Third-Party Risk Management and the Security Ratings Platform help organizations manage third-party risk. BitSight also integrates with other VRM tools like ServiceNow and ProcessUnity to offer users the best of the TPRM market.

BitSight’s highest reviews and ratings cite the timeliness of vendor response to product questions and patching cadence. The TPRM provider is known for its vendor intelligence network, with over 20,000 vendor profiles available to users.

Key Features

  • Automated onboarding assessments
  • Data-driven vendor response validation
  • Real-time reporting
  • Fourth-party product usage discovery
  • Customizable workflows for vendor assessment prioritization

Pros

  • BitSight integrates and works well with most other TPRM solutions
  • Customers and non-customers alike have access to free cyber security reports
  • Reporting is comprehensive and fairly easy to customize

Cons

  • Limited peer community and forum opportunities
  • Limited communication and access to customer support representatives
  • It’s not easy to filter data results or update report results as issues in the network are resolved

Pricing

Pricing information is not transparently provided on the BitSight site. Prospective buyers will need to contact the vendor directly for pricing information. The only sources we could find cite starting pricing around $20,000 a year.

ProcessUnity Third-Party Risk Management

Best for Automated Vendor Management Workflows


ProcessUnity offers SaaS solutions for managing various components of governance, risk, and compliance (GRC). With ProcessUnity Third-Party Risk Management, organizations are empowered to assess, monitor, and conduct due diligence when working with business partners. Across vendor risk assessment processes, ProcessUnity’s solution can help identify, manage, and remediate issues. The tool also includes periodic vendor performance reviews to ensure the ongoing strength of the organization’s security posture.

ProcessUnity’s highest reviews and ratings cite timely support responses, product configurability, and added features. Users are particularly impressed with the automation that’s been added to the tool over time; automated critical workflows can be customized for assessment scoping, evidence collection, and other risk management processes.

Key Features

  • Pre- and post-contract due diligence
  • Third-party onboarding with sourcing and RFx support
  • Risk domain screening
  • Issue and vendor performance management with SLAs
  • Automated assessment scoping and evidence collection

Pros

  • Hands-on automations and no-code features make this tool highly customizable
  • Reporting-As-A-Service feature translates report data in a way that all stakeholders can understand
  • The solution supports the whole TPRM lifecycle, from sourcing to contract management

Cons

  • Considered a fairly expensive TPRM solution
  • Limited visualization features in reports
  • Questionnaires could offer more features

Pricing

Pricing information is not transparently provided on the ProcessUnity site. Prospective buyers will need to contact the vendor directly for pricing information. The VRM Essential Edition for SMEs starts at $15,000.

Archer Third-Party Governance

Best for SLA Management

Archer Third-Party Governance — formerly part of RSA but now privately owned — is an enterprise-ready risk quantification software solution for aggregating risks and safeguarding organizations from disruption. Critical features for Archer include customizable controls and risk indicators, risk profile metrics, and advanced visualization tools to compare risk consequences.

Archer’s highest reviews and ratings cite its history and reporting, integration and deployment, and comprehensive management of third-party SLAs. Private equity firm Cinven acquired Archer in April 2023.

Key Features

  • Bowtie diagrams for risk and mitigation illustration
  • Customizable risk reporting and monitoring
  • Quantitative and qualitative risk analysis
  • Desktop and mobile accessibility
  • Customizable key risk indicators

Pros

  • Designed with highly regulated industries in mind
  • AI-powered features make it easier to quickly assess third-party asset risk
  • Some of the best fourth-party risk management features in the market

Cons

  • The solution works most effectively only when used with other Archer solutions
  • The pricing and licensing model for Archer is somewhat complicated
  • Frequent acquisitions and internal moves make it difficult to predict the long-term direction and stability of this solution

Pricing

Pricing information is not transparently provided on the Archer site. Prospective buyers will need to contact the vendor directly for pricing information, but the company says typical TPRM pricing is around $30,000 to $50,000.

SecurityScorecard Platform

Best for Intuitive User Experience


Considered a pioneer in the TPRM space, SecurityScorecard is a cybersecurity service provider with patented rating technology. Boasting over 1,000 organizations as clients and a million companies continuously rated by extension, SecurityScorecard has come a long way since its founding. Organizations can analyze their digital footprint and fill cybersecurity gaps with instant risk ratings mapped to vendor cybersecurity questionnaire responses.

The SecurityScorecard Platform’s highest reviews and ratings cite its ease of deployment, superior customer support, and capability of handling public-facing infrastructure risk. The layout of the tool and its central dashboard are easy to navigate, and its graphics make for some of the best TPRM visualizations in the market.

