RSI Security

Blog

  • PCI Logging Requirements 2023: Everything You Need to Know

    PCI Logging Requirements 2023: Everything You Need to Know

    The PCI DSS Requirements mandate organizations that handle cardholder data to log and monitor access to sensitive data environments. Compliance with these PCI logging requirements will help successfully track network and data security in the long term. Read our blog to learn everything you need to know about these requirements. (more…)

  • Password Hashing

    Password Hashing

    Following up on our earlier blog on the topic of Password Hacking, here is a deeper technical dive into the process of Password Hashing, and how it helps to keep your passwords secure.

    (more…)

  • Are Apple Computers More Secure Than Windows?

    Are Apple Computers More Secure Than Windows?

    Today, organizations use a mix of Apple and Windows computers, with some leaning towards either type. When looking to acquire or update their computer inventory, organizations ask a common security question: are Apple computers more secure than Windows? Read our blog to learn more about the security of these operating systems—and which might be best for you. (more…)

  • What is Risk Acceptance in Cyber Security?

    What is Risk Acceptance in Cyber Security?

    Cybersecurity risk management is critical to minimizing the impact of risks on data security and safeguarding the integrity of your IT infrastructure. Managing these risks may require risk acceptance, especially for controllable or low-impact risks. Read on to learn more about when and how cybersecurity risk acceptance works.

     

    Cybersecurity Risk Acceptance: A Brief Overview

    Understanding how risk acceptance in cyber security works will help you effectively control risks and optimize the security controls you implement across your organization.

    So, in this blog, we’ll cover:

    • A definition of risk acceptance and how it works
    • How to implement risk acceptance
    • Why you should implement risk acceptance

    Implementing a robust risk management framework will help you mitigate cyber threats and data breach risks, especially in partnership with a threat and vulnerability management specialist.

     

    What is Risk Acceptance?

    As the name suggests, risk acceptance means believing that the risks posed by certain threats or vulnerabilities will not significantly impact your assets. A risk acceptance approach accounts for risk management with predefined, existing controls.

    For instance, low-impact, constant risks, such as viruses and malware, can be identified and mitigated by controls like firewalls and anti-malware programs. Risk acceptance is one of four common strategies used to control cybersecurity risks. 

    Other strategies for managing risks include:

    • Risk avoidance, where risks are completely avoided (e.g., refraining from collecting sensitive data at risk for privacy and security risks)
    • Risk transfer, where risks are passed on to third parties (e.g., outsourcing security to a managed security services provider (MSSP))
    • Risk reduction, where risk impact is lowered by implementing processes that the overall likelihood of data being compromised

    In cybersecurity, risk acceptance may be implemented along with one or more of the three other risk management strategies.

     

    Risk Retention vs Risk Acceptance: What’s the Difference?

    Although risk acceptance and risk retention are somewhat similar, they are different when it comes to the consequences of risks. Retention of risk means that if an organization is impacted by a risk, the organization takes responsibility for the outcomes of not avoiding, transferring, or reducing that risk. Choosing to retain risks also accounts for disruptions to business operations.

     

    [su_button url=”https://www.rsisecurity.com/request-demo/” target=”blank” style=”flat” size=”11″]Request a Free Consultation[/su_button]

     

    How the Risk Acceptance Process Works

    Before you can accept risks, you must understand what they are and how they can impact your sensitive data environments. You can conduct a risk assessment to identify the risks, evaluate risk level, and then determine whether to invest in risk mitigation or simply accept that risks can be controlled with existing processes.

     

    What is an Acceptable Level of Risk?

    An acceptable level of risk is that which will not compromise sensitive data environments and poses minimal risks to your broader information security infrastructure. For instance, installing up-to-date malware blockers or anti-phishing email software on every device connected to your organization’s network means you have reduced malware and phishing threats to an acceptable level of risk. However, it is always best to consult with a threat and vulnerability management partner on recommended acceptable levels of risk for your unique assets.

    incident

    Implementing a Risk Acceptance Framework

    Risk acceptance can be challenging without criteria for when, how, and why risks can be accepted. A risk acceptance framework can provide guidance on best practices for accepting cybersecurity risks. Doing so minimizes guesswork during risk acceptance and streamlines overall risk management.

