Blog

Understanding the Evolution of Network Security

Network security has been around almost as long as we’ve had networks, and it is easy to trace the various elements of network security to the components of networking that they try to mitigate. Over the past 30-35 years or so, the expansion of networking, especially the increased reliance on the Internet both as an avenue for commerce and as the...

The Six Commandments of the GDPR

Otherwise known as the measuring stick by which your GDPR compliance will be assessed, the six core principles of the GDPR are the basic foundations upon which the regulation was constructed. Unquestionable and pure in nature, they are rarely acknowledged for one simple reason: five of the six have no real application in helping you in peddling...

SCM: Reducing Security Risk via Assessment and Continuous Monitoring

As I discussed in a previous blog post, a key security control known as file integrity monitoring (FIM) helps organizations defend against digital threats by monitoring for unauthorized changes to their system state. But that's only half the battle. A change could be authorized but still create new security risk. Organizations need to watch for these...

How to Protect Your E-commerce Business from Cyber Attacks

Just as traditional brick-and-mortar businesses are targeted by anarchists during protests or times of unrest, e-commerce businesses are targeted by cyber criminals, except they don’t wait for a particular season or reason. Whether small, medium or large, every business is, sadly, at the mercy of hackers who will exploit every opportunity they get to...

Making Mistakes in Security

At some point in your career, you will make mistakes—small mistakes, big mistakes, even career-defining mistakes. I am writing this in retrospect because during the course of my job duties, I recently made a mistake. The details are irrelevant, but I wanted to share my experience with making mistakes in the professional world. Mistakes and human...

The Importance of a Strategic Response to Cyber Incidents

There are a variety of ways a company can experience cyber incidents, ranging from a distributed denial of service network attack to internal information theft. The first response is usually to enlist incident response professionals to resolve the issue as quickly and efficiently as possible. However, there are several factors companies should...

FIM: A Proactive and Reactive Defense against Security Breaches

No matter how well-designed it is, a security program will never prevent every digital attack. But an assault need not escalate into a data breach. Organizations can reduce the likelihood of a major incident by investing in key security controls. One such fundamental security component is FIM. Short for "file integrity monitoring," FIM helps...

New Study: Companies Aren't Prepared for Cyber Security Threats

In the modern world, it isn’t bank robbers we’re worried about – it’s cyber criminals. They can steal consumer information, alter data so that it gives false insights or remains corrupted for months or even years without notice, and even sell valuable intellectual property to the highest bidder, putting companies under. However, while many...

The Next Wave for Cybersecurity Awareness

The annual RSA Conference is a lot of things to a lot of people (43,000 this year!). For me, it’s become an annual opportunity to step out of the stream and to look back at what has happened in the last year and peer forward at what’s to come. This year, I think we have reached an inflection point around the way we as a profession treat the “human...

GDPR and the DPO: Five Things to Know About Your Next Job Vacancy

If the GDPR (General Data Protection Regulation), the EU's data protection harmonisation project, were to become a Hollywood movie, its genre would most likely be horror. Focus on the regulation over the past twelve months has been mostly aimed toward its penalties, with scare stories in no short supply. The GDPR has been called many things: visionary,...

Here's What You Missed at BSidesSF 2017

BSides is known for its collaborative and welcoming environment – something that truly sets it apart from the many other security conferences that are held these days. Today, the conference series has spread all across the world, yet its mission remains the same: to provide an open forum for infosec discussion and debate. Tony Martin-Vegue, a...

The Cost of Stolen Information Available on the Dark Web

Large hacks and cyber-attacks aimed at exploiting information, affecting everyone from major company databases to politicians’ email accounts, have now become a common occurrence in our ever-connected world. This hacked information – and the act of accessing it – has rapidly become a sought-after product and service on dark web marketplaces. Coupled...

A Primer on GDPR: What You Should Know

What is GDPR, when is it coming, and what steps should you take to comply? If you’ve been following the information security news or Twitter feeds, then you’ve no doubt seen the increase in traffic around the General Data Protection Regulation (GDPR). And there’s a good chance you’ve been ignoring it, as well. It’s time to pay attention, for GDPR is...