CERT Podcasts

Cisco's Adoption of CERT Secure Coding Standards
Author(s): Martin Sebor
(February 2012) Implementing secure coding standards to reduce the number of vulnerabilities that can escape into operational systems is a sound business decision.

How to Become a Cyber Warrior
Author(s): Dennis Allen
(January 2012) Protecting the internet and its users against cyber attacks requires a significant increase in the number of skilled cyber warriors.

Considering Security and Privacy in the Move to Electronic Health Records
Author(s): Deborah Lafky
(December 2011) Electronic health records bring many benefits along with security and privacy challenges.

Measuring Operational Resilience
Author(s): Julia Allen
(October 2011) Measures of operational resilience should answer key questions, inform decisions, and affect behavior.

Why Organizations Need a Secure Domain Name System
Author(s): Alex Nicoll
(September 2011) Use of Domain Name System security extensions can help prevent website hijacking attacks.

Controls for Monitoring the Security of Cloud Services at All Seven Layers
Author(s): Jonathan Spring
(August 2011) Depending on the service model, cloud providers and customers can monitor and implement controls to better protect their sensitive information.

Building a Malware Analysis Capability
Author(s): Jeff Gennari
(July 2011) Analyzing malware is essential to assess the damage and reduce the impact associated with ongoing infection.

Using the Smart Grid Maturity Model (SGMM)
Author(s): David White
(May 2011) Over 100 electric power utilities are accelerating their transformation to the smart grid by using the Smart Grid Maturity Model.

Integrated, Enterprise-Wide Risk Management: NIST 800-39 and CERT-RMM
Author(s): Ron Ross
(March 2011) Business leaders must address risk at the enterprise, business process, and system levels to effectively protect against today's and tomorrow's threats.

Conducting Cyber Exercises at the National Level
Author(s): Brett Lambo
(February 2011) Scenario-based exercises help organizations, governments, and nations prepare for, identify, and mitigate cyber risks.

Indicators and Controls for Mitigating Insider Threat
Author(s): Michael Hanley
(January 2011) Technical controls may be effective in helping prevent, detect, and respond to insider crimes.

How Resilient Is My Organization?
Author(s): Rich Caralli
(December 2010) Use the CERT Resilience Management Model (CERT-RMM) to help ensure that critical assets and services perform as expected in the face of stress and disruption.

Public-Private Partnerships - Essential for National Cyber Security
Author(s): Sam Merrell
(November 2010) Government agencies and private industry must build effective partnerships to secure national critical infrastructures.

Software Assurance: A Master's Level Curriculum
Author(s): Nancy Mead
(October 2010) Knowledge about software assurance is essential to ensure that complex systems function as intended.

How to Develop More Secure Software - Practices from Thirty Organizations
Author(s): Gary McGraw
(September 2010) Organizations can benchmark their software security practices against 109 observed activities from 30 organizations.

Mobile Device Security: Threats, Risks, and Actions to Take
Author(s): Jonathan Frederick
(August 2010) Internet-connected mobile devices are becoming increasingly attractive targets.

Establishing a National Computer Security Incident Response Team (CSIRT)
Author(s): John Haller
(August 2010) A national CSIRT is essential for protecting national and economic security, and ensuring the continuity of government agencies and critical infrastructures.

Securing Industrial Control Systems
Author(s): Art Manion
(July 2010) Securing systems that control physical switches, valves, pumps, meters, and manufacturing lines as these systems connect to the internet is critical for service continuity.

TJX, Heartland, and CERT's Forensics Analysis Capabilities
Author(s): Kevin Moore
(June 2010) Complex, distributed, multi-year investigations of computer crimes require sophisticated methods, techniques, and tools.

The Power of Fuzz Testing to Reduce Security Vulnerabilities
Author(s): Will Dormann
(May 2010) To help identify and eliminate security vulnerabilities, subject all software that you build and buy to fuzz testing.

