What to do with the last of your 2017 cyber security budget?

Posted by:

Late in the financial year, it can difficult to figure out the best way to spend what’s left over in the information security budget.

No one wants to leave money on the table, especially when it could significantly reduce your exposure to cyber risk. The problem is that for any experienced IT security lead, you know there are thousands of ways that money could be spent: training, new security software, hardware upgrades, policy or system reviews, etc

Any of ...

Read More →
0

Lessons learned from the Equifax Breach – Part 2

Posted by:

Here is Part 2 of Lessons learned from the Equifax Breach. See Part 1.

Own up, make changes and say sorry:

According to Whois, Equifax registered their Equifax Security 2017 site (would Equifax insecurity have been a better name I wonder?) in late August. Incidentally, this is a month *after* they claim to have witnessed suspicious network traffic associated with their US online dispute portal.  

Yet they only informed the world via ...

Read More →
1

Lessons learned from the Equifax Breach – Part 1

Posted by:

First, Props to @briankrebs for the evil Equifax logo. 

While those unaffected by the Equifax breach have been stuffing their faces with proverbial popcorn as they watch the latest unveilings and press announcements, those worried that their most sensitive and identifying details have been leaked simply look on in horror, unknowing how to proceed.

The exact details of how the hackers made off with so much data remain fairly obscure. Equifax has

Read More →
1

NYDFS tweak proposed cybersecurity regulations; start date pushed back to 1 March 2017

Posted by:

Last September, TBG Security wrote a helpful blog article on the proposed cybersecurity regulations put forward by the the New York State Department of Financial Services (NYDFS).

The NYDFS aimed to have these new cybersecurity requirements (23 NYCRR 500) enforceable by 1 Jan 2017. However, last week, on the 28th of December, NYDFS issued the following press release, effectively delaying the launch date to March 1, 2017.  


Read More →
0

IoT and DDOS: security advice following the Marai botnet attack on Brian Krebs

Posted by:

A giant botnet made up of zombie internet-connected devices (or IoT devices) was used to strike a massive Distributed Denial-of-Service attack (DDoS) against Brian Krebs’ website, the site of a well-known cybersecurity blogger, last month.

Some have estimated the botnet’s size may have been a million strong.

Worse, as Krebs reported on the 1 Oct:

 “The source code that powers the “Internet of Things” (IoT) botnet responsible for launching ...

Read More →
0

How to provide IT security training that works

Posted by:

All IT teams in medium to large organizations know that they should be providing regular IT security training to staff members. Small businesses should be doing it too, but might not be as aware of the need for cybersecurity training for non-IT staff.

Thing is, other jobs always seem to get in the way. Firefighting system availability, authentication, confidentiality and security issues means that training often drops down the priority list.

Even in security-conscious organizations, months, and even years, can pass without ...

Read More →
0

Addressing the PEBCAK scenario: protecting systems against rogue employees (PART 2)

Posted by:

malicious employeeIn the PART 1, we discussed how non-malicious employees can disrupt business continuity. This post will focus on the malicious or rogue employee and outline what you can do to obstruct an inside job.

First off, many wonder just how big of a problem is posed by rogue employees? Take a look at these recent ...

Read More →
0

The PEBCAK scenario: securing systems against non-malicious employees

Posted by:

Ever use the expression PEBCAK? What about ID-Ten-T error?*

While many variations exist, they all mean the same thing: user error. Ignoring the negative sentiment implied, it’s effectively a shorthand to say, “not our fault.”

In the world of, say, technical support, perhaps this expression might be acceptable. Many tech support teams exist simply to ensure their widgets are functioning correctly. But when an IT representative uses such terms to refer to a user within the organization, shouldn’t it raise a red ...

Read More →
1
})
SEC Cybersecurity Exams