BeyondTrust, the cyber security company dedicated to preventing privilege misuse, vulnerability management, and stopping unauthorised access, announced the availability of a new book, Asset Attack Vectors:  Building Effective Vulnerability Management Strategies to Protect Organisations. The book, authored by BeyondTrust’s Chief Technology Officer, Morey J. Haber, and Chief Operating Officer, Brad Hibbert, and published by Apress, is focused on how to build an effective vulnerability management strategy to protect an organisation’s assets, applications, and data.

As published in BeyondTrust’s recent survey, next-generation, transformative technologies such as AI/Machine Learning and IoT, and business processes like DevOps are improving operational efficiencies and cost savings, however, 78 percent of users cite security concerns and acknowledge the vulnerabilities these technologies introduce to their networks. In fact, one in five respondents experienced five or more breaches related to next-generation technologies.

In the modern enterprise, everything connected to the network, cloud, and mobile device is a target as the perimeter expands beyond the traditional data centre

Understanding and mitigating vulnerabilities

This book details how today’s network environments are dynamic, requiring multiple defences to mitigate vulnerabilities and exploits and stop data breaches. In the modern enterprise, everything connected to the network, cloud, and mobile device is a target as the perimeter expands beyond the traditional data centre.

Today’s attack surfaces are rapidly expanding to include, not only traditional servers and desktops, but also routers, printers, cameras, and other IoT devices,” said Morey J. Haber, Chief Technology Officer at BeyondTrust. “It doesn’t matter whether an organisation uses LAN, WAN, cloud, wireless, or even a modern PAN ― savvy criminals have more potential entry points than ever before. To stay ahead of these threats, IT and security leaders must be aware of exposures and understand their potential impact.

SLAs for vulnerability and patch management

The book is structured to provide guidance to help organisations build a vulnerability management program fit to meet the challenges of the modern threat environment. Drawing on years of combined experience, the authors detail the latest techniques for threat analysis, risk measurement, and regulatory reporting. Also outlined are practical service level agreements (SLAs) for vulnerability management and patch management.

The book contains guidance for readers to:

  • Create comprehensive assessment and risk identification policies and procedures
  • Implement a complete vulnerability management workflow in nine easy steps
  • Understand the implications of active, dormant, and carrier vulnerability states
  • Develop, deploy, and maintain custom and commercial vulnerability management programs
  • Discover the best strategies for vulnerability remediation, mitigation, and removal
  • Automate credentialed scans that leverage least-privilege access principles

Our hope is the book helps readers get ahead of threats and protect their organisations with an effective asset protection strategy"Asset protection strategy

Readers will also gain insights from real-world case studies that share successful vulnerability management strategies and reveal potential pitfalls.

Vulnerability management needs to be more than a compliance check box—it should be a foundation of an organisation’s cybersecurity strategy,” said Brad Hibbert, Chief Operating Officer at BeyondTrust. “Our hope is the book helps readers get ahead of threats and protect their organizations with an effective asset protection strategy.

Late last year, authors Morey J. Haber and Brad Hibbert released another book, Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organisations. The book details the risks associated with poor privilege management, the techniques that hackers and insiders leverage, and the defensive measures that organisations must adopt to protect against a breach, prevent lateral movement, and improve the ability to detect hacker activity and insider threats in order to mitigate cyber risk. 

Download PDF version

In case you missed it

Unifying the mobile experience: cloud, IoT and the AI evolution of access control in 2019
Unifying the mobile experience: cloud, IoT and the AI evolution of access control in 2019

