The 6 Best Ways to Prevent Privacy and Security Vulnerabilities

Mar 20, 2015
In the previous blog article we mentioned the Anthem data breach. Since then, another large scale breach of financial and medical records was announce by Premera Blue Cross, affecting up to 11 million individuals.

THE SOLUTIONS

Preventative measures provide the best protection. Actively searching out privacy and security issues is the key. This requires creating a list of the various services, infrastructure, personnel, stored data, etc. and then brainstorming as many vulnerabilities as possible that the identified assets may be susceptible to.

It is important to have traceability. If unauthorized access does happen, audit logs should exist that show where the access originated from and how much access was obtained. This can also be used as an Intrusion Detection System (IDS) where automated monitoring for anomalies are done (for example: one user logged in from two different locations simultaneously; or logins from unlikely or suspicious locations).

Some possible solutions to the issues identified in the blog “The 6 Most Common Privacy and Security Vulnerabilities” are:

  1. Application vulnerabilities – Secure coding practices and methodologies are very important. Without them, vulnerabilities will be exposed and it becomes a race to rewrite insecure code (patching) before attackers exploit it. Penetration testing is a very useful to test applications for vulnerabilities, but does not mean one can become lenient regarding secure coding. There are many such tools that scan for these types of vulnerabilities. However, the results must be carefully reviewed, as automated tests can be misleading and they cannot find everything. Creating a role-based permissions structure for users is a good way to provide access control.

     

  2. Configuration vulnerabilities – Security considerations and controls must be implemented during each step of the configuration process. The process should be planned out beforehand and software reviewed for any default insecure accounts or settings. The application code should run using a limited system account so that in the event of an application compromise, the attacker cannot use the application account to change the server configuration.

     

  3. Login Portal – Very similar to Application Vulnerabilities, secure coding (including code review) and penetration testing is needed to be confident of the login security. Multifactor authentication greatly enhances login security (most phishing emails will not be successful as having just a password is not enough). Review how session tokens are handled and use appropriate SSL (https) configurations, which can be tested online here (https://www.ssllabs.com/ssltest/).

     

  4. Insecure Servers - Servers should be reviewed periodically for their local firewall rules, old accounts, and unnecessary services that remain running. Keeping servers and installed software up-to-date and having a patch management program is essential. 0-Day vulnerabilities are common, so being even a few days late can mean the difference between compromise or not. Make sure encryption is used whenever possible, even if the traffic is only internal to the company (if the network is compromised, the data could be sniffed). Subscribe to software vendors’ security mail lists to get timely notices of any vulnerabilities.

     

  5. Network Vulnerabilities – A well-configured Firewall is needed that segregates the network into appropriate access areas (separating office, production, and development systems). An Intrusion Detection System is another control that helps monitor the network, both regarding network traffic and network devices and can be tied into application monitoring. Intrusion Prevention Systems are trickier because of the possibility of mistakenly blocking legitimate access. Review the network layout and physical access points. It is possible to lock MAC addresses to specific ports or use network port authentication to limit access to the network. There are also tools that can map out local networks and systems, such as NMAP.

     

  6. Internal Compromises / Breaches – A security and privacy awareness plan is needed to help control internal compromises or breaches. Many of these issues cannot be easily solved technically, which is why they are still so common. Frequent staff education is the best line of defense for many of these, along with technical controls (spam filtering, restricted admin levels, etc.) Any mobile device or portable storage should be encrypted. Even if not storing confidential information, losing an unencrypted laptop is bad for an organizations reputation. Using password management tools can help prevent staff from leaving passwords on post-it notes. An organization-wide desktop patch management and centralized anti-virus solution provides an added layer of security.
IT security is still very much an afterthought in most of the industry. It may seem like hacking is relatively new, but it was going on strong decades ago, popularized in movies like War Games (1983!) and Hackers (1995) and many more, but still so many don't take it seriously.

Contact CoreHealth to learn about our platform and privacy security.

ABOUT COREHEALTH TECHNOLOGIES

CoreHealth Technologies Inc. is the leading corporate wellness platform trusted by more than 1000 organizations, ranging from medium-sized businesses to Fortune 500 enterprises. At CoreHealth, we believe that developing the best employee wellness programs is all about giving wellness companies the right code, design and access to the latest innovations. With the most customization, integrations and reliability of any software in its class, CoreHealth’s powerful platform lets users focus on growing great companies. For more information, visit corehealth.global

Cindy Danielson

Written by Cindy Danielson

Cindy Danielson is CoreHealth's Marketing Maverick and team leader with a passion for connecting people and technology. In addition to marketing, she has experience as a Benefits Brokers, HR Professional and Project Manager.