All posts by Michelle Drolet

Let’s Meetup and learn about Phishing and the threats to your organization

Wednesday, October 11, 2017
6:00 PM to 8:00 PM
319 Speen Street, Natick, MA

Despite record investments in cyber security technology, the data continues to paint a bleak picture:

  • 91% of breaches start with spear phishing
  • 146 Days – the average time to identify a breach
  • 82 Days – the average time to contain a breach
  • $4 Million – the global average cost of a data breach

Our heavy reliance on technology to protect against constantly evolving cyber threats ignores the most critical element: the human element. Phishing targets people, and with 92% of global information workers using email regularly as part of their job, it’s no surprise. By targeting employees, attackers are playing the odds and hoping for an easy mark. PhishMe’s Human Phishing Defense Solution disrupts the core of the adversary’s attack chain, their targets and tactics. PhishMe focuses on engaging the human, your last line of defense after a phish bypasses other technologies, and equips incident response teams with automation tools to quickly analyze and respond to targeted phishing attacks.

Click here to Register >

MassBay Receives $10,000 Donation for Cyber Security Scholarships

WELLESLEY HILLS, MA (September 20, 2017) – Massachusetts Bay Community College is pleased to announce it has received a generous donation of $10,000 from this year’s annual Information Security Summit to support student scholarships in the field of cyber security.

The Information Security Summit, held each year on MassBay Community College’s Wellesley Hills campus, was established in 2013 to help professionals advance their programs and knowledge base on the latest network security and technology issues. The net proceeds from the Summit are awarded to students in the form of two scholarships in support of Cyber Security education.

To date, the Information Security Summit and its attendees and sponsors have raised a total of $38,000 to support student scholarships.

Towerwall CEO Michelle Drolet, whose Framingham-based cyber security company is one of the co-sponsors of the Information Security Summit, along with MassBay’s Chief Information Officer Michael Lyons were on hand to present this year’s scholarship check to President Dr. David Podell, Computer Science Professor Shamsi Moussavi and to Mary Shia, the Executive Director of the MassBay Foundation and the College’s Vice President for Institutional Advancement and Alumni Relations. Drolet is also a member of the MassBay Foundation Board.

Sponsors of this year’s Information Security Summit also include: Varonis, AlienVault, GovConnection, LogRhythm, Securonix, SnoopWall, Sophos, RSA, CDW, CyberSN, Darktrace Ltd, Gigamon, Juniper Networks, PhishMe, SHI, Stealthbits, SuperCom, TCG Network Services, Big Switch and Xerox Corporation.

Scholarships are available to full-time and part-time MassBay students in the form of Information Security Summit (Cyber Security) scholarships and are given out by the MassBay Foundation.

The MassBay Foundation gives 100% of donations back to students in the form of student scholarships. The Information Security Summit Scholarship was created and is supported by the generous sponsors of the Information Security Summit, established by Towerwall and MassBay Community College to support students studying in the Cyber Security field. Anyone interested in donating to student scholarships, learning more about our student scholarship program or getting involved with the MassBay Foundation can contact Mary Shia at

*Attached is a photo of the check presentation (left to right): MassBay President Dr. David Podell, Towerwall CEO Michelle Drolet, MassBay Computer Science Professor Shamsi Moussavi, MassBay Vice President for Institutional Advancement and Alumni Relations and Executive Director of the MassBay Foundation Mary Shia, and MassBay Chief Information Officer Michael Lyons.

To learn more about the Information Security Summit, visit

MassBay Community College was recently ranked by the Brookings Institution as one of the top schools for value added and earned salaries in the workforce. Ranked #1 for 2-year colleges in Massachusetts, #2 in New England and ranked #16 nationally. The College’s facilities in Wellesley Hills, Framingham and Ashland house day, evening and weekend classes that meet the needs of degree-seeking students and career minded life-long learners. Online options provide convenience and allow faculty to facilitate the learning process. Since its founding in 1961, MassBay has been accredited by several governing bodies and strives to meet the needs of the diverse local communities it serves.

Achieving long-term resilience with NIST’s Cybersecurity Framework

The need for continuous monitoring, effective metrics and skilled workers.

The laudable aim of the National Institute of Standards and Technology (NIST) is to build a common language through a set of best practices and security principles that any organization can apply to combat cybercrime. We’ve looked at what NIST’s Cybersecurity Framework can do for you. We’ve also drilled a little deeper to reveal the importance of solid analysis in assessing your risk and requirements to ensure that you build it right the first time.

A solid foundation is a great start, but you also need to implement continuous monitoring and find a way to measure how successful your efforts have been. Because security is a race, rather than a destination, it’s vital to keep identifying gaps, making improvements, and validating your activities. To do that, you’ll need the right attitude and the right talent.


Change is constant

Cybercriminals and would-be hackers are constantly developing new techniques and uncovering fresh vulnerabilities, so defenses must be monitored and updated continually. While the Cybersecurity Framework is a great starting point, with lots of useful advice, it’s not easy to assess how effective it has been within organizations.

That’s the main reason why, at the beginning of the year, the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 was introduced in Congress. It’s an attempt to ensure that progress is measured, but establishing metrics to measure the effectiveness of security policies is a tricky business. Different organizations have different priorities.

The framework provides a skeleton that you can flesh out with your own organization’s requirements, and the metrics you adopt to measure the efficacy of your efforts are no different. If you don’t take the time to build a solid set of metrics, then you really don’t know if your efforts are paying off.

Later this year, there will also be a major revision to the document, which is available in draft form right now. Collaborators have been working to integrate privacy and cyber controls and align them with NIST’s cybersecurity framework recommendations. You can currently review and comment on this document, ahead of a final draft at the end of the year.


A very large skills gap

One of the biggest challenges facing any organization that’s trying to put NIST’s cybersecurity framework into practice is the lack of workers with the right skillset. Take a look at the interactive map at for an overview of the problem. There were 112,000 InfoSec analyst job openings last year in the United States, but only 96,870 workers to go around.

Another 200,000 openings requested cybersecurity-related skills. Cloud security skills were apparently the hardest to find, with jobs remaining open an average of 96 days. This worrying shortfall is what the National Initiative for Cybersecurity Education (NICE) exists to address. Just as the cybersecurity framework creates a common language for discussing security issues and best practices, NICE aims to help you assess workforce skills and identify certification and training requirements.

Many organizations struggle to find people who possess the right knowledge, skills and abilities, and worse, they often can’t fully articulate precisely what they need. This is one of the reasons that a virtual CISO can be a real boon for an organization trying to get its cybersecurity policies on track and recruit an effective team.


Security for all

Because the cybersecurity space is developing so quickly, it’s understandable that some risks caught some organizations unawares. But ignorance can no longer be used as an excuse: data breaches and other cybersecurity incidents now routinely result in regulatory fines and serious reputational damage.

While there seems to be a general acceptance about the level of threat, we are still not seeing the positive action required to nullify it. Verizon’s 2017 Data Breach Investigations Report found that 88% of breaches still fall into one of the nine patterns it identified back in 2014. The difficulty organizations are having is in validating implementation and building resilience.

The fact that NIST is working hard with the wider community to pool resources and knowledge is very encouraging. The importance of this endeavor comes into sharp relief when you consider the bi-partisan cooperation in a generally combative political climate. The government and wider cybersecurity community are committed to effecting real change and tightening our collective defenses, but we all need to pitch in.


This article was originally posted on CSO Online >

Introducing “Lunch with a vCISO” A Webinar Series from Towerwall

Each session will provide unprecedented access to the industry’s top Virtual Chief Information Security Officers and cover critical issues in the field. The interactive series will cover a variety of topics, such as aligning information security policies with your firm’s culture and how to prepare for an audit.

Attendees will be given the opportunity to ask questions of these experts during each session. Sessions will be held every other month and are designed to fit into your lunch hour.


Join us for our first live webinar:

Do you know your risk tolerance?
The role of a vCISO

Tuesday, September 19, 2017   |   12:00 PM EDT – 1:00 PM EDT

Featuring Michelle Drolet,
Founder & CEO of Towerwall


Session will discuss:

  • What is a Virtual CISO?
  • Who needs a vCISO?
  • How a vCISO integrates into your security culture.
  • Why an experienced second set of eyes matters.


Register Now > 



Build it right with NIST’s Cybersecurity Framework

Diving into NIST Special Publication 800-53 for practical advice.

We’ve already laid out a broad overview of what NIST’s cybersecurity framework can do for you, so today we’re going to drill into Special Publication 800-53. Published by the National Institute of Standards and Technology, and based on important research from the Information Technology Laboratory, this publication offers a comprehensive set of security controls to help you protect your data.

The document refers to Federal information systems, but this terminology will be removed in the forthcoming fifth revision, because the advice here is applicable to all organizations.

It may seem dense and inaccessible at first, so we’re going to break down some of the key elements and explain their importance.


Establishing a baseline

It’s not easy to calculate the business impact of a cyberattack, because there are many knock-on effects that take time to reveal themselves. The latest research from the Ponemon Institute suggests a global average cost of $3.62 million for a data breach. The level of potential risk is your starting point in developing and building solid cybersecurity defenses.

Before you can select the right set of security controls, you must consider the importance and sensitivity of the data. The FIPS 199 document explains how you might go about categorizing your systems, taking into account confidentiality, integrity, and availability to figure out if the potential impact of a breach is low, moderate, or high risk.

Having established the potential impact levels, you can select a security control baseline. It’s deliberately called a baseline, because it’s something to build on.
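As an added example (not code from the article, and not NIST’s own tooling), here is the FIPS 199 categorization procedure described above carried through to baseline selection. The information types and ratings are constructed for illustration and the function names are assumptions of this example; what it shows is the high-water-mark rule, under which a single HIGH rating on one objective of one information type selects the high baseline for the whole system.

```python
"""FIPS 199 security categorization with SP 800-53 baseline selection.

Added example, not code from the article or from NIST. It implements the
procedure FIPS 199 describes and FIPS 200 builds on:
  1. Rate each information type a system handles for the impact of a loss of
     confidentiality, integrity and availability (LOW, MODERATE or HIGH;
     confidentiality alone may be NOT_APPLICABLE, e.g. for public data).
  2. The system's rating for each objective is the highest rating of any
     information type it carries.
  3. The overall impact level is the "high water mark", the highest of the
     three objective ratings, and it selects the SP 800-53 baseline.
The information types and ratings in SAMPLE_SYSTEM are constructed for
illustration and are not taken from any real assessment.
"""
from dataclasses import dataclass

NOT_APPLICABLE = "NOT_APPLICABLE"
LEVELS = ("LOW", "MODERATE", "HIGH")
# Ordering used for the max() comparisons; NOT_APPLICABLE sits below LOW.
RANK = {NOT_APPLICABLE: 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type and its provisional impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in RANK:
            raise ValueError(f"{self.name}: {objective} must be one of "
                             f"{LEVELS + (NOT_APPLICABLE,)}, got {value!r}")
        # FIPS 199 permits NOT_APPLICABLE only for confidentiality; integrity
        # and availability must always carry an impact level.
        if value == NOT_APPLICABLE and objective != "confidentiality":
            raise ValueError(f"{self.name}: {objective} cannot be NOT_APPLICABLE")
        return value


def categorize(info_types):
    """Per-objective security category: the highest rating across all types."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        obj: max((it.rating(obj) for it in info_types), key=RANK.__getitem__)
        for obj in OBJECTIVES
    }


def high_water_mark(category):
    """Overall impact level per FIPS 200: the highest of the three objectives."""
    return max(category.values(), key=RANK.__getitem__)


def format_category(category):
    """Render in the notation FIPS 199 uses, e.g.
    SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}"""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


def select_baseline(info_types):
    """Run the whole procedure and return the category, impact level and baseline."""
    category = categorize(info_types)
    level = high_water_mark(category)
    return {
        "category": category,
        "impact_level": level,
        "baseline": f"SP 800-53 {level.lower()} baseline",
    }


# Constructed sample: a dispensary's patient-verification system. One HIGH
# integrity rating on the dispensing log pulls the whole system up to the
# high baseline, even though nothing is rated HIGH for confidentiality.
SAMPLE_SYSTEM = [
    InfoType("public product catalog", NOT_APPLICABLE, "LOW", "LOW"),
    InfoType("patient verification records", "MODERATE", "MODERATE", "LOW"),
    InfoType("controlled-substance dispensing log", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    result = select_baseline(SAMPLE_SYSTEM)
    print(format_category(result["category"]))
    print("impact level:", result["impact_level"], "->", result["baseline"])
```

Run it directly to print the security category in FIPS 199 notation and the selected baseline. The baseline is only the starting point for the tailoring step that follows; the per-objective ratings are what you use to justify scoping individual controls up or down.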


Tailoring your security controls

The guidelines are broad and make certain assumptions that might not apply to your organization, so the next step is to tweak your security control baseline to ensure that it’s aligned with your business functions, systems and operating environment. You may be able to drop some controls, but will probably have to add or enhance others.

Part of the aim during this process is to arrive at an approach that strikes a good balance between security and cost. There’s no such thing as a perfect set of security controls. You must weigh in regulations, emerging threats, new and legacy technologies and systems, plus your business goals, to arrive at the right blend for your organization.


Implementation and assessment

Detailed documentation laying out the design, development and implementation of your security controls is vital if regulatory bodies are to audit your efforts. It also provides a sound rationale that can be applied again and again in the future, because, as the well-travelled cliché has it, cybersecurity is a journey, not a destination.

Being able to refer to this documentation could be hugely valuable for the long haul, particularly if you have a new system to integrate, or your CISO resigns, or you hired a virtual CISO for the short term.

A common mistake that organizations make is to draft the plan, implement it, and then trust that it’s working as expected. Without in-depth, regular assessments you have no idea if your security controls have been implemented correctly, if they’re operating as intended, or if they’re meeting your expectations for security. Get an outside party with no vested interest to put your security through its paces and don’t forget to test your third-party service providers to ensure they meet your standards.


Continuous monitoring

You’ve set a baseline, tweaked it to fit your needs, implemented it and tested to ensure that it’s working properly, now you can take it easy, right? Wrong!

Your work is never done when it comes to cybersecurity because things change. You might adopt a new system, integrate a new third-party service, or change your business goals. To comply with your legal requirements, you need to be up to date with the latest regulations. And all the while, new software vulnerabilities are being discovered, and hackers are probing your defenses and developing new techniques to gain entry.

At the heart of NIST’s holistic approach to infosec and risk management are two simple ideas: “build it right” and “continuous monitoring.”

Take your time and create a solid cybersecurity foundation, but accept that you’ll need to be vigilant for cracks in your defenses and continually make improvements if you want to ensure that your data is truly protected.


This article was originally posted on CSO Online > 

Medical Marijuana Dispensaries: Take Care of Patient Health Information or Pay The Price

Medical marijuana, like any controlled substance, requires a strong system of identifying patients properly. As the industry matures, the federal government has increasingly been more involved in enforcing ever more stringent laws and regulations on medical marijuana dispensaries.

It is easy to dismiss this if you’re running your business on a strictly cash-only basis, but the rules could change and require you to meet these obligations. Why not prepare now, so that you can avoid possible problems down the road?

Dispensaries use computerized systems to process and verify protected health information (PHI). This can pose certain risks, including security breaches. These systems are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under this law, medical marijuana records are treated in much the same way as prescription drug records.

Due to its reputation, the medical marijuana industry is very keen on staying within the parameters of the federal law. Patient verification systems are crucial in this endeavor. They often contain a variety of protected health information (PHI), including patient contact information, medical record numbers, diagnoses, driver’s license, and other personal information.


Key Factors that signal you are serious about compliance

The most visible signal is serving your website over HTTPS with a valid TLS certificate (still widely called an SSL certificate). Browsers show a padlock in the address bar, and some still show a green indicator for extended-validation certificates, to signal that traffic between the visitor and the site is encrypted. If you don’t already have this and want to see an example, visit some of your competitors’ websites and look for the padlock. Bear in mind that the certificate only protects data in transit: it is a visible first step, not proof of HIPAA compliance, which also depends on how PHI is stored, accessed and handled.


Only Use a HIPAA-compliant hosting data center

Pay close attention to this crucial point, as keeping patient data on a server that lacks the administrative, physical and technical safeguards HIPAA requires can land you in a lot of deep trouble. Violations are enforced with civil penalties that routinely run to tens of thousands of dollars, and knowing misuse of PHI can be prosecuted criminally. You’ll want to fully understand the differences between what is considered HIPAA-compliant hosting and traditional web hosting. The following checklist will help you find the right HIPAA-compliant data center for you. Remember, this is not about shopping for the company that will work with you for the cheapest price. HIPAA-compliant hosting companies are more expensive than traditional ones, and for good reason.


HIPAA compliant checklist to use for hosting companies:

1. Signed business associate agreement
This is to cover yourself, as well as to experience peace of mind. You want your host to understand and accept the risks of hosting patient health information.

2. Multiple vulnerability scans of your servers on a monthly basis
Ask for the reports; HIPAA-compliant hosting companies will gladly provide them for you.

3. Mitigating discovered vulnerabilities
HIPAA-compliant hosting companies should provide remediation services to fix the vulnerabilities.

4. Server hardening
Request copies for your hosting company’s server hardening steps. This will detail the process of how they apply their measures for security to your servers.

5. Regular off-site backup
Ask if they provide backups and how far away the backups are physically from your hosting company. Ideally, you want them at least 50 miles apart, to factor in the possibility of a local storm or some other unforeseen natural disaster, that could take out both your server and backup.

6. Six-year record retention and secure media disposal
HIPAA requires policies, procedures and the records that document them to be retained for six years, so ask how long the host keeps its logs and audit records and whether that meets the requirement. Separately, after you’re finished using a server, its drives must not be reused until the data has been securely erased, so that PHI cannot be recovered. Ask what sanitization process the host follows (NIST SP 800-88 is the reference), and note that for solid-state drives a cryptographic erase is more reliable than multiple overwrite passes.

Medical marijuana dispensaries are by law required to keep confidential all of the patient health information aggregated during patient transactions. This starts from the very first time a patient provides information to qualify for a medical marijuana card. This, as well as any future patient health information, is covered under HIPAA federal law. Beyond the uses HIPAA itself permits (treatment, payment and health care operations), it cannot be released to anyone without first obtaining the patient’s written authorization or a valid court order or subpoena.

Accidents in handling patient information will still result in a HIPAA violation and could result in a fine. This poses a problem, especially when credit cards are used to make medical marijuana purchases from a dispensary. It is not possible to completely restrict the transaction information. This is probably why Mastercard and Visa have been hesitant to allow medical marijuana purchases. In some instances, where the purchases were allowed, high per-transaction fees essentially eliminated any feasibility to accepting credit cards.


Here’s the simple, but crucial, part

The laws and rules concerning medical marijuana are almost exactly the same as the laws for traditional medical prescriptions and treatments. Your patients’ health information is protected under these laws. This doesn’t just include data storage, but also employees and business associates that handle PHI. It is necessary for you to get a signed business associate agreement from any associates that may be handling sensitive PHI.



This article was originally posted on Cannabis Business Executive >

What NIST’s Cybersecurity Framework is and why it matters

Practical advice to help you build a solid InfoSec plan

The risk of your business falling victim to cybercrime has never been higher. Despite a seemingly endless parade of high profile data breaches, ransomware attacks, and phishing scams, many organizations still lack the necessary defenses to identify, prevent, or recover from an attack. The trouble is that it has become increasingly easy for would-be attackers. Anyone can hire a botnet or buy off-the-shelf malware, complete with technical support. New mobile devices, along with the ever-expanding Internet of Things, offer a wide range of insecure access points.

Although 61% of CEOs are concerned about cybersecurity, only 37% have a cyber incident response plan in place, according to PwC research.

If you acknowledge the scale of the threat and want to act, you may wonder where to start. The National Institute of Standards and Technology (NIST) has compiled a document called the Cybersecurity Framework that’s just for you.


NIST’s Cybersecurity Framework Explained

The idea behind the Cybersecurity Framework is to encourage all kinds of organizations to pool their knowledge and work together. Originally envisioned by the U.S. government as a voluntary framework to keep critical infrastructure safe, these guidelines have since been adopted by a very wide range of different organizations from retail chains and banks to small businesses. It’s a comprehensive document that organizes best practices and security principles into a guide that’s constantly evolving to help you stay one step ahead of the cybercriminals.

“The NIST Cybersecurity Framework should be the cornerstone of your cybersecurity strategy,” says George Wrenn, CEO of CyberSaint. “It’s time to run cybersecurity as a business function with clear objectives and measures based on the gold standard national framework.”

Common standards for collaboration

At the heart of the Cybersecurity Framework is the idea of creating a common language. It should be easy for everyone to share their experiences, discuss new tactics, and sketch out new strategies. To that end, the framework offers a holistic set of reference points that are accessible enough for anyone to employ. Executives, IT departments, and InfoSec professionals can work together towards a common security goal.

One of the great things about NIST’s framework is that you can use it to take the temperature of your current cybersecurity efforts and immediately see if your strategy is healthy or if it needs some emergency treatment. The framework is a great base to help you establish new targets and identify areas that need improvement.

In just two years NIST’s Cybersecurity Framework reached 30% adoption and that’s set to grow to 50% by 2020, according to Gartner. The more organizations adopt the framework and share their successes and failures, the stronger the collective grows. Widespread adoption also sparks the creation of automated tools and processes.


Flexible approach you can measure

Because cybercriminals are constantly working on new avenues of attack, it’s vital to continually improve your defensive efforts. That’s why the constantly evolving framework takes a risk-based approach that’s focused on general principles.

The Framework Core addresses five functions: Identify, Protect, Detect, Respond, and Recover. This isn’t a list to tick off as you work through it, but rather a set of functions that should be continually and concurrently addressed for a healthy cybersecurity strategy.

There are four Framework Implementation Tiers that are designed to aid organizations in moving from general reactive responses to threats to a more risk-informed strategy. This involves careful consideration of probable threats, legal and regulatory requirements, organizational constraints, and business goals.

The incredibly useful Framework Profile enables companies to uncover the differences between their current approach and their target goals for security. Once fully configured, it can accommodate an organization’s goals for security balanced against its business needs and cost effectiveness.

This is just a brief overview, but you can see that the framework is easily adaptable to any industry. It offers a real opportunity to get a big-picture view of your cybersecurity efforts, work towards improving them, and assess your success as you go. The fight against cybercrime is a race rather than a battle with an end: you can’t implement a set of security guidelines and be done. You need to be proactive and work with others to ensure you stay out in front, and that’s exactly what NIST’s Cybersecurity Framework is all about.


This article was originally featured in Cyber Defense Magazine >

Tips to Protect Your Business From Ransomware

Over the last few years we’ve observed the steady rise of ransomware with some trepidation. It is fast becoming a multi-million dollar business, and it’s getting surprisingly sophisticated. The ransomware industry is continually innovating, offering cybercriminals new technology, various business models, and all the support they need to conduct successful attacks on unsuspecting individuals and companies.

Changing face of ransomware

Ransomware has come full circle since it first appeared on the scene in 2005. Early crypto ransomware soon gave way to misleading apps, fake antivirus tools, and lockers. But it’s back now, it’s mature, and it’s here to stay, according to Symantec’s Evolution of Ransomware report.

In the early days of ransomware, attackers would use misleading apps and fake AV tools to alarm victims and then ask for fees to fix the fake problems. Or they might flash up bogus FBI warnings, threatening prosecution unless money was paid. Eventually they began to lock down systems, blocking access to specific apps or the whole system until the ransom was met.

The main threat today is crypto ransomware, where files are securely encrypted and victims have to pay to secure the key and unlock their own files, and it’s very tough to beat.

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in Boston talking to The Security Locker. “To be honest, we often advise people just to pay the ransom.”

Cost of ransomware

There are lots of different ransomware packages out there. Just looking at one of the most popular examples, CryptoWall, the FBI’s Internet Crime Complaint Center (IC3) received 992 related complaints between April 2014 and June 2015, with victims reporting losses of more than $18 million. That’s just what was reported.

The Cyber Threat Alliance put together a report profiling the CryptoWall v3 threat and suggested that it had afflicted hundreds of thousands of users worldwide and caused damages of around $325 million.

Services for cybercriminals

In McAfee Labs 2016 Threats Predictions report ransomware features prominently, and the report makes special mention of the success of the ransomware-as-a-service business model. Experienced cybercriminals are offering high quality ransomware to would-be attackers with little or no technical knowledge or skills in return for a cut of the extortion profits. The ransomware is typically hosted on the Tor network and payment is made almost untraceable with virtual currencies like Bitcoin.

Users of these ransomware services can expect to get helpdesk support, and it’s in the interests of the extorters to ensure that data is returned to those who pay. The service providers will skim anywhere from 5 percent to 20 percent of each ransom, so they aim to make it as easy as possible for the cybercriminals who sign up.

What can you do?

Just like any other malware, ransomware has to run on your system before it can encrypt your files, so there are some simple precautionary steps that everyone can take to drastically reduce the risks:

  • Make sure you have updated AV software running.
  • Don’t open email attachments unless you were expecting them and know what they are.
  • Don’t follow links in emails, close the email and go directly to the website in your browser.
  • Use strong passwords, and don’t reuse the same passwords.
  • Make sure all of your system software and browsers are patched automatically with security updates.
  • You should apply all of these rules to whatever device you’re using. Smartphones, tablets, and Macs are not immune to ransomware.

You can also mitigate the risk of ransomware by having a robust and regular backup routine, with at least one copy kept offline or otherwise out of reach of the machines it protects, because ransomware will also encrypt attached drives and mapped network shares it can write to. If your files are backed up and you can access them, there’s no need to pay to unlock them, but it may still require some serious effort to rid yourself of the ransomware once your system is infected.

Ransomware is sure to be an even bigger issue in 2017, so it’s very important that you take steps to prevent infection. If you do fall prey to something like CryptoWall v3 and have no clean backup to restore from, there’s no way around it: your only realistic prospect of getting the files back is to pay the ransom.

When it comes to ransomware the old saying, “an ounce of prevention is worth a pound of cure,” could not be more fitting.


This article was originally posted in Cannabis Business Executive

Customer Case Study: Canna Care

Canna Care Docs is a dynamic company specializing in cannabinoid therapies.

Canna Care Docs hired Towerwall to assess their effectiveness in protecting sensitive information such as patient health information and employee personal information from security breaches.


Click here to read the Case Study >




Free Whitepaper: Banking Cannabis: The Information You Need to Know to Build a Successful Banking Cannabis Program


This eBook is a quick start guide for financial institutions who are interested in Banking Cannabis. It covers: the Cannabis Outlook on a national and state level, who is banking cannabis today, the problem with banking cannabis today and how Towerwall can help.


Download Whitepaper Now >