Prove it or Lose it

Pop quiz: what are security controls? Are they ethereal, like policies, standards, or procedures, or are they physical things like firewalls and WAFs? The answer is all of the above. A security control is something you do or use that is intended to make you or your data more secure. That includes policies, training materials, and all other tools and solutions employed. So obviously we need controls, and we have often put in considerable effort to get them, but what about needing to prove how well the controls are performing?
Overview

During an application security assessment performed for a client, we encountered an application that was relying heavily on the encryption features of the Tabular Data Stream (TDS) protocol implemented in Microsoft SQL Server to protect communications over untrusted networks. Out of curiosity, we investigated how different configuration settings on both the server and client change the security properties of this protocol. We quickly realized that their communications were insecure.
Interview with Kate Othus

We recently had an opportunity to chat with Kate Othus, Partner and Healthcare Business Advisor at Aldrich. Kate asked us about the changes to HIPAA under the Omnibus Final Rule and how they will impact medical practices. We’ve included the transcript below.

What are some of the recent changes to HIPAA that are causing heartburn for medical practices?

HIPAA, as we experience it in the Privacy and Security Rules, went into effect in 2003 and 2005, respectively.
What is IP whitelisting?

Why do you want us to whitelist you against our WAF/IPS? When we perform penetration tests and vulnerability assessments, we often ask clients to whitelist our source IP addresses. This allows us to be unfettered in our interactions and assessments of a client’s server. We request this to accomplish the following:

a) To aid the client in recognizing and differentiating the network traffic we generate during a test