
How to Check for Dangerous Certificates and Unsigned Windows OS Files

Sigcheck is a lightweight Windows command-line utility that does an amazing job at scanning the digital certificate stores on your system for anything irregular and not part of the official Microsoft Trusted Root Certificate list. Additionally, the utility will also check the digital signatures of files and identify all unsigned files in a directory while simultaneously running them against [...]

By |2020-08-04T15:45:40+00:00February 16th, 2016|Cyber Risk Management, IT Audit & Compliance|8 Comments

Developing & Implementing a Data Classification Policy

Properly classifying and labeling information assets is fundamental to a successful information security program, yet many organizations fail to implement one. Without proper asset classification, the organization exposes itself to additional risk of data breaches, accidental loss/release of sensitive information, losses in efficiency or additional costs associated with securing data that may not require it (hardware-based encryption doesn’t come cheap!). It [...]

2016 Cyber Risk Reports Reveal the Need for Effective Risk Assessments to Better Allocate Resources

As companies continue to shift data and resources to electronic formats, a trend growing faster year over year, information and cyber risks shift to the top of management's priority list. This means that management must dedicate more resources - resources that don't exist - to the management of information risk. This shortage of human resources combined with an exponentially growing digital attack surface means companies must [...]

By |2020-01-17T21:21:32+00:00December 7th, 2015|Cyber Risk Management, IT Audit & Compliance|0 Comments

How to Improve the Broken Risk Assessment Process

I recently participated in a CIO round-table to discuss mechanisms in which management teams assess information technology risks. Almost all of the CIOs said they were performing regular risk assessments, but they also expressed a lot of concern that the assessments were performed consistently or with high quality. The major concern among the CIOs was that they didn't have a realistic view [...]

By |2020-01-17T21:21:43+00:00December 2nd, 2015|Cyber Risk Management, IT Audit & Compliance|0 Comments

Differentiating Penetration Tests, Vulnerability Scans, and Risk Assessments

Penetration testing has become another hot, and often misused, term in the marketplace, joining the ranks of other buzzwords such as “Cybersecurity”, “Hacker” and “The Cloud”. Oftentimes, organizations confuse penetration testing with vulnerability scans or security posture assessments (a.k.a. risk assessments). While penetration testing does include utilizing vulnerability scans and overlaps with security posture assessments, penetration testing encompasses a [...]

By |2020-01-17T21:21:48+00:00November 25th, 2015|Cyber Risk Management|3 Comments

Are Penetration Tests Worth the Risk?

I have had several conversations with executives recently about the role of penetration testing and whether or not penetration testing is worth the risk. There seem to be two schools of thought on this issue. One side argues that pen testing is inherently more risky than the risk it's trying to mitigate; the other side calls it necessary for security hardening. Here [...]

By |2020-01-17T21:22:00+00:00October 27th, 2015|Cyber Risk Management|3 Comments

Bridge the Gap Between Internal Audit & Enterprise Risk Management – Identify Business Drivers (PART 4)

Author’s Note: This series will help you build an ERM system that will bridge the gap between Internal Audit (IA) and Enterprise Risk Management (ERM). Part 1 | Part 2 | Part 3 | Part 4 Business Drivers are typically defined by executive management with guidance from the board of directors. From an internal audit or ERM perspective, though we do not define business drivers, [...]

Target 2013 Breach: Understanding the Need for Secure Network Segmentation

A recent post from Cyber Security Investigative Reporter, Brian Krebs, does a great job of reminding IT and Information Security professionals everywhere why proper Network Segmentation is so important. The post, “Inside Target Corp., Days after 2013 Breach” goes into detail about how once criminals infiltrated Target’s corporate network, they were able to run free within the network/domain, easily gaining access [...]

By |2020-01-17T21:22:04+00:00October 1st, 2015|Cyber Risk Management|2 Comments

Bridge the Gap Between Internal Audit & Enterprise Risk Management – ERM Framework (PART 3)

Author’s Note: This series will help you build an ERM system that will bridge the gap between Internal Audit (IA) and Enterprise Risk Management (ERM). Part 1 | Part 2 | Part 3 In Part 2 of this series I discussed what an ERM Dashboard might look like, but that still leaves out the details when it comes to creating one for yourself. [...]

By |2020-01-17T21:22:05+00:00September 28th, 2015|Cyber Risk Management, IT Audit & Compliance|0 Comments