Security Suggestions – The Cloud and Your Data

Posted on 1, Oct | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I am often asked to discuss IT and data security as it relates to storing data on the Cloud. Nine out of ten times I am asked two inevitable questions: “What is the Cloud?” and “Where is the Cloud?” Hopefully I will answer these questions as I discuss ways to keep your data secure on the Cloud.

There are a number of services that allow you to store data on their servers. Examples of these for an individual or a small business are Dropbox, Sharefile, Google Mail, iCloud, Google Drive, Office 365, and many more. These services are quite often automatically connected to your smartphone, iPhone, laptop and/or desktop computer once you initially log in. Think about using your phone – you don’t have to type in a password to get your Gmail each time. As long as you can access the email app on your phone, you’re in. This is because you have instructed the app to trust your smartphone as a conduit to get your Gmail. This goes for almost any mail account you access from your device.

Go one step further and consider that you may have an account with Dropbox, Office 365, or Sharefile. The same concept applies – you have instructed the app to trust your smartphone as a conduit. To make matters worse, if you have these accounts available on your laptop or desktop they too are accessible without typing in a password once you have initially logged in. This is most often the case because we have instructed the app to remember our password.

Now that we understand – to just a small degree – what the Cloud is as it relates to most users and what as individuals we may have on the Cloud, let’s discuss how to keep it secure. First, don’t store sensitive information in the Cloud. I am not talking about using the online version of TurboTax, for example. I am referring to storing birth certificates, passports, and other scanned documents with sensitive information. There is nothing wrong with a safe deposit box for items like these.

Don’t use the same password for every account, and change passwords regularly. I believe that password security is such an important issue I could write an entire topic on it. By using the same password for email, banking, computer login, online purchases, social media sites, and other activities, you jeopardize the security of all of your accounts if just one gets hacked. Hackers are smart enough to know that if your password to “website.com” is 12345678 and your user name to “website.com” is user@gmail.com, they will try to log in to the Gmail account with the password they have uncovered. You should choose a random password and change it at least every 90 days, if not sooner.

Consider reading the terms of service or user agreements to find out how the service works. This is very important if you intend to take advantage of a free 30-day trial. It is possible you will not have access to the data after 30 days without paying for the service. Think about encrypting your data or utilizing a service that includes encryption with data storage.

These are just a few suggestions for securing your data on the Cloud, and this is only a starting point. I am not suggesting that no one should use the Cloud for storing data. For the most part, everyone who uses a computer, smartphone, or tablet is using the Cloud already. The Cloud can be an efficient way to centralize and share data with authorized users. I am suggesting you use it wisely, securely, and with the knowledge that you have done everything possible to protect the data you put on the Cloud.


Behind the Scenes of the Recent IHSSF Crime Survey

Posted on 11, Jun | Posted by Dana M. Frentz, CHPA

In summer 2013, the International Healthcare Security and Safety Foundation (IHSSF) tasked a small group of members to develop a hospital Crime Survey based on a common metric regardless of the number of participants or size of the facility.

The goal of the Crime Survey was to create measurable and trending data based on three different denominators – bed count, average daily census, and square feet. These indicators, combined with the crime data, would then provide a framework in which future Crime Surveys could be conducted with consistency. Since the team was establishing this new framework for the survey and timing permitted, it was able to collect both 2012 and 2013 data, which provided an equivalent foundation upon which to base answers.

Survey results revealed that average daily census was either not completely understood as a metric or was not readily available to respondents. However, bed count and square footage corresponded so consistently that bed count was used for the common denominator.

The team agreed the most valuable and accurate questions would come from the basis of the FBI’s UCR (Uniform Crime Report), since these are national definitions and not based on an individual state’s penal code or a particular organization’s crime classification. Because the organization is international and there is a large contingent of Canadian members, a separate survey was sent to the Canadian membership with questions based on the Canadian Criminal Code. To further assure consistency in the survey, the team provided respondents with the UCR definition, along with a healthcare-related example.

