Information Security Leader, Author, Instructor and Speaker

Healthcare and Internet of Things Security

There are now more things connected to the Internet than people on the planet, and the number is growing rapidly: within five years, according to Strategy Analytics, there will be four devices for every person. The Internet that once consisted of only computers, smartphones and tablets, now includes connected blood pressure monitors, smoke detectors and washing machines. Experts predict this trend will only continue, doubling the number of devices over the next five years. That’s a tremendous number of devices, generating a tremendous amount of data.
Where will all this data go? How will individuals and service providers protect the confidentiality, integrity and availability of sensitive information generated by the Internet of Things (IoT)? What about when that data includes personal health information? The staff of the Federal Trade Commission (FTC) tackled these questions in a workshop and released its findings in a report entitled, Internet of Things: Privacy and Security in a Connected World.

Read the full story: Healthcare and Internet of Things Security

Published 5/28/2015 on

Posted in Articles

Optional No More: Five PCI DSS Requirements Become Mandatory June 30th

If you reviewed the impact of the PCI DSS 3.0 changes on your organization two years ago, you might recall a set of requirements marked “Requirement X is a best practice until June 30, 2015, after which it becomes a requirement.” If your response was “Oh, good, we can handle that later!”, you may be realizing that “later” is about to arrive!

When the PCI SSC released the final PCI DSS 3.0 standard in November 2013, they realized that five particular requirement modifications would have an outsized impact on organizations. They provided merchants and service providers with a 20-month grace period to slowly adapt to those changes. Let’s take a look at the five optional requirements that are about to become mandatory and their impact on your organization.

Read More: Optional No More: Five PCI DSS Requirements Become Mandatory June 30th

Published April 30, 2015 on

Posted in Articles

Malware Isolation for Dummies

Web browsers are a primary vector for malware attacks that jeopardize network security. These attacks threaten the confidentiality, integrity, and availability of sensitive information. Browser isolation technology mitigates the risk of malware infection by separating the browser from the user and creating a safe browsing environment.

Malware Isolation for Dummies, Published April 2015 by John Wiley and Sons

Posted in Books

A Year of Cloud First: Lessons Learned

I had the privilege of spending an hour with the Internet2 NET+ team today sharing some of the lessons we’ve learned during Notre Dame’s cloud journey.

Posted in Presentations

Malware Exposed

Malware is perhaps the most dangerous threat to the security of the average computer system. Research by Microsoft recently estimated that 17.8% of computers worldwide were infected by malware during a three-month period. That is an astonishing number that underscores the real and present danger posed by malicious software on the modern Internet.

Information technology professionals must educate themselves about the risks posed by malware and use that knowledge to defend their organizations against the malware threat. In this article, we provide background information on malware and describe ways that you can create a defense-in-depth approach to protecting your computing assets.

Read More: Malware Exposed

Published April 5, 2015 in Certification Magazine

Posted in Articles

Tech Tips: Running a Vulnerability Scan

Vulnerability scanning plays a critical role in the information security program of any educational institution. Conducting regular security scans ensures that administrators remain aware of the state of security on their networks and allows them to quickly remediate vulnerabilities before an attacker exploits them.

Conducting vulnerability scans consumes network bandwidth and ties up resources on the systems being scanned. In the worst case, these scans may inadvertently result in system outages or other operational issues. IT staff preparing to scan campus networks should follow a set of best practices to protect the integrity of their institution’s information systems. In this article, I offer four tips on operating a safe and effective vulnerability scanning program.

Read More: Tech Tips: Running a Vulnerability Scan

Published March 17, 2015 in EdTech Magazine

Posted in Articles

Could Apple Pay fundamentally change PCI DSS compliance?

Apple Pay, the recently released mobile payment system on Apple’s iPhone 6, is making waves in the security community and being praised for the attention it provides to securing credit card transactions. Tokenization, the technology underpinning Apple Pay’s security model, is not new, but Apple Pay may provide the impetus for this technology to go mainstream.

From the consumer’s perspective, Apple Pay is an ideal way to conduct a transaction with a merchant because it preserves the consumer’s privacy during the transaction. During a normal credit card transaction, the merchant reads the consumer’s name and credit card number from the magnetic stripe on the back of the card. During an Apple Pay transaction, the merchant receives only an anonymized one-time-use code that facilitates the transaction.

Read More: Could Apple Pay fundamentally change PCI DSS compliance?

Published March 8, 2015 on

Posted in Articles

Context-Aware Intrusion Prevention

Over the past few years, security professionals around the world have undertaken projects to convert their enterprise firewalls to the latest technology – next generation firewalls (NGFW). These systems leveled up firewall technology by providing the firewall with more information – data that provided context about applications and users and allowed the firewall to make more intelligent decisions about network access. It’s now time for intrusion prevention systems (IPS) to make that same leap.

The newest intrusion prevention technology, next generation IPS (NGIPS), is able to incorporate new data sources that dramatically improve the IPS’ ability to protect networks against attack. With these systems, you can incorporate information about your network and applications into your intrusion prevention strategy to build more robust defenses for your organization’s network.

Read more: Context-Aware Intrusion Prevention

Published March 4, 2015 in BizTech Magazine

Posted in Articles

Can legal departments complement IT security?

Legal teams have long played an important role in information security and compliance programs. The expertise that attorneys bring to the table complements the technical subject matter expertise of IT professionals and, when working toward a common purpose, contributes to a well-rounded IT risk management program. In this tip, I look at three different ways that legal teams can contribute to information security efforts in enterprises of all sizes.

Legal departments often find themselves thrust into the middle of enterprise risk management programs for two reasons. First, they are normally privy to many of the sensitive risks facing different areas of the business. Second, many organizational risks are legal in nature, requiring the expertise of an attorney to assist in interpreting laws and regulations and to estimate the impact on the organization should a violation arise.

Read more: Can legal departments complement IT security?

Published February 27, 2015 on

Posted in Articles

What the Community Health Systems Breach Can Teach Your Organization

In the spring of 2014, hackers penetrated the systems of Community Health Systems (CHS), a network of 206 hospitals located across the United States. They made off with sensitive personally identifiable information from over 4 million patients, including names, Social Security numbers, birthdates and employment information.

What happened at Community Health Systems? What can enterprises learn from the breach? This tip looks at the lessons you can extract from the CHS breach to protect your organization’s health information and keep HIPAA regulators at bay.

Read the full story: What the Community Health Systems Breach Can Teach Your Organization

Published February 19, 2015 on

Posted in Articles

Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.