Thursday, October 6, 2011

TRICARE Breach

I read that TRICARE is not going to provide free credit monitoring services in their breach response, and that makes me ponder how effective that service is at retaining customers and/or preventing litigation.

In the grand scheme of things, who is to say that TRICARE did not execute a Cost-Benefit Analysis (CBA) and realize that the damage is done?

Will further breach responses without free credit monitoring services lead to mandates to do so in the future?

Thursday, September 22, 2011

CSA & STAR

The Cloud Security Alliance (CSA) has rolled out the Security, Trust and Assurance Registry (STAR) initiative where Cloud Service Providers (CSP) can publish their controls, safeguards and/or practices so that cloud consumers may know how secure they are. This effort involves previous research by the CSA in the way of their Cloud Controls Matrix (CCM) and Consensus Assessment Initiatives Questionnaire (CAIQ).

See the link below.

https://cloudsecurityalliance.org/star/

It will be interesting to see how this turns out.

Why CAs Matter

Great point: http://www.healthcareinfosecurity.com/articles.php?art_id=4067

HIPAA Audit Checklist

Here is a link to a HIPAA audit checklist that you may want to at least glance at prior to KPMG/ONC knocking on your door.

http://www.healthcareinfosecurity.com/articles.php?art_id=4010&pg=1

Monday, September 12, 2011

Cloud Computing & ROI

I have spent several hours today reading about various takes on calculating the ROI on cloud computing and the consensus seems to be that it is nebulous. Though, one can break down the cloud into various buckets, such as: hardware, software administration, provisioning, etc. and each of these can be measured better.

These buckets may assist in the overall ROI of the cloud, but my experience is that a Business Analyst/Manager type uses ROI to build a business case for going to the cloud for a specific application. So, in that case I believe a TCO for an internal solution could be used for calculating the ROI for a one-off app going to the cloud.

At the end of the day, you need a number the CxO will be satisfied with. If that happens, then how you arrived at that number may not be questioned.

Sunday, September 11, 2011

Dart: Google's New Web Procedural Language

So, Google has announced that they are rolling out a new web procedural language called Dart, which strikes my fancy as I wonder if security was built in from the ground up.

Specifically, IAM, encryption/hashing, prepared statements/input validation, and enhanced error/exception checking all come to mind as points I hope they considered.

We will see.

Wednesday, September 7, 2011

Top 10 Cloud Computing Security Threats

Cloud Security Alliance and Gartner have published several research reports addressing cloud computing security issues. There are numerous risks that can hamper the integrity of a cloud infrastructure, but here we will focus on those that emerged as the Top 10 Security Threats and Risks of the cloud.

1. Abusive use of Cloud Computing Resources:
Cloud computing platforms can be used to launch attacks, host spam and malware, publish software exploits and serve many other unethical purposes. PaaS offerings in particular, with their enhanced service portfolio and the independence they give users, let anyone act on malicious intent, and IaaS-based abuse is picking up pace alongside PaaS. Providers normally let literally anyone with a valid credit card use their services, which opens the platform to a very wide pool of users; malicious hackers and crackers cannot easily be filtered out of that pool.

2. Privileged Access & Malicious Insiders:
Cloud computing offers flexibility by outsourcing services, but it also brings the inherent risks of malicious insiders and abuse of login access by unauthorized persons. The customer's own security controls stop at the boundary of the provider's security mechanisms, and the customer has no control over the provider's internal security controls. This is a substantial risk: any infiltration of this kind can cost the organization a great deal in financial loss, lost productivity and/or brand damage.

3. Insecure APIs:
Cloud vendors provide APIs through which customers interact with and consume services, and customers using these APIs often build further services on top of them for their own customer base. Cloud APIs with weak authentication and access control can jeopardize the confidentiality, integrity and availability of the affected customer, and because the services are spread across a vast population of users, any vulnerability in the API can be exploited for malicious ends.

4. Shared Technology and Data Segregation:
Public cloud infrastructure components are typically not designed for compartmentalization and are prone to vulnerabilities that can be exploited. An attacker may try to gain unauthorized access or consume resources excessively, which can degrade the performance of other tenants residing on the same infrastructure. A prevailing cloud security issue is the lack of encryption schemes, which can dent the integrity of the stored data; the absence of proper controls can render the data totally unusable.

5. Identity or Service Theft:
If account or service credentials are stolen, the confidentiality, integrity and availability of every service linked to that account are jeopardized. It is like handing the attacker the keys to all of the cloud resources. Furthermore, stolen cloud services can be used for an array of attacks that illegitimately use the victim's cloud infrastructure as their launching platform.

6. Data Loss:
Cloud computing architecture presents greater challenges in controlling and mitigating risk because of its unique framework and operational attributes. Data in the cloud is exposed to many threats, such as deletion of records, loss of the encryption key and weak encryption, any of which can result in corrupted data. Every organization, large or small, relies heavily on its data, and any breach or trespass by an unauthorized person can have a devastating impact on the business.

7. Forensic Support:
In cloud computing it is very difficult to obtain forensic evidence after a breach or incident, because your data may be spread across many hosts and data centers and may reside in a multi-tenant environment. Applications deployed on cloud service models are often designed without data integrity and security in mind, leaving them with vulnerabilities and security issues. Contractual support from the provider for investigating when and where an incident occurred is a must-have clause in the Service Level Agreement; otherwise a business can be exposed to serious threats.

8. Geographical Location of Data and its Recovery:
There is a big question mark over the geographical location of data in a cloud computing environment. The data can be stored on many servers in different locations, possibly in different cities, or even in a different country or continent. In case of a disaster, systems with no Disaster Recovery Plan and no Business Continuity Plan to ensure the business runs smoothly again are the most vulnerable to failure. There may also be legal or governmental regulations involved in recovering data hosted in a different country, which can get tricky if a breach or criminal act is associated with that data.

9. Regulatory Compliance in Cloud Computing:
Cloud computing services have certain benefits for the end user, but what about internal control, compliance, internal security procedures and patching of all applications? Lack of adherence to regulatory compliance is a serious risk considering that the provider is the custodian of your data. In case of an incident, providers who do not comply with regulatory standards and do not provide auditing and logging of data leave the customer with a high risk profile; this is a cloud computing security issue worth considering.

10. Stability of the Cloud Provider:
Perhaps this is not strictly a security risk, but it is a very threatening one if the provider is not financially stable enough to sustain operations in line with the customer's goals. A cloud provider swallowed up by a merger can ring alarm bells for the confidentiality, integrity and availability of data. The absence of a recovery plan for a disaster or a complete shutdown can affect the customer's operations until service is recovered. Any cloud provider with meager financial stability, no back-up infrastructure and no long-term plans to complement the customer's needs is a definite risk for any mission-critical deployment.

Saturday, May 21, 2011

Mobile Security & Web Content Surveys

So, I am finally catching up on reading, and here are some results from Kaspersky's Mobile security survey, as well as a Web Content survey from Websense:
  • Only 31% of respondents were required to have security software (secware) on their mobile device (company supplied and/or BYOD).
  • 68% said that the company did not provide any mobile security training.
  • 28% have experienced a malicious/suspicious app.

  • 22% of the sites brought up in search results had malware.

Monday, May 16, 2011

RIM/BlackBerry, Cross-Platform Support & Security

So, I just heard this morning that Ubitexx has been acquired by RIM. The key component of this M&A deal is that RIM plans to integrate cross-platform support into BES. As many companies have an existing investment with BES this is good news.
I do wonder though whether this means that non-BlackBerry devices will see improved security when in this environment. As most of the vulnerabilities of Droid, etc. are patch issues, MDM through BES should improve this dilemma. The question is whether RIM will integrate Mobile Application Management (MAM) and enterprise app stores to further lock down the non-BlackBerry devices.

Friday, May 13, 2011

Shout out to Avira and File Scavenger

I had a virus last weekend and used Avira and File Scavenger with (cue Borat voice) great success... So, this is a shout out to them...

Will the Skype-Microsoft Deal Affect Privacy

I anticipate some privacy concerns/hearings/suits from this merger down the road. Here is a nice article touching upon this.

http://www.washingtonpost.com/blogs/post-tech/post/the-circuit-microsoft-and-skype-mobile-privacy-googles-cloud-music-locker/2011/03/08/AFccJegG_blog.html

Good People Are Hard to Find

So, now that SecureWorld-Philadelphia is officially over I wanted to send a thank you to the individuals that helped man the CSA-DelVal booth, and to those who stopped by.
Furthermore, I wanted to articulate my belief that good people are hard to find. I mention this as we had a no show for manning the booth, and it is the second time that this person has reneged on me. Well, I will not deal with this person anymore, AND this person has taught me a lesson, which is to continue to trust my gut (I was available to fill in for this person given their history).
Birds of a feather flock together, so find quality people, invest in them, and use their referenceable contacts.

Monday, April 25, 2011

Amazon's Outage

The article below states that Amazon's Web Services (AWS) outage did not violate their SLA; so, I ask do we now need to mandate in a SLA that geographically separate locations be used for high availability? Or, should one use multiple providers for high availability?

http://blogs.forbes.com/kevinjackson/2011/04/25/will-amazon-outage-stop-govcloud/

Tuesday, April 12, 2011

Adobe's Zero-Day Exploit

I receive more and more spam every day and I hear of more and more attacks like this one (as well as RSA's). It seems that malicious code within a Microsoft Word document can exploit a vulnerability in Adobe's Flash Player.
I would think organizations would have their Office documents locked down due to the risk of malicious VBA, but who am I to think...

Saturday, April 2, 2011

Cloud Computing & ROI - Realistic/Practical Expectations

The Delaware Valley chapter of the Cloud Security Alliance (CSA-DelVal) is hosting a roundtable on Wednesday, May 18th to discuss many concerns, such as what is a practical/realistic expectation regarding the ROI for cloud computing. I believe the research data is not there yet, but it is only a matter of time before Gartner/Forrester, etc. come up with some numbers. What % are you expecting (for using a private/public cloud)?

Thursday, March 31, 2011

Data Management

From the Dodd-Frank bill to eDiscovery, the impetus for data/records management is increasing. See below for another view. http://www.bbc.co.uk/news/business-12842944

Wednesday, March 30, 2011

Tablet Security

The link below is to a nice article on tablet security. I believe the market for mobile device management (MDM) is going to grow exponentially in the next several years for all devices (Android, RIM BlackBerry, Apple iPhone/iPad). By the way, has anyone tried Juniper's Junos Pulse product (http://www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/mobile-security/)? http://searchmobilecomputing.techtarget.com/tip/Tablet-security-Best-practices-for-the-tablet-tsunami

SIEM Ramblings Post RSA Breach & Ponemon Cost of Cyber Crime Report

So, after the RSA breach and Ponemon's Cost of Cyber Crime report I have to say the case for SIEM is stronger than ever. I advocate Splunk whenever I can due to its versatility; however, I say each to their own when it comes to SIEM tools. Just use one and make sure it works correctly....test, test, and test some more!

Tuesday, March 29, 2011

Server Baselines

The link below, which is to a tool called Security Compliance Manager from Microsoft, leads me to question the need for documented server baselines versus automated tools. I ask as I do not know of any tools for the other platforms, which may lead some shops to just have a baseline for Microsoft only. I suppose this is the case for the SMBs.... http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
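One way to turn a documented server baseline into an automated check on a non-Microsoft platform is to express the baseline as a list of expected settings and diff a host's configuration against it. The following is an added example written for this post; it is not part of Microsoft's Security Compliance Manager or any other tool mentioned here. The baseline values, the sshd_config-style syntax and the sample file are all assumptions chosen for illustration.

```python
"""Minimal server-baseline checker (added example, not from any tool on the page).

A documented baseline is expressed as a mapping of setting name -> expected
value; the checker parses a key/value style config (OpenSSH sshd_config syntax
is assumed) and reports every setting that is missing or deviates.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Documented baseline for an OpenSSH daemon. These values are assumptions chosen
# for illustration, not a published benchmark.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample sshd_config with two deviations and one commented-out setting.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]  # None when the setting is not present at all


def parse_key_value_config(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines, ignoring blanks and '#' comments.

    Keys are lower-cased because sshd keywords are case-insensitive, and the
    first occurrence wins, which is how OpenSSH itself resolves duplicates.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_baseline(config_text: str, baseline: dict[str, str]) -> list[Finding]:
    """Return one Finding per baseline setting that is missing or differs."""
    actual = parse_key_value_config(config_text)
    findings = []
    for setting, expected in baseline.items():
        value = actual.get(setting.lower())
        if value is None or value.lower() != expected.lower():
            findings.append(Finding(setting, expected, value))
    return findings


def render_report(findings: list[Finding]) -> str:
    """Human-readable summary suitable for a ticket or an audit working paper."""
    if not findings:
        return "baseline: PASS (no deviations)"
    lines = [f"baseline: FAIL ({len(findings)} deviation(s))"]
    for f in findings:
        shown = "<not set>" if f.actual is None else f.actual
        lines.append(f"  {f.setting}: expected {f.expected!r}, found {shown!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(check_baseline(SAMPLE_SSHD_CONFIG, SSHD_BASELINE)))
```

The checker treats a commented-out setting as missing rather than as compliant, because a host then falls back to the daemon's compiled-in default, which may not match the documented baseline. Extending the same pattern to other files is a matter of supplying another baseline mapping and, where the syntax differs, another parser.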

AppSec & ROI

Apparently Microsoft has a need for ROI with their security efforts (AppSec, InfoSec, etc.) too.... http://www.microsoft.com/downloads/en/details.aspx?FamilyID=813810f9-2a8e-4cbf-bd8f-1b0aca7af61d&displaylang=en

Saturday, March 26, 2011

There is a privacy 'Commercial Bill of Rights' coming out that uses the term 'Covered Entity', much like HIPAA. I think the FTC will confuse people with this.

Wednesday, March 23, 2011

Cloud Service Brokerages, Personal Health Records, and Electronic Health Records

So I keep hearing, and reading, about these Cloud Service Brokerages (CSBs) and I wonder how this model will be applied to the healthcare industry. Will this model extend to Electronic Health Record (EHRs) and/or Personal Health Record (PHR) systems?

Tuesday, March 22, 2011

Cloud, Vendors & Maturity Model

I received a document (see link) this morning, and it got me thinking about how a holistic maturity model is needed for vendor audits/assessments as there are so many different types of guides/frameworks/certs (i.e. PCI/COBIT/SAS 70/FISMA/HITRUST/BITS/ISO). Would something like a CMM/GARP maturity model work?

http://www.ncontrol-llc.com/ISF_Cloud_Computing_Executive_Summar_Public_version_170311.pdf

Monday, March 21, 2011

Friday, March 18, 2011

Call Centers, Recorded Calls & PCI Security Compliance

When I read the PCI SSC's (Security Standards Council) advice/clarification on protecting credit card information over the phone (call center recordings) I think of call recording/Business Activity Monitoring (BAM) solutions like Verint, and the large amount of recorded data.

I know of several clients/organizations that have years/months of legacy data in this context (including WAV files that have been sent as email attachments). My advice is to encrypt this legacy data before/after archiving it to tape/disk, and to scrub new recordings prior to being archived.

https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf

Records Compliance & Management

The second example of a HIPAA civil case in the link below highlights the need for proper records compliance and management controls. I assume this person intended to take some work home; however, if the right controls/safeguards were in place I would think this person would have been given an encrypted CD/DVD versus hard-copies.

Regardless, we need to be trained on how to handle manual/paper records, as much as electronic.

http://blogs.healthcareinfosecurity.com/posts.php?postID=896&rf=2011-03-18-eh&hq_e=el&hq_m=1002363&hq_l=25&hq_v=bb1cf70608

RSA hit by Advanced Persistent Threat (APT)

It seems even RSA is not safe from the APT dilemma. Apparently, this affects RSA's SecurID two-factor authentication systems (2FA). If this is not a great use case for defense in depth, then I do not know what is.

http://www.healthcareinfosecurity.com/articles.php?art_id=3444&rf=2011-03-18-eh&hq_e=el&hq_m=1004386&hq_l=28&hq_v=bb1cf70608

Sunday, March 13, 2011

Archiving Logs from the Cloud, to the Cloud

As I have started a trial of Arkivo, which is a social media archiving solution, while concurrently looking at cloud-based log archiving solutions (e.g. Monitis), I wonder when a best-of-breed one-stop shop will be created in the cloud for all archiving needs.

I guess we should get to work on that one....

Thursday, March 10, 2011

Archiving Social Media & Integrating It With Email, SharePoint, File Shares, etc.

We have advised clients to implement social media archiving, but we have not done the engineering/implementation yet. Regardless, I wonder when the large archiving software solution providers (Symantec, EMC) will acquire, build and integrate social media archiving solutions with their product. I see this as a separate module versus a completely integrated system, but a unified system just the same.

Incident Response & Notification Systems

There has been an incident at one of the higher education institutions I teach at, which has kicked off their notification system (via texts/SMS, etc.). However, it is pretty apparent that the kinks in the system and/or communication process have not been worked out.

This reminds me of how ALL organizations need to test their notification workflow, whether that is manual call flows or an automated system. Such a test should cover the following: (physical/cyber) incident response, business continuity, and/or vendor management.

Monday, March 7, 2011

Discovering a Data Breach

I just discovered a data breach for a local municipal authority in the way of hard-copy printouts containing Personally Identifiable Information (PII) flying across the street on this windy day.

I called to report this, so I hope they act on it. I am interested in how well they respond to this incident.

Thursday, March 3, 2011

Cloud Security Alliance, Delaware Valley Chapter: 3/22 IT Executive Roundtable

We will be holding our first Cloud Security Alliance, Delaware Valley Chapter (CSA-DelVal) event on Tuesday, March 22nd at 6pm at Widener University. This event will be an IT Executive roundtable regarding the cloud. Additional details are available via the link below.

http://www.ncontrol-llc.com/CSA-DelVal_IT_Exec_Roundtable_Flyer.pdf

Wednesday, March 2, 2011

Tuesday, March 1, 2011

Top 10 Cloud Providers

Here is a slideshow enumerating the top 10 cloud providers per Cloud Computing Digest.

http://searchcloudcomputing.techtarget.com/feature/Top-10-cloud-computing-providers-of-2011

Testing Cloud Backups

After reading the article below it reminded me to post a recurring thought I've had, which is the ability to test one's online backups. I ask as I have had a difficult time getting SMB orgs with tape backups to test their backups. What about those using the cloud? Has anyone thought of the effect of a regional disaster where limited connectivity exists? Also, in the event of another Katrina, etc. what is the capability for the provider to do multiple restores across the wire?

http://viewer.media.bitpipe.com/1157126723_318/1296839150_593/CloudBackupEGuide.pdf
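A restore test is only as good as its ability to say which files actually came back intact, whether the backup lives on tape or in the cloud. The following is an added example, not code from the linked e-guide or from any backup vendor: it records a SHA-256 manifest of the backup set at backup time and checks a restored copy against it. The directory layout and file contents in the demo are constructed for illustration.

```python
"""Restore-verification helper (added example; not from the linked e-guide).

At backup time, capture a manifest of SHA-256 digests per file. After a test
restore, compare the restored tree against that manifest so the result of the
test is a concrete list of intact, missing and corrupt files rather than a
'restore completed' message.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest captured at backup time."""
    result: dict[str, list[str]] = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up three files, then 'restore' with one file
    silently altered and one file never returned by the provider."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"

        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")
        (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        (src / "notes.txt").write_bytes(b"restore test\n")
        manifest = build_manifest(src)  # what you would store alongside the backup

        (dst / "db").mkdir(parents=True)
        (dst / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")
        (dst / "config.ini").write_bytes(b"[app]\nmode=dev\n")  # corrupted on the way back
        # notes.txt is deliberately absent: the restore lost it
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Keep the manifest somewhere other than the backup itself, since a manifest that is lost together with the data cannot tell you what is missing; and run the verification from the site you would actually restore to, which also exercises the limited-connectivity question raised above.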

Legacy Apps & the Cloud

The article below does a good job of articulating that many organizations are running large and/or legacy apps that were not built with virtualization (e.g. the cloud) in mind. What this means to me is that a full cloud distribution model is a long way away for many organizations.

http://searchcloudcomputing.techtarget.com/news/2240032717/Applications-interfere-with-cloud-computing-adoption?asrc=EM_EDA_13369712

Monday, February 28, 2011

Federal Cyber Director

A federal Cyber Director with budget override/veto power on agency security budgets has been created. The article talks about this individual's ability to deem a cybersecurity budget inadequate, but how about the other way? Could this person invoke cost cutting measures, and if so, how much political pressure would that involve?

http://www.govinfosecurity.com/articles.php?art_id=3367

Additional Breach Prevention Tips

Some good points in the link below, however I think they forgot encrypting unstructured data (PHI/PII) on laptops as well.

http://www.healthcareinfosecurity.com/podcasts.php?podcastID=1008&rf=2011-02-28-eh&hq_e=el&hq_m=973064&hq_l=27&hq_v=bb1cf70608

Thursday, February 24, 2011

Magnetic Stripe Alternatives

With ATM/credit card skimmers so prevalent I thought I would give my $0.02 on the good, the bad and the ugly as far as magnetic stripes are concerned.

First, credit cards now have RFID chips inside, so that technology is now serving as a second authentication method. However, RFIDs can be spoofed as well, though this is not as prevalent. At least not YET!

Second, some have suggested/advocated bar codes. This is not cost effective due to the need for additional infrastructure. And, the same vulnerabilities exist as with magnetic stripes.

So, magnetic stripes are not fool proof, but neither are the alternatives.

Tuesday, February 22, 2011

VPN-Cubed

I had a service provider for a client mention this solution the other day and I like what I see so far. It looks like the client is going to implement this within Amazon's Web Service (AWS) offering, so we shall see.

http://www.cohesiveft.com/vpncubed/

Monday, February 21, 2011

PCI DSS v2.0 & One Function Per Server Component

PCI DSS v2.0 #2.2.1 states that you can only use one function per server component, and I have SMB clients that strain over this requirement. We are developing plans to segment these servers out, but I question the capability of some organizations to do this.

I say this because I have seen Incentive Compensation and Customer Relationship Management (CRM) solutions that couple the application server and database server together, and these solutions are for Fortune 500 types. It will be interesting to see how quickly and efficiently these architectures change.

I am also waiting to see how the QSAs are going to handle a system coupled with a proprietary database system (e.g. Exchange).

Friday, February 18, 2011

Backup Tape Breaches

Frequently, I hear about breaches due to a stolen/lost backup tape (see the link below), and after a conversation with a colleague over lunch yesterday I am curious as to the extent that this data is successfully 'ripped'.

To elaborate, for a malicious person to really use this information they must find the correct hardware and software to 'rip' the data off of the tape. How often does this happen? What is the success rate? Inquiring minds would like to know.....

http://www.healthcareinfosecurity.com/articles.php?art_id=3363&rf=2011-02-18-eh&hq_e=el&hq_m=956282&hq_l=27&hq_v=bb1cf70608

Monday, February 14, 2011

Since when is the following new/recent news? 'Social Networking: Is Your Institution Ready for the Risks?'

Friday, February 11, 2011

MPLS Testing

I am reading up on MPLS testing, which should be an attack vector included in your regular penetration testing. WAN-based testing needs to be done regardless of the technology used (e.g. MPLS, Frame Relay, ATM).

http://www.govinfosecurity.com/whitepapers.php?wp_id=377

What Constitutes A "Good, Secure" System

This comes from the link below. Here, a physician enumerates what constitutes a "good, secure" system to her. Points to note include:

-Usability
-Web-based
-Mobile
-Open
-Secure Messaging (Text, Email, Fax, Internally & Externally)
-eCommerce
-Iteration (Versioning)

http://www.emrandhipaa.com/emr-and-hipaa/2011/02/10/items-that-make-a-strong-emr-system/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+EmrAndHipaa+%28EMR+and+HIPAA%29

Thursday, February 10, 2011

GLBA, Safe Harbor & New Model Forms

We are reviewing the GLBA new model forms for several financial service clients and it never ceases to amaze me the amount of confusion between GLBA and Safe Harbor.

I always advocate that a firm should cover the most comprehensive jurisdiction first (Safe Harbor), and then work their way down (GLBA).

Internal Breaches

The article below highlights the continuous internal threat to confidential data.

http://www.healthdatamanagement.com/news/breach-university-of-iowa-football-players-41885-1.html?ET=healthdatamanagement:e1653:145757a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_020811

After reading this I wonder why such breaches are more prevalent in healthcare versus financial services. I assume it is due to medical charts, which represent consolidated data, versus relational data, etc.

ONC Has a Long Data Security and Privacy To-Do List Post Blumenthal

Blumenthal's successor will have a lot of work to do, especially from a data security and privacy standpoint.

http://www.healthcareinfosecurity.com/articles.php?art_id=3333&rf=2011-02-09-eh&hq_e=el&hq_m=940104&hq_l=27&hq_v=bb1cf70608

Rocky & Re-invention

It is corny and cliche, but I like the series of Rocky movies. As a born and bred Philly boy I certainly have a bias, and these movies are simple, but there are three recurring themes in these movies that we all could use.

These themes are:
-Mental Toughness: Rocky had the guts to step into the ring against formidable opponents. He also bounced back from defeat and setbacks.
-Re-invention: Rocky has to calibrate/re-calibrate his fighting style, and himself.
-Preparation: Rocky trained and trained some more. Preparation gives us confidence in life and reinforces our work ethic.

Monday, February 7, 2011

Moving to the Cloud

Google created the document below as a case study for moving to the cloud. I thought it could include more meat and less potatoes, but at least it shows some thought leadership.

http://viewer.media.bitpipe.com/1087307072_932/1278447656_279/MovingToTheCloud.pdf

Saturday, February 5, 2011

NIST SP 800-144: Regs for the cloud

http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

So, I read this SP and while it has brought up points omitted by the Cloud Security Alliance's Guide it is not as detailed as I thought it would be. I also find the document structure to be lacking. I expect the authors wanted to differentiate their work from past efforts (e.g. CSA, ENISA). Here are some points in SP 800-144 worth mentioning:

-Composite Services: a great point that cloud providers may use the services of other providers.
-Virtual Network Segmentation: peripherals as well as servers are mentioned here.
-Ancillary Data: account info and virtual images are mentioned, but not log data.
-Attack Vectors: they allude to rootkits and leave room for other nastiness.

Friday, February 4, 2011

5 Essentials of Global Leadership

Saw this in the inbox and thought I would share it:

http://www.bankinfosecurity.com/articles.php?art_id=3317&rf=2011-02-04-eb

It includes:

-Online Collaboration
-Constant Communication
-Establish a Reporting Structure
-Training and Education
-Frequent Travel

I would also add:
-Customization and Innovation

Wednesday, February 2, 2011

5 Common InfoSec Pitfalls for Healthcare

The author of the article below does a good job. However, we need to add mobile devices, search engine tracking and social media to that equation.

http://www.healthcareitnews.com/news/top-5-most-common-gaps-healthcare-data-security-and-privacy

Carrots and Sticks (for Privacy/Compliance/InfoSec)

I just read a blog post (below) that advocates/suggests that orgs/CPOs/CCOs/CISOs/ISOs use carrots (vs. the usual sticks) to entice employees, etc. to embrace privacy/compliance/InfoSec.

However, I have found that carrots work for training & awareness on an individual basis. In my (humble) opinion, the best way to have individuals follow best practices/policies/processes/procedures is to provide carrots to functions/departments/business units.

Why, you ask?

Well, such a strategy embraces esprit de corps, AND to be able to have such a competition one must have security metrics defined via an Enterprise Security Architecture (ESA)! Last but not least, to measure and analyze the results one must have a privacy/compliance/InfoSec dashboard and/or balanced scorecard....

So, a savvy CPO/CCO/CISO/ISO can leverage these methods for much more than having the org read and follow best practices.

Blog:
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1526876,00.html?track=NL-430&ad=811361&asrc=EM_NLT_13246141&uid=8266525

Now the genesis for all of this is a report (below) from the Ponemon Institute that states that those who embrace compliance have a lower cost associated with a data breach than those who ignore compliance all together.

Ponemon Report:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1526917,00.html?track=NL-430&ad=811361&asrc=EM_NLT_13246143&uid=8266525

Tuesday, February 1, 2011

Firefox 4 & Do-Not-Track

Firefox 4, which when released this month (February '11) will be the latest version of Mozilla's browser, promises to enable the Do-Not-Track feature.

http://www.v3.co.uk/v3/news/2274519/mozilla-firefox-privacy-chrome

Kudos to Mozilla! Now it is up to Mozilla's competition to follow suit.

Cloud Consolidation: Software Giants and ISPs

With Verizon buying Terremark I see the beginning of the inevitable consolidation of cloud providers. I also believe that you will see additional ISPs/Telecom companies (e.g. AT&T, Virgin) go into the cloud to compete against the large software companies (e.g. Microsoft, Google).

I am interested to see if Verizon reached out to Rackspace, and if anyone else has them in their cross-hairs.

Monday, January 31, 2011

SMBs & the Cloud

I have seen for many years SMBs embracing the ASP/cloud delivery model. Now the rate of adoption has exponentially increased.

I am regularly seeing SMBs now having an Internet/border router, a WAP and shared desktop/laptop resources.

When will the larger organizations grab hold?

Thursday, January 27, 2011

7 Health Information Privacy (HIP) Trends for '11

Per the article below, here are the seven (7) trends for HIP. Input was provided by the Ponemon Institute, Patient Privacy Rights, ID Experts, etc.

-Health Information Exchanges (HIEs) will be forced to deal with security and privacy issues.
-Increased fines and action by the states and regulatory bodies.
-The costs associated with data breaches will increase.
-Hospital governing boards will exert their power to hedge data breach risk.
-A significant 'data spill' is inevitable, and will force the national issue/agenda.
-HHS could remove the harm threshold, which may desensitize the public/patients.

http://www.healthcareitnews.com/news/experts-name-top-7-trends-health-information-privacy-2011

Inclement Weather: a 'live' business continuity drill

Over the years I have found inclement weather to be the best 'live' business continuity drill as executives, staff, property management, physical security and business partners clamor to: communicate a holistic plan of action, decide on when to open the 'doors', and if and when to follow the BCP/DRP.

The communication part is made much more difficult when it comes to larger, geographically dispersed organizations. What I find in such enterprises is the ubiquitous duplication of formal and informal communication channels, which these days is easy to imagine with mobile devices.

Wednesday, January 26, 2011

Tuesday, January 25, 2011

RFID Access Card Hacks

I spoke with a data security and privacy executive today about a potential attack vector of RFID hacking the access cards. While still not a popular attack vector, or a vulnerability to test in physical access controls, RFID hacks and the tools to do it are gaining ground.

With that said, I can dress in a utility person's uniform and bypass most card access controls anyways...

http://cyberinsecure.com/billion-rfid-access-cards-can-be-hacked/

Bank Systems & Technology 10 Trends for '11

I finally read the January 2011 issue of BS&T, and they had this to say for '11 trends:

-Mobile Banking
-Large Banks & Hybrid Clouds
-Automated Branch
-Social Media
-Balancing Business Gain with Added Risk
-Modern(ization)
-Analytics
-Mobile Payments
-Collaboration
-Loan Automation

Monday, January 24, 2011

IRS Toughens Stance on Online Tax Filing Software

The article below elaborates on what is now a year-long effort by the IRS to ensure Online Tax Filing Software providers have their act together from a privacy standpoint.

http://www.boston.com/business/personalfinance/managingyourmoney/archives/2011/01/irs_security_an.html

Copiers, Printers and Fax Machines...oh my!

The article below discusses a data breach that happened due to overlooking the need to securely wipe/overwrite data on copiers, etc. FYI, even fax machines and scanners hold residual information.

http://www.ama-assn.org/amednews/2011/01/10/bica0110.htm

Does Privacy Give a Competitive Advantage?

I just read an article where the CEO of TRUSTe stated that privacy gives an organization/company a competitive advantage.

My response is that having proper privacy safeguards in place and articulating these through a privacy policy will certainly give some business partners and clients/consumers peace of mind. However, privacy is only a competitive advantage for some industries/sectors and/or business models, namely: social networking, cloud computing, legal, financial services, healthcare and anything that deals with records management. Maybe supermarkets, with all of your data on their 'value cards', are next....

Friday, January 21, 2011

More on cyberwar....

Amen to the fact that we are in an ever present cyberwar.

http://blogs.bankinfosecurity.com/posts.php?postID=828&rf=2011-01-21-eb

Security Training

I read the article below and was reminded of my times in the U.S. Army. During my tenure in the military we trained, and trained, and trained some more.

There is a fine line between when employees/partners/patients/customers stop listening to a CISO's/ISO's/CPO's warnings versus when they drink the Kool-Aid. All of us need to find this fine line, which differs by audience (Sales, Trading, ER/ED, Radiology, HR, etc.)....

http://www.healthdatamanagement.com/news/breach-indianapolis-email-hacker-notification-41758-1.html?ET=healthdatamanagement:e1618:145757a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_012011

Thursday, January 20, 2011

The Semantics Between a Data, Privacy and/or Security Breach

These days consultants and consulting firms, like mine, present their opinions and perform knowledge transfer through webinars, white papers and/or articles. In the midst of all of these artifacts are the semantics between what constitutes a data, privacy and/or security breach.

Data Breach: In my (humble) opinion this is a catch all. Data/information has been exposed and it does not matter whether it was a privacy and/or security flaw.

Privacy Breach: This often occurs due to a lack of security. However, a privacy breach is an event where someone without authorization gained access to or received information/data.

Security Breach: Is an event where an individual gained physical or logical access to a facility, system or network location.

In summary, a hacker gaining access to a system is a security breach. If that hacker extracts data from that system, it is now a data/privacy breach. If a doctor is able to retrieve healthcare information about a celebrity in their hospital, and it is not their patient, that is a privacy breach. Finally, if someone loses unprotected data/information (hard-copy report, laptop, mobile device) on the subway, this is a data breach.

Sandboxing: the Good, the Bad and the Ugly

So, I just read the article below and it reminded me of a conference call I had the other day with a venture capitalist (VC). Basically, the VC had a client working on a Sandbox solution for mobile devices, and the VC wanted an idea on the viability of the product and the market potential.

http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1526250,00.html

What I told the VC, and what the article above reiterates/reinforces, is that sandboxing is another tool in the toolbox. Like antivirus (AV) solutions, etc., we still need to rely upon a comprehensive defense-in-depth strategy. Regardless of Adobe/Apple/Microsoft, etc. coming out with sandboxing methods, users & orgs need multiple towers, parapets, moats & alligators....

Cloud Orgs vs. Cloud Vendors

I just downloaded Microsoft's Windows Azure Security Notes, and after giving a cursory look I noticed that they do not even refer to CSA, ENISA or any of the other groups that are providing objective, independent guidance with the cloud.

Is it me, or are the vendors snubbing these groups? This does not surprise me as they have done so in the past with other groups (e.g. OWASP, HITRUST).

As we have launched the CSA-DelVal chapter here in the Greater Philadelphia area my hope is that the vendors get on board, literally and figuratively.

Wednesday, January 19, 2011

RSA's Cybercrime Trends Report

RSA published the following:

https://www.rsa.com/go/wpt/wpindex.asp?WPID=11221

Honestly, I do not see eye-to-eye with the 800-pound Gorilla here. I do think their interest/prediction in mobile app vulnerabilities is on target, but I think Advanced Persistent Threats (APT) are nowhere near as high a risk as the cloud. From brute-force hacks off of cloud providers' beefed-up boxes to economic denial of service (eDoS) attacks, the cloud is coming.

Monday, January 17, 2011

National Data Breach Legislation

This morning I saw an article from the link below stating that a national data breach registrar/notification system is needed.

http://www.bankinfosecurity.com/

I concur; however, I think we need holistic data breach legislation that will dictate: what constitutes a breach, baseline security controls/safeguards to prevent a breach, a database/website enumerating all breaches and finally the incident response workflow (including timeline, information dissemination, etc.) that an organization would follow once a breach is detected/determined.

Sunday, January 16, 2011

Classifying Data & Users

Master Data Management (MDM), Information Lifecycle Management (ILM) and other acronyms are gaining ground as organizations see the need and/or requirement for classifying data.

Beyond data classification strategies, I find the need to classify/identify users, especially super users. My respect and acknowledgement towards classification strategies also extends to the higher education classroom, where I frequently find a substantial difference in students' ability, motivation and prior experience in the course topic.

Saturday, January 15, 2011

Cyber-warfare

Cyber-warfare is here, and has been for a while. Relatively recently Russia used such tactics against the country of Georgia, and according to the NY Times, now the U.S. and Israel have used such tactics against Iran.

http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&hp

I also remember reading several years ago about West Pointers studying such topics as well....

Banking & Mobile/Cloud P2P

When I see the article below I think of a bank using this for a competitive advantage, BUT I also think of the numerous holes/vulnerabilities in P2P apps (BTW, Skype IS NOT secure) and the lack of security controls/safeguards surrounding most individuals' mobile devices (i.e. ignoring access controls, like a user-generated PIN, for the device).

http://www.bankinfosecurity.com/articles.php?art_id=3250&rf=2011-01-15-eb

Friday, January 14, 2011

Another Reason to Move Beyond SHA-1

I have been identifying SHA-1 as obsolete in audit/vulnerability reports for a while now, with some occasional push-back from clients. While SHA-1 is better than nothing, the article below highlights another reason to upgrade.

http://infoworld.com/t/data-security/amazon-ec2-enables-brute-force-attacks-the-cheap-447

Wednesday, January 12, 2011

Insecure Mobile Apps for Cars

I keep seeing the Big 3 American car companies advertise their latest bells and whistles for their cars, namely mobile applications for unlocking doors, ignition, etc., and I wonder when we will see a breach or an incident.

http://news.cnet.com/8301-27080_3-20015184-245.html

The public is still ignorant of the vulnerabilities in 802.11 (Wi-Fi) & 802.15 (Bluetooth), so let's wait and see what happens with mobile apps for cars.

Banking, Financial Services & the Cloud

According to InformationWeek Analytics 47% of Banking & Financial Services firms use the cloud, which surprises me. With that said, I am very interested to learn more about what specific services they are using (PaaS, IaaS, SaaS), what size they are (SMB, Multinational), and what types of firms (I-banks, Invest Mgmt, Life Insurance, etc.) are the most prevalent as far as cloud users.

More to come.

Barriers to Automation

As we work more and more in the SMB space (it is certainly underserved from an InfoSec standpoint) I continually notice that business owners/professionals use the data security and privacy segment as a barrier to automation, amongst many other excuses. Below is a great example.

http://www.emrandhipaa.com/emr-and-hipaa/2011/01/11/convincing-doctors-to-do-emr/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+EmrAndHipaa+%28EMR+and+HIPAA%29

As a technologist first, and as a data security and privacy guru/advocate being a very close second, I feel that it is our job to enable optimal performance through technology, instead of being the data security and privacy Gestapo. In other words, and yes it is cliche, we are and should be business enablers. Such matters are easier these days (e.g. WPA-enabled wireless routers), but it is a sales pitch that we must continually execute.

Monday, January 10, 2011

Incident Response

As I hear about the events of the Tucson, AZ shooting I am reminded of how we need to test our incident response plans and procedures.

What is resoundingly clear is our need to integrate the P&Ps of InfoSec with Physical Security and/or BCP/DRP. We live in a crazy world, and these public shooting sprees are all too common. Sad, but true...

Thursday, January 6, 2011

CERN & Private Cloud

So, apparently CERN, which should sound familiar for anyone who has read Dan Brown's novel 'Angels & Demons' and/or seen the movie, has created their own private cloud for research purposes. See below.

http://viewer.bitpipe.com/viewer/viewDocument.do?accessId=13768479

This makes sense, and as time goes by I would not be surprised to see NIST, PARC, Johns Hopkins U and other large, well-funded research orgs go to the private cloud. However, I must say that I am surprised that we don't hear about private clouds in the large Pharma space yet. I suspect that is close to our horizon.

Wednesday, January 5, 2011

Predictions from EMRandHIPAA.com

Thanks to John from EMRandHIPAA.com for the following:

-Doctors Returning to House Calls.
My $0.02: This is inevitable thanks to mobile technology, the high overhead of keeping an office, and the economic reality that middle-aged children will have to house their aging (mobility-limited) parents.

-First EMR Lawsuit.
My $0.02: I see this happening from a HIPAA violation of a cloud-based EMR provider, namely one of their vendors, or a business associate of a business associate within the Healthcare space. Similar events have happened before with everyone pointing the finger at each other.

The Dichotomy of Authentication

After reading the article below, and helping my Father's law practice transition out to retirement, I am reminded of the HUGE dichotomy involving authentication.

http://www.healthcareinfosecurity.com/podcasts.php?podcastID=920&rf=2011-01-05-eh&hq_e=el&hq_m=886443&hq_l=26&hq_v=bb1cf70608

Now, this difference is due to dollars and regulatory requirements, but as the Geisinger techie above states, you cannot be content with your authentication strategy. The problem is that most SMBs, and some Multinationals, are happy with just having the most basic authentication in place.

Will the cloud change this? I hope so.

Tuesday, January 4, 2011

2011 Data Security Predictions

I just wrapped up a webinar from this past December that was presented by Andrew Jaquith, who is the CTO of Perimeter E-Security. He goes on to present the following as 2011 data security predictions:

1. Employers will lock down phones.
2. DLP will gain (quasi ubiquitous) traction.
3. The term 'Abstract Persistent Threats' will die off.
4. The U.S. will creep towards EU-styled protections.
5. Public (Federal) data security benchmarks will emerge.

My $0.02 here:

-Employers need to lock down (& archive) social media too.....
-DLP, End-Point Security & Cloud-based IAM (IdM) solutions will all gain traction.....
-Who cares about APT....
-It is about time for the U.S. to have a thoughtful, coherent, cross-industry data security/privacy requirement. The States, and all of the Lawyers, have been having a field day with this. And, it is a barrier to entry.

Back in Black

Like the subject says we at nControl are hitting the ground running on all cylinders this week as life returns to normal. For us that means hectic and exciting.

Between new projects & clients, launching the CSA-DelVal Chapter, new workgroups (e.g. HITRUST's Cloud Security, etc.), and finally new schools & classes, life has ramped up big time.

It seems that SMBs are turning around, and as they do, so does nControl.

Happy 2011!

Intellectual Property, Privacy and Entrepreneurs

I just read the article below, which discusses a common thread amongst entrepreneurs, and that is failure. Specifically, elegant failure, and learning from it. Additionally, the article discusses how the entrepreneur in question avoids patent/Intellectual Property (IP)-specific fields for his venture capital (VC) efforts.

My thoughts about this are:

-IP/commercial privacy is a competitive advantage.
-If everything is open commercially, isn't that a dangerous precedent for individual privacy?
-This entrepreneur discusses openness due to high costs for IP licensing, so why not make IP less cost prohibitive?

http://www.bbc.co.uk/news/business-12019713

Monday, January 3, 2011

Happy New Year & HIPAA

Happy New Year everyone!

I woke up this morning to find an email from a listserv I subscribe to asking about HIPAA data, namely PHI storage. After some replies from the various readers, it was apparent that many know a little about HIPAA and its requirements, but few know a lot.

Is this what the creators of HIPAA/HITECH had in mind? Speaking of which, ask your Dentist about HIPAA.

Excuse my venting here, but in this economy I find corners being cut at patients'/customers' expense...... Is this the new status quo?

Saturday, January 1, 2011

Cloud Security

As usual I have stepped into a domain surrounded by smart go-getters, and find myself falling down the Rabbit hole. With 2011 here, and with my increased optimism in the U.S. economy, it is time to step up the networking, namely: Cloud Camp, PhillyAWS, PHL-VMUG and CSA-DelVal.

More posts on CSA, and the cloud to follow.....

Red Flags Rule Rescission

The Red Flags Rule has been revoked for the vast majority of the Healthcare industry, and looking back on 2010 I question this precedent as other industries (namely Legal) have successfully pushed back too.

What does this say for the state of regulation and privacy in the U.S.? Regardless, as I hear the reality that U.S. companies have ramped up hiring overseas, maybe mandates like EU and J-SOX will serve American consumers interests as well.