11/10/2012

Test your web site's security!

QualysQualys (Photo credit: Wikipedia)

One of Jacadis' longest standing partners is Qualys. Qualys produces a vulnerability management suite that helps our customers manage vulnerabilities, measure compliance and maintain security.

Qualys also publishes a set of free tools for the public to use. You can check your web site with FreeScan.

With your FreeScan, you can run scans to detect security threats:

  • Network perimeter vulnerabilities
  • Web application vulnerabilities
  • Malware hosted on your website

We recommend and some regulatory or contractural obligations may require regular site scanning. Scanning regularly for vulnerabilites and malware is part of a best practice security program.

We find that many customers that come to us after a breach through their web properties built their web sites without thinking about security requirements. The sites were released into production without a security test. The sites were on the net for years without proper attention to their security needs.

Does that sound like your web properties?

Are you aware of the how secure your web properties are?

Get a sense of where you stand with FreeScan.

Enhanced by Zemanta

Posted by at 07:50 AM in Application Development, Assessments and Tests, Jacadis, Secure Coding, Secure Value, Secure Web Development | | Comments (2) | TrackBack (0)

| | |

10/31/2012

Are you ready for the next big storm?

Is your business prepared for the next big storm? Have you considered the potential obstacles to your successful ongoing operations that a man made or natural disaster might create?  Have you changed your operation to reduce the impact? Do you know what you'll do if you lose key technologies? or access to facilities? or if your employees can't get to work? 

Sandy is a reminder that bad things happen.  In the news we'll see the emotional stories about lost loved ones, miraculous rescues, incredible destruction, innocent animals, ruined fortunes and so on.  We won't see much about the small business that loses a month of revenue as they rebuild infrastrucure, shuts its doors because it  GL system wasn't backed up or lost enormous value becuase key intellectual property was destroyed.

We do formal disaster recovery plans.  We also conduct contingency tests that test those plans.

A formal plan is best, but you don't need formality.

Here's a simple way to start.

You'll need your key leadership including executives, line staff and technical staff and a few hours. I suggest pizza or Chinese food and a long lunch, but that's just personal preference to keep a tough topic a little bit on the ligther side.

Simply brainstorm through the following list:

  • What are your key information, process and technology?
  • Where are they?
  • What bad things, man made and natural, might happen in an area like yours?
  • How might those bad things impact your key assets?
  • What can be done now to reduce that impact?
  • If something can't be done now, what needs to be done when a negative event begins?

Given our increasing dependency on information and information technology to run and grow our businesses this is a vital use of your time.  You may find that the questions asked informally raise bigger questions that require expert advice. If the impact seems large enough and it represents a risk bigger than what you want to take on make some calls and find someone to work with you.

My experience is that many small businesses never get to that point because in the hustle and bustle of the day to day we don't make the time to as the "what if".  Many of our small business and entreprenuerial peers are suffering out East for that simple reason.  Similar suffering has occured in central Ohio from snow, storm, wind and power outages.

_____________________________________________________________________________________

It won't happen to you?  Many think that.  I'm a political junkie.  I like reading the background story to the election.  One of my favorite sites is National Review Online.  NRO has writers covering conservative politics all over, but they base their operations in New York. 

Earlier today I went to their site and got an error message.

Soon after this was displayed:

Snip

 

 

 

 

 

 

 

 

And now a visit tonight shows this:

Snip NRO Sandy Tumblr

 

 

 

 

 

 

 

 

It appears as if their hosting infrastructure was somehow knocked off the net.  They managed to stand up a temporary site on Tumblr but it is bare bones compared their usual fll site with a huge collection of good writing supported in parts by ads. 

Behind the obvious web site moves is a story about reduced revenues, scrambling staff (who are worried, more than likely, about personal issues in the aftermath of the storm) and an interrupted business.

Don't let it happen to you. 

Take the time to ask the "what if's" now.

Posted by at 10:36 PM | | Comments (0) | TrackBack (0)

| | |

10/07/2012

Not Just another HIPAA presentation!

I've been invited to present to the GroundWork Group's Nonprofit IT forum over the lunch hour on Tuesday, October 10th.  The presentation is titled Not Just Another HIPAA Presentation: Canary in a coal mine: 5 questions to ask to confirm your HIPAA compliance.

Are you familiar with the role of the canary in a coal mine? Back in the old days coal miners would carry canaries in small cages down deep into the mines with them. If deadly gases such as methane or carbon monoxide were collecting in the shafts and tunnels, the canary would die alerting the miners to get out! Great for the miners, but not so great for the canary.

We have identified a handful of questions that serve as canaries in the coal mine for organization’s trying to get a handle on whether they are HIPAA compliant or not.

If you can answer these question with a firm yes (and prove it) the canary lives! If you can’t say yes or can’t prove it earns a yes, the canary dies! Well, actually, no canary dies ... but you are more than likely not HIPAA compliant. And rather than deadly gases you risk falling victim to civil and criminal penalties from Health and Human Services and Federal Trade Commission as well as negative impacts such as lost reputation and an etremely negative impact on individuals in the populations you serve. Putting your client’s privacy at risk as a service organization most likely runs counter to your central mission.

