Monday, November 30, 2009

Ponemon Institute Cyber Mega Trends

Ponemon Institute recently released their Cyber megratrends as listed below. While I agree with these I think there were a couple that could easily be added to the list. First I would either add or modify Web 2.0 into Web 3.0. Lets look to what is going to happening versus what is happening and just changing. Secondly, I suggest adding Vendor Risk Management. The vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like an employee but are not subjected to the same network security assessment requirements in many cases.

Regards
Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009

The Cyber Security Mega Trends Study was conducted by Ponemon Institute and sponsored by CA to better understand if certain publicized IT security risks are, or should be, more or less of a concern for organizations in the federal sector. We believe the results of our study will be helpful to organizations struggling to understand how they should allocate resources to help ensure their information systems are adequately protected.

Based upon in-depth interviews with IT security experts of Application security risk assessment and prior Institute research, we focus on 10 cyber security mega trends in this study. Each mega trend is believed to affect significantly an organization’s security ecosystem.

Cloud computing – refers to distributed computing solutions that can be owned by thirdparties on data center locations outside the organization’s IT infrastructure.

Virtualization – refers to enabling technologies that allows end-users to access multiple secure networks from a single computer, wherein the PC or laptop essentially acts as the authenticating device.

Mobility – refers to a workforce with access to information no matter where they work or travel and wherein employees can use mobile devices when they travel or work at home: laptops, smart phones, PDAs, memory sticks and more.

Cyber crime – usually describes criminal activity in which the computer or network is an essential part of the illegal criminal activity. This term also is used to include attacks in which computers or botnets are used to enable illicit activity such as data theft or denial of service attacks.

Cyber terrorism – is a specific form of cyber crime in which the end goal is to disrupt or harm a targeted country or region of the world. This term also is used to describe attacks that attempt to steal national secrets including information that minimizes a nation’s defense or economic posture.

Open source – is computer software for which the source code and certain other rights normally reserved for copyright holders are provided under a software license that is in the public domain. This permits users to change, improve the software, and redistribute software in modified or unmodified forms.

Data breach – is defined as the loss or theft of information about people and households. A majority of U.S. states now require organizations to notify individuals when their information is lost or stolen.

Unstructured data – is electronic information on file servers and other storage devices that are not stored in a database or other structured formats, usually resulting from workplace collaboration tools such as SharePoint.

Outsourcing – usually pertains to the transfer of sensitive and confidential information to third parties for data processing or other activities. Outsourcing is done to reduce processing costs and improve operating efficiencies.

Web 2.0 – refers to a plethora of Internet tools that enhance information sharing and collaboration among individuals. These concepts have led to the evolution of web-based communities and hosted services, such as social networking, social messaging, wikis and blogs.

Thursday, November 12, 2009

HIPAA Vendor Compromised Healthcare Records

This is story that is several months old, but as I came across it, i thought it would make a good point. A vendor handling healthcare records has lost social security numbers of people in March of 2009. In this case, Health insurer Aetna, Inc., is reportedly providing 65,000 individuals with free credit monitoring for a year after its job application Web site was breached, the Associated Press has reported.

The Web site, which was maintained by an outside vendor, had Social security numbers of current and past employees and individuals who received job offers from the insurer, the AP reported.

The site reportedly held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about job openings. Spokeswoman Cynthia Michener said Aetna doesn't know how many were copied, but the site has been disabled and is undergoing a "thorough forensic review" or you can say network security audit by an outside company.

So here we have a health insurer compromising personal data. People already recieve so much spam email that their real email is suspect. If your provider Aeata seems to be sending ligitimate emails to you, that can get confusing.

As noted in the article "This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee's laptop computer containing certain personal member information was stolen from a car in a public parking lot."

If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But as we see in almost all industries, its very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

Tuesday, November 10, 2009

Ways to Maintain Website Security

With the advancement in technology comes the heavy responsibility of monitoring an organization's sensitive and valuable information. The use of the Internet has become a necessity in organizations to exchange their data and various other business details with their business partners, vendors and clients. In many cases, during transmission of datahackers compromise a network or transmission medium and illegally gain the data. It maligns not only the market value of the company but also the number of clients that place trust in the company and the company’s infrastructure or website.

There are preventive measures that every company can adopt to maintain the value of the company as well as the client base. It is very important for any company to maintain the data securityase and safeguard the internal information of the company. The clients and business partners share their data only after confirming that the partner company will keep it safe and intact under the safety norms of the company.

By taking a few cautionary measures, one can easily secure the sensitive information of the company. Installing a firewall in the network system keeps the security intact and safe. Earlier, this was a bit expensive for companies but with the advent of technology, this has become an easily accessible tool for the organization. Affordable monthly subscriptiuons are available for firewalls, Intrusion detection systems and host intrusion prevention systems . hey need not spend a lot of money in availing these services now.

