<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description></description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Sat, 06 Jun 2026 08:02:24 GMT</lastBuildDate>
        <link>https://www.techtarget.com/searchsecurity</link>
        <managingEditor>editor@techtarget.com</managingEditor>
        <item>
            <body>&lt;p&gt;Endpoint usage policies must evolve as user behavior, device ownership models and regulatory expectations continue to shift. BYOD endpoints present especially complicated challenges for organizations, which have to ensure all endpoints meet data privacy and security regulations, despite not owning the devices.&lt;/p&gt; 
&lt;p&gt;From a compliance perspective, &lt;a href="https://www.techtarget.com/whatis/definition/BYOD-bring-your-own-device"&gt;BYOD&lt;/a&gt; complicates an organization's ability to demonstrate consistent access control, policy enforcement and audit readiness across enterprise data. Therefore, it's necessary to build a BYOD policy foundation that incorporates feedback from users in different business units.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Develop a BYOD policy and communicate it to users"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Develop a BYOD policy and communicate it to users&lt;/h2&gt;
 &lt;p&gt;As with any security initiative, a BYOD program has the greatest likelihood of success when it starts from a solid policy foundation. Take the time to clearly articulate the boundaries of personal device use within an organization. &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/3-BYOD-security-risks-and-how-to-prevent-them"&gt;Enterprise BYOD security policies&lt;/a&gt; should answer many common questions about personal device use for both end users and IT professionals. Here are some questions to consider:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Who's authorized to access enterprise data from personal devices?&lt;/li&gt; 
  &lt;li&gt;Under what conditions can&amp;nbsp;personal devices connect to enterprise networks?&lt;/li&gt; 
  &lt;li&gt;Does the organization require explicit approval for each BYOD instance?&lt;/li&gt; 
  &lt;li&gt;What security controls must exist on BYOD endpoints?&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Build BYOD policies around user needs, if possible"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Build BYOD policies around user needs, if possible&lt;/h2&gt;
 &lt;p&gt;Setting BYOD policies in an IT silo tends to be counterproductive in the end, especially as more workers are outside the traditional network of endpoints. Work to build alliances and partnerships with workers in business units to set a positive foundation for the BYOD initiative.&lt;/p&gt;
 &lt;p&gt;Resist the pull of giving HR an outsized voice as the employees' representative in BYOD policy creation and maintenance. Rather, treat HR like any other business unit. IT departments want unfiltered, firsthand feedback from users about how BYOD policies affect their productivity. Building relationships with end users will also improve the feedback because IT will discover which policies are working and which are hindering productivity.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/g4TMM7FrmzI?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
 &lt;p&gt;Meeting BYOD compliance requirements requires aligning policy, access controls, user behavior and verification processes rather than relying on device ownership alone.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="5 steps to manage BYOD security policies and stay compliant"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5 steps to manage BYOD security policies and stay compliant&lt;/h2&gt;
 &lt;p&gt;Simply establishing BYOD security policies isn't sufficient to meet mobile device compliance obligations. Users must follow the requirements of the policy, and this is only possible if they're familiar with the policy details in the first place. That's where training and awareness efforts come into play.&lt;/p&gt;
 &lt;p&gt;BYOD training and subsequent personal device onboarding should become part of employee onboarding if it's not already. Current employees who opt in to the BYOD program later should receive more extensive training on what the policy allows and prohibits. At a minimum, every employee should know BYOD security policies exist, and they should consult IT staff before using personal devices for work.&lt;/p&gt;
 &lt;p&gt;It's important to be realistic with BYOD policy decisions, which might include limiting the mobile OSes that IT can support without falling out of compliance. For example, if users work in financial services or healthcare, IT might&amp;nbsp;want to restrict BYOD users to one mobile OS. This will make it easier to support mobile device compliance and not overwhelm the security team.&lt;/p&gt;
 &lt;h3&gt;1. Implement MDM&lt;/h3&gt;
 &lt;p&gt;Mobile device management (&lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management"&gt;MDM&lt;/a&gt;) platforms offer the ability to conduct policy-based management of mobile devices. MDM offerings enforce corporate security requirements, such as encrypting device contents, requiring a passcode to access the device, locking certain apps behind a passcode and facilitating the remote wiping of lost or stolen phones and tablets. Some MDM products also enable IT staff to specify the applications that can run on a device or those that can access sensitive corporate information.&lt;/p&gt;
 &lt;p&gt;Common MDM platforms include Jamf, Kandji and Esper, among others. An organization should install and configure an MDM for BYOD devices to meet its compliance obligations and fit within the constraints of the corporate culture. Quite often, this translates into a back-and-forth between users and IT about the device policies their employer can implement on their personal devices.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/mobilecomputing-byod_vs_cyod_vs_cope_vs_cobo-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/mobilecomputing-byod_vs_cyod_vs_cope_vs_cobo-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/mobilecomputing-byod_vs_cyod_vs_cope_vs_cobo-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/mobilecomputing-byod_vs_cyod_vs_cope_vs_cobo-f.png 1280w" alt="Chart comparing BYOD, CYOD, COPE and COBO device ownership models, outlining differences in employee choice, IT control, security tradeoffs and typical enterprise use cases" height="426" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Comparing mobile device ownership models helps organizations balance user flexibility, management overhead and compliance requirements across different workforce needs.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/How-to-successfully-implement-MDM-for-BYOD"&gt;Having an MDM in place to implement a BYOD program&lt;/a&gt; enables IT to establish policies, such as the following, on enrolled devices:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Requiring that the device run the latest mobile OS and security updates without depending on users doing it themselves.&lt;/li&gt; 
  &lt;li&gt;Requiring strong and unique passwords -- or even multifactor authentication -- for device access.&lt;/li&gt; 
  &lt;li&gt;Enforcing encryption on all devices to protect sensitive corporate data both at rest and in transit.&lt;/li&gt; 
  &lt;li&gt;Enabling remote wipe capabilities on devices that connect to the corporate network.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;IT must also prepare for employees who might not want an MDM client on their personal devices. They must respect that decision and come up with equitable options, depending on the organization's culture and internal politics.&lt;/p&gt;
 &lt;h3&gt;2. Segregate data with containerization and virtualization&lt;/h3&gt;
 &lt;p&gt;One of the greatest challenges for BYOD in organizations is protecting corporate information without adversely affecting personal use of the device. After all, employees are unlikely to react well to stringent corporate security requirements when they target the device they use for non-work tasks. Organizations can approach this segregation issue using containerization or virtualization to separate corporate data and apps from the user's personal data. These technologies help mitigate the risk of data leakage and enable the easy removal of any corporate resources without affecting personal data.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    BYOD compliance depends on governing access to enterprise data without assuming ownership of the device.
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;If an organization is subject to strict compliance obligations such as HIPAA or the &lt;a href="https://www.techtarget.com/searchcio/definition/Sarbanes-Oxley-Act"&gt;Sarbanes-Oxley Act&lt;/a&gt;, it can choose to approach BYOD through the use of &lt;a href="https://www.techtarget.com/searchitoperations/definition/application-containerization-app-containerization"&gt;app containerization&lt;/a&gt;. Samsung Knox is a widely used example of app containerization that separates corporate and personal data on mobile devices.&lt;/p&gt;
 &lt;p&gt;With this approach, employees working with enterprise data on a personal device can access that data through a secure &lt;a href="https://www.techtarget.com/whatis/definition/secure-container"&gt;container&lt;/a&gt; that lives as an application on the device. When the employee opens the app, they can access corporate information through the app's interface. When the app closes, it deletes all enterprise information from the device, removing the need for restrictions during users' personal tasks and communications. Enterprise organizations can view this approach as a secure island on an otherwise unmanaged personal device.&lt;/p&gt;
 &lt;h3&gt;3. Factor generative AI into a BYOD compliance plan&lt;/h3&gt;
 &lt;p&gt;Generative AI expands the number of data exposure paths on personal devices, increasing the importance of clear access governance in BYOD environments. The availability of generative AI applications on mobile platforms raises new questions about &lt;a href="https://www.techtarget.com/searchmobilecomputing/feature/The-future-of-BYOD-Trends-and-predictions"&gt;how AI factors into BYOD security and compliance&lt;/a&gt;. Organizations that ban generative AI on corporate-owned IT will be able to implement this policy easily. However, organizations that implement BYOD will need to work with IT and security teams to assess the potential risks of generative AI apps running on BYOD endpoints. The risks of running these apps on an endpoint that can access business data include data leakage and the sharing of company data or content with the program.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-1" src="https://www.youtube.com/embed/1U83yhGY_pI?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
 &lt;p&gt;Either way, it means setting restrictive MDM policies on employee-owned devices, which could provoke some pushback from employees who want to access generative AI apps or services.&lt;/p&gt;
 &lt;h3&gt;4. Conduct regular risk assessments&lt;/h3&gt;
 &lt;p&gt;Regularly assess the risks associated with a BYOD implementation to address new or overlooked issues. Identify potential threats, vulnerabilities and compliance gaps. The risk assessment strategy should include evaluating network infrastructure, data storage, access controls and user behavior.&lt;/p&gt;
 &lt;h3&gt;5. Audit regularly and practice continuous improvement&lt;/h3&gt;
 &lt;p&gt;No matter what approach an organization chooses for handling BYOD issues, it should regularly audit the reality of its IT operations against stated BYOD security policies. Even if an organization prohibits BYOD entirely, its security team should take steps to verify that only corporate-owned devices connect to enterprise networks. Organizations that allow BYOD should verify that BYOD users operate within the bounds of enterprise computing policies and external compliance obligations.&lt;/p&gt;
 &lt;p&gt;Organizations that conduct regular BYOD audits can hone and improve BYOD security policies and practices continuously. They can bring together the results of these audits with user feedback to improve the creation and management of security policies.&lt;/p&gt;
 &lt;p&gt;The principle of "trust, but verify" still applies in BYOD environments, where policy intent must be validated through ongoing enforcement and review.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;em&gt;This article was updated in January 2026 to improve the reader experience.&lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Will Kelly is a freelance writer and content strategist who has written about cloud, DevOps, AI and enterprise mobility.&lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Mike Chapple is academic director of the Master of Science in Business Analytics program and teaching professor of IT, analytics and operations at the University of Notre Dame.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>BYOD endpoints are difficult to secure because IT does not own or preconfigure the device. Learn about policies and controls that help organizations stay compliant.</description>
            <image>https://cdn.ttgtmedia.com/visuals/search400/file_sharing/search400_article_002.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/How-to-manage-BYOD-security-policies-and-stay-compliant</link>
            <pubDate>Tue, 27 Jan 2026 09:45:00 GMT</pubDate>
            <title>5 steps to approach BYOD compliance policies</title>
        </item>
        <item>
            <body>&lt;p&gt;Identity and access management, or IAM, is a framework of business processes, policies and technologies that facilitates the management of digital identities. With an IAM framework in place, IT security teams can control user access to critical information within their organizations.&lt;/p&gt; 
&lt;p&gt;Using methods such as single sign-on (&lt;a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on"&gt;SSO&lt;/a&gt;), &lt;a href="https://www.techtarget.com/searchsecurity/definition/two-factor-authentication"&gt;two-factor authentication&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/privileged-access-management-PAM"&gt;privileged access management&lt;/a&gt;, IAM technologies securely store identity and profile data and manage data governance functions to ensure that only necessary and relevant data is shared.&lt;/p&gt; 
&lt;p&gt;IAM performs the following fundamental security actions:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;Identifies individuals in a system through &lt;a href="https://www.techtarget.com/searchsecurity/answer/Authentication-vs-digital-identity-Whats-the-difference"&gt;identity management and authentication&lt;/a&gt;.&lt;/li&gt; 
 &lt;li&gt;Identifies roles in a system and how roles are assigned to individuals.&lt;/li&gt; 
 &lt;li&gt;Adds, removes and updates individuals and their roles in a system.&lt;/li&gt; 
 &lt;li&gt;Assigns levels of access to individuals or groups of individuals.&lt;/li&gt; 
 &lt;li&gt;Protects sensitive data within the system and secures the system itself.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;An enterprise's ability to know who is accessing which data and which systems and from where is not only helpful but critical to data protection. Employees are in far-flung locales, sometimes in branch offices and sometimes working remotely from their homes. Traditional defenses built around a known perimeter are no longer adequate, which is one reason why cybersecurity experts now refer to identity as the new perimeter.&lt;/p&gt; 
&lt;p&gt;This comprehensive guide examines the many aspects of identity and access management, including its challenges, technologies and trends. Hyperlinks direct readers to related articles that provide additional insights and guidance about how to understand, implement and manage IAM.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-iam_risk_analytics-f.png"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security-iam_risk_analytics-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-iam_risk_analytics-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/security-iam_risk_analytics-f.png 1280w" alt="Graphic showing how an IAM system analyzes user behavior." height="321" width="560"&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why is IAM important?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is IAM important?&lt;/h2&gt;
 &lt;p&gt;Business leaders and IT departments are under pressure to grant access to corporate resources while at the same time protecting those resources. It's a balancing act, and it's not a simple one. Security teams must assign and track user privileges so that users can work with the data and applications they need to be productive -- without being so lax that bad actors find their way into systems.&lt;/p&gt;
 &lt;p&gt;The increased adoption of cloud services and the growth in hybrid and remote workforces mean more users are accessing more applications from more locations. These conditions make proper identity management indispensable.&lt;/p&gt;
 &lt;p&gt;Cybersecurity relies on IAM and its ever-increasing list of features, including &lt;a href="https://www.techtarget.com/searchsecurity/definition/biometrics"&gt;biometrics&lt;/a&gt;, behavior analytics and AI. With its tight control of resource access in highly distributed and dynamic environments, IAM aligns with security's transition from using traditional firewalls and inherent-trust practices to more rigid control architectures.&lt;/p&gt;
 &lt;p&gt;The foremost of these stricter controls is the &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero-trust model&lt;/a&gt;. An organization that implements zero trust authorizes and authenticates users continuously, not merely once at the perimeter. This inverts the idea that users who've been cleared can be fully trusted. The zero-trust architecture prevents unnecessary movement between applications and systems, which, in turn, limits the damage an intruder might do.&lt;/p&gt;
 &lt;p&gt;With IAM in place, an organization gives itself important capabilities for heightened control over managing users' access in an organized fashion. Automation features eliminate manual steps, which boosts efficiency and lowers the chance of human error.&lt;/p&gt;
 &lt;p&gt;Businesses that are inattentive to IAM run the risk of intrusion, data loss, ransom attacks and worse. Bad actors often use stolen credentials to impersonate valid users. Because this access appears legitimate, cybercriminals can misuse credentials to linger inside a network for extended periods. If the stolen credential can be used to gain administrator privileges, the data loss and potential damage can be considerable. Bad actors use a range of tactics, including phishing and vishing, to acquire credentials.&lt;/p&gt;
 &lt;p&gt;Research by Verizon found that, over the past decade, stolen credentials have played a role in nearly one-third of breaches. Credential theft is so effective that it is used by both run-of-the-mill cybercriminals and highly organized nation-state threat actors.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/D6nql-FGAyk?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Basic components of IAM"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Basic components of IAM&lt;/h2&gt;
 &lt;p&gt;IAM products offer access control, which lets system administrators regulate access to systems or networks based on the roles of individual users within the enterprise.&lt;/p&gt;
 &lt;p&gt;In this context, &lt;i&gt;access&lt;/i&gt; is the ability of an individual user to perform a specific task, such as view, create or modify a file. Roles are defined according to job, authority and responsibility. &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-access-control"&gt;Key types of access control&lt;/a&gt; include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Role-based access control.&lt;/li&gt; 
  &lt;li&gt;Discretionary access control.&lt;/li&gt; 
  &lt;li&gt;Attribute-based access control.&lt;/li&gt; 
  &lt;li&gt;Mandatory access control.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;To gain access to those authorized resources, users must prove they are who they say they are. This is a complicated but necessary component of IAM, typically involving passwords, &lt;a href="https://www.techtarget.com/searchsecurity/definition/challenge-response-system"&gt;challenge-response authentication&lt;/a&gt; and related methods.&lt;/p&gt;
 &lt;p&gt;IAM systems should capture and record user login information, manage the enterprise database of user identities and orchestrate the assignment and removal of access privileges. Tools used for IAM should provide a centralized directory service with oversight and visibility into all aspects of the company user base.&lt;/p&gt;
 &lt;p&gt;To ensure the effectiveness of their IAM efforts, security teams should look to various identity standards and protocols. These tried-and-true standards can help improve an organization's security posture, compliance efforts and even user experience. The &lt;a href="https://www.techtarget.com/searchsecurity/definition/authentication-authorization-and-accounting"&gt;authentication, authorization and accounting&lt;/a&gt; framework, for example, is a way for security teams to organize their IAM work. It provides structure for access control, policy enforcement and usage tracking.&lt;/p&gt;
 &lt;p&gt;Another way for a business to manage IAM is the use of &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-governance-and-administration-IGA"&gt;identity governance and administration&lt;/a&gt;, which is a collection of processes that help ensure proper installation, oversight, enforcement and auditing of IAM policies.&lt;/p&gt;
 &lt;p&gt;It's worth remembering that a &lt;a href="https://www.techtarget.com/whatis/definition/digital-identity"&gt;digital identity&lt;/a&gt; isn't just for a person. IAM can and should manage the digital identities of devices and applications -- what's often called &lt;i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-machine-identity-management"&gt;machine identity management&lt;/a&gt;&lt;/i&gt; or &lt;i&gt;nonhuman identity management&lt;/i&gt;. These can be APIs, servers and devices that access information and need to be managed. Security experts say organizations have begun to realize just how many of these identities are present in their environments. Working to secure them is one of the emerging trends in IAM.&lt;/p&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Benefits of IAM"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of IAM&lt;/h2&gt;
 &lt;p&gt;IAM technologies can be used to initiate, capture, record and manage user identities and their related access permissions in an automated manner. In an era when workforces are more geographically scattered than ever before, well-operated IAM takes on greater importance.&lt;/p&gt;
 &lt;p&gt;An organization with an effective IAM program should expect to see the following benefits, &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-are-the-key-identify-and-access-management-benefits"&gt;among other advantages&lt;/a&gt;:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Access privileges being granted according to policy, with all individuals and services properly authenticated, authorized and audited.&lt;/li&gt; 
  &lt;li&gt;Control of user access, which reduces the risk of internal and external data breaches.&lt;/li&gt; 
  &lt;li&gt;Enforcement of policies around user &lt;a href="https://www.techtarget.com/searchsecurity/definition/authentication"&gt;authentication&lt;/a&gt;, validation and privileging.&lt;/li&gt; 
  &lt;li&gt;Better compliance with government regulations.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;IAM implementation is necessary for secure operations, but companies can also gain competitive advantages. For example, IAM technologies enable a business to give users outside the organization -- such as customers, partners, contractors and suppliers -- access to applications and data without compromising security.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-1" src="https://www.youtube.com/embed/TbTUw2oz0EM?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="IAM technologies and tools"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;IAM technologies and tools&lt;/h2&gt;
 &lt;p&gt;IAM technologies are designed to simplify the user provisioning and account setup process. These systems should reduce the time it takes to complete these processes with a controlled workflow that decreases errors and the potential for abuse while enabling automated account fulfillment. An IAM system should also allow administrators to instantly view and change evolving access roles and rights.&lt;/p&gt;
 &lt;p&gt;These systems should balance the speed and automation of their processes with the control that administrators need to monitor and modify access rights. Consequently, to manage access requests, the central directory needs an access rights system that automatically matches employee job titles, business unit identifiers and locations to their relevant privilege levels.&lt;/p&gt;
 &lt;p&gt;Multiple review levels can be included as workflows to enable the proper checking of individual requests. This simplifies setting up appropriate review processes for higher-level access. It also eases reviews of existing rights to prevent privilege creep, which is the gradual accumulation of access rights beyond what users need to do their jobs.&lt;/p&gt;
 &lt;p&gt;A good IAM tool will automate least-privilege provisioning, enable SSO across multiple apps and providers, provide broad access visibility into an organization's systems and deliver a reasonably smooth user experience, among other functions.&lt;/p&gt;
 &lt;p&gt;IAM systems should provide the flexibility to establish groups with specific privileges for specific roles so that access rights based on employee job functions can be uniformly assigned. The system should also provide request and approval processes for modifying privileges, as employees with the same title and job location might need customized or slightly different access.&lt;/p&gt;
 &lt;p&gt;With IAM, enterprises can &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-are-the-most-common-digital-authentication-methods"&gt;implement a range of digital authentication methods&lt;/a&gt; to prove digital identity and authorize access to corporate resources.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Unique passwords.&lt;/b&gt; The most common type of digital authentication continues to be the unique password. While not especially secure or convenient, passwords are typically how users access their accounts for shopping, banking, entertainment, email and work.&lt;/p&gt;
 &lt;p&gt;To make passwords more secure, some organizations require longer or more complex passwords that include a combination of letters, symbols and numbers. Users understandably find it onerous to remember which long and complex password will get them logged in to this app or that site. SSO entry points and &lt;a href="https://www.techtarget.com/searchsecurity/definition/password-manager"&gt;password managers&lt;/a&gt; can help alleviate that burden.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Multifactor authentication.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;MFA&lt;/a&gt; is an increasingly common type of authentication. An IAM system that requires a user to enter a code texted to their phone, for example, increases the likelihood that the access attempt is legitimate. Unless they've already gained access to -- or possession of -- the user's phone, bad actors with a stolen password won't be able to clear that second authentication hurdle.&lt;/p&gt;
 &lt;p&gt;The MFA movement is gaining momentum. Employers now routinely ask remote workers to use a second or third factor to prove their identity. Financial institutions and other security-minded organizations use MFA processes before granting a customer access to an account. In 2024, Google Cloud, AWS and Microsoft Azure all decided that they would require MFA for their customers to access cloud services.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-2" src="https://www.youtube.com/embed/_3rlQVXGKZc?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
 &lt;p&gt;&lt;b&gt;Adaptive authentication.&lt;/b&gt; When dealing with highly sensitive information and systems, organizations can use behavioral or adaptive authentication methods to assist in identity management. IAM tools, for example, are now more capable of noticing when someone who typically logs in from a certain place at a certain time is attempting to access systems from another location and at a time they are not normally working. These behaviors could signal that the user's credentials have been compromised.&lt;/p&gt;
 &lt;p&gt;By applying AI, organizations can more readily recognize if user or machine behavior falls outside of the norm; anomalies should trigger automatic lockdowns.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Biometrics.&lt;/b&gt; Some IAM systems use biometrics as their method of authentication. Biometric characteristics, such as fingerprints, irises, faces, palms, gaits, voices and, in some cases, DNA, are seen as an easy and precise way to know exactly who is accessing what.&lt;/p&gt;
 &lt;p&gt;While the convenience of facial recognition or fingerprint scanning is hard to deny, the use of biometrics involves risks -- ones that are unlike other challenges in IT or security. Stolen fingerprint data, for example, can't be replaced the way a hacked password can be. Make sure to fully understand the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Evaluate-biometric-authentication-pros-and-cons-implications"&gt;pros and cons of biometric authentication&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;When an organization collects a person's specific facial characteristics, it assumes the serious responsibility of safeguarding that data. Organizations with plans to adopt biometrics need to work through a &lt;a href="https://www.techtarget.com/searchsecurity/tip/In-biometrics-security-concerns-span-technical-legal-and-ethical"&gt;long list of privacy and legal questions&lt;/a&gt; before committing to this form of authentication.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types.png 1280w" alt="An illustration of 16 types of biometric authentication." height="608" width="559"&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;                  
&lt;section class="section main-article-chapter" data-menu-title="Implementing IAM in the enterprise"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Implementing IAM in the enterprise&lt;/h2&gt;
 &lt;p&gt;A key area of concern in IAM is &lt;a href="https://www.techtarget.com/searchsecurity/tip/User-provisioning-and-deprovisioning-Why-it-matters-for-IAM"&gt;how accounts are provisioned and deprovisioned&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;IT teams will sometimes grant privileges to a user beyond what's needed for that person to do a particular job. For an intruder, these overprivileged accounts are especially valuable targets because they allow access to many parts of an organization. A related risk is poorly handled deprovisioning, which is the removal of access when an employee changes roles or leaves the company. Strict provisioning also reduces the chances of an insider threat.&lt;/p&gt;
 &lt;p&gt;An organization needs to identify a team of people who will play a lead role in the enforcement of identity and access policies. IAM affects every department and every type of user -- employee, contractor, partner, supplier, customer and so on -- so it's essential the IAM team comprises a mix of corporate functions. An approach that pulls together various people and is organized around the same goals should improve the chances of success in identity security.&lt;/p&gt;
 &lt;p&gt;What's needed for an &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-build-an-identity-and-access-management-architecture"&gt;effective IAM infrastructure&lt;/a&gt;? Key points to evaluate include how to handle authentication and &lt;a href="https://www.techtarget.com/searchsecurity/definition/federated-identity-management"&gt;federated identity management&lt;/a&gt;. These activities could involve a decision to use the &lt;a href="https://www.techtarget.com/whatis/definition/OpenID"&gt;OpenID Connect&lt;/a&gt; protocol or the &lt;a href="https://www.techtarget.com/searchsecurity/definition/SAML"&gt;SAML&lt;/a&gt; standard, which are similar but not the same.&lt;/p&gt;
 &lt;p&gt;Implementations should be carried out with &lt;a href="https://www.techtarget.com/searchsecurity/tip/Best-practices-for-a-bulletproof-IAM-strategy"&gt;IAM best practices&lt;/a&gt; in mind, which include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Adoption of the zero-trust architecture.&lt;/li&gt; 
  &lt;li&gt;Use of MFA.&lt;/li&gt; 
  &lt;li&gt;Strong password policies.&lt;/li&gt; 
  &lt;li&gt;Promotion of security awareness training.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Businesses also should make sure to centralize security and critical systems around identity. Perhaps most importantly, organizations should create a process they can use to evaluate the efficacy of current IAM controls.&lt;/p&gt;
 &lt;p&gt;While IAM relies on a lot of technology, it is not about only the frameworks and tools. An IT security team needs people who possess &lt;a href="https://www.techtarget.com/searchsecurity/tip/What-skills-are-needed-for-a-successful-career-in-IAM"&gt;IAM skills and expertise&lt;/a&gt;. Those seeking jobs in the field should be ready to demonstrate their knowledge when it comes time for &lt;a href="https://www.techtarget.com/whatis/feature/IAM-Interview-Questions-and-Answers"&gt;the IAM job interview&lt;/a&gt;.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/mfa_sms_examples-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/mfa_sms_examples-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/mfa_sms_examples-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/mfa_sms_examples-f.png 1280w" alt="Graphic of two smartphones displaying examples of MFA messages. " height="353" width="560"&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;          
&lt;section class="section main-article-chapter" data-menu-title="IAM risks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;IAM risks&lt;/h2&gt;
 &lt;p&gt;While essential to security efforts, IAM is not without risks. Organizations can -- and do -- get things wrong when trying to manage identities and control access.&lt;/p&gt;
 &lt;p&gt;Access management can be of concern when the provisioning and deprovisioning of user accounts aren't handled correctly. Security teams need to be aware of vulnerable, inactive user accounts. When there is a sprawl in admin accounts, someone should notice and raise questions about why. Organizations need to ensure lifecycle control over all aspects of IAM to prevent malicious actors from gaining access to user identities and passwords.&lt;/p&gt;
 &lt;p&gt;Specific &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-are-some-of-the-top-identity-and-access-management-risks"&gt;IAM risks to watch for&lt;/a&gt; include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Irregular access reviews.&lt;/li&gt; 
  &lt;li&gt;Weak passwords and missing MFA.&lt;/li&gt; 
  &lt;li&gt;Overprivileged accounts.&lt;/li&gt; 
  &lt;li&gt;Poorly integrated IAM across systems and clouds.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Audit capabilities act as a check to ensure users' access changes accordingly when they switch roles or leave the organization.&lt;/p&gt;
 &lt;p&gt;To better assess their organization's security risks, IT professionals can pursue security certifications. Some certifications are &lt;a href="https://www.techtarget.com/searchsecurity/tip/Comparing-top-identity-and-access-management-certifications"&gt;specific to identity management&lt;/a&gt;.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="IAM vendors and products"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;IAM vendors and products&lt;/h2&gt;
 &lt;p&gt;IAM vendors range from large companies -- such as IBM, Microsoft, Oracle and RSA -- to pure-play providers -- such as Okta, Ping Identity, SailPoint and OneLogin.&lt;/p&gt;
 &lt;p&gt;The dynamic nature of &lt;a href="https://www.techtarget.com/searchsecurity/feature/8-leading-identity-and-access-management-products-for-2020"&gt;the IAM tools market&lt;/a&gt; means that organizations have plenty of options. It also means security teams will need to do some legwork to identify the right mix of products that will address the needs of the business, such as centralized management, SSO, governance, compliance and risk analytics tools.&lt;/p&gt;
 &lt;p&gt;Some vendors are moving toward combining various products and tooling into IAM platforms. Having a suite of capabilities in a single platform could lessen the integration problems found with the currently fragmented market of IAM products.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="IAM and compliance"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;IAM and compliance&lt;/h2&gt;
 &lt;p&gt;Central to IAM is an adherence to the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;principle of least privilege&lt;/a&gt;, where users are granted only the access rights necessary to fulfill their particular work duties. This predetermined and real-time access control is necessary for security as well as compliance.&lt;/p&gt;
 &lt;p&gt;With IAM controls in place, a business should be able to prove to outside entities that it takes its security responsibilities seriously and that data is protected. Organizations with effective IAM can &lt;a href="https://www.techtarget.com/searchsecurity/tip/Identity-management-compliance-How-IAM-systems-support-compliance"&gt;demonstrate compliance&lt;/a&gt; and adhere to applicable regulations, such as GDPR, HIPAA and the Sarbanes-Oxley Act.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="The IAM roadmap"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The IAM roadmap&lt;/h2&gt;
 &lt;p&gt;Innovation is plentiful around IAM, and enterprises are the beneficiaries of new strategies that are backed up by products and features. As has always been the case, however, security professionals must confront threats that are known -- and persistent because of their proven effectiveness -- and ones that are emerging and less defined.&lt;/p&gt;
 &lt;p&gt;One of the newer IAM-related defenses against cyberattacks is identity threat detection and response (&lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-identity-threat-detection-and-response-ITDR"&gt;ITDR&lt;/a&gt;). A combination of tools and best practices, ITDR is intended to stop bad actors from taking advantage of vulnerable identities, such as one associated with a legacy application that isn't compatible with a modern access management tool. ITDR can flag these weaknesses, giving an IT team the chance to address the vulnerabilities before they are exploited.&lt;/p&gt;
 &lt;p&gt;Advancements in AI have heightened concerns about identity security. Experts worry that &lt;a href="https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous"&gt;AI could make phishing tactics more sophisticated&lt;/a&gt; and more believable. Effective phishing typically requires some morsel of information that lends at least a ring of truth to the message -- something that sounds reasonable enough to trick a recipient into action. AI can quickly and efficiently gather the bits of information that provide that veneer of legitimacy.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Longer, stronger passwords might improve identity management, but they won't satisfy those who would like to see every password permanently expire.
