INFOSECURITY NEWSLETTER

March 22, 2017

Cisco Issues Critical Warning After CIA WikiLeaks Dump Bares IOS Security Weakness

Michael Cooney, Networkworld.com, March 20, 2017

A vulnerability in Cisco’s widely deployed IOS software, disclosed in the recent WikiLeaks dump of CIA exploits, has prompted the company to issue a critical advisory to customers running its Catalyst switches.

Read More

Latest Phishing Tactics: Infected PDFs, Bogus Friend Requests, Fake HR Emails

Bill Brenner, Nakedsecurity.sophos.com, March 15, 2017

There’s good and bad news on the phishing front.
The good news: attackers don’t seem to be coming up with many new tactics to target their victims. The bad news: they don’t have to. They’re doing just fine hooking their prey with the same old tricks.

Read More

Cobol Plays Major Role in U.S. Government Breaches

Patrick Thibodeau, Computerworld.com, March 16, 2017

New research is turning on its head the idea that legacy systems — such as Cobol and Fortran — are more secure because hackers are unfamiliar with the technology.

Read More

Inside Kerberoasting: Cracking Weak Network Service Account Passwords

Paul Brandau, Delta-risk.net, March 17, 2017

In our previous blog posts, we demonstrated how important it is for penetration testers to obtain credentials that grant administrative access to hosts within the organization in order to escalate their privileges. This week, we discuss a relatively recent privilege escalation technique known as Kerberoasting, which pen testers and malicious hackers alike can use to crack weak network service account passwords offline.

Read More

The Importance of a Strategic Response to Cyber Incidents

Tripwire.com, March 20, 2017

There are a variety of ways a company can experience cyber incidents, ranging from a distributed denial of service network attack to internal information theft.
The first response is usually to enlist incident response professionals to resolve the issue as quickly and efficiently as possible. However, there are several factors companies should consider in determining the best response to an incident. The fact is, a poorly executed response or ill-thought-out strategy can have long-term consequences for your business.

Read More

Why Cybersecurity is a Business Manager’s New Best Friend

Rajiv Gupta, Cmswire.com, March 13, 2017

Say “Silicon Valley startup” and people think innovation. And innovation for many is synonymous with the creed, “Move fast and break things.”
But when Zenefits was caught up in a regulatory scandal, the company reinvented itself with a culture of compliance to regain consumer trust in its software. Companies pursuing innovation and agility are now investing in trust as a competitive differentiator.

Read More

The Canadian Government Has Been Hacked, And Experts Say Many More Hits Are Coming

Pymnts.com, March 14, 2017

The Canadian government was forced to pull the plug on its website for filing federal taxes after it became clear that cybercriminals had broken into the statistics bureau last week. The hack was reportedly made possible by a newly disclosed bug in the site's software.

Read More

Google Points to Another POS Vendor Breach

Brian Krebs, Krebsonsecurity.com, March 16, 2017

For the second time in the past nine months, Google has inadvertently but nonetheless correctly helped to identify the source of a large credit card breach — by assigning a “This site may be hacked” warning beneath the search results for the Web site of a victimized merchant.

Read More

Health Law Alert: 2017: Time to Update Your Organization’s HIPAA Risk Assessment?

Kimberly L. Cappleman, Phelpsdunbar.com, March 17, 2017

The HIPAA security rule requires covered entities, including health care providers and health plans, and their business associates to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Many compliance plans require this assessment on an annual or periodic basis. If your organization has not updated its risk assessment recently, a review of recent enforcement activity by the Department of Health and Human Services’ Office for Civil Rights (OCR) indicates that now may be the time to do so.

Read More

HIPAA and Hospitals: Five Reasons Medical Data Storage is Often Not Compliant

Arman Sadeghi, Hitechanswers.net, March 15, 2017

With so much of the data controlled by doctors and hospitals on electronic devices, including mobile devices, desktop computers, servers, and in the cloud, the security of that data is quickly becoming the most important aspect of HIPAA (not HIPPA) compliance.

Read More