A firewall is the main defense. A firewall carries out routine security checks and blocking techniques at particular time intervals and this helps stop attacks. It will sound an alert in case of any threat posed to the data and will automatically start blocking and reporting. on it. It never compromises on your company's security and safety and always keeps the information safe. Firewall protection can be easily availed from various online sources at quite reasonable rates but one must always cross-check the credentials of the source company as well and only then purchase it from experts in the field.

Other than installing these tools to maintain web security, companies are also hiring third parties to review the policies and procedures of the organization and also to keep track of the online process of distribution of data of the company. These third parties install web applications that thoroughly review the codes installed in the process and provide valuable feedback to update and upgrade the quality of network systems. hough it is somewhat expensive to employ third-parties but they really keep a detailed track of the security system of their clients' information.

Many network systems of very renowned companies are getting hacked and misused these days by the hackers. It is high time that the companies take proper action against such activities and thefts as the number of incidents are growing day-by-day. Otherwise, people will start losing their trust in sharing their personal information through web sites.

A web security expert with the skills of application security risk assessment has written this article.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

Friday, November 6, 2009

HIPAA Compliance Data Breach with a Foreign Supplier

Recently, the Economic Times Report in India discussed a successful “Sting operation by a UK agency in which some health related data was bought from a medical transcription company” . What this means is all that perosnal and HIPAA confidential data that was being transfered for transcription got stolen in the most likely scenario. There have been few stories of this type of Data Breach so far. The Suppliers to US companies have not made the headlines but this might be just the begining fo that wave. The two components of HIPAA Security are Logical and Physical Security. Remote partners can easily breach your logical security controls.

Is there any real view that the US can export the security laws such as HIPAA Security to all parts of the world that handle US customer data? How do you monitor the activities of your suppliers once the data has left yoru network? In the US, a company can control all the security devices such as Firewalls, Intrusion Detection Systems, Antivirus on Servers and Patch Management of servers hosting confidenial data. There are all parts of most security regulations including PCI, SOX, GLBA and more. But the endpoint of security has left these shores and resides in India, China, South America, Vietname and anywhere else you have a supplier.

As your data now resides in a foreign country, what are the reporting requirements of a breach? HIPAA security policy has timeframes, reporting requirements and penalties. The only real penalty a company oversea may face is loss of the contract. Few governments are upt o enforcing security rules outside of actual hacker activity.

So what are some steps you can take to implement Supplier Security?
1) Conduct a Vulnerability Assessment of your connectivity to your Suppliers’ networks
2) Define process and policy controls that the Supplier has to have in place in order to hold your data
3) Assign risk ratings to all data the Supplier handles
4) Conduct an risk assessement of the impact of losing the data
5) Develop a Incident Response plan for the Supplier losing your data
6) Asses the supplier security procedures on a yearly basis

Monday, October 26, 2009

IPhone Apps Every Road Warrior Entrepreneur Needs

The Blackberry has been the mainstay of the business world for years. But as we know, the IPhone is eating away at market share. There are over 75,000 apps for the IPhone now and growing steadily. For those who have Blackberry Thumb, you can probably look forward to IPhone Index Finger at some point in the future as you switch away from the Blackberry.

Why should you switch from the Blackberry? Well there may not be a good reason. The Blackberry has a number of apps and it is secure, it has encryption and has been beaten up on the security front like network security assessment and application security testing. It’s ingrained in businesses and Blackberry Enterprise Server is well known to many IT administrators.

The Entrepreneur can use both devices. Let’s assume there are at least some people using the IPhone, what apps should they have in their toolkit? Of the thousands of apps, how can you pick a few that would be beneficial to the Entrepreneur Road Warrior? Well the way I picked them is through word of mouth , that are of benefit to me and comes with network security assessment tools. I travel, work in my car, have meetings at all times of day, I am away from the office for days or weeks.

Take these with a grain of salt and do not send any flame emails. But please send in the apps that you think should be shared with the world or at least readers of this Blog.

Urban Spoon

First up is Urban Spoon. You are thinking, well that’s not some kind of spreadsheet or financial app. What is the business purpose? The lifeblood of the Entrepreneur is networking , managed security services, application security risk assessment and deal making. Where deal making most of the time involves some kind of meal. Urban Spoon can find you restaurants by cuisine, by neighborhood, by cost, by distance. Everything you need for a meeting is the most random city.

urbanspoon1

AroundMe

In the same vein as Urban Spoon, is AroundMe . Say you are on your way to an important lunch you have setup with a restaurant you found on Urban Spoon but you are almost out of gas. Use AroundMe to find the closed gas station. Or if you need cash to pay for that gas because your Amex Card has been cancelled, find the closest bank.

aroundme

GoogleMaps

Well this is pretty obvious. But when you are traveling and maybe forgot to bring your Garmin GPS and do not feel like paying the rental company an extra $11.99 a day to rent their GPS , this is just as good.

