Blog
Insights for Reasonable Cyber Security and Compliance
What’s happening in the world of cybersecurity? How do you define 'reasonable' security controls? Which cyber threats can be prevented? What steps should you take to make your systems safer? Read our blog posts to gain new insights into cybersecurity news, security awareness, the latest threats and risks, penetration testing, compliance, regulations and so much more.
As Part of Your Incident Response Plan, Make Sure There are Needles in Your Haystack
Incident Responders take a lot of pride in finding that ‘Needle in the Haystack’ when conducting data breach investigations. The thrill of forensics lies in finding the tiniest clue that unravels the story of how a breach occurred and what exactly was compromised as a result. But the reality is that during forensic investigations, there is not always a needle in the haystack of evidence that we comb through, and the impact can be huge.
A Word about the Target Data Security Breach
What happened to Target® last week is every business’ worst nightmare. We’ve received a number of inquiries regarding the security breach incident from concerned clients and friends and wanted to share a few insights.
Why A Penetration Test ≠ An Automated Vulnerability Scan
Both penetration tests and automated vulnerability scans are useful tools for managing vulnerabilities. While these are different testing methods, they are complementary and both should be performed.
Expecting the Unexpected, Removing Fear From a Security Incident
Once again another company is on the heels of a massive data breach where intellectual property, customer records, private information, you-name-it, has been compromised: a security incident. The recent news of Adobe Systems, where a malicious entity stole intellectual property and accessed millions of credit card numbers, is another case where “if there is a will, there is an attacker that will find a way.”
California’s New “Do Not Track” Privacy Law is Weak … As Expected
If you operate a web site that accepts personal information from California residents, you may be aware that California’s amended CalOPPA law has added a “do not track” requirement this month. California’s legislators have added to the already-weak law a new, value-less clause that gives the appearance that the law does something that it does not actually do.
The Best Malware Defense: Strategy First, Technology Second
I’m one of those fortunate information security professionals who plays both sides of the technology defense game: I’m your incident response guy and your preventive technologies guy. When I’m working with a company after they’ve been breached I can see pretty quickly what defenses they were missing that allowed the breach in the first place, but then I can help them architect solutions to prevent the next cyber attacks.
An Open Letter to Antivirus Vendors: It is Time for Antivirus Software to Flag Memory Dumping
Dear Antivirus Vendors,
On more and more incident response investigations, my clients (victims) have been asking the question “Why didn’t our Antivirus software detect the malware when we always keep it up to date?” I respond by telling them that they had targeted malware on their system. Their follow up question usually is whether antivirus software is relevant in this era of targeted threats and Modern Malware.
Common Hazards in Risk Management: The Selfish Risk Assessment
Information security laws and regulations are telling us to conduct cyber security risk assessments before we develop our security and compliance programs. They insist on this so our security goals are meaningful to each of us, rather than aspiring to a generic list of controls that were written by experts who never met us and don’t understand our businesses. But at HALOCK we are seeing risk assessments that may be increasing the risks of the organizations that perform them. One very common risk assessment mistake is defining risk impacts by purely selfish criteria, such as bottom-line profits or executive compensation.
The NSA’s Threat to Information Security Culture
Over the past few weeks we’ve seen news coming out of the Edward Snowden leaks that we’ve been able to either shrug off or become perturbed by, depending on the details of each leak. But this past week, new information was revealed regarding a serious violation of trust. This time, reactions from security professionals are anything but middle of the road. ProPublica and The Guardian have reported that the NSA used its influence among U.S. and international standards bodies to create a purposefully weak encryption standard that they could compromise as needed. You read that right.
HALOCK is a proud supporter of the FARE Walk for Food Allergies
The FARE Walk Chicago will be held on September 29, 2013. To find out more visit foodallergy.org or foodallergywalk.org.