HIPAA (1996) and HITECH/ARRA (2009) were further refined by the release of the HIPAA Omnibus Rule (1/25/2013). These regulations coupled with the increased regulatory scrutiny can make compliance difficult and expensive. HHS estimated it will cost companies up to $255.4 million to comply with the Omnibus Rule (Rule)! What will a ¼ of a billion dollars buy? Let’s invest a few minutes to analyze the impact to covered entities (e.g., hospitals, doctors, insurance), their service providers (i.e., business associates or BA), and consumers of healthcare services (i.e., you and I).

CISPA, the Cyber Intelligence Sharing and Protection Act, passed the House last month, and the Senate has indicated that they will not vote on the bill.

The Obama administration has also been outspoken in not supporting the bill, specifically citing concern over how this information could be used by the government.

In recent years, social networking has exploded in popularity and utilization within the business environment. One of the initial efforts by the current presidential administration was to bring this social networking to the federal sector. Based on this article those efforts have increased the adoption for social media within the workplace.

I have been performing Vulnerability Assessments for many years and I still hear the same objection almost every time I tell the client that they need to whitelist our scanner’s IP addresses in their Intrusion Prevention System (IPS) before running the scan! The objection is something like “If I whitelist these IP addresses, then I will not get an accurate view of my current security posture.”

C12.22 is an ANSI protocol enabling smart meters to exchange data via TCP/IP networks. This is good news for penetration testers looking to attack meters remotely; however C12.22 implements key security features that make this a challenging task.

In today’s world of interconnected corporations, outsourced business units and cloud services, the walls around valuable corporate assets have become increasingly blurred. It’s difficult to know exactly where your data assets sit within your own corporation, let alone within 3^rd parties that you do business with daily! And each time a corporation is breached through an outsourced printer provider or document processing service, the regulators tighten the screws and expect stronger vetting of your vendors.

The events that happened during the Boston Marathon yesterday were tragic, scary, and unnerving. As technology improves, the amount and quality of evidence and content that is produced during these types of events continue to increase. It’s times like these where we all drop what we’re doing and tune in to the world around us. Exchanges on news sites, social media, and email immediately start happening to distribute the most up-to-date information.

Through regular discussions with a client in the utilities industry, the director of security at a large utilities provider approached SecureState with a problem.  The CIO had decided to move a number of the company’s core applications to the cloud and needed their security requirements for this project within two weeks.  The utility already had security requirements in place for traditional third-party vendors; however, these requirements were not a good fit for the cloud services the company was looking to adopt.

Much buzz as been flying around the air waves this past month regarding NERC’s release of CIP version 4. Most of this discussion is centered on two major concepts I have seen with nearly every security standard. One involves the concern over meeting requirements of one version of the standard with an expectation to turn around and meet the next version shortly afterward. This causes additional and often unnecessary financial strains to meet security requirements. The second involves determining the scope of affected components. During conversations with clients, the biggest concern regarding the changes from Version 3 to 5 is focused on CIP-002, asset classification. The following graphic provides a very high level overview of what guidance is provided for system scoping and identification from Version 3 to Version 4 and Version 4 to Version 5.

As directed by the February Executive Order from President Obama, the Federal Government issued a Request for Information to receive feedback regarding the National Institute of Standards and Technology’s (NIST) plans to develop a Cybersecurity framework for Critical Infrastructure. The purpose of the RFI was to gain information on what best practices and standards should be included in the future framework from Owners and Operators of Critical Infrastructure.  But it’s about time that the security industry stops looking to new standards to solve the problem and learn how to adopt and implement what they already have!  The problem does not lie in the standards themselves, but in the marketing and execution behind the standards to get the business executives involved.