Tag Archives: compliance

[ISN] 6 Biggest Blunders in Government’s Annual Cyber Report Card

http://www.nextgov.com/cybersecurity/2015/03/6-biggest-blunders-governments-annual-cyber-report-card/106512/
By Aliya Sternstein
Nextgov.com
March 2, 2015

The White House has released its yearly assessment of agency compliance with the governmentwide cyber law known as the Federal Information Security Management Act. And given the spate of breaches and hacks that hit both government and the private sector, the results may not be all that surprising. Sensitive agency data is often not encrypted. Many departments do not use two-step verification for accessing government networks, despite post-Sept. 11 requirements that employees carry login smart cards. And cyber training is deficient in one of the most unlikely areas…

2014’s Biggest Federal Computer Security Blunders

1. Federal agencies reported 15 percent more information security incidents in fiscal 2014 compared to fiscal 2013, rising from 60,753 to nearly 70,000 events. These incidents included phishing attempts, malware infections and denial-of-service attacks, as well as leaks of paper records and sensitive emails sent without encryption. […]

[ISN] 3 things CSOs can learn from CPOs

http://www.csoonline.com/article/2877972/security-leadership/3-things-csos-can-learn-from-cpos.html
By Maria Korolov
CSO
Jan 29, 2015

The role of the CSO and CIO has been changing dramatically as technology becomes more and more vital to business strategies. Sometimes, it can be hard to keep up. Amol Joshi, SVP of business development at Redwood City, Calif.-based Ivalua Inc., suggests that CSOs and CIOs can pick up a few tricks from Chief Procurement Officers.

1. Create and use contract templates

Many CIOs and CSOs are faced with the responsibility of creating or reviewing contracts with outsourcers, contractors, part-time help, software vendors, data centers, cloud services providers and other vendors and suppliers. CPOs have been doing this for a long time, and one trick that they use is to create a library of clauses that they can put into a contract when needed. These clauses have to be kept up to date, Joshi said. For example, cloud SLAs evolve all the time, as do compliance requirements. […]

[ISN] Cyber Security Audit: Washington Agencies Not In Full Compliance

http://boisestatepublicradio.org/post/cyber-security-audit-washington-agencies-not-full-compliance
By Austin Jenkins
NPR Radio
December 15, 2015

The state of Washington has good cyber security standards, but state agencies don’t always adhere to those standards. That’s the finding of a performance audit released Monday. Cyber security has emerged as a leading threat to the U.S. government and corporate America. Sony Pictures is the latest high-profile victim, but state and local governments are also potential targets. […]

[ISN] The 10 Biggest Bank Card Hacks

http://www.wired.com/2014/12/top-ten-card-breaches/
By Kim Zetter
Threat Level
Wired.com
12.02.14

The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches. A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot. Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars.

The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen.

Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed.
The PCI security standard (.pdf) which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant to the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment. […]

[ISN] Why Health Data Security Still Has Catching Up To Do

http://healthitsecurity.com/2014/11/17/health-data-security-still-catching/
By Elizabeth Snell
Health IT Security
November 17, 2014

There is no question that the healthcare industry and its subsequent health data security options have made great strides over the last several years. However, with cyber thieves more interested than ever before in medical information, it is essential for healthcare organizations to go beyond the standard HIPAA compliance standards.

Mark Ford, Principal of Deloitte Cyber Risk Services, specializes in the healthcare industry and discussed the current cyber threats and health data security issues with HealthITSecurity.com. According to Ford, the healthcare sector has come a long way in the last five years alone. However, the industry is still behind others – such as manufacturing and financial services – in terms of implementing the necessary cyber risk prevention measures.

“What I’ve seen over time is the industry is making progress,” Ford said. “It’s still kind of slow, it’s more reactive, and has a more compliant focus still. There’s a pretty significant gap between where they are today and where they ultimately need to be. The only way to close that gap is to obviously understand what it is and does to make sure they can lift themselves up to another level of maturity in the future.”

For example, Ford explained that from the mid-1990s to the early 2000s, approximately 70 percent of the online threats to the healthcare industry were from insider threats. The rest was relegated to hacker threats. However, that has shifted as there are now different types of hackers. […]

[ISN] DISA in Compliance with Cloud Security Standards

http://www.nextgov.com/defense/whats-brewin/2014/11/disa-compliance-cloud-security-standards/98120/
By Bob Brewin
Nextgov.com
November 4, 2014

The Defense Information Systems Agency currently offers its military customers certified cloud computing services from three vendors and has another seven under assessment for compliance with governmentwide security standards, top agency officials told Nextgov.

FedRAMP reviews aim to speed the adoption of cloud deployments across government by allowing cloud services to be vetted once – at a particular security level – and then deployed by a multitude of agencies. Agencies must comply with FedRAMP as a matter of federal policy. But as noted in a recent review from the Council of Inspectors General on Integrity and Efficiency, neither the FedRAMP program office nor the Joint Authorization Board

[ISN] Spike in Malware Attacks on Aging ATMs

http://krebsonsecurity.com/2014/10/spike-in-malware-attacks-on-aging-atms/
By Brian Krebs
Krebs on Security
October 20, 2014

This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad.

Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR. To learn more about how these attacks are impacting banks and the ATM makers, I reached out to Owen Wild, NCR’s global marketing director, security compliance solutions. Wild said ATM malware is here to stay and is on the rise.

BK: I have to say that if I’m a thief, injecting malware to jackpot an ATM is pretty money. What do you make of reports that these ATM malware thieves in Malaysia were all knocking over NCR machines?

OW: The trend toward these new forms of software-based attacks is occurring industry-wide. It’s occurring on ATMs from every manufacturer, multiple model lines, and is not something that is endemic to NCR systems. In this particular situation for the [Malaysian] customer that was impacted, it happened to be an attack on a Persona series of NCR ATMs. These are older models. We introduced a new product line for new orders seven years ago, so the newest Persona is seven years old. […]

My Latest Gartner research: Emerging Market Analysis: Data Center Security IT Strategy and Monetization in Midsize Organizations — A Global Perspective

Organizational priorities on security technologies vary significantly, from compliance and regulatory enforcement, to outsourcing and the impact on security services. Midsize organizations seek security deployments that minimize complexity, and increasingly favor cloud-based security …

Gartner clients can access this research by clicking here.
