The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) are national standards put into place to: 1) protect the privacy of personally identifiable heath information, 2) secure personally identifiable health information stored and/or transmitted electronically, and 3) promote the meaningful use of health information technology. As of September 23, 2013, compliance with these standards will be mandatory for all applicable healthcare entities AND their third-party vendors. Failure to comply with these standards can result in both civil and criminal penalties.

Do you know if you and your third-party vendors are HIPAA compliant? Do you need some help finding out?

Thankfully, RJS Smart Security provides healthcare organizations and their business associates with a comprehensive evaluation of their protected health information and data environment with a HIPAA assessment. RJS follows the emerging Penetration Test Execution Standard (PTES) as the model for these assessments.

HIPAA Compliance with RJS Smart Security

Our HIPAA assessment focuses on HIPAA regulations for companies who may or may not be facing an audit. During this engagement, we look at the following:

Compliance is not the same as security. Compliance defines the bare minimum needed to protect specific data types or industries. This engagement identifies lean ways to meet HIPAA requirements so that your business still has resources for security.

Strategy is perhaps the most critical security task, as well as the least used. A strategy engagement identifies what HIPAA compliance pieces you already have, what you need and how to get there. Several risk assessment methodologies are available to guide us in crafting a security plan that ideally fits your health care business.

Policies and Procedures review the body of written controls that are currently in use and assess how well they are being followed. Policies often age as technology improves and procedures are followed poorly as they lose applicability.

And, depending on the scope of your engagement, we also examine:

Network Vulnerability involves scanning your network to identify the operating systems and applications in use. Older applications are a common vector in successful attacks, but these flaws can only be addressed if you know they exist.

Web Vulnerability focuses on the many common problems found in web applications, such as SQL injections looking to steal or alter data, scripting to exploit users or weak configurations.

Data Analysis identifies the documents and databases an organization is storing and the risks resulting from possible data leakage. This analysis helps you determine ways to centralize storage and eliminate the unnecessary.

A Success Story

Healthcare Services Provider*

A medical services company had grown by acquisition and upon examination of their network infrastructure, an increasing number of legacy applications were cause for mounting concern. With fewer people on staff who knew how they functioned, it was increasingly difficult to maintain their security and comply with the regulations of HIPAA and HITECH.

To help simplify the process of application management while working within a tight budget, the company hired RJS to review one legacy application each quarter. In the short term, this approach helps the firm meet their Business Associate requirements. In the long term, the newly-built applications can be maintained at a lower cost.

* The company name has been kept anonymous due to the sensitivity of the work performed.

Be Sociable, Share!

• 

“Every student in every school should have the opportunity to learn to code.”

We couldn’t agree more!

As you probably know, the United States has constantly lagged behind in global math and science scores. As the New York Times reported this past December, “In the United States, only 7 percent of students reached the advanced level in eighth-grade math, while 48 percent of eighth graders in Singapore and 47 percent of eighth graders in South Korea reached the advanced level. As those with superior math and science skills increasingly thrive in a global economy, the lag among American students could be a cause for concern.”

I would argue that a substantial part of the issue is what we’re not teaching. In 41 states, coding courses do not count toward high school graduation. This is a terrible oversight for several reasons:

1) The backbone of computer programming is … math and science.

2) Computers have become a necessity in our culture, on par with food, water and shelter. Global and national business transactions, online connectedness to family and friends, mobile applications, web-based games and social media are all computerized elements that are daily fixtures for most Americans.

3) Because of the computer industry’s relative youth (we’ve only been using the internet for a little more than 20 years) and still untapped potential (mobile and cloud for example), possibilities for growth are virtually endless.

So wouldn’t you think the leaders of our educational system would start putting two and two together, identify this huge opportunity and create a game-plan to proactively solve a problem that is as crystal clear as bottled water? The stats are available for all to see. Here’s what we’re looking at:

Thankfully, the non-profit, Code.org, has taken notice and is dedicated to growing computer programming education. It’s time we engage our legislators, youth and education professionals to make the changes necessary to embrace computer science as the present and future of math and science.

