Tag Archives: data security

PCI DSS is a standard for the card associations not for your business

 

I recently saw a post from a blog on a corporate web site from a company called Cloud compliance, entitled “Compliance is the New Security Standard“.

Cloud Compliance provides a SaaS-based identity and Access Assessment (IdAA) solution that helps identify and remediate access control and entitlement policy violations. We combine the economies of cloud computing with fundamental performance management principles to provide easy, low cost analysis of access rights to prevent audit findings (sic) and ensure compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC.

The basic thesis of the blog post was that since companies have to spend money on compliance anyhow, they might as well spend the money once and rename the effort “security”.   This is an interesting notion – although perhaps “placebo security” might be a cheaper approach.

Compliance is not equivalent to security  for several fundamental reasons.  Let’s examine this curious notion, using  PCI DSS 1.2 as a generic example of a regulatory compliance standard that is used to protect payment card numbers:

A. Filling out a form or having an auditor check off a list is not logically equivalent to installing and validating security countermeasures. A threat modeling exercise is stronger than filling out a form or auditing controls – it’s significant that threat modeling is not even mentioned by PCI DSS, despite the ROI in think time.

B. Although PCI DSS 1.2 is better than previous versions – it still lags the curve of typical data security threats – which means that even if a business implements all the controls – they are probably still vulnerable.

C. PCI DSS was designed by the card associations – there is no way that any blanket standard will fit the needs of a particular business – anymore than a size 38 regular suit will fit a 5′ 7″ man who weighs 120 kg and wrestles professionally.

D. PCI DSS talks about controls with absolutely no  context of value at risk. A retailer selling diamond rings on-line, may self-comply as a Level 4 merchant but in fact have more value at risk than then the payment processor service provider he uses. (See my previous post on Small merchants at risk from fraudulent transactions )

E. PCI DSS strives to ensure continued compliance to their (albeit flawed) standard with quarterly (for Level 1) and yearly (for everyone else) audits.   The only problem with this is that a lot of things can happen in 3 months (and certainly in a year).   The automated scanning that many Level 2-4 merchants do is essentially worthless but more importantly – the threat scenarios shift quickly these days – especially when you take into account employees and contractors who as people are by definition, unpredictable.

F. Finally – PCI DSS is a standard for whom? It’s a standard to help the card associations protect their supply chain.   It is not a policy used by the management of a company in order to improve customer service and grow sales volume.

F. PCI DSS 1.2 mandates security controls for untrusted networks and external attacks.   The phrases “trusted insider” or “business partner” are not mentioned once in the standard. This is absurd, since a significant percentage of the customer data breaches in the past few years involved trusted insiders and business partners. A card processor can be 100 percent compliant but because they have a Mafia sleeper working in IT – they could be regularly leaking credit card numbers. This is not a theoretical threat.

To summarize:

  • PCI DSS is a standard for the card associations not for your business nor for your customers.
  • As a security standard it is better than none at all but leaves much to be desired because it is not oriented towards the business and consumer protection
Tell your friends and colleagues about us. Thanks!
Share this
Security is not fortune telling

The importance of risk analysis for HIPAA compliance

A chain of risk analysis

The HIPAA Final Rule creates a chain of risk analysis and compliance from the hospital, downstream to the business associates who handle / process PHI for the hospital and sub-contractors who handle / process PHI for the business associate.

And so on.

The first thing an organization needs to do is a risk analysis.   How important is a risk analysis?  Ask Cancer Care Group who were just fined $750,000 for non-compliance with the Security Rule.

$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies

Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.

On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. For more information see the HHS Press Release from Sep 2, 2015 $750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies

Risk analysis is the first step in meeting Security Rule requirements

I have written here, here, here and here about the importance of risk analysis as a process of understanding the value of your assets, the impact of your threats and the depth of your vulnerabilities in order to implement the best security countermeasures.

The HIPAA Security Rule begins with the analysis requirement in § 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is fundamental to the entire process of HIPAA Security Rule compliance, and must be understood in detail by the organization in order to specifically address safeguards and technologies that will best protect electronic health information. See Guidance on Risk Analysis Requirements under the HIPAA Security Rule. Neither the HHS Guidance nor NIST specify a methodology – we have been using the Practical Threat Analysis methodology for HIPAA Security risk analysis with Israeli medical device companies since 2009 and it works smoothly and effectively helping Israeli medical device vendors comply and implement robust security at the lowest possible cost.

