Blog
Insights for Reasonable Cyber Security and Compliance
What’s happening in the world of cybersecurity? How do you define 'reasonable' security controls? Which cyber threats can be prevented? What steps should you take to make your systems safer? Read our blog posts to gain new insights into cybersecurity news, security awareness, the latest threats and risks, penetration testing, compliance, regulations and so much more.
PRIVACY VS SECURITY – WHAT’S THE DIFFERENCE?
By Chris Cronin, ISO 27001 Auditor, Partner
The ever-increasing demands from laws and regulations to protect personal information come with confusion about what exactly our protection responsibilities are. One source of that confusion is the use of the terms “privacy” and “security.” While “privacy” and “security” are both common terms in laws, regulations, and security standards, they mean very different things and are managed very differently. In fact, the difference between the two has a lot to do with what organizations are actually capable of controlling. (more…)
WHAT KIND OF SECURITY ASSESSMENT DO I NEED?
What kind of security assessment do I need? It’s a question we at HALOCK Security Labs hear all the time. Every regulation and information security standard in existence tells us that we must undergo some kind of regular assessment. But the security field has not been consistent in advising what kinds of assessments fit which purpose best. (more…)
THE FTC IS TELLING US THAT PCI DSS CERTIFICATION IS NOT ENOUGH. NOW WHAT?
As part of its enduring interest in LifeLock, Inc., the Federal Trade Commission issued the following statement on December 17, 2015: “PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections … the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.” This statement might be alarming to the business and security communities, but it’s important to understand it in context, and to know what to do about it. (more…)
RANSOMWARE: CURRENT STRAINS, ATTACK VECTORS AND PROTECTION
By Steve Lawn, Senior Consultant
Staying ahead of security threats is no easy task. One threat that should definitely be on your radar is ransomware. From hospital heists to attacks on schools and other businesses, ransomware is costly and is projected to be one of the biggest threats in 2016. According to CNN, the FBI reported that it received 2,453 complaints about ransomware hold-ups last year, costing the victims more than $24 million. There’s little the FBI can do about it, so victims pay. (more…)
ALERT: CRIMINALS REQUESTING W-2s VIA SIMPLE SOCIAL ENGINEERING
By Todd Hacke
Tax season is a hectic time of year, not only for organizations but also for their employees. This year attackers are looking to take advantage of this turbulence with a simple social engineering inquiry that could land them a gold mine of personal and financial information. It turns out all they have to do is ask. (more…)
A Merchant’s Guide to PCI SSC Compliance
By Morgan Rickel, PMP, QSA
If you are a merchant considering the implementation of a mobile payment acceptance solution, or if you are currently using one, take note: the Payment Card Industry Security Standards Council (PCI SSC) has determined that one of the major risk factors in validating mobile payment acceptance applications against the Payment Application Data Security Standard (PA-DSS) is the environment the application operates within, and the ability of that environment to support the merchant in achieving PCI DSS compliance. From a PCI perspective, the type of mobile communications device you select will have a direct impact on the PA-DSS validation. (more…)
Version 3.2 of the PCI DSS to be Released in Q2, ARE YOU READY?
By Viviana Wesley, PCI QSA, ISO 27001 Auditor
The Payment Card Industry Security Standards Council (PCI SSC) will release version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) in the second quarter of 2016, and the new version will become effective as soon as it is published. PCI DSS version 3.1 will be retired three months later to allow organizations to complete PCI DSS v3.1 assessments already under way. (more…)
HIPAA INFORMATION AND EMAIL – HOW TO COMPLY
By Tod Ferran, CISSP, QSA
According to HHS, “the Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.” (more…)
Proven Ways to Combat Ransomware
Ransomware stole a lot of headlines in 2016, and rightfully so. Every type of organization was afflicted by it this past year, even healthcare. With revenues of over $18 million in 2015, it’s a safe bet that ransomware isn’t going anywhere in 2017. That’s because it is highly profitable, and thanks to the new prepackaged, multi-level-marketing-style distribution operations now offered by malware creators, just about anyone can get in on it. (more…)
CVE-2016-2046 – CROSS SITE SCRIPTING IN SOPHOS UTM 9
Title: CVE-2016-2046 – CROSS SITE SCRIPTING IN SOPHOS UTM 9
Product: Sophos UTM 9
Vendor: Sophos (more…)