Does I.T. Drive Your Business, or Does I.T. Drive you Mad?

Friday, June 29, 2007

Doctors' Poor Penmanship Has Deadly Results

Not sure why technology hasn't been introduced sooner, and isn't more widespread than it is today, to address the problem of not being able to read a doctor's handwriting. One interesting point though: the technology is not a cure-all. As with every security problem, policy, process and people also need to be carefully considered.

Wednesday, June 27, 2007

A Warning to Retailers Everywhere

In order to prevent identity theft in retail organizations, the PCI data standard states that credit and debit card information cannot be stored by point-of-sale applications/terminals. Unfortunately, most point-of-sale providers never got the memo. Corporations have to protect sensitive data all the time - why is this any different?

Monday, June 25, 2007

When Computers Attack

Anyone who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. But how bad would a cyberwar really be — especially when compared with the blood-and-guts genuine article? Whatever the answer, governments are readying themselves for the Big One.

Friday, June 22, 2007

High Profile Data Theft - Yet Again

Another high profile breach has been reported - with over 225,000 personal records being stolen. The breach happened when an intern in the Ohio State Government was given the responsibility of storing back-up data - off-site, in her home. Unfortunately, it was stolen from her car before she even got it home.

This has happened many times over the past few years - yet I am not surprised to hear that these types of practices continue - seemingly unabated. Here is a tiny sampling:

  • Feb. 25, 2005: Bank of America lost a backup tape with 1,200,000 records on it.
  • March 11, 2005: Univ. of CA, Berkeley lost a laptop with 98,400 records on it.
  • Jan. 12, 2006: The People's Bank lost backup tapes with 90,000 records on them.
  • Jan. 25, 2006: Providence Home Services had backup tapes stolen with 365,000 records on them.
  • Feb. 13, 2006: An Ernst & Young employee had a laptop stolen from a car containing 38,000 records.
  • March 2, 2006: Hamilton County Clerk of Courts posted information improperly to their website, leading to the exposure of 1.3 million records. Of note: an identity thief was sentenced to 13 years in prison for the crimes. She stole 100 identities and nearly $500,000.
  • Feb. 8, 2007: St. Mary's Hospital lost a laptop containing 130,000 confidential records.

This is just a very, very small fraction of the total number of incidents reported over the past two years. For a complete list, please refer here.

These types of security breaches point to the fact that information security is not all about technology. A comprehensive, "best practices" security program takes into consideration 4 key things: Policy, Process, People & Technology. Here's an example of how consideration of these 4 key areas could have prevented this breach from ever happening:

Policy: All back-up information is to be stored off-site in a secure facility and managed by authorized representatives only. (no interns, no storing in your house or car!)

Process: All back-up media are to be delivered to and from secure facilities via secure encrypted links or bonded, tier-1 couriers. Even this is not enough because couriers can be stolen from too. This is why we need to consider multiple layers of defense.

People: Only select people shall be responsible for the safekeeping of back-up media (managing the process). These people must be trained on what the security protocol and the risks are!

Technology: All back-up information shall be encrypted such that if it is stolen or lost, information will be rendered useless.
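The Technology layer above, as an added example that is not part of the original post: a backup image is encrypted with AES-256-GCM (Go standard library) before it leaves the facility, so media lost from a courier or a car yields nothing without the key that stays behind. The function names and the sample record are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealBackup encrypts a backup image with AES-256-GCM before it leaves the
// facility. The key stays behind; only nonce || ciphertext || tag travels.
func SealBackup(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per backup
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBackup decrypts and verifies a sealed image. A wrong key or any change
// to the media fails the GCM tag check and returns an error, not plaintext.
func OpenBackup(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32) // generated and kept at the secure facility
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed stand-in for a backup tape image holding personal records.
	archive := []byte("name=Jane Doe;dob=1970-01-01;account=12345678")
	sealed, err := SealBackup(key, archive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("record text visible on media: %v\n", bytes.Contains(sealed, []byte("Jane")))
	// The media is lost in a car: the finder has the ciphertext but no key.
	_, err = OpenBackup(make([]byte, 32), sealed)
	fmt.Println("decrypt without the facility key:", err)
}
```

The tag check also covers the Process layer: media altered in transit fails to open rather than silently restoring corrupted data.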

In a recent report, Forrester concluded that the cost of a data breach varies widely, from about US$90 to $305 per customer record, depending on whether the breach is “low-profile” or “high-profile” and on whether the company is in a non-regulated or a highly regulated area, such as banking. These costs cover legal fees, notification costs, increased call centre costs, and marketing and public relations expenses.

Implementing mechanisms to prevent this type of data loss does not have to be expensive and certainly not cost prohibitive. Just implementing changes to policy, process and people significantly reduces the risk. Unfortunately, it is obvious that the reporting of hundreds of similar breaches is not enough for many organizations to act and reduce the risk. Our advice is to not wait till it happens to you - reducing the risk does not have to be expensive or complicated - just well thought out.

Thursday, June 21, 2007

NAC Gaining Momentum

The Challenge:

Providing internal and external users with secure access to resources. Secure access means:

  • properly authenticated and authorized
  • free of spyware and viruses
  • access only to the information users need to do their job

NAC: Securing access to information

The Network Access Control space has received much press over the past few years. Many companies have been leery of making the jump, citing implementation complexities, a lack of standards and the inability to source a product that met all company requirements.

However, a recent report by Network Computing, based on a broad survey, stated that "most said NAC is easier to deploy, is less disruptive and requires fewer changes to network configurations, and has less of an impact on productivity than was expected."

This is not to say that there are no longer difficulties or complaints. There are over 30 vendors in this space, with 4 - 6 competitors occupying the lion's share. The proliferation of proprietary standards poses challenges to interoperability. Word to the wise: understand your requirements thoroughly before jumping in - NAC implementations can be expensive, with survey respondents having spent, on average, 12% of their entire enterprise IT budget on the project.

Additional NAC Points of Interest:

Infrastructure Impact:
  • NAC deployments are notorious for demanding infrastructure changes - on average, respondents expected to have to change up to 30% of their infrastructure for NAC readiness.
  • Understanding what the impact on the network is is critical to accurate budgeting and product selection.

Productivity Impact:
  • There have been concerns that NAC might keep legitimate users from doing their jobs - and add work for IT. These concerns may be unfounded given the opportunity for productivity enhancements, e.g. allowing infected systems to be quarantined and remediated in an automated fashion.

Interoperability, Frameworks & Standards:
  • In spite of there being numerous proprietary methodologies in place, there are a number of "common" enforcement techniques, as this article explains well.

Suggestions for NAC consideration:
  • Measure twice, cut once: plan, plan, plan first - this is critical to success. Understand exactly what you'd like to accomplish.
  • Choosing a NAC vendor is largely dependent on the primary issue you want to address, since vendors now tend to be either good at posture assessment, quarantine, remediation and ongoing threat assessment, or at identity-based policy enforcement - but not both. If you're like most respondents, you want it all - in which case you may want to wait until best-of-breed solutions emerge.
  • Set expectations with senior management: the ROI on NAC is difficult to quantify - but it is regarded by those who have implemented NAC as worthwhile.
  • Evaluate impacts to existing infrastructure.

Friday, June 15, 2007

Security & Health Care-Enter the Privacy Commissioner

A recent security breach at a clinic in Sudbury has prompted a flurry of activity from the province's Privacy Commissioner, Ann Cavoukian. Evidently, an unsecured wireless access point allowed someone driving by to pick up the signal from a feed used to monitor methadone addicts while they were in the clinic's washroom.

While they did have consent to conduct this monitoring - they did not have consent to broadcast it out to the world. Wireless and wired networks need to be secured. The principles and philosophies behind securing both are exactly the same.

The incident has prompted the commissioner to issue a fact sheet illustrating the precautions to be taken when implementing and utilizing wireless networking technologies. Good advice for us all.

I would however like to take issue with one comment in the article made by Ms. Cavoukian:

"I don't expect that level of tech expertise on the part of healthcare providers," the Privacy Commissioner said. "But it's got to be incumbent on people who provide this technology to tell their customers how insecure such wireless surveillance systems can be."

Let's see here: our Privacy Commissioner is sending the direct message that the organizations in possession of highly private information are not responsible for securing it; their providers are. Hmmm.....I see. Shame on you Ms. Cavoukian, in my humble opinion, this is exactly the opposite of the message we should be sending.

Work Force? What Work Force?

There has been significant press over the past few years about declining labour rates as a result of reduced fertility rates and an aging population in Canada. This article puts a pretty fine point on the extent of the issue and what we might expect in future.

The repercussions can be significant and affect many aspects of a company's ability to conduct business. From servicing customers and order entry to I.T. management, shortages can have major impacts. The business case to start thinking about this looms large:

  1. What employee retention strategies are in place? Are there plans to change? This article provides an excellent overview of what companies are and are not doing in regards to recruitment and retention strategies.
  2. How do you plan on adapting recruitment practices to adjust to changing circumstances?
  3. How does your organization plan on augmenting skills gaps where talent cannot be readily found?

Outsourcing is one major consideration that has received much attention over the years. Offloading "non-core" competencies sounds great in theory - but history has shown that outsourcing is fraught with peril if not approached pragmatically. Here are a few things to consider before deciding whether outsourcing is right for you:

  1. Is the process under consideration for outsourcing easily extractable from the organization? An example of "easily extractable" is payroll processing.
  2. Is your company experiencing a skills shortage now? Has this resulted in service deficiencies?
  3. Is there a plan to better use internal resources to achieve business objectives?
  4. Are current costs and service levels well understood?
  5. Is there an opportunity to add value beyond just dollars and cents? (improved employee and customer experiences, etc.)
  6. Does everyone involved understand how outsourcing can improve the organization's performance and their roles in the new arrangement?

While outsourcing will prove to be a viable strategy to address skills shortages now and into the future, it will never be a panacea for all that ails. This is especially true if organizations do not consider the fine tactical details of the approach. After all, as they say, the devil is in the details.

Innovation in 2-Factor Authentication, Finally...

Implementing strong authentication just got much more affordable. A new company on the scene called TriCipher just announced the introduction of a USB authentication device capable of authenticating to multiple sources (say, for example, multiple banks if you are a consumer) - for around $2 - $3 per device. Incumbents such as Vasco and RSA have been accused of lethargy in this space, offering little in the way of innovation to improve cost competitiveness. In fact, in the last 10 years - a dog's age in the technology space - the price and basic capabilities of the hardware token have changed very little.

This move by TriCipher will bring much better authentication methods, and therefore much stronger security capabilities, within reach of the small and medium-sized business owner. Weak passwords have long been criticized as the bane of the security practitioner's existence. Hopefully, we will see more and more organizations addressing authentication deficiencies and moving one step closer towards a best-practices approach to securing their company's critical information.

Thursday, June 14, 2007

SonicWall Acquires Aventail

SSL VPN provider Aventail was acquired by SonicWall yesterday. SonicWall has been a well-known force in the mid-range firewall market (predominantly SMB and retail). Firewall vendors have been struggling to add capabilities as new entrants and approaches have increased competition in the space. Vendors such as Fortinet have come to market with appliances that combine multiple security capabilities - appliance-based anti-virus, intrusion prevention, firewall, VPN, content filtering and traffic shaping - creating the so-called UTM space.

The security industry seems poised for a new round of consolidation after a period of inactivity. Watch for more announcements to come.

BotNet Armies Uncovered

It's disturbing to know that the FBI recently uncovered over 1 million computer systems under the control of botnet operators. Even more disturbing is that these are only the systems that:

1. Have been found - surely there are many more.
2. Are located in the U.S. - certainly a small proportion of the amassed botnet armies worldwide.

For the average citizen and small / medium-sized company, the threat of being on the receiving end of a botnet attack is small - unless, of course, you are in the public forum, particularly a controversial one. However, as this article points out, citizens, and anyone who owns a network for that matter, must be diligent about protecting their systems from being compromised - and exacerbating the problem.

How you ask? Following network and security management best practices is a start. From a high level, here is how such a process might work:

1. Assess: the world around us changes constantly and so must our protection mechanisms. Continuous efforts to identify and assess the risk of new and existing threats leads us to an understanding of what needs to change and why.

2. Be Proactive: constantly assessing what is going on around us is a good first step. It is also 'best practice' to: (a) apply preventative maintenance measures to reduce the threat of exploitation; (b) monitor the network for unusual activity so that reactive measures can be taken immediately at the first sign of trouble.

3. Continuous Improvement & Change Management: by instituting a process that forces us to plan changes to our network we are able to make sure that security is taken into consideration early on. Secondly, the information we glean from monitoring and maintaining the network enables us to identify potential issues that might later cause grief - and address them ahead of time.

There is one additional benefit to following this approach: it costs less in the long run! Unnecessary downtime, lost productivity, emergency service calls and unplanned capital expenditures can all be reduced or eliminated leading to much improved returns on IT capital investments - not to mention less gray hair and aggravation.

Wednesday, June 13, 2007

Securing Web Applications: An Overview

As this article implies, organizations are increasingly being attacked via web applications. This trend is expected to proliferate as organizations both:

1. Deploy increasing numbers of web applications (especially customer apps).

2. Deploy extensive network based security mechanisms (IPS, firewalls, Anti-Virus, etc.) - ensuring the path of least resistance will no longer be your network - but rather web applications themselves.

What are the specific and most notable threats to our Web Applications? There is a well respected organization called OWASP that has for many years been a leader in bringing these issues to light.

There are a number of options to addressing these threats:

1. Better Coding Practices / Code Review Processes
2. Layer 7 Protection Mechanisms to Block Web Exploits entirely.
3. Don't deploy web applications!

The remainder of this post will address the second option. Web Application Firewalls have been around since early 2000 - 2001, when Teros, Magnifire and other start-up companies began introducing products. As in any nascent industry, understanding exactly what the products do, and how they do it, is difficult. There are signs that the market is maturing though, as this overview by the Burton Group suggests.

This article by Network Computing offers an excellent overview of how web application firewalls work, how web application firewall architectures vary and what the ramifications are from an implementation perspective.

Another article from Network Computing evaluates various players in the space, from F5 Networks to SecureSphere and NetContinuum. It offers good insight into the relative strengths and weaknesses of each approach.

This article by the Web Application Security Consortium offers good insight into how to evaluate web application firewall products & vendors.

Lastly, an interesting consideration is that ICSA Labs has only certified two players in this space: F5 Networks and Citrix Systems. This is a copy of the document describing the criteria that have been applied in evaluating products for certification.

There is no question that web application firewalls will play an increasingly important role in securing our environments. I hope this post provides some good insight into how to proceed with a project of this nature.

Please let us know if there is something else you'd like to discuss on this issue. Feedback is welcome.

Quick Ref: Identity Management Solution Components

Identity Management Components

Virtual Directories: A Discussion - What is it? Who supplies it? Who needs it?

Network Access Control: A Dissertation

How does NAC fit in? What are the key considerations? What is the framework? What are the risks, what are the potential benefits?

I.T. Automation: Identity Management Overview

Identity Management has received much - mostly bad - press over the past several years. It is not something to be taken lightly to be sure - and promises many benefits if implemented correctly. Potential benefits include:

  • improvements in security and cost reductions by automating the activities associated with provisioning / deprovisioning
  • improvements in security by reducing the number of passwords users have to remember across multiple applications
  • improved help desk efficiency by automating password reset activities

While these benefits can be significant to many an organization, we must keep in mind, as this article points out, that "there are many dead bodies along this highway". Identity Management initiatives are not to be taken lightly, to be sure. They often require multi-disciplinary teams comprised of members of the I.T., Security and Human Resources departments - to name a few.

This article by Network Computing is an excellent dissertation on the key issues, benefits and risks associated with Identity Management options.

What is your opinion? Please feel free to share your stories (both successes and failures) - as you are in a position to help others not make the same mistakes...

Tuesday, June 12, 2007

Identity Theft in Florida

Most of us who read the latest in security news heard about this high-profile breach a number of months ago. Great that they tracked down the offenders, but do you think TJX is feeling better about it? Doubt it.

TJX Security Breach

The CIO's Role is Evolving

The CIO's Role is Ramping up...

Good article on what role today's and tomorrow's I.T. leaders will be expected to play.

Does there remain a dearth of I.T. leaders in executive positions with business acumen?

Web Exploit

http://www.darkreading.com/document.asp?doc_id=126169&WT.svl=news1_4

Yet another university has been hit in the U.S. for identity theft. Increasingly, attackers are moving up the stack and going after web applications.

Monday, June 11, 2007

Welcome


Welcomes you. Please feel free to leave your comments about how we can make this resource more useful and relevant. Or, if you cannot find the answers you are looking for, feel free to blow off some steam and leave a rant on our wall. I know it will make you feel better.

Excellent Source of Best Practices Information

http://www.sans.org/

Good Network Management Posts & Links

http://www.networkcmdb.com/category/value-added-resellers/