In the healthcare industry, data sets are growing rapidly, both in volume and complexity, as the sources and types of data keep on multiplying. As of now, 30 percent of the world's information is assessed to be medical services data, and in the U.S., many hospitals collect over 100 data points per patient per day. This healthcare data keeps on being...

ABBYY, the developer of optical character recognition and text-scanning software, left a server containing 142GB of a customer's scanned documents exposed for anyone on the internet to access, no password required. The AWS-hosted MongoDB server, accidentally left configured for public access, contained some 203,896 properly OCR'd contracts, non...

If you are like most infosec professionals, each day brings new and interesting challenges. However, like most jobs, there are valleys that we fall into along the course of our professional development. How long can you stare at your SIEM tool before you start to experience some mild tunnel vision, or worse, severe burnout? Neither of these are...

Earlier this year, the City of Atlanta suffered a ransomware attack on the city’s computer systems. The attack affected more than one-third of Atlanta's 424 essential programs, close to 30 percent of which were “mission critical” functions. While most of the visible damage has been remedied, the effects of the attack will be felt for a long time....

March 15, 2018, was a momentous day for U.S. homeland security officials. On that date, the Department of Homeland Security (DHS) and the Federal Bureau of Investigations (FBI) for the first time ever attributed digital attacks on American energy infrastructure to actors associated with the Russian government. Their joint technical alert (TA)...

Hackers planted malware on an automated teller machine (ATM) server belonging to an Indian bank as part of a criminal scheme which saw the theft of nearly 944 million rupees (US $13.5 million) in a co-ordinated attack across 28 countries last weekend. India's Cosmos Bank, based in the western city of Pune, suffered an attack which saw hackers use...

What is Caller ID? Caller identification (Caller ID) is a service that allows the receiver of a phone call to determine the identity of the caller. Caller ID is initially sent over at the start of the phone call and identifies the incoming caller before the receiver answers the phone. Caller ID is not associated with the actual phone number but is...

The landmark NYS DFS cybersecurity regulation that took effect in New York State in March 2017 is approaching its third of four milestones. This was the first regulation of its kind that included prescriptive direction for the protection of personally identifiable information handled by all financial institutions that conduct business in the State....

In early August, I will be leading a couple of sessions at the Community College Cyber Summit about cyber security fundamentals. I've also been spending time working with my amazing colleagues thinking about DevOps. Spending so much time going back and forth from "back to basics" and "the future of development" had me thinking that securing DevOps...

I’m an executive-level security headhunter. That means I spend a lot of my week doing two things: talking to CISOs or those people ready to be CISOs and consulting with companies that are in the market for a security leader. My experience is that companies looking for a security leader fall into three categories. The first category consists of...

European Union data protection law restricts the transfer of EU-origin personal data to countries outside the European Economic Area unless there is a mechanism in place to ensure an adequate level of protection of the personal data. In 2000, the European Commission approved the EU-SU Safe Harbor Privacy Principles that allowed many U.S. companies...

Someone leaked the source code for the Exobot Android banking trojan online, leading the malware to circulate widely on the underground web. Bleeping Computer said it received a copy of the source code from an unknown individual in June. In response, it verified the authenticity of the code with both ESET and ThreatFabric. Security researchers from...

In the age of DevOps, application security is an increasing concern for organizations. But attention on application-specific security bugs is comparatively low. We have extensive online security scanners for testing online threats, but they are not so effective for detecting security vulnerabilities that are application-specific in Python, Node.js...

What does a human need to survive? Typically, the first two items are food and water followed by a place live. Most of us take for granted that our water supply is always safe and drinkable. As such a vital resource, one would think that the critical infrastructure that purifies and monitors water must be completely secure at all times....

Controls—SOC 2 is all about controls. It's right there in the name: Service Organization Controls, S-O-C. A SOC 2 report is a de facto requirement for any organization that wants to store any customer data in the cloud, which means most SaaS or cloud service providers. Unlike PCI DSS, which is prescriptive and very technical, the American Institute of...

So, you recognize that insider threats are a considerable risk inside your company? Just imagine how serious those threats are for a business that designs mobile spyware for helping law enforcement and intelligence agencies spy on "people of interest." NSO Group is a firm that, in its own words, provides "authorized governments with technology that...

Insider threats top the list of the most dangerous cyber risks for organizations worldwide. It doesn’t take much effort for insiders to steal your sensitive data, while such activities are hard to discover and impossible to prevent. Unfortunately, lack of visibility into user behavior is one of the key reasons why companies suffer from data breaches...

Last time, I had the pleasure of speaking with Susan Ballestero. She taught me a lot about what it’s like to work in a security operations center. This time, I got the opportunity to speak with Rebecca Herold. She’s been in the cybersecurity field for quite a long time now. She founded SIMBUS, LLC, a thriving information security, privacy and...

On June 28, California passed a sweeping data privacy law after only one week of work. Unless AB 375 (the California Consumer Privacy Act of 2018) is amended before its January 1, 2020, effective date, the law will be the strictest data privacy law in the United States, and will require data privacy protections and requirements similar to or broader...