Resources

Blog

Women in Information Security: Jen Fox

Last time, I got to speak with Leanne Williams. As a pen testing professional, she knows there’s a lot more to penetration testing than pointing a network vulnerability scanner at an IP address. This time I had the pleasure of chatting with Jen Fox. She’s all about cybersecurity in the very challenging compliance space. Kim Crawley: Tell me a bit...
Blog

Lending Website Cites GDPR Concerns as Reason Why It Shut Down

A lending website ceased all operations over concerns with the European Union's General Data Protection Regulation (GDPR). Chris Beach, the founder of Streetlend.com, decided to shut down the service after five years of operation due to uncertainty and risk created by the GDPR. He explained in a message posted to the site that the penalties...
Blog

Security Controls: The Key to Ensuring 'Security in the Cloud'

Organizations face a number of security challenges when migrating to the cloud from on-premise data centers. Their work isn't done once they've completed the move, either. At that stage, enterprises must decide on the best approach to fulfill their end of the Shared Responsibility Model and ensure "security in the cloud" with respect to protecting...
Blog

Canadian Government Unveils New Data Breach Regulations

The government of Canada has unveiled new regulations that specify how organizations must report and respond to a data breach. The Canadian Parliament in Ottawa, Canada. (Source: Wikipedia) On 18 April, the Governor General of Canada released the Breach of Security Safeguards Regulations (SOR/2018-64...
Blog

Why We Believe Georgia's S.B. 315 Bill Will Increase Cybersecurity Risk

In 2017, an independent security researcher discovered that a vulnerability had been exploited in the Kennesaw State University Election Center. The researcher responsibly reported the breach to authorities. In response, the Georgia Attorney General’s office requested that a bill be drafted to criminalize any unauthorized access to any computer or...
Blog

Women in Information Security: Leanne Williams

Last week, I had the pleasure of talking to Tripwire’s own marketing specialist, Cindy Valladares. Marketing fits a valuable and overlooked need in the cybersecurity field. Cindy’s creative talent for bringing out the best in people helps Tripwire shine in this industry. This time, I got to chat with pen testing whiz Leanne Williams. Enjoy! Kim...
Blog

Medical Device Security Standards

Medical devices can be vulnerable to security breaches in the same way as any other networked computing device. This may potentially affect its safety and effectiveness. The FDA (Food and Drug Administration) has issued final guidelines for manufacturers to consider cybersecurity risks as part of their medical device design and development. Its...
Blog

Overcoming DevOps Implementation Challenges

Most organizations have already adopted or are moving towards adopting a DevOps model into their work culture for improved productivity and workflow. In simple terms, DevOps is an application delivery methodology that encourages collaboration and communication between the developers and operations teams across all phases of the Software Development...
Blog

Blockchain and GDPR: Between a Block and a Hard Place

Blockchain and other emerging distributed ledger technologies offer the promise of increased security, transparency and resilience based on the use of distributed, immutable records. At the same time, the European Union General Data Protection Regulation (GDPR), which takes effect May 25, 2018, governs the use and protection of personal data...
Blog

FedRAMP and Federal Cloud Security

FedRAMP, or the Federal Risk and Authorization Management Program, is a standardized approach to security assessment, authorization, and monitoring for cloud applications. It was created by the U.S. General Services Administration in response to growing government usage of the cloud, which has obvious benefits at many levels of operation and...
Blog

The MITRE ATT&CK Framework: Defense Evasion

Defense Evasion has the most techniques of any of the other tactics discussed in the MITRE ATT&CK Framework so far. What I find interesting about these techniques is that they expose the tradecraft of the various threat actors behind malware attacks. https://www.youtube.com/watch?v=NDT2qnpvKTk Another interesting piece of this tactic is some malware...
Blog

A Look at the 2018 Verizon DBIR: Key Takeaways and Industry Highlights

Now in its 11th installment, Verizon’s Data Breach Investigations Report (DBIR) is a must-read for cybersecurity professionals across the globe. The 2018 edition dives deep into more than 53,000 real incidents and 2,216 confirmed data breaches with the ultimate goal of informing defenders on the threats they face and how to protect against them. The...
Blog

A Look Inside the April Update to the MITRE ATT&CK Framework

The MITRE ATT&CK Framework is an excellent resource when it comes to defining threat intelligence. The hundreds of techniques mapped across various tactics help define an adversary’s behaviors in enterprise networks. What’s better is that it provides prescriptive level guidance on how to both mitigate and detect the techniques. While it is not...
Blog

Excel pivot table data leak leads to £120,000 fine for London council

London's Royal Borough of Kensington & Chelsea has been fined £120,000 (approximately US $170,000) by the Information Commissioner’s Office (ICO) after it unlawfully identified 943 people who owned vacant properties in the borough. How did the sensitive data leak out? Because of a sloppy understanding of how to wipe information properly out of Excel...
Blog

#TripwireBookClub – Attacking Network Protocols

A while ago, I had the crazy idea that I needed to read more technical books, so I purchased a pair of books that appealed to me: Attacking Network Protocols and Serious Cryptography, both published by No Starch Press. I was interested in reading along with others and sharing our thoughts and opinions, so I spoke with members of VERT and our...
Blog

GDPR Is Coming, So What Now for WHOIS Domain Registration Data?

When the European Union General Data Protection Regulation (GDPR) comes into force on May 25, 2018, what will happen to currently-available domain registration data in WHOIS? The GDPR restricts how personal data about natural persons residing in the European Union can be collected, used and transferred, and it defines “personal data” very broadly....