Extra! Extra!

Back to the future

Eight years ago around this time, I was busy in my secret lab cooking up my latest and greatest geeky tech project. A little scripting here, some hardware and networking there…not unlike the countless other times I’ve done this since my Dad bought my first computer (Commodore 64) when I was twelve. Except this time I was doing a proof of concept for a magazine article while working as the Senior Consultant for a Managed Service Provider. I guess that investment in my first computer paid off. Thanks, Dad!

Hakin9 Extra – Guide to Kali Linux: Kali Scanning for HIPAA

I was asked by Hakin9 Magazine to write an article for their (then) upcoming “Guide to Kali Linux”. But before we get to that, some background first – Linux is a popular free and open source operating system developed by Linus Torvalds. He created the new platform because he did not want to pay the expensive licensing fees for Unix, which was the operating system used in his university computer science courses. Today, Linux is the operating system that runs most of the Internet services we use every day. While many in the community debate whether “free” means “as in beer” or “as in speech”, Linux can be downloaded at no cost which makes it perfect for tech-savvy IT professionals who are seeking to build low-cost systems for niche applications. Windows and Microsoft Office are the business standard so Linux is not a recommended alternative for general business computing.

Kali Linux is what is called a Linux distribution or “distro” for short. Basically, it is a version of Linux with preinstalled applications and tools. Distros run the gamut from general purpose computing to niche applications. Kali, for example, is a security distribution and comes with computer forensic, penetration testing, and vulnerability scanning tools. It is the latter that was the focus of writing the magazine article. Specifically, how a low-cost, distributed system running Kali Linux on top of Raspberry Pi hardware (low cost non-Intel PC) could be used in the Healthcare industry to support HIPAA compliance. I chose OpenVAS as the application for vulnerability scanning.

The results from the proof of concept demonstrated the RPi+(Kali) Linux+OpenVAS combination was viable as an ad-hoc tool and could be further developed into an integrated, distributed reporting system. The gory technical details from the article can be found here: Hakin9 Extra – Guide to Kali Linux: Kali Scanning for HIPAA.

Back to the present

So what’s changed in the last eight years? In some ways, not much. In other ways, everything. Tools like Kali Linux are still useful and part of the solution. What has changed is the ever-evolving threat landscape and the cost of doing business due to the added layers of security needed to maintain business as usual. We have written other articles on defense-in-depth so I won’t get in the weeds on that topic here, but it is no longer the medical and financial industries (or other regulated business), but all businesses large and small that must invest in security to reduce risk and protect their business operations and data. The phrase often attributed to Vince Lombardi comes to mind, “Hope is not a strategy.”

Call to action

Great, we’ve identified a business problem…so now what?! Here’s the high level recipe for building an effective security strategy:

1. Discuss the need for addressing security with the top levels of the organization. This cannot be a bottom-up initiative. Too much is at stake.
2. Work with a trusted technology/security partner to explore options.
3. Invest in educating yourself and your team about the risks and how implementing security tools and best practices help mitigate these risks.
4. Measure the effectiveness of your security program to understand residual risk.
5. Rinse and repeat.

With an intentional focus on security and developing a plan to monitor and assess its effectiveness over time, your business can reduce risk of data loss and downtime. Much like how Linux is not for the faint of heart, Information Security can be tough to understand, so IT professionals are happy to work with you to formulate a winning game plan. Be like Lombardi and don’t just hope the problem will go away on its own!