Part 2
The Data Lifecycle Management (DLM) goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. The multiple part blog, (I am not sure how many parts it will take), will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

In the first part of this series, we covered what it means to say you have or want a data lifecycle management process.  So why do we need something different from what we are already doing around DLM?

Why does traditional security not work for DLM?

Users have risky behavior. They will always have risk behavior and we rely on mostly technology controls to keep them in a secure box.  Solutions aimed at the external threats coming in, not the regulation and governance of internal communications going out. Problems we see are typically:

• Unauthorized application use: 70% of IT say the use of unauthorized programs result in as many as half of data loss incidents.
• Misuse of corporate computers: 44% of employees share work devices with others without supervision.
• Unauthorized access: 39% of IT said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.
• Remote worker security: 46% of employees transfer files between work and personal computers.
• Misuse of passwords: 18% of employees share passwords with co-workers.

The reasons typical technology controls will not work in the full DLM process are:

• Products are not geared to protect a full life cycle of a customer records
• Most solutions and processes are outward facing, based on perimeter security
• Encryption can affect data management
• Real-time intrusion detection and remediation is rare
• Context and intent of messages was not analyzed properly
• Functional areas in organizations create different policies, monitoring requirements, enforcement priorities and reporting
• New technologies can avoid security measures
• Technologies look at the network, the operating system or the application not the data across all environments
• Not mapped properly to regulations

What risks does customer data loss pose for organizations?

If we know that security is not working, what are the risks we face? A very recent example of how this can have a practical affect is with the Massachusetts Privacy Law 201 CMR 17.00. Loss of data can have a great financial impact with this law.  Key things we need to consider include:

• Penalties: Not complying with regulations can cause civil and financial penalties
• Confidence: Loss of customer confidence because of a customer data breach can lose customers
• Reputation: Damage to reputation will lose customer and damage relationships
• Competitive Advantage: Information and customers can move to competitors
• Costs: Ponemon Institute’s 2008 annual study, average $6.6 million per breach.
• Valuation: Decreased stock prices could result

I will continue this process in the next post…

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Related articles by Zemanta

• Analyst Study Shows Employees Continue to Put Data at Risk (newswire.ca)
• Perception of Data Security at Odds with Reality, Accenture Study Finds (eon.businesswire.com)
• Data protection a priority for CEOs (newstatesman.com)
• HSBC admits to understating data theft (v3.co.uk)
• Breach numbers fall while costs rise Ponemon study finds (v3.co.uk)
• Symantec Shells Out $370 Million For Data Encryption Companies PGP and GuardianEdge (techcrunchit.com)

The Data Lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. The multiple part blog, (I am not sure how many parts it will take), will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

Data lifecycle management (DLM) is a policy and procedure based approach to manage information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle

The 5 Steps

1. Creation – How does data creation get managed?
2. Usage – What limitations are on data usage?
3. Storage – What controls are in place for storage?
4. Transportation – How is data transmitted between company, customers and business partners?
5. Destruction – What is the validation and verification process over data destruction?

The Data Management Problem

• Weak processes in place to track creation usage, transportation, storage and destruction
• Weak ability to monitor and manage a customer record throughout the lifecycle
• Inconsistent processes across each phase of data movement
• Lack of enforcement capabilities

What should be the goal of data lifecycle management?

• Provide practical steps to manage each step of the customer record management process
• Provide cost effective solution for risk mitigation
• Provide framework for data management
• Reduce risk of data loss

Challenges to Customer Data Records Management

• Rarely does a company have a centralized process to track controls over data, over management processes around data, over logging and monitoring, and removal
• Organizations rely on technology to secure data not processes that drive technology purchases
• The 5 steps of data management are not followed by all functional groups in a company
• No clear ownership and classification of customer data elements

Did you know…

• 1 in 400 emails contains confidential information
• 1 in 50 network files contains confidential data
• 4 out of 5 companies have lost confidential data when a laptop was lost
• 1 in 2 USB drives contains confidential information
• Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
• Over 35 states have enacted security breach notification laws
• Can openers were invented 48 years after cans

Related articles by Zemanta

• Infosec 2010: A quarter of all firms have seen data integrity attacks (computing.co.uk)

There is a lot of focus on network security and application security today. Years ago it was operating system security that was all the rage. But with the advent of the strict requirements of some of the regulations such as HIPAA, PCI, SOX, and FISMA, more attention needs to be paid to the operating system. As Windows is still dominant, what are some of the features you need to be concerned with in an application?

Some key feature of a host security assessment tool are: 

1. Ability to quickly audit
2. Ability to inventory
3. Structure for classification of components
4. Patch management of course
5. Ability to baseline and report against the baseline
6. Templates of the regulatory requirements
7. Templates of different levels of security configurations
8. Threat identification and classification
9. User management
10. Port security assessment and management
11. Service and process analysis

A baseline configuration for operating system security, cover things such as patch levels, ports, services, processes, logging, policy settings and user configuration, should be the first step for any company in host security assessment and diagnostics. If you build from scratch, or don’t use a secure template, you will always be in trouble. Timely updates and reconfiguration of your baseline is necessary.

Your operating system like your network security should match your corporate business practices and procedures. Policies should be in place for this of course.  Over time you should be able to benchmark your host security problems, solutions and changes.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test 

Related articles by Zemanta

• Lumension Highlights Six Critical Elements To Ensure Painless FISMA Compliance (prweb.com)
• Security vs. Compliance in the Cloud (web2.sys-con.com)
• Security Compliance Manager – beta signup now available (blogs.technet.com)

PCI laws are expanding around the country. Washington State is the latest to add a law to their books. Washington state follows Nevada and Minnesota in implementing Payment Card Industry Data Security Standard (PCI), the law is HB 1149. It changes the breach notification law they already had on the books. The key point is that it allows issuing banks a method of collecting the costs to reissue payment cards after a breach.

Organizations who must abide by the law

It defines “business(es)” as merchants processing more than six million cards and sell to Washington state residents.  “Processors” manage account information for others and “vendors” sell software or equipment that processes, transmits or store account information.  Account information can is not so clearly defined. It will be interesting to see how companies outside of the state are affected. PCI Security Assessments are going to become even more prevelant.

How is the law implemented?

Entities that fall under the law are required to provide reasonable security measures. They can be liable for damage and if they have to reimburse their banks for reissuance of card, that can get very expensive.  The law should probably have been more clear on this point

Determining a breach has been defined as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”  There is the possibility of confusion between account information and personal information. That will probably cause problems in the future lawsuits. Encryption is also going to be a challenge in the implementation and review for compliance requirements.

How this law integrates or conflicts with PCI requirements will news worthy. The different levels of PCI compliance and the levels identified by the law are now completely consistent. Can PCI SAQ assessment be enforced by the law? Can you be PCI compliant and not compliant with the law, or vice versa? I would venture to say yes.

If only we have a National Standard for all of this. Wouldn’t that be a progressive move?

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development  

*PGP Security

We have seen a lot of problems with Adobe vulnerabilities. Adobe has been getting beat up with all the negative publicity in the past few months. Apple is restricting access to Adobe on their devices. Has anyone tried their remote desktop sharing? I wonder if some vulnerability will be release in that application. What is the real problem with electronic document sharing and what are some of the solutions? Adobe is just an example; the whole industry of electronic documents is finally coming into its own. 

Problems with Electronic Douments

How are people accessing electronic documents and how are they signing them and verifying them? Well there are multiple companies out there touting secure signature applications for documents. When do you use these companies?  Some questions to ask include:
1. When and how do you determine the importance of the document?
2. Have you implemented a data classification scheme for electronic documents?
3. Who has the right to sign and read these documents?
4. How do you track usage and distribution?
5. Is there a time frame associated with the life of the document?
6. Can you prevent screen scraping of the secured document?
7. What is the “hackability” of the secure document?

Signing an electronic document can be a challenge for the technology challenged. Some documents might trigger antivirus or malware protection applications. If some intrusion detection applications can read a document or data loss prevention applications do not have access, you could be blocked from that document. Convenience of use is a major hurdle for the adoption of secure documents.

Printing, modifying, viewing, and deleting these documents require all kinds of levels of authorization that is probably difficult to manage. If you can have a location based “bomb” in the document for when it left the organization domain, that would be an interesting play on data loss prevention. We know client side options are easily broken, how do we change the mentality of secure document management?

