Cincinnati FAIR Community of Interest

We are happy to report that Cincinnati is now the 3rd city in Ohio to have a FAIR Community of Interest (COI). Our guest presenter, Mr. Chad Weinman led us through a fun and enlightening review of FAIR concepts, as well as two real-world risk scenarios. We also discussed the frequency, duration and location of future meetings. The general consensus was to have monthly meetings in the morning from 8 – 9:30am. Dates and locations will be communicated in the near future.

If you want to be notified about future meetings, contact Apolonio Garcia via email (agarcia@hgitsecurity.com) or phone (513.744.9114 x221). Meeting dates will also be posted on HealthGuard’s events calendar.

FAIR expert Chad Weinman leading the discussion

Additional Resources:

• Linkedin FAIR support community
• Introduction to FAIR
• Bald Tire Scenario
• Decomposing Risk

This data is very valuable to online marketers and business trying to sell their products. Consumer data is a multi-billion dollar industry, with the amount spent on online data sources expected to reach $840 million in 2012, according to a report in the WSJ.

HealthGuard/CAPC Group’s Expert Interviewed by WCPO

Terms

• Cookie – small file that contains a unique ID, that is placed on PC to track a site visitor. Originally developed to help with maintaining shopping carts for online stores.
• Trackers – track your browsing activity, typically by placing 3rd party cookies on PCs
• Ad networks – use 3rd party cookies to track users browsing activity between sites.
• Data brokers – harvest public information that is available online
• Scrapers – have tools to collect information from websites
• Listeners – monitor, in real-time, information that is being posted to sites

Concerns

• Safety of public officials
• Safety of victims of domestic violence
• Victims of stalking
• Identity theft
• Unscrupulous marketing (i.e. drug company targeting someone with mental condition)
• Difficult (and in some cases impossible) to have data removed.

Solutions

• Remove information from directory listings such as telephone book/directory service
• Submit opt-out requests to data broker
• Submit complaints to FTC and State Attorney General

Additional Resources

• List of common public and confidential government records
• List of Data Brokers http://www.privacyrights.org/ar/infobrokers.htm
• What they Know – WSJ analyzed tracking files from 50 most popular US websites.

Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity — such as insurance information — without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name.

Medical identity theft is a crime that can cause great harm to its victims. Yet despite the profound risk it carries, it is the least studied and most poorly documented of the cluster of identity theft crimes. It is also the most difficult to fix after the fact, because victims have limited rights and recourses. Medical identity theft typically leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years. – World Privacy Forum  n.d. Web. May 2012

CIOs must embrace the fact that end-users are going to utilize cloud based services and solutions that are outside of IT’s control. IT organizations must transition from “command and control” to “cooperative IT” .  One of IT’s expanding roles in this new world is to develop and implement security and other policies that help rather than hinder employees, regardless of the device they use to do their work.

http://www.cio.com/article/704780/The_Upside_of_Shadow_IT?page=1&taxonomyId=3172

Considerations

• Research vulnerability and known exploits/threats (see links below for a good start).
• Triage the vulnerability (see Vulnerability Triage Process below if you don’t already have a method) to determine the appropriate threat mitigation strategy.
• Communicate the potential risk and plan of attack to management (solicit feedback/approval).
• Test workaround/mitigation strategy before deployment.
• Adjust strategy (if necessary) and execute plan.

Vulnerability Research

Microsoft Technet

PCWorld

Exploit/Threat Research

Symantec Research

Wikipedia: Duqu

Vulnerability Triage Process

Cisco’s Vulnerability Risk Triage Model

Details

Firesheep is a free plugin for the Firefox browser, which allows attackers to monitor wireless hot-spots. Once a person logs in to their account, the attacker is able to steal their browser cookie (a process called “session hijacking” or “sidejacking”) and access the victim’s account with just a few mouse clicks, virtually undetected. Firesheep is almost idiot-proof, and gives even the most inexperienced computer user a tremendous amount of power.

Privacy and Business Implications

The capability that this puts into the hands of an average computer user poses a significant threat to peoples privacy, and the security of hospitals and other businesses as well. Once an account is compromised, an attacker could impersonate the victim and/or monitor all communication to and from the victim. Additionally, marketing and other business professionals that maintain social media sites for organizations can have those accounts compromised.

HealthGuard Expert Interviewed by WCPO.

Detection

Be on the look out and report any suspicious account activity including strange emails/posts and wrong password errors.

Prevention

Hospitals (and all organizations) should take the following steps to evaluate the potential risk (to the organization, patients and employees), and develop risk mitigation strategies:

• Evaluate business processes where privacy or security could be compromised (e.g. use of social media, patient & employee communication, etc.).
• Educate employees and patients and instruct them to report any suspicious activity (see detection above).
• Limit the use of wireless hot spots.
• Ensure the web address you are accessing begins with “https” and has a closed lock indicating a secure connection.