And if you have a couple minutes, check out Code.org’s video, “What Schools Don’t Teach,” starring a who’s who of the computer industry, including Bill Gates, Mark Zuckerberg, Jack Dorsey and many more.

Be Sociable, Share!

• 

Last week, I got my copy of All Yesterdays (not the used Amazon versions, as the pricing algorithm is failing hilariously). I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.

You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.

So why am I posting this review on a blog that is (more or less) focused on information security?

Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working over time to make guesses about the truth, analyze their mistakes in the face of new evidence and, through a constant stream of screw ups, come closer and closer to consensus. As they’ve done this, everyone has had to constantly adjust to the shifting truth.

In effect, it is a book about evolution … the evolution of species … the evolution of understanding … and the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.

Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are more hackers than professionals who draw dinosaurs, so we do get an advantage of numbers. Still, there is ample room for improvement.

This book explores the problems that arise from:

• Taking a superficial view of evidence
• Not comparing logical conclusions to examples of modern data
• Avoiding analysis and basing beliefs on the misguided work of others
• Looking strictly at hard evidence and ignoring behavior
• Hyper-focusing on dramatic scenarios

Sound familiar?

Be Sociable, Share!

• 

A big joke in the cellphone industry was the excuse Apple gave for the “antennagate” issue upon introduction of the iPhone 4: “you’re holding it wrong.”  Funny enough, holding it wrong may be the way to go in the future.

You’ve probably seen published lists of the most commonly used PIN numbers, including such creative numerology as 1111 or 5683 (spells out LOVE). Security experts look at those lists and shake our heads wondering what people were thinking when they hit “1” four times and thought their phone was secure.

Of course, at least they’re using a PIN of some sort in an effort to protect their phone. Even if the PIN is considered “weak,” the stark reality is most people don’t use one simply because PIN codes are inconvenient and take time to enter. In fact, most people don’t use any means of data protection at all.

Thank goodness you’re not one of those PIN-less cellphone users, right?

Well, what if I told you your PIN, no matter how cleverly created, is now trivial to hack?  And that nifty complicated thumb sliding lock pattern you came up with that would require the hacker to be double-jointed to pull off?  Even easier.

There’s a new PIN and lock pattern proof-of-concept hack from Dr. Adam Aviv and his team of researchers at the University of Pennsylvania that uses the accelerometer in your phone to detect how it moves in space specifically during the unlock process.  As you move your thumb to hit the PIN numbers or trace the unlock pattern, this hack track the accelerometer data and matches it against its database of known patterns. They’ve been working on this attack vector for a few years now. Their previous approach utilized the gyroscopic sensors which lead to very imprecise measurements, but this new approach uses the accelerometer sensor in a “high bandwidth” mode and the results are pretty spectacular. In controlled settings with the subject seated they were able to guess the PIN number used 43% of the time and the unlock pattern 73% of the time.  When the subject was walking, the accuracy dropped greatly due to the additional movement noise introduced to the sensors that resulted in only 20% of PINs and 40% of patterns guessed.  They also mention the possibility of utilizing machine learning to determine text-based passwords as well, but mention no collected data against it.

I suspect long key presses for alternate characters may be difficult to decipher from the accelerometer data, but they do briefly mention key permutations (each key having multiple values from long presses), which increases the number of guesses required to get a four number PIN combination. If one were to use a very complicated password or random characters you could make it highly unlikely to guess your password using this method. Of course, you would also be spending the bulk of your time on your Smartphone entering an unlock password.

Another possible solution is to change the orientation of your phone (i.e. holding it wrong). Since Dr. Aviv’s team is only reading the accelerometer values and not the gyroscope values, which track pitch and roll of your phone, one could throw their data off. If they accounted for this circumstance and polled the gyroscope to determine orientation values while polling the accelerometer, the data sets would be much more complex as a result.