ReQall

This is a pretty useful app. The developers were one of the www.TiE.org Top 50 companies this year at TiECon. The app captures your voice, translates it to text, organizes your calendar based on your voice messages, integrates into Outlook or Google Calendar and provides memory assistance. It’s great when you have no pen or driving in a car or need a memory reminder.

reqall

FlightAware

For the true Road Warrior, there is no road, there is the sky. So when you are rushing to the airport or think you need to rush to the airport, track down what is going on with your flight. Check out FlightAware to get an update and help you plan that trip to the airport.

flightaware

TweetDeck

Social Media, the latest buzz word, actually has some teeth. Small companies and the Entrepreneur have to be connected to the work whether you like it or not. Twitter is a way of life these days even if people seem to be twittering their lives away. How do you tell your followers that you are stuck in an airport in Baltimore? Try using TweetDeck.

tweetdeck

These Apps don’t seem very business-like, but the Entrepreneur is practical, cheap, requires network security audit tools and has to get things done today . These help you achieve your million tasks on a timely basis.

Gary Bahadur

http://www.kraasecurity.com/

http://blog.kraasecurity.com/

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

Sunday, July 26, 2009

This Time Its Network Solutions Reporting a Data Breach

For a long time, various well known companies have been the target of hackers. This has resulted in huge data losses for the company as well as the client's that are associated with the company. Many companies have faced several financial charges by the government or by business partners to satisfy penalty fees.

Network Solutions, which specializes in the domain name registration industry, has recently reported an incident of a breach of data. The breach occurred during March 12 to June 8 2009 and was detected in a check carried out by the company. Though this breach was detected in June, the company took around a month's time to decipher the code that was used in hacking the domain. By that time the hackers had hacked their e-commerce services and had already diverted the transaction details of more than 500,000 registered companies. This shows that industries are still lacking in security measures to prevent the loss of important data.

Network Solutions company issued a statement saying that till now no incidence reporting misuse of information has been reported by any merchant company. The company is now enlisting all those merchant clients' who had made any transaction in between that period. These clients will in turn notify their customers who will then inform their banks to block the credit cards to avoid any misuse.

Network Solutions has offered to bear all the expenses that the customers have suffered. But isn't it more correct to take a few precautionary measures beforehand than facing such incidents? Data loss prevention and a network security assessment are the best tools available for the security assessment of any website and it also helps in avoiding such incidents.

There have been many such companies reporting breaches in the past that have resulted in the bad reputation of those companies. Heartland Payment Systems and RBS WorldPay are a few examples of such breaches. Both these companies had been removed from the Payment Card Industry Data Security Standard (PCI Audit) services' list. The loss of clients and market value was an additional issue.

These incidents indicate that various other similar companies are exposed to such risks. But if they take certain measures to keep their network system in check, they can surely avoid experiencing these kinds of losses. This also ensures the goodwill of the company in the market thereby attracting more clients.

An expert with knowledge of Information Security Risk Assessment has written this article.


Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Tuesday, July 21, 2009

Web Security Testing has come of age

Website security is the one of the most dangerous places for a company. If you look at a layered security approach, we start out with the internal network. There we have host security, patch management, host IDS and other server based technologies. Next we have the network security layers, network intrusion detection, network monitoring and firewall protection. So if we have the internal servers secured, the network protection place, what is left is the only wany an attacker can possible get into a secure environment.

The website is the open frontdor to many companies. Security education for both the developers of website applications and the users of web sites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?

So on Linkedin, I asked the quesion of what are the Web security tools that are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.

1) Foundstone http://www.foundstone.com
2) Acunetix WVS http://www.acunetix.com
3) Scrawlr https://h30406.www3.hp.com/
4) N-Stalker http://www.nstalker.com/
5) Nikto http://cirt.net/nikto2
6) Scarab http://www.owasp.org
7) WebInspect http://www.hp.com
Fiddler - http://www.fiddlertool.com
9) Samurai Web Testing Framework – http://samurai.inguardians.com/
10) FireCAT - http://www.security-database.com
11) W3af http://w3af.sourceforge.net/
12) CORE Impact http://www.coresecurity.com/content/web-app-pro
13) Appscan http://www-01.ibm.com/software/awdtools/appscan/

Having listed these and of course there a re a number of other tools. (Please send me any comments on other tools you like). Running a tools is a first and easy step you can take to close that open web door (Webdoor, i am going to try and coin that phrase). If you can target tactical prablems, get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.

