Fast forward to the DarkReading article that I first noticed this past weekend.  In 2008, California passed two laws Assembly Bill 211 and Senate Bill 541, which were aimed at further incentivizing health care providers to ensure the privacy of medical records.  The laws went into effect 01/01/2009, but last week marks the first time that the California Department of Public Health (CDPH) has wielded its expanded power of  fining facilities up to $25,000/per record for allowing unauthorized access to a patient’s medical record.  CDPH has published the details here.

Five separate facilities were fined a total of $675,000.  In total, the confidentiality of 245 medical records were breached.  Although the fines varied (sometimes based on the number of people that accessed the records), in aggregate, that puts the cost/record breached at $2,755. A far cry from the $25,000/record mark (though some instances did receive that level of penalty), but still a substantial cost.  Given the relative low volume (when compared to the numbers frequently seen in credit card breaches), it is hard to anticipate if thousands or tens of thousands of records were breached whether the penalties would remain this high.

While I welcome the increased penalties that might help persuade organizations to make further strides in ensuring the confidentiality of sensitive data, I am worried about the (un)anticipated side effects.  The CDPH has made the sanitized reports available on their website.  One phrase seems to be a fairly common theme, “the facility reported the breach”.  I applaud the facilities for reporting these breaches of medical privacy, but will every facility be so forthcoming given the potential for fines.  Would a private for-profit hospital be hesitant to report the breach of 1,000 records knowing that it could  result in $25,000,000 in fines?  I hope so, but something tells me that not every health care provider would reach the conclusion that self-reporting is in their best interest.  As a parting shot, know what the cost/day fine is if it is found that a facility didn’t report a breach? A hundred bucks…  Seriously?  Not sure a benjamin is a strong incentive for early reporting…

The code to be used is: IN401

Here is the link to the class particulars: http://www.sans.org/info/52819

If you aren’t already familiar, the vlive format is an online delivery method that basically allows you to take the full course in weekly live webcast-style chunks.  Dr. Cole and I will be co-teaching the course beginning 1/19.  The sessions will run from 7-10PM Eastern every Tuesday and Thursday for approximately 6 weeks.

Personally, I find the vLive format to be quite compelling because it gives you both substantially more time to digest the material in each book (as opposed to 6 bootcamp style days at a conference), as well as having access to the instructors for an extended period of time.  Also, the folks signing the checks tend to really appreciate the lack of travel and conflict with most folks’ normal business hours.  Incidentally, if you happen to miss a session (or just need to hear it again) then the you can access a recorded version of the session that is available the day after we teach live.

Please let me know if you have any questions about SEC401, the vLive format, or anything else.

Hope to see you there.

Seth

http://www.sans.edu/resources/musings/1439.php

I just got my hands on a copy of the bill, and am gonna try to read through it while waiting at the doctor’s office this afternoon…  Hopefully can cobble some thoughts together this weekend.

Even if it doesn’t pass or gets completely rewritten, I expect this bill will be important for our field.

Please feel free to leave a comment or email me at seth combined with this domain name.

Seth Misenar

Here is the text of the email, which includes the discount code of  STS_OD

To help you with your training needs, SANS is offering a Spring Training
Special on ALL courses in our extensive SANS OnDemand online course
library. Register and pay now through Thursday March 26th, 2009 and
receive a 20% discount on ANY SANS OnDemand course! Register at
http://www.sans.org/info/40138 and use the discount code "STS_OD".

For group or multi-course training needs, save an additional 10% on our
already discounted SANS OnDemand Flex Passes through March 26, 2009.
Check it out at http://www.sans.org/info/40133.

Not sure online training is for you?  Try any of our OnDemand course
demos at http://www.sans.org/info/40123.

With SANS OnDemand, students receive:
 * 4-months access to our 24/7 online training and assessment system
 * Full set of course books and hands-on CDs
 * Synchronized online courseware and lectures
 * Integrated assessment quizzes throughout the course
 * Access to OnDemand Virtual Mentors
 * Labs & hands-on exercises
 * Progress Reports

In today's economy, travel budgets are very tight and even justifying
money for critical training can be difficult.  Many students have found
SANS OnDemand online training and assessment as a great alternative.  It
allows you to receive the same high quality SANS training while saving
100% of your travel costs.  Furthermore, it allows you to learn without
leaving home or the office. You can train anytime, anywhere!

Check out what a few of our students say about SANS OnDemand...

 "I got more out of this course than I had with any of the other SANS
 classes that I participated in. The quizzes at the end of each
 presentation helped reinforce the information presented.  I couldn't
 fake it.  I had to know it and retain it." - Richard Gancze, OCI

 "It was like having the teacher right there. Having each piece of the
 lecture broken up into little pieces helped me retain the information.
 You guys did an outstanding job creating this program." - Robert
 Urbanowicz, Parkway Insurance Company

 "I have several GIAC certs. My highest exam scores are from when I use
 OnDemand training." - Brad Fulton, SMS Data Products

If you have any questions about SANS OnDemand, write to
ondemand@sans.org or call us at (301)654-7267.

