Risk Management and Compliance&#187; Security Assesment

*Vulnerability Management

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Compliance & Policy Development

*PGP Security

What are the challenges with protecting electronic documents?

admin — Mon, 29 Mar 2010 12:36:37 +0000

: Image via Wikipedia

We have seen a lot of problems with Adobe vulnerabilities. Adobe has been getting beat up with all the negative publicity in the past few months. Apple is restricting access to Adobe on their devices. Has anyone tried their remote desktop sharing? I wonder if some vulnerability will be release in that application. What is the real problem with electronic document sharing and what are some of the solutions? Adobe is just an example; the whole industry of electronic documents is finally coming into its own.

Problems with Electronic Douments

How are people accessing electronic documents and how are they signing them and verifying them? Well there are multiple companies out there touting secure signature applications for documents. When do you use these companies? Some questions to ask include:
1. When and how do you determine the importance of the document?
2. Have you implemented a data classification scheme for electronic documents?
3. Who has the right to sign and read these documents?
4. How do you track usage and distribution?
5. Is there a time frame associated with the life of the document?
6. Can you prevent screen scraping of the secured document?
7. What is the “hackability” of the secure document?

Signing an electronic document can be a challenge for the technology challenged. Some documents might trigger antivirus or malware protection applications. If some intrusion detection applications can read a document or data loss prevention applications do not have access, you could be blocked from that document. Convenience of use is a major hurdle for the adoption of secure documents.

Printing, modifying, viewing, and deleting these documents require all kinds of levels of authorization that is probably difficult to manage. If you can have a location based “bomb” in the document for when it left the organization domain, that would be an interesting play on data loss prevention. We know client side options are easily broken, how do we change the mentality of secure document management?

I do not see how secure documents make too much sense in any public forum. Its not worth the effort to worry about secure documents outside of a strictly controlled corporate environment. Different forms of watermarking have their place in identification but not much in control.

The most likely areas are in Research and Development, Legal, Banking and Healthcare. These should be the quickest to adopt a secure framework for electronic documents. Some industry standards need to be followed and a process developed that all companies can follow. This would make it into all the data loss prevention applications eventually and really provide some security.

Gary Bahadur

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

McAfee unveils new data loss prevention tools (v3.co.uk)
Hackers used malicious PDFs to attack Google and Adobe (infoworld.com)
Certified Document Services (CDS) Program Grows to Six with Post.Trust Announcement (blogs.adobe.com)

What is Social Media INSecurity?

admin — Wed, 24 Mar 2010 17:30:54 +0000

: Image via CrunchBase

The trends in Social Media are heading towards more sharing of information. But sharing of information has moved beyond your circle of friends and family. Social media is becoming less social and more… well more corporate. Or more like many people shouting in a bar, you are all in close proximity, but you can’t distinguish the individual conversations, you can’t make out who people really are or who is a potential quality relationship.

How many random friend requests do you get now from Facebook, Friendster, MySpace, LinkedIn, etc. Twitter is a bit different obviously, but that’s a whole other story. Now you are also getting bombarded with corporate Fanpages, groups and other means of luring you to their sites, brands and social following. This is the erosion of your true social circle.Social Media Security is really more about Insecurity. The distribution of your information across multiple platforms used to be in a restricted circle. This can be true data loss. Now its pretty much everywhere. You can find a person’s LinkedIn profile with a generic Google search. This should be restricted to the LinkedIn environment, but it’s not.With the advent of location based services, we will see physical insecurity based on social media usage. A recently popular site Please Rob Me http://pleaserobme.com has already begun taking advantage of the Twitter location feature. Imagine what can be done by a stalker following someone on twitter or a deranged Ex-boyfriend following you based on the events you are attending on Facebook? It’s easy to see how you can give away all your personal information without event thinking of it. Trends towards making information available will lead to Insecurity. Insecurity will lead to data breaches and compromise. Compromise will lead to lots of crying, money lost, probably lawsuits and other painful results. How do we get past this Social Media Insecurity?

Gary Bahadur

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

The Seven Deadly Sins of Social Media (markevanstech.com)
The Age of Social Networks (briansolis.com)
Facebook Roundup: FTC, Design Changes, Nestlé, URLs and More (insidefacebook.com)
Cloud Computing Elasticity Drives Social Media (web2.sys-con.com)
Use Google Analytics to Track Inbound Links from Social Media Profiles (thecustomercollective.com)
13 Essential Social Media Lessons for B2B Marketers from the Masters (mashable.com)
Social Media Engagement Starts with Monitoring (bettercloser.com)

When will Vendors provide Risk Assessments of their products?

admin — Thu, 18 Feb 2010 04:22:56 +0000

: Image via Wikipedia

Vendor risk assessment are not part of everyday corporate managememnt but it should be. If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday.

Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook. As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.” The biggest companies are culprits.

So what are we do to about buggy software? How do you force a vendor risk assessment on all yoru vendors? Maybe scream “I’m mad as hell and I am not going to take it anymore!” Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:

Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.

