But let's look at this from an institutional risk perspective.

1) It is possible to reasonably defend your infrastructure using: network firewalls, active intrusion detection monitoring, antiviral appliances, desktop firewalls and antiviral software, spyware checkers, and solid security policies properly followed and audited. Nothing is perfect, but properly implemented, with constant attention to patches and upgrades, you can be "reasonably secure". In short, the whole BS7799 package on steroids (as my grandma used to say).
2) IP sourcing is not 100% reliable unless you know ALL of the potential servers your business partners will use, and have reporting mechanisms in place to track their changes. I do agree (and use this method myself to control spam) that vast blocks of IP space should be "blacked out". Most US HCOs have no business receiving packets from Asia or Africa, for example, and these are notorious as points of attack. But there is little, from an IP perspective, you can do to black out in advance the teen down the street, except use your firewall to block, because he/she is most likely using a DHCP-assigned IP for that session that next time around may be used by a doctor or a patient.

3) It is impractical to require server AND client keys. Even VeriSign client certificates are problematic in actual practice unless you rigidly control both sides of the connection and the physical machines. You can even go so far as to be your own certificate authority, but in the end, with lesser-skilled individuals, the overhead drowns you. I have deployed client AND server certificates in apps that I have designed in the past, and deployed worldwide - it can be done economically - but you have to eliminate extraneous systems to control the help desk issues. Help desk issues are a major factor in whatever you do - PGP implementations have produced numerous horror stories about the end user support requirements.

4) Where real security is required, you use "Trusted" services. There are a small number of vendors who provide real trusted networks for the big boys at CIA and NSA. Here is one such, and it's free! www.lok.com

The bottom line from my perspective is that you do it by the numbers and be thorough. If you have a properly layered defense against internet attacks, properly maintained and monitored, I would argue that your real risks from the outside are low - in other words, it will take a determined attacker to get through - which they will anyway.
At least with layering of protections, including full intrusion monitoring, you can constrain the attack and do something about it (hopefully in time). I am a big fan of managed services that will be there 24/7 - their cost is relatively low compared to your own time in managing the same activity. An example of this was the stats given by my personal favorite, CounterPane, where they flagged 100,000 problematic events - their automated screening system tossed out all but 50, which were passed to a human for analysis, of which only 5 were serious enough to call the IT staff. That's 5 wake-up calls vs. 100,000. In my opinion, tools by any vendor, be it ISS, CounterPane, or others, extend your protections in depth and are essential in real security (mythic though that may actually be). And remember, external consultants that do assessments are great for a snapshot, but only work where their recommendations are implemented, and a single vendor is a bad idea - they all have their unique and sometimes conflicting agendas, not to mention skill sets (myself included) - always layer! When in doubt, pile it higher and deeper (the Ph.D. philosophy!).

For those that are focused on the external, I suggest subscribing to a monthly external penetration testing service. They are as cheap as $25 a month now. They at least tell you if your firewall is solid.

My contention is that the major risks are mostly internal. These represent the disgruntled employee, or just the lazy employee. Either way, these are more likely to result in privacy abuses, in my opinion, and create security vulnerabilities. These are the ones that will have to be defended in civil litigation. For example, with web-based apps proliferating, how many of you actually have a policy to control the browser cache? There is a major point of privacy vulnerability at the very least!

Deep Thoughts quote of the day: "Broken promises don't upset me. I just think, why did they believe me?"
:) Nudge nudge, wink wink, say no more! I promise!

Tim McGuinness, Ph.D.
Consulting Specialist in Privacy and Security
[EMAIL PROTECTED]
President, HIPAA Help Now Inc.
[EMAIL PROTECTED]
www.hipaahelpnow.com
Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (HCCO)
www.hipaacertification.org
Phone: 727-787-3901 Cell: 305-753-4149 Fax: 240-525-1149
Instant Messengers: ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] - Yahoo IM: timmcguinness - AOL IM: mcguinnesstim

-----Original Message-----
From: Anthony Mercaldi [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 10:26 AM
To: Chris Riley; Bill Pankey; [EMAIL PROTECTED]
Subject: Re: 'Integrity Control' vs 'Message Authentication'

I still believe, to avoid the fear of spoofing, that an authenticator such as VeriSign, PGP, and many others, offer keys on both sides. So if I was to spoof my IP, but did not have the correct key to upload my file to you, your system would reject the transaction. I believe, although not an expert in SSL, that holes have been found in it. Someone originally posted a link to an article explaining this.

As far as integrity control, my opinion is this must come from within the organization. I also agree that most attacks on systems come from within. So messages and the authentication should come from encryption key pairs. I set up VeriSign site server and issued keys to my clients. So they can have any IP they want, but if they didn't have the certificate to match, they were shot down. Then there are simple programs such as NeoTrace to trace the IP that has hit your firewall. If the company sending is supposed to be in CT, and the IP trace goes to England, something is up. Either they are using proxy servers, or you have a fraudulent transmission. Between the two, I have managed to keep many people out of my systems.

Let's add another attack, DOS (Denial Of Service). I have seen top-notch organizations get pounded by packets to the point of taking down their system. All this was done by a kid, using a port scanner, and then selecting who he wanted to flood. The system he used for packet flooding was indeed genius, not just someone playing, but it has and will continue to be attempted. Trojans (programs planted on your server to send information out) are another issue to deal with. Many times I find these planted by angry employees of organizations.

In conclusion, my entire point is this: we will continue to get false messages, port scans, Trojans, and even in some cases DOS attacks. Properly configured software and hardware is the best we can do to countermine these efforts.

http://grc.com/default.htm - XP hole that allows deletion of files.
http://grc.com/dos/drdos.htm - A brutal attack for no apparent reason.

This is just a sampling of what is going on out there. That's my nickel.
Hope this made some sense :-))

Anthony Mercaldi

----- Original Message -----
From: "Chris Riley" <[EMAIL PROTECTED]>
To: "Bill Pankey" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, September 16, 2002 3:37 PM
Subject: Re: 'Integrity Control' vs 'Message Authentication'

> Bill,
> I think when we talk about TCP being a reliable transport we are just saying
> that the packets are guaranteed to be delivered somewhere. It doesn't
> guarantee that each packet in the message came from the same author or even
> the same machine. SSL takes this a step further and guarantees (via the
> certificate) that the message packets came from an authenticated source and
> that the message in total has integrity. Both the 2001 and 2002 FBI/CSI
> Computer Crime Reports highlight the fact that a much higher percentage of
> intrusions/attacks are from inside the LAN. Given the fact that it is a
> fairly unsophisticated operation to set up a "man in the middle" attack on a
> LAN carrying un-encrypted data, I think it makes relatively good sense to
> transmit PHI over a LAN with integrity and authentication controls.
>
> I would be interested to hear what others think,
> Chris Riley, CISSP
>
>
> Bill Pankey wrote:
>
> > Tim
> >
> > I admit to finding this aspect of the Security NPRM difficult. Message
> > 'integrity' is the sine qua non of the HCO enterprise network ... and
> > multiple layers of controls are used to ensure as much. To pull off any
> > single control (or a limited set) and say 'this is my integrity service'
> > seems misleading at best.
> >
> > So, when asserting that 'the network' (from TCP to detection and audit)
> > is the integrity control or that 'integrity' is a property of the
> > network, what do you suppose is the 'compliance test'? To implement
> > ipsec or ssl merely to simplify demonstration of compliance is obviously
> > bad headed and (I hope) a non-starter.
> >
> > Thanks,
> >
> > Bill Pankey
>
> --
> Chris Riley, CISSP
> Information Tool Designers Inc.
> http://www.info-tools.com/
>
> To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security
> and enter your email address.
>
> The WEDI SNIP listserv to which you are subscribed is not moderated. The
> discussions on this listserv therefore represent the views of the individual
> participants, and do not necessarily represent the views of the WEDI Board of
> Directors nor WEDI SNIP. If you wish to receive an official opinion, post
> your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/.
> Posting of advertisements or other commercial use of this listserv is
> specifically prohibited.
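Tim's closing question above, how many sites actually have a policy to control the browser cache for web apps that show PHI, is one that can be checked mechanically against a captured HTTP response. The following is an added example, not code from anyone in the thread: it classifies a response's cache headers using the directive semantics of RFC 7234 (Cache-Control: no-store forbids any cache from writing the body to storage; private limits storage to the browser; no-cache only forces revalidation and still lets the body hit disk) and flags PHI pages that a browser or intermediary proxy could retain. The web app and the header sets it audits are constructed for illustration.

```python
"""Cache-control audit for web responses that carry PHI.

Added example, not part of the mailing-list thread: classifies a response's
cache headers using RFC 7234 directive semantics and flags PHI pages that a
browser or intermediary proxy could write to disk.  The sample header sets
below are constructed for a hypothetical web app, not captured from any
real system.
"""
from __future__ import annotations

from typing import Dict, Mapping, Optional

# Headers a PHI-bearing response should carry.  "no-store" is the one that
# forbids writing the response to any cache; "no-cache" only forces
# revalidation, and Pragma/Expires are belt-and-braces for HTTP/1.0 caches.
PHI_CACHE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument or None}.

    Directive names are case-insensitive, so they are lowercased; arguments
    keep their text with surrounding quotes removed.  Empty tokens from a
    stray trailing comma are ignored.
    """
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def cache_verdict(headers: Mapping[str, str]) -> str:
    """Classify how the response may be stored:

    'no-store' - no cache, browser or proxy, may write the body to storage
    'private'  - the browser may store it, shared proxy caches may not
    'storable' - shared caches may store it; this includes 'no-cache', which
                 only requires revalidation before reuse, and responses with
                 no cache headers at all, which caches may store heuristically
    """
    cc = parse_cache_control(header(headers, "Cache-Control") or "")
    if "no-store" in cc:
        return "no-store"
    if "private" in cc:
        return "private"
    return "storable"


def phi_headers_ok(headers: Mapping[str, str]) -> bool:
    """A PHI page passes only if nothing may persist it."""
    return cache_verdict(headers) == "no-store"


# Constructed sample responses for a hypothetical web app: the label says what
# each page is, the dict is the response headers a reviewer would capture.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "patient record, hardened": PHI_CACHE_HEADERS,
    "patient record, framework default": {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "no-cache",  # revalidated, but still written to disk
    },
    "patient record, legacy app": {"Content-Type": "text/html"},
    "login form": {"Cache-Control": "Private, max-age=300"},
    "site logo": {"Cache-Control": "public, max-age=86400"},
}


def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Return {label: verdict} for every response in the set."""
    return {label: cache_verdict(h) for label, h in responses.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_RESPONSES).items():
        note = " (PHI page: FAIL)" if "patient" in label and verdict != "no-store" else ""
        print(f"{verdict:8s} {label}{note}")
```

Run against real captures (for example the headers from a browser's network panel or `curl -I`), the two "patient record" entries that are not hardened are the ones a policy has to catch: the framework default of `no-cache` looks safe but still lets the browser and any proxy keep the record on disk, and a response with no cache headers at all is heuristically cacheable.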