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;When cybercriminals can induce their victims to click a link or reveal a password, even strong organizational defenses and IAM protections can be thwarted.&lt;/p&gt;
 &lt;p&gt;Even without AI's help, passwords have long been vulnerable. Cracking techniques make many passwords solvable. And the prospect of needing to create and remember yet another password is a common aggravation. It's fair to say passwords are about as popular with hackers as they are unpopular with users.&lt;/p&gt;
 &lt;p&gt;Despite being both risky and unloved, passwords endure. The shift to &lt;a href="https://www.techtarget.com/searchsecurity/definition/passwordless-authentication"&gt;passwordless authentication&lt;/a&gt; is tantalizing, but that passwordless future has yet to arrive.&lt;/p&gt;
 &lt;p&gt;In a September 2024 earnings call, Oracle's chairman and cofounder Larry Ellison lamented tech's continued reliance on passwords. Ellison argued that facial recognition tools should be the way forward. "Look at me and recognize me," Ellison said. "Don't ask me to type in some stupid 17-letter password."&lt;/p&gt;
 &lt;p&gt;Ellison's remarks came at roughly the same time that NIST, which sets the most widely accepted cybersecurity standards, proposed significant adjustments to its password guidelines. Recognizing that passwords are still widely used and likely will be for the foreseeable future, NIST is advocating for better passwords. The 2024 draft guidelines call for organizations to eliminate the common mandate for users to reset a password every 90 days; a password change, NIST suggested, should be made only when there's evidence or reasonable concern that a breach has compromised someone's credentials. The NIST proposal also recommended password length grow to between 15 and 64 characters.&lt;/p&gt;
 &lt;p&gt;Longer, stronger passwords might improve identity management, but they won't satisfy those who would like to see every password permanently expire. Promoters of passkeys, for example, argue that users should be able to access applications and websites with the same safe and simple methods they use to unlock a device. Once a passkey is created, password-manager technology matches a public key known only to the service being accessed with a private key known only to the device being used. This cryptographic key pair lets users authenticate themselves without needing to remember a password -- provided they have securely unlocked the device in use through a PIN or biometric method.&lt;/p&gt;
 &lt;p&gt;The FIDO Alliance, a nonprofit with backing from Google and others, is &lt;a href="https://www.passkeycentral.org/introduction-to-passkeys/the-passkey-experience" target="_blank" rel="noopener"&gt;pushing standards&lt;/a&gt; that would enable wider use of passkeys. The goal would be to effectively replace passwords. Whether businesses and individuals will embrace passkeys and password managers is far from certain. And it's worth remembering that the password's demise has been sought -- and predicted -- for a long time, which gives you something to think about the next time you stop to remember how to sign in to your account.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Phil Sweeney is an industry editor and writer focused on information security topics. Article was updated in 2025 to improve the reader's experience.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>No longer just a good idea, IAM is a crucial piece of the cybersecurity puzzle. It's how an organization regulates access to information and meets its compliance obligations.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system</link>
            <pubDate>Fri, 21 Nov 2025 00:00:00 GMT</pubDate>
            <title>What is identity and access management? Guide to IAM</title>
        </item>
        <item>
            <body>&lt;p&gt;Employees are often cited as the weakest link in enterprise cybersecurity. Verizon's "2025 Data Breach Investigations Report" supports this view, finding that about 60% of all breaches involve the human element, from human error to stolen credentials to social engineering.&lt;/p&gt; 
&lt;p&gt;Accidental or malicious, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Five-common-insider-threats-and-how-to-mitigate-them"&gt;insider threats&lt;/a&gt; can cause enormous financial and reputational damage. The good news is that employees are also an organization's first line of defense -- if they receive the proper training.&lt;/p&gt; 
&lt;p&gt;Security tools can alleviate the chances of insider threats, but to really drill down to the root cause and prevent user-related security incidents at their core, IT leaders need to create and implement a comprehensive and consistent &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan"&gt;cybersecurity awareness training program&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;The following security awareness training quiz contains questions designed to test and reinforce employee cybersecurity fundamentals. Get a baseline of cybersecurity knowledge and discover where employees need more training.&lt;/p&gt; 
&lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;An editor used AI tools to aid in the generation of this quiz. Our expert editors always review and edit content before publishing.&lt;/i&gt;&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.&lt;/i&gt;&lt;/p&gt; 
</body>
            <description>From phishing to patching, file sharing to MFA, find out how much you know about preventing cybersecurity incidents in this security awareness training quiz.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a252808758.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/quiz/Quiz-Security-awareness-for-end-users</link>
            <pubDate>Thu, 23 Oct 2025 09:00:00 GMT</pubDate>
            <title>Cybersecurity awareness quiz: Questions and answers</title>
        </item>
        <item>
            <body>&lt;p&gt;Data masking is a &lt;a href="https://www.techtarget.com/searchsecurity/Data-security-guide-Everything-you-need-to-know"&gt;security&lt;/a&gt; technique that modifies sensitive data in a data set so it can be used safely in a non-production environment. Masking allows software developers, software testers, software application trainers and data analysts to work with an organization's data without putting confidential information at risk or violating compliance regulations designed to protect personally identifiable information (&lt;a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII"&gt;PII&lt;/a&gt;).&lt;/p&gt; 
&lt;p&gt;Data masking is most often used to protect &lt;a href="https://www.techtarget.com/whatis/definition/structured-data"&gt;structured data&lt;/a&gt; in software development environments and in situations where data sets that contain confidential information need to be shared between systems or with third-party partners. To be used effectively, masked data should be able to pass validation checks and maintain consistent relationships across tables, but not be able to be &lt;a href="https://www.techtarget.com/searchsoftwarequality/definition/reverse-engineering"&gt;reverse-engineered&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Data masking uses &lt;a href="https://www.techtarget.com/searchsecurity/definition/obfuscation"&gt;data obfuscation&lt;/a&gt; techniques like scrambling and substitution to change confidential data values, while still preserving &lt;a href="https://www.techtarget.com/searchapparchitecture/definition/data-type"&gt;data types&lt;/a&gt; and &lt;a href="https://www.techtarget.com/whatis/definition/file-format"&gt;file formats&lt;/a&gt;. This allows the masked data to behave just like the original data in non-production environments but prevents it from being used for identity theft, fraud or other malicious reasons.&lt;/p&gt; 
&lt;div class="youtube-iframe-container"&gt;
 &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/0pbgV4GSKDo?si=jC7kvbODeb0-iXjx?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
&lt;/div&gt; 
&lt;p&gt;Data masking is considered to be a pseudonymizing &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-de-identification"&gt;data de-identification&lt;/a&gt; technique because the altered data does not replace the true data values. Under compliance regulations in many parts of the world, pseudonymized data remains within the scope of privacy laws. This means that masked data is still subject to compliance requirements and organizations must still apply access controls, maintain audit trails and report a &lt;a href="https://www.techtarget.com/searchsecurity/definition/data-breach"&gt;breach&lt;/a&gt; if masked data is compromised.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How does data masking work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does data masking work?&lt;/h2&gt;
 &lt;p&gt;The process of data masking typically involves discovering and classifying sensitive data fields in a structured data set and then determining how to alter the data while still preserving its format, data type and relationships.&lt;/p&gt;
 &lt;p&gt;To facilitate the process, organizations often rely on &lt;a href="https://www.techtarget.com/searchbusinessanalytics/tip/10-top-data-discovery-tools-for-insights-and-visualizations"&gt;data discovery&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-classification"&gt;data classification&lt;/a&gt; tools that use pattern matching, regular expressions or natural language processing (&lt;a href="https://www.techtarget.com/searchenterpriseai/definition/natural-language-processing-NLP"&gt;NLP&lt;/a&gt;) to locate sensitive values like credit card numbers or health insurance claim codes. Once identified, those values can be altered in a way that disguises the original content but keeps the document or file usable in non-production environments.&lt;/p&gt;
 &lt;p&gt;Masked values can be created manually, but to handle large data sets, organizations usually rely on curated pools of realistic data or format-preserving generators. After masking, the data set is checked to make sure it still works correctly, and the process is monitored closely to ensure it doesn't create new risks.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Types of data masking"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of data masking&lt;/h2&gt;
 &lt;p&gt;Data masking can be carried out statically, dynamically or on-the-fly. Static masking is completed in batches ahead of time, dynamic masking masks query results in real time and on-the-fly masking alters data as it moves between environments.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Static masking involves making a copy of the original data and replacing sensitive values in the copy with realistic-looking stand-ins. Static masking allows sensitive data to be used safely in development, testing, training or analytics environments because it retains the original &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-structure"&gt;data structure&lt;/a&gt; but no longer contains values that can be exploited.&lt;/li&gt; 
  &lt;li&gt;Dynamic data masking leaves the original data unchanged in the production system and applies masking rules in real time whenever the data is queried. Dynamic masking can be permission-based and allow some users to see the original values in query results while others see realistic-looking stand-in values.&lt;/li&gt; 
  &lt;li&gt;On-the-fly data masking modifies sensitive &lt;a href="https://www.techtarget.com/whatis/definition/data-in-motion"&gt;data in motion&lt;/a&gt;. This approach is especially useful when provisioning test databases in the cloud because it ensures the destination environment -- which is usually a non-production system -- only receives masked values and never has access to the original data.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;table class="main-article-table"&gt; 
  &lt;thead&gt; 
   &lt;tr&gt; 
    &lt;td colspan="4"&gt; &lt;p&gt;&lt;span style="color: #ecf0f1;"&gt;&lt;b&gt;Different types of data masking&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt; &lt;p&gt;&lt;span style="color: #ecf0f1;"&gt;&lt;b&gt;Type of masking&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;&lt;span style="color: #ecf0f1;"&gt;&lt;b&gt;Use case&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;&lt;span style="color: #ecf0f1;"&gt;&lt;b&gt;Advantages&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;&lt;span style="color: #ecf0f1;"&gt;&lt;b&gt;Limitations&lt;/b&gt;&lt;/span&gt;&lt;/p&gt; &lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/thead&gt; 
  &lt;tbody&gt; 
   &lt;tr&gt; 
    &lt;td&gt; &lt;p&gt;&lt;b&gt;Static data masking (SDM)&lt;/b&gt;&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Creating safe, permanent copies of production data for development, testing or training.&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Provides realistic data sets for non-production use; safe to share across teams.&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Requires making and maintaining copies; not suitable for live systems.&lt;/p&gt; &lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt; &lt;p&gt;&lt;b&gt;Dynamic data masking (DDM)&lt;/b&gt;&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Producing different views of the same live production data.&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Protects sensitive fields at query time; supports permission-based access; no changes to production data.&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Can affect performance; can be complex to manage at scale.&lt;/p&gt; &lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt; &lt;p&gt;&lt;b&gt;On-the-fly data masking (OFM)&lt;/b&gt;&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Transferring data between environments.&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Ensures sensitive data never leaves the source unmasked; reduces risk for data in transit.&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Requires integration with data transfer processes.&lt;/p&gt; &lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/tbody&gt; 
 &lt;/table&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Data masking techniques"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Data masking techniques&lt;/h2&gt;
 &lt;p&gt;A variety of &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-management"&gt;data management&lt;/a&gt; techniques can be used to disguise sensitive data while still keeping data sets functional in non-production environments. Popular methods include the following:&lt;/p&gt;
 &lt;h3&gt;Scrambling&lt;/h3&gt;
 &lt;p&gt;Scrambling is a masking technique that obfuscates data by reordering alphanumeric characters. For example, customer ID number 3A429 in a production database might be replaced with 293A4 in a scrambled test environment. Scrambling is easy to implement, but because scrambled data can still reveal patterns that could be reverse-engineered, many organizations use it alongside stronger masking techniques such as substitution.&lt;/p&gt;
 &lt;h3&gt;Substitution&lt;/h3&gt;
 &lt;p&gt;This masking technique replaces some (or all) sensitive data values with similar values that have the same characteristics. For example, valid credit card numbers might be replaced with different numbers that could still pass the card provider's validation rules. Substitution is one of the strongest masking techniques because it produces realistic-looking data that cannot be linked back to the original values, while still preserving the &lt;a href="https://www.techtarget.com/searchdatacenter/definition/integrity"&gt;integrity&lt;/a&gt;, usability and format of the original data set.&lt;/p&gt;
 &lt;h3&gt;Shuffling&lt;/h3&gt;
 &lt;p&gt;Shuffling protects structured information by rearranging the order in which values appear in a database column. This approach preserves data formats and keeps data sets functional for testing or analysis, but it weakens the connection between individual records and their original values. Shuffling is considered a lightweight masking technique, so it is often used in combination with other masking techniques, such as substitution and scrambling.&lt;/p&gt;
 &lt;h3&gt;Nulling&lt;/h3&gt;
 &lt;p&gt;Nulling is a data masking technique that allows sensitive fields in a &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/relational-database"&gt;relational database&lt;/a&gt; to be replaced with a null value (or sometimes a zero-length blank). For example, a customer record's Social Security number field might be set to null so that no value appears at all. This approach can only work if the database management system recognizes null as a placeholder. Nulling is often considered to be one of the weakest forms of data masking because it removes values entirely rather than replacing them with realistic stand-ins, and this can limit the usefulness of the data in certain testing or analytics environments.&lt;/p&gt;
 &lt;h3&gt;Variance&lt;/h3&gt;
 &lt;p&gt;Variances are often used to mask financial values and transactional values. In this approach, an algorithm is used to modify each number by a random percentage of its real value. For instance, a column of sales figures could have a variance of plus or minus 5% applied to it. Variances are often used to protect sensitive numerical data values while still maintaining the overall &lt;a href="https://www.techtarget.com/searchdatacenter/definition/statistical-mean-median-mode-and-range"&gt;range&lt;/a&gt;, distribution and statistical usefulness of the data set.&lt;/p&gt;
 &lt;h3&gt;Data aging&lt;/h3&gt;
 &lt;p&gt;Data aging is a specific type of variance that involves shifting date values forward or backward in time while keeping the format and logical sequence intact. For example, a customer's date of birth 07/14/1985 might be aged to 09/02/1984, or a transaction timestamp might be moved ahead by 90 days. Data aging is useful when data sets include sensitive information that is tied to actual events or timelines. By aging the dates, organizations can protect &lt;a href="https://www.techtarget.com/searchcio/definition/data-privacy-information-privacy"&gt;data privacy&lt;/a&gt; while still allowing developers, testers, or &lt;a href="https://www.techtarget.com/searchbusinessanalytics/feature/What-does-a-business-intelligence-analyst-do"&gt;analysts&lt;/a&gt; to work with realistic time-based data.&lt;/p&gt;
 &lt;h3&gt;Deterministic masking&lt;/h3&gt;
 &lt;p&gt;Deterministic masking is a type of pseudonymized data masking in which the same input value is always replaced with the same masked output value, every time it appears in the data set. This approach is often used in non-production environments that need to preserve relationships but don't need to know the true underlying values. Because it's possible to reverse engineer deterministic replacements, however, this type of masking is usually enhanced by strong substitution rules and typically uses large replacement pools designed to reduce predictability.&lt;/p&gt;
 &lt;h3&gt;Masking out&lt;/h3&gt;
 &lt;p&gt;Masking out hides part of a sensitive value with a placeholder. This approach to data masking is commonly used for PCI DSS compliance.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/examples_of_the_various_data_masking_techniques-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/examples_of_the_various_data_masking_techniques-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/examples_of_the_various_data_masking_techniques-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/examples_of_the_various_data_masking_techniques-f.png 1280w" alt="This comparison chart provides examples that show how scrambling, shuffling, substitution, variance, masking out and nullifying can be used to mask sensitive data." height="308" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Different masking methods can transform sensitive data into safe but realistic values for nonproduction use.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;                   
&lt;section class="section main-article-chapter" data-menu-title="Why is data masking important?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is data masking important?&lt;/h2&gt;
 &lt;p&gt;Masking plays an important role in &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;risk management&lt;/a&gt; because it transforms sensitive data into a safe form that maintains functionality but removes any value the data might have to attackers. Even if a masked data set is stolen or leaked, it cannot be used for fraud, &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-theft"&gt;identity theft&lt;/a&gt;, or other malicious purposes.&lt;/p&gt;
 &lt;p&gt;Masking also plays an important role in reducing &lt;a href="https://www.techtarget.com/searchcio/definition/compliance-risk"&gt;compliance risks&lt;/a&gt;. Various data protection laws and standards require organizations to safeguard personally identifiable information and protected health information (&lt;a href="https://www.techtarget.com/searchhealthit/definition/personal-health-information"&gt;PHI&lt;/a&gt;) and keep it confidential. Compliance with these frameworks is not optional; failure to comply can result in financial penalties and reputational damage.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;California Consumer Privacy Act.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchcio/definition/California-Consumer-Privacy-Act-CCPA"&gt;CCPA&lt;/a&gt; gives consumers rights over how their personal information is collected, sold, and disclosed. Masking supports compliance by reducing the risk that personal information is exposed when data is used for development, testing, training or analytics.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;General Data Protection Regulation.&lt;/b&gt; &lt;a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR"&gt;GDPR&lt;/a&gt; applies to all organizations that process personal data in the European Union or European Economic Area. Masking supports GDPR compliance by reducing the risk that personal data is exposed when it is used outside production systems.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Health Insurance Portability and Accountability Act.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchhealthit/definition/HIPAA"&gt;HIPAA&lt;/a&gt; requires covered entities and their business associates in the U.S. to implement safeguards that preserve personal health information &lt;a href="https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA"&gt;confidentiality, integrity and availability&lt;/a&gt;. Masking helps organizations use realistic health data sets for research, testing or training while still protecting patient privacy.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Payment Card Industry Data Security Standard.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/PCI-DSS-compliance-Payment-Card-Industry-Data-Security-Standard-compliance"&gt;PCI DSS&lt;/a&gt; is a global standard created by the PCI Security Standards Council to protect cardholder data. PCI DSS requires merchants and service providers to limit access to sensitive payment information, including the primary account number (PAN), expiration date, and card validation value (CVV).&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What types of data should be masked?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What types of data should be masked?&lt;/h2&gt;
 &lt;p&gt;Masking is used to obfuscate data values that could be used to determine a person's identity, finances or health if leaked. Common types of data that are often masked include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Personally identifiable information.&lt;/b&gt; This includes names, addresses, Social Security numbers, license numbers, passport numbers, and other data types that can be used to specifically identify an individual.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Protected health information.&lt;/b&gt; This includes medical records, diagnoses, test results, treatment outcomes and other health data that can be traced back to a specific individual.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Financial data.&lt;/b&gt; In finance, developers, analysts, and third-party vendors often need access to realistic data for testing or modeling. Masking allows institutions to use functional data sets while reducing the risk of regulatory violations and data breaches.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Payment card information.&lt;/b&gt; PCI DSS requires merchants and service providers to protect cardholder data and ensure that primary account numbers are rendered unreadable anywhere they're stored, unless there is a strict business need for the full value.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Internal corporate data.&lt;/b&gt; Masking is often used to protect sensitive data in vendor and employee records. For example, masking allows HR systems to be tested or integrated with other tools safely while protecting employees' privacy.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Intellectual property.&lt;/b&gt; Sensitive data that is included in trade secrets, inventions, patents or other types of intellectual property documents can be masked to prevent unnecessary exposure during testing, collaboration or data sharing. Many organizations use &lt;a href="https://www.techtarget.com/searchsecurity/definition/encryption"&gt;encryption&lt;/a&gt; and role-based access controls (&lt;a href="https://www.techtarget.com/searchsecurity/definition/role-based-access-control-RBAC"&gt;RBAC&lt;/a&gt;) in addition to masking to protect their IP.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Data masking challenges"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Data masking challenges&lt;/h2&gt;
 &lt;p&gt;Data masking is not a simple, one-step process because sensitive fields need to be transformed to prevent re-identification while still preserving the structure, data types and statistical properties of the original data set. If this balance is not maintained, the masked data won't be useful in non-production environments.&lt;/p&gt;
 &lt;p&gt;In fact, maintaining referential integrity for masked data can be a major challenge. Masked values need to remain consistent across related tables and systems so that &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/primary-key"&gt;primary key&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchoracle/definition/foreign-key"&gt;foreign key&lt;/a&gt; relationships are preserved. While this might sound straightforward, most databases are normalized for performance, and masking sensitive data stored in a &lt;a href="https://www.techtarget.com/searchoracle/definition/distributed-database"&gt;distributed database&lt;/a&gt; can quickly become a complicated process.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-governance"&gt;Data governance&lt;/a&gt; is another challenge because masked data still needs to comply with business rules and validation requirements. For example, account numbers must retain their correct length and credit card numbers must pass a &lt;a href="https://www.techtarget.com/searchsecurity/definition/LUHN-formula"&gt;Luhn check&lt;/a&gt;. Without this, applications in non-production environments might crash during testing, and analytics might yield distorted results.&lt;/p&gt;
 &lt;p&gt;To overcome these challenges, database administrators (&lt;a href="https://www.techtarget.com/searchdatamanagement/definition/database-administrator"&gt;DBAs&lt;/a&gt;) need to conduct a detailed review of the data that needs to be masked and include stakeholders who will be using the masked data in the review. This will help ensure that appropriate masking techniques are used for each use case and that data being masked actually maintains the characteristics of the original data.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Data masking best practices"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Data masking best practices&lt;/h2&gt;
 &lt;p&gt;Data masking allows organizations to &lt;a href="https://www.techtarget.com/searchcio/definition/privacy-compliance"&gt;comply with privacy regulations&lt;/a&gt; and still use data sets that contain sensitive data in non-production environments. To be used effectively, masking should follow these best practices:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Identify what data should be masked. &lt;/b&gt;Enterprise data is often spread across multiple databases, tables and storage locations. To ensure sensitive information is consistently protected, the first thing organizations need to do is locate and identify which data elements should be masked.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Consider masking unstructured data.&lt;/b&gt; Images, &lt;a href="https://www.techtarget.com/whatis/definition/Portable-Document-Format-PDF"&gt;PDFs&lt;/a&gt; and text-based files that contain sensitive information must also be protected. Organizations should consider using &lt;a href="https://www.techtarget.com/searchcontentmanagement/definition/OCR-optical-character-recognition"&gt;optical character recognition&lt;/a&gt; to locate sensitive data in &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-lake"&gt;data lakes&lt;/a&gt; and other unstructured storage repositories.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Include data masking in policies.&lt;/b&gt; Best practices for data masking should be included in an organization's data management and security policies.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Adopt the principle of least privilege.&lt;/b&gt; Access to masked data should comply with an organization's security policies. A recommended best practice is to apply the principle of least privilege, i.e., &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;POLP&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Test the usefulness of masked data.&lt;/b&gt; It's important to assess the outputs of data masking techniques to verify that they are comparable with those made from the original data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Maintain referential integrity. &lt;/b&gt;Masked values should remain consistent across related systems and tables. This will ensure that data joins, queries and analytics will work properly, even though the original values have been altered.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Data masking vs. other obfuscation techniques"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Data masking vs. other obfuscation techniques&lt;/h2&gt;
 &lt;p&gt;Masking prevents sensitive information from being exposed in contexts where real data is not needed. Other obfuscation techniques -- like &lt;a href="https://www.techtarget.com/searchdatamanagement/feature/Data-anonymization-best-practices-protect-sensitive-data"&gt;data anonymization&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/video/An-explanation-of-encryption"&gt;encryption&lt;/a&gt; or the use of &lt;a href="https://www.techtarget.com/searchcio/definition/synthetic-data"&gt;synthetic data&lt;/a&gt; -- serve related but different purposes.&lt;/p&gt;
 &lt;p&gt;For example, anonymization irreversibly removes identifiers so data can never be linked back to a specific individual. Once anonymized, the data set is no longer considered personal data under frameworks such as GDPR because there is no realistic way to re-identify individuals. The tradeoff, however, is that anonymized data often loses some of its utility for detailed analysis or testing because the links to real-world individuals are permanently broken.&lt;/p&gt;
 &lt;p&gt;Encryption secures &lt;a href="https://www.techtarget.com/searchstorage/definition/data-at-rest"&gt;data at rest&lt;/a&gt; or in transit by making it unreadable without the right encryption key. While encryption can protect sensitive information from unauthorized access, it does not provide realistic stand-ins for testing or training environments like masking does.&lt;/p&gt;
 &lt;p&gt;Synthetic data is created from scratch by algorithms or &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/generative-AI"&gt;generative AI&lt;/a&gt; models. Because synthetic data is not directly tied to real records, it is often considered a safe alternative to masking.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Data masking use cases"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Data masking use cases&lt;/h2&gt;
 &lt;p&gt;Data masking is used across a wide variety of industries to drive innovation and improve services without putting sensitive information at risk. In banking and finance, for example, masking can support the development of new &lt;a href="https://www.techtarget.com/searchsecurity/definition/fraud-detection"&gt;fraud detection&lt;/a&gt; systems while ensuring that regulated data such as account numbers and payment details remain protected. Healthcare, retail and government agencies also rely on masking to balance functionality with &lt;a href="https://www.techtarget.com/searchcio/definition/regulatory-compliance"&gt;regulatory compliance&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Currently, the main drivers behind data masking revolve around &lt;a href="https://www.techtarget.com/searchsecurity/definition/security"&gt;security&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/tip/State-of-data-privacy-laws"&gt;privacy regulations&lt;/a&gt;. By replacing sensitive values with realistic-looking stand-ins, masking allows businesses to work with data sets that contain sensitive information while reducing the likelihood of exposing confidential information.&lt;/p&gt;
 &lt;p&gt;Masking can also help reduce the impact of a data breach. If an attacker exfiltrates a masked copy, and the masking was done effectively, sensitive information cannot be associated with specific individuals.&lt;/p&gt;
 &lt;p&gt;It's also worth noting that many tasks in non-production environments require partial access to records rather than full visibility. Dynamic masking can help ensure employees are able to do their jobs without unnecessary access to sensitive data. To streamline masking and reduce manual effort, masking tools can be integrated with &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/Extract-Load-Transform-ELT"&gt;extract, transform, load&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchitoperations/definition/DevOps"&gt;DevOps&lt;/a&gt; pipelines.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Masking tools"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Masking tools&lt;/h2&gt;
 &lt;p&gt;Several well-known tools can make the data masking process faster, easier and more reliable. Here are some popular options that support data discovery, classification, rule definition, masking execution and mask auditing:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.informatica.com/content/dam/informatica-com/en/collateral/data-sheet/persistent-data-masking_data-sheet_6990.pdf" rel="noopener"&gt;Informatica&lt;/a&gt;. Known for strong discovery, static/dynamic masking and its ability to be integrated with other data management platforms.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.perforce.com/p/pdx/data-masking-contact-us" rel="noopener"&gt;Delphix&lt;/a&gt;. Known for facilitating automated masking in non-production environments.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.ibm.com/docs/da/iotdm/11.3.0?topic=data-masking" rel="noopener"&gt;IBM InfoSphere Optim Data Privacy&lt;/a&gt;. Good for enterprises that have complex masking needs. Includes features for data discovery, classification, transformation and compliance reporting.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://learn.microsoft.com/en-us/fabric/data-warehouse/dynamic-data-masking" rel="noopener"&gt;Microsoft / Azure SQL Server / Azure Dynamic Data Masking&lt;/a&gt;. Useful especially in Microsoft/Cloud-heavy environments; offers built-in dynamic masking features.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.oracle.com/security/database-security/data-masking/" rel="noopener"&gt;Oracle Data Masking and Subsetting&lt;/a&gt;. Many options also support masking in non-Oracle databases.&lt;/li&gt; 
  &lt;li&gt;&lt;a target="_blank" href="https://www.k2view.com/blog/data-masking-techniques" rel="noopener"&gt;K2View&lt;/a&gt;. Provides masking and synthetic data generation in enterprise settings, with attention to maintaining referential integrity and scaling across systems.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;To understand the pros and cons of data masking, it can be helpful to &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchdatamanagement/feature/15-top-data-governance-tools-to-know-about"&gt;&lt;i&gt;learn more about &lt;/i&gt;&lt;i&gt;data governance tools&lt;/i&gt;&lt;/a&gt;&lt;i&gt; and how they help organizations strike a balance between data utility and data protection.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Data masking is a security technique that modifies sensitive data in a data set so it can be used safely in a non-production environment.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/3.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/data-masking</link>
            <pubDate>Wed, 22 Oct 2025 17:09:00 GMT</pubDate>
            <title>What is data masking?</title>
        </item>
        <item>
            <body>&lt;p&gt;Antivirus software (antivirus program) is a security program designed to prevent, detect, search and remove viruses and other types of &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; from computers, networks and other devices. Often included as part of a security package, antivirus software can also be purchased as a standalone option.&lt;/p&gt; 
&lt;p&gt;Typically installed on a computer as a proactive approach to cybersecurity, an antivirus program can help mitigate a variety of cyber threats, including &lt;a href="https://www.techtarget.com/searchsecurity/definition/keylogger"&gt;keyloggers&lt;/a&gt;, browser hijackers, &lt;a href="https://www.techtarget.com/searchsecurity/definition/Trojan-horse"&gt;Trojan horses&lt;/a&gt;, worms, rootkits, &lt;a href="https://www.techtarget.com/whatis/definition/Top-10-Spyware-Threats"&gt;spyware&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/definition/adware"&gt;adware&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/news/366611357/FBI-disrupts-another-Chinese-state-sponsored-botnet"&gt;botnets&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/definition/phishing"&gt;phishing attempts&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;ransomware&lt;/a&gt; attacks.&lt;/p&gt; 
&lt;p&gt;Due to the constantly &lt;a href="https://www.techtarget.com/searchsecurity/feature/Lessons-in-the-new-era-of-AI-enabled-cybercrime"&gt;evolving nature of cybercrimes&lt;/a&gt; and new versions of malware being released daily, including &lt;a href="https://www.computerweekly.com/news/366629825/Three-new-Citrix-NetScaler-zero-days-under-active-exploitation"&gt;zero-day&lt;/a&gt; attacks, no antivirus program can offer detection and protection against all threat vectors.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/12_common_types_of_malware-f.png"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineimages/12_common_types_of_malware-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/12_common_types_of_malware-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/12_common_types_of_malware-f.png 1280w" alt="A chart listing some of the many types of malware that can harm a computer, network or server." height="318" width="559"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;A virus is just one of the many types of malware that antivirus software is designed to prevent, detect, search and remove.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How antivirus software works"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How antivirus software works&lt;/h2&gt;
 &lt;p&gt;Antivirus software normally runs as a background process, scanning computers, servers or mobile devices to detect and restrict the spread of malware. Many antivirus software programs include &lt;a href="https://www.techtarget.com/searchitoperations/definition/continuous-monitoring"&gt;real-time threat detection&lt;/a&gt; and protection to guard against potential vulnerabilities and perform system scans that monitor device and system files, looking for possible risks.&lt;/p&gt;
 &lt;p&gt;The best antivirus software usually performs these basic functions:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Scans directories or specific files against a library of known malicious &lt;a href="https://www.techtarget.com/whatis/definition/virus-signature-virus-definition"&gt;signatures&lt;/a&gt; to detect abnormal patterns indicating the presence of malicious software.&lt;/li&gt; 
  &lt;li&gt;Enables users to schedule scans so they run automatically.&lt;/li&gt; 
  &lt;li&gt;Lets users initiate new scans anytime.&lt;/li&gt; 
  &lt;li&gt;Removes any malicious software it detects either automatically in the background or notifies users of infections and prompts them to clean the files.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;To scan systems comprehensively, antivirus software must have privileged access to the entire system. This makes antivirus software itself a common target for attackers, and researchers have discovered &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/remote-code-execution-RCE"&gt;remote code execution&lt;/a&gt; and other serious vulnerabilities in antivirus software products in recent years.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/ynuliH_AwxI?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Benefits of antivirus software"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of antivirus software&lt;/h2&gt;
 &lt;p&gt;The purpose of antivirus software is to defend a system against security threats and vulnerabilities and provide real-time protection through automated &lt;a href="https://www.techtarget.com/searchsecurity/definition/vulnerability-scanning"&gt;vulnerability scans&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Antivirus software provides several benefits:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Virus and malware protection.&lt;/b&gt; The main benefit of antivirus software is to protect against malicious software such as viruses and spyware. Most cyberthreats today present themselves as multipronged threat vectors that can attack system data, steal confidential information, spy on system resources and degrade system performance simultaneously. Therefore, having reliable antivirus software running at all times is imperative.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Protection against spam and pop-ups.&lt;/b&gt; Among the most common ways viruses infiltrate and infect a system is through pop-up advertisements and spam-based webpages. Antivirus software keeps the system secure by automatically blocking pop-ups and spam coming from &lt;a href="https://www.computerweekly.com/news/366542377/Nearly-quarter-of-a-million-malicious-websites-reported-and-removed-through-NCSC-service"&gt;malicious websites&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Web protection.&lt;/b&gt; Antivirus software helps protect against the scam websites threat actors use to gather credit card and bank information from unsuspecting users. By restricting access to harmful websites, a reliable antivirus program can prevent users from accessing unauthorized networks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Real-time protection.&lt;/b&gt; Antivirus software acts as a real-time shield that scans each inbound file and program. Depending on the settings of the antivirus program, once an infected file or program is detected, it's either automatically deleted or moved to a quarantine folder for further analysis. A quarantined file is prevented from interacting with the rest of the machine and its programs to mitigate damage.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Boot-scan command.&lt;/b&gt; Sophisticated viruses can often duplicate themselves while the system is active. However, an antivirus program can prevent a virus from self-replicating by invoking a boot-scan command. This command shuts down the operating system (OS), restarts the computer and scans the entire hard drive for viruses and malware. During the scan, the virus is detected and doesn't get a chance to self-replicate due to the deactivation of the OS.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Dark web scanning.&lt;/b&gt; Data from most data breaches, such as ransomware attacks, is often leaked on the &lt;a href="https://www.techtarget.com/whatis/definition/dark-web"&gt;dark web&lt;/a&gt;. Many antivirus tools can help organizations discover if their sensitive data is leaked on the dark web. For example, if they find an associated email address or account number on the dark web, they can notify the user and update the password to a new and more complex one.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Protection from external devices.&lt;/b&gt; Most people regularly plug in external devices, such as hard drives and USB adapters, to their computers. Antivirus software scans all attached devices and peripherals to thwart potential viruses from entering the system through external sources.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Types of antivirus programs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of antivirus programs&lt;/h2&gt;