We will spend the lunch hour running through each question. We will detail some low cost strategies to handle some of the issues you may discover.

Our goal is to give you one or two items that you can take back to the office and use to make a small improvement without too much effort on your part. 

Visit the GroundWork Group's Nonprofit IT forum web site for additional information including how to RSVP.

Enhanced by Zemanta

Posted by at 11:54 AM in HIPAA, HITECH, Jacadis, Speaking Engagement | | Comments (0) | TrackBack (0)

| | |

09/05/2012

What did you do with that Incident Response template your cyber liability insurer provided?

InsuranceInsurance (Photo credit: Christopher S. Penn)

I’ve had two clients in two weeks present to us as part of an assessment an incident response plan template provided to them as part of the documents their cyber liability insurer provided them along with their policy. Neither client had done anything with the template yet presented them as proof that they did indeed have an incident response plan.

Incidents that are handled on the fly without any prepared plan can be a magnitude more costly thatn those that are managed through a prepared plan. For that reason I think it is a good thing that the insurance companies have provided a template that provides structures for a plan. It is good for the client, the insurer and everyone else involved.

My concern is neither client felt compelled to do anything with the templates that were provided. In the heat of the moment following an incident they are going to manage things on the fly. Will that impact their coverage?

Both clients thought that the template was the plan and didn’t realize that it needed additional attention to be completed.

So beyond saying incident response plans are good and templates that are not completed are bad, I’ve got more curiosity than conclusion.

Some questions for discusion:
  • Have you invested in cyberliability insurance as part of your risk management strategy? Are you doing what is necessary to meet the requirements of your insurer to have coverage in the event of an incident?
  • Did you get an incident response plan template or any other security operations templates along with your coverage? Is coverage incumbent on those templates being complete and used? Did you complete them?

I would welcome a conversation with you about the role cyberliability insurance plays in your risk management program including a discussion of your answers to my questions above.

Enhanced by Zemanta

Posted by at 10:02 AM in Committee Action, Risk Management, Secure Value | | Comments (2) | TrackBack (0)

| | |

08/27/2012

New Java Vulnerability Announced

I don't usually post these kinds of postings, but our Vulnerability Management Overwatch team responded to a question from a client this morning.  I thought I would pass it along for you to use.

Initial reports from this morning show that there is a new vulnerability in Java. This particular exploit can successfully infect a fully patched computer running Windows 7 and the latest Java Upate.

Currently there is no update from Oracle. This particular vulnerability works against across all browsers in different operating systems. Once activated the exploit will download a virus which will allow it to connect to a Command and Control (C&C) server allowing it to remotely control an infected computer.

Currently these attacks are coming from a site hosted in China.

The following software is known to be vulnerable with this Java update:

  • Windows 7, Vista and XP running Internet Explorer or Firefox with Java 7 Update 6
  • Chrome users currently using Windows XP with Java 7 Update 6
  • Firefox users with Ubuntu Linux 10.04 and Java 7 Update 6

This particular vulnerability does not affect earlier versions of Java. To mitigate the chances of being affected by this exploit:

  • Uninstall Java on your system if it is not being used for any business need.
  • Monitor IPS/IDS transactions between workstations and any known Chinese subnets
  • Implement web filtering to prevent viruses from being downloaded to any at risk workstations.

Jacadis' Vulnerability Management Overwatch service assists our clients in getting the full benefit of their vulnerability management program by providing assistance and expert level support over their QualysGuard system.

Posted by at 02:40 PM | | Comments (0) | TrackBack (0)

| | |

08/03/2012

DropBox Security Breach: What it means to your business

Image representing Dropbox as depicted in Crun...Image via CrunchBase

In what seems to be a common trend in Cloud service businesses, Dropbox announced a security breach this week in which an user e-mail addresses and passwords were obtained from an employee account.


Earlier this month, Yahoo made a similar announcement with at least 400,000 users e-mail addresses and passwords breached with the resulting information posted online by a group of hackers trying to push yahoo to secure their numerous vulnerabilities.


Back on June 6th, LinkedIn confirmed that there was a major security breach on their website and that “some passwords” were stolen from user accounts.  Those passwords were posted  on a website in Russia with containing 6.5 Million encrypted passwords  with additional reports of 200,000 of those passwords already been hacked.


In the next few days the media will probably pounce on this story and discuss various the various steps you should take in order to protect your identity online. What they will probably ignore is the fact that in the past year there have been over 800 security breaches and over 174 million compromised records.
And that’s only the security breaches that were discovered and reported on.


The truth is that most data breaches aren’t even discovered by the people who own the data, it’s usually a third party that makes the discovery.  It just goes to show that if big companies like Linkedin, Yahoo or Dropbox can be compromised, any business can be at risk.


