
Info Risk Today Podcast
3,490 episodes — Page 32 of 70
Creating a Hack-Proof Computer
The technology and know-how exist to build a hack-proof computer, but doing so won't be easy, says Howard Shrobe, principal research scientist at the Massachusetts Institute of Technology's Computer Science and Artificial Intelligence Laboratory.
LeakedSource's Demise: Lessons Learned
Paid breach notification site LeakedSource has disappeared. Given the site's business model - selling access to stolen credentials to any potential buyer - breach notification expert Troy Hunt says the site's demise is no surprise.
Moving Away from Checkbox Compliance
Leading the latest version of the ISMG Security Report: a look at how various sectors are moving away from checkbox compliance, instead taking proactive measures to secure their information assets. Also, big increase in e-commerce fraud and Yahoo's costly breach.
Dark Web: 5 Things to Know
What's required to access the Dark Web? And how does one separate fact from fiction? These are two of the five things Dark Web users need to know, says Danny Rogers, co-founder and CEO of Terbium Labs.
Securing Data Beyond 'The Walled Garden'
Emerging insider threats have quickly proven that the proverbial "walled garden" is not so walled after all, and without true end-to-end encryption, insiders and outsiders can compromise sensitive data, says Dr. Phillip Hallam-Baker of Comodo Group.
'Retrospection' Backtracks Detection of Intrusions
Through a technique known as "retrospection," organizations can replay attacks, going back to scan their networks for malware identified after their networks were infected, says Ramon Peypoch of Protectwise.
Investigating Blockchain's Role in Health Info Exchange
Federal regulators are considering the role that blockchain technology could play in advancing the secure exchange of healthcare information, says Steve Posnack of the Office of the National Coordinator for Health IT, who explains ongoing research efforts.
Is Healthcare's Cybersecurity Attitude Changing?
Could attitudes about cybersecurity in the healthcare sector be at a tipping point? A new study shows a shift from a focus on compliance to managing business risks, says David Finn, health IT officer at Symantec.
ROI of Vendor Risk Management
Organizations across sectors have come to understand the inherent security risks posed by third-party vendors. But too many approach vendor risk management with a manual process, says Daniel de Juan of Rsam.
What's Ahead for Trump on Cybersecurity Initiatives?
Ari Schwartz, former special assistant to the president and senior director for cybersecurity in the Obama administration, sizes up what cybersecurity actions the Trump administration could take.
Javelin: Card-Not-Present Fraud Jumped 40% in 2016
Card-not-present fraud skyrocketed in 2016, jumping 40 percent from 2015, according to new research, says Al Pascual of Javelin Strategy & Research, who analyzes the reasons why.
Faster Breach Detection via Analytics
Organizations are increasingly turning to user behavioral analytics to help more quickly detect new attacks - emanating from inside or outside the enterprise - as well as mitigate those threats, says CA's Mark McGovern.
Analysis: Shift from Data Hacks to Ransomware in Healthcare
Major healthcare breaches involving hackers accessing patient information soared in 2016. But now more cybercriminals are shifting their attention to ransomware attacks because of the glut of stolen health information hitting the black market, says Dan Berger of CynergisTek.
The Growth of IoT Litigation, Regulation
As more IoT devices are compromised to wage large-scale attacks, related litigation and regulatory scrutiny will grow, which means device manufacturers - and users - could be held more accountable, says Richard Henderson, global security strategist at Absolute.
Smaller Financial Institutions Struggle with Cyber Resilience
Increasing regulatory oversight is overwhelming smaller banks and credit unions, pushing them to continue to focus more on compliance than overall cybersecurity and resilience, says Sean Feeney, CEO of DefenseStorm.
The Case for Solutions Integration
Staying current in threat detection is key, which is why more security companies need to embrace a more open way of thinking when it comes to solutions integration, says Christopher Kruegel, CEO of Lastline.
Will a Pending OCR Rule Impact Breach Class-Action Suits?
A pending federal regulation - called for under the HITECH Act - that would allow regulators to share with breach victims money collected in HIPAA violation cases eventually could have implications for class-action breach lawsuits, says privacy attorney Adam Greene.
Stopping Phishing Attacks More Quickly
Because most malware is spread via phishing, experts at Webroot are focusing their attention on stopping phishing attacks before they have a chance to infect a system with malicious code, says David Dufour, the company's senior director of engineering and cybersecurity.