The 10 different types of crime deemed relevant to hospitals included: murder, rape, robbery, aggravated assault, assault (simple), disorderly conduct, burglary, larceny/theft, motor vehicle theft, and vandalism. Both types of assaults were further broken into sub-categories as they are considered workplace violence incidents:

Type 1: Violent acts by criminals, who have no other connection with the workplace, but enter to commit robbery or another crime.
Type 2: Violence directed at employees by customers, clients, patients, students, inmates, or any others for whom an organization provides services.
Type 3: Violence against coworkers, supervisors, or managers by a present or former employee.
Type 4: Violence committed in the workplace by someone who does not work there, but has a personal relationship with an employee – an abusive spouse or domestic partner.

Overall, the survey results showed a significant increase in violent crimes between 2012 and 2013 and a minimal increase in property crimes such as vandalism and burglary during this same time period. The greatest increase fell into the category of disorderly conduct and assaults. Respondents further provided the requested breakdown in types of violence for assaults. The Type 2 category accounted for more than 90% of all assaults.

While the number of this year’s survey respondents was higher than in years past, there is still room for improvement. The team believes that by establishing this basis of calculating crime rates on bed count and square footage, it will mitigate issues that can arise from the number of respondents or different hospitals responding year after year.

The 2014 HealthCare Crime Survey Committee was comprised of Lead Author Karim Vellani, CPP, CSC; IHSSF President Steve Nibbelink, CHPA; David Gibbs, CPP; and Dana Frentz, CHPA. For more information about the 2014 IHSSF Crime Survey, please visit http://iahss.org/PDF/crimesurvey2014.pdf.

IHSSF, the International Healthcare Security and Safety Foundation, was founded in 1981 as the philanthropic arm of IAHSS. The International Healthcare Security and Safety Foundation was established to foster and promote the welfare of the public through educational and scientific research and the development of the healthcare security and safety body of knowledge.

IHSSF promotes and develops educational research into the maintenance and improvement of healthcare security and safety management as well as develops and conducts educational programs for the public.


RMA Presents at CSI Week at Meredith College

Posted on 25, Oct | Posted by RMA

Chris Peterson presented Enemies at the Gate – or Are They Already Inside? as part of CSI Week at Meredith College. CSI Week allows students at Meredith to explore career opportunities in law enforcement and related fields. The event is sponsored by the Sociology and Criminology Programs, and the Sociology & Criminology Club (and with the support of Political Science, Accounting, & Social Work).

Other presenters during the week included:

  • Special Agent Jahaira Torrens spoke about Homeland Security Investigations.
  • Cat Flowers, owner of Cat Eye Detective Agency, presented.
  • Police Officer and Social Worker Renea Lockhart spoke about domestic violence and being both an officer and a social worker.
  • U.S. Marshals talked about the work they do tracking down fugitives and other law enforcement activities.
  • Wake County Prosecutors spoke about their work.
  • RPD Gang Unit talked about their work with gang prevention and dealing with gangs in Raleigh.
  • Crime Scene Analysis, RPD patrol officer, CCBI investigator (the local CSI) and a detective from Raleigh Police talked about how they work and investigate a crime scene.
  • Cary Police Department crime mapping analyst Elise Pierce spoke about her work in the use of Crime Scene mapping to facilitate the work of police in Cary.

Chartered in 1891, Meredith College is one of the largest independent private women’s colleges in the U.S. Meredith also offers coeducational graduate programs in business, education and nutrition, as well as post-baccalaureate certificate programs in pre-health and business, a dietetic internship program, a didactic program in dietetics and a paralegal program. Meredith’s programs – undergraduate and graduate – challenge each individual student to think deeply, push hard, discover new strengths and grow even stronger. Meredith has been cited as one of the “best colleges” in the region and the country by U.S. News & World Report, The Princeton Review and Forbes.com.


RMA Completes Security Assessment of RTP

Posted on 18, Sep | Posted by RMA

Risk Management Associates, Inc. has completed a security assessment of Research Triangle Park. The Research Triangle Foundation has developed and is in the process of implementing a new master development plan for the Research Triangle Park (RTP) community. As a critical component of that plan, the foundation decided to conduct a security assessment to provide stakeholders with the current security posture of RTP. A security assessment is one of the most cost-effective means to assess the security people, processes, and technology that are in place today and to plan for the security needs of the community moving forward.

