Vulnerability testing
Hi Jock,
Having been through both HIPAA and PCI processes, I can tell you that it’s
mostly a matter of jumping through hoops that have more to do with CYA
(Cover Your Assets) than actual security. Sure, the requirements sound
great in theory but they’re not that difficult to meet and I can think of
many ways that a perfectly compliant system can be hacked. You are walking
into a legal minefield so before you put much effort into this, you need to
discover why your customer is asking. Is there a new person in I.T. trying
to impress their boss? Is this someone who wants to cover their butt in the
event of a data leak? The penalties for data leakage in healthcare
applications in the U.S. are onerous so this could be a customer trying to
pass the hot potato back to you.
There are firms that do penetration testing and if you have to do that
every time there is an update, it’s going to get pricey and that cost needs
to be borne by your customers, eventually. You can’t have an open-ended
liability even with all the pen testing in the world.
Doug mentioned SSL certificates. That reminded me of something surprising
that I saw recently. Using Google Chrome, go to <www.bankofamerica.com/>,
right mouse click and select Inspect. You should see messages in the
JavaScript console like the following.
“(index):1 The SSL certificate used to load resources from
www.bankofamerica.com will be distrusted in M70. Once distrusted,
users will be prevented from loading these resources. See
g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from
secure.bankofamerica.com will be distrusted in M70. Once
distrusted, users will be prevented from loading these resources. See
g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from
aero.bankofamerica.com will be distrusted in M70. Once distrusted,
users will be prevented from loading these resources. See
g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from
boss.bankofamerica.com will be distrusted in M70. Once distrusted,
users will be prevented from loading these resources. See
g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from
sofa.bankofamerica.com will be distrusted in M70. Once distrusted,
users will be prevented from loading these resources. See
g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from
dull.bankofamerica.com will be distrusted in M70. Once distrusted,
users will be prevented from loading these resources. See
g.co/chrome/symantecpkicerts for more information.”
I was surprised to see these messages so I clicked on the link for more
information. If Google is going to stop trusting Symantec supplied SSL
certificates within a year, why should we trust them now? Why is a banking
site still using these certificates?
Here is a hair-raising excerpt from that Google blog post.
“Symantec’s PKI business, which operates a series of Certificate
Authorities under various brand names, including Thawte, VeriSign, Equifax,
GeoTrust, and RapidSSL, had issued numerous certificates that did not
comply with the industry-developed CA/Browser Forum Baseline Requirements.
During the subsequent investigation, it was revealed that Symantec had
entrusted several organizations with the ability to issue certificates
without the appropriate or necessary oversight, and had been aware of
security deficiencies at these organizations for some time.”
These companies charge real money for what seems to be a false sense of
security. How likely is it that Bank of America doesn’t know about this
issue? How likely is it that the PCI certification companies that are
charging good money for tests don’t know about this either?
Regards,
Clifford Ilkay
+1 647-778-8696
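The console messages above amount to a manual check for certificates issued under a CA brand that Chrome is about to distrust. The script below does the same check programmatically over the certificate dictionaries that Python's standard ssl module returns. It is an added example, not code from the thread or from any of the companies mentioned; the brand list is taken from the quoted Google blog excerpt, the function names are mine, and the sample certificate records are constructed (hypothetical hosts and issuing CAs, not real certificates).

```python
"""Flag TLS certificates issued under the Symantec-legacy CA brands named in
the quoted Google blog excerpt (Thawte, VeriSign, Equifax, GeoTrust, RapidSSL,
and Symantec itself).

Added example, not code from the mailing-list thread. Standard library only;
the sample certificate records below are constructed, not real certificates.
"""
import socket
import ssl

# Brand names from the quoted excerpt; matched case-insensitively against the
# issuer's organizationName and commonName fields.
SYMANTEC_LEGACY_BRANDS = ("symantec", "thawte", "verisign", "equifax",
                          "geotrust", "rapidssl")


def rdn_field(name, key):
    """Pull one attribute (e.g. "organizationName") out of the tuple-of-RDNs
    form that ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return ""


def issuer_brand(cert):
    """Return the Symantec-legacy brand found in the issuer name, or None."""
    issuer = cert.get("issuer", ())
    haystack = " ".join((rdn_field(issuer, "organizationName"),
                         rdn_field(issuer, "commonName"))).lower()
    for brand in SYMANTEC_LEGACY_BRANDS:
        if brand in haystack:
            return brand
    return None


def audit_certs(certs):
    """Return (subject CN, brand) for every cert whose issuer is a legacy brand.

    Those certificates stop being trusted once the browser distrust described
    in the thread takes effect, so they belong on the renewal list."""
    findings = []
    for cert in certs:
        brand = issuer_brand(cert)
        if brand is not None:
            subject_cn = rdn_field(cert.get("subject", ()), "commonName")
            findings.append((subject_cn, brand))
    return findings


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Fetch a server's leaf certificate as a getpeercert() dict over a
    verified TLS connection. Needs network access; the offline sample run
    below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample records in getpeercert() form (hypothetical hosts and CAs).
SAMPLE_CERTS = [
    {"subject": ((("commonName", "www.example-bank.test"),),),
     "issuer": ((("countryName", "US"),),
                (("organizationName", "Thawte Example CA Ltd"),),
                (("commonName", "Thawte Example Issuing CA"),))},
    {"subject": ((("commonName", "secure.example-bank.test"),),),
     "issuer": ((("organizationName", "Example Trust Services"),),
                (("commonName", "GeoTrust Example Intermediate"),))},
    {"subject": ((("commonName", "static.example-bank.test"),),),
     "issuer": ((("organizationName", "Example Trust Services"),),
                (("commonName", "Example Trust Services Issuing CA 1"),))},
]

if __name__ == "__main__":
    for cn, brand in audit_certs(SAMPLE_CERTS):
        print(f"{cn}: issued under legacy brand '{brand}', plan a replacement")
```

To run it against a live host, collect `fetch_leaf_cert(host)` for each hostname the site loads resources from (the console output lists them) and pass the list to `audit_certs`. Matching on the issuer's organization and common name is a coarse check: it catches certificates issued directly under a legacy brand, which is the case the console warnings report, but a full answer needs the whole chain back to the root.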
On Thu, Dec 14, 2017 at 6:04 PM, Jock Philip <jock@visionchips.com> wrote:
> Thanks Doug.
>
> HIPAA is a requirement. I’ll take a look at that link.
>
> Jock
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jock Philip [jock@visionchips.com] Vision Chips, Inc.
> 888.517.7779 x 3563
> www.visionchips.com/
>
> Developers of OBserver OB/GYN Ultrasound Reporting and Image Archiving
> System
>
> -----Original Message-----
> From: omnisdev-en [mailto:omnisdev-en-bounces@lists.omnis-dev.com] On
> Behalf Of Doug Easterbrook
> Sent: Thursday, December 14, 2017 3:01 PM
> To: OmnisDev List – English <omnisdev-en@lists.omnis-dev.com>
> Subject: Re: Vulnerability testing
>
> hi Jock.
>
> others have alluded to PCI testing — but I think you need to ask the
> customer what this is about or what they are thinking.
>
> if your system does NOT use credit cards or does not allow credit cards to
> pass through the system, then vulnerability testing might be a whole
> different kettle of fish.
>
>
> If I recall, I think your world might mean HIPAA compliance for health
> care — I found this article online that mentions HIPAA .. I’m sure there
> are more.
> www.hitechanswers.net/hipaa-qa-on-penetration-testing-and-vulnerability-scanning/
>
> if your system processes credit cards and it is vulnerability testing,
> then there are people who do probes of a network from the outside to see if
> the network has introduced more open ports. I’ve not heard of the need
> every time you send out a patch to an application, only time based such as
> ‘once a month’ or ‘once a quarter’ penetration scans into the network.
>
>
> any way .. I suspect the request comes due to HIPAA compliance based on
> my recollection of what you do. that’s the place to start.
>
> Doug Easterbrook
> Arts Management Systems Ltd.
> mailto:doug@artsman.com
> www.artsman.com
> Phone (403) 650-1978
>
> see you at the third annual users conference
> tickets.proctors.org/TheatreManager/95/online?performance=29086
>
> > On Dec 14, 2017, at 12:35 PM, Jock Philip <jock@visionchips.com> wrote:
> >
> > Anybody doing vulnerability testing in a client server environment?
> >
> > Have a customer that is requiring evidence of vulnerability testing on
> our software whenever we do updates. Oracle database, Studio 4.3.2.1,
> customer’s own network and their own server. Any examples, suggestions,
> tools or anything else of any help?
> >
> > Thanks
> >
> > Jock
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Jock Philip [jock@visionchips.com] Vision Chips, Inc.
> > 888.517.7779 x 3563
> > www.visionchips.com/
> >
> > Developers of OBserver OB/GYN Ultrasound Reporting and Image Archiving
> System
> >
> > _____________________________________________________________
> > Manage your list subscriptions at lists.omnis-dev.com
>