Is an incident involving ransomware a HIPAA breach?
The article below gives some guidance on whether or not it is a breach, though the scope of the incident largely determines the answer.
http://www.databreaches.net/when-do-covered-entities-need-to-report-ransomware-incidents-to-hhs/
Basically, an enterprise-wide structured / unstructured ePHI (database, file share / SAN / NAS) ransomware event is certainly a HIPAA breach.
Thursday, March 24, 2016
Tuesday, March 22, 2016
Need for Droid App Vetting
With the news below divulged today, does anyone disagree that public apps for individual consumption would be better off with some type of security attestation?
http://www.itworld.com/article/3047056/google-warns-of-android-flaw-used-to-gain-root-access-to-devices.html?token=%23tk.ITWNLE_nlt_itworld_today_2016-03-22&idg_eid=a809ad5f805944d2fd35ae84bd28bd94&utm_source=Sailthru&utm_medium=email&utm_campaign=ITworld%20Today%202016-03-22&utm_term=itworld_today
HR Background (Credit) Checks & Internal Threats
The article below states that some insiders are open to selling a password for $1,000 (U.S.).
How does an organization prevent this?
Well, a credit check may help in understanding an applicant's judgment and financial position, for starters. Have counsel (employment law specialists) approve this beforehand, though.
http://www.infosecurity-magazine.com/news/employees-would-sell-passwords-for/
Also, while difficult to quantify, ensure leaders (notice the lack of mention of "managers") foster esprit de corps to mitigate such actions.
Monday, March 21, 2016
Current iOS Zero-day (March '16) = False Alarm
An alarming trend is happening. "Cybersecurity" hype:
http://www.theregister.co.uk/2016/03/21/zero_day_apple_grapple_dredges_imessage_photos_videos_in_ios_9/
Yes, it is a real vulnerability. Is it front-page, five-alarm news? No: cryptographic implementations get broken from time to time, which is exactly why compensating controls are put in place.
With that said, will the U.S. Justice Department focus on this exploit? If so, will they leave Apple alone? Time will tell....
Friday, March 18, 2016
Data Masking for Oracle or MSSQL
Vendors (like hotels & now airlines) love their add-ons. Oracle's Data Masking and Subsetting is a separately licensed pack that statically masks copies of production data (for test / dev), while Microsoft builds dynamic data masking (DDM) into SQL Server 2016 and Azure SQL Database, masking query results at run time for non-privileged users. Note that DDM changes nothing at rest: the real values are still stored, anyone granted UNMASK sees them, and a user who can write ad-hoc predicates (WHERE ssn LIKE '123-45-%') can still infer them, so it is a display control, not a substitute for encryption.
http://www.oracle.com/technetwork/database/options/data-masking-subsetting/overview/ds-security-dms-2245926.pdf?ssSourceSiteId=ocomen
https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking-get-started/
http://searchsqlserver.techtarget.com/tip/An-introduction-to-SQL-Server-2016-dynamic-data-masking
Why not trim the strings application-side & go from there? Because downstream systems still need an identifier to join and de-duplicate on. That is the case for a tokenization service (e.g., Vormetric, SafeNet) backed by a more comprehensive crypto / KMS strategy: the token stands in for the value everywhere except the vault that can reverse it.
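To make the masking-versus-tokenization distinction concrete, here is an added example (not code from the post, nor from Vormetric, SafeNet, Oracle or Microsoft). It uses a constructed in-memory vault standing in for a commercial tokenization service, a PAN as the sensitive value (the same pattern applies to an MRN or SSN), and an assumed role name "payments-processor" as the only caller allowed to reverse a token. The HMAC key for the deterministic variant is an illustration-only constant.

```python
"""Application-side masking vs. tokenization (constructed example)."""
import hashlib
import hmac
import re
import secrets

# Assumed HMAC key for deterministic tokens: illustration only. In production
# this is a KMS-managed key, never a literal in source.
DETERMINISTIC_KEY = b"example-only-key-rotate-me"


def _pan_digits(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Display masking: keep the last four, hide the rest.

    Irreversible and not unique (every card ending in the same four digits
    masks the same), so it cannot serve as an identifier downstream.
    """
    digits = _pan_digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Minimal token vault: random tokens, the mapping lives only in the vault."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving random token (same length, last four kept).

        The token body is random rather than derived from the PAN, so nothing
        outside the vault can recover or infer the value from it; the same PAN
        always maps to the same token, so it is a stable join key.
        """
        digits = _pan_digits(pan)
        if digits in self._value_to_token:
            return self._value_to_token[digits]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._token_to_value:
                break
        self._token_to_value[token] = digits
        self._value_to_token[digits] = token
        return token

    def detokenize(self, token: str, *, caller_role: str) -> str:
        """Reverse a token. This is the sensitive path, so gate it on role."""
        if caller_role != "payments-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]


def deterministic_token(value: str, key: bytes = DETERMINISTIC_KEY) -> str:
    """Vault-less alternative: a keyed HMAC gives a stable identifier without
    storing a mapping. It is one-way, so it is only an identifier, never a
    way to get the value back."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]
```

The vault answers the post's "you need an identifier" objection: the token is usable as a key in application databases and logs, while the vault (and the key management around it) is the only component that has to sit inside the PCI / HIPAA boundary.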
Monday, March 14, 2016
Crypto-shredding & retention policies...
Most orgs these days rotate keys at least annually. However, what about key disposal?
Key disposal should go hand-in-hand with the disposition periods in one's retention policy: when a record's retention period ends, destroying the key that encrypts it (crypto-shredding) disposes of every copy at once, including the ones sitting in backups nobody will ever purge. Seven (7) years is a defensible default if one does not yet have a retention policy.
Just remember how different the technology landscape was in 2009? Yeah, seven should do, predicated on the data classification (and on no legal hold being in effect)...
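As an added illustration of crypto-shredding driven by a retention schedule (not code from the post, and stdlib-only so it runs anywhere): each record gets its own data-encryption key (DEK) wrapped under a key-encryption key (KEK), and a disposition date derived from the retention period. When that date passes, the wrapped DEK is deleted and the record's ciphertext becomes unrecoverable wherever copies of it survive. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, chosen only to avoid third-party packages; production code should use AES-GCM from a vetted library with the KEK held in a KMS / HSM. The record id, retention length and KEK value are assumptions.

```python
"""Crypto-shredding tied to retention periods (constructed example)."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

_NONCE_LEN = 16
_TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Domain-separate the encryption and MAC subkeys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(enc_key, nonce || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(_NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raise on tampering."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class RecordKeyStore:
    """Per-record DEKs wrapped under a KEK, each with a disposition date.

    Only the wrapped DEKs are kept; shredding a record means deleting its
    wrapped DEK, after which no copy of that record's ciphertext can be read.
    """

    def __init__(self, kek: bytes):
        self._kek = kek
        self._wrapped = {}  # record_id -> (wrapped DEK, dispose_on)

    def create(self, record_id: str, created: date, retention_days: int) -> None:
        dek = secrets.token_bytes(32)
        dispose_on = created + timedelta(days=retention_days)
        self._wrapped[record_id] = (seal(self._kek, dek), dispose_on)

    def dek(self, record_id: str) -> bytes:
        if record_id not in self._wrapped:
            raise KeyError(f"no key for {record_id!r}: shredded or never created")
        return open_(self._kek, self._wrapped[record_id][0])

    def shred_expired(self, today: date) -> list:
        """Destroy every DEK whose disposition date has passed; return those ids."""
        expired = [rid for rid, (_, dispose_on) in self._wrapped.items() if dispose_on <= today]
        for rid in expired:
            del self._wrapped[rid]
        return expired


def encrypt_record(store: RecordKeyStore, record_id: str, plaintext: bytes) -> bytes:
    return seal(store.dek(record_id), plaintext)


def decrypt_record(store: RecordKeyStore, record_id: str, blob: bytes) -> bytes:
    return open_(store.dek(record_id), blob)
```

The shred job is the piece that ties to the retention policy: run it on the schedule the policy dictates, log which ids were shredded (that log is the disposal evidence an auditor asks for), and make sure KEK rotation re-wraps only DEKs that are still within retention.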
Friday, March 11, 2016
Java & Vulnerabilities
http://www.itworld.com/article/3043062/two-year-old-java-flaw-re-emerges-due-to-broken-patch.html
The world's love-hate relationship with Java continues....
Of particular relevance: this issue affects server deployments (J2EE, J2ME) rather than solely Java Web Start (JWS) and applets.
Thursday, March 10, 2016
NOC (MSP) & SOC (MSSP) Selection
The tool linked below (Secureworks' DCEPT, a honeytoken tripwire that plants fake domain credentials on endpoints and alerts when someone tries to use them) is a reminder of how MSP & MSSP vendors need to play nicely together: the NOC deploys and maintains the agents, while the SOC owns the alerts.
While it is not advocated that one vendor provide both services, it is paramount that they collaborate on incident response, ticketing, patching, etc.
https://github.com/secureworks/dcept
Wednesday, March 9, 2016
AWS Glacier & Retention Policies
https://aws.amazon.com/blogs/aws/glacier-vault-lock/
For orgs that want to move AWS data (e.g., aging S3 objects via lifecycle rules, or EBS data first staged to S3) into cold, archival storage, Glacier is the answer.
However, an org will want to set access controls and retention periods on the data "vaults" in Glacier. Vault Lock is the retention piece: a resource policy that, once locked, can never be changed or removed for the life of the vault, so a deny on early deletion survives even a compromised admin credential. The vault access policy stays separate and editable.
Per the link above, one does this via the API: initiate the lock, review the policy during the 24-hour in-progress window (abort if it is wrong), then complete it. The screenshots in the post show the JSON policy that goes over the wire.
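Here is an added example of the policy shape Vault Lock is built for and of the two-step API call (not code from the AWS post or the AWS SDK documentation). The account id, region, vault name and 365-day floor are assumptions; the small evaluator only handles the one condition key Vault Lock uses and is not a general IAM engine. The apply step uses boto3's initiate_vault_lock / complete_vault_lock but only runs when a client is passed in, so the module itself runs offline.

```python
"""Glacier Vault Lock retention policy (constructed example)."""
import json


def build_vault_lock_policy(account_id: str, region: str, vault_name: str, min_age_days: int) -> dict:
    """Deny DeleteArchive on any archive younger than min_age_days.

    Deletion of older archives is not denied here, so normal disposition at the
    end of the retention period still works; the lock only blocks early deletes.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-delete-until-retention-met",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "glacier:DeleteArchive",
            "Resource": [f"arn:aws:glacier:{region}:{account_id}:vaults/{vault_name}"],
            "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": str(min_age_days)}},
        }],
    }


def delete_archive_denied(policy: dict, archive_age_days: int) -> bool:
    """Evaluate the policy's Deny statements for an archive of the given age.

    Miniature evaluator for glacier:ArchiveAgeInDays only. Anything not
    explicitly denied is left to the vault access policy, which Vault Lock
    does not replace.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "glacier:DeleteArchive" not in actions and "glacier:*" not in actions:
            continue
        threshold = stmt.get("Condition", {}).get("NumericLessThan", {}).get("glacier:ArchiveAgeInDays")
        if threshold is None or archive_age_days < int(threshold):
            return True  # unconditional deny, or archive still younger than the floor
    return False


def apply_vault_lock(glacier_client, vault_name: str, policy: dict, *, confirm: bool = False) -> str:
    """Two-step lock: initiate (24-hour in-progress window, abortable), then complete.

    complete_vault_lock makes the policy immutable for the vault's lifetime, so
    the caller must opt in with confirm=True after reviewing the in-progress policy.
    Returns the lock id needed for the complete (or abort) call.
    """
    resp = glacier_client.initiate_vault_lock(
        accountId="-",  # "-" means the caller's own account
        vaultName=vault_name,
        policy={"Policy": json.dumps(policy)},
    )
    lock_id = resp["lockId"]
    if confirm:
        glacier_client.complete_vault_lock(accountId="-", vaultName=vault_name, lockId=lock_id)
    return lock_id


if __name__ == "__main__":
    example = build_vault_lock_policy("123456789012", "us-west-2", "examplevault", 365)
    print(json.dumps(example, indent=2))
    # With a real client: apply_vault_lock(boto3.client("glacier"), "examplevault", example)
```

Run the builder first, check the evaluator against the ages you care about (a 30-day-old archive must be denied, a 400-day-old one must not be), and only then call apply_vault_lock with confirm=True; there is no undo after completion.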
Understanding NoSQL
Many technology professionals who are not developers seem to have some difficulty with the nuances of NoSQL, so please see the primer below:
http://www.isaca.org/Journal/archives/2012/Volume-3/Documents/12v3-A-Primer-on-Nonrelational.pdf
The bottom line is that NoSQL stores are more flexible but traditionally less secure out of the box: many popular datastores shipped with authentication disabled and no transport encryption by default, leaving it to the deployer to bolt those on.
Hopefully, homomorphic encryption (HE) will eventually assist: http://www.zdnet.com/article/encryptions-holy-grail-is-getting-closer-one-way-or-another/.
Tuesday, March 8, 2016
AWS Inspector = AWS Vulnerability Scanning (not quite DAST)
https://aws.amazon.com/inspector/
Nice work AWS! One caveat, though: Inspector is an agent-based assessment of EC2 instances (known CVEs, CIS benchmarks, security best practices), not an application-layer DAST scanner, so it does not exercise what sits behind the AWS WAF and / or AWS API Gateway.
Also, how does one integrate Inspector's findings into GRC & ticketing systems?
Will WhiteHat feel the heat from the competition? Not head-on, since WhiteHat tests the web application rather than the host, though AWS pricing pressure is real (WhiteHat runs on the high side) and many orgs have loads of apps that need DAST scanning, on and off AWS.
Monday, March 7, 2016
HIPAA & PCI Contact Center Compliance
HIPAA & PCI compliance transcend traditional IT security and privacy controls to include business processes.
HIPAA EDI, PCI, and / or contact center compliance is a different nut to crack, with management needing to decide whether to tokenize, mask, or encrypt the PHI or CHD captured in call recordings (and, for PCI, whether to pause recording or redact during card entry, since the card verification code may never be stored after authorization, even inside an audio file).
Beyond the need to notify some or all parties that calls may be recorded, management must decide whether to take an all-or-focused (PHI, CHD) protection strategy. Deciding factors include size, scale, geographic location, and / or the budget for protecting sensitive information.
Thursday, March 3, 2016
Cloud Security & Key Management
Does one leverage a cloud provider's implicit encryption keys, their own key management system (KMS) service, or use a third-party?
First, it makes sense for an org to rely on the cloud provider's native key management until it is of a scale to have InfoSec FTEs.
Second, some cloud consumers use multiple cloud providers (AWS, Rackspace), while some use one provider across multiple regions. So, as always, it is about the requirements and budget.
With that said, here are some options:
- AWS KMS
- Rackspace / OpenStack Cloud Keep
- Vormetric
- KeyNexus
- Intuit
- Microsoft
- Oracle
As usual, there is no silver bullet, though crypto is something an org certainly needs to do correctly.
Wednesday, March 2, 2016
U.S. Federal Government Bug Bounty Program
http://www.wired.com/2016/03/pentagon-launches-feds-first-bug-bounty-hackers/
Will they eventually have issues similar to Facebook / Instagram?
http://www.forbes.com/sites/thomasbrewster/2015/12/17/facebook-instagram-security-research-threats/#dd31bd22d82a
Tuesday, March 1, 2016
More prescriptive guidance on EU / US Privacy Shield
https://beta.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf
Don't we need prescriptive guidance on security here? Maybe not on par with PCI DSS, but somewhere close.