Tag Archives: risk i/o

Heartbleed Is Not A Big Deal?

Michael Roytman    April 17, 2014

As of this morning we have observed 224 breaches related to CVE-2014-0160, the Heartbleed vulnerability. More than enough has been said about the technical details of the vulnerability, and our own Ryan Huber covered the details a few days ago. I want to talk about the vulnerability management implications of Heartbleed, because they are both terrifying and telling. The Common Vulnerability… Read more »

The More You Know… (Heartbleed Edition)

rhuber    April 9, 2014

Yesterday, the information security community was made aware of a critical vulnerability in some versions of OpenSSL, one of the most commonly used software “libraries” for secure internet communications. When your web browser is connected via HTTPS (your less tech savvy friends might refer to it as the “lock icon”), there is a high probability that OpenSSL is involved in… Read more »

On Physical Security

rhuber    March 31, 2014

Our mission at Risk I/O is to help businesses understand threats to their infrastructure, but as security practitioners we are interested in many forms of security, including physical. This blog post concerns something of particular interest to me, securing my office and a nearly successful theft, which was thwarted by a bit of hobbyist tech. Risk I/O is an emerging… Read more »

A Simplified Interface, Perimeter Scanning & A Free Risk Profile (Oh My!)

Andrea Bailiff-Gush    March 11, 2014

The Risk I/O Team is excited to announce the latest release of our vulnerability threat management platform. In this release, we’ve updated the user interface, and made vulnerability scanning available for perimeters too. You can also now create a free risk profile on any technology. The latest release of our platform includes: Simplified User Interface – As you may have noticed,… Read more »

“Threat Intelligence” By Any Other Name: RSA 2014 Recap

Michael Roytman    March 4, 2014

I’m told that every year RSA has a theme, and that this theme is predictive of the year to come for the information security industry. Sometimes, that theme is hidden. Other times, (such as last year) that theme is a race car engine with the words “Big Data” splattered all over it jumping out at you on every corner. At… Read more »

Vulnerability Threat Management 2.0

jheuer    February 20, 2014

When it comes to managing your IT environment, there is often just too much to look at. As our Data Scientist Michael Roytman mentioned in his recent research paper, the biggest challenge isn’t finding security defects, but rather managing the mountain of data produced by security tools in order to fix what’s most important first. Well our latest version of… Read more »

Measuring vs. Modeling

Andrea Bailiff-Gush    December 10, 2013

This month our data scientist Michael Roytman is featured in the USENIX Association’s Journal alongside Dan Geer. Their article harkens back to our long-running theme of focusing on remediating the vulnerabilities which _actually_ generate risk for your environment. Michael and Dan argue that using CVSS as a guide for remediation is not only ineffective at identifying vulnerabilities likely to be… Read more »

What I Learned at BayThreat 2013

rhuber    December 9, 2013

BayThreat, an annual bay area information security conference, was this past weekend. As in years past it was top notch and well organized. The conference returned to it’s old home, the Hacker Dojo, for this fourth incarnation. Some highlights (in no particular order): Nick Sullivan spoke on white box cryptography, and the lack of a current open source implementation. White… Read more »

Introducing Nessus Auto-Close with Risk I/O

Ed Bellis    November 13, 2013

One of the common issues with running multiple siloed scanners is tracking the state of vulnerabilities over time. Which vulnerabilities should be closed based on my subsequent findings (or lack thereof)? This problem can be exacerbated when centralizing these point scanners into a central repository such as Risk I/O. Our  Nessus connector now tracks the state of all reported vulnerabilities… Read more »

SIRAcon Attendees, Start Your Engines

Michael Roytman    October 25, 2013

“Information is the oil of the 21st century, and analytics is the combustion engine.” –  Peter Sondergaard, SVP Gartner This week I attended SIRAcon in Seattle, a conference hosted by the Society of Information Risk Analysts. I spoke about the methodology behind Risk I/O’s “fix what matters” approach to vulnerability management, and how we use live vulnerability and real-time breach data… Read more »