 &lt;p&gt;Antivirus software is distributed in several forms, including standalone antivirus scanners, &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-ML"&gt;machine learning&lt;/a&gt; and cloud-based programs, malware signatures and internet security software suites that offer antivirus protection, along with &lt;a href="https://www.techtarget.com/searchsecurity/answer/Comparing-firewalls-Differences-between-an-inbound-outbound-firewall"&gt;firewalls&lt;/a&gt;, privacy controls and other security protections. Popular providers of both free and commercial antivirus products include AVG Technologies, &lt;a href="https://www.computerweekly.com/news/366609114/How-Kaspersky-is-driving-growth-in-APAC"&gt;Kaspersky&lt;/a&gt;, &lt;a href="https://www.computerweekly.com/microscope/news/366563098/Malwarebytes-enhances-MSP-offering-as-DataSolutions-looks-for-vendor-growth"&gt;Malwarebytes&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/news/252507537/FireEye-and-McAfee-Enterprise-announce-product-mashup"&gt;McAfee&lt;/a&gt;, &lt;a href="https://www.computerweekly.com/photostory/2240151126/13-Android-security-apps/3/2-Norton-Mobile-Antivirus"&gt;Norton&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/news/366547713/Trend-Micro-discloses-silent-threat-flaws-in-Azure-ML"&gt;Trend Micro&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Some antivirus software vendors offer free basic versions of their products. These provide basic antivirus and spyware protection, but more advanced features and protections are usually available only to paying customers.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/whatis-spyware_types.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/whatis-spyware_types_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/whatis-spyware_types_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/whatis-spyware_types.png 1280w" alt="A chart describing four types of spyware." height="282" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Spyware is ubiquitous, unfortunately, and comes in several forms, including those shown here.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;While some OSes are targeted more frequently by virus developers, antivirus software is available for most OSes:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Windows antivirus software.&lt;/b&gt; Most antivirus software vendors offer several levels of Windows products at different price points, starting with free versions offering only basic protection. Users must perform scans and updates manually. Free versions of antivirus software won't usually protect against links to malicious websites or malicious code and attachments in emails. Premium versions of antivirus software often include suites of &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-endpoint-encryption-works-in-a-data-security-strategy"&gt;endpoint security&lt;/a&gt; tools that provide secure online storage, ad blockers and file encryption. Since 2004, Microsoft has been offering free antivirus software as part of the Windows OS, generally under the name Windows Defender, though the software was mostly limited to detecting spyware before 2006. Microsoft now offers Microsoft Defender Antivirus as part of its &lt;a target="_blank" href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide" rel="noopener"&gt;Microsoft 365 Defender portal&lt;/a&gt;, which is available for Windows 10, Windows 11 and some versions of Windows Server.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;MacOS antivirus software.&lt;/b&gt; Although Apple &lt;a href="https://www.techtarget.com/whatis/definition/Mac-OS"&gt;macOS&lt;/a&gt; viruses exist, they're less common than Windows viruses, so &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Does-macOS-need-third-party-antivirus-in-the-enterprise"&gt;antivirus products for Mac-based devices&lt;/a&gt; are less standardized than those for Windows. There are several free and paid products available, providing on-demand tools to protect against potential malware threats through full-system malware scans and the ability to sift through specific email threads, attachments and various web activities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Android antivirus software.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/Android-OS"&gt;Android&lt;/a&gt; is the world's most popular mobile OS and is installed on more mobile devices than any other OS. Because most &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/What-Android-security-threats-should-IT-know-about"&gt;mobile malware targets Android&lt;/a&gt;, experts recommend all Android device users install antivirus software on their devices. Vendors offer a variety of free basic and paid premium versions of their Android antivirus software, including antitheft and remote-locating features. Some run automatic scans and actively try to stop malicious webpages and files from being opened or downloaded. &lt;a href="https://www.techtarget.com/searchsecurity/definition/Google-Play-Protect"&gt;Play Protect&lt;/a&gt; is Google's built-in malware protection for Android, which was first released with Android 8.0 Oreo, and now comes with every Android device that has Google Play services version 11 or newer installed on it.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Virus detection techniques"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Virus detection techniques&lt;/h2&gt;
 &lt;p&gt;Antivirus software uses a variety of virus detection techniques. Six common types are:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Signature-based detection. &lt;/b&gt;Antivirus programs depend on stored virus signatures -- unique strings of data that are characteristic of known malware -- to flag malicious software. The antivirus software uses these signatures to identify viruses it encounters that security experts have already identified and analyzed.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Heuristic-based detection. &lt;/b&gt;This type of detection uses an &lt;a href="https://www.techtarget.com/whatis/definition/algorithm"&gt;algorithm&lt;/a&gt; to compare the signatures of known viruses against potential threats. With &lt;a href="https://www.techtarget.com/whatis/definition/heuristic"&gt;heuristic&lt;/a&gt;-based detection, antivirus software can detect viruses that haven't been discovered yet, as well as existing viruses that have been disguised or modified and released as new viruses. However, this method can also generate false-positive matches when antivirus software detects a program behaving similarly to a malicious program and incorrectly identifies it as a virus.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Behavior-based detection.&lt;/b&gt; Antivirus software can also use &lt;a href="https://www.techtarget.com/whatis/definition/behavior-based-security"&gt;behavior-based&lt;/a&gt; detection to analyze an &lt;a href="https://www.techtarget.com/searchapparchitecture/definition/object"&gt;object's&lt;/a&gt; behavior or potential behavior for suspicious activities and infer malicious intent based on those observations. For example, code that attempts to perform unauthorized or abnormal actions would indicate the object is malicious or, at least, suspicious. Some examples of behaviors that potentially signal danger include modifying or deleting large numbers of files, monitoring keystrokes, changing settings of other programs and remotely connecting to computers.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cloud analysis.&lt;/b&gt; According to &lt;a target="_blank" href="https://atlasvpn.com/blog/over-30-million-new-malware-samples-found-in-2022-as-cyber-threats-evolve" rel="noopener"&gt;Atlas VPN&lt;/a&gt;, in 2025, over 34 million new malware samples have been discovered. Since it's impossible for any antivirus program to combat the vast number of rapidly appearing malware variants, antivirus companies now provide cloud analysis as part of their antivirus offerings. &lt;a href="https://www.techtarget.com/searchsecurity/tip/6-AIOps-security-use-cases-to-safeguard-the-cloud"&gt;Cloud analysis&lt;/a&gt; is done on the cloud using the antivirus vendor's servers. This way, if a malicious file or program is detected by the antivirus program, it's sent to the vendor's labs, where it's tested. If it's confirmed to be malicious, a signature is created for it, which blocks it from all the other devices where it's detected.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Sandbox analysis.&lt;/b&gt; This detection technique runs a program or file in a virtual &lt;a href="https://www.techtarget.com/searchsecurity/definition/sandbox"&gt;sandbox&lt;/a&gt; environment to analyze its behavior before permitting it into the system. Using this technique, antivirus software only permits a file to execute in the real environment if the sandbox analysis confirms it to be safe. This feature is also used for running files that the antivirus program is unable to &lt;a href="https://www.techtarget.com/whatis/definition/whitelist"&gt;allowlist&lt;/a&gt; or denylist. Since the files are executed in an isolated environment, even if they end up being malicious, no harm is done to the system, as they're only executed in a virtual sandbox container.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Host intrusion prevention system (HIPS).&lt;/b&gt; Security and antivirus software commonly use this technology to detect potentially malicious activities in a program using signature-based detection. A &lt;a href="https://www.techtarget.com/searchenterprisedesktop/definition/host-intrusion-prevention-systems-HIPS"&gt;HIPS&lt;/a&gt; continuously monitors each activity and instantly notifies users by presenting them with authorization options, such as &lt;b&gt;Allow&lt;/b&gt; and &lt;b&gt;Block&lt;/b&gt;.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Challenges facing antivirus software"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Challenges facing antivirus software&lt;/h2&gt;
 &lt;p&gt;According to &lt;i&gt;Cybercrime Magazine&lt;/i&gt;, 90% of the world's population, ages six and older, will be &lt;a target="_blank" href="https://cybersecurityventures.com/how-many-internet-users-will-the-world-have-in-2022-and-in-2030/" rel="noopener"&gt;connected to the internet by 2030&lt;/a&gt;. This exponential growth in internet connections is also responsible for the significant rise in viruses and cyberattacks.&lt;/p&gt;
 &lt;p&gt;While antivirus programs were originally developed to combat viruses and cyberthreats, they do come with some limitations.&lt;/p&gt;
 &lt;p&gt;Here are current and future challenges of antivirus software:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Antivirus software that uses only signature-based detection can't expose new types of malware, including variants of existing malware. Signature-based detection can only detect new viruses when the definition file is updated with information about the new virus. With the number of new malware signatures increasing rapidly, making antimalware software based solely on signatures is impractical. However, signature-based detection doesn't usually produce false-positive matches.&lt;/li&gt; 
  &lt;li&gt;Even the best antivirus software can sometimes erroneously identify a secure piece of a program or file as malware, which can lead to a legitimate and important file or program getting quarantined or deleted. Free antivirus options are typically more prone to false positives than paid services; they don't often provide enterprise-level scanning and detection of attacks and threat vectors.&lt;/li&gt; 
  &lt;li&gt;Antivirus software can sometimes interfere with &lt;a href="https://www.techtarget.com/whatis/feature/5-reasons-software-updates-are-important"&gt;system updates&lt;/a&gt; by preventing them from happening or halting them in the middle. In most cases, the user must take the extra step of disabling a firewall before attempting to install system updates or firmware upgrades.&lt;/li&gt; 
  &lt;li&gt;Antivirus software runs quietly in the background and is barely noticeable, but it can consume a lot of system resources, including memory and disk space, slowing a device's performance. The antivirus scanning feature can also cause noticeable lags in the network.&lt;/li&gt; 
  &lt;li&gt;Regular antivirus software provides just one layer of virus protection. For comprehensive protection, most organizations must invest in a multilayered approach, such as both hardware- and software-based firewalls or a complete internet security suite that includes antivirus options.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Ever-evolving trends in technology, including &lt;a href="https://www.techtarget.com/whatis/feature/The-metaverse-explained-Everything-you-need-to-know"&gt;metaverse&lt;/a&gt;, &lt;a href="https://www.techtarget.com/whatis/definition/Web-30"&gt;Web3&lt;/a&gt;, fintech and autonomous vehicles, make it more challenging to get the right antivirus protection. With so many endpoints to secure -- from &lt;a href="https://www.techtarget.com/searchsecurity/definition/crypto-wallet-cryptocurrency-wallet"&gt;crypto wallets&lt;/a&gt; to virtual reality devices -- there are times that antivirus software can fall short. Most traditional antivirus technologies can't detect modern fileless attacks that use trusted systems, such as &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/PowerShell"&gt;PowerShell&lt;/a&gt;, to carry out the attacks.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How to select antivirus software for an organization"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to select antivirus software for an organization&lt;/h2&gt;
 &lt;p&gt;Considering the many different antivirus products on the market, a &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-choose-a-cybersecurity-vendor-Key-criteria"&gt;careful selection process&lt;/a&gt; is recommended. Several important decision factors should be addressed before acquiring a product. Here are some of those considerations:&lt;/p&gt;
 &lt;h3&gt;Reliability and compatibility&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;The program should not cause conflicts or malfunctions with other software apps.&lt;/li&gt; 
  &lt;li&gt;The product should be compatible with existing OSes (e.g., Windows, macOS, &lt;a href="https://www.techtarget.com/searchdatacenter/tutorial/A-guide-to-switch-from-Windows-to-Linux"&gt;Linux&lt;/a&gt;).&lt;/li&gt; 
  &lt;li&gt;The product should be compatible with the devices to be protected (e.g., computers, smartphones, tablets).&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Ease of use&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Look for intuitive products that do not require special skills and training to operate properly.&lt;/li&gt; 
  &lt;li&gt;There should be a user-friendly interface that facilitates easy access and feature configuration.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Features and level of protection&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;The program should deliver 24/7 protection against a broad range of malware (e.g., viruses, worms, Trojan horses).&lt;/li&gt; 
  &lt;li&gt;Look for strong antimalware and ransomware detection features, along with resources that &lt;a href="https://www.techtarget.com/searchsecurity/video/Ransomware-Examples-prevention-and-mitigating-the-damage"&gt;mitigate attacks&lt;/a&gt; when detected.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Maintenance&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Regular database updating and patching keep antivirus software up to date with the latest threat actors.&lt;/li&gt; 
  &lt;li&gt;Technical support should be available to facilitate maintenance and deal with disruptions.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Protection approach&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Protection should be continuous and accommodate scanning files and websites as they are accessed.&lt;/li&gt; 
  &lt;li&gt;Consider products that include malware and ransomware detection.&lt;/li&gt; 
  &lt;li&gt;Additional features of interest might include firewalls, parental controls and virtual private networks (&lt;a href="https://www.techtarget.com/searchnetworking/definition/virtual-private-network"&gt;VPNs&lt;/a&gt;).&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Performance characteristics&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Determine if the software will have a material impact on computer performance and resource usage (e.g., CPU and RAM).&lt;/li&gt; 
  &lt;li&gt;Key scanning attributes include full scans and quick scans that can be managed in real time.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Third-party assessments&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Examine results of tests conducted by independent firms such as AV-TEST and &lt;a target="_blank" href="https://www.av-comparatives.org/" rel="noopener"&gt;AV-Comparatives&lt;/a&gt; for ratings of antivirus software.&lt;/li&gt; 
  &lt;li&gt;User comments and reviews on antivirus software can be a helpful supplement to independent tests.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Financials and administrative issues&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Select a product that offers the required features and protection and fits within technology budgets.&lt;/li&gt; 
  &lt;li&gt;Consider open source and free products.&lt;/li&gt; 
  &lt;li&gt;Pricing options can include one-time fixed prices, annual subscriptions or monthly fees.&lt;/li&gt; 
  &lt;li&gt;Identify and weigh issues such as installation and testing, user training, access to a help desk, and availability of documentation.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;                  
&lt;section class="section main-article-chapter" data-menu-title="Antivirus software vendors"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Antivirus software vendors&lt;/h2&gt;
 &lt;p&gt;Here is a brief list of antivirus product vendors:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/252522100/Avast-uncovers-thieves-kitchen-of-malware-writing-teens"&gt;Avast&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Avira.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.computerweekly.com/news/366588234/Bitdefender-makes-MDR-services-free-to-NHS-bodies-hit-by-Qilin"&gt;Bitdefender&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.computerweekly.com/microscope/news/366622929/ESET-continuing-to-increase-MSP-support"&gt;ESET&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;G Data Antivirus.&lt;/li&gt; 
  &lt;li&gt;Kaspersky.&lt;/li&gt; 
  &lt;li&gt;Malwarebytes.&lt;/li&gt; 
  &lt;li&gt;McAfee.&lt;/li&gt; 
  &lt;li&gt;Microsoft Defender.&lt;/li&gt; 
  &lt;li&gt;Norton Antivirus.&lt;/li&gt; 
  &lt;li&gt;Norton 360 Select with LifeLock.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.computerweekly.com/microscope/news/366623562/Sophos-rolls-out-MSP-Elevate"&gt;Sophos&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Surfshark Antivirus.&lt;/li&gt; 
  &lt;li&gt;Total AV Antivirus.&lt;/li&gt; 
  &lt;li&gt;Trend Micro.&lt;/li&gt; 
  &lt;li&gt;Webroot.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Consider all the selection criteria mentioned in this article when looking at a new installation or upgrading an existing product. The ability to test software offline is important before putting a system into production.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;While antivirus software can mitigate certain ransomware attacks, it can't stop or remove ransomware once it's taken control of a system. Take advantage of a step-by-step guide on &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-remove-ransomware-step-by-step"&gt;&lt;i&gt;how to remove ransomware and minimize its effect&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Antivirus software (antivirus program) is a security program designed to prevent, detect, search and remove viruses and other types of malware from computers, networks and other devices.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/6.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/antivirus-software</link>
            <pubDate>Thu, 16 Oct 2025 09:00:00 GMT</pubDate>
            <title>What is antivirus software?</title>
        </item>
        <item>
            <body>&lt;p&gt;Information security management encompasses many areas -- from perimeter protection and encryption to application security and disaster recovery. IT security is made more challenging by compliance regulations and standards, such as &lt;a href="https://www.techtarget.com/searchhealthit/definition/HIPAA"&gt;HIPAA&lt;/a&gt;, PCI DSS, the Sarbanes-Oxley Act and &lt;a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR"&gt;GDPR&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;This is where IT security frameworks and standards are essential. Knowledge of regulations, standards and frameworks is necessary for all cybersecurity professionals. Compliance with these frameworks and standards is especially important from an audit perspective.&lt;/p&gt; 
&lt;p&gt;To help manage the process, let's examine standards, regulations and frameworks, as well as the more popular security options and how to use them.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What are IT security standards, regulations and frameworks?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are IT security standards, regulations and frameworks?&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Standards&lt;/b&gt; are like recipes; they list steps to follow. A well-managed IT organization must comply with the requirements set forth in a standard.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Regulations&lt;/b&gt;, in contrast, have a legally binding impact. The way they describe how to do something indicates government and public support for the rules and processes set forth in the regulation. Failure to comply with IT-focused regulations can result in financial penalties and litigation.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Frameworks&lt;/b&gt; detail how to develop, test, execute and maintain something. A cybersecurity framework is a series of documented processes that defines policies and procedures for implementing and managing infosec controls. Such frameworks are a blueprint for managing risk and reducing vulnerabilities.&lt;/p&gt;
 &lt;p&gt;Information security professionals use frameworks to define and prioritize the tasks required to manage enterprise security. Frameworks also help prepare for compliance and other IT audits. Therefore, they must support specific requirements defined in a standard or regulation.&lt;/p&gt;
 &lt;p&gt;Organizations can customize frameworks to solve specific information security problems, such as industry-specific requirements or regulatory compliance goals. Frameworks also come in varying degrees of complexity and scale. Today's frameworks often overlap, so it's important to select ones that effectively support operational, compliance and audit requirements. They should also be easy to adapt to existing security activities.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Why are security frameworks important?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why are security frameworks important?&lt;/h2&gt;
 &lt;p&gt;Frameworks provide a starting point for establishing processes, policies and administrative activities for infosec management.&lt;/p&gt;
 &lt;p&gt;Security requirements often overlap, resulting in "crosswalks" that can be used to demonstrate compliance with different regulatory standards. For example, &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-write-an-information-security-policy-plus-templates"&gt;&lt;i&gt;information security policy&lt;/i&gt;&lt;/a&gt; is defined in the following standards:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;ISO 27002 defines it in Section 5.&lt;/li&gt; 
  &lt;li&gt;Control Objectives for Information and Related Technology (COBIT) defines it in the "Align, Plan and Organize" section.&lt;/li&gt; 
  &lt;li&gt;HIPAA defines it in the "Assigned Security Responsibility" section.&lt;/li&gt; 
  &lt;li&gt;PCI DSS defines it in the "Maintain an Information Security Policy" section.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Using a common framework, such as ISO 27002, an organization can establish crosswalks to demonstrate compliance with multiple regulations, including HIPAA, &lt;a href="https://www.techtarget.com/searchcio/definition/Sarbanes-Oxley-Act"&gt;SOX&lt;/a&gt;, PCI DSS and the &lt;a href="https://www.techtarget.com/searchcio/definition/Gramm-Leach-Bliley-Act"&gt;Gramm-Leach-Bliley Act&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Unlike standards and regulations, frameworks do not always have compliance requirements. For example, "ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements" has specific compliance mandates, whereas "ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection -- Information security controls" does not.&lt;/p&gt;
 &lt;p&gt;After identifying a compliance requirement, security analysts should look for frameworks that help the organization comply with the primary standard or regulation. This is how ISO 27002 supports ISO 27001.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="How to choose an IT security framework"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to choose an IT security framework&lt;/h2&gt;
 &lt;p&gt;Multiple factors drive the choice to use a particular security framework, including industry or compliance requirements. Publicly traded companies, for example, might want to use COBIT to comply with SOX, while the healthcare sector might consider the HITRUST (Health Information Trust Alliance) framework to comply with the &lt;a href="https://www.techtarget.com/searchhealthit/definition/HITECH-Act"&gt;HITECH (Health Information Technology for Economic and Clinical Health) Act&lt;/a&gt;. The ISO 27000 series of information security standards and frameworks, by contrast, is applicable in public and private sectors.&lt;/p&gt;
 &lt;p&gt;ISO standards are often time-consuming to implement, but they are helpful when an organization needs to demonstrate its information security capabilities using ISO 27000 certification. While NIST Special Publication (SP) 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations is a standard required by U.S. federal agencies, any organization can use it to build a technology-specific information security plan.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Top IT security standards and frameworks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Top IT security standards and frameworks&lt;/h2&gt;
 &lt;p&gt;The following standards and frameworks help security professionals organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them.&lt;/p&gt;
 &lt;h3&gt;1. ISO 27000 series&lt;/h3&gt;
 &lt;p&gt;The ISO 27000 series was developed by the International Organization for Standardization. It is a flexible cybersecurity framework that applies to organizations of all types and sizes.&lt;/p&gt;
 &lt;p&gt;The two primary standards -- ISO &lt;a href="https://www.techtarget.com/whatis/definition/ISO-27001"&gt;27001&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/ISO-27002-International-Organization-for-Standardization-27002"&gt;27002&lt;/a&gt; -- establish the requirements and procedures for creating an information security management system (&lt;a href="https://www.techtarget.com/whatis/definition/information-security-management-system-ISMS"&gt;ISMS&lt;/a&gt;). Having an ISMS is an important audit and compliance activity. ISO 27000 consists of an overview and vocabulary and defines ISMS requirements. ISO 27002 specifies the code of practice for developing ISMS controls.&lt;/p&gt;
 &lt;p&gt;Compliance with the ISO 27000 series of standards is established through audit and certification processes, typically provided by third-party organizations approved by ISO and other accredited agencies.&lt;/p&gt;
 &lt;p&gt;The ISO 27000 series has 60 standards that cover a broad spectrum of cybersecurity issues, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;ISO 27017 describes security controls for cloud environments.&lt;/li&gt; 
  &lt;li&gt;ISO 27018 addresses the protection of personally identifiable information (PII) in cloud computing.&lt;/li&gt; 
  &lt;li&gt;ISO 27031 provides guidance on business continuity and related activities.&lt;/li&gt; 
  &lt;li&gt;ISO 27037 addresses the collection and protection of digital evidence.&lt;/li&gt; 
  &lt;li&gt;ISO 27040 addresses storage security.&lt;/li&gt; 
  &lt;li&gt;ISO 27400 covers IoT security and privacy.&lt;/li&gt; 
  &lt;li&gt;ISO 27799 defines information security in healthcare.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;2. NIST SP 800-53&lt;/h3&gt;
 &lt;p&gt;NIST has developed an extensive library of IT standards, many of which focus on information security. First published in 1990, the NIST SP 800 series addresses virtually every aspect of information security, with an increasing focus on &lt;a href="https://www.techtarget.com/searchsecurity/feature/Guide-to-cloud-security-management-and-best-practices"&gt;cloud security&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations is the information security benchmark for U.S. government agencies and is widely used in the private sector. It has helped spur the development of information security frameworks, including the NIST Cybersecurity Framework (CSF).&lt;/p&gt;
 &lt;h3&gt;3. NIST SP 800-171&lt;/h3&gt;
 &lt;p&gt;SP 800-171 Rev. 3: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations has gained popularity due to requirements set by the U.S. Department of Defense regarding contractor compliance with security frameworks. Government contractors are a frequent target for cyberattacks due to their proximity to federal systems. To bid on federal and state business opportunities, manufacturers and subcontractors must have a cybersecurity framework.&lt;/p&gt;
 &lt;p&gt;Controls included in the SP 800-171 framework are directly related to SP 800-53 but are less detailed and more generalized. It's possible to build a crosswalk between the two standards if an organization must show compliance with SP 800-53, using SP 800-171 as the base. This creates flexibility for smaller organizations -- they can show compliance as they grow using the additional controls included in SP 800-53.&lt;/p&gt;
 &lt;h3&gt;4. NIST CSF&lt;/h3&gt;
 &lt;p&gt;The NIST Framework for Improving Critical Infrastructure Cybersecurity, later known as the &lt;a href="https://www.techtarget.com/searchsecurity/definition/NIST-Cybersecurity-Framework"&gt;NIST CSF&lt;/a&gt;, was developed under Executive Order 13636, released in 2013. It was created to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries must maintain a high level of preparedness because they have all been targeted by nation-state actors.&lt;/p&gt;
 &lt;p&gt;Unlike other NIST frameworks, the CSF focuses on cybersecurity risk analysis and risk management. Security controls in the framework are based on the five phases of risk management: identify, protect, detect, respond and recover. Like all IT security programs, these phases require the support of senior management. NIST CSF is suitable for both public and private sectors.&lt;/p&gt;
 &lt;p&gt;The CSF 2.0, released in 2024, &lt;a target="_blank" href="https://www.darkreading.com/ics-ot-security/nist-cybersecurity-framework-2-0-4-steps-get-started" rel="noopener"&gt;broadened the framework's applicability&lt;/a&gt; to organizations of all sizes, expanded its response core function activities, added a new core function to emphasize the importance of governance, and made ransomware and supply chain threats more prominent.&lt;/p&gt;
 &lt;h3&gt;5. NIST SP 1800 series&lt;/h3&gt;
 &lt;p&gt;The NIST SP 1800 series, also known as the NIST Cybersecurity Practice Guides, is a set of documents that complement the SP 800 series of standards and frameworks. The guides offer information on how to implement and apply standards-based cybersecurity technologies in real-world applications.&lt;/p&gt;
 &lt;p&gt;The SP 1800 series publications provide the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Examples of specific situations and capabilities.&lt;/li&gt; 
  &lt;li&gt;Experience-based, how-to approaches using multiple products to achieve the desired result.&lt;/li&gt; 
  &lt;li&gt;Modular implementation guidance on capabilities for organizations of all sizes.&lt;/li&gt; 
  &lt;li&gt;Specifications of required components and installation, configuration and integration information so organizations can easily replicate the process themselves.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Guides include implementing &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero trust&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Shift-left-with-these-DevSecOps-best-practices"&gt;DevSecOps practices&lt;/a&gt;, mobile device security, &lt;a href="https://www.techtarget.com/searchsecurity/tip/What-to-know-about-5G-security-threats-in-the-enterprise"&gt;5G security&lt;/a&gt; and data confidentiality.&lt;/p&gt;
 &lt;h3&gt;6. COBIT&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/COBIT"&gt;COBIT&lt;/a&gt; was developed in the mid-1990s by ISACA, an independent organization of IT governance professionals. ISACA offers the well-known Certified Information Systems Auditor and Certified Information Security Manager certifications.&lt;/p&gt;
 &lt;p&gt;COBIT originally focused on reducing IT risks. COBIT 5, released in 2012, included new technology and business trends to help organizations balance IT and business goals. The current version is COBIT 2019. It's the most used framework to achieve SOX compliance. Numerous publications and professional certifications address COBIT requirements.&lt;/p&gt;
 &lt;h3&gt;7. CIS Controls&lt;/h3&gt;
 &lt;p&gt;The Center for Internet Security (CIS) Critical Security Controls, Version 8.1 -- formerly the SANS Top 20 -- lists technical security and operational controls that can apply to any environment. It does not address risk analysis or risk management like NIST CSF; rather, it solely focuses on reducing risk and &lt;a href="https://www.techtarget.com/searchsecurity/tip/Build-a-strong-cyber-resilience-strategy-with-existing-tools"&gt;increasing resilience&lt;/a&gt; for technical infrastructures. It was updated in 2024 to align with the updated NIST CSF 2.0.&lt;/p&gt;
 &lt;p&gt;The 18 CIS Controls include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Inventory and control of enterprise assets.&lt;/li&gt; 
  &lt;li&gt;Data protection.&lt;/li&gt; 
  &lt;li&gt;Audit log management.&lt;/li&gt; 
  &lt;li&gt;Malware defenses.&lt;/li&gt; 
  &lt;li&gt;Penetration testing.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;CIS Controls link with existing risk management frameworks to help remediate identified risks. They're useful resources for IT departments that lack technical security experience.&lt;/p&gt;
 &lt;h3&gt;8. HITRUST Common Security Framework&lt;/h3&gt;
 &lt;p&gt;The HITRUST Common Security Framework (CSF) includes risk analysis and risk management frameworks, along with operational requirements. The framework has 14 different control categories and applies to almost any organization, including healthcare. Categories include access control, HR security, risk management, physical and environmental security, and privacy practices.&lt;/p&gt;
 &lt;p&gt;The HITRUST CSF is a massive undertaking due to the heavy weight given to documentation and processes. As a result, many organizations end up scoping smaller areas of focus for HITRUST. The costs of obtaining and maintaining HITRUST certification add to the level of effort required to adopt this framework. The certification is audited by a third party, which adds a level of validity.&lt;/p&gt;
 &lt;h3&gt;9. GDPR&lt;/h3&gt;
 &lt;p&gt;The EU's GDPR is a framework of security requirements that global organizations must implement to protect the security and privacy of EU citizens' personal information.&lt;/p&gt;
 &lt;p&gt;GDPR requirements include controls for restricting unauthorized access to stored data and access control measures, such as the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;principle of least privilege&lt;/a&gt;, role-based access and MFA. Failure to comply with GDPR requirements can result in significant fines.&lt;/p&gt;
 &lt;h3&gt;10. COSO&lt;/h3&gt;
 &lt;p&gt;The Committee of Sponsoring Organizations of the Treadway Commission is a joint initiative of five professional associations that has published two complementary frameworks. Its &lt;a href="https://www.techtarget.com/searchcio/definition/COSO-Framework"&gt;Internal Control -- Integrated Framework&lt;/a&gt;, released in 1992 and updated in 2013, helps companies achieve a risk-based approach for internal controls. It covers the following components, referred to as the five pillars:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Control environment.&lt;/li&gt; 
  &lt;li&gt;Risk assessment.&lt;/li&gt; 
  &lt;li&gt;Control activities.&lt;/li&gt; 
  &lt;li&gt;Information and communication.&lt;/li&gt; 
  &lt;li&gt;Monitoring activities.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;p&gt;COSO is developing a Corporate Governance Framework in collaboration with the National Association of Corporate Directors. The framework, expected to be released in late 2025, aims to unify existing corporate governance activities in U.S. public companies. It will complement existing COSO frameworks, including its Enterprise Risk Management Framework.&lt;/p&gt;
 &lt;h3&gt;11. PCI DSS&lt;/h3&gt;
 &lt;p&gt;PCI DSS is a set of requirements and guidelines designed to help ensure secure business transactions and protect cardholder data, including credit card numbers, expiration dates and security codes.&lt;/p&gt;
 &lt;p&gt;The 12 PCI DSS requirements include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Install and maintain network security controls.&lt;/li&gt; 
  &lt;li&gt;Protect stored account data.&lt;/li&gt; 
  &lt;li&gt;Develop and maintain secure systems and software.&lt;/li&gt; 
  &lt;li&gt;Test system and network security regularly.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;PCI DSS was created in 2004 by five major credit card companies. The update to version 4.0 in 2022 called for more rigorous security measures, such as MFA and strong passwords. Version 4.0.1, released in 2024, did not add or remove requirements but &lt;a target="_blank" href="https://www.darkreading.com/cyber-risk/new-pci-dss-rules-merchants-on-hook-compliance" rel="noopener"&gt;clarified existing requirements and updated terminology&lt;/a&gt;.&lt;/p&gt;
 &lt;h3&gt;12. CMMC&lt;/h3&gt;
 &lt;p&gt;The Cybersecurity Maturity Model Certification is a framework developed by the U.S. Department of Defense to ensure government-approved contractors comply with cybersecurity requirements. It is built on the controls and guidance in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and defines the following three certification levels:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Foundational, minimum security requirements for basic government contracting.&lt;/li&gt; 
  &lt;li&gt;Advanced, for contractors that handle controlled unclassified information.&lt;/li&gt; 
  &lt;li&gt;Expert, for contractors handling highly classified information.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;CMMC 1.0 was released in 2020. Version 2.0 was finalized in 2024.&lt;/p&gt;
 &lt;h3&gt;13. FISMA&lt;/h3&gt;
 &lt;p&gt;The &lt;a href="https://www.techtarget.com/searchsecurity/definition/Federal-Information-Security-Management-Act"&gt;Federal Information Security Modernization Act&lt;/a&gt;, which aligns closely with the NIST Risk Management Framework, provides a security framework for protecting federal government data and systems.&lt;/p&gt;
 &lt;p&gt;FISMA requires U.S. federal agencies, as well as third parties, contractors and vendors that handle federal systems, to develop, document and implement security programs. Compliance requirements include continuous monitoring, annual security reviews and baseline security controls, such as those outlined in NIST SP 800-53.&lt;/p&gt;
 &lt;p&gt;FISMA was introduced in 2002 and updated in 2014. It is currently undergoing legislative efforts for an update.&lt;/p&gt;
 &lt;h3&gt;14. NERC CIP&lt;/h3&gt;
 &lt;p&gt;The &lt;a href="https://www.techtarget.com/searchsecurity/definition/North-American-Electric-Reliability-Corporation-Critical-Infrastructure-Protection-NERC-CIP"&gt;North American Electric Reliability Corporation Critical Infrastructure Protection framework&lt;/a&gt; includes 14 ratified and proposed standards that apply to utility companies within the bulk power system. The standards outline recommended controls and policies to monitor, regulate, manage and maintain the security of critical infrastructure systems. Bulk power system owners, operators and users must comply with the NERC CIP framework.&lt;/p&gt;
 &lt;p&gt;CIP standards include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;CIP-004-7 Cyber Security -- Personnel and Training.&lt;/li&gt; 
  &lt;li&gt;CIP-008-6 Cyber Security -- Incident Reporting and Response Planning.&lt;/li&gt; 
  &lt;li&gt;CIP-013-2 Cyber Security -- Supply Chain Risk Management.&lt;/li&gt; 
  &lt;li&gt;CIP-014-3 Physical Security.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;15. SOC 2&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/Soc-2-Service-Organization-Control-2"&gt;System and Organizational Controls 2&lt;/a&gt; is a framework developed by the American Institute of Certified Public Accountants that assesses how organizations manage and protect data. It is an internal control that enables companies to demonstrate that they meet the following Trust Services Criteria:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Security.&lt;/b&gt; Protects data and maintains its privacy during creation, use, processing, transmission and storage. Focuses on preventing data leakage, unauthorized access and damage to systems that affect the availability, integrity and confidentiality of data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Availability.&lt;/b&gt; Puts controls in place that ensure systems are operational, available and monitored.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Processing integrity.&lt;/b&gt; Confirms that processing is complete, accurate, timely, authorized and secure.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Confidentiality.&lt;/b&gt; Protects data designated confidential.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Privacy.&lt;/b&gt; Ensures PII is collected, used, retained, disclosed and disposed of properly.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;A SOC 2 audit, performed by a third-party CPA, examines whether an organization's controls meet SOC 2 criteria. While not a legal requirement, many customers use it to assess the security and privacy controls of their vendors and service providers.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Several IT security frameworks and standards exist to help protect company data. Here's advice for choosing the right ones for your organization.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a299192530.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one</link>
            <pubDate>Wed, 08 Oct 2025 09:00:00 GMT</pubDate>
            <title>Top 15 IT security frameworks and standards explained</title>
        </item>
        <item>
            <body>&lt;p&gt;A stealth virus is a computer &lt;a href="https://www.techtarget.com/searchsecurity/definition/virus"&gt;virus&lt;/a&gt; that uses various mechanisms to avoid detection by &lt;a href="https://www.techtarget.com/searchsecurity/definition/antivirus-software"&gt;antivirus software&lt;/a&gt;. It takes its name from the term &lt;i&gt;stealth&lt;/i&gt;, which describes an approach to doing something while avoiding notice.&lt;/p&gt; 
&lt;p&gt;Typically, a stealth virus can hide in a computing device's legitimate files, partitions or boot sectors without alerting the antivirus software or notifying the user of its presence. Once injected into a computer, the virus enables the attackers to operate and gain control over parts of the system or the entire system.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How a stealth virus works"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How a stealth virus works&lt;/h2&gt;
 &lt;p&gt;A stealth virus is any virus that tries to avoid detection by antivirus software. However, viruses that escape notice, even if they're not specifically designed to do so, are also described as stealth viruses. This sometimes occurs because the virus is new or because users haven't updated their antivirus software to be able to detect the infection.&lt;/p&gt;
 &lt;p&gt;Stealth viruses aren't new. Brain, the first known virus to target IBM PCs, was a stealth virus that infected the boot sector of a floppy storage disk. Brain was created in Pakistan as an antipiracy measure in 1986.&lt;/p&gt;
 &lt;p&gt;A stealth virus has an intelligent architecture, making it hard to eliminate from a computer system. The virus is smart enough to rename itself and send copies to a different drive or location, evading detection by the system's antivirus software. The only way to remove it is to wipe the computer and rebuild it from scratch.&lt;/p&gt;
 &lt;p&gt;Booting a computer from a removable disk, such as a &lt;a href="https://www.techtarget.com/searchstorage/definition/USB-drive"&gt;USB drive&lt;/a&gt;, prevents the stealth virus from running amok before the antivirus or &lt;a href="https://www.techtarget.com/searchsecurity/definition/antimalware"&gt;antimalware&lt;/a&gt; software scans for malware. Sophisticated, up-to-date antivirus software can reduce the risk of infection or eradicate a virus. Stealth viruses harm enterprises. The &lt;a target="_blank" href="https://www.ibm.com/reports/data-breach" rel="noopener"&gt;average cost&lt;/a&gt; of a data breach from a stealth virus or other cyberattack is $4.4 million.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-computer_virus-f_mobile.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-computer_virus-f_mobile_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-computer_virus-f_mobile_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-computer_virus-f_mobile.png 1280w" alt="List of the various types of stealth viruses"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Any virus that tries to avoid detection by antivirus software is considered a stealth virus.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Types of stealth viruses"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of stealth viruses&lt;/h2&gt;
 &lt;p&gt;There are several types of stealth viruses. The most common are the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Boot sector.&lt;/b&gt; These are named after the master boot record that they infect. By infecting the &lt;a href="https://www.techtarget.com/whatis/definition/Master-Boot-Record-MBR"&gt;master boot record&lt;/a&gt;, the boot sector virus is active before the operating system loads, bypassing many digital defenses.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Polymorphic.&lt;/b&gt; These modify their &lt;a href="https://www.techtarget.com/whatis/definition/code"&gt;code&lt;/a&gt; with each infection, allowing them to evade &lt;a href="https://www.techtarget.com/whatis/definition/virus-signature-virus-definition"&gt;signature-based virus&lt;/a&gt; detection.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Rootkit-based.&lt;/b&gt; These embed themselves deep within a system file for long-term access.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Encrypted.&lt;/b&gt; These use &lt;a href="https://www.techtarget.com/searchsecurity/definition/encryption"&gt;encryption&lt;/a&gt; techniques to mask their presence, decrypting themselves only during execution.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Metamorphic.&lt;/b&gt; These completely rewrite their code to change their structure.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How a stealth virus infects a computer"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How a stealth virus infects a computer&lt;/h2&gt;
 &lt;p&gt;A stealth virus usually enters the system via infected web links, malicious &lt;a href="https://www.techtarget.com/searchsecurity/answer/How-secure-is-an-email-with-a-pdf-attachment"&gt;email attachments&lt;/a&gt; and third-party application downloads. The virus tricks the system to get past an antivirus program using two primary methods:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Code modification. &lt;/b&gt;To avoid detection, the virus modifies every infected file's code and virus signature.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Data encryption. &lt;/b&gt;The virus renders the affected file inaccessible or unreadable to the user by encrypting it and using a different &lt;a href="https://www.techtarget.com/searchsecurity/definition/key"&gt;encryption key&lt;/a&gt; for different files.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Typically, when an antivirus program runs, a stealth virus hides in memory and uses various tricks to conceal any changes it has made to files or boot records. It can maintain a copy of the original, uninfected data and monitor system activity. When a program attempts to access altered data, the virus redirects it to a storage area that maintains the original data.&lt;/p&gt;
 &lt;p&gt;An antivirus program should scan the computer's memory and other commonly targeted areas to find stealth viruses. But this isn't always successful, because viruses can be designed to hide from antivirus software. They do this by concealing the size of the file they have infected, moving away from the infected file, copying themselves to a different drive and replacing themselves with a clean file.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Common stealth virus attack issues"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Common stealth virus attack issues&lt;/h2&gt;
