Microsoft On “Silent Updates”

I’ve been saying it for years to anyone that I have met while involved in Vulnerability Management.  Microsoft packs more code into a patch than is required to fix the published vulnerabiilties, and is quietly patching unpublished security issues.  They have done this for years, and continue to do so.  Microsoft is known to also carry out silent fixes in major service pack releases.

These security vulnerabilities go unrecorded in the Common Vulnerabilities and Exposures (CVE) database, frequently used for statistical studies.  Microsoft justifies not applying for CVE records for these ‘vulnerability variants’ by pointing out that the CVE project purports to be a list of “publicly known” security vulnerabilities.  These vulnerabilities are out of scope since they were discovered internally.

Microsoft defends these ‘silent updates’, as they are known within the security community, in a blog posting by its Security Research & Defense team.

Advertisements

NY Hospital Data Theft Affects 1.7 Million

New York City officials have begun the process of notifying 1.7 million patients, staff, contractors, vendors and anyone else who was treated or that provided services during the past 20 years at 2 public hospitals in the Bronx.  The New York City Health and Hospitals Corporation said the theft could endanger the personal information of basically anyone who shared personal information with Jacobi Medical Center, North Central Bronx Hospital, or their many offsite clinics.

The stolen electronic records contained personal information, protected health information, and/or personally identifiable employee medical information.  HHC said in a statement that it “values and protects individuals’ privacy and confidentiality and deeply regrets any inconvenience and concern this may create for patients, staff and others affected.  The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data.”  Computer backup tapes were stolen on Dec. 23, 2010, from a truck operated by GRM Information Management Services that was transporting them to a secure storage location.  The theft occurred while the GRM van was left unlocked and unattended during other pickups.  GRM reported the incident to the police and dismissed the driver.  The tapes were not encrypted.

There is no evidence that the data have been inappropriately accessed or misused, HHC said.  However, HHC is providing information and one year of free credit monitoring services to anyone who may be worried about possible identity theft.

All the details are at http://www.healthcareinfosecurity.com/articles.php?art_id=3349

So, what are they doing shipping unencrypted tapes around?  How is it possible that a hospital could be so negligent?  Why do their unencrypted tapes contain data collected over  TWENTY YEARS?  Shouldn’t it be purged occassionally?  Oh, the legal fur is going to fly over this one.

M&A Security Challenges

Merging IT and security strategies that were developed at different times, under different conditions, and different management teams is no simple task.  In one organization that I worked for, innovation and growth was handled through merger and acquisition.  A trend that is quite common in the current economy as businesses look for opportunities to gain new markets, increase their corporate strengths, and bring in new talent and ideas.

The organization when I arrived had just completed 2 substantial acquisitions, extending its reach across Canada, parts of the UK, and 2 US states.  The IT team and I faced huge challenges in merging technologies, introducing a structured IT strategy, and unifying information security practices.

All 3 businesses were considerably behind the times in terms of their security programs.  There were no security policies to speak of, and head office relied primarily on contract IT and information security staff used primarily for after-hours support and fire-fighting missions.  The smaller units had basically no security considerations beyond the firewall.  It was basically building the program from the ground up in terms of staffing, training, equipment, policies and procedures.

Continue reading