
RE: [ISN] Fed up hospitals defy patching rules

Subject: RE: [ISN] Fed up hospitals defy patching rules
Date: Fri, 13 Aug 2004 12:01:39 -0500 (CDT)
Forwarded from: PaulBlair@westhillscollege.com

"Security of the systems is the primary focus of the letter," says
Holt Anderson, executive director of NCHICA. Without the operating
systems properly maintained in terms of patching, "there is no way
to secure devices that are connected to a LAN or wireless facility,"
he says.

This is not true. There are more than a few ways to mitigate Windows
security issues in this type of situation. IPSEC can be used to
regulate traffic between devices, and prevent the spread of the common
RPC-based worms, and VLANs can keep sensitive devices confined to
their own.

Some manufacturers, including Philips, contend that hospitals must
do a better job of applying security defenses to protect medical
devices by buying intrusion-prevention systems (IPS) and internal
firewalls.

I agree, but the manufacturers need to do their part by certifying
patches in a more expedient manner.

There have been several instances in which viruses originated from
medical instruments straight from the vendors, says Bill Bailey,
enterprise architect at ProHealth Care, a Milwaukee healthcare
provider. Medical equipment arrived with computer viruses on it or
service technicians introduced the viruses while maintaining the
equipment, he says.

Based on my own personal experience with 'third party devices', this
is not surprising to me at all. In my case, the device was a Windows
server which handled our voice mail. Twice it was infected with a SQL-based
worm and once with Blaster. None of the other machines on our
network were infected, due to some of the mitigating factors I
mentioned above, but they very well could have been. In the case of
the SQL-based worm, the infected server saturated our internal network
to the point of it being useless. After these incidents, we put
pressure on the vendor to certify patches more quickly. If we feel
that there is a threat we now apply patches to these servers,
regardless of their 'certification'. Hospitals should not be faulted
for doing the same when critical patches are released.


Paul Blair
Information Technology Services
West Hills College
spam1@toadlife.net
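As an added example (not part of the post or the list archive), two defender-side checks in Python modelled on the mitigations and incident Paul describes: a fan-out check on the RPC and SQL ports that Blaster and the SQL worm spread over, and a check for traffic that an IPsec/VLAN confinement policy for vendor-managed devices should have dropped. The addresses, the vendor segment, the management host and the flow-record format are constructed assumptions.

```python
from collections import defaultdict
import ipaddress

# Ports the worm families named in the post propagated over.
WORM_PORTS = {("tcp", 135): "RPC (Blaster-like)",
              ("udp", 1434): "SQL resolution (Slammer-like)"}

# Hypothetical confinement policy (assumption, not from the post): vendor-managed
# devices sit in 10.0.5.0/24 and may only exchange traffic with the management host.
VENDOR_NET = ipaddress.ip_network("10.0.5.0/24")
MGMT_HOSTS = {"10.0.1.10"}

def parse_flows(lines):
    """Parse constructed 'src dst proto dport' records into tuples; skip comments."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0].startswith("#"):
            continue
        src, dst, proto, dport = parts
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows

def worm_fanout(flows, threshold=20):
    """src -> (label, distinct destinations) for sources that touched at least
    `threshold` distinct hosts on one worm port: a sweep, not a normal session."""
    dsts = defaultdict(set)
    for src, dst, proto, dport in flows:
        if (proto, dport) in WORM_PORTS:
            dsts[(src, (proto, dport))].add(dst)
    return {src: (WORM_PORTS[port], len(d))
            for (src, port), d in dsts.items() if len(d) >= threshold}

def confinement_violations(flows):
    """Flows crossing the vendor-segment boundary to anything but the management
    host: exactly the traffic the IPsec filter or VLAN should have dropped."""
    return [(src, dst, proto, dport) for src, dst, proto, dport in flows
            if (ipaddress.ip_address(src) in VENDOR_NET)
               != (ipaddress.ip_address(dst) in VENDOR_NET)
            and not ({src, dst} & MGMT_HOSTS)]

# Constructed sample: voicemail server 10.0.5.20 sweeping its /24 on UDP 1434, one
# cross-segment RPC connection, plus permitted management and workstation traffic.
SAMPLE = (["# src dst proto dport"]
          + [f"10.0.5.20 10.0.5.{i} udp 1434" for i in range(100, 160)]
          + ["10.0.5.20 10.0.2.7 tcp 135", "10.0.1.10 10.0.5.20 tcp 3389",
             "10.0.2.7 10.0.2.8 tcp 445"])

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print(worm_fanout(flows), confinement_violations(flows))
```

The sweep stays inside the vendor segment, so only the fan-out check catches it, while the single RPC connection out of the segment is caught only by the confinement check; the two checks are complementary.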