In 2010, so far 169 data breaches have been reported, causing nearly 3.5 million people to be affected. Because it is January and most organizations take at least a month or longer to report to the HHS, we expect more notifications to be reported.

Here are some other interesting statistics.

Top 5 Largest Breaches:

1. South Shore Hospital, MA – 800,000 people
2. Puerto Rico Department of Health, PR – 400,000 people
3. Triple-S Salud, Inc., PR – 398,000 people
4. Keystone/AmeriHealth Mercy Health Plans, PA – 285,691 people
5. Emergency Healthcare Physicians, Ltd., IL – 180,111 people

Top 5 Breach Types:

1. Theft – 78
2. Loss - 30
3. Unauthorized Access/Disclosure – 27
4. Improper Disposal – 11
5. Hacking/IT Incident – 7

Theft was overwhelmingly the largest cause of a breach. It would be useful to know whether these are insider thefts or other types (laptops left in cars for instance).

Top 5 Breach Locations:

1. Laptop – 40
2. Paper Records – 38
3. Desktop Computer – 21
4. Portable Electronic Device, Other – 16
5. Network Server – 15

Because the top location of breached data was held on laptops, we can speculate theft was involved. However, desktop computers and network servers lead us to believe either insider attacks or hacking causes a large percentage of breaches.

While the issues we have highlighted are certainly not indicative of all organizations, the breach data can help us learn where others are struggling.  We can ask questions about our own security in reference to the problems others are having.  This may help us discover blind spots, and determine where to focus resources to secure our assets.

As most of us in the information security profession know, managing risk is not a simple or straight forward task. There are many moving parts and

(click on image to enlarge)

dynamics within a security program that must be accounted for and addressed, even within relatively small organizations and organizations with a strong security culture. The never ending technical and human issues require constant attention by people in all areas, and at all levels of the organization.

The HealthGuard Functional Risk Management Model for Information Security (referred to as the Model) is intended to help organizations get a clear understanding of the key interactions and interdependencies that should exist within their information security risk management program. It should be adapted to reflect your organizational structure and terminology. One word of caution: when customizing the model for use in your organization, use care when deleting/eliminating any of the elements, or functional areas. We have taken care not to add any “fluff” or extra pieces to this puzzle. All the pieces you see are real and they belong there.

Multi-Purpose

The Model should be used by multiple levels in your organization as a discussion starter and visual aid that will help get stakeholders on the same page.

Executives and board committee members – the Model provides a governance tool that produces a 30,000 foot view of the interworkings of the organization’s information security risk management program.

CIOs – the Model provides a management tool to help CIOs explain the vision or “big picture” of the risk management program to staff and internal-business partners.

Security Managers – the Model can help drive conversation(s) with senior management and other functional areas in the organization. It can also serve as an assessment/inventory tool to help identify areas that need attention.

Communication

The Model indicates areas where there should be open lines of communication and collaboration between departments and operational areas  (e.g. risk management, information security, IT, compliance, etc). In organizations where departmental “silos” exist, this will likely take time and conscious effort by individuals, as well as continuous “care and feeding” by the organization’s leadership.

Thought Starters

Here are a few questions executives and organizational leaders should consider:

• Do our leaders and managers have adequate visibility into the organization’s information security related risk?
• Do our leaders and managers have the risk related information necessary to make well informed decisions?
• Are our information security policies and related controls aligned with the business requirements, priorities and risk tolerance level?

What the Model is Not

The Model is not intended to replace other risk management methodologies or frameworks that you may be using. It is only intended to provide another perspective for those tools, thereby augmenting them.

Future

In future posts, we will be discussing specific and practical applications of the Model as well as the functional areas and elements within the Model. Until then, feel free to take and use the Model (see license information below) within your organization. I also welcome comments and feedback on the Model, as we will be continuously refining and improving it based on real-world learnings.

Download a PDF version of the diagram here.

HealthGuard Functional Risk Management Model for Information Security by Apolonio R. Garcia III is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. If you would like permission to modify/customize the model for your organization, email your request to author Apolonio Garcia (agarcia@hgitsecurity.com).

By itself, this exploit is not dangerous as it can only escalate privileges on a local machine, however if paired with another virus it can gain be used to gain kernel level privileges and compromise an entire system.  Currently, this exploit has not been seen in the wild, although it would be simple to implement by an attacker.

External References:

• http://isc.sans.edu/diary.html?storyid=9988&rss
• http://www.prevx.com/blog/160/New-Windows-day-exploit-speaks-chinese.html