And remember that every SANS OnDemand purchase earns you points towards
future OnDemand training! http://www.sans.org/info/40128

Be sure to tell your friends and colleagues about this great opportunity!

Kind Regards,

Kimie Cabreira
Director
SANS OnDemand

The live stream should go up around 1845 EDT with the show starting around 1900EDT.  Further details can be found here: http://pauldotcom.com/security-weekly/

Hope to see you there.

Seth Misenar

Not sure when this was released, but I am sure that it was pretty recently.  From the title I wasn’t really expecting much, but was pleasantly surprised by the clarity with which the tips were explained.  Frank Kim and Ed Skoudis co-authored this pithy 6 page paper.

Here is the description from the SANS Reading Room:

Many web application vulnerabilities are a direct result of improper input validation and output filtering, which leads to numerous kinds of attacks, including cross-site scripting (XSS), SQL injection, command injection, buffer overflows and many others. This article describes some of the best defenses against such attacks, which every Web application developer should master.

This offering looks to be part of a new series from SANS entitled, Working Papers in Application Security. I am looking forward to future papers if they are written as lucidly as this one.

Good work, Frank and Ed.

Here is the link to get the document: http://www.sans.org/reading_room/application_security/protecting_web_apps.pdf

Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit

Featuring: Seth Misenar

In this preview to the newly updated SEC542 Web Application Penetration Testing course being offered in Amsterdam, you will learn how build and control your very own zombie battalion/Army of Darkness. The discussion will start with a whizz|bang overview of the new 6 day version of SEC542, and quickly move to XSS Frameworks and, of course, zombies galore. Whether you are excited or petrified by the prospect of zombies, join Seth Misenar for this hour long webcast. As Bruce Campbell/Ash of Evil Dead fame would say, “Groovy”.

Speaker Bios:

Seth Misenar:

When not watching zombie films, Seth Misenar serves as Founder/Lead Consultant for Context Security, which provides information security though leadership, independent research, security training, and security consulting services. His background includes network and web application penetration testing, vulnerability assessment, regulatory compliance efforts, security architecture design, as well as general security consulting. He has previously served as both a physical and network security consultant for Fortune 100 companies as well as the HIPAA and Information Security Officer for a state government agency.

In his former life, Seth received a B.S. in Philosophy from Millsaps College where he was twice selected for a Ford Teaching Fellowship. Also, Seth is no stranger to certifications and thus far has achieved credentials which include, but are not limited to, the following: CISSP, GSEC, GCIA, GCIH, GCWN, GCFA, GHTQ, GWAS, and MCSE credentials. He has previously taught numerous SANS classes including SEC401: Security Essentials, SEC504: Hacker Techniques, and SEC542: Web Application Penetration Testing. In addition to serving SANS in an teaching capacity, Seth also serves as both Virtual Mentor and Technical Director for SANS OnDemand.

Ed Skoudis (of InGuardians and SANS 504/517/560 fame) twitted about the release of 3 new cheat sheets this morning.  The sheets are hosted on SANS website and links to them can be found on InGuardians (http://www.inguardians.com/pubs/articles.html).

Here is the description from InGuardians:

“Ed Skoudis releases 3 new cheat sheets for the most useful Windows command-line tools, Netcat, and other useful attack tools (Metasploit, Fgdump, and Hping). Get ‘em while their hot!”

Links:
Netcat: http://www.sans.org/resources/sec560/netcat_cheat_sheet_v1.pdf

Windows command line: http://www.sans.org/resources/sec560/windows_command_line_sheet_v1.pdf

Metasploit, Fgdump, Hping, etc.: http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf

Seth Misenar

This seems to follow nicely with the previous post referencing, CeWL.  Also dovetails nicely with me currently listening to Day 4: Password Attacks of SANS 560: Network Penetration Testing and Ethical Hacking …

So what does AWLG do?

“The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion.”

The about page indicates that MySpace pages, Wikipedia articles, etc. are searched.  That etc. is pretty important, but it is a fun tool to play around with.  Although the same Darknet article makes mention also of Wyd, but I think AWLG is a nice addition as you don’t have to have already downloaded the files to be searched, and can instead rely on internet search engines.  Likewise this tool has some facility beyond CeWL also, again because you don’t have to already know where the associated content can be found.  All in all a nice addition to my kit.

Also worth mentioning is that the stated privacy policy for AWLG to “not record any transmitted search strings or user information”

Definitely check out the cute stick figure animated explanation of AWLG – pretty funny: http://www.awlg.org/whatis.gen

SANS OnDemand online training has extended the 25% off discount promotion that was being run at the end of 2008.  This is one of the steepest discounts I’ve seen for SANS training of any kind.  In the current economy, training without travel can certainly be amenable to those signing the checks for ongoing education.

This is, of course, a limited time deal.  You must register before 01/22/2009.

Use discount code: ODEY_08E

Please let me know if you have any questions about SANS training in general or SANS OnDemand in particular.

http://www.sans.org/ondemand/