Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.


Healthcare Data Breaches Thanks To Insiders

Posted January 10, 2012    Peter McCalister

A Ponemon Institute report published this month found that healthcare data breaches have risen 32 percent since 2010. Ninety-six percent of all healthcare providers say they have had at least one data breach in the last two years and that most of these were due to employee mistakes and sloppiness, while 46 percent of respondents…


SumatraPDF “fz_crash_abort()” Null Byte Write Remote Code Execution Vulnerability

Disclosed January 10, 2012    Fully Patched
Vendors: SumatraPDF (Krzysztof Kowalczyk)
Vulnerability Severity: High
Exploit Impact: Remote Code Execution

Top 5 Data Breach Excuses Of 2011 (And What They Really Mean): Part 5

Posted January 9, 2012    Peter McCalister

DON’T COMMENT AT ALL – EVEN WHEN A GOVERNMENT WATCHDOG OUTS YOUR POOR PRACTICE MUCH LATER – Numerous UK Local Authorities up to Nov 2011. This strategy is used by organisations who know that trying to make an excuse for such widespread poor practice is like pouring petrol on a fire. Best to keep quiet…


Top 5 Data Breach Excuses Of 2011 (And What They Really Mean): Part 4

Posted January 6, 2012    Peter McCalister

WE’RE STILL INVESTIGATING HOW IT HAPPENED, IT’S TOO CONFIDENTIAL TO SAY MORE, BUT REST ASSURED EVERYTHING IS OK NOW. – The IMF, June 2011. This excuse is often used by organisations that decide to mop up media interest with an early announcement confirming investigations are underway (we’re taking this seriously) while reassuring people everything is…


Top 5 Data Breach Excuses Of 2011 (And What They Really Mean): Part 3

Posted January 5, 2012    Peter McCalister

BLAME IT ON A THIRD PARTY/MALWARE/THE WEATHER – Frequently throughout the year. With so much outsourcing today, it’s easy to divert attention away from your role in allowing data to be breached by focusing on the sloppy practices of third-party suppliers and contractors (while not saying, of course, that it was you who hired them…


Top 5 Data Breach Excuses Of 2011 (And What They Really Mean): Part 2

Posted January 4, 2012    Peter McCalister

SHUT THE DOOR AFTER THE HORSE HAS BOLTED. – High Point Regional Health System, USA, September 2011. This excuse allows the breached organization to sound authoritative by providing the media and public with an answer to how the breach could have been prevented, even if it is a solution they haven’t put into practice yet. Unfortunately,…


Top 5 Data Breach Excuses Of 2011 (And What They Really Mean): Part 1

Posted January 3, 2012    Peter McCalister

SADLY, IT’S NOT POSSIBLE TO TRUST ALL PEOPLE ALL OF THE TIME – Gwent Police, Wales, UK, May 2011. This is one of the more favored excuses used by organizations who prefer to show some contrition for taking their eye off the ball for a few days, months, years,… (fill in the blank) later. In…


Amazon Kindle Winner Announced. Join our January VEF and Win!

Posted December 30, 2011    Sarah Lieber

As you all know, every month we host our Vulnerability Expert Forum (VEF) webinar. This is a time where our experts share valuable insight regarding new vulnerabilities that are discovered and the actions that need to be taken as a result. It’s a quick way to get up to speed on current potential risks to your…


HashDoS Crashes Your New Year’s Eve Party (and your web server)

Posted December 29, 2011    The eEye Research Team

Microsoft made the last few days of 2011 somewhat exciting by releasing an out-of-band patch, the only time all year they’ve deviated from a normal Patch Tuesday distribution. We’ll update this blog with new developments, so keep checking back for new information. So, what’s all the excitement about?


Is VDI More Secure Than Regular Desktops? I Think Not!

Posted December 29, 2011    Peter McCalister

I’ve made the argument in the past that VDI has a far greater potential for damage than normal desktops, in fact making them less secure in point of fact. If effective security is defined as (security profile) x (risk profile) = (effective operational risk), then the exact same security profile applied to a standard…