The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls

Do not get lax when it comes to Web security. Its a bit black magic and a lot of hard work but as its the “webdoor” try and keep it closed.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity

Monday, July 20, 2009

HIPAA Assessments are the next wave

In February, CVS was ordered to pay a fine of 2.5million dollars by the FTC. This fine was because their employees threw out personal information about patients. Who knew poor recycling programs could cost so much? HIPAA has been around for a number of years but not until recently did we see that it has teeth and companies are going to be held accountable. CVS has to have an assessment every other year now for 20 years. And assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as Firewall protection, Antivirus, Encryption, Vulnerability Scanning and much more. I am sure conducting an assessment rather than getting fines would have been much cheaper for CVS.

The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.

There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.

For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.

Regards
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
ta8vuc4i3r

Data Breaches are misunderstood

The Ponemon Institute and Ounce Labs (www.ouncelabs.com) released a study on the view CEOs have regarding data protection in their environment. In the study of 213 CEOs and other senior executives, CEOs did not share the same view on how secure their organization is with their executives. 92 percent of respondents said they were attacks. Who has the more realistic view of data security? Could it also be the fault of the executives who usually do not share all the bad information with the CEO? That is probably part of the security education challenge the CEO faces.

The study also found that 33 percent of C-level executives replied that attacks happened "hourly or more often," while only 17 percent of CEOs said the same thing. That’s a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously tactically speaking it fall under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens such as in the case of TJ Max, its the CEO who has to appear on television to explain what happened and answer to their customers.

How do you apply metrics to report appropriately to the CEO? That magic "Dashboard" is what everyone is after and no one gets right. A good Compliance dashboard that you may want to check out comes with the reports from RiskWatch software (www.riskwatch.com). Its worth a look.

The category of technology CEO's need to focus on these days is Data Loss Prevention (DLP). Every major company in security has a DLP product and the reason is probably because the education is finally in the market around the necessity of looking at all inputs and output of data in the organization. A data breach can be caused by lack of proper firewalls, no antivirus, no browser protection, not malware protection, lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows and what the data life cycle really means if they are to truly grasp the threat to their environment.

Prevention is really worth more than detection. If the CEO doesn’t bridge the gap to thinking they might be secure to understanding that they are under attack ever day and perhaps every minute, data breached will continue to occur.

Gary Bahadur
CEO KRAA Security, baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Monday, June 22, 2009

Wireless Risk Assessment needed Keep Problems at Bay


Every organization works towards making itself more secure and protected. Its main aim is to protect the data relating to both the organization as well as it’s valued customers. With so many security breaches happening in companies these days, it has become essential to save a company's sensitive information from being stolen or hacked. The article talks about importance of wireless risk assessment to avoid a serious security threat in a company.

Wireless security has become a major challenge for the companies as wireless become pervasive. Companies do install security systems but they forget that it needs to be checked both internally and externally on a daily basis. They need to understand the importance of wireless security system to secure the channels through which they share and transfer their data. Otherwise, it would be tough to control, monitor and verify the network sources of wireless data.

To help these organizations carry out their task efficiently and effectively, there are many tools and services available. Wireless Application security risk assessment is the a service that offers complete security. It thoroughly checks the data you use and transfer, checks the various policies and procedures of your company, keeps conducting routine checks for data analysis and offers guidance for safeguarding these kinds of activities against future problems.

You can maintain the information of your organization by using this risk assessment process. It conducts both internal and external tests. . It also offers a complete report of the results found and offers solutions to solve the problems. These services can be affordable in a typical environment.

This security assessment process is also available for various mobile phones as they are also becoming the targets of attack Typical safety measures that you can install for safeguarding your information include installing firewall protection, intrusion detection, and host monitoring.


Things will be alright if you take a few steps to avoid problems beforehand. By installing these security processes and tools in the network, you can easily ensure the long-term safety and security of the organization. After all, this is ultimately going to benefit your company and customers. Maintaining wireless security in both the network system and mobile phones has become necessary as they hold valuable information.

An expert of network security assessment , of KRAA Security a leading application security risk assessment company, has written this article.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Saturday, June 6, 2009

Vanguard Security Conference - Supplier Security

I spoke at the Vanguard Security Conference (http://www.go2vanguard.com) Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have back in the mid-90’s. We perhaps I shouldnt be do happy, it was over a decade ago.

