Monday, November 30, 2009

Ponemon Institute Cyber Mega Trends

Ponemon Institute recently released their Cyber Mega Trends, listed below. While I agree with these, I think there are a couple that could easily be added to the list. First, I would either add Web 3.0 or broaden Web 2.0 to include it: let's look at what is going to happen rather than at what is already happening and merely changing. Second, I suggest adding Vendor Risk Management. A vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are effectively employees, but in many cases they are not subjected to the same network security assessment requirements.

Regards
Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009

The Cyber Security Mega Trends Study was conducted by Ponemon Institute and sponsored by CA to better understand if certain publicized IT security risks are, or should be, more or less of a concern for organizations in the federal sector. We believe the results of our study will be helpful to organizations struggling to understand how they should allocate resources to help ensure their information systems are adequately protected.

Based upon in-depth interviews with IT security experts and prior Institute research, we focus on 10 cyber security mega trends in this study. Each mega trend is believed to significantly affect an organization's security ecosystem.

Cloud computing – refers to distributed computing solutions that can be owned by third parties at data center locations outside the organization's IT infrastructure.

Virtualization – refers to enabling technologies that allow end-users to access multiple secure networks from a single computer, wherein the PC or laptop essentially acts as the authenticating device.

Mobility – refers to a workforce with access to information no matter where they work or travel and wherein employees can use mobile devices when they travel or work at home: laptops, smart phones, PDAs, memory sticks and more.

Cyber crime – usually describes criminal activity in which the computer or network is an essential part of the illegal criminal activity. This term also is used to include attacks in which computers or botnets are used to enable illicit activity such as data theft or denial of service attacks.

Cyber terrorism – is a specific form of cyber crime in which the end goal is to disrupt or harm a targeted country or region of the world. This term also is used to describe attacks that attempt to steal national secrets including information that minimizes a nation’s defense or economic posture.

Open source – is computer software for which the source code and certain other rights normally reserved for copyright holders are provided under a software license that is in the public domain. This permits users to change, improve the software, and redistribute software in modified or unmodified forms.

Data breach – is defined as the loss or theft of information about people and households. A majority of U.S. states now require organizations to notify individuals when their information is lost or stolen.

Unstructured data – is electronic information on file servers and other storage devices that is not stored in a database or other structured format, usually resulting from workplace collaboration tools such as SharePoint.

Outsourcing – usually pertains to the transfer of sensitive and confidential information to third parties for data processing or other activities. Outsourcing is done to reduce processing costs and improve operating efficiencies.

Web 2.0 – refers to a plethora of Internet tools that enhance information sharing and collaboration among individuals. These concepts have led to the evolution of web-based communities and hosted services, such as social networking, social messaging, wikis and blogs.

Thursday, November 12, 2009

HIPAA Vendor Compromised Healthcare Records

This story is several months old, but when I came across it I thought it made a good point. A vendor handling healthcare-related records lost Social Security numbers in March 2009. Health insurer Aetna, Inc. is reportedly providing 65,000 individuals with a year of free credit monitoring after its job application Web site was breached, the Associated Press has reported.

The Web site, which was maintained by an outside vendor, held Social Security numbers of current and former employees and of individuals who had received job offers from the insurer, the AP reported.

The site reportedly also held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about openings. Spokeswoman Cynthia Michener said Aetna does not know how many were copied; the site has been disabled and is undergoing a "thorough forensic review" by an outside company.

So here we have a health insurer exposing personal data. People already receive so much spam that any unexpected email is suspect. If whoever holds a list of 450,000 Aetna applicants can now send mail that appears to come from Aetna, telling the legitimate notifications from the phishing gets confusing.

As noted in the article "This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee's laptop computer containing certain personal member information was stolen from a car in a public parking lot."

If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But the two incidents are different failure modes: a laptop stolen from a car is answered with full-disk encryption and device policy, while a breached vendor-run web site is a vendor risk management problem, and the controls adopted after the first would not have stopped the second. As we see in almost all industries, it is very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

Tuesday, November 10, 2009

Ways to Maintain Website Security

With the advancement of technology comes the heavy responsibility of protecting an organization's sensitive and valuable information. Organizations depend on the Internet to exchange data and other business details with their partners, vendors and clients. Attackers compromise networks and, where data travels unencrypted, the transmission medium itself, and obtain the data illegally. That damages not only the market value of the company but also the trust that clients place in the company, its infrastructure and its website.

There are preventive measures every company can adopt to protect both its value and its client base. It is essential for any company to secure its data and safeguard its internal information. Clients and business partners share their data only after confirming that the partner company will keep it safe and intact under its own safety norms.

By taking a few cautionary measures, a company can secure its sensitive information. Installing a firewall at the network boundary is the first of them. Firewalls used to be expensive, but they have become an easily accessible tool for organizations of any size: affordable monthly subscriptions are available for firewalls, intrusion detection systems and host intrusion prevention systems, so a company need not spend a lot of money to obtain these services.

A firewall is the main defense. It inspects every packet or connection crossing the network boundary and allows or blocks it according to a policy; a properly configured firewall blocks by default and permits only the traffic the business explicitly needs. It logs what it blocks and can raise an alert when it sees a threat, but it keeps information safe only as far as the policy behind it is correct and kept current. Firewall protection can be obtained from many online sources at reasonable rates, but always check the credentials of the vendor before buying, and buy from experts in the field.
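As an added example (not code from the original post or from any firewall vendor), the following Python model of a stateless packet filter makes the point about policy concrete: the same allow rules, evaluated first-match as iptables or pf would, protect a server only when the default is deny. The rule table, the addresses and the sample packets are constructed for the illustration.

```python
"""Minimal first-match packet filter: default-allow versus default-deny.

Everything here is constructed for illustration: the rule table, the
sample packets and the network ranges are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR; "0.0.0.0/0" matches every source
    dport: Optional[int]  # None matches any destination port

    def matches(self, proto, src_ip, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and (self.dport is None or self.dport == dport))


@dataclass
class Firewall:
    rules: list
    default: str                        # policy when no rule matches
    log: list = field(default_factory=list)

    def decide(self, proto, src_ip, dport):
        # First-match semantics: rule order matters, as in iptables/pf.
        for r in self.rules:
            if r.matches(proto, src_ip, dport):
                verdict = r.action
                break
        else:
            verdict = self.default
        if verdict == "deny":
            # The "reporting" a firewall gives you: every drop is recorded.
            self.log.append(f"DROP {proto} {src_ip} -> :{dport}")
        return verdict


# What a public web server actually needs: HTTPS from anywhere, SSH from the admin jump host.
ALLOW_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", 443),
    Rule("allow", "tcp", "203.0.113.10/32", 22),
]
# Weak setting: a blocklist of ranges that already hurt us, everything else allowed.
weak = Firewall(ALLOW_RULES + [Rule("deny", "tcp", "198.51.100.0/24", None)], default="allow")
# Corrected setting: the same allow rules with a default-deny policy.
hardened = Firewall(list(ALLOW_RULES), default="deny")

SAMPLE_TRAFFIC = [  # constructed packets: (proto, source address, destination port)
    ("tcp", "192.0.2.50", 443),     # customer browsing the website
    ("tcp", "203.0.113.10", 22),    # admin SSH from the jump host
    ("tcp", "192.0.2.99", 22),      # SSH brute force from an unknown host
    ("tcp", "198.51.100.7", 3306),  # known-bad range probing MySQL
    ("udp", "192.0.2.99", 161),     # SNMP probe; the blocklist rule is tcp-only
]


def evaluate(fw):
    """Run the sample traffic through a firewall and return the verdict per packet."""
    return {(p, s, d): fw.decide(p, s, d) for p, s, d in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for name, fw in (("default-allow", weak), ("default-deny", hardened)):
        print(name, evaluate(fw))
        print("  dropped:", fw.log)
```

Under the weak policy the SSH brute force and the SNMP probe both get through, because a blocklist can only name what you already know about; under default deny the only traffic that passes is the two flows the rules describe, and everything else lands in the log where a monitoring process can alert on it.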

Beyond installing these tools to maintain web security, companies also hire third parties to review the organization's policies and procedures and to keep track of how the company's data is distributed online. These third parties run application security tools that review the code behind the company's web applications and provide feedback to upgrade the quality of the systems. Employing third parties is somewhat expensive, but they keep a detailed track of the security of their clients' information.

Network systems of very well-known companies are being hacked and misused these days. It is high time that companies take proper action against such activities and thefts, as the number of incidents grows day by day. Otherwise, people will stop trusting web sites with their personal information.

This article was written by a web security expert in application security risk assessment.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

Friday, November 6, 2009

HIPAA Compliance Data Breach with a Foreign Supplier

Recently, the Economic Times in India reported on a successful "Sting operation by a UK agency in which some health related data was bought from a medical transcription company". What this means is that personal, HIPAA-protected data that was transferred for transcription was most likely stolen. There have been few stories of this type of data breach so far. Suppliers to US companies have not made the headlines, but this might be just the beginning of that wave. The HIPAA Security Rule requires administrative, physical and technical (logical) safeguards, and a remote partner can easily undermine the technical controls while sitting entirely outside your physical ones.

Is there any realistic prospect that the US can export security laws such as the HIPAA Security Rule to every part of the world that handles US customer data? How do you monitor the activities of your suppliers once the data has left your network? Within the US, a company can control the security devices: firewalls, intrusion detection systems, antivirus on servers and patch management of the servers hosting confidential data. These are all components of most security regulations, including PCI, SOX, GLBA and others. But the endpoint of security has left these shores and resides in India, China, South America, Vietnam and anywhere else you have a supplier.

As your data now resides in a foreign country, what are the reporting requirements for a breach? HIPAA security policy has timeframes, reporting requirements and penalties. The only real penalty a company overseas may face is loss of the contract. Few governments are up to enforcing security rules outside of actual hacker activity.

So what are some steps you can take to implement Supplier Security?
1) Conduct a Vulnerability Assessment of your connectivity to your Suppliers' networks
2) Define the process and policy controls that the Supplier has to have in place in order to hold your data
3) Assign risk ratings to all data the Supplier handles
4) Conduct a risk assessment of the impact of losing the data
5) Develop an Incident Response plan for the Supplier losing your data
6) Assess the Supplier's security procedures on a yearly basis

Monday, October 26, 2009

iPhone Apps Every Road Warrior Entrepreneur Needs

The BlackBerry has been the mainstay of the business world for years. But as we know, the iPhone is eating away at its market share. There are over 75,000 apps for the iPhone now, and the number is growing steadily. For those who have BlackBerry Thumb, you can probably look forward to iPhone Index Finger at some point as you switch away from the BlackBerry.

Why should you switch from the BlackBerry? Well, there may not be a good reason. The BlackBerry has a number of apps and it is secure: it has encryption and has been beaten up on the security front by years of network security assessments and application security testing. It is ingrained in businesses, and BlackBerry Enterprise Server is well known to many IT administrators.

The entrepreneur can use both devices. Let's assume there are at least some people using the iPhone: what apps should they have in their toolkit? Of the thousands of apps, how can you pick a few that would benefit the entrepreneur road warrior? Well, the way I picked them is through word of mouth and by what is of benefit to me. I travel, work in my car, have meetings at all times of day, and am away from the office for days or weeks.

Take these with a grain of salt and do not send any flame emails. But please send in the apps that you think should be shared with the world or at least readers of this Blog.

Urban Spoon

First up is Urban Spoon. You are thinking, well, that's not some kind of spreadsheet or financial app. What is the business purpose? The lifeblood of the entrepreneur is networking and deal making, and deal making most of the time involves some kind of meal. Urban Spoon can find you restaurants by cuisine, by neighborhood, by cost, by distance. Everything you need for a meeting in the most random city.


AroundMe

In the same vein as Urban Spoon is AroundMe. Say you are on your way to an important lunch you set up at a restaurant you found on Urban Spoon, but you are almost out of gas. Use AroundMe to find the closest gas station. Or, if you need cash to pay for that gas because your Amex card has been cancelled, find the closest bank.


GoogleMaps

Well, this is pretty obvious. But when you are traveling and forgot to bring your Garmin GPS, and do not feel like paying the rental company an extra $11.99 a day for theirs, this is just as good.

ReQall

This is a pretty useful app. The developers were one of the www.TiE.org Top 50 companies this year at TiECon. The app captures your voice, transcribes it to text, organizes your calendar based on your voice messages, integrates with Outlook or Google Calendar and provides memory assistance. It's great when you have no pen, are driving, or need a reminder.


FlightAware

For the true road warrior there is no road, there is the sky. So when you are rushing to the airport, or think you need to, find out what is going on with your flight. Check FlightAware for an update to help you plan that trip to the airport.


TweetDeck

Social media, the latest buzzword, actually has some teeth. Small companies and the entrepreneur have to be connected to the world whether they like it or not. Twitter is a way of life these days, even if people seem to be twittering their lives away. How do you tell your followers that you are stuck in an airport in Baltimore? Try TweetDeck.


These apps don't seem very business-like, but the entrepreneur is practical, cheap, and has to get things done today. These help you achieve your million tasks on time.

Gary Bahadur

http://www.kraasecurity.com/

http://blog.kraasecurity.com/

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

Sunday, July 26, 2009

This Time Its Network Solutions Reporting a Data Breach

For a long time, well-known companies have been targets of hackers. The result has been huge data losses for the companies and for the clients associated with them, and many companies have paid penalties to the government or to business partners as a result.

Network Solutions, which specializes in domain name registration, recently reported a data breach. The breach ran from March 12 to June 8, 2009, and was detected in a check carried out by the company. Though it was detected in June, the company took around a month to decipher the malicious code that had been planted on its servers. By then the attackers had compromised its e-commerce hosting services and diverted payment card details from transactions on more than 4,000 merchant sites, affecting more than 500,000 cardholders. This shows that industries are still lacking the security measures needed to prevent the loss of important data.

Network Solutions issued a statement saying that so far no merchant has reported any misuse of the information. The company is now listing all merchant clients that made any transaction in that period. Those merchants will in turn notify their customers, who can then ask their banks to block the affected cards to avoid misuse.

Network Solutions has offered to bear the expenses the customers have suffered. But isn't it better to take precautionary measures beforehand than to face such incidents? Regular network security assessments and data loss prevention controls go a long way toward finding the weaknesses that make incidents like this possible.

Many other companies have reported breaches in the past that damaged their reputation. Heartland Payment Systems and RBS WorldPay are two examples; after their breaches, Visa removed both from its list of PCI DSS-validated service providers. The loss of clients and market value was an additional issue.

These incidents indicate that other similar companies are exposed to the same risks. But if they take measures to keep their network systems in check, they can avoid these kinds of losses. That also preserves the company's goodwill in the market and attracts more clients.

An expert with knowledge of Information Security Risk Assessment has written this article.


Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Tuesday, July 21, 2009

Web Security Testing has come of age

Website security is one of the most dangerous places for a company. If you look at a layered security approach, we start with the internal network: host security, patch management, host IDS and other server-based technologies. Next come the network security layers: network intrusion detection, network monitoring and firewall protection. So if the internal servers are secured and the network protection is in place, what is left, the public website, is the most exposed way an attacker can possibly get into a secure environment.

The website is the open front door to many companies. Security education for both developers of web applications and users of web sites is sadly lacking. Most compliance regulations, such as HIPAA or PCI, require an education component, but most companies do not spend the time to provide more than a written manual that no one reads. Those same regulations call for a secure development lifecycle strategy, but how many web application developers actually follow a strict methodology?

So on LinkedIn I asked the question of which web security tools are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct security testing. Some are paid and some are free. Here is the list, in no particular order.

1) Foundstone http://www.foundstone.com
2) Acunetix WVS http://www.acunetix.com
3) Scrawlr https://h30406.www3.hp.com/
4) N-Stalker http://www.nstalker.com/
5) Nikto http://cirt.net/nikto2
6) WebScarab http://www.owasp.org
7) WebInspect http://www.hp.com
8) Fiddler http://www.fiddlertool.com
9) Samurai Web Testing Framework http://samurai.inguardians.com/
10) FireCAT http://www.security-database.com
11) W3af http://w3af.sourceforge.net/
12) CORE Impact http://www.coresecurity.com/content/web-app-pro
13) Appscan http://www-01.ibm.com/software/awdtools/appscan/

Having listed these, there are of course a number of other tools (please send me any comments on other tools you like). Running a tool is a first and easy step you can take to close that open web door (Webdoor, I am going to try and coin that phrase). Keep in mind that a scanner finds the low-hanging fruit; it will not find authorization flaws or business-logic bugs, which is why the steps below do not stop at testing. If you can target the tactical problems and get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.

The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls
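Step 4, monitoring and logging, is the one most often skipped, so here is an added example (not part of the original post and not any vendor's ruleset) of what it looks like in practice: a Python script that reads a web server access log in Apache combined format and scores each request against signatures of the probes that the scanners listed above, and real attackers, both send. The log lines, the signature list and the Nikto User-Agent string are constructed for this example; the same approach generalizes to any request log you can parse.

```python
"""Flag scanner and attack probes in an Apache/nginx combined access log.

The signature list and the sample log lines are constructed for this
example; a production ruleset would be larger and tuned to the site.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Signatures applied to the URL-decoded path and query string.
PATH_SIGNATURES = [
    ("sqli",      re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$", re.I)),
    ("xss",       re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("traversal", re.compile(r"(\.\./|\.\.\\)+|/etc/passwd|boot\.ini", re.I)),
    ("recon",     re.compile(r"/(phpmyadmin|\.git/|\.env|wp-admin|cgi-bin/)", re.I)),
]
# Signatures applied to the User-Agent header (assumed scanner names).
UA_SIGNATURES = [
    ("scanner-ua", re.compile(r"nikto|w3af|acunetix|sqlmap", re.I)),
]


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the signature labels a parsed entry triggers (empty list if benign)."""
    # Decode twice: scanners double-encode (%252F) to slip past single-decode filters.
    decoded = unquote(unquote(entry["path"]))
    hits = [label for label, rx in PATH_SIGNATURES if rx.search(decoded)]
    hits += [label for label, rx in UA_SIGNATURES if rx.search(entry["ua"])]
    return hits


def analyse(lines):
    """Per-source summary: hit count per label and the distinct probe paths seen."""
    report = {}
    for line in lines:
        entry = parse(line)
        if not entry:
            continue
        labels = classify(entry)
        if not labels:
            continue
        src = report.setdefault(entry["ip"], {"labels": Counter(), "paths": set()})
        src["labels"].update(labels)
        src["paths"].add(entry["path"])
    return report


def suspicious(report, min_hits=2):
    """Sources with at least min_hits signature hits, busiest first."""
    total = lambda ip: sum(report[ip]["labels"].values())
    return sorted((ip for ip in report if total(ip) >= min_hits), key=lambda ip: -total(ip))


SAMPLE_LOG = [  # constructed log lines
    '192.0.2.10 - - [21/Jul/2009:10:01:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Jul/2009:10:01:05 -0400] "GET /products?id=12 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jul/2009:10:02:11 -0400] "GET /products?id=12%27%20OR%201%3D1-- HTTP/1.1" 500 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jul/2009:10:02:12 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jul/2009:10:02:13 -0400] "GET /download?file=..%252F..%252F..%252Fetc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Jul/2009:10:05:00 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 200 "-" "Mozilla/5.00 (Nikto/2.1.0)"',
    '203.0.113.9 - - [21/Jul/2009:10:05:01 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 200 "-" "Mozilla/5.00 (Nikto/2.1.0)"',
]

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip in suspicious(report):
        print(ip, dict(report[ip]["labels"]), sorted(report[ip]["paths"]))
```

Two things the output shows that the step list alone does not: the 500 on the quoted SQL probe is the kind of status-plus-signature pair that deserves a ticket rather than a dashboard entry, and the double-encoded traversal only matches because the path is decoded twice before the signatures run. Schedule the script against the day's log and compare its output with your own monthly test window; anything outside that window is someone else doing step 1 for you.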

Do not get lax when it comes to web security. It's a bit of black magic and a lot of hard work, but as it is the "webdoor", try to keep it closed.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity