Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit card numbers. So it may surprise you to learn that your health care information is under attack too. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, they are leaving the door wide open for criminals.
How Bad Is It?
A recent study by the Ponemon Institute revealed that 94% of medical institutions have[…]

At the RSA Conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts and made suggestions about what improved solutions might look like. During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is that we are relying on the wrong people to solve this challenge.
Are People The Problem?
Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN’s and the AP’s Twitter feeds, or the hack of Target’s HVAC contractor that led to their breach, people are[…]

As a small business owner, I often find myself having some of my most productive time on Friday afternoons. My clients have gone home for the weekend, and my staff members are wrapping up their week’s work and completing their timesheets. I’ve got a few hours of time to myself to get things done. Dinner time rolls around and I’m inevitably the last one out of the office, shutting off the lights and locking the door behind me. What a lot of people don’t realize is that even once they’ve turned out those lights and locked that door, strangers might still be coming into their place of business.
Network Connections Are Like Doors
Just like a door, a network connection can[…]
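If network connections are doors, the first thing to know is which ones are unlocked after hours. The following script is an added example, not code from the original post: it parses the Linux /proc/net/tcp table (the same data `ss -ltn` shows) and sorts every listening socket into "reachable from any network" (bound to 0.0.0.0), "local only" (bound to 127.x) or "a specific interface". The sample table embedded below is constructed for the example, not captured from a real host, and the address decoding assumes a little-endian machine (x86 or ARM), which is how the kernel prints those fields there.

```python
"""Audit which TCP ports a Linux host is listening on, and for whom.

Added example (not from the original post). Reads the /proc/net/tcp
table format; when run on a real host it reads the live file, otherwise
it falls back to the constructed sample below.
"""
import os

LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not from a real host):
# a service on 22 bound to every interface, MySQL on 3306 bound to
# loopback only, one established connection (not a listener), and
# something on 8080 bound to every interface.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 0200000A:D4A3 01 00000000:00000000 00:00000000 00000000   106        0 12003 1 0000000000000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12004 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into ('a.b.c.d', port).

    The kernel prints the IPv4 address as a 32-bit integer in host byte
    order, so on a little-endian machine (assumed here) the octets are
    reversed: 0100007F is 127.0.0.1.
    """
    hex_ip, hex_port = field.split(":")
    octets = bytes.fromhex(hex_ip)[::-1]
    return ".".join(str(b) for b in octets), int(hex_port, 16)


def parse_tcp_table(text):
    """Return one dict per socket row; the first line is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = decode_endpoint(fields[1])
        remote_ip, remote_port = decode_endpoint(fields[2])
        rows.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": fields[3], "uid": int(fields[7]),
        })
    return rows


def audit_listeners(text):
    """Classify listening sockets by how far their 'door' is open."""
    report = {"exposed": [], "local_only": [], "other": []}
    for row in parse_tcp_table(text):
        if row["state"] != LISTEN:
            continue  # established/closing connections are not doors
        endpoint = (row["local_ip"], row["local_port"])
        if row["local_ip"] == "0.0.0.0":
            report["exposed"].append(endpoint)      # anyone who can reach the host
        elif row["local_ip"].startswith("127."):
            report["local_only"].append(endpoint)   # only processes on this box
        else:
            report["other"].append(endpoint)        # one specific interface
    return report


def main():
    path = "/proc/net/tcp"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    report = audit_listeners(text)
    for label in ("exposed", "local_only", "other"):
        for ip, port in report[label]:
            print(f"{label:11} {ip}:{port}")


if __name__ == "__main__":
    main()
```

Everything under `exposed` is a door that stays open after you lock the physical one; each entry should map to a service you can name and a reason it needs to face the network. IPv6 listeners live in /proc/net/tcp6 with the same layout and 32-hex-digit addresses, which this example does not decode.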

Some people said it was the biggest startup to come out of Stanford since Google. After securing some seed funding from professors, and then raising $25 million in a party round, Clinkle was destined for greatness among startups. Clinkle was designed to become the payment service all of us could use to manage credit cards, banks, and cash from our smartphones. And yet, I’m guessing the majority of this blog’s readers have never heard of them. Why could that be?
The rise comes before…
Launched in 2011, Clinkle got a lot of hype. Big names like Richard Branson and Peter Thiel, and organizations like Intuit and Intel, were among the investors. They were clearly excited about something. But Clinkle has[…]

Recently, an article came to my attention about social networks being gamed in order to hurt the reputations of competitors and enemies. With all the talk these days of search engine optimization, social media experts, and the “internet of things” we are looking to connect our information to as many people, and in as many ways, as possible. Have you considered the ways this might hurt you instead? We are beginning to get a handle, as a society, on the minimum viable security that every organization needs in order to stay in business and not be destroyed by the constant noise of attacks facing us on the Internet. But what happens when instead of facing a distributed denial of service[…]

Today’s reading brought me to another article by Brian Krebs about his continuing research into the breach at Target. The lengthy article points to some newly uncovered clues and offers some conjecture as to how the breach may have been carried out. One part of it definitely caught my eye, because it is closely related to work we get called on to do on a regular basis:
That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base[…]
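The practical lesson in that excerpt is that accounts a product created, not the business, are exactly the ones nobody watches. The script below is an added example, not code from the original post or from Krebs’ article: it runs a watchlist of vendor-default account names over an export of Windows logon events and flags every success or failure for those accounts. The only watchlist entry is the one name the post mentions, “Best1_user”; any others are for the reader to add. The event lines are constructed for the example (a simple CSV with timestamp, event ID, host, account, logon type and source address), not real Target or Windows data, and the column names are an assumption about how the export was made.

```python
"""Flag authentication events for accounts that ship as vendor defaults.

Added example (not from the original post or from Krebs' article).
Input is a constructed CSV export of Windows logon events:
4624 = successful logon, 4625 = failed logon.
"""
import csv
import io
from collections import Counter

# Account names present because a product installed them. Only
# "Best1_user" comes from the page; add the defaults of whatever
# management suites run in your environment (assumption: you know them).
DEFAULT_ACCOUNT_WATCHLIST = {"best1_user"}

# Constructed sample export (not real data). Column names are assumed.
SAMPLE_LOGON_EVENTS = """\
timestamp,event_id,host,account,logon_type,source_ip
2013-11-20T02:14:05Z,4624,POS-012,Best1_user,3,10.0.0.5
2013-11-20T02:14:09Z,4624,POS-012,jsmith,2,-
2013-11-20T02:15:31Z,4625,FILESRV01,BEST1_USER,3,10.0.0.5
2013-11-20T02:16:02Z,4624,FILESRV01,CORP\\Best1_user,3,10.0.0.5
2013-11-20T02:16:40Z,4624,DC01,svc_backup,5,-
"""


def normalize_account(name):
    """Strip a DOMAIN\\ or HOST\\ prefix and lower-case for comparison."""
    return name.rsplit("\\", 1)[-1].strip().lower()


def flag_default_account_logons(csv_text, watchlist=DEFAULT_ACCOUNT_WATCHLIST):
    """Return every logon event (success or failure) for a watchlisted account."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if normalize_account(row["account"]) not in watchlist:
            continue
        hits.append({
            "timestamp": row["timestamp"],
            "event_id": int(row["event_id"]),   # 4624 success, 4625 failure
            "host": row["host"],
            "account": row["account"],
            "logon_type": int(row["logon_type"]),  # 2 interactive, 3 network, 5 service
            "source_ip": row["source_ip"],
        })
    return hits


def summarize_by_host(hits):
    """Count flagged events per host, noisiest host first."""
    counts = Counter(h["host"] for h in hits)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = flag_default_account_logons(SAMPLE_LOGON_EVENTS)
    for h in found:
        print(f'{h["timestamp"]} {h["event_id"]} {h["host"]:10} '
              f'{h["account"]:18} type={h["logon_type"]} from {h["source_ip"]}')
    print("per host:", summarize_by_host(found))
```

The comparison is case-insensitive and ignores a domain or host prefix, because the same account shows up as `Best1_user`, `BEST1_USER` and `CORP\Best1_user` depending on which log wrote it. The point is not that any one event is malicious; it is that a vendor-installed account should produce no logons you cannot explain, so even a handful of hits is worth a look.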