Blog

Cyber Security Budgeting for 2020

It is time to update our annual Cyber Security Budgeting advice. I just led an exercise at a conference where folks had limited budgets and needed to determine the best places to spend their Cyber Cash. As I reviewed what we have adapted over the years, much of it is still the same. We continue to become more dependent on technology composed of applications, operating systems, processors, storage, and connectivity. IoT, autonomous vehicles, 5G, Huawei, and other new things continue to proliferate, but we still apply the same principles to protect ourselves. So, what is new this year? The proliferation [...]

August 29th, 2019 | Uncategorized

New York DFS – 23 NYCRR 500 Compliance

Checklist for Compliance

In response to the increasing threat of cybercriminal activity, and as an effort to protect Non-Public Information (NPI) held by entities under its jurisdiction, the New York State Department of Financial Services (DFS) implemented a cybersecurity regulation, 23 NYCRR 500. It has twenty-three Sections and went into effect on March 1, 2017. There are designated “Transition Periods,” but the last one expires on March 1, 2019. A few key things to consider when looking at this Regulation: It applies to Covered Entities, which include those operating under NY Banking Law, Insurance Law, or Financial Services Law – [...]

February 28th, 2019 | Compliance, Computer & Network Security, Uncategorized

A Ransomware Savings Account – Pay in Advance!

Diet and exercise versus a pill. An ounce of prevention versus a pound of cure. Saving for expenses versus using credit cards. We all understand that good habits and planning are valuable to achieve our goals. We apply the same principles to Cyber Security… This is a cautionary tale. We all learn from experience, and when fortunate, we can learn from the experience of others. This story teaches a valuable lesson based on real-world experience, and it will help you avoid a terrible situation. A medium-sized firm, unfortunately, became the victim of a ransomware attack. An IT employee came into [...]

January 29th, 2019 | Computer & Network Security, Data Breach, Viruses, Vulnerabilities

Phishing Attacks and Multifactor Authentication

Stop the Password Reset Insanity

How much time does your IT department spend changing a user’s network and/or email account password because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts? Why is resetting the password the only procedure for resolving this, when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem. “The definition of insanity is doing the same thing over and [...]

September 19th, 2018 | Uncategorized

Cloud Computing and Security

Cloud Computing

In its broadest sense, Cloud Computing can be defined as the practice of using a network of remote servers hosted by a provider on the Internet (“the Cloud”) to store, manage, and process data. In the current enterprise landscape, organizations (called tenants) are steadily migrating technologies and services into the Cloud, looking for a competitive advantage that will enable the business to set itself apart from the rest of the pack. These advantages of Cloud computing include a reduction in start-up costs, lower capital expenditures, utilization of on-demand IT services, and the dynamic allocation of computing resources [...]

August 31st, 2018 | Uncategorized

Budgeting for Cyber Security for 2019

Cyber-Security Budgeting is a Layered Approach

Cyber-Security is arguably the hottest market right now. Organizations are more willing than ever to spend $$ to avoid becoming the next headline. When planning, it is easy to focus on the available products that vendors spend millions of dollars every day to push at us. Products are required, but it is the process around them that keeps you secure. Best practices in security follow a layered approach, and budgeting is no different. Where should you focus your efforts?

The Basic Layers: Reduce Known Risks

These are not sexy, but neither is [...]

July 31st, 2018 | Information Security, Uncategorized

Our top 5 findings from IT security audits

What are the top things we have learned from performing 200+ security audits?

1. The “major issues” do not change

Good security is good security, and you can think of the major security issues as giant “targets” within your organization: targets that the bad guys hope will come into their line of fire, and that they are regularly shooting at. You can easily spot and name these targets: user awareness, access control, backups/recoverability, etc. These are the primary topics that most compliance requirements are based on. Identifying these large targets and putting in the appropriate safeguards to make these targets [...]

May 25th, 2018 | Compliance, Computer & Network Security, Data Breach, Information Security, Research, Viruses, Vulnerabilities

Everything you wanted to know about Ransomware…but were afraid to ask

What is Ransomware?

Ransomware is a type of malicious software that prevents users from accessing their computer system or files until a sum of money (the ransom) is paid. In the malware landscape, ransomware has earned itself a well-deserved nasty reputation. There are two types of ransomware identified in this branch of the malware family tree: 1) locker ransomware and 2) crypto ransomware. Locker ransomware effectively locks Windows access, preventing the user from accessing their desktop or files. Typically designed to prevent access to one’s computer interface, locker ransomware mostly leaves the underlying system and files unaltered. A message would be [...]

May 18th, 2018 | Data Breach, Encryption, Information Security, Malware, Privacy, Uncategorized, Viruses, Vulnerabilities

How to configure warning messages for Office 365 emails from external senders

As a security precaution, it’s a good idea to remind your staff not to open attachments from unknown senders. One easy way to implement this in Office 365 is by setting up a mail flow rule in the Exchange admin center. If you have ever set up a Disclaimer mail flow rule, the setup is almost identical. In this tutorial, we’ll cover how to set up your own warning message for all external email sent to users inside your organization.

Steps to Configure Attachment Security in Office 365

1. Log in to your Office 365 Admin account at: https://portal.office.com
2. Select Admin [...]

May 10th, 2018 | Microsoft, Phishing, Viruses, Vulnerabilities

A Vulnerability Scan is NOT a Penetration Test (Pentest)

What is the difference between a Penetration Test and a Vulnerability Scan?

Understanding the difference between a penetration test and a vulnerability scan is critical to understanding security posture and managing risk. Vulnerability scans and penetration tests (pen tests for short) are very different from each other in both process and outcome. However, the terms are sometimes incorrectly used interchangeably. In this article, we will explore the differences between the two as well as how they relate to each other. Starting with the definitions of each, you can see an immediate differentiator: the objective. The objective of a vulnerability scan [...]

May 3rd, 2018 | Uncategorized