 &lt;p&gt;When a stealth virus infects a computer system, it lets attackers control a variety of system tasks. The following are some of the issues associated with stealth virus attacks:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Sudden system crashes.&lt;/li&gt; 
  &lt;li&gt;A prolonged time to restart.&lt;/li&gt; 
  &lt;li&gt;Slow system performance.&lt;/li&gt; 
  &lt;li&gt;Appearance of unidentified icons on the computer screen.&lt;/li&gt; 
  &lt;li&gt;System turns on or off without user intervention.&lt;/li&gt; 
  &lt;li&gt;Security programs stop working.&lt;/li&gt; 
  &lt;li&gt;Issues with printing devices.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-how_ceo_fraud_works-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security-how_ceo_fraud_works-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-how_ceo_fraud_works-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/security-how_ceo_fraud_works-f.png 1280w" alt="Steps involved in how business email compromise works" height="287" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Malicious email attachments are one of several ways a stealth virus can infect a system.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="How stealth viruses avoid detection"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How stealth viruses avoid detection&lt;/h2&gt;
 &lt;p&gt;A stealth virus can use several different techniques to evade detection. The most common include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Altering system files so antivirus programs can't distinguish between infected and legitimate code.&lt;/li&gt; 
  &lt;li&gt;Interfering with security and detection software by disabling or manipulating them.&lt;/li&gt; 
  &lt;li&gt;Encrypting or modifying code to avoid recognition by traditional antivirus methods.&lt;/li&gt; 
  &lt;li&gt;Hiding in system memory so it can operate without writing to disk.&lt;/li&gt; 
  &lt;li&gt;Intercepting and altering system requests that security tools make.&lt;/li&gt; 
  &lt;li&gt;Replicating and spreading so that the virus infects multiple systems.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Protecting devices against stealth viruses"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Protecting devices against stealth viruses&lt;/h2&gt;
 &lt;p&gt;The following are strategies to protect against a stealth virus:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Strong antivirus software.&lt;/b&gt; A comprehensive, up-to-date antivirus program recognizes and protects systems from stealth viruses and other malware, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/Trojan-horse"&gt;Trojans&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/definition/worm"&gt;worms&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;ransomware&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/definition/spyware"&gt;spyware&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/adware"&gt;adware&lt;/a&gt;. Modern antivirus programs use a virus signature strategy to detect and eliminate stealth virus threats. These signatures must be regularly updated to ensure the antivirus software can detect and eliminate new types of stealth viruses.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Email security practices.&lt;/b&gt; Stealth viruses can enter a system via email and email attachments. Users shouldn't open emails or click on links in them if they're from an unknown source or look suspicious.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Computing and search hygiene.&lt;/b&gt; It's important to avoid visiting unfamiliar websites and those that are known security risks. Ads on websites are a common source of viruses; ad blockers eliminate advertisements from appearing on webpages.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Real-life examples of stealth viruses"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Real-life examples of stealth viruses&lt;/h2&gt;
 &lt;p&gt;Stealth viruses have been active for several decades. The following are among the most famous:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Brain was the first recorded use of a stealth virus, infecting the boot sector of floppy disks. It appeared in 1986 and is no longer an active threat.&lt;/li&gt; 
  &lt;li&gt;Chernobyl appeared in 1998 and is no longer a significant threat. It overwrote system firmware and caused massive data loss.&lt;/li&gt; 
  &lt;li&gt;FunLove was first seen in 1999 and continues to cause problems. It's a stealth virus that infects Windows systems, bypassing standard security measures and spreading through network contacts.&lt;/li&gt; 
  &lt;li&gt;Sality appeared in 2003 and continues to be a threat. It's a polymorphic virus that alters its code while disabling antivirus software.&lt;/li&gt; 
  &lt;li&gt;ZeroAccess came out in 2011; variations of the original virus continue to cause problems. It's a &lt;a href="https://www.techtarget.com/searchsecurity/definition/rootkit"&gt;rootkit&lt;/a&gt;-enabled virus that hides deep within operating systems to create a &lt;a href="https://www.techtarget.com/searchsecurity/definition/botnet"&gt;botnet&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Stealth viruses are one of the most dangerous modern cybersecurity threats. Explore the &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams"&gt;&lt;i&gt;top types of information security threats for IT teams&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A stealth virus is a computer virus that uses various mechanisms to avoid detection by antivirus software.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/2.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/stealth-virus</link>
            <pubDate>Fri, 12 Sep 2025 09:00:00 GMT</pubDate>
            <title>What is a stealth virus and how does it work?</title>
        </item>
        <item>
            <body>&lt;p&gt;Triple Data Encryption Algorithm was used widely across many industries and in many popular network protocols to encrypt data at rest and data in motion. NIST deprecated the algorithm in 2018 and disallowed its use after 2023.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is Triple DES?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is Triple DES?&lt;/h2&gt;
 &lt;p&gt;The &lt;a href="https://www.techtarget.com/searchsecurity/definition/Data-Encryption-Standard"&gt;Data Encryption Standard&lt;/a&gt; algorithm on which Triple DES is based was first published in 1975. DES is a symmetric key &lt;a href="https://www.techtarget.com/searchsecurity/definition/block-cipher"&gt;block cipher&lt;/a&gt;. Symmetric key block ciphers process fixed-size blocks simultaneously using the same key to encrypt the data. The block size of a cipher refers to the number of bits that are processed together.&lt;/p&gt;
 &lt;p&gt;The original DES algorithm specified the use of 56-bit keys. As computing advanced, this proved ineffective protection against certain attacks. The algorithm was retired in 2005.&lt;/p&gt;
 &lt;p&gt;In 1998, Triple Data Encryption Algorithm, commonly referred to as Triple DES, TDEA and 3DES, was introduced. It applies the DES cipher algorithm three times to each data block to increase the effective key length.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="A brief history of DES and Triple DES"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A brief history of DES and Triple DES&lt;/h2&gt;
 &lt;p&gt;In the early 1970s, the National Bureau of Standards -- now NIST -- identified a need for a government-wide standard for encrypting unclassified, sensitive information. Early proposals for the new DES were not deemed acceptable. Then, a block cipher called Lucifer was submitted by IBM Corporation in 1974. After consultation with the National Security Agency (NSA), a modified version was approved as a Federal Information Processing Standard in 1976 and published on Jan. 15, 1977, as FIPS PUB 46. It was authorized for use on all unclassified data.&lt;/p&gt;
 &lt;p&gt;The most notable changes between the approved algorithm and the original Lucifer cipher were a reduced key size -- from 128 bits to 56 bits -- and substitution boxes (S-boxes) designed under classified conditions. An S-box is the component of the algorithm that performs substitution.&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-block_cipher_basics-h.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-block_cipher_basics-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-block_cipher_basics-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-block_cipher_basics-h.png 1280w" alt="Graphic displaying how block ciphers work" height="279" width="279"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Block ciphers encrypt fixed-sized blocks simultaneously using the same key.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;Many experts felt the smaller key size made DES more vulnerable to &lt;a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking"&gt;brute-force attacks&lt;/a&gt; and that the NSA had somehow introduced a backdoor into the algorithm to allow the agency to decrypt data encrypted by DES without needing to know the encryption key. It was discovered 13 years later that the S-boxes were secure against an attack known as &lt;i&gt;differential cryptanalysis&lt;/i&gt;, which was only publicly discovered in 1990. This suggests the NSA was already aware of this attack in 1977.&lt;/p&gt;
 &lt;p&gt;Despite these criticisms, DES was quickly adopted and sparked a dramatic rise in the study and development of encryption algorithms. It was reaffirmed as the standard in 1983, 1988 and 1993.&lt;/p&gt;
 &lt;p&gt;Due to the ever-increasing processing power of computers, however, DES became vulnerable to brute-force attacks. Although a 56-bit key space amounts to approximately 72 quadrillion possibilities, this no longer provides required levels of security. The algorithm was retired in 2005.&lt;/p&gt;
 &lt;p&gt;To avoid the need to design a completely new cipher and to make replacing DES relatively straightforward, the Triple DES specification, &lt;a href="https://csrc.nist.gov/files/pubs/fips/46-3/final/docs/fips46-3.pdf" target="_blank" rel="noopener"&gt;FIPS PUB 46-3&lt;/a&gt;, was published in 1999. As of January 1, 2024, it reached the same fate as its predecessor.&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="The Triple DES encryption process"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The Triple DES encryption process&lt;/h2&gt;
 &lt;p&gt;Triple DES operates in three steps: Encrypt-Decrypt-Encrypt (EDE). It works by taking three 56-bit keys (K1, K2 and K3) known as a &lt;i&gt;key bundle&lt;/i&gt; and encrypting first with K1, decrypting next with K2 and encrypting a last time with K3. A Triple DES two-key version exists, where the same algorithm runs three times but K1 is used for the first and last steps. This two-key variant was retired in 2015.&lt;/p&gt;
 &lt;p&gt;The algorithm runs three times because double enciphering can't be used. A class of attacks called &lt;a href="https://www.techtarget.com/iotagenda/definition/meet-in-the-middle-attack"&gt;&lt;i&gt;meet-in-the-middle attacks&lt;/i&gt;&lt;/a&gt; encrypt from one end, decrypt from the other and look for collisions -- keys that produce the same answer in either direction. With sufficient memory, Double DES -- or any other cipher run twice -- would only be twice as strong as the base cipher. In other words, the double cipher would only be as strong as the same cipher run once but with a key that was one bit longer.&lt;/p&gt;
 &lt;p&gt;But that's not all: If the cipher forms a group, then encrypting twice with two keys is equivalent to encrypting once with some other key. It's not trivial to know what that other key is, but it does mean that a brute-force attack would find that third key as it tried all the possible single keys. So, if the cipher is a group, then multiple ciphering is a waste of time.&lt;/p&gt;
 &lt;p&gt;A group is a relationship between a set and an operator. If they behave more or less the way integers do with addition, they form a group. If you keep encrypting a block and it makes a full circuit over the set of possible blocks, that also forms a group.&lt;/p&gt;
 &lt;p&gt;DES is not a group. DES does, however, have known structural features in it that make people say it's not strongly &lt;i&gt;not&lt;/i&gt; a group -- in other words, it might be a group. For example, known loops exist in DES where, if you keep encrypting with the same key, you run around in a long loop.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Triple DES encryption modes"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Triple DES encryption modes&lt;/h2&gt;
 &lt;p&gt;With Triple DES, each of the three rounds can be run in either direction -- encrypt or decrypt -- using the DES algorithm. This results in eight different possible modes for Triple DES.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-triple_des_chart.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security-triple_des_chart_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-triple_des_chart_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/security-triple_des_chart.png 1280w" alt="Chart displaying the eight modes of Triple DES" height="268" width="520"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Triple DES has eight different possible modes.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;Those structural features are why you wouldn't want to use EEE or DDD mode if there were a better option, just as you wouldn't want to use EED, DEE, DDE or EDD. Because of the weak nongroupness of DES, EDE or DED compositions work best. Plus, EDE makes more sense. If you use DED, you have to explain why Triple DES starts with decryption.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="The strength of Triple DES: Why it was disallowed"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The strength of Triple DES: Why it was disallowed&lt;/h2&gt;
 &lt;p&gt;The security strength of a cryptographic algorithm or system is specified in bits and is the expected amount of work -- that is, the base 2 logarithm of the number of operations -- to cryptanalyze and break it.&lt;/p&gt;
 &lt;p&gt;If 2&lt;sup&gt;N&lt;/sup&gt; execution operations of the algorithm are required to break a cryptographic algorithm and reveal the original plaintext, the algorithm's security strength is N bits. NIST policy assigns specific strength values from the set -- for example, 80, 112, 128, 192 and 256 -- and, for symmetric ciphers, the value is typically equal to the key size of the cipher, which is equivalent to the complexity of a brute-force attack. A cryptographic algorithm is considered broken when an attack is found to have less than its advertised level of security, though not all attacks are necessarily practical.&lt;/p&gt;
 &lt;p&gt;When Triple DES is used with three independent keys, sometimes referred to as 3TDEA, it has a key length of 168 bits (3 x 56-bit DES keys = 168 independent key bits). Due to meet-in-the-middle attacks, however, the effective security 3TDEA provides is only 112 bits. Also, the small block size of 64 bits makes it vulnerable to block collision attacks when it's used to encrypt large amounts of data with the same key, such as an HTTPS session.&lt;/p&gt;
 &lt;p&gt;In 2016, researchers successfully exploited Triple DES' short block size (&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2016-2183" target="_blank" rel="noopener"&gt;CVE-2016-2183&lt;/a&gt;) in various real-world protocols using a birthday attack called &lt;a href="https://sweet32.info/" target="_blank" rel="noopener"&gt;Sweet32&lt;/a&gt;. As a result, NIST restricted Triple DES use in 2017 to 8 MB of data using a single key bundle. This meant it could no longer effectively be used for TLS, IPsec or large file encryption.&lt;/p&gt;
 &lt;p&gt;In 2018, NIST published guidance that, after a period of public consultation, Triple DES would be deprecated for all new applications -- meaning, it could be used, but risk must be accepted -- and usage disallowed -- meaning no longer allowed for the indicated use -- after 2023.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="What has replaced Triple DES?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What has replaced Triple DES?&lt;/h2&gt;
 &lt;p&gt;NIST began a search for DES replacement algorithms in 1997. In 2000, Advanced Encryption Standard (&lt;a href="https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard"&gt;AES&lt;/a&gt;) was chosen from 15 entries from around the world in an open competition. AES is more mathematically efficient and significantly faster than Triple DES, so it is ideal for applications, firmware and hardware that require low latency or high throughput.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-aes_vs_des-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-aes_vs_des-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-aes_vs_des-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-aes_vs_des-f.png 1280w" alt="Graphic displaying how DES and AES encryption function" height="362" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;DES and AES are both symmetric block ciphers, but DES has been deprecated and replaced by AES.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;AES is the first publicly accessible and open cipher approved by the NSA for top-secret information. It quickly became the de facto world encryption standard.&lt;/p&gt;
 &lt;p&gt;AES comprises three block ciphers -- AES-128, AES-192 and AES-256 -- with both software and hardware implementations being considered efficient. Each cipher has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively, making it exponentially stronger than the 56-bit key of DES. There are 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. A round consists of several processing steps that convert the input plaintext into the final output of ciphertext.&lt;/p&gt;
 &lt;p&gt;Security experts consider AES safe against brute-force attacks, and all key lengths are deemed sufficient to protect classified information up to the secret level, with top-secret information requiring either 192- or 256-bit key lengths.&lt;/p&gt;
 &lt;p&gt;Published as a &lt;a href="https://csrc.nist.gov/pubs/fips/197/final" target="_blank" rel="noopener"&gt;FIPS 197&lt;/a&gt; standard in 2001, AES was originally meant to be an alternative to Triple DES until 2030 to give everyone plenty of time to transition to AES. As mentioned, NIST withdrew this guidance and disallowed Triple DES after January 1, 2024, though its use is still allowed for the decryption, key wrapping and verification of &lt;a href="https://www.techtarget.com/searchsecurity/definition/message-authentication-code-MAC"&gt;MACs&lt;/a&gt; of already-protected data.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Quantum computing and encryption security&lt;/h3&gt; 
   &lt;p&gt;While AES can counter quantum threats by increasing key sizes, Triple DES lacks this adaptability, making it an especially obsolete choice in light of quantum computing's cryptographic impact.&lt;/p&gt; 
   &lt;p&gt;Read up on the future of cryptography in a post-quantum world:&lt;/p&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/How-CISOs-can-prepare-for-the-quantum-cybersecurity-threat"&gt;How CISOs can prepare for the quantum cybersecurity threat&lt;/a&gt;&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-prepare-for-post-quantum-computing-security"&gt;How to prepare for post-quantum computing security&lt;/a&gt;&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/video/An-explanation-of-post-quantum-cryptography"&gt;An explanation of post-quantum cryptography&lt;/a&gt;&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.techtarget.com/searchcio/tip/Quantum-resistant-algorithms-Why-they-matter"&gt;Quantum-resistant algorithms: Why they matter&lt;/a&gt;&lt;/li&gt; 
    &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-achieve-crypto-agility-and-future-proof-security"&gt;How to achieve crypto-agility and future-proof security&lt;/a&gt;&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
 &lt;p&gt;&lt;b&gt;Editor's note: &lt;/b&gt;&lt;i&gt;This article was updated in September 2025 to improve the reader experience.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Triple DES offered 112-bit security through its three-step encryption process, but NIST deprecated it in 2018 and disallowed its use after 2023.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a252808758.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Expert-advice-Encryption-101-Triple-DES-explained</link>
            <pubDate>Wed, 03 Sep 2025 09:00:00 GMT</pubDate>
            <title>What is Triple DES and why is it disallowed?</title>
        </item>
        <item>
            <body>&lt;p&gt;Information security (infosec) is a set of policies, procedures and principles for safeguarding digital data and other kinds of information. It involves the processes and tools designed and deployed to protect sensitive business information from modification, disruption, destruction and unauthorized inspection.&lt;/p&gt; 
&lt;p&gt;Infosec responsibilities include establishing a set of &lt;a href="https://www.techtarget.com/searchcio/definition/business-process"&gt;business processes&lt;/a&gt; that protect information assets, regardless of how that information is formatted or whether it is in transit, being processed or at rest in storage. Generally, an organization applies information security to guard digital information as part of an overall &lt;a href="https://www.techtarget.com/searchsecurity/definition/cybersecurity"&gt;cybersecurity&lt;/a&gt; program. Infosec ensures that employees have access to the data they require, while preventing unauthorized access. It's also associated with &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;risk management&lt;/a&gt; and legal regulations.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why is infosec important?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is infosec important?&lt;/h2&gt;
 &lt;p&gt;Information security plays a vital role in protecting an organization's most critical asset, which is its data. Inadequate security measures can expose businesses to serious risks such as financial loss, &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/How-to-manage-and-mitigate-reputational-risk"&gt;reputational damage&lt;/a&gt;, regulatory fines and even the breakdown of essential operations.&lt;/p&gt;
 &lt;p&gt;The following points highlight why information security is essential for organizations:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Protects sensitive information.&lt;/b&gt; Information security protects &lt;a href="https://www.techtarget.com/whatis/definition/sensitive-information"&gt;sensitive information&lt;/a&gt; for organizations, including customer records, employee details, confidential business information and trade secrets. It also protects data vital to critical infrastructure, such as power grids. Without strong information security measures, crucial information is vulnerable to unauthorized access, theft, malicious alteration and destruction. This poses risks to both individuals and organizations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Prevents financial losses.&lt;/b&gt; Cyberattacks, such as ransomware, phishing and data breaches, can cost millions in recovery efforts, legal fees, lost business and regulatory fines. An effective infosec program helps prevent or reduce the effects of such incidents.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Ensures business continuity and operational resilience.&lt;/b&gt; Information security is essential for maintaining business continuity and &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/operational-resilience"&gt;operational resilience&lt;/a&gt;. Cyberattacks and security incidents can cause disruptions that result in extended downtime and substantial financial losses. By adopting strong information security practices, such as &lt;a href="https://www.techtarget.com/searchsecurity/tip/Incident-response-best-practices-for-your-organization"&gt;incident response strategies&lt;/a&gt; and disaster recovery protocols, organizations can quickly identify, contain and recover from attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Maintains trust and reputation.&lt;/b&gt; Information security is crucial for maintaining the trust and reputation of an organization. A data breach or security incident can damage an organization's public image and erode customer confidence, leading to customer churn and negative media coverage. This loss of trust can also undermine investor confidence, potentially causing a decline in market value and long-term brand damage. By implementing strong infosec practices, companies demonstrate their commitment to safeguarding their data against unauthorized access, misuse and cyberthreats.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Enables regulatory compliance.&lt;/b&gt; Many industries are governed by laws, such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and Sarbanes-Oxley Act. Noncompliance can result in fines, legal actions and lawsuits. Information security helps organizations meet legal and regulatory requirements by proactively ensuring compliance with complex data protection laws and standards.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Defends against threats.&lt;/b&gt; Cyberthreats range from &lt;a href="https://www.techtarget.com/searchsecurity/definition/insider-threat"&gt;insider threats&lt;/a&gt; to sophisticated advanced persistent threats (&lt;a href="https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT"&gt;APTs&lt;/a&gt;). Information security programs defend against these attack vectors by offering a structured approach to identifying, evaluating and managing these risks effectively.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Principles of information security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Principles of information security&lt;/h2&gt;
 &lt;p&gt;The pillars or principles of infosec are collectively known as the confidentiality-integrity-availability (&lt;a href="https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA"&gt;CIA&lt;/a&gt;) triad. These are intended to serve as a &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-write-an-information-security-policy-plus-templates"&gt;guide for information security policies&lt;/a&gt; and processes within an organization. The overall goal of infosec is to let the good guys in, while keeping the bad guys out. The three primary tenets to support this are confidentiality, integrity and availability:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Confidentiality.&lt;/b&gt; This principle requires that information be available only to those with the proper authorization to access that data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Integrity.&lt;/b&gt; This principle dictates that information is consistent, accurate and trustworthy.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Availability.&lt;/b&gt; This principle mandates that information is easily accessible to those with proper authorization and remains so in case of failure to minimize interruptions to users.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;These three principles don't exist in isolation but inform and affect one another. Therefore, any infosec system involves a balance of these factors. As an extreme example, information only available as a written sheet of paper stored in a vault is confidential but not easily available. Information carved into stone displayed in the lobby has a lot of integrity, but it isn't confidential or available.&lt;/p&gt;
 &lt;h3&gt;Other infosec principles&lt;/h3&gt;
 &lt;p&gt;While the CIA triad forms the basis of infosec policy and decision-making, other factors, including the following, should be added to a complete infosec plan:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Risk management.&lt;/b&gt; Because infosec involves a balance of competing factors, it is &lt;a href="https://www.techtarget.com/searchcio/feature/Risk-management-process-What-are-the-5-steps"&gt;associated with risk management&lt;/a&gt;. The goal here is to maximize positive outcomes, while minimizing negative ones. Organizations use risk management principles to determine the level of risk they are willing to take on when executing a system. They can also put safeguards and mitigations in place to reduce risk.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Data classification.&lt;/b&gt; Along with infosec, &lt;a href="https://www.techtarget.com/searchdatamanagement/definition/data-classification"&gt;data classification&lt;/a&gt; should be considered to give extra attention to information that needs to remain either highly confidential or easily available.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Media and confidentiality agreements.&lt;/b&gt; Information security isn't limited to digital data and computer systems. A full infosec policy covers physical information, printed information and other kinds of media. It might also include &lt;a href="https://www.techtarget.com/whatis/definition/non-disclosure-agreement"&gt;confidentiality agreements&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;User training.&lt;/b&gt; Businesses should also employ user training to protect personal data, as well as both computer controls and organizational policy as &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/risk-mitigation"&gt;risk mitigation&lt;/a&gt; factors. For example, to limit the risk of an accounting analyst changing financial data, an organization can put in place a technical control limiting change rights and logging changes. Alternatively, an organizational policy of having a second person audit completed records can also mitigate this risk.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Nonrepudiation.&lt;/b&gt; Another important infosec factor is &lt;a href="https://www.techtarget.com/searchsecurity/definition/nonrepudiation"&gt;nonrepudiation&lt;/a&gt;, which is the ability to prove that information hasn't been tampered with. No one should tamper with data at rest or in transit, its source should be trustworthy, and it shouldn't be accidentally or maliciously modified.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Business continuity and disaster recovery.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/Business-Continuity-and-Disaster-Recovery-BCDR"&gt;BCDR&lt;/a&gt; is an additional consideration of infosec. Data should remain available and unchanged in the case of a software or hardware failure. Organizations can accomplish this through &lt;a href="https://www.techtarget.com/searchdatabackup/feature/Full-incremental-or-differential-How-to-choose-the-correct-backup-type"&gt;backups&lt;/a&gt; or redundant systems.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Change management.&lt;/b&gt; Consider &lt;a href="https://www.techtarget.com/searchcio/definition/change-management"&gt;change management&lt;/a&gt; with an infosec policy as well. Poorly managed changes can cause outages that affect the availability of a system. System changes also affect the overall security of stored data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Local laws and governmental regulations. &lt;/b&gt;Regulatory bodies often regulate &lt;a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII"&gt;personally identifiable information&lt;/a&gt; depending on the region. Regulations, such as HIPAA for medical data, the Payment Card Industry Data Security Standard (&lt;a href="https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard"&gt;PCI DSS&lt;/a&gt;) for payment information or the European Union's (EU) GDPR legislation, require that some information be treated differently or have special security controls in place.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Least privilege.&lt;/b&gt; Strong information security requires that users and systems are granted only the minimum level of access required to perform their tasks. This enforces the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;principle of least privilege&lt;/a&gt;, reducing the attack surface and limiting potential damage if credentials are compromised.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/businesscontinuity_planning.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/businesscontinuity_planning_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/businesscontinuity_planning_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/businesscontinuity_planning.jpg 1280w" alt="Diagram showing how business continuity and disaster recovery work together in an infosec strategy" height="448" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Business continuity and disaster recovery planning, as part of an overall infosec strategy, consists of multiple layers.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;          
&lt;section class="section main-article-chapter" data-menu-title="Types of information security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of information security&lt;/h2&gt;
 &lt;p&gt;Although information security can take many different forms, the following are the most common types:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Application security.&lt;/b&gt; This infosec approach is designed for safeguarding applications and &lt;a href="http://cdn.ttgtmedia.com/rms/editorial/SEC-Kirvan-ShadowITPolicyTemplateV1.0.docx?web=1"&gt;application programming interfaces&lt;/a&gt;. It stops and blocks vulnerabilities and data breaches from affecting applications. Application security can be achieved through various techniques, such as using &lt;a href="https://www.techtarget.com/searchsecurity/definition/Web-application-firewall-WAF"&gt;web application firewalls&lt;/a&gt; and scanners that continuously find, monitor and mitigate vulnerabilities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Infrastructure security.&lt;/b&gt; Infrastructure security focuses on safeguarding &lt;a href="https://www.techtarget.com/whatis/definition/intranet"&gt;intranet&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchnetworking/definition/extranet"&gt;extranet&lt;/a&gt; networks, as well as labs, &lt;a href="https://www.techtarget.com/searchdatacenter/definition/data-center"&gt;data centers&lt;/a&gt;, servers, desktop computers, cloud assets and mobile devices. It also protects against typical cybercrimes, as well as natural disasters and other mishaps. In short, infrastructure security plays a big part in reducing and mitigating damage from any type of malfunction.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cloud security.&lt;/b&gt; This approach is geared toward securing, building and hosting apps in the cloud. To ensure &lt;a href="https://www.techtarget.com/searchsecurity/definition/cloud-security"&gt;cloud security&lt;/a&gt;, businesses must ensure secure application use and isolation between separate processes because cloud applications are run in a shared environment.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cryptography.&lt;/b&gt; This is the process of converting plaintext data into secure data by encrypting it. &lt;a href="https://www.techtarget.com/searchsecurity/definition/cryptography"&gt;Cryptography&lt;/a&gt; encrypts both data at rest and in transit to ensure data integrity and defend against cyberattacks. To make messages and data harder to read, security teams frequently use &lt;a href="https://www.techtarget.com/searchsecurity/definition/digital-signature"&gt;digital signatures&lt;/a&gt; and sophisticated algorithms. For instance, symmetric key algorithms, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/Advanced-Encryption-Standard"&gt;Advanced Encryption Standard&lt;/a&gt;, are frequently used to secure sensitive government data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Vulnerability management.&lt;/b&gt; Every year, thousands of new vulnerabilities are discovered that require organizations to patch their &lt;a href="https://www.techtarget.com/whatis/definition/operating-system-OS"&gt;operating systems&lt;/a&gt; and applications and reconfigure the security settings of their network. The vulnerability management process identifies and manages all the weak points in an environment to proactively address vulnerabilities before they turn into real threats.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Incident response plan.&lt;/b&gt; An incident response plan is a set of information security processes that are used to identify, contain and recover from security breaches. By having an incident response strategy in place, organizations can contain threats and recover easily from the aftermath of a security incident. Steps for preserving evidence for forensic examination and future prosecution should also be established as part of this plan. These details can be used to identify the perpetrator and prevent subsequent attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Identity and access management.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;IAM&lt;/a&gt; is a comprehensive framework of policies, processes and technologies designed to manage digital identities and regulate user access to resources. It encompasses the creation and administration of unique digital identities and the authentication of those identities via credentials such as passwords, &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;multifactor authentication&lt;/a&gt; or &lt;a href="https://www.techtarget.com/searchsecurity/definition/biometrics"&gt;biometrics&lt;/a&gt;. It also includes the authorization of permissions based on roles or attributes. By combining identity proofing, credential management, &lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;access control&lt;/a&gt; and auditing, IAM ensures that only verified and authorized users and systems can access specific resources at the appropriate times.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Operational security.&lt;/b&gt; This involves implementing and maintaining secure processes and decision-making practices related to data handling and protection. It includes activities such as securely disposing of devices, &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-third-party-risk-management-policy"&gt;managing third-party or vendor risks&lt;/a&gt; and ensuring that day-to-day operations don't inadvertently expose sensitive information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Physical security. &lt;/b&gt;While often overlooked in the digital age, physical security is a foundational component of infosec. It involves safeguarding physical assets that support information systems, such as data centers, server rooms and hardware, from unauthorized access, theft, damage and environmental threats. Measures include access control systems, such as keycards, biometrics, surveillance cameras, security guards and environmental controls.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/best_practices_for_avoiding_data_breaches-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/best_practices_for_avoiding_data_breaches-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/best_practices_for_avoiding_data_breaches-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/best_practices_for_avoiding_data_breaches-f.png 1280w" alt="List of best practices for avoiding data breaches" height="269" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Commonsense security practices help prevent data breaches as part of an overall infosec plan.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Information security threats"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Information security threats&lt;/h2&gt;
 &lt;p&gt;Threats to information security manifest themselves in a variety of ways. The following are the most common threat vectors:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Insecure systems.&lt;/b&gt; New technology is being released every day. However, if it's not designed with security in mind, it can have severe repercussions for the information security of an organization. Consequently, if a business is running obsolete or &lt;a href="https://www.techtarget.com/searchitoperations/definition/legacy-application"&gt;legacy systems&lt;/a&gt;, it runs a great risk of falling prey to security breaches. Organizations should identify weak systems and patch them up or decommission them as necessary.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Social media attacks.&lt;/b&gt; Attacks on information security through &lt;a href="https://www.techtarget.com/whatis/definition/social-media"&gt;social media&lt;/a&gt; are on the rise. On Oct. 7, 2022, Facebook's parent company, Meta, announced its researchers had found 400 malicious Android and iOS apps during the previous year that were intended to steal Facebook users' usernames and passwords and compromise their accounts. Cybercriminals use direct or indirect means to attack social media sites. Through messaging, attackers can often transfer &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; to social media users who are the targets of direct attacks. Indirect techniques involve gathering data from social media sites to identify organizational or user vulnerabilities and plan an attack.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Social engineering attacks.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/social-engineering"&gt;Social engineering&lt;/a&gt; is the practice of coercing individuals into disclosing their personal information or stealing it from them. This tactic relies on exploiting human nature, which is typically the weakest link in a system. Attackers typically send phishing emails and messages that have a tone of urgency or fear, tricking users into divulging their sensitive information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Third-party breaches.&lt;/b&gt; Attackers occasionally use a flaw or vulnerability to gain access to and steal data held on the systems of third-party vendors. For instance, in 2021, hackers exploited the vulnerabilities in &lt;a href="https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Exchange-Server"&gt;Microsoft Exchange Server&lt;/a&gt; to access the emails of 60,000 private companies and nine government entities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Attacks on sensitive information. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/encryption"&gt;Encryption&lt;/a&gt; is a great way to protect information assets within an organization. For example, the healthcare industry follows HIPAA compliance, which requires every computer to be encrypted due to the sensitive nature of the data involved. However, this important method is often overlooked due to its complex nature and lack of legal implications.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;AI-driven and automated attacks.&lt;/b&gt; Cybercriminals are increasingly using &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-Artificial-Intelligence"&gt;AI&lt;/a&gt; and automation to scale their attacks, making cyberthreats more pervasive and dynamic. According to a Fortinet &lt;a target="_blank" href="https://www.fortinet.com/resources/reports/threat-landscape-report" rel="noopener"&gt;report&lt;/a&gt;, AI-powered automated scanning surged to an astonishing 36,000 scans per second in 2024, which is a 16.7% annual increase. This let attackers identify vulnerabilities at an unprecedented pace. Threat actors also use AI to craft highly personalized phishing messages, develop adaptive malware and even deploy autonomous attacks that execute multistage exploits with minimal human intervention.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Zero-day exploits.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability"&gt;These exploits&lt;/a&gt; are security vulnerabilities in software that are unknown to the vendor and exploited by attackers before a fix is available. Because zero-day exploits haven't been patched or publicly disclosed, they're a serious threat to information security as they give cybercriminals a window of opportunity to launch stealthy and often targeted attacks. These exploits are difficult to detect, making them a favorite tool for APTs and nation-state actors.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cloud security gaps.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-11-cloud-security-challenges-and-how-to-combat-them"&gt;Cloud security gaps&lt;/a&gt; arise when cloud environments are misconfigured, poorly monitored or lack strong identity and access controls. These vulnerabilities expose sensitive data to potential breaches. As organizations adopt &lt;a href="https://www.techtarget.com/searchcloudcomputing/feature/Multi-cloud-vs-hybrid-cloud-and-how-to-know-the-difference"&gt;hybrid and multi-cloud architectures&lt;/a&gt;, visibility and governance often become fragmented, increasing the risk of unauthorized access or accidental data leaks. Weak permission structures, excessive entitlements and overlooked assets all contribute to these vulnerabilities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Human error&lt;/b&gt;. Beyond malicious attacks, information security is also threatened by human factors, which include unintentional mistakes, negligence and a lack of security awareness among individuals, leading to vulnerabilities such as misconfigured systems, accidental data disclosures and the use of weak passwords.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Information security tools"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Information security tools&lt;/h2&gt;
 &lt;p&gt;Information security relies on a strong set of tools, platforms and technologies designed to detect, prevent, respond to and recover from threats.&lt;/p&gt;
 &lt;p&gt;The following are some of the key security tools across the infosec ecosystem:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Firewalls.&lt;/b&gt; These act as a barrier between trusted internal networks and untrusted external networks, such as the internet. They control incoming and outgoing network traffic based on predefined security rules.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Next-generation firewalls.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/next-generation-firewall-NGFW"&gt;NGFWs&lt;/a&gt; go beyond traditional firewalls with features including deep packet inspection, application awareness and threat intelligence integration.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Intrusion detection systems and intrusion prevention systems.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/intrusion-detection-system"&gt;IDS&lt;/a&gt; monitors network or system activities for malicious activity or policy violations and alerts administrators. &lt;a href="https://www.techtarget.com/searchsecurity/definition/intrusion-prevention"&gt;IPS&lt;/a&gt; not only detects but also actively blocks or prevents detected threats from reaching their targets.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Virtual private networks.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchnetworking/definition/virtual-private-network"&gt;VPNs&lt;/a&gt; are used to create a secure, encrypted connection over a less secure network, such as the internet. This ensures remote users can securely access corporate resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Security information and event management.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-information-and-event-management-SIEM"&gt;SIEM&lt;/a&gt; tools collect and aggregate log data from various security devices and systems across an organization. In doing this, they provide centralized monitoring, correlation of events and real-time alerts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Cryptography.&lt;/b&gt; This approach uses algorithms to transform information into an unreadable format, ensuring that only authorized individuals possessing the correct decryption key can access and comprehend its content.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Endpoint detection and response.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/endpoint-detection-and-response-EDR"&gt;EDR&lt;/a&gt; tools continuously monitor endpoint activities, collect data and use analytics to detect and investigate suspicious behaviors, enabling rapid response to threats.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Antivirus and antimalware.&lt;/b&gt; These tools detect, prevent and remove malicious software such as viruses, worms, trojans and spyware from endpoints.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Identity and access management.&lt;/b&gt; IAM tools ensure that only the right individuals access the right resources at the right times for the right reasons.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;User behavior analytics.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/user-behavior-analytics-UBA"&gt;UBA&lt;/a&gt; establishes a baseline of normal user activity within a secure network environment. It continuously monitors for deviations from this baseline, flagging any unusual or anomalous behavior as potentially malicious for further investigation.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Packet and protocol analyzers.&lt;/b&gt; Packet and protocol analyzers are powerful tools used to capture, inspect and analyze data packets traveling across a network. These tools enable security professionals, network administrators, and penetration testers to examine traffic at a granular level, helping to identify performance issues, misconfiguration and security threats.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What is the difference between information security vs. cybersecurity?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the difference between information security vs. cybersecurity?&lt;/h2&gt;