Protect Your Business from Money Mules
Author(s): Chad Dougherty
(April 2010) Organized criminals recruit unsuspecting intermediaries to help steal funds from small businesses.

Train for the Unexpected
Author(s): Matthew Meyer
(March 2010) Being able to respond effectively when faced with a disruptive event requires that staff members learn to become more resilient.

The Role of the CISO in Developing More Secure Software
Author(s): Pravir Chandra
(March 2010) CISOs must leave no room for anyone to deny that they understand what is expected of them when developing secure software.

Computer and Network Forensics: A Master's Level Curriculum
Author(s): Kristopher Rush
(February 2010) Students learn how to combine multiple facets of digital forensics and draw conclusions to support full-scale investigations.

Introducing the Smart Grid Maturity Model (SGMM)
Author(s): Ray Jones
(January 2010) The SGMM provides a roadmap to guide an organization's transformation to the smart grid.

Integrating Privacy Practices into the Software Development Life Cycle
Author(s): Ralph Hood
(December 2009) Addressing privacy during software development is just as important as addressing security.

Using the Facts to Protect Enterprise Networks: CERT's NetSA Team
Author(s): Timothy Shimeall
(December 2009) Network defenders and business leaders can use NetSA measures and evidence to better protect their networks.

Ensuring Continuity of Operations When Business Is Disrupted
Author(s): Gary Daniels
(November 2009) Providing critical services during times of stress depends on documented, tested business continuity plans.

Managing Relationships with Business Partners to Achieve Operational Resiliency
Author(s): David White
(October 2009) A defined, managed process for third party relationships is essential, particularly when business is disrupted.

The Smart Grid: Managing Electrical Power Distribution and Use
Author(s): James Stevens
(September 2009) The smart grid is the use of digital technology to modernize the power grid, which comes with some new privacy and security challenges.

Electronic Health Records: Challenges for Patient Privacy and Security
Author(s): Robert Charette
(September 2009) Electronic health records (EHRs) are possibly the most complicated area of IT today, more difficult than defense.

Mitigating Insider Threat: New and Improved Practices
Author(s): Dawn Cappelli
(August 2009) Preventing and detecting insider threat is greatly improved by implementing 16 best practices based on 282 cases.

Analyzing Internet Traffic for Better Cyber Situational Awareness
Author(s): Derek Gabbard
(July 2009) Automation, innovation, reaction, and expansion are the foundation for obtaining meaningful network traffic intelligence in today's extended enterprise.

Rethinking Risk Management
Author(s): Chris Alberts
(July 2009) Business leaders need new approaches to address multi-enterprise, systems of systems risks across the life cycle and supply chain.

The Upside and Downside of Security in the Cloud
Author(s): Tim Mather
(June 2009) When considering cloud services, business leaders need to weigh the economic benefits against the security and privacy risks.

More Targeted, Sophisticated Attacks: Where to Pay Attention
Author(s): Marty Lindner
(May 2009) Business leaders need to take action to better mitigate sophisticated social engineering attacks.

Is There Value in Identifying Software Security "Never Events?"
Author(s): Robert Charette
(May 2009) Now may be the time to examine our responsibilities when developing software with known, preventable errors - along with some possible consequences.

Cyber Security, Safety, and Ethics for the Net Generation
Author(s): Rodney Petersen
(April 2009) Capitalizing on the cultural norms of the Net Generation is essential when developing security awareness programs.

An Experienced-Based Maturity model for Software Security
Author(s): Gary McGraw
(March 2009) Observed practice, represented as a maturity model, can serve as a basis for developing more secure software.

Mainstreaming Secure Coding Practices
Author(s): Robert Seacord
(March 2009) Requiring secure coding practices when building of

Security: A Key Enabler of Business Innovation
Author(s): Roland Cloutier
(March 2009) Making security strategic to business innovation involves seven strategies and calculating risk-reward based on risk appetite.

Better Incident Response Through Scenario Based Training
Author(s): Chris May
(February 2009) Teams are better prepared to respond to incidents if realistic, hands-on training is part of their normal routine.

