Category Archives: Physical security

safeguard your head office small business

4 steps to small business security

Software Associates specializes in security and compliance for biomed. Many of our biomed clients are small 3-10 person startups working out of a small office, having neither the IT budget nor the IT best practices to take care of their own network.

According to the latest statistics from the FBI in their annual Uniform Crime Report, one burglary occurs in the U.S. every 14.4 seconds. As bad as it is to be the victim of a burglary, when you have a home office or small business, the effects can bring your operation to a standstill as you try to reorganize your affairs.

Here are four things you can do to protect your small business systems:

1. Physical security – install an alarm system

Adding an alarm system is an effective way to protect your office from a break-in. How do you find a reputable service provider for a security system for your home office/small business office?

According to SecurityCompanies.com, a comparison shopping resource for alarm systems, there are over 5,000 home security providers in the U.S. market. That’s a lot – and you will need to do a little research and preparation before you start.

Try Google Local – a Google search for alarm systems will usually pop-up a number of providers in your neighborhood with their phone numbers.

After you have a list of 3 home security providers – prepare a checklist before making the calls. When you call a home security provider you should get answers to these 6 questions:

  • Do you want a hard-wired system or a wireless one?
  • Do you need professional monitoring or would you prefer a sensor-activated system?
  • How big is your home?
  • Do you want advanced features like home automation?
  • Do you need remote access?
  • Will you be installing security cameras as well?

After getting satisfactory answers – ask for references (recent ones) and guaranteed service levels – if the alarm goes off when you’re on vacation, what are your options?

2.  Network security – being a good neighbor and assuring your bandwidth

Working on an open wireless network lets other people connect to it.

This has an upside and downside.

The upside of an open wireless router is that it’s a good-neighbor policy. If a passer-by asked you for a glass of water, you would gladly offer them one. The risk of having sensitive business information stolen or other private information compromised from your home office/small business office network by a casual surfer is practically zero – there are far more interesting targets for drive-by attacks than your small office.

The downside of an open router is assuring bandwidth. Guests and neighbors can dramatically slow down your Internet connection. If bandwidth and fast response time are really important to you – protect your wireless network with a personal password and share it selectively with friends and colleagues.

Do you regularly have clients over, or other guests, who need access to your Internet connection? Set up a separate network for guests, protecting it with a unique password that you can share with guests.

3.  Access security – protecting passwords

With so many online services requiring you to enter strong passwords – it is hard to remember the passwords to your own network and small office server. Having said that – the last thing you want is to use the same Google password and/or Facebook password for your small business. That is a really bad idea because if someone hacks your office password – their first attack will be on your Google and Facebook services.

You can try a password generator program to generate unique passwords that are nearly impossible to hack. Top-rated programs include – KeePass, Sxipper and RoboForm & Data Vault.

Another equally good option is to use phonetic passwords that you can easily remember with combinations of letters and numbers – like Xcntu8B4F6g (Accentuate before fixing)

4. Data security –  develop and implement a backup protocol

How often do you back up your files? Once a day? Weekly or monthly?

Having your computer stolen isn’t your only risk.

While modern hardware is very reliable, it’s not perfect and even the most expensive, dependable computers can crash without any warning. Even a faulty motherboard can cause disk corruption.

To protect yourself from the panic and anxiety of losing your work, make a plan to back up your work at the end of each work day. Save files to a free cloud-based storage system, like DropBox, or use a removable hard drive. If using a removable hard drive, be sure to store it in a different area of your home, out of the office, to prevent theft. If any harm should come to your computer in a fire or other natural disaster, you will want your hard drive to be stored in a separate location that is out of harm’s way.

Tell your friends and colleagues about us. Thanks!
Share this

Treat passwords like cash

How much personal technology do you carry around when you travel? Do you use one of those carry-on bags with your notebook computer on top of the carry-on?

A friend who is a commercial pilot had his bag swiped literally behind his back while waiting in line to check in to a 4 star Paris hotel. The hotel security cameras show the thief moving quickly behind his back, quietly taking the bag and calmly walking off.

