Security Boulevard

ISO 27001 audit can be a challenging yet rewarding journey for any organization. This international standard outlines the requirements for an Information Security Management System (ISMS), enabling organizations to protect their sensitive information. However, many businesses encounter common pitfalls during implementation that can impede their progress and effectiveness.  One significant issue is neglecting the vital […]

The post Common Mistakes to Avoid During ISO 27001 Audit appeared first on Kratikal Blogs.

The post Common Mistakes to Avoid During ISO 27001 Audit appeared first on Security Boulevard.

A report published this week by Sysdig predicts global cyberattacks will cost over $100 billion in 2025 based om the fact that the average cost of a public cloud breach alone has eclipsed $5 million, with the number of attacks having increased 154% year over year.

The post Sysdig Predicts Global Cyberattacks Costs Will Exceed $100B in 2025 appeared first on Security Boulevard.

New Cybersecurity Rules for Financial Institutions in New York State Take Effect November 1, 2024
madhav
Fri, 10/25/2024 - 06:09

The next major deadline for compliance with the updated cybersecurity rules from the New York State Department of Financial Services (NYDFS) is November 1, 2024.

These new rules date back to March 1, 2017, when the NYDFS implemented comprehensive cybersecurity regulations for financial services companies and other covered entities. The regulations were most recently updated on November 1, 2023, with phased effective dates starting on December 1, 2023. Several key provisions of the amended regulations will take effect on November 1, 2024, with additional measures rolling out in 2025.

The cybersecurity regulations apply to entities overseen by the NYDFS, such as financial institutions, insurance companies, agents, and brokers, as well as banks, trusts, mortgage lenders and brokers, money transmitters, check cashers, and other related businesses. Under the revised regulations, larger entities classified as Class A companies face additional obligations, while smaller businesses are exempt from some specific requirements.

The Requirements

By November 1, banks and other firms under the department's jurisdiction must demonstrate, among other requirements, that they must:

• Have a CISO who regularly reports significant cyber incidents to senior management. Additionally, the senior governing body must possess the expertise to oversee the company's cybersecurity program.
• Encrypt "non-public" data both at rest and in motion or use effective alternative compensating controls for information at rest if approved by the CISO in writing. The feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
• Update the incident response plan to include procedures such as the internal process for responding to cybersecurity events, recovery from backups, and conducting a root cause analysis after an event.
• Implement a business continuity and disaster recovery plan that complies with specific requirements and ensures backups are available to restore critical operations.
• Train to employees responsible for executing the incident response and disaster recovery plans, ensuring they understand their roles and responsibilities.
• Test employees responsible for these plans to assess their understanding of their roles and responsibilities.
• Conduct annual tests of the incident response plan, disaster recovery plan, and backup systems.

NYDFS-regulated companies should review their cybersecurity policies, practices, and training to ensure they comply with the amended regulations by November 1, 2024.

The Data Security Challenge

Thales recently released the 2024 Thales Data Threat Report – Financial Services Edition which highlights the latest data security challenges and threats to financial services organizations. Some of the key findings from the report include:

• The percentage of financial services organizations reporting a breach in the last 12 months decreased from 29% in 2021 to 14% in 2024.
• About one in five financial services organizations (18%) reported that they have experienced a ransomware attack.
• Human error was the leading cause of cloud-based data breaches.

Achieving NYDFS Compliance

Thales’ solutions can help Financial Institutions comply with NYDFS by simplifying compliance and automating security, reducing the burden on security and compliance teams. We help address essential cybersecurity requirements under NYDFS Part 500, including:

• Encrypting and monitoring access to non-public information
• Providing an audit trail to detect and respond to cybersecurity events
• Managing access privileges and providing multi-factor authentication
• Securing development of applications
• Assessing risk, discovering and classifying sensitive data
• Managing third party service provider risk
• Securing disposal of information

Download a copy of the 2024 Thales Data Threat Report – Financial Services Edition, and learn more about Thales solutions for NYDFS Compliance.

Data Security Compliance Regulation and compliance Encryption

Kevin Williams | VP, Americas Sales
More About This Author > Schema {
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "New Cybersecurity Rules for Financial Institutions in New York State Take Effect November 1, 2024",
"description": "Understand the new cybersecurity regulations for financial institutions in New York State, effective November 1, 2024, including requirements for encryption, incident response plans, and business continuity measures.",
"datePublished": "2024-10-25",
"author": {
"@type": "Person",
"name": "Kevin Williams",
"url": "https://cpl.thalesgroup.com/blog/author/kwilliams",
"sameAs": "https://www.linkedin.com/in/kevin-williams-a24ba91a/"
},
"publisher": {
"@type": "Organization",
"name": "Thales Group",
"description": "The world relies on Thales to protect and secure access to your most sensitive data and software wherever it is created, shared, or stored. Whether building an encryption strategy, licensing software, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.",
"url": "https://cpl.thalesgroup.com",
"logo": "https://cpl.thalesgroup.com/sites/default/files/content/footer/thaleslogo-white.png",
"sameAs": [
"https://www.facebook.com/ThalesCloudSec",
"https://www.twitter.com/ThalesCloudSec",
"https://www.linkedin.com/company/thalescloudsec",
"https://www.youtube.com/ThalesCloudSec"
]
},
"mainEntityOfPage": "https://cpl.thalesgroup.com/blog/data-security/new-cybersecurity-rules-ny"
}

basic

The post New Cybersecurity Rules for Financial Institutions in New York State Take Effect November 1, 2024 appeared first on Security Boulevard.

