StateTech: Ensuring telehealth solutions are HIPAA-compliant remains critical, even amid relaxed rules

Excerpt from: How States Can Secure Public Health Telehealth Deployments

At a time when public health departments have been stretched thin by the coronavirus pandemic, telehealth solutions have helped ease the strain by connecting doctors remotely to patients. That has been especially useful during a time when everyone has been advised to maintain social distancing to help reduce the spread of the virus.

Part of the issue involves making sure the professionals who are operating the telehealth tools “have good visibility into who is compliant and who is not,” says Wolf Goerlich, advisory CISO at Cisco’s Duo Security. “A good deal of time and attention is spent on that.”

The actual appointment itself presents challenges, Wolf notes, because doctors and patients may all have different devices, different network settings and conditions, and varying bandwidth constraints.

Throughout this process, there are a number of security systems at work, says Goerlich. There is a need to confirm the clinician is who they say they are. The clinician and patient devices need to be verified as healthy: free of malware and not beaconing back to a command-and-control site.

“From a technical perspective, it comes down to really good authentication, access controls, adaptive access policies, device health and the integrations that happen along the way,” Goerlich says.

Read the full article here:

Dark Reading: SMB Security Catches Up to Large Companies

Excerpt from: SMB security catches up to large companies

Small and midsize businesses (SMBs) have long had a reputation for being behind the curve in cybersecurity, especially compared with large companies that have more resources. A new report shows SMBs are just as capable of defending themselves, despite facing similar challenges.

“We see time and time again that SMBs are actually punching above their weight,” says Wolfgang Goerlich, advisory CISO with Cisco Security. “They’re doing better than we would’ve anticipated.”

Overall, the numbers indicate small businesses are placing a stronger focus on security over time. The same sentiment is echoed in data from The Manifest, which recently released results from a survey of 383 smaller organizations, most of which had fewer than 50 employees.

“Training is a long-term strategy to ensure employees aren’t acting careless,” says The Manifest’s Riley Panko.

Read the full article here:

SC Magazine: Rethinking Risk

Excerpt from: Rethinking risk

Everyone agrees that risk is essential. They just have different versions of what risk is, Evan Schuman reports.

It’s time to rethink risk – both how to operationalize it and how to define it. With all the incompatible views of risk held by different stakeholders throughout an enterprise, it’s hardly surprising that so many organizations struggle to get beyond a checklist security mentality.

“Start with a listening tour: What (those other LOB executives) care about, what their business objectives are,” says J. Wolfgang Goerlich, advisory CISO of Duo Security. “You must interpret and explain security needs as business outcomes. Security can no longer be about avoiding the bad things. It must align to the business direction.”

Read the full article here:

With continuous security, SecDevOps deconstructs CI/CD

Excerpt from: With continuous security, SecDevOps deconstructs CI/CD

“All of the DevOps teams I work with have some integration between cybersecurity and development,” said J. Wolfgang Goerlich, cybersecurity strategist at Creative Breakthroughs Inc., a Detroit-based IT security consultancy. Some organizations have embedded security architects in the DevOps teams. Others have security champions within DevOps who work directly with the cybersecurity team. “In both cases, the partnership is a means to introduce security concepts while maintaining DevOps velocity,” he said.

Goerlich said roughly one in four DevOps teams integrate and automate some level of security controls. “This integration is generally performing scans and checks against the static code, the application, and the underlying environment composition,” he said.

But this level of automation often requires tuning and adjustments to ensure it keeps pace with DevOps. For example, he said, traditional code-level scans take several days. “That’s not effective when DevOps is changing the code on a daily or even hourly basis,” Goerlich said.

Effective SecDevOps teams secure without slowing, and they add continuous security without exceeding the team’s capacity to change, he said. “It’s paradoxically fast and slow, with security controls being added slowly while tuned to execute very quickly.”

Success comes from balancing protection for the DevOps product while protecting the DevOps productivity.

Read more here:

Hybrid cloud security: 8 key considerations

Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting. While security fears are declining as cloud matures, security remains an ongoing challenge that needs to be managed in any organization. And a hybrid cloud environment comes with its own particular set of security considerations.

1. Ensure you have complete visibility.

Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.

Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.

2. Every asset needs an owner.

If you lack 360-degree visibility, you probably lack ownership. Every piece of your hybrid cloud architecture needs an owner.

“A key tenet in IT security is having an owner identified for every asset, and having the owner responsible for least privilege and segregation of duties over the asset,” Goerlich says. “Lack of visibility results in a lack of ownership. This means, quite often, hybrid cloud environments have loosely defined access controls and often are without segregation of duties. Excessive permissions introduce risk, and unowned risk is unaddressed risk.”

Read the full article:

Hybrid cloud security: 8 key considerations

Don’t want the public to see your newsroom’s gossip?

Last year, instant messages from Gawker staffers were cited as evidence in the defamation lawsuit filed by professional wrestler Hulk Hogan.