Is your user password 123456?

The Wharton School at UPenn recently posted an article – is your password 123456?

As the article notes – “Hack attacks have recently hit government agencies, news sites and retailers ranging from the U.S. Justice Department and Gawker to Sony and Lockheed Martin, as hackers become more sophisticated in their ability to steal customers’ identities and personal information.”

But, you don’t need sophisticated hack attacks to know that many people use simple minded passwords like 123456 and thieves use simple techniques like grab and run.

So – why don’t we all use strong passwords?

Every Web site and business application you use has a different algorithm and password policy. For users, who need to maintain strong passwords using 25 different policies on 25 different systems and web sites, it’s impossible to maintain a strong password policy without making some compromises.

The biggest vulnerability is using your corporate password on an online porn site: adult sites are routinely subject to attack, and the cheesier, more marginal adult sites (mind you, we’re not talking Penthouse.com or Playboy.com, perish the thought) are frequently unwitting malware distribution platforms.

Here are 5 rules for safe password management:

  1. Use technical aids to manage your passwords. Consider using KeePass password management.
  2. Match password strength to asset value. In other words – use a complex combination of letters and numbers for online banking and a simple, easy to remember password for Superball news.
  3. Don’t reuse. Don’t use the same strong password on more than one site.
  4. Make passwords easy to remember but hard to guess. Adopt mnemonics – like 4Tshun KukZ – that you can remember.
  5. Maintain physical security of your passwords. Treat your passwords like you treat the cash in your wallet. If you have to write passwords down, put them on a piece of paper in your wallet and treat that piece of paper like a $100 bill – make sure you don’t lose that wallet.



Ehud Barak, information leaks and political activism

What do Anat Kamm, Ehud Barak and Meir Dagan have in common?

Ehud Barak is the current Israeli Minister of Defense, former IDF Chief of Staff and former Prime Minister who led the disastrous withdrawal from Lebanon that fomented Intifada II and then Lebanese War II. Barak is famous for quotes like “If I was a Palestinian, I would also be a suicide bomber” or “If I was an Iranian, I would also build nuclear weapons”.

During her military service as an assistant in the Central Command bureau, Anat Kamm secretly copied over 2,000 classified documents to a CD and leaked them to the Israeli Haaretz journalist Uri Blau. Kamm was recently convicted of espionage and leaking confidential information without authorization and sentenced to 4.5 years in prison after a plea bargain.

Former Mossad chief Meir Dagan has recently voiced unrestrained criticism of the current administration’s defense policy in the service of his political activism; criticism which is supposedly based on his inside knowledge from the Mossad.

Meir Dagan, together with Gen. Gabi Ashkenazi (former chief of staff), Gen. Amos Yadlin (former head of military intelligence), and Yuval Diskin (former head of Shin Bet), opposed an attack on Iran. While in office (they all retired between November 2010 and May 2011), the Gang of Four successfully blocked attempts by Netanyahu and Barak to move forward on the military option.

Of the four, only Dagan has spoken openly, after leaving office, about what he considers to be the folly of an attack on Iran, and has openly criticized Netanyahu and Barak for irresponsibly pushing Israel into an unnecessary war, relying on his former position of responsibility as chief of intelligence as if implying that what he said must be true.

It was unclear why Dagan would speak of plans best left undisclosed. Unclear, at least until last week, when Dagan announced his plans for a movement to change the method of Israeli government, leaving his options to enter politics in the future open.

I wish Dagan luck. I’m not happy with his way of publicizing his political activism at the risk of treading the thin line of information leak. It places him on the same slippery slope as Anat Kamm, who lamely attempted to justify her actions as an act of political protest.

In comparison with Dagan, Barak is circumspect (despite his unfortunate quotes and bad decisions).

Barak was asked about the possibility of making a decision on attacking Iran in the Israeli daily Ha’aretz.