 &lt;p&gt;Since most information exchange happens in cyberspace these days, the terms &lt;i&gt;information security&lt;/i&gt; and &lt;i&gt;cybersecurity&lt;/i&gt; are often used interchangeably. While their paths intersect, both terms have individual meanings.&lt;/p&gt;
 &lt;p&gt;Physical security, endpoint security, data encryption and network security are examples of information security. It's also closely related to &lt;a href="https://www.techtarget.com/searchsecurity/definition/information-assurance"&gt;information assurance&lt;/a&gt;, which safeguards data against threats, such as natural disasters and server outages. In short, information security is concerned with protecting any type of data, not just data in cyberspace.&lt;/p&gt;
 &lt;p&gt;Cybersecurity, on the other hand, is a subcategory of information security. It deals with technological threats and the practices and tools that can be used to mitigate cyberattacks, such as spyware or ransomware. It prioritizes technologies such as firewalls, intrusion detection systems, endpoint protection, encryption and incident response to guard digital assets.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/The-importance-of-data-security-in-the-enterprise"&gt;Data security is another related category of cybersecurity&lt;/a&gt; that focuses on protecting an organization's data from accidental or malicious exposure to unauthorized parties.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Data protection laws for information security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Data protection laws for information security&lt;/h2&gt;
 &lt;p&gt;There are no federal laws governing data security in the United States, but some regulations have been passed to protect specific types of data. The EU, on the other hand, adheres to GDPR, which governs the collection, use, storage, security and transmission of data pertaining to EU residents.&lt;/p&gt;
 &lt;p&gt;Data security regulations in the U.S. include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Federal Trade Commission Act.&lt;/b&gt; This law forbids businesses from misleading consumers about privacy rules, failing to properly protect customer privacy and using deceptive advertising.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Children's Online Privacy Protection Act.&lt;/b&gt; This one controls how information and data regarding children are regulated.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;HIPAA.&lt;/b&gt; This controls the use, storage and confidentiality of health information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Fair and Accurate Credit Transactions Act.&lt;/b&gt; &lt;a target="_blank" href="https://www.techtarget.com/whatis/definition/FACTA-Fair-and-Accurate-Credit-Transactions-Act" rel="noopener"&gt;FACTA&lt;/a&gt; specifies how credit report data should be used and discarded.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Gramm-Leach-Bliley Act.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchcio/definition/Gramm-Leach-Bliley-Act"&gt;GLBA&lt;/a&gt; restricts how banks and financial institutions gather and store personal information.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;In addition to these federal laws, many U.S. states have enacted their own data breach notification laws and comprehensive privacy laws that impose data security requirements. Examples include the &lt;a href="https://www.techtarget.com/searchcio/definition/California-Consumer-Privacy-Act-CCPA"&gt;California Privacy Act&lt;/a&gt; and the California Privacy Rights Act, Virginia Consumer Data Protection Act and Colorado Privacy Act.&lt;/p&gt;
 &lt;p&gt;There are other significant national regulations worldwide that impose stringent data protection and information security requirements. These include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Australian Prudential Regulatory Authority CPS 234.&lt;/b&gt; The APRA standard mandates that regulated entities, such as banks and insurers, maintain information security capabilities commensurate with their information security vulnerabilities and threats.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Canada's Personal Information Protection and Electronic Documents Act. &lt;/b&gt;PIPEDA is a federal law that governs how private sector organizations collect, use and disclose personal information during commercial activities across Canada.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Singapore's Personal Data Protection Act. &lt;/b&gt;PDPA governs the collection, use and disclosure of personal data by organizations in Singapore, emphasizing consent and accountability for data protection.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Infosec jobs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Infosec jobs&lt;/h2&gt;
 &lt;p&gt;Most roles working with computers involve an element of information security. Therefore, &lt;a href="https://www.techtarget.com/searchsecurity/tip/10-must-have-cybersecurity-skills-for-career-success"&gt;infosec jobs&lt;/a&gt; vary in their titles among organizations and are often cross-disciplinary or interdepartmental.&lt;/p&gt;
 &lt;p&gt;The following are the most common job titles in information security:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;In IT, the &lt;a href="https://www.techtarget.com/whatis/definition/CSO-Chief-Security-Officer"&gt;chief security officer&lt;/a&gt; or &lt;a href="https://www.techtarget.com/searchsecurity/definition/CISO-chief-information-security-officer"&gt;chief information security officer&lt;/a&gt;, in collaboration with the chief information officer, is responsible for overall cybersecurity and infosec policy.&lt;/li&gt; 
  &lt;li&gt;A security director is a senior-level professional who oversees the application of all IT security measures within a company.&lt;/li&gt; 
  &lt;li&gt;An IT security architect is responsible for developing and overseeing the network and computer security infrastructure of a company.&lt;/li&gt; 
  &lt;li&gt;A security engineer or security systems administrator is responsible for executing or evaluating infosec controls, managing firewall configurations, keeping an organization's IT security solutions up to date and looking into intrusion incidents.&lt;/li&gt; 
  &lt;li&gt;An information security analyst or IT security consultant is responsible for making security risk assessments, evaluating effectiveness of controls and analyzing a failure and its consequences.&lt;/li&gt; 
  &lt;li&gt;A security operations center analyst works in a &lt;a href="https://www.techtarget.com/searchsecurity/definition/Security-Operations-Center-SOC"&gt;SOC&lt;/a&gt; to detect, analyze and escalate security events and potential breaches.&lt;/li&gt; 
  &lt;li&gt;A penetration tester, also known as an &lt;a href="https://www.techtarget.com/searchsecurity/definition/ethical-hacker"&gt;ethical hacker&lt;/a&gt;, simulates cyberattacks to identify and exploit security weaknesses legally.&lt;/li&gt; 
  &lt;li&gt;A cloud security engineer secures cloud environments, focusing on identity, encryption and misconfigurations.&lt;/li&gt; 
  &lt;li&gt;A digital forensics analyst investigates breaches and recovers compromised data.&lt;/li&gt; 
  &lt;li&gt;A governance, risk and compliance analyst ensures adherence to regulatory and internal standards.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-cybersecurity_career_path-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-cybersecurity_career_path-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-cybersecurity_career_path-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-cybersecurity_career_path-f.png 1280w" alt="Table showing career paths for cybersecurity careers " height="548" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Infosec professionals have many paths they can take in their information security career.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Infosec certifications"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Infosec certifications&lt;/h2&gt;
 &lt;p&gt;A &lt;a href="https://www.techtarget.com/searchsecurity/tip/10-cybersecurity-certifications-to-boost-your-career-in-2021"&gt;number of certifications&lt;/a&gt; are available for IT professionals who work in or aspire to specialize in infosec and cybersecurity. The following is a curated list of in-demand information security certifications, organized by career stage and focus area:&lt;/p&gt;
 &lt;h3&gt;Entry-level certifications&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;CompTIA Security+.&lt;/b&gt; This certification covers core cybersecurity knowledge and is used to qualify for entry-level IT and infosec roles.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Global Information Assurance Certification Security Essentials.&lt;/b&gt; Created and administered by GIAC, this certification is geared toward security professionals who want to demonstrate they are qualified for hands-on roles with respect to security tasks related to IT systems. The exam requires candidates to demonstrate an understanding of information security beyond simple terminology and concepts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;ISC2 Certified in Cybersecurity.&lt;/b&gt; This is an entry-level certification offered by &lt;a href="https://www.techtarget.com/searchsecurity/definition/ISC2-International-Information-Systems-Security-Certification-Consortium"&gt;ISC2&lt;/a&gt;, an international nonprofit cybersecurity certification body. It's designed to help individuals start a career in cybersecurity, covering security principles, incident response, network security and security operations.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Midlevel certifications&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;CompTIA PenTest+. &lt;/b&gt;This certification covers &lt;a href="https://www.techtarget.com/searchsecurity/definition/vulnerability-assessment-vulnerability-analysis"&gt;vulnerability assessment&lt;/a&gt; and penetration testing, including planning, scoping, performing and reporting on security assessments. It's ideal for cybersecurity professionals who perform hands-on penetration testing.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;EC-Council Certified Ethical Hacker.&lt;/b&gt; This certification is one of the recognized &lt;a href="https://www.techtarget.com/searchsecurity/tip/Ethical-hacker-certifications-to-consider"&gt;ethical hacking certificates&lt;/a&gt;. It teaches about the tools and techniques commonly used by malicious hackers in a legal and ethical way to help identify and address system vulnerabilities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;ISACA Certified Information Systems Auditor. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchcio/definition/ISACA"&gt;ISACA&lt;/a&gt; is a nonprofit, independent association that advocates for professionals in information security, assurance, risk management and governance. The &lt;a href="https://www.techtarget.com/searchsecurity/definition/Certified-Information-Systems-Auditor-CISA"&gt;CISA&lt;/a&gt; exam certifies the knowledge and skills of security professionals. To qualify for this certification, candidates must have five years of professional work experience related to information systems auditing, control or security.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;ISACA Certified Information Security Manager.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/certified-information-security-manager-CISM"&gt;CISM&lt;/a&gt; is an advanced certification that validates individuals who have demonstrated the in-depth knowledge and experience required to develop and manage enterprise information security programs. ISACA aims this certification at information security managers, aspiring managers and IT consultants who support information security program management.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Advanced and senior-level certifications&lt;/h3&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;CompTIA Security X&lt;/b&gt;. This is an advanced practitioner-level certification for enterprise security. It is a high-level, performance-based certification designed for seasoned cybersecurity professionals who want to remain hands-on rather than move into management.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;EC-Council Certified Chief Information Security Officer.&lt;/b&gt; This certification is specifically designed for current and aspiring CISOs, covering executive-level security management, governance, risk management, strategic planning and financial management of security programs.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;GIAC Security Leadership Certification.&lt;/b&gt; The GSLC certification is geared towards security leaders and managers, covering security strategy, policy, legal issues and effective communication with executive management. It provides a broad understanding of security leadership principles.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;ISC2 Certified Cloud Security Professional&lt;/b&gt;. CCSP focuses on securing cloud environments. The target audience for this certification is &lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/cloud-architect"&gt;cloud architects&lt;/a&gt;, security consultants, engineers and managers responsible for cloud security architecture and operations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;ISC2 Certified Information Systems Security Professional. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/Certified-Information-Systems-Security-Professional"&gt;CISSP&lt;/a&gt; is an advanced certification for experienced cybersecurity professionals. The exam covers the ability to design and develop an infosec program.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Information security-focused &lt;a href="https://www.techtarget.com/searchsecurity/tip/The-best-cloud-security-certifications-for-IT-professionals"&gt;certifications for a range of cloud vendors&lt;/a&gt; are also readily available. Popular examples include AWS Certified Security -- Specialty, Google Professional Cloud Security Engineer and Microsoft Information Protection Administrator.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Cybersecurity, a subcategory of information security, necessitates thorough planning to be successful. Discover how to &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/The-ultimate-guide-to-cybersecurity-planning-for-businesses?Offer=ab_ss_reeng_plt_var"&gt;&lt;i&gt;execute cybersecurity best practices by reading this guide&lt;/i&gt;&lt;/a&gt;&lt;i&gt;. Also, &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/Data-security-guide-Everything-you-need-to-know?Offer=ab_ss_reeng_plt_var"&gt;&lt;i&gt;learn the essentials of data security&lt;/i&gt;&lt;/a&gt;&lt;i&gt; and the practice of preserving the confidentiality, integrity and availability of organizational data.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Information security (infosec) is a set of policies, procedures and principles for safeguarding digital data and other kinds of information.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/5.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/information-security-infosec</link>
            <pubDate>Wed, 03 Sep 2025 09:00:00 GMT</pubDate>
            <title>What is information security (infosec)?</title>
        </item>
        <item>
            <body>&lt;p&gt;A denial-of-service attack is a cyberattack that aims to make key systems or services unavailable to users, usually by overwhelming them with traffic or malicious requests. DoS attacks bombard the target with such massive amounts of data that systems become unable to process legitimate requests and stop functioning.&lt;/p&gt; 
&lt;p&gt;The most common form of DoS attack is distributed denial of service (DDoS), which sends network traffic from a large number of devices with different IP addresses, making the attack source difficult to filter or block. These attacks often use &lt;a href="https://www.techtarget.com/searchsecurity/definition/botnet"&gt;botnets&lt;/a&gt;, networks of hijacked computers or IoT devices. For example, the notorious &lt;a href="https://www.cybersecuritydive.com/news/us-takedown-china-botnet/727501/"&gt;Mirai botnet and its successors&lt;/a&gt; have enlisted thousands of compromised devices -- including CCTV cameras, home routers and baby monitors -- which threat actors have used to launch massive DDoS attacks.&lt;/p&gt; 
&lt;p&gt;&lt;b&gt;Editor's note: &lt;/b&gt;&lt;i&gt;For the purposes of this article, we consider a DDoS attack a type of DoS attack. Note, however, that some experts argue a true DoS attack has only one malicious source, with a single system attacking a single system. Defenders could mitigate such an attack relatively easily by identifying and blocking traffic from the relevant IP address. &lt;/i&gt;&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;In contrast, a DDoS attack involves traffic from many sources, with multiple systems bombarding the target. DDoS attacks are more challenging to prevent and stop than single-source DoS attacks, because they involve many more malicious IP addresses. &lt;/i&gt;&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Types of DoS attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of DoS attacks&lt;/h2&gt;
 &lt;p&gt;DoS attacks fall into the following three categories:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Volumetric attacks.&lt;/b&gt; Target network infrastructure, such as firewalls and routers, with vast amounts of traffic, through techniques such as &lt;a href="https://www.techtarget.com/searchnetworking/definition/ICMP"&gt;Internet Control Message Protocol&lt;/a&gt; or &lt;a href="https://www.techtarget.com/searchnetworking/definition/UDP-User-Datagram-Protocol"&gt;User Datagram Protocol&lt;/a&gt; floods.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Protocol attacks. &lt;/b&gt;Also target network infrastructure, but rather than simply flooding it with data, these attacks manipulate protocol behaviors to exhaust server resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Application layer attacks.&lt;/b&gt; Target websites and APIs by generating large numbers of &lt;a href="https://www.techtarget.com/whatis/definition/HTTP-Hypertext-Transfer-Protocol"&gt;HTTP&lt;/a&gt; requests or by triggering resource-intensive application functions, such as complex report generation.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-signs_dos_attack.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-signs_dos_attack_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-signs_dos_attack_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-signs_dos_attack.png 1280w" alt="Signs of a DoS attack" height="260" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;If online services are unusually slow or suddenly unavailable, a DoS attack could be underway.
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Consequences of DoS attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Consequences of DoS attacks&lt;/h2&gt;
 &lt;p&gt;Successful DoS attacks can disrupt business and devastate organizations. Consequences include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Immediate financial losses.&lt;/b&gt; When a business-critical system experiences downtime, the organization typically loses money. For example, even a brief DoS outage at a high-volume e-commerce merchant would result in many lost transactions, adding up to significant financial impact.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Remediation costs. &lt;/b&gt;An organization experiencing a DoS attack must respond and get affected systems back online quickly, which can require significant resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Reputational damage. &lt;/b&gt;A long outage can seriously damage a brand's reputation, prompting customers, shareholders and the public to question the organization's ability to protect its systems.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Successful DoS attacks can devastate organizations.
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="DoS prevention and mitigation methods"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;DoS prevention and mitigation methods&lt;/h2&gt;
 &lt;p&gt;As is so often the case in cybersecurity, an ounce of prevention is worth a pound of cure. Effective DoS prevention and mitigation must begin long before an attack attempt takes place.&lt;/p&gt;
 &lt;h3&gt;Risk assessment&lt;/h3&gt;
 &lt;p&gt;Start by identifying and evaluating all digital assets, especially critical systems and data that might draw attacks. Determine baseline traffic patterns. Assess potential vulnerabilities that threat actors might exploit.&lt;/p&gt;
 &lt;h3&gt;Attack surface reduction&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-implement-an-attack-surface-management-program"&gt;Reduce the attack surface&lt;/a&gt; by implementing necessary security patches and removing unnecessary internet-facing systems.&lt;/p&gt;
 &lt;h3&gt;DoS prevention and mitigation services&lt;/h3&gt;
 &lt;p&gt;While possible, it is difficult to defend against DoS attacks without the support of a third-party provider. Typically, organizations rely on &lt;a href="https://www.techtarget.com/searchnetworking/definition/CDN-content-delivery-network?Offer=ab_ss_reeng_plt_ctrl"&gt;content delivery network&lt;/a&gt; providers and specialized DDoS mitigation providers -- such as Cloudflare, AWS Shield and Azure DDoS Protection -- for scalable DoS protection. A company that enlists such a service can expect it to do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Provide a defensive layer that sits between an organization's applications and the public internet.&lt;/li&gt; 
  &lt;li&gt;Act as a reverse proxy, with all traffic hitting the mitigation provider's data centers first.&lt;/li&gt; 
  &lt;li&gt;Distribute sudden surges in traffic across multiple provider-owned data centers.&lt;/li&gt; 
  &lt;li&gt;Apply &lt;a href="https://www.darkreading.com/cyberattacks-data-breaches/breaking-the-ddos-attack-loop-with-rate-limiting"&gt;rate limiting&lt;/a&gt; -- restricting the number of requests servers will accept in a certain period -- to sources of suspicious traffic.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;DoS prevention and mitigation tools&lt;/h3&gt;
 &lt;p&gt;Other defensive mechanisms include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Web application firewalls.&lt;/b&gt; WAFs filter out requests targeting specific URLs or API endpoints.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Intrusion prevention and detection systems. &lt;/b&gt;IPSes and IDSes monitor network activity to identify unusual traffic patterns that might indicate a DoS attack. These and other tools, such as firewalls, can also automatically &lt;a href="https://www.techtarget.com/searchsecurity/tip/Allowlisting-vs-blocklisting-Benefits-and-challenges"&gt;block traffic&lt;/a&gt; from sources an administrator flags as malicious. Note, however, that &lt;a href="https://www.techtarget.com/searchsecurity/definition/IP-spoofing"&gt;IP spoofing&lt;/a&gt; can readily circumvent blocklists.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Blackhole routing.&lt;/b&gt; Drops all traffic targeting the system. This has a similar effect to the attack itself, however, by taking the system offline.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;DoS response plan&lt;/h3&gt;
 &lt;p&gt;Even when an organization has a DoS mitigation strategy in place, its &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan"&gt;incident response plan&lt;/a&gt; should still cover DoS attacks and include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Clear escalation procedures.&lt;/li&gt; 
  &lt;li&gt;When to enlist expert third-party support.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Build-a-strong-cyber-resilience-strategy-with-existing-tools"&gt;Business continuity measures to maintain critical operations&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Policies for when, what and how to communicate with internal stakeholders, customers and the public. Social media channels can provide an effective way to reach the latter when other resources are unavailable.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The worst DoS attacks are like digital tsunamis that put critical business operations at risk. Learn how they work, ways to stop them and how systems can withstand the flood.</description>
            <image>https://cdn.ttgtmedia.com/visuals/German/article/security_article_010.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Preventing-DoS-attacks-The-best-ways-to-defend-the-enterprise</link>
            <pubDate>Fri, 08 Aug 2025 11:46:00 GMT</pubDate>
            <title>How to prevent DoS attacks and what to do if they happen</title>
        </item>
        <item>
            <body>&lt;p&gt;Not every company has the scale and skills of Intuit's Credit Karma, but the company's data science head has some advice on where others can begin devising their own AI governance framework.&lt;/p&gt; 
&lt;p&gt;Credit Karma can use Intuit's &lt;a href="https://www.techtarget.com/searchsoftwarequality/news/366627890/Intuits-Ashok-Srivastava-on-AI-agents-new-frontier"&gt;GenOS AI operating system&lt;/a&gt;, with its catalog of AI models, agents and software development tools. With help from GenOS, teams at Credit Karma recently created a multi-agent system to automatically review AI outputs before allowing them to reach production.&lt;/p&gt; 
&lt;div class="imagecaption alignLeft"&gt;
 &lt;img src="https://cdn.ttgtmedia.com/rms/onlineimages/daianu_madelaine.jpg" alt="Madelaine Daianu, senior director of data science and engineering, Credit Karma"&gt;Madelaine Daianu
&lt;/div&gt; 
&lt;p&gt;These form the technical basis for the AI compliance initiative led by Madelaine Daianu, senior director of data science and engineering at Credit Karma. But these efforts began with hands-on human collaboration that other companies can and must emulate, as every company and industry must &lt;a href="https://www.techtarget.com/healthtechanalytics/feature/How-health-systems-are-facilitating-AI-governance"&gt;devise its own tailored approach&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;"Finding a balancing act between innovation and safety, compliance or whatever is relevant to them is extremely important, and taking the step to slow down a little bit before they run and move fast," Daianu said. "Have your internal red team go and break an LLM-generated response and learn from it, and develop a thorough, custom evaluation framework for your use case."&lt;/p&gt; 
&lt;p&gt;At Credit Karma, &lt;a href="https://www.techtarget.com/whatis/definition/red-teaming"&gt;red teams&lt;/a&gt; that broke workflows driven by large language models (LLMs) and identified their weaknesses devised a five-step evaluation framework for AI governance.&lt;/p&gt; 
&lt;p&gt;The framework's stages include the following:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;Response quality and accuracy.&lt;/li&gt; 
 &lt;li&gt;AI safety, including detecting bias.&lt;/li&gt; 
 &lt;li&gt;Compliance, primarily with the contractual expectations of Credit Karma partners when it presents credit card and loan information to customers on its platform.&lt;/li&gt; 
 &lt;li&gt;Data provenance and accuracy.&lt;/li&gt; 
 &lt;li&gt;System metrics such as cost and latency.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;"Within this framework, compliance is where we had to get super innovative, because it would take us a very long time to [manually] check summaries from an LLM," Daianu said. "For instance, in the case of a credit card, we need to make sure that we represent the benefits of that card as mapped to the partner brand with the utmost accuracy. But to be able to do that, we had to extract the fields from the summary that are pertinent to, say, rates or fees."&lt;/p&gt; 
&lt;p&gt;That's where the &lt;a href="https://www.techtarget.com/searchenterpriseai/news/366623681/IBM-customers-assess-the-performance-of-AI-agents"&gt;multi-agent&lt;/a&gt; system came in. Specialized AI agents check each specific data field within LLM-generated summaries and ensure that their presentation to users follows the partner brand. In this and other stages of the evaluation framework, LLMs are also used to judge the overall response quality from groups of agents.&lt;/p&gt; 
&lt;p&gt;Those models were trained with human feedback from Credit Karma's customer success team, which still performs spot checks. According to Daianu, AI agents simply reapply that evaluation process to new summaries, up to 50 times faster.&lt;/p&gt; 
&lt;p&gt;However, when evaluating AI tools, it's also important not to overuse them, Daianu said.&lt;/p&gt; 
&lt;p&gt;"We are using GenAI as a judge in some elements of our framework, especially for compliance, but not everywhere," she said. "For AI safety, we can use traditional machine learning. Not overfitting GenAI ... is important, because that can oftentimes give you better accuracy, better explainability, and is not as much of a black box."&lt;/p&gt; 
&lt;p&gt;&lt;em&gt;Beth Pariseau, a senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? &lt;a href="mailto:beth.pariseau@informatechtarget.com?subject=News%20tip"&gt;Email her&lt;/a&gt; or reach out &lt;a target="_blank" href="https://x.com/PariseauTT" rel="noopener"&gt;@PariseauTT&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;</body>
            <description>Start slow and break things -- that's how the head of data and AI at the fintech says enterprises should start building AI governance frameworks.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ai_g1183318665.jpg</image>
            <link>https://www.techtarget.com/searchitoperations/news/366628735/Credit-Karma-leader-shares-AI-governance-lessons-learned</link>
            <pubDate>Thu, 07 Aug 2025 13:56:00 GMT</pubDate>
            <title>Credit Karma leader shares AI governance lessons learned</title>
        </item>
        <item>
            <body>&lt;p&gt;&lt;i&gt;In this video, Informa TechTarget product marketing associate Katie Donegan explains what quantum cryptography is, how it differs from classical cryptography and how it works.&lt;/i&gt;&lt;/p&gt; 
&lt;p&gt;Math might not offer the security you need ... but physics might.&lt;/p&gt; 
&lt;p&gt;Classical cryptography that encrypts messages with mathematical equations is secure enough for classical computing -- but with the emergence of quantum computing, it might not be enough protection. That's &lt;a href="https://www.techtarget.com/searchsecurity/definition/quantum-cryptography"&gt;where quantum cryptography comes in&lt;/a&gt;: It uses physics instead of math.&lt;/p&gt; 
&lt;p&gt;Here, we'll talk about why quantum cryptography is so secure. However, despite the advantages, there are still limits and challenges to quantum cryptography and quantum key distribution (QKD).&lt;/p&gt; 
&lt;p&gt;Quantum cryptography uses particles of light, or photons, to transmit cryptographic &lt;a href="https://www.techtarget.com/searchsecurity/definition/key"&gt;keys&lt;/a&gt; over fiber optic wire. The photons represent &lt;a href="https://www.techtarget.com/whatis/definition/bit-binary-digit"&gt;binary bits&lt;/a&gt;, meaning 0s and 1s. It's a completely secure system because of these properties of quantum mechanics:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;Particles can exist in more than one place or state at a time.&lt;/li&gt; 
 &lt;li&gt;A quantum property cannot be observed without changing or disturbing it.&lt;/li&gt; 
 &lt;li&gt;Whole particles cannot be copied.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Quantum cryptography follows a model developed in 1984 that goes like this:&lt;/p&gt; 
&lt;p&gt;Alice wishes to send Bob a message. Alice initiates the message, sending Bob a key or stream of photons. But the photons first pass through a polarizer, polarizing each photon in a certain state -- horizontal, vertical, diagonal to the right or diagonal to the left.&lt;/p&gt; 
&lt;p&gt;As Bob receives the photons, he doesn't know the correct polarization of the photons, so he randomly uses one of two beam splitters to read each photon's polarization and decipher the key. Alice and Bob can then compare the splitter they used; the photons read with the wrong splitter are discarded, and the remaining sequence is the key.&lt;/p&gt; 
&lt;p&gt;If there is an &lt;a href="https://www.techtarget.com/searchunifiedcommunications/definition/eavesdropping"&gt;eavesdropper&lt;/a&gt; present who has the same tools as Bob, they would not only have the disadvantage of not being able to compare their results with Alice, but their presence would also change the photon positions that Alice and Bob expect to see. This would blow their cover.&lt;/p&gt; 
&lt;p&gt;It's impossible to measure the quantum state of a system without disturbing it. So, in theory, QKD is unhackable. After keys are exchanged between the involved parties, there is little concern that a malicious actor could decode the data without the key.&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Sabrina Polin is a managing editor of video content for the Learning Content team. She plans and develops video content for Informa TechTarget's editorial YouTube channel, Eye on Tech. Previously, Polin was a reporter for the Products Content team.&lt;/i&gt;&lt;/p&gt;</body>
            <description>Quantum cryptography uses photons to transmit keys securely through quantum properties, creating an unhackable system that outperforms traditional math-based encryption methods.</description>
            <link>https://www.techtarget.com/searchsecurity/video/An-explanation-of-quantum-cryptography</link>
            <pubDate>Wed, 06 Aug 2025 10:00:00 GMT</pubDate>
            <title>An explanation of quantum cryptography</title>
        </item>
        <item>
            <body>&lt;p&gt;When it comes to ransomware, it might seem like giving in and paying the ransom is the quickest fix. Luckily for today's businesses, there is a better alternative to forking over money to cybercriminals who might not even give the data back.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;Ransomware&lt;/a&gt; is among the most common types of cyberattacks that can strike organizations of all sizes across nearly every industry. A ransomware attack could come via any number of different attack vectors, including phishing, &lt;a href="https://www.techtarget.com/searchsecurity/definition/social-engineering"&gt;social engineering&lt;/a&gt;, or exploiting known or &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-day-vulnerability"&gt;zero-day vulnerabilities&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;In a ransomware attack, the perpetrator uses malware to encrypt a user's or organization's data. The attacker then holds that data for ransom, demanding that the victim pay a fee to receive the decryption key.&lt;/p&gt; 
&lt;p&gt;All ransomware victims are faced with the same question: To pay or not to pay? Instead of considering payment, a better approach is to build up the organization's resilience early to avoid the need to pay a future ransomware demand. A strong business continuity and disaster recovery (&lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/Business-Continuity-and-Disaster-Recovery-BCDR"&gt;BCDR&lt;/a&gt;) strategy builds the resilience that organizations need to avoid and mitigate ransomware attacks.&lt;/p&gt; 
&lt;p&gt;This article will discuss ransomware trends and the costs associated with &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/Build-and-maintain-digital-resilience-for-a-stronger-DR-program"&gt;bolstering resilience&lt;/a&gt; as an alternative to payment. It will also outline the pros of a strong resilience plan vs. the cons of paying the ransom.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Recent ransomware trends"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Recent ransomware trends&lt;/h2&gt;
 &lt;p&gt;In recent years, ransomware has evolved to become a particularly impactful type of cyberattack. Available ransomware statistics show a few key trends:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/supply-chain-attack"&gt;Supply chain attacks&lt;/a&gt;. Attackers target single points to affect multiple organizations.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/triple-extortion-ransomware"&gt;Triple extortion&lt;/a&gt;. Beyond encryption, attackers now exfiltrate data and threaten public release for additional leverage.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS"&gt;Ransomware as a service&lt;/a&gt;. Prebuilt malware infrastructure enables less technical criminals to launch sophisticated attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous"&gt;AI-enhanced phishing&lt;/a&gt;. Generative AI is making phishing emails more convincing and harder to detect.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Overall, the financial effects of ransomware are a growing concern. &lt;a href="https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts"&gt;Average ransom payments surged&lt;/a&gt; by 500% from $400,000 in 2023 to $2 million in 2024. U.S. ransomware attacks increased by 149% in early 2025, with 59% of organizations affected in 2024. Total ransom payments in 2024 reached $813.55 million globally.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/traditional_ransomware_attack-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/traditional_ransomware_attack-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/traditional_ransomware_attack-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/traditional_ransomware_attack-f.png 1280w" alt="Timeline of a traditional ransomware attack." height="185" width="560"&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Has a reluctance to invest in DR changed to a reluctance to pay attackers?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Has a reluctance to invest in DR changed to a reluctance to pay attackers?&lt;/h2&gt;
 &lt;p&gt;IT teams have long struggled to secure management buy-in for disaster recovery investment. Limited financial support is a frequent problem for IT professionals in this area, since business continuity and disaster recovery planning doesn't necessarily have an immediate return on investment. In addition, BCDR preparation can be an expensive process.&lt;/p&gt;
 &lt;p&gt;With the increasing costs associated with ransomware, however, perceptions and attitudes are beginning to shift. BCDR planning can, in many cases, help mitigate or lower the risk of a ransomware incident by building up organizational and IT resilience. A cost-benefit analysis could show that increased BCDR investment is less costly than ransomware payments.&lt;/p&gt;
 &lt;p&gt;Organizations are discovering that the cost equation strongly favors proactive investment over reactive payments. Despite &lt;a href="https://www.techtarget.com/searchsecurity/tip/Should-companies-pay-ransomware-and-is-it-illegal-to"&gt;advice to not pay the ransom&lt;/a&gt;, 51% of organizations that suffered a ransomware attack paid the fee, according to Ponemon Institute's 2025 "Global Cost of Ransomware Study" &lt;a target="_blank" href="https://www.illumio.com/blog/global-cost-of-ransomware-study-what-the-numbers-tell-us" rel="noopener"&gt;report&lt;/a&gt;. But even more telling is the recovery reality: Only 13% of those organizations that paid the ransom recovered all their data.&lt;/p&gt;
 &lt;p&gt;The shift in thinking reflects growing awareness that ransom payments represent a poor business decision. According to Chainalysis' "2024 Crypto Crime Report," ransomware victims are increasingly &lt;a href="https://www.techtarget.com/searchsecurity/news/366618711/Chainalysis-records-35-decrease-in-ransom-payments-in-2024"&gt;demonstrating greater resistance&lt;/a&gt; to paying ransoms, widening the gap between demands and payments. This resistance is driven by mounting evidence that paying ransoms doesn't guarantee successful recovery -- and often invites repeat attacks.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Cost breakdown: Ransomware recovery vs. BCDR planning"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cost breakdown: Ransomware recovery vs. BCDR planning&lt;/h2&gt;
 &lt;p&gt;Financial analysis reveals compelling evidence for prioritizing resilience over payments.&lt;/p&gt;
 &lt;p&gt;The simple reality is that in any ransomware incident, even if the ransom is paid -- and even if the attackers return the data -- paying the ransom is only one part of the recovery cost. An analysis conducted by security vendor Check Point reported that the total cost of a ransomware incident could be as much as &lt;a target="_blank" href="https://research.checkpoint.com/2022/behind-the-curtains-of-the-ransomware-economy-the-victims-and-the-cybercriminals/" rel="noopener"&gt;seven times more&lt;/a&gt; than the actual dollar amount of the ransom.&lt;/p&gt;
 &lt;p&gt;In addition to potentially paying a ransom, other costs that can be incurred because of a ransomware attack include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Operational &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/Prepare-for-planned-and-unplanned-downtime"&gt;downtime&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Lost productivity.&lt;/li&gt; 
  &lt;li&gt;Investigation costs.&lt;/li&gt; 
  &lt;li&gt;Legal costs.&lt;/li&gt; 
  &lt;li&gt;Incident recovery.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The true cost of a ransomware attack extends far beyond the ransom itself, which emphasizes the importance of resilience planning and investment. The cost of a ransomware incident is not typically something an organization will have as part of budget planning, and the effects of those costs can be significant. In contrast, BCDR can be a fixed and properly costed line item, coming in at approximately 1% to 3% of an &lt;a href="https://www.techtarget.com/searchdisasterrecovery/A-disaster-recovery-budget-template-A-free-download-and-guide"&gt;IT department's budget&lt;/a&gt;.&lt;/p&gt;
 &lt;table class="main-article-table"&gt; 
  &lt;thead&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Aspect&lt;/td&gt; 
    &lt;td&gt;Ransomware recovery&lt;/td&gt; 
    &lt;td&gt;DR planning&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/thead&gt; 
  &lt;tbody&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;strong&gt;Average cost&lt;/strong&gt;&lt;/td&gt; 
    &lt;td&gt; 
     &lt;ul class="default-list"&gt; 
      &lt;li&gt;Not budgeted.&lt;/li&gt; 
      &lt;li&gt;Average ransomware payment is $2 million.&lt;/li&gt; 
      &lt;li&gt;Additional costs due to incident recovery and operational disruption.&lt;/li&gt; 
     &lt;/ul&gt; &lt;/td&gt; 
    &lt;td&gt;1%-3% of IT budget.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;strong&gt;Downtime effects&lt;/strong&gt;&lt;/td&gt; 
    &lt;td&gt;Could potentially mean a loss of millions per hour for critical industries.&lt;/td&gt; 
    &lt;td&gt;Minimized through preparedness.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;strong&gt;Long-term costs&lt;/strong&gt;&lt;/td&gt; 
    &lt;td&gt;High; especially with multiple attacks.&lt;/td&gt; 
    &lt;td&gt;Lower; prevents future incidents.&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;&lt;strong&gt;Guarantee of recovery?&lt;/strong&gt;&lt;/td&gt; 
    &lt;td&gt;No, only 8%-14% recover all data after paying.&lt;/td&gt; 
    &lt;td&gt;High likelihood, with tested backups and plans.&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/tbody&gt; 
 &lt;/table&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Consequences of paying attackers"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Consequences of paying attackers&lt;/h2&gt;
 &lt;p&gt;Paying the ransom demanded by a cyberattacker might seem like the right answer for an organization that just wants to pay and get its data back. But that's not necessarily the right choice, since paying ransomware demands carries significant risks that extend beyond immediate financial costs.&lt;/p&gt;
 &lt;h3&gt;No recovery guarantee&lt;/h3&gt;
 &lt;p&gt;Even if a ransom is paid, there's no assurance that attackers will restore encrypted data or delete stolen information.&lt;/p&gt;
 &lt;h3&gt;Repeated targeting&lt;/h3&gt;
 &lt;p&gt;Demonstrating a willingness to pay often makes an organization a &lt;a href="https://www.techtarget.com/searchsecurity/news/252484720/Repeat-ransomware-attacks-Why-organizations-fall-victim"&gt;repeat ransomware target&lt;/a&gt;.&lt;/p&gt;
 &lt;h3&gt;Fueling criminal activity&lt;/h3&gt;
 &lt;p&gt;Every ransom payment funds cybercriminal operations, enabling attackers to develop more sophisticated malware and continue targeting other victims.&lt;/p&gt;
 &lt;h3&gt;Legal and regulatory risks&lt;/h3&gt;
 &lt;p&gt;Some jurisdictions and industries don't allow ransomware payments to be made, and paying can lead to regulatory penalties.&lt;/p&gt;
&lt;/section&gt;          
&lt;section class="section main-article-chapter" data-menu-title="Benefits of investing in resilience over making payments"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Benefits of investing in resilience over making payments&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchdisasterrecovery/answer/What-are-some-examples-of-organizational-resilience"&gt;Building organizational resilience&lt;/a&gt; offers numerous advantages over making reactive ransom payments. And unlike paying a ransom, there are no real downsides to strengthening resilience efforts.&lt;/p&gt;
 &lt;h3&gt;Predictable costs&lt;/h3&gt;
 &lt;p&gt;Resilience planning involves known, budgeted expenses rather than unpredictable ransom demands.&lt;/p&gt;
 &lt;h3&gt;Broader protection&lt;/h3&gt;
 &lt;p&gt;A complete resilience strategy protects against multiple types of IT risks, not just ransomware.&lt;/p&gt;