§ 164.308(a)(1)(ii)(A) Risk Analysis (R1): As part of the risk management process, the company performs information security risk analysis for its services (see company procedure XYZ) analyzing software application  security, data security and human related vulnerabilities. Risk analysis is performed according to the Practical Threat Analysis methodology.

1 A refers to addressable safeguards, and R refers to required safeguards.

Do it.  Run Security like you Run your business

Tell your friends and colleagues about us. Thanks!
Share this
Protecting your blackberry

Dealing with DLP and privacy

Dealing with DLP and privacy

It’s a long hot summer here in the Middle East and with 2/3 of  the office out on vacation, you have some time to reflect on data security. Or on the humidity.  Or on a cold beer.

Maybe you are working on building a business case for DLP technology like Websense or Symantec or Verdasys, or Mcafee or Fidelis in your organization.  Or maybe you  already purchased DLP technology and you’re embroiled in turf wars that have put your DLP implementation at a standstill as one of your colleagues is claiming that there are employee privacy issues with DLP and you’re trying to figure out how to get the project back on track after people get back from their work and play vacations in Estonia and brushing up on their hacking skills.

Unlike firewall/IPS, DLP is content-centric. It is technology that drives straight to the core of business asset protection and business process.  This frequently generates opposition from people who own business assets and manage business process. They may have legitimate concerns regarding the cost-effectiveness of DLP as a data security countermeasure.

But – people who oppose DLP on grounds of potential employee privacy violations might be selling sturm and drang to further a political agenda.   If you’re not sure about this – ask them what they’ve done recently to prevent cyber-stalking and sexual harassment in the workplace. 

For sure, there are countries such as France and Germany where any network or endpoint monitoring that touches employees is verboten or interdit as the case may be; but if you are in Israel, the US or the UK, you will want to read on.

What is DLP and what are the privacy concerns?

DLP (data loss prevention) is a solution for monitoring/preventing sensitive outbound content not activity at an endpoint. This is the primary mission. DLP is often a misnomer, as DLP is more often than not, DLD – data loss detection but whatever…Network DLP solutions intercept content from the network and endpoint DLP agents intercept content by hooking into Windows operating system events.  Most of the DLP vendors offer an integrated network DLP and endpoint DLP solution in order to control removable devices in addition to content leaving network egress points. A central command console analyzes the intercepted content and generates security events, visualizes them and stores forensics as part of generating actionable intelligence. Data that is not part of the DLP forensics package is discarded.

In other words, DLP is not about reading your employees email on their PC.  It’s about keeping the good stuff inside the company.    If you want to mount surveillance on your users, you have plenty of other (far cheaper) options like browser history capturer or key loggers. Your mileage will vary and this blog does not provide legal guidance but technically – it’s not a problem.

DLP rules and policies are content-centric not user-centric.

A DLP implementation will involve writing custom content signatures (for example to detect top-secret projects by keyword, IP or source code) or selecting canned content signatures from a library (for example credit cards). 

The signatures are then combined into a policy which maps to the company’s data governance policy – for example “Protect top-secret documents from leaking to the competition”. 

One often combines server endpoints and Web services to make a more specific policy like “Alert if top-secret documents from Sharepoint servers are not sent via encrypted channels to authorized server destinations“. 

In 13 DLP installations in 3 countries, I never saw a policy that targeted a specific user endpoint. The reason for this is that it is far easier using DLP content detection to pickup endpoint violations then to white list and black list endpoints which in a large organization with lots of wireless and mobile devices is an exercise in futility.  

We often hear privacy concerns from people who come from the traditional firewall/IPS world but the firewall/IPS paradigm breaks when you have a lot of rules and endpoint IP addresses and that is why none of the firewall vendors like Checkpoint ever succeeded in selling the internal firewall concept. 

Since DLP is part of the company data governance enforcement, it is commonly used as a tool to reinforce policy such as not posting company assets to Facebook. 

It is important to emphasize again, that DLP is an alert generation and management technology not a general purpose network traffic recording tool – which you can do for free using a Netoptics tap and  Wireshark.

 Any content interception technology can be abused when in the wrong hands or in the right hands and wrong mission.  Witness NSA. 

Making your data governance policy work for your employees

Many companies, (Israeli companies in particular) don’t have a data governance policy but if they do, it should cover the entire space of protecting employees in the workplace from cyber-threats.

