A federal Cyber Director with budget override/veto power on agency security budgets has been created. The article talks about this individual's ability to deem a cybersecurity budget inadequate, but how about the other way? Could this person invoke cost cutting measures, and if so, how much political pressure would that involve?
http://www.govinfosecurity.com/articles.php?art_id=3367
Monday, February 28, 2011
Additional Breach Prevention Tips
Some good points in the link below; however, I think they forgot encryption of unstructured data (PHI/PII) on laptops as well.
http://www.healthcareinfosecurity.com/podcasts.php?podcastID=1008&rf=2011-02-28-eh&hq_e=el&hq_m=973064&hq_l=27&hq_v=bb1cf70608
Friday, February 25, 2011
HIPAA Settlement
Is this a sign of things to come (e.g. a more stringent OCR)?
http://www.healthleadersmedia.com/content/LED-263046/MGH-to-Pay-1-Million-to-Settle-Potential-HIPAA-Violation
How about this:
http://www.dataguidance.com/news.asp?id=1456
Educating the (Tech) Masses About SAML
SAML: Security Assertion Markup Language
Layperson Denotation: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Techie Specific: http://saml.xml.org
Thursday, February 24, 2011
Magnetic Stripe Alternatives
With ATM/credit card skimmers so prevalent, I thought I would give my $0.02 on the good, the bad and the ugly as far as magnetic stripes are concerned.
First, credit cards now have RFID chips inside, so that technology is now serving as a second authentication method. However, RFIDs can be spoofed as well, though this is not as prevalent. At least not YET!
Second, some have suggested/advocated bar codes. This is not cost effective due to the need for additional infrastructure. And the same vulnerabilities exist as with magnetic stripes.
So, magnetic stripes are not foolproof, but neither are the alternatives.
Tuesday, February 22, 2011
VPN-Cubed
I had a service provider for a client mention this solution the other day, and I like what I see so far. It looks like the client is going to implement this within Amazon Web Services (AWS), so we shall see.
http://www.cohesiveft.com/vpncubed/
Monday, February 21, 2011
PCI DSS v2.0 & One Function Per Server Component
PCI DSS v2.0 Requirement 2.2.1 states that you can only implement one primary function per server component, and I have SMB clients that struggle with this requirement. We are developing plans to segment these servers out, but I question the capability of some organizations to do this.
I say this because I have seen Incentive Compensation and Customer Relationship Management (CRM) solutions that couple the application server and database server together, and these solutions are for Fortune 500 types. It will be interesting to see how quickly and efficiently these architectures change.
I am also waiting to see how the QSAs are going to handle a system coupled with a proprietary database system (e.g. Exchange).
Labels: 2.2.1, CRM, database, Exchange, Fortune 500, Incentive Compensation, PCI DSS, proprietary, QSAs, SMB, v2.0
Friday, February 18, 2011
Backup Tape Breaches
Frequently, I hear about breaches due to a stolen/lost backup tape (see the link below), and after a conversation with a colleague over lunch yesterday I am curious as to the extent to which this data is successfully 'ripped'.
To elaborate: for a malicious person to really use this information, they must find the correct hardware and software to 'rip' the data off of the tape. How often does this happen? What is the success rate? Inquiring minds would like to know.
http://www.healthcareinfosecurity.com/articles.php?art_id=3363&rf=2011-02-18-eh&hq_e=el&hq_m=956282&hq_l=27&hq_v=bb1cf70608
Monday, February 14, 2011
Friday, February 11, 2011
MPLS Testing
I am reading up on MPLS testing, which should be an attack vector included in your regular penetration testing. WAN-based testing needs to be done regardless of the technology used (e.g. MPLS, Frame Relay, ATM).
http://www.govinfosecurity.com/whitepapers.php?wp_id=377
Labels: ATM, Frame Relay, MPLS, penetration testing, WAN
What Constitutes A "Good, Secure" System
This comes from the link below. Here, a physician enumerates what constitutes a "good, secure" system to her. Points to note include:
-Usability
-Web-based
-Mobile
-Open
-Secure Messaging (Text, Email, Fax, Internally & Externally)
-eCommerce
-Iteration (Versioning)
http://www.emrandhipaa.com/emr-and-hipaa/2011/02/10/items-that-make-a-strong-emr-system/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+EmrAndHipaa+%28EMR+and+HIPAA%29
Thursday, February 10, 2011
GLBA, Safe Harbor & New Model Forms
We are reviewing the new GLBA model forms for several financial services clients, and the amount of confusion between GLBA and Safe Harbor never ceases to amaze me.
I always advocate that a firm should cover the most comprehensive jurisdiction first (Safe Harbor), and then work their way down (GLBA).
Internal Breaches
The article below highlights the continuous internal threat to confidential data.
http://www.healthdatamanagement.com/news/breach-university-of-iowa-football-players-41885-1.html?ET=healthdatamanagement:e1653:145757a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_020811
After reading this I wonder why such breaches are more prevalent in healthcare versus financial services. I assume it is due to medical charts, which represent consolidated data, versus relational data, etc.
ONC Has a Long Data Security and Privacy To-Do List Post Blumenthal
Blumenthal's successor will have a lot of work to do, especially from a data security and privacy standpoint.
http://www.healthcareinfosecurity.com/articles.php?art_id=3333&rf=2011-02-09-eh&hq_e=el&hq_m=940104&hq_l=27&hq_v=bb1cf70608
Rocky & Re-invention
It is corny and cliché, but I like the Rocky series of movies. As a born and bred Philly boy I certainly have a bias, and these movies are simple, but there are three recurring themes in them that we all could use.
These themes are:
-Mental Toughness: Rocky had the guts to step into the ring against formidable opponents. He also bounced back from defeat and setbacks.
-Re-invention: Rocky had to calibrate and re-calibrate his fighting style, and himself.
-Preparation: Rocky trained and trained some more. Preparation gives us confidence in life and reinforces our work ethic.
Monday, February 7, 2011
Moving to the Cloud
Google created the document below as a case study for moving to the cloud. I thought it could include more meat and less potatoes, but at least it shows some thought leadership.
http://viewer.media.bitpipe.com/1087307072_932/1278447656_279/MovingToTheCloud.pdf
Saturday, February 5, 2011
NIST SP 800-144: Regs for the cloud
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
So, I read this SP, and while it brings up points omitted by the Cloud Security Alliance's Guide, it is not as detailed as I thought it would be. I also find the document structure to be lacking. I expect the authors wanted to differentiate their work from past efforts (e.g. CSA, ENISA). Here are some points in SP 800-144 worth mentioning:
-Composite Services: a great point that cloud providers may use the services of other providers.
-Virtual Network Segmentation: peripherals as well as servers are mentioned here.
-Ancillary Data: account info and virtual images are mentioned, but not log data.
-Attack Vectors: they allude to rootkits and leave room for other nastiness.
Friday, February 4, 2011
5 Essentials of Global Leadership
Saw this in the inbox and thought I would share it:
http://www.bankinfosecurity.com/articles.php?art_id=3317&rf=2011-02-04-eb
It includes:
-Online Collaboration
-Constant Communication
-Establish a Reporting Structure
-Training and Education
-Frequent Travel
I would also add:
-Customization and Innovation
Wednesday, February 2, 2011
5 Common InfoSec Pitfalls for Healthcare
The author of the article below does a good job. However, we need to add mobile devices, search engine tracking and social media to that equation.
http://www.healthcareitnews.com/news/top-5-most-common-gaps-healthcare-data-security-and-privacy
Carrots and Sticks (for Privacy/Compliance/InfoSec)
I just read a blog post (below) that advocates/suggests that orgs/CPOs/CCOs/CISOs/ISOs use carrots (vs. the usual sticks) to entice employees, etc. to embrace privacy/compliance/InfoSec.
However, I have found that carrots work for training & awareness on an individual basis. In my (humble) opinion, the best way to have individuals follow best practices/policies/processes/procedures is to provide carrots to functions/departments/business units.
Why, you ask?
Well, such a strategy embraces esprit de corps, AND to be able to have such a competition one must have security metrics defined via an Enterprise Security Architecture (ESA)! Last but not least, to measure and analyze the results one must have a privacy/compliance/InfoSec dashboard and/or balanced scorecard.
So, a savvy CPO/CCO/CISO/ISO can leverage these methods for much more than having the org read and follow best practices.
Blog:
http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1526876,00.html?track=NL-430&ad=811361&asrc=EM_NLT_13246141&uid=8266525
Now, the genesis for all of this is a report (below) from the Ponemon Institute that states that those who embrace compliance have a lower cost associated with a data breach than those who ignore compliance altogether.
Ponemon Report:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1526917,00.html?track=NL-430&ad=811361&asrc=EM_NLT_13246143&uid=8266525
Tuesday, February 1, 2011
Firefox 4 & Do-Not-Track
Firefox 4, which will be the latest version of Mozilla's browser when it is released this month (February '11), promises to enable the Do-Not-Track feature.
http://www.v3.co.uk/v3/news/2274519/mozilla-firefox-privacy-chrome
Kudos to Mozilla! Now it is up to Mozilla's competition to follow suit.
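Do-Not-Track only helps when the sites receiving the signal act on it. As an added example (not code from this post, from Mozilla, or from the linked article), here is a small server-side handler that reads the `DNT` request header Firefox 4 sends (`DNT: 1` means the user opted out, `DNT: 0` means the user explicitly allows tracking) and decides whether to set a tracking cookie. The header name and values are the real DNT convention; the cookie name, the handler functions and the sample requests are constructed for illustration.

```javascript
// Added example, not code from the post or from Mozilla: a minimal
// server-side handler that honors the Do-Not-Track request header
// ("DNT: 1") that Firefox 4 introduced. The header name and the values
// "1" / "0" are the real DNT convention; the cookie name, the handler
// functions and the sample requests below are constructed for illustration.

// Interpret the DNT header. Header names are matched case-insensitively
// because Node's http module lowercases them while hand-built objects
// may not. Returns one of:
//   "opt-out"     -> user asked not to be tracked (DNT: 1)
//   "opt-in"      -> user explicitly allows tracking (DNT: 0)
//   "unspecified" -> header absent or carries an unrecognised value
function trackingPreference(headers) {
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() !== "dnt") continue;
    const value = String(headers[name]).trim();
    if (value === "1") return "opt-out";
    if (value === "0") return "opt-in";
    return "unspecified";
  }
  return "unspecified";
}

// Build response headers for a page that would like to set an analytics
// cookie. Policy: never set it when the user opted out, and only set it
// for an unspecified preference if the site chooses to track by default.
function buildResponseHeaders(requestHeaders, options = {}) {
  const trackByDefault = options.trackByDefault === true;
  const pref = trackingPreference(requestHeaders);
  const headers = { "Content-Type": "text/html; charset=utf-8" };
  // Let caches know the response depends on DNT, so a cached copy that
  // set the cookie is never served to a user who opted out.
  headers["Vary"] = "DNT";
  const track = pref === "opt-in" || (pref === "unspecified" && trackByDefault);
  if (track) {
    headers["Set-Cookie"] = "analytics_id=example; Path=/; Secure; HttpOnly";
  }
  return headers;
}

// Constructed sample requests: Firefox 4 with DNT on, a browser that
// explicitly allows tracking, and an older browser sending no header.
const SAMPLE_REQUESTS = [
  { "user-agent": "Firefox/4.0 (sample)", dnt: "1" },
  { "user-agent": "Browser/1.0 (sample)", dnt: "0" },
  { "user-agent": "Browser/0.9 (sample)" },
];

function demo() {
  for (const req of SAMPLE_REQUESTS) {
    const out = buildResponseHeaders(req);
    console.log(req["user-agent"], "->", trackingPreference(req),
      out["Set-Cookie"] ? "cookie set" : "no tracking cookie");
  }
}

demo();
```

The `Vary: DNT` header matters in practice: without it, a shared cache could serve an opted-out user a response generated for someone who allowed tracking, cookie included. Treating an absent header as "unspecified" rather than as consent keeps the default decision an explicit site policy instead of an accident of which browsers send the header.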
Cloud Consolidation: Software Giants and ISPs
With Verizon buying Terremark I see the beginning of the inevitable consolidation of cloud providers. I also believe that you will see additional ISPs/Telecom companies (e.g. AT&T, Virgin) go into the cloud to compete against the large software companies (e.g. Microsoft, Google).
I am interested to see if Verizon reached out to Rackspace, and if anyone else has them in their crosshairs.