Cyber Security Informer, Network Infrastructure Security, Web Security - 2009.08.04
August 4, 2009
In this issue:
- Healthy Data Privacy and Security Habits
- Case for Security Webinar: Top 25 Dangerous Programming Errors, Part 1
- Webinar Participants: Discount on Your Network Security Assessment or Web Security Assessment
- Ask A Security Expert
- Hacker Bait
CYBER SECURITY INFORMER - news and tips to help you stay safe online and protect your network
Cyber Security Informer is distributed by Boonbox, the security-focused division of Pacific Coast Information Systems Ltd. (IT Consulting) in Vancouver, BC, Canada.
Contact Boonbox Toll-free 1.877.744.7558 or visit www.boonbox.net
Healthy Data Privacy and Security Habits
It's hard to think of data more private and in need of protection than the information in your medical bills. ID thieves could have a field day with these records. This week, Cyber Security Informer picked up tips from MedBillsAssist, medical reimbursement specialists, including lessons other organizations can use to protect their business and customer data.
Organizations dealing with health care data are subject to HIPAA, which sets national standards for electronic health care transactions and requires the use of national identifiers for providers, health insurance plans, and employers. The regulations are often poorly understood by individual organizations, leading to inconsistent procedures, notes MedBillsAssist CIC Katalin Goencz. "Some organizations are willing to give you patient information in messages with no security in place, while others won't even provide you with the first name of a patient."
PCIS advises organizations that must be HIPAA-compliant to consult with an expert to ensure they are following the rules.
As well, organizations should not be storing any kind of private customer information on their own website. They may also want to look into having a third-party organization store their data, an option MedBillsAssist has been looking into. By outsourcing the storage, you at least have the option of finding and using a company that specializes in secure data handling. (Liability isn't so easily outsourced, though. Outsourcing security doesn't make you less liable, but it could show that your company has taken reasonable steps to protect data.)
Network security is a must. "My business is behind a firewall," Goencz says. "My computer hard drive is password protected and it's also set up so that after three unsuccessful tries at guessing the password, it shuts down. If it's ever lost or stolen, they won't be able to get in." She also uses antivirus software to keep malware out.
There are plenty of other things organizations can do today to ensure company data is protected, Goencz notes. "For instance, don't give away private information if you don't need to. I went to get insurance and my broker asked for my social insurance number. But they don't need that information. I gave him my business ID number and that was enough."
As well, she warns against logging into your computer as an "administrator". "Have a user account set up with a user name and its own password. Your administrator account should only be used when installing programs that you need and for your IT administrator to work on your computer."
These tips can help ensure healthy security for your organization's data. For more information about how you can protect your business today, contact Boonbox.
Case for Security Webinar: Top 25 Dangerous Programming Errors, Part 1
Continuing our series on web application security, in this webinar we will discuss the top 25 web application programming errors that lead to security issues.
The discussion will cover definitions of the programming errors, how to identify and assess risks in your application, and references to resources surrounding best practices in web application development.
How to Register
1. Go to http://boonbox.webex.com/meet/boonbox
2. Click "Show All Meetings".
3. Click the "Register" link on the right in the Status column for "Part 1: Top 25 Dangerous Programming Errors" and fill in the short registration form. You will be sent your registration confirmation information and instructions on how to participate.
Who Should Register
Business owners and IT professionals looking to improve their business operations through better use of IT solutions.
As an additional benefit of signing up for this Case for Security webinar, you will also receive a complimentary subscription to our newsletters, Cyber Security Informer and Pacific Coast Informer.
More event information for Top 25 Dangerous Programming Errors, Part 1
Webinar Participants: Discount on Your Network Security Assessment or Web Security Assessment
If you've registered for one of our Case for Security webinars, then you know how important it is for your business to protect its network and web assets. We want to help you make that commitment. Register for one of our webinars and you can take advantage of either of the following offers.
With your Devfense Web Security Assessment engagement, receive a $600 discount on the follow-up Delta Scan.
Alternatively, with a Network Security Assessment engagement, you can receive a half-day of consulting to remediate the network vulnerabilities we discover. This offer is valid until September 31, 2009.
Ask A Security Expert
"I've been looking at cloud computing applications to enable certain business functions and cut costs. Is cloud computing a secure option for my business?"
Cloud computing may be a good option for your business, but it does have some known security drawbacks.
If you're using social networking sites, you're already using the cloud. Google Docs, Yahoo! Business, Salesforce.com... cloud, cloud, cloud. The cloud is integrated into a lot of what we do.
Many businesses have held off on full adoption of cloud computing because of security concerns. By outsourcing your information to a provider outside your network, your security posture depends entirely on that provider. If the provider gets hacked, goes bankrupt, cuts corners on security due to short-term budget constraints, changes its own data-handling rules, receives a sanctioned request from the authorities for your private data, or simply stops offering the service for any reason, your data could be deleted, stolen or sold to the highest bidder.
As security professional Bruce Schneier advises, if your organization is determined to use the cloud for your business, do your research on the service provider. "You need to make sure the terms of service you sign up to are ones you can live with. You need to make sure the location of the provider doesn't subject you to any laws that you can't live with. And you need to make sure your provider is someone you're willing to work with. Basically, if you're going to give someone else your data, you need to trust them."
Weekly Feature - Hacker Bait
The latest Hacker Bait list contains highly trafficked websites that have been found to have vulnerabilities that hackers and cyber criminals could exploit.
This is not a complete list of all vulnerable sites on the Internet, but only represents websites where vulnerabilities were found within the past 90 days. These are only the latest additions to an ever-growing club of sites found to be insecure according to various public sources and online tools used in the web security industry.
If you would like more information on our data and why these sites are listed here, please contact PCIS.