How ransomware extortionists hide their tracks

Cybercriminals extorted about one billion dollars from ransomware victims last year, according to the FBI. And nearly all of those […]

5 steps to a winning incident response team

People are the core of any incident response effort.  You must have the right people to provide the right response.  […]

Pokemon Go ransomware virus is out to catch’em all

A Pokemon Go themed ransomware virus has appeared on Windows computers, tablets, and phones. The ransomware is the latest in […]

Securing Hybrid IT the Right Way

The average company today is a hybrid collection of traditional on-premise and cloud-based IT solutions.  On-premise solutions may include identity […]

Adding Ransomware to Security Radars

Ransomware is the quickest way to turn your valuable data into garbage.  Ransomware is a form of malicious software that […]

The human brain vs. computers in the identity challenge

The concept of identity is core to the protection of data.  Data and other computing resources exist to be used […]

The missing leg – integrity in the CIA triad

Information security is often described using the CIA Triad. The CIA stands for Confidentiality, Integrity, and Availability and these are […]

Regaining your anonymity online

Anonymity has been a longstanding hallmark of the Internet but you should no longer assume that your online activities are […]

Point/counterpoint: Breach response and information sharing

Some breaches require notification such as those involving patient data or customer information, but sharing is optional. Of course, notification […]

Future ready cloud security

In 5 to 10 years, the cloud will be as ubiquitous as the Internet is today. It is predicted that […]

Is your culture interfering with data security?

With the ease and prevalence of global expansion, security leaders must understand how to implement security across a global organization […]

Don’t be a victim. Be a protector

As vigorously as many organizations are working to prevent them, data breaches are becoming more of a common occurrence, and the consequences […]

The case for consistency in security

Security spending could be compared to the stock market. It increases and decreases depending on intangibles such as how “at-risk” […]

The 5 W’s of data identification and inventory

I always figured that you would need to know what you have in order to protect it. However, I have […]

How to Promote Cybersecurity without using Fear

We’ve seen quite a variety of online threats recently. A simple email containing a convincing subject line can compromise a […]

Cloud security empowerment

The cloud has received a lot of negative press from security professionals and, I have to admit, we’ve come off […]

Cybersecurity and the boy who cried wolf

It seems like security practitioners are still saying the same things they said ten years ago. Use complex passwords. Change […]

Cybersecurity debriefs are core to continuous improvement

Do you conduct debriefing sessions after completing a cybersecurity project? Quite often, our minds are moving on to the next […]

The five stages of cybersecurity maturity

As an organization becomes more conscious and engaged in protecting information, it progresses along a path of security maturity. I […]

Preventing Fraud from Top to Bottom | Information Security Summit 2014

An estimated 5% of annual corporate revenues are lost each year to fraud, represented in part by computer fraud. Protection […]

Information security leader to follow on Twitter

I was recently listed as the number 10 information security leader to follow on Twitter in Information Security Buzz’s 25 […]

Cyber Security and your Information

I appeared on the Sound of Ideas program on National Public Radio channel 90.3, WCPN on November 3.  In the […]

Companies with Virtual CSOs get ahead without losing an arm and a leg

Security remains a complex discipline.  This ever-changing challenge grows in complexity daily as new threats emerge and compliance requirements increase.  […]

Ineffective Security Policy Adherence Results in Another Data Breach

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January […]

Malware behind university data breach

Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11.  The warning informed […]

50,000 Medicaid providers’ data breached

On March 8, 2013, a contractor working for North Carolina’s Department of Health and Human Services (HHS) billing department stored […]

Data breach threats of 2013

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media, […]

U.S. Department of Energy suffers data breach

Two weeks ago hackers took control of 14 servers and 20 workstations at the U.S. Department of Energy (DOE), obtaining […]

HIPAA Omnibus increases data breach response requirements

The Department of Health and Human Services (HHS) released the HIPAA Omnibus rule on January 17, 2013, designed to give […]

Canadian Hack Back

Back in November, I blogged about the hack back initiative here in the United States.  Well, similar debates are taking […]

Small healthcare data breaches can result in significant fines

On January 2, 2013, the Department of Health and Human Services (HHS) fined the Hospice of North Idaho $50,000 for […]

Dexter malware threatens data breaches on point of sale equipment

Security researchers have identified a new malware called Dexter that specifically targets Point of Sale (POS) systems such as cash […]

Effectively gathering facts following a data breach

It is easy for miscommunication to happen after a data breach.  There could be many people working on the incident […]

Who’s stealing your data?

Here is a fact that many of us would like to forget.  Most data theft occurs by insiders.  This is […]

Hospitals are the highest risk for data breaches

Recent research shows that hospitals are at the highest risk for data breaches.  The third annual benchmark study on patient privacy […]

Friday Fun – Which workspace do you prefer?

