what we’re reading, week of 7/27

Endpoint-Security Info…
US Federal Agencies Flunk the Security Standards Exam
Agent Smith provides some shocking information about the US federal civilian agencies. According to a report by the Government Accountability Office (GAO) almost all the agencies had major flaws in security controls and management—in particular, one that was lacking was the use of firewalls (see page 19 in the report). Failure to comply with standards could allow for successful cyberattacks.

Schneier on Security…
Risks of Cloud Computing
Using an excerpt from an article that appeared in the New York Times, Bruce Schneier agrees with the risks Jonathan Zittrain raises about cloud computing. Real life, cloud computing scenarios are put in to perspective with this essay. With cloud computing being such a big hype, it’s a great read to understand the risks associated with it.

Around the Blogosphere…
Black Hat is taking place this week and many of our friends are at the event. For those who couldn’t attend the show (like us), here are some helpful resources to learn about the show’s happenings: LinkedIn Group, @BlackHatEvents, Delicious, @JeremiahG and Security Warrior Blog.

Network Security with electronic health records

In last week’s highlights, we included a post from Branden Williams’ Security Convergence Blog on EMRs. We thought this weeks’ post would be a good opportunity to elaborate on Branden’s and our own from earlier in the year, How can businesses ensure HIPAA compliance?

The push is on for adoption and if healthcare providers don’t adapt, they face some potentially sharp teeth. We read that, “Failure to implement EMR by 2014 may result in increased malpractice premiums and increased exposure to malpractice claims, as well as a reduction in Medicare reimbursement, beginning in 2015”. Ouch!

So what’s the tie to VPN’s? We see a significant portion of the EMR communications being wireless. Don’t believe us? Next time you’re in a hospital, take note of all the handheld devices the staff is marching around with. How about hospice workers who update records via PDA’s? How about in-facility WLAN and WiFi networks? Doctors use laptops from room to room and hotspots are popping up in cafeterias, waiting rooms, etc. all over the country. The list goes on and as it grows so does the threat to information traveling wirelessly.

EMRs are a great benefit to the healthcare industry and have the potential to improve patient care definitively. With solid VPN’s in place, HIPAA can be satisfied as well as protecting the great benefits wireless communications have on worker productivity. The right VPN tech is important too – avoiding vendor lock, ensuring the tech fits facility policy and doesn’t force policy changes, and it must be easy enough to users that they don’t even notice it’s running (otherwise, they’ll find a way around it!).

what we’re reading, week of 7/20

Branden Williams’ Security Convergence Blog…
Guest Post: HITECH Alters HIPAA—Will HIPAA be ‘Hip’?
Guest blogger, Bindu Sundaresan discusses the changes to HIPAA, and how they will impact healthcare management’s current way of dealing with electronic health records (or EMRs). As these ‘rules are here to stay’, Bindu reminds us to seek advice from our security consultant to stay compliant. How does this relate to VPN? EMRs need to be sent over secured VPN networks—check out NCPs Rene Poot’s comments on HIPAA.

IT Blog Watch | ComputerWorld…
Windows 7 ready (to manufacture): 7600.16385 is RTM ID
Yesterday, Microsoft announced that Windows 7 is now available as an RTM, as well as Windows Server 2008 R2. Since W7 was announced, bloggers and journalists have all shared their two cents. Now that it’s finally ready for manufacturing, Richi Jennings captures a few recent reactions —some excited, shocked, bored. If you’re unsure of how W7 may impact you, it’s a great source to get a handful of the various opinions all in one place.

Assets Protection Blog…
It’s Official: Your Internet Address Isn’t Private
Mark Nestmann reports on a recent ruling by U.S. District Court Judge Richard Jones which, states an individual does not have the right to keep his/her IP address anonymous. This means any Website can legally collect IP addresses. What is more troublesome is that Website ownersr can easily combine an IP address with other information to determine someone’s identity. To secure your ID and web-surfing habits use a VPN—this way the website records your IP address of the proxy, not of your PC.

Where do you keep your VPN Gateway?

We’re following a great discussion on LinkedIn as to where to keep a VPN gateway – in the DMZ or on the LAN directly. Pros and cons are argued for both sides (mostly pro-DMZ) and we’d like to hear your views on this debate. The views split over admin setup issues and effective security.

Placing the gateway within the DMZ provides an extra security cushion, with significant admin work related to the firewall settings. Of interest to us was Joerg Gerschuetz’s comment:

So to allow the full LAN access to legitimate VPN users you simply have to implement a ‘allow IP-Pools LAN-IPs any’ rule in the inner firewall. And make sure that these VPN-IP-pools are blocked at the outer firewall. So security relies on your VPN authentication method and robustness, but with a multi-factor authentication these is a valid approach from my perspective.

The DMZ also gives network admins the comfort of knowing that even if an attacker get’s a hold of the gateway’s static IP, they can’t get out of the DMZ an into the LAN. There’s also the issue of PCI compliance, namely to be compliant the gateway has to be in the DMZ.

All agree that placing the gateway on the LAN directly by-passes the safety of the DMZ (IPS/IDS, two firewalls, etc), however with two-factor authentication this might be ok.

Bottom line: placing the gateway in the DMZ is the most secure option, but it comes with the headache of managing how to manipulate both firewalls. Read it for yourself and comment on VPN Haus.

what we’re reading, week of 7/13

WiFi Net News…
Summer Time, and Wireless Fear Mongering Is in the Air
Glenn Fleishman disputes a recent article which claims users’ systems will be hacked due to “phony Wi-Fi hot spots” i.e. in airports, hotels, etc. The article recycles what is now a myth that free WiFi networks are ‘havens of hackers’, which they are not; and blends VPNs and secure network connections together. Refuting the points in the article, Glenn “heavily recommends” the use of VPNs—it’s as simple as that.

Examiner…
IT Considerations for a New Branch Office
Chaz Popovich provides a thorough checklist of IT factors to consider when opening up a new branch location. In this article, Chaz’s insight to VPN and WiFi are helpful for those organizations that are indeed branching out—especially because branch offices need reliable access to the company’s network.

Enterprise Windows | InfoWorld…
Windows 7 and Windows Server 2008 R2: Joined at the hip
Within an enterprise setting, Windows 7 and Windows Server 2008 R2 are meant to work together. As this co-development isn’t typical, J. Peter Bruzzese gives us a tour on the two technologies coming together, and provides IT with some insight on what they need to know before the crossover. One aspect to highlight is Windows 7 built-in VPN solution, DirectAccess. In order for DirectAccess to work, an organization needs to invest in Windows Server 2008 R2, which can be pricey and timely.