Vulnerability testing
Thanks Clifford,
Unfortunately, this is a hospital that’s decided to hire a consulting group that’s going through every vendor and expecting them to comply with certain guidelines. We’ve been assigned a risk rating that is “high” primarily because we’re a small company so we are getting a certain amount of scrutiny.
Jock
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jock Philip [jock@visionchips.com] Vision Chips, Inc.
888.517.7779 x 3563
www.visionchips.com/
Developers of OBserver OB/GYN Ultrasound Reporting and Image Archiving System
—–Original Message—–
From: omnisdev-en [mailto:omnisdev-en-bounces@lists.omnis-dev.com] On Behalf Of Clifford Ilkay
Sent: Thursday, December 14, 2017 3:43 PM
To: OmnisDev List – English <omnisdev-en@lists.omnis-dev.com>
Subject: Re: Vulnerability testing
Hi Jock,
Having been through both HIPAA and PCI processes, I can tell you that it’s mostly a matter of jumping through hoops that have more to do with CYA (Cover Your Assets) than actual security. Sure, the requirements sound great in theory but they’re not that difficult to meet and I can think of many ways that a perfectly compliant system can be hacked. You are walking into a legal minefield so before you put much effort into this, you need to discover why your customer is asking. Is there a new person in I.T. trying to impress their boss? Is this someone who wants to cover their butt in the event of a data leak? The penalties for data leakage in healthcare applications in the U.S. are onerous so this could be a customer trying to pass the hot potato back to you.
There are firms that do penetration testing and if you have to do that every time there is an update, it’s going to get pricey and that cost needs to be borne by your customers, eventually. You can’t have an open-ended liability even with all the pen testing in the world.
Doug mentioned SSL certificates. That reminded me of something surprising that I saw recently. Using Google Chrome, go to <www.bankofamerica.com/>, right mouse click and select Inspect. You should see messages in the JavaScript console like the following.
“(index):1 The SSL certificate used to load resources from www.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from secure.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from aero.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from boss.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from sofa.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.
(index):1 The SSL certificate used to load resources from dull.bankofamerica.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See g.co/chrome/symantecpkicerts for more information.”
I was surprised to see these messages so I clicked on the link for more information. If Google is going to stop trusting Symantec supplied SSL certificates within a year, why should we trust them now? Why is a banking site still using these certificates?
Here is a hair-raising excerpt from that Google blog post.
“Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.
During the subsequent investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.”
These companies charge real money for what seems to be a false sense of security. How likely is it that Bank of America doesn’t know about this issue? How likely is it that the PCI certification companies that are charging good money for tests don’t know about this either?
Regards,
Clifford Ilkay
+1 647-778-8696
On Thu, Dec 14, 2017 at 6:04 PM, Jock Philip <jock@visionchips.com> wrote:
> Thanks Doug.
>
> HIPAA is a requirement. I’ll take a look at that link.
>
> Jock
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jock Philip [jock@visionchips.com] Vision Chips, Inc.
> 888.517.7779 x 3563
> www.visionchips.com/
>
> Developers of OBserver OB/GYN Ultrasound Reporting and Image Archiving System
>
> —–Original Message—–
> From: omnisdev-en [mailto:omnisdev-en-bounces@lists.omnis-dev.com] On Behalf Of Doug Easterbrook
> Sent: Thursday, December 14, 2017 3:01 PM
> To: OmnisDev List – English <omnisdev-en@lists.omnis-dev.com>
> Subject: Re: Vulnerability testing
>
> hi Jock.
>
> others have alluded to PCI testing — but I think you need to ask the
> customer what this is about or what they are thinking.
>
> if your system does NOT use credit cards or does not allow credit cards
> to pass through the system, then vulnerability testing might be a
> whole different kettle of fish.
>
> If I recall, I think your world might mean HIPAA compliance for health
> care — I found this article online that mentions HIPAA .. I’m sure there
> are more.
> www.hitechanswers.net/hipaa-qa-on-penetration-testing-and-vulnerability-scanning/
>
> if your system processes credit cards and it is vulnerability testing,
> then there are people who do probes of a network from the outside to see if
> the network has introduced more open ports. I’ve not heard of the need
> every time you send out a patch to an application, only time based such as
> ‘once a month’ or ‘once a quarter’ penetration scans into the network.
>
> anyway .. I suspect the request comes due to HIPAA compliance based on
> my recollection of what you do. That’s the place to start.
>
> Doug Easterbrook
> Arts Management Systems Ltd.
> mailto:doug@artsman.com
> www.artsman.com
> Phone (403) 650-1978
>
> see you at the third annual users conference
> tickets.proctors.org/TheatreManager/95/online?performance=29086
>
> > On Dec 14, 2017, at 12:35 PM, Jock Philip <jock@visionchips.com> wrote:
> >
> > Anybody doing vulnerability testing in a client server environment?
> >
> > Have a customer that is requiring evidence of vulnerability testing on
> > our software whenever we do updates. Oracle database, Studio 4.3.2.1,
> > customer’s own network and their own server. Any examples,
> > suggestions, tools or anything else of any help?
> >
> > Thanks
> >
> > Jock
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Jock Philip [jock@visionchips.com] Vision Chips, Inc.
> > 888.517.7779 x 3563
> > www.visionchips.com/
> >
> > Developers of OBserver OB/GYN Ultrasound Reporting and Image Archiving System
> >
> > _____________________________________________________________
> > Manage your list subscriptions at lists.omnis-dev.com
_____________________________________________________________
Manage your list subscriptions at lists.omnis-dev.com