How Easily Could the Sony Breach Have Been Prevented?
Check out this short video of Jonathan Sandler of STEALTHbits talking about how their technology would very likely have kept Sony out of the headlines.
Thank you so much for all your support in 2014. We are already planning for 2015. Many of you may have already gotten calls from me as I contact you to get feedback on a set of 10 questions I [...]
We wrote to you three weeks ago to remind you of your $25,000 for tax deduction and bonus depreciation on certain IT and other assets. We have a news flash, the senate just passed a bill to raise that accelerated [...]
Navigating Fear in the Security and Compliance World
When advancing technology, it is the fear of a project going sideways, running over budget or failing to accomplish the stated objective that has many frozen. What if the technology we recommend doesn’t work as we hope? What if it is something required by law (such as encryption in healthcare), yet we fear an unknown outcome so much that we won’t act? What if we miss a key component of a project or underestimate the effort required, and the entire project goes over budget?
This is one time you may want to make a quick call to your accountant, then order up some of those infrastructure items you are putting off. A bill known as “tax extenders” if signed by the president will reinstate Section 179 tax [...]
I don’t normally give a moment's notice to what goes on in Hollywood, but the story “Future of Sony's Amy Pascal questioned after hacked email revelations” caught my attention because of the cyber security aspect involved. So often I hear executives say something similar to “I don’t worry about our security because we don’t have anything anyone would want to hack into.”
That complacent assessment is wrong, as most everyone knows: today nearly all hacking and security breach incidents are the result of indiscriminate malware that scans the Internet searching for vulnerable systems. When that malware finds a vulnerable system, most of it runs automated code that looks for passwords and bank account information, encrypts data for ransom, and so on. The attacker never had to decide your data was worth wanting.
In this particular case a ton of data was stolen and released. The implication for Sony Pictures Co-Chairman is that her personal e-mails were....
6 Reasons Organizations Fail to Encrypt ePHI
The drumbeat of HIPAA breaches in the media is incessant, and the refrain is the same: yet another PC containing electronic protected health information is stolen, so the organization is compelled to notify patients, Health and Human Services, and the media. The Office of Civil Rights swoops in, levies a seven-figure fine, and posts the offender on the HHS “Wall of Shame”, resulting in a damaged reputation and loss of future earnings.
Ironically, had the PC’s hard-drive been encrypted, the loss would have been a non-event, unreportable given the Safe Harbor provisions of HIPAA. And inexpensive encryption technology has been readily available for years. Yet, 538 or 46% of the 1,171 Breach Notifications posted on the Wall of Shame stem from the simple loss of a computer with an unencrypted hard-drive.
So, if it is so obvious how to correct the deficiency that single-handedly accounts for the most frequent HIPAA Breach Notifications, why don’t more organizations properly encrypt and protect the ePHI entrusted to them? Here are the six most common reasons we discover during our risk assessments …
...this then puts all the burden and stigma on Alvaka, our engineer and our NetPlan program. That fuels some of the debate we have with some clients. I remember two separate debates with a controller at a 20-year client. He said he “should not have to pay for us to check our own work.” I have two answers for that objection:
1. He has two of his own guys that work on his IT system, along with other vendors. His employees can do things unintentionally, etc. This is not about checking on our Alvaka engineer. It is all about checking the overall integrity and operational state of his IT system, which has changing needs over time and changes due to different people touching it. It is simply a matter of doing a periodic review to make sure nothing is getting missed or looking for things that need to be done a different way. Changing and updating tape/disk backup jobs to accommodate new servers and software is a classic example. Without review these jobs don’t often get updated and that leads to tragic results down the road. I have seen it way too many times in 30 years. It is preventable.
2. Even if a client does not have their own IT staff, it is prudent to periodically check IT systems to make sure everything is working right, that the current needs are being met and that important requirements/practices are not getting overlooked or wrongly....
So what should you do at your company?
1. Identify your most valuable IT systems within your company. What is the most important data that resides there? Determine your obligations to protect that data and how important it is that those systems are up and running.
2. Do you have a current network/information security policy in place? Once you determine which systems and data are most important to protect, developing your policy becomes much easier.
3. Discover where you are most at risk. A quick and easy solution is to have someone perform a vulnerability assessment on your system. Alvaka Networks can help you with this. Vulnerability assessments are the most common security service we provide, and they make your work easy. We will help you match the protection needs of your most important IT assets with the vulnerabilities identified in the assessment. From there you can easily create a roadmap for what you should do to protect you, your company and your IT assets from cyber-attack.
Under Section 179, your business is eligible to deduct up to $25,000 worth of equipment as long as it is purchased and operational by December 31, 2014. Phones, computers, software, office equipment and office furniture qualify for this deduction. If you [...]
The process typically involves making sure servers are rebooted in the right order, making sure they have completely rebooted, restarting applications in the right order, and then testing to be certain everything is working properly when users return to work in the morning.
This typically takes 30 minutes per server, depending upon your environment.
PCs are not typically smoke tested, or if so, not all of them.
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average about 1.5 hours each.
There are many variables to consider. Some are:
You want to enter a fully burdened labor rate in this field. That means you take the base hourly rate and add 25-30% for employer payroll taxes, benefits, vacation/holiday time, etc.
For example, someone making $80,000 per year will typically work 52 weeks of 40 hours, or 2080 hours. $80,000 divided by 2080 is $38.46/hour. Multiply that hourly rate by 1.3, and you get $50.00/hour. Of course, rates of pay, taxes and benefits vary by city, state and company, but 30% is usually a good number to use. Don’t forget to account for time-and-a-half or after-hours rates of pay if patching is being done in the late evening, early morning, or on weekends (in order to avoid impacting user productivity).
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.
If you are presenting to management for a budget, and using this calculator as the basis for a Return on Investment (ROI), you will need to do more homework. An ROI is the ratio of the cost of an investment to its expected benefit. For patching, the benefit can be very difficult to determine. How do you measure the cost of a system breach you have not yet had? You can estimate what expenses, penalties, and losses a company might incur when a breach occurs, but there is no certainty of a breach event or of what those costs actually are. There are also regulatory compliance issues and/or potential fines for not patching, but those, too, can be vague. For calculating these potential risks and costs, it is advisable to enter into a discussion with your management team.
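The calculator described above, carried through in code as an added example (this is not Alvaka's own calculator). The per-device figures (1.5 hours of manual patching per system, a 30-minute post-reboot smoke test per server, PCs not smoke tested) and the 30% burden factor are taken from the text; the fleet sizes, salary and after-hours multiplier are constructed sample inputs.

```python
"""Monthly manual-patching labour cost model (added example, not Alvaka's tool)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 52 * 40  # 2080 working hours per year, as in the text


def burdened_hourly_rate(annual_salary: float, burden: float = 0.30) -> float:
    """Base hourly rate plus employer taxes, benefits, vacation etc. (25-30%)."""
    return round(annual_salary / HOURS_PER_YEAR * (1 + burden), 2)


@dataclass
class PatchEstimate:
    servers: int
    pcs: int
    hourly_rate: float                   # fully burdened, from burdened_hourly_rate()
    patch_hours_each: float = 1.5        # average manual patching time per system
    smoke_test_hours: float = 0.5        # reboot in order, restart apps, verify: 30 min/server
    after_hours_multiplier: float = 1.0  # 1.5 when patching is done evenings/weekends

    def server_hours(self) -> float:
        # Servers get both the patching work and the smoke test.
        return self.servers * (self.patch_hours_each + self.smoke_test_hours)

    def pc_hours(self) -> float:
        # PCs are patched but, per the text, not smoke tested.
        return self.pcs * self.patch_hours_each

    def labour_hours(self) -> float:
        return self.server_hours() + self.pc_hours()

    def monthly_cost(self) -> float:
        return round(self.labour_hours() * self.hourly_rate * self.after_hours_multiplier, 2)


def sample_estimate(after_hours: bool = False) -> PatchEstimate:
    """Constructed sample fleet: 20 servers, 200 PCs, one $80k/year technician."""
    return PatchEstimate(
        servers=20,
        pcs=200,
        hourly_rate=burdened_hourly_rate(80_000),
        after_hours_multiplier=1.5 if after_hours else 1.0,
    )


if __name__ == "__main__":
    for after_hours in (False, True):
        est = sample_estimate(after_hours)
        print(f"after_hours={after_hours}: {est.labour_hours():.1f} h, ${est.monthly_cost():,.2f}/month")
```

Comparing the two printed figures against a vendor's Patch Management as a Service quote is the cost side of the ROI the text describes; the benefit side still has to come from the risk discussion with management.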