New Windows Worm Squirming Through RDP

Posted by Mark Marshall in Main

I haven’t seen a Windows worm in the wild in a long time. The last major worm infestation was in 2003, in the days of Blaster, which spread via an unpatched flaw in RPC. Slammer hit that same year, and Code Red a couple of years earlier, in 2001.

This new worm, code-named ‘Morto’, has been seen in the wild and accounts for a spike in RDP traffic on 3389/tcp as it spreads. Users are reporting infected systems on Microsoft’s TechNet site.

Morto appears to be a dumb worm and doesn’t actually exploit anything but people’s stupidity. Morto simply attempts to guess weak passwords for the Administrator account via RDP.

The following password list is being used:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

If Morto successfully guesses a password, it mounts the remote C:\ and D:\ drives and copies a version of itself over. Once it has copied itself to a new victim, it scans the local subnet of the newly compromised box and attempts to spread to neighboring machines by the same method.

Compromised machines are fully controllable remotely. Command and control servers have been noted as jaifr.com and qfsl.net.

Morto is currently identified by F-Secure AV as Backdoor:W32/Morto.A and Worm:W32/Morto.B.

How do you protect yourself from this new squirmy foe? Simple: don’t use dumb passwords for critical accounts, including the Administrator account. Furthermore, don’t ever have RDP open to the internet. We’ve been telling everyone this for years now.

Installing Metasploit 4 in Ubuntu 11.04

Posted by Mark Marshall in Main

Install the latest version of the Metasploit 4 Framework (MSF4) on Ubuntu 11.04 Natty Narwhal using the following commands. This downloads and installs the generic Linux binary which comes bundled with all the necessary components you need for Metasploit to install and run. This should work for most users and is the easiest way to get Metasploit Framework running under Ubuntu and other Debian based Linux distros quickly.

In a Terminal, type the following:

wget http://updates.metasploit.com/data/releases/framework-4.0.0-linux-full.run

If you’re installing on a 64-bit build of Ubuntu, use this instead:

wget http://updates.metasploit.com/data/releases/framework-4.0.0-linux-x64-full.run

This downloads the current version of the Metasploit framework via wget.
Before you can run the installer you need to make it executable. The wildcard below matches both the 32-bit and the 64-bit installer file names.

chmod +x framework-4.*-full.run

And now execute the installer.

sudo ./framework-4.*-full.run

Assuming all went well, MSF 4 should now be installed. Update it before running it for the first time.

sudo msfupdate

Now run it.

msfconsole

You should now be rewarded with one of the awesome ASCII art logos and a functional Metasploit install.

If this fails for any reason you’ll want to do a manual install instead, which is a bit more complicated but, if followed correctly, should get you up and running. Find the official directions at Rapid7.

Testing Windows Passwords with Metasploit

Posted by Mark Marshall in Main

An attacker will take the path of least resistance in order to gain access to critical systems and data. During a penetration test we’ll take the same tactic as well.

Frequently this is accomplished by guessing the password to a user’s account and then either using that account’s privileges to reach critical data or escalating it to an administrator- or root-level account. Once credentials have been acquired for one host, you’ll want to determine which other systems they work against. It is fairly common, for example, to gain access to a local administrator account on a workstation or server but not to a domain account; in that case you will want to try that local administrator account against a whole slew of other systems.

There are a number of ways to accomplish this task, but one of the most efficient is to use the smb_login module of Metasploit Framework 4 to test a single username/password combination against a lot of boxes very quickly.

msf > use auxiliary/scanner/smb/smb_login
msf  auxiliary(smb_login) > set smbpass Password!
smbpass => Password!
msf  auxiliary(smb_login) > set smbuser administrator
smbuser => administrator
msf  auxiliary(smb_login) > set user_as_pass false
user_as_pass => false
msf  auxiliary(smb_login) > set rhosts 10.0.0.100-110
rhosts => 10.0.0.100-110
msf  auxiliary(smb_login) > show options
Module options (auxiliary/scanner/smb/smb_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   true             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASS_FILE                          no        File containing passwords, one per line
   PRESERVE_DOMAINS  true             no        Respect a username that contains a domain name.
   RHOSTS            10.0.0.100-110   yes       The target address range or CIDR identifier
   RPORT             445              yes       Set the SMB service port
   SMBDomain         WORKGROUP        no        SMB Domain
   SMBPass           Password!        no        SMB Password
   SMBUser           administrator    no        SMB Username
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      true             no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
msf  auxiliary(smb_login) > exploit

[*] 10.0.0.100:445 SMB - Starting SMB login bruteforce
[*] 10.0.0.101:445 SMB - Starting SMB login bruteforce
[*] Scanned 02 of 11 hosts (018% complete)
[*] 10.0.0.102:445 SMB - Starting SMB login bruteforce
[*] Scanned 03 of 11 hosts (027% complete)
[*] 10.0.0.103:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 04 of 11 hosts (036% complete)
[*] 10.0.0.104:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 05 of 11 hosts (045% complete)
[*] 10.0.0.105:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 06 of 11 hosts (054% complete)
[*] 10.0.0.106:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 07 of 11 hosts (063% complete)
[*] 10.0.0.107:445 SMB - [1/2] - Starting SMB login bruteforce
[*] 10.0.0.107:445 SMB - [1/2] - |WORKGROUP - FAILED LOGIN (Windows 5.1) administrator :  (STATUS_LOGON_FAILURE)
[+] 10.0.0.107:445|WORKGROUP - SUCCESSFUL LOGIN (Windows 5.1) 'administrator' : 'Password!'
[*] Scanned 08 of 11 hosts (072% complete)
[*] 10.0.0.108:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 09 of 11 hosts (081% complete)
[*] 10.0.0.109:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 10 of 11 hosts (090% complete)
[*] 10.0.0.110:445 SMB - [1/2] - Starting SMB login bruteforce
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(smb_login) >

In this example I successfully compromised one of my test systems that was using the password ‘Password!’ for the local administrator account. This may seem far-fetched, but I’ve seen worse than this before on engagements.

Be aware that this type of activity is very noisy and easily detectable by a sysadmin or security goon, as it will create a failed login attempt for the Administrator account on every machine in the subnet.
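The failed-logon trail that this post and the Morto post above describe is exactly what a sysadmin can alert on. The following is an added example, not code from the original posts: it groups failed logons by source address and flags a source that fails against many hosts in a short window (an smb_login run across a range, or Morto sweeping its subnet) or that hammers one account on one host (Morto guessing the Administrator password over RDP). The record format, thresholds and sample records are constructed for the example; the field set mirrors what a Windows Security log 4625 event carries as TargetUserName, LogonType and IpAddress.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data: failed-logon records reduced to the
# fields a Windows Security log 4625 event carries as TargetUserName,
# LogonType and IpAddress. One record per line:
#   time,target_host,logon_type,target_user,source_ip
# Logon type 10 is RemoteInteractive (RDP, Morto's entry point); type 3 is
# Network (SMB, what smb_login and Morto's share-copying produce).
def _rec(minute, host, logon_type, user, src):
    return f"2011-08-29T10:{minute:02d}:00,{host},{logon_type},{user},{src}"

SAMPLE_LOG = "\n".join(
    # One LAN source trying 'administrator' against eleven hosts over SMB:
    # the trail smb_login (RHOSTS 10.0.0.100-110) or a Morto subnet sweep leaves.
    [_rec(i, f"10.0.0.{100 + i}", 3, "administrator", "10.0.0.50") for i in range(11)]
    # One internet source guessing the Administrator password over RDP on a
    # single host: twelve failures in six minutes.
    + [_rec(i // 2, "WS01", 10, "Administrator", "203.0.113.7") for i in range(12)]
    # Benign noise: a single typo by a user at the console (logon type 2).
    + [_rec(3, "WS02", 2, "jsmith", "10.0.0.20")]
)

WINDOW = timedelta(minutes=10)   # look-back applied per source address (assumed)
SWEEP_HOSTS = 5                  # distinct targets from one source -> sweep (assumed)
BRUTE_ATTEMPTS = 8               # failures for one account on one host -> brute force (assumed)


def parse(text):
    """Turn the constructed record format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, logon_type, user, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "logon_type": int(logon_type), "user": user.lower(), "src": src})
    return events


def detect(events, window=WINDOW, sweep_hosts=SWEEP_HOSTS, brute_attempts=BRUTE_ATTEMPTS):
    """Return one alert per (source, pattern) found within any window-long span of events."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)

    alerts, seen = [], set()
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            # Events from this source that fall within `window` of event i (list is time-sorted).
            span = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            # Pattern 1: one source, many target hosts (lateral password sweep).
            hosts = {e["host"] for e in span}
            if len(hosts) >= sweep_hosts and ("sweep", src) not in seen:
                seen.add(("sweep", src))
                alerts.append({"kind": "sweep", "src": src, "hosts": len(hosts),
                               "users": sorted({e["user"] for e in span})})
            # Pattern 2: one source, one host, one account, many failures (password guessing).
            for (host, user), n in Counter((e["host"], e["user"]) for e in span).items():
                key = ("bruteforce", src, host, user)
                if n >= brute_attempts and key not in seen:
                    seen.add(key)
                    alerts.append({"kind": "bruteforce", "src": src, "host": host,
                                   "user": user, "attempts": n,
                                   "logon_types": sorted({e["logon_type"] for e in span
                                                          if e["host"] == host and e["user"] == user})})
    return alerts


def analyze(text=SAMPLE_LOG):
    """Parse records and run both detections; returns the list of alerts."""
    return detect(parse(text))


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

Both thresholds are deliberately low because a single workstation rarely fails a logon against five neighbours in ten minutes; tune them against your own baseline before alerting on production logs.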

Exporting GPO’s Via the Commandline

Posted by Mark Marshall in Main

As security guys (and Linux/GNU fanboys), we tend to do absolutely everything possible via the commandline. This is pretty easy on Linux/Unix OSes, but unfortunately we deal with a lot of Windows boxen in our line of work, where it is less than easy at times.

One common scenario we need to undertake is exporting all the GPOs in a certain domain or forest for later analysis. For a small place this isn’t a big deal, as there may only be a half dozen or so GPOs applied, which works out to several dozen clicks to export them. When the client is upwards of several thousand systems and has many OUs and Sites defined, it is common for there to be many hundreds of GPOs applied. This is fairly standard for large healthcare organizations and hospitals, which we see frequently during HIPAA audits.

Thankfully Microsoft realizes that manually clicking around just doesn’t scale, and they’ve provided a fair number of nice little scripts to accomplish menial tasks quickly. One of these tools is a glorious little item called ExportAllGPOs.wsf, which is installed along with the Group Policy Management Console (GPMC). If you aren’t using GPMC yet to manage your GPOs then you are needlessly causing yourself much pain and suffering. Go install GPMC now. GPMC runs on all current versions of Windows Server and on Windows XP/Vista/7.

Using this script it’s possible to quickly export all GPOs to HTML and XML. Here’s how:

Navigate to C:\Program Files\GPMC\Scripts. Before running the script create a directory for the output to be saved to, here I’m using c:\gpo. The directory has to exist or the script will fail. You also need to specify the full DNS name of the domain, e.g. mars.local works whereas just using mars will not.

Now run the following command.

cscript GetReportsForAllGPOs.wsf c:\gpo /domain:mars.local

Output from running the command in my dev environment:

C:\Program Files\GPMC\Scripts>cscript GetReportsForAllGPOs.wsf c:\gpo /domain:mars.local
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

== Found 3 GPOs in mars.local

Generating XML report for GPO 'Pasture.Rules'
Generating HTML report for GPO 'Pasture.Rules'

Generating XML report for GPO 'Default Domain Policy'
Generating HTML report for GPO 'Default Domain Policy'

Generating XML report for GPO 'Default Domain Controllers Policy'
Generating HTML report for GPO 'Default Domain Controllers Policy'

Report generation succeeded for 6 reports.
Report generation failed for 0 reports.

This will export an HTML and an XML version of each GPO defined in your domain. Once they’ve been exported they can be viewed manually or processed by further tools. I’ve cobbled together a bunch of scripts I use in order to easily parse large numbers of GPOs and pull out the interesting data I’m looking for.

HIPAA Audits – Paying a Little Attention Now Will Pay Big Benefits Later

Posted by Dan Berger in Main

In July, the HHS’ Office of Civil Rights (OCR) announced that they had appointed consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012. The implementation of the audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act.

The KPMG contract enables OCR to put “feet on the street,” while retaining an oversight role in the process. Sue McAndrew, OCR’s deputy director for health information privacy, confirms that some audits could even result in OCR enforcement action. “Certainly, if we uncover in the course of the audit major violations or potential violations … we will be dealing with those … in the same manner we would through our formal enforcement process,” she said recently, according to www.healthcareinfosecurity.com

Details of the focus and scope of HIPAA audits have yet to be fully defined. However a few things are clear. Each audit will follow a “typical onsite audit process” with an in-person visit and interviews with key management personnel such as the CIO, privacy officer, legal counsel, and health information management/medical records director. Draft reports will be shared with the organization before they are completed, and management responses will be incorporated in the final audit report.

Fair enough, but further details are a little murkier.  Ms. McAndrew goes on to say that the audits will “initially offer comprehensive assessments of compliance with the HIPAA privacy and security rules rather than specific narrower issues.” For covered entities, it must be a little confusing to see the words “comprehensive assessment” juxtaposed with “rather than specific, narrower issues.”

At Redspin, we use the term “comprehensive security assessments” to mean that we include specific, narrow issues. After all, we’re guided by the HIPAA Security Rule— 84 pages long, even in its simplified version! See following link: (Administrative Simplification Regulation Text, March 2006). It’s also unclear how the OCR and KPMG will select organizations to audit. While the projected number of 150 audits in 2012 makes the likelihood of an audit visit to your organization fairly low, keep in mind that OCR has a separate initiative underway to train State Attorneys General on the HIPAA audit process as well.

We think it would be prudent for a healthcare organization to consider what it can do now, knowing there’s a possibility of a HIPAA audit sometime in the future.  An old Scouting motto comes to mind: “Be Prepared.” This is a good time for covered entities and business associates to review their HIPAA privacy and security programs and ensure that their documentation is up to date.

Most importantly, given the increased civil penalties and liabilities for PHI breach, it can now be considered a fiduciary responsibility for healthcare companies to assess whether their security programs are effectively safeguarding electronic protected health information (ePHI). Organizations participating in the EHR “meaningful use” plan already have a compelling incentive to “conduct or update a security risk analysis” but note, with or without meaningful use, this is a mandatory requirement for all covered entities and business associates, taken verbatim from the HIPAA Security Rule itself.

To help you prepare, let’s fast forward to what an actual HIPAA security audit may look like. The first thing any security auditor looks for is the policies and controls that you have in place, how they are documented, implemented, communicated, enforced, and lastly, how effective they’ve been. They’ll want to review whether or not you have identified vulnerabilities within your organization in the past and what steps you’ve taken to mitigate them.  At Redspin, we’ve worked with IT auditors for nearly a decade in our banking and financial practice. We’ve found that companies that have previously engaged independent firms like Redspin to conduct comprehensive Security Risk Assessments (rather than checkbox compliance solutions) benefit greatly when audit time rolls around.

First impressions are always important, and when an auditor sees that you’ve already conducted a Security Risk Assessment in accordance with the HIPAA Security Rule, they know their work is more than halfway done. And so is yours. The follow-up demands on your organization’s time and resources will be much lighter and the outcome is virtually guaranteed to be more positive. You’ll be able to show well-documented policies and procedures, an objective rating of the effectiveness of your controls, the actions management has taken to address known vulnerabilities, and how your security risk posture has improved over time.

When Redspin conducts a Security Risk Analysis, we make all of the information above accessible to you from our secure, web-based client portal. This further enhances your ability to navigate through large amounts of information quickly and present summary results in a compelling, graphical, easy-to-understand format. Lastly, if requested, we’ll stand side-by-side with you during an audit. Redspin security engineers are always available to you to discuss the results from your assessments. We’re also happy to discuss those findings, validations and final reports with outside auditors at no additional charge.

Metasploit 4.0 Highlights

Posted by Mark Marshall in Main

Earlier this week HD Moore gave a live webcast demoing the new, highly anticipated Metasploit 4 release. The live demo went as smoothly as a live demo can go, and as always HD Moore is great to hear talk no matter what the topic is. This presentation was particularly excellent because he’s so passionate about the Metasploit project, which he single-handedly created nearly 10 years ago and has since watched grow into the de-facto tool used by penetration testers and infosec warriors.

Some statistics about Metasploit over the years:

  • 2003 – Metasploit 1.0 – 11 exploits
  • 2004 – Metasploit 2.0 – 18 exploits
  • 2007 – Metasploit 3.0 – 177 exploits
  • 2011 – Metasploit 4.0 – 716 exploits

  • 1 million unique downloads in the past 12 months
  • Rapid7 sponsorship of Metasploit has doubled the line count of the codebase

HD’s excitement over new features that he and his team have been working on for nearly a year was quite obvious, and he said that they’ve barely slept in the last 3 months as the release date looms ever closer and crunch time arrives.

Going through every new feature is beyond the scope of this quick blog post, so here are the highlights as shown in the slides.


I’ll touch on a couple of new features and why they’re interesting. A number of new features are exclusive to Metasploit Pro, but a lot of the core stuff is available in every version of Metasploit, including the Metasploit Framework which is free and open source.

  • Optimization for large scale penetration tests. Previously Metasploit really didn’t scale beyond a thousand hosts.  Now it’s possible to load full vulnerability scans of upwards of 10,000 hosts without any issue.
  • Standardized XML API. The entire XML API is documented and will be released under an open source license.
  • Persistent agents and listeners. This is sweet. Now if you lose connection with a box you’ve compromised, all isn’t lost. You can set up the payload to persistently attempt reconnects back to your listener, so if the network goes down temporarily or a WiFi connection drops, you keep your access. You can configure every aspect of it too: set an expiration date after which it’ll remove itself, and other fun stuff.
  • Full integration with John the Ripper. Rapid7 now sponsors the JtR project, and has fully integrated it into MSF. As sad as it is, most compromises happen via a trivially guessed password on a critical box.  MSF now has many, many options for mutating wordlists as well as seeding password lists with data discovered during scanning.
  • Full remote control of MSF via a brand new RPC interface written in Ruby (msfrpc-client).
  • Support for imports from over a dozen other scanners, including Appscan, Netsparker and many more.
  • Shiny graphs and pretty pictures to look at. Don’t really care about this, but it’s great for higher level suits and execs. MSF can now spit out a pretty report with all kinds of details and graphs after the pentest is complete.

And the obligatory screenshot of the brand new interface:


Metasploit 4 looks like a great release and continues Rapid7’s charge into the enterprise market, but without totally alienating the core users who’ve been using MSF for years.

Apple Releases Lion into the Wild

Posted by Mark Marshall in Main

Today Apple released OS X 10.7 Lion, the latest version of their desktop and server OS. A number of very welcome new security features have been introduced with Lion, as well as a bunch of new usability tweaks and other generally cool things. I upgraded my i7 MacBook Pro to it a few hours ago and have a few quick observations:

  • It’s only available as a download via the App Store. No going to the Apple store and picking up a DVD. Gotta download the whole 3.5 gig thing, which is going to suck for anyone on a slow connection. Apple’s servers were getting crushed when I downloaded it and it took a few hours instead of a few minutes on my 150 Mb/s FiOS connection. Should get quicker once the initial rush dies down.
  • You can only upgrade from Snow Leopard. If you’ve got anything older than that then you’re out of luck.
  • FileVault can now do full disk encryption instead of file-level encryption. This is awesome. I hated having just my home directory encrypted previously with FileVault, and Time Machine couldn’t back up your home directory while you were logged into OS X, which made backups a royal pain.
  • Safari now runs in a sandbox. This should decrease the impact of browser exploits targeting Safari on OS X (who uses Safari tho?) because even if an exploit is successful it will be locked in the sandbox and should have a limited impact on the system and the user’s documents and files.
  • OS X now has address space layout randomization (ASLR), which is a geeky way to say that hackers and exploit writers will have a harder time executing shellcode after a successful exploit occurs, as important data that an attacker needs in order to execute code is stored in unpredictable locations and moved around.
  • Fullscreen Terminal! I’m actually the most excited about this. I spend nearly all my time in Terminal and love being able to fullscreen it now. Hit Command + Option + F to enter fullscreen mode and enjoy some totally distraction free hacking and coding :D

That’s my $0.02 for the time being.

Improving Authentication for Online Services

Posted by John Abraham in Main

The FFIEC (Federal Financial Institutions Examination Council), the banking interagency body that creates unified standards across the various regulatory agencies, recently issued new guidance on managing risks in user authentication for online transactions. The guidance is practical and has relevance for any industry in which sensitive transactions are conducted online. Categorically this applies to banks (of course) but also to healthcare organizations. As more and more electronic protected health information (ePHI) comes online with the rapid adoption of EMR/EHR systems, end users can expect more and more online access to their ePHI, and thus risk that someone will heist their credentials to log into their online account.

First, it’s important to understand why the FFIEC issued the new guidance. They make that very clear: current authentication strategies are not working. The FFIEC cites the loss of “hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers” based on the government’s IC3 Annual Internet Crime Reports. With our extensive experience in the financial services industry we can vouch for the losses incurred by the industry due to online account takeovers.

The FFIEC guidance essentially breaks down to three primary recommendations or activities:

  1. Periodic risk assessments (“prior to implementing new electronic financial services, or at least every twelve months”)
  2. Layered security
  3. Customer awareness and education

In the FFIEC’s press release (July 28, 2011), it states that regulatory examiners will be focused on this issue starting next year: “The FFIEC member agencies [FDIC, NCUA, OCC, OTS] will continue to work closely with financial institutions to promote security in electronic banking and have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012”. This means that banking industry players should expect to present to examiners that they’ve taken some action in this regard by the time of their 2012 regulatory examinations. While healthcare organizations are not regulated by the FFIEC member agencies, this guidance provides a practical approach to managing risk in an increasingly risky online environment.

We strongly urge any organization that requires user authentication for sensitive online transactions to evaluate the guidance, Authentication in an Internet Banking Environment, and ensure that your controls are evolving commensurate with the nature of the online transactions you provide your customers as well as the evolving nature of the risk.

Furthermore, because so many banks and healthcare organizations (both providers and payers) are relying on third-party software for their online services, we recommend that you push your vendors for better controls. While some of the smaller upstarts (such as online banking service providers and new EMR vendors) are agile and aggressively pushing new controls for differentiation, some of the more established players can be slower to react to the dynamic nature of security threats. Given how difficult it can be to move to a new system there is not always much leverage for service providers to aggressively improve their offerings. Nonetheless, I urge both banks and healthcare organizations to push hard for improved controls.

Redspin’s Declaration of Network Security Independence

Posted by Dan Berger in Main

We hold these truths to be self-evident, that all networks are created for a higher purpose, that they are intended to support communication, productivity, and prosperity, and are endowed by their architects and administrators with certain unalienable Rights, that among these are Security, Confidentiality, and Integrity.

That to secure these systems, expertise arises among certain noble men, deriving their just powers from the deep understanding of inherent vulnerabilities — That whenever any Form of Hacker becomes destructive of these ends, it is the Right of the Business to defend and protect itself, and to institute new defenses, laying its foundation on prevailing standards and best practices, and organizing its full resources to implement such form, as to them shall seem most likely to improve their Safety and Security.

But after a long train of abuses and usurpations, it is their Right; it is their duty, to throw off such Hackers, and to provide new Guards for their future security. Such has been the patient sufferance of these Businesses; and such is now the necessity which constrains them to alter their former Systems of IT defense. The recent history of repeated data breaches, injuries and usurpations, all having in direct object the establishment of an absolute threat over these businesses and institutions.

The time has come, hear one, hear all, for the Redspin Revolution! An independent IT security assessment firm dedicated to abolition of network vulnerabilities, the end of the tyranny of hackers, and the pursuit of data and network sovereignty. Happy 4th of July!

Preventing a Healthcare Data Breach Epidemic

Posted by Dan Berger in Main

Certain types of computer dysfunction are analogous to disease, at least in a descriptive sense. For example, we say that a PC can get “infected” by a computer “virus.” The recent rash of hacker attacks makes me wonder if we’re on the verge of a data breach “epidemic?”

True epidemics occur when new human cases of a certain disease substantially exceed what is expected over a period of time. Epidemic diseases need not be communicable; they occur when there are an accelerating number of exploits of similar weaknesses in the human immune system. (Note the clever use of the analogy in reverse.) It’s not much of a stretch then to apply the concept of an epidemic affecting the human body to one that cripples IT infrastructures.

Perhaps recent events even warrant the use of pandemic. There have been over 11 million personal health records compromised in major data breaches in the U.S. since September 2008. Last week, 8.6 million health records were reported at risk due to an unencrypted missing laptop in London.  Add recent hacker intrusions at Epsilon, Sony, the IMF, Citibank, Sega etc. and reported incidents are clearly accelerating at a staggering rate.

This must be disturbing news for a healthcare industry moving forward aggressively on the implementation and adoption of electronic health records. But consider this instead a call-to-action. Providers and business associates should seize this moment to take preventative measures. Hospitals and providers can leverage the mandatory security requirements of the “meaningful use” EHR incentive program to build organization-wide consensus and gain budget approval to invest now in their IT security future.

To qualify for incentive payments under meaningful use, covered entities and eligible providers must “conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” What an opportune time to revisit and revamp the outmoded, insufficient, neglected and/or minimal security risk programs that were likely put in place years ago.

For forward-thinking business associates, this is an opportunity too. Direct liability for ePHI data breach won’t transfer to business associates until sometime in 2012, but there’s no time like the present. In IT security, preventative action trumps reaction and damage control. Just ask Sony. And, as a “culture of security” grows among healthcare providers, business associates will find that data security becomes not only a requirement of doing business with health providers but also competitive differentiators.

So how do we all work together to prevent a data breach epidemic? In the 1995 movie “Outbreak” one proposed solution was to drop a fuel-bomb on a city where the virus had been contained.  But data breaches are rarely containable and even if they were, I doubt there would be many fuel-bombs dropped anywhere but in the computer war game Call of Duty.

Our “call of duty” to prevent data breach outbreaks or epidemics is to first understand that security is an end-to-end process. In this new environment where networks, and networks of networks, will be able to provide an access path to the most sensitive personal information, there is no such thing as containment. To quote John Halamka (MD, MS, and CIO at Beth Israel Deaconess Medical Center), “the healthcare system is as vulnerable as its weakest link. Thus each application, workstation, network and server within the enterprise must be secured to a reasonable extent.” That is your mission. And Redspin’s job is to help you achieve it.