Lessons from the Reddit Breach

An attacker gained access in June to Reddit users’ data, including usernames, passwords, email addresses and private messages from 2005-2007. The attacker also gained access to more recent data, including current usernames and emails.

This data allows hackers to try to break into sites where users might still be using the same passwords. Although the compromised passwords were encrypted, they are likely crackable using today’s tools.

Because the email digests also include current usernames and emails, this linkage could allow attackers to determine the actual identity of users. If those users have been receiving content or engaged in posts that could be embarrassing, this may lead to blackmail; hackers might threaten to make private messages public or share them with family or friends.

Reddit users should ensure that, across platforms, they are not still using any passwords from the breached timeframe. Users should also consider passwords that are in line with NIST’s recent guidance.

What your organization can do to prevent a similar breach
Periodic password changes and secure password choices are good practices for Reddit users and non-users alike. Additionally, there are system-wide changes that organizations can make to protect against breaches.

Employees with access to sensitive systems or with powerful privileges, like admin accounts, represent a high-value target for attackers, so organizations should pay particular attention to the security of such accounts.

One way to improve account security is the implementation of strong multifactor authentication. SMS is often used for consumer user account two-factor authentication, but can be compromised with some effort by attackers as occurred with the admin accounts in the Reddit breach.

A  cryptographic token system is a more secure alternative to the SMS two-factor authentication method that was compromised in the Reddit breach. Tokens take more effort to implement than SMS two-factor authentication, but they are also difficult to spoof. Authentication tokens are generated cryptographically and often have limited lifetimes: sometimes, as little as one or two minutes.

Many organizations have been using strong authentication based on physical or software tokens for decades. For particularly sensitive accounts like admin accounts, this has long made sense and is hardly a new idea.

Other detection tools your organization should use for breach prevention
Organizations should also use auditing and intrusion detection tools to quickly alert them to a situation when such an account is engaged in abnormal behavior.

Since admin accounts are very powerful, the information security team and IT auditors should carefully review the protection for these types of accounts, including the use of multifactor authentication, and determine if audit trails and intrusion detection tools can be turned off or tampered with by the admin accounts in question. Otherwise, attackers who breach such admin accounts will have the ability to simply bypass the monitoring. In many cases, the underlying operation system or application does not provide tamper-proof audit trails and intrusion detection; third-party tools will need to be implemented.

Organizations should also discover and find old files that contain personally identifying information, like email addresses, usernames or encrypted passwords. These files should be securely deleted or protected in some fashion. In many cases, it is older files that were not well protected, copied and then forgotten about, often due to employee turnover, that potentially pose regulatory compliance risks.

Proactive data governance measures are more important than ever in today’s landscape, as the Reddit breach and countless others attest.

Rob Clyde, ISACA board chair, executive chair of the board of directors for White Cloud Security and independent board director for Titus

[ISACA Now Blog]

Persuasion: A Core Competency for GRC Professionals

Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted.  You are going to own this.

At first, you ask yourself – should I get going on this now? The answer is yes; the reality is you won’t. A year passes and the media pipes up about the clock ticking. You start to hear in your peer groups that people are starting to think about what they are going to do, but there’s little action. The clock strikes Q4 2017, your anxiety elevates, the consulting firms and professional organizations inundate your inbox with updates, trainings, services, etc., so you start your journey (late). You get organized, start reaching out to HR, IT, anyone who could be impacted. Crickets. A month passes. Two months pass, and it’s Q1 2018. You follow up. Finally, a response, maybe two come in. Finally, some momentum!

You re-engage your stakeholders, you email, call, try and set up meetings. Crickets. Q1 earnings come around. Analysts are asking. Your CEO says you are all over it and ready for the go live. Senior leadership is looking for an update. You’re working on it as best you can. The emails get responded to, finally. It’s a fire drill. You work tirelessly. GDPR goes live. You’re not quite there, but close enough that you finish by your Q2 earnings release. It’s been a disaster, but it’s over (until the next time).