 &lt;h3&gt;Faster recovery&lt;/h3&gt;
 &lt;p&gt;Organizations with &lt;a href="https://www.techtarget.com/searchdatabackup/answer/Can-ransomware-infect-backups-Tips-to-protect-data"&gt;proper backup&lt;/a&gt; and recovery systems can typically restore operations more quickly.&lt;/p&gt;
 &lt;h3&gt;Regulatory compliance&lt;/h3&gt;
 &lt;p&gt;Many industries require that specific BCDR measures are in place to &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/Disaster-recovery-regulations-complicate-data-compliance"&gt;meet compliance needs&lt;/a&gt;.&lt;/p&gt;
 &lt;h3&gt;Employee confidence&lt;/h3&gt;
 &lt;p&gt;Investing in resilience prepares organizations with well-defined and tested &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-conduct-incident-response-tabletop-exercises"&gt;incident response procedures&lt;/a&gt;, reducing confusion when incidents occur.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>No one wants to pay the ransom after a cyberattack, but many organizations feel like they have no choice. Explore the benefits of investing in resilience over making payments.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g691204760.jpg</image>
            <link>https://www.techtarget.com/searchdisasterrecovery/tip/Build-IT-resilience-to-avoid-paying-ransomware-demands</link>
            <pubDate>Wed, 30 Jul 2025 16:30:00 GMT</pubDate>
            <title>Build IT resilience to avoid paying ransomware demands</title>
        </item>
        <item>
            <body>&lt;p&gt;It is critical to compare the roles of inbound and outbound firewall rules before deploying a corporate firewall to ensure it &lt;a href="https://www.techtarget.com/searchsecurity/feature/Explore-this-NGFW-comparison-of-leading-vendors-on-the-market"&gt;properly secures&lt;/a&gt; an enterprise IT environment.&lt;/p&gt; 
&lt;p&gt;Inbound traffic originates from outside the network, while outbound traffic originates inside the network. Therefore, inbound firewall rules protect the network from unwanted incoming traffic from the internet or other networks -- in particular, disallowed connections, malware and DDoS attacks. Outbound firewall rules control outgoing traffic, that is, requests to resources outside of the network. For example, a connection request to an email service or the Informa TechTarget website might be allowed, but connection requests to unapproved or dangerous websites are stopped.&lt;/p&gt; 
&lt;p&gt;A single &lt;a href="https://www.techtarget.com/searchsecurity/definition/firewall"&gt;firewall&lt;/a&gt; typically manages inbound and outbound firewall rules, but it's essential to understand the differences between them.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Inbound traffic versus outbound traffic"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Inbound traffic versus outbound traffic&lt;/h2&gt;
 &lt;p&gt;Enterprise networks have both inbound traffic and outbound traffic:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Inbound traffic requests.&lt;/b&gt; They originate from outside the network, such as an external user with a web browser, email client, server or application making requests -- like FTP and SSH -- or API calls to web services.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Outbound traffic requests. &lt;/b&gt;They originate from inside the network, destined for services on the internet or outside networks, such as a user visiting an external website or an internal mail server connecting to an external one.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Firewalls are designed and deployed to keep inbound traffic that is noncompliant with an organization's security policies from entering a network and to stop outbound traffic from connecting to external resources that are noncompliant with those policies.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Inbound vs. outbound firewall rules"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Inbound vs. outbound firewall rules&lt;/h2&gt;
 &lt;p&gt;Firewall rules, which are either inbound or outbound, can be customized to allow traffic on specific ports, services and IP addresses to enter or leave the network:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Inbound firewall rules.&lt;/b&gt; They protect a network by blocking traffic known to be from malicious sources. This stops various attacks, such as malware and DDoS, from affecting internal resources.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Outbound firewall rules. &lt;/b&gt;They define the traffic allowed to leave a network and reach legitimate destinations. These rules also &lt;a href="https://www.techtarget.com/searchsecurity/tip/Allowlisting-vs-blocklisting-Benefits-and-challenges"&gt;block requests sent to malicious websites and untrusted domains&lt;/a&gt;. They can also prevent data exfiltration by analyzing the contents of emails and files sent from a network.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-inbound_outbound_firewall.jpg"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security-inbound_outbound_firewall_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-inbound_outbound_firewall_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/security-inbound_outbound_firewall.jpg 1280w" alt="Graphic illustrating inbound and outbound firewall traffic" height="297" width="520"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Inbound traffic originates from outside the network, while outbound traffic originates inside the network.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;The firewall policy that governs the configuration of inbound and outbound rules is based on a &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step"&gt;risk assessment of the assets it is protecting&lt;/a&gt; and the business needs for users and services inside the network. For example, the HR department might be allowed access to the internet and the company's accounting department's network but not vice versa.&lt;/p&gt;
 &lt;p&gt;Any changes to inbound and outbound firewall rules should be carefully planned, implemented and monitored to avoid unforeseen consequences, among them blocking valid requests, which can throttle legitimate business activities and frustrate users.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Using inbound firewall rules"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Using inbound firewall rules&lt;/h2&gt;
 &lt;p&gt;The goal of inbound firewall rules is to keep malicious traffic out of internal network systems and protect the resources located within them.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchnetworking/definition/network-segmentation"&gt;Network segmentation&lt;/a&gt; enables teams to place firewalls at various points within a network, including at the perimeter and internally to divide a network into individual subnetworks. Each firewall's inbound rules can be configured to protect specific resources in each segment.&lt;/p&gt;
 &lt;p&gt;For example, the firewall protecting the HR segment of the network only permits inbound requests from HR employees with the necessary privileges. A firewall protecting the network perimeter, meanwhile, has less restrictive rules. These rules, however, are based on threat intelligence and block traffic from known bad IP addresses or locations.&lt;/p&gt;
 &lt;p&gt;Examples of inbound firewall rules include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Filtering traffic from a variety of sources, such as specific IP addresses.&lt;/li&gt; 
  &lt;li&gt;Restricting or permitting traffic to internal network ports.&lt;/li&gt; 
  &lt;li&gt;Allowing email and other communication over TCP (Transmission Control Protocol), UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol).&lt;/li&gt;
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Using outbound firewall rules"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Using outbound firewall rules&lt;/h2&gt;
 &lt;p&gt;Outbound firewall rules protect internal network resources by preventing the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Internal users from accessing malicious content.&lt;/li&gt; 
  &lt;li&gt;Sensitive data from leaving the network in violation of security policy rules.&lt;/li&gt; 
  &lt;li&gt;Data exfiltration from malware or insider threats.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Teams can use an off-site cloud service, such as a secure web gateway, to control outbound traffic if specialized filtering technologies are necessary. Such systems perform targeted functions, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/content-filtering"&gt;content filtering&lt;/a&gt; for email or web browsing. They often tie into the business's directory service -- Active Directory and Lightweight Directory Access Protocol -- so they can provide access, filtering and reporting based on each user's network account.&lt;/p&gt;
 &lt;p&gt;Other firewall systems look for outbound malware and &lt;a href="https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams"&gt;security-related threats&lt;/a&gt;, including DNS lookups to hosts known to be threatening or blocklisted.&lt;/p&gt;
 &lt;p&gt;Outbound firewall rules in locked-down environments can control network behavior down to the host, application and protocol levels.&lt;/p&gt;
 &lt;p&gt;Examples of outbound firewall rules include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Restricting users from accessing external malicious or inappropriate websites.&lt;/li&gt; 
  &lt;li&gt;Managing outbound communication formats, which can interrupt malware's ability to connect to command-and-control servers.&lt;/li&gt;
  &lt;li&gt;Generating logs to enable security teams or network admins to monitor outgoing traffic.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="Firewall rules now and in the future"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Firewall rules now and in the future&lt;/h2&gt;
 &lt;p&gt;Firewalls are constantly evolving and will always be a key security control in any network. Modern firewalls use threat intelligence feeds, AI and machine learning to update inbound and outbound rules on the fly, enabling them to combat new and emerging threats as they develop.&lt;/p&gt;
 &lt;p&gt;Remember that inbound and outbound firewall rules require careful configuration, as well as monitoring for system anomalies. Even the most secure firewalls can only do so much. Those enterprises without the necessary internal resources -- among them product training and security knowledge -- might consider outsourcing the management of their firewall environments to a managed security service provider (&lt;a href="https://www.techtarget.com/searchitchannel/definition/MSSP"&gt;MSSP&lt;/a&gt;). A dedicated, 24/7 MSSP network security monitoring service is often the best way to minimize associated risks.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;This article was updated in July 2025 to improve the reader experience.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Kevin Beaver is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic LLC. With more than 30 years of experience in the industry, he specializes in performing vulnerability and penetration tests, as well as virtual CISO consulting work.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Firewalls can support both inbound and outbound firewall rules, but there are important differences between the two. Learn more about each and their uses.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/competition_a299069360.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/answer/Comparing-firewalls-Differences-between-an-inbound-outbound-firewall</link>
            <pubDate>Wed, 30 Jul 2025 09:00:00 GMT</pubDate>
            <title>The differences between inbound and outbound firewall rules</title>
        </item>
        <item>
            <body>&lt;p&gt;From smartwatches to smart streetlights, smart home devices to smart manufacturing, the internet of things has revolutionized how people and organizations operate, improving efficiencies and optimizing processes.&lt;/p&gt; 
&lt;p&gt;With these &lt;a href="https://www.techtarget.com/iotagenda/tip/Top-advantages-and-disadvantages-of-IoT-in-business"&gt;benefits&lt;/a&gt;, however, comes a major challenge: &lt;a href="https://www.techtarget.com/iotagenda/definition/Internet-of-Things-IoT"&gt;IoT&lt;/a&gt; increases the number and types of security risks businesses and consumers face. Any device that connects to the internet is a potential entry point to the larger network and the sensitive data it contains. IoT-related cyberattacks could be detrimental to a business or, in some cases, life-threatening or deadly.&lt;/p&gt; 
&lt;p&gt;Here are 11 of the many inherent &lt;a href="https://www.techtarget.com/iotagenda/definition/IoT-security-Internet-of-Things-security"&gt;IoT security&lt;/a&gt; challenges and how to mitigate them.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="1. Expanding attack surface"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;1. Expanding attack surface&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; The sheer number, variety and complexity of &lt;a href="https://www.techtarget.com/iotagenda/definition/IoT-device"&gt;IoT devices&lt;/a&gt; create a vast attack surface for security teams to manage and secure. Yet, as one of the oldest security adages goes, "You can't protect what you can't see." This is especially true in the case of IoT, with small &lt;a href="https://www.techtarget.com/iotagenda/definition/smart-sensor"&gt;sensors&lt;/a&gt; and little internet-enabled devices deployed across networks and geographies that often lack oversight and management. Without proper visibility into what devices are connecting to their networks -- a problem known as &lt;i&gt;&lt;a href="https://www.techtarget.com/searchcloudcomputing/definition/shadow-IT-shadow-information-technology"&gt;shadow IT&lt;/a&gt;&lt;/i&gt; -- organizations are subject to unauthorized access, data loss, attacks and operational disruptions.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Perform asset discovery.&lt;/b&gt; Use port scanning, protocol analysis and other detection techniques to determine which devices are connecting to networks. Free tools, such as Nmap, Shodan and &lt;a href="https://www.techtarget.com/searchsecurity/tutorial/How-to-use-Masscan-for-high-speed-port-scanning"&gt;Masscan&lt;/a&gt;, are available, as are commercial &lt;a href="https://www.techtarget.com/iotagenda/feature/7-IoT-SaaS-platform-providers-help-streamline-adoption"&gt;products and services&lt;/a&gt; that help discover, identify and manage IoT devices.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Create and maintain an asset register.&lt;/b&gt; List approved devices on an enterprise asset register, along with each device's associated patch management processes and lifecycle information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Conduct a risk assessment.&lt;/b&gt; Perform an IoT risk assessment to understand what the devices can -- and should -- have access to and why.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/iota-shadow_iot_devices-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/iota-shadow_iot_devices-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/iota-shadow_iot_devices-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/iota-shadow_iot_devices-f.png 1280w" alt="Graphic of shadow IT devices." height="353" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Examples of shadow IT devices include surveillance cameras, smart TVs, wireless printers and rogue cell towers.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="2. Access control"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;2. Access control&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; Each IoT device has a unique identifier that aids authentication and authorization. After discovering which devices connect to the network, organizations need to assess what they can access and talk to. With hundreds or thousands of unique IDs to manage, this can be a daunting task.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Principle of least privilege.&lt;/b&gt; Use the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;POLP&lt;/a&gt; to permit devices to access only what is necessary for them to do their job.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Strong passwords.&lt;/b&gt; Update any device that comes with a factory-installed password. Use MFA when possible. Consider biometrics, if feasible.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Hardware-based roots of trust.&lt;/b&gt; Generally considered the strongest IoT security option, hardware-based roots of trust are built directly into hardware and embedded on devices.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Digital certificates.&lt;/b&gt; Digital certificates can be used, but some IoT devices do not have the ability to process them. Other lightweight cryptographic algorithms can be used in this instance (see "Encryption and data security" section below for more on that).&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Zero trust.&lt;/b&gt; Take a &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero-trust security approach&lt;/a&gt; to control devices and access rights.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;IoT platforms.&lt;/b&gt; Commercial IoT platforms offer features to manage devices and control what data other devices and network devices can access.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="3. IoT passwords"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;3. IoT passwords&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; Remember the 2016 Mirai attacks? They were traced to connected cameras and other IoT devices that had factory-default or hardcoded passwords. Cybercriminals infiltrated servers using these devices and a list of known credentials -- a list that, by some accounts, only had 60 username/password combinations.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution: &lt;/b&gt;Hardcoded passwords are a problem that only manufacturers can solve. Organizations should only choose software that does not use hardcoded passwords, and manufacturers should not produce products with them.&lt;/p&gt;
 &lt;p&gt;Consider the following tactics for other default and password security challenges:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Update default passwords, if possible.&lt;/li&gt; 
  &lt;li&gt;Implement an &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-company-password-policy-with-template"&gt;enterprise password policy&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Require &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-5-password-hygiene-tips-and-best-practices"&gt;strong, unique passwords&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="4. Patch management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4. Patch management&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; IoT devices present several unique patching and updating challenges:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;IoT devices that use proprietary or outdated software, firmware and hardware.&lt;/b&gt; The OS, applications and communications technology might not be able to be updated because they are old, legacy or retired.&lt;/li&gt;
  &lt;li&gt;&lt;b&gt;Some devices are physically inaccessible.&lt;/b&gt; Consider sensors dispersed across hundreds of acres of farmland to detect temperature, humidity and moisture. Sensors on top of a bridge monitoring its vibration and the weather pose a similar challenge.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Not all devices can be taken offline for long periods of time to perform updates.&lt;/b&gt; Consider critical smart manufacturing equipment that could cost an &lt;a href="https://www.techtarget.com/iotagenda/definition/Industrial-Internet-of-Things-IIoT"&gt;industrial IoT&lt;/a&gt; organization millions of dollars if it's taken offline for an hour, smart grids that millions of people depend on for heat or electricity, and smart medical devices that keep people alive.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Some IoT devices have no UI or screen. &lt;/b&gt;And, to further complicate things, some won't even accept updates.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Vendors create issues, too.&lt;/b&gt; Some devices reach end of life and are no longer supported by the manufacturer. Similarly, some vendors don't release security updates when vulnerabilities are discovered, leaving customers open to breaches.&lt;/li&gt;
  &lt;li&gt;&lt;b&gt;Patching operational technology is tough.&lt;/b&gt; OT networks historically never connected to the internet and did not pose an imminent threat to IT networks. Legacy OT systems -- some decades old -- often run their own proprietary systems, which can make patching more difficult.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Track patches.&lt;/b&gt; Enter each IoT device deployed into an asset register as part of the device discovery or adoption process. Include which versions of software, firmware and hardware each device runs and keep track of when updates are available and installed. Also, track when devices reach end of life and must be retired.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Think about patching predeployment.&lt;/b&gt; Consider potential patching and updating processes before adopting. Ensure the availability and security of over-the-air updates. Also, decide between automatic updates and periodic schedules, as each has its own set of benefits and drawbacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Consider IoT platform capabilities.&lt;/b&gt; Many IoT platforms contain features to simplify patching and updating processes, such as automation, and can manage devices that require rollbacks or resets.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/iot-ota_update_process-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/iot-ota_update_process-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/iot-ota_update_process-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/iot-ota_update_process-f.png 1280w" alt="Image explaining the over-the-air update process." height="350" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Over-the-air updates deliver patches and updates to software and firmware over the cloud.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="5. IoT cyberattacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5. IoT cyberattacks&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; IoT systems are subject to the same cyberthreats as other cyber environments, including &lt;a href="https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack"&gt;DDoS attacks&lt;/a&gt;, botnets, malware and ransomware.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Use intrusion prevention/detection systems (IPSes/IDSes) with DDoS protection features.&lt;/li&gt; 
  &lt;li&gt;Partner with an ISP that detects and filters DDoS packets.&lt;/li&gt; 
  &lt;li&gt;Follow basic &lt;a href="https://www.techtarget.com/searchsecurity/definition/cyber-hygiene"&gt;cyber hygiene&lt;/a&gt; best practices, including the use of firewalls, antimalware, endpoint security platforms, endpoint detection and response, and extended detection and response.&lt;/li&gt; 
  &lt;li&gt;Keep software up to date.&lt;/li&gt; 
  &lt;li&gt;Change default passwords.&lt;/li&gt; 
  &lt;li&gt;Monitor network traffic.&lt;/li&gt; 
  &lt;li&gt;Segment which data and networks IoT devices can access.&lt;/li&gt; 
  &lt;li&gt;Disable unnecessary features on IoT devices.&lt;/li&gt; 
  &lt;li&gt;Regularly back up data from devices and networks.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="6. Physical security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;6. Physical security&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; Protect IoT devices from not only cybersecurity threats but also physical security threats. Because IoT hardware -- including IoT sensors, wearables and edge devices -- is more easily accessible than other network components, it is subject to physical damage, tampering and theft.&lt;/p&gt;
 &lt;p&gt;For example, attackers could attach a device that exfiltrates data to unsecured IoT devices that have been physically broken into. Or, storage mechanisms could be removed and their data stolen.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Use-IoT-hardening-to-secure-vulnerable-connected-devices"&gt;Harden IoT devices&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Embed security on the device.&lt;/li&gt; 
  &lt;li&gt;Ensure proper access control.&lt;/li&gt; 
  &lt;li&gt;Change default passwords.&lt;/li&gt; 
  &lt;li&gt;Encrypt data and connections.&lt;/li&gt; 
  &lt;li&gt;Remove or disable unused ports.&lt;/li&gt; 
  &lt;li&gt;Ensure IoT devices cannot be easily disassembled or components removed.&lt;/li&gt; 
  &lt;li&gt;Put devices in a tamper-resistant case or render the device unusable after physical tampering, if necessary.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="7. Encryption and data security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;7. Encryption and data security&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; Cryptography is a mechanism that prevents privacy risks, protects data integrity and ensures secure communications. Many connected devices, however, don't have the power, processing or memory resources required to run traditional &lt;a href="https://www.techtarget.com/searchsecurity/definition/encryption"&gt;encryption&lt;/a&gt; algorithms, such as AES. Such devices must use an algorithm with high security but low consumption -- one that considers the size, power consumption and processing capabilities of resource-constrained devices.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Use lightweight cryptographic ciphers.&lt;/b&gt; Elliptic curve cryptography (&lt;a href="https://www.techtarget.com/searchsecurity/definition/elliptical-curve-cryptography"&gt;ECC&lt;/a&gt;), for example, provides the security equivalent of Rivest-Shamir-Adleman, or RSA, but with smaller key sizes and operations that require less processing, making it an ideal option for devices with lower storage space, processing power and battery life. Other lightweight ciphers include Clefia, a lightweight AES cipher; Enocoro, a hardware-oriented stream cipher; Speck, an add-rotate-XOR cipher; and Ascon, a family of symmetric-key cryptographic standards selected by NIST for future standardization.&lt;/li&gt;
  &lt;li&gt;&lt;b&gt;Use trusted security protocols.&lt;/b&gt; Consider TLS or Datagram TLS, IPsec, MQTT and OAuth 2.0, among others.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Consider PKI.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/definition/PKI"&gt;Public key infrastructure&lt;/a&gt; can be embedded into devices at the manufacturing or enterprise level. PKI issues unique identities and digital certificates to devices and supports the distribution and identification of public encryption keys, enabling users and devices to exchange data securely.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Prepare for quantum computing.&lt;/b&gt; When it becomes viable, quantum computing will be capable of breaking asymmetric cryptography, including algorithms such as RSA and ECC. Organizations should include IoT devices in their &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-CISOs-can-prepare-for-the-quantum-cybersecurity-threat"&gt;post-quantum security planning&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="8. Network security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;8. Network security&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; The scale and diversity of IoT devices connecting to an enterprise network make it difficult for admins to manage and maintain network security.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Use network segmentation to separate IoT, OT and IT networks.&lt;/b&gt; Put different networks or parts of networks into different zones to create subnetworks -- using one zone each for sales, finance, operations and so forth. Customize each zone's security policies based on its users, devices and data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use an IoT gateway.&lt;/b&gt; An &lt;a href="https://www.techtarget.com/iotagenda/definition/IoT-gateway"&gt;IoT gateway&lt;/a&gt; can mitigate the efficiency and connectivity issues that can accompany &lt;a href="https://www.techtarget.com/searchnetworking/definition/network-segmentation"&gt;network segmentation&lt;/a&gt;. Acting as an intermediary between the device and the network, a security gateway has more processing power, memory and compute capabilities than the IoT devices connecting to it. It can therefore implement stronger security measures -- such as firewalls and antimalware -- closer to the devices, preventing security threats from passing through to the network.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use network security technologies.&lt;/b&gt; These include antimalware, firewalls, IDSes and IPSes.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Manage ports.&lt;/b&gt; Disable port forwarding and never open ports when not needed.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Block unauthorized IP addresses.&lt;/b&gt; Use allowlisting and denylisting to block unauthorized and malicious IP addresses.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Monitor bandwidth. &lt;/b&gt;Add bandwidth as needed to ensure applications receive the bandwidth needed to maintain productivity and efficiency.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Use continuous traffic management and monitoring.&lt;/b&gt; Monitor network traffic in real time to protect data and communications, detect abnormal activity and identify potential threats.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;IoT communications protocols.&lt;/b&gt; Consider the security of &lt;a href="https://www.techtarget.com/iotagenda/tip/Top-12-most-commonly-used-IoT-protocols-and-standards"&gt;IoT communications protocols&lt;/a&gt;, such as Bluetooth, Bluetooth Low Energy, cellular, MQTT, Wi-Fi, Zigbee and Z-Wave. Insecure communications are prone to eavesdropping and &lt;a href="https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM"&gt;man-in-the-middle attacks&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Penetration testing.&lt;/b&gt; Include &lt;a href="https://www.techtarget.com/searchsecurity/feature/Adopt-embedded-penetration-testing-to-keep-IoT-devices-secure"&gt;connected devices in penetration tests&lt;/a&gt; to assess vulnerabilities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Create IoT policies.&lt;/b&gt; Establish policies and capabilities to manage lost or stolen devices, such as remote wiping and disabling connectivity.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/iotagenda-top_12_iot_protocols_and_standards-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/iotagenda-top_12_iot_protocols_and_standards-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/iotagenda-top_12_iot_protocols_and_standards-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/iotagenda-top_12_iot_protocols_and_standards-f.png 1280w" alt="Image displaying names of 12 IoT protocols and standards." height="262" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Consider the security of the IoT protocols and standards used in an IoT deployment.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="9. Lack of standardization"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;9. Lack of standardization&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; The IoT industry has been plagued by a lack of standardization from the start, both in terms of security and otherwise. Global standards help ensure consistency, compatibility and security among products and applications -- a necessity for IoT environments to function smoothly.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchcio/tip/IoT-compliance-standards-and-how-to-comply"&gt;Legislation, regulations and standards&lt;/a&gt; are emerging to remedy this, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;The &lt;a href="https://www.techtarget.com/whatis/feature/Cyber-Trust-Mark-explained-Everything-you-need-to-know"&gt;U.S. Cyber Trust Mark program&lt;/a&gt;, launched in January 2025, is a voluntary certification program that helps identify smart consumer devices that have met recommended security standards.&lt;/li&gt; 
  &lt;li&gt;Enacted in December 2024, the &lt;a target="_blank" href="https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act" rel="noopener"&gt;EU Cyber Resilience Act&lt;/a&gt; requires manufacturers to ensure security throughout the product lifecycle.&lt;/li&gt; 
  &lt;li&gt;In May 2021, a U.S. presidential executive order, "&lt;a target="_blank" href="https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity" rel="noopener"&gt;Improving the Nation's Cybersecurity&lt;/a&gt;," called for a consumer IoT labeling program to launch in 2023. The aim of the program is to inform consumers about the risks of their smart home devices.&lt;/li&gt; 
  &lt;li&gt;The U.S.'s &lt;a href="https://www.techtarget.com/iotagenda/feature/Understand-the-IoT-Cybersecurity-Improvement-Act-now-law"&gt;2020 IoT Cybersecurity Improvement Act&lt;/a&gt; required NIST and the U.S. Office of Management and Budget to develop guidelines and standards around security measures on IoT devices used by the federal government.&lt;/li&gt; 
  &lt;li&gt;Approved in 2018, &lt;a href="https://www.techtarget.com/iotagenda/blog/IoT-Agenda/Californias-new-IoT-security-law-Inching-toward-a-safer-future"&gt;California's SB-327&lt;/a&gt;, "Information privacy: connected devices," requires manufacturers to equip devices with "reasonable" security features, including a preprogrammed unique password for each device and a setting that requires a new password to be created upon first use.&lt;/li&gt; 
  &lt;li&gt;In 2018, the &lt;a href="https://www.computerweekly.com/news/252450588/IoT-firms-sign-up-to-UK-security-code-of-practice"&gt;U.K. published&lt;/a&gt; "Code of Practice for Consumer IoT Security," the &lt;a href="https://www.computerweekly.com/news/252462505/UK-gears-up-for-new-laws-on-IoT-security"&gt;European Telecommunications Standards Institute's Technical Specification 103 645&lt;/a&gt;, a standard to regulate the safety of consumer devices.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;NIST has introduced IoT guidance, including &lt;a target="_blank" href="https://csrc.nist.gov/pubs/sp/800/213/a/final" rel="noopener"&gt;NIST Special Publication 800-213A&lt;/a&gt; and &lt;a target="_blank" href="https://csrc.nist.gov/pubs/sp/800/213/final" rel="noopener"&gt;NIST SP 800-213&lt;/a&gt;, as well as several interagency reports.&lt;/p&gt;
 &lt;p&gt;Other legislation, including GDPR, HIPAA and CCPA, also affects IoT security, as do industry regulations. Companies should keep abreast of any new standards -- government, consumer or otherwise. These will influence IoT device manufacturing and security standards in the future.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="10. Skills gap"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;10. Skills gap&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; The skills gap has affected every industry, and IoT is no different. One thing that sets IoT apart from other industries is that it is still a fairly new discipline. It is also a &lt;a href="https://www.techtarget.com/iotagenda/tip/5-benefits-and-challenges-of-IT-OT-convergence"&gt;convergence of IT and OT&lt;/a&gt;, meaning those fluent in OT are likely not well versed in IT, and vice versa. In addition, IoT isn't a single discipline. Successful IoT professionals &lt;a href="https://www.techtarget.com/whatis/feature/Top-7-must-have-IoT-skills-to-boost-your-career"&gt;require many skills&lt;/a&gt;, from cybersecurity and UX design to machine learning, AI knowledge and application development.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/iotagenda/tip/7-IoT-training-certifications-to-take-your-next-career-step"&gt;IoT-specific certifications&lt;/a&gt; and trainings have emerged, including some that are IoT security-specific, which provide a baseline knowledge of connected environments.&lt;/li&gt; 
  &lt;li&gt;Invest in trainings and certifications for in-house employees.&lt;/li&gt; 
  &lt;li&gt;Hire third parties and consultants for IoT-specific projects.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="11. Remote work and smart home risks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;11. Remote work and smart home risks&lt;/h2&gt;
 &lt;p&gt;&lt;b&gt;Challenge:&lt;/b&gt; Remote workers can present security risks to organizations, especially if employees' IoT devices -- think smart TVs, connected baby monitors and smart fridges -- use the same networks employees use to connect to their company's data and systems. An attacker who infiltrates a smart thermostat, for example, could potentially also access confidential corporate data. Likewise, smart speakers could create a privacy issue if they overhear conference calls or video chats.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Solution:&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Include IoT security in regular security awareness trainings.&lt;/li&gt; 
  &lt;li&gt;Use policies to prevent IoT devices from creating enterprise security issues.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>While influential and beneficial, IoT introduces several security challenges, from device discovery and patching to access control and cyberattacks.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchMidmarketSecurity/security_risks/midmarketsecurity_article_004.jpg</image>
            <link>https://www.techtarget.com/iotagenda/tip/Internet-of-Things-IOT-Seven-enterprise-risks-to-consider</link>
            <pubDate>Fri, 25 Jul 2025 00:00:00 GMT</pubDate>
            <title>11 IoT security challenges and how to overcome them</title>
        </item>
        <item>
            <body>&lt;p&gt;All businesses process, store and transmit customer, partner and company data. This data ranges from internal documents to price lists to HR notes on employee behavior. If released to the public, however, this information could cause tremendous embarrassment and potential legal troubles for an organization.&lt;/p&gt; 
&lt;p&gt;The confidentiality and importance of such data make it a ripe target for threat actors looking to extort money from their victims.&lt;/p&gt; 
&lt;p&gt;Let's look at extortionware and &lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;ransomware&lt;/a&gt; and see how they fit into the larger cyberextortion picture.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How does extortionware work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does extortionware work?&lt;/h2&gt;
 &lt;p&gt;In most cases, extortionware uses traditional &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; to infiltrate a company's digital resources. Once access is gained, the victim's data is stolen and analyzed to identify information that can be used against them. Cybercriminals then contact the victim and threaten to release sensitive, embarrassing or otherwise valuable information to the public unless the victim meets the criminals' demands. Typically, the demands are monetary in nature and involve the transfer of cryptocurrency.&lt;/p&gt;
&lt;/section&gt;  
&lt;section class="section main-article-chapter" data-menu-title="How does ransomware work?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How does ransomware work?&lt;/h2&gt;
 &lt;p&gt;Ransomware is malware that locks and encrypts a victim's digital resources, ranging from select data to the entire computer system, making them inaccessible until a &lt;a href="https://www.techtarget.com/searchsecurity/tip/Should-companies-pay-ransomware-and-is-it-illegal-to"&gt;ransom payment is made to the attacker&lt;/a&gt;. Ransomware is usually distributed through an infected attachment or malicious link.&lt;/p&gt;
 &lt;p&gt;Once ransomware has infected a user's system, cybercriminals search for files containing sensitive data, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII"&gt;personally identifiable information&lt;/a&gt;, financial data and health records. Users are then contacted by the attacker and made to pay a ransom to receive a &lt;a href="https://www.techtarget.com/searchsecurity/definition/key"&gt;decryption key&lt;/a&gt; to decrypt their files or to regain access to their system.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Comparing extortionware vs. ransomware vs. cyberextortion"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Comparing extortionware vs. ransomware vs. cyberextortion&lt;/h2&gt;
 &lt;p&gt;Extortionware and ransomware both fall into the category of cyberextortion crimes. As an umbrella term, &lt;i&gt;cyberextortion&lt;/i&gt; covers a range of malicious activities to blackmail an organization or a specific person. Cyberextortion can take a variety of forms, including DDoS attacks, doxing, extortionware and ransomware.&lt;/p&gt;
 &lt;p&gt;Extortionware might sound a bit like ransomware, and it is. Both ransomware and extortionware access and exfiltrate company data, usually with the intent of making money off the company from which it was stolen.&lt;/p&gt;
 &lt;p&gt;Unlike ransomware, which forces the business to either pay up or lose access to the stolen data, extortionists threaten to publicly release the collected information. The prospect of public exposure puts added pressure on the business, which increases the likelihood that the victim will adhere to the extortion demands.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/4-types-of-ransomware-and-a-timeline-of-attack-examples"&gt;Ransomware variants&lt;/a&gt;, however, include extortionware features. &lt;a href="https://www.techtarget.com/searchsecurity/definition/double-extortion-ransomware"&gt;Double extortion ransomware&lt;/a&gt;, for example, is when a malicious actor encrypts or locks access to systems and also threatens to release data stolen during the attack.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How risky is cyberextortion?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How risky is cyberextortion?&lt;/h2&gt;
 &lt;p&gt;A business that takes steps to protect its backups can mitigate the dangers of cyberextortion. With ransomware, for example, clean backups make it possible for an organization to restore data that attackers have encrypted.&lt;/p&gt;
 &lt;p&gt;Those offline backups prove worthless, however, when cybercriminals threaten to release data rather than delete it. As such, the only way to combat extortionware is to prevent it from happening in the first place. This distinction makes extortionware a greater threat than ransomware.&lt;/p&gt;
 &lt;p&gt;Despite the risk, ransomware remains far more common than extortionware.&lt;/p&gt;
 &lt;p&gt;The reason is simple: Extortionware takes more effort. Hackers can automate ransomware and cast a wide victim net. In some cases, cybercriminals even &lt;a href="https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS"&gt;outsource part of the process&lt;/a&gt;. Extortionware, however, requires a more targeted approach. Extra effort and more time are needed to review stolen content to determine if any of the information can be used for extortion purposes. Thus, extortionists usually &lt;a target="_blank" href="https://www.senki.org/operators-security-toolkit/ddos-extortionist-behaviors/" rel="noopener"&gt;do their homework&lt;/a&gt; before attacking to ensure a target is worth the effort. All this means that an extortionware attempt is much more complicated to perpetrate than a ransomware attack.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How to prevent cyberextortion"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to prevent cyberextortion&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-ransomware-6-key-steps-to-safeguard-assets"&gt;Ransomware prevention best practices&lt;/a&gt; also apply to preventing extortionware. Cyberextortion prevention measures include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Installing antimalware.&lt;/li&gt; 
  &lt;li&gt;Conducting user &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan"&gt;cybersecurity training&lt;/a&gt; and ransomware-specific training so that employees know their responsibilities.&lt;/li&gt; 
  &lt;li&gt;Following a defense-in-depth security program.&lt;/li&gt; 
  &lt;li&gt;Keeping systems and software &lt;a href="https://www.techtarget.com/searchsecurity/tip/5-enterprise-patch-management-best-practices"&gt;current with patches&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Ransomware is the more common form of cyberextortion, but extortionware can cause damage well beyond the financial loss from paying a ransom.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt; &lt;i&gt;This article was updated in July 2025 to add additional information.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Prevention is the only line of defense against an extortionware attack. Learn how extortionware works and why it can be more damaging than ransomware.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchMidmarketSecurity/security_risks/midmarketsecurity_article_004.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/answer/Whats-the-difference-between-extortionware-and-ransomware</link>
            <pubDate>Thu, 24 Jul 2025 00:00:00 GMT</pubDate>
            <title>How extortionware, cyberextortion and ransomware differ</title>
        </item>
        <item>
            <body>&lt;p&gt;The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an &lt;a href="https://www.techtarget.com/searchsecurity/definition/information-security-infosec"&gt;information security&lt;/a&gt; program. Such programs include procedures and policies designed to protect enterprise communications, systems and assets from both internal and external threats.&lt;/p&gt; 
&lt;p&gt;The CISO is part of a business's C-level executive suite. CISOs ensure information resources and technologies are effectively protected. They oversee the development, implementation and enforcement of security policies. Depending on the organization's structure, they often report to the chief information officer (&lt;a href="https://www.techtarget.com/searchcio/definition/CIO"&gt;CIO&lt;/a&gt;) or even directly to the board. The CISO might also work alongside the CIO to procure cybersecurity products and services, and to manage &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/disaster-recovery"&gt;disaster recovery&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity-action-plan"&gt;business continuity plans&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;The chief information security officer is sometimes referred to as the chief security architect, security manager, corporate security officer or information security manager, depending on a company's structure and existing titles. When the CISO is also responsible for the overall security of the company -- which includes its employees and facilities -- they might simply be called the &lt;a href="https://www.techtarget.com/whatis/definition/CSO-Chief-Security-Officer"&gt;chief security officer&lt;/a&gt;.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security_ciso.jpg"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security_ciso_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security_ciso_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/security_ciso.jpg 1280w" alt="List of the roles of a CISO." height="249" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;CISOs have a variety of roles and responsibilities surrounding an organization's security implementations.