    Risk acceptance frameworks may vary from one organization to another.

    Most organizations develop unique risk acceptance and risk management frameworks based on standardized controls recommended by bodies like the National Institutes of Standards and Technology (NIST).

     

    Why Risk Acceptance is Important

    Risk acceptance is crucial when it comes to allocating resources to risk management. Some risks are more impactful than others and can cause significant damage to your organization if they develop into threats. In instances where an organization is faced with budget or operational constraints, risk acceptance can be applied to lower-impact risks—freeing up resources to address more pressing, higher-impact risks.

     

    Risk Acceptance Examples

    In cybersecurity, acceptable risks may include:

    • Keeping legacy systems active if they are not connected to sensitive data environments
    • Allowing employees to connect their own devices to an organization’s networks if traffic from these devices is segmented from sensitive networks

    Acceptance of risk will likely vary at each organization. Understanding how risk acceptance works in your industry and for your specific needs will help you effectively manage risk in the short and long term.

     

    How RSI Can Help

    Implementing risk acceptance within a robust risk management framework will help you maximize your available resources and optimize your security ROI. With the help of an experienced threat and vulnerability management services provider like RSI Security, you can mitigate cybersecurity risks before they develop into full-blown threats.

    Contact RSI Security to learn more!

     

    [su_button url=”https://www.rsisecurity.com/request-demo/” target=”blank” style=”flat” size=”11″ center=”yes”]Request a Free Consultation[/su_button]

     

  • Benefits of PCI Compliance Management Services

    Benefits of PCI Compliance Management Services

    Maintaining compliance with the PCI DSS framework is essential for protecting cardholder data (CHD) from evolving security threats. Partnering with a trusted provider that offers PCI Compliance Management Services helps organizations stay compliant year-round by streamlining assessments, monitoring, and reporting.

    Read on to explore the key benefits of outsourcing PCI compliance and how managed services can enhance your organization’s data security posture.

    (more…)

  • Is Cybersecurity Recession Proof?

    Is Cybersecurity Recession Proof?

    With speculation of a possible recession, your organization will likely consider budget adjustments in preparation for tough economic times. You might be wondering what to do about cybersecurity spending and asking: is cybersecurity recession-proof? Read on to learn how you can think about cybersecurity during a recession. (more…)

  • What is Vishing in Cybersecurity?

    What is Vishing in Cybersecurity?

    As social engineering attacks like vishing become more prevalent, many organizations are now  asking, “what is vishing, and how can we prevent it?” Cybercriminals use phone calls and other vishing tactics to compromise sensitive data from unsuspecting individuals. Read on to learn more about these attacks and how to prevent them.

     

    What is Vishing? A Primer to a Common Social Engineering Scam

    Cybercriminals who deploy vishing attacks are motivated and have plenty of techniques to increase their chances of success. Staying informed about these attacks will help mitigate them from compromising your organization’s sensitive data. To that effect, this blog will cover:

    • The definition of vishing in cybersecurity
    • How to prevent vishing attacks

    Protecting your sensitive digital assets from vishing attacks doesn’t stop at defining “what is vishing in cybersecurity?” By partnering with an incident management services provider, you will effectively develop and implement effective anti-vishing practices.

     

    What is Vishing in Cybersecurity?

    In cybersecurity, vishing is a type of phishing and is the short form for “voice phishing.”

    Phishing attacks are the most common social engineering scams today, impacting many individuals and organizations caught unaware when these attacks unfold. Like other phishing attacks, vishing pretexts unsuspecting individuals into divulging sensitive information to a cybercriminal. When vishing perpetrators deploy these attacks, they leverage psychological tactics to convince their targets that these requests are legitimate.

    Overall, vishing attacks are designed to manipulate human behavior based on emotions.

    Understanding the psychology behind these attacks will help your organization effectively prevent vishing attempts from becoming serious threats.

     

    [su_button url=”https://www.rsisecurity.com/incident-management/” target=”blank” style=”flat” size=”11″]Assess your Incident Management plan[/su_button]

     

    Common Vishing Attack Scenarios

    The best way to describe what is a vishing attack is to use examples of vishing scenarios.

