Channel: SecurityMetrics Blog

Maintain Safe Harbor: Check Your Compliance Status


When a business is financially safe from the fines and penalties it would normally incur from a card data breach, it is said to be in Safe Harbor. To attain Safe Harbor status a business must validate and maintain full PCI compliance at all times.


Visa defines Safe Harbor as the following:

“Safe Harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise.”


Computer network and software application weaknesses are discovered by criminals daily. Last October, the PCI standard changed from PCI DSS 1.2 to PCI DSS 2.0 to clarify, expound, and evolve certain requirements in an effort to protect against emerging criminal trends.


Many PCI compliant businesses may not realize PCI validation needs to take place either quarterly or yearly, depending on how payment cards are processed. Staying current with the PCI standard must be part of a business’ culture to continually prevent theft and fraud. See if your business maintains Safe Harbor by checking your PCI compliance status at your SecurityMetrics account. Visit www.securitymetrics.com/login.adp to sign in.


IRS TIN Validation- Explained

Is Your Printer an Informant?


In recent security conferences, network printers have been revealed to be potential doorways into a secure network. How can this be? They just receive print jobs from inside your network and create hard copies...right? Nowadays, multifunction printer devices have many avenues for receiving and sending communication and may inadvertently be storing sensitive information about your network. Here are some things you should know about your potential “informant.”

I need to secure a printer?!
Often printer security is neglected or ignored. “It’s just a printer. Why do I need to secure it?” Commonly, printers are plugged into the corporate network, integrated with business systems, and given Local Area Network (LAN) authentication. New passwords aren’t generated to replace factory defaults, and neither are passwords for administrative function access. Since they are considered hardware, printers are bypassed on the regular system update/patch management schedule. Unsecure setup of these devices can lead to serious exposure of sensitive data.

Dangerous printer capabilities
Many of these features, if not secured, could result in sensitive data or password harvesting.
  • Document scanning to a file. The printer allows access to a scanned file via File Transfer Protocol (FTP) or may copy the file to a network file server. Authentication credentials to that file server are stored by the printer. 
  • Document scanning to email. Credentials are required to access the local mail server. A local printer may also store email and user addresses. 
  • Email notification. An address book of internal e-mails may be stored by the printer to enable various types of notification (fax, print job finished, etc.). If this information can be gleaned from the printer, the attacker now knows more than he should about internal e-mails.
  • A remote administration portal, usually an embedded web server, can be reached from the network where the printer resides or even from the Internet. Often system administrators are not changing the default access password to this administration page.

How are printers being attacked?
One of the most common and simple attacks hackers use on these devices is leveraging the default password set by the manufacturer to gain access to the administrative portal on the printer. Even if defaults have been changed, a simple attack against this administrative portal may allow someone to bypass the authentication layer of the device. (There are known attacks of this sort on some HP and Toshiba devices using a well-placed extra character in the administrative portal’s URL.) With access to the portal, it can be very easy to glean network access information. 

IT personnel often use directory service administrator level username/passwords when setting up the printer to access shared resources. This login information might be visible from the printer’s administrative interface or accessible directly from the printer’s password settings page by viewing hidden HTML variables kept right in the page HTML source. Not securely protecting password information allows the hacker to collect this information from the printer and then “become” an administrator of the network or other sensitive systems.

Some printer attacks allow an attacker to enumerate all email addresses stored in the address book and maybe even file share credentials that allow the printer to deposit scanned files direct to specific file servers. This data would then allow the attacker to gain authenticated access to many systems within the network environment, and from there direct his attacks to systems where financial or other sensitive company information may be stored or processed.

Other types of attacks trick the printer into communicating with an attacker rather than a standard configured service like Lightweight Directory Access Protocol (LDAP) and Simple Mail Transfer protocol (SMTP). The results of these types of attacks can allow an attacker to gather internal IP addresses, communication port information, and usernames/passwords.

What can I do?
  • Change default passwords on printers. 
  • Develop an update management process to keep printer software and firmware up-to-date. 
  • Avoid using administrator level usernames and passwords when granting the printer access to network resources. 
  • Tools like Praeda are used by security professionals to help secure printers. (Note: these same tools are also available to attackers). You can follow Praeda’s progress at www.foofus.net 
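The redirection attacks (a printer tricked into sending its LDAP or SMTP traffic to the wrong host) and the exposed administration portal described above both leave traces in egress and firewall logs. The following Python script is an added example (not SecurityMetrics code and not part of the original post): it scans a constructed flow-log sample for printers contacting credential-bearing services other than their approved servers, and for admin-portal connections reaching a printer from outside the internal address ranges. The log format, printer inventory, approved-server list and sample addresses are all assumptions.

```python
"""Flag printer network behaviour that matches the attacks described above.

Added example, not SecurityMetrics code. The flow-log format
("<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"), the printer inventory and
the approved-server list are assumptions made for this demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: addresses of the multifunction printers on the LAN.
PRINTERS = {"10.0.5.21", "10.0.5.22"}
# Constructed allow-list: the only LDAP/SMTP/file servers the printers are configured for.
APPROVED_SERVERS = {"10.0.1.10", "10.0.1.11"}
# Internal ranges; anything outside them is treated as the Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Outbound services a printer uses with stored credentials
# (scan-to-file, scan-to-email, directory lookups).
CREDENTIAL_PORTS = {21: "FTP", 25: "SMTP", 389: "LDAP", 445: "SMB",
                    465: "SMTPS", 587: "SMTP", 636: "LDAPS"}
# Inbound services that expose the printer's embedded administration portal.
PORTAL_PORTS = {80: "HTTP admin portal", 443: "HTTPS admin portal"}


@dataclass
class Alert:
    ts: str
    printer: str
    peer: str
    service: str
    reason: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges above."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto


def analyze(lines):
    """Return one Alert per suspicious flow, in log order."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, _proto = parse_line(line)

        # Case 1: a printer sends a credential-bearing protocol somewhere it should not.
        if src in PRINTERS and port in CREDENTIAL_PORTS and dst not in APPROVED_SERVERS:
            if is_internal(dst):
                reason = "printer contacting an internal host that is not an approved server"
            else:
                reason = "printer sending credentials-bearing traffic to an external host"
            alerts.append(Alert(ts, src, dst, CREDENTIAL_PORTS[port], reason))

        # Case 2: the printer's admin portal is reached from outside the internal ranges.
        elif dst in PRINTERS and port in PORTAL_PORTS and not is_internal(src):
            alerts.append(Alert(ts, dst, src, PORTAL_PORTS[port],
                                "admin portal reachable from the Internet"))
    return alerts


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for Internet addresses.
SAMPLE_LOG = """\
# ts src dst dport proto
2014-05-01T09:00:01 10.0.5.21 10.0.1.10 389 tcp
2014-05-01T09:00:05 10.0.5.21 10.0.1.11 25 tcp
2014-05-01T09:01:12 10.0.5.22 10.0.9.77 389 tcp
2014-05-01T09:02:40 10.0.5.21 203.0.113.9 25 tcp
2014-05-01T09:03:00 198.51.100.4 10.0.5.22 443 tcp
2014-05-01T09:03:30 10.0.7.3 10.0.1.10 389 tcp
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} printer={a.printer} peer={a.peer} {a.service}: {a.reason}")
```

The first two sample lines are the printer's normal LDAP and SMTP traffic and produce no alert; the remaining three flows reproduce the misuse patterns the text describes.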

Multifunction and network enabled printers may contain very sensitive information about your internal network and may be a “weak link” in your overall security strategy. Do not neglect them.

--The SecurityMetrics Audit Team

Portfolio Compliance: A Custom Approach

A successful PCI program doesn't come in a can. Every portfolio is unique and has different needs. PCI compliance programs can be as successful as you want them to be. SecurityMetrics provides solutions to match your definition of a successful program. 


When you use SecurityMetrics as your PCI vendor you are able to customize your program, produce successful program results, and keep your merchants happy. Tell us your goals, and we'll do everything we can to make them happen. Whether it be a hands-on, full-service, or online approach, SecurityMetrics will create a custom PCI solution for your portfolio needs.

PCI compliance can easily frustrate merchants. Over the years, we've developed methods that greatly simplify the compliance process. You never have to worry about how your merchants are treated. SecurityMetrics has helped over 1 million merchants with PCI compliance and prides itself on its ability to interact positively with merchants.

Network Security for Small Businesses


Small businesses are the primary target for data breaches. Most do not have the time, money, knowledge, or patience to secure their business network. In the black hat hacker community, these facts are well known and provide the incentive to steal important data from the unprotected small business.

Mainstream media does not publish small-scale breaches nearly as often as large corporate breaches such as Sony or Citigroup, but they still happen. Hundreds of businesses go under every year because the fines are too much for a small business to handle.

Until recently, most network security solutions for small businesses were produced for large corporations with big budgets, data centers, and full time IT staff.

In May, 2011, SecurityMetrics released a new product for small businesses that provides internal network security called SecurityMetrics Vision. This Network Threat Sensor installs on the inside of a business network and searches for threats through internal scanning, wireless Internet detection, event log management, and an industry-leading firewall.

Once threats are identified, warning alerts are delivered to a business’ secure account at the SecurityMetrics website and by email so threats can be eliminated. For all businesses that need assistance with threat remediation, SecurityMetrics 24/7 technical support is available to help.

If a small business purchased all these features from other sources, it would spend thousands of dollars; SecurityMetrics Vision is made and priced for small businesses. Click here for more information.

PCI FAQ


Your most common questions about the payment security standard, answered.
By David Ellis, GCIH, QSA, PFI, CISSP

As you may expect, we get a lot of questions about PCI DSS compliance. I thought I’d post the most common as an easy go-to source for those with questions. 


What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 by the major card brands (Visa, MasterCard, American Express, Discover Financial Services, JCB International).
All businesses that process, store, or transmit payment card data are required to implement the standard to prevent cardholder data theft. Your card-handling practices and processing environment determine which PCI DSS requirements apply to your business.


What is PCI validation?

The Payment Card Industry Security Standards Council mandates that all merchants comply with PCI standards. Annual validation (or proof) of that is mandated by some merchant processors and is a way of documenting your compliance. Validation requirements vary based upon annual payment card transactions and may require a self-assessment or independent onsite audit.



Who is required to become PCI compliant?

All businesses that process, store or transmit payment card information are required to comply with the PCI DSS.


Why haven't I heard of PCI compliance until now?

PCI compliance was first mandated in 2006. The Payment Card Industry Security Standards Council, the card brands, and your merchant processor are doing their best to make sure all merchants are aware of the standards.


Is PCI compliance a federal law?

No, the government does not regulate PCI*; however, by signing the payment card contract confirming your desire to accept credit and debit cards at your business, you agreed to follow card brand rules. If you wish to safely accept Visa, MasterCard, JCB, American Express, and Discover, you must comply with PCI DSS.

*Note: Some states, such as Nevada, now require PCI DSS compliance.


When is the deadline to become PCI compliant?

For most merchants the deadline for compliance has already passed. Contact your merchant processor to receive details on your merchant account. The sooner you become compliant, the less likely you are to be hacked.


What happens if I don't become PCI compliant?

If you are not PCI compliant, you are more vulnerable to data compromise, and may also be fined by your merchant processor and/or the card brands for not validating PCI compliance.


What if I only process a few cards a year? Do I still need to be PCI compliant?

Yes. Even if you only process one transaction per year, you must implement the PCI DSS in your processing environment.


What is required to become PCI compliant?

Typical steps for merchants to become PCI DSS compliant include, but are not limited to:
  • Determine your validation type
  • Address all requirements found in your Self-Assessment Questionnaire (SAQ) (e.g., external vulnerability scans, penetration tests, employee training, etc.)
  • Attest to your compliance annually
  • Complete and report quarterly results of all scans performed by an Approved Scanning Vendor (ASV)

Which SAQ am I supposed to complete?

Ultimately, you must choose the SAQ that’s right for your processing environment, but generally speaking:

  • SAQ A is for merchants that use a third party service provider to handle their card information
  • SAQ B is for merchants that use a phone line terminal and are not connected to the Internet in any way
  • SAQ C-VT is for merchants that use a virtual terminal on one computer solely used for card processing
  • SAQ C is for any merchant connected to the Internet
  • SAQ D is for merchants that store credit card data electronically
  • SAQ P2PE-HW is for merchants using approved point-to-point encryption (P2PE) devices
Please visit the PCI Council website for more detailed explanations.


Sample PCI Certificate

What is a PCI compliance certificate?

Some QSA/ASV companies provide certificates confirming that an organization is PCI DSS compliant. An actual compliance certificate is not mandatory, and you don’t necessarily need a certificate to be PCI compliant. 


Am I PCI compliant if my site has an SSL certificate? 

Unfortunately, no. An SSL certificate is an important element of a secure website, but on its own it does not meet PCI DSS requirements.


Do I need to be PCI compliant if I don't use a computer to process credit cards?

Yes. PCI compliance doesn't require a connection to the Internet, or even a computer system. PCI compliance is determined by the way you store, handle, or process credit card information, whether the card information is in a locked filing cabinet, or on the computer.


Who enforces PCI compliance?

The Payment Card Industry Security Standards Council was formed in 2006 by the major card brands (Visa, MasterCard, American Express, Discover Financial Services, JCB International) to regulate and enforce PCI DSS compliance. Generally speaking, your merchant bank enforces PCI DSS compliance.


What is SecurityMetrics' role in PCI compliance?

SecurityMetrics assists merchants in validating compliance and implementing the Payment Card Industry Data Security Standard. SecurityMetrics is an Approved Scanning Vendor and is certified to perform PCI scans, onsite PCI audits, payment application software audits, point of sale terminal security audits, penetration tests, and forensic analysis to assess card data compromises. You may validate our PCI certifications directly at the Payment Card Industry's website.


My SecurityMetrics account has just been created, what now?

You should log in to your account and begin the process of becoming PCI compliant. This means going through each section of the SAQ and ensuring compliance with all the requirements.


What should I do if I think my business has been compromised?

Disconnect your system from the Internet, call your merchant processor, and call a forensic investigator. PCI forensic investigators help you find and fix the security holes in your processing environment. They help you identify how and when attackers breached your systems, determine if card data was compromised, and document for the card brands your efforts to remediate the vulnerabilities that led to the data breach. 

If you have any further questions about PCI, contact our PCI gurus.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.

HIPAA FAQ


Your most common questions about the Health Insurance Portability and Accountability Act, answered. 

By Tod Ferran, CISSP, QSA

Tod Ferran, Security Analyst
As you may expect, we get a lot of basic questions about HIPAA compliance. I thought I’d post the most common as an easy go-to source for those with questions. 


What is HIPAA compliance?

HIPAA (the Health Insurance Portability and Accountability Act) is a federal mandate that, among other things, requires organizations to keep patient data secure. Compliance requires a myriad of privacy and security actions outlined in the mandate’s specific rules, such as password policy creation, patient data protection, and employee training.


What is required to become HIPAA compliant?

Requirement implementation can vary from organization to organization, but as a general rule, entities are expected to complete a risk analysis, create and complete a risk management plan, conduct regular employee training, and implement updated policies and procedures.


Who is required to become HIPAA compliant?

Any covered entity (CE) or business associate (BA) that stores, processes, transmits, maintains, or touches protected health information (PHI) in any way must be compliant. Examples of covered entities include any healthcare service provider such as a hospital, pharmacy, or physician. Examples of BAs are persons or entities that provide services to a CE that involve the disclosure of PHI, such as a medical records vendor, prosthetic manufacturer, or outside medical consultant.  


Who is responsible for HIPAA?

Both the healthcare organization and each individual staff member who accesses PHI are responsible. The organization is responsible for putting all necessary safeguards in place for HIPAA compliance. Every individual (office manager, doctor, etc.) is held responsible for the health information they should, can, or do access. Individuals and companies can independently face criminal charges for mishandling PHI. 


What’s the difference between the HIPAA Security and Privacy rules?

The Privacy Rule addresses appropriate PHI use and disclosure practices by healthcare organizations. The same rules, regulations and policies that regulate Privacy do not necessarily extend to the Security Rule. The Security Rule revolves around safeguarding the systems that house or transmit PHI.



Who enforces HIPAA compliance?

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is the federal organization responsible for enforcing HIPAA compliance.


What is the Final Omnibus Rule?

The Omnibus Rule, enacted in January 2013, is an extension of the HITECH Act that expands patient rights, assigns liability to business associates, and increases penalties for security violations. The deadline to comply with the rule was September 2013.


What happens if I don't become HIPAA compliant?

If you are found in violation of HIPAA, you could be levied severe fines by both the HHS and state attorneys general. In fact, the HHS assesses fees of up to $50,000 per day per violation.

If noncompliance leads to a breach, you are required by law to notify the HHS, your patients, and, if more than 500 records are involved, the media. This could severely damage brand equity and publicly embarrass your organization. According to a recent survey, 76% of patients state they will stop dealing with an organization responsible for a privacy breach.



[Webinar] An introduction to the HIPAA Security Rule, including its purpose and components.


What is a HIPAA violation?

Each failure to appropriately implement one or more HIPAA standards, requirements, or implementation specifications is classified as a violation. For example, sharing passwords among nurses, not implementing an industry-standard firewall, and not encrypting emailed patient data are all separate violations.


What’s the difference between a required and addressable rule? 

Required rules are quite cut and dried. Either you implement them, or you automatically fail to comply with the Security Rule. Addressable rules are often technical, and allow organizations of varying size the flexibility to implement different security controls that accomplish the requirement’s objective. 

SEE ALSO: Required vs. Addressable HIPAA Requirements


What does it mean to have a HIPAA audit?

The HHS expects healthcare providers to actively work on their HIPAA compliance and tests them through organizational audits. An entity could be chosen for a HIPAA compliance audit at random, or because of a reported breach by an employee or customer. Entities can best prepare for an audit by having an aggressive and fully functional HIPAA compliance program already in place. Performing a ‘mock’ audit by having an experienced and knowledgeable third party follow the HHS audit protocol can help identify areas of noncompliance. 


What should I do if I think PHI has been compromised at my organization?

Contact the HHS immediately following the Breach Notification Rule protocols. They’ll tell you what to do next.


What do I need to know about business associates? 

Every covered entity with BAs (virtually all) is required to obtain assurances that their business associates treat patient data the way the HHS wants them to. You could choose to personally audit each BA, recognize a third party certification, or require documented data security procedures.


Sample HIPAA compliance certificate

What is a HIPAA compliance certificate?

A HIPAA compliance certificate shows that you have completed all the necessary requirements your individual HIPAA consultant requires. Although this document doesn’t disqualify you for random HHS audits, it does show your devotion to HIPAA compliance, the government, and your patients.


What is SecurityMetrics' role in HIPAA compliance?

SecurityMetrics assists healthcare entities in achieving true HIPAA compliance. We offer guided HIPAA Risk Analysis (the first and most important step toward compliance), HIPAA compliance, HIPAA audits, HIPAA policy templates, HIPAA training, and other security services.

If you have any further questions about HIPAA, contact our HIPAA gurus.

Did we miss a FAQ? Tell us on Facebook!

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits.

PCI Compliance Maintenance - You're Not Done Yet!


Compliance is a day-by-day security process.
By Brandon Barney, CISSP

Brandon Barney, Security Support Director
PCI compliance isn’t an event. It’s an ongoing process! Lots of people believe they can ‘finish’ or ‘complete’ PCI requirements, but it doesn’t really work like that. A submitted Self-Assessment Questionnaire (SAQ) is only as good as the proactive, ongoing security of the business behind it.


I think Bob Russo, head of the PCI Security Standards Council said it best.


Bob Russo, PCI SSC
"Organizations must not take solely a checklist approach to security, or rely on periodic validation on a specific day as their security goal, but must instead exercise continuous vigilance and maintain a strict security program that ensures constant and ongoing PCI DSS compliance."

Watch the video to learn the best ways to maintain your hard-earned compliance.


Want to see more vids like this? Subscribe on YouTube for PCI security tips.

So let’s recap. 


How exactly are you supposed to maintain compliance?

  • Ensure your security policies are updated. Anytime you change the way you store, process, or transmit cardholder data, update those policies to reflect the changes!
  • Train your employees. While training new (and current) staff members, remind them about the rights and wrongs of correct card data handling.
  • Update your SAQ if things change. If anything in your card processing environment changes, your SAQ is no longer valid! Update and resubmit your SAQ for best results.
  • Run external vulnerability scans. If your business is required to scan for vulnerabilities, make sure scans run at least quarterly and when you make any network changes. (Do you see a pattern yet?)
  • Understand where your credit card data is stored. One of the reasons it’s hard to maintain compliance is because businesses accidentally store unencrypted card data. Identify unencrypted card data with card discovery tools like PANscan®.
Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.

Brandon Barney, CISSP, is the Security Support Director at SecurityMetrics and has over 10 years of compliance, data security, and database management experience.



HIPAA Compliant Passwords


The best (and worst) password strategies for healthcare.
By Tod Ferran, CISSP, QSA

Tod Ferran, Security Analyst

Passwords. It’s strange that such a teeny line of text is sometimes the only thing that stands between a hacker and a boatload of valuable PHI.


Watch this video to learn how to create secure and HIPAA worthy passwords.



SEE ALSO: Vendor-Supplied Default Passwords Are a Serious Threat.

Remember, random but non-complex passwords are easily broken by hackers utilizing simplistic password cracking software. 


Here are some tips for strong (and HIPAA compliant) passwords

  • 8 characters (at least)
  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Special characters

Let’s see what you’ve learned with a password quiz! Decide if the following passwords deserve a security high five, or a hackable thumbs down.


Password Quiz!

1. nurse
2. Dr77we$t
3. PaSsWoRd
4. @sTer955!
5. drmichellewalkeroffice123
6. frontdesk1
7. Utn*9f1U


Let’s see how you did.


2, 4, and 7 all have special characters, numbers, and uppercase letters. Woot! The rest, even if they look secure, probably won’t guard your PHI very well. 
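The five tips above are easy to turn into a check, and running it over the quiz shows exactly which rule each weak password breaks. The script below is an added example, not code from the original post: it grades each quiz password against the post's rule set and also gives a rough brute-force search-space estimate (in bits) that illustrates why a short lowercase word such as "nurse" falls so quickly. The character-class pool sizes are assumptions for that estimate.

```python
"""Grade passwords against the five tips above and estimate brute-force effort.

Added example, not from the original post. The rule set is the post's own list of
tips; the quiz passwords are the sample input; the character-class pool sizes used
for the search-space estimate are assumptions.
"""
import math
import string

MIN_LENGTH = 8

# Size of each character class, used only for the search-space estimate.
CLASS_SIZES = {
    "lower": (str.islower, 26),
    "upper": (str.isupper, 26),
    "digit": (str.isdigit, 10),
    "special": (lambda c: c in string.punctuation, len(string.punctuation)),
}


def failed_rules(password: str) -> list:
    """Return the tips the password violates; an empty list means it passes."""
    checks = {
        "at least 8 characters": len(password) >= MIN_LENGTH,
        "an uppercase letter": any(c.isupper() for c in password),
        "a lowercase letter": any(c.islower() for c in password),
        "a number": any(c.isdigit() for c in password),
        "a special character": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


def search_space_bits(password: str) -> float:
    """Rough brute-force cost: log2(pool ** length), where the pool is the total size
    of the character classes the password actually uses. The figure assumes a random
    password; a dictionary word like "nurse" is far weaker than it suggests."""
    pool = sum(size for test, size in CLASS_SIZES.values()
               if any(test(c) for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def grade_quiz(passwords) -> dict:
    """Map quiz number -> (verdict, failed rules, search-space bits)."""
    result = {}
    for number, pw in enumerate(passwords, start=1):
        fails = failed_rules(pw)
        verdict = "high five" if not fails else "thumbs down"
        result[number] = (verdict, fails, round(search_space_bits(pw), 1))
    return result


def passing_numbers(passwords) -> list:
    """Quiz numbers that satisfy every tip."""
    return [n for n, (verdict, _, _) in grade_quiz(passwords).items()
            if verdict == "high five"]


# The quiz passwords from the post, in order.
QUIZ = ["nurse", "Dr77we$t", "PaSsWoRd", "@sTer955!",
        "drmichellewalkeroffice123", "frontdesk1", "Utn*9f1U"]

if __name__ == "__main__":
    for number, (verdict, fails, bits) in grade_quiz(QUIZ).items():
        missing = f" (missing {', '.join(fails)})" if fails else ""
        print(f"{number}. {QUIZ[number - 1]!r}: {verdict}, ~{bits} bits{missing}")
```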

Here is a link to the Kaspersky Labs Password Checker where you can test different passwords to see just how strong they really are. (Please don’t enter your real password! Even though we might trust Kaspersky, there are bad guys between them and us!)

Speaking of horrible passwords…


Don't use group passwords

Group passwords are not cool.

As per HIPAA regulations, each nurse, doctor, office manager, surgeon, staff member, janitor, etc. should have his or her own password. That’s right guys, no more group or department passwords. 

Have a HIPAA security question? Leave a comment and you may see your question answered on the next HIPAA Snippets video.

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits.

How Does a Firewall Protect a Business?


Keepin’ the bad guys out of your internal network and away from your data.
By Brandon Barney, CISSP

Brandon Barney, Security Support Director
What is a firewall? What do they look like? Do I have a firewall at my business? These are some of the most common questions I get from business owners. Most have heard of firewalls, but still don’t fully understand their purpose.


Watch the video to learn more about how a firewall protects your business.


Want to see more vids like this? Subscribe on YouTube for more security tips.

Remember – to meet Payment Card Industry Data Security Standard (PCI DSS) requirements you must have both a software and a hardware firewall. But it’s not enough to just own them. They must be configured properly to block traffic from entering (or leaving) your network when it’s not supposed to.


Here are some tips for proper configuration:

  • Work with your IT service provider to configure firewalls and routers
  • Google your firewall manufacturer to find helpful ‘how to’ articles 
  • Quarterly test your network with internal and external network vulnerability scans

Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.

Brandon Barney, CISSP, is the Security Support Director at SecurityMetrics and has over 10 years of compliance, data security, and database management experience.

Stay Off the HHS Naughty List


HHS Wall of Shame exposes the not so careful…
By Tod Ferran, CISSP, QSA

Tod Ferran, Security Analyst
With an average of 1.5 million unique visitors per month on hhs.gov (complete.com), the Wall of Shame is an extremely public record of healthcare organizations with PHI breaches of 500 records or more. The interesting thing about the Wall of Shame is that it’s actually a requirement of HITECH [section 13402(e)(4)] that The Department of Health and Human Services (HHS) Secretary enables public awareness of patient data breaches. 

HHS Wall of Shame Breaches
One of many HHS pages filled with compromised entities
Don’t want to end up on the Wall? Get more info on HIPAA compliance plans, vulnerability scans, and HIPAA Privacy and Security policies.

According to Cintas, two-thirds of US adults would not return to a business (or healthcare organization) if their personal information were stolen. I can say with confidence that brand degradation and patient exodus will likely occur every time an organization shames their name through a data breach. How do I know this? As a well-informed patient, I always check The Wall before giving my business (and information!) to a new dentist or doctor. 


What do the stats tell us?

By analyzing the Wall of Shame, I can tell you that as of May 2014:
  • The total number of breaches reported to the HHS exceeds 990
  • 238 organizations were reported on the WoS as breached in 2013 (that’s 4.5 breaches a week!)
  • 7.7 million records were compromised in 2013
  • In the history of the Wall of Shame, 72 breaches occurred because of hacking 
  • The three largest breaches ever reported were 4,901,432 (TRICARE), 4,029,530 (Advocate Health and Hospitals Corporation) and 1,900,000 (Health Net, Inc.)
  • 7 health care organizations reported security breaches that involved one million or more records
  • In the history of the Wall of Shame, the total number of individuals affected is over 31 million.
  • Business associates are involved in 27% of reported breaches
  • Who knows how many records unreported breaches (under 500 individuals affected) would add to this list…

"It'll never happen to me"

If you are a healthcare organization, I hope this post has inspired you to reconsider the common false assumptions of medical practices nationwide. “It’ll never happen to me.” “My legal guy takes care of HIPAA.” Those thoughts are what get organizations breached and sent into the corner wearing a dunce cap. 



Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits. 

What Are Addressable HIPAA Requirements?


Contrary to popular belief, addressable does NOT mean optional
By Tod Ferran, CISSP, QSA

Tod Ferran, Security Analyst
In the HIPAA Security Rule, each standard’s implementation specifications are either “addressable” or “required,” and they describe how the standard should be executed.

Required vs. Addressable HIPAA


Required

“Required” rules are quite cut and dried. Either you implement them, or you automatically fail to comply with the Security Rule. These mandatory rules represent 48% of the HIPAA Security Rule. “Addressable” constitutes 52% of Security Rule specifications, and many entities do not fully understand what that entails.


Addressable

Addressable requirements are often technical, and allow organizations the flexibility to implement different security controls to accomplish the requirement’s objective.

For example, if I had addressable specifications to cook a turkey, I could cook it in the oven like the recipe dictates, or I could BBQ, deep-fry, smoke, or microwave it. It doesn’t matter how I cook it, just that it gets cooked (and doesn’t give me food-poisoning).


What are my options with addressable HIPAA requirements?

The HHS explains entities have three options with addressable implementation specifications.
  • Implement the specification
  • Implement alternative measures to accomplish the same purpose
  • Not implement anything
Each entity must individually assess whether addressable specifications are reasonable and appropriate for their environment. 


What if I don't implement an addressable HIPAA requirement?

Many small and medium practices believe they can just ignore addressable items. Addressable does not mean optional, and the decision not to address a specification should not be made casually. 

IMPORTANT: If you decide not to implement an addressable item, you must fully document why you chose not to implement the specification, implement an alternative, or implement a partial solution. If you are forced to go through a HIPAA audit, the Office for Civil Rights (OCR) will review your documentation and determine if they agree with your decision. If you don’t have solid documentation that dictates the reason and business justification for disregarding the specification, you will be fined.

The decision not to implement an addressable item may be appropriate in some situations. Perhaps security measures are already in place that render this requirement moot, perhaps the security measures would actually decrease the overall security of PHI, or perhaps it simply doesn’t apply to your situation.

Here’s an example. If a small covered entity does not transmit PHI electronically outside their organization, addressable Integrity Control §164.312(e)(2)(i) and Encryption Control §164.312(e)(2)(ii) requirements are not applicable. This could apply to a dentist office that sends records by hand (vs. an Internet connection or email) to other covered entities. 

In this specific case, staff should be interviewed to validate no data leakage occurs through any form of electronic transmission, and no extra data is received by contracted business associates.

You can’t be penalized for going above and beyond on addressable rules, but you can be penalized for accidentally (or purposefully) forgetting about one that applies to your entity. So if you aren’t sure whether an addressable specification applies to you, do it anyway!


Here is a complete list of Addressable Implementation Specifications

Administrative
  • Workforce Security
    • Authorization and/or supervision
    • Workforce clearance procedure
    • Termination procedures
  • Information Access Management
    • Access authorization
    • Access establishment and modification
  • Security Awareness and Training
    • Security reminders
    • Protection from malicious software
    • Log-in monitoring
    • Password management
  • Contingency Plan
    • Testing and revision procedures
    • Applications and data criticality analysis
Physical Safeguards
  • Facility Access Controls
    • Contingency operations
    • Facility security plan
    • Access control and validation procedures
    • Maintenance records
  • Device and Media Controls
    • Accountability
    • Data backup and storage
Technical Safeguards
  • Access Control
    • Automatic logoff
    • Encryption and decryption
  • Integrity
    • Mechanism to authenticate electronic protected health information
  • Transmission Security
    • Integrity controls
    • Encryption
Was this post helpful? If so, please share!

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits. 

Top 10 Types of Phishing Emails


Criminals have countless methods to trick email users.
By David Ellis, GCIH, QSA, PFI, CISSP



David Ellis, Director of Forensic Investigations
Phishing is the electronic version of social engineering and has found a huge market in our email-obsessed world. Hackers send fraudulent emails out to tens of thousands of people, hoping a few will click on attached links, documents, or pictures. The goal? Get recipients to willingly provide valuable social security numbers, passwords, banking numbers, PINs, and credit card numbers.

This is achieved through a few different methods. Sometimes, cybercriminals trick email recipients into opening an email attachment that loads harmful malware onto their system. Other times, they trick recipients into providing sensitive personal information directly via web forms. Either way, these seemingly teeny mistakes could make serious ripples across your organization, compromising either corporate or personal security.

SEE ALSO: 7 Ways to Recognize a Phishing Email.

Typically, phishers send legitimate-looking emails that appear as though they originated from reputable companies that many people do business with like BestBuy, Amazon, Federal Express, DHL, and PayPal. The emails often ask customers to confirm information or to go to the business site by clicking on a provided link, and often include a statement of impending consequences if you fail to act.

Here are a few common ploys cybercriminals use to trick you.


1. The Government Maneuver

This type of email looks like it originated from a federal body, such as the FBI, and tries to scare you into providing your information. Common messages include, ‘Your insurance has been denied because of incomplete information. Click here to provide your information.’ Or, ‘Because you illegally downloaded files, your Internet access will be revoked until you enter the requested information in the form below.’
FBI phishing example


2. The Friend Tactic

If an unknown individual claims to know you in an email, you are probably not suffering from amnesia. More than likely, it is an attempt to get you to wire him/her money. A variation on this theme is that one of your known friends is in a foreign country and needs your help. Before you send your ‘friend’ money, give them a call to verify. Your true friend’s email contact list was probably hijacked.
Foreign phishing example


3. The Billing Problem

This phishing tactic is tricky because it appears quite legitimate. This email states that an item you purchased online cannot be shipped to you because the credit card was expired (or billing address wasn’t correct, etc.). If you click on the provided link, it takes you to a spoofed website and asks for updated payment/shipping information, etc.
PayPal phishing example
A lot of folks have personal and business PayPal accounts. Here, notice that the email header is from paypal@update.com. While that may sound legit, everything from PayPal will have an address of ...@paypal.com


4. The Expiration Date

This type of email falsely explains that your account with [company name] is about to expire, and you must sign in as soon as possible to avoid losing all your data. Conveniently enough, there is a link in the email, which again takes you to a spoofed login page.
SBC Global phishing example


5. The Virus Scare


This type of email states that your computer has been infected! In order to avoid losing your data and infecting your computer the email instructs you to follow the provided link, or download the “anti-virus” attachment.
USAA phishing example
Whatever you do, DON'T CLICK ON THE LINK!


6. The Contest Winner

Don’t get too excited when you receive emails that claim you’ve won something, or received an inheritance from a relative you've never heard of. 99.9% of the time, these are absolutely bogus. To claim your prize, the email requires you click a link and enter your info for prize shipment.
Attorney phishing example


7. The Friendly Bank

Your bank may offer account notifications when certain amounts are withdrawn from your accounts. This ploy tricks you with a fake account notification stating that an amount has been withdrawn from your account that exceeds your notification limit. If you have any questions about this withdrawal (which you probably would), it gives you a convenient link that leads to a web form asking for your bank account number “for verification purposes.” Instead of clicking on the link, give your bank a call. They may want to take action on the malicious email.
Bank of America phishing example
Due to the graphics and opt-out instructions, this phishing attempt seems very legitimate.


8. The Victim

Being wrongly accused of something doesn’t feel good. This type of phishing email poses as an angry customer who supposedly sent you money in return for a shipped product. The email concludes with the threat that they will inform the authorities if they don’t hear from you.
Real estate phishing example
This is another type of victim scam. Who wouldn't be a little worried after receiving this email?

9. The Tax Communication

Practically everyone has annual taxes to submit. That’s why this phishing attempt is so popular. The message states that you are either eligible to receive a tax refund, or you have been selected to be audited. It then requests that you submit a tax refund request or tax form.
IRS phishing example


10. The Checkup

This is one of the more unassuming phishing email attempts. It claims [company name] is conducting a routine security procedure and requests you verify your account by providing information. This scam is especially effective if you happen to be a customer of the named business.
Bank of America phishing example


If you receive a phishing email:

  • Don’t click on any links, open attachments, or expand any included pictures
  • Don’t try to reply to the sender
  • Report the scam (forward the e-mail to the FTC – spam@uce.gov)
  • Delete the email from your computer
  • If you do legitimate business with a company mentioned in the phishing email, you can call the business and ask if they would like you to forward the email to them, so they may take further action.

Was this post helpful? Share it!

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.

7 Ways to Recognize a Phishing Email


"You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time."–Abraham Lincoln
By David Ellis, GCIH, QSA, PFI, CISSP

David Ellis, Director of Forensic Investigations
Are you sure that email from UPS is actually from UPS? (Or Costco, BestBuy, or the myriad of unsolicited emails you receive every day?) Companies and individuals are often targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization. In these emails, the sender asks recipients to click on a link that takes them to a page where they will confirm personal data, account information, etc.  


This technique is called phishing, and it’s a way hackers con you into providing your personal information or account data. Once your info is obtained, hackers create new user credentials or install malware (such as backdoors) into your system to steal sensitive data. 

SEE ALSO: Examples of common phishing attempts.

It’s often difficult to distinguish a fake email from a genuine one; however, most have subtle hints of their scammy nature. Here are seven ways to help you recognize a phishing email and maintain email security.


1. Legit companies don’t request your sensitive information via email

Chances are if you receive an unsolicited email from an institution that provides a link or attachment and asks you to provide sensitive information, it’s a scam. Most companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers, nor will they send you a link from which you need to log in. 


Global Pay phishing example
Notice the generic salutation at the beginning, and the unsolicited web link attachment?

2. Legit companies call you by your name

Phishing emails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with required information about your account, the email would call you by name and probably direct you to contact them via phone.


Best Buy phishing example
Sir/Madam? Also, what's up with the 17 in the middle of the sentence?

3. Legit companies have domain emails

Don’t just check the name of the person sending you the email. Check their email address by hovering your mouse over the ‘from’ address. Make sure no alterations (like additional numbers or letters) have been made. Check out the difference between these two email addresses as an example of altered emails: michelle@paypal.com vs. michelle@paypal23.com. Just remember, this isn’t a foolproof method. Sometimes companies make use of unique or varied domains to send emails, and some smaller companies use third party email providers.
Costco phishing example
"Costco's" logo is just a bit off. This is what the Costco logo is supposed to look like.
See the difference? Subtle, no?


4. Legit companies know how to spell

Possibly the easiest way to recognize a scammy email is bad grammar. An email from a legitimate organization should be well written. Little known fact – there’s actually a purpose behind bad syntax. Hackers generally aren’t stupid. They prey on the uneducated because they are easier targets.
Eubank phishing example
Notice the apostrophe in the word 'friends'? Me neither. Other than that tiny grammar mistake, this is a very convincing email.


5. Legit companies don’t force you to their website

Sometimes phishing emails are coded entirely as a hyperlink. Therefore, clicking accidentally or deliberately anywhere in the email will open a fake web page, or download spam onto your computer.
USPS phishing example
This whole email is likely a gigantic hyperlink.


6. Legit companies don’t send unsolicited attachments

Unsolicited emails that contain attachments reek of hackers. Typically, authentic institutions don’t randomly send you emails with attachments, but instead direct you to download documents or files on their own website. Like the tips above, this method isn’t foolproof. Sometimes companies that already have your email will send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types such as .exe, .scr, and .zip. (When in doubt, contact the company directly using contact information obtained from their actual website.)
Accounting phishing example
Just remember, curiosity killed the cat.


7. Legit company links match legitimate URLs

Just because a link says it’s going to send you to one place, doesn’t mean it’s going to. Double check URLs. If the link in the text isn't identical to the URL displayed as the cursor hovers over the link, that's a sure sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct, or doesn’t match the context of the email, don’t trust it. Ensure additional security by hovering your mouse over embedded links (without clicking!) and ensure the link begins with https://.
Nokia phishing example
Although very convincing, the real Nokia wouldn't be sending you a "Save your stuff" email from info@news.nokia.com
It doesn’t matter if you have the most secure security system in the world. It takes only one untrained employee to be fooled by a phishing attack and give away the data you’ve worked so hard to protect. Make sure both you and your employees understand the telltale signs of a phishing attempt.
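The seven signs above, turned into a checker that runs over a constructed message, as an added example that is not part of the original post. The expected sender domain (paypal.com), the generic-salutation list, the two sample messages and the simplified domain comparison are all assumptions made for the example.

```python
# Added example, not SecurityMetrics code: heuristic checks for the seven signs
# above. Sample messages, expected domain and salutation list are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_SALUTATIONS = ("dear valued member", "dear account holder", "dear customer")
RISKY_EXTENSIONS = (".exe", ".scr", ".zip")   # file types named in the post
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


class _HtmlScan(HTMLParser):
    """Collect visible text and (anchor text, href) pairs from HTML or plain text."""

    def __init__(self):
        super().__init__()
        self.text, self.anchors = [], []
        self._href, self._atext = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._atext = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._atext.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._atext).strip(), self._href))
            self._href = None


def registrable(host):
    """Last two DNS labels; a simplification that ignores multi-label public suffixes."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def phishing_indicators(raw_message, expected_domain):
    """Return [(sign, detail), ...] for every red flag; an empty list means none fired."""
    msg = message_from_string(raw_message)
    flags = []
    # Sign 3: the From address must belong to the company's real domain.
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if registrable(sender_host) != registrable(expected_domain):
        flags.append(("sender-domain", sender_host))
    scan = _HtmlScan()
    for part in msg.walk():
        filename = part.get_filename()
        if filename:                                   # Sign 6: unsolicited attachment
            if filename.lower().endswith(RISKY_EXTENSIONS):
                flags.append(("risky-attachment", filename))
            continue
        if part.get_content_type() in ("text/html", "text/plain"):
            scan.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    scan.close()
    # Sign 2: a real sender addresses you by name, not "Dear customer".
    visible = " ".join(scan.text).lower()
    if any(s in visible for s in GENERIC_SALUTATIONS):
        flags.append(("generic-salutation", visible.strip()[:40]))
    # Sign 7: link text must agree with where the href really points, over HTTPS.
    for text, href in scan.anchors:
        target = urlparse(href)
        if target.scheme.lower() != "https":
            flags.append(("plain-http", href))
        shown = HOST_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(target.hostname or ""):
            flags.append(("link-mismatch", f"{text} -> {href}"))
    return flags


# Constructed sample modelled on the PayPal example above: wrong sender domain,
# generic greeting, link text that disagrees with its href, and a .zip attachment.
PHISHING_SAMPLE = """\
From: "PayPal" <paypal@update.com>
Subject: Your account will be limited
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear valued member,</p>
<p>Please visit <a href="http://paypal23.com/login">https://www.paypal.com/</a>
to confirm your information.</p></body></html>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed legitimate counterpart: real domain, named greeting, matching HTTPS link.
LEGIT_SAMPLE = """\
From: "PayPal" <michelle@paypal.com>
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Michelle,</p><p>Your statement is at
<a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a>.</p></body></html>
"""
```

Calling phishing_indicators(PHISHING_SAMPLE, "paypal.com") fires all five checks, while the legitimate counterpart returns an empty list; a message with no findings still deserves the phone call the post recommends, since these heuristics only catch the crude cases.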

Was this post helpful? If so, please share!

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.

How to Send HIPAA Compliant Emails


Do you know the rules when it comes to emailing PHI?
By Tod Ferran, CISSP, QSA


Tod Ferran, Security Analyst
Sending snail mail is tedious. That’s why email was invented, right? Unfortunately for healthcare providers, email security is a bit tricky.

Email encryption is one of the topics that I am asked about most frequently. Due to the nature of email and the struggles to properly secure it, I recommend avoiding it whenever possible. The use of patient portals is preferred for sending information to patients, and secure file transfer options are preferred for covered entity to covered entity or covered entity to business associate communications.

For those that cannot find an alternative to email, hopefully this post helps you figure out exactly what is required of you when sending ePHI. 


What do HIPAA regulations say?

According to the HHS, “the Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.”

Let me translate. Basically, you can send ePHI via email, but you have to do it securely, on HHS terms.


Understanding the challenge

To understand the reason you should secure email, it helps to grasp email transmission specifics. Typically, email follows a path similar to this:


email transmission path

There are a lot of links in this chain.

Every time the email is sent from one machine to another, such as from the sender workstation to the sender email server, it may traverse the Internet where bad guys are hidden.

A copy of the email is stored on each machine it traverses. So there is a copy on the sender’s workstation, on the sender’s email server, on the recipient’s email server, and on the recipient’s workstation.

No wonder email is a scary and insecure way to send data. Every message may cross the Internet multiple times, plus it’s stored on at least four different machines!


Transmission security

First, you must understand transmission security. HIPAA requires that PHI remains secure both at rest and in transit. That means PHI must be protected while sitting on workstations and servers, and encrypted each time your sent email crosses the Internet/other insecure networks. Upholding transmission security significantly affects which email systems healthcare professionals can use.

There is a clear distinction between an email platform being HIPAA capable and HIPAA compliant. Most are capable, but in and of themselves, not compliant. As you can see by the path an email takes, it is pretty difficult for one product to protect that entire chain.

As a general rule, free and Internet-based web mail services (Gmail, Hotmail, AOL) are not secure for the transmission of PHI. In 2012, Phoenix Cardiac Surgery paid a $100,000 penalty for not taking the steps to protect data, and for using an internet-based email and calendar service for practice administration.

If you are determined to use an Internet-based email service, ensure they sign a Business Associate Agreement (BAA) with you. Microsoft and Google recently stated they will sign BAAs. However, a BAA only goes so far and you are still ultimately responsible. Omnibus rules state the covered entity is still responsible for ensuring the business associate does their part. If found in HIPAA violation, both parties are liable for fines. The BAA typically only covers their server, you’re in charge of protecting the rest of the chain.

Encryption
Contrary to what many believe, encryption does not mean password-protected. Encryption is a way to make data unreadable at rest and during transmission. Emails including PHI can’t be transmitted unless the email is encrypted using either a third party program or encryption with 3DES, AES or similar algorithms. If the PHI is in the body text, the message must be encrypted, and if it’s part of an attachment, the attachment can be encrypted instead.

Unlike email in transit, encrypting email at rest is an addressable requirement, which means if you don’t implement it, you need to have solid documentation explaining why. But, if an unencrypted computer or laptop containing unencrypted ePHI is stolen, you will likely be fined. Just look at what happened to Blue Cross Blue Shield of Tennessee, Massachusetts Eye and Ear, Hospice of North Idaho, and AP Derm.

Here’s another great tidbit of knowledge.

The HHS understands you have no control over which email clients your patients use. 

“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.” (US Department of Health and Human Services, Omnibus Final Rule, 2013)

Basically, HIPAA rules state patients have the right to receive unencrypted emails, and as long as you use a secure email service, you aren’t responsible for what happens on their end. Some caveats to remember:
  • You must have another fully secure option for the patient to receive their information
  • You must still inform your patients that their email client isn’t secure. If they say they still want the information, it’s then permissible to send it. 
  • For your protection, ensure you document those conversations. 

Securing different types of emails

In-office emails
Emails sent within your own secure server (nurse to doctor, office manager to nurse, surgeon to lab tech, etc.) do not have to be encrypted. However, if you use remote access you must follow typical encryption rules. Options like Outlook Web Access can easily leak PHI, are difficult to properly secure, and should be avoided.

Doctor-to-doctor emails
One of the biggest questions I receive about email is, do I have to encrypt an email if it’s going to another doctor? The answer is, unless that doctor is in your office, on your own secure network and email server, YES. Remember, you are in charge of encryption during transmission. 

Personal emails
Doctors sometimes work on cases using home computers, and then email the PHI back to their work email. Unless each of those emails is secured with encryption, that doctor just made a huge mistake. As a note to compliance officers and office administrators, if a doctor refuses to stop emailing information to his personal account, ensure you document his willfully negligent actions. Since HHS expects us to sanction employees who break policy, appropriate actions should be taken.

Mass emails 
Mass emails?!?! Just say NO! If you need to send mass messages, use a mail merge program or HIPAA compliant service (think business associate) which creates a separate email for each recipient. The danger of using BCC? Email addresses aren’t usually hidden to the bad guys. 

Reply emails
If someone replies to your email, is that communication secure? Technically, that’s not your concern. HIPAA states that the entity/person conducting the transmission is the liable party. So, if the replier is not a covered entity or business associate, it’s impossible for them to violate HIPAA. If the replier is a covered entity or business associate, the protection of that data is now their problem, not yours. As soon as you reply back, however, then you are again liable for the security of that transmission.

Patient emails
How do you protect messages initiated by patients? According to the HHS, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. Providers should assume the patient is not aware of the possible risks of using unencrypted email. The provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications. Remember, you must provide alternate secure methods of providing the information to the patient.


What to do?

Cloud-based email servers
One route is to use a secure cloud-based email platform, such as Office365, which hosts a HIPAA compliant server. It’s important to connect to the server via HTTPS so you have an encrypted connection between you and your email server. Unfortunately, this option does not control the email transmission from the cloud server to the recipient’s server or workstation, so though it seems attractive, I only recommend this option when all senders and all recipients have accounts on the same cloud-based email service.

Encrypted email services
Services such as Zixmail actually encrypt the message all the way from your workstation to the recipient’s workstation. If the recipient is not a Zixmail client, the system will notify them of the email and the recipient can then connect securely to the Zixmail server to retrieve the message.

Secure message portals
If your EMR/EHR system can provide a patient portal, this gives you a secure place to store information. An email is sent to the recipient informing them they have a message on the portal, where they can log in and securely receive the message. If your EMR/EHR does not have this capability, don’t despair! There are services such as eDossea and BrightSquid that can provide this type of portal for you.


Other email considerations

Email passwords
Make sure access to your email account is protected by strong passwords. Here’s a refresher: A password should not be found in a dictionary in any language. It should contain at least eight upper and lower case letters, numbers, and special characters. Passwords should be changed every 90 days. 

Email disclaimers
Email disclaimers and confidentiality notices are not a free ticket to send PHI-filled unencrypted emails. That’s not their purpose. A disclaimer on your emails should merely inform patients and recipients that the information is PHI and should be treated as such. Your legal department can assist with the verbiage. The key to remember is that no disclaimers will alleviate your responsibility to send ePHI in a secure manner.

Did this post help you? If so, please share!

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits. 


HIPAA Compliance vs. PCI DSS Compliance


Why do you need to comply with PCI if you’ve already taken care of HIPAA?

By Tod Ferran, CISSP, QSA

Tod Ferran, Security Analyst
Some are required to comply with both HIPAA (Healthcare Information Portability and Accountability Act) and the PCI DSS (Payment Card Industry Data Security Standard), namely, covered entities and business associates that accept credit, debit, or other payment cards. Many believe if they are compliant with one, it covers the other. Those people are mistaken.
HIPAA logo and PCI DSS logo

HIPAA and PCI are two distinct and different sets of requirements. Each is specifically designed for different types of information. HIPAA was designed by government committees trying to protect citizen data. PCI was designed by a private industry to reduce fraud-related costs regarding loss of card data.


The PCI standard

The PCI standards have gone through several clarifying iterations that create the current set of PCI requirements. These requirements are generally very specific and focused.


The HIPAA standard

Conversely, HIPAA regulations, even though they’ve existed for about as long, haven’t gone through a single iteration. Because they were created without a sound basis of the types of technology required to secure patient data, these standards are vague. Even after a thorough examination of the standard, it’s difficult to know what really must be implemented to meet each requirement.

While there is some overlap between the two, it is surprisingly not as much as one might expect.

Let me give an example.

HIPAA regulations never mention the word ‘firewall’ and instead include vague language such as “implement technical security measures to guard against unauthorized access...” What does that mean? Experienced security personnel can connect the dots and know it likely means firewall implementation. Covered entities, their office staff, and even lawyers probably wouldn’t be able to come to that conclusion on their own. On the opposing side, PCI has an entire section devoted to firewalls including frequency of firewall rule review, inbound/outbound restrictions and so forth.

For those who learn best by cold hard facts and statistics, here are numeric comparisons to help clarify the disparity between HIPAA and PCI.

Each requirement usually requires multiple validation points. A validation point is specific evidence needed to support the appropriate implementation of the requirement. For example, interviewing management and reviewing policy documentation are two different validation points.


HIPAA at a glance

  • The Security Rule contains 75 requirements with 254 validation points
  • The Breach Rule contains 10 requirements with 26 validation points
  • The Privacy Rule contains 72 requirements with 255 validation points

PCI at a glance

  • PCI DSS 2.0 contains 292 requirements with 1030 validation points

Overlap between HIPAA and PCI

  • 0 of 281 HIPAA Breach Rule/Privacy Rule validation points covered in PCI
  • 70 of 254 HIPAA Security Rule validation points covered in PCI
  • 316 of 1,030 PCI validation points are covered in HIPAA
I find that HIPAA assessors who have not performed PCI assessments typically don’t hold the overlapping HIPAA requirements to the higher, specific standards that a PCI assessor would.

The point is, if you are required to comply with both PCI and HIPAA mandates, you should understand they are distinct and require mostly different security procedures and protections. Just because you’re compliant with HIPAA doesn’t mean your card processes are secure, and vice versa.

Was this post helpful? If so, please share!

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits.

Vendor-Supplied Defaults Are a Serious Threat


Hackers are merely a Google search away from hacking your network.
By Brandon Barney, CISSP

Brandon Barney, Security Support Director
Devices, like routers, come straight from the vendor with factory settings like default usernames and passwords. Defaults make device installation and support easier, but also mean every model originates with the same username and password. When those defaults aren’t changed, you give hackers Wonka’s Golden Ticket into your system.

Watch the video to learn more about vendor supplied defaults.



Want to see more vids like this? Subscribe on YouTube for more security tips.

During a recent SecurityMetrics forensic investigation, we discovered the IT company that configured the compromised merchant also set up 50 additional merchants with the same configuration and passwords. Yikes.

Once the hacker cracked the username/password, it was all downhill from there.

Don’t believe it? Google your device. Type: “[manufacturer] [model] default password.” It’s really quite simple to find your device’s default settings, along with a slew of hackalicious goodies. 


This link here looks promising... 
Looks like no matter what model Linksys router, the default username and password are usually admin. Doh!

Still don’t believe me? Here’s a sampler of a few common usernames/passwords.

  • Username: admin, username, test, admin1, sysadmin, default, public
  • Password: password, admin, 000000, 123456, test, 1, changeme, letmein
Seriously, change your vendor-supplied defaults!

Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.

Brandon Barney, CISSP, is the Security Support Director at SecurityMetrics and has over 10 years of compliance, data security, and database management experience.

Forensic Files: The Case of the Suspiciously Flawless Investigation


When business security is spotless, look to third parties for errors. 

David Ellis, Director of Forensic Investigations
By: David Ellis
The following post is a segment in my Forensic Files series. I’ve found the best way to inspire better security practices is to show examples of true security blunders. Hopefully the security failures I’ve seen while investigating compromised businesses will help you realize some actions you should take to ensure your own business’ security.

What happens when forensic investigators can’t find evidence of a compromise? In a recent forensic investigation of an ecommerce ticketing site, we were placed in exactly this scenario. As far as we could tell, the ticketing site was PCI compliant and showed no sign of vulnerability.

Eventually, we discovered that this ecommerce vendor licensed many third parties to sell tickets to its events. It dawned on us that the breach could have been caused by a third party.

Although the original ticketing site was secure, one of its resellers was not. The close shave inspired the company to exercise extra diligence when selecting partners in the future.

View the Slideshare.




David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.

Forensic Files: The Case of the Mistaken Malware


Routine log review unearths rootkit, which leads to discovery of memory scraper

By: David Ellis

In my line of work it’s quite common to be called in to investigate one piece of malware and end up finding another. In this case, I was called in to investigate a piece of malware that had been framed for stealing customer credit card data. While sifting through the data, I found the real culprit: a memory-scraper chameleon, capable of morphing into different versions to avoid anti-virus detection.

View the Slideshare below.





Forensic Files: The Case of the Stockpiled Credit Cards


One unlucky man inherits a lot of problems

By: David Ellis

Looking for a good turnkey investment, a man buys a small delicatessen. The deli always appeared busy, had a good community reputation, and the financials looked strong. The new owner thought he had covered everything before buying the deli, but he overlooked one small but important detail. Three months later, the new owner’s merchant bank advised him that his customers’ credit cards were being stolen, and the number of stolen cards was staggering.

View the Slideshare below.

