Thursday, August 27, 2009

ISO/IEC 27000 ISMS Standard

Recently I have been studying a lot on information security standards and compliance. I just finished reading the book "Implementing the ISO/IEC 27001 Information System Standard" by Edward Humphreys. I will implement some of its requirements, especially access control management, in my medical data security project.

ISO/IEC 27000 is a family of Information Security Management System (ISMS) standards:

27000 ISMS Overview and vocabulary
27001 ISMS requirements
27002 Code of Practice for ISMS
27003 ISMS implementation guidelines
27004 ISMS measurement
27005 Information security risk management
27006 Accreditation requirement for certification bodies (CB)

At my first glance at this family, I thought my project should comply with ISO/IEC 27002. Here is the paragraph that reminded me of the difference between 27002 and 27001.

"The idea of compliance with ISO/IEC 27002 is therefore very much a question of management requirements since this is a code of practice and not a mandatory specification. ISO/IEC 27002 has no recognition as a compliant standard as is ISO/IEC 27001, which is an internationally recognized standard for compliance assessment"

Many organisations have an "acceptable use policy" to control their staff's use of the Internet. For example, it can give a clear warning of what is strictly prohibited on the network, e.g. accessing pornographic material, using certain messaging services, or unauthorised access to the organisation's information.

As mentioned in the book, the control lists are available in Annex A. For an SME, there is no need to implement all the controls. Selection and attention should focus on those controls that reduce the risks and impacts. An appropriate ISMS implementation should be built to suit most of its management needs.

For authentication, the simplest way is to base it on what the user knows (a password or a PIN). This is "one-factor" authentication. If two factors are used, such as what a user knows and what the user has (e.g. a PIN and a bank card), this is commonly known as "two-factor" authentication.

The book is a comprehensive guide to information security management based on the ISO 27001 standard. Data security is much more than just the technical element. It involves every single element that accesses the system, ranging from policy, operating methods and human resources to software and hardware. The PDCA (Plan, Do, Check, Act) cycle is a long and always on-going process that ensures information security within the organisation and thus compliance with the standard.

"Nothing is as constant as change" - Greek philosopher Heraclitus

Tuesday, August 25, 2009

SANS webcast about Wireless Security

Just watched the SANS webcast clips "Exploiting and Defending Wireless

1. airpwn - wireless injection

2. PSPF not robust
-To bypass PSPF: wifitap (Python tool using Scapy, for Linux)

3. karmetasploit (evil tool)
-KARMA + Metasploit
-If the program is run normally, we can't really see what is happening inside karmetasploit. We need to use $sqlite karma.db to dig deeper.

4. wireless driver bugs
-Usually wireless drivers are never updated!
-They run in Ring 0

Friday, August 14, 2009


Soon, I will be working on a Medical Data Security Model.


In August 1998, the United States Department of Health and Human Services (HHS) published the Security and Electronic Signature Standards; Proposed Rule (Security Rule). The Security Rule covers all healthcare information that is electronically maintained or used in electronic transmissions. It is defined by HHS as a set of requirements with implementation features that providers, plans, and clearinghouses must include in their operations to assure that electronic health information remains secure[1].

The Security Rule is merely a set of common best practices that is intended to be comprehensive, technology neutral, and scalable for different-sized organizations. It is a high-level information security framework that documents what needs to be done to secure healthcare information systems. At the same time, and much to widespread chagrin, the Security Rule is not a set of how-to instructions outlining the exact steps for securing healthcare information systems[1].
To ensure the confidentiality, integrity and accessibility of healthcare information, the Security Rule outlines various technologies and policies that must be implemented[1].
The policies and procedure for technology-based systems include:
• Logical access controls
• Physical access controls
• User authentication controls
• Authorization controls
• Audit controls
• Data encryption mechanisms[1]
General medical security models fall short of what is needed. From the policies and from the environment where the information is kept, the requirements for the security model can be deduced:

1) Attribute- and credential-based authorization
2) Content-dependent authorization
3) Context-dependent access modes
4) Delegation of rights
5) Administration of security
6) Temporal restrictions
7) Need for coordinated authentication and encryption
8) Consideration of web standards
9) Consideration of different architectural levels
10) Compliance with laws protecting security and privacy of health care information
11) Explicit audit[3]

It is clear that no single model can satisfy all these requirements, so several related models at different abstraction levels are needed to cover all of them.[3]
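To make the requirement list above concrete, here is an added example (not code from the post or from the cited papers) of a small policy engine for one patient record that combines attribute- and credential-based authorization, content-dependent authorization, context-dependent access, time-limited delegation of rights, temporal restrictions and an explicit audit trail. All names, roles, wards and shift hours are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
# Constructed example (not the post's or the cited papers' code): one policy engine for the listed requirements
Record = namedtuple("Record", "patient ward treating sensitive")      # data attributes
Request = namedtuple("Request", "subject role ward action when")      # user + context
Delegation = namedtuple("Delegation", "grantor grantee patient expires")

def at(hour, minute=0):
    """Constructed timestamp on the post's date, for the checks below."""
    return datetime(2009, 8, 14, hour, minute)

class MedicalAccessModel:
    def __init__(self, shift=(7, 19)):
        self.shift = shift        # temporal: nurses may read only during shift hours
        self.delegations = []
        self.audit = []           # explicit audit: every decision, allow or deny

    def delegate(self, grantor, grantee, rec, hours, now):
        # Delegation of rights: only a treating clinician may delegate, for a limited time
        if grantor not in rec.treating:
            raise PermissionError(f"{grantor} is not treating {rec.patient}")
        self.delegations.append(Delegation(grantor, grantee, rec.patient, now + timedelta(hours=hours)))

    def decide(self, req, rec):
        reason = self._evaluate(req, rec)
        self.audit.append((req.when.isoformat(), req.subject, req.action,
                           rec.patient, reason))
        return reason.startswith("allow")

    def _evaluate(self, req, rec):
        # 1) attribute/credential-based: the treating physician has full access
        if req.role == "physician" and req.subject in rec.treating:
            return "allow: treating physician"
        # 2) content-dependent: sensitive notes are for treating physicians only
        if rec.sensitive:
            return "deny: sensitive content"
        # 4) delegation of rights, bounded by 6) a temporal restriction (expiry)
        for d in self.delegations:
            if (d.grantee == req.subject and d.patient == rec.patient
                    and req.when < d.expires and req.action == "read"):
                return f"allow: delegated by {d.grantor}"
        # 3) context-dependent: a nurse must be on the record's ward and on shift
        if req.role == "nurse":
            if req.ward != rec.ward:
                return "deny: not on record's ward"
            if not self.shift[0] <= req.when.hour < self.shift[1]:
                return "deny: outside shift hours"
            return "allow: ward nurse" if req.action == "read" else "deny: nurse may not write"
        return "deny: no matching rule"
```

Every call to `decide` appends a row to `audit`, whether the outcome is allow or deny, so the log can be reviewed for denied attempts as well as granted access.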


[1] Kevin Beaver, Healthcare Information Systems, Second Edition, United States of America: Auerbach, 2003, pp. 173-180.
[2] E. Supriyanto, S. C. Seow, "Java Based Automatic Curriculum Generator for Children Trisomy 21", WASET, vol. 32, pp. 237-249, 2007.
[3] Eduardo B. Fernandez, María M. Larrondo Petrie, and Tami Sorgente, "Security Models for Medical and Genetic Information", 2004.