04. March 2011 · Carpe Breachum: How the HBGary breach can make us stronger – CSO Online – Security and Risk · Categories: blog

Carpe Breachum: How the HBGary breach can make us stronger – CSO Online – Security and Risk.

Nick Selby makes an interesting point in his analysis of the HBGary Federal breach: we are all targets, and we all get hacked. Therefore we should be more willing to share information about attacks, which would enable all of us to defend ourselves better.

A famous security researcher once answered my question about how he avoids being hacked, “Hell, Nick, I get hacked all the time”. He said it as if I were asking a really stupid question, because in fact, I was.

Admitting that we are all targets; admitting that we’ve all been hacked; admitting that we all face the same issues, means that we can move from psychological and marketing objections, and look instead to solving or at least addressing the logistical and pragmatic barriers to information and intelligence sharing.

03. March 2011 · Securosis Blog | What No One is Saying About that Big HIPAA Fine · Categories: blog

Securosis Blog | What No One is Saying About that Big HIPAA Fine.

Rich Mogull at Securosis argues that security vendors should not use the $4.3 million HHS HIPAA fine against Cignet Health as a motivator for improving information security.

While I agree that this HHS fine and the $1 million Mass General settlement had nothing to do with IT security controls, it seems to me that HHS is signaling that it is serious about enforcing the HIPAA Privacy and Security Rules. After all, HIPAA was passed in 1996, and the Cignet penalty is the first civil money penalty HHS has ever imposed under it.

You certainly can take Rich’s approach that the Cignet fine is just about “big boxes of paper and a bad attitude.” But I would not want to be the organization that suffers an information security breach due to lax controls.

For example, suppose you had adopted the SANS 20 Critical Security Controls as your prescriptive information security guide and had implemented all of the Quick Wins and Visibility/Attribution sub-controls, some or most of the Configuration/Hygiene sub-controls with a plan for the rest, and the Advanced sub-controls appropriate to your environment. If you still suffered a breach, it would be very hard to characterize your failure as the kind of "willful neglect" that HHS cited in these cases.

We will see what fine, if any, HHS levies against the New York City hospital system that admitted to a breach affecting 1.7 million hospital staff, patients, vendors, and contractors.

03. March 2011 · Content Security Policy · Categories: blog

W3C today released a draft specification for a method to detect and block XSS-type attacks:

The purpose of this specification is to provide a method for web applications to broadly address a large class of vulnerabilities known as content injection which is the primary focus of Content Security Policy. Other threats, such as cross-site request forgery, are not a focus of this specification.

Content Security Policy is a declarative policy framework that enables web authors and server administrators to specify the permitted sources of content in their web applications and to restrict the capabilities of that content. Content Security Policy mitigates and detects content injection attacks such as cross-site scripting (XSS).

Content Security Policy is not intended to be a fool-proof security system, but it is intended to provide an effective layer of security that will dovetail with any site’s existing web application security program.

Content Security Policy is an opt-in mechanism which requires that servers explicitly declare a security policy in order to receive any of the protection described in this document. Content Security Policies are applied by the user-agent on a per resource basis, so servers must emit a security policy with each resource that the server wants protected.

via Content Security Policy.

03. March 2011 · TrueDLP » Is It Time to Take HIPAA Seriously? · Categories: blog

TrueDLP » Is It Time to Take HIPAA Seriously?.

Last week Cignet Health was fined $4.3 million by the OCR for violating privacy provisions in HIPAA. The fine was based on that organization's failure to comply with requests from 41 patients to access their records and its resulting failure to cooperate with the HHS Office for Civil Rights investigation. In addition, Massachusetts General Hospital was fined $1 million for potential HIPAA violations.

These are the first two fines issued by HHS and they were large due to HHS’s classifying these incidents as “willful neglect.”

I would say the answer is yes, it’s time to take HIPAA seriously.