Category Archives: Audit

Government is No Better at Managing Supply Chain Risk Than we Are

The GAO, formerly known as the General Accounting Office, works for Congress and does studies of how horribly inefficient the government is. In theory, that is so Congress can create new laws to make them do what any sensible organization would do without the laws. Here is one example.

The GAO reviewed the security practice of 23 government agencies with regard to information and communications technology products (what you and I call networks and computers). They identified 7 practices for managing these risks and then they graded the agencies on how they were doing. What they found was:

  • Few implemented the practices
  • None had FULLY implemented the practices
  • 14 had implemented NONE of the practices

Feel better? The only downside is the government gets hacked too – as we have seen very publicly lately.

Here are some of the highlights from the report.

Here is where these agencies get their stuff from. This is not where the sales office is, but rather where the stuff is made.

Figure 1: Examples of Locations of Manufacturers or Suppliers of Information and Communications Technology Products and Services

The one practice that was implemented by the most agencies – that only included 6 of 23 agencies. OUCH!

So then they tallied up the results. Here is what they found:

[Figure: bar chart of the tallied results; image not reproduced]

Notice all the white? That is the part where the agencies are not implementing any part of the practice to reduce their risk. The vast majority of the agencies are asleep at the switch.

The most common excuse given was “no one told me how to do this” or something close to that. So a billion-dollar agency, apparently, needs to be treated like a toddler and told how to do its job. Let's ignore for the moment that NIST issued guidance in 2015 and the OMB told all agencies to implement supply chain risk management (SCRM) in 2016. But no one held their hand. Or, until now, swatted their behind.

Most agencies, when called on the carpet by the GAO said, oh, my bad, I will fix that (yeah, maybe). A few said bug off. Those are the ones who should not be allowed to use computers or networks.

Here are the 7 areas that the GAO asked about. See how many of these you are doing company wide.

  1. establishing executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;
  2. developing an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;
  3. establishing an approach to identify and document agency ICT supply chain(s);
  4. establishing a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;
  5. establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;
  6. developing organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services; and
  7. developing organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.

Credit: the Government Accountability Office

Security News for the Week Ending November 27, 2020

Senate Passes Legislation to Protect Against Deep Fakes

While I agree that deep fakes – photos and videos that use tech to make it look like someone is saying something or doing something that they never did – can be nasty, is that really the best use of the Senate’s time right now? In any case, they did pass the legislation, the IOGAN Act (S.2904), and sent it to the House. It directs the NSF to support deep fake research and NIST to measure the problem and see if it can get private companies to spend their money on solving it. The bill plans to allocate a total of $6 million over 6 years towards the problem. Credit: The Register

Apple’s Global Security Team Charged with Bribing Sheriff with iPads

Not only is Apple in trouble but so is the Sheriff. Apparently the Santa Clara County Sheriff’s office has decided that concealed carry weapons permits can be bought and sold – or at least they can be bought. Apple offered the Sheriff’s Department 200 iPads worth $75,000 if they got the permits. The undersheriff and a captain are now charged with soliciting bribes. Other folks, including Apple’s security chief are charged with offering bribes. Business as usual. Credit: The Register

Feds Fine JPMorgan $250 Million For Failing to Maintain Controls

The Office of the Comptroller of the Currency fined JPMorgan Chase Bank for failing to maintain sufficient internal controls and internal audit. The OCC said the bank’s risk management practices were deficient. Probably not something you want the feds to tell you. Credit: Reuters

You Know Those Nigerian Hacker Stories – They Are Real

The feds have broken a Business Email Compromise (BEC) scam operating out of Lagos, Nigeria. So far they have identified 50,000 targeted victims and 26 different malware tools. BEC attacks are growing in size and some Russian attacks netted over a million dollars each. Three men have been arrested. Credit: Threatpost

Comcast Imposes More Bandwidth Caps

While bandwidth caps have no real effect on network performance, they do have a great impact on Comcast’s balance sheet, so they are back to imposing them across the country. If you use more than 1.2 terabytes a month, they will charge you $10 for every extra 50 gigabytes, up to $100 extra a month. Unless, of course, you buy their unlimited plan for an extra $30 a month, whether you use extra or not. Or unless you rent a modem from them for $25 a month. Given that American Internet prices are among the highest in the world and American mobile Internet performance is below countries like Ethiopia and Uganda (see chart), it makes perfect sense that monopolistic Internet providers will figure out how to charge us more for less. Credit: Vice

The Trump-Bytedance Dance Continues

The Trump administration has been trying to force Bytedance, owner of TikTok, to sell the company, or the administration was going to shut it down. The only problem is that there are 100 million users of TikTok in the U.S. and some percentage of them are Republicans and, politically, pissing off 100 million Americans is not a really great thing to do. As a result, the administration, which told Bytedance to sell in August, gave Bytedance another 15 day extension recently and now gave it another 7 day extension. Personally, I am fine with the administration killing TikTok off; it doesn’t seem like an important national asset, but those 100 million American users/voters probably disagree with me. Credit: Cybernews

Facebook Stored Millions (Billions?) of Passwords Unencrypted for Years

Seems like Facebook can’t catch a break.  Whether it is Cambridge Analytica or one of the many other scandals plaguing the company, it seems like the only news coverage they get is bad coverage.

This time it is information that Facebook logged users’ passwords in plain text for anyone to read, stored those logs on internal company servers and gave access to that data to tens of thousands of employees.

Other than that Mrs. Lincoln, how was the play tonight?

The internal investigation, which began in January and is still ongoing, discovered that 2,000 employees made 9 million queries for data elements that contained plain text user passwords.

Facebook says that the passwords were logged in plain text “inadvertently”.  Possibly, but since protecting passwords is like programming 101 or maybe even programming 001, how could that be?
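As an added illustration of the failure mode described here (this is not Facebook's code, which is not public), the filter below scrubs password-like fields from log records before a handler writes them. The field names, the regex and the sample login request are all constructed for the example.

```python
import logging
import re
from typing import Any

# Field names that must never reach a log line (constructed list for this example).
SECRET_KEYS = ("password", "passwd", "pwd", "token", "secret")
# Matches fragments such as password=hunter2 or "password": "hunter2" in free text.
_SECRET_RE = re.compile(
    r'(?i)\b(' + "|".join(SECRET_KEYS) + r')\b(\s*[=:]\s*)("?)([^\s,"}&]+)'
)


def scrub(value: Any) -> Any:
    """Recursively replace secret values in dicts, lists and strings with a marker."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SECRET_KEYS else scrub(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        return _SECRET_RE.sub(r"\1\2\3[REDACTED]", value)
    return value


class SecretRedactingFilter(logging.Filter):
    """Scrub the message template and its args before the record is formatted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.msg)
        if isinstance(record.args, dict):       # a lone dict arg is stored unwrapped
            record.args = scrub(record.args)
        elif record.args:
            record.args = tuple(scrub(a) for a in record.args)
        return True  # keep the record, minus the secrets


def render(msg: str, *args: Any, redact: bool) -> str:
    """Format one log line the way a handler would, with or without the filter."""
    record = logging.LogRecord("auth", logging.INFO, "auth.py", 0, msg, args, None)
    if redact:
        SecretRedactingFilter().filter(record)
    return record.getMessage()


# Constructed login request, as a web framework might hand it to a view function.
SAMPLE_REQUEST = {"user": "alice", "password": "hunter2", "remember": True}

if __name__ == "__main__":
    # The bug: logging the whole request object writes the password to disk.
    print(render("login attempt: %s", SAMPLE_REQUEST, redact=False))
    # The same call with the filter in place leaks nothing.
    print(render("login attempt: %s", SAMPLE_REQUEST, redact=True))
    print(render("raw query: user=alice&password=hunter2", redact=True))
    # In a real app, attach it to every handler so propagated records are covered too:
    handler = logging.StreamHandler()
    handler.addFilter(SecretRedactingFilter())
```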

Facebook now says that they plan to tell people that their passwords were exposed.   Sometime.  They did post an announcement of the situation, here.

Facebook says that they will need to notify hundreds of millions of Facebook Lite users (Lite is the version that is used in the places where bandwidth is at a premium), tens of millions of other Facebook users and tens of thousands of Instagram users.

So what should you do?

I would recommend changing your Facebook password no matter whether you receive notice from them or not.

If you use the same password on any other web sites, change those passwords too.

Enable two factor authentication on the Facebook web site.  This is very simple to do and provides a lot of extra protection.

Review what third party apps you have given permission to access your Facebook data.

If you were sharing passwords between web sites, this is perfect reason not to do that.  Using a password manager makes it a lot easier to use unique passwords.

Facebook supports using an authenticator app such as Authy or Google Authenticator as the second factor rather than text messages.  It APPEARS that if you have a phone number associated with your account, they insist on allowing you to use that in an emergency.  Which means a hacker can declare an emergency.  Remove your phone number from your account to solve that problem.  Probably a good idea anyway.

Information for this post came from Brian Krebs.


25% of Web Apps Are Vulnerable to 8 of the OWASP Top 10

Let that title sink in for a minute.  A quarter of all web apps fail security miserably.  That does not mean that the other 75% are secure;  it means that the other 75% are less unsecure.  For the 25%, it means that things are pretty hopeless.

For a quick cheat sheet on the OWASP top 10, click here.

The study continues to dissect the state of unsecurity:

  • 69% of web applications have vulnerabilities that could lead to exposing sensitive data.
  • 55% of web applications have cross site request forgery flaws
  • Broken authentication and session management issues affected 41% of the applications
  • 37% of the applications had security misconfiguration issues
  • Function level access control is missing or ineffective in 33% of the web applications
  • 80% of the applications tested contained at least one vulnerability
  • And, the average number of vulnerabilities per application is 45.

So just a question – does it concern you that 80 percent of the web applications tested had at least one vulnerability and 25 percent had 8 out of the top 10?

The only way to know is to test for it.  The best way to know is to have an independent third party test for application vulnerabilities.  Think of this as a network penetration test, but for your applications.

While you can test the applications that your team writes, you can’t test applications on the Public Internet – the owner might frown upon it.  As a business, if you have to use a particular web application as part of your business AND you have a business relationship with the web application owner (such as a supplier or a business partner), you can make completing a web application independent third party penetration test a requirement for doing business.  This is easier for larger companies, but if you don’t ask, you won’t get it.

This also means that you should be careful about what applications that you use and what applications you enter sensitive data in.  Since there is no equivalent to the “Good Housekeeping Security Seal”, although Underwriters Lab is working on one, there is no easy way to know which applications are secure and which ones are not.

Unfortunately, at the moment, there is no good solution to this problem.  In almost all cases, developers have no liability at all – the user shoulders all of the responsibility.  The best that I can say is be cautious.

Information for this post came from Help Net Security.

The SEC is Coming, The SEC is Coming!

For Financial Service firms, the message is clear.  Both FINRA and the SEC are looking over your shoulder to make sure that you are taking cyber security seriously.

And the fines are not small.  From hundreds of thousands to millions of dollars, firms big and small are getting whacked with fines.

In 2014, the SEC Office of Compliance Inspections and Examinations released a risk alert describing their new initiative designed to assess cybersecurity preparedness.  Among the requirements outlined in the program are:

  • Inventory of physical devices and systems
  • Inventory of platforms and applications
  • Map of network resources, connections and data flows
  • The map above to include locations where customer data is housed
  • External connections are cataloged
  • Resources are prioritized for protection based on their sensitivity and business value
  • Logging capabilities and practices are assessed
  • A written information security policy is available
  • Periodic risk assessments conducted and findings mitigated
  • Periodic physical security risk assessments are conducted
  • Cyber security roles in the company are explicitly assigned and communicated
  • A written cyber business continuity plan has been implemented
  • The firm has a CISO or equivalent

This is only part of the list.  The list goes on for 8 pages.

Check out the end of this post for a list of references to FINRA and SEC documents describing these programs.

John Reed Stark of Reed Consulting has come up with some recommendations.  While the paper is 12 pages long, here is the gist of the recommendations.  A link to the paper appears below.

  1. Review overall cyber security policies for adequacy
  2. Eliminate red flags (DUH!)
  3. Create the team (Now, not after a breach)
  4. Protect against identity theft
  5. Get private (protect private data)
  6. Choose the right monitoring technology
  7. Watch out for insiders (Chase learned the hard way)
  8. Consider cyber insurance (Don’t consider it, buy it)
  9. At the first sign of trouble, investigate

There is a ton of information in the articles listed below.

If your head is swimming after reading the articles, contact outside experts (yes, that is self-serving;  we do that for financial service companies, but it is very hard to do it yourself).  I liken fixing cyber security in a running business to paving a road while you are driving on it.  Not easy.

Each year the SEC and FINRA visit more businesses and each year their examiners get more knowledgeable about cyber, so don’t think you are going to fool them.

If you start early and have an active program, you are much more likely to get a friendly reception when the examiners come to visit.

It will take quite a while to put together an entire program, so we really do recommend starting early.  It is much easier to put together a program over a year or two rather than trying to get it done in a couple of months after you get that examination report.  If you wait, not only do you have to pay someone like us, but you also have to pay the fines.

LINKS to useful articles:

Cybersecurity and Financial Firms: Bracing for the Regulatory Onslaught by John Reed Stark

SEC National Exam Program risk alert.

SEC examination sweep results summary.

FINRA Report on cyber security practices.

FINRA cyber security report with small business checklist.

Feds to Increase Audits Of Doctors’ Protection Of Your Information

The Inspector General in the Health and Human Services Office for Civil Rights (OIG, HHS OCR) reported that OCR is not effectively auditing HIPAA covered entities.  A covered entity includes doctors and hospitals that have primary ownership of your health records.  As a result, the OCR is establishing a permanent audit program and working to identify potential audit targets.

One place OCR is, apparently, going to be looking, is at business associates or BAs.  In HIPAA speak, BAs are those vendors that a doctor or hospital uses that have access to your information.  Under the rules, your doctor needs to not only have a written agreement with that vendor, but doctors have to use reasonable diligence to make sure that the security of your information is protected.

Also, the rules are changing regarding what is a breach.  It used to be that you only had to report a breach if there was significant risk of financial or reputational harm – as evaluated by the doctor or hospital.  Needless to say, most lost data did not present significant risk.  Now any breach has to be reported.

Unless the data is encrypted in a way that there is no reasonable way for the hacker to be able to read the data.

And, this includes mobile devices (PHONES!) that contain patient data, so just encrypt patient data wherever it lives.

A Massachusetts dermatology clinic discovered this the hard way when they lost a thumb drive.  Their wallet is now $150,000 lighter.

Doctors that use computerized record keeping systems called EHRs now need to provide copies of those records within 30 days of a request, down from the old 90-day window.  That could challenge doctors and hospitals that don’t have a system in place to do that.

And, there are many other rules that both doctors and their service providers need to comply with.

Now that the OCR is finally going to have an active audit program, expect more violations.  It's not that the violations weren’t happening before; it is just that no one was looking.

Those doctors and hospitals that do not have an active program for monitoring their HIPAA compliance may find themselves with a problem.  HIPAA and its cousin HITECH have been around for years.  One of the goals of HITECH was to put teeth in the enforcement of HIPAA.  That goal may have just been accomplished.

If you are a doctor, hospital or service provider to one, don’t say you did not know.

Information for this post came from Family Practice News.