The Research Triangle Park is home to more than 170 global companies – including IBM, GSK, Syngenta, RTI International, Credit Suisse, and Cisco – that foster a culture of scientific advancement and competitive excellence. RTP is located between three major universities: Duke University in Durham, North Carolina State University in Raleigh, and the University of North Carolina at Chapel Hill.

Through five decades, the Park still holds to its founders’ aspirations: to generate economic activity, engage the talents of local graduates and citizens and carry North Carolina forward to ever-greater prominence and prosperity.


WRAL: Security measures not foolproof, consultant says

Posted on 17, Sep | Posted by RMA


Held Hostage by a Dishonest Employee

Posted on 16, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I was recently involved in a case in which a company employee was discovered using a company credit card for personal reasons. This happens occasionally, and one would think that immediately terminating the employee would resolve the issue. But what happens when the employee is the one and only IT person for the company?

Many companies have only one person to manage all of their IT needs. There is nothing wrong with this. Considering that 99.7 percent of U.S. employer firms are a small business (http://www.sba.gov/sites/default/files/FAQ_Sept_2012.pdf), having a sole IT person may be very common. The problem with this situation is the lack of oversight and management of the IT person by company executives and owners. What are the consequences caused by this scenario? How can companies and organizations prevent the backlash experienced when a single person has the “keys to the kingdom”?

This issue can occur in any business with a small IT staff. This particular case involved an employee who had been with the company for eight years. In that time, the employee came to be the only person who dealt with all IT issues. He managed the website, the phone system, the internet service, all servers, all workstations, the data connections for multiple facilities – you get the point. The employee could have brought the company to a standstill for several days, if not several weeks, had he wanted to do so. It was not until deciding that he needed to be fired that someone finally asked the question “What does he do, and can we do it without him?” The answer was, “No.”

In this case, the employee was being terminated for cause. What if he had been hit by a bus? The company would still be in the same position. The only option left for the company was to hire someone to come in and inventory the network to help them prepare for the employee’s termination. This involved hundreds of man-hours. Fortunately, the transition was successful and the company lost no production time.

There are several steps that can be taken to prevent this from occurring in your business. The person responsible for a company’s IT needs should document everything and provide this documentation to management or ownership in a reviewable format on a regular basis. This document should be considered a living document, and any time there is a network change or system change, the document should be edited to reflect the change. The document should include but not be limited to:

  • A list of service providers and all information needed to contact this service provider for support or changes. This includes the Internet service provider, phone service provider, web hosting company, cell phone provider, cloud services, or any other service provider used by the company.
  • Administrator passwords. These can be sealed in an envelope and/or put in a safe.
  • Device passwords and configuration. Think about firewalls, switches, wireless routers, and other equipment.
  • Software passwords and configurations. The IT administrator may be the only person aware of specialized software used in the office that requires specialized configuration or passwords. Make sure this information is documented and available to company executives.
  • Procedures for backing up and restoring systems.
  • A “What if…” document. This document would include instructions on how to deal with and recover from system outages, power outages, or other unique IT failures.

Depending on your network, the information needed in this document will differ. The best way to determine what you may need to document is to sit back and think of the problems created if your IT person were gone. What questions would you have? The document should answer all of these questions. It is also important to make the person responsible aware that this document is a “Continuity of Operations” document. There are many reasons why an IT employee may not be able to come to work, but their absence should not disable any part of the IT infrastructure.

It is also critical to make sure there are two people on the point-of-contact list with all service providers. The second person on the list should be an owner or executive of the company. If the IT person should be unable to perform his or her duties for any reason, the executive or owner of the company can call the service provider and make necessary changes without jumping through a lot of hoops to gain ownership of the service.

Finally, have a third party review this information at least once a year. That third party could be an outside consultant or even a current employee with knowledge of the network and need for business continuity. An outside consultant has the advantage of being objective when looking at an environment and utilizing their experience to help direct and drive a “Continuity Plan” that will protect the company in the event of any number of unexpected events.


Security in the Office – A Checklist

Posted on 30, Jul | Posted by Christine L. Peterson, CPP, ISP

  • Comply with and support your company’s safety and security program and regulations, and insist that others do the same.
  • Protect wallets, keys, purses, and other personal valuables on the job. This especially includes smartphones and tablets.
  • Challenge strangers in restricted areas. The best way to approach this is from a helpful perspective, such as “Can I help you?”
  • Do not discuss company affairs off the job.
  • When leaving the office, even for a short period of time, clean up and secure your work space, with special attention to confidential documents. Also provide for the protection of company equipment assigned to you.
  • If you handle money as a part of your job, insist on positive identification before you cash checks, and refuse obviously counterfeit or questionable currency.
  • If you work in a retail establishment or any other business, guard against shoplifting and employee theft within the frameworks of the law. To deter shoplifting, speak to all customers in your area. Be wary of bulky coats, large shopping bags, partially opened umbrellas, and folded newspapers. Know your company’s policy on dealing with shoplifters, and adhere to it.
  • Make certain your employer has clear and adequate guidelines for handling complaints of sexual harassment.
  • Retain security guards, because they provide a substantial deterrent to the criminal’s expectation of success.

Security Assessment of RTP

Posted on 10, Jun | Posted by RMA

Risk Management Associates, Inc. will be conducting a security assessment of Research Triangle Park. The Research Triangle Foundation has developed and is in the process of implementing a new master development plan for the Research Triangle Park (RTP) community. As a critical component of that plan, the foundation needs to conduct a security assessment that will provide the stakeholders with the current security posture of RTP. A security assessment is one of the most cost-effective means to assess the security people, processes, and technology that are in place today and to plan for the security needs of the community moving forward.

The Research Triangle Park is home to more than 170 global companies – including IBM, GSK, Syngenta, RTI International, Credit Suisse, and Cisco – that foster a culture of scientific advancement and competitive excellence. RTP is located between three major universities: Duke University in Durham, North Carolina State University in Raleigh, and the University of North Carolina at Chapel Hill.

Through five decades, the Park still holds to its founders’ aspirations: to generate economic activity, engage the talents of local graduates and citizens and carry North Carolina forward to ever-greater prominence and prosperity.


Hidden Costs of Security Problems

Posted on 7, Jun | Posted by Tasha D. Dyson

On Wednesday, April 10, 2013, staff members at the Louvre in Paris staged a protest, and the museum did not open. (The BBC reported the full story.) They were not protesting about wages, benefits, or hours.

They were protesting about a security problem.

Pickpockets are apparently a huge problem at the museum, so much so that over 200 workers were willing to protest. According to news reports, employees were afraid of the thieves who were becoming “increasingly aggressive”.

When we think of the cost of security problems, we tend to think in terms of the monetary value of direct losses. In this example, if someone stole a painting from the Louvre – or even attempted to steal a painting – the response would be swift.

Although the protest lasted only a single day, how much revenue was lost? What damage was done to the museum’s reputation?

How bad does a security problem have to be before action is taken?


Where’s Your Wallet?

Posted on 31, May | Posted by Kevin M. McQuade, CPP

Identity theft is talked about constantly, and when it happens to someone, their response is normally “I don’t know how this happened to me”. Sometimes it is just too easy.

On a recent business trip – to a security conference no less – as we walked into a restaurant for breakfast we passed an empty booth with no one close to it. In the booth was a woman’s purse, open and just waiting to be taken.

Shortly after that, we boarded the bus that transports us to the security conference. When I took my seat, I looked over to the seat beside me. There was a man’s wallet just lying on the seat next to his backpack. The owner of these items – who works for a large security integration company – was sitting in the seat in front of his belongings. It would have been very easy to take either the wallet or the bag without his knowledge.

Maybe because this was a bus full of security professionals going to a security conference, this individual thought he was safe. He was this time, but he may not be the next time.

Let’s not make it any easier for those who insist on stealing your identity. Keep your purse, wallet, credit cards, and other items secured at all times and not left for someone to take.