Gary Bahadur

http://www.kraasecurity.com

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Apple vs. Microsoft: Making Platform Enemies and Friends (seekingalpha.com)
Adobe Reader And Acrobat Get Yet Another Security Update (ghacks.net)
Microsoft investigates new Internet Explorer flaw (news.cnet.com)
Google readies Flash for Android devices (infoworld.com)
IBM: Vulnerabilities fell in ‘09, but other risks abound (computerworld.com)
Update: Adobe issues emergency PDF patches (computerworld.com)
Serious web vuln found in 8 million Flash files (theregister.co.uk)
Hold vendors liable for buggy software, group says (computerworld.com)

Gary Bahadur

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

What is the value of a Data Breach?

admin — Thu, 28 Jan 2010 02:33:53 +0000

: Image by Getty Images via Daylife

SC magazine just reported that the Ponemon Institute has determined the cost of a data breach is $204 per record. “Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual “Cost of Data Breach” study released on Monday by the Ponemon Institute… The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.” There are a number of ways to protect your data in transit such as PGP Encryption but when the companies looses data, there isnt much the end user can do to protect themselves.

Thats a lot of money. If we look at the data breach of Heartland, which was over 100 million records, that, well let me do the math, may take a minute. Its $20,400,000,000. Thats a lot of money. Condidering I was a shopper mostlikely of Heartland, I do not recall getting a check from anyone for $204. I will not hold my breath for that. We all asked if the retailers like Heartland and TJ Max had a PCI Audit done. Would this have protected our information?

So far, I am pretty sure I recieved a letter offering me free 2 year credit monitoring from Chase, Citibank, Bank of America and Countrywide because thet lost my records. I am waiting for my check for $204 from each of those companies. Also, over the past few years I have had to have my credit cards replaced with Chase, American Express, and several Visa versions. So I am still waiting for those $204 checks. Maybe in total I am owed about 9x$204=$1,836. That will be a nice check when I get it.

Security Requirements

So what can a company do to help reduce these data breaches? The easy answers, yet not implemented, include:
1) Encryption of back-up data and tapes
2) Conduct yearly Vulnerability Assessments
3) Conduct Quarterly or Monthly Vulnerability Scanning
4) Implement a Data loss prevention solution
5) Go through a PCI Audit or HIPAA Security Assessment yearly

Data breach costs continue to rise (v3.co.uk)
Survey: Data breaches from malicious attacks doubled last year (news.cnet.com)
Breach numbers fall while costs rise Ponemon study finds (v3.co.uk)
Humans Continue To Be ‘Weak Link’ In Data Security (it.slashdot.org)
Cost of a Data Breach – $204 per record (pindebit.blogspot.com)
Private Sector Keeps Mum on Cyber Attacks (online.wsj.com)

Regards
Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

FTC’s Additional Rules for HIPAA Security

admin — Sun, 23 Aug 2009 20:24:35 +0000

FTC’s Additonal Rules for HIPAA Security

The Federal Trade Commission (FTC) recently issued a rule which gives more scope to the data breach notification rules as part of the Health Insurance Portability and Accountability Act (HIPAA). The addition targets companies that provide health info in an online storage facitlity. Things like Google Health or Healthvault would fall under this category.

This seems like it should be an obvious thing to do. Why would you let any entity keep your health information without following strict regulatory requirements? It is definitely a good thing to force companies that keep your health information to notify consumers following a data security breach if the breach involves more than 500 people or even 5 people. The question is how do you track down all these companies that store health information and force the the company notify customers? How do you know when a smaller companay has lost information? We still struggle with this question for the hospitals and healthcare organizations that currently have to comply with the HIPAA regulations or the Hipaa Security Rule. CVS recently had to pay $2.5 million in fines. I wonder what that is in comparison to the cost to consumers who have problems with their data being stolen. (I wouldn’t use the term “lost”)

Part of the changes coming from the FTC is the utilization of mobile devices that capture, use, transmit and store data. What are the hospital security requirements of these devices? Does a mobile hand scanner or a mobile device that stores info have to have a built in firewall and antivirus as would a laptop? The only real way to deal with this is to conduct Hipaa Risk Assessment but how many companies actually do it properly?

Have you seen the list of breaches on Privacyrights.org? I like this recent one in particular. You cant find such a list on the FTC site.

“ July 31, 2009 Jackson Memorial Hospital: (Miami, FL) A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.”

Is every company required to do network security assessment and register their device if it captures, uses, transmits any kind of health information? Is any website that does the same required to register with the FTC? But I wonder if you had such as database and hackers got into it, how much more trouble would we be in? Check out our HIPAA Top 5 Steps to Compliance for some fun reading.