An example of using DLP to protect employees are the threat scenarios of cyber-stalking, sexual harassment or drug trafficking in the workplace where DLP can be used to quickly (as in real-time) create very specific content rules and then refined to include specific endpoints to catch forensics and offenders in real-time. Just like inCSI New York New York.

In summary:

There are 3 key use cases for DLP in the context of privacy:

  1. Privacy compliance (for example PCI, HIPAA, US State and EU privacy laws) can be a trigger for installing DLP. This requires appropriate content rules that key to identifying PHI or PII.
  2. Enforcement of your corporate  data governance and compliance policies where privacy is an ancillary concern.   This requires appropriate content rules for IP, suppliers and sensitive projects. So long as you do not target endpoints in your DLP rules, you will be generating security events and collecting forensics that do not infringe on employee privacy.   In some countries like France and Germany this may still be an issue.  Ask your lawyer.
  3. Employee workplace protection – DLP can be an outstanding tool for mitigating and investigating cyber threats in the workplace and at the very least a great tool for security awareness and education. Ask your lawyer.

If you liked this or better yet hated it,  contact  me.  I am a professional security analyst specializing in HIPAA compliance and medical device security and I’m based in Israel and always looking for interesting and challenging projects.

Idea for the post prompted by Ariel Evans.

Tell your friends and colleagues about us. Thanks!
Share this
dilbert-paradigm-intro1

10 ways to detect employees who are a threat to PHI

Software Associates specializes in software security and privacy compliance for medical device vendors in Israel.   One of the great things about working with Israeli medical device vendors is the level of innovation, drive and abundance of smart people.

It’s why I get up in the morning.

Most people who don’t work in security, assume that the field is very technical, yet really – it’s all about people.   Data security breaches happen because people or greedy or careless.    100% of all software vulnerabilities are bugs, and most of those are design bugs which could have been avoided or mitigated by 2 or 3 people talking about the issues during the development process.

I’ve been talking to several of my colleagues for years about writing a book on “Security anti-design patterns” – and the time has come to start. So here we go:

Security anti-design pattern #1 – The lazy employee

Lazy employees are often misdiagnosed by security and compliance consultants as being stupid.

Before you flip the bozo bit on customer’s employee as being stupid, consider that education and IQ are not reliable indicators of dangerous employees who are a threat to the company assets.

Lazy employees may be quite smart but they’d rather rely on organizational constructs instead of actually thinking and executing and occasionally getting caught making a mistake.

I realized this while engaging with a client who has a very smart VP – he’s so smart he has succeeded in maintaining a perfect record of never actually executing anything of significant worth at his company.

As a matter of fact – the issue is not smarts but believing that organizational constructs are security countermeasures in disguise.

So – how do you detect the people (even the smart ones) who are threats to PHI, intellectual property and system availability:

  1. Their hair is better organized then their thinking
  2. They walk around the office with a coffee cup in their hand and when they don’t, their office door is closed.
  3. They never talk to peers who challenge their thinking.   Instead they send emails with a NATO distribution list.
  4. They are strong on turf ownership.  A good sign of turf ownership issues is when subordinates in the company have gotten into the habit of not challenging the VP coffee-cup holding persons thinking.
  5. They are big thinkers.    They use a lot of buzz words.
  6. When an engineer challenges their regulatory/procedural/organizational constructs – the automatic answer is an angry retort “That’s not your problem”.
  7. They use a lot of buzz-words like “I need a generic data structure for my device log”.
  8. When you remind them that they already have a generic data structure for their device log and they have a wealth of tools for data mining their logs – amazing free tools like Elasticsearch and R….they go back and whine a bit more about generic data structures for device logs.
  9. They seriously think that ISO 13485 is a security countermeasure.
  10. They’d rather schedule a corrective action session 3 weeks after the serious security event instead of fixing it the issue the next day and documenting the root causes and changes.

If this post pisses you off (or if you like it),  contact danny Lieberman me.  I’m always interested in challenging projects with people who challenge my thinking.

Tell your friends and colleagues about us. Thanks!
Share this
skin mounted medical devices

Shock therapy for medical device malware

Israel has over 700 medical device vendors.  Sometimes it seems like half of them are attaching to the cloud and the other are developing mobile apps for all kinds of crazy, innovative applications like Healthy.io ( Visual Input Turned Into Powerful Medical Insight – translation: an app that lets you do urine analysis using your smart phone).

