There are many reasons for an organization to perform a penetration test of its information systems: to meet compliance standards, test a security team's capabilities, or determine the effectiveness of controls, to name a few. A badly scoped or poorly executed penetration test might do nothing more than validate known vulnerabilities, easily identified by software, or reiterate the efficacy of social engineering. However, with some preparation and engagement on the part of the consumer, a penetration test can provide real value to an organization's overall cybersecurity posture. Read on to learn how.
Each year, the CERT Division of the SEI collaborates with CSO Magazine to develop a U.S. State of Cybercrime report1. These reports are based on surveys of more than 500 organizations across the country, ranging in size from fewer than 500 employees to more than 10,000. Each organization self-reports on information security issues that have impacted them in the past calendar year. The 2017 report covers activity that occurred in 2016. In this blog post, we share some of the findings from the upcoming report as they relate to insider threats.
The National Insider Threat Center (NITC) at the CERT Division of the SEI is developing an Insider Threat Program Evaluator (ITPE) Training course based on the methods and techniques the NITC currently uses to conduct Insider Threat Program Evaluations. This three-day, instructor-led, classroom-based, certificate training program presents strategies for measuring and evaluating an operational insider threat program within an organization. The first course will be offered in March 2018.