Risk // Compliance
News & Commentary
Escalating Cyberattacks Threaten US Healthcare Systems
Rick Kam and Larry Ponemon, Rick Kam, President & Co-founder, ID Experts & Larry Ponemon, Chairman & Founder, Ponemon InstituteCommentary
Electronic health records are prime targets because healthcare organizations lack the resources, processes, and technologies to protect them. And it’s only going to get worse.
By Rick Kam and Larry Ponemon Rick Kam, President & Co-founder, ID Experts & Larry Ponemon, Chairman & Founder, Ponemon Institute, 5/27/2015
Comment0 comments  |  Read  |  Post a Comment
Deconstructing Mobile Fraud Risk
Subbu Sthanu, Director, Mobile Security & Application Security, IBMCommentary
Today’s enterprise security solutions don’t do enough to manage BYOD risk, credit card theft and the reputational damage resulting from a major data breach.
By Subbu Sthanu Director, Mobile Security & Application Security, IBM, 5/5/2015
Comment1 Comment  |  Read  |  Post a Comment
7 In 10 Businesses Struggle To Sustain PCI Compliance
Jai Vijayan, Freelance writerNews
Maintaining PCI compliance is a bigger challenge that achieving it for many companies, Verizon study finds.
By Jai Vijayan Freelance writer, 3/12/2015
Comment1 Comment  |  Read  |  Post a Comment
6 Ways The Sony Hack Changes Everything
John B. Dickson, CISSP,  Principal, Denim GroupCommentary
Security in a post-Sony world means that a company's very survival in the wake of a cyber attack is more of a concern than ever before.
By John B. Dickson CISSP, Principal, Denim Group, 3/11/2015
Comment5 comments  |  Read  |  Post a Comment
Second Look: Data Security In A Hybrid Cloud
Bill Kleyman, Director of Strategy & Innovation, MTM TechnologiesCommentary
Today’s big cloud providers were built around an architecture for hosting and securing data. They will continue to thrive, only by keeping your workloads safe.
By Bill Kleyman Director of Strategy & Innovation, MTM Technologies, 3/9/2015
Comment12 comments  |  Read  |  Post a Comment
Anthem Refuses To Let Inspector General Conduct Full Security Audit
Dark Reading Staff, Quick Hits
A ‘Building Code’ For Internet of Things Security, Privacy
Greg Shannon, Ph.D., chair, IEEE Cybersecurity Initiative & Chief Scientist, CERT Division, Carnegie Mellon University Software Engineering InstituteCommentary
In the fast-emerging IoT, medical device safety is reaching a critical juncture. Here are three challenges InfoSec professionals should begin to think about now.
By Greg Shannon Ph.D., chair, IEEE Cybersecurity Initiative & Chief Scientist, CERT Division, Carnegie Mellon University Software Engineering Institute, 3/4/2015
Comment6 comments  |  Read  |  Post a Comment
Compliance & Security: A Race To The Bottom?
Kevin E. Greene, Software Assurance Program Manager, Department of Homeland Security Science & Technology DirectorateCommentary
Compliance is meaningless if organizations don’t use it as a starting point to understand and mitigate risks within their environment.
By Kevin E. Greene Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, 3/3/2015
Comment0 comments  |  Read  |  Post a Comment
Box Giving Customers Control Over Encryption Keys
Sara Peters, Senior Editor at Dark ReadingNews
Box says they've eliminated the last major barrier to cloud adoption, even in highly regulated organizations.
By Sara Peters Senior Editor at Dark Reading, 2/10/2015
Comment1 Comment  |  Read  |  Post a Comment
Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers
Sara Peters, Senior Editor at Dark ReadingNews
Meanwhile, Anthem victims are now being harassed by scammers trying to collect even more personal information.
By Sara Peters Senior Editor at Dark Reading, 2/9/2015
Comment4 comments  |  Read  |  Post a Comment
A Mere 8 Days After Breach, Anthem Healthcare Notifies Customers
Sara Peters, Senior Editor at Dark ReadingNews
Was the data encrypted in storage? Investigators aren't saying, but they hint that it wouldn't matter either way.
