Incident management isn’t enough — here’s what IT really needs

incident managementIn all of the latest IT security threat reports, one theme is clear: Breaches and compromises are on the rise, both in quantity and sophistication, and there’s no sign of them slowing down. Organizations of all sizes are at risk. Businesses need to be ahead of the game, maintain a strong security posture, and be prepared for anything.

But is it possible to be prepared for the unexpected? Yes it is, but only if you focus on developing and implementing sound incident management practices.

This includes everything from initial detection of an intrusion in the IT environment to response and recovery services. But here’s the rub: Incident management programs are useless if they can’t detect an incident or attack in real time. This is the key component to the IT security universe. Continue Reading…

Tags: , , , ,

Is it a patch, or just another problem for your network?

security patchWhen is a patch not a patch? When it becomes another exploit on your network.

We sometimes lose sight of these obvious points when talking about patching and vulnerability management. At Tenable, we often discuss vulnerability management (it is what we do), which leads to conversations about patching and patch management (even though that is not what we do). Patch Tuesday has driven systems administrators and vulnerability management professionals into a myopic patch mentality; sometimes it works well, sometimes it works just well enough, and sometimes it leads to stupidity.

Patching isn’t always the answer. When vulnerabilities are found, there should be a logical process for dealing with them. While “slap a patch on that bad boy” is often a great answer, and frequently the easiest, it is not the only response to network vulnerabilities. Continue Reading…

Tags: , , , , ,

Tackling security vulnerabilities in health care

health care data securityNetwork security is critical for any organization, but in the health care space, with the personal and medical details of millions of individuals in the balance, the stakes are even higher. Out-of-date software, unimplemented patches, or even outdated passwords could be the vulnerability that exposes the sensitive information of an innocent and unsuspecting patient base. Two recent security breaches suffered by prominent U.S. health insurers highlight these vulnerabilities.

In February, Anthem Inc., the second-largest health insurer in the U.S, revealed that a previously-disclosed hacker attack compromised the health care records of as many as 80 million individuals. A few weeks later, Premera Blue Cross reported that the personal, bank, and health data of an estimated 11 million individuals was exposed when hackers penetrated its system in a similar assault.

These two high-profile security breaches have intensified the spotlight on data security, and raised several important questions for health care organizations (what HIPAA calls “connected entities”) and groups that provide supporting services to health care entities (called “business associates”). These groups should be asking the following questions: Continue Reading…

Tags: , , , , , , ,

The biggest security mistake you can make (and how to avoid it)

biggest security mistakeNo organization is immune to security risks. Between malware, viruses, network attacks, and data breaches, organizations must keep a watchful eye on the health of their IT environment.

But often the biggest security risk is the one you’re not paying attention to. It’s not forgetting to patch security vulnerabilities, or not running antivirus, or relying on outdated software. Those are bad ideas, for sure, but there is one idea that’s worse than all of those combined: Not conducting regular data backups.

Organizations that don’t follow through with regular data backups aren’t alone, and a proper system backup solution doesn’t have to be a budget-busting endeavor. IT can easily fill this security gap with the right support. Continue Reading…

Tags: , , , , , ,