What they revealed wasn’t pretty: tasteless jokes about the former pro-wrestler’s sexual trysts and his genitals, snide remarks that weren’t meant for publication.

The transcripts quickly became a cautionary tale for journalists who might exchange sensitive information via instant message (and the companies that host them).

Newsroom instant messaging apps have only gained momentum since then, with Slack among the vanguard thanks to its ease of use and its cool-kid factor.

Journalists should exercise more caution when it comes to digital tools like Slack, said Wolfgang Goerlich, director of cyber security strategy at CBI, a risk management firm that provides security solutions for companies.

“As no chat system is immune to being misconfigured or misused, my advice is to limit any information over such channels,” Goerlich said. “Meeting in person for conversations remains the gold standard for the highest level of privacy.”

Read the full article:

Don’t want the public to see your newsroom’s gossip? Don’t put it on Slack.

Prevent ransomware threats to cloud apps with backup, security tools

Ransomware — a form of cyberattack that interrupts access to an organization’s data until that organization pays a ransom fee — has grown from a rare occurrence in IT to a substantial and growing threat for enterprises. Ransomware encrypts files with a key only the attacker holds, making it infeasible for target organizations to recover the data without that key.

Ransomware has blossomed to the point where it now represents about one-third of the incidents handled by Creative Breakthrough Inc. (CBI), a managed services provider focused on IT security and risk assessments, based in Detroit.

“This is a reflection of the criminalization of hackers that we have seen over the past several years,” said J. Wolfgang Goerlich, director of security strategy at the company, adding that, just because your workloads are in the cloud, “doesn’t mean you are in the clear.”

Read the rest here:

Drowning in a sea of cybersecurity tools

Posted on TechTarget SearchSecurity: Drowning in a sea of cybersecurity tools?

How can CISOs get the information and benchmarks they need to evaluate the enterprise effectiveness of promising technology and find the best security tools beyond point solutions?

“There is too much for any one leader to take in; therefore, the first step is in focusing on key areas,” says J. Wolfgang Goerlich, a cybersecurity strategist at Creative Breakthrough Inc. (CBI) in Ferndale, Mich. A former information systems and security manager at Munder Capital Management, Goerlich recommends networking with CISOs in other organizations to gain insight into the best security tools and industry-specific trends. “Building a strong peer network within the organizations gives visibility into the line-of-business technologies,” he explains.

Enterprises should leverage the resources and interactions available through clearinghouses like the Information Sharing and Analysis Centers (ISACs) for financial services, healthcare and other industries to focus on emerging threats. “Taking into account these areas, a CISO can then pare down the list to essential technologies and get deep in the areas that directly affect their organization,” Goerlich says.

Read the full article at:

Appetites for more government actions

SC Magazine: Appetites for more government actions

J. Wolfgang Goerlich, cybersecurity strategist with CBI, a Troy, Mich.-based firm that manages IT security risk to help ensure data is secure, compliant and available, explains that InfraGard, a partnership between the FBI and organizations deemed to be critical infrastructure (such as those in energy, finance and transportation), has been sharing criminal information between the public and private sectors since 1996. Similarly, these organizations have been handicapped over the years by limitations on their information-sharing abilities and by those same concerns over potential liability. Information Sharing and Analysis Centers (ISACs) have been sharing sector-specific information on attacks and threats since 1999. Eighteen different ISACs currently serve sectors ranging from health care to financial services. “An open question is how the proposed ISAOs will complement and coordinate with the existing ISACs,” notes Goerlich.

Yet another initiative, a NIST Cybersecurity Framework, was previously launched after President Obama’s 2013 executive order. It provides guidance on the controls and practices that organizations can implement to improve their security posture. “The functions of the framework include ‘Identify’ and ‘Detect,’ which will both be bolstered by better information sharing of threat indicators and criminal tactics proposed by this year’s executive order,” says Goerlich.

Read the rest at:

Developers find themselves in hackers’ crosshairs

CSO: Developers find themselves in hackers’ crosshairs

Attackers have long targeted application vulnerabilities in order to breach systems and steal data, but recently they’ve been skipping a step and going directly after the tools developers use to actually build those applications.

J. Wolfgang Goerlich, strategist with IT risk management firm CBI, explains why the recent spate of attacks on Apple’s development tools is notable. “The number of OS X computers continues to rise in the enterprise environment. Few organizations are considering Macs from a security perspective as the numbers have long been small and most security controls are Windows-based,” he says.

“These types of attacks – infecting the compiler – used to be considered a potential threat by high security governmental organizations. You would be considered paranoid to present such a scenario as something that could impact the general public. And yet here we are,” says Yossi Naar, co-founder of Cybereason, a provider of breach detection software.

If these types of two-stage attacks are no longer threats only to the paranoid, and enterprise development environments are targeted, what does this mean for enterprises trying to ensure they are developing and deploying secure applications?

“From a development perspective, the best practices in continuous integration and deployment would have prevented the attack against Apple’s App Store,” says Goerlich.

Read the rest at: