
Social Media Policy

Social media became part of the consumer world several years ago. Today we have social media in the corporate environment. The main problem is how social media has evolved: it has been a bottom-up approach. By bottom-up I mean that the consumer has determined how to use the technology and the corporation is playing catch-up. But the social norms that are appropriate for a consumer "product" are not appropriate in a corporate environment.

Social media usage is being retrofitted into the corporate environment. But the consumer is already used to using social media in an insecure, "information must be free" manner. Employees who have been used to giving up all their information in places such as Facebook and Twitter must now be retrained to use social media in a whole different manner to meet corporate standards (assuming we have a corporate standard for social media security).

But what is a corporate standard for using social media in an appropriate fashion that does not put the company at risk? Corporations have not made a concerted effort to define that secure social media strategy, or even a strategy for training their employees in the "correct" use of social media.

 

Social Media Policy Infrastructure

What is a good starting point for implementing a social media policy? Here is a basic guideline.

1) Define a policy – You cannot assume employees will do the right thing without guidance. You already have things like Expense Policies, Acceptable Use Policies and Internet Use Policies. Write a basic guideline. What's in that guideline will vary from company to company.

2) Information Classification – You have to explicitly define what information can be shared and what information should not be Tweeted, FaceBooked or BlibbedBlabbaded (I made that up) about. If your employees do not know how valuable information is, you cannot blame them for inadvertently being sucked into the blogosphere. (I am not sure blogosphere is yet a word, but who cares.)

3) Keep It Professional – If you allow your employees to Socialize (is that a word with any meaning here?) information about your company, you have to give them standards to follow. Things like cursing, grammar mistakes and casual conversation-style discussions might not be the image you want to portray when discussing anything related to your company.

4) Tracking and Monitoring – If you are going to have a policy for anything, you have to have a mechanism for tracking compliance, reporting on activity and imposing consequences for breaking that policy. How many tweets that are over the line make you bring an employee before HR? What is a firing Facebook picture offense?

This is a very abbreviated start. In later posts I will define more aspects of a social media policy. But let’s get the conversation started about the necessity for this as a standard policy in every organization, both large and small.


When you join a company, you relinquish certain rights. The workplace is not a democracy. Yet many people still think that their corporate email, their corporate computers and the data they use is "theirs". Who owns that data? Well, the answer is the company. Companies are concerned with data loss prevention. A company can fire you for misusing company data; that is obvious. A company can also fire you for portraying a poor image such as drunkenness, poor behaviour, saying negative or derogatory things about your boss or company, public displays of nudity, well, I could go on about why you can be fired.

One example is a young woman who got fired from her job because she thought her job was boring and said so on her Facebook page. Her employer, Ivell Marketing and Logistics of Clacton, U.K., gave her this update: "Following your comments made on Facebook about your job and the company we feel it is better that, as you are not happy and do not enjoy your work we end your employment with Ivell Marketing & Logistics with immediate effect", as stated in this CNET article: http://news.cnet.com/8301-17852_3-10172931-71.html

So the question is: if a company can fire you for your out-of-office activities, should it have the right to monitor your activity? Should an employee be required to register all their social media profiles with their employer so that the reputation of the company can be monitored? It would obviously make it easier to know if an employee is damaging the reputation of the company.

The biggest challenge social media poses for a company is damage to reputation. A silly yet powerful example of social media affecting a company's reputation is United Airlines breaking a musician's guitar and refusing to pay for it. The musician Dave Carroll had a YouTube hit with his song about the poor airline response to him (http://www.boston.com/travel/blog/2009/07/song_over_guita.html). This viral video caused reputation damage. So this is a bit different from an employee posting something, but it has the same end result: reputation damage.

So when you start a new job, you have to take a drug test and get a background check; why not register all your social media profiles? What are the pros and cons? Is it too much "Big Brother", or is it becoming a relevant reality of doing business in the social media age?

Gary Bahadur

CEO KRAA Security,  baha@kraasecurity.com

http://www.kraasecurity.com

http://twitter.com/kraasecurity


Data Lifecycle Management: How to reduce risk

Part 2
Data Lifecycle Management (DLM) goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. This multi-part blog series (I am not sure how many parts it will take) will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

In the first part of this series, we covered what it means to say you have or want a data lifecycle management process.  So why do we need something different from what we are already doing around DLM?

Why does traditional security not work for DLM?

Users have risky behavior. They will always have risky behavior, and we rely mostly on technology controls to keep them in a secure box. Solutions are aimed at the external threats coming in, not at the regulation and governance of internal communications going out. Problems we see are typically:

  • Unauthorized application use: 70% of IT respondents say the use of unauthorized programs results in as many as half of data loss incidents.
  • Misuse of corporate computers: 44% of employees share work devices with others without supervision.
  • Unauthorized access: 39% of IT respondents said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
  • Remote worker security: 46% of employees transfer files between work and personal computers.
  • Misuse of passwords: 18% of employees share passwords with co-workers.

The reasons typical technology controls will not work in the full DLM process are:

  • Products are not geared to protect the full lifecycle of a customer record
  • Most solutions and processes are outward facing, based on perimeter security
  • Encryption can affect data management
  • Real-time intrusion detection and remediation is rare
  • Context and intent of messages are not analyzed properly
  • Functional areas in organizations create different policies, monitoring requirements, enforcement priorities and reporting
  • New technologies can avoid security measures
  • Technologies look at the network, the operating system or the application, not the data across all environments
  • Controls are not mapped properly to regulations

What risks does customer data loss pose for organizations?

If we know that security is not working, what are the risks we face? A very recent example of how this can have a practical effect is the Massachusetts Privacy Law 201 CMR 17.00. Loss of data can have a great financial impact under this law. Key things we need to consider include:

  • Penalties: Not complying with regulations can cause civil and financial penalties
  • Confidence: Loss of customer confidence because of a customer data breach can lose customers
  • Reputation: Damage to reputation will lose customers and damage relationships
  • Competitive Advantage: Information and customers can move to competitors
  • Costs: Ponemon Institute's 2008 annual study put the average cost at $6.6 million per breach
  • Valuation: Decreased stock prices could result

I will continue this process in the next post…

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Address: 200 Se 1st St #601 Miami FL 33131


What is Data Lifecycle Management?

The data lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. This multi-part blog series (I am not sure how many parts it will take) will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

Data lifecycle management (DLM) is a policy- and procedure-based approach to managing information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle.

The 5 Steps

  1. Creation – How does data creation get managed?
  2. Usage – What limitations are on data usage?
  3. Storage – What controls are in place for storage?
  4. Transportation – How is data transmitted between company, customers and business partners?
  5. Destruction – What is the validation and verification process over data destruction?

The Data Management Problem

  • Weak processes in place to track creation, usage, transportation, storage and destruction
  • Weak ability to monitor and manage a customer record throughout the lifecycle
  • Inconsistent processes across each phase of data movement
  • Lack of enforcement capabilities

What should be the goal of data lifecycle management?

  • Provide practical steps to manage each step of the customer record management process
  • Provide cost effective solution for risk mitigation
  • Provide framework for data management
  • Reduce risk of data loss

Challenges to Customer Data Records Management

  • Rarely does a company have a centralized process to track controls over data, over management processes around data, over logging and monitoring, and removal
  • Organizations rely on technology to secure data rather than on processes that drive technology purchases
  • The 5 steps of data management are not followed by all functional groups in a company
  • No clear ownership and classification of customer data elements

Did you know…

  • 1 in 400 emails contains confidential information
  • 1 in 50 network files contains confidential data
  • 4 out of 5 companies have lost confidential data when a laptop was lost
  • 1 in 2 USB drives contains confidential information
  • Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
  • Over 35 states have enacted security breach notification laws
  • Can openers were invented 48 years after cans

There is a lot of focus on network security and application security today. Years ago it was operating system security that was all the rage. But with the advent of the strict requirements of regulations such as HIPAA, PCI, SOX and FISMA, more attention needs to be paid to the operating system. As Windows is still dominant, what are some of the features you need to be concerned with in a host security assessment application?

Some key features of a host security assessment tool are:

  1. Ability to quickly audit
  2. Ability to inventory
  3. Structure for classification of components
  4. Patch management of course
  5. Ability to baseline and report against the baseline
  6. Templates of the regulatory requirements
  7. Templates of different levels of security configurations
  8. Threat identification and classification
  9. User management
  10. Port security assessment and management
  11. Service and process analysis

A baseline configuration for operating system security, covering things such as patch levels, ports, services, processes, logging, policy settings and user configuration, should be the first step for any company in host security assessment and diagnostics. If you build from scratch, or don't use a secure template, you will always be in trouble. Timely updates and reconfiguration of your baseline are necessary.

Your operating system, like your network security, should match your corporate business practices and procedures. Policies should be in place for this, of course. Over time you should be able to benchmark your host security problems, solutions and changes.
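As an added illustration of "baseline and report against the baseline" (this is example code written for this post, not any vendor's tool), the script below compares a constructed host snapshot with a constructed baseline across the categories named above: patch level, ports, services, logging, policy settings and administrator accounts. The baseline values, the snapshot values and the patch roll-up number are all made up for the example; the service names are only illustrative.

```python
"""Report a host's deviations from an approved security baseline.

Everything here is constructed sample data for the example: a baseline
describing the approved build, and a snapshot of a host that has drifted.
deviations() returns (category, detail) findings; an empty list means the
host matches the baseline.
"""

# Constructed baseline: what an approved build should look like.
BASELINE = {
    "patch_level": 7,                      # hypothetical minimum patch roll-up number
    "open_ports": {80, 443, 3389},         # only these ports may listen
    "required_services": {"EventLog", "WinDefend"},
    "forbidden_services": {"Telnet", "SNMP"},
    "logging": {"audit_logon": True, "audit_policy_change": True},
    "policy": {"min_password_length": 12, "lockout_threshold": 10},
    "admin_users": {"Administrator", "svc_backup"},
}

# Constructed snapshot of a host that has drifted from the baseline.
SNAPSHOT = {
    "patch_level": 6,
    "open_ports": {80, 443, 3389, 445},
    "running_services": {"EventLog", "Telnet"},
    "logging": {"audit_logon": True, "audit_policy_change": False},
    "policy": {"min_password_length": 8, "lockout_threshold": 10},
    "admin_users": {"Administrator", "svc_backup", "jdoe"},
}


def policy_violations(base, cur):
    """Policy values are compared by strictness, not equality."""
    out = []
    # A longer minimum password than the baseline is fine; shorter is not.
    if cur["min_password_length"] < base["min_password_length"]:
        out.append(("policy", f"min_password_length {cur['min_password_length']} "
                              f"below baseline {base['min_password_length']}"))
    # Lockout threshold: 0 means lockout disabled; a higher number is looser.
    lock = cur["lockout_threshold"]
    if lock == 0 or lock > base["lockout_threshold"]:
        out.append(("policy", f"lockout_threshold {lock} looser than baseline "
                              f"{base['lockout_threshold']}"))
    return out


def deviations(baseline, snapshot):
    """Return a list of (category, detail) findings for one host."""
    findings = []
    if snapshot["patch_level"] < baseline["patch_level"]:
        findings.append(("patch", f"patch level {snapshot['patch_level']} "
                                  f"below baseline {baseline['patch_level']}"))
    for port in sorted(snapshot["open_ports"] - baseline["open_ports"]):
        findings.append(("ports", f"unexpected open port {port}"))
    running = snapshot["running_services"]
    for svc in sorted(baseline["required_services"] - running):
        findings.append(("services", f"required service not running: {svc}"))
    for svc in sorted(baseline["forbidden_services"] & running):
        findings.append(("services", f"forbidden service running: {svc}"))
    for key, expected in baseline["logging"].items():
        actual = snapshot["logging"].get(key)
        if actual != expected:
            findings.append(("logging", f"{key} is {actual}, baseline {expected}"))
    findings.extend(policy_violations(baseline["policy"], snapshot["policy"]))
    for user in sorted(snapshot["admin_users"] - baseline["admin_users"]):
        findings.append(("users", f"unapproved administrator: {user}"))
    return findings


def is_compliant(baseline, snapshot):
    return not deviations(baseline, snapshot)


def report(baseline, snapshot, host="example-host"):
    """Human-readable report lines, one per finding, or a single OK line."""
    found = deviations(baseline, snapshot)
    if not found:
        return [f"{host}: matches baseline"]
    return [f"{host}: [{cat}] {detail}" for cat, detail in found]


if __name__ == "__main__":
    print("\n".join(report(BASELINE, SNAPSHOT)))
```

Running it prints seven findings for the drifted host; re-running after remediation should print a single "matches baseline" line, which is the benchmark the post asks for.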


PCI laws are expanding around the country. Washington State is the latest to add a law to its books. Washington follows Nevada and Minnesota in writing the Payment Card Industry Data Security Standard (PCI) into law; the law is HB 1149. It changes the breach notification law they already had on the books. The key point is that it gives issuing banks a method of collecting the costs of reissuing payment cards after a breach.

Organizations that must abide by the law

It defines "business(es)" as merchants that process more than six million cards and sell to Washington state residents. "Processors" manage account information for others, and "vendors" sell software or equipment that processes, transmits or stores account information. Account information is not so clearly defined. It will be interesting to see how companies outside of the state are affected. PCI Security Assessments are going to become even more prevalent.

How is the law implemented?

Entities that fall under the law are required to provide reasonable security measures. They can be liable for damages, and if they have to reimburse banks for the reissuance of cards, that can get very expensive. The law should probably have been clearer on this point.

A breach has been defined as "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business." There is the possibility of confusion between account information and personal information. That will probably cause problems in future lawsuits. Encryption is also going to be a challenge in the implementation and in the review for compliance requirements.

How this law integrates or conflicts with PCI requirements will be newsworthy. The different levels of PCI compliance and the levels identified by the law are not completely consistent. Can a PCI SAQ assessment be enforced by the law? Can you be PCI compliant and not compliant with the law, or vice versa? I would venture to say yes.

If only we had a national standard for all of this. Wouldn't that be a progressive move?


We have seen a lot of problems with Adobe vulnerabilities. Adobe has been getting beaten up with all the negative publicity in the past few months. Apple is restricting access to Adobe on its devices. Has anyone tried their remote desktop sharing? I wonder if some vulnerability will be released in that application. What is the real problem with electronic document sharing and what are some of the solutions? Adobe is just an example; the whole industry of electronic documents is finally coming into its own.

Problems with Electronic Documents

How are people accessing electronic documents and how are they signing them and verifying them? Well there are multiple companies out there touting secure signature applications for documents. When do you use these companies?  Some questions to ask include:
1. When and how do you determine the importance of the document?
2. Have you implemented a data classification scheme for electronic documents?
3. Who has the right to sign and read these documents?
4. How do you track usage and distribution?
5. Is there a time frame associated with the life of the document?
6. Can you prevent screen scraping of the secured document?
7. What is the “hackability” of the secure document?

Signing an electronic document can be a challenge for the technologically challenged. Some documents might trigger antivirus or malware protection applications. If intrusion detection applications can't read a document, or data loss prevention applications do not have access to it, you could be blocked from that document. Convenience of use is a major hurdle for the adoption of secure documents.

Printing, modifying, viewing and deleting these documents require all kinds of levels of authorization that are probably difficult to manage. If you could have a location-based "bomb" in the document for when it leaves the organization's domain, that would be an interesting play on data loss prevention. We know client-side options are easily broken, so how do we change the mentality of secure document management?

I do not see how secure documents make too much sense in any public forum. It's not worth the effort to worry about secure documents outside of a strictly controlled corporate environment. Different forms of watermarking have their place in identification but not much in control.

The most likely areas are Research and Development, Legal, Banking and Healthcare. These should be the quickest to adopt a secure framework for electronic documents. Some industry standards need to be followed and a process developed that all companies can follow. This would make it into all the data loss prevention applications eventually and really provide some security.


The trends in social media are heading towards more sharing of information. But sharing of information has moved beyond your circle of friends and family. Social media is becoming less social and more… well, more corporate. Or more like many people shouting in a bar: you are all in close proximity, but you can't distinguish the individual conversations, you can't make out who people really are or who is a potential quality relationship.

How many random friend requests do you get now from Facebook, Friendster, MySpace, LinkedIn, etc.? Twitter is a bit different obviously, but that's a whole other story. Now you are also getting bombarded with corporate fan pages, groups and other means of luring you to their sites, brands and social following. This is the erosion of your true social circle.

Social media security is really more about insecurity. The distribution of your information across multiple platforms used to be in a restricted circle. Now it's pretty much everywhere. This can be true data loss. You can find a person's LinkedIn profile with a generic Google search. This should be restricted to the LinkedIn environment, but it's not.

With the advent of location-based services, we will see physical insecurity based on social media usage. A recently popular site, Please Rob Me (http://pleaserobme.com), has already begun taking advantage of the Twitter location feature. Imagine what can be done by a stalker following someone on Twitter, or a deranged ex-boyfriend following you based on the events you are attending on Facebook. It's easy to see how you can give away all your personal information without even thinking of it. Trends towards making information available will lead to insecurity. Insecurity will lead to data breaches and compromise. Compromise will lead to lots of crying, money lost, probably lawsuits and other painful results. How do we get past this social media insecurity?


One of the greatest challenges to privacy and security in the next several years is social networks and social media. Sites like Facebook, Twitter, LinkedIn, MySpace and others can be the downfall of valuing information. The ability to share and provide information is completely the opposite of network security requirements. This is really encouraging people to do things that are not security-conscious activities. Social media encourages:

  • Lack of privacy
  • Encouraging information sharing
  • Giving away answers to security questions
  • Social engineering

As we have seen recently, a lot of spam, spyware and malware is attacking social networks. Just in the past week I have probably received 100 requests to be my friend on Facebook from people who I do not know and, funny enough, all the messages have the exact same personal message. Malicious people are attracted to social networks because of the ease of gaining trust and the availability of data for social engineering. Relationship building is easier through social media, which can easily lead to phishing attacks.

With these sites, people install applications without knowing what goes on in the background, and it's easy to download malicious code to your computer. There are no external third-party audits of these applications before they make it to your Facebook application. Your computer can be easily infected by a virus or spyware.

What can the social media user do to protect their information?

No personal information – This is anti-social networking, but there are things you can limit about what you post. Don't post your birthday! Or your address or your mother's middle name or any really personal data.

Limit who can view and contact you – Don't let your profile be truly public; restrict it to people you know. Remember you can't retract information you put out there.

Don't trust strangers – Your mother was right: don't open the door to strangers. Limit who you accept chat or friend requests from, as well as who you even communicate with.

Trust no Profile – People lie, it’s sad but true. So profiles lie, they might say they went to your college or high school.  They might be interested in your groups, so don’t take anyone at their word.

Restrict your privacy – There are configuration settings in all the social media applications that allow you to turn on some restrictions on your privacy. Take a minute to actually look at them. One easy example is that in Facebook you can create groups to place friends in; you don't want business people seeing what your friends are posting.

Password management – An oldie but a goodie, always use a strong password and don’t share it. And change it periodically.

Layers of protection – You should be running a personal firewall and antivirus software on the machine you are viewing social networks. This will help if a malicious piece of software tries to download something to your machine. Keep your protection software up to date as well and run the patch management software on your machine, this is especially important for you Windows users.

Child protection software – You should have some kind of child protection software running on machines that children under 13 use. This will help with all that shady software that is out there.


Vendor risk assessments are not part of everyday corporate management, but they should be. If you drove a car and every week you had to get something fixed, it would prove pretty annoying, disgusting, outrageous, and you would probably never buy that model again and probably wouldn't buy from that manufacturer either. So why do we accept buggy software that is vulnerable to things like cross-site scripting attacks, buffer overflows, malware and such? But we do that every day.

It is everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak websites such as Facebook. As stated by CIO.com, "SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible for nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies." The biggest companies are culprits.

So what are we to do about buggy software? How do you force a vendor risk assessment on all your vendors? Maybe scream "I'm mad as hell and I am not going to take it anymore!" That might feel good for a second or two, but it is not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:

  1. Sue! I don't know if that's possible, but if you bought a car with bad acceleration problems (ahem, Toyota) you might just sue the manufacturer if you got into an accident. Can we do that if some hacker breaks in through buggy software?
  2. Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the iPad. But can we all move away from Microsoft tomorrow? Probably not.
  3. Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.


SC Magazine just reported that the Ponemon Institute has determined the cost of a data breach is $204 per record. "Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual "Cost of Data Breach" study released on Monday by the Ponemon Institute… The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches." There are a number of ways to protect your data in transit, such as PGP encryption, but when a company loses data, there isn't much the end user can do to protect themselves.

That's a lot of money. If we look at the data breach of Heartland, which was over 100 million records, that, well, let me do the math, may take a minute. It's $20,400,000,000. That's a lot of money. Considering I was most likely a Heartland shopper, I do not recall getting a check from anyone for $204. I will not hold my breath for that. We all asked if the retailers like Heartland and TJ Maxx had a PCI audit done. Would this have protected our information?

So far, I am pretty sure I received a letter offering me free two-year credit monitoring from Chase, Citibank, Bank of America and Countrywide because they lost my records. I am waiting for my check for $204 from each of those companies. Also, over the past few years I have had to have my credit cards replaced with Chase, American Express, and several Visa versions. So I am still waiting for those $204 checks. Maybe in total I am owed about 9x$204=$1,836. That will be a nice check when I get it.

Security Requirements

So what can a company do to help reduce these data breaches? The easy answers, yet not implemented, include:
1) Encryption of back-up data and tapes
2) Conduct yearly Vulnerability Assessments
3) Conduct Quarterly or Monthly Vulnerability Scanning
4) Implement a Data loss prevention solution
5) Go through a PCI Audit or HIPAA Security Assessment yearly


Ponemon Institute recently released its cyber megatrends, as listed below. While I agree with these, I think there were a couple that could easily be added to the list. First, I would either add or modify Web 2.0 into Web 3.0. Let's look at what is going to happen versus what is happening. Incremental change may not be the trend. Secondly, I suggest adding Vendor Risk Management. The vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like an employee, but in many cases they are not subjected to the same Network Security Assessment requirements.

It's a difficult thing to try and forecast. The good thing about it is that no one really remembers your forecast anyway.

++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009


This is a story that is several months old, but as I came across it, I thought it would make a good point. A vendor handling healthcare records lost Social Security numbers in March of 2009. In this case, health insurer Aetna, Inc. is reportedly providing 65,000 individuals with free credit monitoring for a year after its job application Web site was breached, the Associated Press has reported.

The Web site, which was maintained by an outside vendor, held Social Security numbers of current and past employees and of individuals who received job offers from the insurer, the AP reported.

The site reportedly held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about job openings. Spokeswoman Cynthia Michener said Aetna doesn’t know how many were copied, but the site has been disabled and is undergoing a “thorough forensic review” (or, you could say, a network security audit) by an outside company.

So here we have a health insurer compromising personal data. People already receive so much spam email that any real email is suspect. If your provider Aetna seems to be sending legitimate emails to you, that can get confusing.

As noted in the article “This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee’s laptop computer containing certain personal member information was stolen from a car in a public parking lot.”

If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But as we see in almost all industries, it's very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.

Gary Bahadur

Recently, the Economic Times in India reported a successful “Sting operation by a UK agency in which some health related data was bought from a medical transcription company”. What this means is that all that personal and HIPAA-confidential data that was being transferred for transcription was, in the most likely scenario, stolen. There have been few stories of this type of data breach so far. The suppliers to US companies have not made the headlines, but this might be just the beginning of that wave. The two components of HIPAA Security are logical and physical security. Remote partners can easily breach your logical security controls.

Is there any real prospect that the US can export security laws such as HIPAA Security to all parts of the world that handle US customer data? How do you monitor the activities of your suppliers once the data has left your network? In the US, a company can control all the security devices such as firewalls, intrusion detection systems, antivirus on servers and patch management of servers hosting confidential data. These are all parts of most security regulations, including PCI, SOX, GLBA and more. But the endpoint of security has left these shores and resides in India, China, South America, Vietnam and anywhere else you have a supplier.

As your data now resides in a foreign country, what are the reporting requirements for a breach? HIPAA security policy has timeframes, reporting requirements and penalties. The only real penalty a company overseas may face is loss of the contract. Few governments are up to enforcing security rules outside of actual hacker activity.

So what are some steps you can take to implement Supplier Security?
1) Conduct a Vulnerability Assessment of your connectivity to your Suppliers’ networks
2) Define the process and policy controls that the Supplier has to have in place in order to hold your data
3) Assign risk ratings to all data the Supplier handles
4) Conduct a risk assessment of the impact of losing the data
5) Develop an Incident Response plan for the Supplier losing your data
6) Assess the Supplier's security procedures on a yearly basis

Gary Bahadur

The BlackBerry has been the mainstay of the business world for years. But as we know, the iPhone is eating away at its market share. There are over 75,000 apps for the iPhone now, and the number is growing steadily. For those who have BlackBerry Thumb, you can probably look forward to iPhone Index Finger at some point in the future as you switch away from the BlackBerry.

Why should you switch from the BlackBerry? Well, there may not be a good reason. The BlackBerry has a number of apps and it is secure: it has encryption and has been beaten up on the security front through network security assessments and application security testing. It’s ingrained in businesses, and BlackBerry Enterprise Server is well known to many IT administrators.

The Entrepreneur can use both devices. Let’s assume there are at least some people using the iPhone; what apps should they have in their toolkit? Of the thousands of apps, how can you pick a few that would be beneficial to the Entrepreneur Road Warrior? Well, the way I picked them is through word of mouth, those that are of benefit to me and come with network security assessment tools. I travel, work in my car, have meetings at all times of day, and I am away from the office for days or weeks.

Take these with a grain of salt and do not send any flame emails. But please send in the apps that you think should be shared with the world, or at least with the readers of this blog.

Urban Spoon

First up is Urban Spoon. You are thinking, well, that’s not some kind of spreadsheet or financial app. What is the business purpose? The lifeblood of the Entrepreneur is networking, managed security services, application security risk assessment and deal making, where deal making most of the time involves some kind of meal. Urban Spoon can find you restaurants by cuisine, by neighborhood, by cost, by distance. Everything you need for a meeting in the most random city.


AroundMe

In the same vein as Urban Spoon is AroundMe. Say you are on your way to an important lunch you have set up at a restaurant you found on Urban Spoon, but you are almost out of gas. Use AroundMe to find the closest gas station. Or if you need cash to pay for that gas because your Amex card has been cancelled, find the closest bank.


GoogleMaps

Well, this is pretty obvious. But when you are traveling and maybe forgot to bring your Garmin GPS and do not feel like paying the rental company an extra $11.99 a day to rent their GPS, this is just as good.

ReQall

This is a pretty useful app. The developers were one of the www.TiE.org Top 50 companies this year at TiECon. The app captures your voice, translates it to text, organizes your calendar based on your voice messages, integrates into Outlook or Google Calendar and provides memory assistance. It’s great when you have no pen, are driving in a car or need a memory reminder.


FlightAware

For the true Road Warrior, there is no road, there is the sky. So when you are rushing to the airport, or think you need to rush to the airport, track down what is going on with your flight. Check out FlightAware to get an update and help you plan that trip to the airport.


TweetDeck

Social Media, the latest buzz word, actually has some teeth. Small companies and the Entrepreneur have to be connected to the world whether you like it or not. Twitter is a way of life these days, even if people seem to be twittering their lives away. How do you tell your followers that you are stuck in an airport in Baltimore? Try using TweetDeck.


These apps don’t seem very business-like, but the Entrepreneur is practical, cheap, requires network security audit tools and has to get things done today. These help you achieve your million tasks on a timely basis.

Gary Bahadur


Information Devaluation Through Phishing

The value of information has been decreasing over time. How do you see this in the real world? There are two ways: one can be seen from the user perspective and the other from the attacker/bad guy perspective.

From a user point of view, the most obvious place to see information devaluation is Facebook, Twitter, MySpace, LinkedIn, etc. These may be seen as good ways to keep in contact, but look at all the personal data stored on these sites. Enough to authenticate to your bank account with such pieces of data as name of dog, elementary school, parents’ last name. Everything for secret question authentication. There was just a theft from a bank (http://www.networkworld.com/news/2009/092409-construction-firm-sues-after-588000.html) where the challenge questions were successfully answered. There are many network security assessment tools to prevent such phishing ways of getting the answers to these challenge questions.

The attackers are focusing phishing efforts on Twitter and Facebook much more these days. It's pretty obvious why: so much information is available there. KRAA Security, a network security audit tool provider, twitters, but we try to keep personal things off there. But many people live their lives on Twitter so much, it's a mind-boggling concept.

The Washington Post just had an article where they list Facebook as the top phished site (http://voices.washingtonpost.com/securityfix/2009/04/facebook_among_top_phished_web.html). Part of this is the information people post, and the applications developed for it have many ways of phishing your information. Thus an information security risk assessment is a necessity.

So is there a solution to the phishing problem in Social Media? Probably a security penetration test for such websites. Even though the phishing problem will probably get much more extensive as Social Media expands, takes over more aspects of our lives and invades every information dissemination medium. Doomed, I say.

This was a cheerful post.

Gary Bahadur


FTC’s Additional Rules for HIPAA Security

The Federal Trade Commission (FTC) recently issued a rule which gives more scope to the data breach notification rules that are part of the Health Insurance Portability and Accountability Act (HIPAA). The addition targets companies that provide health information in an online storage facility. Things like Google Health or HealthVault would fall under this category.

This seems like it should be an obvious thing to do. Why would you let any entity keep your health information without following strict regulatory requirements? It is definitely a good thing to force companies that keep your health information to notify consumers following a data security breach, whether the breach involves more than 500 people or even 5 people. The question is, how do you track down all these companies that store health information and force the company to notify customers? How do you know when a smaller company has lost information? We still struggle with this question for the hospitals and healthcare organizations that currently have to comply with the HIPAA regulations or the HIPAA Security Rule. CVS recently had to pay $2.5 million in fines. I wonder what that is in comparison to the cost to consumers who have problems with their data being stolen. (I wouldn’t use the term “lost”)

Part of the changes coming from the FTC concerns the utilization of mobile devices that capture, use, transmit and store data. What are the hospital security requirements for these devices? Does a mobile hand scanner or a mobile device that stores information have to have a built-in firewall and antivirus as a laptop would? The only real way to deal with this is to conduct a HIPAA Risk Assessment, but how many companies actually do it properly?

Have you seen the list of breaches on Privacyrights.org? I like this recent one in particular. You can't find such a list on the FTC site.

“July 31, 2009 Jackson Memorial Hospital: (Miami, FL) A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.”

Is every company required to do a network security assessment and register their device if it captures, uses or transmits any kind of health information? Is any website that does the same required to register with the FTC? But I wonder, if you had such a database and hackers got into it, how much more trouble would we be in? Check out our HIPAA Top 5 Steps to Compliance for some fun reading.

I do not think I came to any real conclusions with this post. Isn’t blogging wonderful?

Gary Bahadur


Miami is a fun place to live and work (there are actually people who work here). It's a great vacation spot, people enjoy the nightlife, and now we have something else to crow about. The largest credit theft ring was based here!

According to Bloomberg, “Albert Gonzalez, a 28-year-old Miami resident, and two hackers living “in or near Russia” were indicted yesterday by a federal grand jury in Newark, New Jersey, for stealing data from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group’s Hannaford Brothers Co. and two unidentified national retailers.”

It always amazes me when really smart computer folks insist on hacking from the US. Why not just head down to the Caribbean and hack from there, less likely to get caught.

My question about this is: what's the value of regulations such as PCI or HIPAA? A PCI Security Audit and HIPAA security policy are supposed to prevent this type of thing, yet the companies being hacked usually come out after the fact and say they were compliant.

Privacyrights.org has this list of breaches in the month of August alone. I wonder what the compliance or network security audit was like for these companies? I don't suppose there really is a good answer to what to do about compliant companies getting breached. They will just keep giving you a year of free credit monitoring, I guess.

Aug. 1, 2009: Williams Cos. Inc. (Tulsa, OK), 4,400 records
A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a worker’s vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007.

Aug. 3, 2009: National Finance Center (Washington DC), 27,000 records
An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed.

Aug. 4, 2009: New Hampshire Department of Corrections (Laconia, NH), 1,000 records
A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of Corrections ended up under the mattress of a minimum security prisoner. The prison contracts with vendors to shred documents and investigators are trying to find out why documents were not destroyed.

Aug. 11, 2009: Bank of America Corp. (Charlotte, NC), records unknown
Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one.

Aug. 11, 2009: Citigroup Inc. (New York City, NY), records unknown
Citigroup (NYSE:C) recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts “your account number may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use.” Bank officials are not certain if this is a new breach or a previously disclosed one.

Aug. 11, 2009: University of California-Berkeley School of Journalism (Berkeley, CA), 493 records
Campus officials discovered during a computer security check that a hacker had gained access to the journalism school’s primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009.

Aug. 13, 2009: National Guard Bureau (Arlington, VA), 131,000 records
An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. The stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates.

Aug. 14, 2009: American Express (New York, NY), records unknown
Some American Express card members’ accounts may have been compromised by an employee’s recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue.

Aug. 14, 2009: Calhoun Area Career Center (Battle Creek, MI), 455 records
Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School district found that information for 455 students was available.

Aug. 15, 2009: Northern Kentucky University (Highland Heights, KY), 200 records
A Northern Kentucky University employee’s laptop computer, which contained personal information about some current and former students, was stolen from a restricted area. The personal information stored on the employee’s computer included Social Security numbers of at least 200 current and former students.

Gary Bahadur


Stolen laptop with employee information- yet again

The Associated Press reported that a Williams Cos. Inc. laptop containing personal and compensation information was stolen from a worker's vehicle. The laptop had over 4,400 current and former employees' records. Information like names, birth dates, Social Security numbers and compensation data was on it. How many times have we seen this story?

They said the laptop was password protected. Well then, let's not worry, eh? A password, run for Ze Hillz! They did not say whether other security measures like application security risk assessment and network security audit tools were in place other than the PGP Whole Disk Encryption, or whether any kind of remote wiping utility was in place, or even if a hard disk password was used. The people with stolen data can only hope this might be the case.

So now we have the hokey pokey dance of checking credit, getting a free one-year membership to credit monitoring, burning down the barn now that the horse was stolen, all that good stuff.

Here is a list of some recent thefts:

Records    Date         Organization
1,084      2009-08-06   Colorado Department of Corrections
131,000    2009-08-04   United States Army National Guard
1,000      2009-08-04   New Hampshire Department of Corrections
4,400      2009-07-31   Williams Companies, Inc.
766        2009-07-28   University of Colorado CO Springs
573,928    2009-07-25   Network Solutions
900        2009-07-24   Hampton Redevelopment and Housing Authority
1,000      2009-07-23   American International Group (AIG), American Life Insurance Co Japan
180,000    2009-07-22   HSBC Holdings plc, HSBC Life
1,917      2009-07-22   HSBC Holdings plc, HSBC Actuaries

The main problem with these events is that the user is uneducated when it comes to security and doesn't bother to go for a security penetration test or information security risk assessment. No matter what kind of technology you put in place, the user can find a way around it to compromise your security. First educate them, then worry about technology to protect them from their own stupidity.

Gary Bahadur


Forget Information Security, someone work on airport delays

My posts are all usually information security related: some interesting things on web security, vulnerability assessment, risk assessment, all that good stuff. Well, today I cannot blog about that. As much as I love it, and get a probably unnatural excitement about it, I can’t do it.

I have been sitting in BWI airport since 7pm. It's about 11pm and I am still waiting for the plane to get here. Or it might be here and we can’t get on, not very clear on that. So there was a light sprinkle of rain in the BWI area. All up and down the east coast there were storms. And Boston got whacked. When Boston has problems, everybody has problems. Something like the Reagan trickle-down theory.

It's about 11:20pm now and I just heard the announcement that the flight landed from Portland, and potentially I might get home to Miami sometime around 3am. I am not a newbie to travel and being stuck in an airport is old hat. I recall being stuck in Amsterdam on Thanksgiving in the airport for about 11 hours. Patience, Grasshopper.

So what's so new about this experience? Well, I was thinking that the algorithms to route planes around the country were developed 30 or 40 years ago. So think about all the changes, all the potential of planes these days, and not updating how planes are handled. Or maybe I am wrong, since I am not an airline expert and they have all new routing plans. Probably. But my view of the world, well, I see it as really sucking. So I make the assumption that there needs to be a (cringe) “paradigm shift” in how planes are handled. Maybe we need an Airport Czar.

My other problem with the waiting thing is that the bar closed at 9:30pm!!!! My flight will not leave until about midnight. When will the hurting stop?!!?!?

This was obviously not of any value to anyone except me to channel my airport anger.

I usually have a list of things in my posts. Here is my list, which is pretty much of no value:
1) When sitting in the bar in an airport that closes at 9:30, listen for last call
2) Never take the later flight out in the day if you can avoid it
3) Avoid BWI
4) Never believe the monitors about whether your flight is on time
5) Actually speak to people at the bar, it keeps things entertaining
6) Girls wearing short shorts shouldn’t lie down, knees akimbo, at the airport
7) Never pass up a trip to Vegas for a trip to Baltimore
8) The restaurants close early at BWI, eat early
9) BWI sucks
10) BWI sucks