Category: Security

Subscribe to Security RSS Feed

Working from Home? Here are 12 Steps to Reduce Data Privacy and Security Risk

Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of … Continue Reading

Soon, all ransomware attacks may be data breaches

As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has … Continue Reading

Your Security Program Must Think Beyond Malware Protection

According to Crowdstrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks  where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In Malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware solutions.  … Continue Reading

Utah Considers a Cybersecurity Safe Harbor as Ransomware Runs Riot

Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers,[1] and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.”[2] But several states provide legal safe harbors to organizations with written cybersecurity programs. … Continue Reading

NIST Releases a Standard for Privacy

As states fill the legal void for consumer privacy rights,[1] a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities. What the PF Does The … Continue Reading

CCPA Is Here – Is Your Security “Reasonable”?

Under the California Consumer Privacy Act, any California consumer whose personal information is compromised “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices … may institute a civil action.”[1] Consumers can initiate this private right of action right now, whereas other consumer rights can only … Continue Reading

CCPA is Here – Are Your Agreements Ready?

On January 1, 2020, if your company sells goods or services to California consumers and meets certain criteria,[1] the agreements you have with companies that handle personal information on your behalf should be analyzed and, if necessary, updated just as your privacy notices should be updated.[2] Examples of companies that handle personal information on a … Continue Reading

Trickbot and Emotet Financial Malware Now Attacking the Healthcare Industry

In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge. Used primarily as ’banking Trojans” … Continue Reading

Achieving Industry Standards

For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?” These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a … Continue Reading

HHS Issues Practical New Cybersecurity Guidance for Healthcare Businesses of all Sizes

In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the … Continue Reading

New tool released that may allow bad actors with almost any skill set to bypass many implementations of Two-Factor Authentication (2FA)

Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information.  Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA: https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/ This does not mean we should stop using Two-Factor Authentication (2FA). We should still use … Continue Reading

Anthem Pays OCR $16 Million in Record-Breaking HIPAA Data Breach Settlement

The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement … Continue Reading

When was the last time you looked at RDP access?

A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down. In the most recent SamSam attacks, the attackers concentrated their efforts on brute-force hacking of weak passwords on devices accessible … Continue Reading

New threat targeting old medical imaging equipment

Health care providers and suppliers should be wary of the “Orangeworm” threat, an implementation of malware out in the wild that’s gathering information off of compromised medical equipment, especially old systems where file shares and Windows XP are still in use: https://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/ While this group seems to be limiting their actions to reconnaissance and compromising … Continue Reading

Email tracking services – are they really worth it?

As illustrated in this recent article in Wired, email tracking services and their counterparts, anti-tracking services, have been rapidly gaining ground on the web; to the point that 40% of all email being sent, and 99% of the majority of the emails you receive (newsletters, marketing materials, notifications and transactional emails) are now being tracked. … Continue Reading

How does your leadership remain aware of cyber security threats?

Some notable stats showed up in the recently-released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,” there … Continue Reading

Funds transfer fraud in real estate transactions has seen an explosive increase this year

As a firm with a large real estate practice, we are keenly aware of the risks of wire transfer fraud in real estate transactions – which has exploded from a reported $19 Million in 2016 to almost $1 Billion in 2017. Often this fraud is the result of the hacker compromising a legitimate email account … Continue Reading

You may be subscribing to US-CERT … but have you heard of ICS-CERT?

The United States Computer Emergency Readiness team (US-CERT) operates within the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), protecting America by responding to major incidents, analyzing threats, and exchanging critical cyber security information with trusted partners around the world.  You may have already signed up for the popular email alert … Continue Reading

Cyber thieves will target anything they can hold for ransom

Back in August, the Associated Press ran this article profiling how a North Carolina manufacturer has been attacked twice by cyber criminals looking to install malware and cripple the “just-in-time” nature of their operations so that they’d be willing to pay a ransom to return to production. While this manufacturer avoided paying the ransom so far, … Continue Reading
LexBlog