In my various posts I’ve already seen all the possible permutations, as long as one thing remains constant: the role of the military is to prepare the plans. It is important that the political echelon listen very carefully to what the operational and intelligence echelons have to say, but at the end it is the political echelon that has the responsibility for the decision.
More here on Israeli defense minister Ehud Barak on Iran, U.S., and war

Raising the level of trust associated with identity in online transactions

Obama’s National Strategy for Trusted Identities in Cyberspace

In April President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC) which charts a course for the public and private sectors to collaborate on raising the level of trust associated with identity in online transactions.

NSTIC focuses on upgrading outdated password-based authentication systems and reducing the barriers associated with identity proofing and deployment of strong credentials, while also enabling end-users to have more control over when and what information they disclose in a range of transactions.

Could someone please translate this for me?

How is giving an end-user more control over information disclosure going to mitigate the risk of data breaches when over 300 million credit cards have already been breached?

What about online merchants’ vulnerabilities and better data security countermeasures for online Web services?

Will PCI DSS discover Data loss prevention technology anytime in the next decade?

Where I come from, that’s called shutting the barn-door after the horses have flown.


Why Microsoft Windows is a bad idea for medical devices

I’m getting some push back on LinkedIn on my articles on banning Microsoft Windows from medical devices that are installed in hospitals – read more about why Windows is a bad idea for medical devices here and here.

Scott Caldwell tells us that the FDA doesn’t rule “out” or “in” any particular technology, including Windows Embedded.

Having said that, Microsoft has very clear language in their EULA regarding the use of Windows Embedded products:

“The Products are not fault-tolerant and are not designed, manufactured or intended for any use requiring fail-safe performance in which the failure of a Product could lead to death, serious personal injury, severe physical or environmental damage (“High Risk Activities”).”

Medical device vendors that use Windows operating systems for less critical devices, or for the user interface, are actually increasing the threat surface for a hospital, since any Windows host can be a carrier of malware that can take down the entire hospital network, regardless of its primary mission function, be it a user-friendly UI at a nursing station or an intensive care monitor at the bedside.

Medical device vendors that use Microsoft IT systems management “best-practices” often take the approach of “bolting-on” third party solutions for anti-virus and software distribution instead of developing robust, secure software, “from the ground up” with a secure design, threat analysis, software security assessment and secure software implementation.

Installing third-party security solutions that need to be updated in the field may be inapplicable to an embedded medical device, as the MDA (Medical Device Amendments of 1976) clearly states:

These devices may enter the market only if the FDA reviews their design, labeling, and manufacturing specifications and determines that those specifications provide a reasonable assurance of safety and effectiveness. Manufacturers may not make changes to such devices that would affect safety or effectiveness unless they first seek and obtain permission from the FDA.

It’s common knowledge that medical device technicians use USB flash drives and notebook computers to update medical devices in the hospital. Given that USB devices and Windows computers are notoriously vulnerable to viruses and malware, there is a reasonable threat that a field update may infect the Windows-based medical device. If the medical device is isolated from the rest of the hospital network, then the damage is localized, but if the medical device is networked to an entire segment, then all other Windows based computers on that segment may be infected as well – propagating to the rest of the hospital in a cascade attack.

It’s better to get the software security right than to try and bolt in security after the implementation. Imagine that you had to buy the brakes for a new car and install them yourself after you got that bright new Lexus.

It is not unusual for medical device vendors to fall victim to the same Microsoft marketing messages used with enterprise IT customers – “lower development costs, and faster time to market” – when in fact, Windows is so complex and vulnerable that the smallest issue may take a vendor months to solve. For example – try and get Windows XP to load the wireless driver without the shell. Things that may take months to research and resolve in Windows are often easily solved in Linux with some expertise and a few days work. That’s why you have professional medical device software security specialists like Software Associates.

With Windows, you get an application up and running quickly, but it is never as reliable and secure as you need.

With Linux, you need expertise to get up and running, and once it works, it will be as reliable and secure as you want.