But – let’s not forget that many Medical devices  such as bedside monitors, MRI, nuclear medicine and  catheterization devices all reside on today’s hospital enterprise network.

An enterprise hospital network is a dangerous place.

Medical devices based on Microsoft Windows  can be extremely vulnerable to attack from hackers and malware who penetrate the hospital network and exploit typical vulnerabilities such as default passwords.

More importantly – medical devices that are attached to a hospital network are a significant threat to the hospital network itself since they may propagate malware back into the network.

While a thorough software security assessment of the medical device and appropriate hardening of the operating system and user-space code is the best way to secure a medical device in a hostile hospital network – this is not usually an option for the hospital once the medical device is installed.

Taking a page out of side-channel attacks and using the technique to detect malware, University of Michigan researchers have developed WattsUpDoc, a system designed to detect malware on medical devices by noting small changes in their power consumption.

The researchers say the technology could give hospitals a quick way to identify medical devices with significant vulnerabilities.

The researchers tested WattsUpDoc on an industrial-control workstation and on a compounder, which is used to mix drugs.

The malware detector first learned the devices’ normal power-consumption patterns. Then it tested machines that had been intentionally infected with malware. The system was able to detect abnormal activity more than 94 percent of the time when it had been trained to recognize the malware, and up to 91 percent of the time with previously unknown malware. The researchers say the technology could alert hospital IT administrators that something is wrong, even if the exact virus is never identified.

For the full article see WattsUpDoc

 

Tell your friends and colleagues about us. Thanks!
Share this
hipaa cloud security

Is your HIPAA security like a washing machine?

Is your HIPAA security management like a washing machine?

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle.

It’s always a 4 step cycle, like “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s a washing machine cycle that never stops.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff; quantification and prioritization of your actions based on financial value of assets and measurement of threat impact.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches and medical devices and information system that doubled last year, and security budgets that are shrinking as the US economy stutters – you need to measure how well the product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

In order to help make that happen – all you need to do is contact us via the site contact form or pick up a phone and give me a ring at +972-54-447.1114.

This is what we do – help you and your team take a leadership role in the board room and secure your medical devices instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.

Tell your friends and colleagues about us. Thanks!
Share this
Bridging the security IT gap with BI

How to use BI to improve healthcare IT security


Information technology
management is about executing predictable business processes.

Information Security Management is about reducing the impact of unpredictable attacks to  your  healthcare provider organization.

Once we put it this way – it’s clear that IT and security and compliance professionals, as dedicated as they are to their particular missions – do not have common business objectives and key results. This is why we have so many software security issues – we have software that is developed and implemented with disregard to best practice security.

In order to bridge the gap – healthcare provider IT and security professionals need to adopt a common goal and a common language – a language  of customer-centric threat modelling

Typically, when a healthcare provider ( whether a hospital, HMO or primary care provider) needs  software application,  an IT consultant will do a system analysis starting with business requirements and then proceed to propose a solution to buy or build an application and deploy it.

Similarly, when the information security group needs an anti-virus or firewall, security consultants  make requirements based on the current risk profile of the healthcare provider, test products, and proceed to buy and deploy or subscribe and deploy the new anti-virus or firewall solution.

The problem is that the two activities never work together – as result, we get islands of software applications that are not integrated with the company information security and compliance portfolio and we get information security technologies that are unaware of the applications and in a worst case scenario – get in the way of business productivity.

Michael Koploy of Software Advice explains well on how BI (business intelligence, once the domain of IT expert consultants) is now highly accessible technology in his article 4 Steps to Creating Effective BI Teams.

Business intelligence–the use of sophisticated software to analyze complex data–is no longer the domain of a centralized group of IT staff or advanced data analysts. Today, powerful and Web-based BI tools are accessible to a wide range of business users.

BI is everywhere, and it’s everyone’s job. But with this proliferation comes new challenges. Teams of BI users today often lack the structure, guidance and leadership to effectively mine data. In this article, I’ll share four steps to establish guidelines, organize teams, delegate data management and allow the success of the BI team to permeate and drive innovation throughout the business.

I agree with Michael.

By using BI – we can explore vulnerabilities in business processes and bring the information back to healthcare IT and security management in a constructive way and start building that common language between healthcare IT  and healthcare security management that is so essential to protecting patient health records.

