Vulnerability Management and Medical Device Manufacturers

Posted by Ross Moir on Feb 18, 2016 8:51:21 AM

Recent updates from the FDA on securing network-connected medical devices show that there is growing concern for security across the medical industry.  Hospital networks, medical devices, and other critical infrastructure are all at risk.  An article from last week covered the Kaspersky Lab Security Analyst Summit, at which a researcher from Kaspersky Lab was able to breach a Moscow hospital network.  What did he find?  According to the article, “…a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients, but also their physical well-being.”

Read More

Topics: Vulnerability Management, Security Assessment, DFARS

Does Passing a PCI Audit Guarantee Effective Operational Security?

Posted by Eric Noonan on Feb 10, 2016 11:43:29 AM

You may have heard about the recent breach involving payment card data from cards used onsite at certain Hyatt-managed locations.  According to Dark Reading, the "at-risk window" may have existed as early as July 30, 2015, with identified fraud being documented from August 13, 2015 to December 8, 2015. The malware responsible captured cardholder data as it was being transferred from the onsite processing location to the compromised system.

Post-breach, Chuck Floyd, global president of operations for Hyatt, said "...we want to assure customers that we took steps to strengthen the security of our systems in order to help prevent this from happening in the future.” While we can't know for sure whether that statement implies that operational security controls were enhanced as a result of the breach, the question is: beyond the routine PCI-DSS assessments, were operational controls proactively reviewed and strengthened?

Read More

Topics: Security Assessment, PCI

Improve Healthcare IT Security: 5 Actions You Should Take Now

Posted by Eric Noonan on Feb 3, 2016 12:22:45 PM

Modern Healthcare recently reported that "Health insurer Centene Corp. is hunting for six computer hard drives containing the personally identifiable health records of about 950,000 individuals..." While this potential data loss doesn't come close to the monumental data breaches suffered by Anthem, Blue Cross and Blue Shield, and others in 2015, it highlights 5 actions that companies of any size in the healthcare space should be taking now to optimize security.

Read More

Topics: Security, eGRC, Privileged Accounts, Security Assessment

FDA Outlines Cybersecurity Recommendations for Medical Device Manufacturers

Posted by Eric Noonan on Jan 21, 2016 12:47:42 PM

The FDA recently issued a draft guidance entitled "Postmarket Management of Cybersecurity in Medical Devices," and once again NIST is setting the standard as the recommended framework, specifically the NIST "Framework for Improving Critical Infrastructure Cybersecurity." The draft guidance issuance date is January 22, 2016. CyberSheath has expanded on what this guidance means for medical device manufacturers in a recent blog post; below you can review the FDA press release and draft guidance.

Read More

Topics: Security, Security Assessment

There is No Industry Average for Security Maturity

Posted by Mark Walsh on Dec 23, 2015 12:35:10 PM


“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway

When planning for a security maturity assessment by an independent third party, many organizations ask if their results can be compared to other companies in their specific industry.  On the surface this “benchmarking” seems to be a reasonable request.  CIOs want to spend as much on security as their peers; CISOs want to be “as secure” as their competitors.  Nobody wants to devote wildly more or fewer resources to the effort than others in their industry.  However, the request to see your company’s security maturity “score” stacked side-by-side with other companies is not attainable, for two reasons.

Read More

Topics: Security Assessment, DFARS

3 Steps To Secure Your POS Systems

Posted by Ross Moir on Nov 10, 2015 9:54:25 AM

Let’s be clear – POS is an ill-termed acronym for Point of Sale.  As the collective giggles fade, it’s time to think about security in the retail industry.  With Black Friday fast approaching, stores preparing for the mad rush of shoppers should ensure their POS systems are secure.  Cardholder data has been a lucrative draw for cybercriminals seeking to make serious money selling your stolen credit card data.  Along with cardholder data comes your customers’ personally identifiable information, which is then floating around the Internet and could fall into the wrong hands.