I do not think I came to any real conclusions with this post. Isn’t blogging wonderful?Gary Bahadur

Gary Bahadur

http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
Miami, Fl

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*Website Security Assessment

Data Loss, this time with Network Solutions

admin — Mon, 27 Jul 2009 16:55:02 +0000

Data Loss, this time with Network Solution

Network Solutions, one of the largest domain registrars recently announced a data breach. Malicious code was found on its e-commerce server which may have captured transactions from thousands of websites and capturing half a million or more credit cards. The company said they found the code during a routine check. Since the breach occurred between March 12 and June 8th, how routine was the actual checks? I wonder when their last vulnerability assessment or Information security risk assessment was conducted? Data loss prevention is sorely lacking in just about every industry.

Here is what the company said “At this point, we have no reports or other reasons to believe that any credit card account information has been misused and, under established practice, credit card issuing companies generally will not hold our merchants’ customers liable for any fraudulent purchases made using their credit card account numbers that are reported in a timely way to the issuer,” a statement from the company reads. All these statements around hacker breaches and stolen credit cards read the same.

The process now begins where all the merchants have to be identified, then each merchant has to notify their customers. Their customer then have to work with their banks to stop credit cards, have to get credit monitoring and thus goes the Circle of Life (of data breaches) Here is the list of data breaches in 2009 alone. If you recall the breaches of Heartland Payment Systems and RBS WorldPay, the breachescaused them to be removed from the PCI security audit () list . Well that should be obvious, or should they have been rated compliant int he first place. Known non-compliance might be a better than weak compliance.

The basic question is what was Network Solution not doing to have malicious software installed on key servers? Was it a breach through a web application, was it through malicious email, a browser based attack, some insider who didn’t know enough about security and clicked on the wrong thing? What routine check found it and why wasn’t this check run on a more routine basis, such as weekly or even daily?

At the end of the day, security is a moving target. We can utilize encryption, vulnerability management, application security risk assessment, email filtering, backup and recovery, but all will be useless is we follow poor practices or do not have good procedures in place to take into account the human element. Most breaches are insider problems or mis-configurations or plain old stupidity.

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Data Breaches are still misunderstood

admin — Mon, 20 Jul 2009 04:27:14 +0000

The Ponemon Institute and Ounce Labs (www.ouncelabs.com) released a study on the view CEOs have regarding data protection in their environment. In the study of 213 CEOs and other senior executives, CEOs did not share the same view on how secure their organization is with their executives. 92 percent of respondents said they were attacks. Who has the more realistic view of data security? Could it also be the fault of the executives who usually do not share all the bad information with the CEO? That is probably part of the security education challenge the CEO faces.

The study also found that 33 percent of C-level executives replied that attacks happened “hourly or more often,” while only 17 percent of CEOs said the same thing. That’s a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously tactically speaking it fall under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens such as in the case of TJ Max, it’s the CEO who has to appear on television to explain what happened and answer to their customers.

How do you apply security metrics to report appropriately to the CEO? That magic “Dashboard” is what everyone is after and no one gets right. A good Compliance dashboard that you may want to check out comes with the reports from RiskWatch software (www.riskwatch.com). Its worth a look.

The category of technology CEO’s need to focus on these days is Data Loss Prevention (DLP). Every major company in security has a DLP product and the reason is probably because the education is finally in the market around the necessity of looking at all inputs and output of data in the organization. A data breach can be caused by lack of proper firewalls, no antivirus, no browser protection, not malware protection, lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows and what the data life cycle really means if they are to truly grasp the threat to their environment.

Prevention is really worth more than detection. If the CEO doesn’t bridge the gap to thinking they might be secure to understanding that they are under attack ever day and perhaps every minute, data breached will continue to occur.

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Technorati Tags: data breach, data loss

HIPAA Assessments are the next wave

admin — Sun, 12 Jul 2009 21:06:10 +0000

In February, CVS was ordered to pay a fine of 2.5million dollars by the FTC. This fine was because their employees threw out personal information about patients. Who knew poor recycling programs could cost so much? HIPAA has been around for a number of years but not until recently did we see that it has teeth and companies are going to be held accountable. CVS has to have an assessment every other year now for 20 years. And assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as Firewall protection, Antivirus, Encryption, Vulnerability Scanning and much more. I am sure conducting an assessment rather than getting fines would have been much cheaper for CVS.

The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.

There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.

For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.

Regards
Gary Bahadur

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Vanguard Security Conference – Supplier Security

admin — Tue, 02 Jun 2009 15:44:29 +0000

I spoke yesterday at the Vanguard Security Conference (http://www.go2vanguard.com) Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have back in the mid-90’s. We perhaps I shouldnt be do happy, it was over a decade ago.

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

No framework for managing vendor risk
Inconsistent processes for tracking vendors
Lack of enforcement capabilities

The Opportunity:

Provide practical steps to manage vendor access/management
Provide cost effective solution for risk mitigation
Provide numerical risk analysis of vendor/partner security issues
Risk reduction or risk acceptance
Documented exposure
Iterative process for risk management
Happy CIO

So a Supplier Security assessment follow 4 main steps:

Analyze current vendor database, catageorize each
determine risk of each supplier, determine threats posed by each supplier
Perform assessment tests of each supplier, their processes of interaction, and data access
develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur