Archive for the ‘Administrative Safeguards’ Category

Trojan Linked to 2008 Spanair Plane Crash

Monday, August 23rd, 2010

Authorities investigating the 2008 crash of Spanair flight 5022 have found that the central computer system used to monitor technical problems with the aircraft may have been infected with malware.

The plane, a McDonnell Douglas MD-82 carrying 172 passengers and crew, rolled to the right on takeoff, crashed and broke in two, exploding almost immediately.  154 people died and only 18 survived, making it Spain’s deadliest crash in 25 years.

According to a preliminary report by the Spanish accident investigators, the aircraft took off with its flaps and slats retracted, and no take-off warning sounded because the central computer system that supplies power and fault messages to the take-off warning system had failed.  Two smaller earlier events had also gone unreported by the same system.  In short, the built-in safeguards that should have prevented the crash did not.

Jamz Yaneeza, head threat researcher at Trend Micro, indicated that the malware found on the infected system was a Trojan horse.  Although there are several ways the malware could have reached the system, the most likely route is a USB stick.  Infection by removable media is nothing new in the transportation or high-tech industries: computers aboard the International Space Station were infected the same way in 2008.  Another possibility is that the infection arrived over a remote VPN connection.

A complete report on the full investigation is due in December 2010.  Researchers say the preliminary investigation suggests the malware was not specifically written for the plane’s computer systems.

What this incident does bring to light is the narrowing gap between two kinds of risk management that have historically sat at opposite ends of the organization.  Conventional risk management, covering employee health and safety, transportation safety, process safety and environmental protection, is typically owned by a “risk manager” at most larger organizations, while cyber security is owned by a “technical officer” (or similar designation).

As technology develops and cyber criminals expand their operations, directed attacks against this kind of exposure can and should be expected, particularly for extortion and blackmail.  This incident is a classic example of a single event that harmed employee and public safety, owned materials and vehicles, company image, and network security all at once.

In this case, the malware was probably not the direct cause of the flaps being left at the dangerous 0-degree setting, but if the computer system failed to alarm on the problem as it should have, it was a contributing factor in the crash.  It is certainly possible that in future we will see purpose-built malware aimed at planes, vehicles and other computer-controlled equipment, intended to cause harm or havoc for financial or terrorist gain.

UPDATE:

New information surfaced three days after this story first ran at MSNBC and TechNewsDaily.  According to security experts around the web, the internal Spanair report that raised many of these issues, and on which some of the conclusions in this post rest, may not have been entirely accurate.  So while the accuracy of the initial report is still up in the air, the overall message about malware and cyber security risk in integrated systems is still valid.  As technology develops, so too will the criminals and malicious entities that take advantage of it.

Rite Aid to Pay Out $1 Million to Settle HIPAA Privacy Case

Wednesday, July 28th, 2010

In yet another significant privacy case, Rite Aid has agreed to pay $1 million to settle allegations that it lacked the policies, controls and procedures to govern how employees disposed of prescription containers bearing Personally Identifiable Information (PII).  The conduct violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, and the Federal Trade Commission (FTC) found separate violations of the FTC Act.

Rite Aid is one of the nation’s largest drugstore chains and will be required to implement best practices and corrective actions to prevent a recurrence.  That means policies, programs and procedures, as well as a strict education and training program for the employees who handle containers carrying customers’ PII.  Remarkably, this is not the first such violation in the drugstore industry.  In February 2009, CVS Caremark Corp. agreed to pay $2.25 million to settle identical violations of the HIPAA rule.  One might expect a corporation to learn from a competitor’s mistakes, but this is yet another instance of a corporation apparently failing to take the HIPAA rules seriously or to understand the serious ramifications of non-compliance.

Rite Aid was cited for several infractions by the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy Rule, and by the FTC:

  • Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
  • Rite Aid failed to adequately train employees on how to dispose of such information properly; and
  • Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid Corporation (RAC) agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

These are straightforward controls that ALL companies subject to HIPAA should already have in place.  The RiskAnalytics CyberRiskTools (CRT) software platform provides the policies and programs, training materials and best-practice assessment tools needed to address each of the infractions above.  Delivering the training, tracking the testing and monitoring the results are all benefits such a company can achieve by using our platform to manage cyber risk properly.

The official U.S. Department of Health & Human Services (HHS) news release has the full details of the resolution agreement.

Dodd-Frank Act Signed into Law

Thursday, July 22nd, 2010

President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act” for short) into law on Wednesday, July 21, 2010.  The act runs to some 2,300 pages and has a bearing on almost every financial services company and industry in the country.

The stated goals of the Act include restoring “public confidence” in the United States financial system, preventing future crises, and anticipating future asset bubbles before they inflate.  The additional regulation of the financial services industry will also change the way financial institutions do business.


Below are the sections of the Act most pertinent to business process and cyber security risk management:

Section 929I: Protecting Confidentiality of Materials Submitted to the Commission

Section 1071: Small Business Data Collection

Section 1082: Amendments to the Privacy Act of 1974

Section 1093: Amendments to the Gramm-Leach-Bliley Act

Section 1494: Study of Effect of Drywall Presence on Foreclosures

Section 1503: Reporting Requirements Regarding Coal or Other Mine Safety

Whether you manage Environmental Health & Safety or your business’s cyber security risk, the Dodd-Frank Act will have an impact on your risk management efforts.  Check back regularly for posts about current events, regulations, and the identification, mitigation and control of risk to your business operations.

States becoming more aggressive in HIPAA enforcement

Monday, July 19th, 2010

Connecticut Attorney General Richard Blumenthal has sued Health Net of Connecticut, Inc. for failing to secure the private medical records and financial information of 446,000 Connecticut enrollees, and for failing to promptly notify the consumers endangered by the security breach.

Blumenthal is also seeking a court order barring Health Net from further violations of HIPAA (Health Insurance Portability and Accountability Act) by requiring that any protected health information held on a portable electronic device be encrypted.

This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

Obviously, the best policy is to ensure safeguards are in place to prevent these breaches from happening in the first place.

Administrative policy combined with technical controls and employee education is key to preventing these episodes. Breaches can affect an organization financially and can result in decreased productivity.

Microsoft will retire XP SP2 July 13th

Monday, June 7th, 2010

Half of the enterprise computers still running the aged Windows XP operating system rely on the soon-to-be-retired Service Pack 2 (SP2), a researcher said today.

SP3 was released two years ago. The situation mirrors Internet Explorer 6, which is being phased out because it is a security risk, yet users remain reluctant to upgrade.

Microsoft will officially retire Windows XP SP2 on July 13. After that date, although it will continue to provide security updates for XP SP3, it will stop issuing patches for the older SP2.

That will make XP SP2 systems increasingly difficult to defend.

Patching is one leg of a layered, defense-in-depth security strategy. Many forms of malware are defeated simply by keeping systems patched and up to date. Other tiers of that strategy should include network monitoring for malware and dynamic blacklisting, both features of the RiskAnalytics Cyber Risk Tools S2 sensor.

Is it possible to measure IT security success?

Friday, May 28th, 2010

It is a commonly held principle in many areas of business that if you can’t measure something “quantitatively”, it will be difficult to raise the quality objectively. The applicability of this statement to the world of IT security is clear. Without having some form of metrics in place, it is tough, if not impossible, to judge whether security is getting better over time. Indeed, it is probably fair to say that many organisations have only one way to assess security – namely, “did anything go wrong” – but this is hardly a metric for the forward-looking.

Meanwhile, of course, the drivers for proactively monitoring ’security’ and the associated effectiveness of security solutions are becoming increasingly high-profile. Regulatory pressures on organisations to secure their operations are more explicit than in the past, while customers and shareholders are less prepared to tolerate IT security breaches. The continuing spread of legislation dictating that organisations actively notify affected parties when data is potentially lost or at risk is certain to add to the pressure to demonstrate that security measures are properly established.

This is exactly what RiskAnalytics Cyber Risk Tools does. It monitors and defends in real time, but it also provides a wealth of quantifiable information on which way IT security is headed in an organization. Is it getting better or worse? More importantly from a productivity standpoint, the system tells you which areas represent the largest risk to the organization, so IT can focus its clean-up efforts there first.

Many of our clients, when they started with us, would swear their network was clean. In reality, most were heavily infected with malware, and employees were routinely committing electronic policy violations that can lead to information leakage.

CRT will alert in real time to security and policy issues that face an organization. Over time, the combination of real time alerting of events, shunning malware and addressing user policy issues will lead to a measurable reduction in security issues.
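As an added example (not RiskAnalytics code and not the CRT product), here is the kind of measurement the post argues for: take a stream of security events, compute per-week counts per category, decide whether each category is trending up or down, and rank categories by a weighted score so the worst area is cleaned up first. The event records, host names and severity weights are constructed for the illustration.

```python
"""Trend and prioritise security events per category.

Added example, not RiskAnalytics code. The event records below are constructed
sample data; the category severity weights are illustrative assumptions.
"""
from collections import Counter
from datetime import date

# Constructed sample: (ISO date, category, host) for a small workstation fleet.
EVENTS = [
    ("2010-05-03", "malware_callback", "ws-01"),
    ("2010-05-04", "malware_callback", "ws-07"),
    ("2010-05-04", "policy_p2p", "ws-12"),
    ("2010-05-05", "malware_callback", "ws-01"),
    ("2010-05-06", "policy_webmail", "ws-03"),
    ("2010-05-10", "malware_callback", "ws-07"),
    ("2010-05-11", "policy_p2p", "ws-12"),
    ("2010-05-12", "policy_p2p", "ws-15"),
    ("2010-05-17", "policy_webmail", "ws-03"),
    ("2010-05-18", "policy_p2p", "ws-12"),
    ("2010-05-24", "policy_webmail", "ws-09"),
    ("2010-05-25", "policy_p2p", "ws-12"),
]

# Assumed weights: an active malware callback outranks a policy slip.
SEVERITY = {"malware_callback": 10, "policy_p2p": 3, "policy_webmail": 1}


def iso_week(day):
    year, week, _ = date.fromisoformat(day).isocalendar()
    return (year, week)


def weekly_series(events, category):
    """Per-week counts for one category, zero-filled across every week seen."""
    weeks = sorted({iso_week(d) for d, _, _ in events})
    counts = Counter(iso_week(d) for d, cat, _ in events if cat == category)
    return [counts[w] for w in weeks]


def slope(ys):
    """Least-squares slope of ys against week index 0..n-1 (events/week/week)."""
    n = len(ys)
    if n < 2:
        return 0.0
    xm = (n - 1) / 2
    ym = sum(ys) / n
    num = sum((i - xm) * (y - ym) for i, y in enumerate(ys))
    den = sum((i - xm) ** 2 for i in range(n))
    return num / den


def trend(events, category, tol=0.25):
    """'improving' if weekly counts fall, 'worsening' if they rise, else 'flat'."""
    s = slope(weekly_series(events, category))
    if s <= -tol:
        return "improving"
    if s >= tol:
        return "worsening"
    return "flat"


def risk_ranking(events):
    """Categories ordered by severity-weighted event volume, highest first."""
    score = Counter()
    for _, cat, _ in events:
        score[cat] += SEVERITY.get(cat, 1)
    return score.most_common()


def repeat_offenders(events, min_events=3):
    """Hosts that keep generating events; the first machines to re-image or retrain."""
    per_host = Counter(host for _, _, host in events)
    return sorted(h for h, n in per_host.items() if n >= min_events)


if __name__ == "__main__":
    for cat in SEVERITY:
        print(f"{cat:18} weekly={weekly_series(EVENTS, cat)} trend={trend(EVENTS, cat)}")
    print("priority order:", risk_ranking(EVENTS))
    print("repeat offenders:", repeat_offenders(EVENTS))
```

The slope tolerance keeps a one-event wobble from being reported as a trend; on a real fleet you would widen the window well beyond four weeks before trusting the direction, and you would weight by distinct hosts as well as raw event count so one noisy machine cannot dominate the ranking.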

McAfee Update shutting down millions of Windows XP computers

Wednesday, April 21st, 2010

A bad McAfee update for Windows XP has shut down thousands, possibly millions, of computers around the world.

Twitter has been buzzing with the news this afternoon that McAfee updates were shutting down XP PCs, and we’ve heard that California sent out an email to state workers a little while ago warning them of the problem. Also apparently affected: the University of Illinois at Urbana-Champaign, over 100,000 computers serviced by a UK IT firm, and presumably countless others based on the reports that keep coming in.

“DAT update 5958 deletes the svchost.exe file, which then triggers a false-positive in McAfee itself and sets off a chain of uncontrolled restarts and loss of networking functionality.”

McAfee has issued the following statement:

“McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2.00 PM GMT+1 (6am Pacific Time).
Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.
The faulty update has been removed from all McAfee download servers, preventing any further impact on customers. We are not aware of significant impact on consumers and believe we have effectively limited such occurrence.
McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. McAfee apologizes for any inconvenience to our customers.”

This highlights two things. First, organizations should be wary of relying on anti-virus as their only line of defense; as this shows, it can fail in its own right. Second, any application running on a host can have unintended consequences, and that is doubly true of un-vetted software such as malware. If a big-name anti-virus vendor can bring down production systems, so can malware authors. The best policy is to keep un-vetted software from gaining a foothold on your systems in the first place.

Microsoft bypasses kernel update on root kit infected machines

Friday, April 16th, 2010

Microsoft’s latest batch of patches contains a kernel update designed not to install on machines infected with a rootkit. This really highlights the case that the machine that never gets infected in the first place is the best policy.

The move is designed to prevent the confusion that occurred when one of the patches released in February resulted in a Blue Screen of Death and continuous reboot cycles on some Windows XP machines.

Microsoft took a fair bit of criticism for the incident before the cause was pinned down to an interaction between the hard-to-detect TDSS rootkit and a Windows kernel security update. Rootkits are a type of malware that avoid detection by anti-virus scanners by burying themselves in places such as Windows kernel code.

Redmond’s April patch batch also contains a Windows kernel patch. To prevent a repeat of February’s snafu, Microsoft is using technology designed to keep the update from installing on malware-compromised machines.
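The McAfee DAT 5958 incident above and this Microsoft change share one defensive idea: know what your critical system files are supposed to look like before you act on them. The following is an added example, not Microsoft’s or McAfee’s actual logic (which neither post describes). It builds a SHA-256 manifest of protected files from a clean reference install and uses it in two ways: a pre-flight check that refuses a kernel update when a protected file has been altered (the April 2010 idea), and a triage step that treats an anti-virus hit on a file that still matches the manifest as a suspected false positive (the DAT 5958 idea). The file names and contents are constructed stand-ins.

```python
"""Known-good hash manifest used two ways: refuse a kernel update when a protected
system file no longer matches, and second-guess an anti-virus hit on a file that
still matches. Added example; not Microsoft's or McAfee's real mechanism.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for files a kernel update or an AV engine might touch.
PROTECTED = ("svchost.exe", "drivers/disk.sys")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, names=PROTECTED):
    """Record hashes of protected files from a trusted, clean reference install."""
    return {n: sha256_file(os.path.join(root, n)) for n in names}


def audit(root, manifest):
    """Return {name: 'ok' | 'modified' | 'missing'} for every protected file."""
    result = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            result[name] = "missing"
        elif sha256_file(path) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def kernel_update_allowed(root, manifest):
    """Pre-flight: install only when every protected file is pristine."""
    return all(state == "ok" for state in audit(root, manifest).values())


def triage_av_hit(root, manifest, name):
    """Before deleting a file an AV signature flagged, compare it to the manifest.

    A file whose bytes are identical to the clean reference cannot be infected,
    so a detection on it is a signature problem, not a malware problem.
    """
    if name not in manifest:
        return "quarantine"
    if audit(root, manifest)[name] == "ok":
        return "suspected_false_positive"
    return "quarantine"


def demo():
    """Build a clean reference and a host, then tamper with the host's driver."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as host:
        for root in (ref, host):
            os.makedirs(os.path.join(root, "drivers"))
            with open(os.path.join(root, "svchost.exe"), "wb") as f:
                f.write(b"constructed stand-in for the service host binary\n")
            with open(os.path.join(root, "drivers/disk.sys"), "wb") as f:
                f.write(b"constructed stand-in for a storage driver\n")
        manifest = build_manifest(ref)
        before = kernel_update_allowed(host, manifest)
        # An AV signature fires on the (still pristine) service host binary.
        av_svchost = triage_av_hit(host, manifest, "svchost.exe")
        # Simulate a rootkit patching the driver in place: same size, changed bytes.
        with open(os.path.join(host, "drivers/disk.sys"), "r+b") as f:
            f.seek(0)
            f.write(b"X")
        return {
            "update_before": before,
            "av_svchost": av_svchost,
            "update_after": kernel_update_allowed(host, manifest),
            "driver_state": audit(host, manifest)["drivers/disk.sys"],
            "av_driver": triage_av_hit(host, manifest, "drivers/disk.sys"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

Two caveats matter in practice. A rootkit that already controls the kernel can intercept file reads and hand back clean bytes, so an audit like this is only trustworthy when run from offline or boot media, not from the live system. And the manifest itself must be stored where the host cannot rewrite it, otherwise the attacker simply updates the expected hash along with the file.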

RiskAnalytics monitoring and network defense products are designed to prevent workstations from getting infected in the first place, through a combination of real-time monitoring and bidirectional shunning of aggressor IP addresses.

Counterfeit Check schemes via e-mail targeting US Law Firms

Thursday, January 21st, 2010

The FBI continues to receive reports of counterfeit check schemes targeting U.S. law firms.

In the most recent scenario, a fraudulent client seeking legal representation is an ex-wife “on assignment” in an Asian country. She claims to be pursuing a collection of divorce settlement monies from her ex-husband in the U.S. The law firm agrees to represent the ex-wife, sends an e-mail to the ex-husband, and receives a “certified” check for the settlement via delivery service. The ex-wife instructs the firm to wire the funds, less the retainer fee, to an overseas bank account. When the scam is executed successfully, the law firm wires the money before discovering the check is counterfeit.

All Internet users need to be cautious when they receive unsolicited e-mails. Law firms are advised to conduct as much due diligence as possible before engaging in transactions with parties who are handling their business solely via e-mail, particularly those parties claiming to reside overseas.

Is your Google Email at Risk?

Thursday, January 21st, 2010

The code used to hack Gmail accounts in China is now publicly available on the Internet. Computer users around the world are being warned not to use Internet Explorer 6 until a patch is available.

The attack targets Internet Explorer 6, the browser that shipped with the Windows XP operating system, and compromises the machine completely. Many users still run IE 6.

On Thursday, the code used to hack the Gmail accounts in China, the attack that led Google to threaten to close shop there, was posted to a malware-analysis web site. By Friday, a working demonstration showed how easily the exploit can be used to take complete control of a computer.

The software used for that demonstration is intended to let security professionals test security threats through penetration testing, which is valuable for discovering security holes.

Microsoft has yet to patch the hole in IE 6, a flaw so serious that it prompted the German government to advise citizens to avoid IE. Microsoft has posted a security advisory detailing the problem and urging users to upgrade to newer browsers.
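One practical check behind the warning above is finding out which machines on your own network still browse with IE 6. As an added example (not from the original post), the script below parses web-proxy access logs in Apache/Squid “combined” format, pulls out the User-Agent string and reports the client addresses making requests with IE 6. The log lines are constructed for the illustration. One caveat it handles: IE 8 in compatibility view identifies itself as “MSIE 7.0” but carries a “Trident/4.0” token, so the MSIE number alone understates the real browser version.

```python
"""Find clients still browsing with Internet Explorer 6 from proxy access logs.

Added example, not part of the original post. The log lines are constructed;
the format assumed is the Apache/Squid "combined" format with the User-Agent as
the last quoted field.
"""
import re
from collections import Counter

# Constructed sample log. 10.0.0.21 is the IE 6 machine; 10.0.0.24 is IE 8 in
# compatibility view, which reports MSIE 7.0 but includes a Trident/4.0 token.
SAMPLE_LOG = [
    '10.0.0.21 - - [20/Jan/2010:09:15:02 -0600] "GET http://mail.google.com/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.22 - - [20/Jan/2010:09:15:07 -0600] "GET http://www.example.com/ HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '10.0.0.23 - - [20/Jan/2010:09:16:40 -0600] "GET http://www.example.com/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"',
    '10.0.0.21 - - [20/Jan/2010:09:20:11 -0600] "GET http://news.example.net/ HTTP/1.1" 200 9876 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"',
    '10.0.0.24 - - [20/Jan/2010:09:21:00 -0600] "GET http://www.example.com/ HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"',
    'this line is corrupt and should be skipped',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$'
)
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+")


def parse_line(line):
    """Return {'ip': ..., 'ua': ...} for a well-formed combined-log line, else None."""
    m = LOG_RE.match(line)
    return {"ip": m.group("ip"), "ua": m.group("ua")} if m else None


def ie_major(ua):
    """Real IE major version, or None for non-IE agents.

    IE 8 and later send a Trident/N token even in compatibility view, where the
    MSIE number is lowered; Trident major + 4 is the actual browser version
    (Trident/4.0 = IE 8, Trident/5.0 = IE 9, ...). IE 6 never sends Trident.
    """
    trident = TRIDENT_RE.search(ua)
    if trident:
        return int(trident.group(1)) + 4
    msie = MSIE_RE.search(ua)
    return int(msie.group(1)) if msie else None


def ie6_clients(lines):
    """Counter of client IP -> number of requests made with IE 6."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and ie_major(rec["ua"]) == 6:
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in ie6_clients(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} IE 6 request(s)")
```

Feed it the proxy’s access log (for example `ie6_clients(open("/var/log/squid/access.log"))`) and the resulting addresses are the workstations to upgrade or block first. User-Agent strings are client-supplied and trivially spoofed, so this is an inventory aid, not an enforcement control.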