As the business world reacts to the current health crisis, companies are offering remote access to any role that can work from home. Taking a cue from the changing environment, cyber-criminals are already taking advantage. Here are some recommendations on continuing to practice good information security hygiene as more of the access moves outside of the physical office.

We all know the stats of the Coronavirus, although they are changing by the minute. We know what to do personally and for our families but what about for our Company? Many customers do have Business Continuity Plans or Enterprise Risk management plans, but do they include plans for a Pandemic such as this?

Palo Alto Networks firewalls have the ability to create security policies and generate logs based on users and groups, and not just IP addresses. This functionality is called User-ID. User-ID™ enables you to map IP addresses to users on your network using a variety of techniques.

From a quick assessment on what has been published thus far on the CMMC regulation and its overall goal, it appears that contractors lack of information security will no longer be tolerated by the DoD. Beginning with the introduction of the new regulation to the public in January of 2020, it is expected that new contractual requirements will include CMMC starting in June of 2020, and enforcement for current contractors starting in September of 2020.

One of the greatest, yet seemingly unknown, dangers that face any cloud-based application is the deadly combination of an SSRF vulnerability and the AWS Metadata endpoint. As this write up from Brian Krebbs explains, the breach at Capital One was caused by an SSRF vulnerability that was able to reach the AWS Metadata endpoint and extract the temporary security credentials associated with the EC2 instance's IAM Role.

In a business environment where resources are limited, compliance requirements abound, and budgets are constantly challenged to meet cost containment targets, the complexity of the regulations your business is obligated to comply with can present a challenge. This challenge becomes even more difficult within the dynamic environment of hospitals, doctors’ offices, and all supporting elements of the medical profession.

The Health Insurance Portability and Accountability Act of 1996 establishes requirements for healthcare organizations with respect to ensuring security and privacy of protected healthcare information (PHI) and electronic protected healthcare information (ePHI). Broadly speaking, the overarching HIPAA principle for this type of data is that it is to remain private.

Microsoft Secure Score. If you’re an IT administrator or security professional in an organization that uses Office 365, then you’ve no doubt used the tool or at least heard the term. It started as Office 365 Secure Score, but it was renamed in April 2018 to reflect a wider range of elements being scored.

GDPR has been in place since May 25th, 2018 and has already been used in legal actions against companies, with over 200,000 cases reported within this first year. The law is expected to make a notable impact on companies, as it has considerable fines and penalties. Even when compared to HIPAA and FISMA, GDPR has the most threatening teeth of any law to date.

Are you using a framework to establish your information security program? If not, I get it; it’s complicated. On a second thought, have you lost your mind? If you are starting from scratch, there is a knowledge barrier that appears to be very steep. Once you see it, you undoubtedly ask yourself, “is it worth the climb?”  Then, the next time you get on an airplane, ask yourself, “are pre-flight checklists worth the effort?”