GRC professionals, a lot of them, live this awful cycle every time there’s a new regulation, accounting standard, etc. Why is this? Our jobs should be simple. We carry the big stick! Most of what we support is tied to law, standards and regulations. Our organizations have to comply or face potentially stiff penalties and reputational damage. Why don’t they? They claim no resources, or budget, or time.  We’ve heard it all.

Why aren’t they listening? I argue that we don’t leverage persuasion and build the skills to persuade.

The reality we live in as GRC professionals is that we simply can’t be successful in our job if we don’t persuade, and if we can’t persuade, we risk insufficiently addressing or failing to address risks to the organization. The repercussions could be severe. We could hinder our own and our teams’ careers and damage our reputations. In the narrative above, we all know who’s going to be on the hook if there’s a problem. And it won’t be those who ignored us for the better part of a year.

Persuasion is a skill. Some of it can be taught; most of it we already know (or could be defined as common sense). We simply need to be aware of this and implement some simple (in most cases) techniques to tilt the scales:

  1. Rapport is critical. If they don’t like you, send in someone else they do.  We can’t persuade someone who doesn’t like us.
  2. Acknowledge the stigma that may be attached to your title and role. Let’s be honest – colleagues not may really enjoy getting a visit from a GRC colleague. Acknowledging this might help remove the first barrier.
  3. Recognize the impact of mood. Having a bad day? Your counterpart having a bad day? Move the meeting; it simply won’t be productive.
  4. Get out of a negative environment. The workplace can be a source of stress, so go grab a coffee or lunch or a drink. This is the real reason so many folks utilize “let’s grab a coffee” or similar approach to get things done.
  5. In person is always better. Smile a lot and use your colleagues’ name when you see them – people like hearing their name. Keep your tone of voice positive and upbeat. And while you’re at it, avoid using the word “I” – it will turn them off.
  6. Use how, not why, when requesting support. To most people, “why?” feels like an accusation.  Don’t believe me? Think about how you feel when your boss or your spouse ask “why” you didn’t do something. It puts most people right on the defensive. “How” invites both parties to strive toward a common goal. The simple statement “GDPR goes live in 6 months – how do we ensure our organization is prepared?” invites both potential solutions and a sense of ownership in both parties.
  7. Listen. I mean it. Really listen. Can you do it? I can’t. Why? Because when I’m not talking, I’m thinking about what I am going to say next. Is that really listening? Bring someone with you to important meetings, and make it their job, and only job, to listen (take note of tone), watch body language, take notes, etc. Review that feedback after the meeting.

This seems easy enough, but the reality is if you don’t thoughtfully leverage some of these steps routinely, you’ll never reap the rewards. These won’t work all the time, but they’ll help increase the chance of success in your GRC role.
Have they helped me? You tell me – ever convinced a subsidiary to upgrade their ERP as part of an audit report? I have. And it was by using these tactics.

I’ll be discussing this topic further at the GRC conference next week in Nashville, Tennessee, USA. Track me down at GRC; I’d love to speak about these topics and lend a hand if I can.

Brian Tremblay, Chief Audit Executive, Acacia Communications

[ISACA Now Blog]

Cybersecurity Canon Review: “Exponential Organizations”

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

 

Executive Summary

Exponential Organizations is not a must-read for all cybersecurity professionals. You do not need the information in this book to do your day-to-day cybersecurity job today, and I am not recommending it as a Cybersecurity Canon candidate. However, it is a must-read for business leaders as a roadmap for what we all might be facing in the next 10 to 15 years. The authors describe how some future-thinking companies are taking advantage of an information-processing-capability phenomenon whereby the number of calculations per second, per $1,000 has been doubling since the early 1900s. This phenomenon of doubling compute power has manifested exponentially in such research areas as artificial intelligence, robotics, biotech, nanotech, medicine, neuroscience, energy, and computing. All of these technologies have been doubling in price-performance every couple of years.

This kind of rapid growth is changing the standard business problem of managing and selling scarcity, like oil, to managing and selling abundance, like energy. The implications are staggering both in terms of how the world will change and in terms of what future businesses will look like. This book is about how organizations are already taking advantage of this notion of “exponential organizations” and how you might evolve your current organization into this new framework.

