Posts Tagged ‘information security’

History of Malware

Posted in Awareness and Education on January 5th, 2012 by Paul

The history of viruses, courtesy of Bitdefender. It’s pretty cool to look back at where we’ve been and at the advances made in nefarious code.

Nevada’s step into electronic health information exchange

Posted in National and State Privacy/Security Law on June 29th, 2011 by Paul

Governor Sandoval signed Senate Bill 43 to move forward with the State Health Information Technology Strategic and Operational Plan using federal stimulus funds.  This essentially gets the ball rolling for the development of a statewide system for the electronic exchange of health information.  The intent is to improve health care quality, prevent medical errors and reduce medical costs.

The new law appears to draw from HIPAA and HITECH with regard to data security and privacy. It is interesting that Texas, also moving forward on stimulus funding for electronic health records, just enacted tougher protections because of the perceived weakness and lack of enforcement of the federal laws. From the June 28, 2011 article “Texas Enacts Health Privacy Law” at govinfosecurity.com:

“…she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped up enforcement of healthcare privacy rights at the state level.”  – Sponsor of the Texas law Lois Kolkhorst.

“The federal attempt to stop the sale of protected health information without consent in the HITECH Act appears to have been weakened so much that it’s not going to have any noticeable effect.”   – Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights.

While Texas has defined broader protections, Nevada seems much more in line with HIPAA and places the design of standards in the hands of the Director of Health and Human Services. Two different approaches, hopefully with good results for protected health information. Time will tell whether the privacy and security required in this new electronic health information exchange will match the desired benefits to quality of care and reduced costs.


Photo credit: Tabitha Kaylee Hawk

Playing Catchup – Consumer Devices in the Workplace

Posted in Business and Security on June 24th, 2011 by Paul

Mobile devices, social networking sites, and consumer cloud services are quickly becoming, if they aren’t already, part of your business environment. As is often the case, the ability and tools to securely manage new technologies lag behind the flood of use in organizations, leaving a gap in the protection of sensitive information.

Quite frankly, we should have seen this coming.  The “new” workforce communicates differently and often more efficiently (not necessarily more effectively).  Text messages, tweets, IM, oh my!  There is a different, and often reduced, perspective on risk even while regulatory requirements for privacy and security become more stringent.

Now here we are, playing catch-up to let the business keep up with the times while preventing the unauthorized release of protected information (and the associated costs). The “hope” method of information security isn’t enough, but once the cat is out of the bag it’s hard to rein in perceived freedom without a blow to the new work culture and to the reputation of information security. Doing nothing isn’t an option, as a recent CSO Online article puts it:

Organizations that have no control over unauthorized use of technologies on their networks are in “serious peril,” says David Knight, executive vice president of product management and marketing at Proofpoint. Sooner or later an unprotected device, social media site or IM platform will provide unauthorized access to regulated information, he says.   -  “Security concerns aside, consumer devices, services take over the enterprise” CSOOnline article by Bob Violino

Can you sandbox work applications and data on mobile devices to separate them from “personal” use? Can you require connections to business functions and data over secure channels? Can you remotely wipe a “lost” phone? Can we provide the services and functionality the “new” workforce needs to be efficient and effective without sacrificing security and compliance?

We’ll see.

Photo credit:  David Fisher

Layered Endpoint Security

Posted in Awareness and Education, Business and Security on April 13th, 2011 by Paul

I love this conversation:

“Is your workstation protected?”

“Of course, I have anti-virus installed.”

While anti-virus products are one piece of protecting your workstation, they aren’t enough. Most AV products do a poor job of detecting new malware. They do better over time against old malware that is still floating around, IF (and it’s a big “if”) signatures are updated frequently.

So what else is needed?

Single technologies can fail.  Think in layers when it comes to comprehensive security.  Here are a few considerations:

  1. The bad guys have figured out that the quickest way to get to your computer is through 3rd party applications that are vulnerable and out of date.  Adobe seems to have taken Microsoft’s place as the malware whipping boy.   So, consider extending your patch management program beyond the operating system and common productivity suites like Office to include all applications that reside on business workstations.
  2. Remove, where possible, local Administrator rights for users.  Most don’t need it.  Malware loves it.
  3. Managing your endpoints and the software that can be installed on them helps control the “rogue” software that tends to magically appear on workstations.  If it’s needed for business, there is no reason it can’t be managed appropriately.  Application whitelisting tools may help here.
  4. Consider host IPS and other features that come with suites of anti-malware products.  Tie them in with a central logging environment or management console.
  5. Consider virtualizing the browser application to confine drive-by infections.
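Here is a small check, added to this post as an example and not code from the original, that ties items 1 through 3 together: compare a workstation’s installed-software inventory against a minimum-version baseline, list anything installed that has no baseline entry at all, and list local Administrators group members that are not on an allowed list. The inventory, baseline, product names, version numbers and account names are all constructed for the example; in practice they would come from your endpoint-management tool and from `net localgroup Administrators` or the equivalent. The one detail worth noticing is the version comparison: 9.4.10 is newer than 9.4.2, but a plain string comparison says otherwise, so versions are split into numeric tuples before comparing.

```python
import re

# Constructed inventory for one workstation (hypothetical product names and
# version numbers, in the shape an endpoint-management tool would export).
INVENTORY = {
    "Adobe Reader": "9.4.1",
    "Adobe Flash Player": "10.1.102.64",
    "Java(TM) 6 Update": "1.6.0_22",
    "Microsoft Office": "12.0.6545",
    "MediaGrabber": "2.0",          # not on the approved list at all
}

# Hypothetical minimum-version baseline; not real advisory data.
BASELINE = {
    "Adobe Reader": "9.4.2",
    "Adobe Flash Player": "10.1.102.64",
    "Java(TM) 6 Update": "1.6.0_24",
    "Microsoft Office": "12.0.6545",
}

# Constructed local Administrators group membership and the allowed set.
LOCAL_ADMINS = ["Administrator", "CORP\\Domain Admins", "CORP\\jdoe"]
ALLOWED_ADMINS = {"Administrator", "CORP\\Domain Admins"}


def version_key(version):
    """Turn '10.1.102.64' or '1.6.0_22' into a tuple of ints for comparison.
    Comparing as strings is the classic bug: '9.4.10' < '9.4.2' as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def patch_gaps(inventory, baseline):
    """Return (outdated, unmanaged): apps below baseline as
    (name, installed, required), and apps with no baseline entry."""
    outdated, unmanaged = [], []
    for name, installed in sorted(inventory.items()):
        required = baseline.get(name)
        if required is None:
            unmanaged.append(name)
        elif version_key(installed) < version_key(required):
            outdated.append((name, installed, required))
    return outdated, unmanaged


def unexpected_admins(members, allowed):
    """Accounts in the local Administrators group that are not on the allowed list."""
    return sorted(set(members) - set(allowed))


if __name__ == "__main__":
    out, unm = patch_gaps(INVENTORY, BASELINE)
    for name, have, need in out:
        print(f"OUTDATED  {name}: {have} < {need}")
    for name in unm:
        print(f"UNMANAGED {name}: no baseline entry, review or whitelist")
    for acct in unexpected_admins(LOCAL_ADMINS, ALLOWED_ADMINS):
        print(f"ADMIN     {acct}: not on the allowed list")
```

Feed it a real inventory export and the baseline from your patch-management process and the three lists become the work queue for items 1, 2 and 3 above.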


Self-inflicted… the ongoing saga

Posted in Business and Security on March 28th, 2011 by Paul

I could have sworn I was in a Dilbert cartoon when I got a phone call over the weekend from a small business owner who claimed a system on our network was attacking him.   The conversation went something like this:

Him:  “Your system has been attacking me on port 3389.”

Me:  “Port 3389?  Did this just start?”

Him:  “Yeah.  I’ve been having issues but I just looked at the firewall log today and saw your IP address.”

Me:  “What else is happening?  Can you send me the log for this?”

Him:  “Sure.  Just sent it.  As far as the server, my firewall rules have changed.  I keep getting gigabytes of files that I think are X-box games that keep reappearing after I delete them.  Oh, and there are some services running that look to be just one letter off from legitimate ones.”

Me:  “How long has this been going on?”

Him:  “Oh, I don’t know.  I ran out of disk space about a week ago and have been cleaning it off every day.”

Me:  “Sir, I’m pretty confident your server has been compromised and if you are allowing RDP connections from the Internet, you might want to reconsider that.  You might also want to wipe and reload your server.”

Him:  “Oh, I had to do that just six months ago.  I had a SQL server that was compromised just like this.  Crazy.  I’m not sure why I’m a target.”

Me:  “So, you keep getting compromised.  Did you have RDP running on that server as well and open to the Internet?”

Him:  “Yeah.  It sure is convenient since I travel a lot.”

Me:  “Oh.  Just checking the log file you sent me sir and it looks like you may have transposed some numbers.  This isn’t coming from our network but it’s coming from a network in Texas.”

Him:  “Oh.  I’m terribly sorry to bother you then.”

Me:  “Not a bother at all.   If you don’t mind can I make a suggestion?”

Him:  “Sure.”

Me:  “You may want to consider getting some help securing your server and finding a safer way to access it when you’re traveling.  It may help so you don’t have to rebuild your system every few months and you can concentrate on more pressing business matters.”

Him:  “Thanks but really, no need.  I’ve got it under control.”

Me:  “I wish you good luck then.  Have a good day.”


Certainly he had all good intentions but probably lacked the skills to adequately protect himself and his customers.  I’m a bit saddened that he wasn’t open to getting some help with this problem because I’m sure he has better things to do than rebuilding a server every few months.  Small business owners should concentrate on their core competencies and get some assistance in areas where they may not be as strong (or simply don’t want to spend the time).   In this case, it appears this business owner will be a repeat customer in the land of self-inflicted problems.
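As an added example (not part of the original post), here is the kind of check I ran on the log he sent before answering him: parse a Windows Firewall log in the W3C-style pfirewall.log format, count inbound attempts to port 3389 per source address split by ALLOW and DROP, and compare a claimed address against an actual one for a simple digit transposition. The log lines below are constructed for the example using documentation address ranges; the column layout is taken from the file’s own #Fields header rather than hard-coded positions, so the parser survives a different field order.

```python
from collections import Counter, defaultdict

# Constructed pfirewall.log excerpt (documentation IP ranges, made-up times).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-03-26 09:14:22 DROP TCP 203.0.113.45 192.168.1.10 51234 3389 48 S 1234567 0 8192 - - - RECEIVE
2011-03-26 09:14:23 DROP TCP 203.0.113.45 192.168.1.10 51235 3389 48 S 1234568 0 8192 - - - RECEIVE
2011-03-26 09:14:25 ALLOW TCP 203.0.113.45 192.168.1.10 51236 3389 48 S 1234569 0 8192 - - - RECEIVE
2011-03-26 09:15:01 ALLOW TCP 198.51.100.7 192.168.1.10 40001 3389 48 S 2234569 0 8192 - - - RECEIVE
2011-03-26 09:15:30 ALLOW TCP 192.168.1.10 203.0.113.45 3389 51236 52 A 1234570 1 8192 - - - SEND
2011-03-26 09:16:02 DROP TCP 203.0.113.45 192.168.1.10 51240 445 48 S 1234571 0 8192 - - - RECEIVE
"""


def parse_pfirewall(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a truncated or corrupted line rather than abort
        yield dict(zip(fields, parts))


def inbound_attempts(lines, port):
    """Per source IP, how many inbound connections to `port` were ALLOWed or DROPped.
    Outbound (SEND) records are ignored so replies from the server do not count."""
    counts = defaultdict(Counter)
    for rec in parse_pfirewall(lines):
        if rec["path"] != "RECEIVE" or rec["dst-port"] != str(port):
            continue
        counts[rec["src-ip"]][rec["action"]] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def ranked_sources(lines, port):
    """Source IPs ordered by total attempts, busiest first."""
    summary = inbound_attempts(lines, port)
    return sorted(summary.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))


def one_transposition_apart(claimed, actual):
    """True if the two strings differ only by one swap of adjacent characters,
    e.g. '113' read as '131'. Worth checking before accusing a neighbour."""
    if len(claimed) != len(actual) or claimed == actual:
        return False
    diff = [i for i, (x, y) in enumerate(zip(claimed, actual)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and claimed[diff[0]] == actual[diff[1]]
            and claimed[diff[1]] == actual[diff[0]])


if __name__ == "__main__":
    for ip, actions in ranked_sources(SAMPLE_LOG.splitlines(), 3389):
        print(ip, actions)
```

The ALLOW count is the one to worry about: every allowed inbound 3389 from an address you do not recognise is a logon attempt that reached the RDP service, which is exactly the exposure the conversation above is about.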


“Do Not Track” – Will it really help?

Posted in National and State Privacy/Security Law on March 17th, 2011 by Paul

The FTC and White House are once again throwing their support behind a “Do Not Track” tool meant to protect user privacy on the Internet.   I think it’s easy to jump on board the good ship Privacy but anytime the federal government engages in such rule enforcement and legislation, you have to wonder what the unintended consequences might be.  Will it really make a difference?

For instance, if this models the Do Not Call list, does the collection of internet activity not apply to politicians and their election campaigns?  Or do they get a pass again?

Will it change the business model that provides free content and services?

If legislation is created and passed, will it also include funding for ant farms in Alabama or other items that have no business being in a privacy bill?

More importantly, will it really change people’s behavior? I’m not sure.  People have been giving away information about themselves for a long time whether it’s to get 3 cents off a loaf of bread or to win money in a lottery they’ve never entered.  Can you really legislate personal responsibility anyway?

I think providing a choice is a good thing.  I think it’s reasonable to inform people how their information will be used.  I’m just not sure the end result of this effort will resemble the good intentions.

Photo credit:  Mikey G. Ottawa


“Addicted to Click” and Supporting the Habit

Posted in Awareness and Education, Business and Security on February 25th, 2011 by Paul

Anup Ghosh wrote in his SC Magazine article titled “Unwitting accomplices and complicit security teams”:

Cyber miscreants have figured out there is no sense in spending the energy trying to break through firewalls when you can simply ask any one of the thousands of users connected to the internet to invite you in.

How true!  What Ghosh refers to as castles and moats I call the Cyber Maginot Line.  Over-reliance on simple perimeter defenses ignores the shift in attackers’ focus to user behavior.  While not as sexy as the “hack” seen in movies, it is simply easier to just ask.  Many users will oblige with information or are easily convinced to click on an official-looking link in an e-mail.  Most are “addicted to click”.

While I agree with Ghosh that the philosophy of “users should know better” is not a strategy, awareness IS a component of an overall security strategy.  The problem is, many companies use hour long presentations on policy in hopes of convincing users to change their behavior.  Good luck with that.   A series of 5 minute videos over the course of a year is much more effective.  The goal isn’t to “train” people.  It’s to raise the level of awareness.  If an employee gets an “aha” moment and reports strange behavior or decides not to click on a link, mission accomplished.  If it helps them keep their home computer safe, all the better for everybody.  But again, it’s a small piece and can’t be relied on to adequately protect an organization.

That said, implementing technology that makes users’ mistakes “irrelevant” is absolutely a good approach, AND the technology to do that exists and continues to be refined.  Ghosh’s suggestion to isolate the desktop from web browsing would be a significant step in the right direction.  The threatscape continues to evolve and we need to be agile in our defense.  That includes protecting our users from themselves by not enabling their “click habit”.

Technical Tunnel Vision

Posted in Business and Security on February 3rd, 2011 by Paul

I was recently reminded how easily one can become focused on a single technical solution to a problem and completely miss process or people solutions.  Under the pressure of a fast-paced environment and constantly changing priorities, technically oriented people will often fall back on their bread and butter to churn out a quick solution.  I’m guilty of this just like many others, I’m sure.  This is unfortunate.

I’m convinced that the best solutions can only be found if all options are on the table and you can’t possibly understand all the options if you don’t gather information from affected business units and the people actually doing the work.  How dumb would I have been if I had suggested spending tens of thousands of dollars on a technical solution when a simple change in work flow or business process/procedure could solve the problem equally well?

Sometimes you have no choice, but you owe it to yourself, your company or your client to examine all possible options (within reason).  Explore the benefits and impacts of each.  Show the cost of each proposed solution in dollars, resources, and reputation.  By all means, don’t think you can adequately come up with a solution sitting behind a desk and not talking with those affected.  Don’t let the pressure of deadlines and multiple priorities prevent you from tapping into the valuable resource of the folks performing the day-to-day work.

It’s easy to fall back into a comfort zone of technical solutions but to add value to your organization as a security professional, you must learn to provide a broad range of business solutions that encompass technology, people, and processes.

Remember when….

Posted in Awareness and Education, Business and Security on January 21st, 2011 by Paul

Last night I was thinking about my start in the information security field.  I was working as a network analyst for an international company and was simply assigned “the firewall” for the relatively new Internet connectivity.  I quickly caught the security bug, attended a conference or two, read anything I could get my hands on and then presented a new idea of an “information security” function for my boss and his boss.

I thought I was being diligent in explaining the security triad – Confidentiality, Integrity, and Availability – when I hit a roadblock.  The Director at the time said “Availability isn’t a security issue at all… you don’t know what you’re talking about.”   Perhaps I could have talked about Denial of Service attacks or viruses preventing employees from accessing the resources needed to do their jobs.  I could have talked about lost revenue, customers going with alternative products, or other examples of how “availability” could impact the business bottom line, but I didn’t have the skills at the time to counter her argument.   Security remained an “other duties as assigned” function for the rest of my tenure there.

Revisiting with the organization after 18 years I found their security posture to have matured dramatically since then (along with my business, communication and security skills).  Good for them!  They have a fantastic security team that has the ear of senior leadership.

What’s funny is after 18 years, I will still come across similar failures in understanding.  For instance, at one organization their primary servers filled with customer data, including personally identifying information, sat outside of their firewalls.  The executive leadership at the time didn’t think that was a big deal because “the servers are secure”.   Another time, a plan to eliminate social security numbers that weren’t needed on a server was met with near hostility and a comment of “it’s protected by a firewall anyway”.

Examples like this continue to plague the information security field.  Is this an executive problem, or a problem with CISOs not educating or communicating the issues in a way that is understood by “business-minded” folks?  If we can’t relate the threat in terms used in other business disciplines, in 18 years we’ll be hearing the same stories repeated by the next generation of security professionals.

Less “Aware” Consumers are Bigger Phishing Targets

Posted in Awareness and Education on January 4th, 2011 by Paul

It should come as no surprise that with the proliferation of mobile devices (Blackberry, Android, iPhone), phishing attacks have also gone mobile.  From an article at Help Net Security, “Mobile users more vulnerable to phishing attacks”, log files from a compromised web server hosting phishing web sites revealed these interesting tidbits:

1.  Mobile users (Blackberry, Android, iPhone) are three times more likely to submit their login info than desktop users.

2.  Eight times more iPhone users accessed these phishing websites than Blackberry users.

This shouldn’t be a surprise to anybody.  Individuals have grown accustomed to getting information on the go.   It’s simple to click on a link within an e-mail on your mobile device and be taken to a website.  This site can be legitimate or it could be serving up malware or asking for sensitive information.

I’m equally unsurprised that, by a large margin, more iPhone users are going to phishing sites than Blackberry users.  Even though Blackberry still beats the iPhone in market share, Blackberry users tend to be business driven while iPhones are largely consumer devices.  While certainly not validated, I agree with the reasonable assumption in the article that business users tend to be more “security aware” than the average consumer and are less likely to fall for “phishing” scams.
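The two numbers above came from reading a phishing site’s web server logs, and that analysis is easy to reproduce yourself during an incident. As an added example (not from the original post or the Help Net Security article), the following bucket visitors of a phishing login page by platform from the User-Agent string, count distinct addresses that loaded the page versus distinct addresses that POSTed credentials to it, and compare the mobile and desktop submission rates. The access-log lines are constructed for the example in the common Apache “combined” format, with documentation IP ranges and a made-up hostname; the page path `/secure/login.php` is an assumption.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

MOBILE_MARKERS = ("iPhone", "Android", "BlackBerry")

# Constructed access-log excerpt from a hypothetical phishing page.
SAMPLE_LOG = """\
203.0.113.9 - - [03/Jan/2011:10:12:01 -0600] "GET /secure/login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X) AppleWebKit/533.17.9"
203.0.113.9 - - [03/Jan/2011:10:12:40 -0600] "POST /secure/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X) AppleWebKit/533.17.9"
203.0.113.10 - - [03/Jan/2011:10:13:05 -0600] "GET /secure/login.php?acct=1 HTTP/1.1" 200 2345 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X) AppleWebKit/532.9"
203.0.113.11 - - [03/Jan/2011:10:14:00 -0600] "GET /secure/login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X) AppleWebKit/533.17.9"
203.0.113.11 - - [03/Jan/2011:10:14:31 -0600] "POST /secure/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_2_1 like Mac OS X) AppleWebKit/533.17.9"
198.51.100.20 - - [03/Jan/2011:10:15:12 -0600] "GET /secure/login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1"
198.51.100.20 - - [03/Jan/2011:10:15:50 -0600] "POST /secure/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1"
198.51.100.21 - - [03/Jan/2011:10:16:03 -0600] "GET /secure/login.php HTTP/1.1" 200 2345 "-" "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1 Configuration/CLDC-1.1"
192.0.2.30 - - [03/Jan/2011:10:17:22 -0600] "GET /secure/login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24"
192.0.2.31 - - [03/Jan/2011:10:18:09 -0600] "GET /secure/login.php HTTP/1.1" 200 2345 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
192.0.2.31 - - [03/Jan/2011:10:18:44 -0600] "POST /secure/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
192.0.2.32 - - [03/Jan/2011:10:19:15 -0600] "GET /secure/login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_6) AppleWebKit/533.19.4"
192.0.2.33 - - [03/Jan/2011:10:20:01 -0600] "GET /secure/login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
192.0.2.33 - - [03/Jan/2011:10:20:20 -0600] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
"""


def classify(user_agent):
    """Bucket a User-Agent into iPhone / Android / BlackBerry / Desktop."""
    for marker in MOBILE_MARKERS:
        if marker in user_agent:
            return marker
    return "Desktop"


def phishing_stats(lines, login_path):
    """Per platform: distinct IPs that loaded the phishing login page (visits)
    and distinct IPs that POSTed credentials to it (submits)."""
    visits, submits = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate damaged lines in a recovered server log
        if m.group("path").split("?", 1)[0] != login_path:
            continue  # images, scripts and other pages are not interesting
        platform = classify(m.group("ua"))
        if m.group("method") == "GET":
            visits[platform].add(m.group("ip"))
        elif m.group("method") == "POST":
            submits[platform].add(m.group("ip"))
    platforms = set(visits) | set(submits)
    return {p: {"visits": len(visits[p]), "submits": len(submits[p])}
            for p in sorted(platforms)}


def submit_rate(stats, platforms):
    """Fraction of visiting addresses that went on to submit, over the given platforms."""
    v = sum(stats.get(p, {}).get("visits", 0) for p in platforms)
    s = sum(stats.get(p, {}).get("submits", 0) for p in platforms)
    return s / v if v else 0.0


def mobile_vs_desktop(stats):
    """(mobile submit rate, desktop submit rate)."""
    return submit_rate(stats, MOBILE_MARKERS), submit_rate(stats, ("Desktop",))


if __name__ == "__main__":
    stats = phishing_stats(SAMPLE_LOG.splitlines(), "/secure/login.php")
    for platform, counts in stats.items():
        print(platform, counts)
    print("mobile vs desktop submit rate:", mobile_vs_desktop(stats))
```

Counting distinct addresses rather than raw hits keeps one victim who reloads the page, or one crawler, from skewing the ratio; substring matching on the User-Agent is crude but is the same coarse split the article relied on.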

Since “awareness” is a good defense against phishing scams, who is positioned to provide it?  Should providers of consumer devices such as the iPhone and Android also be providing awareness information since their devices are now much more than phones?