Blog
Insights for Reasonable Cyber Security and Compliance
What’s happening in the world of cybersecurity? How do you define 'reasonable' security controls? Which cyber threats can be prevented? What steps should you take to make your systems safer? Read our blog posts to gain new insights into cybersecurity news, security awareness, the latest threats and risks, penetration testing, compliance, regulations and so much more.
HALOCK Helps – 2014 Year in Review
All year long, HALOCK employees are helping clients secure their information and data assets, and at the same time, these same employees are great stewards of the communities in which they live. In 2014, they have run, walked, biked and stepped up innumerable stairs for worthy causes. They’ve lost a few golf balls for Muscular Dystrophy and the Alzheimer’s Association and donated to help children and families in need. Our team members have had a busy and charitable 2014. (more…)
In the Wake of Backdoor.Regin: Accounting for the State Sponsored Threat
Recently, Symantec Corporation uncovered a highly sophisticated, modular piece of malware that has been infecting computers in a variety of countries as far back as 2008. Backdoor.Regin has characteristics beyond those of typical modern malware and is already generally accepted as a product of nation-state cyber espionage. The implant likely took considerable resources and time to create, and it has several stealth features: multiple layers of encryption, anti-forensic capabilities, multiple attack vectors, custom surveillance tools and robust persistence. The works. (more…)
IT Pros: 4 Tips to Help Friends & Family Protect their Mobile Devices this Holiday Season
Author: Chris Cronin, ISO 27001 Auditor
As the holidays approach, you’ll probably be seeing many relatives and friends. Many will pull you aside and ask you about the latest security news, myths and rumors. While preparing for a Thanksgiving visit, one relative asked me about a hoax security alert warning that her iPhone’s flashlight was listening to her conversations. (more…)
All Done with Shellshock? Get Ready for the Next One.
Why read another article on the Shellshock bug when there have been a number of well-written articles and blog posts on it? Because almost all of the articles and blogs are talking about the bug itself, how it can be exploited, and how much of the Internet is open to it. However, what you should really be interested in is the security of your organization. Your response to Shellshock can tell you a great deal about that. (more…)
Lessons in Risk Management: What We Should Learn from the FAA Fire
Author: Chris Cronin, ISO 27001 Auditor
Too often in information security we focus on the confidentiality of personal information, ignoring the damage that can result from failures in integrity and availability. In fact, protecting confidentiality is the main driver of much of our information security spending in the U.S. But information and communication systems must also function correctly, and when their integrity or availability is compromised the impact can be huge, not only to a business but to the public. (more…)
How to Secure Your Assets from Cyber Sewage
There I was, ankle deep in raw sewage, incredulous that for the second time this summer my basement was filling up with foul-smelling, murky waste. As I looked hopelessly at my wife while the water level continued to rise, I angrily thought to myself, “What else can I do?” Didn’t I shell out some major money to protect the basement against groundwater by installing drain tiles? Didn’t I reduce the chance of overloading the sewer system by disconnecting my gutters from the city’s drainage system? And that crawlspace: I had just spent several thousand dollars to waterproof the last area (or so I thought) that was susceptible to water. Yet here I was, again, plagued by unwanted water in my house. (more…)
PCI and Third Party Security Assurance: The PCI Council’s Guidance Summarized
Author: Viviana Wesley, PCI QSA
Some recent breaches of cardholder data have been the direct result of a successful compromise of a trusted third party to the breached entity. For example, a factor in the well-publicized breach at Target may have been compromised credentials of a trusted service provider with access to the Target internal network. In order to attain and maintain PCI compliance, all businesses must control the risk that third party service providers pose to the cardholder data environment. It’s important to understand the activities that you’ll need to undertake to manage this risk (third party risk management or TPRM). (more…)
CVE-2014-4980 Parameter Tampering in Nessus Web UI – Remote Information Disclosure
Title: CVE-2014-4980 Parameter Tampering in Nessus Web UI – Remote Information Disclosure
Product: Nessus
Vendor: Tenable Network Security (more…)
Code Spaces Spaced Out On Data Security
Author: Terry Kurzynski, ISO 27001 Auditor, CISSP, CISA, PCI QSA
The information security community is abuzz with the news of Code Spaces closing its doors after having all of its clients’ data erased by an attacker who gained access to their environment. Code Spaces offered their clients a “code repository” service – think Subversion-as-a-Service – and convinced their clients that their code was safe from data loss when stored there. The failure is seen as the first “death” in the cloud. According to Dave Shackleford of Voodoo Security, “This thing is going to be a case study for everybody’s cloud security forever.” (Blevins, 2014) (more…)
Vendor Risk Management Hype Extends Beyond Target®
The Target® breach in November 2013 lives infamously in our memories and has served as a pivot point for all businesses with regard to third party risk management (TPRM). After all, who could have imagined that the giant retailer would be breached through a seemingly insignificant third party vendor that didn’t appear to have direct network access? (more…)