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

-No framework for managing vendor risk
-Inconsistent processes for tracking vendors
-Lack of enforcement capabilitiesThe Problem:

The Opportunity:

-Provide practical steps to manage vendor access/management
-Provide cost effective solution for risk mitigation
-Provide numerical risk analysis of vendor/partner security issues
-Risk reduction or risk acceptance
-Documented exposure
-Iterative process for risk management
-Happy CIO

So a Supplier Security assessment follow 4 main steps:

1 Analyze current vendor database, catageorize each determine risk of each supplier,

2 Determine threats posed by each supplier
3 Perform assessment tests of each supplier, their processes of interaction, and data access
4 Develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Friday, May 29, 2009

US to set out cyber security plan -Baha to the rescue

Why did it takes us over 2 decades to really approach the cybersecurity topic. When I started in informatio security in in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse and we had the first ever corporate "Hacking Lab" in NJ to test our clients security weaknesses. Those were Good time. Now we are just in Regular times.

So what can we expect from the Czar?

The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.

Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is "untenable".

Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.

Good plan right?

My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.

We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUSt have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.

Baha - new Cybersecurity Czar
baha@kraasecurity.com
www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.

In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House.

Both US government and military bodies have reported repeated interference from hackers in recent years.

In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said.

Mr Obama will not discuss the Pentagon plan during Friday's announcement, the newspaper said.

But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.

'Serious threats'

The 60-day review was carried out by Melissa Hathaway, who has been serving as interim White House cyber security adviser.

The new office is expected to co-ordinate a multi-billion dollar effort designed to restrict access to government computers and to protect systems - such as those that run the stock exchange and air traffic control - that keep the country going, reports BBC defence and security correspondent Rob Watson.

Friday, May 22, 2009

Buying Malware rather than getting it for free

This kind of incident (see article below) seems to be happening every few months. So you purchase a product (netbook) and it comes infected. No longer do you just have to worry about it working, or if the OS will behave nicely or the drivers will work with your printer. If the manufacturer can not control malware, what hope is there?

I am pretty puzzled about how the malware actually got on the machine. The article doesnt delve into too much detail, but looks like maybe a driver was infected that got placed on the machine. This seems to say the manufacturer does not use any kind of antivirus, or antimalware to test the security of the system before shipping it out. It also calls into question the security processes in place around managing software and development. A bit scary.

So what are some things you can do to protect against malware (i hope you know most of these already)

1) Use a firewall - A good personal firewall will help defend your system, especially if it has the capability to monitor outbound traffic or stop unknow programs from being run or installed. Try Zonealarm, free version.

2) Run anti-virus - This is obvious. while many antivirus programs will miss a lot of malware, you need a defense in depth strategy. Try AVG or Avast.

3) Install patches - A must do. Keep your systems patched because many worms, virus, and malware take advantage of unpatched system vulnerabilities

4) Use antispyware - This is a bit different from antivirus. It can stop malicious code from running and warn you of registry changes. A good start for the beginner is SpywareGuard and Spybot S & D.

5) Protect the browser - Browser protection software can stop activex controls from running, protect you from tracking cookies and known malware. Two examples are SpywareBlaster and IE-SpyAd

6) Stop Surfing Porn!

Baha

baha@kraasecurity.com

www.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test


++++++++++++++++++++++++++++++++++++++++++++++++++++

Netbook comes with factory-sealed malware
Chuck MillerMay 20, 2009
SC Magazine
In a rare occurrence, a brand-new factory-sealed netbook has been found to contain malware, according to researchers at Kaspersky Lab.

The factory-infected device, an M&A Technology Touch netbook, came with trojans on the disk image, found during a routine compatibility test.

“This case shows once again that even brand new products can leave the factory infected,” wrote Roel Schouwenberg, senior anti-virus researcher with Kaspersky Lab, on the company's Viruslist blog. “Safeguarding against infected new devices is particularly difficult.”

The machine seems to have been infected while technicians were installing drivers for the machine, he said.

“Given the dates associated with the files, it was clear that the infection had to occur somewhere in the process of putting these things together, or while installing drivers,” Schouwenberg told SCMagazineUS.com on Tuesday. “So it's logical to assume that a whole batch of these machines is infected.”

The infections found were examples of a common malicious family that tries to steal the online passwords of gamers and to spread to USB devices. The nature of the malware seemed to indicate that it showed up on the computer purely by accident.

“Games are very graphics intensive," Schouwenberg said. "Netbooks are not necessarily the best platforms for games. That means the malware was probably not specifically targeted to these machines.”

Manufacturers should have proper security processes in place, he said. Some makers, for example, actually have metal detectors to be sure that nobody walks into the factory with a USB stick, which they may use to accidentally introduce malware into new hardware.
Individuals at M&A Technology, which makes products for education, government and corporate customers, were informed of the problem, but did not respond publicly other than to say that they would look into it, Schouwenberg said.

Sunday, May 17, 2009

iECon 2009 Conference - great companies you should know

The TieCon 2009 conference just concluded (www.tiecon.org). It was two days of meeting some very interesting entrepreneurs, hearing some good talks on everything from CleanTech to VC funding strategies.

