Could Your Computer Breach Have Lasted Three Years?

Irvine, CA - Juniper had a flaw in their networking equipment that may have allowed breaches in government networks for as long as three years.  I would presume the same risk applies to Juniper users in private enterprises as well.The [...]

Could Your Computer Breach Have Lasted Three Years?2015-12-19T03:24:37-08:00

What 12 Security Things Should I Focus on to Be Defensible in 2016?

Here is a sneak-peek and what is likely my most important blog for the upcoming New Year.  This is just a partial teaser....

----------------------------------------------------------------------

Irvine, CA - I was recently asked by a roundtable of CEOs to advise them on network security.  They had a lot of questions and a lot of misinformation.  I was surprised as this was a group of technology company CEOs and what I quickly found out is that they did not know much more than my non-tech company CEO clients.  From that discussion they asked me to come back and present to them a short list of actions they should take in 2016 to better secure their systems.  Initially I wanted to present them with a list of 10 things they should focus upon.  For anyone that knows, it is easy to create a list of 100 things that should be done to secure a system. However, I decided in order to make the list actionable and not overwhelming I needed to focus on the 10 things I have seen in the past year or two that have caused the most real-life grief for our new and existing clients.  I wanted to keep the list to 10 items, but I had to fudge a bit and expand to 12 core items. Then I added three bonus items for those who are over-achievers and another three for those in regulated businesses like healthcare, financial services and Sarbanes-Oxley.

This list is not complete nor absolute.  It is a list I have created largely in order of my perceived importance based upon the real-life hacks, breaches and other maladies related to failures of network security to keep the bad guys out.  You will need to assess the requirements that are appropriate for your firm.  If you are looking for a good place to start, I offer up my suggestions below.

1.       You need to do a vulnerability assessment or security assessment.  It is impossible for you to know what actions you should take to properly secure your systems without first doing an assessment.  Assessments are common practice at many firms, yet completely ignored at others.  It is fairly easy for you to order a vulnerability assessment and the best part is that it takes very little time and participation from you and your IT staff.  The cost for this service ranges from a few thousand dollars for a very small firm to several tens-of-thousands or even hundreds of thousands of dollars for larger enterprises.  These should be done at least once per year just like your financial audit.

2.       Patching for Software Security Updates is perhaps one of the most overlooked and under-rated security measures you can implement to better secure your systems.  I maintain that good software patching measures are in some ways more important than your firewall.  A firewall is a formidable device that once it gets set-up has a number of ports opened up so that your firm can transact business.  That is where it gets weak.  Through these legitimately opened ports attackers will send nasty payloads that compromise your system, often without you knowing.  Imagine a hardened castle all buttoned up, but the draw bridge must be opened in order to conduct commerce.  Through that legitimately opened bridge come the sneak attacks, the scammers, crooks, mischievous and spies....

What 12 Security Things Should I Focus on to Be Defensible in 2016?2015-11-12T03:10:52-08:00

BlueCross BlueShield Announces August 5th Data Breach Discovery

Tustin, CA - The most interesting part of this BlueCross BlueShield announcement is not that they found the breach on August 5th.  What is interesting when you read further into the announcement is that they say “Our investigation further revealed [...]

BlueCross BlueShield Announces August 5th Data Breach Discovery2017-09-18T00:38:04-07:00

Password Tip and Weekly Tips on Smart Business Practices

David Berkus writes a very good weekly blog on “cutting edge business success tips.”  The series of blogs is called Berkonomics and it is worth your time to go there and register to receive the weekly e-mails.  Here is an example of his writing on the topic of “Switching Costs.”  You can sign-up HERE.  Dave’s series of blogs is also available in three Berkonomics books.

While I love reading Dave’s blogs and I am therefore sharing the information above, my main reason for writing this blog today is to share another piece of the endless wisdom that comes from Dave.  This week his blog e-mail started with this paragraph:

First, let me PLEAD with you to take care with your email and strengthen your email password. A clever hacker invaded....

Password Tip and Weekly Tips on Smart Business Practices2015-06-10T17:00:00-07:00

Some Good Q&A on Backup and Disaster Recovery

1. Where should small businesses start with disaster recovery, whether or not they already have a DR plan in place? What is the first question the small business owner needs to ask?

I recommend starting with determining RTO and RPO.  If the small business owner starts here he or she will be off to a good start with the DR plan.  What are RTO and RPO?

•         RTO – Recovery Time Objective, the time between the disaster and when the system has been made operational again.  Why is this important?  Different businesses have different costs associated with...

Some Good Q&A on Backup and Disaster Recovery2015-03-02T15:43:00-08:00

What nineteen audiences in twelve months taught me?

Navigating Fear in the Security and Compliance World

In advancing technology it is fear of having a project go sideways, over budget or fail to accomplish the stated objective that has many frozen. What if that technology we recommend doesn’t work as we hope? What if it is something required by law (such as encryption in healthcare) that we fear an unknown outcome so much that we won’t act? What if we miss a key component of a project or underestimate the effort required and the entire project goes over our budget?

What nineteen audiences in twelve months taught me?2014-12-17T23:02:14-08:00

Senate Passes Retroactive Tax Relief Under Section 179

This is one time you may want to make a quick call to your accountant, then order up some of those infrastructure items you are putting off. A bill known as “tax extenders” if signed by the president will reinstate Section 179 tax [...]

Senate Passes Retroactive Tax Relief Under Section 1792023-08-11T01:47:43-07:00

How Can An IT Security Breach Cost Me My Job? The Sony Pictures Case

I don’t normally give a moments notice to stuff that goes on in Hollywood, but the story “Future of Sony's Amy Pascal questioned after hacked email revelations” caught my attention because of the cyber security aspect involved.  So often I hear executives say something similar to “I don’t worry about our security because we don’t have anything anyone would want to hack into.”

That complacent assessment is wrong as most everyone knows since today nearly all hacking/security breach incidents are the result of indiscriminate malware that scans the Internet searching for vulnerable systems.  When that malware finds a vulnerable system most of them run automated code that looks for passwords, bank account information, encrypts data for ransom, etc.

In this particular case a ton of data was stolen and released.  The implication for Sony Pictures Co-Chairman is that her personal e-mails were....

How Can An IT Security Breach Cost Me My Job? The Sony Pictures Case2024-03-14T00:18:56-07:00

Why Will My Company be Listed on the HHS Wall of Shame?

6 Reasons Organizations Fail to Encrypt ePHI

The drumbeat of HIPAA breaches in the media is incessant, and the refrain is the same: yet another PC containing electronic protected health information is stolen, so the organization is compelled to notify patients, Health and Human Services, and the media.  The Office of Civil Rights swoops in, levies a 7 figure fine, and posts the offender on the HHS “Wall of Shame”, resulting in a damaged reputation and loss of future earnings.

Ironically, had the PC’s hard-drive been encrypted, the loss would have been a non-event, unreportable given the Safe Harbor provisions of HIPAA.  And inexpensive encryption technology has been readily available for years.  Yet, 538 or 46% of the 1,171 Breach Notifications posted on the Wall of Shame stem from the simple loss of a computer with an unencrypted hard-drive.

So, if it is so obvious how to correct the deficiency that single-handedly accounts for the most frequent HIPAA Breach Notifications, why don’t more organizations properly encrypt and protect the ePHI entrusted to them?  Here are the six most common reasons we discover during our risk assessments …

Why Will My Company be Listed on the HHS Wall of Shame?2014-12-08T18:10:15-08:00