Risk Management and Compliance » Identity theft http://blog.kraasecurity.com Risk Assessment, Vulnerabilities, Website Security Wed, 06 Jul 2011 01:12:12 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Pleasant Grove man sentenced to 6 years in federal prison for role in prescription fraud case http://blog.kraasecurity.com/2011/05/27/pleasant-grove-man-sentenced-to-6-years-in-federal-prison-for-role-in-prescription-fraud-case/ http://blog.kraasecurity.com/2011/05/27/pleasant-grove-man-sentenced-to-6-years-in-federal-prison-for-role-in-prescription-fraud-case/#comments Fri, 27 May 2011 20:06:14 +0000 admin http://blog.kraasecurity.com/?p=321 The Birmingham news (http://blog.al.com/spotnews/2011/05/pleasant_grove_man_sentenced_t.html)  reported that a Pleasant Grove man received six years in prison for HIPAA violations. Included in his crimes was aggravated identity theft and disclosures. These violate the HIPAA regulations.

Identity theft with regards to healthcare information is on the rise. There is a lot of value in stealing an identity to get healthcare. If you could do that for someone under 18, then you might have several years before they actually notice. Kids generally do not need to check their credit ratings until they get that first credit card in college. BY then the thief could have racked up a lot of charges on that identity.

Using healthcare access can allow the thief access to drugs which are then resold. In this case the thief used the stolen identity to cause the prescription drug plan to pay for $72,746 in drugs.

The Obama Administration announced a cyber security plan recently. Does it take into account the rise in identity theft? Are government agencies actively trying to find solutions? So far the answer seems to be No.

Regards

Gary Bahadur

www.kraasecurity.com

blog.kraasecrity.com

Related articles
Enhanced by Zemanta
]]> http://blog.kraasecurity.com/2011/05/27/pleasant-grove-man-sentenced-to-6-years-in-federal-prison-for-role-in-prescription-fraud-case/feed/ 0 Vanguard Security Conference – Supplier Security http://blog.kraasecurity.com/2009/06/02/supplier-security/ http://blog.kraasecurity.com/2009/06/02/supplier-security/#comments Tue, 02 Jun 2009 15:44:29 +0000 admin http://blog.kraasecurity.com/?p=48 I spoke yesterday at the Vanguard Security Conference (http://www.go2vanguard.com) Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have back in the mid-90′s. We perhaps I shouldnt be do happy, it was over a decade ago.

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

  1. No framework for managing vendor risk
  2. Inconsistent processes for tracking vendors
  3. Lack of enforcement capabilities

The Opportunity:

  1. Provide practical steps to manage vendor access/management
  2. Provide cost effective solution for risk mitigation
  3. Provide numerical risk analysis of vendor/partner security issues
  4. Risk reduction or risk acceptance
  5. Documented exposure
  6. Iterative process for risk management
  7. Happy CIO

So a Supplier Security assessment follow 4 main steps:

  1. Analyze current vendor database, catageorize each
  2. determine risk of each supplier, determine threats posed by each supplier
  3. Perform assessment tests of each supplier, their processes of interaction, and data access
  4. develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

]]> http://blog.kraasecurity.com/2009/06/02/supplier-security/feed/ 0 Healthcare Security- Identity Theft and Hacker ransom http://blog.kraasecurity.com/2009/05/07/healthcare/ http://blog.kraasecurity.com/2009/05/07/healthcare/#comments Thu, 07 May 2009 22:57:45 +0000 admin http://blog.kraasecurity.com/?p=34 I hope no one is actually shocked by this story. Records are stolen everyday. Typically, the hackers will sell the information in the underground somewhere is Eastern Europe or Asia. The fact that someone is asking for ransom, and so publicly it actually a good thing in my opinion. Why is it good you ask? (I assume you are asking that, vulcan mind meld and all that..) Maybe the industry (meaning all industries) need a sensational story to get real change in their IT Security environments.

When the Heartland data breach happened, it was interesting but the general public didnt find it sexy enough. A ransom note, publicly done makes for good drama. Equate it to the Somali pirates. They really broke in the news because of the weapons they captured. This might be the “weapons” story that gets the general public asking about security of the places they use on the Internet.

Identity theft is on the rise. Most companies never do a web application security assessment. They almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, well your last line of defense can save your hide.

So what are some things you can do to protect your website?

1) Conduct a web application security assessment. You should probably do this twice a year or anytime you make any significant changes to the application.

2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find away around the application and perhaps get to the data through a different port.

3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised

4) Conduct a database security review. Your last line of defense, make sure the data in encrypted, access is completely authenticated and IDS on the database to flag and stop inappropriate access

5) Hire someone smart to do your security assessment.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++++++++++++++

The Channel Wire
May 06, 2009
]]> http://blog.kraasecurity.com/2009/05/07/healthcare/feed/ 0