Our Security Operations Center keeps track of a lot of information.  Here are two workspaces in the SOC.  Let me […]

Organizations are failing at early breach detection

A recent finding by Gartner titled “Using SIEM for Targeted Attack Detection” is that 85% of breaches go undetected.  Those […]

Data breach notification: Are you meeting customer’s expectations?

Government regulations, including the well-known HIPAA and GLBA, are quite clear on the notification requirements for businesses suffering a data […]

Hack back: The latest ethical consideration in cyberspace

Like paparazzi on celebrities, hackers pound on our organizational doors almost every second of the day.  It makes us want […]

Using eDiscovery data mapping to prevent data breaches

Data breaches are occurring more frequently and companies are searching for a way to help prevent the breach by understanding […]

Large government breach shakes confidence in state security

On October 10, the Secret Service’s electronic crimes task force discovered that the South Carolina Department of Revenue’s systems were […]

Culture change through incident response

An organization’s security culture in relation to information security determines how receptive employees will be to security initiatives.  Culture can […]

Immunize your Business

At the upcoming Information Security Summit, I will be presenting on the topic, “Eradicate the Bots in the Belfry.”  Bots […]

Concerning Data Breach News for Small Businesses

A recent survey of small business owners showed that while 77 percent believe that security is important for their company’s […]

Cybersecurity plans and legislation

Last month, Senator John D. Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science and Transportation, sent the […]

The Latest Cyber Attacks Against US Banks

Did you know that computers often become infected with virus-like programs called “bots” causing “denial of service” incidents on websites? […]

Windows Password Reset

Many people have asked me how to reset their Windows password so I decided to write this blog about it.  […]

Blind Security: A case of site intimidation

Every once in a while, a website will try to convince you to change your security settings.  I was looking […]

Independence Day

As we think of today, our Independence Day, consider also the information security and cyber security professionals who guard our […]

Buying or Selling? An Investigation into Craigslist Scams

It seems no matter where you turn, someone is waiting to rip you off.  Our inboxes drown in spam and […]

Data Classification

Achieving the Benefits of Data Classification on a Budget

Data classification is a term that is not usually associated with the small business.  It tends to invoke thoughts of […]

Developing a Security Oriented Corporate Culture

Managing the security of an organization can be quite confusing. It can seem like an uphill battle when basic […]

What is the real cost of a breach?

If you had a breach of your most sensitive data tomorrow, how much would it cost you?  There are quite […]

Monetizing vulnerabilities

The phrase “Knowledge is power” has never before become so clear and scary.  The knowledge that is kept secret can […]

A Certified Lack of Confidence: The Threat of Rogue Certificate Authorities

For more than a decade, computer-generated digital certificates have made it possible to authenticate the identity of computer systems, data, […]

Risk Homeostasis and its impact on risk reduction

Gerald Wilde had a theory called risk homeostasis.  This theory hypothesizes that people have a level of acceptable risk.  When […]

Is Your TV a Security Risk? IoT May be the Next Threat

The latest televisions and Blu-Ray players come equipped with more than HD video and audio.  Internet access and a host of […]

Effective Data Retention

Organizations are accumulating data at a pace that would cause a hoarder to blush.  Just like that old bicycle seat […]

ISO 27000 Compliance

ISO 27000 is a set of security standards that organizations can implement to provide an industry-recognized minimum level of security.  […]

Defending Against DDoS (Distributed Denial-of-Service)

The site is down!  These are haunting words for most businesses, and today’s topic: the DDoS (Distributed Denial-of-Service) attack. This […]

Protecting against data breaches and security incidents with cyber insurance

Data breaches and security incidents are a significant risk for organizations and some are using cyber insurance to transfer the […]

Data Breach Prevention Guide

Losing data can be tremendously devastating to a company. It could compromise security, information, and jobs. Today, we will look […]

Paranoid, Skeptical, Cheater Wanted for Security Position: Compensation Commensurate with Experience

As you laugh at my title, anticipating several paragraphs of satire, think about what I’ve just said because I’m serious…to […]

Security and Compliance Synergies with DLP, SIEM, and IAM

The use of SIEM, DLP, and IAM can significantly enhance the capabilities of information security departments. SIEM allows a company to […]

Security Focus at the Corporate Board Level

Imagine a boardroom a generation ago.  Smoke fills the air, and sidebar discussions thrive while the board members wait for […]

Six Phishing Tactics you Should Recognize

Scams exist.  That is a simple truth.  There are honest people, and then there are others who try to cheat.  […]

RAT Hacking Evidence fresh from the source

Previously, we have discussed the dangers of hacking and measures to take against an attack in the LulzSec blogs.  Now […]

PCI Compliance Primer

PCI applies to a wide range of corporations and companies that deal with credit card transactions, and it can be […]

Information Security Compliance: HIPAA

HIPAA is regulation intended to help covered entities and their business associates protect Electronic Protected Health Information (ePHI).  The U.S. […]

Information Security Compliance: Which regulations relate to me?

