Thursday, July 14, 2005

Back to the Basics

There has been a rash of reportings of data theft lately that has a very strange effect of causing many to become complacent about their data protection measures because, after all, their system is working.The problem is that there is no way to know if your data is bulletproof. You can only be certain when it is not, and you have evidence that your security has been breached. The vast majority of data theft, including PHI, is undetectable, and unprosecutable, because unlike physical theft, the stolen data is still there. If someone sneaks into a museum in the dead of night, dressed in spandex and night googles, and makes off with a Bottecelli, in the morning there is a big square of unfaded wall, an empty nail, a light dusting of tracked-through laser-detection talcum powder, and no painting. The problem with stolen data is that most of the time there is no way to know that your system has been breached, or if it has been, that anything is missing because nothing is actually missing.So what do you do to keep your data secure?
The threats come in three flavors, and there are steps that you can take to protect yourself from each one.
1. The Barbarians at the Gates. There are people out there who don't like you. There are people out there who don't care about you, but want what you have. And there are people out there who don't care about you, or what you have, but want inside just. because. they. can.
These are the folks that firewalls were invented to thwart, and I assume that y'all have covered this loophole. Firewalls, encryption, strong passwords, and some sort of Intrusion Detection System (IDS) cover you there. If you don't understand or like this stuff (hard for me to believe, but then again I went heavily into BetaMax, so what do I know) hire someone who does. A competent IT security consultant can set up most small practices in a few hours of system hardening. Do make sure that the contract includes some basic training for your users concerning the changes and best practices.
2. The Enemy Within. Far more likely to cause you grief is the viper cherished in your bosom. No one knows for sure, but I would guess that the retail model applies here--- 90% internal theft. After all, who else holds the keys to your kingdom? Training, monitoring, set usage policies, and careful terminal check-out procedures can help, but you never know. If you have 20 employees and they all seem perfectly content, either you are the shining example all other bosses should aspire to, or at least 5% of your workforce is adept at hiding their dissatisfaction. I know which one seems most likely to me.
3. Stupid is as Stupid Does. And Stupid seems to be doing more than his fair share lately. Data theft is the classic crime of opportunity. "It was just laying there, so I took it." Or "The web site was unsecured" (here) or "The safe was left open" (here) or -one that I recently was asked about- "I left the box of records in the back seat, and someone borrowed my car." I love consulting, but dang, please make it harder for me, will ya? No more post-it notes with passwords conveniently stuck to the monitor, or so cleverly stuck under the keyboard. No more backup tapes on a shelf behind your desk, or stacked on top of the server. No more shared passwords for the entire office.
Once again, if you don't know about this stuff, contract someone who does. It is so very much cheaper and less stressful to spend a few bucks and a few hours hardening your system and providing a few hours of common sense training for your crew than it is to learn about your PHI disclosure from the guy with good hair and too many teeth holding the mike and standing sideways in your lobby so his cameraman can get a good shot.

Thursday, June 16, 2005

Wireless Best Practices

Some excellent practical suggestions on wireless from ComputerWorld---

"Stehman listed several best practices executives can follow to avoid compliance problems. Among them are making sure of the following:

  • All user devices are tested and certified by the IT staff prior to being connected to the wireless network.
  • Help desk support personnel receive hands-on training for all of the wireless devices certified by IT staffers.
  • Wireless users are briefed on how to comply with enterprise security requirements.
  • All wireless-enabled applications pass security and performance requirements prior to being deployed.
  • All wireless applications have a designated owner."
More stuff like this is needed--- there is no end of articles telling us about encryption, types of attacks, wireless protocols and technical stuff that you and I love, but to the users is just more crap in the way of doing their job.

Tuesday, June 07, 2005

Spyware FAQ

Here is a great set of FAQ's on spyware from TechTarget:

"You've seen it all on spyware – from what it is, to prevention, to remedies to quizzes. But have your spyware questions been answered? Ed Tittel answers the most frequently asked questions on spyware..."
Spyware is an increasingly prevalent problem, one that has been overshadowed in the public eye by the much more reported problems with viruses. But, truth be told, I spend more time lately dealing with spyware than with viruses. A recent infection with a new to me variation of the dreaded and pernicous CoolWebSearch wasted nearly half a day that I would have rather spent doing almost anything. Ed's FAQ mentions some remedies--- I would add the pugnaciously named Hijack This to his list.

