Software Associates specializes in helping medical device and healthcare vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments.

The first question any customer asks us regarding HIPAA compliance is how little he can spend. Not how much he should spend. This means we need simple and practical strategies to reduce the risk of data breaches.

There are 2 simple strategies to reduce the risk of data breach, one is technical, one is management:

1. Use real time detection of security events to  directly protect your customers. 
2. Build your security portfolio around specific threat scenarios (e.g a malicious employee stealing IP, a business partner obtaining access to confidential commercial information, a software update exposing PHI etc…) and use the threat scenarios to drive your service and product acquisition process.

Use real-time detection to directly protect your customers

Systems like ERM, SIM and Enterprise information protection are enterprise software applications that serve the back-office business of security delivery; things like log analysis and saving on regulatory documentation. Most of these systems excel at gathering and searching large volumes of data while providing little evidence as to the value of the data or feedback into improving the effectiveness of the current security portfolio.

Enterprise IT security capabilities do not have  a direct relationship with improving customer security and privacy even if they do make the security management process more effective.

This not a technology challenge but a conceptual challenge: It is impossible to achieve a meaningful machine analysis of  security event data in order to improve customer security and privacy using data that was uncertain to begin with, and not collected and validated using standardized evidence-based methods

Instead of log analysis we recommend real-time detection of events. Historical data in  log files  has little intrinsic value in the here-and-now process of event response and mediation.

1. Use DLP (data loss prevention) and monitor key digital assets such as credit cards and PHI for unauthorized outbound transfer.  In plain language – if you detect credit cards or PHI in plain text traversing your network perimeter or removable devices, then you have just detected a data breach in real time, far cheaper and faster than mulling through your log files after discovering 3 months later that a Saudi hacker stole 14,000 credit cards from an unpatched server.
2. Use your customers as early warning sensors for exploits. Provide a human 24×7 hotline that answers on the 3d ring for any customer who thinks they have been phished or had their credit card or medical data breached.  Don’t put this service in the general message queue and never close the service.   Most security breaches become known to a customer when they are not at work.

Build your security portfolio around specific threat scenarios

Building your security portfolio around most likely threat scenarios makes sense.

Nonetheless, current best practices are built around compliance checklists (PCI DSS 2.0, HIPAA security rule, NIST 800 etc…) instead of most likely threat scenarios.

PCI DSS 2.0 has an obsessive preoccupation with anti-virus.  It does not matter if you have a 16 quad-core Linux database server that is not attached the Internet with no removable device nor Windows connectivity. PCI DSS 2.0 wants you to install ClamAV and open the server up to the Internet for the daily anti-virus signature updates. This is an example of a compliance control item that is not rooted in a probable threat scenario.

When we audit a customer for HIPAA compliance or perform a software security assessment of an innovative medical device, we think in terms of “threat scenarios”, and the result of that thinking manifests itself in planning, penetration testing, security countermeasures, and follow-up for compliance.

In current regulatory compliance based systems like PCI DSS or HIPAA, when an auditor records an encounter with the customer, he records the planning, penetration testing, controls, and follow-up, not under a threat scenario, but under a control item (like access control). The next auditor that reviews the  compliance posture of the business  needs to read about the planning, testing, controls, and follow-up and then reverse-engineer the process to arrive at which threats are exploiting which vulnerabilities.

Other actors such as government agencies (DHS for example) and security researchers go through the same process. They all have their own methods of churning through the planning, test results, controls, and follow-up, to reverse-engineer the data in order to arrive at which threats are exploiting which vulnerabilities

This ongoing process of “reverse-engineering” is the root cause for a series of additional problems:

• Lack of overview of the the security threats and vulnerabilities that really count
• No sufficient connection to best practice security controls, no indication on which controls to follow or which have been followed
• No connection between controls and security events, except circumstantial
• No ability to detect and warn for negative interactions between countermeasures (for example – configuring a firewall that blocks Internet access but also blocks operating system updates and enables malicious insiders or outsiders to back-door into the systems from inside the network and compromise  firewalled services).
• No archiving or demoting of less important and solved threat scenarios (since the data models are control based)
• Lack of overview of security status of a particular business, only a series of historical observations disclosed or not disclosed.  Is Bank of America getting better at data security or worse?
• An excess of event data that cannot possibly be read by the security and risk analyst at every encounter
• Confidentiality and privacy borders are hard to define since the border definitions are networks, systems and applications not confidentiality and privacy.

Get  PTA ( Practical Threat Analysis) Professional software from our colleagues at Practical Threat Analysis Technologies totally free for one year. After the year is up, just drop them an email, and you’ll get a free license renewal.

When you perform risk assessment with the popular PTA (Practical Threat Analysis) modeling tool, you’re not only joining  thousands of security analysts all over the world who use PTA Professional in their risk and compliance practice, you all also get great software and valuable benefits.

