WPA2 is the “secure” implementation option used by the vast majority of enterprise WiFi systems – other protocols have their own security issues, which is why everyone moved to WPA2. Unfortunately, researches have found a way to break that security.
The good news is, for most attacks the attacker has to be on the
A good lesson for technology providers: if security researchers reach out to you, acknowledge them as quickly as possible, especially when they’ve discovered a critical vulnerability. If you work with them to remediate the issue, you may be able to get a patch out before they feel the need to publish the vulnerability for the
Free and Open-Source Software (FOSS) is computer software that can be classified as both free software and open-source software. Anyone who wishes to use FOSS is freely licensed to use, copy, study, and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve upon the design of the software. The Apache Software Foundation (web servers and other projects), the GNU Project (Linux) and the Android Open Source Project (mobile device platform) are some of the more popular FOSS projects that have been used to build the foundation of other products that are not free, like RedHat Linux.
Software development and licensing can be an expensive proposition: free, open-source projects can offer a tempting shortcut in software development (the code is already there) and an attractive cost-saving alternative to purchasing or licensing expensive “off the shelf” solutions. However, with the use of FOSS comes a serious risk decision: everything is provided “as is.” With a commercial solution you have warranty and support contracts that you can rely on to keep the software as current and bug-free as possible. There is no such assurance with the use of FOSS, where you’re directly responsible for the quality and security of the ‘free’ code.
Before you decide whether or not to use FOSS either as a solution to a technical issue or as part of a software development project, ensure you address the following risk factors – seeking adequate counsel in any area where you don’t feel 100% sure you’ve covered all the angles:
Code review: Open source projects are coded by the public at large. While there is certainly a Wikipedia-like argument that “the more people that work on it, the better the product,” you will still carry the liability for anything you produce/use using open source code. Be careful that your IT teams apply the same level of rigor reviewing any open-source component of your products as they would to something they coded themselves. If you don’t have the staff for this kind of review I recommend sticking with off-the-shelf business solutions as much as possible.
Continue Reading What is FOSS, and why should I be worried about it?
If you’ve been looking for a simple tool to help you with an initial self-assessment of how compliant you are with the HIPAA Security Rule, the ONC – in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC) – developed a downloadable tool to help guide
As you work to finalize your cyber insurance riders or supplemental policies, it’s important to pay attention to the language around what is specifically covered. To ensure you’re receiving the coverage desired, the first step is to understand the difference between hacking and phishing, and how this is being applied to your policy, and to ensure the language is mutually interpreted as clearly and uniformly as possible.
Hacking is the use of exploits and vulnerabilities to gain access to and extract information from, disrupt or tamper with a computer system. Hackers break into a system and take information.
Phishing is the use of social engineering via e-mail to trick the recipient into revealing personal or confidential information, or granting access to a computer system either directly or through the installation of malicious software. Phishers convince you to let them into a system or give them information.
Why is this so important to your cyber coverage? Because there’s been some fairly significant litigation around these differences that has supported both the upholding and denial of coverage. Here are 3 examples of cases where interpretation of the rider/supplemental policy language led to litigation:
Universal American Corp. v. National Union Fire Insurance Co., 37 N.E. 3d 78 (N.Y. June 25, 2015)
Continue Reading Hacking vs. Phishing – and Why the Difference is Important for Cyber Insurance Coverage