Our top 5 findings from IT security audits

What are the top things we have learned from performing 200+ security audits? 1. The “major issues” do not change. Good security is good security, and you can think of the major security issues as giant “targets” within your organization: targets the bad guys hope will come into their line of fire, and which they shoot at regularly. You can easily spot and name these targets: user awareness, access control, backups/recoverability, etc. These are the primary topics on which most compliance requirements are based. Identifying these large targets and putting in the appropriate safeguards to make these targets [...]

By | 2018-12-07T16:21:24-05:00 May 25th, 2018 | Compliance, Computer & Network Security, Data Breach, Information Security, Research, Viruses, Vulnerabilities

2015 Cyber Security Awareness Month

What is Cybersecurity? According to US-CERT, "The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation." In other words, it is the people, processes and technology that manage or maintain the Integrity, Availability, and Confidentiality of the systems and data with which an organization functions. Many times these roles are shared with IT, which in turn can come with its own challenges. Oftentimes IT focuses solely on availability, or up-time and ease of use, and both [...]

By | 2015-10-02T09:15:18-05:00 October 2nd, 2015 | Compliance, Computer & Network Security, Information Security, Research

The Hitlist: International Travel

International travel is common in today's business world. Many businesses assume that their standard policies can apply to any international destination. We recently had a client contact us about traveling to their international office in a country that is typically known for lacking respect for others' privacy. They asked us, considering that this client would be discussing corporate trade secrets and other sensitive information, what precautions they should take. We gave them a list of recommendations and explained that many of these would not make travel simple from a technological standpoint, but would provide the most security benefit. These [...]

By | 2015-01-28T09:21:23-05:00 October 17th, 2014 | Compliance, Research, The Hitlist

What every organization should know about HIPAA

What Is The HIPAA Privacy Rule? According to, "The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically." In other words, the Privacy Rule sets forth standards to protect health-related information, specifically as controlled by organizations that handle electronic forms of medical records. What is the HIPAA Security Rule? Also according to, "The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or [...]

By | 2014-09-30T08:25:37-05:00 September 30th, 2014 | Compliance, Data Breach, HIPPA, Information Security, Research

Shellshock, What Does It Mean For Your Organization?

Updated: Added information about Macs and some additional reference links. This new vulnerability is much easier to exploit than Heartbleed and can have a huge negative impact on your organization. Windows Server environments are not immune either. We waited for the dust to settle before jumping on the media hype about all of this, because we wanted to make sure that information was gathered from multiple sources, that official security organizations had made their opinions public, and that we weren't just posting information to try and gather web hits. According to Errata Security: What is Shellshock? Shellshock is a vulnerability [...]
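The quickest way to know whether a given host is exposed is to ask its own bash. The script below is an added self-test for the original Shellshock bug (CVE-2014-6271); it is not code from the original post or from Errata Security. It assumes a bash binary is on PATH (or is passed as the first argument) and runs only against that local binary, never against a remote host.

```shell
#!/bin/sh
# Added self-test for the original Shellshock bug (CVE-2014-6271).
# A vulnerable bash parses any environment variable whose value starts
# with "() {" as a function definition and keeps executing whatever
# follows the closing brace. A patched bash imports it as a plain string.
# Assumption: "bash" is on PATH, or a path to it is given as $1.

shellshock_check() {
    bash_bin="${1:-bash}"

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "skip: $bash_bin not found"
        return 2
    fi

    # The payload lives only in the environment of the child bash; the
    # command actually requested ("echo test") is harmless. If the word
    # "vulnerable" shows up, the code after the function body was run.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)

    case "$out" in
        *vulnerable*)
            echo "VULNERABLE: $bash_bin executes code appended to exported function definitions"
            return 1
            ;;
        *)
            echo "not vulnerable to CVE-2014-6271: $bash_bin ($("$bash_bin" --version 2>/dev/null | head -n 1))"
            return 0
            ;;
    esac
}

# Exit status doubles as the result: 0 patched, 1 vulnerable, 2 no bash.
shellshock_check "$@"
```

Run it on every box that has bash, including Macs and Windows hosts carrying a Cygwin or Git bash, since the post's point is that those are not immune. Remember that this checks only the parser bug itself; the risk to the organization comes from any service that lets an outsider set environment variables for a bash child process (CGI scripts being the classic case), which is what turns the bug into remote code execution.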

By | 2014-09-30T08:23:03-05:00 September 29th, 2014 | Compliance, Information Security, Research

Budgeting For Security

Security budgeting is a layered approach. Security is important for an organization and its customers. However, there is often a misconception that security costs are included in the IT budget. Security best practices follow a layered approach, and budgeting is no different. There is no such thing as being 100% secure, and mistakes can happen anywhere. Where should you focus your efforts? Cover the basics first. Before you look at some of the newest security solutions, it is important to make sure the basics are covered. Here are a few items to consider: review your security policy; ensure security patches [...]

By | 2014-09-04T09:55:41-05:00 August 15th, 2014 | Compliance, Information Security, Research

Ebola: Is Your Organization Prepared?

All organizations should have a business continuity plan. I know that many do not. How will your business respond if: your building burns down; a flood destroys facilities; a tornado takes out a primary distributor and disrupts a supply chain; a pandemic infection affects any key component of your business? A pandemic plan addresses this specific scenario within a business continuity plan. Do we have remote access capabilities that allow everyone to perform their job? What happens if the whole IT department is sick? If accounting is sick, who will send invoices and pay bills? If our distributor's source in a foreign [...]

By | 2014-10-03T08:44:35-05:00 August 6th, 2014 | Compliance, Research

The Hitlist: BYOD

"Bring Your Own Device" or BYOD is an ever-increasing topic among CIOs and other executives. We are not here to argue the merits of BYOD, but we do want to mention a few key topics to think about if you consider implementing it. 1. Policy. The first thing an organization should have before implementing BYOD is a set of policies that govern it. They should cover topics such as: what is acceptable use, what types of devices can be used, what to do if a device is lost or stolen, whether MDM is required, etc. 2. Corporate MDM (Mobile Device Management). If [...]

By | 2014-06-13T08:42:18-05:00 June 13th, 2014 | The Hitlist

The Hitlist: Perimeter Network Security Part 2

Part 1 of our “Perimeter Network Security” Hitlist covered the virtual considerations involved in securing a network. Now we will cover what to consider when securing the physical side of the network. Physical Considerations: Even though the virtual perimeter is the most obvious and most likely to be attacked, the physical perimeter can provide just as much access to resources inside your network. 1. Wireless. There was some debate as to whether to include WiFi in the "physical security" section of this post; however, the fact remains that someone must physically be on site (or [...]

By | 2014-06-10T09:21:05-05:00 June 3rd, 2014 | The Hitlist

The Hitlist: Perimeter Network Security Part 1

To “completely” secure an enterprise network is a very complex and often nearly impossible task. Several different factors come into play that must be considered and weighed: business requirements, stakeholders, network configuration, compliance requirements, etc. We have told a number of our clients that, in most situations, if someone really wants to get into a network, they will, and you can't stop them. However, you can prepare yourself to better recognize and respond to attacks. This list is designed to offer the basic key points of entry into a network, both virtual and physical, that one [...]

By | 2014-06-03T16:22:03-05:00 June 2nd, 2014 | The Hitlist