Give Thanks for Cybersecurity

Posted by Lia Konieczny on Nov 23, 2016 3:38:47 PM


Thanksgiving Day is almost here and with it, our focus turns to our family, friends, food, and most importantly, football. As we celebrate one of our country’s most cherished traditions, we give thanks for health, wealth, good company, and of course, turkeys. However, this holiday season, we should recognize our nation’s involvement in cybersecurity and how much we’ve grown with it! Whether it be booking your flight home online, posting a picture of your Thanksgiving feast to Instagram or Facebook, streaming the big game, or FaceTiming your relatives who can’t be there in person, being online is a huge part of this and every day. I’d like to take a moment to share with you some news within our industry that we should be thankful for this year.


Topics: Security, cybersecurity

How to Hack a Locked Windows or Mac OS X machine: Simple Vulnerability Exposed

Posted by Adam Byars on Oct 13, 2016 12:46:22 PM


Hacking into a locked Windows or Mac computer should not be this simple, and yet it is. A recently exposed security design flaw shows that a PC or Mac that is logged in but locked can have its login credentials stolen. The hack takes an average of 13 seconds and the credentials can then be used to compromise all other accounts sharing those credentials. Here’s how it works and what it means for your enterprise.


Topics: Security

Human Risk and the Impact of Security Awareness Training

Posted by Scottie Thompson on May 2, 2016 10:41:01 AM


Many of us travel for work, and as such, we must connect to a number of untrusted networks in order to stay on top of things. These public networks, while seemingly non-threatening, can be a hostile environment with malicious users seeking to extract any sensitive data they can, such as credit card information, personal information, and passwords. Some may say that this is unlikely, and that if there were a malicious user on a public network, they would be protected by the use of encrypted services. However, I would argue that this is not the case at all. Often adverse agents will use “passive” monitoring techniques to intercept data being sent over the network. This can be accomplished with any packet sniffing tool but will only allow an attacker to see traffic that is “in the clear” or unencrypted. If an attacker intends to intercept data transported via TLS, SSL, HTTPS, or from encrypted services like Gmail, Slack, or Dropbox, they need a way to subvert the in-transport data protection mechanisms.


Topics: Security, Wireless Security, Human Risk

Internet Connected Cars Raise Concerns about Vulnerabilities

Posted by Ross Moir on Apr 29, 2016 3:56:32 PM


Cyber security researchers are increasingly concerned with Internet-connected vehicles. Vehicles nowadays are connected to owners’ homes, traffic signals, insurance companies, and more, and are just as vulnerable as corporate networks. Security analysts and researchers have demonstrated ways to remotely manipulate a car’s system that controls braking, accelerating, steering, and other critical functions. Furthermore, these vulnerable systems were not limited to one brand or model of car. As such, the FBI and National Highway Traffic Safety Administration (NHTSA) issued a public service announcement in March warning of the potential cyber threats.


Topics: Security, Wireless Security

Inflight Wi-Fi Not as Secure as You Think

Posted by Ross Moir on Mar 18, 2016 1:36:46 PM


Ars Technica recently published an article on the security of inflight Wi-Fi. Providers like GoGo Wireless and Global Eagle Entertainment let passengers pay to use Wi-Fi services. While customers may think their communications and activities are secure, think again, says USA Today columnist Steve Petrow. Mr. Petrow was “hacked” while on an American Airlines flight – a man claimed to have been able to read his email communication with a source for a story. Given the overall Wi-Fi security lapses, as addressed in this post from ComputerWorld, it is easy to begin to understand how this can happen. But what can be done about it?

 

First, Wi-Fi on an airplane operates similarly to public Wi-Fi networks. Access is granted through a “captive portal” where you have to provide login details and/or payment info and accept the terms of service. Once that is done, the user is granted access to the web. There is no password protection on the connection, which means the traffic carried in the Wi-Fi network’s packets is transmitted in the clear. This means anyone listening can grab the data that passes through the access point.

 


Topics: Security, Wireless Security, cybersecurity, policy

3 Security Myths That Will No Longer Fly in 2016

Posted by Mark Walsh on Feb 22, 2016 10:38:29 AM

With 2016 underway, CIOs taking a more critical eye to cyber security costs, and boards having a better informed definition of information risk, security organizations will be forced to evolve from past practices that were once seen as appropriate. With today’s advanced threats weighed against business priorities, CISOs may need to abandon some assumptions and methodologies that are no longer acceptable.

3 Security Myths that Will No Longer Fly in 2016 

1: A product vendor can drive the organization’s entire security strategy

Security product salespeople will tell you that simply buying their expensive software will “address all your PCI compliance needs” or “cover 14 of the 20 critical security controls.”  But the truth is that these tools neither solely ensure compliance nor fully meet the security needs of the business.   Information security is about people and processes. Spending an entire year’s security budget on security software will leave an organization without the appropriate amount of staff to run the tools, and lacking in the maturity that only documented procedures can provide.


Topics: Security

Need Your Security Budget Approved? Two Components to Increase Success

Posted by Mark Walsh on Feb 17, 2016 11:39:18 AM

In the years before business leaders truly understood cyber risk, requested budgets for cyber security departments were often approved without thoughtful consideration or review. There was a day when CISOs could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.” Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems. The funds were to be spent, generally, on products and the staff to support them.

CISOs can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity. The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire building, or opportunities to buy the trending tools. Security funding needs to produce measurable results, or at a minimum, be supported by credible metrics that validate the business needs.


Topics: Business, Security, Security Program Development

Improve Healthcare IT Security: 5 Actions You Should Take Now

Posted by Eric Noonan on Feb 3, 2016 12:22:45 PM

Modern Healthcare recently reported that "Health insurer Centene Corp. is hunting for six computer hard drives containing the personally identifiable health records of about 950,000 individuals..." While this potential data loss doesn't come close to the monumental data breaches suffered by Anthem, Blue Cross and Blue Shield and others in 2015, it highlights 5 actions that companies of any size in the healthcare space should be taking now to optimize security.


Topics: Security, eGRC, Privileged Accounts, Security Assessment

FDA Outlines Cybersecurity Recommendations for Medical Device Manufacturers

Posted by Eric Noonan on Jan 21, 2016 12:47:42 PM

The FDA recently issued a draft guidance entitled "Postmarket Management of Cybersecurity in Medical Devices" and once again NIST is setting the standard as a recommended framework, specifically the NIST "Framework for Improving Critical Infrastructure Cybersecurity." The draft guidance issuance date is January 22, 2016. CyberSheath has expanded on what this guidance means for medical device manufacturers in a recent blog post. Below you can review the FDA press release and draft guidance.


Topics: Security, Security Assessment

3 Tips to Secure Data in a BYOD Environment

Posted by Kristen Morales on Jan 14, 2016 11:26:44 AM

Bring your own device (BYOD) is the use of an employee’s personal mobile device, e.g., smartphone, tablet and/or laptop, to access a company’s data or network. Once a trend, BYOD has gained wide acceptance across businesses succeeding in today’s markets. Findings from Tech Pro Research in early 2015 indicated “74 percent of organizations [are] either already using or planning to allow employees to bring their own devices to work.” What is the main motivator for this movement? A study conducted by IBM found the main advantages of the BYOD environment were a rise in employee productivity and satisfaction as well as overall financial savings for the business. The benefits of BYOD are great, but what does it mean for the overworked IT environment already combating constant attacks on its network?


Topics: Security, Breach