What I thought was very interesting and different, was the TiE50. 50 companies were selected that were successful, interesting and hopefully on the road to making an impact. Several that I thought were worth a shot are:

1) Jajah (www.jajah.com) Global phone-to-phone. Make a JAJAH call anywhere - on your mobile or landline phone to save money and keep in touch with friends and family. JAJAH can save you up to 98% on your international phone calls. It connects you using your existing phone. No contract, no software, no headset, easy to use!
2) Kiva (www.kiva.org) Lets you make loans to entrepreneurs in developing nations. Microlending is really a way to change the world.

3) Splunk (www.splunk.com) Splunk is the IT Search company changing the way organizations manage, secure and audit their IT infrastructures. Splunk is software that lets you search and analyze all your IT infrastructure data from a single location in real time. With Splunk, now you can troubleshoot application outages, investigate security incidents, and demonstrate compliance in minutes, not hours or days.

4) Xobni (www.xobni.com) The Outlook plugin that finds people & email in your inbox.

5) Reqall (www.reqall.com) Remember what's important to you with reQall. reQall is a voice-enabled memory aid that seamlessly integrates your mobile phone, email, text messaging and IM into a powerful organizer, reminder system and productivity assistant. reQall lets you capture your ideas, tasks and commitments before you forget, and it proactively keeps you well-prepared and memory-strong.

Check them out,

Gary Bahadur

http://www.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Healthcare Security- Identity Theft and Hacker ransom

I hope no one is actually shocked by this story. Records are stolen everyday. Typically, the hackers will sell the information in the underground somewhere is Eastern Europe or Asia. The fact that someone is asking for ransom, and so publicly it actually a good thing in my opinion. Why is it good you ask? (I assume you are asking that, vulcan mind meld and all that..) Maybe the industry (meaning all industries) need a sensational story to get real change in their IT Security environments.

When the Heartland data breach happened, it was interesting but the general public didnt find it sexy enough. A ransom note, publicly done makes for good drama. Equate it to the Somali pirates. They really broke in the news because of the weapons they captured. This might be the "weapons" story that gets the general public asking about security of the places they use on the Internet.

Identity theft is on the rise. Most companies never do a web application security assessment. They almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, well your last line of defense can save your hide.

So what are some things you can do to protect your website?

1) Conduct a web application security assessment. You should probably do this twice a year or anytime you make any significant changes to the application.

2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find away around the application and perhaps get to the data through a different port.

3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised

4) Conduct a database security review. Your last line of defense, make sure the data in encrypted, access is completely authenticated and IDS on the database to flag and stop inappropriate access

5) Hire someone smart to do your security assessment.

Gary Bahadur

http://www.kraasecurity.com

o:888-KRAA-911

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test



+++++++++++++++++++++++++++++++++++++++++++++++

The Channel Wire
May 06, 2009
Hacker Holding Health Records Hostage Demands Ransom
A hacker wants $10 million for the return of nearly 8.3 million patient records stolen from a Virginia prescription database last week.When users logged into the Virginia Prescription Monitoring Program (PMP) site April 30, they found a ransom note that also was posted on Wikileaks, a site that posts untraceable documents. The PMP has since disabled the link.
"I have your [expletive]!" read the note on the Wikileaks site. "In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uh-oh :( For $10 million, I will gladly send along the password."

Virginia set up the database in November 2007 after a spate of serious crimes primarily involving OxyContin made headlines, including a segment on "60 Minutes." The PMP was designed so that pharmacists can cross-reference prescriptions to see if a patient is issued multiple scripts for narcotics by different physicians.

The PMP extortionist warns that, "If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid. Now I don't know what all this [expletive] is worth or who would pay for it, but I'm bettin' someone will. Hell, if I can't move the prescription data at the very least I can find a buyer for the personal data (name, age, address, social security #, driver's license #)."

This is not the first time and certainly won't be the last that hackers have broken into health information records and demanded money for the return of confidential records.

In November 2008, Express Scripts, one of the largest pharmacy benefit management companies in North America, fell victim to this practice that has been dubbed "cryptoviral extortion."

"A small number of its clients have received letters threatening to expose the personal information of its members," the company said in a letter on its Web site. "The threats are believed to be connected to an extortion threat the company made public last week."

Those letters included personal information such as Social Security numbers, dates of birth and, in some cases, prescription information, the company said.

Express Scripts said it first received a letter the previous month that threatened to publicly expose millions of the company's members' records if an extortion threat was not met. The original letter included the personal data of 75 Express Scripts members.

The company is working with the FBI, and has posted a $1 million reward for the arrest and conviction of whoever is responsible for the breach. Express Scripts also said it would offer its members free identity restoration services from Kroll, a New York-based risk-consulting and global data security firm, if they become victims of identity theft because of the hacker.

