Was Heartbleed at the Heart of This Health Care Breach?
Community Health Systems (CHS), a publicly held company operating 206 hospitals in 29 states, recently announced in an 8-K filing that it has become one of the latest victims of a major data breach. The filing revealed that the attack most likely occurred in April and June of 2014, compromising approximately 4.5 million records. This number surpasses the previous health care data breach record of 1.3 million records at the Montana Department of Public Health in May 2014.
While no credit card information was revealed, the attackers did gain access to non-medical personal health information (PHI) that included “patient names, addresses, birthdates, telephone...
Understanding Social Engineering Tools, Tactics and Techniques
This blog was co-written by Solutionary Offensive Security Consultants Tim Roberts and Brent White.
Attendees stood shoulder to shoulder, many carrying bags with antennas that bumped into mini-drones flying overhead. Eyeballs were poked by mohawks. Laptop lights illuminated the hordes of people marching down the hall of the Rio Hotel and Casino in Las Vegas, NV.
Consultants, cyber-punks, script kiddies, old oracles and government agents all mingled together, blurring the line of who is who. Some of the most talented, professional, ambitious and mischievous hackers gathered in the desert for a long weekend of exploits, lectures, networking, lock picking, hardware modifications, competitions and the sharing of war stories.
This was DEF CON 22.
A plethora of subjects were presented this year. In addition to the...
Assessing and Balancing Risk in Life as well as Information Security
My wife and I went to Destin, FL this past weekend. Both of us are beach lovers. We were even married on the beach back in May. This beach trip, however, was a little different for us. For the first time ever, we were worried about the risk involved with both going in the water and enjoying raw oysters (one of our favorite treats).
You may be thinking that we were worried about going in the water because of the Discovery Channel’s Shark Week (which was last week) or the recent surge in shark sightings. You may be thinking that we were concerned with eating raw oysters because they are “icky.”
Neither of those is true.
In fact, we were concerned about the risk associated with the water and the oysters because of the tiniest of threats, a bacterium known as...
Top 10 Questions to Ask Before a Security Assessment
Companies need information security assessments (such as penetration testing, application security assessments, architectural assessments, etc.). Among other reasons, they need assessments to check their current security state, verify their practices are sound, identify and fix issues and check for regulatory compliance.
Before doing anything else, a company should understand exactly why they are having a security assessment completed. Most companies considering assessments probably have questions for which they want answers. What are some of those questions?
Here is my top 10 list of questions a client company may want to address when preparing to hire an outside firm to conduct an information security assessment:
- How much is it going to...
A Top 10 List for Securing the Internet of Things
The “Internet of Things” or “IoT” is a phrase that describes all possible devices that will interact with one another via digital communications. When you think of possible devices, consider all that have become digital, and not just the obvious choices.
Automobiles are now using computerized components, allowing for better diagnostics and performance. Medical facilities have transitioned from basic pacemakers to digital pacemakers with monitoring capabilities. Technology has also revolutionized the housing market with remote access features that can regulate thermostats, turn lights on or off and lock doors from mobile devices.
The Day the Business No Longer Owns the Data
Working as an information security assessor provides me with opportunities to interact with a variety of Information Technology (IT) executives and understand the core risks to organizations.
As a result, I have identified a recurring theme across many of these organizations: risks remain unaddressed due to IT blindly serving the business. Similar to the insurance and Payment Card Industry Data Security Standard (PCI DSS) models, key IT decisions result in the transference of risk instead of taking ownership of the risk.
To ensure higher profits, IT departments are driven to cut costs and remain lean. IT seems to run as if the business is responsible for all key decisions, especially when it is convenient to neglect the organization's environment. This mantra leads to the logic “the business owns the data, so this is a business decision.”
From an information...
Russian Cybercrime Gang
Russian hackers, over a period of several years, have bought or compromised websites to amass 4.5 billion account records (usernames, passwords and email addresses), according to a recent report released by Hold Security. This is a total of about 1.2 billion unique entries. When you consider that there are something on the order of 3 billion total Internet users in the world, that means as many as 40% of all worldwide Internet users are directly affected by this compromise.
From available information, it appears that the Russian hackers bought or traded for site and account information, then built a prolonged process to locate and compromise websites that they could include in their botnet. Part of their process was to compromise website databases and steal any account credentials they could...