Triaxiom Security
Partner with us to meet your Information Security needs.
24 Mar 2020

Key Remote Workforce Considerations – COVID-19

In light of the global pandemic caused by COVID-19, many companies are adapting to a new reality. For many organizations, that means that most, if not all, of their employees are working remotely. This allows employees to adhere to social distancing guidelines while still being productive. While there are many distractions and challenges to overcome […]

17 Mar 2020

What is the FFIEC?

In the cybersecurity world, there are acronyms for everything from certifications and tools to compliance requirements and agencies. Today, we continue exploring the various agencies that exist and what they offer to the cybersecurity world with a deep dive on the Federal Financial Institutions Examination Council or “FFIEC”. FFIEC History The FFIEC was established on March 10, […]

12 Mar 2020

Different Day, Same Path to Domain Admin

One of the most common tests we perform for clients is an internal penetration test, designed to explore the vulnerabilities across a company’s internal networks. This testing emulates what an attacker that gained an initial foothold on the network could do or what kind of problems a malicious insider could cause, to put it briefly. […]

10 Mar 2020

What is the GLBA?

The Gramm-Leach-Bliley Act or GLBA is also known as the Financial Modernization Act of 1999. The GLBA requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of consumer’s financial information. As part of its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires […]

5 Mar 2020

2 Dangers of Shared Accounts

Today, we look at 2 dangers of shared accounts. Many compliance requirements, for example PCI DSS, require users to have unique accounts and prohibit the use of shared accounts. However, rather than blindly complying with the requirement, let’s take a look at why this is important. First, shared accounts have shared passwords. In other words, […]

3 Mar 2020

Key Security Concept: Nonrepudiation

In today’s blog, we are going to take a look at a key concept in information security: nonrepudiation. Simply put, nonrepudiation is the assurance that someone cannot deny an action they took. This can apply to an email, for example. If the sender sends the message with a digital signature, this proves that the sender […]

28 Feb 2020

Measuring the Effectiveness of a Penetration Test

Measuring the effectiveness of a penetration test is tough. Everyone has a different method to determine if a penetration test was “effective”. We recently completed an assessment for a client that came back with over 100 vulnerabilities. They had the exact same penetration test performed the prior year by a different firm and had less […]

26 Feb 2020

PCI DSS Requirement 12.11

In this blog, we’re going to do a quick review of PCI DSS Requirement 12.11 and provide some strategies for service providers who need to maintain PCI compliance. As you may have guessed from context clues in the first sentence of this blog, this requirement only applies to service providers and does not need to […]

24 Feb 2020

3 Key Security Considerations for Domain Admins

The users who are in your domain administrators group have the keys to the kingdom. With few exceptions (non-Windows systems), they can access any system and any file in your network. This includes the privacy information, HR information, and intellectual property that you are trying to protect. As such, the domain administrators group must be […]

21 Feb 2020

PCI Compliance Tip – Preparing Network Documentation

As we continue our series of blogs hitting on some tips to help your organization maintain PCI compliance, we’re going to take a look at network documentation. When preparing for an initial PCI-related audit or trying to maintain your compliance program over time, an important part of that is your network documentation. This includes things […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.