Key Features

  • Continuous monitoring and global IP scanning
  • Automated send-and-response for questionnaires
  • Rule-based tools for cybersecurity responses
  • Dashboarding for third- and fourth-party vendors
  • Customizable scores, due dates, reminders, and alerts for vendors

Pros

  • Strong user interface and visualization capabilities
  • One of the few TPRM solutions that offer transparent pricing models for prospective buyers
  • The free version of SecurityScorecard offers limited features to an unlimited number of users

Cons

  • Limited risk mitigation and response features; the tool primarily focuses on detection
  • Occasional lag in response times from customer support
  • Somewhat limited reporting capabilities

Pricing

SecurityScorecard is available in four different plan options:

  • Free: $0 per month for unlimited team members
  • Pro: $400 per month, billed annually
  • Business: $1,000 per month, billed annually
  • Enterprise: Custom pricing

Aravo for Third Party Management

Best for Customization


Launched in 2000 to address the growing need for enterprise supplier management, Aravo now offers SaaS-based supplier information management (SIM) and TPRM technology. Aravo for Third Party Management enables users to better manage new vendor intake, risk assessment automation, and due diligence.

Aravo’s highest reviews and ratings cite its pricing and contract flexibility, its configurability, and the company’s expert consultations in vendor risk evaluation. Although the solution offers many preconfigured workflows, assessments, dashboards, and reports, it is also easy to configure these features according to an individual business’s needs.

Key Features

  • Automated risk assessment and vendor onboarding
  • Third-party risk scoring based on dynamic online surveys
  • Self-service survey creation with Customer Defined Assessment
  • Third-party intelligence networking
  • Corrective action and issue tracking

Pros

  • Aravo offers specialized features for anti-bribery, anti-corruption, data privacy, and infosec requirements
  • Interactive customer experience is available through innovation exchange and customer community
  • Aravo’s preconfigured apps and native content integration are robust and highly usable

Cons

  • The company has mostly shifted away from TPRM development to focus on business resilience
  • Many features are only available through third-party partnerships or add-ons that come at an additional cost
  • The pricing model for Aravo is somewhat complicated

Pricing

Pricing information is not transparently provided on the Aravo site. Prospective buyers will need to contact the vendor directly for pricing information. Aravo is also available on Azure.

Panorays

Best for Ease of Deployment

Panorays is a cybersecurity solution that offers automated features for third-party risk management and remediation. The Panorays strategy brings together dynamic questionnaires for existing suppliers with attack surface assessments to give clients greater risk visibility. The tool is particularly capable of meeting compliance standards like GDPR and HIPAA.

Panorays’s highest reviews and ratings cite its ease of deployment and onboarding, its centralized management features, and its ongoing feature updates. It also has a modern and intuitive user interface and a strong commitment to hands-on customer support.

Key Features

  • Pre-built template for vendor security questionnaires
  • External attack surface monitoring and assessments
  • Customizable remediation plans
  • Out-of-the-box reporting
  • Autocomplete responses for questionnaires

Pros

  • The product is constantly evolving and the vendor is receptive to customer feedback; a strong development roadmap is in place
  • Straightforward and consistent approach to automation
  • Users have commented on the quality and consistency of customer support for planning, assessment, and software implementation

Cons

  • Somewhat limited connectors and integration capabilities
  • Reports could be improved, especially with more self-service elements
  • Limited functionality in the asset scanning feature

Pricing

Panorays is available in five different plan options:

  • Free: For up to five third-party one-time assessments
  • Basic: For up to 50 third-party continuous assessments
  • Premium: For up to 100 third-party continuous assessments
  • Enterprise: For up to 250 third-party continuous assessments
  • Enterprise+: For more than 250 third-party continuous assessments

Specific pricing information is not transparently provided on the Panorays site. Prospective buyers will need to contact the vendor directly for pricing information. Google Cloud quotes starting enterprise prices of $2,500 per supplier.

Diligent ThirdPartyBond

Best for Reporting and Visualizations

Diligent — previously known as Galvanize — offers top-tier software solutions for audit, risk, and compliance. With the ThirdPartyBond solution, organizations can access end-to-end third-party risk management with resources for vendor onboarding, automated evidence collection, and assessment surveys. ThirdPartyBond also tracks service level agreements (SLAs), maintains updated intelligence feeds, and provides tangible reporting for senior management.

ThirdPartyBond’s highest reviews and ratings cite its responses to product questions, its ease of integration and deployment, and its overall efficiency. It also offers some of the best reporting and visualization capabilities, with granular drag-and-drop dashboards, interactive storyboards, and various pre-built reports.

