What you need to know about HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) are national standards put into place to: 1) protect the privacy of personally identifiable health information, 2) secure personally identifiable health information stored and/or transmitted electronically, and 3) promote the meaningful use of health information technology. As of September 23, 2013, compliance with these standards will be mandatory for all applicable healthcare entities AND their third-party vendors. Failure to comply with these standards can result in both civil and criminal penalties.
Do you know if you and your third-party vendors are HIPAA compliant? Do you need some help finding out?
Thankfully, RJS Smart Security provides healthcare organizations and their business associates with a comprehensive evaluation of their protected health information and data environment with a HIPAA assessment. RJS follows the emerging Penetration Test Execution Standard (PTES) as the model for these assessments.
HIPAA Compliance with RJS Smart Security
Our HIPAA assessment focuses on HIPAA regulations for companies who may or may not be facing an audit. During this engagement, we look at the following:
Compliance is not the same as security. Compliance defines the bare minimum needed to protect specific data types or industries. This engagement identifies lean ways to meet HIPAA requirements so that your business still has resources for security.
Strategy is perhaps the most critical security task, as well as the least used. A strategy engagement identifies what HIPAA compliance pieces you already have, what you need and how to get there. Several risk assessment methodologies are available to guide us in crafting a security plan that ideally fits your health care business.
Policies and Procedures review the body of written controls that are currently in use and assess how well they are being followed. Policies often age as technology improves and procedures are followed poorly as they lose applicability.
And, depending on the scope of your engagement, we also examine:
Network Vulnerability involves scanning your network to identify the operating systems and applications in use. Older applications are a common vector in successful attacks, but these flaws can only be addressed if you know they exist.
Web Vulnerability focuses on the many common problems found in web applications, such as SQL injections looking to steal or alter data, scripting to exploit users or weak configurations.
Data Analysis identifies the documents and databases an organization is storing and the risks resulting from possible data leakage. This analysis helps you determine ways to centralize storage and eliminate the unnecessary.
A Success Story
Healthcare Services Provider*
A medical services company had grown by acquisition and upon examination of their network infrastructure, an increasing number of legacy applications were cause for mounting concern. With fewer people on staff who knew how they functioned, it was increasingly difficult to maintain their security and comply with the regulations of HIPAA and HITECH.
To help simplify the process of application management while working within a tight budget, the company hired RJS to review one legacy application each quarter. In the short term, this approach helps the firm meet their Business Associate requirements. In the long term, the newly-built applications can be maintained at a lower cost.
* The company name has been kept anonymous due to the sensitivity of the work performed.
A Security Lesson from the Dinosaurs
Last week, I got my copy of All Yesterdays (not the used Amazon versions, as the pricing algorithm is failing hilariously). I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.
You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.
So why am I posting this review on a blog that is (more or less) focused on information security?
Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working over time to make guesses about the truth, analyze their mistakes in the face of new evidence and, through a constant stream of screw ups, come closer and closer to consensus. As they’ve done this, everyone has had to constantly adjust to the shifting truth.
In effect, it is a book about evolution … the evolution of species … the evolution of understanding … and the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.
Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are more hackers than professionals who draw dinosaurs, so we do get an advantage of numbers. Still, there is ample room for improvement.
This book explores the problems that arise from:
- Taking a superficial view of evidence
- Not comparing logical conclusions to examples of modern data
- Avoiding analysis and basing beliefs on the misguided work of others
- Looking strictly at hard evidence and ignoring behavior
- Hyper-focusing on dramatic scenarios
Sophos: Pushing the Boundaries
Several people have been asking me lately if I still prefer Sophos technology. After all, they recently released a bad update and Tavis Ormandy’s recent paper illustrated some design flaws in the product.
There’s spin on both sides. Unsurprisingly, Sophos is downplaying the issue and Tavis Ormandy’s tone in his second paper is much like that of his first. So I thought it would be good to explore the issues more fully.
I am disappointed in Sophos’s recent fumbles, but not disheartened. I still think that, for a great many companies, they have the best solution available.
There are two core problems here. The first is that of scaling. As companies grow bigger, they often become slower to react. Sometimes, they fail to adjust to their new reality. Sometimes, however, they get through it and become incredible companies. There are indications that Sophos is beginning the turnaround.
The second problem is industry-wide and has to do with market-splintering. Today, we are facing a splintering security vendor space and reports like the ones from Tavis are a symptom. Reports we’ve been getting for the past few years about AV and IDS being “dead” are yet another symptom. There’s nothing wrong with these reports and it’s good that people are thinking about the issues. But unfortunately, they’re missing the big picture.