An Alternative to Risk Management for Information and Software Security
Author(s): Brian Chess
(February 2009) Standard, compliance, and process are more effective than risk management for ensuring an adequate level of information and software security.

Tackling Tough Challenges: Insights from CERT's Director Rich Pethia
Author(s): Rich Pethia
(January 2009) Rich Pethia reflects on CERT's 20-year history and discusses how he is positioning the program to tackle future IT and security challenges.

Leveraging Security Policies and Procedures for Electronic Evidence Discovery
Author(s): John Christiansen
(January 2009) Being able to effectively respond to e-discovery requests depends on well-defined, enacted policies, procedures, and processes.

Climate Change: Implications for Information Technology and Security
Author(s): Richard Power
(December 2008) Climate change requires new strategies for dealing with traditional IT and information security risks.

Using High Fidelity, Online Training to Stay Sharp
Author(s): James Wrubel
(November 2008) Virtual training environments can deliver high quality content to security professionals on-demand, anywhere, anytime.

Integrating Security Incident Response and e-Discovery
Author(s): David Matthews
(November 2008) Responding to an e-discovery request involves many of the same steps and roles as responding to a security incident.

Concrete Steps for Implementing an Information Security Program
Author(s): Jennifer Bayuk
(October 2008) A sustainable security program is based on business-aligned strategy, policy, awareness, implementation, monitoring, and remediation.

Virtual Communities: Risks and Opportunities
Author(s): Jan Wolynski
(October 2008) When considering whether to conduct business in online, virtual communities, business leaders need to evaluate risks and opportunities.

Developing Secure Software: Universities as Supply Chain Partners
Author(s): Mary Ann Davidson
(September 2008) Integrating security into university curricula is one of the key solutions to developing more secure software.

Security Risk Assessment Using OCTAVE Allegro
Author(s): Lisa Young
(September 2008) OCTAVE Allegro provides a streamlined assessment method that focuses on risks to information used by critical business services.

Getting to a Useful Set of Security Metrics
Author(s): Clint Kreitner
(September 2008) Well-defined metrics are essential to determine which security practices are worth the investment.

How to Start a Software Development Program
Author(s): Gary McGraw
(August 2008) Software security is accomplished by thinking like an attacker and integrating security practices into your software development lifecycle.

Managing Risk to Critical Infrastructures at the National Level
Author(s): Bradford Willke
(August 2008) Protecting critical infrastructures and the information they use are essential for preserving our way of life.

Managing Security Vulnerabilities Based on What Matters Most
Author(s): Art Manion
(July 2008) Determining which security vulnerabilities to address should be based on the importance of the information asset.

Identifying Software Security Requirements Early, Not After the Fact
Author(s): Nancy Mead
(July 2008) During requirements engineering, software engineers need to think deeply about (and document) how software should behave when under attack.

Making Information Security Policy Happen
Author(s): Paul Love
(June 2008) Targeted, innovative communications and a robust life cycle are keys for security policy success.

Becoming a Smart Buyer of Software
Author(s): Brian Gallagher
(June 2008) Managing software that is developed by an outside organization can be more challenging than building it yourself.

Building More Secure Software
Author(s): Julia Allen
(May 2008) Software security is about building better, more defect-free software to reduce vulnerabilities that are targeted by attackers.

Connecting the Dots Between IT Operations and Security
Author(s): Gene Kim
(May 2008) High performing organizations effectively integrate information security controls into mainstream IT operational processes.

Getting in Front of Social Engineering
Author(s): Gary Hinson
(April 2008) Helping your staff learn how to identify social engineering attempts is the first step in thwarting them.

Using Benchmarks to Make Better Security Decisions
Author(s): Betsy Nichols
(April 2008) Benchmark results can be used to compare with peers, drive performance, and help determine how much security is enough.

Protecting Information Privacy - How To and Lessons Learned
Author(s): Kim Hargraves
(April 2008) Aligning with business objectives, integrating with enterprise risks, and collaborating with stakeholders are key to ensuring information privacy.

