May 30, 2017
While sitting in a waiting area at a business in Dallas, TX, I started looking at my phone. As time went by I started looking for a Wi-Fi connection so I wasn't using all of my data surfing the Internet. There were two open networks. So, I clicked on one, brought up Safari, and I landed right at the business's fax/scanner. You can't imagine the type of data pertaining to the business I saw. However, here is the real big no-no.
They had, mixed in with other documents, faxes of customer orders, complete with credit card data (all of it...and it was still valid). The following is a sample in which I smudged out pretty much everything that might get me into trouble.
May 29, 2017
I'm seeing more people use Ansible as their deployment and configuration management tool. A while back, Ansible created a way to encrypt playbooks so that they can't be read when they are in a stored state. This is important if you have passwords incorporated into variables or maybe even proprietary code in your playbooks.
Now, with your playbook encrypted, the contents are protected from those who don't have a need to know. And if a hacker does get your playbooks in the event of a hack, they won't have all of your secrets.
Ansible makes this very simple by using the ansible-vault command to create, view, and edit an encrypted playbook.
The password that encrypts the playbook can be supplied at runtime in a couple of different ways.
See the full documentation for examples and keep your code secure.
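To confirm that nothing sensitive is sitting unencrypted in a stored state, the following added example (not from the original post or from Ansible) reports YAML files that contain secret-looking keys but lack the `$ANSIBLE_VAULT;` header that ansible-vault writes. The function names, the key-name pattern and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list YAML files that hold secret-looking keys in plaintext.
# A vault-encrypted file starts with "$ANSIBLE_VAULT;<version>;<cipher>".

# Succeeds when the first line of file $1 is an ansible-vault header.
is_vaulted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;[0-9.]*;[A-Z0-9]*'
}

# Succeeds when $1 has a secret-looking key (assumed naming convention) whose
# value is neither an inline "!vault" block nor a "{{ ... }}" reference.
has_plain_secret() {
    grep -Ei '^[[:space:]]*[a-z0-9_]*(password|passwd|secret|token|api_key)[a-z0-9_]*[[:space:]]*:' "$1" |
        grep -Evq '!vault|\{\{'
}

# Prints each *.yml / *.yaml file under $1 that is plaintext and has such a key.
unvaulted_secrets() {
    find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort |
    while IFS= read -r f; do
        if ! is_vaulted "$f" && has_plain_secret "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Builds a constructed sample tree under $1 (payload lines are made-up hex).
make_sample() {
    mkdir -p "$1/group_vars"
    # Whole file encrypted: safe to store.
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '6231386361633962' \
        > "$1/group_vars/web.yml"
    # Single value encrypted inline: also safe.
    printf '%s\n' 'api_token: !vault |' '  $ANSIBLE_VAULT;1.1;AES256' \
        '  3839663166313466' > "$1/group_vars/app.yml"
    # Plaintext password: should be reported.
    printf '%s\n' 'db_user: app' 'db_password: hunter2' \
        > "$1/group_vars/db.yml"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
unvaulted_secrets "$demo_dir"
rm -rf "$demo_dir"
```

Run against a real repository as a pre-commit or CI step, any path it prints is a candidate for `ansible-vault encrypt`.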
May 26, 2017
This style of attack isn't going away anytime soon. There is a long history of criminals profiting from encrypting individual hosts and holding them for ransom. While the news has talked about how large companies should defend themselves, it is the home user that I'd like to address here.
There are several things that you should be doing:
Now, if you get hit by a nasty bug that encrypts all of your files, just restore your computer and retrieve the latest backups of your files.
May 2, 2017
HIPAA is like so many other compliance initiatives where companies perform what's required, check all the boxes, and move on with their everyday business. I find that a lot of companies may have set up a program and made the initial investment to become compliant, but many have slipped since and are no longer doing what they should. The truth is that we should be doing so much more than just complying with HIPAA.
Some recent news articles point out issues with maintaining a secure environment for healthcare data:
Some things to think about:
If you feel like you should be doing more, then maybe it's time for a 3rd party to come in and take a look. AgileSecOps can assist in performing a gap analysis of your HIPAA compliance and of your operational environment. Call or email us today so we can discuss next steps.