Monthly Archives: May 2018

GDPR Day. Let the privacy regulation games begin!

May 25, 2018 was “GDPR Day”: the day enforcement of the European Union’s new General Data Protection Regulation began; the day so many information security professionals had been preparing for over the past two years; the day so many had been anticipating and fearing.

GDPR Day is a day many have been treating as a deadline to comply with an entirely new privacy regulation, and woe to all who are not ready by the deadline.

However, GDPR Day is not a deadline — it’s a starting date.

If you’re new to the GDPR game, last Friday was the first day the new regulation could be enforced in the EU against any organization collecting personal data and failing to comply with the new rules.

Max Schrems, the Austrian attorney and privacy activist who helped bring down the long-established Safe Harbor framework governing trans-Atlantic data flows over privacy concerns in 2015, is on the job now as well. His group, NOYB (“None of Your Business”) filed the first complaints under GDPR, alleging that Facebook and its Instagram and WhatsApp services, as well as Google, were attempting to do an end-run around GDPR consent policies by “forcing” consent: telling users there is a new privacy policy, but giving them no way to opt out of sharing other than to stop using the service entirely.

And, anyone who imagined Facebook and Google would be the only companies facing this type of charge was simply wrong.

Monday morning after GDPR Day saw more complaints: seven claims against Facebook and Google (in three separate complaints against Gmail, YouTube and Search), as well as claims against Apple, Amazon and LinkedIn, filed by the French digital rights group La Quadrature du Net. The group had originally intended to target a dozen services but held back on complaints against WhatsApp, Instagram, Android, Outlook and Skype in order to avoid overwhelming the system.

The intent of the GDPR is to return control of their data to EU data subjects. Up until now, companies like Facebook and the rest have been gathering data about their users and then finding ways to turn that data into revenue, for example through targeted advertisements. Previously, there have been no significant obstacles keeping those big data companies from sharing or reselling some or all of the personal data they collect with other companies, and users have had little to no recourse to prevent any of this from happening. At best, services would bury controls to opt out of targeted advertising deep in settings; at worst, even leaving (or never joining) the service altogether might not stop the data collection and sale, as was the case with Facebook’s “shadow profiles.”

What was seen in the run-up to GDPR Day from the big data companies has been a form of “opting in” consent policies that effectively force consent from users. This forced consent is not just a bad look on the part of these big corporations but, as NOYB put it in its statement, it is in fact illegal under the new rules.

Schrems said in a statement that when Facebook blocked accounts of users who withheld consent, “that’s not a free choice, it more reminds of a North Korean election process.”


NOYB pointed out that, under Article 7(4) of the GDPR, “such forced consent and any form of bundling a service with the requirement to consent” is prohibited under GDPR — and Schrems said that “this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”

Schrems and NOYB also note that the GDPR doesn’t mean companies can’t collect any data from their users, because there are some pieces of information that they need in order to provide their services. “The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.”

In other words, if the data is required for the service provider to be able to provide the service, consent is no longer required — but for any other use, the users must be given a real choice.


In the days since GDPR Day and the start of enforcement, it is clear that companies that have failed in some way to comply with the new rules — especially those that have attempted to comply in a way that circumvents the consumer protections provided by GDPR — should be worried.

If your organization has taken the steps necessary to comply — in good faith — with the GDPR, it is probably safe. If your organization cares for the personally identifying data of its customers, employees and anyone else whose data it collects, you are also probably safe.

However, if your company is making an effort to appear to be in compliance with GDPR, but in a way that attempts to subvert the privacy regulation, you should worry.


via: techtarget

Electronic Health Records Under Attack: How to Protect and Secure These Critical Assets

If breaches to electronic health record systems continue at their current pace, each and every American can expect their private medical data to be compromised at least once by 2024. Once adversaries obtain a patient’s health information (PHI), they can sell it to the highest bidder—leaving targets vulnerable to all manner of fraud and theft.

Medical records aren’t just about health information, either. They often also include highly sensitive information such as a patient’s address, driver’s license number, credit card information and Social Security number. So how do hackers get hold of PHI in the first place? For the most part, ransomware is to blame.

That’s why it is imperative that healthcare organizations go beyond check-box HIPAA compliance to truly secure their environment. They can do this by embracing end-to-end visibility and monitoring critical assets, including EHR systems—the repository of PHI.

With the help of Tripwire solutions, healthcare organizations can implement the following best practices to protect sensitive patient data.

Immediately recognize unauthorized changes in your EHR environment

Tripwire Enterprise is the industry leader in File Integrity Monitoring (FIM) and change management. This means that you’ll always have deep visibility into each and every relevant change occurring in your environment.

Many data breaches go unnoticed for long periods of time, but Tripwire Enterprise gives you the advantage of immediate knowledge about what changes are made, when they’re made and by whom—all while filtering out the noise of nonessential data.

Avoid misconfigurations in your EHR environment

An adequately hardened system is one of your best defenses against cyber adversaries. Reduce your attack surface with proper configuration management using the continuous monitoring capabilities of Tripwire Enterprise. Ninety-four percent of malicious data access takes place because of compromised servers.

You can avoid catastrophic EHR breaches by understanding exactly how your assets are configured and protected to begin with. Critical configuration errors need immediate corrective measures, and Tripwire’s remediation capability provides guidance for rapid repair of non-compliant systems and security misconfigurations.


via: tripwire

You know that silly fear about Alexa recording everything and leaking it online? It happened

US pair’s private chat sent to coworker by AI bug.

It’s time to break out your “Alexa, I Told You So” banners – because a Portland, Oregon, couple received a phone call from one of the husband’s employees earlier this month, telling them she had just received a recording of them talking privately in their home.

“Unplug your Alexa devices right now,” the staffer told the couple, who did not wish to be fully identified, “you’re being hacked.”

At first the couple thought it might be a hoax call. However, the employee – over a hundred miles away in Seattle – confirmed the leak by revealing the pair had just been talking about their hardwood floors.

The recording had been sent from the couple’s Alexa-powered Amazon Echo to the phone of the employee, who is in the husband’s contacts list, and she forwarded the audio to the wife, Danielle, who was amazed to hear herself talking about their floors. Suffice to say, this episode was unexpected: the couple had not instructed Alexa to send a copy of their conversation to anyone.

“I felt invaded,” Danielle told KIRO-TV. “A total privacy invasion. Immediately I said, ‘I’m never plugging that device in again, because I can’t trust it.’”

The couple then went around their home unplugging all their Amazon Alexa gadgets – they had them all over the place to manage various smart home devices, including a thermostat and security system – and then called the web giant to complain about the snooping tech.

According to Danielle, Amazon confirmed that it was the voice-activated digital assistant that had recorded and sent the file to a virtual stranger, and apologized profusely, but gave no explanation for how it may have happened.

“They said ‘our engineers went through your logs, and they saw exactly what you told us, they saw exactly what you said happened, and we’re sorry.’ He apologized like 15 times in a matter of 30 minutes and he said we really appreciate you bringing this to our attention, this is something we need to fix!”

She said she’d asked for a refund for all their Alexa devices – something the company has so far demurred from agreeing to.

Alexa, what happened? Sorry, I can’t respond to that right now

We asked Amazon for an explanation, and today the US giant responded confirming its software screwed up:

Amazon takes privacy very seriously. We investigated what happened and determined this was an extremely rare occurrence. We are taking steps to avoid this from happening in the future.

For this to happen, something has gone very seriously wrong with the Alexa device’s programming.

The machines are designed to listen constantly for the “Alexa” wake word, keeping a rolling one-second audio buffer from the microphone at all times in anticipation of a command. When the wake word is detected in the buffer, the device records what is said until there is a gap in the conversation, then sends the audio to Amazon’s cloud system to transcribe it, work out what needs to be done, and respond.

The talking, always listening system is remarkably effective, which has led to it becoming extremely successful as a consumer product and sparked competing voice-controlled gizmos from Google and Apple.

Amazon has since been doing everything it can to position Alexa as a foundational technology, opening it up to apps, tying in smart-home products so voice commands can be used to make changes inside a house and, more recently, allowing it to access contact lists and make phone calls.

Which all sounds terrific until it goes wrong and your device acts like a bug, recording what you say in the privacy of your own home and sending a recording to a seemingly random contact.

The truth is that in its determined effort to expand Alexa’s usefulness and so consolidate its lead in the market, Amazon has been moving too fast. All too often in recent months the devices have wrongly heard their wake word – something that users tend to discover only when the device provides an unexpected response to a question it wasn’t asked.

The voice recognition and AI system behind Alexa is also far from perfect, leading to misunderstandings. So long as those misunderstandings and unexpected responses are not too frequent though, users put up with it because of the usefulness of the product overall.

Expansion problems

The problem with constantly increasing what the device can do, however, is that a misunderstanding can have a far greater impact than providing a nonsensical response. The device is now expecting to hear commands that allow it to interact with a huge range of features and services – from calling people to warming up the house – and it appears as though Amazon has turned the dial too far in allowing Alexa to act immediately on what it thinks it heard rather than double-checking a command when it isn’t clear.

Presumably in this case, the system not only heard its wake word incorrectly but then also misinterpreted the conversation as asking it to call the person in the contacts list. It then did so, and at some point decided that was the end of the conversation and went back to sleep.

Whether the device announced what it was doing – which it is designed to do – and wasn’t heard, or failed to announce it will be something important to know. Although for the end user, it’s a distinction that may not actually matter.

Clearly there is going to be some serious fallout from the situation since everyone’s fear about such a system has just been realized.

Amazon will be hotly debating how to respond and how much information to provide over what went wrong. We have no doubt that the company will inform us in a few days that it has discovered the issue and fixed it so it will never happen again. And we expect to see some plausible reason why this was a one-off.

But the truth is that Alexa devices can easily be turned into bugs if there is a hardware or software mistake, and we are willing to bet that in its haste to constantly update its devices, Amazon let a big mistake through.

And now, dear readers, enjoy yourselves in the comments section. ®

Updated to add

A spokesperson for Amazon has been in touch with more details on what happened during the Alexa Echo blunder, at least from their point of view. We’re told the device misheard its wake-up word while overhearing the couple’s private chat, started processing talk of wood floorings as commands, and it all went downhill from there. Here is Amazon’s explanation:

The Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right.” As unlikely as this string of events is, we are evaluating options to make this case even less likely.
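To make the chain of misrecognitions above concrete, here is an added simulation (not Amazon’s code; the Echo’s real dialog manager is not public) that replays a constructed version of the sequence in Amazon’s statement through two confirmation policies: one that acts on whatever it thinks it heard, and one that requires high-confidence, bare yes/no confirmation at each step. Contact names, utterances and confidence scores are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Hypothesis:
    """One speech-recognition result: the text the recogniser thinks it
    heard plus its confidence in the range 0..1 (constructed values)."""
    text: str
    confidence: float


YES_WORDS = {"yes", "right", "correct", "yep"}


@dataclass
class MessagingDialog:
    """Model of the 'send message' flow as described in Amazon's statement:
    wake word -> 'send message' -> 'To whom?' -> name -> '<name>, right?' -> 'right'.
    policy='permissive' acts on the best hypothesis whatever its confidence and
    treats any utterance that merely contains a yes-word as confirmation.
    policy='gated' requires confidence >= min_conf at every step, requires the
    confirmation to be a bare yes-word, and drops back to idle on anything else."""
    contacts: list
    policy: str = "permissive"
    min_conf: float = 0.85
    state: str = "idle"
    recipient: Optional[str] = None
    sent: list = field(default_factory=list)
    prompts: list = field(default_factory=list)

    def _ok(self, hyp: Hypothesis) -> bool:
        return self.policy == "permissive" or hyp.confidence >= self.min_conf

    def _reset(self) -> None:
        self.state, self.recipient = "idle", None

    def hear(self, hyp: Hypothesis) -> None:
        words = hyp.text.lower().split()
        if self.state == "idle":
            if "alexa" in words and self._ok(hyp):
                self.state = "awake"
        elif self.state == "awake":
            if "send" in words and "message" in words and self._ok(hyp):
                self.state = "ask_recipient"
                self.prompts.append("To whom?")
            else:
                self._reset()
        elif self.state == "ask_recipient":
            # Match a contact by first name appearing anywhere in the utterance.
            match = next((c for c in self.contacts if c.lower().split()[0] in words), None)
            if match and self._ok(hyp):
                self.recipient, self.state = match, "confirm"
                self.prompts.append(f"{match}, right?")
            else:
                self._reset()
        elif self.state == "confirm":
            if self.policy == "permissive":
                confirmed = bool(YES_WORDS & set(words))      # 'right' said in passing counts
            else:
                confirmed = hyp.text.strip().lower() in YES_WORDS and self._ok(hyp)
            if confirmed:
                self.sent.append(self.recipient)
            self._reset()                                     # one shot either way

    def run(self, transcript) -> list:
        for hyp in transcript:
            self.hear(hyp)
        return list(self.sent)


# Constructed background chat following the order in Amazon's statement: a word
# that sounds like the wake word, talk that scores as 'send message', a contact's
# first name, then 'right' said in passing. Low confidence throughout.
BACKGROUND_CHAT = [
    Hypothesis("alexa", 0.55),
    Hypothesis("send message about the floors", 0.48),
    Hypothesis("sam said the hardwood", 0.41),
    Hypothesis("right and it looks great", 0.52),
]

# Constructed deliberate request spoken clearly to the device.
DELIBERATE_REQUEST = [
    Hypothesis("alexa", 0.97), Hypothesis("send a message", 0.95),
    Hypothesis("sam", 0.93), Hypothesis("right", 0.96),
]

# Constructed case: clear request, but the confirmation is buried in other speech.
LOOSE_CONFIRMATION = DELIBERATE_REQUEST[:3] + [Hypothesis("right and it looks great", 0.90)]


def simulate(policy: str, transcript, contacts=("Sam Rivera",)) -> list:
    """Return the list of recipients a message was sent to under `policy`."""
    return MessagingDialog(list(contacts), policy=policy).run(transcript)


if __name__ == "__main__":
    for name, t in [("background", BACKGROUND_CHAT), ("deliberate", DELIBERATE_REQUEST),
                    ("loose", LOOSE_CONFIRMATION)]:
        print(name, "permissive:", simulate("permissive", t), "gated:", simulate("gated", t))
```

The gated policy still completes a deliberate request; it refuses the background chat at the wake word and refuses a confirmation that is not a bare “right”, which is the double-check the article argues for.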


via:  theregister

Infosecurity Europe Preview: Shifting Left – Integrated Container Security and DevSecOps

There is little doubt that DevOps philosophies have been taking over in many different types of organizations, providing the advantages of faster time to market as well as greater flexibility and resiliency.

You’ve probably heard about shifting security to the left or of the need to inject security into each step of the DevOps cycle. But why do we need so much security, how are we supposed to fit it in and just where is “the left”?

This year at Infosecurity Europe 2018, I’ll be discussing these topics in my talk “Shifting Left: Integrated Container Security and DevSecOps,” which you can find in the Tripwire booth theatre at stand E50.

A slogan of the DevOps movement is to “Move Fast and Break Things,” striking fear into the hearts of traditional IT and security professionals.

Modern teams are moving fast by combining elements of software development and system administration. This rapid delivery is a huge advantage in the midst of a demanding and competitive market, but it can also introduce new risk and vulnerabilities if security is compromised for speed.

Effective DevSecOps requires a mix of modern tools and methods with foundational security controls.

For example, build systems, containers and orchestration tools can be used together with more traditional security mechanisms, such as file integrity monitoring, access control and vulnerability management.  Implementing controls and security features from the start provides a layered defense against even the most agile attackers. This allows for the advantages of DevOps without sacrificing your organization’s security.

In my presentation, I’ll discuss some of the ways Tripwire can help in the pursuit of a robust DevSecOps practice. I’ll be diving into the Container Analyzer Service, a new offering providing an integration point for vulnerability management of Docker images within your build pipeline. The Container Analyzer Service adds the ability to evaluate Docker images for vulnerabilities before they hit production.


via: tripwire

Integrity Management: What It Is and How It Can Protect Your Data

In a previous article, I noted that organizations are witnessing a surge in integrity-based attacks targeting their networks. Enterprises can defend themselves against these types of threats by turning to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They can then pair the risk-based approach with NIST SP 800-53 and other security control catalogs that enable integrity management.

This discussion begs two questions: what is integrity management, and what does it do?

A Breakdown of Integrity Management

Integrity management is the process by which organizations work to ensure the integrity of their data. Their interest is to make sure they can trust their stored data. As such, they need to protect their corporate information against tampering from attackers.

Ron Ross, a fellow at the National Institute of Standards and Technology (NIST), expands upon the importance of systems and data integrity for organizations:

“Integrity is one of the three pillars of cybersecurity.  Establishing strong configuration settings and ensuring that changes to software and firmware are strictly controlled, can promote integrity and reduce an organization’s susceptibility to cyber-attacks that can have devastating effects on organizational missions and business functions.  Configuration management and control are critical components in a robust and holistic cybersecurity program—facilitating both system and data integrity.”

At its core, integrity management is made up of countermeasures and safeguards which organizations can use to assess for vulnerabilities and monitor for weaknesses on their networks. These protections, if implemented correctly, help prevent the majority of breaches from occurring. As such, they are effective in reducing an enterprise’s attack surface and addressing operational risks in business-critical systems.

How NIST and Tripwire Play a Part

Many standards already contain a number of security controls that go to the heart of data integrity. Take NIST Special Publication 800-53, for instance. Underpinned by NIST’s Cybersecurity Framework, this document emphasizes the implementation of log management, vulnerability management, change management (also known as file integrity management), secure configuration management and asset discovery/management. Professionals can use those controls to identify points of risk that should be communicated to C-level executives.

Recognizing the utility of the Cybersecurity Framework and other special publications, Tripwire has designed its solutions to emphasize foundational controls that closely align with NIST’s guidance. These utilities support automation, monitoring and configuration management, to name a few, within the context of different environments. They even help harden industrial settings, per Tripwire’s ICS cyber resiliency suite.

David Meltzer, chief technology officer at Tripwire, says this underscoring of integrity management is one of Tripwire’s key advantages:

“In so many ways, Tripwire is better positioned than most cybersecurity vendors to provide the critical components of good, solid foundational cybersecurity programs… from asset identification to vulnerability assessment to change identification and impact. We’ve got the tools that work together to solve integrity management challenges and they can do it at a scale better than most. So, we are uniquely positioned in a lot of ways to respond to the breadth of the NIST expectations for critical infrastructure organizations and beyond.”


via: tripwire

Why You Need to Master the Basics – A Three Step Campaign

When I was growing up, my father enrolled me in martial arts at an early age. I liked everything about it. I liked the friends I made, I liked the sense of achievement getting the next belt, I liked breaking boards, but more than anything, I liked to fight. Furthermore, I liked to win.

At the first school I enrolled in, it wasn’t long until I was promoted to yellow belt. It was your typical “pay to play” karate school. The instruction was terrible. I learned to jump kick before I knew how to kick on the ground. Not only was this bad form, it was dangerous. Also, and perhaps the most important thing, I lost every tournament!

We moved to a new town, and I enrolled in a new school of instruction. This instructor was serious!  He was a Marine first and a professional boxer next, and he still competed in Mixed Martial Arts tournaments himself! I wish you could have been a fly on the wall when I walked into his class and thought I was fancy with jump kicking in class. I couldn’t even stand on one leg and hold my balance much less jump kick!

Out of habit, I continued to jump when I kicked. He pulled me to the side and told me, “Every time you jump, you owe me 10 pushups!” It broke the habit very quickly because I hated doing push-ups.

Fast forward a few months, and I started back at square one: mastering the basics. He drilled into me to master the basics of proper form. He drilled into me the idea that it doesn’t matter where you come from or what you’re doing; if you master the basics, you will succeed.

I went on to win National Championships in sparring and traveled the country competing in martial arts tournaments using nothing but what I learned as a white belt even though I had earned advanced level belts. Every single day, I practiced good form with the simplest kicks and punches until my technique was better than my opponents.

This applies to cyber security in what I call a three-step campaign to master the basics.

Step 1: Asset Management

The concept is simple, but the practice is difficult. With enterprises constantly growing, shrinking or acquiring other companies, knowing your inventory of assets is extremely difficult. Time, money and resources need to be allocated to asset management first. How in the world are you going to secure what you don’t know you have? All it takes is one host to get a foothold into the domain.

Step 2: Patch Management

Mastering the basics means getting into a good routine. A company culture should exist that allows for scheduled patching to happen during hours with minimal impact to the business. Most companies that I have worked for have decent IT-centered programs for scheduled patching. The trouble that comes in is when a new exploit is released or a vulnerability is announced that happens at a time during the interim.

All too often, teams are scrambling to find the resources they need to patch this efficiently. Proper processes and procedures need to be implemented and burned into a culture that these things happen frequently, and they need to be addressed quickly.

Step 3: Vulnerability Management

A vulnerability management program that constantly scans your environment for new assets should alert you when there are assets that you do not know about which are turned on and otherwise contain vulnerabilities that put your enterprise at risk.

These three steps are what I believe to be the cornerstones of a solid foundation for a security program. As you can see, two of the three steps aren’t usually an “information security” job function, which means good security is a happy marriage of IT and infosec. Information security supports the business, after all. In conclusion, I believe this three-step campaign to master the basics will provide you with a cost-effective foundation on which to build.


via: tripwire

VPNFilter botnet has hacked 500,000 routers. Reboot and patch now!

At least half a million routers and storage devices in dozens of countries around the world have been infected by a sophisticated botnet, in preparation for an alleged planned cyber attack on Ukraine.

The botnet, which has been given the rather unglamorous name of VPNFilter, is believed to be controlled by a state-sponsored hacking group known variously as APT28, Pawn Storm, Sandworm, Fancy Bear and Sofacy.

Cisco Talos researchers have been working with security industry partners and law enforcement for months investigating the botnet, which, like the infamous Mirai botnet, focuses on hijacking IoT devices such as routers and network attached storage (NAS) devices rather than regular PCs.

Although the investigation is not yet complete, the researchers decided to go public with their findings after uncovering evidence that an imminent cyber attack might be being planned against Ukrainian infrastructure.

For its part, Ukraine’s state security agency has claimed that the report suggests that Russia was planning a major cyber attack ahead of the UEFA Champions League football final, due to take place at the NSC Olimpiyskiy Stadium in Kiev on Saturday.

So, should you be concerned if you aren’t based in Ukraine? Well, of course you should!

Even if you aren’t in imminent danger of being targeted by the botnet itself, you certainly don’t want to be part of the problem. Everybody who is on the internet should play their part in ensuring that the internet stays as safe as possible – and that means not contributing to the problem.

If you follow basic security hygiene it’s not hard to protect your own IoT devices, but if you don’t you are making things more dangerous for everybody else on the internet.

So far VPNFilter has been seen affecting small office/home office routers from Linksys, MikroTik, Netgear and TP-Link, in addition to QNAP NAS devices. Affected devices include:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • QNAP NAS devices running QTS software
  • TP-Link R600VPN

VPNFilter relies upon a command-and-control infrastructure set up by the gang, who can send commands to the botnet through metadata hidden within particular images on Photobucket.com. With the images removed from Photobucket, the VPNFilter botnet turned to a backup server, toknowall.com, for its instructions.

As The Daily Beast reports, the FBI seized control of the toknowall.com domain yesterday, preventing the malware from reactivating if affected IoT devices are rebooted.

In other words, the simplest action you can take to stop any attack from the botnet being executed from your router is to reboot your device. To be more certain that your devices have not been compromised, you should do a hard reset – returning the router or NAS device to its factory settings. This is often done by pressing and holding a reset switch while turning the device off and on again.

Obviously you should also check that your device is running the latest firmware update, ensure that you are not using an easy-to-crack or default password, and – if you have no need for it – I would recommend disabling remote management services.

In a statement, John Demers, the US Assistant Attorney General for National Security, described the takeover of the botnet’s command-and-control infrastructure as an attempt to hamper the hackers’ efforts:

“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities.”

VPNFilter is far from the only botnet out there, and there are lessons for computer users to learn about keeping their routers better secured from attack.

Here are some general tips about how to better harden your IoT security:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any internet-enabled devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be exploited.


via: tripwire

Mozilla Rolls Out Two-Step Verification for Firefox Accounts

Mozilla announced the rollout of two-step verification (2SV) as an optional security feature for all Firefox user accounts.

The engineers at Mozilla Foundation designed the feature without support for SMS-based codes. They likely did so for the same reasons as Twitter when it moved away from this form of verification in December 2017. Criminals previously found ways to steal users’ SMS text messages, thereby enabling attackers to compromise 2SV-protected accounts. This vulnerability led Twitter to make a change in how it handles login verification.

At the time of this writing, Mozilla’s 2SV feature worked with the support of three authentication mobile apps: Google Authenticator, Duo Mobile and Authy 2-Factor Authentication. It’s unknown whether Mozilla intends to add support for additional applications.

Users who’d like to protect their Firefox accounts with two-step verification should download one of the supported authentication mobile apps from their smartphone’s official app store. They should then click the menu button in Mozilla’s Firefox browser, go to preferences and expand the Two-step authentication section. Alternatively, they can visit https://accounts.firefox.com/settings?showTwoStepAuthentication=true.

When the Two-step authentication section appears, users will have the option of enabling the feature. Clicking the “Enable” button will subsequently display a QR code. Users must scan this code with their authentication mobile apps to add their Firefox accounts.

With that process complete, they will need to obtain a six-digit code from their app and use it to confirm setup. They should then save the 10 recovery codes provided by Firefox in a safe location in case they ever lose access to their authentication mobile app.

The setup process for 2SV on Firefox accounts. (Source: Bleeping Computer)

Going forward, when users attempt to log in to their Firefox accounts, they’ll need to generate a one-time passcode using their verified account on their authentication mobile app after entering in their username and password. This step can therefore help protect their accounts even if attackers gain access to their login credentials.
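The six-digit codes those apps produce are time-based one-time passwords (TOTP, RFC 6238); the QR code carries the shared secret, and the recovery codes are the fallback for a lost phone. The following is an added example, not Mozilla’s code, showing both halves of that process: code generation and server-side verification with the RFC 6238 test-vector key, and recovery codes stored only as hashes. The issuer string and account name are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Constructed demo secret: the RFC 4226/6238 test-vector key (ASCII
# "12345678901234567890"), base32-encoded as it would be carried in the
# enrolment QR code. Not a real account secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def _decode_secret(secret_b32: str) -> bytes:
    # Authenticator apps usually show the secret without '=' padding; restore it.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    digest = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter),
                      hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, unix_time // period, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the code for the current 30-second step or
    `window` steps either side (tolerates clock skew). Comparisons run in
    constant time and are never short-circuited, so timing does not leak
    which digits matched."""
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    step = unix_time // period
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret_b32, step + delta), submitted)
    return ok


def provisioning_uri(secret_b32: str, account: str, issuer: str = "ExampleIssuer") -> str:
    """The otpauth:// URI encoded in the enrolment QR code (the Key Uri Format
    understood by Google Authenticator and compatible apps)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def generate_recovery_codes(n: int = 10, nbytes: int = 5):
    """Create n one-time recovery codes. The user keeps the plaintext codes;
    the server stores only SHA-256 hashes, so a database leak does not
    hand out working codes."""
    codes = [secrets.token_hex(nbytes) for _ in range(n)]
    stored_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored_hashes


def redeem_recovery_code(stored_hashes: set, submitted: str) -> bool:
    """Burn a recovery code on use so it cannot be replayed."""
    h = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.discard(h)
        return True
    return False


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET_B32, "user@example.com"))
    print("code at T=59:", totp(DEMO_SECRET_B32, 59))   # RFC 6238 vector -> 287082
    codes, db = generate_recovery_codes()
    print("first recovery code accepted:", redeem_recovery_code(db, codes[0]))
    print("same code again:", redeem_recovery_code(db, codes[0]))
```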

Additional information on this feature and how to set it up can be found here.


via: tripwire

Electronic Health Records Under Attack: How to Protect and Secure These Critical Assets

If breaches to electronic health record systems continue at their current pace, each and every American can expect their private medical data to be compromised at least once by 2024. Once adversaries obtain a patient’s health information (PHI), they can sell it to the highest bidder—leaving targets vulnerable to all manner of fraud and theft.

Medical records aren't just about health information, either. They often also include highly sensitive data such as a patient's address, driver's license number, credit card details and Social Security number. So how do attackers get hold of PHI in the first place? For the most part, ransomware is to blame.

That’s why it is imperative that healthcare organizations go beyond check-box HIPAA compliance to truly secure their environment. They can do this by embracing end-to-end visibility and monitoring critical assets, including EHR systems—the repository of PHI.

Avoid misconfigurations in your EHR environment

An adequately hardened system is one of your best defenses against cyber adversaries. Reduce your attack surface with proper configuration management using the continuous monitoring capabilities of Tripwire Enterprise. Ninety-four percent of malicious data access takes place because of compromised servers.

You can avoid catastrophic EHR breaches by understanding exactly how your assets are configured and protected to begin with. Critical configuration errors need immediate corrective measures, and Tripwire’s remediation capability provides guidance for rapid repair of non-compliant systems and security misconfigurations.

Ensure continuous compliance

Tripwire Enterprise offers more than 800 out-of-the-box platforms and policies to keep your systems within compliance. Tripwire monitors systems for any unauthorized changes and misconfigurations to ensure health data is not compromised.

Meet HIPAA Security Rule (Part 164) and receive alerts when your systems drift out of compliance. Tripwire helps you ensure the confidentiality, integrity and availability of your “electronic protected health information” as required by the HIPAA regulations.
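The continuous monitoring described in the two sections above comes down to three operations: record a baseline of how a critical system is configured, detect anything that drifts from it, and flag settings that violate policy even if they never changed. The following is an added example and is not Tripwire Enterprise code or its output format: it builds a constructed EHR configuration tree in a temporary directory, takes a baseline, simulates tampering, and reports the drift and a permissions violation. The file names, contents and the 0600 policy are assumptions for the demo.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record a SHA-256 and the permission bits of every regular file under root,
    keyed by path relative to root. This is the baseline a FIM tool keeps."""
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            snap[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "mode": stat.S_IMODE(path.stat().st_mode),
            }
    return snap


def diff_snapshots(baseline, current):
    """Return (kind, path) tuples for anything that drifted from the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None:
            findings.append(("added", path))
        elif after is None:
            findings.append(("removed", path))
        else:
            if before["sha256"] != after["sha256"]:
                findings.append(("modified", path))
            if before["mode"] != after["mode"]:
                findings.append(("mode_changed", path))
    return findings


def policy_violations(snap, policy):
    """policy maps a path to the most permissive mode it is allowed to have.
    Any extra permission bit (e.g. group/world read on a file holding database
    credentials) is reported as a misconfiguration, as is a missing file."""
    violations = []
    for path, max_mode in sorted(policy.items()):
        entry = snap.get(path)
        if entry is None:
            violations.append(("missing", path, None))
        elif entry["mode"] & ~max_mode:
            violations.append(("permissions_too_open", path, oct(entry["mode"])))
    return violations


def demo():
    """Constructed scenario: baseline a tiny EHR config tree, then simulate
    tampering (edited and loosened credentials file, unexpected export file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        conf = root / "ehr" / "db.conf"
        conf.parent.mkdir()
        conf.write_text("db_user=ehr\ndb_password=REDACTED\n")   # constructed sample
        conf.chmod(0o600)
        baseline = snapshot(root)

        conf.write_text("db_user=ehr\ndb_password=REDACTED\nallow_remote=yes\n")
        conf.chmod(0o644)                                        # now group/world readable
        (root / "ehr" / "export.csv").write_text("patient_id,dob\n")  # unexpected new file
        current = snapshot(root)

        return (diff_snapshots(baseline, current),
                policy_violations(current, {"ehr/db.conf": 0o600}))


if __name__ == "__main__":
    changes, violations = demo()
    for finding in changes + violations:
        print(*finding)
```

A real deployment would sign or otherwise protect the stored baseline (an attacker who can edit the file can also edit an unprotected baseline), schedule the comparison continuously rather than on demand, and route findings into the alerting the section describes; the comparison logic itself does not change.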

Register for the upcoming webinar “Electronic Health Record Systems Under Attack” today and join us on May 31, 2018, from 11:00 a.m. – 12:00 p.m. PDT to learn valuable strategies from Tripwire experts on how to protect and secure these critical assets.

 

via: tripwire

PCI DSS Version 3.2.1 Published by PCI Security Standards Council

The Payment Card Industry Security Standards Council (PCI SSC) published a minor revision to version 3.2 of its Data Security Standard (PCI DSS).

On 17 May, PCI SSC published PCI DSS version 3.2.1. The purpose of the update was to clarify organizations’ use of the Standard and when they would need to upgrade their use of common cryptographic protocols. PCI SSC Chief Technology Officer Troy Leach expanded on the motive for the Standard’s revision in a press release:

This update is designed to eliminate any confusion around effective dates for PCI DSS requirements introduced in v3.2, as well as the migration dates for SSL/early TLS. It is critically important that organizations disable SSL/early TLS and upgrade to a secure alternative to safeguard their payment data.

In version 3.2.1, PCI SSC specifically removed notes referring to 1 February 2018 as the effective date for requirements introduced in version 3.2, since that date has passed. It also updated the Standard's requirements and Appendix A2 to limit the use of Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) after 30 June 2018 to point-of-sale point-of-interaction (POS POI) terminals, and their service provider connection points, that can be verified as not susceptible to the known exploits for those protocols.
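Whether SSL/early TLS is really disabled is established by handshake, not by reading a configuration file, which is also how an assessor will check it. The following probe is an added example, not PCI SSC material or any Council tool: it pins a client to one protocol version at a time, records which versions a server will complete a handshake for, grades the result against Appendix A2 (TLS 1.0 and anything older count as early TLS), and shows the corresponding server-side fix. Hosts and ports are assumptions; the POS POI exception cannot be decided over the network and is left to the assessor.

```python
import socket
import ssl

# Versions the PCI SSC guidance treats as "SSL/early TLS". SSLv2/SSLv3 are listed
# for completeness; a modern OpenSSL cannot speak them, so they are never probed.
EARLY_TLS = {"SSLv2", "SSLv3", "TLSv1"}

PROBES = {  # name -> ssl.TLSVersion to pin for the probe handshake
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, version, timeout=5.0):
    """True if the server completes a handshake when the client offers only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # probing protocol support, not identity
    try:
        try:
            # Let OpenSSL offer legacy suites so that TLS 1.0/1.1 can be tested at all.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass                              # older/other TLS libraries: keep defaults
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False                          # refused, timed out, or version unsupported locally


def scan(host, port=443):
    """Which protocol versions does the server accept? (network call)"""
    return {name: probe(host, port, ver) for name, ver in PROBES.items()}


def assess(results):
    """Grade a scan result against Appendix A2: after 30 June 2018 no SSL/early TLS
    may be offered (outside the POS POI exception), and at least one secure version
    must work, otherwise the service is simply down rather than compliant."""
    early = sorted(v for v, on in results.items() if on and v in EARLY_TLS)
    modern = sorted(v for v, on in results.items() if on and v not in EARLY_TLS)
    return {
        "early_tls_offered": early,
        "secure_offered": modern,
        "compliant": not early and bool(modern),
    }


def hardened_server_context(certfile, keyfile):
    """Server-side remediation: refuse every version below TLS 1.2. `certfile` and
    `keyfile` are paths supplied by the operator (assumed, not on the page)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target
    results = scan(target)
    print(results)
    print(assess(results))
```

Run it against each external interface that handles cardholder data, including the non-obvious ones (management ports, API gateways, load balancers that terminate TLS in front of the application), because a single listener still accepting TLS 1.0 is enough to fail the requirement.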

Another important change involved the removal of multi-factor authentication (MFA) as a compensating control example in Appendix B of the standard. PCI SSC made this update to reflect the fact that all non-console administrative access now requires MFA, with one-time passwords serving as an effective alternate control in these scenarios.

The Security Standards Council enacted a few additional updates. It included a link to its Document Library so that organizations can learn more about the changes.

Because version 3.2.1 introduces no new requirements, organizations can continue to use PCI DSS version 3.2 through 31 December 2018. If they decide to do so, they should familiarize themselves with some of the key challenges of achieving compliance with this version and how they can overcome them.

 

via: tripwire