Research

/Research

The Hitlist: Corporate WiFi

Many organizations are faced with the decision to implement or to forgo corporate WiFi. There are a number of considers to think about when contemplating this and many are business and security related and not merely technical in nature. Here are some things to consider: 1. Is it necessary? The first question to ask yourself is whether or not WiFi is necessary, and you must also realize that there are different levels of what is "actually" necessary.  If the CEO says that it is necessary to implement WiFi, you must consider the business reason for why it is needed. Would [...]

By | 2014-06-02T14:22:41-05:00 May 27th, 2014|The Hitlist|0 Comments

The Hitlist: Compliance

The Hitlist is a new series where we will attempt to provide a quick list of security considerations for a particular technology or initiative within an organization.  Our first post will be on compliance.  What we mean is if your organization is attempting to become compliant to an industry standard or regulation, these are things that will have to be considered and more than likely implemented across the board for things such as PCI-DSS, HIPAA, ISO27k, FISMA and more.  Here is the hitlist for things to consider when planning to meet a compliance standard: 1. Patch Your Stuff Everyone hates [...]

By | 2015-03-31T08:57:16-05:00 May 22nd, 2014|The Hitlist|2 Comments

Trustwave Global Security Report 2014: An Overview

The Trustwave Global Security Report for 2014 was recently released.  There are a number of very useful and insightful statistics in this report, which we can corroborate, based on our assessments of numerous organizations' networks.  We wanted to highlight a few of these statistics below: Top 10 Internal Network Penetration Test Vulnerabilities - which include weak passwords, shared accounts, and unencrypted storage [av_hr class='short' height='50' shadow='no-shadow' position='center'] Top 10 External Network Penetration Test Vulnerabilities - which include default SNMP strings and weak passwords: [av_hr class='short' height='50' shadow='no-shadow' position='center'] Top 10 Web Application Vulnerabilities - including path traversal, authentication bypass, SQL injection, unencrypted pages [...]

Study: Cost of Data Breaches Increasing

A study published by Ponemon Institute, and sponsored by IBM, purported that the average total cost of data breaches increased 15% in the last year to $3.5 million, or $145 per record containing protected information.  The study included participants from 314 companies in at least 10 countries.  There are a number of key facts that the study shows regarding reduction factors in the cost of a breach, as well as factors that increase the cost.  The study found that appointing CISO, maintaining a business continuity management program, and developing an incident response program can reduce the cost per record of a [...]

Verizon Breach Report 2013: What Does It Mean For Your Organization

Each year Verizon releases their Breach Report; it is sort of a state of the union with regard to last year's breaches.  It is worthy research to help determine the industry trends that could help steer the budgets and focus of IT departments.  This year's report includes 1,367 Confirmed Data Breaches, and 63,437 Security Incidents. No one is immune: [av_image src='https://1tukuss9160zg44d2sae7jbj-wpengine.netdna-ssl.com/wp-content/uploads/2014/04/verizon-300x126.jpg' attachment='1929' align='center' animation='no-animation' link='' target=''] According to the report, 92% of all breaches can be categorized in 9 groups.  Here is a summary of things every organization should be doing to keep from being included in next year's report: [...]

Leave no stone un-turned when patching Heartbleed

Most people are now up to speed about the existence of Heartbleed, but new information is coming out that the focus has only been on server side exploits.  Meldium, released a blog post titled Testing for "reverse" Heartbleed.  According to Meldium, "While patching our systems for the recent Heartbleed vulnerability, we found that some sites (including huge web properties), which had patched their servers were still vulnerable to a variant of the attack that we're calling "reverse heartbleed."  They have also released a tool to test this. What does this mean? Basically it means that OpenSSL patching can't stop just at servers [...]

The Heartbleed Bug

The Heartbleed Bug is a recently discovered critical vulnerability found in widely used open-source implementations of the SSL/TLS protocols, OpenSSL .  SSL/TLS is used to provide security and privacy in many internet applications such as email, instant messaging, VPN, and secure web pages. The vulnerability was the result of an implementation problem (or a program mistake) in OpenSSL, which has left a large amount of private data exposed to the internet.  Most people are likely to be directly, or indirectly affected by this bug due to OpenSSL being the most popular cryptographic library and transport layer security currently in use [...]

Data Breach?

UPDATED 4/15 A colleague was notified today by his bank, BBVA Compass, that his account was likely involved in a breach and that shortly his debit card was going to be cancelled and he would be issued a new one.  He went to a branch office to deposit a check and asked the teller why  a recording from the bank called the day before asking him to call back for important information(confirming that it was not a robo-call). His point was if it was really important shouldn't a person have been on the other end of the line? It is [...]

By | 2014-04-15T14:23:32-05:00 April 1st, 2014|Data Breach, Information Security, Research|0 Comments

News Brief – 03/13/14

Critical crypto flaw in Facebook’s WhatsApp for Android exposes chats Tread carefully when allowing apps access to features on your phone like access to the SD card. The Android version of WhatsApp, the cross-platform instant messaging app purchased by Facebook for $16 billion, has a loophole that leaves chat histories wide open to other apps installed on the same smartphone, a security consultant says. 162,000 WordPress instances abused for DDoS attack Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.Source If you use wordpress, it must be updated [...]

By | 2014-05-21T15:06:58-05:00 March 13th, 2014|Research|0 Comments

The Switch to Chip and PIN. Will it change anything?

Chip & PIN, the future of credit cards Late next year the U.S. will finally catch upto the rest of the world when it comes to credit card transactions.  Customers will no longer be signing credit card receipts, instead they will enter a PIN, similar to making a debit transaction.  The U.S. is the last major market to still use the old-fashions signature system, which is the primary reason why about half of the world's credit fraud happens in the U.S. What is Chip & PIN? Basically, we are replacing our signature with a PIN code.  Each card will include [...]

By | 2014-05-20T14:03:47-05:00 February 10th, 2014|Compliance, Computer & Network Security, PCI, Research|0 Comments