• By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP and John Martin, CISSP-ISSAP

    In February 2020, we put together our thoughts on Security Predictions for the upcoming year in a two-part series (Part 1, Part 2). Little did we know that COVID-19 would happen and change the way that folks work in our organizations, nor the way we as security practitioners work. In our original blog, we suggested that the following issues would be of concern to the industry:

    • Data Privacy changes
    • Lack of secure coding practices
    • 5G and WiFi-6
    • Phasing out passwords
    • Lack of perimeters
    • Backups and their role with ransomware

    We believe that we got several predictions right. However, due to COVID-19, we have moved a few to 2021 or beyond, increased

    Jul 23,
  • U.S. healthcare institutions are under constant attack from cybercriminals, and unless hospitals take concrete steps to protect themselves, the situation won’t get any better. In 2019, the healthcare industry was the number one target for cyber attackers, with the cost of breaches totaling $4 billion, according to a new report. 2020 Vision: A Review of Major IT & Cybersecurity Issues Affecting Healthcare, published by security intelligence firm CyberMDX, provides an in-depth look at the causes and types of cybersecurity threats affecting the industry, as well as recommendations for healthcare institutions to fortify their cyber defenses. Attacks on healthcare are prevalent, according to the report, because the industry handles “valuable patient medical records” and has shown a “willingness to pay ransoms

    Mar 02,
  • As published in the November/December 2019 edition of InfoSecurity Professional Magazine

    By Naresh Kurada, CISSP

    Threat modeling is gaining even more attention with today’s dynamic threat environment. The sophistication of threat actors and development of advanced tactics, techniques and procedures (TTPs) has put a brighter spotlight on the process of finding vulnerabilities by incorporating the attacker’s point of view. There are several threat modeling approaches and techniques to consider. Often, these can be classified as asset-centric, system-centric, people-centric or risk-centric. For instance, Microsoft’s STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) is system-centric, while PASTA (Process for Attack Simulation and Threat Analysis) is risk-centric. Regardless of the model, the primary objectives remain the same—identify threats and

    Feb 20,
  • The number of U.S. data breaches bumped up 17% in 2019 but despite the increase, the volume of sensitive consumer records that were exposed declined substantially by 65%, according to a newly published report. These statistics are a complete reversal of what happened in 2018, when the number of exposed consumer records soared by 126% and breaches declined by 23%, according to the Identity Theft Resource Center’s (ITRC) End-of-Year Data Breach Report for 2019. Data breaches tracked in 2019 in the United States jumped to 1,473, from 1,257 in the previous year, the report revealed. Meanwhile, 164,683,455 sensitive records were exposed, compared to 471,225,862 in 2018. The ITRC notes, however, that the 2018 Marriott data alone exposed 383 million records,

    Feb 13,
  • By Diana Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP

    Ransomware is in the news lately with attacks on Norsk Hydro, multiple cities in Florida, Baltimore and Atlanta, not to mention the numerous hospitals that have been hit. These attacks have cost companies like Norsk an estimated $45 million due to lost revenues and the cost to restore and recover their IT department. The cost to the two cities in Florida is estimated to be $1.1 million and the tally continues to grow. Ransomware is short for ransom malware and has been around since the late 1980s, but is now gaining in popularity from bad actors. The software typically prevents users from accessing their system or personal files and then will demand a

    Feb 11,