For Better Password Policies: OWASP Passfault

OWASP Passfault improves on password strength and password policies.

By |September 9th, 2015|General, Security|0 Comments|

Improve Cybersecurity with Continuous Monitoring

Cybersecurity has now superseded terrorism as our country’s #1 threat. Can continuous monitoring save the day?

For 2012—Security is On the Mind

Increased security seems to be on the mind of everyone this year. The President made promises to increase Cybersecurity in his State of the Union Address. President Obama’s budget calls for the strengthening of government cybersecurity while reducing overall information technology spending by more than a half-billion dollars. The document provides a roadmap to the administration’s thinking on the direction it wants to take on cybersecurity. The White House Proposal supports a number of research and development projects the administration envisions to promote a secure and reliable cyberspace.

The National Science Foundation would receive $110 million for basic research initiatives aimed to secure the nation’s critical information infrastructure, the mostly privately owned networks that control the flow of money, energy, food and other vital things that make society function.
The National Institute of Standards and Technology, under the budget, would get $86 million above current levels to fund research for a number of projects, including ones focused on cybersecurity.
The budget proposes spending $769 million to support the operations of the Department of Homeland Security’s National Cybersecurity Division, which safeguards federal computer systems and sustains efforts under the Comprehensive National Cybersecurity Initiative to protect American information networks from the threat of cyberattacks and disruptions. Some $202 million of the DHS IT security budget would go to improve government-wide continuous monitoring of vulnerabilities in government IT systems.

Several key Senators have banded together to propose new legislation to codify some of the authority the Obama administration has granted the Department of Homeland Security over federal civilian agency IT security. The legislation would create the National Center for Cybersecurity and Communications within DHS to coordinate federal efforts to battle cybersecurity threats facing the government and the nation’s critical information infrastructure, […]

By |February 16th, 2012|General, Security|0 Comments|

The Impact of eCommerce

Over the last 15 years, eCommerce has fundamentally changed the way we buy things. Before the advent of eCommerce, individuals and businesses looking to purchase items were forced to either shop from store to store, or search through stacks of paper catalogs and then call the merchant to order.

Now you can sit at a computer in the convenience of your home or office and purchase things from all over the world. They will arrive at your home or office in 2 to 7 business days, or overnight for a little extra money. This has been a boon for both the consumer and the business person, particularly the small business owner. Instead of setting up a brick and mortar storefront, many small businesses start with an online store. They have immediate access to millions of customers who might need their wares. Consumers who live in smaller communities have easy access to goods and services that might not be available locally.

Although online sales have steadily increased since the advent of the internet and are expected to increase into the future, even more sales are influenced by online research. The Forrester Research Group did a recent study of web-influenced sales. While $155 billion worth of consumer goods were bought online in 2009, a far larger portion of offline sales were influenced by online research. Forrester estimates that $917 billion worth of retail sales last year were “Web-influenced.” It also estimates that online and Web-influenced offline sales combined accounted for 42 percent of total retail sales and that percentage will grow to 53 percent by 2014, when the Web will be influencing $1.4 billion worth of in-store sales.

There is a lot of room for improvement in helping […]

Medical Records Access Report Too Burdensome

On May 31, 2011, the Department of Health and Human Services’ (HHS) Office for Civil Rights proposed a new rule recommending that patients have the right to ask for a report on who has accessed their medical records. The recommendation has been out for public comment since that time.

A number of healthcare organizations including the Medical Group Management Association (MGMA), the College of Healthcare Information Management Executives and the American Health Information Management Association are asking the Department of Health and Human Services’ Office for Civil Rights to reconsider the access report requirement.

The reasons given are:

Few patients request such information and it would cost too much to add that feature to every system. 55% of 1,400 physicians surveyed stated that they had not received such a request in the past year.
MGMA contends the access report proposal could do more harm than good. There is concern that the proposed rule could serve as a “disincentive” for adoption of Electronic Health Records.
There was also concern about compromising the privacy of the health care professionals, particularly Mental Health care providers who sometimes use pseudonyms “to avoid patients stalking or contacting them outside the workplace.”

The recommended solution is for the patient to provide a list of specific names to determine whether those individuals have or have not accessed the patient’s information.

The HHS is accepting comments on the proposed rule until August 1st. Apparently, they will have a number of positions to reconsider before they find the right balance of cost effectiveness and protecting the privacy rights of both patients and clinicians.

Safeguarding EHRs from Snoopers

With the National Health Information Network Direct (NHIN Direct) working to create a standard for the transfer of Electronic Health Records (EHRs), the need for segmented and secure patient records is becoming apparent to all who are working on this technology. A segmented EHR would allow for providers with different roles to access only the portions of the EHR relevant to their task. Protecting personal health information through the use of data segmentation is partially rooted in state and federal privacy laws addressing abuse of information.

Such laws include: the HIPAA Privacy Rule, the HIPAA Security Rule, and the federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations (Part 2). These laws protect against the exchange of health information without patient consent.

Lesser-known but equally stringent state laws protect a broad range of information, for example health data related to minors or incidents of sexual violence. Other justifications for the use of data segmentation in protecting health data include established principles of patient autonomy and the need to encourage greater patient trust and participation in the health care system.

Data segmentation provides the potential means of protecting specific elements of health information. Both within an EHR and in broader electronic exchange environments, segmentation can prove useful in implementing current legal requirements and honoring patient choice.

Most patients want to control access to their medical records, and restrict which parts of their medical record are accessed. Not all health providers need access to the patient’s full record (for example, billing clerks and X-Ray technicians), but they do require access to portions of the record.