I do not see how secure documents make too much sense in any public forum. Its not worth the effort to worry about secure documents outside of a strictly controlled corporate environment. Different forms of watermarking have their place in identification but not much in control.

 
The most likely areas are in Research and Development, Legal, Banking and Healthcare. These should be the quickest to adopt a secure framework for electronic documents. Some industry standards need to be followed and a process developed that all companies can follow. This would make it into all the data loss prevention applications eventually and really provide some security.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development 

*PGP Security

*FREE Website Security Test 

Related articles by Zemanta

• McAfee unveils new data loss prevention tools (v3.co.uk)
• Hackers used malicious PDFs to attack Google and Adobe (infoworld.com)
• Certified Document Services (CDS) Program Grows to Six with Post.Trust Announcement (blogs.adobe.com)

Vendor risk assessment are not part of everyday corporate managememnt but it should be. If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday.

Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook. As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.”  The biggest companies are culprits.

So what are we do to about buggy software? How do you force a vendor risk assessment on all yoru vendors? Maybe scream “I’m mad as hell and I am not going to take it anymore!”  Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:

1. Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
2. Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
3. Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

 *Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

 *FREE Website Security Test 

Related articles by Zemanta

• Apple vs. Microsoft: Making Platform Enemies and Friends (seekingalpha.com)
• Adobe Reader And Acrobat Get Yet Another Security Update (ghacks.net)
• Microsoft investigates new Internet Explorer flaw (news.cnet.com)
• Google readies Flash for Android devices (infoworld.com)
• IBM: Vulnerabilities fell in ‘09, but other risks abound (computerworld.com)
• Update: Adobe issues emergency PDF patches (computerworld.com)
• Serious web vuln found in 8 million Flash files (theregister.co.uk)
• Hold vendors liable for buggy software, group says (computerworld.com)

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

SC magazine just reported that the Ponemon Institute has determined the cost of a data breach is $204 per record. “Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual “Cost of  Data Breach” study released on Monday by the Ponemon Institute…  The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent  in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.” There are a number of ways to protect your data in transit such as PGP Encryption but when the companies looses data, there isnt much the end user can do to protect themselves.

Thats a lot of money. If we look at the data breach of Heartland, which was over 100 million records, that, well let me do the math, may take a minute. Its $20,400,000,000. Thats a lot of money. Condidering I was a shopper mostlikely of Heartland, I do not recall getting a check from anyone for $204. I will not hold my breath for that. We all asked if the retailers like Heartland and TJ Max had a PCI Audit done. Would this have protected our information?

So far, I am pretty sure I recieved a letter offering me free 2 year credit monitoring from Chase, Citibank, Bank of America and Countrywide because thet lost my records. I am waiting for my check for $204 from each of those companies. Also, over the past few years I have had to have my credit cards replaced with Chase, American Express, and several Visa versions. So I am still waiting for those $204 checks. Maybe in total I am owed about 9x$204=$1,836.  That will be a nice check when I get it.

Security Requirements

So what can a company do to help reduce these data breaches? The easy answers, yet not implemented, include:
1) Encryption of back-up data and tapes
2) Conduct yearly Vulnerability Assessments
3) Conduct Quarterly or Monthly Vulnerability Scanning
4) Implement a Data loss prevention solution
5) Go through a PCI Audit or HIPAA Security Assessment yearly

Related articles by Zemanta

• Data breach costs continue to rise (v3.co.uk)
• Survey: Data breaches from malicious attacks doubled last year (news.cnet.com)
• Breach numbers fall while costs rise Ponemon study finds (v3.co.uk)
• Humans Continue To Be ‘Weak Link’ In Data Security (it.slashdot.org)
• Cost of a Data Breach – $204 per record (pindebit.blogspot.com)
• Private Sector Keeps Mum on Cyber Attacks (online.wsj.com)

Regards
Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

Its a difficult thing to try and forecast. The good thing about it is that no one really remembers your forecaste anyway.

