Blog

Blog

5 Speaker Sessions Not to Miss at the 2017 Retail Cyber Intelligence Summit

In 2016, I shared just a few of the exciting presentations planned for the Retail Cyber Intelligence Sharing Center's (R-CISC) inaugural Retail Cyber Intelligence Summit. The event brought together CISOs and their IT security teams from the retail and consumer services industries in North American. For two days, these notable attendees shared best...
Blog

Irish Teachers' Union Learning Website Suffers Data Breach

The learning website of an Irish teachers' union has suffered a breach that might have exposed some members' personal information. On 11 September 2017, the Irish National Teachers' Organization (INTO), one of Ireland's oldest and largest teachers' trade unions, announced a security incident involving unauthorized access of its Learning website....
Blog

Tripwire Patch Priority Index for September 2017

BULLETIN CVE S2-052 Apache Struts REST Plugin Java Deserialization Vulnerability CVE-2017-9805 Oracle Security Alert Advisory - CVE-2017-9805 CVE-2017-9805 Microsoft 2017-September Developer Tools Vulnerabilities CVE-2017-8759 Microsoft 2017-September Browser Vulnerabilities CVE-2017...
Blog

HL7 Data Interfaces in Medical Environments

Ask healthcare IT professionals where the sensitive data resides, and most will inevitably direct your attention to a hardened server or database with large amounts of protected health information (PHI). Fortunately, there is likely nothing wrong with the data at that point in its lifetime. But how did those bits and bytes of healthcare data get to...
Blog

How Harmless Is Your Company’s Paramount Data?

In today’s rapid technological evolution, information from particular sources can be easily accessed, copied and shared out to a larger audience. If an organization fails to complete its basic role of being a guardian of the confidential business information within the company, it could convey unfavorable effects for business’ stability and...
Blog

New BankBot Android Malware Variant Exclusively Targets Google Play

A new variant of the BankBot malware family is exclusively targeting Google Play in a bid to steal Android users' credit card details. Infection begins when an unsuspecting user downloads Jewels Star Classic, a mobile game created by a developer named "GameDevTony." Upon successful installation, the app's malicious functionality waits 20 minutes...
Blog

Evolution Of ATM Theft: Sledgehammers To Skimmers

Over 10 billion transactions are performed every year at ATMs, and there are over 425,000 of these cash-dispensing machines throughout the U.S. for a total of 3,000,000 used globally. ATMs hold anywhere from $3,000 to upwards of $100,000 per machine, so they naturally become a prime target for thieves. Physically breaking open an ATM is not trivial,...
Blog

Women in Information Security: Kim Wong

Last week, I spoke with Candy Alexander. An attack by the famous Kevin Mitnick started her cybersecurity career! This time, I had the pleasure of interviewing Kim Wong. She recently started in a cybersecurity role in the UK's financial services industry. Kim Crawley: Tell me a bit about what you do. Kim Wong: I’m a security analyst in the cyber...
Blog

Opinion: It Is Time for a Duress Code on Cell Phones

Have you seen the stories about the warrantless devices searches by various border agents? It seems that many folks have had their cell phones confiscated (sometimes forcibly) in order to protect the borders as people travel into the United States. Many of the folks subject to these searches are American citizens, some of whom work for the...
Blog

Excellence in the Essentials: Implementing Foundational Controls

It’s not about whether you implement foundational controls but about how well you do it. Only when excellence in the essentials of security and compliance are achieved, will an organization be able to have confidence that it is able to mitigate most cyber threats. We as cyber-defenders have an embarrassing problem. We are routinely susceptible to...
Blog

SEC Announces Data Breach Dating Back to 2016

The Security Exchange Commission (SEC) announced on Wednesday that its EDGAR database was compromised in 2016. This database stores non-public information on businesses, such as quarterly earnings, and statements on merger and acquisition dealings. According to the agency, the compromise was due to a software vulnerability being exploited on its...
Blog

APT33 Group Targeting Aerospace and Energy Sectors with Spear Phishing

A threat actor known as APT33 is actively targeting organizations in the aerospace and energy sectors with spear phishing campaigns. Between mid-2016 and early 2017, the suspected Iranian digital espionage group attacked a U.S. organization in the aerospace sector, a Saudi Arabian conglomerate with aviation holdings, and a South Korean company known...
Blog

On Bug Bounty Programs: An Interview with HackerOne's CEO

In September 2017, I created a list of 10 essential bug bounty programs for 2017. Readers with a keen eye for detail might have noticed that nearly half of the companies included in that catalog host their vulnerability research programs, otherwise known as vulnerability disclosure programs and responsible disclosure programs, through HackerOne. A...
Blog

Most Orgs Worried Skills Gap Will Leave Them Exposed to Security Flaws

In my previous post about Tripwire's latest skills gap survey, I noted that over the past couple years, it has become more challenging to hire adequately skills cybersecurity professional. In this post, I'll share Tripwire's second set of findings. These results cover which technical skills are most needed and what organizations plan to do about...
Blog

The Myth of “False Positives” in Vulnerability Assessments

While false detections should be eliminated as much as possible, these are an inherent part of any vulnerability assessment tool. Possible reasons for false detections include rapid changes in vendor-specific patches/updates, zero-day vulnerabilities, access restrictions, and network glitches. The goal is to have the fewest vulnerabilities detected...
Blog

5 Things You Should Know about PCI DSS Penetration Testing

The Payment Card Industry Data Security Standard (PCI DSS) was introduced to provide a minimum degree of security when it comes to handling customer card information. While the Standard has been around for over a decade, penetration testing has only recently been officially incorporated into the process. There’s a lot to cover in a PCI DSS...
Blog

Women in Information Security: Candy Alexander

Last time, I had an excellent discussion with Keirsten Brager, a security engineer for a utility company. This time, I had the pleasure of speaking with Candy Alexander. She got into cybersecurity at least partly because of Kevin Mitnick. Kim Crawley: Please tell me about what you do. Candy Alexander: I am currently working as a vice CISO and...
Blog

CCleaner App Hacked to Deliver Malware, 2.3 Million Users Infected

Researchers have discovered that certain versions of the popular CCleaner app were modified by hackers to deliver malware to millions of unsuspecting users. Created by Piriform and recently acquired by security firm Avast, the application allows users to perform routine maintenance on their systems, including the cleaning of temporary files and...
Blog

7 Things To Consider When Creating An Acceptable Use Policy

If you have read any of my posts or attended my webinars about security awareness, training, compliance, or other IT risk management items, you will notice a recurring theme: expecting technology to do all of the work in preventing a security or risk-related event is not the correct mindset. Rather, creating a culture of risk management is the key....