Interview With Medical Privacy Author Adam Tanner [TRANSCRIPT]


Adam Tanner, author of Our Bodies, Our Data, has shed light on the dark market in medical data. In my interview with Adam, I learned that our medical records, principally drug transactions, are sold to medical data brokers who then resell this information to drug companies. How can this be legal under HIPAA without patient […]


Binge Read Our Pen Testing Active Directory Series


With winter storm Niko now on its extended road trip, it’s not too late, at least here on the East Coast, to make a few snow day plans. Sure, you can spend part of Thursday catching up on Black Mirror while scarfing down this slow cooker pork BBQ pizza. However, I have a healthier suggestion. […]


Update: New York State Finalizes Cyber Rules for Financial Sector


When last we left New York State’s innovative cybercrime regulations, they were in a 45-day public commenting period. Let’s get caught up. The comments are now in. The rules were tweaked based on stakeholders’ feedback, and the regulations will begin a grace period starting March 1, 2017. To save you the time, I did the […]


Adam Tanner on the Dark Market in Medical Data, Part II


More Adam Tanner! In this second part of my interview with the author of Our Bodies, Our Data, we start exploring the implications of having massive amounts of online medical data. There’s much to worry about. With hackers already good at stealing health insurance records, is it only a matter of time before they get […]


Pen Testing Active Directory Environments, Part VI: The Final Case


If you’ve come this far in the series, I think you’ll agree that security pros have to move beyond checking off lists. The mind of the hacker is all about making connections, planning several steps ahead, and then jumping around the victim’s network in creative ways. Lateral movement through derivative admins is a good example of […]


Adam Tanner on the Dark Market in Medical Data, Part I


In our writing about HIPAA and medical data, we’ve also covered a few of the gray areas of medical privacy, including wearables, Facebook, and hospital discharge records. I thought both Cindy and I knew all the loopholes. And then I talked to writer Adam Tanner about his new book Our Bodies, Our Data: How Companies Make Billions Selling […]


Pen Testing Active Directory Environments, Part V: Admins and Graphs


If you’ve survived my last blog post, you know that Active Directory group structures can be used as powerful weapons by hackers. Our job as pen testers is to borrow these same techniques — in the form of PowerView — that hackers have known about for years, and then show management where the vulnerabilities live […]


EU GDPR Spotlight: Do You Have to Hire a DPO?


I suspect right about now that EU (and US) companies affected by the General Data Protection Regulation (GDPR) are starting to look more closely at their compliance project schedules. With enforcement set to begin in May 2018, the GDPR era will shortly be upon us. One of the many questions that have not been fully answered […]


Pen Testing Active Directory Environments, Part IV: Graph Fun


If we haven’t already learned from playing six degrees of Kevin Bacon, then certainly Facebook and LinkedIn have taught us we’re all connected. Many of the same ideas of connectedness also play out in Active Directory environments. In this post, we’ll start out where we left off last time in thinking about the big picture […]


What We Learned From Talking to Data Security Experts


Since we’ve been working on the blog, Cindy and I have chatted with security professionals across many different areas — pen testers, attorneys, CDOs, privacy advocates, computer scientists, and even a guru. With 2016 coming to an end and the state of security looking more unsettled than ever, we decided it was a good time […]


Ransomware: Legal Cheat Sheet for Breach Notification


You respond to a ransomware attack in many of the same ways you would to any other cyber attack. In short: have plans in place to analyze the malware, contain the damage, restore operations if need be, and notify any regulatory or enforcement authorities. And your legal, IT, and communications team should be working together […]