Jacadis' advice:

 

  1. Have a monitoring system in place that tracks and reports aberrant network traffic on your network or on any server that is exposed to the internet.
  2. Make sure your computers and network systems are up to date on their service and firmware patches.
  3. Make sure all your computers are up to date with their anti-virus program.
  4. Have a quarterly security audit performed on any internet applications your business might have to identify any possible security vulnerabilities.
  5. Perform a regular audit on your systems to make sure that your anti-virus and patching solutions are performing properly.



Enhanced by Zemanta

Posted by at 03:50 PM in Information Security Basics, Jacadis, LinkedIn, Secure Value, Security in the Business News, Small Business | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

| | |

07/28/2012

Jacadis adding to Services Team .... Analyst/Engineer and a PT specialist

Given upcoming customer committments and continued business growth, Jacadis anticipates adding two positions within the next 60 days.  We believe we need a Penetration Testing Specialist and a Security Analyst to add to our growing services team in that time period.

Before we formally posted at all the usual places I wanted to put both postings up here to see who might have an interest.  Again, we envision two positions:

For Jacadis, a  Network Security Engineer, works on assessments but primarly solves client problems post assessment with the implementation and operation of security technologies and controls. 

For Jacadis, a PT Analyst 2012, focuses on our penetration testing services as the lead delivery component in that effort, reporting to and supporting the efforts of our CTO to grow that part of our business.   We are open to extending our current team with an independent contractor who focuses on this type of work instead of adding this person to our team as a full-time employee.

If you know of anyone, including yourself, please reply to me to express your interest and start the proecess.

 

Posted by at 12:58 AM in Jacadis | | Comments (0) | TrackBack (0)

| | |

06/28/2012

Jacadis hiring! We are looking for an experienced office manager ...

Our company, Jacadis,is seeking a full-time office manager to join our information security team.  We seek a full-time, experienced administrative professional to manage and direct communication, provide support for company principals and field staff, manage the business office and finances, coordinate services invoicing and reporting and provide event support and planning.


Frankly, this is the person that will help us keep the details in order while we take care of our customers' information security needs. The Office Administrator will report directly to and be supervised by myself.  You'll be joining a fantastic team.  If you are interested I've provided more detail in the Download Office Manager 2012.

Posted by at 12:35 PM in Jacadis | | Comments (0) | TrackBack (0)

| | |

06/27/2012

HIPAA privacy, security & audit protocols published

Health and Human Services's Office of Civil Rights, the organization responsible for much of the HIPAA / HITECH enforcement process including audits has published its privacy, security and breach audit protocols yesterday. 

I'm putting them on my weekend reading list.  I wanted to let you know they were available should you want to dive into them yourselves. 

The protocols are available at http://ocrnotifications.hhs.gov/hipaa.html

At first blush, they seem to be extremely lightweight, but as with most regulatory efforts the devil is in the details.

This will be something you will want to incorporate into your health care compliance activities.  Some suggestions:

1.  Share a summary with your security, privacy and governance committee.

2.  Use the announcement as a trigger to send a security reminder to staff.

3.  Determine whether the announcement means you should change any of your current security and privacy activities with a particular emphasis on your Risk Assessment, Risk Analysis, Security Evaluation, Information System Activity Review and Security Awareness Training.

 

Posted by at 07:50 AM in HIPAA, HITECH | | Comments (1) | TrackBack (0)

| | |

06/26/2012

Microsoft Update Bulletin for June 2012

Jacadis helps some of its clients manage their vulnerability and patch management programs.  That includes providing some actionable information on the Microsoft patch digests. Here is the message that preceeded last week's Patch Tuesday.  I'll share these in the future in advance of Patch Tuesday.  Let me know if you are struggling with your vulnerability and patch management processes.  We can help.

Microsoft has released its advanced notification for the next round of security patches to be released on Tuesday June 12th. The updates patch the following products:

  • Windows XP Service Pack 3
  • Windows Vista
  • Windows 7
  • Windows Server 2003
  • Windows Server 2008 R2
  • Internet Explorer versions 7, 8 and 9
  • Microsoft Office 2003, 2007 and 2010

Out of these updates, three of them are rated Critical and four of them as Important. Based upon the Microsoft Exploitability Index it has been determined that these updates are addressing security issues where self-propagating malware can exploit these vulnerabilities without any warnings or prompting by the user.

Jacadis recommends that customers apply these critical and important updates immediately.

Sources:

http://technet.microsoft.com/en-us/security/bulletin/ms12-jun
http://technet.microsoft.com/en-us/security/gg309177.aspx

Posted by at 07:58 AM | | Comments (0) | TrackBack (0)

| | |

Next »
My Photo

About

TypePad Profile

Get updates on my activity. Follow me on my Profile.

Categories

Twitter Updates

    follow me on Twitter
    Blog powered by TypePad
    Creative Commons Attribution-ShareAlike 3.0 Unported