Redspin Research
|
A Behind The Scenes Look Into Our Audits
Interested in some of the research, presentations and articles we have prepared? The following material was created by various members of the Redspin team and includes academic security research, articles for publication and presentations to the business community.
If you have any questions or comments about this material feel free to contact us at info@redspin.com.
White Papers
Best Practices in Healthcare Information Security and Compliance
Successful healthcare information security starts with strong organizational leadership. Internal risk management is the key for ensuring information confidentiality, business process availability, and data integrity. The ability to adapt to continuously evolving security threats can lead to enduring competitive advantage.
Read White Paper
Trends in Healthcare IT: Understanding HITECH, the HIPAA Security Rule, and How to Safeguard Your Electronic Protected Health Information (EPHI)
There are increasingly strong private and public incentives to implement electronic exchange of health information. Recent federal legislation mandates greater enforcement of laws for safeguarding electronic protected health information.
Security risks should be mitigated to avoid costly penalties, protect company reputation, and gain competitive advantage.
Read White Paper
Top Information Security Issues and Threats
Knowing your enemy is just as important in security as it is in traditional warfare. Understanding the specific incidents and process breakdowns from the past and being prepared for the future is helpful in moving your security program forward. Our hope is that you find this report equally valuable in coming to terms with planning and implementing your security program.
Read White Paper
Can Healthcare Leaders Learn Information Security Lessons from the Financial Services Industry?
This paper provides forward-looking guidance to health IT managers and healthcare executives who could significantly reduce business risks associated with the confidentiality requirements of electronic health information (EHI). We compare the healthcare regulatory environment to that of financial services regarding the handling of customer confidential information. Because each industry segment has followed very similar paths, and because critical milestones of the financial services legislation were passed years before, the healthcare industry has the opportunity to learn from financial service providers' mistakes. We discuss some of the lessons that can be learned from the financial services industry, how to avoid the pitfalls they have uncovered, and how to create an effective and efficient information security program.
Read White Paper
Information Security Considerations and Recommendations for IT and Business Decision Makers
This white paper outlines considerations and recommendations for reducing business risk through the use of an effective enterprise information security program. Our goal is to present information that will be helpful not only to IT and information security professionals but to business unit general managers as well. Throughout, we take the perspective of presenting and considering choices based on optimizing a security program for effectiveness, efficiency and business impact.
Read White Paper
The Greatest Risk to Your Website: 30% of Database-Driven Sites Vulnerable to SQL-Injection
SQL-injection refers to a set of methods and techniques designed to exploit an SQL database server that sits behind web applications. While most firewalls block all inbound traffic to the internal network, they typically allow traffic from the public internet to web applications through HTTP/HTTPS. There are a range of SQL-injection attack scenarios, all based around the insertion of simple characters into web-application input forms.
Read White Paper
Data Sheets
Healthcare/HIPAA Security Assessment
Protecting your healthcare information is mission critical. The migration toward Electronic Health Records (EHRs) has heightened awareness of the need for increased healthcare information security. The business incentive for moving to EHRs was given a boost by the US Government through the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Read Data Sheet
Infrastructure Security Assessment
Your information security environment is under pressure. You must reduce the risk to the business, cope effectively with regulatory requirements and combat an increasingly sophisticated threat landscape including cybercrime, internal threats and malicious activity on the part of business partners. Each of these areas presents unique threats and security challenges.
Read Data Sheet
Web Application Security Assessment
Web application threats have become generally recognized as the most prevalent attack vector in the industry today. Whether these threats are directed from external attackers, malicious insiders or errant business partners, an informed approach calls for systematic assessments that can help you meet your business goals for software security.
Read Data Sheet
Questionnaires
Self Assessment Questionnaire: Curious to see How Secure Your Network Is?
This checklist summarizes some common issues that can be addressed by your IT department or audit groups to target areas of probable risk to the confidentiality and integrity of data as well as system availability. This is an overview of common issues rather than a complete security guide, but we hope it serves to help you identify some areas on which to focus your mitigation resources.
View Self Assessment Questionnaire
Articles and Industry Research
Ensuring Security and Privacy in the Rapidly Growing Healthcare Information Exchange Market
Recently, the first major distribution of HITECH Act funds occurred when the Department of Health and Human Services (HHS) awarded over $547 million to states and territories for the establishment of public Health Information Exchanges (HIEs). These exchanges are intended to provide the technology and infrastructure to support electronic sharing of data among hospitals, physicians, clinical laboratories, pharmacies, health plans (insurers), and public health departments.
Read Industry Brief
Identity Theft Check Up: Electronic Medical Records are the New Credit Cards
–Researched by David Bailey, Security Engineer at Redspin
As reported in HealthcareInfoSecurity.com, this article explores the increasing risk of medical identity theft as more hospitals and physicians adopt electronic medical records (EMR). It will shed light on the emerging trend of thieves targeting patient records for the medical information contained within them and will outline recommendations for how healthcare organizations can safeguard EMRs.
Read Article | Download PDF (379K)
Security Report | Top 10 Network Security Threats of 2008 Q2 Update
Understanding the trends and patterns of the past is the key to understanding the future, and security is no exception. The following security threat trends for 2007/2008 have been compiled as a result of their frequency and growing prominence over the course of audits performed during the previous year. These common and fundamental security issues typically arise from the same categorical underlying cause. Most organizations have had enough compliance audits and possess enough intuition of best practices to understand that security controls are necessary to mitigate risk. However, there continues to be a significant discrepancy between what management believes the controls are doing and what the controls are — in fact — actually doing from a security standpoint.
Read Security Report
Anatomy of a Hack
The following story is true. It took place on a live production network. The tools, methods, vulnerabilities, and risks are all very real. Names and IP addresses have been changed to protect the businesses involved.
What makes this interesting to me, and why I thought it would be educational to document this, is the unique chain of misconfiguration and vulnerabilities that had to line up to allow a hack of this scale. The vulnerabilities by themselves weren't that critical, but the information I was able to obtain and the level of access I had are the things that nightmares are made of. This isn't skimming a few credit card numbers or sniffing some sensitive docs over unsecured wireless. This is the type of hack that makes businesses close their doors with little chance of recovery. If there is one thing I hope you can learn from this, it's: care about the little things, because fixing even one of the minor vulnerabilities described here could have broken this entire chain of events.
Read Article
ATM Security: The Real Inside Man
The purpose of this effort is to elevate the awareness of the risks associated with automated teller machines (ATMs) connected to a bank's internal network. Given the number and severity of current debit/ATM card incidents, it is time to reexamine existing security controls.
Download PDF (156K)
Laptop Security
Did you know that your company's confidential information is climbing over your corporate firewall and escaping from your fancy intrusion detection systems? Every day, gigabytes of information walk right out your front door—on your company's laptops. How expensive would it be if one of these laptops was stolen?
Read Article | Download PDF (91K)
Digital Forensic Reconstruction
This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis of the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. The attack is formulated as an event chain and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate forensic testing of a digital crime using minimal resources.
Read Article | Download PDF (292K)
Operational Integrity
Cost effective strategies for community bank security. This is a summary of a presentation to members of the banking and financial services industry.
Read Strategy Outline | Download PDF (238K)
Security Checklist
This is a summary checklist provided to bankers as part of the Operational Integrity presentation above. While this is by no means a complete checklist, it summarizes common issues we have repeatedly identified after completing hundreds of audits in the financial services industry.
Read Checklist | Download PDF (90K)