Blog
Insights for Reasonable Cyber Security and Compliance
What’s happening in the world of cybersecurity? How do you define 'reasonable' security controls? Which cyber threats can be prevented? What steps should you take to make your systems safer? Read our blog posts to gain new insights into cybersecurity news, security awareness, the latest threats and risks, penetration testing, compliance, regulations and so much more.
Your Policies Can Hurt You, Part 2: Overzealous Policies Can Create Breach-Prone Environments
Early on in my information security career I was auditing a firm that conducted complex economic analyses for their clients. They processed a lot of personal information and they wanted to be sure they were applying appropriate controls to safeguard that information. Part of their business model was to charge their clients per hour for statistical analyses of large datasets. This meant that analysts were motivated to conduct analyses day and night and through weekends; each analytic run taking as many as 4 to 12 billable hours. (more…)
Your Policies Can Hurt You, Part 1: The Importance of Well-Tailored Instructions
Managers often think about compliance in terms of policies. There is something concrete, achievable and finite about them. And they are required by laws and regulations for protecting information and systems. But too often managers think of policies as a finish line for compliance. Need to be compliant? Then write a bunch of new policies and move on to the next project. And while managers may know in the backs of their minds that a set of security policies may not be enough, they also believe that they are at least a step in the right direction. That misunderstanding has created a lot of problems for our clients. (more…)
Why should every organization embrace secure development?
Author: Todd Becker, PCI QSA, ISO 27001 Auditor
Secure development is not just for software companies and custom application development shops. Embracing secure development practices in an organization's IT and procurement functions ensures that reasonable and appropriate actions are taken to achieve compliance with regulations and other cyber security requirements. According to a 2013 Ponemon report, applications were compromised to gain access in 42% of malicious data breach incidents. Secure development practices can also provide a marketable differentiator for any company that takes customer payments or maintains confidential or personally identifiable information (PII). (more…)
PCI DSS AND PA-DSS V3.0 CHANGE HIGHLIGHTS
Author: Viviana Wesley, PCI QSA
The PCI Security Standards Council has published a change highlights document for v3.0, which is expected to be released on November 7, 2013. (more…)
PHEATS OF PHISHING – Will you be prepared when it happens to you?
Author: Todd Becker, PCI QSA, ISO 27001 Auditor
Phishing is by no means a new topic in today’s news. But attacks have grown more complex and more targeted, reaching a level of sophistication that is phooling even knowledgeable members of the IT community. The end result could be merely embarrassing, but it could also cost millions of dollars, or your professional reputation. (more…)
Why are Hackers Heckling the Director of the NSA?
The Black Hat convention is under way today in Las Vegas, and there, before a group of information-security-minded individuals, stood General Keith Alexander, Director of the NSA, getting heckled by conference attendees. Their complaints were targeted at the NSA’s surveillance activities and Director Alexander’s dubious testimony to Congress about those activities. (more…)
Higher Education (sampled colleges and universities) is a Prime Target for Security Breaches
FOR IMMEDIATE RELEASE
HALOCK Investigation finds that 25% of sampled colleges and universities are putting student and parent private financial data at risk
While Technological Security Risks Are a Possibility, Management Security Risks are a Certainty
Most of my information security focus these past few years has concentrated on managing risks and governance, but this was not always the case. I came into this profession as a technologist and manager who focused on team building, turn-arounds and doing a lot with few resources. But as my career moved from technology operations to security, it also moved from technology to governance. I chose this path on purpose, and as I tell the few techies who have asked, I did it for one main reason: while technological security risks are always a possibility, management security risks are a certainty. (more…)
NEXT-GEN MALWARE DEFENSE
‘Malware’ has come a long way, from mere annoyance applications coded by bored engineering students for notoriety all the way to professionally developed stealth applications built for financial gain and stealing state secrets. According to Verizon’s 2012 Data Breach Investigations Report, 69% of the breaches were attributed to malware infections. The business impact of such advanced malware runs into the billions of dollars, along with massive losses of intellectual property. The growing complexity of malware and the risks it poses to business assets is a universal concern of risk managers all over the world. (more…)
Password Facts & Tips for Secure Online Presences
Understand the importance of password safety. Every time Americans tune into the Nightly News and hear about the latest cyber attack, it sends millions of us to our computers to check and change our passwords. That’s because while most of us know we should use a unique username and password combination for each and every online account, we don’t. The reasons vary from sheer laziness to forgetfulness. After all, we’re only human, right? (more…)