Answer, it’s both.
Manufacturing is plowing full-speed ahead into the siren-like song of the Industrial Internet of Things (
Thoughts & Advice on Consulting Challenges
Popular culture has done one thing for the cyber security profession: made it seem relatively cool. A standard crime or action drama has trendy cyberpros, fingers dancing on slick keyboards while reams of incomprehensible text or graphics scroll smoothly by. These folks are abnormally attractive, luxuriously ensconced in palatial, trendy offices, and report to serious, considerate, worldly leaders.
Sadly, in reality the script is entirely flipped. Most security folks desperately try to make the case for an organization to patch their hardware, eliminate access to insecure consumer technology and make do with skimpy budgets. Security tools are purchased without training or robust implementation services, staffing is minimal, and technology and security risks remain unmanaged at the enterprise level. Offices are micro-cubicles that are harshly lit with soul-sucking corporate fluorescent. No tasteful coffee bars or inviting work nooks to be found. Plus I look exceptionally stupid in a slouchy beanie.
One area that meshes with TV reality is the plethora of security tools in the enterprise space. Firewalls, IDS/IPS, SIEM, endpoint, asset managers, vulnerability scanners, policy tools, ad infinitum. Over a dozen screens with hundreds of reports, alerts and klaxons compete for the few infosec folks who attempt to reduce the risk of a data breach on a daily basis. With the enterprise security market flooded with products equivalent to the melon baller, security vendors are churning out more products that 80 percent of the market will never use, or at least never use effectively. [Read more…]
When the HITECH Act of 2009 and the Final Rule for HIPAA passed in 2013, the security of vendors and third parties became a concern for covered healthcare entities, big and small. Whenever a partner connects to your network and has access to your Protected Health Information (PHI), you are on the hook for their privacy and security readiness. The lack of a Business Associate Agreement (BAA) and other excuses no longer apply. This includes all entities that handle PHI, even dentists. For some reason a lot of dentists don’t believe HIPAA mandates apply to them.
With this in mind the FBI released a Private Industry Alert, “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” on March 22nd to alert healthcare entities to File Transfer Protocol (FTP) server vulnerabilities, quote:
“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.”
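The check the alert recommends, as an added example that is not part of the original post: it tries an anonymous login against each FTP server in your own inventory and, where the login succeeds, counts what an anonymous user can list. The host names are constructed placeholders, and the `ftp_factory` parameter is an assumption of this example so the logic can be exercised with a stand-in object.

```python
"""Audit internal FTP servers for anonymous mode (added example, not the post's code)."""
import ftplib

# Constructed inventory of hosts to audit (assumption: replace with your own list).
HOSTS_TO_AUDIT = ["ftp1.internal.example", "ftp2.internal.example"]


def check_anonymous_ftp(host, port=21, timeout=5, ftp_factory=ftplib.FTP):
    """Try an anonymous login against one host.

    Returns {"host": host, "anonymous": True/False/None, "entries": n}.
    anonymous is None when the host could not be reached on the FTP port,
    and entries is the number of top-level names an anonymous user can list
    (the alert's concern: PHI/PII sitting where anyone can read it).
    """
    result = {"host": host, "anonymous": None, "entries": 0}
    ftp = ftp_factory()  # hypothetical parameter; defaults to ftplib.FTP
    try:
        ftp.connect(host, port, timeout=timeout)
        try:
            ftp.login("anonymous", "audit@example.invalid")
        except ftplib.error_perm:
            result["anonymous"] = False  # server refused: anonymous mode is off
            return result
        result["anonymous"] = True
        try:
            result["entries"] = len(ftp.nlst())
        except ftplib.error_perm:
            result["entries"] = 0  # some servers answer 550 for an empty listing
    except ftplib.all_errors:
        return result  # unreachable, timed out, or protocol error
    finally:
        ftp.close()  # safe even if connect() never succeeded
    return result


def audit(hosts, ftp_factory=ftplib.FTP):
    """Run the check across an inventory and return only the hosts that accept anonymous logins."""
    findings = []
    for host in hosts:
        r = check_anonymous_ftp(host, ftp_factory=ftp_factory)
        if r["anonymous"]:
            findings.append(r)
    return findings


if __name__ == "__main__":
    for f in audit(HOSTS_TO_AUDIT):
        print(f"{f['host']}: anonymous login accepted, {f['entries']} entries visible")
```

Any host the audit reports should either have anonymous mode disabled or be verified to hold no PHI or PII, per the alert.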
Over the last twenty years or so the Project Management discipline has risen from obscurity to an integral part of corporate life. If you are reading this from the cubicle farm, chances are gaggles of contract project managers are generating countless spreadsheets that are dutifully filled out with carefully curated data. This data may or may not be plugged into a vast, unwieldy PMO tool. That data will flow to the various managers and directors who vaguely review the information in status reports. From there it falls into the great bitbucket, never to be seen again. Unless a project is heading toward failure; then it will be used to clobber parties who lack the right political protection. That is usually the sad contract project manager who originally created the spreadsheet. Of course the PM is supposed to be part of a project team that should include project coordinators, business analysts, approved budgets, PMO resources, etc. Instead, the PM is usually the only management resource assigned to the project. They’ve come in two or three months into the execution phase, there aren’t any requirements, the last PM was fired or left, and by the way you have six other projects like this that you are responsible for.
So how did the project management role become the fall guy/girl for the corporate world? If the above statements hold up, how is the project they are assigned to going to be a success? How did the profession get to this point and what can be done to reverse the trend?
More dispatches from the front for this week’s post. Cloudflare, a premier cloud hosting and security provider, was compromised back in September 2016. Several lines of faulty code in an HTML parser allowed user session data (cookies, credentials, keys, tokens, etc.) to be scattered about unrelated web sessions by the millions. This data was apparently spread in plain text and is very difficult to remediate, since the information was randomly dropped into unrelated sessions across a massive customer base. According to Cloudflare, the worst data leakage occurred between February 13 and 18, 2017.
I was approached by Snapmunk to provide commentary on this issue, which I did. However, I have also provided similar advice to clients more times than I care to count. We can point back to when the Heartbleed bug was identified back in 2014 but had been running rampant since 2012. Remediation of this issue isn’t the investment of a boatload of expensive tech solutions but can tackle this problem
Here are a few of the tips I have provided:
1. What steps would you advise businesses affected by Cloudflare’s data leak take following the leak? How should they go about damage control?
They should immediately activate their breach incident response program. Then coordinate with Cloudflare on a daily basis to ensure they have the latest information on the scope and impact of the Cloudbleed breach. Depending on where the company is located, they may have to notify state and local authorities that they have been impacted by Cloudbleed.
The most proactive damage control would be to contact the users of your company’s services immediately. State what actions you are taking to address the breach and have a defined plan to follow up with those customers to keep them informed.
Internally these companies must review their security posture from top to bottom. Ensure that the Cloudbleed incident did not compromise credentials that can access corporate assets and cause further security breaches in the future.
2. What can we learn from a breach like this?
We can assume that Cloudflare was using the latest security technologies with a focus on a “Defense-in-Depth” strategy. However, one error in a line of code invalidated millions of dollars in expensive technology. The takeaway for both consumers and companies is that no technology service is 100 percent secure. Companies will need to aggressively review software for vulnerabilities. This will sometimes mean very expensive software migrations from legacy applications. On the consumer side, customers have to realize that using the same password for multiple sites, especially sensitive ones, is a very bad idea.
From the Department of Redundancy Department here comes another set of regulatory hilarity that will definitely impact both business and security professionals alike. I give you the GDPR!
The General Data Protection Regulation (GDPR) is very similar to the U.S. NIST, PCI DSS, and HIPAA data security standards. Like U.S. HIPAA or PCI rules, GDPR lays down a foundation of data security and privacy requirements, how consumers can access and transfer their data, fines and penalties and how GDPR applies to EU member states.
GDPR will impact information security products and services globally. Security vendors will have to incorporate GDPR standards into their products and InfoSec professionals will have to be familiar with the various privacy and security rules within GDPR. However, EU members have until May 28th 2018 before compliance becomes mandatory.
Information Security Professionals must have more than a passing knowledge of the various rules and regulations that impact the management of the enterprise data in their charge. InfoSec pros must be familiar with local, state, federal and international privacy and security guidelines that govern the confidentiality, integrity and availability of the data they protect. Knowledge of legal and regulatory frameworks is becoming as important a skill as proficiency in the security technologies they use to protect sensitive data.
I’m rather surprised the Certification Industrial Complex hasn’t jumped at the chance to create an overall certification for the mountain of legal and regulatory guidance that governs privacy and security. Maybe having a law degree will be the next prerequisite that HR folks will require for employment. I can see it now: “Corp X req: must have a law degree, CISSP, CRISC, PMP, MBA, 15 years’ experience. 6 month engagement @ $45 per hour.”
Let me know your thoughts in the comments below.
An important conversation I’ve had with healthcare providers is the topic of MACRA, or the Medicare Access and CHIP Reauthorization Act. The biggest takeaway I’ve had is that physicians are only vaguely aware of this massive piece of legislation that has the potential to upend how they practice medicine. I can understand why this is the case; over the last 10 years healthcare providers have been hammered with so many changes (HIPAA, HITECH, HL7, ICD-10, EMRs) that I’m surprised they still know how to get to work in the morning.
As an industry, the consensus around MACRA and its benefits can be distilled to one word: “terrible”. With a manifold increase in bureaucratic oversight and reporting and a tiny bump in compensation, we will see doctors, who can, transition away from accepting insurance and move toward cash on the barrel.
These sentiments are reflected in the cybersecurity community as well. HIPAA and HITECH were a substantial, if ham-handed, push to get healthcare entities to address data security. MACRA has little in the way of assisting healthcare providers deal with securing patient data. The new legislation is primarily focused on the transition to “population health” and pay-for-performance models rather than cybersecurity. There is a nod toward data protection with MACRA requiring the removal of Social Security Numbers (SSNs) from Medicare cards. The purported benefit of this initiative is to better protect patient financial and federal healthcare information.
However, SSNs cost about a buck on the black market and there’s a good chance that any patient who is receiving federal benefits has already had their SSN compromised long ago. Just look at the government hacks (OPM, IRS, VA, etc.) that have occurred over the last several years.
As for private financial information, the removal of the SSN on the cards may have some small positive impact but financial institutions have done only a fraction better at protecting sensitive information. A quick data correlation on a patient name in widely available online hacker databases can confirm SSNs and other information without physical access to a Medicare or Medicaid card.
In the end the removal of SSNs from Medicaid cards smacks of too little and far too late. More akin to government mandates on buggy whip construction.
Let me know your thoughts in the comments below.
A recurring theme in Information Security and Technology is the issue of communication. While this trope has been on the books since the ’90s, there hasn’t been much progress toward a lasting solution. Executives appear to be ill-informed of technology risks, issues, needs and wants, while those in the tech and security trenches complain bitterly about the apparent cluelessness of leadership.
After a recent conversation with a client about this apparent disconnect, I’ve attempted to sum up the current state of this ongoing problem as well as provide a few tips on how to clear up some of the clutter.
What priorities are not getting through from IT security to the board and C-suite?
What is not translating in the other direction, from the top down?
What are the cultural and other differences between the two extremes that are garbling communications?
How do we fix the communications process and deliver the key points from each end to the other with sufficient clarity and weight?
Let me know your thoughts in the comments below about my approach. What are your ideas on how to help solve these issues?
Healthcare entities and Cloud Service Providers (CSPs) have been reluctant to form business partnerships due to the uncertainty of HIPAA Privacy and Security concerns. Cloud technology was not mentioned in the original HIPAA legislation from 1996 nor included in the HITECH Act of 2009. Barring large-scale EMR outsourcing to a private cloud hosted by their vendor, healthcare organizations shied away from other CSP services. The Department of Health and Human Services had not provided any definitive guidance and healthcare providers did not have a clear understanding of the risk and compliance pitfalls.
This hasn’t stopped healthcare staff from utilizing all manner of consumer-grade cloud solutions. Using Dropbox, Box and iCloud, healthcare staff sync their mobile, tablet and laptop device files to readily available solutions that are not HIPAA “compliant”, nor do any of these entities have a Business Associate Agreement (BAA) with the overall healthcare provider. This is a huge compliance risk to healthcare organizations. There will be a large cost associated with the move toward CSPs who will sign a BAA, since many consumer solutions will not agree to the privacy and security stipulations of HIPAA.
Recently HHS released its Guidance on HIPAA & Cloud Computing, providing the basic risk and compliance building blocks so healthcare entities can start making appropriate decisions with an eye toward managing their compliance and risk obligations.
I had the opportunity to review the new guidance document with the Connected Health Initiative (CHI). This group is heavily involved in the promotion of innovation in mHealth and telehealth, and provides a group of like-minded companies to discuss and navigate the regulatory waters in healthcare. [Read more…]
Is cyber-liability insurance a must-have for today’s enterprise? How should an organization go about evaluating adding this type of policy to its stable of other risk management vehicles? Let’s take a look at the current market and a few of the questions that need answers before a company invests in a cyber-liability policy.
Cyber-liability insurance is gaining in popularity as a supplement to Commercial General Liability (CGL) policies and could be a good investment for a business looking to hedge its risk. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages the business could incur in the event of a data breach. Companies in the healthcare and financial sectors should seriously consider obtaining one of these policies due to the regulatory burden and potential non-compliance penalties these industries face.
Is the cost worth it?
Currently, the cost of cyber-liability policies is quite low. With a record number of data breaches in 2015, the cost of these policies is climbing quickly, but they are still quite reasonable. Based on a small breach of 100,000 client records, an enterprise would pay nearly $50k in postage for sending notification letters alone. Most cyber-liability premiums, based on revenue, size and industry, hover between $1500. Large multi-billion dollar firms may pay up around $50,000. [Read more…]