Category Archives: Security

PCI DSS Scope

Trey Ford raises some good questions, which amount to asking about systems that may (or may not) hold cardholder data but are important enough to warrant scope-creep analysis.

Of course it’s easy for us to say “test all of them” when we sell security testing services. However, in my experience, explaining ways to reduce scope without increasing risk is far more popular. :)

Security managers are not always blessed with a budget that can afford a “test all” approach. They usually only get support to build a keep smaller than the entire castle, if you will. Although you hinted at it, I would add that PCI DSS compliance should come from a risk-based approach. This is how to safely reduce scope as well as costs for validation.

Note that DSS 1.2 changed Requirement 6 to say “a risk-based approach may be used to prioritize patch installation”. Can the same be said for selecting sites and systems to be in scope? If cardholder data is transmitted, processed or stored, then it’s certainly in scope; if it isn’t, then the asset value, frequency and likelihood of compromise related to the non-CHD systems could still bring them into scope. Know your sites, but more importantly know your processes.

Back to my cheesy castle example, this is like saying if you are someone within the walls who has access or potential access to the king, then you also should be within scope of a keep security assessment. Your identity and your possessions are important to know, but your routine (processes) are also a key to understand (pun intended). The king’s security should assess the risk from this perspective and consider changing to a more isolated routine, which would thus reduce the scope/cost of protection.

All that being said, I noted a curious mistake in Trey’s writing:

Four good questions ome

Don’t you just hate when that happens? Automated checks, visual cues (e.g. code highlight)…and yet bugs still creep into web sites, even those of web security experts.

HMRC Tax Fraud

Fraudsters are trying to manipulate the HMRC web interface to redirect tax rebates.

All they need is a password and some personal details to redirect the rebates.

The HMRC has posted related scam examples, apparently meant to help stop the fraud, but it has some confusing language itself:

HMRC would not inform customers of a tax rebate via email, or invite them to complete an online form to receive a rebate of tax.

Do not visit the website contained within the email or disclose any personal or payment information.

Email addresses used to distribute the tax rebate emails include:

* hmrc@tax-revenue.uk
* refundsdept@hmrc.gov.uk
* tax-credits@hmrc.tax-credits.co.uk
* hmrc@tax-revenue.uk
* refunds@hmrc.gov.uk
* Tax-credits-office@hmrc.co.uk
* taxcredits@hmrc.co.uk
* refunds@hmrc.co.uk
* tax-service@hmrc.customs.gov.uk
* refundtax@hmrc.gov.co.uk
* TaxRefund@hmrc.gov.uk
* service@hmrc.gsi.gov.uk
* notice@hmrc.gov.uk
* hmrc@hmrc.gov.uk
* admin@hmrc.gsi.gov.uk
* info@hmrc.gsi.gov.uk
* services@hmrc.gsi.gov.uk

HMRC does not send out emails using these email addresses.

“Email addresses used to send out email are…the HMRC does not send out email using these addresses.”

Also confusing is the phrase “Do not visit the website contained within the email…”, since the link may appear to be the HMRC site while a hidden/bogus redirect is the actual reference. In other words, link text reading “HMRC Website” could have “http://attacker.badsite.co.uk” as the actual, obscured target.

Perhaps they could say instead that you should never click on a link in email. Users should adopt the latest secure browser and only go directly to the HMRC site: http://www.hmrc.gov.uk/

Examples of the fraud can be found here, or by going directly to http://www.hmrc.gov.uk/security/examples.htm ;)
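The hidden-link problem described above, as an added example that is not part of the original post: a small Python check that pulls every anchor out of an email body, compares the domain the link text displays with the host the href actually points to, flags any target outside hmrc.gov.uk, and classifies a From: address against the sender list HMRC published. The sample email body is constructed; the bogus target http://attacker.badsite.co.uk and the sender list come from the post. Several of the listed fraudulent addresses end in hmrc.gov.uk, so the sender check treats a genuine-looking domain as unverified rather than safe.

```python
"""Spot deceptive links and spoofed senders in a suspected HMRC rebate email.

Added example, not from the original post: the sample message below is constructed;
the spoofed sender list and the bogus link target are the ones quoted on the page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The one domain a genuine rebate notice could legitimately point to.
TRUSTED_DOMAINS = ("hmrc.gov.uk",)

# Sender addresses HMRC says the fraudsters use (as quoted above, lower-cased).
SPOOFED_SENDERS = set("""
hmrc@tax-revenue.uk refundsdept@hmrc.gov.uk tax-credits@hmrc.tax-credits.co.uk
refunds@hmrc.gov.uk tax-credits-office@hmrc.co.uk taxcredits@hmrc.co.uk
refunds@hmrc.co.uk tax-service@hmrc.customs.gov.uk refundtax@hmrc.gov.co.uk
taxrefund@hmrc.gov.uk service@hmrc.gsi.gov.uk notice@hmrc.gov.uk hmrc@hmrc.gov.uk
admin@hmrc.gsi.gov.uk info@hmrc.gsi.gov.uk services@hmrc.gsi.gov.uk
""".split())

REASON_MISMATCH = "visible link text names a different domain than the real target"
REASON_UNTRUSTED = "target is not an HMRC domain"
SENDER_SPOOFED = "address is on HMRC's list of fraudulent senders"
SENDER_UNTRUSTED = "sender domain is not hmrc.gov.uk"
SENDER_UNVERIFIED = "hmrc.gov.uk sender, but a From: header alone proves nothing"

# Something that looks like a domain name inside link text (needs at least one dot).
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lower-cased host of a URL, or of a bare domain such as www.hmrc.gov.uk."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse_links(html_body):
    """Return one finding per anchor whose real target does not match what it shows."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        shown = DOMAIN_RE.search(text)
        if shown and host_of(shown.group(0)) != actual:
            findings.append({"text": text, "host": actual, "reason": REASON_MISMATCH})
        elif not is_trusted(actual):
            findings.append({"text": text, "host": actual, "reason": REASON_UNTRUSTED})
    return findings


def check_sender(address):
    """Classify a From: address; an hmrc.gov.uk address is not proof of origin."""
    addr = address.strip().lower()
    if addr in SPOOFED_SENDERS:
        return SENDER_SPOOFED
    if not is_trusted(addr.rpartition("@")[2]):
        return SENDER_UNTRUSTED
    return SENDER_UNVERIFIED


# Constructed sample: the link text says HMRC, the href says otherwise.
SAMPLE_EMAIL = """
<p>You are due a tax rebate. Claim it on the <a href="http://attacker.badsite.co.uk/refund">HMRC Website</a>
or at <a href="http://attacker.badsite.co.uk/r2">www.hmrc.gov.uk</a>.
Genuine guidance: <a href="http://www.hmrc.gov.uk/security/examples.htm">www.hmrc.gov.uk</a>.</p>
"""

if __name__ == "__main__":
    print(check_sender("refundsdept@hmrc.gov.uk"))
    for f in analyse_links(SAMPLE_EMAIL):
        print(f"{f['reason']}: '{f['text']}' -> {f['host']}")
```

Only the third anchor in the sample passes: its visible text and its href agree and both sit under hmrc.gov.uk. A check like this belongs in a mail gateway or a user-facing warning banner, not in the user's head, which is the point the post makes about "never click on a link in email".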

Jackson Memorial Insider Breach

Jackson Memorial Hospital advertises itself as ranked among “America’s Best Hospitals” by U.S. News & World Report.

I wonder if the insider breach reported in the Sun Sentinel might change that status.

Ruben E. Rodriguez allegedly paid JMH ultrasound technician Rebecca Garcia $1,000 a month for the hospital records of hundreds of patients treated for slip-and-fall accidents, car-crash injuries, gunshot wounds and stabbings, federal authorities said.

Rodriguez then brokered the patients’ names, addresses, telephone numbers and medical diagnoses to the lawyer, according to an indictment.

The story supports several of my predictions in the “Top 10 Security Breaches” presentations. Note, for example, that the theft went on for several years without being detected by even simple security measures.

The story goes that a business proposition was made in 2006 by Rodriguez. Garcia agreed in 2007 and started to access records of patients outside her department or whom she had not treated. Easy to detect? Absolutely. When I ran computer security for a radiology department around the time HIPAA was being ratified, the ultrasound systems were very distinct from even other radiology procedures and processes, let alone treatments outside the department. The more distinctly a care center operates, the easier it is to distinguish its users’ behavior on the network. It might seem impossible to tighten controls around role-based access until you take a high-level view of the business and realize that everyone already sees differences between themselves and the other teams, shifts, departments, etc.
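Detection of the kind the paragraph above calls easy, as an added example that is not part of the original post: a Python script over a constructed chart-access audit log that compares the accessing user’s department with the departments holding an order for that patient, reports every access that has no treatment relationship behind it, and raises a user for review once the count passes a threshold. Usernames, patient ids and the order table are all made up; the department names follow the injury types mentioned in the story.

```python
"""Flag chart accesses that fall outside a user's department.

Added example, not from the original post: the audit log and the order table
below are constructed; usernames and patient ids are made up.
"""
import csv
import io
from collections import Counter

# Constructed audit log of record opens (one line per chart view).
AUDIT_LOG = """\
timestamp,user,department,patient_id
2007-03-01T08:02,ustech01,ultrasound,P1001
2007-03-01T08:40,ustech01,ultrasound,P2002
2007-03-01T09:15,ustech01,ultrasound,P2003
2007-03-01T09:30,ustech02,ultrasound,P1001
2007-03-01T11:05,ustech01,ultrasound,P2004
2007-03-01T11:50,ustech02,ultrasound,P2002
2007-03-01T12:10,ustech01,ultrasound,P1005
2007-03-01T13:00,ustech02,ultrasound,P1005
"""

# Constructed: departments holding an order (a treatment reason) for each patient.
ORDERS = {
    "P1001": {"ultrasound", "obstetrics"},
    "P1005": {"ultrasound"},
    "P2002": {"orthopedics"},        # slip-and-fall, never sent to ultrasound
    "P2003": {"trauma", "surgery"},  # gunshot wound
    "P2004": {"neurology"},          # car-crash injury
}


def out_of_scope_accesses(log_text, orders):
    """Return (user, patient_id) pairs where the user's department has no order for the patient.

    A patient with no order on file at all is also out of scope: there is no
    treatment relationship that would justify opening the chart.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        treating = orders.get(row["patient_id"], set())
        if row["department"] not in treating:
            hits.append((row["user"], row["patient_id"]))
    return hits


def flag_users(log_text, orders, threshold=2):
    """Return {user: out_of_scope_count} for users at or above the threshold.

    A single cross-department view may be a legitimate consult; a pattern is not.
    """
    counts = Counter(user for user, _ in out_of_scope_accesses(log_text, orders))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, patient in out_of_scope_accesses(AUDIT_LOG, ORDERS):
        print(f"out-of-scope: {user} opened {patient}")
    print("users to review:", flag_users(AUDIT_LOG, ORDERS))
```

The order table is the key input: an EHR or RIS already knows which department requested which study, so the check needs no behavioral modeling, only a join between the access log and the orders. Tune the threshold per role; the point of the threshold is to surface a sustained pattern like the one in the story rather than a one-off consult.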

Was this a HIPAA violation? I’m not a lawyer, but…fortunately in 2009 Garcia had a change of heart and contacted authorities herself.

My question is still whether the type and frequency of incidents will be incorporated into future ratings of hospitals in America.

Chinese Onion Loyalty Bracelet

The humor never stops at the Onion. Now owned by Chinese, America’s Finest News Source has posted a series of Hot New Consumer Products, such as the Loyalty Bracelet.

Yu Wan Mei Loyalty Bracelet: Show your loyalty to Yu Wan Mei and its line of products in a high-fashion way! The bracelet looks so nice for men or women—even the GPS chip inside is designed with an eye for style. Do not remove the Loyalty Bracelet.

Do not remove the GPS loyalty chip. Ha ha, clever, but I am curious whether they could have named it the LiveWong bracelet.