nGenuity

Responsible Disclosure Can Be A Painful Process

Out of the 5 institutions I located running the medical software publicly online, only two of them contacted me back for more information. As an aside, I discovered that most organizations do not have an easy way for outsiders to contact them regarding issues such as this. Every company / site should have a privacy policy detailing how it deals with information handling, and that privacy policy is a great place to document this process and the contact information for it. A security@example.com address would also be a big help to researchers like me.

One of the institutions was kind (and responsible) enough to contact me back and let me know that the vendor (after 6 months) had finally released a patch for this vulnerability.

Here are some lessons learned from the process.

The Vendor: If you are a vendor or service provider of software products and services take note. You need to be proactive and take security seriously. You should have a documented public process that researchers and your customers can follow to notify you and get notified about security updates in your product. Companies are feeling the pressures of regulatory compliance and the need for stability and security and will start to demand this. Start now before you fall behind to a wiser competitor.

The Customer: Pressure your vendors into providing quantifiable proof that they have put significant effort into securing the products you purchase from them. For mission-critical software, ask if they have had a third party security audit. Ask whether they keep track of metrics such as how long it takes to fix a security issue, from first report to customer notification. If they keep those metrics, ask for them. Find out what they are doing to lower that number. Ask them if they provide proactive notification to their customers on security issues (or if you have to hunt for the info in the sparse content they call the README).

The final post in this series will be the advisory, so you can see just how silly, but dangerous, this vulnerability was.

Fixing The SMB Security Process

The typical small/medium business (SMB) security process is a reactive process that typically looks something like the following.

  1. Something breaks / data is accidentally deleted or goes missing / a computer is infected with malware or the company website gets hacked.
  2. The SMB reacts. This typically means one of the following: fixing the problem, finding a creative workaround, or simply realizing nothing can be done and giving up (which might fall into the creative workaround category). All of these cost the SMB time and/or money.

So how can the typical SMB reduce the need for costly reactions, or be better prepared in the event they need to react to an incident? The simple answer is to be proactive about business-related technology risks. Here are a few more detailed recommendations.

Reduce Ignorance of Your Technology Dependence:

Many SMBs utilize technology to reduce costs and increase productivity, but many do not understand that with these benefits come some pretty serious risks. Do the following exercise to better understand your technology dependence. Essentially you are doing the reactive work ahead of time.

  1. Walk through your business's typical day, outlining business processes such as ordering, payroll, payables, customer service, and sales.
  2. Write down the pieces of technology that are required to make these business transactions happen.
  3. Imagine what the day would be like should each one of those technology advantages be missing, unavailable, performing poorly, etc.
  4. Write down any low-tech alternatives you may have (such as manual credit card transactions using that really ugly and cumbersome imprinting machine; hey, it works!).

This information will help you understand some of the major risks to critical business processes. Sure, you will miss some, but you will be better off than when you started.

Adopt Automated / Managed Systems:

Sure, these come with their own set of risks, but automated systems implemented properly can save an SMB a lot of headaches and even prevent some incidents from happening. Here are a few examples:

  • Offsite data backups.
  • Antivirus / desktop firewalls, centrally monitored and controlled to ensure updates are applied and network policies are enforced.
  • Near-real-time integrity monitoring of the company website.
  • Managed services for weekly/monthly/quarterly proactive checkups of systems (let somebody else worry about it).

Do It Over Again:

Environments change, and your plan should evolve with them. Consider reviewing the assessments, planning, and systems you have put in place over the course of the past year, and adjust them to fit your current business strategy. Remember, technology should enable business; ignoring your technology-based risks won’t make the risks go away and certainly won’t make enabling your business any easier.

New Year Resolution: Change All Your Passwords

If you can actually remember all of the places you signed up for accounts over the years, and the unique passwords for those accounts, you can stop reading this now.

All the rest of you still reading should know that passwords are an important part of keeping prying eyes from your data (and you probably have just as hard a time remembering passwords as I do). Passwords are very similar to the combination for a safe. Know the right combination and it is easy to obtain the contents. If you don’t happen to know the combination, you could try a whole bunch of combinations in succession and eventually hit the right one. The key word there is eventually. While there are other limiting factors, such as the frequency of guesses and other controls, that I’m going to ignore for the sake of this introduction, passwords for the most part protect against time. The more complex the password, the more difficult it is to guess, and the longer it should supposedly take to find the right one.
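To make the "passwords protect against time" point concrete, here is an added example (not from the original post) that works the safe-combination arithmetic through: the size of the search space grows exponentially with length and alphabet, so the worst-case time to exhaust it at a fixed guess rate does too. The two guess rates are constructed illustrative figures, not measurements, and the generator at the end shows the kind of long, uniformly random password a password safe lets you use without having to remember it.

```python
import math
import secrets
import string

# Constructed, illustrative guess rates for the comparison below (assumptions,
# not measurements): a rate-limited online login form versus an offline attack
# against a stolen database of fast, unsalted hashes.
ONLINE_GUESSES_PER_SECOND = 10
OFFLINE_GUESSES_PER_SECOND = 10 ** 10

LOWER = string.ascii_lowercase                                   # 26 symbols
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from
    an alphabet of `alphabet_size` symbols: the 'combinations' on the safe."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password (log2 of the space)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate. On average
    a guesser finds the right one after about half of this."""
    return space / guesses_per_second


def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that fits, for readability."""
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def generate_password(length: int, alphabet: str = MIXED) -> str:
    """Uniformly random password from the OS CSPRNG, the way a password
    safe's generator produces passwords you never have to memorize."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies(policies, rates):
    """For each (label, alphabet, length) policy return entropy and the
    worst-case exhaust time at each guess rate, as a list of dicts."""
    rows = []
    for label, alphabet, length in policies:
        space = search_space(len(alphabet), length)
        rows.append({
            "policy": label,
            "bits": round(entropy_bits(len(alphabet), length), 1),
            **{rate_label: human_time(seconds_to_exhaust(space, rate))
               for rate_label, rate in rates.items()},
        })
    return rows


if __name__ == "__main__":
    rates = {"online": ONLINE_GUESSES_PER_SECOND,
             "offline": OFFLINE_GUESSES_PER_SECOND}
    policies = [("8 lowercase", LOWER, 8),
                ("8 mixed", MIXED, 8),
                ("16 mixed", MIXED, 16)]
    for row in compare_policies(policies, rates):
        print(f"{row['policy']:<12} {row['bits']:>6} bits  "
              f"online: {row['online']:<22} offline: {row['offline']}")
    print("generated:", generate_password(16))
```

The point the table makes is that the online rate limiter buys time for every policy, but an offline attacker tears through an 8-character lowercase password almost instantly; only length and alphabet size, which a password safe makes painless, push the exhaust time out of reach.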

Make password management easy on yourself and get a password safe application like Password Gorilla. If you are wondering why you need one of these applications, here are just a few reasons.

  • Remembers your passwords for you (in an encrypted vault!)
  • Passwords can be as complex and long as you want them to be.
  • You have a convenient list of passwords so that when the New Year comes around you can change them, all of them.
  • You can keep information, such as answers to “security questions”, in the notes field. You don’t have to use answers like “Max” to “What is the name of your first pet?”; instead, make them just as complex as your passwords.
  • Password Gorilla is cross-platform and works on Windows, OS X and Unix systems. No excuses here!

We all know you aren’t going to go to the gym like you need to, so why not pick a New Year resolution that is attainable, like caring about strong password management, one of the most basic principles in security.
