Sunday, March 5, 2017

Intent, Opportunity and Capability (week 12)

If someone asked you who Harold T. Martin III was, would you know? What about Edward Snowden? Most people know the latter. These two people have something in common: Snowden ‘took’ a huge cache of classified documents and fled the United States in 2013. Martin, on the other hand, is in custody as of right now, arrested in August of last year for allegedly stealing classified material that was found in his home and car. In Martin’s case, some of the material he took, like the NSA-developed exploits, ended up being published online.
The debate is still on over whether he published them himself or was hacked and someone else published them. What these two contractors have in common is that they both worked for Booz Allen Hamilton, a well-known and established government contractor; nothing against Booz Allen, just a case of bad apples falling from their tree.

The National Counterintelligence and Security Center (NCSC) defines insider threat as “…when a person with authorized access to U.S. Government resources, to include personnel, facilities, information, equipment, networks, and systems, uses that access to harm the security of the United States”. While the NCSC’s definition focuses on the U.S. Government, the same logic can rightfully be applied to private corporations, the key takeaway being that these people have ‘approved’ access to and knowledge of your systems. Kind of tough to catch the insider threats then… wow! How do I know that Joe Blow from accounting has no malicious intent when he reads the company’s financials, or what Jane Doe from IT intends to do with the firewall policy report? We simply can’t. Intent is something that can’t be measured.

The threat triangle states that three things have to be present for a threat to materialize: intent, opportunity and capability. If any one of those elements is missing, the threat may not materialize. Of the three, intent is the intangible element. You can measure whether someone is capable of doing something, and you can assess your security landscape and therefore determine what opportunities may be present in terms of security gaps or lapses, but you can’t measure whether someone intends to commit a crime. We can speculate based on other factors like debt issues, personal problems or negative emotions towards the company, but all of these are at best guesses or speculation. The focus, therefore, should be on opportunity and capability when we are crafting an insider threat mitigation plan.

In conclusion

As the Snowden and Martin cases show, even the best of the best can and do experience insider threats. Every company has its ‘secret sauce’, and none wants its proprietary advantage, or whatever keeps it at the top of its food chain, exposed to the public. Many companies would fold if their trade secrets were publicized. Think about what Pepsi would do if Coke’s ‘recipe’ were publicized, or what Bing would do if Google’s search engine algorithms were readily available for the public to scrutinize. The insider threat is very real and can cause a lot of damage to a company. Every company should pay attention to its ‘approved’ humans and invest in controlling both external and internal threats accordingly.

Resources for Planning using NIST SP 800 Series (week 10)

Just like any other aspect of an organization, the Information Security Program requires planning to be successful. With proper planning, the business can succeed in meeting its overall business objectives, as it can map out the issues that may affect its day-to-day operations, like adhering to industry standards and regulations.
The U.S. Department of Commerce has an agency that publishes guidelines and recommendations that organizations can adopt to meet their security obligations. This agency, the National Institute of Standards and Technology (NIST), uses three Special Publication (SP) subseries to publish reference material regarding computer, cyber and information security guidelines and recommendations.

The three are as follows:
SP 500, Computer Systems Technology – Started in January 1977; a more general IT subseries used by NIST to cover broad topics.

SP 800, Computer Security – Started December 1990 and is NIST’s primary mode of publishing computer, cyber and information security guidelines, recommendations and reference materials.

SP 1800, NIST Cybersecurity Practice Guides – Started in 2015 as a complement to SP 800. It is more focused and covers cybersecurity challenges in both the public and private sectors.

About the Special Publications (800 Series)
The focus here will be on the SP 800 series, a set of publications that describe the United States Federal government’s computer security policies, procedures and guidelines. In her article, NIST 800 Series, Margaret Rouse (2006) states that the NIST 800 Series publications cover NIST-recommended procedures and criteria for assessing and documenting threats and vulnerabilities. Under the SP 800 series, many publications have been issued from its inception in 1990 to the latest release (a draft), SP 800-178, dated December 2, 2015.

As an organization plans its Information Security Program, some of these documents can be adopted. 

NIST Special Publication 800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
“With the increased use of computers for the processing and dissemination of data, the protection of PII has become more important to maintain public trust and confidence in an organization, to protect the reputation of an organization, and to protect against legal liability for an organization” (McCallister, Grance, & Scarfone, 2010).
This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. PII can be described as any information that can be used to identify an individual; full names, SSNs and ID numbers, just to mention a few, can be considered PII. SP 800-122 states that organizations should identify what PII exists within their systems, retain PII only on an as-needed basis, categorize the PII based on confidentiality impact levels and apply safeguards accordingly, develop an incident response plan in case of a breach, and ensure that there is cohesion between the different responsible parties and departments, including legal counsel.

NIST Special Publication 800-163 – Vetting the Security of Mobile Applications 
The current trend in many organizations is to allow mobile work capabilities, and with this new, open business world, mobile applications have become increasingly popular. SP 800-163 authors Quirolgico, S., Voas, J., Karygiannis, T., Michael, C., & Scarfone, K. (2015) state that “such apps have increased productivity by providing an unprecedented level of connectivity between employees, vendors, and customers, real-time information sharing, unrestricted mobility, and improved functionality”. The downside to this trend is that app developers do not always have security in mind when building their applications. This publication acts as a guide to help organizations develop a plan for vetting mobile applications, from the app acquisition stage all the way to the adoption or rejection phase.

Conclusion
The National Institute of Standards and Technology (NIST) SP 800 series guides can assist an organization in planning the development of its Information Security Program. These documents, although mainly targeted at Federal institutions and their affiliates, can prove valuable to any organization. One example is the protection of PII. In June of 2015, the Office of Personnel Management (OPM) was breached and PII was exfiltrated from its systems. All organizations hold PII, and if OPM (a government agency) was breached, then ‘civilian’ organizations should rethink their current setup (if any) and adopt some of the guidelines laid out in SP 800-122. Also, with the current advances and changes in how we work, such as BYOD, wireless technologies and working from home, organizations need to follow more structured and proven guidelines when it comes to protecting their information, assets and people. Using the SP 800 series documents might just ease the adoption of such security measures, even in the civilian world.

References
McCallister, E., Grance, T., & Scarfone, K. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). NIST Special Publication 800-122.

Quirolgico, S., Voas, J., Karygiannis, T., Michael, C., & Scarfone, K. (2015). Vetting the Security of Mobile Applications. NIST Special Publication 800-163.

Rouse, M. (2006, May 1). NIST 800 Series. Retrieved December 19, 2015, from http://whatis.techtarget.com/definition/NIST-800-Series

Intrusion Detection Systems (week 9)

You are watching your favorite news channel and the breaking news for that day is about a ‘bandit’ who broke into a 7-Eleven store and made away with a case of warm beer. Reports state that the unidentified hoodlum used a bat to break the glass door, which triggered the alarm, and as he rushed into the store to grab his loot the camera recorded his every move. The picture is a little blurred, but you could identify him if you knew him. The local PD is appealing to the community to help apprehend the suspect. Now to link that story to what intrusion detection systems (IDS) are: the alarm system that went off after he broke the front door and the CCTV that captured the burglar’s every move can both be considered intrusion detection systems. The alarm detected the break-in and the CCTV captured the burglary. Both systems only ‘detected’ and ‘recorded’; neither stopped the burglar from breaking and entering. The local PD used one of the detection systems (the cameras) to try to resolve the case, and the convenience store owner, and possibly law enforcement, were notified of the break-in by the alarm going off.
So, an IDS can be defined as a system that flags anomalies or suspicious activity deemed harmful to the network or devices being monitored. SANS Critical Security Control number 12 (CSC 12) covers boundary defense, and one of the line items under this control is the deployment of intrusion detection systems (IDS sensors). An IDS looks for anomalies within traffic and reports or alerts on the observed ‘issues’.

IDS can be classified into two categories based on how they are deployed: host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS).
A HIDS is deployed at the host level (the endpoint), for example on workstations, while a NIDS is deployed at the perimeter, for example in the demilitarized zone (DMZ) or at the edge of the network. NIDS yield more false-positive alerts due to the way they work: they attempt to read network activity patterns to determine what is normal and what isn’t.

Whether a system is deployed at the host or network level, both analyze traffic based on either signatures or anomalies (patterns). Signature-based analysis entails pattern matching. The IDS has predefined signatures that are matched against the observed traffic, and if there is a ‘hit’, the system flags that traffic as bad. The signatures may cover known malicious IP addresses or domains, malicious files or web requests, just to mention a few. The downside of this technique is that if there is no matching signature, as is the case with zero-day exploits (newly discovered and unpublished), the system will miss the attack. Regular updates are required with this technique to ensure that the system covers most types of attacks seen in the wild. The advantage of the technique is that it is not resource intensive and, apart from the regular updates, does not require much maintenance. A well-known open source IDS that uses signature-based techniques is Snort. With Snort, you can subscribe to receive regular updates that are pushed to the system to correct existing signatures (if needed) and add new signatures for threats that have recently come out.

Anomaly-based detection (also known as behavior-based detection) works by first establishing a baseline and then generating alerts whenever that baseline is breached. The anomaly-based technique is good for detecting new threats, like the zero-day exploits that signature-based techniques miss. The problem with this technique is that it requires a lot of processing power, since it is constantly comparing current activity to the baseline. It is also prone to a lot of false-positive triggers in environments that experience a lot of change.

Current IDS products tend to use both analysis techniques to maximize the effectiveness of the system. These systems keep signatures in their database and also monitor the traffic to capture any trends that may form an anomaly relative to the baseline. This type of system is more resource intensive but is more effective than systems that employ only one technique.
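The signature-versus-anomaly distinction in the paragraphs above can be made concrete with a small hybrid analyzer. The Python below is an added example written for this post; it is not code from the original page and not Snort’s code. It runs a constructed signature set (a known-bad IP list, a known-bad domain list and one path-traversal regex) over constructed traffic records, and in parallel builds a requests-per-source baseline from a constructed ‘normal’ sample and flags any source whose count exceeds the mean plus three standard deviations. Every address, hostname, path and threshold here is an assumption made up for the example.

```python
"""Added example: a tiny hybrid (signature + anomaly) traffic analyzer.
All addresses, hostnames and thresholds below are constructed for illustration."""
import re
import statistics
from collections import Counter
from typing import List, Tuple

Record = Tuple[str, str, str]  # (source_ip, destination_host, request_path)
Alert = Tuple[str, str, str]   # (kind, source_ip, reason)

# Constructed "known good" sample used to establish the anomaly baseline.
BASELINE_TRAFFIC: List[Record] = [
    ("10.0.0.5", "intranet.example.test", "/home"),
    ("10.0.0.5", "intranet.example.test", "/reports"),
    ("10.0.0.6", "intranet.example.test", "/home"),
    ("10.0.0.7", "intranet.example.test", "/home"),
    ("10.0.0.7", "intranet.example.test", "/calendar"),
    ("10.0.0.8", "intranet.example.test", "/home"),
]

# Constructed window of observed traffic to analyze.
OBSERVED_TRAFFIC: List[Record] = (
    [("10.0.0.5", "intranet.example.test", "/home")]
    + [("10.0.0.9", "intranet.example.test", "/home")] * 10  # no signature hit, far above baseline
    + [
        ("10.0.0.5", "known-bad.example.test", "/update"),    # contacts a listed domain
        ("203.0.113.7", "intranet.example.test", "/home"),    # comes from a listed address
        ("10.0.0.6", "intranet.example.test", "/files?name=../../secrets.txt"),  # traversal pattern
    ]
)

# Constructed signature set; a real deployment pulls these from a maintained feed.
BAD_IPS = {"203.0.113.7"}
BAD_DOMAINS = {"known-bad.example.test"}
PATH_PATTERNS = [re.compile(r"\.\./")]


def signature_alerts(records: List[Record]) -> List[Alert]:
    """Pattern matching: every record is checked against every signature."""
    alerts: List[Alert] = []
    for src, host, path in records:
        if src in BAD_IPS:
            alerts.append(("signature", src, f"source {src} is on the known-bad IP list"))
        if host in BAD_DOMAINS:
            alerts.append(("signature", src, f"request to known-bad domain {host}"))
        for pattern in PATH_PATTERNS:
            if pattern.search(path):
                alerts.append(("signature", src, f"request path matched {pattern.pattern!r}"))
    return alerts


def build_threshold(baseline: List[Record], k: float = 3.0) -> float:
    """Requests-per-source threshold: baseline mean plus k standard deviations."""
    per_source = list(Counter(src for src, _, _ in baseline).values())
    mean = statistics.fmean(per_source)
    spread = statistics.pstdev(per_source) if len(per_source) > 1 else 0.0
    # Floor the spread so a perfectly uniform baseline does not alert on one extra request.
    return mean + k * max(spread, 0.5)


def anomaly_alerts(records: List[Record], threshold: float) -> List[Alert]:
    """Behavior check: any source whose request count exceeds the baseline threshold."""
    counts = Counter(src for src, _, _ in records)
    return [
        ("anomaly", src, f"{n} requests exceeds baseline threshold {threshold:.1f}")
        for src, n in sorted(counts.items())
        if n > threshold
    ]


def analyze(baseline: List[Record], observed: List[Record]) -> List[Alert]:
    """Hybrid analysis: signature hits first, then anomalies against the baseline."""
    return signature_alerts(observed) + anomaly_alerts(observed, build_threshold(baseline))


if __name__ == "__main__":
    for kind, src, reason in analyze(BASELINE_TRAFFIC, OBSERVED_TRAFFIC):
        print(f"[{kind:9}] {src:12} {reason}")
```

Running it shows the two techniques complementing each other: 10.0.0.9 matches no signature at all and is caught only by the baseline comparison (the zero-day case the text describes), while the listed address, the listed domain and the traversal pattern are caught without any baseline. The floor on the standard deviation is the knob that trades detection against the false-positive rate the anomaly technique is known for; drop it and a uniform baseline alerts on a single extra request.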

Conclusion
Both host- and network-based IDS provide a level of protection that can benefit any organization. Some of the weaknesses of one can be countered by deploying the other as a complement. For example, a NIDS may not be able to inspect encrypted traffic traversing the wire, but a HIDS may, since the host exposes the already decrypted traffic to the host-based IDS. If possible, a business is better off deploying both solutions as a defense-in-depth strategy. Where the budget does not allow it, a small business should deploy a network-based IDS first and eventually add a host-based system if possible. The network-level intrusion detection system provides much broader coverage for the entire business at a lower cost than the host-based system, which may require more sensors deployed at the host level. With a network-based system, the sensor(s) can be deployed at the entry point, covering all outbound traffic from the internal network and inbound traffic from the external world.

As with any IDS solution, the ultimate effectiveness of the chosen solution, be it host- or network-based, depends on human interaction and action.


References
The CIS Critical Security Controls for Effective Cyber Defense Now. (n.d.). Retrieved February 21, 2016, from sans.org website: https://www.sans.org/critical-security-controls

Security 101 at Home (week 8)

Just like most of the millions of computer users out there, I’m positive that if you perused my personal computer, you would run into some personal information saved there. Before the introduction of computers and their storage capabilities, people kept important documents in files locked in file cabinets, either at home or at work. Now that computers are available to most individuals, this physical storage (file cabinets) has been converted to hard drives on computers. Due to the convenience, like many others, I am guilty of readily embracing the change and ‘sadly’ saving information that may be critical to my personal life and definitely my family’s too. The only advantage I can say I have is that the information is not all saved in one place, and it would take some digging around to gather it.

Having a wife and kids in the household means that multiple users have access to the files and information on the computer, but the extent to which they have visibility varies. If this information were lost, it would not be as detrimental, since I still believe in the traditional way of keeping a hard ‘paper’ copy of important documents. I can probably get away with this until the entities I deal with decide to go fully paperless. If, on the other hand, the information were somehow compromised, then some personal information may be obtained, and the extent of the damage would depend only on the motives of the attacker. I have also backed up the contents of the computer in case of data loss.

It is scary thinking about what information can be retrieved from our personal computers. To try to minimize the risks, I adhere to some basic security practices like password enforcement. Having multiple users in the household means creating different user accounts to worry about, and with kids, if not monitored, the extent of exposure is immense. For any activity that requires administrative privileges, a password is required. The kids are also not allowed to download or open any windows that have not been sanctioned by us, the parents. The kids use the guest account when using the computer. We also limit the usage of the computer to certain times, and they are mostly allowed free rein on the gaming console and tablets, which don’t have any personal information.

The steps or precautions I mentioned above are all educational and policy-related measures, but on the technology side of protecting personal information, I ensure that all systems in the house are patched and up to date. All computers have paid anti-malware software installed, which is, in my opinion, slightly better than the free versions, which may miss some signatures or have a longer delay between signature updates. The subscription is kept up to date to ensure updates are downloaded as they become available. Not many people know that Windows provides a firewall; I also have this enabled, in addition to the firewall capability of the anti-virus software. For online protection, the anti-malware software provides protection.

To ensure the weakest link doesn’t fail us, I constantly remind my kids and wife of the importance of being aware of their surroundings and being vigilant when on the net.

In conclusion
I don’t think there is anything wrong with saving personal information on a computer; we just need to take extra precautions to ensure this information is not compromised. My plan is to always save personal information on an external hard drive and only expose it to systems that are connected to the Internet when I need to view that information.

Why Cybercrime Awareness is Important (week 7)

Cybercrime is any crime that involves a computer and a network, whereby the computer may be used to commit a crime or may itself be the target of an attack. Interpol classifies Internet-related crimes as either advanced cybercrime, which involves attacks against computer hardware and software, or cyber-enabled crime, which is traditional crime conducted with the aid of a computer.
IT professionals should be concerned with cybercrime because of the impact it has on our day-to-day lives. Although a lot of devices are connected to the interconnected networks (the Internet), its foundation is considered shaky.

Cybercrime affects the entire society, given that the global economy depends on the proper working of the Internet. Dependence means a vulnerability that can be exploited. Attackers are known to use encrypted methods to communicate amongst each other, which makes it difficult for law enforcement to intercept their communication. The Internet also provides a wealth of information for hackers and cyber-terrorists to reference for different cyber-attack methods. This means that hacking pranksters who cause annoyance by taking down popular web sites, and also professional hackers employed by criminal organizations and rogue states, can easily look up how to attack an organization on the Internet.

Critical infrastructure like the power grid, transportation and financial institutions are at risk, and there is no capability to identify where the threat will come from or when it will take place; the anonymity of the attacks makes the battle tougher. Shutting down the power grid or a command and control center, and attacks on Federal agencies, are just some of the acts of cyber-terror that can be perpetrated. Terrorists using physical threats like bombs together with information warfare to disrupt emergency response services cause double the havoc.

Cyberattacks on the financial sector can cause the same damage as an actual physical attack on the infrastructure. Some of the major computer-facilitated crimes that hit the financial sector include web auction and general merchandise fraud, Internet services fraud, pyramid and money laundering schemes, credit card fraud and advance-fee loans, among many others. These same crimes have long been perpetrated via wire fraud, where attackers call up victims to try to con them into a bad deal, but now they are conducted through the Internet as well.

To counter law enforcement, criminals use police scanners that can track law enforcement activities. This helps them avoid detection, and they can also intercept intel and communications that can be used to evade capture.

Conclusion

The government cannot address cybercrime alone, and it seems as though the criminals are always one step ahead in the game. Including teams like Systems Engineering and Technical Assistance (SETA) should be a common theme, as the private sector has a wealth of information and can bring a different angle and new ideas to the table when it comes to trying to stay ahead of attackers. Preventing cybercrime is an all-inclusive game, given that the criminals always seem to be one step ahead of the good guys.

Firewalls, Patches and System Updates (week 6)

A firewall is a system designed to prevent unauthorized access from one point to another within a network, and it can be implemented as hardware or software components. Firewalls are considered gatekeepers and, if set up and configured correctly, can be vital in stopping a lot of potential threats. A good example would be configuring geo-blocking on a next-generation firewall if a business does not conduct any transactions with foreign entities. With such a rule in place, the firewall blocks traffic originating from outside the United States.
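As an added example of the geo-block idea (not code from the original post, and not any vendor’s firewall configuration), the Python below evaluates source addresses against a constructed IP-to-country table built from documentation address ranges, allows internal (RFC 1918) sources and sources mapped to the US, and denies everything else, including addresses with no country mapping. The table, the country codes and the allow-list are assumptions made for the example; a real firewall uses a maintained geolocation database.

```python
"""Added example: evaluating a geo-block allow-list policy.
The prefix-to-country table is constructed from documentation ranges, not real geolocation data."""
import ipaddress
from typing import Optional, Tuple

# Constructed IP-to-country table (assumption for the example).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "BR"),
]

# Private address space is treated as internal and is never geo-blocked.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# The post's scenario: the business only transacts domestically, so only US traffic is allowed.
ALLOWED_COUNTRIES = {"US"}


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for an address, or None when the table has no mapping."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEO_TABLE:
        if addr in network:
            return country
    return None


def evaluate(ip: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a source address under the geo-block policy."""
    addr = ipaddress.ip_address(ip)
    if any(addr in network for network in INTERNAL_NETWORKS):
        return ("allow", "internal address")
    country = lookup_country(ip)
    if country is None:
        # Fail closed: an allow-list cannot be satisfied by an address the table does not know.
        return ("deny", "no country mapping for address")
    if country in ALLOWED_COUNTRIES:
        return ("allow", f"country {country} is allowed")
    return ("deny", f"country {country} is not on the allow list")


if __name__ == "__main__":
    for sample in ("192.0.2.10", "198.51.100.4", "10.1.2.3", "100.64.0.1"):
        verdict, reason = evaluate(sample)
        print(f"{sample:14} {verdict:5} {reason}")
```

The fail-closed branch for unmapped addresses is the decision a practitioner has to make explicitly: geolocation data is incomplete and changes over time, so a rule that only blocks the prefixes it recognizes as foreign silently admits everything the database does not know about. Geo-blocking is also only a coarse control; it says nothing about traffic that arrives from a domestic address.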

Patches and Updates
If you are in IT, you should know about the infamous ‘Patch Tuesday’. This is the second Tuesday of the month, when Microsoft releases its patches. As well known as this date is, most organizations still don’t push out the patches and updates as they are released to the public. Patching and ensuring that systems are up to date is crucial for covering known vulnerabilities and keeping security updates current. Patching, however, is not always smooth sailing. Microsoft’s regular “Patch Tuesdays” have led to “Recall Thursdays,” with various patches breaking Office, affecting the functionality of Windows and even resulting in complete system crashes and the dreaded Blue Screen of Death (Shinder, 2015).

To ensure that patches and updates don’t break systems, we need to establish change control policies, which should include testing the patches in non-production environments before deploying them. Despite the issues that can arise from system patches and updates, the pros far outweigh the cons, and systems should always be kept current. In cases where systems cannot be updated for some business reason, isolating those systems is advisable to avoid exposing the business to risk.

Protection against threats
Simply propping up a firewall and ensuring systems are patched and up to date is not the end of securing networks. Security needs to be approached in multiple layers. Some attacks focus on the weakest link in the system: humans. A well-known avenue for this is email scams such as the Nigerian (419) scams, which many people fall for, losing fortunes while chasing more fortunes. Phishing emails are used to compromise personal information from unsuspecting users. Counterfeit software gets installed on our systems and tracks our every move.

The Web is full of booby traps everywhere we turn or click. Malware, adware, Trojans, viruses; the list is endless. It seems like the only way to stay safe is to operate in a vacuum, but for the many businesses and individuals who don’t have this luxury, steps need to be taken to at least stay safe while connected to the World Wide Web. Anti-malware and anti-virus software, and verifying software and hidden add-ons before installing them, are ways of protecting ourselves from these threats.


References
Whitman, M., & Mattord, H. (2014). Introduction to the Management of Information Security. In Management of Information Security (Fourth ed.). Cengage Learning.

Finley, K. (2014, June 6). Online Security Is a Total Pain, But That May Soon Change. Retrieved December 6, 2015, from http://www.wired.com/2014/06/usable-security/

Shinder, D. (2015, January 14). Patch or Not? Weighing the Risks of Immediate Updating. Retrieved December 6, 2015, from http://www.windowsecurity.com/articles-tutorials/misc_network_security/patch-or-not-weighing-risks-immediate-updating.html

Friday, February 3, 2017

Cloud Computing …Why Not? (week 5)

I believe most technically savvy individuals are aware of Amazon Web Services (AWS), Microsoft Azure, Salesforce or even Google Cloud (part of Alphabet). A commonality with all these companies, apart from the fact that they are in almost every aspect of our lives, is their cloud services. If you love to binge on Netflix shows like I do (please watch Narcos or House of Cards if you haven’t…Netflix original classics), then you should know that all those shows you love have to be stored on someone’s servers and when you ‘demand’ them, they will need to be 'served up' to you without any interruptions. Well, the ‘cloud’ makes all this possible. We will define the cloud as simply assets (i.e. infrastructure, platform, software) on someone else’s servers and premises other than yours. For this blog, I won’t talk about how wonderful the cloud is but we will approach it from this point of view:

-- It’s late Friday afternoon (of course 😠), your boss walks over to your cube and anoints you the devil’s advocate. “John Doe, your weekend assignment is to come up with reasons why we should not join the cloud bandwagon. And with that, please remember to enjoy your weekend!”

No need for panic, this blogger has your back …read on


These seven reasons should be enough to get your boss thinking

Security (cloud security) – this barrier is one of the top concerns for most businesses. Some questions to ask are: How do I secure my data in the cloud? What security measures are in place? Depending on the sensitivity and value of the data to be stored in the cloud, some businesses may not be comfortable adopting cloud computing. In-house computing ensures you have total control of all your data; whether that data is safe(r) is a story for another day, the focus here being total control of your data.

Privacy (trusting the cloud) – in an ever more competitive business world, no business wants to expose its ‘secret sauce’ to its competitors. With cloud computing, if due diligence is not done, a business may end up with a cloud provider who is not very reliable when it comes to privacy.

Independence from CSPs – most Cloud Service Providers (CSPs) prefer to lock in their customers through contracts and if there’s a need to move services to another provider, the exercise is sometimes stressful, especially with inter-operability issues amongst cloud providers.

Economic Value (return on investment) – this, in my opinion, is the most heavily weighted barrier of all from a business standpoint. All businesses, regardless of size, type or location, are in it to make money (excluding the not-for-profit ones, which actually still make money). Before migrating to the cloud, a business needs to ask whether it makes economic sense. Is the venture going to save the business money or add extra costs? The return on investment needs to be analyzed and presented to the decision makers. Most businesses will only adopt cloud computing if it makes economic sense.

Inter-operability – most cloud infrastructure and applications are current and advanced, but this is not always the case for the businesses that want to integrate their infrastructure with the cloud. Inter-operability issues may mean adopting other service models, for example IaaS, PaaS and SaaS, even though the initial intent was to buy only one. You should ask yourself: is my business’s infrastructure compatible with the cloud provider’s?

IT Governance – IT governance determines the direction that the business will take. If cloud computing is not part of the governance plan, then cloud migration may be hindered.

Political issues Due to Global Boundaries – For cloud computing to be successful, there needs to be no borders or jurisdictions. The goal for cloud computing is to enable fast and easy access to resources regardless of the user’s location. Some businesses may be reluctant to adopt cloud computing especially if the provider is geographically located in different countries. A European company for example may be skeptical or fearful of subscribing to Amazon given it operates under U.S. jurisdiction. Also, some European laws may dictate that certain data or information should not be transmitted across its borders. So, the question here is, what laws or regulation requirements bind you as a company?

And there you have it. I hope this information made your task easier. Go forth and conquer now and thank you for reading. 


U.S Privacy Breach Laws (week 4)

Having worked for an MSSP (Managed Security Services Provider), I had the privilege of interacting and working with many different clients from different industry sectors. Each organization, depending on the sector it fell under, had different reasons for signing up with the MSSP. Even within the same sector, different organizations had different drivers as to why they needed an information security company to partner with them. We would get everything from the security-focused kind to the ‘check-box’ kind, but what was common across the board was that, for most, the decision was somehow beyond their control: due to regulation, they had to have some security controls in place to avoid being in violation of whatever regulation they fell under. Currently, I work for a financial institution, and I now understand how powerful the audit team within the company is. The financial sector is one of the most heavily regulated industries, with healthcare being the other ‘unlucky’ candidate, and seeing first-hand the pull or push regulators have, I now have a new-found appreciation of why audit is so revered or avoided, depending on when the project deadline is due.

That said, for this week I would like to talk about U.S. privacy breach laws.

You may be wondering how this relates to cybersecurity. You may be asking yourself, “I thought that as a cybersecurity professional, the focus would be catching the bad guys?” Well, for one, both the IT security and audit teams within an organization need to be aware of their State’s data privacy breach laws in order to avoid any nonconformity with compliance requirements, which may mean financial penalties and other legal ramifications. When the business is impacted (negatively), all business units feel the pain, and this includes IT and information security. Another thing to note is that the IT or cybersecurity strategy should always align with the business strategy, so if regulators ask the business to abide by certain rules and regulations, the IT team should also be mapping out ways of meeting those requirements.

Back to U.S. Privacy Breach Laws

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information) ("SECURITY BREACH," 2016). Companies should therefore review their data privacy, data security and incident response policies and procedures, not only to keep up with the current requirements but also to track any changes made to the State laws. Some of the laws may require a company to be compliant even when it is not located within the confines of the State. A good example is third-party service providers who handle PII data on behalf of their clients: those vendors are required to adhere to the laws regardless of where they are located. The organization needs to ensure that the vendor implements and maintains security measures appropriate to the size, scope, industry and purpose of use of the information collected (Halpert & Anderson, 2015).
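The provisions listed above (a definition of personal information, a breach defined as unauthorized acquisition, and an exemption for encrypted data) amount to a decision procedure that an incident response team has to walk through for every exposure. The following Python helper is an added example, not code from this post or from either cited source; it encodes that generic structure as a triage function. The list of sensitive elements, the rule that a key exposed alongside the data voids the encryption exemption, the handling of access without acquisition, and the sample incidents are all constructed assumptions standing in for whichever State statute actually applies.

```python
"""Breach-notification triage helper.

Added example, not code from this post. It encodes the generic structure of
state breach laws the post summarizes: 'personal information' is a name
combined with a sensitive element, a breach is unauthorized acquisition of
that information, and encrypted data is exempt. Every rule and sample
incident below is a constructed assumption standing in for whichever
statute applies.
"""
from dataclasses import dataclass

# Constructed: data elements that, combined with a name, form 'personal
# information' in the generic definition the post quotes from NCSL.
SENSITIVE_ELEMENTS = frozenset({"ssn", "drivers_license", "state_id", "account_number"})


@dataclass(frozen=True)
class Exposure:
    incident: str
    fields: frozenset          # data elements present in the exposed records
    acquired: bool             # records were taken, not merely reachable
    encrypted: bool            # records were encrypted when exposed
    key_exposed: bool = False  # decryption key exposed alongside the data


def is_personal_information(fields):
    """Name plus at least one sensitive element (constructed generic rule)."""
    return "name" in fields and not fields.isdisjoint(SENSITIVE_ELEMENTS)


def triage(exp):
    """Return (notify, reason) for one exposure."""
    if not is_personal_information(exp.fields):
        return False, "no personal information: name not paired with a sensitive element"
    if not exp.acquired:
        # Assumption: 'unauthorized acquisition' is the trigger, and access logs
        # must show the records were never retrieved for this branch to apply.
        return False, "exposure without acquisition does not meet the breach definition"
    if exp.encrypted and not exp.key_exposed:
        return False, "encryption exemption applies"
    if exp.encrypted and exp.key_exposed:
        # Assumption: the exemption for encrypted data is voided when the key went with it.
        return True, "encrypted data acquired together with its key"
    return True, "unencrypted personal information acquired"


# Constructed sample incidents.
SAMPLE_INCIDENTS = [
    Exposure("lost_laptop", frozenset({"name", "ssn"}), acquired=True, encrypted=True),
    Exposure("dumped_customer_db", frozenset({"name", "email", "account_number"}),
             acquired=True, encrypted=False),
    Exposure("leaked_mailing_list", frozenset({"name", "email"}), acquired=True, encrypted=False),
    Exposure("backup_tape_with_key", frozenset({"name", "drivers_license"}),
             acquired=True, encrypted=True, key_exposed=True),
    Exposure("open_share_no_access", frozenset({"name", "ssn"}), acquired=False, encrypted=False),
]


def triage_all(incidents=SAMPLE_INCIDENTS):
    """Map incident name -> (notify, reason)."""
    return {exp.incident: triage(exp) for exp in incidents}


if __name__ == "__main__":
    for name, (notify, reason) in triage_all().items():
        print(f"{name:22s} notify={str(notify):5s} {reason}")
```

The point of keeping the rules in one small function is that the table of sensitive elements and the exemption logic are exactly the parts that change when a State amends its law, so they are the parts a review of the incident response procedure should re-check.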

Another example of how different laws change is with HIPAA and ePHI. With technological advancements, HIPAA now covers ePHI (electronic Protected Health Information), which is “individually identifiable” “protected health information” sent or stored electronically. Doctors now use mobile and other electronic devices to review patient records and even share this information with other medical providers, and the ePHI provisions dictate how this information can be handled. The HIPAA Omnibus rule defines this transitive chain of possession such that all businesses that may come into contact with ePHI are made responsible for the privacy and security of that information. This includes many companies that previously had no idea they had to be HIPAA compliant. This shows that all businesses need to be aware of what laws or regulations apply to them, even if only indirectly. The HIPAA Omnibus rule is one such rule that traverses supporting companies and has far-reaching consequences if the third-party providers do not abide by those mandates.

In conclusion
Due to the rampant data breaches that have occurred over the years, attributable to the advancements in technology, in the period between 2006 and 2009 forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information (PII). The three States that do not have security breach laws are Alabama, New Mexico and South Dakota. It is important for us, as security professionals, to be conversant with the legal requirements that bind our industries based on the areas of operation. We may be called upon one day by senior leadership to explain some of these requirements, and staying ahead of the curve can come in handy when that time comes.

References
Halpert, J., & Anderson, M. J. (2015, July 20). Data Protection, Privacy and Security Alert (US). Retrieved September 9, 2016, from DLA Piper website: https://www.dlapiper.com/en/us/insights/publications/2015/07/state-breach-notification-laws/

SECURITY BREACH NOTIFICATION LAWS. (2016, January 4). Retrieved September 9, 2016, from National Conference of State Legislatures website: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Internet of Things Overload (week 3)

The Spanish-born American philosopher George Santayana wrote in his 1905 book “The Life of Reason” that those who cannot remember the past are condemned to repeat it. Time and time again we have seen this school of thought proven true. If we look at it from a social perspective, take fashion for example: how many times have we ‘brought back’ a style that was the ‘in thing’ back in the day? Plenty of times, I would say. While this is not necessarily a bad thing, it just shows that humans are somehow wired to repeat things. Apply this human nature to computing and information security and we see the same types of threats being resurrected from the ‘dark web cemetery’ and, lo and behold, we always get a ‘gotcha moment’.


Last year, right about this time, I wrote a blog post about botnets and the Internet of Things. The post talked about Conficker and how its logic had a mechanism for seeking out new domains on a daily basis; by mid-2009, Conficker had spread to over 10 million computers (Singer, 2011). Fast forward to October 2016: a DDoS attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. Researchers pegged the blame on hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders (Krebs, 2016). This massive DDoS attack was attributed to a malware dubbed ‘Mirai’ (Japanese for ‘the future’), a name that seems to suit the malware’s MO: locate and compromise IoT devices to grow the botnet further and launch DDoS attacks. Mirai scanned the Internet for devices that were not secured, meaning those still using default user names and passwords; by running a dictionary attack against those devices with a pre-configured list of default username/password combinations, it was able to compromise and take them over (Herzberg, Bekerman, & Zeifman, 2016).

Image Courtesy of ReadWrite.com
We can now see the trend and why George Santayana’s statement is true even for computing and information security. We’ve all seen those pesky reminders set up by IT to change our passwords every so often. Do we receive those messages with joy or view them as just another nuisance from those IT fellas? I bet most of us hope they would stop reminding us about those damn passwords.

Most issues we observe in today’s cyber world are simply reincarnations of old threats that existed before, and the same mistakes or vulnerabilities that propagated those threats are the same ones, although slightly modified, plaguing us again. An attack could be different in that there is a new variant, but the core of the attack, or what makes it possible, most of the time remains the same. Case in point: the use of default passwords in devices, which makes it easy for malware to brute-force its way into the device.
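The pattern described in the Mirai paragraph above and again here (one source walking a list of default username/password combinations against a device's login until one works) is easy to recognise from the device's own logs, which is the side of it a defender controls. The Python detector below is an added example, not code from this post or from the cited Mirai analysis: it parses a constructed syslog-style login log, slides a time window over each source's failed logins, flags sources that reach a failure count across several distinct usernames, and escalates when a successful login from the same source follows the burst. The log format, the thresholds, the host name and the sample lines are all assumptions made for the example.

```python
"""Detect credential dictionary attacks against device logins.

Added example, not code from this post or from any Mirai analysis. It shows
the defender-side view of the behaviour the post describes: one source
cycling through many usernames against a device's login in a short window,
with a success after the failures marking a likely takeover. The log format,
thresholds and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style format:
# "<Mon DD HH:MM:SS> <host> login: <FAILED|ACCEPTED> LOGIN from <ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login: "
    r"(?P<result>FAILED|ACCEPTED) LOGIN from (?P<src>[\d.]+) user=(?P<user>\S+)$"
)

# Constructed sample log: one source walks a username list against a DVR and
# then gets in as root; a second source is an operator mistyping a password.
SAMPLE_LOG = """\
Oct 21 10:00:01 dvr01 login: FAILED LOGIN from 198.51.100.7 user=root
Oct 21 10:00:02 dvr01 login: FAILED LOGIN from 198.51.100.7 user=admin
Oct 21 10:00:03 dvr01 login: FAILED LOGIN from 198.51.100.7 user=support
Oct 21 10:00:04 dvr01 login: FAILED LOGIN from 198.51.100.7 user=user
Oct 21 10:00:05 dvr01 login: FAILED LOGIN from 198.51.100.7 user=guest
Oct 21 10:00:06 dvr01 login: FAILED LOGIN from 198.51.100.7 user=root
Oct 21 10:00:07 dvr01 login: ACCEPTED LOGIN from 198.51.100.7 user=root
Oct 21 10:05:00 dvr01 login: FAILED LOGIN from 203.0.113.5 user=operator
Oct 21 10:05:09 dvr01 login: FAILED LOGIN from 203.0.113.5 user=operator
Oct 21 10:05:20 dvr01 login: ACCEPTED LOGIN from 203.0.113.5 user=operator
"""


def parse_line(line, year=2016):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "src": m["src"], "user": m["user"]}


def detect_dictionary_attacks(lines, window=timedelta(seconds=60),
                              min_failures=5, min_users=3):
    """Return {source_ip: alert} for sources whose failed logins within any
    `window` reach `min_failures` spread across at least `min_users` names."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILED"]
        best_count, best_users = 0, set()
        i = 0
        for j in range(len(fails)):            # sliding window over failures
            while fails[j]["ts"] - fails[i]["ts"] > window:
                i += 1
            current = fails[i:j + 1]
            if len(current) > best_count:
                best_count = len(current)
                best_users = {e["user"] for e in current}
        if best_count < min_failures or len(best_users) < min_users:
            continue
        # A success from the same source after the burst means a guess worked.
        success = next((e for e in evs if e["result"] == "ACCEPTED"
                        and e["ts"] >= fails[0]["ts"]), None)
        alerts[src] = {
            "failures": best_count,
            "users_tried": sorted(best_users),
            "compromised_account": success["user"] if success else None,
            "severity": "critical" if success else "high",
        }
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_dictionary_attacks(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, alert in run_sample().items():
        print(src, alert)
```

The distinct-username threshold is what separates a dictionary attack from an operator who mistypes one password a few times, and the success-after-failures check is the part worth paging on: a high-severity alert says someone is guessing, a critical one says the device now belongs to them.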

The question, therefore, is why IoT manufacturers do not step up their game and secure their appliances.

The answer, of course, is the good ol’ connectivity vs. security battle. IoT manufacturers are focused on getting products to market as fast as possible, with their priority being connectivity and not security. Market demand and the profits associated with that demand are driving decisions, and the manufacturers are okay with dealing with security implications down the line rather than incorporating the measures at project kick-off. The IoT realm being relatively new also leaves the decision to the manufacturers, as there are no set standards for what the security landscape should look like for those devices. We have a situation where the product manufacturers determine the appropriate trade-offs for themselves without any best-practice references.

My take on this lack of, or poor, IoT security configuration is that eventually the market and possibly regulators will arm-twist the manufacturers into incorporating more solid plans that ensure their products are somewhat secure and the public is not victimized due to negligence on their end, as observed in the case of the Mirai-related DDoS attacks. We all love our smart products and the luxury they afford us, but if it means compromising our privacy and security, some consumers may opt to roll back to the stone-age days where we wrote down our grocery lists on paper instead of the refrigerator sending us a text. I guess the devices aren't as smart as they purport to be after all :)

References
Denning, T., Tadayoshi, K., & Levy, H. M. (2013). Computer Security and the Modern Home. Communications of the ACM, 56(1), 94-103. doi:10.1145/2398356.2398377

Herzberg, B., Bekerman, D., & Zeifman, I. (2016, October 26). Breaking Down Mirai: An IoT DDoS Botnet Analysis [Blog post]. Retrieved from Imperva Incapsula website: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Krebs, B. (2016, October 21). Hacked Cameras, DVRs Powered Today’s Massive Internet Outage [Blog post]. Retrieved from KrebsonSecurity website: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

Singer, P. W. (2011, October 21). Mark Bowden’s “Worm: The First Digital World War”. Retrieved February 7, 2016, from https://www.washingtonpost.com/entertainment/books/mark-bowdens-worm-the-first-digital-world-war/2011/08/30/gIQAwcKO4L_story.html