2013-3Q The Security Savant

In this issue (Download the Full Copy)


    Exploring High Risk IT Security Threats  P.1

    • In The Security Savant we focus on identifying the high-risk areas within IT security and the role of the Chief Information Security Officer. We expose you to the information we track: we have full-time researchers focused on security business trends, evolving risk, and threats, and we combine their findings with our security team’s experience and the best practices we are establishing in the SAVANTURE CISO Practice, reporting those most relevant to you.

    Advanced Persistent Threat (APT). A Primer. A Refresher.    P.1

    • Advanced Persistent Threat (APT) refers to a group, such as a government or an organization, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular Internet-enabled espionage that uses a variety of intelligence-gathering techniques to access sensitive information, but it applies equally to other threats such as traditional espionage or attack. APT campaigns typically unfold over a long period of time, where patience keeps each low-impact activity below the threshold of notice.
    • There are several ways an APT may penetrate a customer’s network and deploy self-propagating malware, through a wide variety of vectors, even in the presence of properly designed and maintained defense-in-depth strategies:
      • Internet-based malware infection such as drive-by download, phishing, and file sharing.
      • Physical malware infection through external device connections such as a USB drive.
      • External exploitation such as vishing, rogue access points, or remote access through a trusted third party.

      War of the World-Wide Internet (aka Worldwide Web War, World Wide Internet War, World Wide Cyber [World Wide C], Cyber War, Cyberwar)

      Every conflict tagged as a “war” historically has been of the physical world. So why is the conflict over the Internet, with nation-states attacking each other electronically, not a war?
      Many arguments can be made that few lives have been lost, no mass destruction has resulted, and so forth. Yet we believe these catastrophic events are coming. Call it World War C (Cyber), World War I (Internet) or any other creation … the cyberwar is coming. Planes, trains, and increasingly automobiles, utilities, financial systems, and even our homes are all connected and subject to external influence via the Internet. Few in the industry would argue against the prediction that within 2 years a cyber attack will cause loss of life and physical damage.

      The Domain Name Service Achilles Heel   P.2   Contributing Industry Expert and Strategy Consultant to SAVANTURE, Rick Rumbarger

      Most people, even seasoned IT professionals, don’t give the Domain Name System (DNS) the attention it deserves. As TCP/IP has become the dominant networking protocol suite, the use of DNS has grown with it. Most organizations use DNS not only to direct customers to their website, but to conduct almost every aspect of their day-to-day business operations. DNS is the hierarchical, distributed naming system for computers, services, or any resource connected to the Internet or a private network; it maps easy-to-understand names that humans can use (e.g. mail.domain.com) to the complicated IPv4 and IPv6 addresses devices actually use. On private networks it is used to address even the most mundane things like printers and servers.

      To understand the risk to which your business is exposed, you must understand the security threats that exist.  The most common security issues for DNS are:

      • Unauthorized Authoritative DNS Record Changes – see newsletter pdf for more detail
      • Denial of Service Attacks – see newsletter pdf for more detail
      • Recursive DNS Spoofing/Cache Poisoning – see newsletter pdf for more detail

      Security best practices for DNS:

      • Registrar Lock Your Domain Names – see newsletter pdf for more detail
      • Outsource Your DNS Services – see newsletter pdf for more detail
      • Utilize Strong Access Controls – see newsletter pdf for more detail
      • Activate DNSSEC On Your Domain Names – see newsletter pdf for more detail
      • Continuously Monitor Your Critical Services & DNS Records – see newsletter pdf for more detail
      • Promote The Use of Protected Recursive DNS Servers – see newsletter pdf for more detail
      • Protect Your DNS Service Against DDoS Attacks – see newsletter pdf for more detail
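As an added example, not part of the newsletter or Rick Rumbarger’s article, the following check ties the "unauthorized authoritative DNS record changes" threat to the "continuously monitor" and DNSSEC practices above: it compares a stored baseline of authorised record sets against a fresh snapshot and flags drift. The zone name, record values and the snapshot are constructed; in practice the snapshot would be filled from scheduled resolver queries.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    kind: str             # "added", "removed" or "changed"
    expected: frozenset   # record data the baseline authorises
    observed: frozenset   # record data seen in the latest snapshot

# Constructed baseline: the record sets the zone owner has authorised.
BASELINE = {
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("example.com", "DS"): {"54321 13 2 0123abcd (constructed digest)"},
    ("example.com", "MX"): {"10 mx1.example.com."},
    ("www.example.com", "A"): {"203.0.113.10"},
}

# Constructed snapshot simulating an unauthorised change at the registrar: delegation
# repointed, DS dropped (DNSSEC chain of trust silently removed), mail redirected,
# and a host added that was never in the baseline.
OBSERVED = {
    ("example.com", "NS"): {"ns1.unexpected.invalid.", "ns2.unexpected.invalid."},
    ("example.com", "MX"): {"10 mx.unexpected.invalid."},
    ("www.example.com", "A"): {"203.0.113.10"},
    ("ftp.example.com", "A"): {"198.51.100.7"},
}

# Types whose silent change undermines the whole zone: NS (delegation) and DS (trust anchor).
CRITICAL_TYPES = {"NS", "DS"}

def find_drift(baseline, observed):
    """Return one Finding for every record set that differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        exp = frozenset(baseline.get(key, ()))
        obs = frozenset(observed.get(key, ()))
        if exp == obs:
            continue
        kind = "added" if not exp else "removed" if not obs else "changed"
        findings.append(Finding(key[0], key[1], kind, exp, obs))
    return findings

def critical(findings):
    """Findings that warrant an immediate alert rather than a routine review."""
    return [f for f in findings if f.rtype in CRITICAL_TYPES]

def dnssec_dropped(findings):
    """True if the DS record set vanished, i.e. the zone's chain of trust was removed."""
    return any(f.rtype == "DS" and f.kind == "removed" for f in findings)
```

A removed DS record is worth singling out because resolvers simply stop validating the zone rather than failing, so nothing downstream will complain.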

      The Role of Chief Information Security Officer P.3

      A generally accepted definition of the role of Chief Information Security Officer (CISO) is a senior-level executive within a business or organization who is responsible for managing the risks and business impacts of IT security. The CISO is responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining security across the organization, including people, processes and technology, to reduce information and information technology (IT) risks. The CISO responds to incidents, establishes appropriate standards and controls, manages security technologies, and directs the establishment and implementation of policies and procedures. The CISO is also usually responsible for IT-security-related regulatory compliance.

      Regulatory Changes P.3

          Americas

      2013 HIPAA regulatory changes
      due to willful neglect, instead of first attempting to resolve the matter through informal means. Penalties for HIPAA violations are significant. Penalties for violations caused by willful neglect that are corrected range from $10,000 to $50,000 per violation. The minimum penalty for an uncorrected HIPAA violation caused by willful neglect is $50,000 per violation. The penalties are capped at $1.5 million for all violations of an identical requirement in a calendar year.

      Changes to Children’s Online Privacy Protection Act (COPPA)
      The updates further strengthen the protections for children and go into effect on July 1, 2013.

      GLOBAL
      99 Countries with Privacy Laws.  Read more.

      Q&A P.3
      What security standard is the best to use as the foundation for my Security Plan? (Download the Full Copy)


      2013-2Q The Privacy Savant

      In this issue (Download the Full Copy)


      Exploring Privacy Regulation P.1

      In our inaugural issue of The Privacy Savant we focus on establishing some basic definitions within privacy, including the role of Chief Privacy Officer. We expose you to the filtered information we track on a global basis. Our sources range from a researcher uniquely focused on privacy, who lives nothing but evolving privacy laws and mandatory breach disclosure reports each and every day, to our own CPO’s experience and the best practices he is establishing in the SAVANTURE Privacy Practice; from these we try to capture and report the items most relevant to you. This is a journey that we believe is worthy of the effort, and we believe privacy will be one of the next major regulatory forces impacting businesses and driving IT security.

      HIPAA P.1

      Any organization that electronically stores, processes or transmits medical records, medical claims, remittances, or certifications must comply with HIPAA regulations. Although many people believe that HIPAA only applies to electronic medical records (EMR), it also governs medical information in paper and even verbal form! HIPAA further requires that all patients be able to access their own medical records, correct errors or omissions, and be informed how their personal information is used. Other provisions involve notification of privacy procedures to the patient. HIPAA is divided into five Rules:

      • Privacy Rule
      • Security Rule
      • Transactions Rule
      • Identifiers Rule
      • Enforcement Rule

      The Relationship: Privacy and Security P.2
      In the rush to protect consumers, lawmakers and politicians don’t always look at the broader picture of data protection or the ramifications of tactically addressing one issue while strategically falling short of their ultimate intent. The protection of data is paramount within privacy laws, yet they generally limit the data protected to individually identifiable or Personally Identifiable Information (PII). Oddly, privacy laws are often written less around the demand for information protection and provide minimal, or in most cases no, requirements for a minimum level of security. Rather, the laws focus on

          1. penalties should a breach result in the unauthorized disclosure of PII, and
          2. notification requirements to any individual whose data was compromised.

      Also overlooked: these laws cover any loss of PII, not just losses in breach situations.

      Proper Controls to Limit Breach Impacts P.2

      Most laws and regulations require that a breach be notified to the individuals whose records are compromised and to the Attorney General of their state. An example: you have two servers holding PII. One is compromised and the other is not. Assuming the compromised records were exposed, you must follow ALL the laws of each country, state, and region for ALL the individuals on that server. You do not, however, need to make disclosures for individuals on the server that was not compromised.

      The Role of Chief Privacy Officer P.3

      A generally accepted definition of the role of Chief Privacy Officer (CPO) is a senior-level executive within a business or organization who is responsible for managing the risks and business impacts of privacy laws and policies. The CPO role was created in response to 1) consumer concern over the use of personal information, including medical data and financial information, and 2) laws and regulations, such as protection of patient medical records (e.g., the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA), the use and safeguarding of consumer financial and banking transactions (e.g., the Fair Credit Reporting Act and its Disposal Rule or the Gramm-Leach-Bliley Act) and international regulations (e.g., the European Union Data Protection Directive).

      Regulatory Changes P.3

          Americas

      2013 HIPAA regulatory changes
      due to willful neglect, instead of first attempting to resolve the matter through informal means. Penalties for HIPAA violations are significant. Penalties for violations caused by willful neglect that are corrected range from $10,000 to $50,000 per violation. The minimum penalty for an uncorrected HIPAA violation caused by willful neglect is $50,000 per violation. The penalties are capped at $1.5 million for all violations of an identical requirement in a calendar year.

      Changes to Children’s Online Privacy Protection Act (COPPA)

      The updates further strengthen the protections for children and go into effect on July 1, 2013.

      GLOBAL

      99 Countries with Privacy Laws. Read more.

      Q&A P.3

      We support consumers. Should we require date of birth (DOB) as part of the online signup process?

      (Download the Full Copy)