Making Things Easy is Hard

Was an IT simplification tool the key to the recent Target breach?

Today’s reading brought me to another article by Brian Krebs about his continuing research into the breach at Target. The lengthy article points to some newly uncovered clues, and provides some conjecture as to how the breach may have been exercised. A part of it definitely caught my eye, because it is closely related to some of the work we get called on to do on a regular basis.

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base (sic) BMC Software — includes administrator-level user account called “Best1_user.”


It seems that in this case the attack vector may have been through this IT management software suite. On BMC’s site I looked at what seems to be the current version of that product, and one of the benefits listed is “Reduce administration time by up to 50% – freeing up staff for IT innovation.”

IT is Already Overwhelmed

It is no secret that the typical information technology organization is overloaded and overwhelmed. Scott Adams’ Dilbert comics poked fun at this decades ago, with Mordac, the Preventer of Information Services. A Canadian graduate school study uncovered that IT employees need help handling stress… in 2007. Follow that with seven straight years of increased technology demands, flat budgets, “work smarter, not harder”, and staff reductions, and you have created a recipe for disaster.

IT folks have a hard enough time getting their day jobs done that automation tools have become a burgeoning market of their own. Gartner’s latest magic quadrant in this area lists 13 companies that generate at least $10M annual revenue from their automation tools. And in the wake of the Snowden affair, the NSA recently announced that it would begin the process of automating nearly 90 percent of its system administration duties.

Remain Ever Vigilant

System administration, by its very nature, requires administrative access to systems. Administrative access is what all attackers seek in order to take advantage of a system for their own purposes. So every IT automation tool that is used is essentially creating another potential opening into that system for attackers. The goal of information security professionals like me is to reduce the “attack surface” of a system, but tools like this increase it.

So, what to do?

The only possible path is vigilance, and unfortunately no solution will be perfect. However, my recommendations are as follows:

  1. Determine whether the increased risk to the system is worth the convenience of the IT automation tool.
  2. Assess the security of the IT automation tool or tools you are considering using, and allow security concerns to drive the purchase decision. If you aren’t convinced a tool can be secure, find a different one that can.
  3. Document the configuration and installation of the IT automation tool, in order to ensure it is installed in its most secure state. For example, configure it to only accept instructions that can be verified as having come from your organization.
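As an added example of that last recommendation (this is not code from the original post, nor BMC’s or any vendor’s product): a receiving agent that acts on a management instruction only after checking a keyed HMAC-SHA256 tag, a known issuer, message freshness, and a replay nonce. The key, issuer name, instruction format and time window are all constructed for illustration.

```python
"""Accept only management instructions that verifiably came from your organization.

Added example, not from the original post or any vendor's product. The receiving
agent checks a keyed HMAC-SHA256 tag, the issuer name, message freshness and a
replay nonce before acting. Key, issuer names and instruction format are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed example key: in practice this comes from a secrets store, never source code.
ORG_KEYS: Dict[str, bytes] = {"corp-automation": secrets.token_bytes(32)}
MAX_AGE_SECONDS = 300            # reject instructions older than five minutes
_seen_nonces: Set[str] = set()   # replay cache; a real agent would bound and persist this


def _canonical(envelope: dict) -> bytes:
    """Serialize the signed fields deterministically so signer and verifier agree."""
    body = {k: envelope[k] for k in ("issuer", "issued_at", "nonce", "instruction")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_instruction(issuer: str, instruction: dict, now: Optional[float] = None) -> dict:
    """Build an envelope carrying the issuer, a timestamp, a nonce and an HMAC tag."""
    envelope = {
        "issuer": issuer,
        "issued_at": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
        "instruction": instruction,
    }
    envelope["tag"] = hmac.new(ORG_KEYS[issuer], _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


def verify_instruction(envelope: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check fails closed."""
    now = now if now is not None else time.time()
    key = ORG_KEYS.get(envelope.get("issuer"))
    if key is None:
        return False, "unknown issuer"
    try:
        expected = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    except KeyError:
        return False, "malformed envelope"
    # Constant-time comparison: never compare authentication tags with ==.
    if not hmac.compare_digest(expected.encode(), str(envelope.get("tag", "")).encode()):
        return False, "bad signature"
    age = now - envelope["issued_at"]
    if age < -MAX_AGE_SECONDS or age > MAX_AGE_SECONDS:
        return False, "stale or future-dated"
    if envelope["nonce"] in _seen_nonces:
        return False, "replayed"
    _seen_nonces.add(envelope["nonce"])
    return True, "ok"


def demo() -> Dict[str, str]:
    """Exercise the verifier on genuine, replayed, tampered, stale and mis-issued envelopes."""
    results: Dict[str, str] = {}
    now = time.time()
    good = sign_instruction("corp-automation", {"action": "restart", "service": "httpd"}, now)
    results["genuine"] = verify_instruction(good, now)[1]
    results["replay"] = verify_instruction(good, now)[1]          # same nonce seen twice

    tampered = dict(good, instruction={"action": "add-admin", "user": "someone"})
    results["tampered"] = verify_instruction(tampered, now)[1]    # tag no longer matches

    stale = sign_instruction("corp-automation", {"action": "noop"}, now - 3600)
    results["stale"] = verify_instruction(stale, now)[1]          # valid tag, too old

    forged = dict(good, issuer="unknown-vendor")
    results["unknown_issuer"] = verify_instruction(forged, now)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The ordering matters: the tag is checked before any field is trusted, so an attacker cannot drive the agent’s behaviour with unauthenticated timestamps or nonces, and the nonce is only recorded after every other check passes.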

If you have questions about how to assess the security of a piece of software, or need help figuring out the best or most secure configurations it offers, feel free to contact us.

Posted January 29 2014

HIPAA Information Access Management

This article describes the HIPAA information access management requirements for accessing electronic protected health information. The relevant subsection of the HIPAA law is §164.308(a)(4).

Section §164.308 of the Health Insurance Portability and Accountability Act describes the administrative safeguards that a covered entity must employ. This article will explore section §164.308(a)(4), which deals with ensuring that appropriate authorization mechanisms are in place when electronic protected health information (ePHI) is accessed.

HIPAA Information Access Management

“Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.” [§164.308(a)(4)]

A covered entity is responsible for isolating and guarding ePHI from unauthorized access. This section outlines the implementation requirements of a covered entity pertaining to protecting health information while still allowing access by those who need it for business purposes.

Isolating Health Care Clearinghouse Functions

This requirement is only applicable for health care clearinghouses which are part of a larger organization. In this case, the clearinghouse is responsible for implementing policies to protect ePHI from unauthorized access by the larger organization. An auditor will verify this by obtaining and examining formal policies to ensure that access controls exist and are sufficient, as well as verifying that these policies are approved and updated periodically.

This implementation specification is required for health care clearinghouses.

Access Authorization

Covered entities must implement formal policies and procedures for authorizing users before granting access to ePHI. Just authenticating workforce members to a system is not sufficient. Workforce members must also be granted access privileges through a documented process that strongly establishes the identity of the user and the need to access the ePHI. To verify this rule is implemented, an auditor will inspect these policies to ensure that they are sufficient for determining the need for access before granting it. The auditor will also determine if the policies are approved and updated on a periodic basis. Additionally, the auditor will verify that the entity’s IT department has the capability to enforce the access controls laid out in the policy through technical means wherever possible.

This implementation specification is addressable. If it is not applicable or reasonable for the entity to implement, there must be formal documentation explaining why, and what (if any) related controls are implemented instead.

Access Establishment and Modification

The covered entity must implement policies and procedures to establish, document, review, and modify user access rights to ensure that the appropriate level of access is granted at all times. This HIPAA information access management rule covers access to workstations, programs and other processes that may display, contain or process ePHI. To verify this rule is implemented, an auditor will inquire of management whether such policies exist, obtain and review formal documentation of these policies, and determine whether or not the policies are sufficient and periodically reviewed and updated.

This implementation specification is also addressable. (See above for explanation of addressable.)

Changes in the 2013 HIPAA Update

No changes to the HIPAA security awareness and training requirements were included in the 2013 HIPAA Omnibus Rule. However, as described in this article, business associates of covered entities are also liable for complying with the Security Rule. Therefore, these requirements also apply to business associates.


HIPAA information access management is designed to control access to electronic protected health information (ePHI) and is a crucial part of HIPAA compliance. By restricting access to PHI, the likelihood of a breach is reduced. Creating and maintaining formal policies and procedures to implement and routinely review HIPAA information access management rules and procedures will greatly increase the chances of passing a HIPAA audit, as well as diminishing the risk of a data breach.


This article has been cross-posted from the Gemini Security Solutions website.

Posted March 26 2013

Inside a Breach of Patient Information

I recently got directed to this article called First-Hand Experience with a Patient Data Security Breach. It is a really good breakdown of the elements of what happens during a breach and the subsequent events. It starts with the theft of a laptop from an employee’s car. After the theft was reported, they looked at a recent backup of the machine and learned that the laptop contained data files about healthcare patients. Well, not directly. It contained logs of problems with health information systems, and within those logs were the healthcare records. Oops. While the laptop did not belong to a healthcare provider directly, it still held files that were sensitive and could potentially constitute a breach under HIPAA regulations, as well as Massachusetts state data breach laws.

One of the items that is most telling from the article is the following:

Add to that the fact that the rules to implement the HITECH modifications are still just proposals and not final regulations yet, and what we were left with was a grab-bag of statutory and legal piece-parts that we ourselves had to assemble without any instructions or diagrams.

The article has a long section that describes what they and their lawyers determined was necessary and prudent for them to do, followed by all of the analysis they did to determine exactly whose records were affected and warranted breach notification. Of the original 14,475 records on the lost laptop, they determined that only 1000 records (7%) would have a “significant risk of harm if their data was actually accessed”.

The most telling breakdown in the entire article was of the hard and soft costs of the breach. Losing a single unencrypted laptop with 14,475 records on it resulted in $288,808.00 of direct costs. The overwhelming majority of this was the money spent on legal fees ($150K) and 600 hours of staff time to do the analysis and response ($125K). Their insurance covered the majority of the non-staff-time costs, which also resulted in a $5,000.00/year increase in their insurance premiums.

The article concludes with a breakdown of what they did in the aftermath, and a list of lessons learned from the incident. A final quote though to wrap up the article:

In my opinion, the penalties we paid for an honest mistake with very low risk (a random theft of a password-protected laptop containing a patchwork of demographic data) seem disproportionately high ($300,000 to us; national public exposure to the practice.)

It is important to contrast this with the failure to report this breach, which could have resulted in fines under HIPAA/HITECH. This breach seemed to fit the case of “the violation was due to reasonable cause and not to willful neglect” which caps the fines at $1,000 per record, or $100,000 per calendar year. So for about 1/3 of what they actually spent, they might have considered just accepting the HITECH fines.

Posted February 21 2013

Flight of the Black Swan

The term “black swan event” was introduced by Nassim Nicholas Taleb in the book Fooled By Randomness. Black swan events have three major characteristics: they are rare, they cause a significant or extreme impact, and upon retrospection, they are actually predictable. As described very well in this Wired article, “getting hacked” is a black swan event. While “getting hacked” can mean many different things, let’s take the example as used in the Wired article of having your identity stolen by hackers.

  • It is rare enough that many of us will probably never experience it.
  • Some cases have an extreme impact such as having your identity stolen, losing funds from your bank account, or having your computer or mobile devices wiped.
  • And as this blog and any number of other websites, news outlets, and information security professionals will tell you, hacking is a predictable event – it is not a question of if, but when you will be hacked.

The Wired article points out an interesting point regarding behavioral economics when it comes to situations such as this:

we already know how we should protect ourselves online, we just choose not to do so. Hardening your internet identity, whether through new passwords, a backup regimen, or other means, costs time and energy in the present, and pays dividends only in some far-off hypothetical future.

There are numerous examples of these “black swan” events all around; passwords are being stolen from websites at an alarming rate. The latest Identity Theft Resource Center breach statistics report (pdf) reveals that there were 399 breaches in the first 11 months of 2012, compromising over 15 million records. Most people have heard stories like what happened to Mat Honan, or even what happened to me.

This particular black swan is in flight. There will be a hack that will affect you. While it is rare, it will have a significant impact and is completely predictable. The question now is, what are you doing about it?

Our recommendation is that you take a hard look and assess how prepared you are for certain kinds of attacks, such as a breached password, an unlocked file cabinet, or an unpatched operating system. Understanding what might happen if things go bad will help you understand where you need to get better. Our Information Protection Assessment (IPA) solution provides this capability for organizations. We conduct guided conversations with knowledgeable individuals about all the different areas where information must be protected.

By knowing what information needs to be protected, what protections you do (or don’t) have in place, and what risks you’re willing to take even in the face of this knowledge, you can be better prepared for the eventuality of this black swan visiting you.

Posted January 15 2013

Sending the wrong message

An attack on the South Carolina Department of Revenue exposed 3.6 million social security numbers, and about 387,000 credit and debit card numbers of South Carolina residents. Data breaches like this are so common, they are barely newsworthy… and we certainly try not to cover every single data breach event on this blog.

However, today’s followup to the story is what made it interesting. Governor Nikki Haley went on the record in a press conference trying to defend their lack of good practices. I’ve embedded the video below and hopefully it will start at the good part, 12:43 into the video:

This is a really good example of sending the wrong kind of message. I understand her desire to defend the state workers that failed to foresee this type of breach, and adequately protect their citizens’ information. I also agree that she might be right – there are many situations in which social security numbers don’t get encrypted. However, I’d like to break down some specific problems with the way she made this statement.

  • By saying “a lot of banks don’t encrypt” she is essentially lumping the practices of the banks in with the practices by the S.C. Department of Revenue. However, I don’t think I’m going out on a limb by saying most banks have better security controls and incident response capabilities than the S.C. Department of Revenue. Not encrypting is not the same as not protecting, and there are definitely different ways to protect information.
  • Another statement she made against encryption was “because it is very complicated.” Yes, these days we are facing complex challenges and sometimes the actions we have to take in response are also complex. Encryption is meant to be complicated. You wouldn’t want just anyone to get those social security numbers, right?
  • “It is cumbersome and there’s a lot of numbers involved with it.” Again, making too much of how complicated it is. Never mind the fact that encryption is actually pretty easy these days, you have a social, governmental, and fiduciary responsibility to protect that information. And “a lot of numbers”? Really? Are we channeling Teen Talk Barbie?
  • “It’s not just that this was a Department of Revenue situation, this is an industry situation.” Actually, this is just a Department of Revenue situation. The industry is working to get better. The industry and government are working together to pass standards and regulations. Forward-thinking organizations are proactively assessing themselves and trying to get better. The industry is being held accountable, and so should the state of South Carolina.

Governor Haley, you sent the wrong message to the public today. You tried to deflect blame and throw other organizations and the industry under the bus. Instead, you need to take a long look at what you’re doing to protect information and promise to your citizens that you’ll work to do better.

Posted November 1 2012

Data Leakage

Data leaks in very interesting ways. The other night I was watching one of the political conventions, and the camera crew of the station I was watching loved to cut away from the speaker to catch glimpses of the crowd reactions. When I saw this image, I thanked %deity% for my TiVo, paused, and rewound a bit. Then, I took a picture of the TV with my cellphone.

Sure enough, this woman – Edith Byrd – is proudly showing the camera her Medicare card. And, the broadcaster is sending out a full 1080p high definition signal, meaning that I could read every detail of the woman’s card. (It’s far more readable on my TV than in this picture.) I see that she’s female, I can even see her signature well enough to copy it. I can see she qualifies for both Part A and Part B Medicare, and the dates when she became eligible, and oh, what’s that blurred out box there? You guessed it. It’s her social security number.

Let’s now combine this with the fact that we can see she’s taking oxygen and I know where in the country she was at the time this was taken, and I have absolutely everything I need to cause her a world of hurt. It would not be hard to make false medical claims under her name. Or, use any of a myriad of techniques to try and steal her entire identity outright. This was a major faux pas on the part of the broadcaster, and Ms. Byrd herself – it doesn’t make a lot of sense to wave your ID cards in front of broadcast television cameras.

In this day and age, where there are cameras everywhere, it makes you pause to think how easily we are able to leak information… Even information stored in non-electronic forms. Good luck, Ms. Byrd. You’re going to need it.

Posted September 7 2012