    Some vishing attacks are simple, whereas others are more nuanced and sophisticated. For instance, a perpetrator may call an employee in your organization pretending to be a remote support technician requesting access to a sensitive data environment. By creating a false sense of urgency (e.g., scaring the employee into believing there is a serious technical issue), a vishing attacker can successfully compromise your access controls and steal sensitive data.

    In other instances, vishing attempts are more subtle. The attacker may call your unsuspecting employees and politely ask questions that reveal sensitive information. For example, the perpetrator may ask who is the best contact for a request to modify certain IT privileges. 

    Without knowing, an employee may share insider information that the vishing perpetrator can then use to deploy another more sophisticated phishing attack. And vishing attacks are not only targeted towards organizations. Many vishing perpetrators are interested in stealing personal information from individuals so they can access their finances or other sensitive data.

    planning

    Best Practices for Mitigating Vishing Attacks

    So, how can you stop vishing attacks from impacting your staff and the broader organization? The most effective vishing cyberdefenses improve security awareness, starting from your top-level executive leadership all the way to the most junior-level employees.

    With security awareness training, your staff will learn how to identify potential vishing attacks based on signs such as:

    • Phone call requests for sensitive data, including:
      • Personally-identifiable information (PII) (e.g., social security numbers, bank account information)
      • User account IDs and passwords
      • Corporate financial information
      • Contact information for other staff in the organization
    • A caller’s unusual sense of urgency
    • Callers claiming to be Internal Revenue Service (IRS) or Social Security Administration (SSA) representatives

    Even with security awareness training, vishing attacks can still be successful. Your organization is best protected when additional security controls are implemented to mitigate vishing attacks.

    For instance, vishing attacks may be deployed simultaneously with other social engineering scams like email phishing, text message phishing (smishing), or whaling.

    You can minimize the risks of these attacks becoming successful by:

    • Conducting phishing simulation exercises (whether via email, voice, or text message) to help employees easily identify potential social engineering scams
    • Deploying malware on devices with access to sensitive data environments
    • Implementing strong access control measures (e.g., strong password use requirements, quarterly password resets)

    Vishing perpetrators are typically persistent when looking to compromise sensitive data and may use various tactics and techniques to improve their odds of success. If your organization becomes a victim of a vishing attack, working with a security incident management partner will help you contain the threat before it impacts the rest of your digital infrastructure.

     

    Develop Resilient Social Engineering Defenses

    For your organization to develop cyber resilience against vishing and other social engineering attacks, you must understand what you’re up against. A great place to start is to ask, “what is vishing and how can you prevent it?” Another way is to trust an incident management specialist like RSI Security to provide guidance on best practices for mitigating vishing attacks.

    To learn more and get started, contact RSI Security today!

     

    [su_button url=”https://www.rsisecurity.com/incident-management/” target=”blank” style=”flat” size=”11″ center=”yes”]Speak with an Incident Management expert today![/su_button]

     

  • PCI SSF (Software Security Framework) Requirements & Objectives

    PCI SSF (Software Security Framework) Requirements & Objectives

    Compliance with the PCI SSF Requirements is essential for securing cardholder data (CHD) and other sensitive information as it is stored, processed, or transmitted via software assets. Read on to learn more about the PCI SSF core requirements and how best to apply them in your organization. (more…)

  • Breaking Down The Requirements for 23 NYCRR 500

    Breaking Down The Requirements for 23 NYCRR 500

    Financial institutions operating in New York must comply with the 23 NYCRR 500 requirements to prevent cybersecurity risks from impacting sensitive consumer data. Complying with 23 NYCRR 500 will help you implement best practices to secure financial service transactions. (more…)

  • PA-DSS Listing Expiry Dates: What to Know & Preparing for SSF

    PA-DSS Listing Expiry Dates: What to Know & Preparing for SSF

    For payment application software developers, vendors, or retailers, compliance with the PA-DSS— and now the PCI SSF—is critical to keeping sensitive PCI data safe as it is processed through these applications. So, what are the PA-DSS listing expiry dates and how do they affect your business operations? Read on to learn more. (more…)