The Worst Assumption You Can Make About Healthcare Information

There’s a common misconception that HIPAA only applies to database records. It’s somewhat understandable because “health record” is used frequently on the Health and Human Services (HHS) web site. However, if you read the actual language of HIPAA more closely, you’ll see that the rules cover protected health information (PHI) in any electronic format. Have…

PoS Cyber Attack Insight: Malware Isn’t What You Think It Is

As headlines over the last few months have shown, hackers are becoming more and more resourceful at getting through corporate firewalls to directly attack retail terminals and back-end PoS servers. If IT can’t stop them from getting through the front door, is there a second line of defense to, at a minimum, contain the cyber-thieves…

Driving a Stake through Backoff and other PoS Malware

Despite a US-CERT warning and several well-publicized hacking incidents over the summer, Backoff malware continues to add new corporate victims. Krebs has been on the case and has more details on the most recent attacks against two well-known brands. The government warning pointed out that anti-virus vendors may not have the latest signatures for…

Getting Ready for PCI DSS 3.0 and Beyond: A New Focus on Testing

To get a sense of where the PCI Data Security Standard (DSS) is heading, it helps to take a look beyond the actual language in the requirements. In August, PCI published a DSS 3.0 best practices document that provided additional context for the 12 DSS requirements and their almost 300 sub-controls. It’s well worth looking at. The…

PCI Penetration Testing and Vulnerability Scanning: There’s Room for Improvement

One of the criticisms against PCI DSS is that it isn’t keeping up with the dynamic threat environment. As we all know, phishing, APTs, and PoS malware have been especially effective in the retail sector. The Verizon PCI report I mentioned in my last post has some revealing data as to why this may be…

State of PCI Compliance: Verizon Report Tracks Highs and Lows

In addition to publishing the Metadata Era’s favorite source for hacking stats, Verizon also has a separate survey on PCI Data Security Standard (DSS) compliance. Since 2009, Verizon and its associated QSA testers have done 4,000 assessments of mostly large multi-national companies. With the recent high-profile credit card number heists, it’s a particularly opportune time…

FTC Says Do the Reasonable Security Thing

Metadata Era readers know the FTC has become the de facto enforcer of data privacy and security protection. When there aren’t specific laws to apply, it uses the broad powers given to it by Congress—back in the earlier part of the last century—to prohibit “unfair or deceptive acts or practices” in the digital realm. A…

Phishing Attacks Classified: Big Phish vs. Little Phishes

The CMU CERT team I referred to in my last post also has some interesting analysis on the actual mechanics of these phishing attacks. Based on reviewing their incident database, the CERT team was able to categorize phishing attacks into two broader types: single- versus multi-stage. What’s the difference? Think of single-stage as catching lots of…

Do Certain Traits Make People Vulnerable to Phishing?

The Computer Emergency Response Team (CERT) at Carnegie Mellon University is a research institute devoted to computer and network security. CERT is often referenced by other security researchers, and for good reason: they have deep knowledge of vulnerabilities and have developed cyber-engineering techniques both to analyze and prevent attacks. CERT also has an entire practice area…

Point-of-Sale Cyber Attacks Are Back With Backoff

Point-of-Sale attacks are back in the news. But they never really left us. In the wake of the Target attack, the FBI issued a bulletin in January warning about future incidents. They identified the malware type (RAM scrapers) and the infection vector (phish mails, and compromised websites or “watering holes”). And they even pointed out…