Vulnerability Scanning


Vulnerability scanning is the systematic identification, analysis and reporting of technical security vulnerabilities that unauthorized parties may exploit to threaten the confidentiality, integrity and availability of business and technical data. External vulnerability scanning specifically examines an organization’s security profile from the perspective of an outsider, someone who does not have access to systems and networks behind the organization’s external security perimeter. Your external IPs can be scanned once a year, once a quarter or monthly.


Mobile Application Scanning


Mobile platforms by default make certain promises about their environment. Development teams should not rely on these promises to protect critical data and code. The architecture review and threat modeling process includes assessing and documenting security risks in the context of the use cases, services, roles and functions unique to your application. The threat modeling is performed in collaboration with your business, engineering, operations and corporate security teams to understand and define the system’s security objectives, threat profile, attacks, vulnerabilities and countermeasures from design to deployment.


Darkweb Credential Monitoring


We provide the best approach to eliminating the biggest cause of massive data breaches: the weak and/or stolen password. We continuously monitor the dark web for stolen databases and identities, and maintain the encrypted data in our proprietary database. When integrated with an IAM solution, we can provide superior visibility into user-centric risk and the ability to automate appropriate corrective actions, preventing the abuse of compromised credentials.


Do Hospitals Need to Promote Privacy By Limiting The Use of Social Media?

Social media has taken the world by storm, but there are many instances when it has been used inappropriately to abuse privacy. Hospitals, especially, are in danger of this – the privacy levels required in a hospital are high and social media breaks down all barriers of privacy. Social websites like Facebook and Twitter, video websites like YouTube and even blogs have made it easy to pass on information, and since there is no one policing the information, boundaries are crossed easily. The HIPAA Security Rule can be easily broken. Social media security has become very important. Information security policies are required to meet HIPAA risk requirements.

Imagine a situation where someone is ill and has to stay in the hospital for a few days. Or where someone is diagnosed with something that people treat as particularly embarrassing, or that holds the threat of death. All it takes is for one person to post a message or a picture taken in the hospital of the patient, and in minutes, the whole world will be able to access the information. If malicious things are said about this patient and they get to hear about it, it might harm their health further. A HIPAA security assessment would be required after such a data breach.

Hospital employees in particular need to be extra careful, because they can easily break the HIPAA Security Rules and get into legal trouble. Blogs where hospital employees meet are a great idea for them to discuss their work, but these same blogs can easily cross boundaries and find themselves discussing a particular patient. The hospital employee can be fired and sued. The hospital itself is in particular danger of being sued.

Social media has changed the way we communicate, but we need to know when it is appropriate and when it is not. In hospitals, it can be especially damaging if used in the wrong way. To stay out of trouble, hospitals need to have a clear policy on social media and how their employees use it, and they need to perform consistent HIPAA risk assessments.

What are the Top 5 Internet Security Trends for 2013?

As the Internet and technology advance at increasing speed, the concerns over security are keeping pace. New threats to security emerge every day; check out the National Vulnerability Database. With access to the Internet expanding to devices other than the laptop or desktop, there are more opportunities for attacks. With the ever increasing connectedness of our society, it is important to look at the Internet security trends for 2013 and be prepared.

Each time you access the Internet, you are putting yourself and your technology at risk by exposing it to the security risks, known and unknown. The security trends for the coming year are looking to focus around a variety of threats including cyber conflict, ransomware, madware, social software and cloud-based cyber attacks. Like it or not, these concerns aren’t going away any time soon, so it is best to gain a baseline understanding of them so that you’ll be able to protect yourself in the coming year.

1. Cyber Conflict

Increasingly, cyber conflict is becoming a serious threat between states, organizations and individuals. While the threats at the state and organizational level may not be of immediate concern, cyber conflict can become very serious when you’re dealing with others sitting behind a computer screen. People are less considerate and often more bold when sitting at a keyboard. Threats and aggression come quickly as discussions online become heated. You can protect yourself and your family from cyber conflict by becoming more aware of how you interact on the Internet. Bullying and aggression are of great concern for families with children. Be sure to educate your children and monitor their Internet usage closely.

2. Ransomware

It’s actually just what it sounds like – virtual ransom demands from criminals. This is a growing threat due to the increasing sophistication of cyber-criminals. Be aware and protect yourself online by consulting with an Internet security firm if you are in a position where you feel exposed to the threat of cyber-criminals. Fast incident response is key when dealing with Ransomware.

3. Madware

Mobile adware, or madware, is a growing concern as more and more people use mobile devices to connect to the Internet. Madware can easily cause a HIPAA security violation if you lose patient data to an attack, and it can also degrade the functionality of your mobile devices. Mobile apps often expose users to various forms of madware. Consult your mobile device dealer or an Internet security firm in order to protect yourself from madware. See this good illustration of madware from

4. Social Software

Social media security is a growing concern as more and more people and social media platforms emerge. The social media reputation risk is high when people use social media platforms carelessly or are uneducated about the multitude of privacy and security risks that come from social media.

5. Cloud-based Cyber Attacks

Cyber attackers are turning to the cloud as more people and companies are using it as a way to store the massive amounts of data they accumulate through their desktops, laptops, tablets and mobile devices. This can be a great concern for people who are relying on these cloud-based services to store their valuable documents, entertainment collections and pictures. The recent news article about Wired technology journalist Mat Honan getting hacked through Amazon and Apple cloud services, “Apple account hack raises concern about cloud storage”, illustrates the damage.

As you can see, each of the Internet security trends of 2013 poses a real threat to your security online. Now is the time to take serious steps to protect yourself from these emerging trends so that you will be able to start the new year off right. It may seem like these things will never happen to you, but usually these attacks come when you least expect them. Just like a home invasion, if you’re an easy target, you’re more likely to get hit by any one of these threats. The best defense is a good offense, and that applies here. For help in cloud, network and social media security, contact us at KRAA Security.


Data Breach Problems on BYOD

In today’s world, more and more employees are using their own devices to access company websites and work screens. iPhones and iPads are two very popular devices that many people use as their all-in-one device. They don’t realize that these devices may not be that secure, and for a company this can lead to very costly data breach situations. Healthcare companies are especially susceptible to the implications of HIPAA patient data loss. If you lose data that is federally protected, then you open yourself up to legal repercussions and lawsuits from individuals as well as potential monetary penalties.

Many companies have adopted bring your own device (BYOD) policies because a lot of employees would just as soon use their own equipment. After all, they already have it and they are quite used to using it in most aspects of their lives. While this may seem like a perfectly reasonable solution, it may not be wise unless companies have truly looked at the issues with their risk management team. Fines as high as $1.5 million have already been assessed in at least one situation, in a teaching hospital that lost data on a mobile device that was unencrypted.

Person with PDA handheld device. (Photo credit: Wikipedia)

Companies are now required to perform a risk assessment and implement a data breach protection program, including for mobile devices. Those without a plan in place can be on the receiving end of some pretty hefty fines. Some important numbers that companies should be aware of are:

- 84% of employees use their smart phone for everything, including work and personal use
- 47% of all people don’t use password protection on their mobile devices
- 51% of companies have no ability to erase data from a lost or stolen device
- 49% of employees have received no training at all on mobile device security from their company

These issues are going to need to be addressed by all companies if they truly wish to remain out of hot water and avoid these issues with HIPAA protected data loss. A BYOD policy may save money in not having to supply equipment to employees but it also may leave you open to lawsuits and big fines. Deciding which route they want to take should rely heavily on risk assessment.

Data needs to remain safe at all times and this needs to be addressed by technology companies as well. Being able to erase information from a lost device, over the air and remotely is a technology that is a must for these sorts of companies who handle sensitive materials. Companies should really explore all options in protecting and destroying data if they follow a BYOD policy.

Social media sites have gained popularity in the past ten years as a medium to keep in contact with loved ones, business associates and friends. However, there can be drawbacks to the use of such media when one is employed in certain career fields, such as the healthcare industry. Using social media networks can inadvertently lead to the sharing of confidential patient information with people who have no need to know, which would then cause the company to violate HIPAA Security Rule compliance.

Social media applications are not just a part of one’s personal lifestyle; they have also become incorporated into the corporate climate. Many organizations use these applications for marketing, file sharing, communication and employee recruitment. While these applications can open up a great many doors of communication, some type of guidance or governance is necessary. Because banning the use of such sites is most likely unenforceable or impractical, a hospital or other entity that must shield private information should at least ask or require its employees to adhere to Social Media Policy guidelines.

For instance, when using social networking sites, one should use separate passwords for the different sites, since an individual can easily compromise all of one’s accounts if they know the one password; a security breach of one account could snowball. Passwords should be complex and changed every 90 days. Social media sites should be accessed over SSL and only from trusted network connections, not coffee shops, especially for business purposes. In the case of company documents or patient information, if it isn’t found on the company’s web page it probably should not be posted elsewhere. Some sites exude a feeling of privacy and security but are far from it. Allowing one’s corporate information security team to determine which sites are acceptable is the best option.

Another thing one should not do is post his or her own identifying information publicly, such as date of birth, social security number or employee ID number. If a site requires this information, 1) it is most likely not a reputable site, and/or 2) one could make something up or ensure that it is not going to be displayed in a public profile. Some information may not be considered confidential, yet not posting it to public social media sites is still a good idea. This can include anything from rumors, to purchases the company plans on making, to anything about the technology one’s company uses or will use, and any projects the individual may be working on. So in one’s personal endeavors, it is most beneficial to all involved if confidential information, or information that could be considered secret, stays out of the hands of the public. Follow practical posting guidelines and do not share more information than is necessary in corporate social media activities.

Gary Bahadur, CEO KRAA Security, *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *Free Website Security Test
There is a lot of focus on network security and application security today. Years ago it was operating system security that was all the rage. But with the advent of the strict requirements of regulations such as HIPAA, PCI, SOX and FISMA, more attention needs to be paid to the operating system. As Windows is still dominant, what are some of the features you need to be concerned with in an assessment application? Some key features of a host security assessment tool are:
  1. Ability to quickly audit
  2. Ability to inventory
  3. Structure for classification of components
  4. Patch management of course
  5. Ability to baseline and report against the baseline
  6. Templates of the regulatory requirements
  7. Templates of different levels of security configurations
  8. Threat identification and classification
  9. User management
  10. Port security assessment and management
  11. Service and process analysis
A baseline configuration for operating system security, covering things such as patch levels, ports, services, processes, logging, policy settings and user configuration, should be the first step for any company in host security assessment and diagnostics. If you build from scratch, or don’t use a secure template, you will always be in trouble. Timely updates and reconfiguration of your baseline are necessary. Your operating system, like your network security, should match your corporate business practices and procedures. Policies should be in place for this, of course. Over time you should be able to benchmark your host security problems, solutions and changes.

Gary Bahadur, Address: 200 Se 1st St #601 Miami FL 33131 *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *FREE Website Security Test
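The "baseline and report against the baseline" step above is easy to describe and easy to get wrong in practice, so here is an added example (not KRAA Security's tool or code) of the core comparison logic in Python. It takes an approved baseline covering patch level, listening ports, services, audit logging, local administrators and the account lockout policy, compares a host inventory snapshot against it, and reports each deviation with a severity. The baseline values, service names, port numbers and the host snapshot are all constructed for illustration; on a real host the snapshot would be filled in by whatever collector the assessment tool uses.

```python
"""Host baseline drift check (added example, not KRAA Security's code).

A snapshot is a plain dict describing one host's current state; the baseline
describes what the secure template requires. compare_to_baseline() returns a
list of Finding records, one per deviation, so the output can be benchmarked
over time. All values below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    category: str   # patch, port, service, logging, user, policy
    detail: str


# Constructed baseline for a workstation template (assumed values).
# Service names follow Windows conventions: EventLog, MpsSvc (firewall),
# WinDefend (Defender), TlntSvr (Telnet server).
BASELINE = {
    "min_patch_level": 20,                       # assumed cumulative update number
    "allowed_listening_ports": {135, 445, 3389},
    "required_services": {"EventLog", "MpsSvc", "WinDefend"},
    "forbidden_services": {"TlntSvr"},
    "logging": {"audit_logon": True, "audit_policy_change": True},
    "expected_local_admins": {"Administrator", "it-admin"},
    "lockout_threshold_max": 10,                 # failed logons before lockout
}

# Constructed snapshot of a host that has drifted from the template.
SAMPLE_SNAPSHOT = {
    "host": "ws-finance-07",
    "patch_level": 18,
    "listening_ports": [135, 445, 3389, 5900],
    "running_services": ["EventLog", "MpsSvc", "TlntSvr"],
    "logging": {"audit_logon": True, "audit_policy_change": False},
    "local_admins": ["Administrator", "it-admin", "jdoe"],
    "lockout_threshold": 0,                      # 0 means accounts never lock out
}


def compare_to_baseline(snapshot, baseline=BASELINE):
    """Return every deviation of `snapshot` from `baseline` as a Finding."""
    findings = []

    if snapshot["patch_level"] < baseline["min_patch_level"]:
        findings.append(Finding("high", "patch",
            f"patch level {snapshot['patch_level']} below baseline "
            f"{baseline['min_patch_level']}"))

    # Any listener the template does not allow is drift, regardless of which
    # process owns it; the reviewer decides whether it is legitimate.
    for port in sorted(set(snapshot["listening_ports"])
                       - baseline["allowed_listening_ports"]):
        findings.append(Finding("medium", "port", f"unexpected listening port {port}"))

    running = set(snapshot["running_services"])
    for svc in sorted(baseline["required_services"] - running):
        findings.append(Finding("high", "service", f"required service not running: {svc}"))
    for svc in sorted(running & baseline["forbidden_services"]):
        findings.append(Finding("high", "service", f"forbidden service running: {svc}"))

    for key, expected in baseline["logging"].items():
        actual = snapshot["logging"].get(key)
        if actual != expected:
            findings.append(Finding("medium", "logging",
                                    f"{key} is {actual}, expected {expected}"))

    for user in sorted(set(snapshot["local_admins"])
                       - baseline["expected_local_admins"]):
        findings.append(Finding("high", "user", f"unexpected local administrator: {user}"))

    # A threshold of 0 disables lockout entirely, which is weaker than any cap.
    threshold = snapshot["lockout_threshold"]
    if threshold == 0 or threshold > baseline["lockout_threshold_max"]:
        findings.append(Finding("low", "policy",
            f"account lockout threshold {threshold} weaker than baseline max "
            f"{baseline['lockout_threshold_max']}"))

    return findings


def summarize(findings):
    """Count findings per severity, for trending host security over time."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    results = compare_to_baseline(SAMPLE_SNAPSHOT)
    print(f"{SAMPLE_SNAPSHOT['host']}: {summarize(results)}")
    for f in results:
        print(f"  [{f.severity:6}] {f.category:8} {f.detail}")
```

Each run of `compare_to_baseline` is a point-in-time report; storing the per-severity counts from `summarize` after every assessment gives the benchmark of problems, solutions and changes the post calls for, and a host with an empty findings list matches the template.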