5 min read Balancing non-human IAM for access – and governance for oversight – is key to ensuring security, compliance, and accountability in managing these next-generation systems.

The post 5 Security Considerations for Managing AI Agents and Their Identities appeared first on Aembit.

The post 5 Security Considerations for Managing AI Agents and Their Identities appeared first on Security Boulevard.

A national security memo released by the Biden Administration is order government agencies to ensure the development and use of AI enables the United States to keep its edge in AI over global adversaries while continuing to align with the countries values.

The post White House Memo Puts the Focus of AI on National Security appeared first on Security Boulevard.

The business case for a modern test data generation platform—designed with the enterprise and the developer in mind—is clear. By streamlining the de-identification process and allowing for efficient scaling across teams and environments, Tonic boosts engineering team productivity so you can maximize your investment in valuable team members.

The post De-identifying Data for Software Development and Testing at Enterprise Scale appeared first on Security Boulevard.

The post How is AI Used in Cybersecurity? 7 AI Use Cases appeared first on AI-enhanced Security Automation.

The post How is AI Used in Cybersecurity? 7 AI Use Cases appeared first on Security Boulevard.

Authors/Presenters:Wang Zhilong, Xinzhi Luo

Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their timely DEF CON 32 erudite content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – AppSec Village – Defeating Secure Code Review GPT Hallucinations appeared first on Security Boulevard.

The post How we managed Aurora Serverless V2 Idle connections in RDS Proxy and saved RDS costs by 50% appeared first on Strobes Security.

The post How we managed Aurora Serverless V2 Idle connections in RDS Proxy and saved RDS costs by 50% appeared first on Security Boulevard.

While code repositories are the major source, GitGuardian data reveals the full scope of secret sprawl: for every 42 secrets found in code, 1 is found in ticketing systems like JIRA; for every 21, 1 is in collaboration tools like Confluence; and for every 9, 1 is in messaging systems like Slack.

The post The extent of Hardcoded Secrets: From Development to Production appeared first on Security Boulevard.

Blackwire Labs launched a platform that combines generative artificial intelligence (AI) with blockchain technologies to provide cybersecurity teams with recommendations based on a trusted data source that is immutable.

The post Blackwire Labs AI Cybersecurity Platform Incorporates Blockchain to Validate Data appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘RNAWorld’ appeared first on Security Boulevard.

Authors/Presenters:Jen Ozmen, Aaron Shim

Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their timely DEF CON 32 erudite content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – AppSec Village – Securing Frontends at Scale;Paving our Way to Post XSS World appeared first on Security Boulevard.

As businesses navigate an increasingly digital landscape, leveraging advanced technologies has become essential. At GITEX 2024, Seceon proudly showcased its commitment to empowering organizations with AI-driven cybersecurity solutions, with our story prominently featured in What’s On, published by Tech First Gulf (TFG). Key Highlights from GITEX 2024 Seceon participated at TFG’s stand located in Hall

The post Embracing Innovation: Seceon’s Journey at GITEX 2024 appeared first on Seceon Inc.

The post Embracing Innovation: Seceon’s Journey at GITEX 2024 appeared first on Security Boulevard.

We’re just weeks away from November 12, 2024—the date when Google Chrome will begin distrusting newly issued certificates from Entrust Roots. Shortly after, Mozilla will implement its distrust in Entrust Roots by the end of November. If your organization hasn’t yet switched to a reliable public Certificate Authorities (CA), it’s time to do so. This […]

The post The Entrust Distrust Deadline is Closing In. Are you Prepared? appeared first on Security Boulevard.

Our daily lives depend on critical infrastructure – water treatment facilities, power grids, transportation systems. Unfortunately, these systems are increasingly becoming targets for cyberattacks.

The post The Rise of Cyberattacks on Critical Infrastructure: Are You Prepared? appeared first on Security Boulevard.

Reading Time: 2 min Read the inspiring story of how UK-based MSP CloudTech24 automated and simplified domain security management for multiple client domains with PowerDMARC.

The post DMARC MSP Case Study: CloudTech24 Simplies Domain Security Management for Clients with PowerDMARC appeared first on Security Boulevard.

Since 2022, the FBI and other agencies have been sounding the alarm about North Koreans posing as US or other non-North Korean based IT workers and infiltrating companies. In July, security firm KnowBe4 publicly revealed that they unknowingly hired a fake IT worker from North Korea. Fortunately they detected and blocked access as he attempted to load malware onto his system-connected laptop. Since then, similar stories have flooded in. Last week, reports surfaced that a fake North Korean IT worker hired by an unnamed company stole proprietary data and demanded a ransom payment in order to keep the hack secret.

The post Fake IT Workers: How HYPR Stopped a Fraudulent Hire appeared first on Security Boulevard.

A recent alert jointly issued by a myriad of governmental agencies including CISA, FBI, EPA, DOE, NSA and NCSC-UK has spotlighted activities by Russians targeting U.S. and European critical infrastructure.

The post Strengthening Critical Infrastructure Defense: Shifting to an Exposure Management Mindset appeared first on Security Boulevard.

The SEC fined Unisys, Avaya, Check Point, and Mimecast millions of dollars for disclosures in the wake of the high-profile SolarWinds data breach that intentionally mislead investors and downplayed the impact the supply chain attack had on them.

The post SEC Fines Four Tech Firms for Downplaying SolarWinds Impacts appeared first on Security Boulevard.