So clearly the best response to this type of attack method is to boogie down, run, jump, etc. while unlocking your phone. Personally, I’m working on some sick dubstep and James Brown moves to go along with my android unlock pattern that should make it near unreadable.

Be Sociable, Share!

• 

There have been two stories in the media lately and one event on a private mailing list that have me thinking.  First, the stories.

1) Former NFL Quarterback, Jon Kitna, has become a high school teacher. He did this as a way to give back to the community.  However, the most important part of the story is how he is giving back. This is a story about someone trying to change his community by teaching children that their actions have consequences, even if those consequences result in the entire team losing.

2) A Canadian computer science student by the name of Ahmed Al-Khabaz was expelled from Dawson College for running hacking tools against a system that contained data for numerous students. He found a flaw, reported the flaw, but because he did not have permission to run the test, he was kicked out. He has since been offered opportunities with firms and other schools.

3) On my private mailing list, a friend expressed concern over an issue in which one of his students sent a PDF of a book to the entire computer security class. This book was a copyrighted work by someone else that we both know. This was clearly illegal and, by most standards in the security community, unethical.

So, what do all of these stories have in common? Fundamentally, they’re about young people making mistakes. What might be hard to see, though, is that they’re also about adults making mistakes. We tend, in the Security and Legal communities to see the world in black and white. Dawson College expelled Ahmed Al-Khabaz because, in their view, he was “no longer suited to the profession.”  There was discussion about expulsion in the private story as well, because of similar concerns. In other words, we have colleges taking a hard line on students that screw up and are kicking them out.

The problem, though, is that one of the best ways to learn is by making mistakes. Many of the best people we have in IT Security have checkered pasts. Many of the worst people we have in IT Security also have checkered pasts.  While my own past is cleaner than most, I did cross the line a few times in school and got a talking to. I quickly learned both what to do and what not to do, but more importantly, how to do.

Actions must have consequences. Without pain, we do not learn. However, if those consequences are too severe, we don’t learn either. We give up.

If we look at these issues as a society, we have people working defense who are trying things and, if they try the wrong thing with the wrong person, they’re kicked out. We also have people working as attackers. These are well-paid individuals (due to the high risks involved) and are often highly skilled because they are not hampered by people trying to get them expelled or fired for experimentation. In fact, the more we take a hard line approach to these sorts of issues, the more likely we are to identify our best learners (the young people who make mistakes) and drive them to unethical and illegal activities, as we close the door to legitimate work in their face.

In a world where the attackers are massively out-competing the defenders, I have to ask whether this is wise.

Instead, consider Jon Kitna’s story. He’s adopted hard line rules for his football players. If they screw up, they’re out … but not completely … just a game or part of a game. They’re not off the team, they’re not kicked out of the community. This still means a mistake is punished, but done so in a way where people learn from it. Those who made the mistake get the most punishment. Those who supported the mistake while it was being made get a lesser punishment, and all of them serve as examples to keep everyone else where they need to be.

As people, we learn and grow over time. Of these three stories, which supports growth?  Of these three stories, which people would you rather work with as adults?  Who would you hire?

I know, for me, I’d take the under-educated, low-income kids over the college students any time.  Why?  It’s about community. Lincoln High School is making better adults than Dawson College is. The graduates from Jon Kitna’s football team might not be the best educated kids. They might need a lot of hand holding and training to make it in the real world, but they’ll have character. If I’m working a security problem with someone, I need someone I can trust. That means I need someone who has been raised to be trustworthy. Improvement is iterative and if you’re not given the ability to learn and grow from your mistakes, you’re just going to wind up making the same errors over and over again. As a security person, a professional and, really, just as an adult, I need people who have made mistakes, owned up to them and, where possible, fixed them. I need learners and I need people who can see the shades of grey in the world. I suspect that you do too.

Be Sociable, Share!

•