Start 2018 with our top blogs to help you with your data security and compliance efforts.
It may be an understatement that 2017 was a big year for cybersecurity. From crippling ransomware, to massive data breaches like Equifax, to changes in the Payment Card Industry Data Security Standard (PCI DSS), 2017 brought some milestone changes.
We're starting out 2018 by reviewing our top 5 most popular blog posts from last year. What can we learn, and what tips are most important to remember as we begin a new year?
On May 12, 2017, many organizations running Windows machines were attacked by WannaCrypt, also known as WannaCry. The attack affected individuals, businesses, and organizations in over 150 countries. Victims were told they could free their machines and files by paying the equivalent of US $300 in Bitcoin; the ransomware threatened to delete the files within 7 days if no payment was made.
Over 230,000 computers worldwide were crippled. Healthcare organizations were hit particularly hard, including many National Health Service hospitals in England.
The WannaCry worm was contained by British security researcher Marcus Hutchins (yes, that Marcus Hutchins). The attack itself targeted outdated versions of Windows, and its spread was compounded by social engineering tactics such as phishing emails containing an infected Word document.
On October 16, 2017, security researcher Mathy Vanhoef publicly disclosed a serious vulnerability dubbed "KRACK." The vulnerability lies within the current industry-standard encryption protocol, Wi-Fi Protected Access II (WPA2). WPA2 encrypts traffic on all modern Wi-Fi networks, so any device connected to Wi-Fi could be affected.
The vulnerability is serious, but we haven't yet seen symptoms of a KRACK attack "in the wild." This post directed readers to watch for and install updates and patches for affected devices. Android and Linux devices are the most easily affected; most versions of iOS and Windows are only vulnerable when using non-typical multicast communications on a wireless network.
The Payment Card Industry Security Standards Council (PCI SSC) announced PCI Data Security Standard (PCI DSS) version 3.2 on April 28, 2016. This latest version adds clarification and guidance, as well as some new requirements, to the standard. On February 1, 2018, the changes in PCI DSS 3.2 become mandatory requirements.
The new version includes a few new requirements specifically for service providers, additional guidance about multi-factor authentication and scoping, as well as new requirements for most of the SAQ categories.
This popular post helped our readers understand the timeline of events surrounding PCI DSS version 3.2, and gave a list of resources to help them study, prepare, and train employees if needed.
Like the above post, this one clarified the changes that have come with PCI DSS 3.2, specifically the ones that affect service providers. And just like the entire 3.2 standard, the "service-provider-only" requirements are considered best practice until January 31, 2018, and become requirements starting February 1, 2018.
Service providers will need to fulfill new requirements including the following:
With so many serious data breaches, hacks, and discovered vulnerabilities in 2017, it follows that our readers are concerned with preparing for and mitigating possible data breaches at their own companies. There's a terrifying spectrum of possible consequences of a data breach, and businesses are right to seek guidance in their preparation for that possibility.
An incident response plan should be set up so that it will address a suspected data breach in a series of phases. Within each phase, there are specific areas that should be considered.
Your response plan should be well-documented, thoroughly explaining everyone's roles and responsibilities. The plan must then be tested to ensure that your employees perform as they were trained. The more prepared your employees are, the less likely they are to make critical mistakes.
A New Year inevitably brings with it new resolutions. Using the takeaways and lessons from our 5 most popular posts, you can see which areas your company should pay special attention to, as well as where resources will be best allocated.
Whether you're protecting patient data, complying with the PCI DSS, or just beefing up data security at your company, SecurityMetrics has a solution for you.