News & Noteworthy
RedPenSec is proud to be a sponsor of the Florida-based non-profit Center for Cyber Safety & Education 2021 Cyber Safety Day.
This annual event highlights the importance of cybersecurity awareness to the youth of our community. And, now more than ever, with our children attending school remotely and being exposed to the internet and its dangers, this initiative is even more meaningful.
The Ultimate PCI Compliance Guide
Why it’s Essential + 10 Expert Tips
We are proud to have been among the featured experts included in this panel.
Crafted Compliance, Inc., dba RedPenSec announces its increased focus on the Health Insurance Portability and Accountability Act (HIPAA)
Steve Strater underwent and successfully completed an intensive HIPAA training course through http://www.hipaatraining.net, a leading provider of HIPAA compliance solutions.
Nina Strater & Jamie Beth Maragas are recipients of the DRI International Foundation's prestigious Women in Business Continuity Scholarship for women, earning their ABCP & CBCP Certifications respectively
The WBCM is the international business continuity group that offers training in business continuity and grants the professional certifications that employers are looking for in the industry.
Crafted Compliance, Inc., dba RedPenSec adds two ISO/IEC 27001 ISMS Certified Lead Auditors to its professional roster
The Certified ISO 27001 ISMS Lead Auditor training course, led by experienced ISO 27001 auditors and practitioners and designed by experts, is aligned with the best-practice guidelines for auditing management systems and audit methodology. Successfully completed by Steve Strater and Jamie Beth Maragas, this certification demonstrates their ability to effectively plan, conduct, report, summarise, and follow up on an audit. The course is accredited by the International Board for IT Governance Qualifications (IBITGQ), as well as CIISec (The Chartered Institute of Information Security), and certified by the International Board for IT Governance and the Global Association for Software Quality and in Technology (GASQ).
Crafted Compliance, Inc., dba RedPenSec announces its increased focus on the Health Insurance Portability and Accountability Act (HIPAA), the federal law that protects patient health information.
By providing in-depth HIPAA training and subsequent certification to several employees who play a key role in HIPAA compliance, Crafted Compliance, Inc., dba RedPenSec is well-equipped to address the intricacies and ever-changing requirements of HIPAA.
In particular, Steve Strater underwent and successfully completed an intensive 22-hour HIPAA training course through http://www.hipaatraining.net, a leading provider of HIPAA compliance solutions. After course completion, Steve successfully passed a two-hour timed exam to validate his knowledge and become a Certified HIPAA Privacy Security Expert (CHPSE).
Steve fully understands the HIPAA privacy and security rules as well as new changes to the regulation in light of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH mandated new requirements for sharing protected health information with business associates, for ensuring identity theft protection, for using and disclosing protected health information for marketing purposes, and for reporting breaches of protected health information.
The CHPSE credential denotes that Steve has an in-depth knowledge of the application of the HIPAA security and privacy rules as they relate to the uses and disclosures of electronic protected health information (ePHI)/protected health information (PHI). This includes using and disclosing ePHI/PHI for treatment, payment, and healthcare operations as well as disclosure for public purposes. As a CHPSE, Steve also has an in-depth knowledge of the application of the HIPAA security rule as it relates to the security of ePHI/PHI, and can identify technical or electronic threats to the healthcare enterprise and explain the technology available to reduce or prevent those threats. He has received advanced training in the topics of administrative, physical, and technical safeguards and is able to develop policies and procedures to describe those safeguards and address larger risk management strategies.
The CHPSE credential signifies that Steve is an expert in overall HIPAA compliance. He is able to evaluate whether policies and procedures are HIPAA-compliant and ensure that Crafted Compliance, Inc. is taking every possible step to protect the privacy and security of protected health information.
Nina Strater & Jamie Beth Maragas are recipients of the Disaster Recovery Institute (DRI) International's prestigious Women in Business Continuity Management (WBCM) Scholarship, earning their ABCP & CBCP Certifications respectively
The Disaster Recovery Institute International (DRI) is the oldest and largest nonprofit that helps organizations around the world prepare for and recover from disasters by providing education, accreditation, and thought leadership in business continuity, disaster recovery, cyber resilience and related fields. Founded in 1988, DRI has certified 15,000+ resilience professionals in 100+ countries and at 95 percent of Fortune 100 companies.