 

Introduction

In 2014, Jeremiah Owyang, a founding partner at Kaleido Insights, noticed that a number of companies had emerged across multiple verticals that were completely disrupting the marketplace. These companies, like Airbnb and Uber, were outperforming the competition by a factor of four or more by staying small and flat but leveraging the information provided by their customer base. In other words, they were destroying their competition by operating counter to what every other business in the world was doing. Owyang coined this phenomenon the “collaborative economy.” [1] In that same year, Ismail, Malone, and Geest published this book, Exponential Organizations, which characterizes the kinds of companies that have had success with this new way of thinking. [2]

In Exponential Organizations, the authors describe how some future-thinking companies are taking advantage of an information-processing-capability phenomenon that has been noticed by the likes of Gordon Moore, Intel’s founder, and famous futurist Ray Kurzweil. Moore predicted in 1965 that the number of components on integrated circuits would double every year. [3] Kurzweil went further back and noticed the same doubling pattern as far back as the early 1900s. [4] Kurzweil came up with an interesting metric to track the behavior: what is the number of calculations per second, per $1,000. In 1900, with Charles Babbage’s mechanical Analytical Engine, the number of calculations was extremely small at 0.000005821. [4] But every five to ten years, that numbered doubled. By 1949, the number was 1.837, and we were off to the races. By 1977, the number was 26,870. By 1998, the last year in the study, the number was 133,300,000. [4]

This phenomenon of doubling compute power has manifested exponentially in such research areas as artificial intelligence, robotics, biotech, nanotech, medicine, neuroscience, energy, and computing. All of these technologies have been doubling in price-performance every couple of years. What the authors of Exponential Organizations say is that this kind of rapid growth is changing the standard business problem of managing and selling scarcity, like oil, to managing and selling abundance, like energy. [5] For example, they predict that within 10 years, because of this exponential doubling in the renewable energy space alone, there will be enough solar power available to produce five times what is needed in the world today. Energy will become essentially free and entrepreneurs in those markets will have to figure out how to profit in a new environment where the value of the “thing” is essentially zero.

The implications are staggering both in terms of how the world will change and in terms of what future businesses will look like. This book is about how organizations are already taking advantage of this notion “exponential organizations” and how you might evolve your current organization into this new framework.

 

Body

Ismail, Malone, and van Geest define the key attribute of an exponential organization as “a minimum 10x improvement in output over four to five years.” [2] That is a metric that is easy to detect, and the authors describe how the organizations that attain those metrics are different from the traditional business. One of the authors of Exponential Organizations, Salim Ismail, is the founding executive director of Singularity University, whose mission is to train visionary entrepreneurs to use these exponential ideas to solve some of the world’s intractable problems. [6] He believes that, if you don’t transform your own organization into an exponential organization in the very near future, your competition will start to sprint away from you by leaps and bounds. [2] I have said similar things about the DevOps movement, and I believe that most exponential organizations in the future will have embraced DevOps as the key development strategy to attain their goals. [7]

As the authors point out, most traditional organizations fail to see the doubling effect in their own industries. They project linearly as to what the future will hold. “That is: x amount of work takes y amount of resources, 2x needs 2y, and so on of ever-greater arithmetic magnitude.” [2] But, exponential organizations work by reducing staff and hierarchy and informationally enabling their company. They enlist their customer base and their communities for every aspect of the business. “They float atop the existing infrastructure rather than try to own it.” [2] An x amount of work takes less than y resources but the impact on growth is 2n (exponential). And these are just some of the recognizable companies that have managed to pull this off:

  • Airbnb: 90x more listings per employee
  • GitHub: 109x more repositories per employee
  • Valve: 30x more market cap per employee
  • Tesla: 30x more market cap per employee

Source: [2]

 

The authors note that successful exponential organizations tend to have three key components:  a Massive Transformative Purpose (MTP) statement, some key external attributes of SCALE (staff on demand, community & crowd, algorithms, leveraged assets, and engagement), and some key internal attributes of IDEAS (interfaces, dashboards, experimentation, autonomy, and social).

