#1 Don Pardo, the voice of ‘Saturday Night Live,’ has died at 96 » Patch Always: Whether it’s ATMs » 2020-08-15 09:07:13

Replies: 0

According to security reporter Brian Krebs, the FBI issued a confidential alert to banks on Friday, warning that “cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme…commonly referred to as an unlimited operation.” The FBI further stated that “unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.”

ATM attacks are not new. The famous Barnaby Jack demonstrated how he could make ATMs spit out cash on the stage of Black Hat in 2010. But this required physical access to unpatched machines.

The ‘unlimited operation’ ATM attack is much different and more devastating. Criminals infiltrate a bank’s infrastructure to steal and clone bank cards, remove fraud controls and withdrawal limits, and then coordinate large-scale withdrawals from physical ATMs to steal huge amounts of cash.

While it sounds like a bank robbery created in a Sci-Fi novel, this approach isn’t new either. Just ask Roman Seleznev, a hacker arrested recently for coordinating a similar attack on RBS Worldpay, a payment processor in Atlanta, back in 2008. The DOJ report stated at the time that the attack was “then the most sophisticated and organized computer fraud attack ever conducted.” Despite the RBS attacks resulting in $9 million stolen from 2,100 ATMs worldwide in less than 12 hours, the industry is still prone to such massive, coordinated attacks. These attacks are possible for the same reason cyber attackers were able to steal $81 million from the Bangladesh Bank in 2016 – a failure to properly secure IT infrastructure, specifically around privileged access.

In both the RBS ATM attacks in 2008 and the SWIFT attacks in 2016, attackers used simple means such as phishing to gain a foothold on an employee device, elevated privileges and moved laterally into the network. Once on the network with this level of privileged access, attackers can study the security infrastructure and avoid controls, decrypt data and prepare for their coordinated assault on ATMs.

Once attackers are on the network with elevated privileges, an attack on ATMs is a ‘path of least resistance.’ They can steal as much money as possible in a short time without sounding the alarms, since at this point, attackers literally “own” the organization.

The FBI urges banks to review how they handle security, specifically around “implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators…” A better way to phrase this is: lock down your privileged access. But for those banks that have not learned the lessons taught over the past 10 years, here are a few essential principles of protection used by smart organizations:

Patch Now, Patch Always: Whether it’s ATMs, financial systems, IT infrastructure or endpoints, attackers seek out active vulnerabilities as an open invitation into your network. It’s one thing to fall victim to an advanced phishing attack that is highly sophisticated. It’s another to leave a proverbial backdoor open into the vault.

Contain Attacks by Securing Privileged Access: The ATM attackers actively seek out endpoints with local admin rights – removing admin rights prevents attackers from moving into the network and installing malware. But privileged access security doesn’t stop there – domain admin credentials, privileged SSH keys and any other credentials that provide access to sensitive accounts or systems need to be locked down and controlled. By centrally securing privileged credentials, controlling access based on role, and enforcing multi-factor authentication before granting access, attackers cannot move through the environment to remove security controls and execute their attacks.

Continuous Monitoring: Almost all bank attacks start with attackers targeting their networks. By closely monitoring networks based on events or patterns, organizations can determine if an attacker manages to hijack credentials and gain access to target assets – such as ATMs. Organizations must be able to quickly detect and address the malicious behavior.

Cyber criminals will continue to innovate and change tactics to reach their end goal – but only if organizations force them to do so by blocking the known pathways. In this case, crime pays, at least until banks get better at privileged access security.

#2 Practical Steps to Safeguard Critical Infrastructure »  » 2020-08-15 08:44:45

Replies: 0

by Josh Arrington

CyberArk explains how it is helping enterprises meet today’s advanced security challenges and highlights the new capabilities, offered in its largest release to date, further extending its long-standing market leadership.
By focusing on continuously protecting the datacenter, learn how Cyber-Ark creates powerful solutions that fight internal and advanced threats and satisfy the growing demands of compliance.

#3 Another Breach, Another Reminder: Cyber Hygiene Isn’t Optional » pengguna juga bisa menggunakan fitur transfer sesama GoPay » 2020-08-15 07:15:52

Replies: 0

GoPay users can now withdraw cash more easily

GoPay now offers a cash withdrawal feature that can be used at all BCA ATMs across Indonesia. “This GoPay cash withdrawal feature is backed by BCA’s extensive ATM network, spread across all regions of Indonesia. This certainly makes it easier for users to send money to colleagues or relatives who are out of town or do not yet have a bank account,” said GoPay VP of Business Development Imam Akbar Hadikusumo. According to him, with this feature the recipient can withdraw cash at any BCA ATM without a card. The feature is claimed to be very helpful for users who are used to going cashless but occasionally need cash.

The process is quite simple: users only need to open the GoPay menu in the Gojek app and select the Cash Withdrawal (Tarik Tunai) feature. Next, enter the amount to be withdrawn. Then authenticate with a PIN. Once authentication is complete, the user receives a 6-digit transaction code that can be used immediately for a cardless cash withdrawal at the nearest BCA ATM. There is no need to worry about security, because the transaction code is secret and is only valid for one hour from the time it is issued.

To use this feature, GoPay users must first upgrade their account to GoPay Plus. In addition to the Cash Withdrawal feature, users can also transfer to other GoPay users and to bank accounts, get a higher GoPay limit, and receive extra protection through the GoPay Balance Back Guarantee (Jaminan Saldo GoPay Kembali).

Editor: Ramadhan Triwijanarko.

#4 Practical Steps to Safeguard Critical Infrastructure » Once Bing has grabbed the first set of search results » 2020-08-15 06:24:37

Replies: 0

No, Microsoft hasn’t launched a new feature that will allow users to find out who is talking about them, but it has just tweaked its search engine so that a quest for information is less like dealing with an algorithm and more like conversing with a knowledgeable friend. Once Bing has grabbed the first set of search results, you can carry on asking more questions about the same topic, within the same search. In a blog post to announce the update, Yan Ke, the principal development lead on the Bing relevance team, gives the example of asking Bing who is the President of the US. From there you might ask who his wife is or how tall he is. Bing maintains the context and keeps the conversation moving forward.


#5 More on Vendor Management » Sounds like a great place to retreat for some HIT immersion » 2020-08-15 05:30:49

Replies: 0

Hats off to the Board of the Montana HIMSS Chapter for organizing this first-ever gathering of its kind for its valued members and sponsors.

The two-day conference will be held at the Fairmont Hot Springs and Resort in Fairmont, famous for its natural mineral hot springs pools and beautiful setting. Sounds like a great place to retreat for some HIT immersion.
CynergisTek CEO, Mac McMillan, will serve as the keynote speaker on May 11, 2012, providing attendees with a state of the union on healthcare privacy and security in the era of meaningful use, OCR HIPAA enforcement and the prospective impact of the Omnibus Rule.
Please visit the Montana HIMSS Chapter website at http://montana.himsschapter.org/ for more information.

Our sincere thanks to the MT HIMSS Chapter Board for inviting us to contribute


#6 Scientists reconstruct speech through soundproof glass by watching a bag of p.. » The post City offices closed Thursday » 2020-08-15 02:47:15

Replies: 0

City offices, including the Library, Clay Madsen Recreation Center, Municipal Court, Baca Center and Utility Billing Office, will be closed Thursday and Friday, Nov. 28-29, for the Thanksgiving holiday. Utility bills and court-related fines can be paid online. Residential trash and recycling pickup will shift from Thursday to Friday, and from Friday to Saturday. Questions regarding this change should be directed to Round Rock Refuse.

The post City offices closed Thursday, Friday for Thanksgiving holiday appeared first on City of Round Rock.


#7 Effective Password Management: Random, Yet Sophisticated » and the first word that popped into my head was Energy » 2020-08-15 02:41:15

Replies: 0

What’s your one word for 2019? This is a question I saw in a tweet on Jan 1, 2019 from Jesse Cole. It got me thinking, and the first word that popped into my head was Energy.

I responded back to Jesse letting him know, and because I put it out into the world I now have to commit to living it.

Here is why Energy is my word for 2019

For me to make 2019 the best year of my life I need to get better at figuring out what I am putting my energy towards.
Focusing on the things that are truly important vs the things that aren’t.
With all the distractions in the world and requests being thrown at you this can be a huge challenge.
Because of this I need to constantly remind myself of what I am focusing on. Having your energy focused on the truly important things can have a massive impact on your success, whereas a slight deviation of putting energy towards the wrong things can stunt your growth.

In Tim Grover’s book Relentless (which is one of my favorites) he has a passage that says: “Even Michael (Jordan) used to say he had butterflies before a big game. ‘Get ’em all going in the same direction,’ I’d tell him. They’re not going away, but now you’re controlling how you feel about them, instead of allowing them to make you feel nervous. Energy instead of emotion. Big difference.”

This is something that has stuck with me since the moment I read it.
For 2019 to be the best year of my life I need to put myself in more uncomfortable situations.
Situations that stretch me and help me grow.
In those instances there is a good chance I am going to be nervous or get butterflies.
However, if I can constantly remind myself “Energy instead of emotion” then I’ll be good.

I learned from two of my mentors Ed Mylett and Andy Frisella that the person with the highest energy influences a conversation.
I am naturally a very positive and energetic person, so bringing energy to a conversation is something I am good at.
However, I can always be better.
I need to be constantly aware of the energy that I am bringing to every conversation.
This can be as simple as talking to the cashier at the grocery store, all the way up to one of those growth oriented, potentially butterfly inducing conversations with someone I’ve always dreamed of building a relationship with, plus everything in between.
I always want to be aware of the energy that I am putting out too.
This can be anything from on social media to what I am talking about in a conversation.
I want to make an important distinction between the energy level I am bringing to a conversation, and the positive or negative energy I am putting out in a conversation. Am I talking about positive things and having positive energy, as opposed to being someone who talks negatively?
This is something that takes a ton of self awareness because it is not easy to avoid getting caught up in gossip or being the one creating it.
With high energy also comes the ability to transfer energy to others.
The same way hearing one of your favorite songs can cause you to dance or be in a good mood, the same rings true for being a positive influence towards others.
The world is filled with so much negativity that being a positive ray of sunshine in others lives one day at a time can have a huge impact.
I also want to be aware of the energy that is around me and the energy I receive.
I am a big believer in “you are the average of the 5 people you spend the most amount of time with.” Am I spending time with people that positively add to my energy? Along the same lines, to have a positive mindset you need to control your inputs.

Am I feeding my mind with things that give me positive energy, as opposed to letting in crap (e.g. the news, gossip, trash television, others’ negative energy)? I want energy that keeps me moving forward.
I don’t have time for anything else.
One thing I am aware of on a daily basis is my own energy and the mindset attached to it.
We all have good days and bad days, but what happens when you are having a bad day? How quickly can you change your energy and make it positive?
Every entrepreneurial journey is filled with endless obstacles.
It is how I respond when the times are toughest that will have a major impact on my success.
Because of this setting my daily intention for my energy is a huge thing.
The way I’ve implemented this into my daily routine is every morning I go through a daily primer of 10 questions I ask myself.
One of them is “what is my energy for today?” I will then write down the answer. The challenge I faced at first when doing this exercise is how do you describe your daily energy without just being vague or repeating the same thing every day?
The way I did it was just by showing up every day and seeing what popped into my head.
Here’s a look at my responses so far this year: great, optimistic, excited (x3), focused, bouncing, driven, curious, open, positive Costanza, good vibes, weekend hustle.
Another way in which I make sure that I live the word of Energy every day is each morning in my 10x Planner, when I am writing down my goals and targets for the day, I also write down a series of words or phrases that I want to keep top of mind.
One of them is ENERGY.
That way I have yet another positive reinforcement and reminder of setting my positive energy intention for the day.
I am confident that not only being aware of the various ways in which energy impacts my life, but also living it in practice on a daily basis will help make 2019 the best year of my life.
May your 2019 be filled with tons of positive energy and good vibes.
– I’d love to hear from you.
What are you doing on a daily basis to check in on your energy? Also, what is your one word for 2019?

You can hit me up on Twitter @RobCressy or on Instagram @Rob_Cressy

*NEW PROJECT ALERT* Have you always wanted to create a podcast but didn’t know where to start? Then head to LaunchingPodcast.com. It’s a step by step video course to easily launch a podcast.

The post Why Energy Is My Word For 2019 appeared first on Bacon Sports


#8 The software revolution laps the insurance shore »  » 2020-08-15 02:10:11

Replies: 0

The Round Rock City Council approved a contract with Phoenix I Restoration and Construction for the relocation of the Old Stagecoach Inn at a regularly scheduled meeting on Thursday, Feb. The relocation contract, funded through Hotel Occupancy Tax in the amount of $796,000, includes the relocation of the historic structure as well as stabilization once relocated to the planned Bathing Beach Park along Brushy Creek. Phoenix I Restoration and Construction has extensive experience with the restoration of historic structures throughout the state, including the Fort Bend County Courthouse, Navarro County Courthouse and the Texas State Capitol.
The Old Stagecoach Inn was built between 1848 and 1853 to serve travelers along the historic Chisholm Trail, making it one of the oldest surviving buildings from Round Rock’s founding era.
Buildings from this “pre-railroad” period were constructed by skilled builders using traditional techniques and materials.  Manufactured building materials would not become widely available until the railroad reached central Texas several decades later.  Few buildings remain from Round Rock’s “pre-railroad” era.
In February 2017, a feasibility study outlining relocation options for the Old Stagecoach Inn was presented to Council by preservation architecture firm, Architexas.
The study provided insight on the process required to relocate the existing structure from its current location at 901 Round Rock Avenue to the planned Bathing Beach Park on Chisholm Trail, as necessitated by continued progress on the RM 620 Safety Improvement Project.
The relocation is currently anticipated to occur by June of this year.
Round Rock Preservation is raising funds through a brick fundraiser in order to restore the Inn once it’s secured at the new site.
More information on the history of the Stagecoach Inn relocation project can be found online: https://www.roundrocktexas.gov/departments/planning-and-development-services/historic-preservation/stagecoach-inn/

The post City Council approves contract to relocate historic Stagecoach Inn appeared first on City of Round Rock.

#9 City selects KemperSports to manage Forest Creek Golf Club » to end diplomatic relations with Israel » 2020-08-15 01:33:25

Replies: 0

After the OPM breach, you would assume the government immediately took measures to make sure there wasn’t a second hack.
It looks like whatever efforts they made didn’t work, because they were breached yet again.
The names, titles, phone numbers, email addresses, and job descriptions of thousands of FBI employees were leaked.

But wait, it gets worse.
Similar information was also breached for 9,000 homeland security workers just the day before.
Luckily, the government has impeccable timing, as the breach hasn’t gotten much press, largely overshadowed by President Obama’s announcement of his Cybersecurity National Action Plan.
Here’s everything you need to know about the breach: A Justice Department staffer’s email account was compromised by the hackers, and the group released the information on Superbowl Sunday and Monday, as they had promised to do on social media. According to US News, the hackers appear to have significant political motivations.
The group tweeted that they would continue to release the information they took until there is a free Palestine, urging the U.S. to end diplomatic relations with Israel.
They also tweeted  The same hackers released the information of 9000 DHS employees and 20,000 FBI workers. The message on top of the data dump reads “Long Live Palestine, Long Live Gaza”.

The Department of Justice has stated that, as of now, it doesn’t look like any sensitive identifiable information was breached. The hackers also claim that they have access to hundreds of gigabytes of DOJ data, which they are waiting to release. The pro-Palestine hacker group taking credit for the attack is called “DotGovs”. The group has been very active on Twitter, typically using #FreePalestine in their tweets. Following the breach they tweeted, “When will the US government realize we won’t stop until they cut relations with Israel.” Government officials have commented on the breach and are working to make it seem unimportant, comparing the leaked information to what you could find in an old phone book. However, it should be noted that while some of the information was out of date, other information was extremely accurate.

Additional thoughts… It seems that the most perplexing, and worrisome, aspect of this hack is that the government is acting like it isn’t a very big deal.
You would think that following the OPM breach and the announcement of the President’s new cybersecurity plan, they would use this cyberattack as a catalyst to move the plan forward, instead of painting it as a non issue.
The media, mostly concentrating on the announced cybersecurity plan, seems to have forgotten about this breach, as reporting has been lax.
The scary part of this breach isn’t necessarily the content that was released, but rather, the response and the fact that it occurred in the first place.

The OPM breach was devastating, exposing 25.7 million records. Following this attack, putting basic information security fundamentals in place should have been top priority. It is very dangerous for DOJ officials to portray this breach as insignificant. There is still a large amount of unknown data that the hackers allegedly possess, information that poor information security practices allowed them to access. The government must take these events more seriously. Hackers will continue to work to breach the government and soon, as we have seen in the past, more than just names and email addresses will be compromised. This breach should be used as a conversation starter to put more secure practices in place. As the presidential election continues to heat up, and international struggles move forward, we are more vulnerable than ever to hackers trying to access sensitive data for political gain. Hopefully this newly released cybersecurity plan will spark more conversations around security, help ensure that information is more closely protected, and lessen the likelihood of cyberattacks in the future.

#10 Bitcoin trade »  » 2020-08-15 01:23:37

Replies: 0

By Michael Gold TAIPEI (Reuters) – Taiwan’s Hon Hai Precision Industry Co Ltd reported a third consecutive quarterly profit gain Wednesday as the world’s largest contract maker of electronic goods continued to benefit from demand for products from No.1 client Apple Inc. Hon Hai, also known as Foxconn, earns as much as 50 percent of revenue assembling Apple devices such as iPhones and iPads, analysts say. In the meantime, the widely expected release in the coming months of larger-screen iPhones will keep Apple as Hon Hai’s biggest cash cow for the foreseeable future, according to company-watchers. Still-hot sales of iPhones drove Hon Hai’s net profit in April-June to T$20.19 billion ($673 million), versus the T$17.66 billion mean estimate of 13 analysts polled by Reuters. Shares of Hon Hai closed up 1.4 percent before the earnings release on Thursday, versus a 0.7 percent rise in the benchmark TAIEX index.

#11 The NFL is finally coming to Apple TV, but not how you want it » and Ransom Riggs chose Srisahiti’s essay » 2020-08-15 01:12:50

Replies: 0

Srisahiti Maddipatla, a member of the Round Rock Public Library’s Teen Writing Group, entered the 2018 Penguin Young Readers Peculiar Writing Contest and was chosen as a runner-up from hundreds of entries. She won 20 signed copies of Ransom Riggs’ latest book, A Map of Days, for the library. One copy was given to Srisahiti, and the other copies will be used as Summer Reading prizes. Jane Dance, teen librarian, meets monthly with the Teen Writing Group, and has recognized that there are some talented writers. When a national competition came along she asked if anyone would be interested in entering, and one member, Srisahiti, decided she would. The contest required entrants to write a 500–1000 word story inspired by the world of Ransom Riggs’ Miss Peregrine’s Peculiar Children series. Since a photo could be submitted with the entry, Jane brought the teens some old black and white photos of the Bournville Cadbury Factory, where she grew up in England, as she thought they might inspire them…and they did. Srisahiti wrote her story, “The Bournville Mystery,” and it began: “The wide, brick building started biting down to my tears. The wide, brick building reminded me of my mother and her beautiful smile, long hair, and fantastic cooking skills. The wide, brick building seeped into my heart more than any other location I had ever encountered.”

In January, Jane received the congratulatory news from Penguin Random House: “Congratulations! We are pleased to inform you that your student’s essay submission has been selected as one of 4 runners-up for the 2018 Penguin Young Readers Peculiar Writing Contest. We received submissions from schools and libraries nationwide, and Ransom Riggs chose Srisahiti’s essay, along with 3 others, as a runner-up.” Teens are welcome to join the library’s Teen Writing Group, which meets the 2nd Tuesday of each month in the Teen Room, 6:30 to 8 p.m., except during Summer Reading. Contact Jane Dance for more information at 512-218-7012.

The post Round Rock teen recognized in national writing competition appeared first on City of Round Rock.

#12 CyberArk is Heading to #RSAC To Find the Anomaly, Eliminate the Threat with P.. » Click to Enlarge The post Pavement improvements on A.W » 2020-08-15 00:39:28

Replies: 0

Pavement improvements have begun along A.W. Grimes Boulevard from Gattis School Road to SH-45. This work will require alternating lane closures along A.W. Grimes and is scheduled for completion at the end of October. Work will be performed from 9 a.m. through 4 p.m. During the construction process, the roadway will remain open to traffic; however, drivers should expect delays and are advised to reduce their speed and increase their spacing distance while workers are present. Additionally, the intersection of A.W. Grimes and Gattis School Road is scheduled for pavement improvements starting Monday, Oct. 2, through Thursday, Oct. All traffic entering the intersection on those days will be required to detour around the construction. Drivers should expect heavy delays and are encouraged to seek other routes, if possible.

The improvements are a part of the City’s annual Street Maintenance program, specifically the 2017 In-Place Pavement Recycling project. The project is composed of five phases of work performed in sequential order: concrete work, edge milling, pavement repairs, pavement recycling, and pavement marking. A map showing the impacted area is included below.

The post Pavement improvements on A.W. Grimes from Gattis School Road to SH-45 appeared first on City of Round Rock.


#13 Tower seeks to leave rivals in the dust with tailored digital insurance model » VersionOne appeared first on The Pedowitz Group » 2020-08-15 00:09:41

Replies: 0

Peter Herbert, Vice President of Marketing with VersionOne made the decision 18 months ago to transform how they did marketing and adopt Account Based Marketing (ABM).
As a company they moved from a transaction model to one where they focused on the Global 2000 organizations that would use the company’s software to do enterprise wide transformation.

As part of the VersionOne marketing transformation they employed ABM. In Peter’s own words: “We’ve employed ABM to help us target our efforts more effectively, personalize [messaging] and have more success with our ideal customer profile.” When asked what the results of adopting ABM were, Peter replied “Our specific ABM effort where we went through the whole process to select accounts, get alignment with sales, change our marketing stack, and transition all of our campaigns to this new mode; we are about 6 months into it, we converted 20% of our top 100 accounts into pipeline, and we’re currently sourcing about two thirds of the new business.” Other topics he addresses in this 15 minute video include the reasons why he made the switch to ABM, what processes had to change, what technology stack he adopted to help, and what metrics and KPI changes he had to make.
Peter Herbert has nearly 20 years’ experience in strategic marketing and corporate communications including demand generation, public relations, corporate product positioning, content strategy, and channel development for both global and emerging technology companies.
VersionOne helps companies succeed with Agile software development and they specialize in helping some of the largest organizations in the world scale agile successfully across their entire organizations and succeed with agile transformation.
Watch to learn how VersionOne marketing leveraged ABM to convert 20% of their top 100 accounts to pipeline.

The post CMO Insights – Peter Herbert, Vice President of Marketing, VersionOne appeared first on The Pedowitz Group.

#14 Tower seeks to leave rivals in the dust with tailored digital insurance model » or else donate money — usually $100 — toward fighting ALS » 2020-08-14 23:12:31

Replies: 0

Everyone you’ve seen is participating in the Ice Bucket Challenge. The challenge involves daring a person to dump a bucket of ice water over their head within the next 24 hours, or else donate money — usually $100 — toward fighting ALS. The challenge is all about raising money and awareness for Lou Gehrig’s Disease. ALS is amyotrophic lateral sclerosis, but you probably know it better as Lou Gehrig’s Disease.


#15 Taking a look at version 9.4 » per the contract between the OCR and KPMG » 2020-08-13 06:20:10

Replies: 0

The first twenty audits conducted by KPMG on behalf of OCR are complete and under review as we speak by OCR.
We have published several posts and conducted several webcasts with respect to the audit process, timeline and how to prepare.
In our presentations we have covered the types of information requested by the auditors, but not the actual document request list.
The list contained here is the one received from our client.
It is instructive as to the types of information you will be asked to produce if audited, but there are a few caveats that I would like to remind everyone of as well.
The audit protocol and all of its supporting documentation to include this list are still under review by OCR and subject to revision.

If you recall the process that OCR laid out for the pilot phase of the first 20 audits, there would be a review and time to revise the audit protocol, as appropriate, then more audits, and more opportunity to review/revise, with the goal of having a final audit protocol by year’s end. Sue McAndrew, OCR, reconfirmed this when she and I spoke this past week at the NCHICA Academic Medical Centers Privacy & Security Conference in Raleigh/Durham. So the first caveat: the list is subject to change.
Like any audit tool, this document request list may be applied differently depending on the size and type of organization and/or there may also be other forms of the list for other organizations.
The list shared here went to a hospital.
We understand that there are multiple, context-based audit protocols, as well as protocols for the audits of particular aspects of the Rules, per the contract between the OCR and KPMG. Sue McAndrew also indicated that they hope to have the final protocol(s) and supporting documentation available for everyone before year’s end. As we have shared with many of you, the list herein is communicated as an attachment to the Notice of Audit letter that each site receives to start the audit process.
It is related to the first requirement in the audit process, providing documentation to the audit team within 10 business days of the date of the audit letter, and represents the first opportunity for the site to demonstrate readiness.
Collecting and providing the documentation on the list can be a daunting task for large institutions, organizations with decentralized execution, or organizations that don’t have their documentation well organized and accessible.
As you look at this list be thinking about how readily you can collect, organize and transmit your responses to this request.
Is your documentation current.
Is it complete.
Does all of the “supporting” documentation referenced in your policies/procedures live together.
Does operational practice align with what is communicated in your documentation.
These are all important questions to answer before the audit.
So, without further adieu, .

Here is the list: Download OCR Audit Documentation Request List

#16 Round Rock teen recognized in national writing competition » giving Alice plenty of opportunities to login » 2020-08-13 06:01:05

Replies: 0

Key Pair Management: Cloud Security

This is the second and final installment of our Key Management in the Cloud blog posts.
You can find part one here.
In the first part of this series, we described three concepts of key management:
A key pair is composed of a public and a private key.
Public keys are not secrets.
Selective distribution of public keys conflates authentication and authorization.
Today, let’s examine the flaws of “public key pushing”, and describe a better alternative.

Strike 1: “Public key pushing” allows escalation of privilege

Once Bob gains root access to a host, he can see all the public keys on that machine.
Normally this is not a problem, since public keys are public and not secrets; but here, what happens if Bob finds Alice’s public key on the host (or finds it elsewhere) and starts copying it to other hosts?
Bob is using his knowledge of Alice’s public key to escalate her privilege level in the infrastructure.
In effect, Bob can grant Alice access to any system that he himself has access to.

The “public key pushing” technique is supposed to facilitate centralized management of SSH access, but in fact, the access is managed on each host itself in the authorized_keys file.
The host access list can be changed by anyone with root-level access to the host, and the intended authorization policy cannot be guaranteed to be correct.
Even if the management server is constantly re-pushing the public key lists out to every host, the key lists are only eventually consistent; as the server keeps wiping Alice’s key out of authorized_keys, Bob can keep putting it back, giving Alice plenty of opportunities to login.

Strike 2: Removing a user’s public key removes their ability to be identified

It’s important to be able to audit the succeeded and failed login attempts to all your hosts.

What happens when Alice tries to SSH to a host which hasn’t been “pushed” her public key?
The host is unable to verify Alice’s identity.
In effect, it looks like a non-Alice person has tried to authenticate as Alice, but that is not what happened at all.
Alice is still Alice, but she doesn’t have access.
These are two very different things.
A failed authentication attempt means “someone you don’t know tried to claim to be someone you know”.
A failed authorization attempt means “someone you know tried to access a system she doesn’t have access to”.
From a security standpoint, these are quite different; but a “public key pushing” system can’t tell the difference.

Strike 3: Key-pushing scripts are fragile and easy to break

Key-pushing scripts are typically stored in a configuration management system, along with scripts that serve many other purposes.
Ideally, all these scripts function independently and reliably, but in practice, it’s easy to make an “unrelated” change to script A which breaks script B.
During the time it takes to get everything working again, the (already weak) capabilities of the key-pushing system are seriously compromised.
At this point it should be clear that public keys are not secrets and shouldn’t be treated as such.
So what is the right way to manage access to hosts?
SSH does have a proper mechanism for authorization: once authenticated, a user can be checked against an access list (e.g. via LDAP search).
If the user isn’t authorized, they can’t login.
The system doesn’t deny their identity, but it does deny their access.
The proper outcome is effected (Alice can’t login) and the proper event is recorded (Alice was authenticated, but not authorized).
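The following is an added example, not code from the original post: a small Python model of the two access models contrasted above (per-host authorized_keys versus a central key directory plus an access list). Hosts, user names, keys and the access list are all constructed; the central checks stand in for whatever directory lookup (e.g. LDAP) a real deployment would use.

```python
# Added example (constructed): model of "public key pushing" vs. central
# authentication + authorization, to show why the two failure modes differ.
from dataclasses import dataclass, field

# Constructed public keys. Real ones are ssh-ed25519/ssh-rsa blobs and, as the
# post says, they are not secrets: anyone with root on a host can read them.
DIRECTORY = {"alice": "ssh-ed25519 CONSTRUCTED_KEY_ALICE",
             "bob": "ssh-ed25519 CONSTRUCTED_KEY_BOB"}

# Central access list (what an LDAP search might return): user -> permitted hosts.
ACL = {"alice": {"web01"}, "bob": {"web01", "db01"}}


@dataclass
class Host:
    name: str
    # Per-host authorized_keys contents; writable by anyone with root on the host.
    authorized_keys: set = field(default_factory=set)


def key_push_login(host, user, presented_key):
    """'Public key pushing': the host trusts whatever sits in its authorized_keys.
    Identity and permission are a single check, so a user whose key was never
    pushed and an impostor produce the same log event."""
    if presented_key in host.authorized_keys:
        return "accepted", f"Accepted publickey for {user} on {host.name}"
    return "denied", f"Failed publickey for {user} on {host.name}"


def central_login(host, user, presented_key):
    """Authenticate against the central key directory, then authorize against
    the access list. Unknown identity and missing permission are distinct events."""
    if DIRECTORY.get(user) != presented_key:
        return "denied", f"authentication failed: key does not belong to {user}"
    if host.name not in ACL.get(user, set()):
        return "denied", f"authorization failed: {user} is known but not permitted on {host.name}"
    return "accepted", f"{user} authenticated and authorized on {host.name}"


def scenario():
    """Replay the post's situations and return each model's verdict."""
    db01 = Host("db01", {DIRECTORY["bob"]})  # only Bob's key was pushed here
    # Strike 1: Bob, root on db01, copies Alice's public key into authorized_keys.
    db01.authorized_keys.add(DIRECTORY["alice"])
    strike1 = (key_push_login(db01, "alice", DIRECTORY["alice"]),
               central_login(db01, "alice", DIRECTORY["alice"]))  # ACL unchanged
    # Strike 2: Alice on a host she may not use vs. an impostor claiming to be Alice.
    impostor_key = "ssh-ed25519 CONSTRUCTED_KEY_MALLORY"
    strike2_pushed = (key_push_login(Host("db02"), "alice", DIRECTORY["alice"]),
                      key_push_login(Host("db02"), "alice", impostor_key))
    strike2_central = (central_login(Host("db02"), "alice", DIRECTORY["alice"]),
                       central_login(Host("db02"), "alice", impostor_key))
    return {"strike1": strike1, "strike2_pushed": strike2_pushed,
            "strike2_central": strike2_central}
```

In the key-pushing model Bob's copy grants Alice a login on db01 and the two Strike 2 denials are word-for-word identical; in the central model Alice stays denied on db01 and the log distinguishes "authorization failed" from "authentication failed".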
Now, let’s turn our attention to the private key.
Just as public keys should not be treated as secrets, there is an argument that private keys shouldn’t either.
It’s not uncommon to see private keys loaded into secrets storage (version control, configuration management, etc), or even shared by email.
What’s the problem with this?
In effect, private keys are intended to be so secret that they are not shared with anyone.
Sharing a private key is akin to sharing a password; it’s a security and compliance no-no.
When you choose a password for a web application, the web app doesn’t actually store your password; it salts and hashes your password in a non-recoverable way, which is sufficient to verify your identity in the future, but it’s not possible to recover the password itself from its salted hash.
Similarly, you should never provide a private key to any system or any other person.
The public key is specifically designed to be safely sharable.
If you need to authenticate yourself to another person or system, they don’t need to know your private key for that; just your public key.

#17 Join Us For an IAPP Web Conference on Breach Notification » With the new lease accounting changes » 2020-08-13 05:23:22

Replies: 0

Lease accounting changes: the onus and the opportunity

It’s no secret: the lease accounting changes required by FASB ASC 842 and IFRS 16 have put a significant burden on companies, especially the accounting teams.
The effort to achieve compliance requires an investment of time and money, which can seem particularly onerous since you have no choice in the matter.
It’s like a huge black cloud hanging over your head.
But just as every cloud has a silver lining, there’s an upside to this effort.
The lease accounting changes are mandatory, but that doesn’t mean you can’t benefit from implementing the new lease accounting standard.
In fact, if you do things right, the process can lead to big changes in the way you manage leases, ultimately reducing expenses and improving your bottom line.
To reap those benefits, here’s what you need to do as you prepare for the lease accounting changes:
Implement lease accounting software with integrated lease management capabilities.
When you do that, you’ll have all your lease data in one single source of truth, the intelligence to show you opportunities for improvement, and the tools to reform inefficient and wasteful lease management practices.
Take advantage of working with both accounting and technology experts to get your house in order and improve operational and decision-making processes.
Let’s take a closer look at what you stand to gain from the lease accounting changes and how to make it happen.
Efficient and cost-effective lease management

As leases become more visible and their impact on organizational finances is realized, the processes surrounding lease management will be increasingly scrutinized.
Here at Visual Lease, we work with organizations in every industry and we see the same trend: a lack of consistent practices related to leases.
In fact, when it comes to leases for equipment and other assets, many have no documented policies and processes at all.
Because of the lease accounting changes, that’s changing.
Not having lease management tools and controls in place costs you money.
Here are just a couple of examples:
Accounts payable continues to make monthly payments on outdated leases.
You pay for building repairs that are the landlord’s responsibility according to the terms of the lease.

With lease expenses appearing on financial reports because of lease accounting changes, those at the top of the food chain will be examining lease costs and looking to improve operational efficiency and decision-making.
Are you prepared to do that?
You will be if you’ve chosen the right technology to implement the lease accounting changes.

Your choice of lease accounting technology is critical

Until now, most organizations used spreadsheets to handle lease accounting for FASB and/or lease accounting for IFRS.
With the new lease accounting changes, both the volume of work and the complexity have increased exponentially as virtually all leases must be brought onto the balance sheet.
That means the old methods are no longer sufficient and everyone is shopping for new technology.
Especially for public companies racing to meet the January 2019 compliance deadline, it’s easy to make the mistake of going with lease accounting software that merely takes data from other sources and spits out the calculations.
Doing that may seem simpler in the short term.
However, here’s what you’ll find out after the lease accounting changes are complete: having multiple systems for lease accounting and lease management leads to more complexity, more mistakes, and higher costs.
Even worse, you’re missing out on the opportunity to improve your lease administration. That’s the real silver lining in this situation.
How do you choose the right lease technology?
Learn 7 Things to Consider.

A complete lease platform enables process improvement

What if you could eliminate the mistakes that drive up your lease-related expenses?
When you consider the costs associated with high-value property leases alone, it’s easy to see how much wasted money you can reclaim by eliminating overpayments, late fees, and payments that shouldn’t have been made at all.
An end-to-end lease accounting and management platform helps you put an end to that, by documenting the terms of every lease, calculating every payment, and alerting you if payments don’t match the lease terms.
That’s just the beginning.
A complete system alerts you about upcoming critical dates related to lease options, so you have the time to make the right decision about executing options.
As lease administrators know all too well, making the wrong call, or missing an option date entirely, can be a mistake that can cost millions on just one long-term real estate lease.
When everyone involved in managing leased assets, handling payments, and accounting for lease payments on the balance sheet is using the same system, you also eliminate data integrity problems that occur when data is moved between systems.
You can count on the accuracy of your lease data because it’s updated in real time by those working with leases.
Preparing for the upcoming lease accounting changes requires you to centralize lease data so calculations can be done and journal entries & disclosures added to your GL.
But don’t limit your consolidation of lease data to only what’s required for FASB & IFRS compliance.
When you centralize all lease data, including administration information that’s outside the scope of accounting calculations, you create a gold mine of business intelligence that can guide more cost-effective leasing decisions that are aligned with the goals of your business.
Have you considered integrating with your AP system, streamlining and tracking all expense payments?
What about auditing your large expenses, providing warnings or stop payments on landlord overcharges, such as CAM expenses?

Learn more: Equipment and Property Lease Accounting: Can One System Do Both

Expert advice for improving your lease management operations

With the right tools in place and data at your fingertips, you’re in a great position to transform your operation and save money in the process.
But to make those decisions, you need the confidence that comes from experience.
Let’s face it: few organizations have implemented major lease accounting changes and transformed lease management operations throughout the company.
That’s why, as you work toward implementing the lease accounting changes, getting the advice of knowledgeable experts who have been down this road before is invaluable.
As you prepare for the lease accounting changes you’ll have the opportunity to work with knowledgeable technology professionals and your accounting partners.
However, these experts may not know very much about leases.
That’s an overlooked benefit to implementing an end-to-end lease accounting and management platform like Visual Lease.
We are lease experts, and we can help with every aspect of your transformation.
Our decades of experience working with global organizations to implement our technology, and to continuously improve it, enables us to guide our clients toward smart decisions and achieve the results they want.

Learn more: FASB Lease Accounting Changes: How to Assemble Your Readiness Team

#18 2014 Meaningful Use Attestation Timeline Extended » today announces its entry to the UK market » 2020-08-13 04:06:32

Replies: 0

EIS, a core and digital platform provider for insurers, today announces its entry to the UK market.
The San Francisco-based insurtech has launched its coretech platform in the UK to help domestic insurers offer a new generation of insurance products and services in response to changing consumer habits and an evolving regulatory landscape.
“For the insurance company of the future, providing the right cover and good service to policyholders are table stakes,” says Tony Grosso, Head of Marketing at EIS. “The real winners will be those who can move beyond protection and operate in an ecosystem of value with other, non-insurance providers.”
In fact, a recent EIS poll of UK insurance providers and insurtechs showed that 1 in 3 respondents identified “moving beyond protection to deliver more value to customers” as the most important objective for the insurer of the future.
In response to the wave of innovation in the UK insurance sector, 75% of insurers are leaving legacy technology behind in favour of more dynamic and flexible ‘as a service’ models.

EIS aims to help UK carriers with the introduction of its coretech platform which, unlike modern legacy technology, allows insurers to rapidly create and deploy new and innovative products and services via open APIs.
This new, flexible platform allows insurance companies to operate seamlessly with insurtechs and other providers to deliver lifestyle solutions beyond protection to consumers.

With customers at the heart of the EIS platform, insurers globally can now take a personalised approach to their customer experience by recognising and engaging customers as a whole, across all their insurance needs, rather than individual policy numbers.
“The agility and flexibility of the platform will be invaluable to UK insurers as they look to adapt to and sync regulatory changes post-Brexit and the demands of the market,” says Tony.

EIS is already helping forward-thinking insurance businesses in EMEA, North America and APAC.
“As we enter the UK market, we see a high demand for innovative approaches to insurance, more so than other markets,” said Olivier Vayesse, Senior Vice President, EMEA at EIS.

“EIS has been resourceful in responding to this demand. One example is a local initiative where we are developing an intelligent digital ecosystem to enable insurers to take a more radical approach to transformation, offering a greenfield platform for transitioning away from legacy technology.”
“EIS is committed to expansion in the UK market, creating jobs and revenue opportunities, in conjunction with our partner program,” Olivier continued.
The post EIS launches in the UK as insurance companies look beyond protection to deliver more value to consumers appeared first on EIS.
