Blog

Blog

5 Tips to Improve Your Defenses Against Social Engineering

Social engineering is perhaps the most dangerous vector of attack available to hackers. Social engineering could be a phone call made by an attacker to extract data; an email phishing attack that is composed to look like a legitimate request to gain sensitive information; or a physical intrusion into the building by someone claiming false...
Blog

Survey: 88% of IT Pros Say Forcing Tech Companies to Give Data Access to Gov't Would Undermine Security, Privacy

88 percent of security professionals feel that forcing technology companies to give the U.S. government access to encrypted data stored on consumer devices would undermine user security and privacy. That is just one of the findings of a new survey in which Tripwire asked 198 security professionals attending the RSA Conference 2016 their thoughts...
Blog

An Apathetic Afterthought: The Security Challenge of the Healthcare Industry

What you are about to read is not from 1995. This is not Throwback Thursday. What follows is an account of the first full day of booth duty at Healthcare Information and Management Systems Society (HIMSS) 2016 conference in sunny Las Vegas. For those of you who have never heard of HIMSS, (I certainly hadn’t until my boss asked me to attend.) it is a...
Blog

Making the Case for a Security Budget

As an IT consultant, I visit with a variety of organizations looking for me to assess and tell them how much they need to budget for security. There are two common scenarios: The organization is ready to make a commitment to security. They ask me to quantify their security investment based on a certain metric, such as number of PCs/Servers or how...
Blog

RSA Conference 2016 Takeaways – Part 2

Yesterday, we at The State of Security offered a recap of some of the notable presentations that have occurred at RSA Conference USA 2016. We now continue our coverage of this week's event with Part 2 of our RSA Conference 2016 Takeaways series. Dreaming of IoCs: Adding Time Context to Threat Intelligence Speaker: Travis Smith (@MrTrav), Senior...
Blog

RSA Conference Badge-Scanning Smartphones Exhibit Poor Security

The RSA Conference is taking place in San Francisco this week, and all the big names in computer security have converged on the Moscone Center where they will happily tell you all about their products, services and latest research. And the only cost for you is that the vendors will likely want to scan your badge if they think you're a potential lead...
Blog

Hit by Ransomware? Do Not Pay!

Imagine you have been hit by a ransom Trojan. If you do not have a backup – you pay. You either pay the price with money, or you pay it with your files. That’s it. Money or files, no win. Criminals are wise enough not to demand too much for your data. They calculate their ransomware pricing based on country of residence, company size, etc. For...
Blog

Is Relying on Anti-virus Making You Insecure?

The world of technology is never in stasis, but as frantic as the field is, information security moves even faster. Those of us who work to stay aware of the latest trends in cyber security sometimes lose sight of the sobering reality that most people don't have the time or drive to do this--especially if it's not paying the bills. The combination...
Blog

The Hot Topic of Cyber Security & Healthcare

This week, I am torn between attending RSA 2016 in San Francisco or HIMSS (Healthcare Information Management Systems Society), a very large healthcare conference in Las Vegas that annually attracts over 44,000 healthcare & IT professionals. Well, there's good news. I am going to both. Why? Cyber security is a major focus at HIMSS. In fact, there is...
Blog

Delaying PCI 3.1: Time to Dance the Compliance and Security Waltz

The recent announcement from the Payment Card Industry Security Standards Council (PCI SSC) that it will be moving the PCI 3.1 deadline to June 2018 – giving an extra 24 months – caught my attention and reminded me of the ongoing dance between compliance and security. From a compliance and operational standpoint, the new deadline gives organizations...
Blog

Snapchat Responds to Leak of Payroll Data Following Phishing Attack

The popular video messaging application Snapchat has responded to a partial leak of its former and current employees' payroll information following a recent phishing attack. On Monday, Team Snapchat published a statement on their company's blog: "We’re a company that takes privacy and security seriously," the statement begins. "So it’s with real...
Blog

A Timeline of the Apple-FBI iPhone Controversy (UPDATED: 3/29/16)

Apple has been making headlines recently for its refusal to comply with a court order requiring it to help federal authorities unlock a mass shooter's iPhone. This story dates back to the late spring of 2015. The timeline below summarizes how this controversy has played out thus far. June 8, 2015 The Information Technology Industry Council (ITI)...
Blog

The World of Unknowns and the First Responder

When it comes to known unknowns, there is one fact you can be sure of, which is based on the conundrum of “Am I being, or have I been hacked?” – with the knowing component here representing the high probability that the answer is in the affirmative. However, when reflecting on the unknown element, this may well result in a number of unknown answers...
Blog

UX in the Security World

The cyber security industry is growing faster than ever as companies increase their level of monitoring and analysis to protect themselves from breaches and data loss. The imperative for security professionals to be fast and accurate in recognizing and remediating security threats makes the user experience in security products absolutely critical. ...
Blog

U.S. ICS-CERT Confirms 'Cyber Intrusions' Behind Ukraine Power Outages

The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has confirmed that 'cyber intrusions' caused a series of Ukraine power outages late last year. In a statement published on Thursday, the team provides an overview of what it learned from an investigation into an incident that occurred on December 23, 2015. ...
Blog

Some Tips For Dealing With Phone Scammers

Have you recently received any of the popular scam phone calls from someone claiming to be from Microsoft offering to fix your computer? Or the IRS scam call, alerting you that you owe taxes and that you must pay immediately? Or a representative from a utility company, threatening to shut off your electricity if you don’t immediately pay with a pre...
Blog

Invisible Porn-Clicking Trojans Invade Android's Google Play Store

If malware on your Android phone doesn't steal any of your information, doesn't spy upon your activities, doesn't infect any of your files, and remains invisible... can we still consider it a bad thing? I think the answer is yes, but some security measures appear to turn a blind eye to a Trojan that security researchers at ESET have dubbed "Porn...
Blog

DDoS Group Claims Responsibility for Xbox Live Outages

A distributed denial-of-service (DDoS) group has claimed responsibility for a series of global outages to Xbox Live, Microsoft's online gaming network for the Xbox console. Recently, members of the group, which calls itself the New World Hackers, sat down with Newsweek to explain the motivation behind its alleged attacks. “Well, didn’t even take as...
Blog

Endpoint Protection Warrants a Proactive Approach

Endpoints are more important than ever in today's connected world. As business increases, most organizations find it necessary to connect a variety of new devices to their networks to keep up with the demands of competing in a global economy. Each of these endpoint nodes may be devices with which employees interact on an ongoing basis, but they...
Blog

Access Control in 2016 - What you Need to Know

Access control is one of those topics that often means different things to different people. In its most basic form, it is simply the “restriction of access to a resource." Unfortunately, as you drill down into what that actually means for your organization, things usually get muddy. For some people, it is simply selectively granting user access to...