The State of Being Secure: A Primer on Security in your Organization

by Karel Gonzalez, Senior Software Engineer

A few weeks ago, I had the opportunity to attend the Lonestar Application Security Conference here in Austin. Security is something I have always been mindful of during my development, but I still felt a sense of futility about it. I ask myself on a fairly regular basis, “I’m doing something, but am I doing enough?”

Mobile Device Security in an Insecure World

by John Kulas, Bridge360 Software Security Analyst

It’s all but futile to resist mobile devices. They’re everywhere, and because of their convenience and portability they have become an integral part of how we live and work, shrinking with every generation as we approach the day we ditch handheld computers for subcutaneous implants and reach our UI with the blink of an eye. Until that day comes, the very convenience and portability that make our mobile devices so, well… convenient also create their greatest security risks.

The first, rather obvious, security issue is that these devices travel in our hands, purses and pockets when we’re out and about, which makes them droppable, snatchable and forgettable. You may have heard of smartphones being lifted from the purses and shopping bags of European tourists. In the USA, people are more likely to set the device on a counter or table for a moment, where it can be grabbed or forgotten. Or someone might pickpocket the device in a crowded place, such as a bus, a train or the entrance to a theatre.

Let’s look at a few other possible security issues (some obvious, some you may not have thought of) with mobile devices, and a few of the clever security precautions now offered on the latest technology.

The first defense against someone else obtaining your handheld device is to have the screen lock activated and to install a “remote wipe” capability. The two work together: the lock buys time, and the wipe makes the lost data worthless.

A screen lock on a mobile device is very similar to your desktop or laptop’s screen lock: to access the information within, the person must enter a code. The lock should also engage on its own after a few moments of inactivity, so that a device set down unlocked does not stay that way. On some devices, after a person tries and fails a few times to unlock it, the screen lock silently uses the device’s camera to email a picture of that person to the owner. A screen lock is a standard feature on most devices; the practical caveat is that it is only as strong as the code you choose, and a short, guessable code (a birthday, “1234”) gives a thief little to overcome.

“Remote wipe” is the capability to erase all the information on a device: the owner logs on to a website to request the erasure, and the command executes the next time the missing device connects to the Internet. Some desktops and laptops have this capability as well. There are free and fee-based remote-wipe products available. One caveat worth knowing: if whoever has the device keeps it offline (powered down, in airplane mode, or with the SIM removed), the wipe command never arrives, which is exactly why the screen lock remains your first line of defense.

If your handheld were lost and you performed a remote wipe, could you recover all of your data from backups? People often do not realize how much information they are storing on their phones or tablets until they lose them. Most devices have some backup or synchronization process to a website for contact lists, but to-do lists, notes and photographs are not always backed up automatically. It is worth checking now, while the device is still in your hand, what actually gets backed up and when it last happened.

A slightly more subtle theft tactic is the use of “free” wireless. As you walk around, your handheld may alert you to available “free” unsecured wireless service, or it may connect automatically, depending on your device’s configuration. Hackers have been known to operate unsecured wireless access points, particularly in airports, coffee houses and other places where lots of people pass through, just so they can capture the network traffic and steal information. Your device should be configured to connect only when you explicitly tell it to, and you should be careful about what you connect to. Even on a hotspot you trust, treat the network as shared with strangers: anything that is not encrypted end to end (an HTTPS connection or a VPN) can be read by whoever is running, or listening on, that network.

Another subtle tactic takes advantage of your device’s Bluetooth capability. If your device’s Bluetooth is always on, always discoverable, and set to accept connections automatically, then a hacker nearby could listen in on your telephone conversations and gain access to your phone’s information. Even if you have never used Bluetooth on your handheld device, you should check the settings so you are not inadvertently exposed to this kind of attack.

With the ubiquitous freedom to compute whenever and wherever you want comes the responsibility to protect your data and device. Luckily, the engineers who design these devices and their apps are pretty smart too. Stay on the lookout for new ways and applications to protect your smart phone or tablet, which are emerging and evolving almost as quickly as the devices themselves.

If there are other security topics or compliance standards that you are interested in having me write about, please let me know by leaving a comment here.

18 months and No Reports of Zombie Attacks

by John Kulas, Bridge360 Software Security Analyst

This month of November marks the 18-month anniversary of the warning by the Centers for Disease Control and Prevention (better known as the CDC) that everyone should be prepared for a zombie apocalypse. Apparently everyone is well prepared, and the zombies must know this because the zombies have not shown themselves.

All silliness aside, there really is a serious point to this post, and that is to talk about Business Continuity Planning (“BCP”), which addresses how to continue your business operation during and after a disaster. I’d even add “before a disaster,” because sometimes there is fair warning in advance of an impending disaster, like the recent Hurricane Sandy event.

In the past, people used to focus on Disaster Recovery (“DR”); however, if all the focus is on recovering from the disaster, then there is probably no planning for how to continue serving customers during, or just prior to, the disaster. In fact, in the business world the term “disaster” is being replaced by a more accurate term: “business continuity disruption event.”

During a disruption event, if your competitors recover faster than you, or are not even affected by whatever disrupted your business, then your customers may go to them for service while your business is not operating. In that case, what happens when your business resumes operation? If no customers are left wanting your services, then your business fails.

With the focus now on BCP, and with DR now a subtopic of BCP, your business can put measures in place to continue serving customers before, during and after a business continuity disruption event. Your level of service during a disruption event may not be as spectacular as usual, but you are sufficiently meeting customers’ needs; meanwhile your business can work on recovering (DR) to normal business operating speed and capacity.

The zombie theme is not entirely silly for training purposes. The Halo Corporation’s annual counter-terrorism conference (October 29 – November 2), usually attended by hundreds of Marines, Navy special operators, soldiers, police, firefighters and others (at a $1,000 entrance fee), is using the CDC’s zombie theme this year. The watchdog organization Project on Government Oversight has said it does not see this as frivolous government spending, and it agrees with the CDC’s point that a zombie scenario is a useful teaching mechanism.

A well constructed BCP is not focused on a particular type of disaster. A well constructed BCP is flexible enough to address any type of disaster. There are three general categories of business continuity disruption events: loss of buildings, loss of personnel, and loss of technology. I’ll discuss more about those in later posts.

HIPAA: Protecting your health data

by John Kulas, Bridge360 Software Security Analyst

The third and final compliance standard that I’ll comment on in our series on compliance is the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”, usually pronounced “hip-pa” even though it has one “P” and two “A”s).

HIPAA is a very large and complex law that covers many facets of medical care. I am most interested in the portions that involve the security and privacy of health data; those portions protect you so that your medical information is not available to anyone who happens to be interested.

In addition to all the usual information technology security aspects, HIPAA has some interesting compliance requirements. HIPAA requires documentation, and disclosure to you, of who updates your medical information, as well as tracking and documentation of who reads your medical information and when. It also safeguards verbal discussion of your medical information.
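To make the “who read or updated which record, and when” requirement concrete, here is an added example of an access audit trail of the kind that paragraph describes. It is illustration written for this post, not code from Bridge360 or from any HIPAA guidance; the patient identifiers, user names, purposes and event format are all assumptions. Each entry is chained to the previous one by a hash, so an insider who later edits an entry to hide their own access breaks the chain, and a patient can be given a report of every access to their record.

```python
"""Minimal tamper-evident access log for health records (added example).

Not code from the post or from Bridge360. Record IDs, actor names, purposes
and the event layout are assumptions chosen for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for "the hash of the entry before the first"


def _hash_entry(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AccessLog:
    """Append-only log; every entry carries the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, patient_id, purpose, at=None):
        if action not in ("read", "update"):
            raise ValueError("action must be 'read' or 'update'")
        body = {
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "patient_id": patient_id,
            "purpose": purpose,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"body": body, "hash": _hash_entry(prev, body)})

    def verify(self) -> bool:
        """Recompute the chain; an edited or removed middle entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if _hash_entry(prev, entry["body"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def disclosure_report(self, patient_id):
        """Every access to one patient's record, as (when, who, what, why)."""
        return [
            (e["body"]["at"], e["body"]["actor"], e["body"]["action"], e["body"]["purpose"])
            for e in self.entries
            if e["body"]["patient_id"] == patient_id
        ]


def build_sample_log() -> AccessLog:
    # Constructed sample events, not real data.
    log = AccessLog()
    t = datetime(2012, 11, 5, 9, 0, tzinfo=timezone.utc)
    log.record("dr_a", "read", "P-1001", "treatment", at=t)
    log.record("dr_a", "update", "P-1001", "treatment", at=t.replace(minute=15))
    log.record("clerk_b", "read", "P-2002", "billing", at=t.replace(minute=30))
    log.record("dr_c", "read", "P-1001", "consult", at=t.replace(hour=10))
    return log


def tamper_demo() -> tuple:
    """Return (chain valid before, chain valid after) an in-place edit."""
    log = build_sample_log()
    before = log.verify()
    # An insider tries to hide their read by rewriting the actor field.
    log.entries[3]["body"]["actor"] = "someone_else"
    after = log.verify()
    return before, after


if __name__ == "__main__":
    sample = build_sample_log()
    for row in sample.disclosure_report("P-1001"):
        print(row)
    print("chain intact:", sample.verify(), "| after tampering:", tamper_demo())
```

The hash chain catches edits and deletions in the middle of the log, but not truncation of the most recent entries; in practice the latest hash (or the whole log) is copied somewhere the record system’s administrators cannot reach, such as a separate log server, so that a shortened log can be noticed too.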

For example, if two doctors meet in a hallway and begin discussing your medical information, there are potentially two HIPAA violations in play. The first depends on whether the second doctor is actually involved in your treatment or the first doctor is just spontaneously chatting about you: it is fine for the first doctor to talk generically about your medical condition, but that doctor is not supposed to mention specifics that would let someone figure out it was you being discussed. The second is that the two doctors must ensure no one overhears them discussing your medical information, and a hallway is not a good place to discuss confidential information such as you and your medical condition.

One initial problem with HIPAA was that it lacked enforcement and significant penalties. That was addressed by the American Recovery and Reinvestment Act of 2009 (“ARRA”) through its HITECH Act provisions. Besides providing a stimulus package for the economy, ARRA significantly expanded HIPAA’s privacy and security regulations, including increased enforcement and penalties for HIPAA violations. Civil and criminal penalties were increased, and, most significantly, state attorneys general were given the power to prosecute and seek civil penalties for violations. You can now search the web for “HIPAA violation cases” to see reports of companies being fined, people being fined, people being fired and people being sentenced to jail time for HIPAA violations.

So HIPAA and ARRA’s enhancement to it are important, because they protect your medical information from just anyone learning about your medical condition(s).

If there are other compliance standards that you are interested in having me write about, please let me know at john_kulas@bridge360.com. I am more knowledgeable about the information technology and business continuity aspects, but I can comment on most of them.

This is the last of a three-part series on compliance presented by John Kulas, a software security analyst for Bridge360. John is a Certified Information Systems Auditor with over a dozen years of experience across at least a dozen companies. His technical background includes 23 years at IBM. Today, he assists Bridge360 client Xerox/ACS in meeting compliance standards, and enjoys helping non-technical business people understand compliance requirements.

Sarbanes-Oxley: Protecting Stocks and Stopping Scandals

by John Kulas, Bridge360 Software Security Analyst

In my previous blog, we began a discussion on technology-related compliance standards, why we have them, how they work and the specific ways in which they protect us. I introduced the Payment Card Industry Data Security Standard (PCI-DSS) as one of the most well-known and widely applied standards in the U.S. economy.

Another major standard that many larger companies must comply with is the Sarbanes–Oxley Act of 2002, more commonly known as “SOX” (pronounced “socks”). Let’s talk more about SOX, because it has made some pretty big news over the last decade.

Payment Card Industry Data Security Standard (PCI-DSS)

by John Kulas, Bridge360 Software Security Analyst

Why compliance, you might ask? Why do we need compliance, and what good does it do?

I’ll define “compliance” in terms of obeying a request, a law, or, in particular, a standard. Obviously there are usually penalties if you are not compliant.

  1. If you do not comply with someone’s request, that person might be angry with you;
  2. If you do not comply with the speed limit sign, a policeman might observe your non-compliance and either write you a ticket to pay a fine or maybe remove you from your car and haul you off to jail;
  3. If you do not comply with a standard, depending on which standard, there are a variety of penalties, ranging from fines, mandated actions, delisting your company from the stock exchange and/or imprisoning your corporate officers.

I am a Certified Information Systems Auditor (a “CISA”, certified by ISACA, see http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx) so I am most interested in the 3rd example. In the next few posts I’ll comment on three fairly well known technology-related compliance standards, why we need them, and how they work:

  1. Payment Card Industry Data Security Standard (“PCI-DSS”).
  2. Sarbanes–Oxley Act of 2002 (“SOX”)
  3. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the American Recovery and Reinvestment Act of 2009 (“ARRA”)
