Topic: Health Data

Published in partnership with the Health Data Consortium. The Health Data Consortium is a collaboration among government, non-profit, and private sector organizations working to foster the availability and use of health data to drive innovations that improve health and health care.

Don’t wait for lawmakers! Set up network security standards for the BYOD era now

February 3, 2013 5:07 pm by | 1 Comments


Steve King is COO of Netswitch.

With the government failing to create any sort of standardized security regulations, the private sector is left to wonder what level of network security will be best for protecting company and client data. As the popularity of personal smart devices being used in the workplace increases, policies must be enacted in order to maintain a secure network.

The first step is to create a corporate policy on how employees will use smartphones and other personal computing devices on your network. Make sure that human resources and your legal department weigh in and that your policies become part of new employee orientation and ongoing employee training. But what other steps can be taken?


Here are six precautions to take to ensure security in the BYOD (bring your own device) era:

1) Training & understanding

All information technology networks are exposed to the difficult-to-control human element. Upgrading your servers and ensuring your firewall is solid is great. Right up until one of your employees clicks on a phish and your network is infected. A surprising majority of our clients (over 80 percent) offer no regular security training to their end users.

IT departments should conduct annual security and BYOD training for all users, teaching workers to avoid common security threats like phishing attacks and using established best practices for dealing with them when they occur. Since phishing attacks are so common, we assume that everyone knows how to handle them, but most employees have no idea how to recognize an attack or a scam. Companies that ignore this sort of employee training are unnecessarily exposing their networks to cyber threats.

2) Encrypt any data you don’t control

Over 70 percent of our client IT organizations don’t encrypt all of their cloud data, and leave almost all of their cloud transactions unencrypted. The reason is that encryption is costly in terms of bandwidth and requires faster and more expensive servers. Most public cloud services offer encryption services, and companies would be smart both to avail themselves of those and to make sure that their most sensitive corporate data is encrypted. If the loss of the data doesn’t put your company at risk, then there is no need to take the extra steps, but if compromised data affects your bottom line, then it must be encrypted.

3) Start using a monitoring system

Now that you have defined a corporate policy to deal with personal smart devices on your network, you must implement a system to register, track, monitor and report on personal mobile device activity. You want to be sure that any smartphone an employee brings into the workplace to be used for company business is registered on your network and associated with that particular employee and his or her authorizations.

When an employee downloads an app to their device, you want to be sure that the employee is authorized to access the data and programs the app uses and that their behavior is consistent with a user profile (employee is stationed in New York, but her iPhone just accessed the Order Processing app from San Francisco).

The system should notify your network administrators when anomalies occur as well as prevent unauthorized access. It should also track and report on specific usage and activity created by these mobile devices, so you can optimize your network and identify suspicious behaviors.
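The registration and anomaly checks described above, as an added illustration that is not Netswitch's product or code from the article: a constructed device registry ties each device to an employee, a home office and the apps that employee is authorized to use, and a scan over a few constructed access-log lines reports the New York / San Francisco style mismatch, an unauthorized app, and a device nobody registered. Field layout, device ids and app names are all assumptions made for the example.

```python
"""BYOD access-log anomaly checks (added example; registry and log are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """What the monitoring system knows about one registered personal device."""
    employee: str
    home_office: str
    authorized_apps: frozenset


# Constructed registry: device id -> registration (assumed field layout)
REGISTRY = {
    "iphone-7f3a": Registration("alice", "New York", frozenset({"Email", "Order Processing"})),
    "android-22c9": Registration("bob", "Chicago", frozenset({"Email"})),
}

# Constructed access log, one '|'-separated event per line:
# timestamp|device id|user|location|app
SAMPLE_LOG = """\
2013-02-03T09:12:01|iphone-7f3a|alice|New York|Email
2013-02-03T09:40:17|iphone-7f3a|alice|San Francisco|Order Processing
2013-02-03T10:02:45|android-22c9|bob|Chicago|Order Processing
2013-02-03T10:15:09|pixel-0000|carol|Chicago|Email
"""


def parse_event(line):
    """Split one log line into a dict of its five fields."""
    ts, device, user, location, app = line.strip().split("|")
    return {"ts": ts, "device": device, "user": user, "location": location, "app": app}


def check_event(event, registry=REGISTRY):
    """Return the anomaly labels for one event; an empty list means nothing to report."""
    findings = []
    reg = registry.get(event["device"])
    if reg is None:
        # An unregistered device gets no further checks: there is no profile to compare against.
        findings.append("unregistered-device")
        return findings
    if reg.employee != event["user"]:
        findings.append("device-user-mismatch")
    if event["app"] not in reg.authorized_apps:
        findings.append("unauthorized-app")
    if event["location"] != reg.home_office:
        # The article's example: employee stationed in New York, access from San Francisco.
        findings.append("location-mismatch")
    return findings


def scan_log(text, registry=REGISTRY):
    """Return (event, findings) pairs for every event that raised at least one anomaly."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        findings = check_event(event, registry)
        if findings:
            alerts.append((event, findings))
    return alerts


if __name__ == "__main__":
    for event, findings in scan_log(SAMPLE_LOG):
        print(f"{event['ts']} {event['device']} ({event['user']}): {', '.join(findings)}")
```

In a real deployment the registry would be fed by the enrollment step and the home-office comparison would be something coarser than a string match (a set of expected regions or networks), but the shape is the same: every event is checked against the profile of the device that produced it, and only deviations reach the administrators.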

4) Rotate SSH keys (at least) annually

Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. One immediate advantage this method has over traditional password authentication is that you can be authenticated by the server without ever having to send your password over the network. Anyone eavesdropping on your connection will not be able to intercept and crack your password because it is never actually transmitted.

Additionally, using SSH keys for authentication virtually eliminates the risk posed by brute-force password attacks by drastically reducing the chances of the attacker correctly guessing the proper credentials.

A huge majority (over 80 percent) of our client IT departments fail to rotate SSH keys every 12 months. Because employees turn over about every two years on average, failure to rotate SSH keys at least once a year leaves critical network infrastructure wide open to malicious access from former staffers. And there are usually a few pretty unhappy former staffers.

The differences between 1024-bit and 2048-bit are academic in that both have proven to be uncrackable. Most companies have not upgraded their encryption keys and are in serious danger of unnecessary exposure to brute force cyber attacks.

5) Have a plan for replacing compromised certificate authorities (CA)

Digital certificates are vulnerable to fraud, and must be replaced when they are compromised. We have found that most companies we evaluate have no management processes in place to ensure business continuity by quickly replacing a compromised certificate and its accompanying encryption keys.

There has already been a lot written about the CA compromises at DigiNotar, GlobalSign and Comodo in 2011. Browsers accept a certificate as trusted as long as the signing CA's certificate is in the browser's local trust store. Browsers do not check that a particular CA is authorized to actually issue a particular server certificate. The trust is universal. That is why the attacks on DigiNotar, GlobalSign, and Comodo are so serious and have global impact.

If it is even suspected that your CA may have been breached, make sure that you have processes in place both to replace the affected certificates and to evaluate the CA's vulnerability on an ongoing basis.

6) Make sure your encryption keys are up to snuff

We have seen lots of companies that don’t use appropriately strong encryption keys, relying on old 1024-bit keys. Back in 2011, NIST began reporting that 1024-bit encryption keys have been deprecated in effectiveness, and that, at a minimum, 2048-bit keys should be used for all encryption keys. The shorter key length has already been broken twice, which is why you can’t guarantee that it won’t happen again with your website. You should make sure your root key is at least 2048-bit when generating your CSR (Certificate Signing Request). This encryption level hasn’t been cracked yet and it is safe.
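An added audit script that applies two of the recommendations above, the annual SSH key rotation of section 4 and the 2048-bit minimum of section 6, to an OpenSSH authorized_keys file. It is not from the article or Netswitch. Two assumptions are built in and labelled in the code: authorized_keys stores no install dates, so the script relies on a `rotated=YYYY-MM-DD` tag that an installer would write into each key's comment field; and the sample keys are synthetic, built in the script so it runs offline. Their wire format is the real OpenSSH `ssh-rsa` encoding (length-prefixed `ssh-rsa`, exponent, modulus), but the moduli are made-up numbers, not real RSA keys.

```python
"""Audit authorized_keys for key age and RSA modulus size (added example).

Assumptions (not from the article):
  - each key comment carries a 'rotated=YYYY-MM-DD' tag written at install time;
  - SAMPLE_AUTHORIZED_KEYS below is synthetic: real ssh-rsa wire format, fake moduli.
"""
import base64
import datetime as dt
import struct

MAX_AGE_DAYS = 365     # section 4: rotate at least annually
MIN_RSA_BITS = 2048    # section 6: 2048-bit minimum
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative int as an SSH 'mpint' (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_blob(modulus: int, exponent: int = 65537) -> str:
    """Build the base64 blob of an ssh-rsa public key around a synthetic modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return base64.b64encode(blob).decode("ascii")


def rsa_bits(blob_b64: str) -> int:
    """Modulus bit length of an ssh-rsa blob, found by walking its length-prefixed fields."""
    data = base64.b64decode(blob_b64)
    fields, pos = [], 0
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        fields.append(data[pos + 4:pos + 4 + length])
        pos += 4 + length
    if not fields or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    # fields[1] is the exponent, fields[2] the modulus; a leading 0x00 pad does not add bits.
    return int.from_bytes(fields[2], "big").bit_length()


def audit_line(line: str, today: dt.date):
    """Return the problems found on one authorized_keys line (empty list = fine)."""
    parts = line.split()
    # Skip the optional options prefix (e.g. from="...") by locating the key-type token.
    idx = next((i for i, tok in enumerate(parts) if tok in KEY_TYPES), None)
    if idx is None or len(parts) < idx + 2:
        return ["unparseable line"]
    ktype, blob, comment = parts[idx], parts[idx + 1], parts[idx + 2:]
    problems = []
    if ktype == "ssh-rsa":
        bits = rsa_bits(blob)
        if bits < MIN_RSA_BITS:
            problems.append(f"rsa modulus is {bits} bits, below {MIN_RSA_BITS}")
    rotated = None
    for tok in comment:
        if tok.startswith("rotated="):
            rotated = dt.date.fromisoformat(tok[len("rotated="):])
    if rotated is None:
        problems.append("no rotated= tag; install date unknown")
    elif (today - rotated).days > MAX_AGE_DAYS:
        problems.append(f"key is {(today - rotated).days} days old; rotate")
    return problems


def audit_file(text: str, today: dt.date):
    """Return (label, problems) for every key line that has at least one problem."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        problems = audit_line(line, today)
        if problems:
            comment = [t for t in line.split() if "=" not in t and t not in KEY_TYPES][-1:]
            report.append((comment[0] if comment else "<no comment>", problems))
    return report


# Synthetic authorized_keys: the moduli are just numbers with the right bit length.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa " + make_rsa_blob((1 << 2047) | 1) + " alice@laptop rotated=2012-11-01",
    "ssh-rsa " + make_rsa_blob((1 << 1023) | 1) + " bob@desktop rotated=2012-06-15",
    "ssh-rsa " + make_rsa_blob((1 << 2047) | 1) + " old-contractor@vendor rotated=2011-01-20",
    "ssh-rsa " + make_rsa_blob((1 << 2047) | 1) + " legacy-deploy",
])

if __name__ == "__main__":
    for label, problems in audit_file(SAMPLE_AUTHORIZED_KEYS, dt.date(2013, 2, 3)):
        print(f"{label}: {'; '.join(problems)}")
```

Run against the sample with the article's date, the report flags bob's 1024-bit key, the contractor key that is over two years old, and the untagged legacy key, while alice's recent 2048-bit key passes. The label picked for each line is the last comment token without an `=`, which in this sample is the `user@host` part of the comment; a real installer would write the tag, and a cron job would run the audit and open a ticket for every flagged line.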

Ultimately, there is almost nothing an enterprise IT Manager can do to prevent these sorts of attacks and this is a technical and procedural problem that the browser vendors and device makers have to fix. In the meantime, however, we can at least replace any certificates that we know or suspect to be breached.

While the Electronic Frontier Foundation and other groups have spent months arguing over the various faults in the Cyber-security Act that just died in Congress, here is where the federal cyber-security legislation might actually have come in the handiest. We could actually use a central, non-bureaucratic organizing agency that concerned itself with issues like the global compromise of Certificate Authorities and support the required trust in our Internet enabled world, but alas, that may be just a hopeful oxymoron.

In the meantime, protect yourself with BYOD policies, a network that monitors and controls, encryption that makes sense, and employees who are smart about network security and the ways in which it may affect them.


Steve King is COO of Netswitch Technology Management, a provider of managed services for secure technology infrastructure, and SAP in Thailand, China, and the US. He has over 30 years of computer industry experience in software engineering, product development, and sales and founded three software and services startups.



This article originally appeared on VentureBeat

Copyright 2014 MedCity News. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
1 comment

Fred

Great article! I think you're spot on with the statement about lack of standardization, especially with regard to cloud-based services. Encrypting your data so that plaintext is never outside of your control is a salient point that many cloud storage providers ignore today. Even when data is encrypted at your provider, most of the time they have the key to your data, which ultimately means the data is outside your control.

End-to-end encryption is certainly the answer here. I wrote a post in response to another article I read about recommending encryption to protect your data. I tried to highlight the different types of encryption that can be used and when to use each type in hopes of clarifying that encryption is not a panacea. I hope you find it adds to the context of your post. http://blog.laconicsecurity.com/2013/02/for-true-cloud-security-devil-is-in.html