The Role of Omnichannel Risk Analysis
Risk analysis is at the core of most card fraud prevention platforms used today, says Carol Alexander of CA Technologies. But what if the industry could take the lessons it's learned to other channels, enabling banking institutions to more readily identify potentially fraudulent transactions before they happen?
Trend Micro: Why Most Cybersecurity Startups Won't Survive
The honeymoon period for smaller players in cybersecurity is nearing an end, predicts Trend Micro CTO Raimund Genes. Achieving profitability has proven to be challenging for startups, while more established companies are thriving, he contends.
The Security Business Case for User Behavior Monitoring
By applying analytics to user behavior, organizations can better prioritize the actual risks facing their business, thus helping cut through the sheer volume of security alerts they face daily, says Doug Copley, deputy CISO of Forcepoint.
The Rise of Software-Defined Secure Networks
Attackers continue to target enterprise assets both from outside and - too often - inside the corporate perimeter. To help, more organizations are turning to software-defined secure networks, says Mihir Maniar of Juniper Networks.
Former ONC Privacy Chief on Healthcare's Cyber Challenges
To help prepare for ever-evolving cyber threats, healthcare entities need to learn from the security practices of other sectors, says Lucia Savage, former chief privacy officer at the Office of the National Coordinator for Health IT.
Access Management in Healthcare Evolves
Because so many healthcare organizations are growing through mergers and acquisitions at a time when cyber threats are multiplying, effective access control is becoming increasingly important - and more complex, says Joe Meyer of the security consulting firm NCC Group.
Data Integrity in the Era of Fake News
An analysis of integrity - a core foundation of cybersecurity - in the era of fake news leads the latest edition of the ISMG Security Report. Also, a new initiative aims to help ensure the security of medical devices, and financial institutions in New York face new state cybersecurity regulations.
HIPAA Compliance Audits: The Very Latest Details
Plans to launch some onsite HIPAA compliance audits are now on hold while the agency that enforces HIPAA completes more than 200 desk audit reports, says Deven McGraw, deputy director of the Department of Health and Human Services' Office for Civil Rights.
Trapping Hackers Via BEC Attacks, Email Spoofing
Fooling hackers into giving up traceable information about themselves through "reflective" social engineering is helping researchers curb fraud losses and protect would-be victims, say Dell Secureworks researchers Joe Stewart and James Bettke.
A New Way to Report Medical Device Vulnerabilities
A new website is now available for reporting medical device vulnerabilities, says Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety and Security Consortium, who explains how MD-VIPER works in this in-depth interview.
A CISO Outlines Breach-Fighting Efforts
The uptick of ransomware and other cyberattacks in the healthcare sector has prompted healthcare provider RWJBarnabas Health to make a number of important moves to help prevent, detect and respond to breaches, says CISO Hussein Syed.
RSA 2017: Voices of InfoSec Thought Leaders
This edition of the ISMG Security Report features updates from RSA Conference 2017 on emerging technologies, the forthcoming White House cybersecurity executive order and Microsoft's call for a "Digital Geneva Convention."
US Rep. Michael McCaul on Homeland Cybersecurity
U.S. Rep. Michael McCaul says Washington must accept that we are losing on the global cyber battlefield. But the Homeland Security Committee chairman contends the Trump administration has the opportunity to turn the tide by prioritizing cybersecurity and investing the right resources in partnerships and defense.
Epidemiology, Immunology, Genetics Echo in InfoSecurity
A discussion on how the understanding of epidemiology, immunology and genetic research processes can help developers create methods to secure information systems leads the latest episode of the ISMG Security Report. Also featured: insights on strengthening ATM defenses.
Secure Coding: The Rise of SecDevOps
For too long, ensuring that code is securely written - and bug free - has been a business afterthought. But there's been new hope for building security into the development lifecycle, thanks to the rise of DevOps, aka rugged software, says Chris Wysopal, CTO of the application security firm Veracode.
Evaluating Impact of Lawful Hacking, Metadata
In this edition of the ISMG Security Report: An evaluation of the challenges law enforcement faces in using lawful hacking and metadata as an alternative way to collect evidence when cracking an encrypted device is not an option. Also, a look at Trump's revised cybersecurity executive order.