Express Scripts said that it is not aware of any actual misuse of its members' data.

Friday, May 1, 2009

Encrypt Your Laptops to Safeguard Information

With the advancement of technology come its disadvantages as well. As the technology is improving, the number of thefts and fraud activity is on the rise. To hear about stolen laptops has now become a normal news story. Companies usually store their data in their systems or laptops and forget to keep a backup copy of the same data or even to encrypt that data. This data includes all information regarding the employees of the company, business clients and the valued customers of the company. Recently, Oklahoma’s Department of Human Services (DHS) had reported that an unencrypted laptop containing information regarding millions of customers was stolen by an employee of the agency. The laptop contained their all important information regarding their complete background as well as their social security numbers, though the agency is somewhat sure about the safety of the data as the laptop was protected by a password.

The personal data stored on the laptop should be on an encrypted share or drive, i.e., it needs to be there in a way so that no one other than the assigned person can get access of this highly valuable data. You may have highly confidential details that should not be disclosed. The customers share their information on the basis of the fact that as per the guidelines of the company, the data would be safe within the company only.

There have been many laptop thefts reported by many reputable companies. The laptops containing sensitive information get stolen, posing a security threat to the company. Whether the amount of customer data on the laptop is for one or one hundred, it can have a very damaging affect on the company and the customers. IN most cases, the records number in the thousands or even millions. not like only one or hundred clients are associated with the company. But the client base encompasses a mass of millions of people and certainly involves huge risks if they face any security breach.

There are many ways to ensure safety of the data even if the laptop gets stolen. First of all, it should be encrypted with PGP Encryption system which helps in protecting all the data by offering various encryption applications. the chances of growth and profitability of any company. Automated patch management is another way of keeping your laptop's sensitive information safe. Firewall protection is also necessary for protecting your laptop against harmful attacks or when surfing suspicios sites. To keep it safer, you should also protect your hard disk with a password as it makes the cracking very tough for the fraudsters.

on increasing. Recently, Oklahoma’s Department of Human Services (DHS) had reported that an unencrypted laptop containing information regarding millions of customers was stolen by an employee of the agency. The laptop contained their all important information regarding their complete background as well as their social security numbers, though the agency is somewhat sure about the safety of the data as the laptop was protected by a password.

So, it is better to take some measure beforehand, rather than facing such risks in the future. These are easily available tools that need to be used by every organization so as to maintain their clients and growth.

An expert with the knowledge of Application Security Risk Assessment has written this article.

Monday, April 20, 2009

Twitter Your Security Away

As social networking takes over our lives, much like the Borg, we are freely giving away our personal information. Its information devaluation. Twitter, facebook, MySpace, Flickr, Linkedin, etc are all pretty much conditioning us to be one with the Internet universe. Why shouldnt every person we know have the latest update on what you had for lunch or what your favorite color is or your dogs name or your highschool?

Interesting that these are the same questions your online back account asks you as challenge questions. How long until some really cool tool gets released by the underground that can scan a Profile, and ctageorize data into all the fields a bank usually asks as a challenge question? (I should trademark the concept)

Stop the madness. That includes all these Blogs! Down with Blogs!

Gary

baha@kraasecurity.com

www.kraasecurity.com

Managed Security Services

++++++++++++++++++++++++++++++++++++++++++

Gartner have published a document (in PDF format) on their analysis and recommendations on the above subject:

QUOTE
Analysis
Twitter's recent security issues follow the same arc that many other consumer-grade services have experienced. An innovative idea is quickly turned into a cool Web site that attracts lots of consumer use. Security is, however, not typically part of the cool site's business model. Hype about the potential businesses use of the new technology quickly leads to malware attacks. After a successful attack, security measures that were not built in are "sprinkled on."

This pattern will not change anytime soon. There will always be real reliability and security differences between consumer- and business-grade technologies. But there will also be real business benefits to using consumer-grade technologies before they are "business-strength." Enterprises must consider the cost of integrating or adding security controls to contain the risks of using these technologies before they reach security maturity. Trying to ignore or block them simply will not work.

Recommendations

All enterprises:
Ensure that everyone who accesses enterprise systems is aware of the risks of using consumer-grade technologies such as Twitter.
Update Web security gateways and network intrusion prevention systems to block transmission of the malware used in the Twitter attacks.
Require malware blocking and data loss prevention capabilities in any business plans using Twitter or other consumer-grade technologies
The document can be downloaded from http://www.gartner.com/DisplayDocument?doc...;ref=g_homelink

Monday, April 6, 2009

Well it is really about time that firms figure out that is you look at the development cycle, you might find the vulnerabilities before you place you applications into production. An ounce of prevention is truly worth more that a pound of cure.