The industry faces numerous challenges in the coming year. Physical and cyber security threats continue to become more complex, and organisations are struggling to manage both physical and digital credentials as well as a rapidly growing number of connected endpoints in the Internet of Things (IoT). We are witnessing the collision of the enterprise with the IoT, and organisations now must establish trust and validate the identity of people as well as ‘things’ in an environment of increasingly stringent safety and data privacy regulations. Meanwhile, demand grows for smarter and more data-driven workplaces, a risk-based approach to threat protection, improved productivity and seamless, more convenient access to the enterprise and its physical and digital assets and services. Using smartphone apps to open doors Cloud technologies give people access through their mobile phones and other devices to many new, high-value experiencesEnterprise customers increasingly want to create trusted environments within which they can deliver valuable new user experiences. A major driver is growing demand for the ‘digital cohesion’ of being able to use smartphone apps to open doors, authenticate to enterprise data resources or access a building’s applications and services. Cloud technologies are a key piece of the solution. They give people access through their mobile phones and other devices to many new, high-value experiences. At the same time, they help fuel smarter, more data-driven workplace environments. With the arrival of today’s identity- and location-aware building systems that recognise people and use deep learning analytics to customise their office environment, the workplace is undergoing dramatic change. Improved fingerprint solutions Cloud-based platforms and application programming interfaces (APIs) will help bridge biometrics and access control in the enterprise, overcoming previous integration hurdles while providing a trusted platform that meets the concerns of accessibility and data protection in a connected environment. At the same time, the next generation of fingerprint solutions will deliver higher matching speed, better image capture quality and improved performance. The next generation of fingerprint solutions will deliver higher matching speed, better image capture quality and improved performance Liveness detection will ensure that captured data is from a living person. Biometrics authentication will also gain traction beyond access control in immigration and border control, law enforcement, military, defence and other public section use cases where higher security is needed. Flexible subscription models Access control solutions based on cloud platforms will also change how solutions are deployed. Siloed security and workplace optimisation solutions will be replaced with mobile apps that can be downloaded anywhere across a global ecosystem of millions of compatible and connected physical access control system endpoints. These connections will also facilitate new, more flexible subscription models for access control services. As an example, users will be able to more easily replenish mobile IDs if their smartphones are lost or must be replaced. Generating valuable insights with machine learning Machine learning analytics will be used to generate valuable insights from today’s access control solutionsEducation, finance, healthcare, enterprise, and other niche markets such as commercial real-estate and enterprises focussed on co-working spaces will benefit from a cloud-connected access control hardware foundation. There will be a faster path from design to deployment since developers will no longer have to create an entire vertically integrated solution. They will simply add an app experience to the existing access control infrastructure. New players will be drawn to the market resulting in a richer, more vibrant development community and accelerated innovation. Data analytics will be a rapidly growing area of interest. Machine learning analytics will be used to generate valuable insights from today’s access control solutions. Devices, access control systems, IoT applications, digital certificates and location services solutions, which are all connected to the cloud, will collectively deliver robust data with which to apply advanced analytics and risk-based intelligence. As organisations incorporate this type of analytics engine into their access control systems, they will improve security and personalise the user experience while driving better business decisions. 

What characteristics do salespeople require in the physical security industry?
What characteristics do salespeople require in the physical security industry?

A basic tenet of sales is ABC – always be closing. But it's a principle that most professional salespeople would say oversimplifies the process. Especially in a sophisticated, high-tech market such as physical security, the required sales skills are much more involved and nuanced. We asked this week's Expert Panel Roundtable: What unique characteristics are required of salespeople in the arena of physical security systems?

Can microchip implants replace plastic cards in modern access control?
Can microchip implants replace plastic cards in modern access control?

A futuristic alternative to plastic cards for access control and other applications is being considered by some corporate users in Sweden and the United Kingdom. The idea involves using a microchip device implanted into a user’s hand. About the size of a grain of rice and provided by Swedish company Biohax, the tiny device employs passive near field communication (NFC) to interface with a user’s digital environment. Access control is just one application for the device, which can be deployed in lieu of a smart card in numerous uses. Biohax says more than 4,000 individuals have implanted the device. Using the device for corporate employees Every user is given plenty of information to make an informed decision whether they want to use the deviceCurrently Biohax is having dialogue with curious corporate customers about using the device for their employees. “It’s a dialogue, not Big Brother planning to chip every employee they have,” says Jowan Österlund, CEO at Biohax. Every user is given plenty of information to make an informed decision whether they want to use the device. Data capture form to appear here! “Proof of concept” demonstrations have been conducted at several companies, including Tui, a travel company in Sweden that uses the device for access management, ID management, printing, gym access and self-checkout in the cafeteria. Biohax is also having dialogue with some big companies in the United Kingdom, including legal and financial firms. Österlund aims to have a full working system in place in the next year or so. A Swedish rail company accepts the implanted chip in lieu of a paper train ticket. They accept existing implants but are not offering to implant the chips. Österlund says his company currently has no plans to enter the U.S. market. The device is large enough to locate easily and extract if needed, and small enough to be unobtrusive Access control credential The device is inserted/injected below the skin between the index finger and the thumb. The circuitry has a 10-year lifespan. The device is large enough to locate easily and extract if needed, and small enough to be unobtrusive. The only risk is the possibility of infection, which is true anytime the skin is pierced, and the risk is mitigated by employing health professionals to inject the chip. Use of the device as an access control credential or any other function is offered as a voluntary option; any requirement by an employer to inject the device would be illegal, says Österlund. It’s a convenient choice that is made “based on a well-informed decision by the customer.” Aversion to needles, for example, would make some users squeamish to implant the device. More education of users helps to allay any concerns: Some 10% of employees typically would agree quickly to the system, but a larger group of 50% to 60% are likely to agree over time as they get more comfortable with the idea and understand the convenience, says Österlund. Protection of information The passive device does not actively send out any signals as you walk. It is only powered up by a reader if a user has access rightsIn terms of privacy concerns, information contained on the device is in physical form and is protected. The passive device does not actively send out any signals as you walk. There is no battery. It is only powered up by a reader if a user has access rights. With use of the device being discussed in the United Kingdom, there has been some backlash. For example, Frances O’Grady, general secretary of the Trades Union Congress (TUC), has said: “Microchipping would give bosses even more power and control over their workers.” A big misconception is that the chip is a tracking device, says Österlund. It isn’t. “We love people to get informed,” says Österlund. “If they’re scared or apprehensive, they can just read up. It’s not used to control you – it’s used to give you control.”