External Penetration Testing: Why Your IDS/IPS Gets in the Way


Ted Raffle, Information Security Analyst

One of the most common information security services TraceSecurity provides is an External Penetration Test, given its value in assessing security risks and its ability to simulate a real-world attack. During external penetration testing, an information security analyst (ISA) reviews and tests the ports and services available on the organization’s external network. These are the ports and services that would be visible to anyone on the public Internet. When scoping these assessments, the ISA will typically ask the organization to whitelist the testing source IP addresses in any Intrusion Detection System (IDS) or Intrusion Prevention System (IPS), so that the review of their external ports and services is complete and accurate.


Information Security 101: Basics Everybody Should Know to Protect Their Confidential Data


Bridget Powell, Project Coordinator

In a world where everyone from the family pet to your favorite restaurant has a social media account, we often forget that there is still some information we should keep to ourselves. Information we were warned ten years ago never to give out to anyone, like our social security and credit card numbers, is entered into website forms on a daily basis. We file our taxes online, we post pictures of our kids and families, we buy tea from China and have it shipped to our front door – all while putting ourselves at risk of giving hackers another piece of our identity puzzle. There are a lot of ways to protect our information, but in a world where technology gets more complex by the day, it’s easy to miss out on or forget the basics.


The Online Trust Alliance’s (OTA) 2015 Security Report


Madeline Domma, Product Design Specialist

Many organizations fell prey to notable data breach attacks in 2014, and unfortunately no one anticipates an end in sight. The non-profit Online Trust Alliance (OTA) published its 2015 Security and Privacy Best Practices Report, which analyzed over five hundred online security breach reports from the first half of 2014 and recommended actions based on its findings. In the report, the OTA highlights the shocking fact that almost 90% of the attacks could have been prevented by implementing basic information security controls.

An All-Encompassing IT Governance, Risk Management and Compliance (GRC) Solution


The Importance of Effective Vendor Management in Today’s Cybersecurity Landscape

Jonathan Harrell and Madeline Domma, Product Design Specialists

Increasing interdependence amongst organizations has become essential to achieving business objectives in today’s complex world of business. Now, more than ever, organizations rely heavily on vendors to maintain their operations, but with this expertise and convenience comes added risk. According to Forrester Research, Inc. in a report titled “Understand the Business Impact and Cost of a Breach” published January 12, 2015, “Third parties often enjoy the same liberties as employees, depending on trust and access levels, which can spell disaster for businesses. Many companies that have relied on their business partners and service providers to protect their information are finding that these third parties do not have the appropriate security controls.” Efficient management and oversight of the services your organization’s vendors provide are critical in mitigating this risk, and with tremendous forthcoming enhancements, TraceCSO will better enable your organization to achieve its goals of effective vendor management.


Law Firms Are a Hacker’s Dream


Wes Withrow, IT GRC Subject Matter Expert

When we talk about some of the tactics, techniques, and procedures (TTPs) used by hackers during a cyber breach, we usually think of things like sophisticated malware, military-grade encryption-cracking tools, and ransom notes delivered to the world via Twitter. We usually don’t think about the countless hours the attackers had to spend weeding through the terabytes of stolen data to find the nuggets of valuable information they were looking for.


Free Self-Service OWASP Web Application Risk Assessment

After the recent influx of large-scale data breaches, application security has quickly made its way to the forefront of IT security topics. A web application risk assessment is used to determine what types of controls are required to protect an application from threats, allowing organizations to reduce exposure and maintain an acceptable risk tolerance.

TraceSecurity’s self-service risk assessment guides users through three easy steps: attest to the controls already in place, discover any present threats due to unimplemented controls, and view and download a full Web Application Risk Assessment Report of the findings.


Exploring the Unexpected Results and Benefits of IT Security Initiatives

Wes Withrow, IT GRC Subject Matter Expert

When organizations begin to roll out their IT security initiatives, there’s no shortage of expected and unexpected results. It’s a simple cause-and-effect relationship, but with IT security initiatives, some of the unexpected results tend to surface in unique ways. For example, one organization might begin to tighten up Windows security in their environment only to see a 10x increase in the number of Macs in their environment over a one-year period. They soon understand it isn’t because most of their staff lost their love for Windows; it is because they don’t want all of the new IT security tools bogging down their Windows systems.


Your First Look into Trends and Topics at the 2015 RSA Conference (RSAC)

RSAC 2015 Word Cloud

This word cloud was provided by the RSA Conference during its December 15th, 2014 webinar and reflects the most frequent terms used across more than 1700 speaking submissions. The largest words are those most commonly cited in the conference session titles that were submitted for consideration for this year’s RSA Conference agenda.

During this December 15th RSAC webinar, Britta Glade, Senior Content Manager, and Hugh Thompson, Program Committee Chair, for RSA Conferences shared the insight they derived from the submissions and how these trends will be reflected during the conference this April in San Francisco. TraceSecurity’s interpretation of that insight, as relevant to the TraceSecurity audience, is explored below:


From “None” to “Won” – Effectively Managing Your Vulnerabilities

Mark Thorburn, Information Security Analyst and Security Services Manager

When opening a newly generated vulnerability report, one’s focus immediately turns towards the “High” risk vulnerabilities on the organization’s critical devices. Next, focus shifts to examining the “Medium” and then the “Low” vulnerabilities. And lastly, depending on the resources available, perhaps the “Informational/None” vulnerabilities are attended to. This approach makes sense and is certainly not bad, but unfortunately, those “Informational/None” vulnerabilities may never be reviewed, because the report indicates that the risk to the device under this categorization is, well, none.
