I often talk about #experience and #security. I don’t see them as mutually exclusive; you can have both a great experience and strong security. People are making a different trade-off on a regular basis and aren’t considering the ramifications. I’m speaking about #privacy vs. #convenience. The explosion of smartphones and apps has afforded us tremendous convenience. Much of that comes at a price – reducing our privacy. Yes, it’s convenient to get deals at your favorite store, or be alerted to changing traffic or weather conditions, or get alerted to sports updates in real time. To deliver these services, the applications require information about you: what stores you like, where you are, where you live and work, what your favorite teams are. Most have very little regard[…]

I often tell people that #security is not a thing you can buy. It’s a feeling. You do something and it makes you feel secure. Businesses spend a lot of money on products in the top-right of a #Gartner magic quadrant to feel better. They see “improve security” as a goal, and equate spending on the tool with accomplishment of that goal. No tool is a silver bullet; it won’t prevent every imaginable risk. You find a gap, and it makes you feel insecure. Next year you budget for a tool that fills that gap. And that tool has a gap, and you repeat the process every year. The spending spins out of control… and you’re no closer to that feeling of security. An[…]

Businesses now require their digital efforts to have both security and usability at their core. If one is less than the other, it will ultimately be surpassed.

In April 2014, CVE-2014-0160 was released, better known as the Heartbleed bug. Heartbleed is devastating – it can reveal sensitive information not just of the user, but anything in the memory of the affected machine. In practice it has been used to extract private keys for TLS/SSL certificates. These stolen private keys can then be used to impersonate a legitimate website for the purposes of stealing credentials, performing phishing attacks, and other malicious activity. It is hard to overstate the potential damage that Heartbleed could create. When Heartbleed was first released, Robert Graham scanned 28 million machines across the Internet, and found over 615,000 of them were vulnerable to Heartbleed. As soon as the vulnerability was disclosed, web hosting providers, commercial software vendors, and even[…]

After a long hiatus, Security Musings is returning to its roots. This blog is going to be equal parts education and entertainment – you’ll learn some things, and you’ll learn some things that make me angry. I won’t follow a set frequency although I intend to post at least twice a month. The look and feel has changed, and I’m sure some older posts may not look right. I’m not going to dwell on that unless specific requests are made to get certain posts working again. It’s time to move forward.

After the 2013 HIPAA Omnibus rules went into effect, there was a delay as the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) brought its auditing program in line with the new requirements. Based on last month’s announcement in the Federal Register, it seems they are about ready to start auditing organizations again. I suppose most healthcare covered entities and business associates don’t read the Federal Register regularly, so here are the pertinent details. OCR is planning an information collection (survey) effort, targeting 1,200 covered entities (typically health plans, health care clearinghouses, and health care providers) as well as business associates. The announced goal of the survey is: to determine suitability for the Office for[…]