Regards
Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009

Related articles by Zemanta

• Think Tank Study Shows Top Web Trends Are Security Risks (readwriteweb.com)
• The cloud is a powder keg (myventurepad.com)

Why should you switch from the Blackberry? Well there may not be a good reason. The Blackberry has a number of apps and it is secure, it has encryption and has been beaten up on the security front like network security assessment and application security testing. It’s ingrained in businesses and Blackberry Enterprise Server is well known to many IT administrators.

The Entrepreneur can use both devices. Let’s assume there are at least some people using the IPhone, what apps should they have in their toolkit?  Of the thousands of apps, how can you pick a few that would be beneficial to the Entrepreneur Road Warrior? Well the way I picked them is through word of mouth , that are of benefit to me and comes with network security assessment tools. I travel, work in my car, have meetings at all times of day, I am away from the office for days or weeks.

Take these with a grain of salt and do not send any flame emails. But please send in the apps that you think should be shared with the world or at least readers of this Blog.

Urban Spoon

First up is Urban Spoon. You are thinking, well that’s not some kind of spreadsheet or financial app. What is the business purpose? The lifeblood of the Entrepreneur is networking , managed security services, application security risk assessment and deal making. Where deal making most of the time involves some kind of meal. Urban Spoon can find you restaurants by cuisine, by neighborhood, by cost, by distance. Everything you need for a meeting is the most random city.

AroundMe

In the same vein as Urban Spoon, is AroundMe . Say you are on your way to an important lunch you have setup with a restaurant you found on Urban Spoon but you are almost out of gas. Use AroundMe to find the closed gas station. Or if you need cash to pay for that gas because your Amex Card has been cancelled, find the closest bank.

GoogleMaps

Well this is pretty obvious. But when you are traveling and maybe forgot to bring your Garmin GPS and do not feel like paying the rental company an extra $11.99 a day to rent their GPS , this is just as good.

ReQall

This is a pretty useful app. The developers were one of the www.TiE.org Top 50 companies this year at TiECon. The app captures your voice, translates it to text, organizes your calendar based on your voice messages, integrates into Outlook or Google Calendar and provides memory assistance. It’s great when you have no pen or driving in a car or need a memory reminder.

FlightAware

For the true Road Warrior, there is no road, there is the sky. So when you are rushing to the airport or think you need to rush to the airport, track down what is going on with your flight. Check out FlightAware to get an update and help you plan that trip to the airport.

TweetDeck

Social Media, the latest buzz word, actually has some teeth. Small companies and the Entrepreneur have to be connected to the work whether you like it or not.  Twitter is a way of life these days even if people seem to be twittering their lives away. How do you tell your followers that you are stuck in an airport in Baltimore? Try using TweetDeck.

These Apps don’t seem very business-like, but the Entrepreneur is practical, cheap, requires network security audit tools and has to get things done today . These help you achieve your million tasks on a timely basis.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

Related articles by Zemanta

• Urbanspoon: Half A Billion Shakes And Counting (techcrunch.com)
• Will the iPad make a great car gadget? (blogs.computerworld.com)
• What are your favorite iPhone apps? (scienceblogs.com)
• My iPhone Apps (lenestrada.com)

The Federal Trade Commission (FTC) recently issued a rule which gives more scope to the data breach notification rules as part of the Health Insurance Portability and Accountability Act (HIPAA). The addition targets companies that provide health info in an online storage facitlity. Things like Google Health or Healthvault would fall under this category.

This seems like it should be an obvious thing to do. Why would you let any entity keep your health information without following strict regulatory requirements?  It is definitely a good thing to force companies that keep your health information to notify consumers following a data security breach if the breach involves more than 500 people or even 5 people. The question is how do you track down all these companies that store health information and force the the company notify customers? How do you know when a smaller companay has lost information? We still struggle with this question for the hospitals and healthcare organizations that currently have to comply with the HIPAA regulations or the Hipaa Security Rule. CVS recently had to pay $2.5 million in fines. I wonder what that is in comparison to the cost to consumers who have problems with their data being stolen. (I wouldn’t use the term “lost”)

Part of the changes coming from the FTC is the utilization of mobile devices that capture, use, transmit and store data. What are the hospital security requirements of these devices? Does a mobile hand scanner or a mobile device that stores info have to have a built in firewall and antivirus as would a laptop? The only real way to deal with this is to conduct Hipaa Risk Assessment but how many companies actually do it properly?

