Information Security


How Does Ashley Madison Threaten Your Organization?

Extortion is not usually a topic that employers have on their radar regarding their employees. Most employers know they need to protect themselves against viruses and "hackers", but they often don't think about the social engineering tactics that attackers may use to target employees. When users put their private information on "secure" websites, they may assume this information is safe. But, as the old adage goes, "assume anything you put online can be made public", and it is likely that all of the users of the Ashley Madison website failed to consider the implications. For more details about the Ashley [...]

2015-08-27T12:05:05-05:00 | August 26th, 2015 | Data Breach, Information Security, Phishing, Social Engineering

Spam Email – Stop it before your users click on it

It doesn't matter if you've trained them, or yelled at them, or had to fix their infected computers in front of them (or all of the above)... they're still going to open that suspicious email, aren't they? Because who can resist the attachment that promises funny cat pictures, and who doesn't have a slight panic attack when faced with a fraud alert from their bank? Protecting your corporate network from malicious email is a never-ending battle, and there's no simple, one-size-fits-all method to do so, either. There are three modes of defense, though, that are remarkably effective, but we've recently [...]

2015-07-09T12:28:05-05:00 | May 19th, 2015 | Information Security

Java vs. Javascript

We field questions about Java security issues on a regular basis, and have noticed that users are often confused about the differences between Java and JavaScript. Java is a standalone application that runs separately from your browser, although it can be called on by your browser to run Java 'applets'. Applets aren't that common any more, but the Java application is a different matter. Java has a history of being exploited for vulnerabilities, and updates have historically been released on a somewhat tardy basis. Even more painful is that users have to manually watch for and install those updates unless they [...]

2015-07-09T12:28:50-05:00 | May 11th, 2015 | Computer & Network Security, Information Security

What every organization should know about HIPAA

What Is The HIPAA Privacy Rule?

According to HHS.gov, "The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically." In other words, the Privacy Rule sets forth standards to protect health-related information specifically controlled by organizations that handle electronic forms of medical records.

What Is The HIPAA Security Rule?

Also according to HHS.gov, "The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or [...]

2014-09-30T08:25:37-05:00 | September 30th, 2014 | Compliance, Data Breach, HIPAA, Information Security, Research

Shellshock, What Does It Mean For Your Organization?

Updated: Added information about Macs and some additional reference links.

This new vulnerability is much easier to exploit than Heartbleed and can have a huge negative impact on your organization. Windows Server environments are not immune either. We have been waiting for the dust to settle before jumping on the media hype about all of this, and we wanted to make sure that information was gathered from multiple sources, that official security organizations had made their opinions public, and that we weren't just posting information to try and gather web hits.

What is Shellshock?

According to Errata Security, Shellshock is a vulnerability [...]

2014-09-30T08:23:03-05:00 | September 29th, 2014 | Compliance, Information Security, Research

HHS Enforces Penalties for Losing Less Than 500 Patient Records

The Hospice of Northern Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html

HONI reported that an unencrypted laptop was stolen in 2010 and that it contained 441 patient records. HHS began an investigation and discovered that HONI had not performed a risk analysis to safeguard its PHI, nor did it have any policies or procedures in place regarding mobile device security, both of which are required by HIPAA. The HITECH breach notification rule requires covered entities [...]

2014-09-17T08:59:20-05:00 | September 16th, 2014 | Compliance, Data Breach, HIPAA, Information Security

Is the healthcare industry a target?

Many of the clients we work with are either a medical service provider or a vendor to medical service providers. If they are creating, transmitting or storing patient data, then they are a covered entity and therefore liable for compliance with HIPAA. What we often find is that clients are under the impression that HIPAA provides a set of specific instructions for how to secure a network and protect data. What they find out is that there isn't a yellow brick road leading to compliance. HIPAA lays out the results of information security efforts that are expected, but the clients are [...]

2014-09-18T12:57:21-05:00 | September 10th, 2014 | Compliance, HIPAA, Information Security

Budgeting For Security

Security budgeting is a layered approach

Security is important for an organization and its customers. However, there is often a misconception that security costs are included in the IT budget. Security best practices follow a layered approach, and budgeting is no different. There is no such thing as being 100% secure, and mistakes can happen anywhere. Where should you focus your efforts?

Cover the basics first

Before you look at some of the newest security solutions, it is important to make sure the basics are covered. Here are a few items to consider:

- Review your security policy
- Ensure security patches [...]

2014-09-04T09:55:41-05:00 | August 15th, 2014 | Compliance, Information Security, Research

Phishing and FIFA

I have some friends staying with me right now from Brazil. They arrived a few days ago, and said that, due to the World Cup, the level of excitement in Brazil is very high, and that many foreigners have arrived in the country to see the games. The World Cup is all over everything in the country right now. Apparel, food, merchandise, etc. are all branded with the World Cup (similar to how the U.S. advertises items for the World Series or the Super Bowl). The World Cup is one of the largest sporting events in the [...]

Trustwave Global Security Report 2014: An Overview

The Trustwave Global Security Report for 2014 was recently released. There are a number of very useful and insightful statistics in this report, which we can corroborate based on our assessments of numerous organizations' networks. We wanted to highlight a few of these statistics below:

- Top 10 Internal Network Penetration Test Vulnerabilities, which include weak passwords, shared accounts, and unencrypted storage
- Top 10 External Network Penetration Test Vulnerabilities, which include default SNMP strings and weak passwords
- Top 10 Web Application Vulnerabilities, including path traversal, authentication bypass, SQL injection, unencrypted pages [...]