But let's look at this from an institutional risk perspective.

1) it is possible to reasonably defend your infrastructure using: network
firewalls, active intrusion detection monitoring, antiviral appliances,
desktop firewalls and antiviral software, spyware checkers, solid security
policies properly followed and audited.  Nothing is perfect, but properly
implemented, with constant attention to patches and upgrades, you can be
"reasonably secure".  In short, the whole BS7799 package on steroids (as my
grandma used to say).

2) IP sourcing is not 100% reliable unless you know ALL of the potential
servers your business partners will use, and have reporting mechanisms in
place to track their changes.  I do agree (and use this method myself to
control spam) that vast blocks of IP space should be "blacked out".  Most US
HCOs have no business receiving packets from Asia or Africa for example, and
these are notorious as points of attack.  But there is little, from an IP
perspective, you can do to black out in advance the teen down the street,
except use your firewall to block, because he/she is most likely using a DHCP
assigned IP for that session, that next time around may be used by a doctor
or a patient.

3) it is impractical to require server AND client keys.  Even VeriSign client
certificates are problematic in actual practice unless you rigidly control
both sides of the connection and the physical machines.  You can even go so
far as to be your own certificate authority, but in the end, with lesser
skilled individuals, the overhead drowns you.  I have deployed client AND
server certificates in apps that I have designed in the past, and deployed
worldwide - it can be done economically - but you have to eliminate
extraneous systems to control the help desk issues.  Help desk issues are a
major factor in whatever you do - PGP implementations have produced numerous
horror stories about the end user support requirements.

4) where real security is required, you use "Trusted" services.  There are a
small number of vendors who provide real trusted networks for the big boys
at CIA and NSA.  Here is one such, and it's free!  www.lok.com

The bottom line from my perspective is that you do it by the numbers and be
thorough.  If you have a properly layered defense against internet attacks,
properly maintained and monitored, I would argue that your real risks from
the outside are low - in other words it will take a determined attacker to
get through - which they will anyway.  At least with layering of
protections, including full intrusion monitoring, at least you can constrain
the attack, and do something about it (hopefully in time).

I am a big fan of managed services that will be there 24/7 - their cost is
relatively low compared to your own time in managing the same activity.  An
example of this were stats given by my personal favorite CounterPane, where
they flagged 100,000 problematic events - their automated screening system
tossed out all but 50, which were passed to a human for analysis, of which
only 5 were serious enough to call the IT staff.  That's 5 wake-up calls vs.
100,000.  In my opinion, tools by any vendor, be it ISS, CounterPane, or
others, extend your protections in depth and are essential in real security
(mythic though that may actually be).  And remember, external consultants
that do assessments are great for a snapshot, but only work where their
recommendations are implemented, but a single vendor is a bad idea - they
all have their unique and sometimes conflicting agendas, not to mention
skill sets (myself included) - always layer!  When in doubt, pile it higher
and deeper (the Ph.D. philosophy!).

For those that are focused on the external, I suggest subscribing to a
monthly external penetration testing service.  They are as cheap as $25 a
month now.  They at least tell you if your firewall is solid.

My contention is that the major risks are mostly internal.  These represent
the disgruntled employee, or just the lazy employee.  Either way, these are
more likely to result in Privacy abuses in my opinion, and create security
vulnerabilities.  These are the ones that will have to be defended in civil
litigation.

For example, with web-based apps proliferating, how many of you actually
have a policy to control the browser cache?  There is a major point of
privacy vulnerability at the very least!

Deep Thoughts quote of the day "Broken promises don't upset me.  I just
think, why did they believe me?"  :)  Nudge nudge, wink wink, say no more!
I promise!

Tim McGuinness, Ph.D.
Consulting Specialist in Privacy and Security
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

President,
HIPAA Help Now Inc.
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.hipaahelpnow.com <http://www.hipaahelpnow.com/>

Executive Co-Chairman for Privacy,
HIPAA Conformance Certification Organization (HCCO)
www.hipaacertification.org <http://www.hipaacertification.org>

__________________________________________________________________
Phone:   727-787-3901   Cell: 305-753-4149    Fax: 240-525-1149
Instant Messengers:  ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] -
Yahoo IM  timmcguinness - AOL IM:   mcguinnesstim
__________________________________________________________________


===========================================================================

IMPORTANT NOTICE: This communication, including any attachment, contains
information that may be confidential or privileged, and is intended solely
for the entity or individual to whom it is addressed. If you are not the
intended recipient, please notify the sender at once, and you should delete
this message and are hereby notified that any disclosure, copying, or
distribution of this message is strictly prohibited. Nothing in this email,
including any attachment, is intended to be a legally binding signature.
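Tim's closing point about controlling the browser cache, carried through as an added example (not code from the original post or from HIPAA Help Now). It encodes the HTTP/1.1 cache storage rules as I read them: only `no-store` forbids a browser or proxy from writing a copy to disk, while `no-cache`, `private`, `Expires: 0` and `max-age=0` only restrict reuse of a copy that has already been stored. The sample responses, header names other than the standard ones, and the `harden_headers` helper are constructed for illustration.

```python
"""Audit HTTP response headers for browser/proxy cache exposure of PHI.

Added example, not part of the original list post.  Assumes a response
status that caches treat as storable by default (200, 301, 404, ...), so
the mere absence of freshness information does not protect the page.
"""
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_exposure(headers: Dict[str, str],
                   request_has_authorization: bool = False) -> str:
    """Classify who may keep a stored copy of a response.

    Returns "none", "browser-only" or "browser-and-proxy".
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return "none"
    # Shared (proxy) caches must not store `private` responses, nor
    # responses to requests that carried Authorization unless the
    # response explicitly permits it (public / s-maxage / must-revalidate).
    shared_allowed = "private" not in cc
    if request_has_authorization and not any(
            d in cc for d in ("public", "s-maxage", "must-revalidate")):
        shared_allowed = False
    return "browser-and-proxy" if shared_allowed else "browser-only"


# Headers to put on every response that renders PHI.  Pragma and
# Expires cover HTTP/1.0 caches and the browsers of the period.
PHI_NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `headers` with the no-store set applied."""
    hardened = {k: v for k, v in headers.items()
                if k.lower() not in ("cache-control", "pragma", "expires")}
    hardened.update(PHI_NO_STORE_HEADERS)
    return hardened


def audit_samples() -> Dict[str, str]:
    """Constructed header sets a web app might emit for a patient record page."""
    samples = {
        "no caching headers at all": {"Content-Type": "text/html"},
        "Expires: 0 only": {"Content-Type": "text/html", "Expires": "0"},
        "no-cache only": {"Content-Type": "text/html",
                          "Cache-Control": "no-cache"},
        "private": {"Content-Type": "text/html",
                    "Cache-Control": "private, max-age=0"},
        "hardened": harden_headers({"Content-Type": "text/html",
                                    "Cache-Control": "public, max-age=600"}),
    }
    return {name: cache_exposure(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, exposure in audit_samples().items():
        print(f"{name:28s} -> {exposure}")
```

Running the audit shows why a policy of "set Expires to 0" is not enough: that response and the `no-cache` one are still storable by both the browser and any proxy between it and the server; only the hardened set comes back as "none".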



-----Original Message-----
From: Anthony Mercaldi [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 10:26 AM
To: Chris Riley; Bill Pankey; [EMAIL PROTECTED]
Subject: Re: 'Integrity Control' vs 'Message Authentication'


I still believe to avoid the fear of spoofing, that an authenticator such as
VeriSign, PGP, and many others, offer keys on both sides. So if I was to
spoof my IP, but did not have the correct key to upload my file to you, your
system would reject the transaction. I believe although not an expert in
SSL, that holes have been found in it. Someone originally posted a link to
an article explaining this.
As far as integrity control, my opinion is this must come from within the
organization. I also agree that most attacks on systems come from within.
So messages, and the authentication, should come from encryption key pairs. I
set up VeriSign site server and issued keys to my clients. So they can have
any IP they want, but if they didn't have the certificate to match, they
were shot down. Then there are simple programs such as NeoTrace, to trace the
IP that has hit your firewall. If the company sending is supposed to be in
CT, and the IP trace goes to England, something is up. Either they are using
proxy servers, or you have a fraudulent transmission. Between the two, I
have managed to keep many people out of my systems.
Let's add another attack, DOS (Denial of Service). I have seen top notch
organizations get pounded by packets to the point of taking down their
system. All this was done by a kid, using a port scanner, and then
selecting who he wanted to flood. The system he used for packet flooding was
indeed genius, not just someone playing, but it has and will continue to be
attempted.
Trojans (programs planted on your server to send information out) are another
issue to deal with. Many times I find these planted by angry employees of
organizations.
In conclusion, my entire point is this; we will continue to get false
messages, port scans, Trojans, and even in some cases DOS attacks. Properly
configured software and hardware is the best we can do to countermine these
efforts.
http://grc.com/default.htm XP hole, that allows deletion of files.
http://grc.com/dos/drdos.htm A brutal attack for no apparent reason.

This is just a sampling of what is going on out there.
That's my nickel.
Hope this made some sense :-))

Anthony Mercaldi


----- Original Message -----
From: "Chris Riley" <[EMAIL PROTECTED]>
To: "Bill Pankey" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, September 16, 2002 3:37 PM
Subject: Re: 'Integrity Control' vs 'Message Authentication'


> Bill,
> I think when we talk about TCP being a reliable transport we are just
> saying that the packets are guaranteed to be delivered somewhere.  It
> doesn't guarantee that each packet in the message came from the same
> author or even the same machine.  SSL takes this a step further and
> guarantees (via the certificate) that the message packets came from an
> authenticated source and that the message in total has integrity.  Both
> 2001 and 2002 FBI/CSI Computer Crime Reports highlight the fact that a
> much higher percentage of intrusions/attacks are from inside the LAN.
> Given the fact that it is a fairly unsophisticated operation to set up a
> "man in the middle" attack on a LAN carrying un-encrypted data, I think
> it makes relatively good sense to transmit PHI over a LAN with integrity
> and authentication controls.
>
> I would be interested to hear what others think,
> Chris Riley, CISSP
>
>
> Bill Pankey wrote:
>
> > Tim
> >
> > I admit to finding this aspect of the Security NPRM difficult.  Message
> > 'integrity' is the sine qua non of the HCO enterprise network ... and
> > multiple layers of controls are used to ensure as much.  To pull off any
> > single control (or a limited set) and say 'this is my integrity service'
> > seems misleading at best.
> >
> > So, when asserting that 'the network' (from TCP to detection and audit)
> > is the integrity control or that 'integrity' is a property of the
> > network, what do you suppose is the 'compliance test'?   To implement
> > ipsec or ssl merely to simplify demonstration of compliance is obviously
> > bad headed and (I hope) a non-starter.
> >
> > Thanks,
> >
> > Bill Pankey
>
> --
> Chris Riley, CISSP
> Information Tool Designers Inc.
> http://www.info-tools.com/
>
>
>
>
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=Security
> and enter your email address.
>
> The WEDI SNIP listserv to which you are subscribed is not moderated.  The
> discussions on this listserv therefore represent the views of the
> individual participants, and do not necessarily represent the views of
> the WEDI Board of Directors nor WEDI SNIP.  If you wish to receive an
> official opinion, post your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/.
> Posting of advertisements or other commercial use of this listserv is
> specifically prohibited.
>
>
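The thread's distinction between an integrity control and message authentication, together with Chris's point about an on-path party on a LAN carrying unencrypted data, worked through as an added example (not any poster's code). An unkeyed hash catches accidental corruption but, because anyone can compute it, whoever rewrites the message can rewrite the hash too; a keyed MAC (HMAC-SHA256 here) ties the tag to a secret the rewriter does not hold, which is what lets the receiver also learn who sent it. The shared key and the two lab-result messages are constructed for illustration.

```python
"""Integrity check vs message authentication, side by side.

Added example, not code from any poster in the thread.  The key and
messages below are constructed; nothing here is a real clinical record.
"""
import hashlib
import hmac


def integrity_tag(message: bytes) -> str:
    """Unkeyed hash: an integrity control only (detects corruption)."""
    return hashlib.sha256(message).hexdigest()


def integrity_ok(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(message), tag)


def auth_tag(key: bytes, message: bytes) -> str:
    """Keyed HMAC: integrity plus authentication of whoever holds `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def auth_ok(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(auth_tag(key, message), tag)


def compare_controls() -> dict:
    """Run both controls against the same three scenarios; every entry
    should be True, each for the reason given in its comment."""
    key = b"constructed-shared-secret-known-to-clinic-and-lab"
    original = b"MSH|patient=Doe,John|order=HbA1c|result=6.1"
    corrupted = original[:-1] + b"9"  # one byte mangled in transit, tag untouched
    rewritten = b"MSH|patient=Doe,John|order=HbA1c|result=9.1"

    h_tag = integrity_tag(original)
    a_tag = auth_tag(key, original)

    return {
        # Both controls accept what the sender actually sent.
        "hash_accepts_original": integrity_ok(original, h_tag),
        "hmac_accepts_original": auth_ok(key, original, a_tag),
        # Both detect line noise / corruption when the tag is left alone.
        "hash_flags_corruption": not integrity_ok(corrupted, h_tag),
        "hmac_flags_corruption": not auth_ok(key, corrupted, a_tag),
        # Only the keyed control resists a deliberate rewrite: a party
        # on the path can recompute a plain hash over its own message,
        # but without the shared key can at best HMAC under some other key.
        "hash_accepts_rewrite_with_new_hash":
            integrity_ok(rewritten, integrity_tag(rewritten)),
        "hmac_rejects_rewrite_with_other_key":
            not auth_ok(key, rewritten,
                        auth_tag(b"not-the-real-key", rewritten)),
    }


if __name__ == "__main__":
    for name, outcome in compare_controls().items():
        print(f"{name:40s} {outcome}")
```

The last two entries are the whole argument: a checksum or hash transmitted alongside the data is an integrity service against faults, not against people, and it is the key (or, in the SSL case Chris describes, the certificate) that turns an integrity check into authentication.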



