• 16Mar
    Author: beth Categories: Ramblings Comments: 0

    Did you know that in addition to the Barking Seal blog, Applied Trust also has a quarterly print newsletter called The Barking Seal that features entirely different content? If not, now is the time to check it out! The printed Barking Seal first debuted in 2005, with the goal of providing a trusted source of useful information about the IT security and infrastructure arena to our clients, supporters, and friends. Since then we’ve covered many hot topics in the industry, and our latest issue is no exception. The Q1 2010 issue includes a feature article about the importance of change management, as well as a secondary article about our recent awarding of QSA certification status by the PCI DSS. You can read the issue online here, and if you’d like to subscribe to the printed edition, you can sign up here. Happy reading!

  • 09Mar
    Author: zack Categories: Infrastructure, Security Comments: 0

    Confused Deputy
    One of the most interesting (in other words, “dangerous”) vulnerabilities that almost every existing web application falls victim to is cross-site request forgery (CSRF – “sea-surf”). CSRF is a type of malicious attack vector whereby unauthorized commands are transmitted from a user that the website trusts. It is an example of the confused deputy problem. This is different than the widely-known cross-site scripting (XSS) in that CSRF exploits the trust that a site has in the user’s browser, and XSS exploits the trust a user has for a particular web site.
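The trust asymmetry described above, the browser attaching the victim's session cookie to a request the victim never meant to make, is easiest to see in a state-changing handler. The following is an added example written for this page, not the post author's code: the same transfer endpoint first authorising on the session cookie alone, then hardened with an Origin check and a session-bound synchronizer token. `SERVER_KEY`, `SITE_ORIGIN`, the session and the form values are constructed for the example.

```python
import hashlib
import hmac

# Constructed secret for this example; a real service loads it from protected config.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
# Origin the application is served from (constructed value for the example).
SITE_ORIGIN = "https://app.example"


def issue_csrf_token(session_id: str) -> str:
    """Derive the per-session anti-CSRF token (synchronizer token pattern).

    The token is rendered into the site's own forms. A page on another origin
    can make the browser send the session cookie, but it cannot read this value.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(session: dict, form: dict) -> tuple:
    """Authorises on the session cookie alone.

    Because the browser attaches the cookie to any POST aimed at this origin,
    a form submitted from a third-party page is indistinguishable from the
    user's own click: the confused deputy the post describes.
    """
    if "user" not in session:
        return 401, "login required"
    return 200, f"transferred {form['amount']} to {form['to']}"


def transfer_hardened(session: dict, form: dict, headers: dict) -> tuple:
    """Same handler with two independent CSRF checks.

    1. The Origin header, when the browser sends one, must match the site.
    2. The form must carry the session-bound token, compared in constant time.
    """
    if "user" not in session:
        return 401, "login required"
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = issue_csrf_token(session["id"])
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo() -> dict:
    """Run a genuine request and a forged one through both handlers.

    Returns the HTTP status each handler would produce, keyed by scenario.
    """
    # Constructed session that the victim's browser cookie resolves to.
    session = {"id": "sess-12345", "user": "alice"}
    genuine_form = {"amount": "10", "to": "bob",
                    "csrf_token": issue_csrf_token(session["id"])}
    genuine_headers = {"Origin": SITE_ORIGIN}
    # A forged submission: the cookie rides along, but a third-party page
    # cannot read the token and its Origin header is its own.
    forged_form = {"amount": "10000", "to": "mallory"}
    forged_headers = {"Origin": "https://other.example"}
    return {
        "vuln_genuine": transfer_vulnerable(session, genuine_form)[0],
        "vuln_forged": transfer_vulnerable(session, forged_form)[0],
        "hard_genuine": transfer_hardened(session, genuine_form, genuine_headers)[0],
        "hard_forged": transfer_hardened(session, forged_form, forged_headers)[0],
        # Forged request arriving without an Origin header: the token check still holds.
        "hard_forged_no_origin": transfer_hardened(session, forged_form, {})[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The vulnerable handler returns 200 for both submissions because the only thing it inspects is the cookie the browser supplies automatically. The hardened handler layers two checks on purpose: the Origin comparison is cheap and catches ordinary cross-site posts, while the HMAC-derived token, which only the site's own pages can embed, remains effective when no Origin header is present.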

    Read more »

  • 04Mar
    Author: terry Categories: Security Comments: 0

    Frequently during the course of a security assessment, we get asked about social engineering. People want to know if it is really worth the time it takes, and what is the point, anyway? Well, the bottom line is that the access an intruder can achieve either by physically walking into an office or data center, or by convincing an employee to click on a link or divulge information over the phone, can be one of the quickest ways to a data breach. In fact, according to the FBI data security survey in 2009, non-malicious insiders (folks that just make mistakes such as the ones listed below) are a much bigger problem than malicious insiders. Indeed, 16% of respondents reported that nearly all of their losses were due to these well-meaning insiders.

    Read more »

  • 25Feb
    Author: randy Categories: Security Comments: 0

    Applied Trust recently achieved Payment Card Industry (PCI) Qualified Security Assessor (QSA) status. Most companies that pursue this credential do so solely for the purpose of being able to perform QSA-certified audits as defined by the PCI standards council. The PCI standard requires that an organization is 100% compliant across all requirements. For requirements that cannot be exactly met, PCI allows the use of compensating controls. For a variety of reasons, we think that this area is an important aspect of our PCI compliance practice.

    When real-world conditions present challenges to compliance with the PCI standard as written, we work with our clients to identify, document, and evaluate appropriate alternatives. These compensating controls are not a get-out-of-jail-free card – there are specific rules as to when and how they may be applied. Specifically:

    Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.

    Compensating controls must satisfy the following criteria:

    Read more »

  • 16Feb
    Author: zack Categories: IT Management, Ramblings Comments: 0

    Boulder, CO

    In a recent study conducted by The Gallup-Healthways Well-Being Index, Boulder received top honors as the overall happiest, healthiest, and most optimistic city in the United States. The study surveyed more than 350,000 Americans across the country and assessed their lives based on a variety of pre-defined categories. While Boulder did not sweep every category looked at by the researchers, it did get the highest rank in the “Work Experience” arena. At Applied Trust we have always known this was true, but it is nice to get some nationwide visibility for it.

    We care about having a good work and life balance for everyone that works here. That’s why the ATE Employee Canon is so important to us. Having this realization and making conscious, proactive maneuvers to maintain it is a key component to fostering a positive “work experience” like the one discussed in the survey. The section measured job satisfaction, ability to use one’s strengths at work, trust and openness in the workplace, and whether one’s supervisor treats him or her more like a boss or partner. These metrics align very closely to how we view work and how we want to spend our time there.

    Read more »

  • 15Feb
    Author: ned Categories: IT Management, Security Comments: 0

    The PCI DSS (Payment Card Industry Data Security Standard) sets a number of expectations for IT assessment.  Activities, from scanning for rogue wireless access points to reviewing vendor contracts, are scattered throughout the PCI Data Security Standard document.

    Below is an attempt to assemble those requirements into a single schedule.  Where the standard didn’t specify a frequency, I used reasonable “best practices” values.  I hope this is a useful starting place for organizations working toward compliance, but it is definitely not a holistic IT security plan!  There are lots of other security activities that should be taking place at every organization – this is just a summary of those discussed in the PCI DSS.

    See anything that I missed?  Did I get something wrong?  Let me know in the comments and we’ll work toward an accurate sample schedule together!!

    Read more »

  • 10Feb
    Author: ben Categories: IT Management, Security Comments: 0

    We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

    • Comply with the HIPAA security and privacy rules
    • Provide medical information breach notifications
    • Work with the Department of Health and Human Services to perform compliance audits as requested
    • Train employees on HIPAA and its requirements for business associates

    BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

    Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

    First, re-evaluate whether the business truly qualifies as an associate, for one. In the past, BAAs had very few directly applicable requirements, and those that were in place were rarely or never audited and enforced. Businesses should no longer haphazardly sign BAAs when they aren’t strictly necessary.

    If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

    If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

    And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.

  • 15Jan
    Author: ned Categories: IT Management, Infrastructure Comments: 1

    IT infrastructure work is certainly not the same as software development, but the Agile methodologies offer some good advice to us system and network administrators. In general, Agile has grown from a Manifesto about software development to a full-blown project management methodology. Powerful tools are available to help manage projects according to its tenets. Although Agile is based on lessons learned implementing complex software projects, its principles apply equally well to IT infrastructure projects and operations. Agile’s concept of “self-organizing teams” is particularly appealing to me, since Applied Trust is managed as a “company of peers”.

    I’ve picked five of the Principles behind the Agile Manifesto that are particularly applicable to our field – read on to see how they look from an IT infrastructure perspective:

    1) Our highest priority is to satisfy the customer through early and continuous delivery of valuable infrastructure.
    2) Welcome changing requirements, even late in deployment. Agile processes harness change for the customer’s competitive advantage.
    3) Business people and developers must work together daily throughout the project.
    4) Simplicity–the art of maximizing the amount of work not done–is essential.
    5) Continuous attention to technical excellence and good design enhances agility.

    Read more »

  • 12Jan
    Author: ben Categories: Infrastructure Comments: 0

    Pile o' NICs

    I know, you love your network card. You installed Linux, the NIC was autodetected at first boot, and everything “Just Worked.” Your server has been happily providing services over the network ever since.

    But what do you really know about your network card? Is it the culprit of slower performance for your CPU-intensive application? Could you benefit from any of its advanced capabilities? Today’s network interface cards offer a number of hidden gems to the savvy administrator. In this article we’ll learn some of the most important tricks to understanding your NIC in Linux. Read more »

  • 01Jan
    Author: trent Categories: IT Management, Ramblings Comments: 0

    Ok, I admit it – I’m generally not a fan of New Year’s Resolutions.  I believe that folks should always be looking for ways to make positive changes, and shouldn’t need a specific day/event as a trigger.  That said, it does make a nice marker date for an annual evaluation of the state of things.

    Last year, I posted an end-of-year IT checklist, which I again encourage all IT folks to take a quick look at — this is a great time to evaluate and update a number of key IT areas.  At the very least, don’t forget to update your copyright dates!

    I’m hoping 2010 can be a year of positive change for IT.  In that light, as a community let’s make a few resolutions:

    Read more »