
How An Internal Penetration Test Can Help Your Organization

Posted by John Abraham in Main

Every IT department faces the challenge of having to apply limited resources (headcount, technology, third-party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind, and with a number of possible assessment approaches available, what benefits can be gained from an internal penetration test? First, since security terminology is often misunderstood, let’s define internal penetration testing. An internal pen test is a …

Wireless security controls are often too lax for the data they need to protect

Posted by John Abraham in Main

At Redspin we are often asked to perform wireless security assessments for organizations that have recently deployed or upgraded their wireless infrastructure with top-of-the-line access points (APs), controllers and wireless intrusion detection systems (WIDS). Many deployments are to support inter-office mobility – a need that has gone from a rising tide to a tsunami in parallel with the mass adoption of mobile devices such as smart phones and Apple iPads. Virtually every CIO and CSO that I meet these days …

Improving Authentication for Online Services

Posted by John Abraham in Main

The FFIEC (Federal Financial Institutions Examination Council), the banking interagency body that creates unified standards across the various regulatory agencies, recently issued new guidance on managing risks in user authentication for online transactions. The guidance is practical and has relevance for any industry in which sensitive transactions are conducted online. Categorically this applies to banks (of course) but also to healthcare organizations. As more and more electronic protected health information (ePHI) comes online with the rapid adoption of EMR/EHR systems, …

The CWE/SANS Top 25 Most Dangerous Software Errors Announced… Along With a New Set of Standards

Posted by John Abraham in Main

In a new and revised format, SANS along with MITRE has published the latest list of the highest risk software security vulnerabilities; the revision to the list is based on the CWE, CWSS and CWRAF security standards. The announcement leverages and highlights these new standards and collaboration efforts among the security community (including corporate, non-profit and government entities). As this announcement publicizes some new standards efforts that many of us will undoubtedly hear a lot about in the coming months, …

International Monetary Fund Breach – mum’s the word from the I.M.F.

Posted by John Abraham in Main

The New York Times reported this weekend on a potentially serious breach at the International Monetary Fund (I.M.F.). The Times reports that the breach occurred perhaps several months ago, yet the fund only disclosed this to internal staff and board members on Wednesday. Other than the report from the Times, there is not a lot of available information about the incident. The I.M.F. itself has made no public statement about the breach. Surprising for an organization that is capable of a half-dozen …

RSA: More concerned with their revenue than your security?

Posted by John Abraham in Main

The RSA Breach, their initial reaction, and their follow-up communication regarding the Lockheed Martin attack (which they are admitting is related to the initial RSA breach) makes us question their priorities. Revenue and brand come first. Customer security is second. Of course both of these are inter-related: you surely can’t build a robust security brand given security incidents like this and RSA’s brand is forever tarnished with this breach. Nonetheless, in the short term RSA’s reaction to this incident clearly …

OIG’s Review of CMS HIPAA Security Rule Oversight – What a Scathing Report Means For You

Posted by John Abraham in Main

The OIG (the Office of Inspector General – the audit arm of the Department of Health & Human Services) recently released its report on the CMS’s (Centers for Medicare & Medicaid Services) oversight and enforcement of hospitals’ HIPAA Security Rule implementation. In the scathing report* the OIG clearly characterizes the CMS’s current regulatory compliance efforts as lax. While the report is full of interesting statistics about the extent to which the hospitals it audited as part of the analysis were …

HIPAA Security Risk Analysis: Compliance vs Security

Posted by John Abraham in Main

Security vs Compliance

As an independent provider of security assessments, we are keenly aware of the two primary drivers of an objective security assessment – security or compliance. Roughly, these two views of risk management can be thought of as follows: Security: For organizations in this camp, ensuring that ePHI is protected is mission critical to the business. Any impact to data security would be viewed as negatively impacting business value, whether it be monetary, brand value or customer loyalty, …

HIPAA Security Risk Analysis: How to Achieve Both Security and Compliance

Posted by John Abraham in Main

Let’s review the different viewpoints driving why healthcare organizations implement a HIPAA Security Risk Analysis. The purpose of exploring these different perspectives is to show that the primary objectives for doing a HIPAA Security Risk Analysis can be categorically defined as either security or compliance – and that both of these objectives can be achieved if a practical approach to the analysis is utilized. Here I use the term security as the goal of safeguarding electronic protected health information (ePHI) and …

Preparing for a HIPAA Security Risk Analysis: ePHI & Critical Applications

Posted by John Abraham in Main

We are often asked: “How do we prepare for a HIPAA Security Risk Analysis?” The short answer is: “It’s easy!” It’s actually better to be under-prepared than to delay the process in the hope of having your IT environment stabilized and your documentation completed – both are dynamic, always in flux and will never be “done”. It’s better to get the risk analysis completed, as it will prioritize important issues and drive limited organizational and IT resources to focus on …