By Sara Peters Senior Editor at Dark Reading, 2/5/2015
Comment13 comments  |  Read  |  Post a Comment
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
But chances of this becoming a mandatory national breach notification law are no sure thing, even in the wake of the past year's high-profile hacks, experts say.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/12/2015
Comment12 comments  |  Read  |  Post a Comment
How PCI DSS 3.0 Can Help Stop Data Breaches
Troy Leach and Christopher Strand, Chief Technology Officer, PCI Security Standards Council & Senior Director of Compliance, Bit9Commentary
New Payment Card Industry security standards that took effect January 1 aim to replace checkmark mindsets with business as usual processes. Here are three examples.
By Troy Leach and Christopher Strand Chief Technology Officer, PCI Security Standards Council & Senior Director of Compliance, Bit9, 12/23/2014
Comment9 comments  |  Read  |  Post a Comment
The Internet's Winter Of Discontent
Paul Vixie, Chairman & CEO, Farsight Security, Inc.Commentary
The new great cybersecurity challenge in trying to sum up the most dangerous weaknesses in the world’s connected economy is that the hits just keep on coming.
By Paul Vixie Chairman & CEO, Farsight Security, Inc., 12/19/2014
Comment1 Comment  |  Read  |  Post a Comment
Cyber Security Practices Insurance Underwriters Demand
Natalie Lehr, Co-Founder & VP Analytics, TSC AdvantageCommentary
Insurance underwriters aren’t looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks.
By Natalie Lehr Co-Founder & VP Analytics, TSC Advantage, 12/11/2014
Comment3 comments  |  Read  |  Post a Comment
The Real Cost of Cyber Incidents, According To Insurers
Sara Peters, Senior Editor at Dark ReadingNews
Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.
By Sara Peters Senior Editor at Dark Reading, 12/3/2014
Comment3 comments  |  Read  |  Post a Comment
OCR Audits: Don’t Fall Victim To Past Mistakes
Mark Fulford, Partner at LBMC’s Security & Risk ServicesCommentary
The Office of Civil Rights is not out to get you. But it does expect you to make good-faith efforts at protecting patient data.
By Mark Fulford Partner at LBMC’s Security & Risk Services, 11/21/2014
Comment2 comments  |  Read  |  Post a Comment
Enter The Digital Risk Officer
Nick Sanna, President, Digital Risk Management InstituteCommentary
In the brave new world of digital risk management, a CISO would report up to a DRO who manages risk from a business perspective and works with peers in business ops, compliance, and IT security.
By Nick Sanna President, Digital Risk Management Institute, 11/20/2014
Comment1 Comment  |  Read  |  Post a Comment
NOAA Blames China In Hack, Breaks Disclosure Rules
Sara Peters, Senior Editor at Dark ReadingNews
The National Oceanic and Atmospheric Administration finally confirms that four websites were attacked and taken down in September, but details are sketchy and officials want answers.
By Sara Peters Senior Editor at Dark Reading, 11/13/2014
Comment2 comments  |  Read  |  Post a Comment
Cyberspace Expands Threat Matrix
Patience Wait, News
National security experts warn there is no privacy or security any more.
By Patience Wait , 11/3/2014
Comment1 Comment  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9710
Published: 2015-05-27
The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time windo...

CVE-2014-9715
Published: 2015-05-27
include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that trig...

CVE-2015-2666
Published: 2015-05-27
Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to t...

CVE-2015-2830
Published: 2015-05-27
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrate...

CVE-2015-2922
Published: 2015-05-27
The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.

Dark Reading Radio
Listen Now Incident Response War Gaming: Practicing the Post-Breach Panicking
After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?