 &lt;/figcaption&gt;
&lt;/figure&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why is the CISO role critical to enterprise strategy?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why is the CISO role critical to enterprise strategy?&lt;/h2&gt;
 &lt;p&gt;The CISO's role has evolved from a purely technical function to a critical, strategic leadership position that's indispensable to an enterprise's success. In today's interconnected and digitally driven world, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-challenges-and-how-to-address-them"&gt;cybersecurity challenges&lt;/a&gt; affect core business objectives, making the CISO a vital partner in shaping and executing enterprise strategy. There are several reasons why the CISO role and responsibilities are critical to enterprise strategy.&lt;/p&gt;
 &lt;h3&gt;Safeguarding business continuity and resilience&lt;/h3&gt;
 &lt;p&gt;Cyberattacks, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;ransomware&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/data-breach"&gt;data breaches&lt;/a&gt;, are among the top causes of business disruption. The CISO is central to ensuring an organization's ability to withstand and recover from such events.&lt;/p&gt;
 &lt;p&gt;The following are some ways CISOs safeguard business continuity and resilience:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Proactive risk management. &lt;/b&gt;CISOs develop and implement security strategies that identify, assess and mitigate cyber-risks before they can cause significant disruption. Their risk management includes creating strong defense mechanisms and proactive &lt;a href="https://www.techtarget.com/searchsecurity/opinion/Threat-intelligence-programs-need-updating-and-CISOs-know-it"&gt;threat intelligence programs&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Incident response and disaster recovery.&lt;/b&gt; The CISO leads the development, testing and execution of comprehensive &lt;a href="https://www.techtarget.com/searchsecurity/definition/incident-response"&gt;incident response&lt;/a&gt; plans and disaster recovery protocols. Their expertise ensures rapid detection, containment and recovery from cyberincidents, minimizing downtime and protecting critical operations. &lt;a target="_blank" href="https://www.ibm.com/reports/data-breach" rel="noopener"&gt;According to&lt;/a&gt; IBM's "Cost of a Data Breach Report 2024," the breach detection and containment statistics present a critical challenge. On average, it took organizations 204 days to identify a breach and an additional 73 days to contain it. The CISO's role is to significantly reduce these timeframes, lessening the severity and cost of a disruption.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Operational resilience.&lt;/b&gt; By embedding security into all aspects of the business, CISOs help build a resilient organization that continues to operate effectively even in the face of cyberthreats.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Building and managing investor confidence&lt;/h3&gt;
 &lt;p&gt;In an era of increasing cybercrime and regulatory scrutiny, a strong cybersecurity posture is a significant factor in investor trust and market valuation. The following are some ways CISOs build and manage investor confidence:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Reputation protection.&lt;/b&gt; Major data breaches can severely damage a company's reputation, leading to &lt;a href="https://www.techtarget.com/searchcustomerexperience/definition/customer-churn-customer-attrition"&gt;customer churn&lt;/a&gt;, loss of brand loyalty and a decline in market value. The CISO's role in preventing and effectively managing breaches directly protects the company's public image and stakeholder trust.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Regulatory compliance and avoidance of fines.&lt;/b&gt; A CISO ensures that their organization adheres to a complex set of data protection laws and industry regulations, such as General Data Protection Regulation (&lt;a href="https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR"&gt;GDPR&lt;/a&gt;), &lt;a href="https://www.techtarget.com/searchcio/definition/California-Consumer-Privacy-Act-CCPA"&gt;California Consumer Privacy Act&lt;/a&gt;, Health Insurance Portability and Accountability Act (&lt;a href="https://www.techtarget.com/searchhealthit/definition/HIPAA"&gt;HIPAA&lt;/a&gt;), &lt;a href="https://www.techtarget.com/searchcio/definition/Sarbanes-Oxley-Act"&gt;Sarbanes-Oxley Act&lt;/a&gt; and Securities and Exchange Commission (&lt;a href="https://www.techtarget.com/searchsecurity/definition/Securities-and-Exchange-Commission-SEC"&gt;SEC&lt;/a&gt;) disclosure requirements. Noncompliance can result in hefty fines, legal action and a significant blow to investor confidence. Regulations from bodies such as the SEC mandate timely reporting of material cybersecurity incidents and enhanced board of directors and executive &lt;a href="https://www.techtarget.com/searchsecurity/tip/Best-practices-for-board-level-cybersecurity-oversight"&gt;cybersecurity oversight&lt;/a&gt; of strategy. This puts the CISO firmly in the spotlight for investor communications.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Transparency and accountability.&lt;/b&gt; A CISO provides clear, quantifiable reports on the organization's &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-posture"&gt;security posture&lt;/a&gt; to its executives, demonstrating accountability and providing the transparency investors increasingly demand. CISO-board communication is a particularly strategic part of the job.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Enabling secure digital transformation&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchcio/definition/digital-transformation"&gt;Digital transformation&lt;/a&gt; initiatives, involving cloud adoption, internet of things, AI and new digital products, are critical for business growth. However, they also introduce new attack vectors and complexities.&lt;/p&gt;
 &lt;p&gt;The CISO supports these initiatives, using the following strategies:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Security by design.&lt;/b&gt; CISOs make sure that security is integrated from the beginning of new projects and product development, rather than being an afterthought. This proactive approach prevents costly security flaws and delays down the line.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Strategic technology adoption.&lt;/b&gt; CISOs guide the secure adoption of new technologies, assessing risks, implementing appropriate controls and ensuring that innovation proceeds without exposing the organization to unnecessary vulnerabilities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Balancing security and agility.&lt;/b&gt; The modern CISO understands the need to balance stringent security controls with &lt;a href="https://www.techtarget.com/searchcio/definition/enterprise-agility"&gt;enterprise agility&lt;/a&gt;. They work to implement security frameworks that enable, rather than hinder, rapid development and deployment.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Competitive advantage.&lt;/b&gt; Organizations with strong, secure digital infrastructure gain a competitive edge by attracting customers and partners who prioritize data protection. According to a PwC &lt;a href="https://www.pwc.com/bm/en/press-releases/2025-global-digital-trust-insights.html" target="_blank" rel="noopener"&gt;survey&lt;/a&gt;, 57% of organizations cite customer trust and 49% cite brand integrity and loyalty as primary drivers for investing in cybersecurity, viewing it as a key competitive differentiator. This underscores how cybersecurity, led by the CISO, contributes to business growth, positioning it as a value driver rather than just a cost center.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;             
&lt;section class="section main-article-chapter" data-menu-title="What does a CISO do?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What does a CISO do?&lt;/h2&gt;
 &lt;p&gt;In addition to responding to data breaches and other security incidents, the CISO is tasked with anticipating, assessing and actively managing new and potential cyberthreats. The CISO must work with other executives across different departments to &lt;a href="https://www.techtarget.com/searchsecurity/feature/4-tips-for-aligning-security-with-business-objectives"&gt;align security initiatives with broader business objectives&lt;/a&gt; and mitigate the security risks various threats pose to the organization's mission and goals.&lt;/p&gt;
 &lt;p&gt;The &lt;a href="https://www.techtarget.com/searchsecurity/feature/Portrait-of-a-CISO-Roles-and-responsibilities"&gt;chief information security officer's roles and responsibilities&lt;/a&gt; include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Conducting employee &lt;a href="https://www.techtarget.com/searchsecurity/feature/Tackling-IT-security-awareness-training-with-a-county-CISO"&gt;security awareness training&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Developing secure business and communication practices.&lt;/li&gt; 
  &lt;li&gt;Identifying security objectives and metrics.&lt;/li&gt; 
  &lt;li&gt;Choosing and purchasing security products from vendors.&lt;/li&gt; 
  &lt;li&gt;Ensuring that the company is in &lt;a href="https://www.techtarget.com/searchcio/definition/regulatory-compliance"&gt;regulatory compliance&lt;/a&gt; with the rules of relevant bodies.&lt;/li&gt; 
  &lt;li&gt;Enforcing adherence to data security practices.&lt;/li&gt; 
  &lt;li&gt;Ensuring the company's &lt;a href="https://www.techtarget.com/searchcio/definition/data-privacy-information-privacy"&gt;data privacy&lt;/a&gt; is secure.&lt;/li&gt; 
  &lt;li&gt;Managing the &lt;a href="https://www.techtarget.com/whatis/definition/Computer-Security-Incident-Response-Team-CSIRT"&gt;computer security incident response team&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Conducting electronic discovery and digital forensic investigations.&lt;/li&gt; 
  &lt;li&gt;Developing cyber-resilience and disaster recovery plans.&lt;/li&gt; 
  &lt;li&gt;Determining if security strategies are worth the investment financially.&lt;/li&gt; 
  &lt;li&gt;Translating complex technical risks into business language for executive and board audiences.&lt;/li&gt; 
  &lt;li&gt;Providing regular updates on threat posture, risk exposure and mitigation efforts.&lt;/li&gt; 
  &lt;li&gt;Establishing frameworks to manage the risks of generative AI, machine learning models and data misuse.&lt;/li&gt; 
  &lt;li&gt;Collaborating with data science teams to implement &lt;a href="https://www.techtarget.com/searchenterpriseai/post/Why-and-how-to-develop-a-set-of-responsible-AI-principles"&gt;responsible AI practices&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Partnering with legal, HR, compliance, IT and operations to integrate security into business processes.&lt;/li&gt; 
  &lt;li&gt;Aligning cybersecurity priorities with digital transformation, product development and customer experience.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;While traditionally focused on technical defenses, the modern CISO role has expanded dramatically, requiring cross-functional leadership, strategic vision and strong CISO business alignment across the organization. The modern CISO isn't just a technical guardian; they're also a strategic business leader. As cyberthreats become more sophisticated and digital transformation accelerates, CISOs are expected to do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Influence enterprise strategy and investment decisions.&lt;/li&gt; 
  &lt;li&gt;Contribute to revenue protection and brand trust.&lt;/li&gt; 
  &lt;li&gt;Take ownership of emerging risk domains such as AI; &lt;a href="https://www.techtarget.com/whatis/definition/environmental-social-and-governance-ESG"&gt;environmental, social and governance&lt;/a&gt; initiatives; and data ethics.&lt;/li&gt; 
  &lt;li&gt;Operate with board-level visibility and accountability.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="CISO qualifications and certifications"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;CISO qualifications and certifications&lt;/h2&gt;
 &lt;p&gt;While there's no single must-have path to becoming a CISO, most organizations expect a strong combination of formal education, extensive hands-on experience and relevant industry certifications. The following is an overview of what it takes to become a CISO, including skills, qualifications, certifications and real-world insights.&lt;/p&gt;
 &lt;h3&gt;What skills should a CISO have?&lt;/h3&gt;
 &lt;p&gt;A CISO is typically a skilled leader and manager with a strong understanding of IT and security, who can communicate complicated security concepts to both technical and nontechnical employees. CISOs also have experience in &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;risk management&lt;/a&gt; and auditing. The following are some essential skills that every CISO should possess:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Technical expertise.&lt;/b&gt; This is in network, systems, cloud, application security, incident response and &lt;a href="https://www.techtarget.com/searchsecurity/tip/What-is-threat-hunting-Key-strategies-explained"&gt;threat hunting&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Strategic thinking.&lt;/b&gt; This is done to align cybersecurity initiatives with business objectives and long-term goals.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Risk management.&lt;/b&gt; This includes identification, assessment and mitigation of security risks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Regulatory compliance.&lt;/b&gt; This covers knowledge of standards.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Governance and policy development.&lt;/b&gt; This is an important skill area for establishing and enforcing &lt;a href="https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one"&gt;security frameworks and protocols&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Crisis management.&lt;/b&gt; This skill is needed to effectively handle and communicate during security incidents.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Leadership and team management.&lt;/b&gt; This includes building, mentoring and leading cross-functional security teams.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Communication skills.&lt;/b&gt; This is the ability to articulate complex security issues to nontechnical stakeholders and executives.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Business acumen. &lt;/b&gt;This is needed to understand organizational goals and integrate security strategies accordingly.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Continuous learning.&lt;/b&gt; This is required to stay updated with emerging threats, technologies and best practices.&lt;/li&gt; 
  &lt;li&gt;&lt;strong&gt;Data storytelling.&lt;/strong&gt; This is to transform complex security data into compelling narratives that resonate with stakeholders.&lt;/li&gt; 
  &lt;li&gt;&lt;strong&gt;Board engagement.&lt;/strong&gt; This is to effectively communicate cybersecurity strategies and risks to the board, ensuring alignment with business objectives.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;What qualifications should a CISO have?&lt;/h3&gt;
 &lt;p&gt;Many companies require CISOs to have a bachelor's degree in cybersecurity or IT and advanced degrees in business, computer science or engineering.&lt;/p&gt;
 &lt;p&gt;The following are common qualifications that CISOs typically possess:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;A bachelor's degree in computer science, cybersecurity, IT or related fields is required at a minimum for most CISO positions.&lt;/li&gt; 
  &lt;li&gt;A master's degree is increasingly preferred, especially for larger organizations. Common options include a master's in information security, a master's in cybersecurity, an MBA with a technology focus and a master's in computer science.&lt;/li&gt; 
  &lt;li&gt;Doctoral degrees aren't typically required but can be advantageous for research-oriented organizations and academic institutions.&lt;/li&gt; 
  &lt;li&gt;Becoming a CISO involves gaining hands-on technical experience in various cybersecurity roles for 7 to 15+ years, progressively moving into leadership positions. Common roles include security analyst, security engineer, security architect, incident response lead, security operations center manager and director of information security.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Effective cybersecurity leadership demands more than technical expertise. Due to increasing legal, regulatory and financial risks, CISOs must excel in &lt;a href="https://www.techtarget.com/searchsecurity/definition/governance-risk-management-and-compliance-GRC"&gt;governance, risk, and compliance&lt;/a&gt;, communication and business strategy. As a result, more than 40% of new CISOs, especially those with backgrounds in privacy, compliance and enterprise risk, &lt;a target="_blank" href="https://rhisac.org/wp-content/uploads/CISO-Benchmarking-Presentation-2025_TLP-Clear.pdf" rel="noopener"&gt;come from nontechnical fields&lt;/a&gt;, according to RH-ISAC and Accenture's "2025 CISO Benchmark Report."&lt;/p&gt;
 &lt;h3&gt;What certifications should a CISO have?&lt;/h3&gt;
 &lt;p&gt;CISOs also typically have relevant certifications, such as those from the Information Systems Audit and Control Association (&lt;a href="https://www.techtarget.com/searchcio/definition/ISACA"&gt;ISACA&lt;/a&gt;), International Information Systems Security Certification Consortium &lt;a href="https://www.techtarget.com/searchsecurity/definition/ISC2-International-Information-Systems-Security-Certification-Consortium"&gt;(ISC)2&lt;/a&gt; and the Computing Technology Industry Association (CompTIA). Specific certifications include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;EC-Council Certified Chief Information Security Officer (CCISO).&lt;/li&gt; 
  &lt;li&gt;CompTIA Cybersecurity Analyst Certification.&lt;/li&gt; 
  &lt;li&gt;CompTIA Network Vulnerability Assessment Professional.&lt;/li&gt; 
  &lt;li&gt;CompTIA Network Security Professional.&lt;/li&gt; 
  &lt;li&gt;CompTIA Security Analytics Professional.&lt;/li&gt; 
  &lt;li&gt;CompTIA IT Operations Specialist.&lt;/li&gt; 
  &lt;li&gt;GIAC Strategic Planning, Policy &amp;amp; Leadership.&lt;/li&gt; 
  &lt;li&gt;ISACA &lt;a href="https://www.techtarget.com/searchsecurity/definition/Certified-Information-Systems-Auditor-CISA"&gt;Certified Information Systems Auditor&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;ISACA Certified Information Security Manager.&lt;/li&gt; 
  &lt;li&gt;ISACA &lt;a href="https://www.techtarget.com/whatis/definition/Certified-in-Risk-and-Information-Systems-Control-CRISC"&gt;Certified in Risk and Information Systems Control&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;ISC2 &lt;a href="https://www.techtarget.com/searchsecurity/definition/Certified-Information-Systems-Security-Professional"&gt;Certified Information Systems Security Professional&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;ISC2 &lt;a href="https://www.techtarget.com/searchsecurity/definition/Certified-Cloud-Security-Professional-CCSP"&gt;Certified Cloud Security Professional&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;ISC2 Systems Security Certified Practitioner.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/best_cybersecurity_certifications_for_aspiring_cisos-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/best_cybersecurity_certifications_for_aspiring_cisos-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/best_cybersecurity_certifications_for_aspiring_cisos-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/best_cybersecurity_certifications_for_aspiring_cisos-f.png 1280w" alt="A comparison chart showing key details for CISSP, CISM and CCISO certifications." height="380" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The CISSP, CISM and CCISO certifications are likely to serve CISOs and aspiring CISOs well.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;              
&lt;section class="section main-article-chapter" data-menu-title="What is the salary of a CISO?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the salary of a CISO?&lt;/h2&gt;
 &lt;p&gt;The average salary in the U.S. for CISOs varies quite a bit. The average annual salary has ranged from $152,700 to $270,000 in 2025.&lt;/p&gt;
 &lt;p&gt;Glassdoor lists the average U.S. CISO base salary in 2025 at $178,125, with a total median compensation including bonuses of $270,077 and the potential to earn up to $360,130 annually. Salary.com cites the average base salary at $339,489, with a total compensation median of $577,781, including bonuses and benefits. Pay might change based on degrees, certifications, geographical location and time spent in the profession.&lt;/p&gt;
 &lt;p&gt;With economic uncertainties and tightening security budgets, CISO compensation continues to grow, but at a slower pace than in previous years. Compensation trends show modest base salary increases of 5%-6%, while total compensation growth remains strong due to performance bonuses and equity packages.&lt;/p&gt;
 &lt;p&gt;Base salaries are expected to grow, fueled by increasing enterprise demand for cybersecurity leadership and talent scarcity. Total compensation for CISOs, especially those with expertise in AI, cloud and &lt;a href="https://www.techtarget.com/searchsecurity/definition/zero-trust-model-zero-trust-network"&gt;zero-trust&lt;/a&gt; architectures, might soon reach $600K-$700K, with top performers continuing to surpass the $1 million mark.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;CISOs must meet the qualifications set out by companies to meet security expectations. Learn more about &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-become-a-CISO"&gt;&lt;i&gt;how to become a CISO&lt;/i&gt;&lt;/a&gt;&lt;i&gt;.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an information security program.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/5.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/CISO-chief-information-security-officer</link>
            <pubDate>Mon, 21 Jul 2025 09:00:00 GMT</pubDate>
            <title>What is a CISO (chief information security officer)?</title>
        </item>
        <item>
            <body>&lt;p&gt;Biometric authentication is a security process that relies on the unique biological characteristics of individuals to verify their identity. Instead of relying on personal identification numbers (PINs) or &lt;a href="https://www.techtarget.com/searchsecurity/definition/password"&gt;passwords&lt;/a&gt;, biometric authentication systems compare physical or behavioral traits to stored, confirmed, authentic data in a database. If both samples of the biometric data match, &lt;a href="https://www.techtarget.com/searchsecurity/definition/authentication"&gt;authentication&lt;/a&gt; is confirmed. Typically, biometric authentication is used to manage access to physical and digital resources, such as buildings, rooms and computing devices.&lt;/p&gt; 
&lt;p&gt;Biometric identification uses &lt;a href="https://www.techtarget.com/searchsecurity/definition/biometrics"&gt;biometrics&lt;/a&gt;, such as fingerprints, facial recognition and retina scans, to &lt;i&gt;identify&lt;/i&gt; a person, whereas biometric authentication is the use of biometrics to &lt;i&gt;verify&lt;/i&gt; that people are who they claim to be.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Types of biometric authentication methods"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of biometric authentication methods&lt;/h2&gt;
 &lt;p&gt;The following examples of biometric technology are built using &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/Computer-vision-tools-reach-into-test-healthcare-security"&gt;computer vision&lt;/a&gt; algorithms. These technologies can be used to digitally identify people or permit them to access a system:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Chemical biometric devices&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li style="list-style-type: none;"&gt; 
   &lt;ul style="list-style-type: circle;" class="default-list"&gt; 
    &lt;li&gt;DNA (deoxyribonucleic acid) matching uses genetic material to identify a person.&lt;/li&gt; 
   &lt;/ul&gt; &lt;/li&gt; 
 &lt;/ul&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Visual biometric devices&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li style="list-style-type: none;"&gt; 
   &lt;ul style="list-style-type: circle;" class="default-list"&gt; 
    &lt;li&gt;Retina scans identify subjects by analyzing the unique pattern of blood vessels at the back of their eyes.&lt;/li&gt; 
    &lt;li&gt;Iris recognition uses a picture of the iris to identify people in an iris scan.&lt;/li&gt; 
    &lt;li&gt;Fingerprint scanners identify people based on their fingerprints.&lt;/li&gt; 
    &lt;li&gt;Hand geometry recognition verifies identity or authorizes transactions using a mathematical representation of the unique characteristics of people's hands. This is done by measuring the distances between various parts of the hand, including finger length, finger breadth and the shape of the valleys between the knuckles.&lt;/li&gt; 
    &lt;li&gt;Facial recognition relies on the unique characteristics and patterns of people's faces to confirm their identity. A &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/facial-recognition"&gt;facial recognition&lt;/a&gt; system identifies 80 nodal points on a human face, which make up numeric codes called &lt;i&gt;faceprints&lt;/i&gt;.&lt;/li&gt; 
    &lt;li&gt;Ear authentication verifies identity based on users' unique ear shape.&lt;/li&gt; 
    &lt;li&gt;Signature recognition uses pattern recognition to identify individuals based on their handwritten signature.&lt;/li&gt; 
    &lt;li&gt;Vein or vascular recognition uses scanners to detect and map the unique arrangement of veins beneath the skin using infrared light.&lt;/li&gt; 
    &lt;li&gt;Finger vein recognition identifies individuals based on the vein patterns in their finger.&lt;/li&gt; 
   &lt;/ul&gt; &lt;/li&gt; 
 &lt;/ul&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Behavioral biometrics&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li style="list-style-type: none;"&gt; 
   &lt;ul style="list-style-type: circle;" class="default-list"&gt; 
    &lt;li&gt;Gait analysis examines the way people walk.&lt;/li&gt; 
    &lt;li&gt;Typing recognition establishes people's identity based on their unique typing characteristics, including their typing speed.&lt;/li&gt; 
    &lt;li&gt;Mouse and touchscreen recognition identify how someone moves a pointer or swipes when using desktop and mobile apps.&lt;/li&gt; 
   &lt;/ul&gt; &lt;/li&gt; 
 &lt;/ul&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Auditory biometric devices&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li style="list-style-type: none;"&gt; 
   &lt;ul style="list-style-type: circle;" class="default-list"&gt; 
    &lt;li&gt;Voice ID identifies individuals with voice recognition and relies on characteristics created by the shape of the mouth and throat.&lt;/li&gt; 
   &lt;/ul&gt; &lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-biometric_authentication_types.png 1280w" alt="List of biometric authentication types" height="608" width="559"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Biometrics can digitally identify people or grant them permission to access a system.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;           
&lt;section class="section main-article-chapter" data-menu-title="What are the components of biometric authentication devices?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the components of biometric authentication devices?&lt;/h2&gt;
 &lt;p&gt;A biometric device includes three components: a reader or scanning device, technology used to convert and compare collected biometric data, and a database for storage.&lt;/p&gt;
 &lt;p&gt;A &lt;a href="https://www.techtarget.com/whatis/definition/sensor"&gt;sensor&lt;/a&gt; is a device that measures and captures biometric data. For example, it could be a fingerprint reader, voice analyzer or retina scanner. These devices collect data to compare to the stored information for a match. The software processes the biometric data and compares it to match points in the stored data.&lt;/p&gt;
 &lt;p&gt;Most biometric data is stored in a database that's tied to a central server on which all data is housed. However, another method of storing biometric data is &lt;a href="https://www.techtarget.com/searchsecurity/definition/cryptography"&gt;cryptographically&lt;/a&gt; hashing it to enable the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Use-these-6-user-authentication-types-to-secure-networks"&gt;authentication process to be completed&lt;/a&gt; without direct access to the data.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What is multimodal biometric authentication?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is multimodal biometric authentication?&lt;/h2&gt;
 &lt;p&gt;Many advanced systems use multimodal biometrics, combining two or more biometric methods, such as fingerprint and facial recognition, to enhance security and accuracy, making it significantly harder for unauthorized individuals to gain access. Multimodal biometric authentication adds layers to an authentication process by requiring multiple identifiers, which are read simultaneously during the process.&lt;/p&gt;
 &lt;p&gt;Multimodal biometrics can be considered a form of multifactor authentication (&lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;MFA&lt;/a&gt;). However, it differs significantly from the more commonly understood form of MFA, where users typically input sensitive information, such as a password and a one-time code, into a mobile or desktop device.&lt;/p&gt;
 &lt;p&gt;Multimodal biometric authentication is often used in high-security environments such as &lt;a href="https://www.techtarget.com/searchdatacenter/definition/data-center"&gt;data centers&lt;/a&gt;, government facilities, banking systems or any place where the cost of identity compromise is high.&lt;/p&gt;
 &lt;p&gt;Increased security without the need for key cards, access cards, &lt;a href="https://www.techtarget.com/searchsecurity/opinion/Whats-the-difference-between-a-password-and-a-PIN"&gt;passwords or PINs&lt;/a&gt; is among the advantages for organizations that choose to adopt this approach. Additionally, &lt;a href="https://www.techtarget.com/whatis/definition/threat-actor"&gt;malicious actors&lt;/a&gt; who attempt to hack or fake their way through an authentication system have a harder time faking two or more unique characteristics of an individual than if they were to try faking only one.&lt;/p&gt;
 &lt;p&gt;However, this approach also comes with a few disadvantages. High costs can be incurred when assembling and implementing the tools needed, such as scanners, computing power and storage space for biometric data. Also, use of this technology can intensify public perception that an organization is collecting and storing personal information unnecessarily, which can then be used to surveil people with or without their consent.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Biometric authentication use cases"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Biometric authentication use cases&lt;/h2&gt;
 &lt;p&gt;Examples of areas where biometric authentication is used include the following:&lt;/p&gt;
 &lt;h3&gt;Law enforcement&lt;/h3&gt;
 &lt;p&gt;Law enforcement and state and federal agencies use different kinds of biometric data for identification purposes. These include fingerprints, facial features, iris patterns, voice samples and DNA.&lt;/p&gt;
 &lt;p&gt;For example, the Automated Fingerprint Identification System (AFIS) is a database that is used to identify fingerprints. It was first used in the early 1970s as a way for police departments to automate their otherwise manual fingerprint identification process, making it quicker and more effective. In the past, a trained human examiner had to compare a fingerprint image to the prints on file. If there was a match, the examiner would double-check the two prints to verify the match.&lt;/p&gt;
 &lt;p&gt;Today, AFIS can match a fingerprint against a database of millions of prints in a matter of minutes.&lt;/p&gt;
 &lt;h3&gt;Travel&lt;/h3&gt;
 &lt;p&gt;An electronic passport or e-passport is the same size as a conventional passport and contains a microchip that stores the same biometric information as a conventional passport, including a digital photograph of the holder. The chip's digital image of the passport holder's photo is linked to the owner's name and other &lt;a href="https://www.techtarget.com/searchsecurity/definition/personally-identifiable-information-PII"&gt;personally identifiable information&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;The e-passport is issued electronically by a country's issuing authority, which checks the identity of the applicant. The authority uses fingerprints or other biometric information to confirm that the data in the chip matches the information provided by the applicant before issuing the passport.&lt;/p&gt;
 &lt;h3&gt;Healthcare&lt;/h3&gt;
 &lt;p&gt;Hospitals use biometrics to more accurately track patients and prevent mix-ups. Clinics and doctors' offices use it to keep patients' information secure. Using biometric data, hospitals can create digital identities of patients that help them store and access those patients' medical histories. This information can be used to ensure the right patient gets the right care, whether that means faster identification in emergencies or preventing medical errors.&lt;/p&gt;
 &lt;h3&gt;Identity and access management systems&lt;/h3&gt;
 &lt;p&gt;An identity and access management (&lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;IAM&lt;/a&gt;) system is a combination of policies and technology tools that collectively form a centralized means of controlling user access to important information a business has stored.&lt;/p&gt;
 &lt;p&gt;IAM systems use methods such as single sign-on, two-factor authentication and MFA. They also use sophisticated tools, including biometrics, analysis of behavioral characteristics, &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/AI-Artificial-Intelligence"&gt;AI&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/machine-learning-ML"&gt;machine learning&lt;/a&gt;, as part of their overall strategy to make authentication more rigorous and secure.&lt;/p&gt;
 &lt;h3&gt;Payments&lt;/h3&gt;
 &lt;p&gt;The use of biometric authentication in payments and credit card processing is nascent and slowly expanding. The idea is to add more security to payments without added complexities or frustrations. Examples of biometric payments have consumers using cards to pay for goods, but those transactions are only authorized after they scan their fingerprint, eye or face.&lt;/p&gt;
 &lt;p&gt;There's more than one way to scan as well, since cards can have built-in sensors to scan fingerprints, while a register or kiosk might have scanners readily available.&lt;/p&gt;
 &lt;h3&gt;Education&lt;/h3&gt;
 &lt;p&gt;Biometric authentication plays a growing role in the education sector, offering enhanced security and streamlined operations. For example, it's used for student identification, ensuring accurate attendance tracking and providing secure access to school facilities.&lt;/p&gt;
 &lt;p&gt;Biometric authentication also helps prevent impersonation during exams by verifying that the test-taker is the enrolled student. It can also enable secure library access and contactless checkout of resources for students.&lt;/p&gt;
 &lt;h3&gt;Smart homes and vehicles&lt;/h3&gt;
 &lt;p&gt;Biometric authentication is becoming increasingly integrated into everyday living through &lt;a href="https://www.techtarget.com/iotagenda/definition/smart-home-or-building"&gt;smart home&lt;/a&gt; systems and connected vehicles. In modern homes, facial or voice recognition can be used to unlock doors, disarm security systems, adjust lighting and climate settings, and interact with digital assistants. This adds convenience and an extra layer of security by ensuring that only authorized users can control key functions.&lt;/p&gt;
 &lt;p&gt;In the automotive industry, several manufacturers are incorporating biometrics into vehicles. For example, fingerprint or facial recognition is used to start the car, unlock doors and personalize driver settings, such as seat position, mirror angles and infotainment preferences.&lt;/p&gt;
 &lt;h3&gt;Physical access control&lt;/h3&gt;
 &lt;p&gt;Biometric authentication significantly enhances physical access control, securing premises and ensuring only authorized individuals can enter restricted areas. This is achieved by using methods such as fingerprints, facial recognition or iris scans to grant entry to buildings, sensitive server rooms or specific zones within a larger facility.&lt;/p&gt;
 &lt;p&gt;Additionally, it streamlines time and attendance tracking by enabling employees to clock in and out with their unique biometrics, helping prevent time theft and ensuring accurate payroll records.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/mobile_computing-mobile%20biometrics_02.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/mobile_computing-mobile%20biometrics_02_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/mobile_computing-mobile%20biometrics_02_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/mobile_computing-mobile%20biometrics_02.png 1280w" alt="Diagram showing how biometric fingerprint payments work" height="308" width="520"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Biometric payments use biometric authentication -- most commonly fingerprint scanning, with facial recognition quickly gaining prominence as well -- at the point of sale to identify a user and authorize the deduction of funds from their bank account.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;                            
&lt;section class="section main-article-chapter" data-menu-title="What are the advantages and disadvantages of biometric authentication?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What are the advantages and disadvantages of biometric authentication?&lt;/h2&gt;
 &lt;p&gt;Biometric authentication offers both &lt;a href="https://www.techtarget.com/searchsecurity/tip/Evaluate-biometric-authentication-pros-and-cons-implications"&gt;advantages and disadvantages&lt;/a&gt;.&lt;/p&gt;
 &lt;h3&gt;Advantages of biometric authentication&lt;/h3&gt;
 &lt;p&gt;In the United States alone, business use of biometric authentication has drastically increased in recent years as more business leaders are becoming confident in its capabilities. Here are the key advantages of biometric authentication:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Enhanced security.&lt;/b&gt; Since biometric authentication uses unique characteristics for verification, these features are difficult to replicate. Traditional methods, such as usernames, passwords and ID cards, aren't as secure because they can be stolen or guessed easily.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Convenience and speed.&lt;/b&gt; Biometric authentication eliminates the need to remember complex passwords or carry physical tokens, streamlining the login process. It also makes unlocking devices and accessing accounts significantly faster and more convenient.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Nontransferable.&lt;/b&gt; Unlike passwords that can be shared or stolen, biometric traits are physically linked to the individual, making unauthorized sharing impossible.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Reduced human error.&lt;/b&gt; Biometric authentication minimizes the potential for human errors associated with traditional methods, such as forgetting passwords, typing mistakes or accidentally sharing credentials.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Scalability.&lt;/b&gt; Biometric systems can be easily scaled to accommodate many users, making them suitable for large organizations and public services.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Long-term stability.&lt;/b&gt; Physiological biometrics generally remain stable throughout a person's lifetime. This reduces the need for frequent updates or changes to authentication methods.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Reduced costs.&lt;/b&gt; Biometric authentication helps reduce costs related to password resets, customer support and fraud prevention. By enabling real-time, automated identity verification, it also speeds up processes such as customer onboarding and &lt;a href="https://www.techtarget.com/searchsecurity/definition/access-control"&gt;access control&lt;/a&gt;, improving overall &lt;a href="https://www.techtarget.com/searchbusinessanalytics/definition/operational-efficiency"&gt;operational efficiency&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Disadvantages of biometric authentication&lt;/h3&gt;
 &lt;p&gt;While biometrics offers many advantages for particular industries, there are &lt;a href="https://www.computerweekly.com/news/252495597/Biometrics-ethics-group-address-public-private-use-of-facial-recognition"&gt;controversies surrounding its usage&lt;/a&gt;. Here are the key issues related to biometric authentication:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Data interception.&lt;/b&gt; If bad actors capture biometric data when it's being transmitted to a central database, they can fraudulently replicate that data to perform another transaction. For example, by capturing an individual's fingerprint and using it to access a fingerprint-secured device, hackers or other bad actors could access sensitive data, such as private messages or financial information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Risk of privacy invasion. &lt;/b&gt;Another potential issue with biometric authentication is that once a security system has been implemented, an organization might be tempted to use the system for functions beyond its original intention, which is known as &lt;i&gt;function creep&lt;/i&gt;. For example, a company might find the technology useful for employee monitoring and management.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Irreplaceability of compromised data.&lt;/b&gt; Once a biometric trait, such as a fingerprint template, is compromised or stolen, it's nearly impossible to change or revoke, potentially leaving the individual exposed.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Accuracy challenges.&lt;/b&gt; Despite their overall accuracy, biometric systems aren't infallible and can make errors, which are measured by the false acceptance rate (FAR) and the false rejection rate (FRR). A false acceptance occurs when unauthorized individuals are mistakenly granted access, posing a security risk. A false rejection happens when legitimate users are wrongly denied access, causing frustration. These issues can result from factors such as sensor quality, environmental conditions, changes in appearance and &lt;a href="https://www.techtarget.com/searchbusinessanalytics/feature/8-types-of-bias-in-data-analysis-and-how-to-avoid-them"&gt;biases in the training data&lt;/a&gt;, affecting both security and user experience.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;High initial costs.&lt;/b&gt; Setting up biometric authentication systems can involve significant initial investments in specialized hardware, software and infrastructure upgrades. This can make it costly for smaller organizations.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Sensing limitations.&lt;/b&gt; External factors, such as dirt, moisture, lighting conditions or even minor injuries to the biometric trait, can affect the performance of biometric sensors.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Limited device compatibility.&lt;/b&gt; Biometric devices might not work with other systems and applications, limiting their use.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Single point of failure.&lt;/b&gt; If a single biometric modality is compromised or malfunctions, the entire authentication process can be affected. However, multimodal systems aim to mitigate this risk.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-biometrics_of_mfa-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security-biometrics_of_mfa-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-biometrics_of_mfa-f_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/security-biometrics_of_mfa-f.png 1280w" alt="Table outlining pros and cons of biometrics in multifactor authentication" height="308" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Biometric authentication has its upsides and downsides.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Biometric authentication vs. passwords"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Biometric authentication vs. passwords&lt;/h2&gt;
 &lt;p&gt;Biometric authentication and passwords are both methods of proving identity, but they work in different ways, each with its strengths and trade-offs. The following is a comparison of various aspects of both methods:&lt;/p&gt;
 &lt;h3&gt;Identification&lt;/h3&gt;