Tuesday, May 31, 2005

House votes to outlaw spyware

From Reuters:

"Consumers have a right to know and have a right to decide who has access to their highly personal information that spyware can collect," said California Republican Rep. Mary Bono, who sponsored one of the bills.
The bills prohibit a number of practices often associated with spyware, such as reprograming the start page on a user's Web browser, logging keystrokes to capture passwords and other sensitive data, or launching pop-up ads that can't be closed without shutting down the computer.
The practice known as "phishing" -- in which scam artists pose as banks or other businesses in an attempt to trick consumers into divulging account information --would also be outlawed. "

Hard to enforce, but certainly a good first step. Spyware sucks up way too much of my day, and the security issues raised by phishing, which combines the two hardest to police vulerabilities, users and the web, into one nasty little package is an especial headache.

Wednesday, May 25, 2005

Seven Laws

Catchy title, what?

From IT Observer comes this well written and timely piece called The Seven Laws of Information Risk Management. Number 6 is a good example:

"6. Be afraid - it will happen to you Expect the unexpected by assigning responsibilities before a privacy breach occurs. Information theft only happening to the "other guy" is just a myth and the chance is greater than 50 percent that it has already happened at your organization. Access to customer demand forecasts, financial records and patents is very valuable, not just to your trusted partners, but also to thieves and harvesters."

Wednesday, May 18, 2005

Wi-Fi Webcast

From ZDNet by way of Tech Republic comes this webcast---

"IT professionals who administer wireless networks often find that, in addition to securing their organizations' own Wi-Fi access points, they must also police rogue wireless hot spots that are brought in by employees or students. Such rogue hot spots can conflict with an organization's own wireless networks, causing headaches for administrators and putting those networks at even greater risk of incurring security breaches. "

Watch it, learn, and report back.

Monday, May 16, 2005

Wireless Security

I have been asked a lot recently about wireless networks, and how to secure them. On this subject there is good news and bad news. Sadly sometimes its the same news. So let's do some FAQ's here, and see if I can clear up a few questions.
Q: Is a wi-fi network as secure as a wired network?
A: Nope. All of your traffic is broadcast via radio waves, which means that anyone with a wireless card can tune in. Using a laptop to troll for unsecured wireless networks is called wardriving. Ten minutes in the parking lot of any medium sized medical office complex will provide a wardriver with a half-dozen networks just laid out for the asking.
Q: Can wi-fi be made more secure?
A: Yep. Jeff at HIPAA blog has some excellent suggestions here. Your basic security concern with any network, wireless or not, is to conform to what security experts call the CIA model-- Confidentiality, Integrity, and Accessibility. You want your information to be confidential--- meaning that it stays off of the phosphor of the bad guys, have integrity, meaning that the bad guys haven't changed it, and accessible to the folks who need it, but not accessible to those who don't.
Q: Okay, then. Let's talk about confidentiality and how to achieve it.
A: To start with, encryption is your friend. It is possible to encrypt/decrypt your information without the user having to do anything--- we call this transparency. Use a protocol like WEP to keep the blackhats out. Make certain that the default names and passwords have been changed on your wireless router. And try to limit the range of your wireless broadcast to the offices you are in. Wardrivers love to be able to sit in a car in your parking lot, and crack your system at leisure.
Q: Integrity seems important.
A: It is! One of the favorite tricks of malicious users is to change stuff around, which is pretty funny unless it is your customer information, patient health records, or your website being changed. A strong password policy is the least you can do. Couple this with biometrics like fingerprint scanners or tokens like smartcards and you will be killing two birds with one implementation--- your personnel will have access and non-personnel won't.
Q: Fine. So how do I do all this?
A: Here is one of my favorite sources--- The Unofficial 802.11 Security Web Page. If this seems too much for you, consider hiring a consultant. Your network can be hardened by a pro in a surprisingly short time, and the cost of the hired gun is far less that you might think. Especially if someone gets into your system and changes your order forms so they point to something that would make your Marine Corps DI blush.