The DRI Foundation’s Women in Business Continuity Management (WBCM) committee is part of the charitable arm of DRI International, which is the international business continuity group that offers training in business continuity, and grants the professional certifications that employers are looking for in the industry. The Women in Business Continuity Management (WBCM) is a volunteer board that seeks to promote, connect, and help develop the industry skills and knowledge of those who identify as women. DRI International offers training in the core Professional Practices of business continuity, disaster recovery, and incident response, and how to execute best practices in different organizations.
The Associate Business Continuity Professional (ABCP) certification is for those who are new to business continuity. ABCP certification supports entry-level proficiency with knowledge in business continuity/disaster recovery and incident response planning.
The Certified Business Continuity Professional (CBCP) is DRI's most widely recognized and held business continuity certification in the world. CBCPs are professionals who have demonstrated knowledge, working experience, and skill in the business continuity/disaster recovery industry.
Read the DRI International's Women In Business Continuity Management Spotlights here:
SAFE VOTING: Foreign hackers are already a cybercrime problem, and the voting process has only increased their interest and role in the equation. This may be seen in false and fraudulent online ads on social media or other websites. Their goal is to influence your decision; they aren't hoping to steal your identity, just to manipulate how you view certain situations.
The voting process, where and how you cast your ballot, has a very small likelihood of fraud happening. Officials from the FBI and the United States Cybersecurity and Infrastructure Security Agency are letting voters know that hackers can instill fear in your minds that they have affected or changed the voting records, but in truth, that is unlikely to happen. At the state level, there are measures implemented that monitor the networks for cyberattacks and regular check-ins for potential threats and assessment of vulnerabilities.
What about mail-in ballots? Your ballot can be tracked in some, if not all, states to put your mind at ease. Fraud is extremely unlikely, and mail-in ballots have been safely submitted for 150 years.
There will always be factors that we didn't account for or suspicions that arise without a full explanation, but the bottom line is that the odds are in your favor to safely vote in whichever way you choose. As with so many things in today's world, the biggest threat to the process is misinformation, and that means trusting that what you see or read online is legitimate, safe, and true. Just as you research your candidate or issue before voting, pause and take a moment to research the source of information that you are trusting.
For more information on voting safety and to report suspected election crimes, visit:
Help defend the right to vote by reporting any suspected instances of voter suppression—especially those received through a private communication channel like texting—to your local FBI field office or at tips.fbi.gov.
GDPR: The Second-Largest Fine Has Been Levied Under the European Union General Data Protection Regulation on Swedish Multi-National Fashion Giant H&M for Mishandling Employee Data
The Data Protection Authority of Hamburg (HmbBfDI) announced the fine on Thursday after the company was found to have excessively monitored and kept records on several hundred employees and their families in a Nuremberg service centre. The watchdog said that since at least 2014, parts of the workforce had been subject to "extensive recording of details about their private lives". At a German subsidiary of Hennes & Mauritz, H&M's privacy violations included extensive staff surveys, with details of holidays, medical symptoms and diagnoses for illnesses, the year-long investigation found. "After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees' concrete vacation experiences were recorded, but also symptoms of illness and diagnoses," HmbBfDI said. "In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs."
The investigation was launched in October 2019 after a data breach caused by a configuration error revealed just how much data H&M was collecting and storing about the private lives of its employees.
After evaluating 60GB of H&M data and reviewing witness evidence and the company's internal procedures, HmbBfDI ruled that “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
The fine is the highest GDPR penalty levied in Germany since the legislation came into force in 2018, and the second highest of its kind throughout the continent. Last year, France's data protection watchdog fined Google €50 million (U.S. $57 million).
The retail giant said it will now review the decision carefully. "The incident revealed practices for processing employees' personal data that were not in line with H&M's guidelines and instructions," the company stated. H&M has apologized to its employees, taken full responsibility, and will compensate "all currently employed at the service centre, and all who have been employed for at least one month since May 2018, when GDPR came into force." H&M also revealed that it had taken "forceful measures" to correct any related shortcomings.
“A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment, and continue to train and educate both staff and leaders in this area,” the company said.
Is Your Personal Information For Sale on the Dark Web? Simple Steps Can Help You Keep Your Personal Information, Personal.
It’s no secret that the dark web is full of stolen data that ranges from pilfered credit card information and hijacked payment services accounts to hacked social media accounts. But have you ever wondered how much your personal information goes for on the dark web? Researchers at Privacy Affairs have sifted through the listings in the internet’s seedy underbelly and created an overview of the average price tags attached to your stolen personal data.
