Information Security in the Healthcare Industry

25 04 2012

In the not too distant past, information security was considered a “good to have” feature rather than a “must have” feature by almost everyone involved in the IT sector. Over the years, however, this notion has changed considerably for most sectors of the IT industry, such as banking, e-commerce, and Federal and State governments. These entities have become increasingly aware of the long-term impact of security breaches in terms of company reputation, lost customer base and share prices, and, most importantly, they have become conscious of the dollar figure attached to a security breach. Most IT companies in these sectors have realized that security threats are real and that IT systems need to be secured strategically rather than implementing security as a reaction to an actual violation.

As the US healthcare industry becomes more digitized, it is undergoing the same transition, driven by a growing realization of the importance of security. When President Obama began his term in the White House, he and the U.S. Senate passed an $838 billion stimulus bill in February 2009. Apart from rebuilding American infrastructure such as railroads, highways and bridges, this bill also enabled the digitization of medical records. Healthcare organizations began computerizing their medical records in order to take advantage of the financial incentives the government was offering [1]. In the rush to do this on Uncle Sam’s dime, security often languished on the back burner. These lagging security investments have left medical records more susceptible than ever to accidental or intentional disclosure, loss, or theft. What were once isolated records in paper files rapidly became electronic health data on millions of individuals that can be transmitted in seconds. According to a report prepared by the Identity Theft Prevention and Identity Management Standards Panel (IDSP) of the American National Standards Institute (ANSI), in partnership with The Santa Fe Group/Shared Assessments Program Healthcare Working Group and the Internet Security Alliance (ISA), nearly 39.5 million electronic health records were breached between 2005 and 2008 [2]. For a more recent figure, the Ponemon Institute surveyed 72 organizations in November 2011 and found that 96% of respondents reported at least one data breach within the past 24 months [2].
Healthcare systems have caught the eye of hackers and become a lucrative target because they seem to offer a greater return on investment: medical records sell for a much higher price than financial records [2]. Yet according to a survey conducted in 2011 by HIMSS [3], 35% of respondents in the medical industry acknowledged spending no more than 3% of their total IT budget on information security. However, the respondents also reported that the security budget has increased over the past year as a result of federal initiatives and security attacks.

The healthcare industry is particularly susceptible to data fraud and medical identity theft because of the sensitivity of the data it creates, collects and stores, such as PII, payment information and patients’ medical histories [3]. This information can enable criminals to file fraudulent claims that often go undetected for long periods of time [3]. One of the key areas where the industry specifically lacks security is something as basic as encryption of the devices used by employees: laptops have been the number one location of breached information [4]. For example, on September 20, 2010, a computer flash drive containing the names, addresses, social security numbers (SSNs), and protected health information (PHI) of 280,000 Medicaid members was stolen from the corporate offices of a health plan company [4]. It is even more surprising that the second highest source of breached information is paper records, which shows that the industry often lags behind in the implementation of basic security measures [4]. To be fair, hospitals are often concerned about malpractice cases, and to be safe on that front all patients are required to wear arm tags with their name, date of birth, insurance information and other data. A medical procedure as mundane as administering a medication does not happen until the patient or an escort first positively identifies the patient, and nurses are often required to match that data numerous times on computer carts, which are often left unsecured in the hallways when not in use.

Finally, most such incidents could be greatly reduced if sound security principles were adopted throughout the healthcare industry. The government is doing its part by introducing legislation that allows punitive damages when avoidable situations result in data being compromised. But as in most other businesses, the culprits are often a step ahead of the law. While the authorities are busy catching up, new avenues are being discovered that could result in devastation or, in the case of healthcare, even death. According to a recent Boston Globe article, computer scientists and Boston cardiologists have warned that it may be possible to hack medical devices such as pacemakers implanted in patients’ bodies [5]. Even devices used to monitor the health of patients remotely may be susceptible to attack [5]. Although no such occurrences have been reported so far, manufacturers of medical equipment such as pacemakers are working hard to ensure things remain that way. However, such proactive behavior is rare in a field where, sadly, most of the effort is directed toward the proverbial firefighting instead of fire prevention. Patients and the government must also do their part to safeguard personal and taxpayer funds. For public safety, a certain level of trust is essential between care seekers and care providers, and implementing sound security measures will go a long way toward building that trust.

______________

[1] R. Kam and J. Henley, “Healthcare Data Breaches: Handle with Care,” PropertyCasualty360, 20 March 2012. [Online]. Available: http://www.propertycasualty360.com/2012/03/20/healthcare-data-breaches-handle-with-care. [Accessed 25 March 2012].
[2] T. Olavsrud, “Healthcare Industry CIOs, CSOs Must Improve Security,” CIO, 6 March 2012. [Online]. Available: http://www.cio.com/article/701492/Healthcare_Industry_CIOs_CSOs_Must_Improve_Security. [Accessed 20 March 2012].
[3] HIMSS, “4th Annual HIMSS Security Survey,” 2011. [Online]. Available: http://www.himss.org/content/files/2011_HIMSS_SecuritySurvey.pdf.
[4] P. D. Keckley, “Privacy and Security in Health Care,” Deloitte, 2011. [Online]. Available: http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Health%20Reform%20Issues%20Briefs/US_CHS_PrivacyandSecurityinHealthCare_022111.pdf. [Accessed 25 March 2012].
[5] E. Cooney, “Security of medical devices is a concern,” Boston Globe, 5 July 2010.
[6] HIMSS, [Online]. Available: http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=280. [Accessed 20 March 2012].
[7] A. Zimmerman and L. Radnofsky, “Doctors Accused of Big Medicare Scam,” The Wall Street Journal, 29 February 2012.

 



Bring Your Own Device – Are The Savings Worth the Risks?

24 04 2012

By Brett Vermette

There was a time, not many years ago, when computers and information technology were primarily within the business domain, and most often only within large businesses. This has changed as a result of years of continuously improving technology performance/price ratios along with the consumerization of information technology, which has largely been driven by the iPad, iPhone and other tablet and smartphone platforms. According to Tony Bradley of PCWorld magazine, “it used to be that IT departments drove technology, but that has changed dramatically in recent years” [1]. The focus of much of the innovation in the IT industry has moved from the enterprise to the consumer, which in turn puts cutting-edge technology into the hands of consumers first. Furthermore, the second half of the technically savvy and always connected Generation Y group is now entering the corporate work force. These circumstances have created a dynamic where consumers frequently have more advanced personal technology than is available to them through their employers.

BYOD Defined

More and more frequently, employers are allowing and even encouraging employees to use their personally owned, individually liable mobile devices for work-related purposes. These initiatives, often referred to as Bring Your Own Device (BYOD) programs, offer a number of advantages to both employees and employers. In fact, Good Technology Corporation found in its 2012 State of BYOD survey that “formal BYOD programs, combined with supporting solutions and policies to ensure security and compliance, are fast-becoming the predominant models for enabling broad employee mobility, across multiple industries, and around the globe” [2]. However, BYOD programs also come with costs and risks which, if not managed properly, can have severe consequences.

What’s the Appeal?

There are aspects of BYOD programs that appeal to both the employer and the employee. Increased mobility and the corresponding improvement in productivity and efficiency are the primary benefits of BYOD programs. CIO Magazine stated that employees who use a mobile device for both personal and employment-related activities actually put in 240 more hours per year than those who do not [3]. Increased employee satisfaction resulting from the ability to use a mobile device of their own choosing is also seen as a significant benefit. Individuals choose devices for their personal use that are technologically advanced and most appealing to them. Extending these devices to the work environment simplifies the end-user experience, reduces the need for training and support and eliminates the need to carry multiple devices. From the employer’s perspective, reduced cost is the primary appeal. iPass, an enterprise mobility services company, conducted a survey that found that employers spend between $89 and $124 per month per employee on mobile connectivity charges alone [4]. For a large enterprise these costs can be very significant, and BYOD programs offload this burden to employees or share it with them.

The Costs & Risks

Employers considering a BYOD program must also carefully weigh the related security, cost and policy implications.  Effectively managing security in a BYOD environment requires implementation of both effective policies and supporting tools.  Organizations wishing to manage the increased risk of information loss associated with BYOD programs must develop a comprehensive policy that addresses items such as password use and strength, remote device management, remote device wipe, permissible operating systems, on-device storage of data and regulation compliance.  Development, implementation and monitoring of these policies can be a drain on organizational resources.  Additionally, tools such as mobile device management software and identity management suites are often required to support implementation of these policies.  These tools can be very expensive to purchase and maintain from both a cost and resource perspective.

Enabling employees to conduct their job-related duties using their personal mobile devices requires that corporate applications be available via these alternate endpoints. Refactoring applications for suitable access management and security across the wide variety of device software and hardware platforms introduced through a BYOD program can represent a daunting cost and resource drain for organizations. As noted by Computer Dealer News, “the cost of internal app development can rise dramatically with BYOD. Companies that ‘go native’ must invest in each platform in the BYOD portfolio” [5].

Shifting the contractual responsibility for mobile devices back to employees can actually result in an overall increase in cost for the same services. Corporations have traditionally had the advantage of large-volume contracts and the ability to negotiate terms and conditions, resulting in significantly lower costs on a per-user basis. Costs under a corporately negotiated contract can be as much as 42% lower than those incurred through individually negotiated agreements [6].

It is commonly believed that IT related support costs in a BYOD environment will be lower as a result of increased user familiarity with the devices that they choose.  This must be carefully considered as application support costs could increase as a result of increased proliferation of device platforms, operating systems and mobile browsers.

Finally, and perhaps most importantly, organizations considering a BYOD program must carefully consider the implications for information loss. In a BYOD environment, employee-provisioned devices are still endpoints on the corporate network. These devices will have access to critical systems and can download and contain highly confidential information. By their very nature, mobile devices are subject to an increased likelihood of loss and theft. Corporate organizations are typically much more concerned with information security than the average individual mobile device owner. Lost and stolen devices, and the fact that an employee-owned device cannot be confiscated upon an employee’s termination of employment, are key information loss risks that must be considered and mitigated.

Conclusion

The ongoing consumerization of IT, coupled with the expectations of today’s younger employees, will continue to drive the adoption of BYOD programs in the enterprise environment. While there are potential cost reduction benefits to employers, the primary benefits will be increased employee satisfaction, increased mobility and improved productivity. CIO magazine stated that “by 2014, 90 percent of organizations will support corporate applications on devices owned by workers” [3]. The ubiquity of mobile computing and increasing employer expectations regarding employee availability will drive employees’ desire for convenient access to key work-related systems and data anywhere, at any time, on a device of their choosing. As Gartner points out, “the line between personal and professional lives now intersects in the smartphone and tablet” [7]. However, employers considering BYOD programs must be careful to fully comprehend the complete risk and cost profile of these programs. Difficult-to-anticipate costs, including the cost of device management across multiple platforms, network and identity management infrastructure costs, and the cost associated with an increased likelihood of data loss, can be substantial.

Overall, while organizations must carefully manage the associated costs and risks, BYOD programs are quickly becoming a mandatory component of a modern and competitive approach to information technology and cannot be ignored.

_____________________________________________________________________________________

  1. Bradley, Tony. Pros and Cons of Bringing Your Own Device to Work. PC World Business Center. Dec 2011. <http://www.pcworld.com/businesscenter/article/246760/pros_and_cons_of_bringing_your_own_device_to_work.html>
  2. Good Technology Incorporated. Good Technology – State of BYOD Report. Good Technology. <http://www.good.com/resources/Good_Data_BYOD_2011.pdf>
  3. Fogarty, Kevin. 5 Things You Need to Know about BYO Tech. CIO Magazine. Dec 2010. <http://www.cio.com/article/647100/5_Things_You_Need_to_Know_about_BYO_Tech?page=1&taxonomyId=3112>
  4. iPass Incorporated. The iPass Mobile Enterprise Report. iPass Corporation. 2011. <http://mobile-workforce-project.ipass.com/cpwp/wp-content/uploads/2011/12/iPass_Mobile_Enterprise_Report_2011.pdf?utm_source=FormSubmit&utm_medium=web&utm_campaign=MER_Download>
  5. Kaneshige, Tom. The High Cost of BYOD. Computer Dealer News. April 2012. <http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=66884&PageMem=1>
  6. ProfitLine. The Hidden Risks of a “Bring Your Own Device” (BYOD) Mobility Model. ProfitLine Incorporated. 2011. <http://i.zdnet.com/whitepapers/Profitline_The_Hidden_Risks_of_a_Bring_your_own_Device_BYOD_Mobility_Model_1_19_2011.pdf>
  7. Disabato, Michael. Field Research: Mobility in the Age of Consumerization. Gartner Incorporated. Jan 2012. <http://my.gartner.com/portal/server.pt?open=512&objID=256&mode=2&PageID=2350940&resId=1901215&ref=QuickSearch&sthkw=BYOD>





Security, Privacy, and the Internet of Things

18 04 2012

Introduction

The Director of the CIA, General David Petraeus, recently discussed the “emergence” of the ‘Internet of Things’ (IoT) and the capabilities that it can provide to spy agencies in terms of collecting data on targeted individuals (Ackerman, 2012).  His frank discussion highlights the potential impact of the IoT on society.  The IoT offers many advantages for improving quality of life, but associated privacy and security risks must also be considered.

What is the Internet of Things?

In the RFID Journal, Kevin Ashton (2009) claims to have coined the term ‘Internet of Things’ in 1999 as a means of linking RFID technology to the Internet in order to automate industrial supply chains. Whatever its origins, the term has evolved to describe the increasing deployment of embedded, networked devices in everyday items (Grau, 2012; Samani, 2012). Well beyond “PCs, phones, and tablets”, the IoT includes items such as “televisions, cars, medical devices, and ATMs” (Samani, 2012), whose functionality can be controlled by inputs from other devices, humans, and sensors.

For example, grocery products could be fitted with the ability to signal the “internet-connected refrigerator” to automatically place an order for replacement items once they are sufficiently depleted (Burton, 2012). Other scenarios could include a burglar alarm automatically arming itself when the homeowner’s smartphone GPS indicates that he or she has departed, or the development of “self driving vehicles” (Samani, 2012). Given the possibilities, and enabled by Internet advances such as IPv6, “Ericsson predicts that by 2020, there will be 50 billion Internet-connected devices” in the world (Samani, 2012).

Privacy and Security Issues

From a privacy perspective, the IoT could enable the collection of a trove of information by governments or corporations.  As noted from Gen Petraeus’ discussion (Ackerman, 2012), embedded systems can provide intelligence operators with the means to remotely tag, track, locate, and monitor targets without the need to install a physical bug; the target’s interaction with the network through his or her devices would likely provide all of the information required.

Further, MacManus (2009) argues that marketing agencies will have increased access to “personal preferences” and user behaviours through the IoT.  For example, a very accurate consumer profile can be built by merging television viewing information with “web browsing history”, payment card information, “email data”, and “recorded movements” from “facial recognition cameras”, RFID tags, and “mobile device signals”.

The proliferation of embedded devices also implies more access paths to the internet, and hence, a larger attack surface to be exploited (Fulton, 2012).  Coupled with inadequate controls, this could lead to a wider level of insecurity across the Internet. Grau (2012), citing a study by the Intrusion Detection Systems Lab at Columbia University, notes that “embedded devices were over 15 times more vulnerable to Internet-based threats than enterprise networks”.

A large portion of the security issues arise from the “constrained memory and processor speed” (Polk and Turner, 2011) of embedded devices. Resource-constrained environments make it difficult to use common security tools such as HIPS/HIDS, firewalls, and anti-virus (Fulton, 2012). Further, while cryptography could play a significant role in providing security, current cryptographic suites have been designed under the assumption that sufficient resources would be available (Polk and Turner, 2011). If current algorithms are found to require more resources than such environments can provide, the result could be the use of ‘weaker’ cryptography. This would give a significant advantage to an attacker who is not subject to the same limitations, potentially making brute-force attacks trivial (Polk and Turner, 2011).

Samani (2012) provides two examples where IoT devices have been exploited for malicious use. In an incident in Texas, 100 vehicles with remote disable functionality installed by a car dealership were subverted by a “former disgruntled employee” who “remotely disabled the cars and wreaked havoc by setting off car horns”.  In a demonstration by academic researchers in 2008, medical information was “intercepted from implantable cardiac devices and pacemakers”, allowing them to be disabled or be issued “life-threatening electrical shocks”.

Thoughts for the Future

Given the power that this technology could have over our information and everyday lives, significant countermeasures will be required to mitigate the overall risk.  The European Commission is taking a step in the right direction; presently, they are discussing legislation to ensure that the IoT does not compromise “security, privacy, and the respect of ethical values” (Burton, 2012).

Notwithstanding potential governmental action, enterprise and individual users will need to remain cognizant of privacy and security risks. Enterprise users can continue to invest in additional security countermeasures to protect their networks, but standards and regulating bodies will also need to consider the average user when designing protocols, standards, and regulations. Novel solutions could include the use of “pairing protocols” similar to those used with Bluetooth, “automated [device] re-key after deployment”, and “mandatory security features” that “stretch the capability of” IoT devices (Polk and Turner, 2011); however, past experience does not provide much cause for optimism.

As Polk and Turner (2011) point out:

“The experience with home and small-business WEP wireless deployments is informative; weak cryptography was rapidly discovered and exploited.  Deploying the IoT without security will surely have the same result”.

Maintaining an acceptable level of security and privacy in an increasingly connected world will remain challenging if it is even attainable at all.  Continued education will be required to promote awareness of the issues, prompt the government for proper legal protections, and otherwise provide individuals with the means to protect themselves.

______________

Ackerman, Spencer. (15 March 2012). “CIA Chief: We’ll Spy on You through Your Dishwasher,” in Wired Magazine Website. Available from http://www.wired.com/dangerroom/2012/03/petraeus-tv-remote/. Last accessed 15 April 2012.

Ashton, Kevin. (22 June 2009). “That ‘Internet of Things’ Thing,” in RFID Journal Website. Available from http://www.rfidjournal.com/article/view/4986. Last accessed 15 April 2012.

Burton, Graeme. (13 April 2012). “Europe to Legislate on the ‘Internet of Things’,” in Computing.co.uk. Available from http://www.computing.co.uk/ctg/news/2167448/europe-legislate-internet-things. Last accessed 15 April 2012.

Fulton, Scott M. (27 February 2012). “Would an Internet of Things Threaten the Internet of People?” in Read Write Web Website. Available from http://www.readwriteweb.com/hack/2012/02/would-an-internet-of-things-th.php. Last accessed 15 April 2012.

Grau, Alan. (29 March 2012). “Embedded Device Security and the Internet of Things,” in Hearst Electronic Products Website. Available from http://www2.electronicproducts.com/Embedded_device_security_and_the_Internet_of_things-article-FAJH_IconLabs_Apr2012-html.aspx. Last accessed 15 April 2012.

MacManus, Richard. (14 August 2009). “Should Consumers Fear the Internet of Things?” in Read Write Web Website. Available from http://www.readwriteweb.com/archives/rfid_fear.php. Last accessed 15 April 2012.

Polk, Tim & Turner, Sean. (14 February 2011). “Security Challenges for the Internet of Things,” in Internet Architecture Board Website. Available from http://www.iab.org/wp-content/IAB-uploads/2011/03/Turner.pdf. Last accessed 15 April 2012.

Samani, Raj. (4 April 2012). “The Internet of Things: Surfing Securely,” in the Huffington Post Website. Available from http://www.huffingtonpost.co.uk/raj-samani/internet-surfing-securelyy_b_1396742.html. Last accessed 15 April 2012.





BYOD Password Policies – First Level of Defense

14 04 2012

A ThreatPost tweet (Donohue, 2012) and coverage on NBC’s Today Show (How safe is your smartphone’s data?, 2012) provided broad visibility to a recent study sponsored by Symantec and Sprint called The Symantec Smartphone Honey Stick Project (Haley, 2012). In late 2011, the experiment was conducted by placing fifty smartphones in five large cities, in places where the phones would appear to have been misplaced by their owners, in an effort to identify what would happen to the phones when they were found. Phony personal and corporate applications were loaded on the phones along with software that tracked access to these applications and the GPS location of the phones. No passwords or other security features had been enabled on any of the fifty phones. The project’s results showed that 83% of the phones’ finders accessed the phony corporate data. The fake corporate email application was accessed on 45% of the phones, while the corporate data planted on the phones was accessed on 53% of the devices ([OPERATION HONEY STICK] Where’s Your Smartphone?, 2012).

The experiment summary document includes several recommendations for both corporations and consumers to better protect the data that resides on smartphones. One recommendation specifically targets the password policies established by corporations for these devices: “Organizations should develop and enforce strong security policies for employees using mobile devices for work; this includes requiring password-enabled screen locks. Mobile device management and mobile security software can aid in this area.” (Wright, 2012) This experiment commissioned by Symantec reinforces the need for corporations that are writing policy statements to integrate BYOD (Bring Your Own Device) into their operating models to establish strong password policies for employee-owned smartphones that have access to corporate data.

Good Technology (Bring Your Own Device Individual Liable User Policy Considerations, 2012) recommends establishing password and device locking policies for employee-owned devices that are similar to those established for company-owned PCs:

  1. Policy should state the requirement of a password for the device.
  2. Policy should specify the required length of the password to be 6 characters.
  3. Policy should specify that the password include at least one letter or number where the device supports alphanumeric passwords.
  4. Policy should state the frequency required for password changes to be every 90 days.
  5. Policy should state the number of passwords retained in password history is four.
  6. Policy should state that after 30 minutes of inactivity, the device will be locked requiring the password to unlock.
  7. Policy should state that after 10 invalid logins, the device locks the account.

Andrew Jaquith, Chief Technology Officer of Perimeter E-Security, has a more practical approach toward setting password and device locking policies for mobile devices, aimed at balancing a strong, secure password selection with device usability (Jaquith, 2011):

  1. Policy should state the requirement of a password for the device.
  2. Policy should state the requirement of an 8-digit numeric PIN (not allowing the use of simple PINs).
  3. Policy should state that the device will lock after 15 minutes of inactivity (with a 2 minute grace period).
  4. Policy should state that the device will automatically be wiped or permanently locked after 8 invalid login attempts.

(No policy exists specifying the frequency of PIN changes or requirement to maintain password history.)
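In practice both lists above become settings that a mobile device management (MDM) product pushes to each enrolled device and then reports back. The following Python script is an added example written for this page, not code from Symantec, Good Technology or Perimeter E-Security: it encodes the two lists as policy objects, evaluates a constructed device report against each, and implements the “not allowing the use of simple PINs” rule from Jaquith’s list as a small check. The `DeviceReport` field names, the two sample reports and the definition of a simple PIN (one repeated digit, a straight ascending or descending run, or a short block repeated) are assumptions made for this example.

```python
"""Evaluate an MDM-style device report against the two mobile password policies
quoted in the post. Added example for this page; not code from Symantec, Good
Technology or Perimeter E-Security. The report shape, field names and the
definition of a "simple PIN" are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    autolock_minutes: int
    max_failed_attempts: int
    max_age_days: Optional[int] = None    # None: no rotation requirement stated
    history_count: Optional[int] = None   # None: no history requirement stated
    grace_minutes: Optional[int] = None   # None: no grace period allowed
    alphanumeric: bool = False            # require letters and digits where supported
    forbid_simple_pins: bool = False      # reject 1111 / 1234 / 1212-style PINs
    wipe_on_max_failed: bool = False      # wipe or permanent lock, not just account lock


# Items 1-7 of the Good Technology list as quoted in the post.
GOOD_TECHNOLOGY_2012 = PasswordPolicy(
    name="Good Technology (2012)", min_length=6, max_age_days=90, history_count=4,
    autolock_minutes=30, max_failed_attempts=10, alphanumeric=True)

# Items 1-4 of the Jaquith list as quoted in the post.
JAQUITH_2011 = PasswordPolicy(
    name="Jaquith (2011)", min_length=8, autolock_minutes=15, grace_minutes=2,
    max_failed_attempts=8, forbid_simple_pins=True, wipe_on_max_failed=True)


@dataclass(frozen=True)
class DeviceReport:
    """Settings an MDM agent might report for one enrolled device (assumed shape)."""
    passcode_required: bool
    min_length: int
    autolock_minutes: Optional[int]       # None: the device never auto-locks
    max_failed_attempts: Optional[int]    # None: unlimited attempts
    max_age_days: Optional[int] = None
    history_count: Optional[int] = None
    grace_minutes: int = 0
    supports_alphanumeric: bool = True
    alphanumeric_required: bool = False
    allow_simple_pins: bool = True
    wipe_on_max_failed: bool = False


def is_simple_pin(pin: str) -> bool:
    """Assumed definition of a 'simple' PIN: one repeated digit, a straight
    ascending/descending run, or a short block repeated (1212..., 123123)."""
    if not pin.isdigit() or len(pin) < 2:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps <= {0} or steps == {1} or steps == {-1}:
        return True
    for period in range(1, len(pin) // 2 + 1):
        if len(pin) % period == 0 and pin == pin[:period] * (len(pin) // period):
            return True
    return False


def evaluate(report: DeviceReport, policy: PasswordPolicy) -> List[str]:
    """Return the policy items the reported settings violate (empty = compliant)."""
    v: List[str] = []
    if not report.passcode_required:
        v.append("no passcode required")
    if report.min_length < policy.min_length:
        v.append(f"minimum length {report.min_length} < {policy.min_length}")
    if policy.alphanumeric and report.supports_alphanumeric and not report.alphanumeric_required:
        v.append("alphanumeric passcode not enforced")
    if policy.max_age_days is not None and (
            report.max_age_days is None or report.max_age_days > policy.max_age_days):
        v.append(f"passcode rotation not within {policy.max_age_days} days")
    if policy.history_count is not None and (
            report.history_count is None or report.history_count < policy.history_count):
        v.append(f"passcode history shorter than {policy.history_count}")
    if report.autolock_minutes is None or report.autolock_minutes > policy.autolock_minutes:
        v.append(f"auto-lock not within {policy.autolock_minutes} minutes")
    if report.grace_minutes > (policy.grace_minutes or 0):
        v.append(f"grace period {report.grace_minutes} min exceeds policy")
    if report.max_failed_attempts is None or report.max_failed_attempts > policy.max_failed_attempts:
        v.append(f"more than {policy.max_failed_attempts} failed attempts allowed")
    if policy.wipe_on_max_failed and not report.wipe_on_max_failed:
        v.append("device not wiped/permanently locked after failed attempts")
    if policy.forbid_simple_pins and report.allow_simple_pins:
        v.append("simple PINs allowed")
    return v


# Constructed reports: a device on factory defaults, and one an MDM configured
# to the Jaquith profile.
UNMANAGED = DeviceReport(passcode_required=False, min_length=0,
                         autolock_minutes=None, max_failed_attempts=None)
MANAGED = DeviceReport(passcode_required=True, min_length=8, autolock_minutes=15,
                       max_failed_attempts=8, grace_minutes=2, allow_simple_pins=False,
                       wipe_on_max_failed=True)

if __name__ == "__main__":
    for dev_name, dev in (("unmanaged", UNMANAGED), ("managed", MANAGED)):
        for policy in (GOOD_TECHNOLOGY_2012, JAQUITH_2011):
            problems = evaluate(dev, policy)
            print(f"{dev_name} vs {policy.name}: {problems or 'compliant'}")
```

Running the script prints the violations for each device and policy pair; the same `evaluate()` call can be run over an MDM export to find devices that have drifted from policy. A policy that states no grace period is treated here as allowing none, so the device configured to Jaquith’s 2-minute grace period is reported as a violation against the Good Technology profile even though it satisfies every other item of that list; the rotation and history items are the other two things that profile demands and Jaquith’s does not.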

In a recent Forbes article (Gupta, 2012), PJ Gupta cites “Leaving Passwords Up to the Users” as one of the common BYOD policy mistakes, since users will not consistently implement password protection on mobile devices unless required to. He instead sees the need for IT departments to establish BYOD policies that require passwords on all devices, with appropriate complexity standards set for those passwords.

Of all the policies required for the integration of BYOD into a corporation, password policies represent only a subset of those that are required.  But as shown by Symantec’s Honey Stick Project, password and device locking policies can provide the first level of defense in the protection of corporate data on mobile assets.

NOTE: Symantec is in the process of building its capabilities to manage mobile devices across the enterprise with its recent purchases of two companies, Odyssey Software and Nukona. Odyssey Software provides Mobile Device Management (MDM) services while Nukona provides Mobile Application Management (MAM) services (Symantec Corporation, 2012). The recent results of the study encourage consideration of their new product offerings.

_________

[OPERATION HONEY STICK] Where’s Your Smartphone? (2012). Retrieved from symantec.com: http://www.symantec.com/content/en/us/about/presskits/b-honey_stick_wheres_your_smartphone.en-us.pdf

Bring Your Own Device Individual Liable User Policy Considerations. (2012). Retrieved from http://www.good.com: http://www.welcometogood.com/byod/byod_policy_wp.pdf

How safe is your smartphone’s data? (2012, March 8). Retrieved from msnbc.msn.com: http://today.msnbc.msn.com/id/26184891/vp/46665467#46665467

Donohue, B. (2012, April 4). Symantec Experiment: Half Of Those Who Find Smartphones Don’t Return Them. Retrieved from threatpost.com: http://threatpost.com/en_us/blogs/symantec-experiment-half-those-who-find-smartphones-dont-return-them-040412

Gupta, P. (2012, February 27). Developing a BYOD Strategy: The 5 Mistakes To Avoid. Retrieved from forbes.com: http://www.forbes.com/sites/ciocentral/2012/03/27/developing-a-byod-strategy-the-5-mistakes-to-avoid/

Haley, K. (2012, March 9). Introducing the Symantec Smartphone Honey Stick Project. Retrieved from symantec.com: http://www.symantec.com/connect/blogs/introducing-symantec-smartphone-honey-stick-project

Jaquith, A. (2011, March 7). Picking a Sensible Mobile Password Policy. Retrieved from perimeterusa.com: http://blog.perimeterusa.com/1180/

Symantec Corporation. (2012). Symantec Advances Enterprise Mobility with Odyssey Software and Nukona. Retrieved from symantec.com: http://www.symantec.com/theme.jsp?themeid=nukona-odyssey

Wright, S. (2012). The Symantec Smartphone Honey Stick Project. Retrieved from symantec.com: http://www.symantec.com/content/en/us/about/presskits/b-symantec-smartphone-honey-stick-project.en-us.pdf





New Online Data Privacy Rules?

12 04 2012

On March 26, 2012, the Federal Trade Commission (FTC) issued its final report on online data privacy, entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers”.[1] While the FTC did not require businesses to make any immediate changes, it encouraged companies engaging in online commerce to adopt “best practices” in protecting consumer data; otherwise, Congress would legislate that protection.[2] The “agency suggests Congress pass something resembling the Fair Credit Reporting Act, or an update of that act. Under the FTC’s suggested legislation, people would have access to the information collected and stored about them, and, perhaps, be able to delete or edit it.”[3]

The major recommendations from the report include:

  • Design and construction of added privacy and accuracy components at every stage of the software development life cycle
  • Simplified and easy to understand mechanisms for consumers to choose what data is collected and with whom that data is shared
  • Disclosure and viewing of the consumer data already collected by online firms[4]

The report includes five main action items for the FTC to focus on:

  • Enabling consumers to eliminate the amount of data collected about them through a “Do-Not-Track” mechanism
  • Expansion of the rules to include mobile devices such as smartphones
  • Establishment of a “data broker” centralized website to define the data broker organizations and how those organizations collect and process consumer data
  • Recognition of the privacy risks associated with “large platform providers” such as browser and operating system vendors, phone companies, and social media firms such as Facebook
  • Creation of “codes of conduct” unique to each industry[5]

Analysis

With respect to the construction of privacy components, the recommendations reflect a known fact in software development: retrofitting production software to meet a requirement is considerably more difficult and expensive than including that requirement in the design and development effort. While the privacy requirements have not been fully defined, “The final FTC Privacy Report is a must-read for virtually every company that collects or uses identifiable consumer data – online or otherwise.”[6] Individuals involved in information technology in the companies that process consumer information will need to make assumptions, based on the information in the FTC report, about how user information is collected, stored, and disseminated, and modify their software accordingly.

The “simplified and easy to understand” mechanisms recommended by the FTC aren’t necessarily met by existing software. In Microsoft Internet Explorer version 8, the user must go to the Tools menu, select Internet Options, then Privacy. On the Privacy menu there are options for “InPrivate Filtering” and “Cookie Handling” as shown in Figure 1 below.

Figure 1 – Privacy Options

According to Microsoft Online Help, “InPrivate Filtering works by analyzing web content on the webpages you visit, and if it sees the same content being used on a number of websites, it will give you the option to allow or block that content. You can also choose to have InPrivate Filtering automatically block any content provider or third-party website it detects, or you can choose to turn off InPrivate Filtering.”[7] As can be seen from Figure 1, the InPrivate default settings used within GM are to:

  • Allow collection of InPrivate data
  • “Disable toolbars and extensions when InPrivate browsing starts
  • Override automatic cookie handling
  • Accept First-party Cookies
  • Allow session cookies
  • Block Third-party Cookies”[8]

The Tools option from Internet Explorer also includes “InPrivate Filtering Settings”. Those settings on my PC listed over 100 websites where the web company was “Allowed” to collect data from my workstation. There are options to “Block” this data collection, but none of the websites were blocked.[9]

To determine whether a central repository of data on me existed, I did a Google search on my name and found over 22 million sites referenced. While my name is relatively unique, the references included others with the same first and last names. To narrow the search, I selected my name at General Motors, with the results showing over 71 thousand references, including:

  • Facebook
  • Twitter
  • LinkedIn
  • White Pages
  • Blogs from CMU classes
  • A professional publication while I was a consultant
  • Sites that had collected my name from public records[10]

Note that while I have accounts with Facebook, Twitter, and LinkedIn, there is no personal information on those sites and my phone number is unlisted, so individuals who do provide personal information should have considerably more data online.

Other Views

Larry Magid, who writes about the internet for Forbes and other publications, agrees: “One area where the commission did call for “targeted legislation” is to address consumers’ lack of control over how data brokers collect and use our information. The amount of information floating around about each of us is staggering. Anyone with a phone, a bank account or a “loyalty” card, such as the one I use to get fairer prices when I shop at Safeway, is giving up information every time they shop, make a call or get on an airplane … So, thank you FTC for outlining a broad approach to transparency when it comes to accessing our own data. Now it’s time for Congress to enact legislation that truly benefits consumers, not just those who profit from our information.”[11]

Google, not surprisingly, had a dissenting opinion: “What is sometimes referred to as tracking is often data collection that helps ensure the security and integrity of data, determines relevancy of served content and also helps create innovation opportunities. It is important not to let a single negatively-loaded term obscure the fact that data collection is the source for the creation of value as well as the legitimate concerns of different parties.”[12]

The FTC membership was also not unanimous in publishing the report. Commissioner J. Thomas Rosch wrote that “the current state of ‘Do Not Track’ still leaves unanswered many important questions” (which leaves IT organizations guessing regarding the complete requirements of how to implement “Do Not Track”), that “‘opt-in’ will necessarily be selected as the de facto method of consumer choice”, and that “although characterized as only ‘best practices,’ the Report’s recommendations may be construed as federal requirements”.[13]

Conclusion

While the FTC report was not met with universal agreement and still leaves portions of the implementation open to interpretation, the report in my view is a welcome improvement to online activity. There is:

  • Far too much software that has been developed that doesn’t sufficiently include privacy requirements,
  • The current methods to protect privacy are vague, confusing, and difficult to implement, and
  • The amount of data being collected for even security conscious individuals is excessive.

My personal view is legitimate companies should immediately work to implement the FTC’s recommendations, and Congress should enact similar legislation to govern those companies who choose to circumvent the rules.


[1] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm

[2] Ibid

[3] FTC Issues Final Report On Online Privacy Recommendations, Marketing Land, 3/26/12, Pamela Parker http://marketingland.com/ftc-issues-final-report-on-online-privacy-recommendations-8620

[4] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm

[5] Ibid

[6] FTC Releases Final Privacy Report and Framework for Protecting Consumer Privacy, Privacy and TechComm Client Alert, Patton Boggs LLP, http://www.pattonboggs.com/files/News/f362e7db-4c27-4a5a-a444-05d620bad7f2/Presentation/NewsAttachment/b9242d77-c0ec-489a-ae9b-0872415f79a7/TechComm_Client_Alert_FTC_Privacy_Report_03_28_12_2012.pdf

[7] Windows Help and Support, InPrivate: frequently asked questions, installed on my computer

[8] Windows Internet Explorer, Internet Tools options, status on my GM computer, April 7, 2012

[9] Windows Internet Explorer, InPrivate Filtering options, status on my GM computer, April 7, 2012

[10] Google search on my name at General Motors, April 7, 2012

[11] Ibid

[12] Transparency and Choice: Protecting Consumer Privacy in an Online World, Alma Whitten, Sean Harvey, Ian Fette, Betsy Masiello, Jochen Eisinger, Jane Horvath, http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/37350.pdf

[13] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm





Are SCADA Systems Secured?

11 04 2012

Until a few years ago, I had no knowledge of SCADA (Supervisory Control and Data Acquisition) systems.  How are power houses, water treatment plants, gas pipelines, waste water treatment plants, pump stations, and other mechanical systems maintained in a plant, an area, or within a country?  I didn’t have a need to know, nor did I care.  SCADA systems are the brains or backbone of the mechanical infrastructure in a plant.  Maintenance engineers use the system as a supervisory tool for pumps, HVAC systems, nuclear plants, water flow systems, fans, turbines, generators, etc.  As an IT Manager, I soon learned the importance of these systems and how to support and protect the maintenance systems by protecting the SCADA system of a plant.

SCADA systems are not limited to company plants; they are used to maintain mechanical systems for cities, states, or even countries. On a larger scale, the risk of an attack on the SCADA systems becomes tenfold more dangerous and the effect could result in some form of catastrophe.

How Attacks Occur and Examples

The SCADA System is an industrial control system. The components of a networked SCADA system consist of a main computer system that stores and processes data, with web-based interfacing. The HMI (human machine interface) and computer give the operator or engineer the ability to input, monitor, and manipulate the system.  Data is gathered from the mechanical devices through a remote terminal such as a PLC (programmable logic controller) and sent to the server.  The use of SCADA systems has grown over the years.  North America, Africa, Europe and the Middle East are the biggest consumers of SCADA systems.  Analysts believe the use of SCADA systems will continue to grow 10 percent for the next five years, which increases the risk of SCADA attacks globally.  (1)  SCADA systems range from a tool that turns pumps on and off in a water treatment facility to systems controlling spaceships for the government.  It’s a powerful tool used by many businesses, from small companies to the government, which depend on IT to support and maintain the SCADA systems.  Of the three cornerstones of IT security, CIA (confidentiality, integrity and availability), integrity and availability are the most critical to a SCADA system.  Due to the type of systems that are managed with the SCADA system, engineers and maintenance employees rely on the information obtained being accurate and available.  Any tampering with data could result in the wrong decision being made about turning devices within the system on or off.  Also, during a crisis or non-crisis moment, the information must be available.  It’s extremely hard to make a decision based on no data.

It is believed that the infrastructure of a SCADA system is vulnerable to attacks.  The attack can occur from an internal as well as an external point.  Downsizing within corporations has brought on a high number of disgruntled employees or ex-employees.  An internal attack could result from changes made to the system through personal computers or PLC interfacing; a disgruntled employee can change settings, turn off motors or pumps, or implant a virus or worm.  External attacks can occur through hacking of weak passwords, phishing attacks against hardware, entry through supplier back-door access that was left enabled, or through control system modems installed to allow remote users access.  For example, the US government reported in December 2011 that a railroad system had experienced a cyber attack. (2)  Railroad cars were delayed on several lines, which increased the risk of crossed lines and a potential railway collision.  The incident was the result of external hacking into the railroad’s SCADA system.

Methods of Prevention

To reduce attacks on SCADA systems, Information Technology departments will need to increase the security protection of the system.  They will need to enforce rules requiring users to create strong passwords that must be changed every 30 days.  Restrict remote access to the SCADA system to a secure IP VPN and remove the access modems.  Web servers that front the SCADA systems should be placed behind firewalls to provide protection from hackers on the internet.  In addition, employ a DMZ buffer, or routers and firewalls, to create a separation between the SCADA system and the rest of the corporate network. (3)  Using a combination of the available security measures will reduce the potential for an attack.

Conclusion

With the improvement of technology, the management of railroad systems, gas pipelines, water cooling systems, waste water treatment facilities, and other systems has migrated to SCADA systems.  There are several manufacturers that produce SCADA systems, such as Square D, Modicon, Siemens, Iconics, and CSWorks.  As the use of SCADA systems increases, the market of SCADA manufacturers increases as well.  Not all SCADA systems are created with the same level of security, so the buyer must be aware of the risks that exist.  SCADA systems have been and will continue to be targets of attackers.  However, the Information Technology department can work with the maintenance groups to deploy a system that provides a higher level of protection from internal and external attacks.  SCADA systems control many vital systems globally; it is up to the IT departments to mitigate the risk of possible attacks as much as possible.  Even the smallest of attacks can cause havoc on many.  No one wants to be the organization that’s been hacked.

___________

(1) The Increased Threat of Attacks on SCADA Systems, author Kevin Coleman by defensetech.org, released November September 26, 2011

(2) Reports of a possible cyber-attack against a rail company highlight the issues of protecting industrial control systems that keep the country’s critical infrastructure running, author Fahmida Rashid, by eweek.com/c/a/Security/SCADA-Systems-in-Railways-Vulnerable-to-Attack-124045, released January 26, 2011

(3) Securing integrated Scada systems against cyber attacks, author Paul Hurst by http://www.citect.com, released April 9, 2009

(4) SCADA Systems, by www.scadasystems.net





Network Reconnaissance: The Hacker’s Pre-Attack

10 04 2012

by Jim Forystek

Perhaps the majority of computer attacks occur without the perpetrator gaining physical access to the victim’s PC.  In other words, the perpetrator or attacker gains access to the victim’s PC via the network.  But how does an attacker access information on a victim’s PC in an environment that appears to be relatively secure?  An attempt to gather unauthorized information on a networked PC is not automatic.  The events leading up to the attack are usually subtle, requiring the perpetrator to snoop around a network until he or she finds something of interest.  The attacker usually sizes up his victim by utilizing several techniques to identify where a destination host PC may be vulnerable.  Andrew Landsman has identified five common phases of a hacker’s approach [LAN09]:

  • Business Reconnaissance
  • Network & System Scanning
  • Gain Access to Networks and Applications
  • Maintain Access
  • Cover Tracks

The focus of this blog is on the second of Landsman’s five phases: Network and System Scanning.  Network & System Scanning, also known as ‘port scanning’, exploits a fundamental feature of the TCP/IP protocol suite – a query that returns the services running on a PC.  All that is required to start scanning ports is port scanning software installed on a PC that is connected to the Internet.  For example, Nmap is a free software utility which can quickly scan broad ranges of devices and provide valuable information about the devices on a network.  It can be used for IT auditing and asset discovery as well as for security profiling of the network [BRA12].  For a particular IP address, the port scan software will identify which ports respond to messages (packets) and which of several known vulnerabilities seem to be present.  According to Pfleeger, port scanning will reveal three things to an attacker [PFL11]:

  • Which standard ports or services are running and responding on the target system
  • What operating system is installed on the target system
  • What applications and versions of applications are present

How does one scan ports?  There are several different port scanning techniques available.  These techniques range from rudimentary to expert/complex.  The latter may combine several port scanning techniques to obtain information.  It should go without saying that the port scan technique used is proportional to the scanner’s level of knowledge about the subject.  A commonly used scan type within the Nmap port scanning software is the ‘TCP connect()’ scan.  The TCP connect scan is named after the connect() call that is used by the operating system to initiate a TCP connection to a remote device [MES11].  The TCP connect() scan uses a normal TCP connection to determine if a port is available.  According to Messer, this scan method uses the same TCP handshake that every other TCP-based application uses on the network.  In a TCP connect() scan operation, a source host sends a packet to a destination host and awaits a response.  If the response from the destination port is ‘RST’ (reset), then the destination port is closed and the port scan will yield very little information to the inquirer.  However, if the response from the destination port is ‘SYN/ACK’, then the destination port is open and more willing to communicate potentially valuable information to the inquirer.
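To make the open/closed distinction concrete, here is an added example (my code, not from the original post or from Nmap) that performs the connect() check against the loopback interface only, as a way to audit the services listening on one’s own PC; the throwaway listener and the free-port helper are assumptions that stand in for a real service and a known-closed port.

```python
"""Added example (not from the original post): classify loopback ports the way
a TCP connect() scan does.  The mapping follows the post: a completed handshake
(SYN/ACK) means open, a reset (RST) means closed, and silence means filtered."""
import socket
import threading

LOOPBACK = "127.0.0.1"  # self-audit only: assumption made for this example


def classify_port(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for host:port using connect()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # OS completes SYN -> SYN/ACK -> ACK
            return "open"
        except ConnectionRefusedError:   # peer answered the SYN with RST
            return "closed"
        except socket.timeout:           # no answer at all (dropped/filtered)
            return "filtered"


def start_listener():
    """Start a throwaway TCP listener on an ephemeral loopback port.

    Stands in for a real service so the example has a known-open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:              # listener closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Find a loopback port with no listener (a known-closed port for the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def audit_local_ports(ports):
    """Report which of the given loopback ports answer a connect(); the open
    ones are the services to review and disable if unneeded, as the post says."""
    return {p: classify_port(LOOPBACK, p) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in audit_local_ports([open_port, closed_port]).items():
        print(f"{LOOPBACK}:{port} -> {state}")
    srv.close()
```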

What can open ports reveal to a hacker?  Probing the network can reveal vulnerabilities.  The intent is to gain information and services that the hacker should not have access to.  This is where hackers learn more about firewalls, routers, IDS systems and other network components.  This ultimately leads to information about known vulnerabilities of network devices.  Open ports can lead to a hacker gaining direct access to services and possibly internal network connections [LAN09], which is phase three of Landsman’s definition of the hacker’s approach.  Port scanning is one of the most popular reconnaissance techniques attackers use to discover services that they can break into.  All machines connected to a network may run many services that listen on well-known and not-so-well-known ports.  A port scan helps an attacker find which ports are available, i.e., what service might be listening on a port.  The type of response received from a port scan indicates whether the port is used and can therefore be probed further for weakness [MAT10].

Scanning ports within a network to determine available services is not illegal, so how does one prevent unwanted port scanning?  One cannot fully prevent port scanning without compromising one’s ability to communicate over a network.  However, there are a couple of things one can do to reduce one’s vulnerability during an unwanted port scan.  First, one can disable all unused services on one’s PC.  This can be accomplished by installing Nmap and scanning one’s own PC to see if there is anything of interest, then turning off what is not necessary.  Second, one can leverage a firewall to filter scan requests.  A firewall can reply to a port scan in three ways: open, closed or no response [COB06].  Open ports are the most vulnerable, for obvious reasons.  If vulnerabilities exist on open ports, then one can patch the weakness, which will reduce the risk of being attacked.  A closed port will respond with a message indicating that it is closed, and ‘genuine’ requests will stop making attempts to query the port.  If repeated attempts are made, the firewall can log these unnecessary attempts and block the source IP from future scans.  ‘No response’ is similar to closed, but the destination IP will not respond to the source.

In summary, understanding port scanning and how it can reveal vulnerabilities is much like controlling the doors to your house.  Completely blocking off all traffic to your house may increase the safety of your home, but it does not provide an efficient method to enter and exit.  A more effective method is to install reliable locks and distribute keys to trusted members so they can freely enter and exit under controlled circumstances.  Whether one is controlling the doors to their house or ports within their PC, a disciplined and well-informed approach must be taken to ensure assets remain safe.

________________

[BRA12] Bradley, Tony.  Nmap Network Mapping Utility.  2012.  Can be found at: http://netsecurity.about.com/od/securitytoolprofiles/p/aaprnmap.htm

[COB06] Cobb, Michael.  How to Protect Against Port Scans.  2006.  Can be found at:  http://searchsecurity.techtarget.com/answer/How-to-protect-against-port-scans

[LAN09] Landsman, Andrew.  The Five Phase Approach of Malicious Hackers.  May 8th, 2009.  Can be found at: http://blog.emagined.com/2009/05/08/the-five-phase-approach-of-malicious-hackers/

[MAT10] Mateti, Prabhaker.  Port Scanning.  2010.  Can be found at: http://www.auditmypc.com/port-scanning.asp

[MES11] Messer, James.  Secrets of Network Cartography: A Comprehensive Guide to Nmap.  2011.  Can be found at: http://www.networkuptime.com/nmap/page3-3.shtml

[MIT12]  Mitchell, Bradley.  What is a Port Number?   2012.  Can be found at: http://compnetworking.about.com/od/networkprotocols/f/port-numbers.htm

[PFL11] Pfleeger, Charles P. and Pfleeger, Shari Lawrence.  Security in Computing, Fourth Edition.  Prentice Hall, 2011.