Learn about cybersecurity and get the top tips from each of our most popular 2017 posts.

It may be an understatement that 2017 was a big year for cybersecurity. From crippling ransomware, to massive data breaches like Equifax, to changes in the Payment Card Industry Data Security Standard (PCI DSS)--2017 brought some milestone changes.


We're starting out 2018 by reviewing our top 5 most popular blog posts from last year. What can we learn, and what tips are most important to remember as we begin a new year?


WannaCrypt Ransomware Attacks: What You Should Do

On May 12 of 2017, many organizations with Windows-running machines were attacked by WannaCrypt, also known as WannaCry. This attack affected individuals, businesses, and organizations in over 150 countries. Victims were told they could free their machines and files by paying the equivalent of US $300 in Bitcoin. The ransomware threatened to delete the files within 7 days if no payment was made.

Over 230,000 computers worldwide were crippled. Healthcare organizations in particular were affected by this ransomware, including many National Health Services hospitals in England.

The WannaCry worm was contained by British security researcher Marcus Hutchins (yes, that Marcus Hutchins.) The attack itself targeted outdated versions of Windows, and its spread was compounded by social engineering tactics like phishing emails which contained an infected Word document.

Top tips from this post:

-Keep all systems up to date. Watch for patches and stay informed about vulnerabilities.
-NEVER open an unexpected or unverified attachment in an email. If it looks like it might be malicious, it probably is.
-Don't pay ransoms to attackers. Instead, contact an expert.

WPA2 Security Flaw Puts Wireless Devices at Risk

On October 16, 2017, security researcher Mathy Vanhoef made public his discovery of a serious vulnerability, dubbed “KRACK.” This vulnerability lies within the current industry standard encryption protocol "Wi-Fi Protected Access II" (WPA2). WPA2 encrypts traffic on all modern Wi-Fi networks, so any device connected to Wi-Fi could be affected.

This vulnerability is serious, but we haven't yet seen symptoms of a KRACK attack "in the wild." This post directed readers to watch for and install updates and patches for affected devices. Android and Linux devices are most easily affected. Most versions of iOS and Windows are only vulnerable when using non-typical multicast communications on a wireless network.

Top tips from this post:

-Follow your manufacturer's patches, updates, and bulletins. Follow their directions. 
-Make sure you're always connected to your intended Wi-Fi network. Using Ethernet, cellular data, or a VPN will protect you from such an attack. 
-HTTPS websites provide an extra layer of encryption, so make sure to only send sensitive information over HTTPS websites (never HTTP). 

Are You Ready for PCI DSS 3.2?


The Payment Card Industry Security Standards Council (PCI SSC) announced PCI Data Security Standard (PCI DSS) version 3.2 on April 28, 2016. This latest version adds clarification, guidance as well as some new requirements to the standard. On February 1 of 2018, the changes in PCI DSS 3.2 will be considered requirements.

The new version includes a few new requirements specifically for service providers, additional guidance about multi-factor authentication and scoping, as well as new requirements for most of the SAQ categories

This popular post helped our readers understand the timeline of events surrounding the PCI DSS version 3.2, and gave a list of resources to help them study, prepare, and train employees if needed. 

Top tips from this post:

-PCI compliance involves many steps, details and technicalities, so it’s important to start as soon as possible with any changes you need to make in order to be compliant with PCI DSS 3.2. 
-Keeping up on the standard and its associated guidance/clarification will help you understand data security and clear up any previous confusion. 
-There are many resources and experts available to clarify the new version of the standard and to help you comply.


New 3.2 Requirements for Service Providers: What You Should Know 

Like the above post, this one clarified the changes that have come with PCI DSS 3.2, specifically the ones that affect service providers. And just like the entire 3.2 standard, the "service-provider-only" requirements are considered best practice until January 31, 2018, and become requirements starting February 1, 2018.

Service providers will need to fulfill new requirements including the following:

  • Maintain a documented description of cryptographic architectures.
  • Implement a timely detection and alerting process to identify failure of critical security control systems.
  • Establish responsibility for the protection of card-holder data and a PCI DSS compliance program
  • Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
  • Perform penetration testing on segmentation controls at least every 6 months and after any changes to segmentation controls/methods.

Top tips from this post:

-Make time your friend, not your enemy; if any of these new requirements apply to you, get started as soon as possible.
-Stay up to date on the PCI requirements to give yourself a leg up on future attacks. 

6 Phases in the Incident Response Plan


With so many serious data breaches, hacks, and discovered vulnerabilities in 2017, it follows that our readers are concerned with preparing for and mitigating possible data breaches at their own companies. There's a terrifying spectrum of possible consequences of a data breach, and businesses are right to seek guidance in their preparation for that possibility.

An incident response plan should be set up so that it will address a suspected data breach in a series of phases. Within each phase, there are specific areas that should be considered.

The incident response phases are:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Your response plan should be well-documented, thoroughly explaining everyone’s roles and responsibilities.  Then the plan must be tested in order to assure that your employees will perform as they were trained.  The more prepared your employees are, the less likely they’ll make critical mistakes.

Top tips from this post: 

-An ounce of prevention is worth a pound of cure.
-PCI DSS requirement 12 calls for businesses to keep an incident response plan on file.
-Be prepared for a range of possibilities and make sure all employees and staff are on board.

New Year, Better Security

A New Year inevitably brings with it new resolutions. Using the takeaways and lessons from our 5 most popular posts, you can see what areas your company should pay special attention, as well as where resources will be best allocated.

Whether you're protecting patient data, complying with the PCI DSS, or just beefing up data security at your company, SecurityMetrics has a solution for you.


Wednesday, January 3, 2018