Craftsmanship in Music and Compliance

If you’ve been on stage for a speech or performing arts, you know stage fright is real. Businesses can get nervous when they hear the word “audit” in the same way musicians can get nervous before a performance. However, there is one great way to alleviate that fear: preparation. If your business prepares well, you[…]

Managing an Organization’s Passwords

How to keep the keys to the kingdom from escaping the kingdom. Proper password management is a huge step that an organization can take to strengthen security. It also addresses multiple criteria for all the major security frameworks. For example, see examples from ISO 27001 and SOC 2 as of the date of this writing:[…]

Planning, Executing and Learning from Tabletop Exercises

Throughout the process of maturing your governance and compliance environment, you have likely encountered the need for conducting an annual or quarterly preparedness exercise, commonly referred to as a “tabletop exercise”. These exercises are required for compliance with numerous standards, including ISO 27001/22301, GDPR, and SOC 2 just to name a few. While the focus[…]

Business Continuity Planning: It Takes a Village

  Business Continuity Planning (BCP) and Disaster Recovery are essential tools for organizations of any size and maturity level; but what may not be apparent is the appropriate amount of resources required to ensure organizations are prepared with an effective BCP. All too often, the task of constructing and maintaining the organizations Business Continuity Plan[…]

Are Pen Test and Vulnerability Scans Required for a SOC 2 Report?

Are Pen Test and Vulnerability Scans Required for a SOC 2 Report? There has been much confusion lately in the SOC 2 market as companies seek to understand the need-to-haves vs. the nice-to-haves when it comes to obtaining a SOC 2 report.  Much of this confusion was brought about by the December 2018 upgrade of the Trust Services Criteria, and associated Point of Focus, intended to align SOC 2 with the 2013 COSO framework.

Beyond Vulnerability Scans: Mitigating and Monitoring for Malware Leveraging C2 Systems

Many modern forms of malware are now file-less and rely on Command & Control (C2) infrastructure to assist outsiders with gaining unauthorized access to networks. This malware “phones home” to remote attackers, who then leverage the internal foothold to infiltrate networks and execute attacks. These attacks can be difficult to detect when security monitoring is[…]

Securing Enterprise Networks with Port-Based Network Access Control

One of the biggest threats facing enterprises are outsiders plugging directly into an Ethernet port and being granted instant, unauthenticated access to the network. This threat is especially common in hospitals where there is heavy use of computer systems mixed with untrusted outsiders roaming the halls. Shutting down unused ports is the traditional mitigation. Still[…]

Analyzing Your Attack Surface Like A Hacker

When most people think of hacking, they think of what Hollywood portrays. In a dark basement, a hooded, perhaps tattooed outcast rapidly types nonsensical keystrokes at a flashy computer monitor for several seconds before snidely muttering, “I’m in.” By that representation, the hacking process seems pretty straightforward: find a vulnerability, exploit it and ride off[…]

Understanding Different Types of Penetration Testing Engagements

There is understandably quite a bit of confusion in the market place when it comes to offensive security engagements. Consultants use a number of terms and phrases that often times overlap with one another quite a bit, but often times fail to differentiate effectively. For example: Vulnerability assessment Vulnerability research Penetration test Security Audit Red[…]