Is an incident involving ransomware a HIPAA breach?
The article below gives some guidance on whether or not a ransomware incident is a breach, though the scope of the incident is a HUGE factor in that determination.
http://www.databreaches.net/when-do-covered-entities-need-to-report-ransomware-incidents-to-hhs/
Basically, an enterprise-wide ransomware event hitting structured or unstructured ePHI (databases, file shares, SAN / NAS) is certainly a HIPAA breach.
Thursday, March 24, 2016
Tuesday, March 22, 2016
Need for Droid App Vetting
With the news below divulged today, does anyone disagree that public apps for individual consumption would be better off with some type of security attestation?
http://www.itworld.com/article/3047056/google-warns-of-android-flaw-used-to-gain-root-access-to-devices.html?token=%23tk.ITWNLE_nlt_itworld_today_2016-03-22&idg_eid=a809ad5f805944d2fd35ae84bd28bd94&utm_source=Sailthru&utm_medium=email&utm_campaign=ITworld%20Today%202016-03-22&utm_term=itworld_today
HR Background (Credit) Checks & Internal Threats
The article below states that some insiders are open to selling a password for $1,000 (U.S.).
How does an organization prevent this?
Well, a credit check may help to understand an applicant's judgment and financial position, for starters. Though counsel (employment specialists) had better approve this beforehand.
http://www.infosecurity-magazine.com/news/employees-would-sell-passwords-for/
Also, while difficult to quantify, ensure leaders (note the deliberate absence of the word "managers") foster esprit de corps to mitigate such actions.
Monday, March 21, 2016
Current iOS Zero-day (March '16) = False Alarm
An alarming trend is happening: "Cybersecurity" hype.
http://www.theregister.co.uk/2016/03/21/zero_day_apple_grapple_dredges_imessage_photos_videos_in_ios_9/
Yes, it is a vulnerability. Is it front-page, five-alarm, newsworthy? No. Cryptography can be broken; that is why compensating controls are put in place.
With that said, will the U.S. Justice Department focus in on this exploit? If so, will they leave Apple alone? Time will tell....
Friday, March 18, 2016
Data Masking for Oracle or MSSQL
Vendors (like hotels & now airlines) love their add-ons. Oracle sells its Data Masking and Subsetting Pack as a separately licensed option for a decent charge, while Microsoft ships dynamic data masking (DDM) natively in contemporary versions of MSSQL (SQL Server 2016 and Azure SQL Database).
http://www.oracle.com/technetwork/database/options/data-masking-subsetting/overview/ds-security-dms-2245926.pdf?ssSourceSiteId=ocomen
https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking-get-started/
http://searchsqlserver.techtarget.com/tip/An-introduction-to-SQL-Server-2016-dynamic-data-masking
Why not trim the strings application-side & go from there? Oh, you need an identifier. How about using a tokenization service (e.g., Vormetric, SafeNet) backed by a more comprehensive crypto / KMS strategy? Keep in mind that DDM only masks query results: the column is still stored in the clear, anyone granted UNMASK sees it, and a user with ad-hoc query rights can narrow a masked value down with WHERE predicates. It is a presentation control, not encryption.
Monday, March 14, 2016
Crypto-shredding & retention policies...
Most orgs these days perform key rotation at least annually. However, what about key disposal?
Key disposal should go hand in hand with the disposition periods in one's retention policy; seven (7) years is a defensible default if one does not have a retention policy. Destroying the key is the disposal: every copy of the data encrypted under it, backups included, becomes unrecoverable, which is the whole point of crypto-shredding.
Just remember how different the technology landscape was in 2009. Yeah, seven should do, predicated on the data classification...
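As an added example (this is not code from this blog or from any vendor named above), the following Python sketches two ideas together: the tokenization-plus-KMS approach suggested in the Data Masking post, and key disposal tied to retention as discussed here. Everything in it is hypothetical (the Kms and TokenVault classes, the cohort-per-year layout); HMAC-SHA256 in counter mode stands in for the AES-GCM a real KMS would use, only so it runs with the standard library and is unauthenticated. Each cohort of records (by creation year) gets its own key-encryption key; annual rotation means new cohorts get a new KEK, and when a cohort passes its disposition date its KEK is destroyed, which crypto-shreds that ciphertext wherever it lives. The masked view never touches a key, which is what DDM gives you, while detokenization only works while the cohort KEK exists.

```python
"""Tokenization vault with envelope encryption and retention-driven
crypto-shredding. Hypothetical, stdlib-only example code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF-in-counter-mode stream cipher: XOR data with HMAC(key, nonce||ctr)
    blocks. Stand-in for AES-GCM so the example runs offline; no auth tag."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Kms:
    """Minimal key manager: one key-encryption key (KEK) per data cohort (year).
    Access control and audit for unwrap() would live here in a real KMS."""

    def __init__(self) -> None:
        self._keks: Dict[int, bytes] = {}

    def create_kek(self, cohort: int) -> None:
        self._keks[cohort] = secrets.token_bytes(32)

    def wrap(self, cohort: int, dek: bytes) -> bytes:
        return encrypt(self._keks[cohort], dek)

    def unwrap(self, cohort: int, wrapped: bytes) -> bytes:
        if cohort not in self._keks:
            raise KeyError(f"KEK for cohort {cohort} was destroyed; data is crypto-shredded")
        return decrypt(self._keks[cohort], wrapped)

    def destroy_kek(self, cohort: int) -> None:
        del self._keks[cohort]

    def cohorts(self) -> List[int]:
        return sorted(self._keks)


@dataclass
class VaultRecord:
    ciphertext: bytes   # value encrypted under a per-record data key (DEK)
    wrapped_dek: bytes  # DEK encrypted under the cohort KEK
    cohort: int         # creation year; selects the KEK and the retention clock
    last4: str          # kept in clear for the masked view, like a DDM column


class TokenVault:
    """Maps opaque tokens to vaulted values; the application stores only tokens."""

    def __init__(self, kms: Kms) -> None:
        self.kms = kms
        self._records: Dict[str, VaultRecord] = {}

    def tokenize(self, pan: str, year: int) -> str:
        if year not in self.kms.cohorts():
            self.kms.create_kek(year)            # rotation: each new cohort gets a new KEK
        dek = secrets.token_bytes(32)
        token = "tok_" + secrets.token_hex(8)    # random, so not derivable from the value
        self._records[token] = VaultRecord(
            ciphertext=encrypt(dek, pan.encode()),
            wrapped_dek=self.kms.wrap(year, dek),
            cohort=year,
            last4=pan[-4:],
        )
        return token

    def masked(self, token: str) -> str:
        """Display form; touches no key, so it survives shredding."""
        return "*" * 12 + self._records[token].last4

    def detokenize(self, token: str) -> str:
        """Full value; only possible while the cohort KEK still exists."""
        rec = self._records[token]
        dek = self.kms.unwrap(rec.cohort, rec.wrapped_dek)
        return decrypt(dek, rec.ciphertext).decode()

    def shred_expired(self, current_year: int, retention_years: int = 7) -> List[int]:
        """Key disposal on the retention schedule: destroy every cohort KEK whose
        disposition date has passed. Ciphertext may linger in backups, but
        without the KEK it is unrecoverable. Returns the shredded cohorts."""
        expired = [c for c in self.kms.cohorts() if current_year - c >= retention_years]
        for cohort in expired:
            self.kms.destroy_kek(cohort)
        return expired


def demo() -> dict:
    """Walk through tokenize, masked view, retention-driven shred, and the
    resulting failure of detokenize for the expired cohort (constructed data)."""
    vault = TokenVault(Kms())
    old = vault.tokenize("4111111111111111", year=2009)   # test PAN, constructed
    new = vault.tokenize("5555555555554444", year=2016)   # test PAN, constructed
    before = vault.detokenize(old)
    shredded = vault.shred_expired(current_year=2016)     # 2016 - 2009 >= 7
    try:
        vault.detokenize(old)
        old_after = "recoverable"
    except KeyError:
        old_after = "shredded"
    return {"before": before, "masked": vault.masked(old), "shredded": shredded,
            "old_after": old_after, "new_after": vault.detokenize(new)}


if __name__ == "__main__":
    print(demo())
```

The reason for a KEK per cohort rather than one KEK that is rotated by rewrapping every DEK is that rewrapping keeps every record readable forever; only a key that is actually retired with its cohort can be destroyed on the disposition date.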
Friday, March 11, 2016
Java & Vulnerabilities
http://www.itworld.com/article/3043062/two-year-old-java-flaw-re-emerges-due-to-broken-patch.html
The world's love-hate relationship with Java continues....
Of particular relevance is that this issue affects server-side deployments (Java EE), not solely Java Web Start (JWS) and browser applets.