Open Source and information security mailing list archives
From: shrdlu at deaddrop.org (Etaoin Shrdlu)
Subject: More Unusual request

First, I must say I'm surprised that the only two posts I've seen in answer
to this have come from folk whom I suspect have absolutely NO experience
with HIPAA. The answer here needs to be more specific to the problem.

Eric Wright wrote:
> 
> Seeing the positive and helpful comments from the before mentioned thread
> 'Unusual request', I would also like to ask for help.  I work for a company
> that deals a good bit in healthcare and with the HIPAA regulations coming
> down the pipe I have been asked to help with the security aspects of our
> network.

First, if you are attempting to help address HIPAA, then the security
aspects you need to address are quite specific, and already well
documented. I can only hope that you are working with others in this
matter, and have not been cast alone on the waters, in some strange belief
that there is anything you can possibly do in the very short time before
these requirements come into effect.

As others have requested, you really need to supply more information. What
exactly is your role? How many others are helping you? Is there an IT audit
group of some sort that is charged with ensuring various portions of the
company? Have you someone whose specific task it is to know whether you are
complying with HIPAA, and you are just trying to harden the network?

>  I have been in the comp field for a number of years but am fairly
> new to security (at least to the depth that I need now).  I am only asking
> for help, knowledge, experience, guidance, or anything else that would be
> useful.

You may or may not have come to the right place, depending on your answers
to the questions above. If this is your company's first real attempt at
addressing HIPAA, run, don't walk, to the nearest group of want ads. You're
in a lot of trouble. Unless your company is very, very small, with a very
limited budget, hearing that you are "new to security" is not good. You
need to acquire a consultant that is NOT new, and is well-versed in the
specific industry you are in, and that needs to be done yesterday. If there
isn't the budget for that, tell them you don't want the job.

>  It's easy to search for exploits and run them but what I am after
> is an "Understanding".  I am not a programmer so code is a new area and
> challenge.  I need help in understanding the exploits and how to search for
> them and diagnose them on our network.

You should not be concerned with "exploits" but rather with hardening your
network. I suspect that it is something older, and I'm wondering if it is
the usual shop of ex-mainframe types transferring all they know and do to a
pile of PCs, without the requisite knowledge that would keep them safe. You
have already identified precisely who and where you work (don't you just
LOVE hotmail), so I can see that it is indeed a medical place of business,
and that you really, truly do need help.

>  I would like to work on a personal
> basis with anyone who is willing to help, but could also go directly through
> this board, if that is a better way.     Thanks in advance.

Putting more public information on this, or any mailing list, would be a
bad idea for you, since it seems that you are quite open in your
inexperience. I answer publicly in the awareness that this list is
archived, and that there may be other innocents also reading who will gain
information from this. I have a certain experience in HIPAA and similar
privacy issues, and can point you in helpful directions if you'd like to
take this off line.

--
Open source should be about giving away things voluntarily. When
you force someone to give you something, it's no longer giving, it's
stealing. Persons of leisurely moral growth often confuse giving with
taking.    -- Larry Wall
