Hackin9

Healthcare IT News

American Dental Association sends malware-infected USB drives to its members
Healthcare IT News
In a statement supplied to Healthcare IT News, the ADA, which represents more than 159,000 members, said it began distributing its 2016 manual CDT dental procedure codes, "which included flash drives in the back pocket," in late 2015. A "small ...

 

Infosecurity Magazine

American Dental Association Mails Malware-Laced USB Drives to Thousands
Infosecurity Magazine
“Like sharing passwords, connecting untested thumb drives to information systems containing sensitive data like personal health information (PHI) violates the most fundamental rules of InfoSec,” he said. “The healthcare industry—which includes ...

 
Under Secretary of Commerce for Standards and Technology and National Institute of Standards and Technology (NIST) Director Willie E. May today announced the appointment of Christopher Boyer as chairperson of the NIST Information Security ...
 

MSPmentor (blog)

How Changing SMB Client Requirements Are Reshaping the MSP Market
MSPmentor (blog)
It's now common for SMBs to adopt IT functions such as end user security, password management, multifactor authentication, network/systems management and InfoSec (threat monitoring and firewall management), all of which are required as SMBs' ...

 

A new version of the standard was released today, version 3.2. There are a number of changes that will affect those that need to comply with the standard, especially for service providers. For service providers struggling to move customers away from SSL and weak TLS there is some good news. The deadline for this requirement has been moved to June 30 2018. Service providers will however be required to have a secure environment (i.e. accepting TLS v1.2 or v1.1) by June 30 2016 (yes, two months). This shouldn't be too onerous as most service providers will already have this in place.

There are a few new requirements in the standard. The majority of these only apply to service providers and relate to ensuring that processes are followed throughout the year rather than a once-a-year effort. They are best practice until 1 February 2018, after which they must be in place. A number of these are also quarterly requirements. They include:

  • 3.5.1 Maintain a documented description of the cryptographic architecture.
  • 11.3.4.1 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
  • 12.4 Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program.
  • 12.11 Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.

The other big change affecting everyone relates to multi-factor authentication for administration of the Cardholder Data Environment (CDE). Currently this requirement is only needed when remote access is used to access the CDE. This requirement has now been extended to include ALL administrative access of the CDE. This means that you will need to roll out some form of multi-factor authentication for all administrative access to the environment.

Other changes in the standard are generally clarifications. The new release of the standard is effective immediately; version 3.1 will be retired October 31, 2016. Your next assessment will likely be against the new version of the standard.

The council's Summary of Changes document from PCI DSS version 3.1 to 3.2 (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2_Summary_of_Changes.pdf) outlines all of the changes and is well worth a read.

Mark H - Shearwater

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
     
    [SECURITY] [DSA 3561-1] subversion security update
     
    SQL Injection in GLPI
     
    Wordpress Truemag Theme - Client Side Cross Site Scripting Web Vulnerability
     

    The Register

    PCI DSS 3.2 lands, urges you to make haste slowly
    The Register
    And those who adhere to a purist view of infosec probably won't be pleased. For example, as explained by the PCI SSC's CTO Troy Lynch here, organisations should be migrating away from SSL and older TLS, but there remains two years for that transition ...

     
    [security bulletin] HPSBUX03583 SSRT110084 rev.1 - HP-UX BIND Service running Named, Remote Denial of Service (DoS)
     
    Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream
     
    Internet Storm Center Infocon Status