Yves Rutschle says that outlawing Microsoft Windows from medical devices in hospitals sounds too vendor-dependant to be healthy (sic). (Seems to me that this would make the medical device industry LESS vendor-dependent, not more vendor-dependent, considering the number of embedded Linux options out there.)

Yves suggests that instead, the FDA should create a “proper medical device certification cycle. If you lack inspiration, ask the FAA how they do it, and maybe make the manufacturers financially responsible for any software failure impact, including death of a patient”. (The FDA does not certify medical devices, they grant pre-market approval).

I like a free market approach but consider this:

(Held) The MDA’s pre-emption clause bars common-law claims challenging the safety or effectiveness of a medical device marketed in a form that received premarket approval from the FDA. Pp. 8–17.

Maybe the FDA should learn from the FAA but in the meantime, it seems to me if the FDA pre-market validation process had an item requiring a suitable operating system EULA, that would pretty much solve the problem.


Night walking on the freeway

Ian Fleming once remarked how American road signs were so sexy – “winding curves” and “soft shoulders”.

I was thinking of Ian Fleming while taking an unexpected 5K walk at night on the shoulder of a 6-lane freeway.

Last night I was driving my daughter’s car on Route 6. There was a leak in the water pump, the engine overheated and I stopped by the side of the road and called a tow.

Visualize. Route 6 South, 2km before the Kfar Daniel interchange. 7pm at night.

The tow company (Derachim) told me – up to 3 hours plus a 60 sheqel surcharge for service on Route 6 – they asked me how I would like to pay and I said “cash”. After 1 1/2 hours the tow shows up, takes the car and instead of taking the car (and me) to our garage in Shilat, he left me by the roadside and drove off “to pick up another car in Rishon”. I started walking; after a brisk 5 km hike I got a ride from a woman who had stopped by the side to change her shoes. I got my wife on the horn and we rendezvoused at the gas station at Latrun.

The icing on the cake was a series of phone messages on my cell from the tow company at 11:30 pm, saying that they understood I was supposed to pay the Route 6 surcharge by credit card.


Jennifer Lopez Joins the Fight Against Pertussis

Help protect your baby by protecting yourself. Our daughter and son-in-law stayed with us over the weekend recently – listening to one of the babies cough, I realized that there is a lot more to life than enterprise information protection and cost-effective data loss prevention.


Swine flu and social networking

It just occurred to me – as our partner in Poland was getting ready to drive from Warsaw to Łęczyca for a sales call – that novel H1N1 (swine flu) and seasonal influenza are a great reason to use social media and Web conferencing for customer contacts, sales and support, and reduce physical contact and risk of exposure.


The threat behind the House Tri-Committee Bill on Health Care

Federal Healthcare Chart

Don’t ask me why, but I was invited to (and joined) the Pakistan Networkers group on LinkedIn. I see all kinds of cool job opportunities in the Emirates which I can’t really take but the traffic is interesting.

I saw this picture in a post today from the Pakistan Networkers group. It graphically describes the complexity of ObamaCare, the Obama health care reform bill. I then sat down and started to learn more about this proposed solution to the US health care system that will cost over a trillion dollars in the next 10 years.

The Obama Health plan and the problems the administration is currently facing getting it through Congress are second page news here in Israel (front pages this weekend in Israeli papers are how Obama and Rahm are throwing their weight around and dictating to the Jews where they can live and not live).

I started reading about the House Tri-committee Health Care bill and my eyes started popping at the cost and complexity of the proposal. I then read the response of the Mayo Clinic – Mayo Clinic’s reaction to House Tri-Committee bill and I finally realized that just like in Cyber Security and data loss prevention – the Obama administration is more interested in compliance and big government than customers and health, safety and security.

I’ve been arguing for basing data security product purchasing decisions on value at risk and the cost-effectiveness of the DLP product in reducing the value at risk of a data breach. Therefore, it is obvious to me that the notion of a value-based decision is an important cornerstone in redefining health care – see a discussion on pay for value in health care in the open letter to Congress.
