Prevalent-Blog-Logo

An Ode to Narcotics

I admit, the title of this blog was written to grab your attention. But it was also legitimately inspired by recent personal events. About a month ago, my daughter underwent shoulder surgery, and given her multiple shoulder injuries over the years, it was an extensive procedure that involved bone grafts and several medical terms I don’t understand and can’t pronounce (or spell). We brought her home with a collection of Schedule II narcotics that would make the members of Aerosmith (circa 1978) salivate.

When most of us think of our vendors handling sensitive information, we tend to gravitate toward the obvious: the payroll processing company, our contracts law firm, our accounting firm with our financial data, or the patent law firm with all our intellectual property. Frankly, the company that builds and maintains the company website isn’t typically top of mind.

Ask the Australian Red Cross if they agree.

In a way, the Sony breach was really good for the cyber security community.  A watershed moment in the industry’s history, it began a transformation from infosec as a compliance requirement – a nuisance – to a legitimate enterprise need, right up there with sales and product development (well, not exactly, but you get the idea).  It prompted increased investment in infosec technologies (e.g. SIEM), and accelerated the development of new ones (e.g. UBA).

But, I’m afraid, it was not so good for the third party risk community.

“But Jeff.  That’s silly.  After Sony – and on the heels of Target especially – regulatory organizations and companies alike began to appreciate the importance of their vendors’ information security.”

My point exactly.

It’s a foundational principle of all football offensive coordinators:  if something is working, keep running it until the defense proves they can stop it.  Your top wide receiver is consistently beating the opponent’s rookie cornerback?  Keep throwing to him.  Your offensive line is opening holes that result in 7 yards a carry every play?  Keep running the football.  Unfortunately, cyber criminals have learned the same lesson.

A recent report from the Anti-Phishing Working Group (APWG) noted a 61% quarter-over-quarter increase in phishing attacks from the first quarter to the second in 2016. The number of attacks from January through March was 289,371, while the number grew to 466,065 in the following three months.

Why?

Because if you spot a weakness in your opponent, keep exploiting it until they show they can stop it.  Phishing is all the rage among the bad guys… because it works.

A quick quiz. What’s higher? 1) The percentage of Americans that correctly understand that the Earth revolves around the Sun, or 2) the percentage of organizations that admitted a phishing attack had penetrated their defenses in 2015. The winner? #2, by a comfortable margin.

In 2012, the National Science Foundation surveyed 2,200 Americans and asked them: “Does the Earth go around the Sun, or does the Sun go around the Earth?” 74% got it right.[1] {Insert your own American educational system joke here.}

In the spring of 2016, a Cloudmark-sponsored study surveyed 300 companies, all with more than 1,000 employees, and 84% admitted that a spear phishing attack had penetrated their security defenses in the last year.[2]

The wheel. Fire. Antibiotics. Indoor Plumbing. HBO Go. That’s how I’d rank history’s greatest inventions nowadays given my addiction – shared with my wife – to Game of Thrones. We’re working our way rapidly through the entire series, and the dialogue in a Season 4 episode caught my attention recently. In a conversation with his “adopted” niece, Davos Seaworth was asked if he was a pirate in his younger days. He replied that he’d not been a pirate, but rather a smuggler. When asked by the girl what the difference was, he replied, “Well, if you’re a smuggler, and you’re well-known, you’re not doing it right.”

Massachusetts General Hospital (MGH) announced this week that some of its patient data was compromised at one of its third parties, Patterson Dental, a company that provides software that helps manage dental practice information.  According to MGH’s version of events:

“On Feb. 8, MGH learned that an unauthorized individual gained access to electronic files stored on the system {Patterson Dental’s system, that is} and later confirmed the files contained some MGH dental practice information.”[1]

As a life-long product manager, I’ve spent my share of long days enduring booth duty. And many of those days were spent in futile attempts to contort my product’s capabilities into a booth visitor’s challenge in Houdini-like fashion. Booth days are physically taxing under the best circumstances, but the mental strain of repetitively forcing a square product into a round problem is far more exhausting.

In John Cougar’s nostalgic anthem Cherry Bomb, he writes, longing for the good ol’ days: “That’s when a sport was a sport.”

Last week, I was longing for the good ol’ days when a data breach was a data breach…

As the world knows, on May 3rd, US Bank announced that hackers had stolen some of their employees’ W-2 information and other data from US Bank’s ADP Employee Portal.  This has been widely reported and understood as the May 3rd “ADP Breach,” a somewhat disingenuous moniker for the episode, as it turns out.

IT Security teams scrambled yesterday to upgrade all devices running older versions of OpenSSL to 1.0.2h or 1.0.1t, which will, according to the OpenSSL project team, “…fix several security defects with maximum severity ‘high.’” It’ll be a busy few days, but because your organization has a mature security team led by an experienced CISO, you’ve prepared for the new release, put a plan in place to execute the upgrades, and in short order, will have all your Internet-facing IPs securely patched.

Mission probably accomplished by the time you’ve read this.