An MTP is kind of a vision statement, but it has more definition and is way more aspirational. It is not like a mission statement that states what an organization does. The MTP is more about what the organization desires to accomplish. It should be so well-crafted that it starts a cultural movement within the community. Here are some example MTPs of exponential organizations [8]:

  • TED: “Ideas worth spreading.”
  • Google: “Organize the world’s information.”
  • X Prize Foundation: “Bring about radical breakthroughs for the benefit of humanity.”
  • Tesla: “Accelerate the transition to sustainable transportation.”
  • Palo Alto Networks: “To protect our way of life in the digital age by preventing successful cyberattacks.
  • Unit 42 – Palo Alto Networks intelligence team: “Stop bad guys from winning.”

 

Conclusion

Exponential Organizations is not a must-read for all cybersecurity professionals. You do not need the information in this book to do your day-to-day cybersecurity job today. I am not recommending it as a Cybersecurity Canon candidate. However, it is an important book for business leaders as a roadmap for what we all might be facing in the near future, say 10 to 15 years. In other words, how we flip our business away from a scarcity mindset and toward an abundance mindset might very well determine if our organizations survive. How we information-enable our organizations so that we break free of the traditional shackles of linear thinking toward exponential thinking will determine if we remain competitive in the marketplace.

There is one thing to note: transforming into an exponential organization is radical change for most organizations. As the authors points out, change from the status quo is almost immediately attacked by the organization’s immune system – an immune system that will fight any change that deviate from its current path. Organizations that have had success here build black ops teams that operate on the fringe of the organization and which report to the CEO only. This gives the black ops team some breathing room to make things happen without the constant pressure from the organization’s immune system.

That is what happened when Palo Alto Networks helped build the Cyber Threat Alliance: an alliance of security vendors dedicated to sharing adversary playbook intelligence with each other so that our common customers do not have to develop the intelligence themselves. When we began, there were many people within the Palo Alto Networks organization who thought it was nuts to give away our intelligence for free and complete insanity to share it with our greatest competitors. But the CEO gave the mission to a team on the fringe who could operate freely and gave them resources to accomplish the task. Today, the Cyber Threat Alliance is a non-profit company that consists of security vendors who share threat intelligence with each other every day as a best practice.

 

Sources

[1] “The Exponential Enterprise: Your Most Feared Competitor Now Has A Name,” by Giovanni Rodriguez, Forbes, 31 October 2014, last visited 8 May 2018,

https://www.forbes.com/sites/giovannirodriguez/2014/10/31/the-exponential-enterprise-your-most-feared-competitor-now-has-a-name/#15e8bef42b4d

https://www.forbes.com/sites/giovannirodriguez/2014/10/31/the-exponential-enterprise-your-most-feared-competitor-now-has-a-name/#15e8bef42b4d

[2] Exponential Organizations, by Salim Ismail, Michael S. Malone, Yuri van Geest, 14 October 2014, Diversion Books,

https://www.goodreads.com/book/show/22616127-exponential-organizations?from_search=true

[3] “Cramming more components onto integrated circuits,” by Gordon E. Moore, Electronics, Volume 38, Number 6, 19 April 1965, last visited 4 July 2018,

https://drive.google.com/file/d/0By83v5TWkGjvQkpBcXJKT1I1TTA/view

[4] “Exponential Growth in Computing,” by Ray Kurzweil, The Singularity is Near, last visited 8 May 2018,

http://www.singularity.com/charts/page70.html

[5] “Exponential Organizations,” by Salim Ismail, at USI, 9 July 2015, last visited 8 May 2018,

https://www.youtube.com/watch?v=FNQSM4ipZog

[6] “Hi, We’re Singularity University; We prepare you to seize exponential opportunities,” Singularity University, last visited 10 July 2018,

https://su.org/about/

[7] “The Cybersecurity Canon: Site Reliability Engineering: How Google Runs Production Systems,” by Rick Howard, 26 September 2017, last visited 11 July 2018,

https://researchcenter.paloaltonetworks.com/2017/09/cybersecurity-canon-site-reliability-engineering-google-runs-production-systems/

[8] “The Motivating Power of a Massive Transformative Purpose,” by Alison E. Berman, Singularity Hub, 8 November 2008, last visited 11 July 2018,

https://singularityhub.com/2016/11/08/the-motivating-power-of-a-massive-transformative-purpose/#sm.0004irhsuffef1g10hp1eldfklb29