Initiating a Security Metrics Program: Key Points to Consider
Author(s): Sam Merrell
(March 2008) A sound security metrics program is grounded in selecting data that is relevant to consumers and collecting it from repeatable processes.

Insider Threat and the Software Development Life Cycle
Author(s): Dawn Cappelli
(March 2008) Significant insider threat vulnerabilities can be introduced (and mitigated) during all phases of the software development life cycle.

Tackling the Growing Botnet Threat
Author(s): Nicholas Ianelli
(February 2008) Business leaders need to understand the risks to their organizations caused by the proliferation of botnets.

Building a Security Metrics Program
Author(s): Betsy Nichols
(February 2008) Selecting and reporting meaningful security metrics depend on picking topics of great interest, defining the business context, and having access to sound data.

Inadvertent Data Disclosure on Peer-to-Peer Networks
Author(s): M. Eric Johnson
(January 2008) Peer-to-peer networks are being used today to unintentionally disclose government, commercial, and personal information.

Information Compliance: A Growing Challenge for Business Leaders
Author(s): Tom Smedinghoff
(January 2008) Directors and senior executives are personally accountable for protecting information entrusted to their care.

Internal Audit's Role in Information Security: An Introduction
Author(s): Dan Swanson
(December 2007) Internal Audit can serve a key role in putting an effective information security program in place, and keeping it there.

What Business Leaders Can Expect from Security Degree Programs
Author(s): Sean Beggs
(November 2007) Information security degree programs are proliferating, but what do they really offer business leaders who are seeking knowledgeable employees?

The Path from Information Security Risk Assessment to Compliance
Author(s): Bill Wilson
(November 2007) Information security risk assessment, performed in concert with operational risk management, can contribute to compliance as an outcome.

Computer Forensics for Business Leaders: Building Robust Policies and Processes
Author(s): Cal Waits
(October 2007) Business Leaders can play a key role in computer forensics by establishing strong policies and proactively testing to ensure those policies work in tough situations.

Business Resilience: A More Compelling Argument for Information Security
Author(s): Scott Dynes
(October 2007) A business resilience argument can bridge the communication gap that often exists between information security officers and business leaders.

Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity
Author(s): Lisa Young
(October 2007) By taking a holistic view of business resilience - similar in many ways to classical engineering - business leaders can help their organizations stand up to known and unknown threats.

The Human Side of Security Trade-Offs
Author(s): G. Newby, S. Losi
(September 2007) It's easy to think of security as a collection of technologies and tools - but people are the real key to any security effort.

Dual Perspectives: A CIO's and CISO's Take on Security
Author(s): P. Morrison, B. Boni, J. Allen
(September 2007) Given that you can't secure everything, managing security risk to a "commercially reasonable degree" can lead to the best possible solution.

Tackling Security at the National Level: A Resource for Leaders
Author(s): J. Carpenter, J. Allen
(August 2007) Business leaders can use national CSIRTs (Computer Security Incident Response Teams) as a key resource when dealing with incidents with a national or worldwide scope.

Reducing Security Costs with Standard Configurations: U.S. Government Initiatives
Author(s): C. Kreitner, J. Allen
(August 2007) Information security costs can be significantly reduced by enforcing standard configurations for widely deployed systems.

Real-World Security for Business Leaders
Author(s): P. Fusco, W. Pollak
(July 2007) Security is not an option - but it may be time to start viewing it as a business enabler, rather than just a cost of doing business.

Using Standards to Build an Information Security Program
Author(s): W. Wilson, J. Allen
(July 2007) Business leaders can use international standards to create a business- and risk-based information security program.

Getting Real About Security Governance
Author(s): J. Allen, S. Losi
(June 2007) Enterprise security governance is not just a vague idea - it can be achieved by implementing a defined, repeatable process with specific activities.