In a splintering space, there is an increasing deviation between what a product actually does and how it is branded. This continues until the vendors wake up and pivot their branding to better match what they actually do. This always takes longer than we’d like, because employees of a company are driven by their brand even more than their customers.
As I see it, the AV vendor space is breaking apart into four chunks:
- Traditional AV – Focused on being lightweight and supplementing the protections built into an operating system.
- Anti-Malware – Focused on monitoring and responding to bad and potentially bad things that can happen to an operating system.
- Application Whitelisting – Focused on locking down an operating system to only allow known applications to run.
- Malware Analytics – Focused on providing detailed data about events so human analysts can make appropriate decisions.
We are also seeing the attack space splintering. Specifically, we’re seeing a tiered structure emerging:
- Background Radiation – A constant stream of trivial attacks, legacy viruses and worms that float about the internet.
- Industry-focused Asset Attack – Attacks that focus on specific industries aiming to steal monetary assets. These often rotate between industries, “campaign” style. At present, Western banks are in vogue. Indications are that these attacks are run by organized criminal groups. If you have above average protection in this space, you gain significant competitive advantage as attacks are driven to those that do not.
- State-sponsored IP Attack – Attacks that also focus on specific industries, but are run by better-organized groups suspected of being funded by state agencies. They aim to steal intellectual property. You get significant benefit from being above-average here too.
- Industrial Espionage – Attacks focus on specific companies and likely come from other specific companies. There is no benefit to be gained from being above-average in defense, as that just creates rapid escalation in an arms-race pattern of growth.
The third splintering effect is familiar to those of you who have heard my talks or read my comic book.
In the defense space, we have two primary trends emerging based on complexity. Both are valid, but they are completely incompatible with one another (at least on the large scale).
- Simplification – This trend involves firms who outsource much of their operations and infrastructure to managed SOC providers, cloud providers, SAAS providers, etc. The idea is that by focusing on their core business and finding trustworthy partners, they can become more nimble and therefore, more profitable.
- Complexification – This trend involves firms who increasingly centralize their infrastructure through virtualization, log management, analytics, etc. The idea is by taking more control, you can better analyze the business and find regions of improvement.
So after this rather long diversion, what does it mean for Sophos? Well, their core strength is offering administrators a solution to rapidly and consistently provide a reasonable level of protection that gives early indicators of attack. This means they’re a great fit for anti-malware up to and including the State-sponsored IP attack tier and work best in simpler environments or in simpler subsets of complex environments.
I do not think that they’re the best solution for highly-targeted complex companies, as they are not an analytics tool. They’re also not the best solution for extremely simple firms that want “set it and forget it” technologies. Security takes work and if you put the work in, you get better security. You should pick a solution that allows you to put in more work than you currently do, but does not require that additional work for the product to still be effective.
Many of the critiques of Sophos tend to be at the edges. And Sophos doesn’t help these concerns by marketing as if they fit everywhere for everyone. I think they’ll eventually reach this goal, but they’re not there today.
If you’re in a highly complex environment that is facing constant incursion from well-funded foreign governments, Sophos better not be your only tool. You need Analytics, too.
If you want the cheapest solution out there that you can install and ignore, Sophos won’t work well for you either. That’s where Traditional AV and the ability to wipe and reload when it fails comes in.
Operationally, you need to figure out what sort of attack and defense space you’re in, so you can select the tool(s) that will provide the best protection for your business. If you overlap spaces, you’re going to need multiple tools. One of the biggest reasons I really like Sophos is because of their flexibility to play in overlapping spaces. They layer quite well with other security products, which is a great benefit for their customers.
Just remember: We live in a complex world. There are no magic bullets. Security requires thought.
Internet Theft and the Holidays
As many of you know, when I am not protecting people and their businesses, I’m often out taking pictures. My camera of choice has been the Nikon d300, which is over five years old now. As with all technology, when cameras age, they become increasingly unreliable and it became apparent over a year ago that my camera was experiencing legacy issues. The weather protection was weakening, the sensor was starting to fail and the batteries were draining faster and faster. If I am going to practice what I preach, it was time to ruthlessly eradicate legacy.
“Ruthlessly eradicate legacy” is one of my mantras when it comes to infrastructure management. Older systems take a surprising amount of resources to maintain and use. Modern technology is easier to update, cheaper to operate and easier for people to use. It also has modern features that can drastically improve capabilities. With servers, this means killing all that no longer get updates (Windows 2000, for example). With cameras, it means time to say goodbye to my old friend and look at other options.
This is not a camera post, however, so I’ll cut short the decision process and say that I settled on a d800 or d800E. For my purposes, there are no differences, so I went out looking for a good deal. After all, Black Friday is coming and now is the time to look for electronics. This, however, is where the story gets interesting.
In doing my research, there were indications that while camera accessories go on sale periodically, the high-end camera bodies and lenses I like only drop in price when a successor comes out. This means I’m stuck at the high end unless I buy used. Moreover, in the Nikon world, warranty is a huge factor and is significantly reduced when you buy used, so it only makes sense to look at that option if you are going to save over 20% off the purchase price.
Which is why, when I found a d800E on Amazon, I got a little excited. In fact, I got a little too excited. I almost got scammed.
The list price on a new d800E is $3,299.99 (which is why my d300 got to be five years old before I considered a replacement), but this camera listed on Amazon.com was just $1,836.73. 56% off is clearly a better deal than 20% … but the deal is a little too good. In fact, it’s so good that a lot of people are going to leap on the deal, so I had to move fast.
Or did I?
See, the deal was too good. I got suspicious. Luckily, the seller had a note in their little logo icon that said to email with questions, so I did… not before I did a bit of research, though.
Even Superheroes Need Their Tools
Today is a sad and dangerous day. As you may have heard, Hostess is looking to go out of business. While it is likely that some of their bigger brands (Twinkie, Wonder Bread) will live on, it is the end of an era. While I never personally consumed much of their product line, as my mother would not let me (You can’t have a Twinkie, here’s an apple), I mourn with the rest of my generation over the loss.
However, unlike the mainstream news media, I am also deeply concerned about the fate of others in the wake of this decision … specifically due to the lack of Hostess Fruit Pies!
See, I remember when The Flash used them to save the city from the Bureauc-Rat. They were an essential tool for Captain America in preventing alien invasion. Aquaman used them to stop a shark invasion. Iron Man’s technology alone wasn’t enough to foil a bank robbery. And Spider-man used them to prevent the destruction of homes. In fact, there have been over 200 times that Hostess has helped save people.
Without this powerful tool, how will we ever survive?
Fortunately, most of our super heroes have contingency plans. DC heroes team up to become the Justice League to solve big problems. Marvel heroes team up to form the Avengers, first fighting among each other and then solving problems. Even the independents work up a good crossover now and then when they have to.
The question is, do you?
In IT in general and in Security in particular, we are highly dependent on a complex web of relationships and dependencies. This can be as simple as needing Microsoft to release their patches so we can protect ourselves. (Which you should do, as this month’s fixed some important issues.) Or it can be as complex as having systems dependent on Dell’s management appliances which are dependent on third party technologies.
Do you know which technologies you are dependent upon? How would you react to their sudden unavailability or to a problem in their supply chain? Do you have a contingency plan or will you have to figure things out in the moment?
Sadly, most people I talk to are in the latter category.
When you choose your vendors, it’s not enough to know if they can do the job today. You also have to know if they’ll be there for you tomorrow and to have a plan in case they’re not. All too often, I see companies who waste far too much time assessing vendors based on the “ideal” technology and no time at all looking at how it integrates into operations and loosely-coupling their technology to other systems.
I’m constantly visiting companies with networks that employ expensive technologies that don’t meet my clients’ needs, while cheaper and better technologies remain unused. This isn’t just annoying, this is potentially catastrophic to the business. For a case study, look at Hostess. Specifically, look at the strike document. In 2009, technology was not refreshed, which helped to put them into the position they’re in today. Granted, they had other problems. However, whether we’re talking flow-improvement like Document Management or monitoring and control like Anti-malware or UTMs or DLP, technology serves as a multiplier.
If you choose the wrong technology, it will multiply your problems. If you don’t choose the right technology, the firms that do will multiply their profit and leave you in the dust.
When most people hear that we do assessments, they think vulnerability scans and penetration tests. And yes, we do those. However, most of our clients find a lot more value in our vendor assessments, disaster recovery assessments and strategy assessments. These focus on security AND the business. After all, security means nothing without a business to protect.
If Hostess had learned that lesson in their first restructuring attempt, perhaps they’d have lasted longer and a contingency plan of liquidating the entire company would have stayed … a contingency plan. As for me, I’m going to take a long lunch and stock up on fruit pies. After all, you never know when Spider-man might come-a-calling.
And if you haven’t downloaded our very own RJS Smart Security comic book yet, click here!