How does this work?

We evaluate your healthcare software system or medical device from an attacker point of view, then from the management team point of view, and then recommend specific detailed action steps to close the gap between your product and HIPAA security and privacy requirements. We then train your product development team based on these recommendations.

Many medical devices still run on Microsoft Windows; variants of Windows XP, Windows XP embedded and Windows server systems are not uncommon.

Being a commodity operating system, primarily designed for ease of use by end-users and application development by programmers using Visual Studio, it is not uncommon to see malware attack medical devices and healthcare information systems.

If your’e a medical device or healthtech developer using Windows platforms, one of the first action steps we recommend is to setup a security ERT (emergency response team) with a clear response plan and division of responsibilities.

The security ERT will be your first responders in the case of a data leak or malware infection.

The ERT should have a clear, well-thought and debugged procedure for removing malware.  See this excellent malware removal guide for an example.

This time it was Netvision offering me a special deal on Symantec anti-virus and a $5/month service package for virus updates.

There has been a flurry of articles  about Stuxnet in the Israeli papers, speculating on the source of the Stuxnet virus and discussing if this is the beginning of cyber war (it isn’t…).  This weekend,  I saw two articles  - one an opinion piece and the other a review of the technology for the readers of the daily news.

The best work yet on the topic of Stuxnet and Israel is an outstanding essay written by Caroline Glick in the Jerusalem Post on October 1, 2010 – here is an excerpt:

IF we assume that Stuxnet is an Israeli weapon, what does it show us about Israel’s position vis-à-vis its enemies? What Stuxnet shows is that Israel has managed to maintain its technological advantage over its enemies. And this is a great relief. Israel has survived since 1948 despite our enemies’ unmitigated desire to destroy us because we have continuously adapted our tactical advantages to stay one step ahead of them. It is this adaptive capability that has allowed Israel to win a series of one-off battles that have allowed it to survive.

But again, none of these one-off battles were strategic game-changers. None of them have fundamentally changed the strategic realities of the region. This is the case because they have neither impacted our enemies’ strategic aspiration to destroy us, nor have they mitigated Israel’s strategic vulnerabilities. It is the unchanging nature of these vulnerabilities since the dawn of modern Zionism that gives hope to our foes that they may one day win and should therefore keep fighting.

Israel has two basic strategic vulnerabilities.

The first is Israel’s geographic minuteness, which attracts invaders. The second vulnerability is Israel’s political weakness both at home and abroad, which make it impossible to fight long wars.

Some Israelis have been quick to claim that the code was not sophisticated enough or that its distribution method was too sloppy to make it a military operation.

While I do not subscribe to a theory that  Stuxnet signals the  advent of cyber-war (targeted malware has been around for over 5 years), I think it would be naive to dismiss  Stuxnet as just another virus.Underestimating threats is a third strategic vulnerability I would add to the geographic minuteness and political weakness both at home and abroad that the esteemed Ms. Glick has already mentioned.

We can only speculate on the actual intent of the Stuxnet malware – direct attacks on Iranian nuclear weapons program SCADA systems or perhaps  intelligence gathering.  It is possible that the  rapid proliferation of Stuxnet into India, Pakistan and Indonesia is indeed an act of purposeful intelligence gathering – following the trail of removable devices and network connectivity used by people from countries collaborating with the Iranian nuclear weapons program.

Maybe, maybe not. The  software developers, who  wrote the attack code and the Stuxnet architects are not giving out interviews but in truth – kernel level software development and cryptographic expertise have nothing to do with it.

Like any military operation – there needs to be motive, means and opportunity – all 3 of which point at a military operation targeted at the Iranian nuclear effort and as Sun Tzu wrote – better to run quick and dirty military operations than to wait for the consequences:

I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War)

Motive – Israeli wants to mitigate the Iranian nuclear threat.  Means – exploit software vulnerabilities in the Siemens SCADA systems (they hard code passwords and use Microsoft Windows). Opportunity – the sooner the better.

