
The Heartbleed Bug

The big news in internet security right now is the Heartbleed Bug (CVE-2014-0160). Announced this week, it affects OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1. The flaw is a missing bounds check in the TLS heartbeat extension: a client can claim a heartbeat payload of up to 64 KB while sending almost nothing, and a vulnerable server copies that many bytes of its own process memory back into the reply. That memory can hold the server's private key, session cookies, user credentials and anything else the SSL/TLS encryption would normally protect, and the read leaves no trace in server logs. A successful intruder could obtain your private information from an affected site and, with a stolen private key, impersonate that site until its operators catch on. Since the bug has been in the wild since OpenSSL released version 1.0.1 in March 2012, it is likely that your organization is vulnerable along with many of the sites you frequent throughout the day.

To address this issue in your organization, first inventory every system that links OpenSSL 1.0.1 through 1.0.1f or 1.0.2-beta1, not only web servers but also mail, VPN, load-balancer and appliance software that bundles the library, together with the certificates each one serves. A version string alone can mislead: several Linux distributions shipped the fix as a patch to their existing 1.0.1e packages without changing the version letter, so check the package changelog or test the service directly. Once you have that inventory, patch affected systems by upgrading to OpenSSL 1.0.1g, released April 7, 2014, and restart every process that had loaded the old library. Users unable to upgrade immediately can instead recompile OpenSSL with the heartbeat extension removed via the compile-time option -DOPENSSL_NO_HEARTBEATS. Version 1.0.2 will be fixed in 1.0.2-beta2. Because private keys may already have been read out of memory, generate new key pairs, reissue the certificates and revoke the old ones once the patch is in place. Link: https://www.openssl.org/source/

Only after the fix and the new certificate are in place should all users who logged in through that site be required to change their passwords (a password changed on a still-vulnerable server can simply be captured again), and any active sessions should be invalidated. Any other sensitive information transmitted through the affected server while it ran the vulnerable OpenSSL must also be addressed. Depending on the data, this might mean breach notification, changing account numbers, or concluding that no reasonable action can be taken.

A web-based test to see if your server is vulnerable is here: http://filippo.io/Heartbleed/

There is a test utility/proof of concept (a Python script that completes a TLS handshake, sends a malformed heartbeat request and reports whether the server returns extra memory) available here: https://gist.githubusercontent.com/sh1n0b1/10100394/raw/4f24ff250124a03ad2d3d6010b6402c3a483d2f3/ssltest.py

Snort signatures to detect malicious Heartbleed activity on the wire (heartbeat requests and oversized heartbeat responses) can be found here: http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

As a consumer, watch for the popular websites you use to announce that they have patched and reissued their certificates, and change your passwords only once a site has been fixed; changing them earlier exposes the new password to the same flaw.

This recent announcement is just another reminder to be vigilant with your organization’s data and your personal information.

For more information or to inquire about RISC Management’s Risk Mitigation services, visit our website at www.RISCsecurity.com.


Upcoming Events for RISC

Chris Heuman, the Practice Leader for RISC Management and Consulting, will be presenting at the Genesis Health Alliance (GHA) Vendor Fair in Evansville, IN.

When: April 10th, 2014

Chris will join key partners to present to members of GHA on the topic of HIPAA's Contingency Plan Standard: what is required, what steps should be completed, how to develop documentation, and how and what to test.

What to Test

Chris Heuman and RISC Management will cover the five implementation specifications of the HIPAA Contingency Plan standard (45 CFR § 164.308(a)(7)):

  1. Data Backup Plan (required)
  2. Disaster Recovery Plan (required)
  3. Testing and Revision Procedures (addressable)
  4. Emergency Mode Operation Plan (required)
  5. Applications and Data Criticality Analysis (addressable)

Join Chris Heuman and RISC to learn real world scenarios and steps for success in meeting this extremely difficult Standard in the HIPAA Security Rule. RISC will introduce leading edge solutions that facilitate a Covered Entity or Business Associate’s compliance with these difficult-to-manage requirements.

To bring this presentation to your site or via WebEx, contact RISC to receive more information on identifying, documenting, addressing, and eliminating risk to all of your sensitive information.

In support of knowing which data and systems are most critical to an organization, and which systems and applications are in scope for HIPAA, RISC recommends Data Loss Prevention (DLP) solutions.

RISC DLP Solutions

The first step in any information security and compliance program is understanding what data your organization has, where it is located, and who is using it, authorized or unauthorized. RISC Management's DLP solution can assist you in finding the sensitive information that is created, collected, stored, processed, transmitted, disclosed, or archived by your organization. Complete and accurate knowledge is necessary in order to understand which laws or requirements apply to your organization, and which members of your workforce may require training or monitoring.

Data Loss Prevention Solution

RISC Management delivers data loss prevention (DLP) solutions that protect regulated, sensitive, or confidential employee, customer, or company information and safeguard intellectual property across all electronic communications channels.

RISC Management can help you watch the sensitive information flowing into, throughout, and out of your network without impacting performance or requiring infrastructure modifications.

Genesis Health Alliance (GHA) is an organization that brings together 20 hospitals from Southeast Illinois, Southwest Indiana, and Western Kentucky with the mission of improving the health status of the communities they serve. Its other objective is to provide a group purchasing initiative to assist the member hospitals in improving services and reducing operational costs. GHA is governed by a Board of Directors that meets quarterly.


Rose Rienton

Rose.Rienton@RISCsecurity.com

www.RISCsecurity.com
