May 06, 2013

BYOD Security Scanning

My friends at iScan Online, Billy Austin and Carl Banzhof have just released their latest whitepaper on BYOD Security Scanning.  This is an area of vulnerability scanning and compliance management that is not really being covered by any particular company today. 

Where mobile device management and anti-malware for mobile devices meet, there is a gap. This gap is filled by iScan Online. They can do on-demand full vulnerability scans on mobile devices, configuration scans for misconfigurations, and data discovery scans for credit card numbers, social security numbers and other personal or confidential data.

This paper highlights the 5 reasons why BYOD security scanning is a must-have and what a good BYOD security scanning solution must do.

You can view the paper below or head over to iScan Online to download it.


May 03, 2013

Special Offer for Security Bloggers Network Members: The Plateau Effect: Getting from Stuck to Success

An exclusive offer for the Security Bloggers Network: Hugh Thompson invites you to celebrate the release of the book The Plateau Effect by NYT bestselling author Bob Sullivan and RSA Conference Program Chair Dr. Hugh Thompson.

You can get a free signed bookplate from the authors to insert into your book if you: 

1. Tell your readers about the book’s publication using the hashtag #PlateauEffect on your social media before May 4th

2. Send a link to your tweet or screenshot of your blog or Facebook post to PlateauContest@gmail.com

3. For the first 50 we receive (sorry, U.S. only), we'll mail you the book plate!

The book will be available on May 2nd at bookstores and through Amazon.

Hugh Thompson is a friend of the SBN, so if you can, give it a shout out and help a friend out!


May 01, 2013

Great Customer Service Cannot Overcome Mediocre Products


This is a great question for a business school class, but there are also real life situations where this is more than a mental exercise. The very survival of a business and the livelihood of all its employees can hang in the balance.

My case in point for this blog post is Shutterfly.  I have been a Shutterfly member/customer since it first started around the time my younger son was born. Over the years I have stored literally thousands of pictures and videos on Shutterfly, ordered prints and recently created share sites for all of the sports teams I coach. 

Shutterfly has some great things you can do and buy with your digital pictures. I never bought a lot of products, but they looked very nice. 

The situation changed a couple of months ago when I decided to order some photo products with photos from my oldest son’s Bar Mitzvah. I ordered some larger prints, leather bound photo books, acrylic prints, etc. I think the prices Shutterfly charges are fair and didn’t have a problem with them.

Unfortunately about half of the products I have ordered have had to be refunded or returned.  Each and every time the folks at Shutterfly have been great. In fact on one of them they said my photo book was being delayed, but they were sending me a free cheaper photo book to make up for it. That one came with a mistake and they sent me another free one.  After a few weeks they finally sent me the original book I ordered and when it came, it was literally falling apart. 

Again the customer service folks were very nice. They gladly refunded the price and told me to keep the book. But frankly, after spending tens of hours working on the book, I was disappointed that it was all for nothing.

I really want to keep using Shutterfly. I want to be a customer and buy products so they stay in business. I like the company and think their customer service is tops. But how long and how many times can you put up with sub-quality products before enough is enough? What do you think? Customer service can make up for some product issues, but when does it tip over to the point of no return?

I am interested to hear your thoughts on this.


April 30, 2013

What and How to tell your customers about a Data Breach

If your midmarket enterprise is like most, sooner or later you will be the victim of a data breach. Data breaches are never fun, but how and what you tell your customers can be the difference between minimizing the impact to your company’s bottom line and a full-fledged disaster.

Informing your customers about everything you know and taking reasonable precautions will always work better than sugar-coating the situation and trying to minimize the potential damage. Downplaying the situation to your customers so as not to panic them could wind up costing you customers in the long run.

As a case in point I want to contrast two recent data breach cases. One is the case of local deals vendor LivingSocial and the other is the video rental service Vudu.

I recently received the following email from Living Social:

IMPORTANT INFORMATION

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

Two things you should know:

1.     The database that stores customer credit card information was not affected or accessed.

2.     If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised.

You do not need to take any action at this time, but we wanted to be sure you were fully informed of what happened.

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website - and require you to login - before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

If you have additional questions about this process, the "Create New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Sincerely,
Tim O'Shaughnessy, CEO

Now, I understand that LivingSocial wants to minimize the potential damage here. To me though they have made two crucial errors. One is that they are giving their customers the impression that because their passwords were encrypted (actually salted and hashed), there is a low likelihood that they would be useable. This is not necessarily true. In fact there have been several cases and much written about the relative ease that hackers have in cracking these passwords.

Based upon their opinion that there is a low likelihood of these passwords being compromised, they tell their customers that they do not have to do anything at this time, but that if they want to change their passwords they can. Knowing that these passwords could be compromised, why not make everyone change them? Forcing a password change is a rather trivial thing to do, and it ensures the integrity of your customers’ accounts. In a similar situation you should strongly lobby for mandatory password resets.

Secondly, LivingSocial is again telling their customers that they don’t have to do anything. But clearly customer names, email addresses and dates of birth were stolen. It doesn’t take much for a criminal to take that, match it up with public record information and quickly gather enough information to start using a false identity for nefarious purposes.

While some states mandate complimentary credit watch services for customers in these kinds of cases, at least telling customers to be on the lookout for fraudulent credit transactions and suggesting a credit watch service seems called for here.

Again, in the interest of keeping customers calm and downplaying this breach, customers could potentially be put at greater risk. The breach has already happened; breaches happen. Good security practice and customer service should require you to set the bar high in terms of protecting and warning your customers.
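The reasoning above, that "salted and hashed" lowers but does not remove the risk, can be made concrete. The following is an added example (not code from the post, from LivingSocial or from VUDU) that stores a credential the way a service would under a fast salted hash and under a slow KDF, then measures how many guesses per second each scheme allows and what that means for a leaked table. The record counts and wordlist size are constructed placeholders, and the function names are my own.

```python
import hashlib
import os
import time

# Constructed demo: what a leaked "salted and hashed" credential table looks like
# under two storage schemes. The per-user salt defeats precomputed tables, but
# anyone holding the table can still compute hash(salt + guess) for each record,
# so the post-breach risk depends on how expensive one such hash is.


def sha256_salted(password: bytes, salt: bytes) -> bytes:
    """Fast salted hash: one SHA-256 per guess (the weak scheme)."""
    return hashlib.sha256(salt + password).digest()


def pbkdf2_salted(password: bytes, salt: bytes, rounds: int = 200_000) -> bytes:
    """Slow KDF: `rounds` iterations of HMAC-SHA256 per guess (the stronger scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds)


def make_record(hash_fn, password: bytes) -> dict:
    """Store a credential as a service would: random 16-byte salt plus digest."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_fn(password, salt)}


def verify(hash_fn, record: dict, password: bytes) -> bool:
    """The defender's login check. It costs exactly one hash, which is also the
    unit of work a single guess against the leaked record costs."""
    return hash_fn(password, record["salt"]) == record["digest"]


def measure_guess_rate(hash_fn, seconds: float = 0.2) -> float:
    """Hashes per second one core of this machine evaluates for hash_fn."""
    salt = os.urandom(16)
    count, start = 0, time.perf_counter()
    while True:
        hash_fn(b"candidate-%d" % count, salt)
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= seconds:
            return count / elapsed


def dictionary_exposure_hours(guess_rate: float, records: int, wordlist: int) -> float:
    """Hours needed to try every wordlist entry against every leaked record.
    Per-user salts make the work records * wordlist; the salt does not shrink
    it, only a slower hash does."""
    return records * wordlist / guess_rate / 3600


def risk_summary(records: int = 50_000_000, wordlist: int = 10_000) -> dict:
    """Compare both schemes for a breach of `records` users checked against a
    wordlist of `wordlist` common passwords (constructed sizes, not any real breach)."""
    fast = measure_guess_rate(sha256_salted)
    slow = measure_guess_rate(pbkdf2_salted)
    return {
        "sha256_guesses_per_s": fast,
        "pbkdf2_guesses_per_s": slow,
        "sha256_exposure_hours": dictionary_exposure_hours(fast, records, wordlist),
        "pbkdf2_exposure_hours": dictionary_exposure_hours(slow, records, wordlist),
    }


if __name__ == "__main__":
    rec = make_record(sha256_salted, b"correct horse")
    assert verify(sha256_salted, rec, b"correct horse")
    for key, value in risk_summary().items():
        print(f"{key:>22}: {value:,.1f}")
    # Whatever the numbers on your machine, the cost is finite and unknown to
    # the victim, so expiring every password is what removes the uncertainty.
```

The PBKDF2 figure is orders of magnitude smaller than the SHA-256 one, but it is still a number; that is the argument for the mandatory reset.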

As I mentioned earlier, Vudu also recently had a breach. Here is the email I received regarding that one:

Dear alan,
We want to let you know that there was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives.
Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It's important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives.
While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft. So we think it's best to be proactive and ask that you be proactive as well.
SECURITY PRECAUTIONS:
If you had a password set on the VUDU site, we have taken the precaution of expiring and resetting that password. To create a new password, go to
www.vudu.com. Click the "Sign In" button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired VUDU password on any other sites, we strongly recommend that you change it on those sites as well.
As always, remember that VUDU will never ask you for personal or account information in an e-mail. Please use caution if you receive any emails or phone calls from anyone asking for personal information or directing you to a web site where you are asked to provide personal information.
As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you. We have
FAQs on our web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.
Thank you,
Prasanna Ganesan
Chief Technology Officer, VUDU

Can you see the difference? VUDU also states that the passwords were encrypted and unlikely to be cracked, but nevertheless they have expired everyone’s password forcing you to pick a new one. They are also making arrangements for ID protection for one year.

This makes me feel that VUDU is serious about protecting me and is not sugar-coating or minimizing the consequences of the data breach. To me this is textbook on how to communicate a breach to your customers.

In both cases I don’t blame VUDU or LivingSocial for being victims of data theft. It can and does literally happen to everyone. Also both companies are successful businesses. But as a midsize enterprise how you communicate a breach to your customers can communicate an awful lot.

If your company is the victim of a breach, follow best practices to inform and most importantly protect your customers.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


April 26, 2013

If IBM X-Force were running the IT department

IBM’s X-Force research team recently released their “2012 Trend and Risk Report”. The report is a great look back at last year and is full of metrics and analysis on the kinds of threats and risks seen across the spectrum of different verticals last year in information security. It also has some excellent advice on how to institute and operate a successful information security and risk management program. If you are interested in security (and who isn’t?) you should definitely download it and give it a read.

One section I wanted to highlight and expand on, though, was the “If IBM X-Force were running the IT department” section. Here is the X-Force’s top 10 list to make you more secure. This is especially relevant for mid-market companies who may not have the budget or resources to do everything they might like around risk and threats. If you could check each of these ten off, you would have the foundation of a solid strategy.

1. Perform regular third party external and internal security audits – Many organizations are reluctant to bring in an outside party to conduct security audits. I am not sure if it is a case of not wanting to share dirty laundry with outsiders or a case of “ignorance is bliss”, but either way it is a mistake. Having a security expert come in on a regular basis to give you a “hacker’s eye view” is one of the best ways to see how well your security plan really holds up. My recommendation is a full internal and external audit annually, with external-only audits quarterly if possible.

2. Control your endpoints – This used to be a whole lot easier. The advent of BYOD has made control of your endpoints more like being the sheriff in the Wild West. Of course it is probably futile to try and prohibit BYOD devices from accessing your network, data and applications. A more realistic goal may be to at least have a mobile device management solution in place. The first step is to have policies defining what is acceptable in terms of endpoints, what configurations are required, what applications can be accessed and what security should be installed on them. Regular security scanning, including vulnerability and configuration testing, should be mandatory across the board! Of course traditional company-owned devices are a lot easier to manage and control.

3. Segment sensitive systems and information – You need to treat your high value assets as high value. That means giving them an extra level of protection. This starts with segmenting them off from the rest of the network. Too many mid-size organizations run flat networks where, once you have access to the network, you can see and access everything on it. This is obviously a mistake. High value assets should be segregated from the rest of the network. Access to, and even visibility of, these networks should be on a “need to know” basis. This can be accomplished using VLANs, firewalls, and identity and access control.

4. Protect your network via basics (firewalls, anti-virus, intrusion prevention devices, etc.) – Too many of us are always lusting after and chasing the latest and greatest shiny new technology widgets. A perfect example of this is the latest infatuation with some of the newest threat detection technologies that run incoming packets in sandboxes before allowing them into the network. While new technologies can be exciting and effective, they should not be instituted at the expense of the “meat and potatoes” of your security program. They may not be sexy, but firewalls, AV and IPS are still front line tools for the defense. A recent report by 451 Research about the “Real Cost of Security” by Wendy Nather showed that most CISOs would still pick AV and firewall among their top choices in building out a security program. You should too!

5. Audit your web applications – Web application security is perhaps the hottest area of security today. An increasing percentage of attacks are targeting web applications. SQL injection, cross-site scripting and drive-by attacks have all become all too common in the news. There are different aspects to securing web applications. It starts with secure code development. Building security into the development process is a great way to start with a strong foundation. Just as having a 3rd party audit is a must, an audit of your web application, covering not only the code but the deployed implementation as well, should be performed before an app is deployed and after every change to code and infrastructure. There are any number of firms that can perform this type of test for you.

6. Train end users about phishing and spearphishing – This sounds like a no-brainer, but you would be surprised how many companies don’t take the time for security awareness training. It is even more important today when so many of the most sophisticated attacks actually start with a targeted spearphish aimed at a key person in your organization. Recognizing phishing attempts, and not clicking on links in email, social media or anywhere else unless you are sure of who sent it and where it goes, is a must if you hope to keep your organization out of the next headlines.

7. Search for bad passwords – This can be automated and strong password requirements can be built into many applications today. Passwords still represent one of the weakest links in our security technology. At some point hopefully 2-factor authentication, biometrics and other technologies may make passwords obsolete. But until then we are stuck with them. Passwords like 123456 and password are just not acceptable and should not be allowed. Password managers offer lots of choices so that users don’t have to remember strong passwords. Also requirements to change passwords regularly should be instituted and enforced.

8. Integrate security into every project plan – Microsoft did this years ago with their Trustworthy Computing initiative and it forever changed Windows. Security is too important to be an afterthought bolted on after the fact. Everything you do or plan to do has to be seen through the prism of security. Failing to do so could wind up putting your organization at dire risk.

9. Examine the policies of business partners – We live in an interconnected world; no one exists in a vacuum. Our partners often have to have access to our data and systems in order to work with us. However, they can also represent a vector into our systems for hackers and criminals. You must institute a policy on what 3rd parties have to demonstrate, and how, before they are given access to your network. This should also be regularly audited and re-examined.

10. Have a solid incident response plan – It is not a question of if, but when something is going to happen. Do not let your pride and ego get in the way of putting in place a plan for what to do when you have an incident. While you are at it, you should have a worst case scenario as part of your planning. Today’s threat and risk landscape means you should assume that you will have security incidents. How you respond to these incidents as a mid-market company could mean the difference between the organization surviving or not. Well thought out incident response plans make all of the difference in the world in the fluid, fast moving situations that follow discovery of a security incident.

There is a whole lot more in this great report from the IBM X-Force team. Go download it and read it at least twice!


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


April 22, 2013

Webinar: Who Moved the Cheese in Security

Tomorrow, April 23, 2013 at 2pm Eastern time, my friend Dominique Karg of Alien Vault and I are doing a webinar on “Who Moved the Cheese in Security”. It should be a lot of fun and I invite everyone to listen in and participate.

This grew out of a conversation Dominique and I had after RSA. It was amazing to us that some security executives actually believed that the Cloud, BYOD and such were passing fads, and that soon we would return to traditional networks and traditional security. Talk about putting your head in the sand.

We will discuss not only that the technology has changed, but how. We will also discuss how attacks and attack vectors have changed. Finally, what should you do, and how is success defined?

It should be a great webinar. If you can make it please do.  If not you will be able to listen in to a recording of the webinar, but of course no live questions.  You can register down below or by going to: http://www.alienvault.com/resource-center/tech-talks/who-moved-the-cheese-in-security


April 15, 2013

What is the Real Cost of Security?

You were just hired as the Chief Information Security Officer (CISO) of a mid-market, one-thousand-employee company. Your first day on the job you are told that the company really hasn’t done anything about information security to this point. You need to submit your prioritized plan and budget by the end of the week! What do you do? This is exactly the scenario that Wendy Nather, Senior Research Director of 451 Research, put to literally dozens of CISOs. What they picked, what they think it may cost and the actual cost may really surprise you. Wendy’s new report, “The Real Cost of Security” (warning: this is not free unless you are a 451 client), details her findings and analysis.

I had a chance to sit down and chat with Wendy about the report and its findings for Network World. Below you can listen to our conversation where Wendy provides some detail and depth to the report.

Despite all of the buzz about new and more sophisticated attacks, it was surprising that for the top priorities the oft-maligned technologies of firewall and AV were most often picked. In fact, of the top 7 choices among CISOs, almost all of them are tried and true traditional products. I guess the old “no one ever gets fired for buying IBM” is still true today. According to the report, these are the top 7 recommended technologies:

Figure 1 courtesy of 451 Research

The difference between the purple and gold lines is those that would recommend the technology if all they had was enough for the bare minimum (purple) versus if they had a blank check (gold).

Beyond the top 7, the next tier of choices represents a little more diversity:

Figure 2 courtesy of 451 Research

What was interesting about these next 6 is the wider disparity between the gold and purple lines. This indicates that many CISOs considered these more of an optional choice, but not bare minimum.

I was surprised that App Security and App firewalls were not in the top tier of solutions, given that so many attacks today use Port 80 and Web Apps as their vector of choice.

Bringing up the rear in the survey were the following:


Figure 3 Courtesy of 451 Research

You can see here the very wide disparity between the minimum-requirements and blank-check scenarios. This plainly labels some of these technologies as “nice to haves” but not required. GRC, NAC and Risk Management and Analysis seem to fall into this category by the widest margin. I was disappointed to see Training have such a wide disparity between minimum and blank check. I think that, dollar for dollar, security awareness training for your organization is some of the most effective security you can buy.

Beyond picking what technologies to buy, the cost of security as detailed in the report may surprise you. 451 Research looked at not only the cost of the technologies (not easy getting prices out of vendors), but also added in the cost of actually running these security solutions. When the total cost was figured in, at a minimum an organization is looking at a budget of $250k. A more realistic budget for a 1000 person organization is probably somewhere between $500k and $800k. If you went all the way, you are closer to $1.2m for security! Another metric from the report is that most organizations have about one security admin for every 500 employees.

What about your organization? What technologies have you deployed and what are you planning to deploy? What is your budget? Do you match the 1 to 500 ratio? There is a ton of great info in this report if you buy it or are lucky enough to be a 451 Research customer.

My full conversation with Wendy is here:


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.


April 11, 2013

BYOD Security Scanning

My friends Carl Banzhof and Billy Austin continue to make it happen at iScan Online. This is one of my favorite companies to work with. They are always thinking of new ways to solve problems and fun ways to get the word out. They have been pretty busy too.

After releasing their Android App around RSA, they have been heads down developing the next versions of their apps. Also, they announced that David Raphael, who has worked with Carl and Billy at Citadel and McAfee, has joined the team as Director of Engineering.

Additionally the company exhibited at the MSPWorld event in Orlando last month.  MSPWorld is run by the MSPAlliance which has over 20,000 members.  iScan Online won the prestigious MSPWorld Cup 2013 as the conference MVP.  The BYOD security scanning message was very near and dear to the attendees.

Now this past week the company released what I think is the coolest marketing video I have seen in a while.

I really like this one! You can get a free scan for your Windows, Mac or Android device right now too by heading over to iscanonline.com.

The company will be rolling out some more news soon, so stay tuned. In the meantime the mobile and BYOD security market continues to be white hot. Keep your eye on iScan Online.


April 04, 2013

European Security Blogger Meetup and Awards

I am happy to report that Brian Honan, with a big hand from Jack Daniel and our good friends at Tenable Network Security, is putting on the 2nd annual Security Bloggers Meetup during Infosec Europe.

The European Bloggers Meetup is of course based on the RSA Conference Bloggers Meetup that we hold every year. From what I understand it was a nice get together last year, thanks to Firemon for sponsoring it. Now in this second year they are going to try and add European Security Blogger Awards to the mix as well.

I am both flattered and pleased to see the idea being franchised across the pond. I am waiting to hear all about it and hope to make it out to the event next year!

In the meantime head over to Brian’s blog for details and links to register for the event, nominate blogs and vote.


March 07, 2013

In Search of . . . the Elusive, Serious, Security Professional


I read with a smile Winn Schwartau’s rant in SC Magazine about his disappointment at the RSA show floor. While much of what Winn said is true, instead of blaming the people exhibiting on the show floor, maybe Winn and the rest of the attendees should take a good look in the mirror.

Blaming the exhibitors to me is the same as blaming the spammers for spam. There really is a very easy solution here. The same way that spammers would not be in business if people would not click on spam, exhibitors at trade shows like RSA would adopt different methods if they were not getting the results they want using current methods. The facts are that most every exhibitor at RSA gets the leads they want. On top of this as you saw, RSA had to open another exhibit hall this year. I also hear that perhaps as many as 50 other vendors inquired but were shut out of exhibit space.

As my brother used to say when I gained weight on a diet and claimed I wasn’t getting any food in the house, “someone is sneaking it in”. Whatever they are doing, it is working, so why change it? Here is a fact for Winn and those who consider themselves security pros too serious for what is dished out on the floor at RSA: you are in the minority and perhaps not even the target of the exhibitors.

On the other hand, the attendees at RSA Conference exhibits are quite a bunch. I can’t tell you how many people I see walking around with multiple bags full of tchotchkes and swag. I call them adult trick or treaters. Then there are the guys who take pictures with the booth babes to show their friends. There are the lottery players who get their badge scanned at every booth in the hopes of getting that free iPad. What about the people drawn to the motorcycles and the cars? What does that have to do with security? For far too many of the people walking that show floor, a sales guy collecting their lead info is all that is required. They don’t want to speak to an engineer.

On top of this do you know how much arm twisting you would have to do to get a sales engineer or similar talent to spend the week on the show floor? There is a reason that the people at these booths are the people they are. They are good enough to do the job. As a security company executive how many engineers should I tie up for the week for the 3 or 4 “real security pros” who might walk by? 

Here is the bottom line: RSA is a good place to find out about new companies and technologies. But if you want a deeper dive, you should set up a time after the craziness of the show to do so.

Now don’t get me wrong. I have written for years about the fact that we don’t need booth babes. On top of that I understand that most of the booths are manned by marketing and junior sales people who don’t know enough about the technology. Too many of the marketing people try to cover up not having a good message about what they do and why we must have their product with fancy, glitzy marketing.

The fact is that the exhibits at RSA are not any different than the exhibits at Black Hat, Infosec or any number of large security conferences. The tracks at RSA are in my opinion superior, but that is neither here nor there. As an exhibit floor, RSA represents the industry, only maybe bigger. Just because it is larger, why should we expect a higher level of technical prowess at the booth?

Speaking as an executive of a firm that exhibited at RSA for more than a few years, I can tell you that getting real live “security pros” like Winn to the booth is a pretty rare occurrence. The best we could hope for was to collect names and sift through them, separating the real leads from the fluff. We would take one sales engineer (usually the west coast guy) in case someone had a real question. Other than that we made sure everyone could demo the product and knew the high points.

I am not sure what Winn wants, but I know that what the show floor represents at RSA is what the attendees respond to. It is the free market at work. If enough so called security pros stay away from the booth babes, refuse to be scanned and truly walk away from Joe the sales guy, the exhibitors will change their tactics. But until that happens the blame rests squarely in the mirror.

Enhanced by Zemanta

APT – It can happen to anyone, especially you

This past RSA was a memorable one for several reasons. First of all I was glad to see the security industry move off of compliance as its reason for being. Compliance had taken the industry hostage for too many years. It seems that we are now finally focusing back on security and preventing breaches rather than some lowest-common-denominator checkbox model. I think in the long run we will all be more secure for this.

Another thing I saw at RSA was the idea of security using virtualization. It is not just securing virtual environments, but it is using hardened virtual containers to run code and apps to make sure they are not malware and they can’t do any harm to our devices. These hardened virtual containers run on our devices or they can run in the cloud or anywhere in between. The important thing is they can’t (supposedly anyway) get to anything valuable on our networks. If this pans out, it could have a profound impact on the way we secure our data in every segment of the market.

Perhaps one of the biggest trends though was the realization that we are under attack by very sophisticated forces, perhaps even nation states who are using very sophisticated and highly organized techniques. The report by security company Mandiant on the alleged acts by a unit of the Chinese PLA codenamed APT1 was chilling.

The thing about APT attacks is that no matter whether you are a big company or small, government related or not, you are a target. Midmarket companies should not be fooled into a false sense of security that these attacks are not aimed at you. They are! If you have IP that could be valuable, you are a target. Manufacturing, media, technology and financial companies are all potential targets. Not to be an alarmist, but if you are not doing something about defending yourself against this type of breach, you are foolish.

The good news is that many of these attacks, while they use 0-day attacks and other unknown exploits, almost always start with a simple spearphishing attempt or something similar. Most of these attacks still succeed because the weakest link is still the person behind the keyboard. In this regard security awareness training is still a strong tool. If you can afford a 3rd party to come in and implement a security training program, you should do so. If not, there are plenty of web resources available that you can put together and make your own. So much of this is common sense about not clicking on links you aren’t sure about.

Of course there is no guarantee that even with all of the security awareness training in the world you will prevent an attack from being successful. That is why it is also important to have a plan in place for what to do when something happens. Don’t wait until something happens to figure out what you should do. Assume something is going to happen.

Planning for a breach is as important as trying to prevent a breach. This is as important for a midsize firm as it is for a large firm. In fact many security experts say that midsize firms are more of a target than some of the larger organizations. So again, not to be a scaremonger, but you should be planning this for your company right now. There are 3rd parties who can really help with this. IBM and their partners have lots of options. But there are plenty of resources available on the web that you can use to craft your own plan as well. Don’t let budget stand in the way of your preparedness.

I will write up some more news from RSA around BYOD, Big Data and the Cloud in my next report so stay tuned.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

March 06, 2013

Webcast on User Activity Monitoring with Spectorsoft and SC Magazine

My friends at SpectorSoft, makers of Spector 360, have invited me to participate in a webinar next Wednesday, the 13th, at 2pm eastern time, 10am pacific time. The webinar is entitled “Getting More Out of DLP”. It will cover how using Spector 360 can enhance your DLP coverage and give you greater control over your confidential data.

The webinar is being conducted along with the great people over at SC Magazine. 

If you can’t make it live, there will be taped versions available, but no questions then.  You can register for the webinar here.

Hope to hear or see you next Wednesday!

March 02, 2013

Microsoft Trustworthy Computing Sponsors Security Bloggers Network

I am very pleased to report that once again the good folks over at Microsoft's Trustworthy Computing Group have agreed to sponsor the Security Bloggers Network.  The SBN has a long history of working with TWC and we are happy to work with them again.

Microsoft is holding their second annual Security Development Conference in San Francisco, May 14-15, 2013. The conference will feature Scott Charney, Corporate VP Trustworthy Computing, Microsoft; Edna M Conway, Chief Security Strategist Global Supply Chain, Cisco Systems; and Brad Arkin, Senior Director of Security, Adobe Secure Software Engineering Team (ASSET).

Conference specialty tracks target three different types of professionals: Engineers, Project Management, and Leadership. Combining keynotes from thought leaders as well as specialized breakout sessions, this conference is a can’t-miss for security professionals at any level. You can register now and use this code to save $300 off the registration price: SBN@SDC#13!

I had a chance to chat with director of TWC Tim Rains. We were going to talk about the conference, but Tim and I started talking about the TWC, the world of security and what the challenges on the horizon are. By the time we were done, we never got to the conference, LOL!

Anyway, I think you will find the conversation very interesting. Enjoy, and go to the conference if you can.

March 01, 2013

Security Blogger Award Winners 2013

Well, it was an epic Security Blogger Meetup and awards this year. In many ways it was the best one we have had. But nothing is perfect and we are already planning to be bigger, better and more inclusive next year. In the meantime I know many folks have been waiting to see who the winners of the Social Security Blogger Awards were. So without further ado, for the record here are the nominees and winners:

Best Corporate Security Blog

Other nominees:

McAfee Blog

CloudFlare Blog

SecureWorks Blog

Solutionary Minds Blog

Kaspersky Lab Securelist Blog

Veracode Blog

Trend Micro Blog

And the winner is:

Naked Security Blog

Best Security Podcast

Other nominees:

Liquidmatrix Security Digest

EuroTrashSecurity

SANS Internet Storm Center

Southern Fried Security

Risky Business

Sophos Security Chet Chat

And the winner is:

Paul Dotcom

The Most Educational Security Blog

Other nominees:

BH Consulting's Security Watch Blog

Security Uncorked Blog

Dr. Kees Leune's Blog

Securosis Blog

Social-Engineer.org Blog

Critical Watch Blog

The Security Skeptic Blog

The New School of Information Security Blog

And the winner is:

Krebs On Security

The Most Entertaining Security Blog

Other nominees:

Packet Pushers Blog

Securosis Blog

Errata Security Blog

Naked Security Blog

Uncommon Sense Security Blog

PSilvas Blog

And the winner is:

J4VV4D's Blog

The Blog That Best Represents The Security Industry

Other nominees:

SpiderLabs Anterior Blog

1 Raindrop Blog

Naked Security Blog

The Firewall (Forbes) Blog

Threat Level (Wired) Blog

Securosis Blog

Michael Peters Blog

And the winner is:

Krebs On Security Blog

The Single Best Blog Post or Podcast Of The Year

Other nominees:

The Epic Hacking of Mat Honan and Our Identity Challenge

Application Security Debt and Application Interest Rates

Why XSS is serious business (and why Tesco needs to pay attention)

Levelling up in the real world

Secure Business Growth, Corporate Responsibility with Ben Tomhave

And the winner is:

Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)

The Security Bloggers Hall Of Fame

The other nominees are:

Richard Bejtlich

Gunnar Peterson

Naked Security Blog

Wendy Nather

And the winner is:

Jack Daniel

Congratulations to all of the nominees and of course congrats to the winners. See you next year at the Security Bloggers Meetup. If you did not get an invite this year, be sure to write to info@securitybloggersnetwork.com requesting to add your blog and be on the list!

Special thanks to our sponsors: Qualys, Sourcefire, Akamai, Fortinet, Barracuda Networks and Jeanne Friedman and the RSA Conference!  Also a special shout out to Trainer Communications for helping with the voting as always!

February 27, 2013

Why Not Everyone Can Come to the Security Bloggers Meetup

Rich Mogull has a good post up about the security bloggers meetup today. It gives the history and details of how and why we started the Security Bloggers Meetup. I don’t disagree with anything he has to say.

On the other hand I am here in San Francisco. Seeing some of you whom I consider my friends upset about not being invited to a party is upsetting to me. If you know me, you know that I would gladly take dollars out of my pocket and make sure you drink, eat and have a good time. But really that is not what it is about. As Rich said, we have a waiting list for sponsors, so money is not the issue.

There are two issues at play here and they are very different. I want to make sure we understand that.

Issue 1: This is a party for the bloggers by the bloggers. As Rich wrote, that has always been the idea behind the bloggers meetup and the blogger awards. It is a marketing free zone. No PR, no marketing, only bloggers. If you don’t blog, podcast or write about security, you should not be there. Have people been admitted in years past who didn’t blog? Yes. Some names always sneak in that we don’t catch. If you were lucky enough to get in one year, that doesn’t mean you will next year or even this year though.

Will this change in the future? I really don’t think so, though I think we need to do a better job of defining what qualifies. We will get started on that as soon as this year’s event is in the books.

Issue 2: Just because you are invited, whom can you bring with you? I hear you on this one. I brought my wife out with me to RSA this year for the first time. If she had not already gone home, I would be hard pressed not to bring her with me to the party. Same goes for your significant other, best friend, partying buddy, etc. But guys, it really becomes an issue of space. The location has capacity rules; if we go over, the SFFD can close the whole thing down. We can’t do it. As Rich said, we will look into a bigger place for next year and look at how we accommodate these kinds of requests. But for this year, the cake is already baked.

So if I or any of us have offended you, pissed you off or you think we are being arbitrary and capricious, please forgive us. We really do try to throw the best party and awards we can for the security blogger community! Write to me with suggestions and we will do better next year.

For those two hundred or so of you who did get an invite, I am looking forward to lifting a glass and catching up.

February 25, 2013

Alert Logic Partner Pavilion at RSA 2013

RSA Conference is THE information security event of the year. As part of my coverage of this year’s conference I did a series of podcasts with some cloud/hosting providers who are exhibiting in the Alert Logic Partner Pavilion. This is the third in the series and is with Urvish Vashi, VP of marketing at Alert Logic.

I have known Urvish for over 10 years, since our time together at Interliant. Urvish was the force behind the Partner Pavilion for Alert Logic this year. Having 5 of the leading hosting/cloud providers exhibiting at the world’s largest security conference may at first blush seem a stretch. After all, are these cloud providers security providers? Yes they are!

Urvish's point is that with partners like Alert Logic, these cloud providers are providing a wide range of best-in-breed cloud security services.

This is just a short 15 minute or so interview, but Urvish gives us some great insights.  Check out what he has to say and be sure to visit the Alert Logic Partner Pavilion on the show floor at RSA!

RSA 2013 Navisite at the Alert Logic Partner Pavilion

RSA Conference is THE information security event of the year. As part of my coverage of this year’s conference I did a series of podcasts with some cloud/hosting providers who are exhibiting in the Alert Logic Partner Pavilion. This is the second in the series, with Chris Patterson of Navisite.

My friends at Alert Logic have 5 of the largest cloud and hosting providers in the world exhibiting with them this year. I thought it was worthwhile to explore why these cloud/hosting providers were exhibiting at the largest security conference in the world.

I caught up with Chris Patterson, VP of Product Management at Navisite. Chris is one of the driving forces behind the Navi cloud. He also has some great insight into the state of cloud security and what market drivers are influencing the direction of future innovation.

Chris shares some great insight into Navisite's offerings including not just cloud, but security, managed desktop and the state of the market.

SunGard Availability Services at RSA 2013

RSA Conference is THE information security event of the year. Kicking off my coverage of RSA this year is a series of podcasts I did with cloud/hosting providers who are exhibiting this year in the partner pavilion of Alert Logic.  

My friends at Alert Logic have 5 of the largest hosting/cloud providers in the world exhibiting with them. I was curious why these cloud and hosting providers wanted to exhibit at a security conference.

The first provider I spoke with was SunGard, specifically SunGard Availability Services. I spoke with Cara Camping, Product Manager, Managed Security Services for SunGard AS. Cara talks about SunGard's approach to security in depth, why they partner with Alert Logic and what they expect from exhibiting at RSA Conference.

Below are two slides that Cara references in our discussion:

Image1

Slide 2

February 21, 2013

Life Outside the Audit Zone

Last week I wrote a “Tales from the PCI Crypt” blog article in regard to the findings of iScan Online that many of the merchants they scanned had credit card data contained in their email files. The fallout from that was that many organizations only worry about what is in their “audit zone”. What is the audit zone? It is those devices and those parts of your IT infrastructure that are subject to regulatory compliance or other types of audit. It may also include your policies and processes that are subject to audit as well.

A popular strategy for dealing with compliance audits, especially in the mid-market, has been to move as much as possible “outside the scope” of the audit. In PCI for instance, if a device is not involved in the recording, storing or transmitting of cardholder data, it is usually not subject to a QSA or other type of PCI audit. But as my friends at iScan Online found out, that is not necessarily the case. Technically these devices are subject to PCI audit, because they do hold cardholder data; yet when the auditor asks, they are usually excluded because they supposedly don’t “touch” the cardholder data environment. But in fact they do!

A bigger issue though is that most organizations, especially in the midmarket, seek to do as little as possible to pass compliance. Compliance becomes a substitute for being secure. In the iScan Online case for instance, it was more important to say that salespeople’s cell phones and tablets are not part of the cardholder data environment so that they were “outside the scope” of PCI. But it turns out those devices were vulnerable and had card data. A breach on those devices would not only have PCI consequences, but it could have more dire consequences to the bottom line. For instance, according to several breach reports the average cost of a record lost is between 200 and 300 dollars. The average breach has a few thousand records lost. Do the math. That is enough to crater many smaller and midsize companies.

As we are seeing in many IBM Midmarket highlights such as this one on the Huffington Post, small and medium businesses are moving more and more to mobile, phones and tablets. If anyone thinks moving to mobile moves these devices outside of the audit zone, they are mistaken. Even if they are not being audited, they represent security risks that must be addressed. You need a strategy for these devices outside of your audit zone.

A successful strategy has to go outside of the audit zone. You need to look at your real security and risk factors. Don’t be fooled into thinking that minimizing your audit profile minimizes your risk. In fact it could be just the opposite: minimizing your audit profile could come at the expense of increasing your risk.

This dilemma is the result of the compliance-at-all-costs mentality which has ruled in infosec for these past years. Checkbox security for compliance’s sake alone gives us a false sense of security. It does more harm than good. So next time you are looking at a compliance audit, try to think outside the audit zone and do what is best for the security and risk of your organization.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

Where is AShimmy at RSA?

You can feel the pace rising to a crescendo, you sense it coming. But don’t look now, RSA is just next week. The last two months have been pretty much a blur in getting ready for the big conference. As usual I should have done 12 things I didn’t, but the dozens of things I have done are going to have to be enough.

I am happy to be chairing two panels during RSA week this year. The first is on Monday, the 25th (also my 23rd wedding anniversary) at the annual and well attended Americas Growth Capital Conference, over at the Westin. The panel I am chairing is at 11:30 a.m.

The topic is Cloud Security Services: The Evolution Continues.

Here is the abstract:

With the initial gold rush to the cloud it seemed that every security vendor was pushing a cloud security service. Every security company had to have their “story on the cloud” for customers, analysts and investors. But over the months and years we have seen a steady evolution of cloud security services beyond those early “everything but the kitchen sink” strategies.

More than just putting data and analysis off premises, today’s cloud security services are truly leveraging the unique features of the cloud like elasticity, massive scale and instant on provisioning.

Just because you can do it in the cloud doesn’t mean the cloud is the best place to do it. As we move beyond the explosion of cloud security services, which types of security services are best suited to the cloud? Which cloud security services will have markets large enough to create substantial business opportunity? Which cloud security services are so disruptive that they will eliminate or replace non-cloud based security services?

Evolution can be a cruel master, only the strong survive. The losers fall into the trash heap of history. Our panel will tell you who the winners will be in cloud security services.

I am joined on the panel by:

Matthew Prince, Co-Founder, Chief Executive Officer, CloudFlare

Dave DeWalt, Chief Executive Officer, Chairman, FireEye, Chairman, Mandiant

Jay Chaudhry, Founder, Chief Executive Officer, Zscaler

Stuart Scholly, President, Prolexic

Carson Sweet, Co-Founder and CEO of CloudPassage

It should be a great panel!

Then on Wednesday I am chairing a great panel at RSA at 9:20 am in room 304 on IPv6 Vulnerability Management: From Theory to Reality. The agenda:

Join the leading lights of the vulnerability management industry as they carry forward their discussion on the challenges of managing vulnerabilities and network security in an IPv6 network. Where last year the discussion was theoretical, this year’s panel will focus on actual case studies of standing IPv6 networks in govt., retail, large enterprise and the cloud.

My fantastic panel for this one is:

Wolfgang Kandek - Chief Technology Officer, Qualys
Ron Gula - Chief Executive Officer and Chief Technical Officer, Tenable Network Security
HD Moore - Chief Security Officer, Rapid7
Tim Keanini - Chief Research Officer, nCircle
Misha Govshteyn - Vice President Emerging Products, Alert Logic

Besides that I will of course be at the Security Bloggers Meetup and Security Blogger Awards on Wednesday. Otherwise I will be in and out of meetings and sessions, parties at night and usually at the W bar before heading in for the night. If you see me, be sure to say hi.

Enjoy RSA, let the fun begin!

February 12, 2013

Illuminating the Dark Matter of your network with iScan Online’s Opportunistic Scanning

I have written recently about two friends of mine from the security industry, Carl Banzhof and Billy Austin, and a company they started called iScan Online. Carl and Billy first told me what they were thinking about last spring or so. Over the next months they kept me in the loop as they continued to develop. Over the summer they showed me early versions of a new kind of security scanner they had developed. They started offering free scans in the fall and today they officially launched iScan Online.

I have been very impressed with what Carl and Billy are doing. So impressed in fact that I have been helping them with the launch activities and consulting with them over the last few weeks. I really like what they are doing and the space they play in. Utilizing the cloud for a SaaS based security scanner, they actually do internal scanning on any device, anytime, anywhere. The internal scan is done on the endpoint itself, so no hardware or virtual appliance is necessary, and no complicated software. Fast and accurate, it is a great security tool for a BYOD world. They call it Opportunistic Scanning.

The company has written a white paper that I really like and even helped with, that explains what they do. It talks about the dark matter of your network. What is the dark matter of your network? Well, like the dark matter of our universe, it makes up a large percentage of the mass of your network. These dark devices access your network, but are largely invisible to your current vulnerability management solutions. They are not always on, are not in your office regularly and are not static desktops, servers or infrastructure. Nevertheless they represent a significant risk to your security. Using iScan Online you can gain visibility into this dark matter. You can download the white paper (without the usual “give me your contact info”) right now from the web site here.

The scans are quick and easy, delivered via a web browser plug-in, command line or API. They work on PCs and Macs, with mobile apps coming very soon. The scans themselves are done on the endpoints, so thousands of scans can be done at once. iScan Online can run traditional vulnerability scans, compliance scans (PCI, HIPAA) and data scans (PAN, PII). You get instant reports per device and there is a cloud based portal for organization wide reporting that is pretty sophisticated. You can get a free scan right now so you can see for yourself what it does and how it works. Go check it out.

Carl and Billy have a lot of experience in this area. Both guys worked at Citadel Security, makers of the Hercules Patch management solution. Carl was the CTO there. Billy went on to be the CSO at SAINT, a vulnerability management company. After the sale of Citadel to McAfee, Carl was a VP over there continuing to work on endpoint security.  Both Carl and Billy are really passionate about what they are doing. iScan Online has already attracted seed investment from a strategic investor and will be expanding in the near future with more capabilities, as well as sales and marketing activities.

I really do like what they have done and how they are doing it. I think this represents a “next gen” approach to vulnerability management, just when we need one. BYOD, mobile and remote workers and offices have left a gap in our vulnerability management coverage. iScan Online’s opportunistic scanning is a great solution to fill that gap. I am looking forward to seeing how the market responds and am happy to be helping them.

Also many thanks to Mike Rothman of Securosis for allowing iScan Online to put a quote from the Securosis Evolution of Vulnerability Management research in the release. What Mike wrote is dead on to the issues that iScan Online solves.

February 08, 2013

Ich Ben Ein Bit9er

“Two thousand years ago the proudest boast was civis Romanus sum ["I am a Roman citizen"]. Today, in the world of freedom, the proudest boast is "Ich bin ein Berliner!"... All free men, wherever they may live, are citizens of Berlin, and, therefore, as a free man, I take pride in the words "Ich bin ein Berliner!" ~ President John F. Kennedy, Berlin, June 1963

I, along with many of you, was horrified when we read Brian Krebs’ post today about security firm Bit9 being the victim of a hack that allowed malware, digitally signed by Bit9 themselves, into their customers’ software. Shortly after, Bit9 confirmed this with a blog post of their own detailing what happened.

As you have read, it seems some Bit9 assets were not protected with Bit9 software itself; they were compromised and allowed the perps to do their evil deed. As Jeremiah Grossman says in Brian’s article, obviously Bit9 was only the means to the ends in this attack. By using Bit9 as a conduit into their customers, including some sensitive government networks and Fortune 100 customers, they were able to infiltrate, and we don’t know what the full results of that are yet. Nevertheless this is probably every security company’s worst nightmare. When the security company becomes the risk, it is not a good thing.

Shortly thereafter I started seeing posts on my Facebook timeline of friends in the security business putting up memes with things like “Why the F*^k is my security vendor sending me digitally signed malware?” But I am sure the Bit9 folks are asking themselves the same question. In fact, as my friend Don MacVittie said in a comment on one of those memes, it is a bad day to be over there.

How right Don is. It is a bad day to be at Bit9. I have friends who work at Bit9. My heart goes out to them. This is not the first time a security company has been hacked. It happened to RSA not too long ago and it has happened before that. Here is a news flash: it will happen again too.

In fact it can and does happen to any one of us. We are all one step away. In fact, as part of being in the security profession, we are high-profile targets for hackers who want to make a statement. I know this first hand from when I was hacked years ago. It really can be any one of us. There is no joy in security-ville about one of our own being subjected to this.

I am sure there will be sales people at competitors of Bit9 who will try to move on their customers by leading with this. I say a pox upon them. Anyone who stoops to such tactics to make a sale is beneath the standards that should be acceptable.

The security industry has matured over the last few years. At least I hope so. At times like this we should close ranks as an industry. We should say as John F. Kennedy said back in 1963. On days like today we are all Bit9’ers. That is the message that we should send as an industry to the type of people who do this. We stand together and are more committed than ever to stopping these criminals from doing what they do. On this day the security industry should stand and say “Ich bin ein Bit9er”.

February 07, 2013

Tales from the PCI Crypt: Life outside the PCI Audit Zone

My friend Billy Austin is a co-founder of a new company called iScan Online. They perform scans on endpoints of all types on what they call an opportunistic basis. You can read all about them on their website and stand by for some big news coming out from Billy, Carl Banzhof and team.

iScan Online is really great for the new PCI internal scanning requirements (11.2 of the DSS). But Billy made a great point in a recent blog post he wrote. Billy noted that by doing a data scan for PAN (primary account numbers), in an ungodly number of instances they turned up credit card data in merchants’ email. The typical scenario was a sales person (usually remote) or order taker who takes an order over the phone or in person and then “writes it up” for the processing department. They send the order over via email (usually not encrypted) and of course a copy of the sent mail is stored on the sender’s machine. Yikes!

Billy makes an excellent point. The person who receives this mail in most instances will enter the order into a PCI compliant terminal and network. They will probably even delete the email with the card data when they are done. For all intents and purposes they are PCI compliant. But what about that sales guy or gal who “lives outside the PCI Audit Zone”?

Those folks are usually not scanned or subject to the higher PCI standards because on the surface they are isolated from the card processing infrastructure that a QSA looks at or that we normally think of in terms of PCI.

As Billy also points out, too many of us in the PCI world shrug our shoulders and give you the “sorry, outside the scope” face. Billy calls BS on this and so do I. It is BS. This is card data that is being floated around in regular email and is being stored on usually non-encrypted mobile devices which could be easily lost or stolen.
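Added example (not iScan Online's code or anything from this post): a small Python data-discovery pass of the kind Billy describes here and in the “Life Outside the Audit Zone” post above, run over a constructed sent-mail sample. Candidate digit runs are Luhn-checked and then thinned with a hypothetical issuer-prefix list, and findings are reported masked (first six and last four digits) so the scan report does not itself become another copy of the PAN.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a "written up" phone order sitting in a sender's
# sent-mail folder, the scenario the post describes. The card numbers are
# public test PANs (Visa 4111..., Mastercard 5500...), not real accounts.
SAMPLE_SENT_MAIL = """From: sales-rep@example.test
To: orders@example.test
Subject: Phone order - Acme Corp

Customer wants 3 units. Card: 4111 1111 1111 1111, exp 05/15.
Reference ticket 5555-4444-3333-2222 (ticket id, fails the Luhn check).
Backup card 5500-0000-0000-0004.
Order id 1234567890123452 passes Luhn but carries no card issuer prefix.
"""

# Runs of 13 to 19 digits, optionally separated by spaces or dashes, that are
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hypothetical issuer-prefix (IIN) list used to thin out Luhn-valid noise such
# as order or ticket numbers; a production scanner would use a fuller table.
IIN_PREFIXES = ("4", "34", "37", "51", "52", "53", "54", "55", "6011", "65")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str


def find_pans(text: str) -> list[Finding]:
    """Scan message text and return masked findings for likely card numbers."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not 13 <= len(digits) <= 19:
                continue
            if not luhn_ok(digits):          # drops the ticket id on line 6
                continue
            if not digits.startswith(IIN_PREFIXES):   # drops the order id on line 8
                continue
            findings.append(Finding(line_no, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for f in find_pans(SAMPLE_SENT_MAIL):
        print(f"line {f.line_no}: {f.masked_pan}")
```

On the sample this reports only the two genuine test cards (lines 5 and 7), masked; the same pass over an exported mailbox is what turns an “outside the scope” claim into something you can actually check.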

If we are going to truly give a rat’s you-know-what about doing something about credit card data being stolen, we need to be thinking about life outside the PCI Audit Zone. We need to be thinking about who in an organization comes into contact with card data. If they do, we need to make sure they are following PCI standards as well.

It makes no sense guarding just the castle when the valuables can be reached from an outhouse. We need to think about life outside the Audit Zone.

Good job, Billy, bringing this blind spot to our attention for another tale from the PCI Crypt.

January 28, 2013

Security Blogger Awards Finalist Voting Is Now Open!

Well, finally I am happy to report that the finalists have been selected and voting for the 5th annual Social Security Blogger Awards is now open! I know many of you did not understand and were confused by the preliminary rounds of voting. However, our new method of picking finalists has resulted in what we think is our strongest group of finalists ever.

We have many of the blogs and podcasts that have been nominated before (quality is quality), but we also have many new or never before nominated sites as well.  Many thanks to our all star panel of judges who nominated some of the finalists – Bill Brenner of CSO, Kelly Jackson-Higgins of Dark Reading, Wendy Nather of The 451 Group and none other than Beaker himself, Chris Hoff.

Also many thanks to all of the blogs and podcasts who requested to be nominated. Whether you made the finals or not, keep blogging.

You can go vote for your picks here. As in years past, to vote in the finals you have to be a security blogger or podcaster yourself.  All votes are reviewed by humans, so please just vote once and don’t try to game the system.

Special thanks to Trainer Communications for all of the help with the voting. Also special thanks to the sponsors of the Bloggers Meetup – Qualys, Fortinet, Sourcefire, Akamai, Barracuda Networks and RSA Conference.

Here are the finalists. Good luck to them all! Of course, winners will be announced at the Bloggers Meetup at RSA Conference 2013.

Best Corporate Security Blog

McAfee Blog

CloudFlare Blog

SecureWorks Blog

Solutionary Minds Blog

Kaspersky Lab Securelist Blog

Veracode Blog

Trend Micro Blog

Naked Security Blog

Best Security Podcast

Liquidmatrix Security Digest

EuroTrashSecurity

Paul Dotcom

SANS Internet Storm Center

Southern Fried Security

Risky Business

Sophos Security Chet Chat

The Most Educational Security Blog

BH Consulting's Security Watch Blog

Security Uncorked Blog

Dr. Kees Leune's Blog

Securosis Blog

Social-Engineer.org Blog

Critical Watch Blog

The Security Skeptic Blog

Krebs On Security

The New School of Information Security Blog

The Most Entertaining Security Blog

Packet Pushers Blog

J4VV4D's Blog

Securosis Blog

Errata Security Blog

Naked Security Blog

Uncommon Sense Security Blog

PSilvas Blog

The Blog That Best Represents The Security Industry

SpiderLabs Anterior Blog

Krebs On Security Blog

1 Raindrop Blog

Naked Security Blog

The Firewall (Forbes) Blog

Threat Level (Wired) Blog

Securosis Blog

Michael Peters Blog

The Single Best Blog Post or Podcast Of The Year

The Epic Hacking of Mat Honan and Our Identity Challenge

Application Security Debt and Application Interest Rates

Why XSS is serious business (and why Tesco needs to pay attention)

Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)

Levelling up in the real world

Secure Business Growth, Corporate Responsibility with Ben Tomhave

The Security Bloggers Hall Of Fame

Jack Daniel

Richard Bejtlich

Gunnar Peterson

Naked Security Blog

Wendy Nather


January 25, 2013

HIPAA Fines for Smaller Breaches Spells Trouble for Midmarket Healthcare

A small hospice in Northern Idaho was fined Fifty Thousand Dollars by the Department of Health and Human Services (HHS) for a breach that involved the loss of just a few hundred patient records. This marks the first time that a breach of fewer than 500 medical records drew a fine from HHS. This could be a message that smaller health care providers are now squarely in the sights of the HIPAA enforcement authorities.

The Hospice of Northern Idaho was the victim of the data breach when an unencrypted laptop containing patients' personally identifiable information (PII) was stolen from a worker's car. Though the thief was apprehended, the laptop was never recovered. Luckily, it seems none of the sensitive information was used for any type of fraud or theft.

The Hospice itself has only about 100 employees and an equal number of volunteers, yet it claims to serve thousands in its community. The bigger picture, though, is that this could have been any midsize or smaller health care provider. The Hospice is a non-profit and the 50k fine will cut deep. Think about what a 50k fine would do to any midmarket business. HIPAA is not just for large health care providers anymore.

One of the factors at play here is the fact that the stolen laptop data was not encrypted. HIPAA regulations call for the encryption of all PII. Many speculate that the reason the HHS came down hard on the hospice is not that the laptop was stolen, but that the data was not encrypted.

There are many options to encrypt your data and disks today. On Windows laptops, Microsoft itself offers a disk encryption tool. There are free, open source encryption tools such as TrueCrypt that can also do the job without costing anything for the software. If the data had been encrypted, the PII would have been useless even though the laptop was stolen.

Encryption regulations are not just for health care providers and HIPAA. Other regulations like PCI DSS also call for the encryption of confidential data. Whether you keep this data only on servers or on laptops and other endpoints (phones and tablets offer data encryption options as well), you need to be encrypting confidential data.

Although the number of records lost here was not large, it should serve as a wake-up call that this kind of thing can happen to any organization. Don't be the next example made by HHS or the PCI Council; take the time to encrypt your confidential data today.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Blog powered by TypePad
Member since 10/2005