Thursday, March 24, 2016

HIPAA & Ransomware

Is an incident involving ransomware a HIPAA breach?

The article below gives some guidance on whether or not it is a breach, though the scope of the incident is a huge factor in whether or not it is a breach.

http://www.databreaches.net/when-do-covered-entities-need-to-report-ransomware-incidents-to-hhs/

Basically, an enterprise-wide structured / unstructured ePHI (database, file share / SAN / NAS) ransomware event is certainly a HIPAA breach.

Tuesday, March 22, 2016

Need for Droid App Vetting

With the news below divulged today, does anyone disagree that public apps for individual consumption would be better off with some type of security attestation?

http://www.itworld.com/article/3047056/google-warns-of-android-flaw-used-to-gain-root-access-to-devices.html?token=%23tk.ITWNLE_nlt_itworld_today_2016-03-22&idg_eid=a809ad5f805944d2fd35ae84bd28bd94&utm_source=Sailthru&utm_medium=email&utm_campaign=ITworld%20Today%202016-03-22&utm_term=itworld_today

HR Background (Credit) Checks & Internal Threats

The article below states that some insiders are open to selling a password for $1,000 (U.S.).

How does an organization prevent this?

Well, a credit check may help to understand an applicant's judgment and financial position for starters. Though, counsel (employment specialists) had better approve this beforehand.

http://www.infosecurity-magazine.com/news/employees-would-sell-passwords-for/

Also, while difficult to quantify, ensure leaders (notice the lack of mentioning "managers") foster esprit de corps to mitigate such actions.

Monday, March 21, 2016

Current iOS Zero-day (March '16) = False Alarm

An alarming trend is happening. "Cybersecurity" hype:

http://www.theregister.co.uk/2016/03/21/zero_day_apple_grapple_dredges_imessage_photos_videos_in_ios_9/

Yes, it is a vulnerability. Is it front-page, five-alarm, newsworthy? No. Cryptography can be broken; that is why compensating controls are put in place.

With that said, will the U.S. Justice Department focus in on this exploit?  If so, will they leave Apple alone?  Time will tell....

Friday, March 18, 2016

Data Masking for Oracle or MSSQL

Vendors (like hotels & now airlines) love their add-ons.  Oracle offers a data masking service for a decent charge, while Microsoft offers a native, dynamic data masking (DDM) service for contemporary versions of MSSQL.

http://www.oracle.com/technetwork/database/options/data-masking-subsetting/overview/ds-security-dms-2245926.pdf?ssSourceSiteId=ocomen

https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking-get-started/

http://searchsqlserver.techtarget.com/tip/An-introduction-to-SQL-Server-2016-dynamic-data-masking

Why not trim the strings at the application-side & go from there?  Ohh, you need an identifier.  How about using a tokenization service (e.g., Vormetric, SafeNet) and a more comprehensive crypto / KMS strategy?


Monday, March 14, 2016

Crypto-shredding & retention policies...

Most orgs these days perform key rotation at least annually.  However, what about key disposal?

Key disposal should go hand-in-hand with disposition periods on one's retention policy, though seven (7) years is an answer if one does not have a retention policy.

Just remember how different the technology landscape was in 2009. Yeah, seven should do, predicated on the data classification...
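The mechanism behind the post's point, as an added example (not from the original post): each record is encrypted under its own data key, the key carries a disposal date derived from the retention period, and disposing of the key at that date renders the ciphertext (and every backup of it) unrecoverable. The keystream is HMAC-SHA256 used as a PRF, a stand-in chosen so the example runs on the standard library alone; the seven-year default, the record IDs and the dates are constructed for the example.

```python
# Added example: crypto-shredding driven by a retention schedule.
# HMAC-SHA256 in counter mode is used as a stand-in keystream so this runs
# on the standard library; real deployments would use AES-GCM with keys
# held in a KMS, where "del" below becomes the KMS key-destroy call.
import hashlib
import hmac
import os
from datetime import date, timedelta

RETENTION_DAYS = 7 * 365  # the post's fallback when no retention policy exists


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per record; prepended to the ciphertext
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


class RecordStore:
    """Ciphertext lives in 'records'; per-record keys and disposal dates live in 'keys'."""

    def __init__(self, retention_days: int = RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self.records = {}  # record_id -> ciphertext (may be copied to backups freely)
        self.keys = {}     # record_id -> (key, dispose_on)

    def put(self, record_id: str, plaintext: bytes, created: date) -> None:
        key = os.urandom(32)
        self.keys[record_id] = (key, created + self.retention)
        self.records[record_id] = encrypt(key, plaintext)

    def get(self, record_id: str):
        if record_id not in self.keys:
            return None  # key shredded: the stored ciphertext is now unreadable noise
        return decrypt(self.keys[record_id][0], self.records[record_id])

    def shred_expired(self, today: date) -> list:
        """Key disposal on the retention schedule; returns the shredded record ids."""
        expired = [rid for rid, (_, dispose_on) in self.keys.items() if dispose_on <= today]
        for rid in expired:
            del self.keys[rid]  # the ciphertext is left in place on purpose
        return expired
```

Note that the ciphertext is never touched; shredding only needs to reach the key store, which is why it also covers copies on tapes and in cold storage.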

Friday, March 11, 2016

Java & Vulnerabilities

http://www.itworld.com/article/3043062/two-year-old-java-flaw-re-emerges-due-to-broken-patch.html

The world's love-hate relationship with Java continues....

Of particular relevance is that this issue affects server deployments (J2EE, J2ME) rather than solely JWS and applets.

Thursday, March 10, 2016

NOC (MSP) & SOC (MSSP) Selection

Guidance like the link below always reminds us of how MSP & MSSP vendors need to play nice together.

While it is not advocated that one vendor should provide both services, it is paramount that they collaborate on incident response, ticketing, patching, etc.

https://github.com/secureworks/dcept


Wednesday, March 9, 2016

AWS Glacier & Retention Policies

https://aws.amazon.com/blogs/aws/glacier-vault-lock/

For orgs that want to move AWS data (e.g., S3, EBS) to offline storage, Glacier is the answer.

However, an org will want to set access controls and retention periods for the data "vaults" in Glacier.

Per the link above, one can do that via the API.  Note that the output screenshots show JSON.

Understanding NoSQL

Many technology professionals who are not developers seem to have some difficulty in understanding the nuances of NoSQL.  So, please see the article below:

http://www.isaca.org/Journal/archives/2012/Volume-3/Documents/12v3-A-Primer-on-Nonrelational.pdf

The bottom-line is that NoSQL is more flexible, but traditionally less secure out of the box.

Hopefully, homomorphic encryption (HE) will assist: http://www.zdnet.com/article/encryptions-holy-grail-is-getting-closer-one-way-or-another/.

Tuesday, March 8, 2016

AWS Inspector = AWS DAST Scanning

https://aws.amazon.com/inspector/

Nice work AWS!  However, does this include the AWS WAF and / or AWS API Gateway?

Also, how does one integrate Inspector's findings in GRC & ticketing systems?

Will WhiteHat feel the heat from the competition?  Chances are yes as they run on the high side, though many orgs have loads of apps for DAST scanning, on and off AWS.

Monday, March 7, 2016

HIPAA & PCI Contact Center Compliance

HIPAA & PCI compliance transcends traditional IT security and privacy controls to include business processing.

HIPAA EDI, PCI, and / or contact center compliance is a different nut to crack, with management needing to decide whether to tokenize, mask, or encrypt PHI or CHD in recorded data.

Beyond the need to notify some or all of the parties that calls may be recorded, management must decide whether to take an all-encompassing or focused (PHI, CHD) protection strategy. Deciding factors include size, scale, geographic location, and / or the budget for protecting sensitive information.

Thursday, March 3, 2016

Cloud Security & Key Management

Does one leverage a cloud provider's implicit encryption keys, their own key management system (KMS) service, or use a third party?

First, it makes sense for an org to rely on a cloud provider's implicit key management until they are of scale to have InfoSec FTEs.

Second, some cloud consumers use multiple cloud providers (AWS, Rackspace), while some use a cloud provider via multiple regions.  So, as always it is about the requirements and budget.

With that said, here are some options:

  • AWS KMS
  • Rackspace / OpenStack Cloud Keep
  • Vormetric
  • KeyNexus
  • Intuit

Also note that software providers, especially database vendors, have their own offerings:

  • Microsoft
  • Oracle

As usual, there is no silver bullet, though crypto is something that an org certainly needs to do correctly.

Wednesday, March 2, 2016

U.S. Federal Government Bug Bounty Program

http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hackers/

Will they eventually have issues similar to Facebook / Instagram?

http://www.forbes.com/sites/thomasbrewster/2015/12/17/facebook-instagram-security-research-threats/#dd31bd22d82a

Tuesday, March 1, 2016

More prescriptive guidance on EU / US Privacy Shield

https://beta.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf

Don't we need prescriptive guidance on security here?  Maybe not on par with PCI DSS, but somewhere close.