Musings of a Corporate Consigliere
Thoughts & Advice on Consulting Challenges
Answer, it’s both.
Manufacturing is plowing full-speed ahead into the siren-like song of the Industrial Internet of Things (
When the HITECH Act of 2009 and the Final Rule for HIPAA passed in 2013, the security of vendors and third parties became a concern for covered healthcare entities, big and small. Whenever a partner connects to your network and has access to your Protected Health Information (PHI), you are on the hook for their privacy and security readiness. The lack of a Business Associate Agreement (BAA) or other excuses no longer apply. This includes all entities that handle PHI, even dentists. For some reason a lot of dentists don’t believe HIPAA mandates apply to them.
With this in mind the FBI released a Private Industry Alert, “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” on March 22nd to alert healthcare entities to File Transfer Protocol (FTP) server vulnerabilities, quote:
“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.”
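A defender-side version of the check the alert asks IT staff to run, as an added example that is not from the post or the FBI alert: it attempts the standard anonymous login against FTP servers in your own inventory and reports whether each one accepted it, refused it, or could not be reached. The fake daemon and start_fake_ftpd are constructed here only so the checker can be exercised offline; they are not a real FTP implementation.

```python
import socketserver
import threading
from ftplib import FTP, error_perm, all_errors


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """'anonymous' if host:port accepts an anonymous login, 'denied' if it refuses, 'unreachable' if no banner."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except all_errors:          # includes OSError: refused, timed out, no route
        return "unreachable"
    try:
        ftp.login()             # ftplib default: USER anonymous / PASS anonymous@
        return "anonymous"
    except error_perm:          # 5xx reply to USER or PASS, e.g. "530 Login incorrect"
        return "denied"
    except all_errors:          # connection dropped mid-dialogue
        return "unreachable"
    finally:
        try:
            ftp.quit()          # be polite to the daemon whatever the outcome
        except all_errors:
            pass


class _FakeFtpd(socketserver.StreamRequestHandler):
    """Constructed stand-in for an FTP daemon (USER/PASS/QUIT only) so the checker runs offline."""

    def handle(self):
        self.wfile.write(b"220 constructed test ftpd\r\n")
        for raw in self.rfile:                      # one command per CRLF-terminated line
            cmd = raw.split(b" ", 1)[0].strip().upper()
            if cmd == b"USER":
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == b"PASS":
                ok = self.server.allow_anonymous    # the one policy knob the test flips
                self.wfile.write(b"230 Logged in\r\n" if ok else b"530 Login incorrect\r\n")
            elif cmd == b"QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 Not implemented\r\n")


def start_fake_ftpd(allow_anonymous):
    """Start the fake daemon on a free loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFtpd)
    srv.allow_anonymous = allow_anonymous
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Against a real inventory, call check_anonymous_ftp for each host on port 21 (or whatever port the server listens on) and treat every "anonymous" result as a finding to review for PHI or PII.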
More dispatches from the front for this week’s post. Cloudflare, a premier cloud hosting and security provider, was compromised back in September 2016. Several lines of faulty code in an HTML parser allowed user session data (cookies, credentials, keys, tokens, etc.) to be scattered about unrelated web sessions by the millions. This data was apparently spread in plaintext and is very difficult to remediate, since the information was randomly dropped into unrelated sessions across a massive customer base. According to Cloudflare, the worst data leakage occurred between February 13 – 18th 2017.
I was approached by Snapmunk to provide commentary on this issue, which I did. However, I have also provided similar advice to clients more times than I care to count. We can point back to when the Heartbleed bug was identified back in 2014 but had been running rampant since 2012. Remediation of this issue isn’t the investment of a boatload of expensive tech solutions but can tackle this problem
Here are a few of the tips I have provided:
1. What steps would you advise businesses affected by Cloudflare’s data leak take following the leak? How should they go about damage control?
They should immediately activate their breach incident response program. Then coordinate with Cloudflare on a daily basis to ensure they have the latest information on the scope and impact of the Cloudbleed breach. Depending on where the company is located, they may have to notify state and local authorities that they have been impacted by Cloudbleed.
The most proactive damage control would be to contact the users of your company’s services immediately. State what actions you are taking to address the breach and have a defined plan to follow up with those customers to keep them informed.
Internally these companies must review their security posture from top to bottom. Ensure that the Cloudbleed incident did not compromise credentials that can access corporate assets and cause further security breaches in the future.
2. What can we learn from a breach like this?
We can assume that Cloudflare was using the latest security technologies with a focus on a “Defense-in-Depth” strategy. However, one error in a line of code invalidated millions of dollars in expensive technology. The takeaway for both consumers and companies is that no technology service is 100% secure. Companies will need to aggressively review software for vulnerabilities. This will sometimes mean very expensive software migrations from legacy applications. On the consumer side, customers have to realize that using the same password for multiple sites, especially sensitive ones, is a very bad idea.
From the Department of Redundancy Department here comes another set of regulatory hilarity that will definitely impact both business and security professionals alike. I give you the GDPR!
The General Data Protection Regulation (GDPR) is very similar to the U.S. NIST, PCI DSS, and HIPAA data security standards. Like U.S. HIPAA or PCI rules, GDPR lays down a foundation of data security and privacy requirements, how consumers can access and transfer their data, fines and penalties and how GDPR applies to EU member states.
GDPR will impact information security products and services globally. Security vendors will have to incorporate GDPR standards into their products, and InfoSec professionals will have to be familiar with the various privacy and security rules within GDPR. However, EU members have until May 28th 2018 before compliance becomes mandatory.
Information Security Professionals must have more than a passing knowledge of the various rules and regulations that impact the management of the enterprise data in their charge. InfoSec pros must be familiar with local, state, federal and international privacy and security guidelines that govern the confidentiality, integrity and availability of the data they protect. Knowledge of legal and regulatory frameworks is becoming as important a skill as proficiency in the security technologies they use to protect sensitive data.
I’m rather surprised the Certification Industrial Complex hasn’t jumped at the chance to create an overall certification for the mountain of legal and regulatory guidance that governs privacy and security. Maybe having a law degree will be the next prerequisite that HR folks will require for employment. I can see it now: “Corp X req: must have a law degree, CISSP, CRISC, PMP, MBA, 15 years’ experience. 6 month engagement @$45 per hour.”
Let me know your thoughts in the comments below.
An important conversation I’ve had with healthcare providers is the topic of MACRA, or the Medicare Access and CHIP Re-authorization Act. The biggest takeaway I’ve had is that physicians are only vaguely aware of this massive piece of legislation that has the potential to upend how they practice medicine. I can understand why this is the case; over the last 10 years healthcare providers have been hammered with so many changes (HIPAA, HITECH, HL7, ICD-10, EMRs) that I’m surprised they still know how to get to work in the morning.
As an industry, the consensus around MACRA and its benefits can be distilled to one word: “terrible”. With a manifold increase in bureaucratic oversight and reporting and a tiny bump in compensation, we will see doctors, who can, transition away from accepting insurance and move toward cash on the barrel.
These sentiments are reflected in the cybersecurity community as well. HIPAA and HITECH were a substantial, if ham-handed, push to get healthcare entities to address data security. MACRA has little in the way of assisting healthcare providers in securing patient data. The new legislation is primarily focused on the transition to “population health” and pay-for-performance models rather than cybersecurity. There is a nod toward data protection, with MACRA requiring the removal of Social Security Numbers (SSNs) from Medicare cards. The purported benefit of this initiative is to better protect patient financial and federal healthcare information.
However, SSNs cost about a buck on the black market, and there’s a good chance that any patient receiving federal benefits has already had their SSN compromised long ago. Just look at the government hacks (OPM, IRS, VA, etc.) that have occurred over the last several years.
As for private financial information, the removal of the SSN on the cards may have some small positive impact but financial institutions have done only a fraction better at protecting sensitive information. A quick data correlation on a patient name in widely available online hacker databases can confirm SSNs and other information without physical access to a Medicare or Medicaid card.
In the end, the removal of SSNs from Medicaid cards smacks of too little and far too late. It is more akin to government mandates on buggy whip construction.
Let me know your thoughts in the comments below.
A recurring theme in Information Security and Technology is the issue of communication. While this trope has been on the books since the 90s, there hasn’t been much progress toward a lasting solution. Executives appear to be ill-informed of technology risks, issues, needs and wants, while those in the tech & security trenches complain bitterly about the apparent cluelessness of leadership.
After a recent conversation with a client about this apparent disconnect, I’ve attempted to sum up the current state of this ongoing problem as well as provide a few tips on how to clear up some of the clutter.
What priorities are not getting through from IT security to the board and C-suite?
What is not translating in the other direction, from the top down?
What are the cultural and other differences between the two extremes that are garbling communications?
How do we fix the communications process and deliver the key points from each end to the other with sufficient clarity and weight?
Let me know your thoughts in the comments below about my approach. What are your ideas on how to help solve these issues?
Is cyber-liability insurance a must have for today’s enterprise? How should an organization go about evaluating adding this type of policy to its stable of other risk management vehicles? Let’s take a look at the current market and a few of the questions that need answers before a company invests in a cyber-liability policy.
Cyber-liability insurance is gaining in popularity as a supplement to Commercial General Liability policies (CGL) and could be a good investment for a business looking to hedge their risk. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages they could incur in the event of a data breach. Companies in the healthcare and financial sectors should seriously consider obtaining one of these policies due to the regulatory burden and potential non-compliance penalties these industries face.
Is the cost worth it?
Currently, the cost of cyber-liability policies is quite low. With a record number of data breaches in 2015, the cost of these policies is climbing quickly, but they are still quite reasonable. Based on a small breach of 100,000 client records, an enterprise would pay nearly $50k in postage for sending notification letters alone. Most cyber-liability premiums, based on revenue, size and industry, hover between $1500. Large multi-billion dollar firms may pay around $50,000.
The model(s) behind technology spending have been changing dramatically over the last several years, with virtualization, consumer devices and “as a service” offerings complicating the procurement process. While they offer tremendous opportunities for astute technology consumers, there are also significant risks that the unprepared enterprise technology consumer may incur through insufficient information.
Add to this increasing cybersecurity concerns, regulatory compliance regimens and staffing issues, and even the largest firms are facing difficulty making informed decisions.
One of the questions I get from my small business clients is: how can I perform a technology audit to take stock of what the business has, identify gaps, and create a plan for new tech purchases?
The first step would be to look at your enterprise strategic plan. What are your business goals for the next three years? What technologies would facilitate reaching those goals? Do you have technologies in house that fill that need currently? Can they be upgraded or configured to meet these objectives? If not, what technologies are available (Cloud or on-premise) to meet your objectives?
These very high level steps fall into the basic strategic planning process, governance and portfolio management.
Not really.
Security risks for 2016 look a whole lot like those for 2015 and, if we are honest, 2005.
Alright, so nothing really new, but what are the biggest vulnerabilities and threats facing US businesses?
The top attack surfaces are going to be mobile devices (smartphones & tablets), cloud services, unpatched vulnerabilities and poor security risk management. Unpatched vulnerabilities have been the top target of malicious actors since the beginning of computer hacking. The OPM breach and the details surrounding it give malicious third parties the impetus to continue pushing in that direction.
Securing data in the Cloud can be problematic even before the added complexity of managing the data on a mobile device. However, mobile platforms (phones, tablets, etc.) are becoming the access point of choice for the enterprise, and so this issue needs to be addressed swiftly.
What should a company’s leadership do to prepare for or thwart a cyber security attack and data breach?
Defense-In-Depth. That is a phrase that all enterprise leadership should understand.
Is there hype and hysteria around security breaches? Is this going to give rise to a cyber-industrial complex? These questions were recently posed to me by a client at a large insurance company.
Well, let’s look at the current situation. Security breaches are growing in scope and visibility due to increasing automation and interconnected systems, mobile devices and the sharing of personal data. The financial incentive is there for the criminal, nation-state or other malicious actor to perpetrate these crimes.
Cyber-security preparedness in the business community, while becoming more visible in recent years, is still far behind the curve when compared to those who wish to commit cybercrime. There is still a tremendous disconnect among employees and the general public regarding the current security threats and what impact their behavior has in propagating or thwarting a breach.
People should be concerned about security breaches, since personal data can be used to damage or destroy an individual’s financial and even personal life. An example of this is the OPM breach, where millions of pages of security forms were stolen that contained intimate details of individuals. These can and will be used by malicious actors as leverage against those federal employees in sensitive positions within the government.
Are cybersecurity companies using these incidents as a means to feed the hysteria behind breaches? Of course they are. You see this in any industry when a company sells a product or service that can remediate concerns faced by that industry. However, security is still a comparatively low priority at the executive level within corporations. This is changing, but it remains the bailiwick of technologists who have minimal say in enterprise decision making.