Information security is often feared as an amorphous issue that only the IT department has to deal with. The reality […]

iPad Enterprise Security

“Thinner. Lighter. Faster. FaceTime.” That is the catchphrase from the Apple page dedicated to the iPad. While Apple is […]

LulzSec Hacking of Sony

Thank you for staying tuned into our third case study and final installment of our four-part series on the Lulz […]

LulzSec Hacking of InfraGard and Unveillance

This post is the third part of a four-part series on the LulzSec hackers. Our first entry titled “Awareness Pains: […]

LulzSec Hacking of PBS

As promised, here is the first case study regarding the events surrounding the LulzSec group. If you are reading that […]

LulzSec Security Awareness Tipping Point

Bob set down the phone with a sigh. After six hours, five phone calls, countless emails, and two meetings, it […]

The Social Networking Security Threat

Social Networking is a godsend and concern, a help and a hindrance, an amazing feat and a terrible nuisance. While […]

Security Awareness Training Tips for Detecting Malicious Software

We have worked hard to educate users of the need for computer hygiene, using anti-spyware, multiple browsers, data backups, and […]

Mitigating the Threat of Corporate Espionage

Corporate espionage is not just a plot for action movies; it is a real threat to small and large businesses.  […]

Leveraging Vulnerability Scoring in Prioritizing Remediation

The average organization has numerous types of equipment from different vendors. Along with the equipment, businesses also utilize multiple software […]

Achieving High Availability with Change Management

Change management is a key information security component of maintaining high availability systems. Change management involves requesting, approving, validating, and […]

Guidelines for Username and Password Risk Management

Hackers often bypass some of the best security technologies by exploiting one of the oldest tricks in the book, your […]

Physical Security for Data in Transit

Briefcase chained to his wrist, the officer cautiously looks for anything out of the ordinary as he makes his way […]

Fail Secure – The Correct Way to Crash

Do you think there is a right way to crash?  A system crash sounds like a bad thing all around, […]

Cisco Access Controls and Security

Many organizations use Cisco devices to interconnect, protect, filter, and manage networks so it is important to understand ways to […]

Criteria for Selecting a Risk Assessment Methodology

An information security risk assessment is the process of identifying vulnerabilities, threats, and risks associated with organizational assets and the […]

The Essential Link between Awareness and Security Policies

Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone’s desk. […]

Developing a Virtualization Security Policy

Since many organizations are rapidly virtualizing servers and even desktops, there needs to be direction and guidance from top management […]

Understanding Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is one of those terms that is often mentioned but less often defined. The term can […]

Reducing privacy and compliance risk with data minimization

Companies collect millions of gigabytes of information, all of which has to be stored, maintained, and secured. There is a […]

Business Continuity and Backups in the Virtual World

Virtualization has really become a mainstream technology and an effective way for organizations to reduce costs. Virtualization simplifies processes but […]

Critical security considerations for server virtualization

Virtualization is an excellent way to make better use of existing IT resources by utilizing them for multiple tasks.  It […]

Security Spending and ROI

I read an article by Bruce Schneier called Security ROI in CSO magazine. Here is an excerpt from it: “Assume […]

Incident Response Workshop

At the incident response workshop I ran, we talked through a data breach caused when private data on an FTP […]

New Phishing Messages Target Churches

Phishing has finally gotten more interesting.  I am tired of the Nigerian phishing schemes that continually enter into my mailbox.  […]

Backtrack Cybersecurity Toolkit

I used to recommend Auditor for security testing through Linux.  Auditor was similar to Knoppix, the bootable “live” version of […]

Cryptography Study Guide

Bruce Schneier has created a block cipher cryptanalysis study guide that you can download for free from his web site. […]

Down with the SPAM King

Alan Ralsky, the “SPAM King” and one of the largest spammers in the world, was jailed by the Department of […]

Wifi Rabbit

Nabaztagtag WiFi Rabbit

I was made aware of this little creature on the CWNP forums and it seems quite cool.  The Nabaztagtag WiFi […]

CWSP

I am really cutting this close.  The CWSP test changes on January 1 and I just scheduled the test for […]

Pen Testing

Penetration Testing: A proactive approach to secure computing

Kent State University is hosting me today to talk about penetration testing and what it can do for your company […]

Techniques for Motivating Secure Behaviors

The problem of motivating employees to do the right thing in security is an increasingly hard one.  Many companies have […]

Information Security Motivation

Information security seems like more of a human problem than a technological one.  Certainly, we spend a lot of time […]
