There have been quite a few headlines recently regarding various aspects of cyber war. A number of folks in the information security community have contributed to the discussion. I happen to like the comments from Ben Tomhave and Richard Bejtlich. There is an interesting crossover between the military domain and the commercial world. In the military sector one often thinks that victory is all about killing more of the other guys. But this raises some questions – who are the … →
iPhones for enterprise class applications? The issue is information security
I bought an iPhone 4 last week. It has 32 GB of memory, nearly as much as my two and a half year old Windows notebook. It does a lot of cool things and as Steve Jobs would say, it is “insanely great”. Now having said that, one of the reasons I got the device was to better understand the ecosystem. Part of this assessment is an understanding of the information security issues. The short answer is that the iPhone … →
Data loss prevention – what’s the problem?
In the last few weeks I have talked with several customers about their data loss prevention initiatives. It seems that most of the programs are focused on inadvertent data loss. These are issues such as employees sending spreadsheets with PII data to their Gmail account so they can be productive at home (a VPN is such a hassle). Another example is even more basic – sending email with PII data in the clear to business associates. What I have heard … →
Information Security: Keeping up with the government sector – changes to FISMA and the NIST guidelines
Often the government sector is viewed as unwieldy and cumbersome when it comes to moving rapidly to take advantage of new technology. When it comes to information security this is often the case as well. Since 2002, the U.S. Federal Information Security Management Act (FISMA) has been used to help government agencies manage their information security programs. For many years FISMA has driven a compliance orientation to information security. However, new and more sophisticated threats are causing a shift in … →
Risk Analysis for a Healthcare Web Application
More often than not, security and IT teams might not care to admit that decisions around information security sometimes get made in an ad hoc fashion. Organizations should invest in developing the processes to make systematic decisions about how to understand the threat environment and the optimum mechanisms to protect their business. The following discussion illustrates the systematic use of risk analysis to evaluate security approaches to a healthcare web application. We will use risk assessment methods to evaluate the … →
The increasingly sophisticated threat landscape: is your information security program prepared?
The Washington Post reported this morning on the latest development related to Stuxnet malware. The Stuxnet code was designed from the bottom up to attack Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities. The malware, which has been the subject of much discussion over the last month or so in the security and cyber war community, is capable of taking over systems that … →
Worse than useless and some thoughts on cyber war
This week the Economist featured an article about an anti-censorship product called Haystack. The product was supposed to provide anti-censorship technology. The effort was motivated by events related to the Iranian opposition movement in 2009 when activists used mobile versions of Twitter and Facebook to upload videos of police brutality and spread messages of demonstrations. The Iranian government cracked down by tracing users, blocking services and closing websites as well as arresting dissenters. Haystack entered the picture earlier this year … →
Perspectives on application security and risk management
In my last blog post I discussed information security risk management and why the financial services sector aggressively adopted the practice. My recommendation was that the healthcare industry segment needs to follow suit to increase the effectiveness and efficiency of their information security programs. It is refreshing to see evidence that this is taking place. Last week at OWASP’s AppSec USA conference some leaders from the healthcare sector shared their perspectives on information security risk management. The panel session, entitled … →
Why information security risk management makes sense in the healthcare industry
Lately I have been thinking about risk in the context of information security and the healthcare industry. I have written an article that you can find here about using risk management to help healthcare organizations manage their information security, privacy and compliance programs more effectively and efficiently. For the most part using risk to manage information security is new territory for the healthcare industry. Yet it has been common practice in the financial services sector for more than ten years. … →
Service driven innovation in healthcare
This month’s edition of Harvard Business Review features an article on service driven innovation at Kaiser Permanente. Kaiser is well known in the healthcare industry as a leader in applying IT to improve quality of care and producing better business results. The organization routinely outspends its peers on IT as a percent of revenue and has always rejected the fee-for-service model that is often blamed for excessive healthcare costs across the industry. What struck me as interesting about … →