You can perform an unlimited number of quantitative risk assessments for an unlimited number of clients  with their business assets and their  threat scenarios. Download the  free risk assessment software and while you’re at it –  download  the Software Associates Practical Threat Analysis library for ISO 27001 

• It’s quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
• It’s robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
• It’s versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
• It’s effective: helps determine the most effective security countermeasures and their order of implementation, saving you money.
• It’s databased: based on a robust threat data model with the 4 dimensions of threats, assets, vulnerabilities and countermeasures
• It’s management level: with a few clicks, you can product VaR reports and be a peer in the boardroom instead of staffer waiting in the hall.

This article presents a systematic method for selecting and cost-justifying data security technology to protect  intellectual property theft and abuse.

The original presentation was given at the October 2, 2009 DLP-Expert Russia meeting in Istra (just outside of Moscow)

Click here to download the presentation

In April President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC) which charts a course for the public and private sectors to collaborate on raising the level of trust associated with identity in online transactions.

NSTIC focuses on upgrading outdated password-based authentication systems and reducing the barriers associated with identity proofing and deployment of strong credentials, while also enabling end-users to have more control over when and what information they disclose in a range of transactions.

Could someone please translate this for me?

How is giving an end-user more control over information disclosure is going to mitigate the risk of data breaches when over 300 million credit cards have already been breached?

What about online merchants vulnerabilities and better data security countermeasures for online Web services?

Will PCI DSS discover Data loss prevention technology anytime in the next decade?

Where  I come from, that’s called shutting the barn-door after the horses have flown.

However – there is an important class of small business operations that is often overlooked when it comes to information security and is the technology startup.   A high tech startup is an SME by all definitions – usually less than 50 employees but it doesn’t buy and sell and neither does it provide professional services.   Unlike other small businesses, a high tech startup is almost purely focussed on product research and development. Almost all startups have a very high percentage of software development. Even if the startup develops hardware – there is still a strong software development focus.

Intuitively – one would say that a primary concern for a startup is IP (intellectual property) protection and that starts with protecting source code.

Counter-intuitively this is not true. There are two basic reasons why source code leakage is not necessarily a major threat to a startup:

1) If the startup uses FOSS (free open source software), there is nothing to hide.  This is not strictly speaking correct – since the actual application developed using FOSS has immense value to the startup and may often involve proprietary closed  source code as well.

2) A more significant reason that source code leakage is of secondary importance is that a startup IP is invariably based on a combination of three components:    Domain expertise, implementation know-how and the implementation itself (the software source code).   The first two factors – domain expertise and  implementation know-how are crucial to successful execution.

The question of how to protect IP still remains on the table but it now is reshaped into a more specific question of how best to prioritize security countermeasures to protect the startup’s domain expertise and  implementation know-how.  Prioritization is of crucial importance here, since startups by definition do not generate revenue and have little money to spend on luxuries like data loss prevention (DLP ) technologies.

Software Associates works exclusively with technology and medical device developers and I’d like to suggest a few simple guidelines for getting the most security for your money:

The startup management needs to know how much their information security measures will cost and how it helps them run the business. Business Threat Modeling (TM) is a practical way for a manager to assess the operational risk for the startup in dollars and cents. The advantages of the business threat modeling methodology are:

These are similar objectives to GRC (Governance, risk and compliance) systems.

The problem with most GRC (governance, risk and compliance) and ERM (enterprise risk management) systems is that they don’t calculate risk, they make you work hard and they’re not that easy to use.

Startup management needs a simple security management approach that they can deploy themselves, perhaps assisted with some professional consulting to help them get started and get a good feel for their exposure to security and compliance issues.

How does a practical security management methodology like this work? Well – it works by using common language of threat modeling.

You own assets – for example, expensive diamond jewelry stored at home. These assets have a dollar value.

Your asset has vulnerabilities – since you live on the ground floor and your friendly German Shepherd knows where the bedroom is and will happily show anyone around the house.

The key threat to the asset is that an attacker may break in through the ground floor windows.

The countermeasures are bars for the windows, an alarm system and training your dog to be a bit less friendly around strangers with ski-masks.

Using countermeasure costs, asset value, threat probability of occurrence and damage levels, we calculate Value at Risk in financial terms, and propose an prioritized, cost-effective risk mitigation plan.

That’s it – adopt a language with 4 words and you’re on a good start to practical security management for your high tech startup.

Courtesy of my friend Alan Norquist from Veriphyr

Information and Privacy Commissioner Ann Cavoukian ordered a Hospital in Ottawa to tighten rules on electronic personal health information (ePHI) due to the hospital’s failure to comply with the Personal Health Information Protection Act (PHIPA).

“The actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective.” – Information and Privacy Commissioner Ann Cavoukian

The problem began when one of the hospital’s diagnostic imaging technologists accessed the medical records of her ex-husband’s girlfriend. At the time of the snooping, the girlfriend was at the hospital being treated for a miscarriage.