Precisely for these reasons,  and as Caroline Glick noted; Stuxnet is a one-off operation that did not have to be extremely precise – whether the mission objective was to disrupt Iranian nuclear weapons program SCADA systems or collect information.

1. Run Ubuntu
2. Get your services in the cloud
3. Practice safe computing.

Run Ubuntu on desktops and operate production and development servers in the cloud (at slicehost.com – I don’t mind giving them the free publicity because they deserve it).  Don’t install anti-virus on any of your machines.   Your  servers will be regularly attacked by various pieces of automated software anyhow, but because you will  shut down unnecessary  services and  ports and update all the time – you won’t have unscheduled downtime.   Use strong passwords and change them on an irregular basis and you will be more secure than most.

Practice safe computing:

a) Don’t go to malware-infested sites and b) never insert a foreign USB into one of the machines  and c) patch regularly

What about anti-virus?

I really don’t understand all the hoopla about anti-virus,    If it’s a personal computer (PC) and you trashed it – what difference does it make if you took your eyes off your notebook on an airport conveyor belt and it got ripped off or didn’t bother to practice safe surfing and got attacked by Conficker?

Maybe the time has come for people to think about their PCs like people think about cash.

If you carry it around you have to protect it. If you lose cash – you can only blame yourself. If you got your pocket picked in the big city – you can only blame yourself.

The CEO of a client (a specialty brokerage with  about 100 employees) told me a few years ago that his security policy goes like this:

We have invested a lot of money in providing our employees with state of the art information technology. Your personal workstations have all the applications you need.   If you download software – you are fired.

Next – we’ll be buying metal helmets so that the CIA won’t be able to read our minds.

And – here, we have not even solved the problem of trusted insiders.

The letter of the law is always operative and the common denominator of the regulators (HIPAA, PCI etc..) is not to store or transmit personal information at all in the application software systems.

We are correct in identifying cloud providers as a potential vulnerability – however, storing data in the ‘cloud’ is no different from storing data in an outsourced data center and it’s subsequent exposure to employees, outsourcing contractors etc..If you have a medical file application,  ecommerce or an online application – your best data security countermeasure is NOT to store PII at all in your application.

I personally don’t buy into technology silver bullets and data obfuscation as effective security countermeasures.   They have their utility but even if the data is obfuscated in the cloud it still traverses some interface between the data provider and the cloud provider.

In my experience, since almost all data breaches occur on the interface – adding an additional technology layer will serve to increase your value at risk not reduce it – since more complexity and more third party software only adds additional vulnerabilities and increases your threat surface.

As far as I know, there have been no documented events of PII being leaked from an infrastructure cloud provider like Rackspace or IBM. Their standards of operation and security are far better than the average business.

Notwithstanding legal definitions, regulatory standards like HIPAA and SOX tell us to do a top down risk analysis and demonstrate why the risk of leaking PII is acceptably low.

If you are developing and maintaining an online application with patient or customer data, your best bet is good application engineering and resolving your data privacy exposure issues by simply removing ePHI and PII from your systems.

• Bloatware/system resource consumption – if you’re concerned with anti-virus system resource usage, imagine layering another 100MB of software, another 20MB of data security rules and loads of network traffic for management just for the luxury of getting a good deal from Symantec on a piece of integrated software that IT doesn’t know how to manage anyhow.
• Software vulnerabilities – if you have issues with the anti-virus – you don’t want them affecting your data flows via the DLP agent. Imagine a user uninstalling  the anti-virus and impacting the DLP agent.
• Diversity – the strong anti-virus products have weak DLP agents – which means that the advantage of a single management platform is spurious. Having strong anti-virus software on your Windows PCs from a vendor like McAfee complements having strong data loss prevention from a company like Verdasys.
• Not a good fit for the organization – IT manage the Anti-virus,   Security manage the data security and never the twain shall meet.