Tell your friends and colleagues about us. Thanks!
Share this

Five things a healthcare CIO can do to improve security

A metaphor I like to use with clients compares security vulnerabilities with seismic fault lines. As long as the earth doesn’t move – you’re safe, but once things start moving sideways – you can drop into a big hole. Most security vulnerabilities reside in the cracks of systems and organizational integration and during an M&A, those cracks fault lines can turn your local security potholes into the Grand Canyon.

Here are 5 practical things I would recommend to any healthcare organization CIO:

1. Do not rely on fixed controls

Any information security professional will tell you that security countermeasures are comprised of people, processes and technology.  The only problem is that good security depends on stable people, processes and technology. A stable organization undergoing rapid and violent change is an oxymoron.  Visualize your company has ISO 27001 certification but the stock drops by 90% because of an options back-dating scandal at the top, the company fires 900 employees and all of a sudden, the fixed controls are not as effective as you thought they were.  Think about the Maginot Line in WWII.

2. Use common sense when it comes to people

People countermeasures should be a mix of common-sense, background checks (at a depth proportional to job exposure to sensitive assets), and deterrence.  Andy Grove once said

“Despite modern management theory regarding openness – a little fear in the workplace is not a bad thing”.

When a lot of employees are RIF‘d – there is a lot of anger and people who don’t identify with their employer; the security awareness training vaporizes and fear and revenge take over. Some of the security people will be the first to go, replaced by contractors who may not care one way or the other or worse – be tempted by opportunities offered by the chaos. In  a large complex healthcare organization, large scale security awareness training is probably a hopeless waste of resources considering the increasing number of options that people have (Facebook, smartphones..) to do stuff that causes damage to the business.Security awareness will lose every time it comes up against an iPad or Facebook.

Why is  common sense a good alternative to awareness training?

Common sense  is easy to understand and enforce if you keep it down to 4 or 5 rules:  maintain strong passwords, don’t visit porn sites, don’t blog about the business, don’t insert a disk on key from anyone and maintain your notebook computer like you guard your cash.

3. Spend some money on securing your software applications instead of on security theater

It’s a given that business processes need to be implemented in a way that ensures confidentiality, integrity and availability of customer data.  A simplistic example is a process that allows a customer service representative to  read off a full credit card number to a customer. That’s a vulnerability that can be exploited by an attacker.  But – that’s a trivial example – while you’re busy managing processes and using security theater code words – the attackers are attacking your software and stealing your data.

4. Question your defenses 

Technology countermeasures are not a panacea – and periodically you have to step back and take a look at your security portfolio both from a cost and effectiveness perspective.  You probably reply on a defense in depth strategy but end up with multiple, sometimes competing and often ineffective tools at different layers – workstation, servers and network perimeter.

Although defense-depth is a sound strategy – here are some of the fault lines that may develop over time:

  • One – most defense in depth  information security is focussed on external threats while in an  organization undergoing rapid change – the problem is internal vulnerabilities.
  • Second – defense-in-depth means increased complexity which can result in more bugs, more configuration faults and … less security instead of more security.
  • Three – when the security and executive staff is cut, security monitoring and surveillance is suffers – since there are less (or no) eyeballs to look at the logs and security incident monitoring systems. With less eyeballs looking at events – you may have a data breach and only know about it 3 months later – are you still sure defense in depth was protecting you?

5. Invest in smart people instead  (instead of investing in business alignment)

Business alignment is one of those soft skill activities that keep people in meetings instead of mitigating healthcare  vulnerabilities – which requires hard professional skills and high levels of professional security competence. It’s a fact of life that problem solvers hate meetings and rightly so – you should invest in smart people and go light on the business alignment since it will never stop the next data breach of your patients’ data.

Claudiu Popa, president and chief security officer of data security vendor Informatica Corp. told  Robert Westervelt in an interview  on searchsecurity.com that:

…once an organization reaches the right level of maturity, security measures will not only save time and money, but also contribute to improved credibility and efficiency.

This is nonsense – security is a cost  and it rarely contributes to efficiency of a business (unless the business can leverage information security as part of it’s marketing messages) and as  for an organization firing 30% of it’s workforce over night – words like maturity, credibility and efficiency go out the door with the employees.

At that point –  highly competent and experienced security professionals who are thinking clearly and calmly are your best security countermeasure.

Tell your friends and colleagues about us. Thanks!
Share this

Encryption, a buzzword, not a silver bullet

Encryption,  buzzword, not a silver bullet for protecting data on your servers.