Commissioner Cavoukian faulted the hospital for:

• Failing to inform the victim of any disciplinary action against the perpetrator.
• Not reporting the breach to the appropriate professional regulatory college.
• Not following up with an investigation to determine if policy changes were required.

“The aggrieved individual has the right to a complete accounting of what has occurred. In many cases, the aggrieved parties will not find closure … unless all the details of the investigation have been disclosed.” – Information and Privacy Commissioner Ann Cavoukian

It was not the hospital but the victim who instigated an investigation. The hospital determined that the diagnostic imaging technologists had accessed the victim’s medical files six times over 10 months.

The information inapprorpriately accessed included “doctors’ and nurses’ notes and reports, diagnostic imaging, laboratory results, the health number of the complainant, contact details … and scheduled medical appointments.” – Information and Privacy Commissioner Report

Sources: 
(a) Privacy czar orders Ottawa Hospital to tighten rules on personal information - Ottawa Citizen, January, 2011

al-Qaeda operates as a network comprising both a multinational, stateless army and a radical SunniMuslim movement calling for global Jihad…Characteristic techniques include suicide attacks and simultaneous bombings of different targets…beliefs include that a Christian-Jewish alliance is conspiring to destroy Islam,  embodied in theU.S.-Israel alliance, and that the killing of bystanders and civilians is religiously justified in jihad. (From Wikipedia)

William Lynn is the same official at the US Department of Defense who doesn’t believe in offensive measures to combat cyber terror. In his article several months ago in Foreign Affairs Lynn claims:

Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.

Let’s see if we can connect the dots.

1. Who is the attacker?

Lynn has just reiterated that the Obama administration officially considers al-Qaeda a threat to the US, markedly ignoring the Muslim Brotherhood – since the US considers the Muslim Brotherhood a secular, democratic political organization.  Neither is Mr. Lynn concerned with other Islamic terror groups like Hamas or the PLO.

2. What are the best security countermeasures against the attack?
Despite believing in good cyber security defenses, Mr Lynn does not offer any security countermeasures against al-Qaeda deploying Stuxnet and falls back on the American shoe bomber security philosophy, considering yesterday’s attack, not tomorrow’s attack. This is the same security management strategy that resulted in millions of airline passengers taking off their shoes in a fruitless, ineffective security countermeasure against a one-time, one in a million attack.

3. Is Stuxnet a cost-effective attack against the great Satan?
Of course – al-Qaeda might deploy Stuxnet against US critical national infrastructures but then again it might be cheaper and more effective for a Muslim terror organization to do something different – like use Facebook to make friends with a DC college student, make a date with her in Manhattan and have her ride the Red Line to Reagan Airport in DC, go through the non-security measures there, not get profiled and use a text message to a bomb in her bag to blow up in the line of people taking off their shoes, killing 20-30 civilians and taking down the US transportation infrastructure for the day.

4. Is the Obama administration more concerned with media exposure than with combating Islamic cyber terror?

Director of National Intelligence James Clapper told a House panel. al-Qaeda appears more focused on making inroads to unsuspecting Muslim youth through social media. Is Mr Clapper speaking with Mr Lynn, or is the Obama administration making the same mistake that the Bush and Clinton administrations made where the CIA collects intelligence, the DOD defends, the FBI investigates civilian crimes but no one connects the dots?

As I wrote in April 2009 about the Obama cyber security policy review, I was reminded of Melissa Hathaway’s 2009 speech to the RSA Security conference which featured a few cute gems like this one:

“….Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.“.

Ms. Hathaway’s perspective on security appears to be influenced by the movies, which is consistent with President Obama, who thinks he’s living in an episode of “The West Wing“.

As I wrote back in April 2009 – I thought we should wait 6 months after the report is made public and see how many cost-effective security countermeasures the government Cyberspace security task force has produced.

Less than 6 months later, Ms. Hathaway resigned. People familiar with the matter said Ms. Hathaway had been “spinning her wheels” in the White House, where the president’s economic advisers sought to marginalize her politically. (See Siobhan Gorman’s Wall Street Journal piece from August 2009. Gorman covers national intelligence issues at WSJ and has written stories exposing the NSA’s computer problems—including those in its multibillion-dollar Trailblazer program aimed at identifying electronic data crucial to the nation’s safety).

The owner and CEO of one of our customers (a rapidly growing regional airline) was a larger than life figure who kept chilled Finlandia vodka in a mini-freezer in his office and liked to tell stories. One day he told me a story. He said – “Danny, there are two kinds of consultants, good consultants and bad consultants. You ask them what time it is. The good consultant will look at your watch and say it’s 9:30, take his fee and leave. The bad consultant will tell you it’s 9:30, steal your watch and run with the money”.