What Security Professionals Can Learn From Epidemiologists
Just like epidemiologists studying disease outbreaks, cybersecurity professionals can benefit from identifying and mitigating certain behaviors, says Dr. Elizabeth Lawler, an epidemiologist who is CEO of Conjur, a data security firm.
Tips for Preventing Business Associate Breaches
Plenty of healthcare organizations have been stung by data breaches caused by their business associates. That's one reason why Beaufort Memorial Hospital has been taking a variety of measures to help prevent reportable incidents involving its BAs, says CIO Ed Ricks.
"Why Can't We Solve Phishing?"
We know why phishing works; we know how it works. And yet the schemes still succeed, and they're only getting more effective. How can we stop phishing? Jim Hansen of PhishMe has some ideas, and they just might surprise you.
How Will Trump Administration Ensure Healthcare InfoSec?
In this edition of the ISMG Security Report: an analysis of a major fine against a Texas hospital and its implications for how the Trump administration might enforce HIPAA rules. Also, an IRS-related phishing scheme targets businesses.
Expert Analysis: Improving Medical Device Cybersecurity
Karl West, CISO of Intermountain Healthcare, and Mike Nelson, vice president of healthcare solutions at DigiCert, provide an analysis of the FDA's recent guidance on cybersecurity for medical devices. They'll also be speaking on that topic at the HIMSS 2017 Conference in Orlando, Fla.
Post-Manning: Malicious Insider Defenses Evolve
When Army intelligence specialist Chelsea Manning leaked classified documents to WikiLeaks in 2010, the federal government's security clearance process served as the main defense against malicious insiders. CERT's Randy Trzeciak explains how insider threat defenses have changed since then.
Defending DHS Against the Insider Threat
A report on passage by the House of Representatives of a bill aimed at toughening insider threat defenses at the Department of Homeland Security leads the latest edition of the ISMG Security Report. Also, analyzing the use of blockchain technology to secure healthcare data.
What It Takes to Achieve Digital Trust
With great efficiencies and cost savings also come great threats and fraud risks. This is today's digital reality, and it is why cybersecurity and the user experience need to be aligned to create digital trust, says Scott Clements of VASCO Data Security.
OT vs. IT Security: The Need for Different Approaches
Cybersecurity strategies developed for data-centric information technology are not necessarily suitable for protecting operational technology, where availability, rather than confidentiality, is the key security concern, says Vikram Kalkat of Kaspersky Lab.
Could Blockchain Support Secure Health Data Exchange?
Blockchain, the distributed ledger technology for cryptocurrency, has the potential to improve the privacy and security of health information exchange, says Shahram Ebadollahi, vice president of innovations at IBM Watson, which is collaborating with the FDA on a research project.
Ransomware Didn't Hold Austrian Hotel Guests Hostage
This edition of the ISMG Security Report debunks recent reports suggesting that Austrian hotel guests were locked into - and out of - their rooms by ransomware. Also, would a cybersecurity executive order from U.S. President Donald Trump advance the nation's existing efforts?
Why Court Revived Breach-Related Case Against Horizon BCBS
Attorney Steven Teppler analyzes the significance of a federal appellate court's ruling vacating a lower court's decision to dismiss a class action lawsuit against Horizon Blue Cross Blue Shield that was filed in the wake of a breach affecting 840,000 individuals.
Gartner's Litan on Endpoint Detection, Behavioral Analytics
Gartner analyst Avivah Litan has long been the go-to expert for insights on fraud detection. Now she has broadened her focus to cover endpoint security and user and entity behavioral analytics. Where do these topics converge, and what insights can she share on the 2017 cybersecurity outlook?
White House Staffers Used an RNC Private Email Server
This edition of the ISMG Security Report leads with news that several senior White House staffers had been using a private email server. Also, fueled by worries over Russian hacking, the Australian government plans to educate political parties on improving cybersecurity.
HIPAA Enforcement Under Trump: A Forecast
Privacy and security attorney Kirk Nahra offers a forecast for how the Trump administration might address various health data security issues, including HIPAA enforcement, and an assessment of the Obama administration's record on those issues.
Privileged Access Management: Break the Kill Chain
Targeted breaches are increasing and they share a common thread - a kill chain that exploits privileged users and their credentials to gain access to sensitive systems. Steve McCullar of CA Technologies discusses how privileged access management can break that kill chain.