Monday, November 30, 2009

Ponemon Institute Cyber Mega Trends

Ponemon Institute recently released their cyber mega trends, listed below. While I agree with these, I think a couple could easily be added to the list. First, I would either add Web 3.0 or modify the Web 2.0 entry into Web 3.0. Let's look at what is going to happen rather than at what is already happening and merely changing. Secondly, I suggest adding Vendor Risk Management. A vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like employees, but in many cases they are not subjected to the same network security assessment requirements.

Gary Bahadur
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009

The Cyber Security Mega Trends Study was conducted by Ponemon Institute and sponsored by CA to better understand if certain publicized IT security risks are, or should be, more or less of a concern for organizations in the federal sector. We believe the results of our study will be helpful to organizations struggling to understand how they should allocate resources to help ensure their information systems are adequately protected.

Based upon in-depth interviews with IT security experts in application security risk assessment and prior Institute research, we focus on 10 cyber security mega trends in this study. Each mega trend is believed to significantly affect an organization’s security ecosystem.

Cloud computing – refers to distributed computing solutions that can be owned by third parties at data center locations outside the organization’s IT infrastructure.

Virtualization – refers to enabling technologies that allow end-users to access multiple secure networks from a single computer, wherein the PC or laptop essentially acts as the authenticating device.

Mobility – refers to a workforce with access to information no matter where they work or travel and wherein employees can use mobile devices when they travel or work at home: laptops, smart phones, PDAs, memory sticks and more.

Cyber crime – usually describes criminal activity in which the computer or network is an essential part of the illegal criminal activity. This term also is used to include attacks in which computers or botnets are used to enable illicit activity such as data theft or denial of service attacks.

Cyber terrorism – is a specific form of cyber crime in which the end goal is to disrupt or harm a targeted country or region of the world. This term also is used to describe attacks that attempt to steal national secrets including information that minimizes a nation’s defense or economic posture.

Open source – is computer software for which the source code and certain other rights normally reserved for copyright holders are provided under a software license that is in the public domain. This permits users to change, improve the software, and redistribute software in modified or unmodified forms.

Data breach – is defined as the loss or theft of information about people and households. A majority of U.S. states now require organizations to notify individuals when their information is lost or stolen.

Unstructured data – is electronic information on file servers and other storage devices that is not stored in a database or other structured format, usually resulting from workplace collaboration tools such as SharePoint.

Outsourcing – usually pertains to the transfer of sensitive and confidential information to third parties for data processing or other activities. Outsourcing is done to reduce processing costs and improve operating efficiencies.

Web 2.0 – refers to a plethora of Internet tools that enhance information sharing and collaboration among individuals. These concepts have led to the evolution of web-based communities and hosted services, such as social networking, social messaging, wikis and blogs.

Thursday, November 12, 2009

HIPAA Vendor Compromised Healthcare Records

This is a story that is several months old, but as I came across it, I thought it would make a good point. A vendor handling healthcare records lost people's Social Security numbers in March 2009. In this case, health insurer Aetna, Inc. is reportedly providing 65,000 individuals with free credit monitoring for a year after its job application Web site was breached, the Associated Press has reported.

The Web site, which was maintained by an outside vendor, held Social Security numbers of current and past employees and of individuals who received job offers from the insurer, the AP reported.

The site reportedly held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about job openings. Spokeswoman Cynthia Michener said Aetna doesn't know how many were copied, but the site has been disabled and is undergoing a "thorough forensic review" (in other words, a network security audit) by an outside company.

So here we have a health insurer compromising personal data. People already receive so much spam email that any real email is suspect. If your provider Aetna seems to be sending legitimate emails to you, that can get confusing.

As noted in the article "This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee's laptop computer containing certain personal member information was stolen from a car in a public parking lot."

If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But as we see in almost all industries, it's very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.


Tuesday, November 10, 2009

Ways to Maintain Website Security

With the advancement of technology comes the heavy responsibility of monitoring an organization's sensitive and valuable information. Use of the Internet has become a necessity for organizations to exchange data and other business details with their business partners, vendors and clients. In many cases, hackers compromise a network or transmission medium while data is in transit and steal it. This damages not only the market value of the company but also the trust that clients place in the company and its infrastructure or website.

There are preventive measures every company can adopt to maintain the value of the company as well as its client base. It is very important for any company to maintain data security and safeguard its internal information. Clients and business partners share their data only after confirming that the partner company will keep it safe and intact under that company's security norms.

By taking a few cautionary measures, one can secure the company's sensitive information. Installing a firewall in the network keeps it secure. Earlier, this was somewhat expensive for companies, but with the advance of technology it has become an easily accessible tool for the organization. Affordable monthly subscriptions are available for firewalls, intrusion detection systems and host intrusion prevention systems; companies need not spend a lot of money to obtain these services now.

A firewall is the main defense. It carries out routine security checks and blocking at set intervals, and this helps stop attacks. It will raise an alert in case of any threat to the data and will automatically start blocking and reporting on it. It does not compromise on your company's security and safety and keeps the information safe. Firewall protection can be obtained from various online sources at quite reasonable rates, but one must always cross-check the credentials of the source company and purchase only from experts in the field.

Other than installing these tools to maintain web security, companies are also hiring third parties to review the organization's policies and procedures and to keep track of the company's online data distribution process. These third parties install web applications that thoroughly review the code used in the process and provide valuable feedback to update and upgrade the quality of network systems. Though it is somewhat expensive to employ third parties, they keep a detailed track of the security of their clients' information.

Many network systems of very renowned companies are getting hacked and misused these days. It is high time companies took proper action against such activities and thefts, as the number of incidents is growing day by day. Otherwise, people will start losing their trust in sharing personal information through web sites.

This article was written by a web security expert skilled in application security risk assessment.


Friday, November 6, 2009

HIPAA Compliance Data Breach with a Foreign Supplier

Recently, the Economic Times in India reported on a successful “Sting operation by a UK agency in which some health related data was bought from a medical transcription company”. What this means is that, in the most likely scenario, all the personal and HIPAA-confidential data that was being transferred for transcription got stolen. There have been few stories of this type of data breach so far. Suppliers to US companies have not made the headlines, but this might be just the beginning of that wave. The two components of HIPAA Security are logical and physical security. Remote partners can easily breach your logical security controls.

Is there any realistic view that the US can export security laws such as HIPAA Security to all parts of the world that handle US customer data? How do you monitor the activities of your suppliers once the data has left your network? In the US, a company can control all the security devices such as firewalls, intrusion detection systems, antivirus on servers and patch management of servers hosting confidential data. These are all parts of most security regulations, including PCI, SOX, GLBA and more. But the endpoint of security has left these shores and resides in India, China, South America, Vietnam and anywhere else you have a supplier.

As your data now resides in a foreign country, what are the reporting requirements of a breach? HIPAA security policy has timeframes, reporting requirements and penalties. The only real penalty a company overseas may face is loss of the contract. Few governments are up to enforcing security rules outside of actual hacker activity.

So what are some steps you can take to implement Supplier Security?
1) Conduct a Vulnerability Assessment of your connectivity to your Suppliers’ networks
2) Define process and policy controls that the Supplier has to have in place in order to hold your data
3) Assign risk ratings to all data the Supplier handles
4) Conduct a risk assessment of the impact of losing the data
5) Develop an Incident Response plan for the Supplier losing your data
6) Assess the Supplier's security procedures on a yearly basis
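The following is an added example, not part of the original post, showing how steps 2 through 6 above can be turned into a simple supplier risk register: each supplier's data gets a sensitivity rating, the impact of losing it is scored, the score decides which contractual controls the supplier must evidence, and the yearly reassessment date is checked. The sensitivity scale, the control catalogue per tier, the scoring thresholds and the two sample suppliers are all constructed assumptions for illustration; substitute your own classification and policy.

```python
"""Supplier security review register (constructed example, not from the post).

Assumed here: the 1-5 data sensitivity scale, the required-control catalogue per
risk tier, the impact thresholds and the two sample suppliers.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Step 3 input: sensitivity of each data category a supplier may hold (assumed scale).
DATA_SENSITIVITY: Dict[str, int] = {
    "public_marketing": 1,
    "employee_email": 2,
    "financial_transactions": 4,
    "phi_medical_records": 5,  # HIPAA-covered protected health information
    "ssn": 5,
}

# Step 2: process and policy controls a supplier must evidence per tier (assumed policy).
REQUIRED_CONTROLS: Dict[str, List[str]] = {
    "low": ["signed_security_addendum"],
    "medium": ["signed_security_addendum", "annual_assessment", "encryption_in_transit"],
    "high": ["signed_security_addendum", "annual_assessment", "encryption_in_transit",
             "encryption_at_rest", "incident_response_plan", "breach_notification_sla"],
}

REVIEW_DATE = date(2009, 11, 6)  # date of this review run


@dataclass
class Supplier:
    name: str
    country: str
    data_categories: List[str]
    record_count: int
    network_connected: bool          # VPN or direct link into our network (scope of step 1)
    controls_in_place: List[str]
    last_assessment: Optional[date]  # None if never assessed


def data_risk_rating(s: Supplier) -> int:
    """Step 3: rate the supplier's data by the most sensitive category it holds."""
    return max(DATA_SENSITIVITY[c] for c in s.data_categories)


def impact_score(s: Supplier) -> int:
    """Step 4: impact of losing the data = sensitivity x volume band x connectivity.
    A direct network link doubles the score: a compromise there also exposes our network."""
    volume_band = 1 if s.record_count < 1_000 else 2 if s.record_count < 100_000 else 3
    connectivity = 2 if s.network_connected else 1
    return data_risk_rating(s) * volume_band * connectivity


def risk_tier(s: Supplier) -> str:
    """Map the 1..30 impact score onto the three control tiers (assumed thresholds)."""
    score = impact_score(s)
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def missing_controls(s: Supplier) -> List[str]:
    """Step 2: required controls the supplier has not evidenced for its tier."""
    return [c for c in REQUIRED_CONTROLS[risk_tier(s)] if c not in s.controls_in_place]


def assessment_overdue(s: Supplier, today: date, interval_days: int = 365) -> bool:
    """Step 6: yearly reassessment; a supplier never assessed is overdue by definition."""
    if s.last_assessment is None:
        return True
    return today - s.last_assessment > timedelta(days=interval_days)


def review(s: Supplier, today: date) -> Dict[str, object]:
    """One register row; a high-tier supplier with gaps is the case the step 5 plan must cover."""
    tier = risk_tier(s)
    gaps = missing_controls(s)
    overdue = assessment_overdue(s, today)
    action = "block data transfer until gaps are closed" if tier == "high" and (gaps or overdue) else "monitor"
    return {"supplier": s.name, "tier": tier, "impact_score": impact_score(s),
            "missing_controls": gaps, "assessment_overdue": overdue, "action": action}


# Constructed sample suppliers (not real companies).
SAMPLE_SUPPLIERS = [
    Supplier("Example Transcription Ltd", "IN", ["phi_medical_records", "ssn"], 250_000, True,
             ["signed_security_addendum", "encryption_in_transit"], date(2008, 6, 1)),
    Supplier("Example Marketing Agency", "US", ["public_marketing", "employee_email"], 500, False,
             ["signed_security_addendum"], date(2009, 3, 1)),
]

if __name__ == "__main__":
    for supplier in SAMPLE_SUPPLIERS:
        print(review(supplier, REVIEW_DATE))
```

The transcription supplier scores 30 (PHI, a large volume, and a direct network link), lands in the high tier, is missing four required controls and has not been assessed within the year, so the register tells you to stop sending data until the gaps are closed; the marketing agency scores 2 and is merely monitored. The point of keeping the scoring in code rather than in a spreadsheet is that the same rules are applied to every supplier and the reassessment check runs on every review.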