Called Dark Web Price Index 2020, the price breakdown of various kinds of pilfered personal information shows that a cloned American Express card with PIN tops the payment card menu at a mere $35 a pop (other cloned credit cards sell for as little as $10), whereas stolen credentials to your online banking account can be purchased for just $65 on average. As for payment processing services, PayPal accounts are by far the most commonly listed items, with an average price of $320 for stolen account credentials that could net the cyber-criminal a transfer of up to $3,000. Gmail accounts command a relatively high price at an average of $156, which may be due to the fact that a lot of people use single sign-on options, making a compromised email account a treasure trove of data and access to various other services and information.
There's a good chance that the security of your personal information, bank and credit card accounts is worth much more to you than the low-low price it fetches on the black market, and you can help protect it by following a few simple rules to protect your identity and accounts:
Look out for suspicious emails - and texts! These phishing attacks may look like legitimate messages, but don't be fooled: they rely on trickery to get your login credentials, credit card details and other personal information.
Instead of using easy-to-remember passwords, opt for a strong and unique passphrase for each account.
Use two-factor authentication whenever it is available to further secure your accounts and personal information.
When answering the phone, never give out your personal or sensitive information - get a telephone number where you can call back and verify the legitimacy of the request.
Never use an unsecured or public Wi-Fi network to access your bank accounts or other sensitive data. If you must log in to a network you don't 100% trust, use a VPN to encrypt your session.
Keep your Firewall, Anti-Virus, Anti-Spyware and Operating Systems up to date, and turn off your computer (or at least disconnect your WiFi connection) when you step away.
Check your personal credit report at least annually and look for any unrecognized accounts that may have been opened in your name, and without your knowledge.
For more information on what to do should you find that your personal information has been exposed or compromised in a data breach, visit
RedPenSec Announces Commitment to Global Efforts Supporting and Promoting Online Safety and Privacy for Cybersecurity Awareness Month
October is Cybersecurity Awareness Month, a global effort to help everyone stay protected whenever and however you connect. The overarching theme for the month is 'Do Your Part. #BeCyberSmart.' and RedPenSec, Powered by Crafted Compliance, Inc., is proud to be a champion and support this online safety and education initiative this October. This year's initiative highlights the importance of empowering individuals and organizations to better protect their part of cyberspace in an increasingly connected world. The overarching message of this year's theme, 'If You Connect It, Protect It,' dives into the importance of keeping connected devices safe and secure from outside influence. More than ever before, connected devices have been woven into society as an integral part of how people communicate and access services essential to their well-being. Data collected from these devices can detail highly specific information about a person or business, which can be exploited by bad actors for their personal gain. Cybersecurity Awareness Month aims to shed light on these security vulnerabilities while offering guidance on simple security measures that limit the exposure of commonly used devices to threats.
This year, the Cybersecurity Awareness Month’s main weekly focus areas will revolve around:
Understanding and following general security hygiene for connected devices and home networks
The importance of connected devices security for remote workers
How connected devices play a pivotal role in the future of healthcare; and
The overall future of connected devices for consumers, professionals, and the public domain
If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees – our interconnected world will be safer and more resilient for everyone.
Now in its 17th year, Cybersecurity Awareness Month continues to build momentum and impact with the ultimate goal of providing everyone with the information they need to stay safer and more secure online. RedPenSec is proud to support this far-reaching online safety awareness and education initiative, which is co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security.
“Cybersecurity is important to the success of all businesses and organizations. NCSA is proud to have such a strong and active community helping to encourage proactive behavior and prioritize cybersecurity in their organizations,” said Kelvin Coleman, Executive Director, NCSA.
For more information about Cybersecurity Awareness Month 2020 and how to participate in a wide variety of activities, visit staysafeonline.org/cybersecurity-awareness-month/. You can also follow and use the official hashtag #BeCyberSmart on social media throughout the month.
About Cybersecurity Awareness Month
Cybersecurity Awareness Month is designed to engage and educate public- and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing Cybersecurity Awareness Month in 2004, the initiative has been formally recognized by Congress, federal, state and local governments, and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit staysafeonline.org/cybersecurity-awareness-month/
NCSA is the Nation's leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry, and civil society. NCSA's primary partners are the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and NCSA's Board of Directors, which includes representatives from ADP; AIG; American Express; Bank of America; Cofense; Comcast Corporation; Eli Lilly and Company; ESET North America; Facebook; Intel Corporation; Lenovo; LogMeIn; Marriott International; Mastercard; MediaPro; Microsoft Corporation; Mimecast; KnowBe4; NortonLifeLock; Proofpoint; Raytheon; Trend Micro, Inc.; Uber; U.S. Bank; Visa and Wells Fargo. NCSA's core efforts include Cybersecurity Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group with federal government leadership from the Department of Homeland Security; and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks.