In order to determine how encryption fits into server data protection, consider 4 encryption components on the server side: passwords, tables, partitions and  inter-tier socket communications.

In these 4 components of a application / database server encryption policy, note that some countermeasures are required (for example one-way hashes of passwords, while other such as encrypting specify table columns may or may not be relevant to a particular application).

1. Encrypted password storage

You must encrypt passwords. It’s surprising to me how many Web sites don’t bother encrypting user passwords – See cases Universal Music Portugal where e-mail addresses and clear-text passwords are dumped on Internet.

What is more surprising is the confusion between encryption and hashing.

Don’t use AES for encrypting passwords in your MySQL or Oracle or MS SQL database.  You’ll end up storing the AES key somewhere in the code and an attacker or malicious insider can read the key by opening up one of your application DLLs in Notepad++ and read that key in a jiffy and breach your entire MySQL database with a single SELECT statement.

Database user passwords should be stored as MD5 hashes, so that a user  (such as a DBA) who has been granted SELECT access to the table (typically called ‘users’)  cannot determine the actual password. Make sure that different instances have different salts and include some additional information in the hash.

If you use MD5 encryption for client authentication, make sure that  the client hashes the password with MD5 before sending the data on the network.

2. Encrypt specific database table columns

The PostgreSQL 9.1 pgcrypto module allows certain fields to be stored encrypted. This is especially useful if some of the data is sensitive for example in the case of ePHI where the Web application needs to comply with the CFR 45 Appendix A Security rule. The client software provides the decryption key and the data is decrypted on the server and then sent to the client.  In most cases the client (a database driver in an MVC application such as Ruby on Rails or CakePHP or ASP.NET MVC is also a server side resource and often lives on the same physical server as the database server. This is not a bad thing.

3. Encrypt entire data partitions

Encrypting entire data partitions has its place.

On Linux, encryption can be layered on top of a file system using a “loopback device”. This allows an entire file system partition to be encrypted on disk, and decrypted by the operating system. Many operating systems support this functionality, including Windows.

Encrypting entire partitions is a security countermeasure for physical attacks, where the entire computer is stolen. Research we did in 2007 indicated that almost 50% of large volume data breaches employed a physical attack vector (stealing a notebook at a hotel checkin desk, hijacking a truck transporting backup tapes to Iron Mountain and smash and grab jobs where thieves know the rent-a-cop walkaround schedule and break in and steal desktop computers.

On the other hand, once the volume is mounted,  the data is visible.

4. Encrypt socket communications between server tiers

SSL has it’s place, although SSL is not a silver bullet countermeasure for Microsoft Windows vulnerabilities and mobile medical devices vulnerabilities as I wrote herehere and here.

SSL connections encrypt all data sent across the network: the password, the queries, and the data returned. In database client-server connections,  relational database systems such as PostgreSQL allow administrators to specify which hosts can use non-encrypted connections (host) and which require SSL-encrypted connections (hostssl). Also, clients can specify that they connect to servers only via SSL. Stunnel or SSH can also be used to encrypt transmissions.

 

Tell your friends and colleagues about us. Thanks!
Share this

Security is in the cracks

Yesterday I spent most of the day re-installing one of the  workstation in the office with Ubuntu 11.10. I like what I saw, but the Unity interface is not my cup of tea so I installed Gnome – what they call Classic Ubuntu.

In principle I shut down as many operating services as I can – especially those that call out and/or listen on the Internet but this is supposed to be a development machine with access to our private git repository and sending out email via a Postfix relay.

On our own  small scale of a lab with 6-7 machines for testing network and software security of customer applications, I  got  thinking that most system vulnerabilities live in the cracks of system integration of components and packaged software while most of the industry’s efforts in software security are directed towards new software implementations.

If you are preparing to implement a packaged application for financial management, CRM, data mining or ERP something in the back of your mind probably says that the vendor’s development organization is probably not a lot different than yours (although you hope they’ve thought through the security issues first)..

Here are a 2 ideas to help find the crud in the cracks:

  • Inspect and penetration-test the system; assess infrastructure components, database interfaces and Web applications for vulnerabilities using The Software Associates 6 step Business threat analysis methodology
  • You need to identify fault-prone modules in your particular operation and evaluate those modules with the most impact on system reliability and downtime.
Tell your friends and colleagues about us. Thanks!
Share this