Have you seen the list of breaches on Privacyrights.org? I like this recent one in particular. You cant find such a list on the FTC site.

“ July 31, 2009 Jackson Memorial Hospital: (Miami, FL) A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.”

Is every company required to do network security assessment and register their device if it captures, uses, transmits any kind of health information? Is any website that does the same required to register with the FTC?  But I wonder if you had such as database and hackers got into it, how much more trouble would we be in? Check out our HIPAA Top 5 Steps to Compliance for some fun reading.

I do not think I came to any real conclusions with this post. Isn’t blogging wonderful?Gary Bahadur

Gary Bahadur

http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
Miami, Fl

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*Website Security Assessment

According to Bloomberg, “Albert Gonzalez, a 28-year-old Miami resident, and two hackers living “in or near Russia” were indicted yesterday by a federal grand jury in Newark, New Jersey, for stealing data from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group’s Hannaford Brothers Co. and two unidentified national retailers.”

It always amazes me when really smart computer folks insist on hacking from the US. Why not just head down the the Caribbean and hack from there, let likely to get caught.

My question about this is whats the value of regulations such as PCI or HIPAA.  A PCI Security Audit and Hipaa Security policy are supposed to prevent this type of thing when the companies being hacked usually come out after the fact and say they were compliant?

Privacyrights.org has this list of breaches in the month of August alone. I wonder what the compliance or network security audit was like for these companies? I dont suppose there really is a good answer to what to do about compliant companies getting breached. They will just keep giving you a year of free credit monitoring I guess.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

My posts are all usually information security related. Some interesting things on web security, vulnerability assessment, risk assessment, all that good stuff. Well today I cannot blog about that. As much as I love it, get a probably un-natural excitement about it, I can’t do it.

I have been sitting in BWI airport since 7pm. Its about 11pm and I am still waiting for the plane to get here. Or it might be here and we can’t get on, not v ery clear on that. So there was a light sprinkle of rain in the BWI area. All up and down the east coast there was storms. And Boston got whacked. When Boston has problems, everybody has problems. Something like the Regan trickly down theory.

Its about 11:20pm now and I just heard the announcement that the flight landed from Portland and potentially I might get home to Miami sometime around 3am. I am not a newbie to travel and being stuck in an airport is old hat. I recall being stuck in Amsterdam on Thanksgiving in the airport for about 11 hours. Patience Grasshopper.

So whats so new about this experience? Well I was thinking that the algorithims to route planes around the country were developed 30 or 40 years ago.  So think about all the changes, all the potential of planes these days and not updating how planes are handled. Or maybe I am wrong since I am not an airline expert and they have all new routing plans. Probably. But my view of the world, well I see it as really sucking. So I make the assumption that there needs to be a (cringe) “paradigm shift” in how planes are handled. Maybe we need an Airport Czar.

My other problem with the waiting thing is that the Bar closed at 9:30pm!!!! My flight will not leave until about Midnight. When will the hurting stop?!!?!?

This was obviously not of any value to anyone except me to channel my airport anger.

I usually have a list of things in my posts. Here is my list which is pretty much of no value
1) when sitting in the bar in an airport that closes at 9:30, listen for last call
2) Never take the later flight out in the day if you can avoid it
3) Avoid BWI
4) Never believe the monitors about if your flight is on time
5) Actually speak to people at the bar, keeps things entertaining
6) Girls wearing short shorts shouldn’t lie down, knees akimbo at the airport
7) Never pass up a trip to Vegas to for a trip to Baltimore
The restaurants close early at BWI, eat early
9) BWI sucks
10) BWI sucks

The website is the open frontdoor to many companies. Security education for both the developers of website applications and the users of web sites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?

So on Linkedin, I asked the quesion “what are the Web security tools” that are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.