For more information on NCSA, please visit https://staysafeonline.org.
The Cybersecurity and Infrastructure Security Agency (CISA) Issues Final Vulnerability Disclosure Policy Directive for Federal Agencies
The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) division announced a final directive this week that requires all individual federal civilian executive branch (FCEB) agencies to “develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services and maintain processes to support their VDP.”
Identified as the Binding Operational Directive 20-01 (BOD 20-01), this agency-wide initiative is in line with the goal of making 2020 the “year of vulnerability management”, including the focus of making disclosures of vulnerability easier for the public.
Now, aside from a whole lot of acronyms, what exactly does this mean?
With this directive, the government is not only underlining the importance of cybersecurity; it is saying that the public needs an easy way to contribute to it. This means that agencies need to make it easy for citizens to find and report vulnerabilities, and to do so in a legal manner. The collaboration component is important here because it opens up the conversation, removes the fear of being penalized for reporting, and provides consistency in how the information is reported.
Yes, It Is THAT Important
The recognition by the federal government to not only make this mandatory for their agencies but also to get public input shows us just how important having strong cybersecurity is. This is not a political, religious, or other divisive topic. We must be unified in our efforts to fend off cyber criminals as a nation. That should emphasize to you as MSPs, and to your clients, how important it is to create a strong cybersecurity plan, one that is proactive as well as reactive in the case of a breach. This isn't a one-and-done scenario. The ways businesses are attacked are ever-changing, and training and learning must be ongoing to provide current information.
As a community, we must work together to fight cybercrime. Otherwise, we could collectively fall to a breach of our information. This will not just affect one person with a stolen identity, but entire businesses may not recover, leading to job loss and a much larger impact. Together we are stronger!
Impersonation Nation: Don't be a Victim - Catch the Phish!
Business Email Compromise (BEC) is not a new term. BEC scams have been growing in popularity for some time now. If you’re not familiar with BEC, it’s when a fraudulent email is sent to a company or individual, and the email appears to be from a legitimate business resource or person, often varying from the legitimate email address by just a letter or two. There may be instructions within the scam email for the recipient to transfer money, purchase gift cards, click on a malicious link, or perform some other activity at the behest of the sender. Unfortunately, BEC scams often put the recipient at a disadvantage because they see the name or title of the sender and react quickly, or are hesitant to question authority.
So, what’s the secret sauce that cybercriminals use across the board when launching their attacks on unsuspecting victims? According to a recent report from Barracuda, it’s surprisingly simple and straightforward: legitimate email accounts.
Let’s elaborate on that. Barracuda found that hackers launched 100,000 BEC attacks on over 6,000 organizations by using 6,170 legitimate email accounts (which of course, were created with malicious intent). We’re talking Gmail, AOL, and other verified email services.
The report further outlines the details of the attacks, identifying that 45% of the BEC attacks since April of 2020 were carried out with these email accounts. It appears that Gmail is the platform of choice with 59% of the accounts originating there. This may be a result of the cost to create an account (it is free), the ease of registration of a new account, and the solid reputation that a company like Google carries – meaning it is much more likely to pass through security filters.
Change in Identity
While the email account will remain the same, the sender name does get updated from time to time by the cybercriminal in order to go unnoticed by the recipient. These accounts are not often used for more than a 24-hour period; they then go dormant for a while to lessen suspicion, or, if the account has already been flagged, to reduce the likelihood of being detected by another server. That doesn't mean it goes away forever. Like your MySpace account, it stays out there in cyberspace waiting to be revisited.
Phishing for…Anything
Again, BEC scams are not new, and they are just a small 'subdivision' of the much bigger issue of phishing, the single most used point of entry into a company in order to breach the data contained within the business infrastructure. And with the cost being minimal (basically it is free to do) and the potential return on investment huge, the benefits to the attacker far outweigh the risk.
Ongoing training is one of the best ways to arm employees and clients (as well as your family and friends) with the right tools to catch the phish.