Wednesday, February 25, 2015

Healthcare will see a substantial increase of data stealing attacks





According to the Identity Theft Resource Center, healthcare data accounted for 43 percent of major data breaches reported in 2013. Medical records and patient data are logical targets for cybercriminals. Healthcare records hold a treasure trove of data that is valuable to an attacker. No other single type of record contains as much Personally Identifiable Information (PII) that can be used in a multitude of different follow-up attacks and various types of fraud.

Healthcare records not only contain vital information on the identity of an individual (name, address, Social Security number) but also often link to financial and insurance information. Access to PII allows an attacker to commit identity fraud, while the financial information can lead to financial exploitation. This is a logical and profitable secondary attack area for cybercriminals who have already dealt in stolen credit card data.



Healthcare professionals are also at risk. Often, they have an increased tendency to try to get around IT security policies in order to better serve their patients. In a medical emergency, the stakes couldn’t be higher. When a doctor or nurse needs access to computing resources or data because a patient’s health is at risk, IT policy takes a back seat to the patient’s health. In the heat of the moment, such behavior can lead to increased exposure to cyber threats, or to insecure access to and storage of sensitive information.

This is also occurring in a healthcare environment that is still undergoing a transformation to digital and electronic records. While there has been a huge political push to move to electronic health care records, hospital and medical care security (especially in smaller offices) has not yet caught up to the challenge of protecting this valuable patient data. As a result, targeted cyber-attacks against healthcare organizations will continue their rapid rise in frequency and success.

Monday, February 16, 2015

3 Persistent Security Myths

I have this Friend, and you probably know someone like this too—the one that is always sending forwards even though you asked them to stop 10 years ago, and even though you’ve told them that forwarded messages can present safety risks online.
Besides the fact that netiquette has been well established and widely understood for years, and these friends (or relatives) are being impolite by spamming you, the more important fact is the messages also present a security risk, for individuals as well as organizations.
After the most recent forwarded link, I mentioned to my Friend that I hoped she had good security software. Her response: “My friend sent this to me. It’s a valid clip/link and virus free.”
And I just had to shake my head at the security fallacies in those brief statements. I hate to be the smart-ass of the family who tries to lecture or educate the less tech-savvy, but I also don’t want to see my relatives fall victim to dumb social engineering scams. Now, this particular link probably was virus-free and safe enough, but when someone continually sends links and forwards, I start to worry they don’t know how to stay safe online.
So, what’s a conscientious security professional or blogger to do?
I’d love to hear your approaches and comments on this topic. For now, I’m going to try breaking down the myths that seem to persist, and see if I can think of a way to quietly explain the issue.


1. “My friend sent this to me.”
Of course you trust your friend, but that doesn’t make it safe to always trust the links they send out. First, the link could contain a virus or malware that your friend doesn’t know about either. Say your friend’s coming down with a cold, but doesn’t know it yet. You both share a drink at a café—two days later, you both get sick because your friend passed the cold on to you. Same idea.
In computers, it’s even more dangerous, because you may never know you’re sick. Spyware, for example, is designed to watch what you do and send information to the hackers about your online behavior, or even about your passwords. Malware can install itself on your computer without your even knowing. Many people get infected with software that forms a network with other computers, called a botnet. When the hacker contacts all those computers, they can be activated and do whatever he wants—like send messages from your computer to your friends.
These hackers don’t want you or your friends to know you’ve been hacked. Your computer might just slow down a few hours a day…because it’s being used secretly by someone else. They can change your security settings, see your passwords, or even corrupt your files and shut down your computer without your permission.
If your password information is stolen, hackers can access your accounts and send forwarded links and emails to your friends without your even knowing. Those messages can contain more malware that installs on your friends’ computers, or spreads through your accounts.
Of course we trust our friends. But that doesn’t mean that our friends won’t have problems online, or that they won’t get infected.


2. “It’s a valid clip/link.”
Images, documents, and all sorts of valid files are used to send viruses and malware to users. The most popular lately are PDFs and Microsoft Office documents, but picture and video files can also be suspect—and for many years it was images most of all that were the most dangerous. The link might contain something useful, entertaining, or even work-related. Just because the link works and does what you expect it to doesn’t mean that it’s safe. It could also contain other problematic files. While you’re being entertained or even learning a fun factoid, something bad might be happening in the background…


3. “And it’s virus-free.”
Again, just because it works and your friend sent it, you can’t assume it’s virus free.
First, did you scan it for viruses? If your scanner says it’s virus-free, how well do you trust your scanner? Many well known and popular anti-virus programs, even if they’re mostly reliable, can’t pick up every infection. Additionally, viruses aren’t the only problems you have to worry about online.
Everyone—hey, even Mac users—should get themselves a good anti-virus/anti-malware program and check regularly for updates. But it’s also good to keep in mind that even the best program won’t always protect you. The best defense is being careful about what you click, and what the source is.

Third party / vendor management - due diligence standards



Third Party Due Diligence Standards

These are the things every organization should look at when conducting initial or annual due diligence on a vendor/client.

The third party’s controls must meet or exceed the controls required by PCI DSS and must satisfy GLBA compliance requirements.


 


The GLBA Safeguards Rule requires all financial institutions to have security plans in place to ensure the confidentiality and integrity of customer data. An Information Security Plan must make use of the following:

  • Administrative safeguards, such as employee oversight and training;
  • Physical safeguards, such as restricted access to hardware and disaster recovery plans;
  • Technical safeguards, such as firewalls, encryption, access controls and secure computer networks.


 


Safeguards must be implemented in proportion to the scope of, and the risk to, the institution and the information it handles. Furthermore, the Safeguards Rule requires that a designated employee oversee the development and coordination of security in the institution.


 


The following areas should be reviewed during the due diligence process.


 


Incident Response


Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a process that should be followed when an incident occurs.


 


The incident response document should include the following:

  • Define an incident response team with assigned roles and responsibilities
  • Categorize or identify what types of detected activities require incident response
  • Define incident response investigation and validation requirements. For example, all administrative and/or privileged activities must be logged, including date, time, activity performed and any suspect information identified.
  • Define the evidence gathering and handling techniques that will be used as part of the response activity
  • Define a containment strategy and who has the authority to make critical or business-impacting decisions when a breach occurs. Time is critical; waiting for executive approval could be costly.
  • Define who must be contacted, and within what time period, when reporting a compromise or breach.
  • Include a requirement to use an association-approved forensics vendor, listed or referenced within the document
  • Reference the creation of a formal incident report, including historical tracking, training and lessons learned.
  • Include a schedule for the plan to be practiced and reviewed.
  • Assign responsibility for creating and distributing security incident response and escalation procedures.


 


Information Security


A security policy is a document that states in writing how your organization protects the company’s physical and logical information technology assets. A security policy is often considered to be a “living document”, meaning that the document is never finished but is continuously updated as technology and employee requirements change. A company’s security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measures will be carried out and enforced, a procedure for evaluating the effectiveness of the security policy, and the steps taken to ensure that necessary corrections will be made.


 


The Information Security Policy should include the following:

  • Define access controls for device management (routers, firewalls and switches)
  • Define roles and responsibilities
  • Define the process followed for user creation and modifications
  • Define the process for removing/disabling user accounts immediately upon termination
  • Define the requirement that all employees and contractors sign an acceptable use policy
  • Define the requirement that all employees and contractors sign non-disclosure agreements regarding confidential information
  • Define server hardening procedures
  • Define system patching procedures and schedules
  • Define logging requirements for all critical systems, as well as log review and retention requirements
  • Define authentication requirements
  • Define a formal access approval process
  • Define the requirement that criminal background checks are performed on employees
  • Define the frequency of penetration tests and the location of the documented results
  • Define anti-virus standards, including the actions to be taken when a virus is detected
  • Define the risk management program
  • Categorize data based on sensitivity
  • Define the due diligence performed on third parties
  • Define data encryption requirements
  • Define encryption key management requirements
  • Define remote access procedures
  • Define a log and firewall review schedule
  • Define automated alerts on security, logging and monitoring systems
  • Define the requirement that security awareness training is performed annually
  • Define data retention and destruction procedures
  • Define how visitors are identified and logged
  • Define data center environmental controls
  • Define how facility entry points are secured, including the use of cameras to monitor sensitive areas and the retention plan for the recorded video
  • If wireless is used, define the strong authentication and encryption in place for wireless and mobile devices
  • Define the process for inventorying and reviewing all computer equipment maintained
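The incident response checklist above requires that administrative and privileged activity be logged with date, time and activity performed, and the security policy checklist requires a formal access approval process, prompt disabling of terminated accounts, and a log review schedule. The following script is an added example (not code from the original post) showing what a periodic review of such a log can check. The key=value log format, the approved-administrator list, the termination record and the log lines themselves are all constructed for the example.

```python
"""Privileged-activity log review: an added example, not code from the original post.

It reads the kind of administrative/privileged activity log the incident
response checklist requires (date, time, user, activity performed) and
applies checks drawn from the security policy checklist: every record carries
the required fields, the acting user holds formally approved privileged
access, and no account that should have been disabled at termination is
still active. The key=value log format, the approved-admin list, the
termination records and the log lines are all constructed for the example.
"""
import re
from datetime import date, datetime

# Constructed sample log (assumed format: ISO timestamp followed by key=value pairs).
SAMPLE_LOG = """\
2015-02-16T08:02:11Z host=fw01 user=asmith action=config_change detail="rule 42 allow tcp/443"
2015-02-16T09:15:40Z host=db01 user=bjones action=privilege_escalation detail="sudo su -"
2015-02-16T22:47:03Z host=db01 user=cdoe action=account_create detail="useradd tmpadmin"
2015-02-17T03:10:55Z host=ad01 user=dlee action=group_change detail="add tmpadmin to Domain Admins"
2015-02-17T10:30:00Z host=fw01 user=asmith action=config_change
garbage line with no timestamp
"""

# Constructed reference data: who went through the formal access approval process,
# and who has been terminated (and should have had their accounts disabled).
APPROVED_ADMINS = {"asmith", "bjones", "dlee"}
TERMINATED = {"dlee": date(2015, 2, 10)}
REQUIRED_FIELDS = ("user", "action", "detail")

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict of fields plus a 'timestamp' datetime, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text, rest = m.groups()
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["timestamp"] = ts
    return fields


def review(log_text, approved=APPROVED_ADMINS, terminated=TERMINATED):
    """Return a list of (line_number, finding_code, detail) tuples for a reviewer."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # A record that cannot be parsed cannot be reviewed; flag it rather than skip it.
            findings.append((lineno, "UNPARSEABLE", line))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append((lineno, "MISSING_FIELDS", ",".join(missing)))
        user = rec.get("user")
        if user is None:
            continue
        term_date = terminated.get(user)
        if term_date is not None and rec["timestamp"].date() >= term_date:
            # Activity after the termination date means the account was not disabled in time.
            findings.append((lineno, "TERMINATED_ACCOUNT_ACTIVE",
                             f"{user} terminated {term_date.isoformat()}"))
        elif user not in approved:
            findings.append((lineno, "UNAPPROVED_PRIVILEGED_USER", user))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in review(SAMPLE_LOG):
        print(f"line {lineno}: {code}: {detail}")
```

Run as written, the review flags an unapproved account creating a new user, a terminated employee still changing group membership, a record that lacks the required activity detail, and a line that could not be parsed. Each finding is tied to a checklist item, which is what an auditor performing due diligence will want to see in the log review evidence.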



Business Continuity


Business continuity describes the processes and procedures an organization has in place to ensure that essential functions will continue during and after a disaster. Business continuity planning seeks to prevent interruption of mission-critical services and to recover as swiftly and smoothly as possible. A document review and update should occur at least annually, or as systems are modified and/or enhanced.


 


The business continuity plan should include the following:

  • Include a risk analysis, or a reference to the risk assessment, in the document
  • Include a Business Impact Analysis in the document
  • Define the redundant processes that are in place to continue business
  • Define roles for all crisis management team members
  • Define cross-training in the plan
  • Define BC/DR testing, including the frequency of the test (at least annually), and make sure the results are documented
  • Define communication responsibilities for clients and staff
  • Document the locations covered by the plan, including data center locations
  • Document that backup recovery testing occurs annually


 


Change Control


Change control is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into a system or undoing changes made by other users or software. The goals of a change control procedure usually include minimal disruption of services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change.


 


The change control procedure should include the following:

  • Define how infrastructure and software changes are documented and formally approved
  • Define the user acceptance testing process
  • Define how changes are tested in a separate user acceptance testing (UAT) environment prior to implementing into production
  • Define documented back out procedures required for changes
  • Define segregation of duties
  • Define change release cycles
  • Define the process for emergency changes


 


Risk Assessments


An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage IT systems, but as an essential management function of the organization.


 


Risk assessments are an important part of assessing your organization’s controls and overall security.


 


The risk assessment should include the following:

  • A clearly defined process for assessing and scoring the threat likelihood, business impact, controls in place, and the residual risk that remains once the effectiveness of the control is taken into account. If the residual risk score exceeds the defined acceptable risk level, a remediation plan, including the proposed additional controls needed, should be included.
  • Assessments should include all methods of handling customer information, including:
    • Access, Collection, Storage, Use, Transmission and Disposal
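The scoring process described above (likelihood, impact, controls in place, residual risk, and a remediation plan whenever residual risk exceeds the acceptable level) is easy to get inconsistent when kept in a spreadsheet. The following script is an added example, not part of the original checklist or any particular organization's method: it scores a small risk register, flags entries that require remediation, and also checks that every method of handling customer information listed above has been assessed. The 1-5 scales, the acceptable-risk threshold and the sample risks are constructed assumptions.

```python
"""Risk register scorer: an added example, not part of the original checklist.

It scores each identified risk on threat likelihood, business impact and the
effectiveness of the control in place, derives the residual risk, flags every
risk whose residual score exceeds the acceptable level so that a remediation
plan with proposed additional controls is required, and checks that every
method of handling customer information named in the checklist (Access,
Collection, Storage, Use, Transmission, Disposal) has been assessed at least
once. The 1-5 scales, the acceptable-risk threshold and the sample risks are
constructed assumptions for the example.
"""
from dataclasses import dataclass, field

HANDLING_METHODS = ("Access", "Collection", "Storage", "Use", "Transmission", "Disposal")
ACCEPTABLE_RISK = 6.0  # assumption: residual scores above this require a remediation plan


@dataclass
class Risk:
    name: str
    handling_method: str          # one of HANDLING_METHODS
    likelihood: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe), assumed scale
    control: str                  # control currently in place ("none" if absent)
    control_effectiveness: float  # 0.0 (no reduction) .. 1.0 (fully mitigates)
    proposed_controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact before any control is considered (1..25)."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Inherent score reduced by the share the control is judged to mitigate."""
    return round(inherent_score(risk) * (1.0 - risk.control_effectiveness), 1)


def validate(risk: Risk) -> None:
    """Reject entries that are off the assumed scales, so scores stay comparable."""
    if risk.handling_method not in HANDLING_METHODS:
        raise ValueError(f"{risk.name}: unknown handling method {risk.handling_method!r}")
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be on the 1..5 scale")
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError(f"{risk.name}: control effectiveness must be between 0.0 and 1.0")


def assess(risks, acceptable=ACCEPTABLE_RISK):
    """Return (findings, gaps).

    findings: risks whose residual score exceeds `acceptable`, each carrying the
              remediation-plan requirement the checklist calls for.
    gaps:     handling methods from the checklist that no risk entry covers.
    """
    findings = []
    for risk in risks:
        validate(risk)
        residual = residual_score(risk)
        if residual > acceptable:
            findings.append({
                "risk": risk.name,
                "handling_method": risk.handling_method,
                "inherent": inherent_score(risk),
                "residual": residual,
                "remediation_required": True,
                # a flagged risk with no proposed control is itself a gap in the plan
                "proposed_controls": risk.proposed_controls or ["<to be defined>"],
            })
    assessed = {r.handling_method for r in risks}
    gaps = [m for m in HANDLING_METHODS if m not in assessed]
    return findings, gaps


# Constructed sample register (not real findings from any organization).
SAMPLE_RISKS = [
    Risk("Customer statements emailed to a third party", "Transmission", 4, 5,
         "opportunistic TLS on the mail gateway", 0.5,
         ["enforce encryption or secure file transfer", "DLP rule on account numbers"]),
    Risk("Terminated employee retains VPN access", "Access", 3, 4,
         "HR-triggered deprovisioning within 24 hours", 0.8),
    Risk("Database backups stored unencrypted", "Storage", 2, 5,
         "backups encrypted with managed keys", 0.9),
    Risk("Paper records discarded without shredding", "Disposal", 3, 3, "none", 0.0),
]


if __name__ == "__main__":
    flagged, missing = assess(SAMPLE_RISKS)
    for f in flagged:
        print(f"REMEDIATE {f['risk']}: residual {f['residual']} > {ACCEPTABLE_RISK}; "
              f"proposed: {', '.join(f['proposed_controls'])}")
    for m in missing:
        print(f"GAP: no risk entry covers handling method '{m}'")
```

On the constructed register, the two risks with weak or absent controls are flagged for remediation, and the coverage check reports that Collection and Use have not been assessed at all, which is the kind of omission a due diligence reviewer would ask the third party to explain.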


 


The following publications can be used to assist in the development of the program.






 


CVV/PIN Generation Policy (Processors only)


Section 3.2 of the PCI DSS standard spells out specific requirements for CVV and PIN generation. CVV and PIN values are among the items that cannot be stored and must always be generated. The CVV/PIN generation policy should include:

  • Describe the equipment and methodologies used to ensure PINs are kept secure
  • Define the key creation and key management procedures
  • Define how keys are conveyed and/or transmitted
  • Define the process used to administer keys
  • Define the process used for key loading to hosts and PIN entry devices
  • Define how unauthorized key usage is prevented or detected
  • Define the manner in which equipment used to process PINs and keys is managed
  • Define key storage and management procedures
  • Define whether PINs or CVV/CVV2 values are stored anywhere on the network, how such storage is detected, and how it is prevented in the future


 


SSAE16


The following information and controls should be included in this document.


  • An Information Security Policy exists and has been approved by an appropriate level of executive management
  • Procedures exist and are followed to authenticate all users of a system (both internal and external) to support the existence of transactions
  • Procedures exist and are followed relating to the timely action of requesting, establishing and issuing user accounts
  • Procedures exist and are followed relating to the timely action of suspending and/or changing user accounts
  • A control process exists and is followed to periodically review and confirm access rights
  • IT security staff monitor and log security activity at the operating system, application and database levels, and identified security violations are reported to senior management
  • Access to facilities is restricted to authorized personnel and requires appropriate identification and authorization.
  • Requests for program changes, system changes and maintenance (including changes to system software) are standardized, logged, approved and documented, and are subject to formal change management procedures
  • Emergency change requests are documented and subject to formal change management procedures
  • Controls are in place to restrict migration of programs to production to authorized individuals only
  • The organization has a system development life cycle (SDLC) methodology, which includes security and processing integrity requirements for the organization.
  • Post-implementation reviews are performed to verify controls are operating effectively
  • A testing strategy is developed and followed for all significant changes in applications
  • The organization has policies and procedures regarding computer operations which are periodically reviewed, updated and approved by management
  • Management protects sensitive information – logically and physically, in storage and during transmission – against unauthorized access or modification
  • Management has implemented a strategy for critical backup of data and programs
  • The restoration of information is periodically tested

Protecting Your Business From Your Remote Employees

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modif...