Many teams working with health care providers receive requests to sign a Business Associate Agreement. In this blog, we break down HIPAA’s definition of a…| TrustedSec
Windows Server Update Services (WSUS) is a trusted cornerstone of patch management in many environments, but its reliance on HTTP/HTTPS traffic makes it a prime target for attackers operating on the local network. By…
Some organizations within the health care sector may believe that they are a Covered Entity simply because they handle health records (spoiler alert: this might not be the case). This often occurs due to…
Password-spraying is a popular technique which involves guessing passwords to gain control of accounts. This automated password-guessing is performed against all users and typically avoids account lockout since the logon attempts with a specific password are performed against every user. This technique is popular with penetration testers, Red Teams, and threat actors alike because it works so well. Password-spray detection typically involves correlating bad password attempts based on time. Th...
Many organizations don’t understand that not all health information is PHI and apply HIPAA more broadly than is required. This has implications for which organizations are considered Business Associates (because an organization must handle PHI to be considered a Business Associate) and how HIPAA is applied within Covered Entities and Business Associates. This post takes a deep dive into the definition of PHI to help organizations determine if and how HIPAA applies to them.
Ransomware attackers frequently target backups and recovery systems to force victims into paying ransoms, making robust protection strategies essential for all organizations. This blog introduces the Defensive Backup…
It's that feeling of your nerves being stretched like sinew over mounting expectations and due dates. When your attention keeps an exhausted but stubborn focus on an ever-shifting goal because there is always one more attack to check, one more use-case to implement, or one more task added to the pile that, before you realize it, has already broken out of manageable control. But you have to do it!
A major step on the CMMC rollout timeline was completed recently as the regulatory change that will create the CMMC contract clause made its way to the Office of Information and Regulatory Affairs (OIRA). This post covers what that means for contractors that want to know when to expect CMMC clauses in their contracts.
Many DoD contractors are struggling to understand what requirements will apply to them once CMMC rolls out. CMMC defines three levels, but CMMC Level 2 may allow a self-assessment or may require a third-party…
Implementing CMMC and other Controlled Unclassified Information (CUI) protection obligations depends on the accurate identification of CUI, and in some cases also depends on the identification of the CUI categories and…
Defense subcontractors may already be seeing CMMC clauses in their contracts, even though the CMMC contracting procedures and contract clause have yet to be finalized (as of this post in August 2025). However, the Department of Defense (DoD) is not currently putting CMMC requirements in contracts, and the clauses that are showing up in contracts today are not legitimate CMMC clauses from the government.
While digging into the internals of my new Lenovo ThinkPad P1 Gen7, I came across an unexpected discovery that quickly escalated from curiosity to a viable privilege escalation vulnerability.
Experience fundamentally different cybersecurity for business success, providing end-to-end consulting from penetration testing to design and hardening.
Understand NIST's Digital Identity Guidelines for secure password implementation and access control, ensuring risk-based authentication and minimizing…
May 28, 2025 update: