Risk // Compliance
News & Commentary
How PCI DSS 3.0 Can Help Stop Data Breaches
Troy Leach and Christopher Strand, Chief Technology Officer, PCI Security Standards Council & Senior Director of Compliance, Bit9Commentary
New Payment Card Industry security standards that take effect January 1 aim to replace checkmark mindsets with business as usual processes. Here are three examples.
By Troy Leach and Christopher Strand Chief Technology Officer, PCI Security Standards Council & Senior Director of Compliance, Bit9, 12/23/2014
Comment1 Comment  |  Read  |  Post a Comment
The Internet's Winter Of Discontent
Paul Vixie, Chairman & CEO, Farsight Security, Inc.Commentary
The new great cybersecurity challenge in trying to sum up the most dangerous weaknesses in the world’s connected economy is that the hits just keep on coming.
By Paul Vixie Chairman & CEO, Farsight Security, Inc., 12/19/2014
Comment1 Comment  |  Read  |  Post a Comment
Cyber Security Practices Insurance Underwriters Demand
Natalie Lehr, Co-Founder & VP Analytics, TSC AdvantageCommentary
Insurance underwriters aren’t looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks.
By Natalie Lehr Co-Founder & VP Analytics, TSC Advantage, 12/11/2014
Comment2 comments  |  Read  |  Post a Comment
The Real Cost of Cyber Incidents, According To Insurers
Sara Peters, Senior Editor at Dark ReadingNews
Healthcare is hit by the most malicious insiders and the highest legal costs, according to a NetDiligence report.
By Sara Peters Senior Editor at Dark Reading, 12/3/2014
Comment3 comments  |  Read  |  Post a Comment
OCR Audits: Don’t Fall Victim To Past Mistakes
Mark Fulford, Partner at LBMC’s Security & Risk ServicesCommentary
The Office of Civil Rights is not out to get you. But it does expect you to make good-faith efforts at protecting patient data.
By Mark Fulford Partner at LBMC’s Security & Risk Services, 11/21/2014
Comment2 comments  |  Read  |  Post a Comment
Enter The Digital Risk Officer
Nick Sanna, President, Digital Risk Management InstituteCommentary
In the brave new world of digital risk management, a CISO would report up to a DRO who manages risk from a business perspective and works with peers in business ops, compliance, and IT security.
By Nick Sanna President, Digital Risk Management Institute, 11/20/2014
Comment1 Comment  |  Read  |  Post a Comment
NOAA Blames China In Hack, Breaks Disclosure Rules
Sara Peters, Senior Editor at Dark ReadingNews
The National Oceanic and Atmospheric Administration finally confirms that four websites were attacked and taken down in September, but details are sketchy and officials want answers.
By Sara Peters Senior Editor at Dark Reading, 11/13/2014
Comment2 comments  |  Read  |  Post a Comment
Cyberspace Expands Threat Matrix
Patience Wait, News
National security experts warn there is no privacy or security any more.
By Patience Wait , 11/3/2014
Comment1 Comment  |  Read  |  Post a Comment
Financial Breaches Show ‘Trust Model’ Is Broken
Bob West, Chief Trust Officer, CipherCloudCommentary
It’s a full-blown crisis when a dozen major financial services firms admit to having their networks probed by the same attackers as those behind the JPMorgan Chase breach.
By Bob West Chief Trust Officer, CipherCloud, 10/31/2014
Comment7 comments  |  Read  |  Post a Comment
Chipmaker Disables Counterfeits With Software Update
Jai Vijayan, Freelance writerNews
FTDI's update, targeting counterfeit chips, could disable systems widely embedded in healthcare, critical infrastructure, and consumer products.
By Jai Vijayan Freelance writer, 10/28/2014
Comment3 comments  |  Read  |  Post a Comment
This Week In 60 Seconds: Crypto Outcry, Compliance & More
Andrew Conry Murray, Director of Content & Community, InteropCommentary
Hot stories this week include saying 'No' to crypto backdoors for law enforcement, new roles for IT on Wall Street, and more.
By Andrew Conry Murray Director of Content & Community, Interop, 10/24/2014
Comment0 comments  |  Read  |  Post a Comment
20% Of 'Broadly Shared' Data Contains Regulated Info
Sara Peters, Senior Editor at Dark ReadingNews
Forget shadow IT. The new risk is "shadow data."
By Sara Peters Senior Editor at Dark Reading, 10/23/2014
Comment6 comments  |  Read  |  Post a Comment
Shellshock & Why EHRs Need Updating
Michael A.M. Davies, Founder & Chairman, Endeavour PartnersCommentary
Nearly half of all security breaches occur in healthcare, and outdated medical records systems make data more vulnerable. An up-to-date EHR system can help solve security concerns, save money, and improve patient care.
By Michael A.M. Davies Founder & Chairman, Endeavour Partners, 10/22/2014
Comment1 Comment  |  Read  |  Post a Comment
Compliance Is A Start, Not The End
Sara Peters, Senior Editor at Dark ReadingCommentaryVideo
Regulatory compliance efforts may help you get a bigger budget and reach a baseline security posture. But "compliant" does not necessarily mean "secure."
By Sara Peters Senior Editor at Dark Reading, 10/21/2014
Comment2 comments  |  Read  |  Post a Comment
4 ID Management Tips For Better Breach Resistance
Ericka Chickowski, Contributing Writer, Dark ReadingNews
AT&T insider attack case highlights the need for strong privileged identity management practices.
By Ericka Chickowski Contributing Writer, Dark Reading, 10/13/2014
Comment1 Comment  |  Read  |  Post a Comment
DHS Anti-Terrorism Program Could Provide Cyberattack Liability Protection
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
The SAFETY Act can offer a layer of legal protection for cyber security vendors, providers, and enterprise security policies in the wake of an attack, an attorney says.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 10/8/2014
Comment1 Comment  |  Read  |  Post a Comment
Tokenization: 6 Reasons The Card Industry Should Be Wary
Pat Carroll, Executive Chairman & Founder, ValidSoftCommentary
VISA’s new token service aims to provide consumers a simple, fraud-free digital payment experience. It’s a worthy goal, but one that may prove to be more aspirational than functional.
By Pat Carroll Executive Chairman & Founder, ValidSoft, 10/7/2014
Comment4 comments  |  Read  |  Post a Comment
How Cookie-Cutter Cyber Insurance Falls Short
Kevin Smith, VP, The Graham CompanyCommentary
Many off-the-shelf cyber liability policies feature a broad range of exclusions that won’t protect your company from a data breach or ransomware attack.
By Kevin Smith VP, The Graham Company, 10/6/2014
Comment9 comments  |  Read  |  Post a Comment
FDA Pushes To Improve Medical Device Security
Jai Vijayan, Freelance writerNews
Cyber attacks pose a grave threat to the integrity of healthcare services, agency says.
By Jai Vijayan Freelance writer, 9/29/2014
Comment1 Comment  |  Read  |  Post a Comment
DoE Preps Privacy Standards For Smart Grid
Jai Vijayan, Freelance writerNews
Department of Energy has released a set of voluntary privacy recommendations for smart grid owners, operators, and third parties; industry stakeholders have until October 14 to comment on draft.
By Jai Vijayan Freelance writer, 9/29/2014
Comment1 Comment  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

CVE-2014-6132
Published: 2014-12-24
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML vi...

CVE-2014-6153
Published: 2014-12-24
The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.