[8] “Analytical Engine: COMPUTER,” by Paul A. Freiberger and Michael R. Swaine, Encyclopedia Britannica, last visited 11 July 2018,

https://www.britannica.com/technology/Analytical-Engine

 

References

 

“How 20-Year-Old Kylie Jenner Built A $900 Million Fortune In Less Than 3 Years,” by Natalie Robehmed, Forbes, 11 July 2018, last visited 11 July 2018,

https://www.forbes.com/sites/forbesdigitalcovers/2018/07/11/how-20-year-old-kylie-jenner-built-a-900-million-fortune-in-less-than-3-years/

 

“What is Moore’s Law?” by Lee Bell, 28 August 2016, last visited 8 May 2018,

http://www.wired.co.uk/article/wired-explains-moores-law

 

“Abundance: The Future Is Better Than You Think,” by Peter H. Diamandis and Steven Kotler, Free Press, 2012, Last Visited  9 May 2018

https://www.goodreads.com/book/show/13187824-abundance?ac=1&from_search=true

 

Exponential Organizations by Salim Ismail,” by Sheldon Nesdale, 21 December 2015, last visited, 8 May 2018,

https://www.marketingfirst.co.nz/2015/12/exponential-organizations-by-salim-ismail-michael-s-malone-yuri-van-geest/

 

“Organizations of the Future,” by Mark Looi, Medium, 9 May 2017, last visited 8 May 2018,

https://medium.com/@marklooi/organizations-of-the-future-8f08caf9f067

 

“Salim Ismail – Exponential Organizations,” USI Blog, 8 December 2015, last visited 8 May 2018,

https://blog.usievents.com/salim-ismail-exponential-organizations/

 

The Singularity is Near: When Humans Transcend Biology, by Ray Kurzweil, Penguin, 2006,

https://www.goodreads.com/book/show/83518.The_Singularity_is_Near?ac=1&from_search=true

[Palo Alto Networks Research Center]

CSA Releases Top Threats to Cloud Computing: Deep Dive

BLACKHAT LAS VEGAS – AUGUST 8, 2018 – The Cloud Security Alliance(CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today announced the release of the Top Threats to Cloud Computing: Deep Dive, a case-study analysis that provides more technical details dealing with architecture, compliance, risk and mitigations for each of the cloud computing threats and vulnerabilities identified in the Treacherous 12: Top Threats to Cloud Computing (2016).

“Last year’s Top Threats report cited multiple recent examples of issues found in the original Treacherous 12 survey, and while those anecdotes allowed cybersecurity managers to better communicate with executives and peers, they did not provide in-depth detail of how everything fits together from a security analysis standpoint,” said Jon-Michael C. Brook, co-chair of the Top Threats Working Group and a principal/Security, Cloud & Privacy at Guide Holdings. “This new report addresses those limitations and offers additional details and actionable information that identify where and how top threats fit in a greater security analysis, while simultaneously providing a clear understanding of how lessons, mitigations and concepts can be applied in real-world scenarios.”

“Security professionals recognize that the Treacherous 12 threats provide only a fraction of the whole picture. Other factors, such as actors, risk, vulnerabilities, and impacts, must also be considered,” said J.R. Santos, executive vice president/Research for CSA. “To address these missing elements, the Top Threats Working Group decided the next document would provide even greater context that could act as a springboard for architects and engineers conducting their own analysis of security issues in cloud computing and comparisons.”