Key Features

  • Centralized inventory and bulk import of third parties
  • Risk-based control assessments
  • Reports driven by KPIs and KRIs
  • SLA performance monitoring and contract management
  • Adaptive vendor surveys and risk scoring

Pros

  • Strong risk analytics are built into the platform
  • Advanced machine learning algorithms are incorporated to predict control failures
  • One of the few TPRM options that offer interactive storyboards with advanced data visualizations

Cons

  • Limited customizability in the most recent version of Diligent’s TPRM solution
  • Pricing can quickly get expensive for teams that need multiple out-of-the-box solutions from Diligent
  • Most edits to Diligent features can only be completed through scripting, making it challenging for less-technical users

Pricing

Pricing information is not transparently provided on the Diligent site. Prospective buyers will need to contact the vendor directly for pricing information.

Why Do You Need Third-Party Risk Management?

Third-party risk management is necessary for many organizations because adopting any kind of new digital system — especially one from a third party — comes with inherent vulnerabilities, including threats of breach, data loss, noncompliance, and human error. Specialized TPRM tools automate many of the relationship management workflows and steps, making the effort of organizing, optimizing, and securing third-party relationships seamless and simpler for business continuity purposes.

While network infrastructure vulnerabilities have long been the responsibility of security and network professionals, supply chain vulnerabilities are a growing and pressing concern because a compromise at an upstream supplier ripples out to every organization that depends on it. As third-party networks grow larger and third-party tools become more difficult to regulate and track, organizations must increasingly practice vigilance in safeguarding their privacy, operations, and reputation; a strong TPRM posture can help organizations stay on top of these growing security concerns.

8 Common Features of Third-Party Risk Management Software

Every third-party risk management software solution is a little bit different, especially if it’s offered as part of a security suite or managed services offering. However, regardless of which tool appeals to your team most, it’s important to look for the following features and capabilities:

  • Self-service portals for suppliers and vendors to provide pertinent documentation and guidance for questionnaires and risk scoring
  • User-friendly reports and visualizations that cover risk monitoring and risk exposure to inform action steps
  • Processes and templates for supplier risk control, oversight, and risk assessments
  • Continuous monitoring of vendor performance and changes to supplier risk status
  • Third-party relationship guidance that includes structured steps to follow from sourcing to relationship termination
  • Built-in compliance features for internal policies and external mandates for supplier risk; compliance features for finance, government, and other highly regulated sectors are ideal
  • Quantitative and qualitative data to show progress in reducing third-party risk exposure
  • Reports and visualizations that help the customer and third-party vendors quickly understand current issues and possible mitigation strategies

How to Choose a Third-Party Risk Management Tool

With so many features to consider and other factors that go into making a TPRM purchase, you need to drill down to what’s most important for your business’s risk management strategy. To choose the right third-party risk management tool for your business, be sure to ask organizational leaders and members of your cybersecurity team these kinds of questions:

  • How will the solution improve the organization’s third-party risk exposure?
  • How does the TPRM tool enable compliance reporting and operational management?
  • Is the tool compatible with the business’s specific compliance requirements?
  • Does the vendor offer flexible pricing that can scale as third-party exposure grows?
  • Is this tool compatible with the organization’s budget?
  • What training, deployment, and implementation support comes with this purchase?
  • What integrations are compatible and/or configurable for use?
  • What advanced features make this TPRM solution stand out?
  • What do past and present customers of this TPRM solution say about the tool?
  • Does this tool simplify the organization’s TPRM workflow?

Bottom Line: Third-Party Risk Management Tools

Even if your organization trusts and has thoroughly vetted the third-party vendors you partner with, your network becomes increasingly vulnerable to cyberattacks and noncompliance issues with each new partner you add and each new change they make to their own ecosystems. Especially with the rise of modern artificial intelligence (AI) and Internet of Things (IoT) technologies, it has become increasingly difficult to monitor and identify risk across all endpoints through traditional methods and tools.

Though third-party risk management software is a specialized kind of cybersecurity tool that won’t cover all of your network security requirements, TPRM solutions are an important component of overall network security strategy and tooling. Investing in a TPRM solution or service is one of the most effective ways to simultaneously manage your third-party relationships and the security and compliance standards to which you hold these partners.

Read next: 34 Most Common Types of Network Security Protections

This updates an August 2021 article by Sam Ingalls


The post 10 Best Third-Party Risk Management Software & Tools appeared first on eSecurity Planet.