This capability for patients to have complete control over their EHR is slightly ahead of the current US law. However, […]

Will the Government go Mobile?

With everyone using smart phones for personal use, will the government be forced to accept them in the work place? According to Cisco data traffic numbers, global mobile data traffic will increase by a factor of 26 by 2015. With all those phones in service, there will be overlap with the workplace.

Linda Cureton, the CIO of NASA, recently stated in a January 11, 2011 Blog Post, “CIOs need to remember that people in their organizations – their customers – are all consumers. CIOs shouldn’t be content in their ability to rule their worlds as expectations of consumers continue to creep into the workplace.”

A Global Business Center Survey in November 2010 showed that people in Federal Agencies use a variety of devices when working outside the office.

59% use agency issued laptops
28% use personal laptop
25% use agency issued smart phone
17% use personal smart phone

A few years ago, it would have been unheard of for an agency to sanction the use of personal devices for work, though a lot of people were doing just that. In a March 10, 2011 GovLoop Training session, Gary Galloway, Deputy Director of the Office of Information Assurance, Bureau of Information Resource Management, U.S. Department of State, commented that use of personal smart phones and laptops was increasing and frequently used to support Telework. He stated that the Department of State has all but stopped using laptops.

The biggest concern with “Going Mobile” in the government is security, but there has been a recent paradigm shift from risk avoidance to risk management. The DOD is using Common Access Cards (CACs) to secure laptops, but these are expensive and require additional equipment like card readers. 2011 will see the advent of security devices for […]

Keeping Credit Card Data Safe

Having your credit card stolen is a major concern for any cardholder. Combine that with the responsibility of buying supplies for the government and it is enough to lose sleep over. Attacks on payment card processing systems are on the rise. Organized internet thieves target all sizes of online merchants. According to a study by the University of Michigan, 76 percent of websites from 214 US financial institutions suffer from at least one security design flaw that prevents secure usage (you can find the full report at

No one is completely safe.

Fortunately, there’s a clear path of action for merchants that can help prevent compromise of payment card data. The Payment Card Industry Data Security Standard is the authorized program of goals and associated security controls and processes that keep payment card data safe from exploitation. The standard is often called by its acronym PCI DSS or PCI.

This standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands. This includes deploying multiple firewalls within the ecommerce system and separating the credit card database from other system processes.

As principal developer of the DOD EMALL eCommerce site, Partnet recognized the vulnerabilities of the system. In 2008, when the Defense Logistics Agency mandated that DOD EMALL be moved into a DISA enterprise data center, Partnet recommended that the ecommerce system network be redesigned to move toward PCI compliance. This was the first time the Department of Defense dealt with this commercial standard. Partnet […]

Protective Plugins for Safer Surfing

How will you stay safe when surfing the web this new year? We’d like to offer some tips. Security takes up a large part of our work in building a web site for the DOD. As we try to keep current on new web attacks, we often find vulnerabilities that cannot easily be fixed. It seems to take years for websites to address the problems. For example, session side-jacking has been around for years. But it wasn’t until Firesheep made the vulnerability so easy to exploit that major websites like Hotmail and Facebook started to address it (Facebook still hasn’t fixed the problem, but they say they are working on it).

We don’t have to wait years for websites and browsers to address these new attacks. To protect ourselves, we use Firefox or Chrome with an arsenal of pro-active plugins. Here is a collection of our favorite Firefox add-ons that help us use the web more safely. These are what we recommend to our friends and family. Here is a list, in order, of the most protective add-ons for Firefox and why:

NoScript – turns JavaScript, Java, and Flash on and off per website. You can turn these features on for sites you trust. It helps you consciously think about which pages you trust. WARNING: This is intrusive and will probably break some websites the first time you go there. But it is worth the time to learn how to use it. Here is a quick video describing how to use it
RequestPolicy – keeps websites contained to their own domain, helping prevent cross-site attacks, specifically Cross-Site Request Forgery (CSRF). Here is a CSRF attack scenario: Suppose you are logged into your bank, […]

By |January 18th, 2011|General, Security|0 Comments|

DOD Security Needs are both Internal and External

Security has been a top priority for DOD in 2010. On November 3, 2010, the Department of Defense announced that U.S. Cyber Command had achieved Full Operational Capability (FOC). The mission of Cyber Command is to keep intruders out of government websites. This has been a primary focus of security personnel over the past several years with the alarming increase of attacks on government websites.

In November, the Defense Information Systems Agency (DISA) announced the development of an application that provides smart phone users with a secure way to access DOD networks. Designed by Good Technologies, Go Mobile is intended to allow DOD end-user employees to use their smart phones in a secure way. It uses a plug-in, called a dongle, to connect via Bluetooth to a Common Access Card (CAC). A personal identification number ensures the physical security of the phone. When Go Mobile is active, it disables other features on the phone to secure data storage and provide safe data transfer. The application supports DOD security policy management, enforcement and compliance while providing a secure web browser and a secure apps container. The application is still under testing and evaluation but should be available sometime in 2011.

While these efforts are extremely important and help safeguard external access to government networks and websites, a bigger threat may come from government personnel working within the highly-secure government network. WikiLeaks is a prime example of this internal threat where a single rogue U.S. Army Private was able to download thousands of secret cables and hand them over to Assange’s fledgling organization. No matter how secure a network is, there is always the possibility of a breach from the inside.

Just weeks after the Wikileaks initial release of information, […]

By |December 14th, 2010|General, Security|0 Comments|