Citri-fi – Citrified March 11, 2011
Posted by mstarry in 4 - "Starry"isms.
New Technical Word – “Citri-fi” or “Citri-fied”
To take a fat-client application and make it a published application within a Citrix XenApp farm.
Ex.
“In order to use the Citrix Receiver on your iPad to run that application, you need to Citri-fi it.”
or
“Once your application has been Citri-fied, you can then run it via the Citrix Receiver on your iPad or Android tablet.”
Is it Finally Time to Take Cyberwarfare Serious? February 17, 2011
Posted by mstarry in 2 - Enterprise Network Architecture and Security.
Cyberwarfare has been defined by government security expert Richard A. Clarke, in his book Cyber War (May 2010), as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”
William J. Lynn, U.S. Deputy Secretary of Defense, states that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare.” At RSA he declared cyber warfare “the fifth domain of warfare,” one that has become just as critical to military operations as land, sea, air, and space.
I’m thinking it’s time to take cyberwarfare seriously, but don’t believe everything you read in the press. I sleep well knowing that cyberwarfare and information security are finally being taken seriously by the Pentagon.
Do You Confuse the Terms Privacy and Security? February 17, 2011
Posted by mstarry in 2 - Enterprise Network Architecture and Security.
Based on the research discussed at RSA today, the answer is yes. I have to say I can’t agree more. If I had a nickel for every time the terms privacy and security were used interchangeably in the corporate environment, I would be a rich man.
With respect to health information, privacy is defined as the right of an individual to keep his/her individual health information from being disclosed. This is typically achieved through policy and procedure. Privacy encompasses controlling who is authorized to access patient information, and under what conditions patient information may be accessed, used and/or disclosed. This is achieved through mechanisms like Role Based Access (RBA), business partner agreements and concepts like “Trust but Verify”.
Unfortunately, you can’t obtain privacy without security controls. In health care, security is defined as the mechanism in place to protect the privacy of health information. This includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls.
Privacy and security teams need to work together in order to protect PHI in the health care organization, but do me a favor: don’t confuse the two terms or use them interchangeably.
Software as a Service (SAAS) Applications February 16, 2011
Posted by mstarry in 2 - Enterprise Network Architecture and Security.
Do you know how many SAAS applications are deployed in your organization? I believe I do, but I’m not certain. SAAS applications run outside the walls of the corporate network and house many types of corporate data. Employees can access these applications from any device with Internet access.
Most SAAS providers manage authentication credentials within their applications. If credentials are managed by the SAAS provider, do you have a de-provisioning process for users that leave the company? If the user is not deleted from the SAAS application in a timely manner, access to corporate data will remain until the internal and external accounts are reconciled. This is a manual process and subject to human error.
Organizations need to tie SAAS credentials to their internal corporate directory. Identity management is critical to moving applications to SAAS or cloud computing models. This ensures that when an employee is terminated and their network account is disabled, they no longer have access to the data housed in SAAS applications.
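Until SAAS credentials are tied to the directory, the reconciliation the post describes has to be done somehow; the following is an added example (not code from the post) of automating that check against two constructed exports, a directory dump with an enabled flag and disable date, and the SAAS provider's user list with last-login dates. The account names, dates and field layout are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class DirectoryUser:
    uid: str
    enabled: bool
    disabled_on: Optional[date] = None   # date the network account was disabled, if it was

@dataclass
class SaasUser:
    uid: str
    last_login: date                      # as reported by the SAAS provider's user export

# Constructed sample exports; none of these are real accounts.
DIRECTORY = [
    DirectoryUser("asmith", True),
    DirectoryUser("bjones", False, date(2011, 2, 11)),   # terminated employee
    DirectoryUser("cwu", True),
]
SAAS_USERS = [
    SaasUser("asmith", date(2011, 2, 10)),
    SaasUser("bjones", date(2011, 2, 12)),   # still active at the provider
    SaasUser("dlee", date(2011, 1, 5)),      # never existed in the directory
]

def find_orphaned_saas_accounts(directory, saas_users):
    """SAAS accounts with no enabled directory account, each with the reason to de-provision it."""
    by_uid = {u.uid: u for u in directory}
    orphans = []
    for s in saas_users:
        d = by_uid.get(s.uid)
        if d is None:
            orphans.append((s.uid, "no corporate directory account"))
        elif not d.enabled:
            orphans.append((s.uid, "directory account disabled"))
    return orphans

def find_post_termination_logins(directory, saas_users):
    """Orphans that logged in after their directory account was disabled: evidence of
    continued access to corporate data, not merely a stale entry to clean up."""
    by_uid = {u.uid: u for u in directory}
    hits = []
    for s in saas_users:
        d = by_uid.get(s.uid)
        if d is not None and not d.enabled and d.disabled_on and s.last_login > d.disabled_on:
            hits.append((s.uid, d.disabled_on, s.last_login))
    return hits
```

Run nightly against fresh exports, the first list is the de-provisioning queue and the second is what should go to the incident response team.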
The Importance of Securing Protected Health Information (PHI) February 16, 2011
Posted by mstarry in 2 - Enterprise Network Architecture and Security.
How many times have you received a notice from your bank or financial institution that your credit/debit card may have been compromised and your card has been re-issued with a new number and expiration date? This has happened to me on several occasions. The fact that I’m not responsible for charges to the card or even the cost of replacing it is somewhat disturbing, yet convenient. The bank just changes the numbers on my card. Financial institutions see this as a cost of doing business and pass the cost to the consumer through higher interest rates and fees.
Things are a bit different in the world of health care. I have a blood type. I have allergies to certain medications. I might be in a treatment program for a certain type of disease. If PHI is compromised my physician cannot re-issue me a new blood type. They cannot change my allergic reaction to certain medications. More importantly, they cannot roll back the clock to a time when I did not have a disease and/or problem list. Once my PHI is compromised the genie is out of the bottle never to return. There is no re-issuance. There is no second chance.
As healthcare organizations rush to the digital world to get financial incentives from the HITECH Act, they should not ignore the responsibility to protect the patient’s right to privacy. With solid investments in information security and privacy programs, health care organizations can have their cake and eat it too.
RSA Day 2 – The Key Notes February 15, 2011
Posted by mstarry in 2 - Enterprise Network Architecture and Security.
Day One Jet Lag – McKesson Healthcare IT Solutions finally at RSA? February 14, 2011
Posted by mstarry in 2 - Enterprise Network Architecture and Security.
Yes! I spent almost an hour speaking with McKesson’s John B. Sapp Jr. tonight at a private security leader’s function at the Four Seasons Hotel sponsored by Lancope. John reports to the Office of the CTO in Alpharetta as the Director of Product Development Standards for Security, Risk and Compliance. John’s responsibility is to align all 16 of McKesson’s product groups to offer consistency in information security. This includes secure code development, web application security, authentication standards and secure product life-cycle development.
John has a remarkably tough road to travel. I’m initially impressed with John’s critical thinking skills and I think he really gets it. The challenge of aligning these product groups to the same security standards seems like a daunting task to most information security professionals, but not to John. Even better, John believes that my organization is an important strategic partner with McKesson and I look forward to discussing information security challenges in health care one on one with him later this week.
More riveting headlines from RSA Day 2 tomorrow.
2011 – The Year for Self Encrypting Drives (SEDs) February 14, 2011
Posted by mstarry in 2 - Enterprise Network Architecture and Security.
Do you encrypt the data contained on your corporate hard drives? If you do, are you using File and Folder Encryption (FFE), software-based Full Disk Encryption (FDE) or Self Encrypting Drives (SEDs)? If your answer is SEDs, you are in the minority. If you are using FFE you’re taking a pretty big chance. According to data provided by the Aberdeen Group at RSA today, FFE has about 25% more data loss incidents than full disk encryption. This is due to the burden placed on the user of the device to make sure sensitive data is stored only in certain folders. To date, software-based FDE has been the standard. Although effective, in my experience it is hard to manage, imposes a performance hit on the system and is just overall clunky. Key management and single sign-on remain challenges in the FDE world.
Now is the time for Self Encrypting Drives (SEDs). Although SEDs have been around for over four years, the adoption rate has been low. This is mainly due to the lack of standards and the associated price tag, never mind the work of managing SEDs in the enterprise environment. This has changed over the past year or so as hard drive manufacturers have embraced the Trusted Computing Group’s (TCG) OPAL standard for SEDs. The OPAL standard allows hard drive manufacturers to seamlessly integrate their wares into OEM markets in order to reduce the cost of SEDs.
All major PC and laptop vendors offer SEDs based on the OPAL standard as an option in their system configuration. Although SEDs are a little more expensive than standard hard drives, I would never purchase a laptop without one. All major FDE vendors are retooling their software to support SEDs alongside their current FDE offerings. Now is the time to implement SEDs and move away from traditional software-based FDE. According to the TCG, the key benefits of OPAL-based SEDs include:
• Transparency: No system or application modifications required; encryption key generated in the factory by on-drive random number process; drive is always encrypting
• Ease of management: No encryption key to manage; software vendors exploit standardized interface to manage SEDs, including remote management, pre-boot authentication, and password recovery
• Re-encryption: With SED, there is no need to ever re-encrypt the data
• Performance: No degradation in SED performance; hardware-based
• Standardization: Whole drive industry is building to the TCG/SED OPAL Specification.
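The transparency, key-management and re-encryption benefits all follow from one design point: the drive encrypts everything under a factory-generated data encryption key (DEK) that never leaves it, and the user credential only wraps that key. The model below is an added illustration, not code from the post or from the TCG specification; the SHA-256 keystream, the PBKDF2 derivation, the salt and the sample record are stand-ins I constructed for the drive's AES hardware and its own credential handling.

```python
import hashlib, hmac, os

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 counter mode); stands in for the drive's AES engine."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def kek_from_password(password: str) -> bytes:
    """Credential-to-key derivation; PBKDF2 with a constructed salt is an assumption, not OPAL's method."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 20_000)

def dek_tag(dek: bytes) -> bytes:
    """Check value so the drive can confirm an unwrapped DEK without storing the DEK in clear."""
    return hmac.new(dek, b"dek-check", "sha256").digest()

class SelfEncryptingDrive:
    def __init__(self):
        self._dek = os.urandom(32)       # generated on the drive at the factory; never leaves it in clear
        self.check = dek_tag(self._dek)
        self.wrapped_dek = b""           # DEK wrapped under the user's credential (none set yet)
        self.media = b""                 # what is physically stored: always ciphertext

    def set_password(self, password: str):
        self.wrapped_dek = xor_stream(kek_from_password(password), self._dek)
    def change_password(self, old: str, new: str):
        if not self.unlock(old):
            raise ValueError("bad credential")
        self.set_password(new)           # only the wrapper changes; media is not rewritten
    def power_off(self):
        self._dek = None                 # locked: ciphertext unreadable until pre-boot authentication
    def unlock(self, password: str) -> bool:
        """Pre-boot authentication: unwrap the DEK and confirm it is the right one."""
        cand = xor_stream(kek_from_password(password), self.wrapped_dek)
        if not hmac.compare_digest(dek_tag(cand), self.check):
            return False
        self._dek = cand
        return True
    def _live_dek(self) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked")
        return self._dek
    def write(self, data: bytes):
        self.media = xor_stream(self._live_dek(), data)   # toy: real drives use per-sector AES tweaks
    def read(self) -> bytes:
        return xor_stream(self._live_dek(), self.media)
    def crypto_erase(self):
        """Discard the DEK: existing ciphertext becomes permanently unreadable without any overwrite."""
        self._dek = os.urandom(32)
        self.check = dek_tag(self._dek)
        self.wrapped_dek = b""           # the old wrapper is now worthless
```

A password change leaves the media bytes untouched, and a crypto-erase sanitizes the drive in constant time, which is why the TCG lists "no need to ever re-encrypt" as a benefit.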
RSA Day One – TCG Day February 14, 2011
Posted by mstarry in 2 - Enterprise Network Architecture and Security.
The Trusted Computing Group (TCG) is incorporated as a not-for-profit industry standards organization focused on developing, defining, and promoting open standards for trusted computing that will benefit users. The organization’s structure has been designed to enable broad participation, efficient management, and widespread adoption of the organization’s specifications. One of the TCG’s specifications is the Trusted Platform Module (TPM) chip. The TPM chip is used for authentication and encryption.
Every PC, laptop and server built by the leading manufacturers has had a TPM chip installed for almost five years now, so why is there no widespread adoption? After listening to a couple of case studies I now know why. TPM implementation at this point is still too complicated for most IT/IT security teams. TPM implementation is similar to NAC in that a successful implementation requires many disparate IT groups to work together: Infosec, Desktop Engineering, Server Engineering and Application Development.
At 2pm I will be attending another TCG session where I will learn about the TPM and hard drive encryption. Should be good!! Out for now.
See you at RSA 2011 in San Fran February 11, 2011
Posted by mstarry in 1 - General.
The plan is to blog live and get this blog off the ground again. See you there and travel safe.