This case study attempts to connect all the dots when it comes to risk management by using the following nine anecdotes cited in the Top Threats for its foundation:

  1. LinkedIn (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Account Hijacking; Denial of Service; Shared Technology Vulnerabilities)
  2. MongoDB (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Insecure Interfaces and APIs; Malicious Insiders; Data Loss)
  3. Dirty Cow (Top Threats: Insufficient Identity, Credential and Access Management; System Vulnerabilities)
  4. Zynga (Top Threats: Data Breaches; Insufficient Identity, Credential and Access Management; Malicious Insiders)
  5. Net Traveler (Top Threats: Data Breaches; Advanced Persistent Threats; Data Loss)
  6. Yahoo! (Top Threats: Data Breaches; Data Loss; Insufficient Due Diligence)
  7. Zepto (Top Threats: Data Breaches; Data Loss; Abuse and Nefarious Use of Cloud Services)
  8. DynDNS (Top Threats: Insufficient Identity, Credential and Access Management; Denial of Service)
  9. Cloudbleed Top Threats: Data Breaches; Shared Technology Vulnerabilities)

Each of the examples are presented as both a reference chart and detailed narrative. The reference chart’s format offers an attack-style synopsis of the actor, spanning from threats and vulnerabilities to associated controls and mitigations. The longer-form narratives provide additional context (such as how an incident came to pass or how it should be dealt with). For cases where details—such as impacts or mitigations—were not discussed publicly, the working group extrapolated to include expected outcomes and possibilities.

The paper goes on to outline recommended Cloud Controls Matrix (CCM) domains, sorted according to how often controls within the domains are relevant as a mitigating control. [Mitigations and controls applicable to the nine case studies cover 13 of the 16 Cloud Controls Matrix (CCM) domains.]

The CSA Top Threats Working Group is responsible for providing needed context to assist organizations in making educated risk management decisions regarding their cloud adoption strategies. The CSA invites interested companies and individuals to support the group’s research and initiatives. Companies and individuals interested in learning more or joining the group can visit the Top Threats Working Group page.

Download the Top Threats to Cloud Computing: Deep Dive now.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

CSA, OWASP Issue Updated Guidance for Secure Medical 
Device Deployment

BLACKHAT LAS VEGAS – AUGUST 7, 2018 –The Cloud Security Alliance(CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, in conjunction with the Open Web Application Security Project (OWASP) today released OWASP Secure Medical Device Deployment Standard Version 2.0, an updated guide to the secure deployment of medical devices within a healthcare facility.

Considerable enhancements were made throughout the document, especially to the section on purchasing controls with an eye to security audits and evaluation, privacy impact assessment, and support evaluation controls. Additionally, the updated document now includes relevant guidance from the Federal Drug Administration.

“Too many of today’s network-enabled security devices are still not being deployed with security in mind, exposing healthcare providers and their patients to data breaches at best and potential negative health consequences at worst. With ransomware and botnets targeting IoT devices, it is more essential than ever that devices are developed and deployed with security in mind,” said OWASP Project Leader Christopher Frenz, who authored the original paper.

This report is reflective of how organizations are increasingly putting more resources toward supporting the development community in equal parts with security.

“The growth of electronic medical records and network-enabled devices has allowed healthcare providers to enhance their level of service and the efficiency with which they provide care. However, this same interconnectedness has opened a Pandora’s box of security issues involving legacy systems and healthcare devices that were not designed with security in mind,” said Hillary Baron, Research Program Manager, CSA. “It’s our hope that this document provides a clear roadmap for healthcare organizations looking to ensure that medical devices and systems across the organization follow IT security best practices.”

The report, to which CSA’s Internet of Things (IoT) Working Group provided input and significant contributions, provides guidance in areas such as:

  • Purchasing controls: Security audits/evaluation, privacy impact assessment; and support evaluation;
  • Perimeter defenses: Firewalls, Network Intrusion Detection/Prevention System (NIDS/NIPS), and Proxy Server/Web Filters;
  • Network security controls: Network segmentation, internal firewalls, internal network IDS/IPS, syslog servers, log monitoring, vulnerability scanning and DNS sinkholes
  • Device security controls: Change default credentials, account lockout, enabling secure transport, spare copies of firmware/software, device configuration backup, baseline configurations, storage encryption, different user accounts, restricting access to management interface, updating mechanisms, compliance monitoring and physical security;
  • Interface and central station security: OS hardening, encrypted transport, and message security-HL7 v3 security standards;
  • Security testing: Penetration tests; and
  • Incident response: Incident response plan and mock incidents.

Download OWASP Secure Medical Device Deployment Standard Version 2.0.

About Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible so that individuals and organizations are able to make informed decisions. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

English
Exit mobile version