State-by-State Breakdown of Cybersecurity Legislation (Whitepaper)

As cybersecurity incidents, such as the Equifax data breach, continue to occur, states are beginning to recognize the need to impose cybersecurity requirements on companies in order to protect the personal information of individuals resident in the state. Many states’ cybersecurity laws have traditionally been focused on penalizing hackers and cybercriminals for criminal behavior. However,[…]

Thoughts on Building an Information Security Program that Sticks

Most executives realize that information security (and cybersecurity) is a rising threat within their organization. This is the new normal in the digital economy. As result information security professionals that used to be viewed as technical practitioners are finding seats at the executive table and at with the board of directors. The problem for most[…]

Petya Ransomware & Mitigation Steps

They Petya Ransomeware outbreak is the second such global attack in the last couple of month. The malware is spreading using same Microsoft Windows vulnerability that was exploited by the recent WannaCry ransomware event. Symantec confirmed that Petya uses the “Eternal Blue” exploit. Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but if you have put off installing the patch[…]

The Future of IoT Security

Required Reading: 1) IoT Growing Faster Than the Ability to Defend it 2) DDoS on DYN Impacts Twitter, Spotify, Reddit Until recently the security concerns associated with IoT devices have been mostly speculative. It’s easy to ignore how a webcam or a inexpensive gadget might be a cyber-security concern. Most people don’t think in terms[…]

Securing Corporate Wireless Access Points (WAPs)

The set of controls and conditions IT auditors look for during assessments of Wireless Access Points (WAPs) tends to vary auditor to auditor. In some cases, the IT auditor may make great suggestions for controls I have not seen many organizations put into place while in other cases, the auditor might point out the absence[…]

How to Check for Dangerous Certificates and Unsigned Windows OS Files

Sigcheck is a light weight Windows command-line utility that does an amazing job at scanning the digital certificate stores on your system for anything irregular and not part of the official Microsoft Trusted Root Certificate list. Additionally, the utility will also check the digital signatures of files and identify all unsigned files in a directory[…]

Developing & Implementing a Data Classification Policy

Properly classifying and labeling information assets is fundamental to a successful information security program, yet many organizations fail to implement one. Without proper asset classification, the organization exposes itself to additional risk of data breaches, accidental loss/release of sensitive information, losses in efficiency or additional costs associated with securing data that may not require it[…]

Tracking Data Breaches & Staying Informed

The Identity Theft Resource Center (ITRC) is a nonprofit organization that focuses on educating consumers, corporations, government agencies and other organizations on best practices related to fraud and identity theft detection, reduction and mitigation. Additionally, the organization does an excellent job of indexing and documenting data breaches as well! ITRC’s 2015 year-end report indexed 781[…]

2016 Cyber Risk Reports Reveal the Need for Effective Risk Assessments to Better Allocate Resourses

As companies continue to shift data and resources to electronic formats, a trend growing faster year over year, information and cyber risks shift to the top of management’s priority list. This means that management must dedicate more resources – resources that don’t exist – to the management information risk. This shortage of human resources combined with an exponentially growing[…]

I am an OPM Data Breach Victim- Next Steps

Nearly six months after the fact, I received a letter from the Office of Personnel Management notifying me that my information had officially been lost in the June 2015 breach. To add insult to injury, I was never actually a federal government employee. A few years ago, I consulted on a few enterprise systems migrations[…]