Secure Solutions from Lunarline
In This Issue
Cyber Security & IA Training
ARRA Roadmap to Stimulus Funds
The C&A Transformation
Social Engineering Attacks
Occupant Emergency Plan: SP 800-34 Revision 1
Career Opening!
'Lunarline's success primarily comes from listening to their customers, attracting quality employees and maintaining a myriad of skill sets that distinguishes them from their competitors.'

- Audrey Sawyer, CEO ASIS
 
Issue #0610, Lunarline Newsletter
ARRA HITECH Stimulus - $19 Billion at Stake
Develop Your Roadmap to Attain Meaningful Use and HIPAA Security Rule Compliance

In a time when hospitals and physicians are seeing declining reimbursements, the American Reinvestment and Recovery Act (ARRA) Medicare/Medicaid Electronic Health Record (EHR) Incentive Program is a rare opportunity to be eligible for substantial incentives. However, the road to attaining the incentives is complicated. Uncertainties related to the definition and documentation of meaningful use can translate to lost incentives or, even worse, penalties!

As the definitions governing "meaningful use of certified technology" continue to evolve, it is critical to develop a roadmap to help your organization comply with the moving target of rules regarding compliance and documentation and get your fair share of the incentives.

3 Myths of the Hospital Program
1) Hospitals must decide between the Medicare or Medicaid ARRA incentives: FALSE - "Eligible hospitals can qualify to receive payments from both the Medicare and Medicaid EHR incentive programs."

2) Hospitals must meet all requirements by October 1st, 2010 to receive the 2011 incentives: FALSE - "Centers for Medicare & Medicaid Services (CMS) propose that, for the first year an eligible hospital demonstrates meaningful EHR use, an EHR Reporting Period equals any 90 continuous days beginning and ending within the year." 
 
3) In 2011, hospitals must electronically transmit all Meaningful Use objectives to CMS: FALSE - "In 2011, all of the results for all objectives/measures, including clinical quality measures would be reported by Eligible Providers (EPs) and hospitals to CMS, or for Medicaid EPs and hospitals to the states, through attestation."

3 Myths of the EP Program
1) PAs and FNPs are eligible for both the Medicare and Medicaid ARRA incentives: FALSE - "A Medicare EP is a doctor of medicine or osteopathy, a doctor of dental surgery or dental medicine, a doctor of podiatric medicine, a doctor of optometry, or a chiropractor." "EPs (Medicaid) are physicians, dentists, nurse practitioners, certified nurse midwives, and physician assistants practicing predominantly in a Federally Qualified Health Center or Rural Health Clinic (FQHC/RHC) that is directed by a physician assistant."
 
2) Eligible Providers must meet all requirements by January 1st, 2011 to receive the 2011 Medicare incentives: FALSE - "For the first year an EP applies for and receives an incentive payment, CMS proposes that an EHR Reporting Period is 90 days for any continuous period beginning and ending within the year." 

3) Eligible Providers must meet all ARRA criteria in 2011 to receive the maximum Medicare incentives. FALSE - "In general, a qualifying EP can receive an annual incentive payment as high as $18,000 if their first payment year is 2011 or 2012." 
 
To read more about satisfying meaningful use requirements, click here.
The C&A Transformation
Get ready for more growing pains.
 
It happens every day.  Someone is frantic because they developed a system and sold it to the Federal Government and Department of Defense (DoD), each requiring a separate accreditation package following different standards. 
 
The 'C&A Transformation Initiative' was released by General Dale Meyerrose, CIO for the Office of the Director of National Intelligence (ODNI), in June 2006. Since this release, DoD, the National Institute of Standards and Technology (NIST), and ODNI have been working together to determine the way-ahead for the C&A process. DoD and ODNI decided to work with NIST to develop and update the NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, to minimize work efforts and meet the needs of all communities. 
 
The new NIST 800-37 looks at the C&A process, which is now referred to as real time risk management. The intent of this movement is to eventually have one set of standards and processes for the security of the entire US government, to include DoD, Federal, and intelligence agencies. This will assist us in ensuring a unified presence in protecting our information.
 
With the initial movement of the C&A process, the DoD and DNI CIOs published seven goals for transforming C&A processes across the DoD and the IC.
  1. Define a common set of impact levels and adopt and apply them across the DoD and IC.
  2. Adopt reciprocity as the norm, enabling organizations to accept the approvals by others without retesting or reviewing.
  3. Define, document, and adopt common security controls, using NIST SP 800-53 as a baseline.
  4. Adopt a common lexicon, using CNSSI 4009 as a baseline, thereby providing both the DoD and IC a common language and common understanding.
  5. Institute a senior risk executive function, which bases decisions on an enterprise view of risk considering all factors, including mission, IT, budget, and security.
  6. Incorporate IA into enterprise architectures and deliver IA as common enterprise services across the DoD and IC.  
  7. Enable a common adaptable process that incorporates security within the lifecycle processes and eliminates security-specific processes.
These goals have been evolving as the C&A transformation slowly moves forward, but the intent to develop one set of policies and guidelines has remained consistent. Likewise, moving to an enterprise view of security and of managing risk has remained a top priority of the transformation.
  
Anyone currently working in C&A, or in security in general, is highly encouraged to read NIST 800-37 Rev 1 and begin preparing for the upcoming changes in your organization.
 
For more information about how we provide a gap analysis on what the deltas are for the system design and documentation requirements between the two processes, click here.
Social Engineering Attacks
Minimizing your exposure to real-world threats. 
 
Social engineering attacks are continually evolving and are now geared more toward highly targeted attacks against high-profile individuals, applications, and businesses. These sensitive targets present an easy, high-reward return for social engineering attackers. One of the most common and enduring forms of social engineering is "phishing", which is defined as the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication (1).
 
Where does the word "phishing" come from?  Its origin is believed to be homage to the first known form of hacking, known as "Phreaking".  Phreaking describes the act of hacking telephone systems in order to make free long distance calls by using a Blue Box to simulate the phone tones used to control phone system switches.  As hacking evolved along with technology, the first internet scammers lured "fish" via emails to obtain passwords and financial data.  Today's phishing attacks have grown into more ominous and organized criminal behavior.  Phishing attacks now focus on attacking users of online banking, payment, and e-commerce services.
 
Phishing attacks are consistently increasing in number and sophistication, which is attributed to the increasing use of web-based services, including social networking sites. These sites make it easier for attackers to target users because of the widespread use of technologies that unintentionally leave typical users blind to the risks of phishing. Some of these technologies include abbreviated URL services, which make it easier to mask the links that users are asked to click. Also, the heavy and mostly blind distribution of applications (Facebook, Apple's App Store) could be targeted by an attacker looking to abuse the relationships established between a trusted site and its users.
 
Email phishing is still a favorite attack against individual users, businesses, and even the government.  It is carried out by sending out spoofed e-mails, often from known and trusted sources (friends, family, coworkers, or legitimate business).  These emails will lead consumers to attacker controlled websites designed to lure recipients into revealing sensitive information (usernames/passwords, PII, financial information) or will plant malicious software on the individual's computer that is used to steal credentials, misdirect the individual, or intercept key-strokes. 
 
Although laws exist to force businesses that have fallen victim to any sort of data breach involving customer personal information to report that breach to the affected customers, they rarely publicize such incidents.  Some recent and high profile phishing attacks that have reached the public include:
 
  • An attack in 2009 disclosed as "GhostNet".  GhostNet was comprised of a network of at least 1,295 compromised computers in 103 countries, belonging primarily to government, aid groups, and activists.  The attack was carried out by emails with subject lines related to the Dalai Lama or Tibet. The emails carried malicious attachments that connected the infected machines to systems located in China. (2)
  • In another attack in 2009, the Swiss organization MELANI, the Reporting and Analysis Centre for Information Assurance, reported a targeted wave of attacks against the management of major companies. An email with an attachment referring to a wire transfer was used in this attack. When the victim opened the attachment, an .rtf file, malware was installed that recorded all directories accessed with Windows Explorer, all websites visited, and all data entered in forms. The malware then sent this information to various servers. (2)
  • Another attack in 2009 shows that not only top management or governments can be victims, but journalists have suffered, as well. An attack in September targeted journalists from various media organizations, including Agence France Press, Dow Jones, and Reuters based in China. The attacks seemed to come from an editor of the Straits Times, an English-language paper in Singapore, with an attachment in PDF format. Opening the attachment would exploit a vulnerability in Adobe Acrobat and result in malware being installed that connected to compromised computers in Taiwan. (2)
 
Detection is very difficult when dealing with phishing attacks. Typical anti-virus software rarely catches the malicious email payloads, which is to be expected in targeted attacks, because the attacker takes care to disguise the software against well-known virus definitions. It is also difficult for corporations to ensure that their networks and devices are completely secure and resistant to such attacks.
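As an added illustration of the mail-level indicators discussed above (a sender display name impersonating another domain, replies routed elsewhere, shortened or mismatched links, and attached files), here is a small Python triage check; it is example code written for this newsletter, not a Lunarline tool, and the shortener list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Illustrative list of link-shortening hosts (assumption; extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def _domain(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_email):
    """Return (indicator, detail) pairs for one RFC 822 message; [] means nothing flagged."""
    msg = message_from_string(raw_email)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Sender spoofing: the display name names a domain the real address is not from.
    named = HOST_IN_TEXT_RE.search(display_name)
    if named and named.group(1).lower() != from_domain:
        findings.append(("display-name-domain-mismatch", f"{display_name} <{from_addr}>"))

    # Replies or bounces routed to a different domain than the apparent sender.
    for hdr in ("Reply-To", "Return-Path"):
        other_domain = _domain(parseaddr(msg.get(hdr, ""))[1])
        if other_domain and other_domain != from_domain:
            findings.append((hdr.lower() + "-domain-mismatch", f"{from_domain} vs {other_domain}"))

    for part in (msg.walk() if msg.is_multipart() else [msg]):
        # List every attachment: the incidents above used .rtf and PDF lures.
        if part.get_filename():
            findings.append(("attachment", part.get_filename()))
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        text = (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")
        for href, visible in ANCHOR_RE.findall(text):
            host = (urlparse(href).hostname or "").lower()
            if host in SHORTENER_HOSTS:
                findings.append(("shortened-url", href))
            # Visible link text that names a different host than the real target.
            shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", visible))
            if shown and shown.group(1).lower() != host:
                findings.append(("link-text-host-mismatch", f"{shown.group(1)} -> {host}"))
    return findings


# Constructed sample message (not a real incident) combining several of the lures above.
SAMPLE_EMAIL = """\
From: "PayBank Support paybank.example" <alerts@mail-notify.example.net>
Reply-To: collect@other-domain.example.org
Subject: Wire transfer confirmation
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm the transfer at
<a href="http://bit.ly/abc123">paybank.example/secure</a>.</p></body></html>
"""
```

Running `phishing_indicators(SAMPLE_EMAIL)` yields four findings, one per heuristic; a legitimate message whose display name, reply address and link text all agree with the real domains yields an empty list.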
 
The onus really falls on each individual to be aware of corporate security policies concerning how to identify and react to social engineering attacks. Each organization should ensure that its security policies include information on the latest social engineering and phishing attacks as well as methods to protect against them. A periodic spot-check of employees' awareness is also beneficial, as it allows security staff to gauge the effectiveness of their security policies and training material. Such spot checks could include annual refresher courses for the user base and/or third-party social engineering testing services from an experienced vendor.
 
(1) http://en.wikipedia.org/wiki/Phishing
(2) McAfee Labs, 2010 Threat Predictions

 
For more details on Lunarline's penetration testing approach and how we can help secure your environment, click here.
Occupant Emergency Plan: SP 800-34 Revision 1
Understanding SP 800-34 and the related continuity plans.
 
In the March issue we provided a list of the 8 different types of continuity-related plans listed in NIST SP 800-34 revision 1:

  • Occupant Emergency Plan (OEP)
  • Critical Infrastructure Plan (CIP)
  • Information System Contingency Plan (ISCP)
  • Disaster Recovery Plan (DRP)
  • Incident Response Plan (IRP)
  • Business Continuity Plan (BCP)
  • Crisis Communications Plan (CCP)
  • Continuity Of Operations Plan (COOP)
 
In this issue we will discuss the Occupant Emergency Plan (OEP).  Federal Management Regulations (FMR) subpart 103-74.230A requires Federal agencies that occupy Federal property to develop an OEP.  This requirement includes Federal agencies that occupy space leased by the General Services Administration (GSA).  
 
The purpose of an OEP is to ensure that all occupants know how to respond in an emergency, regardless of the nature of the emergency, whether man-made or natural. An OEP must address:
 
  • Who will be in charge
  • Facility characteristics and security
  • Criteria for plan activation
  • Actions to be taken
  • Training 
 
  1. Who will be in charge?  Establish an Incident Command Structure with a succession of authority.  Make sure that everyone knows who will be in charge to avoid any confusion.  Identify and appoint floor captains who will ensure complete evacuations and arrange assistance for those employees who have physical challenges.
  2. Facility characteristics.  Map out evacuation routes and shelter-in-place locations ("shelter-in-place" refers to a safe room at work for when the situation warrants staying inside rather than attempting to leave).  Make every effort to clearly mark those routes so that even in the most confusing situations everyone knows where to go and how to get there.  Make sure that the rallying areas are clearly marked so everyone knows where to go for personnel accountability.  Make arrangements to compare attendance records against those who are out of the building for vacation or meetings, and don't forget the visitors to the building.  Coordinate with security to make sure EVERYONE is safe.  Build into your OEP when it's best to evacuate and when it's safer to shelter-in-place.
  3. When is the plan activated?  Identify criteria that can reduce the ambiguity.  Remember, personnel safety comes first - when in doubt, activate.
  4. Actions to be taken.  When building your checklists, remember the 3 key points:  Recognize the situation for what it is, React appropriately and calmly, Report to the necessary facility and civil authorities the nature of the emergency.  Build your plans to be checklist centric.  You don't want to sift through 5 pages of narrative to get to step 1.  Short, concise steps/actions should be clear with a method for recording the commencement and completion of each action. 
    4a. Work with your risk managers.  Determine which emergencies are the most likely.  If you're located in the south west, flooding may not be an issue.  If you're located in "tornado alley" shelter in place should be a very important factor in your plan.
  5. Training.  Everyone must be trained in their responsibilities, even if those responsibilities are limited to calm evacuation or shelter-in-place and making sure they are accounted for by those taking roll call.  Exercise the plan!  You don't know what's broken until you try to use it.

In the next issue, we'll look at Information System Contingency Plans (ISCPs).
  
To review an alphabetized list with a short synopsis of how each plan is used, click here 
 
To find out more information on Lunarline's extensive experience in identifying, developing and implementing recovery strategies, click here.
Career Opening Spotlight
 

Opening: Senior Security Engineer
Location: Tampa, FL
Salary: DOE/Performance Bonus/Full Benefits
Job Summary
Work directly for the Information Assurance Manager (IAM) in conducting Certification and Accreditation activities. Responsible for documenting security policy covering administrative, technical, and procedural documentation for C&A requirements. Prepare architecture documentation for Risk Assessments in support of Accreditation and Certification. Determine classes of threats and determine impact to provide accreditation recommendation to CA, assist in developing the certification decision. Assess the scope of IA recommendations by evaluating the proposed architecture in relation to associated community network architectures. Must interpret system and network architecture to determine current IA status. 
 
Qualifications
Six years of information technology security experience. Demonstrate hands-on experience with government certification and accreditation (C&A) document creation to include:
  • Security Questionnaires
  • System Security Plans
  • Risk Assessments
  • Contingency Plans
  • Configuration Management Plans
  • Technical Architectures
  • Security Policies
  • Plans of Actions and Milestones
  • DoD Information Assurance Certification and Accreditation (DIACAP)
Applied experience implementing various security mechanisms across multiple platforms and operating systems. A basic understanding of the ten domains of security. Extensive knowledge of government security regulations (e.g., DoD 8510.01, DoD 8500.2, CJCSI 6510, etc.). U.S. citizenship, with the eligibility to obtain and maintain a government security clearance (Top Secret preferred). Excellent customer service skills. Exceptionally strong verbal and written communication skills. Strong organizational and conceptual skills. The ability to self-start and self-motivate. The ability to adjust to changing focus and/or priorities, as well as the ability to successfully multi-task and set priorities as needed. Minimum Security+ certification required; CISSP or CISA certification desired.
 
Education Requirements
Bachelor's degree in Engineering, Computer Science, or related technical field.
 
If you are interested in this position, call Ashley Roan at 571.481.9303 or send your resume to ashley.roan@lunarline.com.
 
For benefits and other information, please visit http://lunarline.com/Careers/Benefits.aspx.
 
 
Lunarline is an equal opportunity employer. It is the policy of Lunarline that all employees and applicants for employment will be treated in all respects on the basis of their merit and qualifications and without regard to their race, color, national origin, age, disability, sexual orientation, religion, gender, military status, marital status or ancestry. 
About Lunarline:
Lunarline is a leading provider of Cyber Security Solutions, Specialized IA Services, and Certified Security Training to all US Federal Government (Civilian, DoD, and IC), as well as to customers in selected commercial markets. Lunarline is a VA Certified Service-Disabled Veteran-Owned Small Business (SDVOSB) that is appraised at maturity Level 2 of CMMI®, certified in ISO 9001:2008, has a DCAA approved accounting system, and an approved Earned Value Management (EVM) system. Lunarline offers DIACAP, FISMA, CNSS, Security+, CISA, CISSP, and Cyber Security Courseware Certificate Programs. Lunarline provides courses with NSA/CNSS (NSTISSI No. 4011 and 4015) Certified C&A Training Courseware. Lunarline ranks in the top 2% of D&B Rating, and is a recipient of the DOT Cyber Security Award and the Cyber Warfare Forum Initiative Award.
LUNARLINE: SOLUTIONS BUILT ON SECURITY™
 
For more information, visit www.lunarline.com.
 
Summer 2010!

JULY 2010 Only:


$200.00 Discount on Lunarline's DIACAP In-Depth 3 Day Course! 
$300.00 Discount on Lunarline's DIACAP Intensity 4 Day Course!
  
AUGUST 2010 Only:

FREE Security+ Test Voucher with any Lunarline's Security+ Course! 
Call Melissa Dawson at 571-481-9307 or email her at Melissa.dawson@lunarline.com. Mention "Summer 2010".
 
 
Available in Bookstores Today!
The Definitive Guide to the CyberWar, CyberTerror, CyberCrime (Paperback)
Lunarline, Inc.