Convergence: Integrating Physical and IT Security
Author(s): B. Crowell, B. Contos
(June 2007) Deploying common solutions for physical and IT security is a cost-effective way to reduce risk and save money.

IT Infrastructure: Tips for Navigating Tough Spots
Author(s): S. Huth
(May 2007) Organizations occasionally may need to redefine their IT infrastructures - but to succeed, they must be prepared to handle tricky situations.

The Value of De-Identified Personal Data
Author(s): S. Ganow
(May 2007) As the legal compliance landscape grows increasingly complex, de-identification can help organizations share data more securely.

Adapting to Changing Risk Environments: Operational Resilience
Author(s): R. Caralli
(May 2007) Business leaders need to ensure that their organizations can keep critical business processes and services up and running in the face of the unexpected.

Computer Forensics for Business Leaders: A Primer
Author(s): R. Nolan
(April 2007) Computer forensics is often overlooked when planning an incident response strategy; however, it is a critical part of incident response, and business leaders need to understand how to tackle it.

The Real Secrets of Incident Management
Author(s): G. Killcrece
(April 2007) Incident management is not just about technical response. It is a cross-enterprise effort that requires good communication and informed risk management.

The Legal Side of Global Security
Author(s): J. Westby
(March 2007) Business leaders, including legal counsel, need to understand how to tackle complex security issues for a global enterprise.

A New Look at the Business of IT Education
Author(s): L. Rogers
(March 2007) System administrators increasingly need business savvy in addition to technical skills, and IT training courses must try to keep pace with this trend.

Crisis Communications During a Security Incident
Author(s): K. Kimberland
(February 2007) Business leaders need to be prepared to communicate with the media and their staff during a high-profile security incident or crisis.

Assuring Mission Success in Complex Environments
Author(s): C. Alberts
(February 2007) Analysis tools are needed for assessing complex organizational and technological issues that are well beyond traditional approaches.

Privacy: The Slow Tipping Point
Author(s): A. Acquisti
(January 2007) A trend toward more and more data disclosure, as seen in online social networks, may be causing users to become desensitized to privacy breaches in general.

Building Staff Competence in Security
Author(s): B. Laswell
(January 2007) Practical specifications and guidelines now exist that define necessary knowledge, skills, and competencies for staff members in a range of security positions - from practitioners to managers.

Inside Defense-in-Depth
Author(s): K. Rush
(December 2006) Defense-in-Depth is one path toward enterprise resilience - the ability to withstand threats and failures. The foundational aspects of compliance management and risk management serve as stepping-stones to and supports for other, more technical aspects.

Evolving Business Models, Threats, and Technologies: A Conversation with CERT's Deputy Director for Technology
Author(s): T. Longstaff
(December 2006) Business models are evolving. This has challenging implications as security threats become more covert and technologies facilitate information migration.

Protecting Against Insider Threat
Author(s): D. Cappelli
(November 2006) The threat of attack from insiders is real and substantial. Insiders have a significant advantage over others who might want to harm an organization.

Change Management: The Security 'X' Factor
Author(s): G. Kim
(November 2006) In a recent survey of organizations' security posture, one factor separated high performers from the rest of the pack: change management.

CERT Lessons Learned: A Conversation with Rich Pethia, Director of CERT
Author(s): R. Pethia
(October 2006) Learn more about the future of CERT and Rich Pethia's view of the Internet security landscape.

Why Leaders Should Care About Security
Author(s): J. Allen
(October 2006) Leaders need to be security conscious and to treat adequate security as a non-negotiable requirement of being in business.

The ROI of Security
Author(s): S. Losi
(October 2006) ROI is a useful tool because it enables comparison among investments in a consistent way.

Proactive Remedies for Rising Threats
Author(s): M. Lindner
(October 2006) Threats to information security are increasingly stealthy, but they are on the rise and must be mitigated through sound policy and strategy.

Compliance vs. Buy-in
Author(s): J. Allen
(October 2006) Integrating security into standard business operating processes and procedures is more effective than treating security as a compliance exercise.