 &lt;p&gt;Biometric authentication uses unique physical or behavioral traits, such as fingerprints, face or voice, to verify a person's identity. On the other hand, passwords are secret words or phrases that users input to confirm their identity.&lt;/p&gt;
 &lt;h3&gt;Security&lt;/h3&gt;
 &lt;p&gt;Biometric authentication typically offers stronger protection than traditional passwords because the traits used for identification are inherently difficult to replicate, guess or phish. It also resists &lt;a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking"&gt;brute-force attacks&lt;/a&gt; that commonly target passwords. However, biometric systems aren't foolproof and can be spoofed using techniques such as fake fingerprints, high-resolution photo masks, or 3D-printed replicas.&lt;/p&gt;
 &lt;p&gt;The security of passwords, by contrast, largely depends on their complexity and uniqueness. Weak or reused passwords, which are linked to poor password practices, are especially vulnerable to security breaches. Passwords are also easily compromised through &lt;a href="https://www.techtarget.com/searchsecurity/definition/phishing"&gt;phishing&lt;/a&gt;, brute-force attacks or even physical methods such as thermal or smudge analysis.&lt;/p&gt;
 &lt;h3&gt;Flexibility&lt;/h3&gt;
 &lt;p&gt;Once compromised, biometric data can't be reset, posing a significant challenge. Additionally, environmental factors or physical changes can affect the accuracy of biometric systems. Passwords, by contrast, can be changed immediately if compromised. This flexibility enables users to quickly mitigate security risks.&lt;/p&gt;
 &lt;h3&gt;Usability&lt;/h3&gt;
 &lt;p&gt;Biometric authentication is quick and effortless, requiring only a simple presentation of a finger or face, with no need to type anything. This streamlined process enhances user convenience and helps eliminate password fatigue that comes from managing numerous credentials across different platforms.&lt;/p&gt;
 &lt;p&gt;Passwords remain a familiar and universally accepted method of authentication, requiring no specialized hardware to set up. However, they can be frustrating for users to manage, as they're often difficult to remember and frequently forgotten, especially when strong, unique passwords are used for multiple accounts.&lt;/p&gt;
 &lt;h3&gt;Implementation costs&lt;/h3&gt;
 &lt;p&gt;Biometric authentication requires specialized hardware and software, leading to higher initial setup costs. Ongoing maintenance and system updates also add to the expenses. Additionally, organizations must ensure compliance with data protection regulations when handling biometric data.&lt;/p&gt;
 &lt;p&gt;Passwords don't require specialized hardware for implementation, making them cost-effective and easy to deploy. However, managing passwords across multiple platforms can be cumbersome and prone to human error.&lt;/p&gt;
 &lt;p&gt;To address the limitations of both methods, many modern security systems integrate biometric authentication with passwords, such as using a fingerprint to unlock a &lt;a href="https://www.techtarget.com/searchsecurity/definition/password-manager"&gt;password manager&lt;/a&gt;. This hybrid approach uses the strengths of both methods, offering a more secure and user-friendly authentication experience.&lt;/p&gt;
&lt;/section&gt;                
&lt;section class="section main-article-chapter" data-menu-title="Can you hack or bypass biometric authentication?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Can you hack or bypass biometric authentication?&lt;/h2&gt;
 &lt;p&gt;While biometric authentication systems are generally more secure than traditional passwords, they aren't immune to sophisticated attacks; no technology is entirely hacker-proof. The following is a breakdown of how biometric authentication can be hacked or bypassed:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Fingerprint spoofing.&lt;/b&gt; In this method, attackers create fake fingerprints using materials such as gelatin, silicone or &lt;a href="https://www.techtarget.com/whatis/definition/3-D-printing-rapid-prototyping-stereolighography-or-architectural-modeling"&gt;3D printing&lt;/a&gt;. These replicas can deceive fingerprint scanners, especially if the system lacks advanced liveness detection, a security feature that verifies whether the biometric input comes from a real, live person rather than a spoof.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Facial recognition manipulation.&lt;/b&gt; Facial recognition systems can be deceived using several sophisticated methods. Attackers might use high-resolution photos or videos of the target to bypass some systems. Additionally, life-like 3D masks that closely mimic a person's facial features can fool the system into granting access. More advanced techniques involve &lt;a href="https://www.techtarget.com/whatis/definition/deepfake"&gt;deepfakes&lt;/a&gt;, which are AI-generated videos that convincingly replicate a person's facial movements and expressions, making it increasingly challenging for facial recognition technology to distinguish between real and fake identities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Voice imitation.&lt;/b&gt; Advanced AI tools can synthesize a person's voice, enabling attackers to pass voice authentication systems.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Iris spoofing.&lt;/b&gt; This is more challenging but has been demonstrated using high-resolution printed images of an iris with a contact lens placed over it to simulate depth and texture, or by reconstructing an iris from compromised binary data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Skimming.&lt;/b&gt; Similar to &lt;a href="https://www.techtarget.com/whatis/feature/How-to-spot-a-card-skimmer"&gt;credit card skimming&lt;/a&gt;, devices can be used to surreptitiously capture biometric data, such as fingerprints, from scanners or surfaces the user interacts with.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Social engineering. &lt;/b&gt;Attackers might use phishing or other &lt;a href="https://www.techtarget.com/searchsecurity/definition/social-engineering"&gt;social engineering&lt;/a&gt; tactics to trick users into providing their biometric data directly or performing actions that enable its capture.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;System vulnerabilities.&lt;/b&gt; Weaknesses in the biometric system's software, algorithms or hardware implementation can create entry points for attackers. This includes bugs, misconfigurations or insufficient liveness detection capabilities.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Future of biometric authentication"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Future of biometric authentication&lt;/h2&gt;
 &lt;p&gt;The future of biometric authentication is expected to be characterized by increasing sophistication, deeper integration into daily life, and a continuous push towards enhanced security and user convenience. Several key trends and advancements that are shaping this evolution include the following:&lt;/p&gt;
 &lt;h3&gt;AI and machine learning integration&lt;/h3&gt;
 &lt;p&gt;AI and machine learning are playing an increasingly central role in advancing biometric authentication systems. These technologies enhance accuracy, adapt to changing user traits and help defend against sophisticated spoofing attempts, such as deepfakes. They do this by analyzing micro-expressions, voice intonation and behavioral patterns. For example, modern facial recognition systems now use &lt;a href="https://www.techtarget.com/searchenterpriseai/definition/deep-learning-deep-neural-network"&gt;deep learning&lt;/a&gt; to detect subtle facial movements and 3D depth, making them more resilient to photo or mask-based spoofing.&lt;/p&gt;
 &lt;p&gt;According to a Gartner &lt;a target="_blank" href="https://www.gartner.com/en/newsroom/press-releases/2024-02-01-gartner-predicts-30-percent-of-enterprises-will-consider-identity-verification-and-authentication-solutions-unreliable-in-isolation-due-to-deepfakes-by-2026" rel="noopener"&gt;press release&lt;/a&gt;, by 2026, 30% of enterprises will consider identity verification and authentication tools unreliable when used in isolation, due to the growing threat of AI-generated deepfakes. This highlights the growing need for layered security approaches and technologies such as liveness detection.&lt;/p&gt;
 &lt;p&gt;Voice authentication with AI is also becoming stronger. For example, AI models can analyze pitch, cadence and even unnatural pauses in speech to detect deepfake audio with increasing precision.&lt;/p&gt;
 &lt;h3&gt;Multimodal and contactless biometric authentication&lt;/h3&gt;
 &lt;p&gt;The future of biometric authentication is rapidly advancing toward multimodal systems that integrate two or more distinct biometric modalities, such as facial recognition, fingerprint scanning and voice authentication. This layered approach enhances security, making it much more difficult for attackers to spoof multiple traits at once. It also improves reliability and accessibility by offering users multiple options for identity verification.&lt;/p&gt;
 &lt;p&gt;There is also a strong shift toward contactless biometrics, driven by growing demands for convenience and heightened hygiene concerns, especially in the wake of recent global health events. Innovations in this area include advanced facial recognition, precise iris scanning and hover-based technologies for palm or fingerprint authentication, all designed to eliminate the need for physical contact during the verification process.&lt;/p&gt;
 &lt;h3&gt;Behavioral biometrics for continuous authentication&lt;/h3&gt;
 &lt;p&gt;Beyond physical traits, behavioral biometrics, such as typing rhythm, mouse movements, gait and voice patterns, are seeing increased adoption. These systems work passively and continuously, verifying a user's identity in the background as they interact with a device or system. This enables real-time identity assurance by detecting anomalies that might signal session hijacking or &lt;a href="https://www.techtarget.com/searchsecurity/definition/insider-threat"&gt;insider threats&lt;/a&gt;, enabling adaptive security responses based on deviations from the user's typical behavior.&lt;/p&gt;
 &lt;h3&gt;Edge computing and decentralized identity&lt;/h3&gt;
 &lt;p&gt;Biometric data is increasingly being processed locally on &lt;a href="https://www.techtarget.com/searchnetworking/definition/edge-device"&gt;edge devices&lt;/a&gt;, such as smartphones and smartcards, reducing the need to transmit sensitive data to the cloud. This enhances both speed and privacy, especially in areas with limited connectivity.&lt;/p&gt;
 &lt;p&gt;At the same time, technologies such as &lt;a href="https://www.techtarget.com/searchcio/definition/blockchain"&gt;blockchain&lt;/a&gt; are being explored as a way to store immutable, verifiable biometric credentials. This could give individuals greater control over their data, enabling them to share it securely without relying on centralized third-party systems.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Explore the &lt;/i&gt;&lt;a href="https://www.techtarget.com/searchsecurity/answer/What-are-the-most-common-digital-authentication-methods"&gt;&lt;i&gt;most common digital authentication methods&lt;/i&gt;&lt;/a&gt;&lt;i&gt; and discover how they play a vital role in enhancing cybersecurity for both organizations and users.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Biometric authentication is a security process that relies on the unique biological characteristics of individuals to verify their identity.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/5.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/definition/biometric-authentication</link>
            <pubDate>Fri, 18 Jul 2025 09:00:00 GMT</pubDate>
            <title>What is biometric authentication?</title>
        </item>
        <item>
            <body>&lt;p&gt;The best way to validate the effectiveness of an incident response plan is to try it with a live audience. After all, if a plan doesn't work when needed, it has no value.&lt;/p&gt; 
&lt;p&gt;This is where incident response tabletop exercises come in. Let's examine these exercises and how to create and plan them.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is an incident response tabletop exercise?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is an incident response tabletop exercise?&lt;/h2&gt;
 &lt;p&gt;An incident response tabletop exercise is an activity that involves testing the processes outlined in an &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan"&gt;incident response plan&lt;/a&gt;. Attack simulations are run to ensure incident response team members know their roles and responsibilities -- as well as the tools and processes to use -- in response to a given attack scenario.&lt;/p&gt;
 &lt;p&gt;Incident response tabletop exercises can be discussion-based or operational:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Discussion-based tabletop exercises involve the incident response team talking through the events of a specific security incident.&lt;/li&gt; 
  &lt;li&gt;Operational exercises involve hands-on and discussion-based activities.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Exercises offer the following benefits:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Validate the effectiveness of an incident response plan.&lt;/li&gt; 
  &lt;li&gt;Identify and solidify plan procedures that work and correct any procedures that do not work.&lt;/li&gt; 
  &lt;li&gt;Pinpoint and correct steps that are out of sequence or steps that need to be added or deleted to create a more efficient and effective plan.&lt;/li&gt; 
  &lt;li&gt;Determine resources that could be needed in the event of an incident -- for example, staffing, equipment, communications, transportation or alternate locations.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The following standards have been developed for exercising and incident response:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;ISO 22320:2018 -- Security and resilience -- Emergency management -- Guidelines for incident management.&lt;/li&gt; 
  &lt;li&gt;ISO 22361:2022 -- Security and resilience -- Crisis management -- Guidelines.&lt;/li&gt; 
  &lt;li&gt;ISO/IEC 27035-1:2023 -- Information technology -- Information security incident management.&lt;/li&gt; 
  &lt;li&gt;NIST Special Publication (SP) 800-61 Rev. 3 -- Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;NIST offers a &lt;a target="_blank" href="https://csrc.nist.gov/pubs/sp/800/84/final" rel="noopener"&gt;guide&lt;/a&gt; on testing, training and exercise programs for IT plans. The U.S. Department of Homeland Security and the Federal Emergency Management Agency similarly provide security exercise and evaluation &lt;a target="_blank" href="https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep" rel="noopener"&gt;guidance&lt;/a&gt;.&lt;/p&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Incident response tabletop exercise template"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Incident response tabletop exercise template&lt;/h2&gt;
 &lt;p&gt;Successful tabletop exercises involve planning, processes and participation, followed by post-exercise review. Whether discussion-based or operational, incident response teams must ensure exercises encompass realistic scenarios that are tailored to their organization's threat landscape.&lt;/p&gt;
 &lt;p&gt;Our &lt;a href="https://www.techtarget.com/searchsecurity/pro/Incident-Response-Tabletop-Exercise-Template?Offer=2023templateMemWall"&gt;downloadable incident response tabletop exercise template&lt;/a&gt; is a good starting point. It can be customized to any organization's unique incident response exercises and adjusted as necessary.&lt;/p&gt;
 &lt;p&gt;This template includes the following core components:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Scope.&lt;/li&gt; 
  &lt;li&gt;Purpose.&lt;/li&gt; 
  &lt;li&gt;Objectives.&lt;/li&gt; 
  &lt;li&gt;Attack vector.&lt;/li&gt; 
  &lt;li&gt;Incident scenario.&lt;/li&gt; 
  &lt;li&gt;Discussion questions.&lt;/li&gt; 
  &lt;li&gt;Notes.&lt;/li&gt; 
  &lt;li&gt;Post-exercise remediations and review.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Incident response exercise scenarios"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Incident response exercise scenarios&lt;/h2&gt;
 &lt;p&gt;Incident response exercises document situations that could threaten an organization's operations or survival. Incident response plans and the accompanying steps for initial response are essential to business continuity (BC), disaster recovery and cybersecurity planning processes. They provide a way to identify problems and their accompanying solutions to recover and restore normal operations after a disruptive event.&lt;/p&gt;
 &lt;p&gt;Incident response exercise scenarios can cover many different events, from biological attacks to pandemics to natural disasters. In terms of cybersecurity-specific incidents, common tabletop exercise attack vectors include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack"&gt;DDoS attacks&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Phishing attacks.&lt;/li&gt; 
  &lt;li&gt;Viruses.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;Ransomware&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Credential theft.&lt;/li&gt; 
  &lt;li&gt;Malicious insiders.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking"&gt;Brute-force attacks&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Device or system misconfigurations.&lt;/li&gt; 
  &lt;li&gt;Unpatched vulnerabilities.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The following are some cybersecurity incident scenarios typically covered during incident response tabletop exercises:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Data breaches.&lt;/li&gt; 
  &lt;li&gt;Unauthorized access.&lt;/li&gt; 
  &lt;li&gt;Device compromise.&lt;/li&gt; 
  &lt;li&gt;Network compromise.&lt;/li&gt; 
  &lt;li&gt;Service compromise.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How to create and plan an incident response tabletop exercise"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to create and plan an incident response tabletop exercise&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/incident-response-team"&gt;Incident response teams&lt;/a&gt; should create exercises for the scenarios and attack vectors specific to their organizations. Expand the premise of the incident into a series of steps to make it more realistic. For example, a data breach tabletop exercise should include the initial attack vector, such as a phishing scam or credential theft, and its consequences.&lt;/p&gt;
 &lt;p&gt;Base the exercise on how the scenario occurs, what could happen during the incident and the responses to address it. Detail each situation and its objectives, team members involved, equipment used and any additional materials needed.&lt;/p&gt;
 &lt;p&gt;Before the exercise, take these steps:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Assign an exercise moderator who presents the ground rules for the exercise and serves as the timekeeper to keep exercises on track and on schedule.&lt;/li&gt; 
  &lt;li&gt;Assign someone to take notes.&lt;/li&gt; 
  &lt;li&gt;Plan where the exercise will take place. Discussion-based exercises can be held in a conference room if on-premises or conducted remotely. In an ideal exercise, team members work side by side to encourage interaction and discussion about how to deal with an incident as it unfolds.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Teams should prepare for the following during an exercise:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Run through the events of the incident and possible responses.&lt;/li&gt; 
  &lt;li&gt;Address situations that develop outside the exercise flow, or note them for later discussion.&lt;/li&gt; 
  &lt;li&gt;Exercise facilitators might introduce specific situations -- called &lt;i&gt;injects&lt;/i&gt; -- that can change or alter the sequence of events. Injects challenge exercise participants and encourage them to modify or adapt their incident response approaches during what could be rapidly changing circumstances.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Post-exercise, discuss the events while they are fresh in participants' minds:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Capture details about what worked.&lt;/li&gt; 
  &lt;li&gt;Document what did not work.&lt;/li&gt; 
  &lt;li&gt;Note any updates to make to the incident response plan.&lt;/li&gt; 
  &lt;li&gt;Schedule a follow-up exercise if necessary.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Tabletop exercise example"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Tabletop exercise example&lt;/h2&gt;
 &lt;p&gt;The following table outlines a ransomware tabletop exercise, including the scenario events and responses, as well as a column for exercise observations. Note that exercise leaders would have access to both columns, while participants would only see the scenario column.&lt;/p&gt;
 &lt;table class="main-article-table"&gt; 
  &lt;thead&gt; 
   &lt;tr&gt; 
    &lt;td style="width: 33%;"&gt;Scenario event&lt;/td&gt; 
    &lt;td style="width: 33%;"&gt;Response&lt;/td&gt; 
    &lt;td style="width: 33%;"&gt;Observations&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/thead&gt; 
  &lt;tbody&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Firewalls or intrusion prevention systems alert security team about an issue.&lt;/td&gt; 
    &lt;td&gt;Security team examines alarms, makes initial assessment of attack vector and contacts the incident response team.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Employees report they are unable to access files and systems, saying a code is needed to access them.&lt;/td&gt; 
    &lt;td&gt;Security team examines code patterns captured by perimeter security systems.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Security team is alerted of a suspected ransomware attack.&lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Security team initiates incident response plan and alerts incident response team members of the plan launch.&lt;/p&gt; &lt;p&gt;Incident response team alerts senior leadership of the attack and advises employees to log off systems and back up files.&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Security team examines systems, determines access to them has been blocked.&lt;/td&gt; 
    &lt;td&gt;Incident response plan activities isolate the malware for examination and quarantining.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Employees are still unable to access files and systems.&lt;/td&gt; 
    &lt;td&gt;Incident response team asks senior leadership and others to identify negative impact within their departments -- for example, inability to handle customer inquiries and place orders.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Senior leadership and others inform incident response team that the attack is causing operational problems.&lt;/td&gt; 
    &lt;td&gt;Incident response team continues to assess the situation and examines malware captured by the antimalware system.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Senior leaders determine whether the company needs to shut down until the attack is remediated.&lt;/td&gt; 
    &lt;td&gt;Incident response team determines the company's BC plans might need to be launched.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Senior management delays launching BC plan, informs incident response team.&lt;/td&gt; 
    &lt;td&gt; &lt;p&gt;Employees are advised they can remain in their offices or leave, told to await further updates.&lt;/p&gt; &lt;p&gt;Incident response team determines the nature of the attack, attempts a fix.&lt;/p&gt; &lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Employees still unable to access files and systems.&lt;/td&gt; 
    &lt;td&gt;Incident response team finds the encryption used in the attack is too difficult to decrypt, advises senior leaders.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Senior leaders instruct IT to recover the damaged files and systems from backup copies.&lt;/td&gt; 
    &lt;td&gt;IT and incident response teams begin system recovery, clean affected systems and reload backed-up assets.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
   &lt;tr&gt; 
    &lt;td&gt;Employees report they can access systems and files.&lt;/td&gt; 
    &lt;td&gt;Incident response team notifies senior leadership. A message is sent to employees that systems have been recovered. Post-incident activity launches.&lt;/td&gt; 
    &lt;td&gt;&lt;/td&gt; 
   &lt;/tr&gt; 
  &lt;/tbody&gt; 
 &lt;/table&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Incident response tabletop exercise schedule"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Incident response tabletop exercise schedule&lt;/h2&gt;
 &lt;p&gt;Just as incident response plans should be reviewed and updated annually -- at a minimum -- so should incident response tabletop exercises. Keep the incident response plan and tabletop exercises up to date and as current as possible. Add scenarios as needed to account for &lt;a href="https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams"&gt;new and emerging threats&lt;/a&gt;, and to review steps and procedures with new and existing team members.&lt;/p&gt;
 &lt;p&gt;Review and revise plans and exercises, if needed, any time changes are made to the company's business, infrastructure or compliance needs.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Have an incident response plan but aren't running incident response tabletop exercises? These simulations are key to knowing if your plan will work during an actual security event.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/maze_g1194975109.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/How-to-conduct-incident-response-tabletop-exercises</link>
            <pubDate>Wed, 09 Jul 2025 00:00:00 GMT</pubDate>
            <title>Incident response tabletop exercises: Guide and template</title>
        </item>
        <item>
            <body>&lt;p&gt;As the old adage goes, there are plenty of fish in the sea. In cybersecurity, make that plenty of phishing scams in the cyber-sea. And despite all the warnings not to take the bait, too many people continue to fall for phishing attempts hook, line and sinker.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/phishing"&gt;Phishing&lt;/a&gt; is a form of social engineering in which attackers trick users into providing access to data and systems. Attackers' motives range from getting users to download malware to stealing their login credentials to duping them into sharing sensitive data, such as credit card numbers, bank account info and company data.&lt;/p&gt; 
&lt;p&gt;Successful phishing attacks have repercussions on individuals and organizations alike. They can result in identity theft, data loss, financial loss, business disruptions, regulatory fines, damaged reputations and the risk of further attacks.&lt;/p&gt; 
&lt;p&gt;Phishing prevention requires a combination of people, processes and technologies:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;&lt;b&gt;People.&lt;/b&gt; This refers to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Beyond-awareness-Human-risk-management-metrics-for-CISOs%20"&gt;end users who are targets&lt;/a&gt; of -- and the first line of defense against -- phishing scams. It also includes the teams that conduct &lt;a href="https://www.techtarget.com/searchsecurity/definition/security-awareness-training"&gt;security awareness trainings&lt;/a&gt; in a company and the security team members who monitor, detect and respond to phishing incidents.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Processes. &lt;/b&gt;They include the security awareness trainings and phishing simulations that train and test employees on phishing attempts. Processes also refer to incident response plans and security policies that establish how to react to and recover from phishing incidents.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Technologies. &lt;/b&gt;These are the protocols, tools and services that scan and block phishing attempts, prevent account compromises, filter malicious websites, prevent malware from executing on devices and more.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Let's take a look at how to identify, respond to, report and prevent phishing.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="How to identify phishing scams"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to identify phishing scams&lt;/h2&gt;
 &lt;p&gt;Phishing emails used to be fairly easy to detect. The "Nigerian prince" scams of yesteryear are still rampant, but attacks today are more convincing and personalized than ever before.&lt;/p&gt;
 &lt;p&gt;When you receive a suspicious email, do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Look for typos.&lt;/b&gt; Many phishing emails contain grammatical errors and misspelled words.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Check the sender's address.&lt;/b&gt; If you don't recognize it, be wary. Attackers forge sender addresses to make their emails appear to be from legitimate sources. Check the IP address in the email source code to see if you can &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/Authenticating-email-in-Exchange-for-brand-protection"&gt;trace it to a legitimate contact&lt;/a&gt;. If the email comes from a genuine email address, reach out separately to the purported sender to ensure the email is real.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Look at the greeting.&lt;/b&gt; Generic salutations, such as "dear" or "customer," or the absence of a name could indicate a phishing attempt.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Examine the sender's domain.&lt;/b&gt; Beware of illegitimate domains. Assess whether the domain is indeed trusted or has been spoofed -- for example, tectharget.com or tech1arget.com instead of the real techtarget.com.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Beware of emails that create a sense of urgency.&lt;/b&gt; Many attackers try to rattle people by using urgent, time-sensitive wording or trying to scare them. Don't act hastily and without thinking; question the email and its legitimacy.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Beware of emails that ask for sensitive information and never share data.&lt;/b&gt; Never trust an email, text or website that asks for personal, corporate or financial information. Legitimate companies never ask for such data. If you are concerned about an account, contact the organization using a telephone number you know is genuine. If you must enter sensitive data on a website, visit it by typing the URL into the browser. Never click the link in an email or copy and paste it. Also, check for a lock symbol in the browser bar and make sure the URL starts with HTTPS; these confirm that the connection is encrypted, not that the site itself is legitimate. It should go without saying but bears repeating: Never share your passwords.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Beware of impersonators.&lt;/b&gt; Phishing scams have evolved from spray-and-pray campaigns that use one tactic on multiple victims to more targeted, personalized attacks, as evidenced in spear phishing, whaling and business email compromise (&lt;a href="https://www.techtarget.com/whatis/definition/business-email-compromise-BEC-man-in-the-email-attack"&gt;BEC&lt;/a&gt;). In such attacks, malicious actors search the web to gather information that enables them to masquerade as known contacts and impersonate legitimate communications and transactions.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/comprehensive_phishing_prevention_checklist-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/comprehensive_phishing_prevention_checklist-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/comprehensive_phishing_prevention_checklist-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/comprehensive_phishing_prevention_checklist-f.png 1280w" alt="Graphic of phishing prevention and identification tips" height="319" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Use this checklist to identify and respond to phishing attacks.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;Always check who sent the email and, if in doubt, reach out separately to the purported sender to ensure the email is legitimate.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="How to respond to a phishing attempt"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to respond to a phishing attempt&lt;/h2&gt;
 &lt;p&gt;If you suspect you have received a phishing scam, do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Look for indicators of phishing. &lt;/b&gt;Use the list above to identify a phish.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Don't click links or download attachments.&lt;/b&gt; Never reply to a suspicious message, click on any links or download any attachments. All three actions can lead to malware being installed on your computer. In addition, never click untrusted shortened URLs, such as Bitly or TinyURL links.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Don't copy and paste links.&lt;/b&gt; Never copy and paste links from suspicious emails. While you can hover over a link to see its destination, this is not always an indicator that the link is safe. Attackers can use coding tricks to make a malicious URL look like a legitimate link.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Report the phishing email to your organization.&lt;/b&gt; Some companies have a designated email address for users to report suspicious activity. If you receive phishing messages to your company email address, report them if possible. Likewise, some specific vendors and providers at risk of being spoofed have websites or email addresses to report scams, for example, &lt;a target="_blank" href="https://www.amazon.com/gp/help/customer/display.html?nodeId=GRGRY7AQ3LMPXVCV" rel="noopener"&gt;Amazon&lt;/a&gt;, &lt;a target="_blank" href="https://help.netflix.com/en/node/65674" rel="noopener"&gt;Netflix&lt;/a&gt; and &lt;a href="mailto:phishing@visa.com"&gt;Visa&lt;/a&gt;.&lt;br&gt;&lt;br&gt;Industry groups also collect phishing attack data to shut down websites and take legal action against phishers. Report phishing scams to groups such as the &lt;a href="mailto:reportphishing@apwg.org"&gt;Anti-Phishing Working Group (APWG)&lt;/a&gt;, &lt;a target="_blank" href="https://www.ic3.gov/" rel="noopener"&gt;Internet Crime Complaint Center (IC3) &lt;/a&gt;or &lt;a target="_blank" href="https://reportfraud.ftc.gov/#/assistant" rel="noopener"&gt;Federal Trade Commission (FTC)&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="What to do if you become a phishing victim"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What to do if you become a phishing victim&lt;/h2&gt;
 &lt;p&gt;If you suspect you have acted on a phishing scam -- clicked a link, visited a malicious website or shared sensitive data -- do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Report it.&lt;/b&gt; If the incident occurred on your work device, inform your company's IT department. Report the incident to the APWG, IC3 or FTC. If you shared credit card or banking details, contact the relevant companies and one of the three major credit bureaus (Equifax, Experian or TransUnion). Monitor accounts for suspicious activity and identity theft.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Disconnect the device.&lt;/b&gt; Disconnect from the internet to prevent infecting other devices and systems on the network.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Change passwords.&lt;/b&gt; Update your password to a unique, never-before-used password. Implement MFA.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Scan for malware.&lt;/b&gt; Run antivirus and antimalware software to detect and remove any installed malware.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="How to prevent and respond to phishing in organizations"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to prevent and respond to phishing in organizations&lt;/h2&gt;
 &lt;p&gt;Enterprise phishing prevention includes &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan"&gt;security awareness training programs&lt;/a&gt;, strong credential management, security tools and patch management.&lt;/p&gt;
 &lt;h3&gt;Security awareness training&lt;/h3&gt;
 &lt;p&gt;Phishing prevention in the form of security awareness training for employees is one of the most effective ways an organization can combat the increasingly voluminous and sophisticated threat. Teach employees how to identify and respond to phishing attacks. Security teams should hold regular trainings that not only reiterate the dangers of phishing but also cover new and existing threats.&lt;/p&gt;
 &lt;p&gt;During the training, cultivate a security culture. Explain to employees their role in securing the enterprise and maintaining &lt;a href="https://www.techtarget.com/searchsecurity/definition/cyber-hygiene"&gt;cyber hygiene&lt;/a&gt;.&lt;/p&gt;
 &lt;h3&gt;Credential management&lt;/h3&gt;
 &lt;p&gt;Require employees to follow &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-5-password-hygiene-tips-and-best-practices"&gt;password hygiene best practices&lt;/a&gt;, such as creating passwords or passphrases that are easy to remember but difficult for attackers to guess. Don't rely on username/password combos. Use &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;MFA&lt;/a&gt; to add more layers to password security.&lt;/p&gt;
 &lt;p&gt;Create a &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-company-password-policy-with-template"&gt;password policy&lt;/a&gt; that outlines the organization's guidelines.&lt;/p&gt;
 &lt;h3&gt;Security tools&lt;/h3&gt;
 &lt;p&gt;The following tools and controls won't eliminate phishing emails but help minimize them:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Run antivirus and antimalware software.&lt;/li&gt; 
  &lt;li&gt;Deploy email filtering tools that scan and block suspicious emails before delivery.&lt;/li&gt; 
  &lt;li&gt;Use a firewall that can block suspicious IP addresses and websites.&lt;/li&gt; 
  &lt;li&gt;Use URL filtering to block known malicious websites.&lt;/li&gt; 
  &lt;li&gt;Install a web browser toolbar or extension that protects against known phishing websites.&lt;/li&gt; 
  &lt;li&gt;Use antispoofing protocols, including &lt;a href="https://www.techtarget.com/searchsecurity/answer/Email-authentication-How-SPF-DKIM-and-DMARC-work-together"&gt;DMARC, SPF and DKIM&lt;/a&gt;, to prevent email address forgery.&lt;/li&gt; 
  &lt;li&gt;Use &lt;a href="https://www.techtarget.com/searchsecurity/tip/Traditional-MFA-isnt-enough-phishing-resistant-MFA-is-key"&gt;phishing-resistant MFA&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Patch management&lt;/h3&gt;
 &lt;p&gt;Install updates and patch software, systems and browsers. All the major web browsers have antiphishing features, but if not kept up to date, they will not catch the latest known malicious websites.&lt;/p&gt;
 &lt;p&gt;Likewise, keep all software and hardware up to date, including antimalware and other tools, to ensure their effective operation against threats.&lt;/p&gt;
 &lt;h3&gt;Additional security measures&lt;/h3&gt;
 &lt;p&gt;Supplemental phishing safeguards include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Implement the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;principle of least privilege&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Conduct regular &lt;a href="https://www.techtarget.com/searchsecurity/answer/How-to-conduct-a-periodic-user-access-review-for-account-privileges"&gt;user access reviews&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Use security monitoring technologies to detect attacks early.&lt;/li&gt; 
  &lt;li&gt;Have an &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan"&gt;incident response plan&lt;/a&gt; in place to react to phishing attacks.&lt;/li&gt; 
  &lt;li&gt;Use end-to-end encryption to protect communications.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;                 
&lt;section class="section main-article-chapter" data-menu-title="Types of phishing attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of phishing attacks&lt;/h2&gt;
 &lt;p&gt;Common phishing tactics include the following:&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/types_of_phishing_attacks-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/types_of_phishing_attacks-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/types_of_phishing_attacks-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/types_of_phishing_attacks-f.png 1280w" alt="Graphic displaying the different types of phishing attacks, including email phishing, spear phishing, QR code phishing and more" height="204" width="559"&gt;
 &lt;/figure&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Email phishing. &lt;/b&gt;This is the most common form of phishing. Attackers send emails with malicious links or attachments to infect their targets.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Spear phishing. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/spear-phishing"&gt;Spear phishing&lt;/a&gt; is more selective, with malicious hackers sending emails to a specific target.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Whaling. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/whaling"&gt;Whaling&lt;/a&gt; targets a high-profile employee, such as the CEO or CFO, in a phishing scam.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;VoIP phishing.&lt;/b&gt; Also known as &lt;a href="https://www.techtarget.com/searchunifiedcommunications/definition/vishing"&gt;&lt;i&gt;vishing&lt;/i&gt;&lt;/a&gt;, this is a phishing scam carried out using voice technology, such as over the phone.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Pharming. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/pharming"&gt;Pharming&lt;/a&gt; is an attack that tricks a DNS server into replacing a legitimate cached IP address with a malicious one, thereby redirecting users to the malicious website when they type the legitimate one into the browser.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;SMS phishing. &lt;/b&gt;Also known as &lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/SMiShing"&gt;&lt;i&gt;smishing&lt;/i&gt;&lt;/a&gt;, SMS phishing is a scam executed via text message.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Social media phishing. &lt;/b&gt;This involves phishing messages sent via social media platforms.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Search engine phishing.&lt;/b&gt; Also known as &lt;a href="https://www.techtarget.com/whatis/definition/search-poisoning"&gt;SEO poisoning&lt;/a&gt;, it involves attackers using search engine optimization to help their spoofed websites rank highly in online searches. Users who click the link to the spoofed site see a legitimate-looking page that is actually malicious.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Clone phishing. &lt;/b&gt;This involves malicious actors replicating a previously delivered email but replacing the legitimate links or attachments with malicious ones.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Angler phishing. &lt;/b&gt;Angler phishing occurs when an attacker masquerades as a customer service representative on a fake company social media account. For example, a customer who complains about a bank online might be contacted by a legitimate-looking social media account from that bank to resolve the issue when the attacker's true motive is to get the customer to download malware or share personal information.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;QR code phishing.&lt;/b&gt; Also known as &lt;a href="https://www.techtarget.com/searchsecurity/feature/Quishing-on-the-rise-How-to-prevent-QR-code-phishing"&gt;quishing&lt;/a&gt;, QR phishing tricks users into scanning a QR code with their phone that leads them to download malware or tricks them into sharing sensitive data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Business email compromise. &lt;/b&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/CISOs-guide-How-to-prevent-business-email-compromise"&gt;BEC involves attackers impersonating higher-level employees&lt;/a&gt; to trick employees who have access to corporate bank accounts into transferring money or sharing sensitive data with them.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Deepfakes.&lt;/b&gt; Attackers use AI-generated fake images, videos and audio files to perform phishing attacks.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>From email scams to BEC attacks, phishing is one of the biggest fish organizations must fry. Get advice on how to identify, prevent and respond to phishing schemes.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g1320502708.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users</link>
            <pubDate>Tue, 08 Jul 2025 09:00:00 GMT</pubDate>
            <title>Phishing prevention: How to spot, stop and respond to scams</title>
        </item>
        <title>Search Security Resources and Information from TechTarget</title>
        <ttl>60</ttl>
        <webMaster>webmaster@techtarget.com</webMaster>
    </channel>
</rss>