Point of sale system is the catchall term describing the consumer’s relationship to the store and how the consumer exchanges money for goods and/or services.  A point of sale system has many different facets operating at different levels.  For the purpose of this blog post, I am referring only to the information technology assets that retailers have control over.  Payment gateways and bank systems are beyond the scope of this post.

The breaches of Home Depot, Target, and Neiman Marcus are prime examples of major retail organizations that attested to PCI compliance, yet were still breached.  While PCI compliance is important and ensures your organization has its ducks in a row, it doesn’t necessarily make your POS system more secure.  There are additional steps every organization should take to become proactive about securing its POS, arguably the lifeblood of the store.

Read More

Topics: eGRC, Security Assessment

The Five Questions CEOs Should Ask To Improve Security

Posted by Eric Noonan on Oct 16, 2015 12:44:03 PM

Recently the New York Stock Exchange (NYSE) released a cybersecurity guide for public companies that succinctly captured 5 questions CEOs should ask to improve security. I have reposted the questions here along with some thoughts and context on the “so what” behind the answers to these questions.

The Five Questions CEOs Should Ask To Improve Security 

1: What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?

Risk is hard to quantify, but you have to try. The effort spent measuring risk can often reveal decisions narrowly made through the filter of budget pressures without the business explicitly accepting the risk resulting from those decisions. We’ve worked with organizations obsessed with management by headcount – don’t go over X number – without understanding the consequences of that broadly applied guidance.

CEOs should explore and push their teams to quantify the maturity of processes and the number of people in place to support tool investments. More often than not, organizations have more tools than can be effectively deployed and supported with the existing staff. The risk discussion has to go beyond tools and delve into the effectiveness of those tools in addressing risk.

Ironically, this is no different than the rest of the business.  Your Enterprise Resource Planning system, for example, doesn’t do anything without the people and processes to make it run effectively. Don’t let the security risk discussion start and stop with the products you have purchased.

Read More

Topics: Security Assessment

The First Step in Engaging Your Board in the Cybersecurity Conversation

Posted by Eric Noonan on Oct 5, 2015 10:43:19 AM

The Wall Street Journal recently published a consolidated set of highlights from recent surveys and reports dealing with risk and compliance issues. The results will hardly be surprising to security professionals, but they are an abysmal reminder of just how much work still needs to be done before boardrooms are really engaged on the issue of cybersecurity. One report by AT&T found, “75% of companies don’t involve their full boards in cybersecurity oversight, saying it is an IT issue and not a core business concern.” That aligns with my experience, the exceptions being companies that have suffered a significant breach; not surprisingly, post-breach companies see a substantial increase in board involvement.

How to Engage Your Board in the Conversation

Change has to come from both inside and out. Security leaders inside of companies have to continue advocating for board engagement and navigating corporate politics to effect change. This work is made harder due to the lack of agreed upon metrics and success criteria in cybersecurity, leaving leaders wondering where to start the conversation with their boards.

Read More

Topics: Security Assessment

Why Security Assessments are More Important than You Think

Posted by Jeff Schroeder on Feb 13, 2015 8:56:00 PM

Throughout my time as a security practitioner I’ve had the pleasure of working with security-conscious customers stretching across almost every vertical market segment. Something I see time and again is small, medium, and large businesses struggling to implement the fundamental basics of cybersecurity. The greatest source I attribute to this problem is that businesses often believe they are implementing the appropriate protective measures that will effectively manage risk when in fact they are not.

Read More

Topics: Security Assessment

Too Many Tools

Posted by Eric Noonan on Jan 29, 2015 8:19:00 PM

It’s January, so lists and predictions abound, and most of them are just fun, with prognosticators having no real stake in the accuracy of their predictions.  One trend that caught my eye was the prevalence of lists in the security space focused on product vendors and “hot” product companies. Dark Reading’s list of “20 Startups To Watch In 2015” and CRN’s list of “Top 10 Security Vendors To Watch In 2015” were both dominated by product companies. The focus on products implies that CIOs and CISOs are yearning for even more tools to spread across an already thin staff, and that’s not been my experience at all.

Read More

Topics: Security Assessment