Leading up to the Al Quaeda attack on the US in 9/11, the FBI investigated, the CIA analyzed but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.

Dissonance in organizations is often resolved  by building separate silos of roles and responsibilities.

However, it is impossible to take wise decisions on risk management in the business when the risk intelligence is in separate silos.

We help protect customer data and intellectual property from fraud and breaches of confidentiality.  We’re always looking for interesting projects – call or text me at  +972 54 447 1114 at  any time.

I don’t really understand why anyone would want to pay Google money for Adwords.

I ran a little experiment recently to promote our web sites using Google Adwords and Twitter.

Here are the results:

The results of my little online marketing experiment show a huge advantage for Twitter with focused search phrases in bios over Google adwords with carefully chosen keywords.

Google Adwords
650 extra hits in 4 weeks
1 hour setting up 2 ads,
Campaigns ran for 4 weeks, cost 1100 sheqels,
Hit Relevance – none. (the keywords people actually used to arrive at the site were not the keywords I chose)

Twitter
2000 extra hits in 1 day
5′ in Twitter to create a user security_expert
1 hour in Twellow search looking for CSO, CISO, Chief Information Security, Security Director etc… in bios (about 300 people)
5′ posting 5 tweets from my blog
Campaign ran 1 day, cost: 0 sheqels
Hit Relevance – good, no spam on the blog in this 24 hour period (good sign…)

Now – I have to explain to my wife why I wasted 1100 sheqels on Google instead of  (insert requirement here)

Now I think we have reached a new level of Microsoft sycophancy with the Obama administration implementing a Bush decision to standardize IT but in a way that makes practically no sense at all – let’s ban all non IE browsers.  It’s really scary to what lengths the Obama administration will go undo Bush policy.

In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug.18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.”

It does make sense to standardize on a browser – but why standardize on the most vulnerable browser and operating system?  Why not standardize on Ubuntu and FF 3 on the desktop or standardize on diskless workstations with Citrix or TightVNC?

The full item is here – USDA unit bans browsers other than Internet Explorer

Is a SME like the old German expression – Kleine Kinder kleine Sorgen, große Kinder große Sorgen? “Small children, small problems, big children, big problems”?

I wanted to call this post “The need to understand operational risk of information security” – but I realised that op risk is a concept used by big banks and that a SME with 40 employees is not even thinking in that direction and may not even have an IT manager, let alone an IT security and compliance group. Yet – a small payment processor,  or customer service outsourcing provider can be destroyed by a  single data loss event.

The impact of a data loss event on an SME can be proportionally much greater than for a large, globally dispersed organization.  An SME has all their eggs in one basket – outsourcing manufacturing to the Far East and providing sales and support using the Internet from offices in New York, Tel Aviv and Mumbai.

A typical SME buys network access from the ISP and installs standard network security in the office: like a SOHO firewall (Checkpoint or Cisco do fine), anti-virus on the workstations and anti-spam from the ISP.

The problem with firewall/anti-virus/anti-spam is that they are defensive means against known signatures rather than proactive means of mitigating the next attack launched from inside the network.

In order to understand the possible impact of an internally-launched attack on data (for example – an employee taking proprietary customer pricing with them to a competitor) or blogging new product plans from the office – or losing a database of payment card numbers to a hacker – the first step to being proactive is monitoring.

With a UTM box, security focus is on outside­-in attacks, despite the fact that the majority of attacks on customer data and intellectual property launch from inside the office/extended network. The notion of trusted systems inside a hard perimeter has disappeared with rise of Web 2.0 services and convergence of all applications to HTTP.

I cannot imagine an SME spending $150,000 on Fidelis XPS network DLP solution or Verdays Digital Guardian (which is oriented to Global 500 customers or translated into English – at least 2,000 seats) but the new network DLP  product – Traffic Monitor Lite from Infowatch is taking DLP technology into realm of pricing and ease-of-use from a Global SME. I look forward to having the opportunity to evaluate it and report back on my findings.