1) Foundstone             http://www.foundstone.com
2) Acunetix WVS        http://www.acunetix.com
3) Scrawlr                      https://h30406.www3.hp.com/
4) N-Stalker                  http://www.nstalker.com/
5) Nikto                          http://cirt.net/nikto2
6) Scarab                       http://www.owasp.org
7) WebInspect            http://www.hp.com
Fiddler -                   http://www.fiddlertool.com
9) Samurai Web Testing Framework – http://samurai.inguardians.com/
10) FireCAT -               http://www.security-database.com
11) W3af                         http://w3af.sourceforge.net/
12) CORE Impact        http://www.coresecurity.com/content/web-app-pro
13) Appscan                 http://www-01.ibm.com/software/awdtools/appscan/

Having listed these and of course there a re a number of other tools, we can begin to secure the environment. (Please send me any comments on other tools you like). Running a tools is a first and easy step you can take to close that open web door (Webdoor, I am going to try and coin that phrase). If you can target tactical prablems, get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.

The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls

Do not get lax when it comes to Web security. Its a bit black magic and a lot of hard work but as its the “webdoor” try and keep it closed.

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

The study also found that 33 percent of C-level executives replied that attacks happened “hourly or more often,” while only 17 percent of CEOs said the same thing. That’s a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously tactically speaking it fall under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens such as in the case of TJ Max, it’s the CEO who has to appear on television to explain what happened and answer to their customers.

How do you apply security metrics to report appropriately to the CEO? That magic “Dashboard” is what everyone is after and no one gets right. A good Compliance dashboard that you may want to check out comes with the reports from RiskWatch software (www.riskwatch.com). Its worth a look.

The category of technology CEO’s need to focus on these days is Data Loss Prevention (DLP). Every major company in security has a DLP product and the reason is probably because the education is finally in the market around the necessity of looking at all inputs and output of data in the organization. A data breach can be caused by lack of proper firewalls, no antivirus, no browser protection, not malware protection, lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows and what the data life cycle really means if they are to truly grasp the threat to their environment.

Prevention is really worth more than detection. If the CEO doesn’t bridge the gap to thinking they might be secure to understanding that they are under attack ever day and perhaps every minute, data breached will continue to occur.

Gary Bahadur

CEO KRAA Security,  baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
 

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Technorati Tags: data breach, data loss

The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.

There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com  Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.

For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.

Regards
Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

So what can we expect from the Czar?

The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.

Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is “untenable”.

Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.

Good plan right?

My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.

We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUST have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.

Baha – new Cybersecurity Czar

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.

In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House. Both US government and military bodies have reported repeated interference from hackers in recent years.

In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said. Mr Obama will not discuss the Pentagon plan during Friday’s announcement, the newspaper said.

But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.

There are preventive measures that every company can adopt to maintain the value of the company as well as the client base. It is very important for any company to maintain the data securityase and safeguard the internal information of the company. The clients and business partners share their data only after confirming that the partner company will keep it safe and intact under the safety norms of the company.

By taking a few cautionary measures, one can easily secure the sensitive information of the company. Installing a firewall in the network system keeps the security intact and safe. Earlier, this was a bit expensive for companies but with the advent of technology, this has become an easily accessible tool for the organization. Affordable monthly subscriptiuons are available for firewalls, Intrusion detection systems and host intrusion prevention systems. hey need not spend a lot of money in availing these services now.

A firewall is the main defense. A firewall carries out routine security checks and blocking techniques at particular time intervals and this helps stop attacks. It will sound an alert in case of any threat posed to the data and will automatically start blocking and reporting.  on it. It never compromises on your company’s security and safety and always keeps the information safe. Firewall protection can be easily availed from various online sources at quite reasonable rates but one must always cross-check the credentials of the source company as well and only then purchase it from experts in the field.

Other than installing these tools to maintain web security, companies are also hiring third parties to review the policies and procedures of the organization and also to keep track of the online process of distribution of data of the company. These third parties install web applications that thoroughly review the codes installed in the process and provide valuable feedback to update and upgrade the quality of network systems. hough it is somewhat expensive to employ third-parties but they really keep a detailed track of the security system of their clients’ information.

Many network systems of very renowned companies are getting hacked and misused these days by the hackers. It is high time that the companies take proper action against such activities and thefts as the number of incidents are growing day-by-day. Otherwise, people will start losing their trust in sharing their personal information through web sites.

A web security expert of application security risk assessment has written this article.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

Related articles by Zemanta

• Electronic Health Record Security Analysis (schneier.com)
• SaaS demand to fuel growth in security services (channelweb.co.uk)
• Fake servers even less secure than real ones (go.theregister.com)