Object Access Limitations. . . While offering some visibility, there are limitations to object access monitoring. If your organization has to comply with industry regulations such as GLBA, HIPAA, or Sarbanes Oxley, you know that maintaining data security and privacy are important, and one of the ways you can accomplish that is with object access […]

The first in our guest author series, this article by Eric Kroeger and Jason Mikolanis explains the difference between patch and vulnerability management.

The controversial new regulations are the first in the nation, and may not be the last… An article review. On March 1 New York State became the first in the nation to impose its own cybersecurity regulations on banking institutions. Though banking institutions have 180 days to come into compliance, there are complaints that the […]

Questions from vendor management to mitigating controls covered in the new document. An article review.   The FFIEC released a document earlier this month covering some of the most frequently asked questions surrounding the Cybersecurity Assessment Tool (CAT), and it’s certainly worth taking a look at as many of their answers are eye-opening! Many have wondered […]

If you think you have a good patch management and verification program in place, think again! Sure, you’re supplementing WSUS with Nessus scans or some other third party patch verification process. But are you scanning your mobile devices?

The Federal Financial Institutions Examination Council (FFIEC) has announced that the organization has upgraded the functions and features of the InfoBase for the FFIEC Information Technology Examination Handbook (IT Handbook). The IT Handbook consists of 11 booklets covering a variety of technology and technology-related risk management guidance for financial institutions and examiners.

Vulnerabilities come in all shapes and sizes and while operating system patch management has largely been simplified with tools like WSUS, there is still a high degree of risk due to many popular third party applications and the lack of any centralized patching mechanism for maintaining those installations.  Vendors such as Adobe and Mozilla regularly release updates for their software packages, but managing those updates has been an arduous task for many system administrators.  Until recently, the only centralized option was to create your own MSI packages and deploy them via group policy or SCCM.

In November 2011, the FBI replaced rogue DNS servers with clean servers to prevent millions of Internet users infected with the DNSChanger malware from losing Internet connectivity when the members of a ring where arrested during Operation Ghost Click. However, the court order allowing the FBI to provide the clean servers is set to expire on March 8, 2012. Computers that are infected with the DNSChanger malware may lose Internet connectivity when these FBI servers are taken offline.

One audit test we perform that sets us apart from many audit firms is a review of code, content, and infrastructure using the OWASP Top Ten Vulnerabilities as a framework.

I just got off the phone with Dan after he spent the last couple of days at the Indiana Bankers Association’s IT Security Conference. He said it went great! Lots of good information and wonderful speakers. Long story short: I’m a multi-tasker. So, while discussing the conference, I needed something to do to fill that multi-tasking gap (I couldn’t work on the IT Audit report and listen to him at the same time). This is what I did…