What does the Cloudflare leak mean for your business and what you can do about it

For the last week, the internet has been ablaze with stories about an issue with Cloudflare, an Internet Service Provider (ISP). At the heart of the issue is an overflow vulnerability that caused authorization information to become publicly available. Here is a handy comic from XKCD.com on how it works:

From https://xkcd.com/1354/


While there is plenty of advice on what individuals and affected websites should be doing to protect themselves and their data (change your passwords, use two-factor authentication methods such as Google Authenticator or Microsoft Authenticator wherever possible, change your username/sign-in information, etc.), there is very little guidance on what small and midsize businesses should be doing, if anything, in light of this.

Here is the issue that we often ignore or downright forget about: human beings are creatures of habit. That means that the password someone uses to log in to their OKCupid™ account is probably the same as, or at least very similar to, their banking password, their Uber™ password, and their corporate login. Then there is the propensity of small and midsize businesses to use usernames that follow one of the following patterns; for example, for someone named Jane Doe: jdoe@company.com, jane.doe@company.com, janed@company.com. Alternatively, company.com can be company.local.

This means that the company network, along with its sensitive data, is now vulnerable to external access. The difference between an organization and an individual is that while individuals are responsible only for themselves, the organization is responsible for the sensitive information of itself, its owners, its employees, its clients, and sometimes the clients of its clients.

So how does one mitigate the risk? The answer is a phased approach. The initial step should be to force all users to change their passwords immediately. The next step is planning and implementing the following:

  • Ensure there is a policy forcing password changes at least every 90 days
  • Change all usernames to something other than the patterns outlined above, for example initials + a random 7-digit number
  • Use a third-party tool to enforce password complexity that protects against the use of common dictionary words. This will safeguard against passwords like January2017 or Michelle18
  • Implement a two-factor authentication scheme on the local network
  • Implement a Privileged Account Management (PAM) solution to safeguard super-user type accounts
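As an added illustration of the second and third items above (not code from the original post or from any particular product), here is a Python sketch of the checks such a password tool performs, plus the initials-plus-random-digits username scheme. The mini-dictionary is constructed for the example; a real deployment would load a full wordlist or breached-password list.

```python
"""Password-policy and username checks for the mitigation list above (constructed example)."""
import re
import secrets
import string

# Constructed mini-wordlist: months and a few common names/words stand in for
# a real dictionary or breached-password list.
DICTIONARY_WORDS = {
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december",
    "michelle", "jane", "password", "welcome", "summer", "winter", "company",
}

# Character substitutions that password-cracking rule sets undo routinely,
# so the policy must undo them too before the dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(password: str) -> str:
    """Strip digits/symbols from both ends and undo substitutions to recover the core word."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)  # drops "2017", "18", "!" ...
    return core.translate(LEET_MAP).lower()


def password_problems(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than 3 character classes")
    core = base_word(password)
    if core in DICTIONARY_WORDS:
        problems.append(f"built on dictionary word '{core}' plus digits/symbols")
    return problems


def generate_username(full_name: str) -> str:
    """Initials followed by a 7-digit random number, e.g. 'jd4827163' for Jane Doe."""
    initials = "".join(part[0].lower() for part in full_name.split())
    number = "".join(secrets.choice(string.digits) for _ in range(7))
    return initials + number
```

Both examples from the post, January2017 and Michelle18, are rejected on the dictionary rule even though they contain three character classes, and P@ssw0rd2017! is caught once the substitutions are undone.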

The last step is ensuring that the five items above are implemented and maintained by including them in your information security policy and your periodic audit policy. And if you do not have an Information Security Policy? Now is probably a very good time to get one created, and you can still pat yourself on the back for being proactive about it.

As always, feel free to contact me with any questions, comments, or requests.

Email: ilya@aegisitsolutions.net

Facebook: https://www.facebook.com/AegisITSolutions

LinkedIn: https://www.linkedin.com/in/ilya-rubinshteyn-7467b34

Securing Data in the cloud. Part I: Approach

After the previous article, I received many questions about ensuring security and compliance when using resources hosted with a public cloud services provider. To begin with, I will restate what I said previously. Just because your cloud services provider is secure and compliant does not mean your organization is.

To start with, the approach to cloud security and compliance is very similar to on-premises infrastructure security and compliance. The pitfalls are similar as well. It starts with being proactive instead of reactive. Security and compliance are not a list of checkboxes to be filled out; they must be included as part of the overall business strategy. Just like any other business plan, a security and compliance plan needs to contain an explanation of what the company does, what the risks are, an approach strategy broken down into tactical steps, an outline of appropriate action items, and a timeframe for implementation.

What makes it more challenging with the cloud is properly classifying the data stored and processed in various service offerings hosting different workloads. When the infrastructure is in-house, it is comparatively easy to control resource encryption, access control features, monitoring, and audit. In the cloud, not so much, as we are reliant on the tools available from the provider to secure and encrypt our workloads.

Securing cloud workloads starts with answering two questions:

1) What type of workloads is the organization using?
2) What data is on these workloads?

The workloads can be virtual servers hosted on a public platform, virtual servers hosted on a dedicated platform, or SaaS and PaaS offerings, such as SharePoint Online.

From the security standpoint, the data types revolve around what information is contained, i.e. personal data, financial data, or company data that is eyes-only/confidential.

The answers to these questions will drive what options are available to you and how you approach compliance.

Please bear in mind that different vendors have different approaches as to the granularity of access they provide to the client. This is one of the reasons why what is being secured, and how it will need to be secured, must be reviewed at the early stages of the decision-making process. It can narrow down the field of available vendors considerably.

As always, feel free to reach out with any questions, suggestions, and requests.

HIPAA Compliance for medical practices and associated services

Over the last few months, I have had the pleasure of speaking to medical professionals, practice owners, and service providers that work with medical practices. A lot of them expressed confidence that they were HIPAA compliant simply because they were using cloud-based Electronic Medical Records and practice management systems. When probed on whether or not they had internal policies, sign-offs, and secure end-user systems, the response more often than not was a blank stare. When asked if they had ever taken the opportunity to review the requirements on the Department of Health and Human Services website, the response was a wry smile and a shake of the head.

To dispel the myth: just because your cloud EMR/practice management suite vendor is HIPAA compliant does not mean that you are. Compliance means having and adhering to a written Information Security policy that

1) Identifies the organization and persons responsible for information security
2) Has a set of written policies and procedures that define how the data is accessed, stored, distributed and deleted
3) Has a set of written documents, policies and procedures that explain how the systems that are used to access and store the data are designed, implemented, monitored and disposed of
4) Explains the process to be followed in case there is a breach
5) Provides for periodic audit of the organization to ensure that the policy is adhered to
6) Is updated as the security requirements change

A baseline template for this policy, as well as a checklist to help ensure that appropriate items are included, can be obtained from a multitude of sources. Here are some of them:

Privacy & Security

I do recommend that when designing and implementing the information security policy, one consults a professional to ensure that everything is done properly. For any questions, feel free to reach out at ilya@aegisitsolutions.net or here on LinkedIn.