Having a third party review you app really does make sense. Its a bit more expensive on the front end, but you save a lot down the road by not being hacked, not having to spend money on testing a production environment and keeping you name out of the paper. Secure coding is such an obvious fix yet most companies do not spend nearly enough on dong this.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
Managed Security Services



++++++++++++++++++++++++++++++++
More companies seek third-party Web app code review, survey finds
By Robert Westervelt, News Editor
24 Mar 2009 | SearchSecurity.com
Companies are paying closer attention to secure software development to reduce shoddy code, which often results in gaping holes that expose sensitive information, according to a new survey conducted by the OWASP Foundation.
The OWASP Security Spending Benchmark Report surveyed about 50 organizations to determine their spending on secure coding; OWASP found that 61% of those surveyed had an independent third-party security review of software code to find flaws before Web applications are used live. The percentage surprised Boaz Gelbord, executive director of information security at Wireless Generation Inc., who organized the report with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc. Gelbord said the predominant thinking has been that companies are conducting code review in-house if they're doing it at all.

"One thing that cuts across all the statistics is a growing approach toward secure coding," Gelbord said of the survey.

It's OWASP's first survey on secure software development budgets. Gelbord said the organization is trying to measure spending habits and over time gauge whether companies are placing an emphasis on building applications with more secure software code. The goal of the project is to establish an industry accepted benchmark for justifying overall Web application security spending, Gelbord said.

About half of the respondents consider security experience as at least somewhat important in hiring new developers. The figure is a positive sign that companies are trying to place a greater emphasis on secure software development, Gelbord said. The majority of those surveyed also said they provide software security training both internally and externally.

Spending on Web application development is expected to be flat or rise slightly during the economic downturn. But the survey results were somewhat inconclusive. The survey found that Web application security represents 10% of security spending in 36% of the companies surveyed. Another 33% of firms surveyed did not know what portion of security spending is on Web applications.

Sunday, March 22, 2009

U.K. to monitor, store all social-network traffic?

Social networks are the downfall of information value. Well maybe just personal information valuation. While this story is about Big Brother UK style, the real threat is people sticking their virtual assets out there in the wind. Think about all the questions a bank asks you when you are authenticating to you banking account. Pets name date of birth, hometown etc. People put all this info in their facebook, myspace etc.

So hacker will eventually come up with a data mining program that can go through a profile and categories all the answers to these types of questions and have a complete database on people. Sad but true.

Gary Bahadur
www.kraasecurity.com

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test



+++++++++++++++++++++++++++++++++++++++++++++++++
March 18, 2009 9:51 AM PDT

The U.K. government is considering the mass surveillance and retention of all user communications on social-networking sites, including Facebook, MySpace, and Bebo.


Vernon Coaker the U.K. Home Office security minister, on Monday said the EU Data Retention Directive, under which Internet service providers must store communications data for 12 months, does not go far enough. Communications such as those on social-networking sites and via instant-messaging services could also be monitored, he said.

"Social-networking sites such as MySpace or Bebo are not covered by the directive," said Coaker, speaking at a meeting of the House of Commons Fourth Delegated Legislation Committee. "That is one reason why the government (is) looking at what we should do about the Intercept(ion) Modernisation Programme, because there are certain aspects of communications which are not covered by the directive."

Under the EU Data Retention Directive, from March 15, 2009, all U.K. ISPs are required to store customer traffic data for a year. The Interception Modernisation Programme, or IMP, is a government proposal, introduced last year, for legislation to use mass monitoring of traffic data as an antiterrorism tool.

The IMP has two objectives: that the government use deep-packet inspection to monitor the Web communications of all U.K. citizens; and that all of the traffic data relating to those communications are stored in a centralized government database.




Tuesday, March 17, 2009

More Hacking Fun

Just another hacker story from New Zealand. The interesting thing is that it with all the data stolen fromt he online forms for credit card applications, the theft provides a great way to open legit credit cards somewhere else. So how do you stop legitimate applications from going through now? You have to love the "2 years of free credit monitoring" that all the hacked companies give you.

Hackers steal Shell customer information
Tue, 17 Mar 2009 10:17a.m.

Online hackers have stolen personal information from almost 6000 Shell customers in New Zealand and Australia. Shell spokeswoman Jackie Maitland confirmed to NZPA today that 1400 New Zealand customers were affected and another 4500 in Australia.
Both the New Zealand police e-crimes unit and the Queensland police were investigating.
Ms Maitland said the information obtained by the hackers was contained in online application forms for a Shell fuel card.


Gary Bahadur
KRAA Security
info@kraasecurity.com
www.kraasecurity.com
Managed Security and Consulting Services
Managed Firewall
Managed IDS
Managed Email