Archive for the 'Compliance PCI, HIPAA etc.' Category



When John Matherly released SHODAN, a search engine that collects data on Internet-facing services such as HTTP on port 80 and FTP, it was considered a success from a hacker's point of view. And now there is Censys.


Censys was created by a group of researchers at the University of Michigan as an instrument to make the Internet more secure. In fact, both Shodan and Censys are meant for security research, but as the duo gains more and more attention, there will certainly be people who try to use them for more nefarious purposes.
Censys is much like Shodan, but more user friendly, and it works in a broader and more systematic way. Censys is a time-saving companion for system enthusiasts and the so-called hackers.






Millions of devices such as home routers, IP cameras and mobile phones share the same set of cryptographic keys for SSH or HTTPS, which makes them vulnerable to hijacking. Vendors typically build their device firmware from software development kits (SDKs) received from chip makers, and they rarely bother to replace the keys that ship with the SDK.


Censys scans the whole Internet daily and records almost everything it finds. It covers the entire IPv4 address space, which carries the majority of Internet traffic, and checks for every vulnerability it can. When the researchers conducted a mass scan of 4 billion IP addresses, the result was shocking.


“We have found everything from ATMs and bank safes to industrial control systems for power plants. It’s kind of scary,” said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan and inventor of ZMap. Censys uses mainly two tools.








The first step of collecting data is ZMap [20], which performs single-packet host discovery across the whole IPv4 address space. Hosts found by ZMap seed pluggable application scanners, which perform a follow-up application-layer handshake and produce structured JSON data describing one aspect of how a host is configured. Typically, an application scanner performs a single handshake and measures one aspect of how a service is configured. For example, separate horizontal scans with different pluggable scanners measure how HTTPS hosts respond to a typical TLS handshake, whether hosts support SSLv3, and whether a host is vulnerable to the Heartbleed attack. Since collecting all the data in a single scan would put too much load on each host, Censys instead runs scheduled scans and aggregates the data collected from each of them.





ZGrab is a fast and extensible application scanner. At this time, ZGrab supports application handshakes for HTTP, HTTP Proxy, HTTPS, SMTP(S), IMAP(S), POP3(S), FTP, CWMP, SSH, and Modbus, as well as StartTLS, Heartbleed, SSLv3, and specific cipher suite checks. On a dual-Xeon E5-2640 (6 cores at 2.5 GHz) system with an Intel X520 Ethernet adapter, ZGrab can complete HTTPS handshakes with the full IPv4 address space in 6h20m, and a banner grab and StartTLS connection with all publicly accessible SMTP hosts in 3h9m, that is 1.86k and 1.32k hosts/second respectively. In simple words, ZMap quickly identifies hosts and ZGrab produces structured data about each of those hosts. ZGrab can also be used on its own, even against a single host, for anything from simply reading and writing data to performing a full handshake.
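The aggregation step described above, and the shared-firmware-key problem mentioned earlier, as an added example that is not Censys's or ZGrab's code: per-protocol scan records are merged into one document per host (newest record per protocol wins), then hosts presenting an identical SSH host key are grouped. The record layout and field names (ip, protocol, timestamp, ssh.host_key_sha256, https.sslv3) are assumptions for this example, not the real ZGrab schema, and the records themselves are constructed.

```python
import json
from collections import defaultdict

# Constructed sample: newline-delimited JSON records in the spirit of ZGrab
# output. Field names are assumptions for this example, not ZGrab's schema.
SAMPLE_RECORDS = """\
{"ip": "192.0.2.10", "protocol": "ssh", "timestamp": "2015-12-01T03:00:00Z", "ssh": {"host_key_sha256": "AAAA1111"}}
{"ip": "192.0.2.11", "protocol": "ssh", "timestamp": "2015-12-01T03:00:05Z", "ssh": {"host_key_sha256": "AAAA1111"}}
{"ip": "192.0.2.12", "protocol": "ssh", "timestamp": "2015-12-01T03:00:09Z", "ssh": {"host_key_sha256": "BBBB2222"}}
{"ip": "192.0.2.10", "protocol": "https", "timestamp": "2015-12-01T09:00:00Z", "https": {"sslv3": true}}
{"ip": "192.0.2.10", "protocol": "https", "timestamp": "2015-12-02T09:00:00Z", "https": {"sslv3": false}}
{"ip": "192.0.2.11", "protocol": "ssh", "timestamp": "2015-12-02T03:00:05Z", "ssh": {"host_key_sha256": "AAAA1111"}}
"""


def aggregate_scans(ndjson: str) -> dict:
    """Merge per-protocol scan records into one document per host.

    Each scheduled scan measures one aspect of a host. Keeping the newest
    record per (host, protocol) pair yields a host document that reflects
    the latest state of every protocol without one heavy all-in-one scan.
    """
    hosts: dict = defaultdict(dict)
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        proto = rec["protocol"]
        current = hosts[rec["ip"]].get(proto)
        # ISO-8601 UTC timestamps compare correctly as strings
        if current is None or rec["timestamp"] > current["timestamp"]:
            hosts[rec["ip"]][proto] = rec
    return dict(hosts)


def shared_ssh_keys(hosts: dict) -> dict:
    """Return {fingerprint: sorted IPs} for host keys seen on more than one host.

    Distinct devices presenting the same SSH host key is the symptom of a key
    baked into a shared firmware image: compromising that one key exposes
    every device in the group.
    """
    by_key = defaultdict(set)
    for ip, protos in hosts.items():
        ssh = protos.get("ssh")
        if ssh:
            by_key[ssh["ssh"]["host_key_sha256"]].add(ip)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    docs = aggregate_scans(SAMPLE_RECORDS)
    print(json.dumps(docs["192.0.2.10"]["https"]))
    for fp, ips in shared_ssh_keys(docs).items():
        print(f"host key {fp} shared by {len(ips)} hosts: {', '.join(ips)}")
```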


Censys exposes data back to the community, which ranges from researchers who need to quickly perform a simple query to those who want to perform in-depth analysis on raw data. In order to meet these disparate needs, they are exposing the data to researchers through several interfaces, which offer varying degrees of flexibility.


1) a web-based query and reporting interface,

2) a programmatic REST API,

3) Public Google BigQuery tables,

4) Raw downloadable scan results.

They are also planning to publish pre-defined dashboards that are accessible to users outside of the research community.

Neither Shodan nor Censys is likely to be used by serious cyber criminals — the real big bad guys have had botnets for a while, which can serve the very same purpose yet yield more power. It took Shodan’s creator John Matherly only 5 hours to ping and map all the devices on the whole Internet, and a botnet utilising hundreds of computers would probably do that even faster.


But there are a lot of other people who already have tried to misuse Shodan and Censys to play bad tricks and pranks on other people. And while the problem with the IoT security is mostly for the manufacturers to solve, there are a few things that you can do about it to secure those connected things that actually belong to you.




If any part of your business network is connected to the Internet, then the information your business handles is within the reach of hackers and cybercriminals. For this reason, the Payment Card Industry Data Security Standard (PCI DSS) requires that your IT network undergo a penetration test. Because the network penetration test is, at minimum, an annual event and because it involves a human resource, you want to be sure that the vendor you’re hiring is well worth its salt.

Selecting the appropriate penetration testing vendor involves asking the right questions to properly vet the security testing tools, methods and experts they employ:

Question 1

1. How does the penetration test differ from other types of security testing – such as a vulnerability assessment? Although you will already know the answer to this question, it should still be asked to ensure that the prospective vendor can articulate the differences which make penetration testing unique. Beware of any vendor that uses the words “penetration” and “scans” interchangeably, or claims that their penetration testing process is fully automated.

Question 2

2. What is your process for performing the penetration test? Penetration testing methods and techniques often differ slightly from organization to organization, but some core activities are common across all penetration tests. Even if they do not use a defined methodology, the vendor should be able to provide a straightforward outline of the steps involved and which tools are used at each step in the process.

Question 3

3. Do your testers hold industry standard certifications? It’s important to know that the individuals conducting your test are knowledgeable and remain up-to-date on security trends. Find out which certifications are held by the team. There are a variety of certifications which demonstrate knowledge in information security and technology in general, but penetration testers often hold certifications such as CEH, CISSP, GPEN and GWAPT. Keep an eye out for skills-based certifications such as the OSCP, which are becoming highly prized in the information security community.

Question 4

4. How will you protect my data during and after testing? Find out how the tester will secure your data during the test and throughout delivery. If devices will be shipped to your location or testers will be visiting with laptops, ensure that disk-based encryption is being used to protect data obtained during the test. When it’s time to deliver the final report, your tester should also offer a secure method for its delivery. Confidential data, including test reports, should never be sent via email; SFTP or secure file-sharing sites that use SSL should be employed.

Question 5

5. How will you ensure the availability of my systems and services while the test is taking place? Because penetration tests are actual attacks against your systems, it is impossible to guarantee uptime or availability of services throughout the test. However, most testers have some idea of whether or not a particular attack will bring down your system or “hang” a service. (You can also assist your tester by alerting them to any legacy or otherwise less-than-robust systems on your network.) The ideal penetration testing vendor will work closely with you to address operational concerns and monitor progress throughout the process.


Sarbanes-Oxley (SOX) Cheat Sheet

Author: Martin Voelk
April 9, 2015

The Sarbanes-Oxley Act (SOX) provides a legal model for running corporations of all sizes, regardless of whether they’re publicly traded and technically subject to SOX. The best legal minds agree that good liability-limiting governance after SOX requires corporations to do the following:

Evaluate your board members.

After SOX, shareholders expect the directors who sit on the boards that run companies to be independent and financially literate.

Create the correct kinds of committees.

After SOX, well-governed companies of all sizes break their board members up into audit committees, nominating committees, compensation committees, and maybe even disclosure committees.

Get good counsel for corporate officers.

The legal trend is that chief executive officers (CEOs) and chief financial officers (CFOs) are held responsible for everything that appears on financial statements. CEOs and CFOs need good legal counsel inside and outside the company to help them ask questions and spot issues necessary to reasonably protect these officers from liability.

Set defensive communication standards.

When a legal battle ensues, communications processes within the company are scrutinized. Establish clear communication procedures that reflect responsibility and accountability within the company.

Know the “hidden” risks to board members.

Board members are responsible to shareholders and third parties that rely on the company’s financials. Even in small, private companies, board members can be sued by creditors and third parties that rely on the financial statements.

Know when to say “no” to a Section 404 auditor.

Attorney opinions can be instrumental in cutting Section 404 costs in a company’s first year of Section 404 compliance. Attorneys can help cut costs in the Section 404 process by identifying areas in which legal liabilities and exposures are minimal.

Don’t treat whistle-blowers like whiners.

Whistle-blowers are people who alert the company to breaches of internal policy and government regulations, and they must be treated with special care after SOX.

Know when to file an 8-K report.

SOX Section 404 contains a list of seemingly routine events in the life of a corporation that call for the filing of an 8-K report. These events include (among many others) changes in management and loss of a major client. Know these triggering events.

Figure out whether your company needs an SAS 70 Form.

Even small companies that technically don’t have to comply with SOX Section 404 may be asked to provide certifications about their internal control to their clients who do have to comply using this form.



HIPAA Requirements (At-A-Glance)

Author: Martin Voelk
March 26, 2015


Access:

the ability to read, write, modify, or communicate data/information or otherwise use any system resource (computer, servers, fax machine, etc.).

Administrative safeguards:

actions, and policies and procedures, to manage protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.


Authentication:

ensuring that a person is who they say they are.

Business Associate:

a person or entity who (1) on behalf of a covered entity performs or assists in a function or activity involving the Use or Disclosure of Individually Identifiable Health Information, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing; and other functions and activities; or (2) provides legal, actuarial, accounting, consulting, Data Aggregation, management, administrative, accreditation or financial services that involves the disclosure of Individually Identifiable Health Information.

Business Unit

means one or more Workforce members who are subject to the HIPAA regulations and who are engaged in providing a specific product or service that involves Protected Health Information on behalf of the Covered Entity.


Confidentiality

means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Covered Entity

means entities to which the HIPAA rules apply and includes Health Plans, Health Care Clearinghouses and Health Care Providers who transmit any health information in electronic form in connection with a Transaction covered by HIPAA laws and regulations.

De-identified Health Information

means health information that is not individually identifiable health information. The following identifiers of the individual, relatives, employers or household members of the individual must be removed for data to be De-Identified:

(1) Name;
(2) Street address, city, county, precinct, zip code and equivalent geocodes;
(3) All elements of dates (except year) for dates directly related to an individual and all ages over 89;
(4) Telephone number;
(5) Fax number;
(6) Electronic mail address;
(7) Social Security Number;
(8) Medical record numbers;
(9) Health plan ID numbers;
(10) Account numbers
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers and serial numbers
(14) Web addresses (URLs);
(15) Internet IP addresses;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photographic images and any comparable images; and (18) Any other unique identifying number, characteristic or code.
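The de-identification rule above, as an added example that is not part of the original post: a function that strips the listed identifiers from a constructed patient record (dates reduced to the year, ages over 89 dropped), plus a check for identifier patterns such as phone numbers or e-mail addresses that survive in free-text fields. The record layout and field names are constructed for this example.

```python
import re
from copy import deepcopy

# Record fields that correspond to the identifiers listed above (names are
# constructed for this example; real systems map their own schema here).
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}

# Patterns for identifiers that tend to hide inside free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Example", "birth_date": "1931-05-14", "age": 92,
    "zip": "48109", "diagnosis": "J45.909", "admission_date": "2015-03-02",
    "notes": "Patient reachable at 734-555-0100 or jane@example.com.",
}


def deidentify(record: dict) -> dict:
    """Return a copy of record with the listed identifiers removed.

    Dates keep only their year (identifier 3), ages over 89 are dropped,
    and every other listed identifier field is removed outright.
    """
    out = deepcopy(record)
    for field in list(out):
        if field in IDENTIFIER_FIELDS:
            del out[field]
        elif field in DATE_FIELDS:
            year = re.match(r"\d{4}", str(out[field]))
            if year:
                out[field] = year.group(0)
            else:
                del out[field]  # unparseable date: remove rather than leak
    if isinstance(out.get("age"), int) and out["age"] > 89:
        del out["age"]
    return out


def residual_identifiers(record: dict) -> list:
    """List identifier kinds still present in any string field of record."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            for kind, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    found.add(kind)
    return sorted(found)
```

Field removal alone is not enough: the sample's notes still carry a phone number and an e-mail address, which is exactly what the residual check is for.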


Disclosure:

the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Electronic media means:

(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card, thumb drive; or

(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.

Certain transmission, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Electronic protected health information:

individually identifiable health information that is transmitted or maintained in electronic media.


Encryption:

the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.


Facility:

the physical premises and the interior and exterior of a building(s).

Individually Identifiable Health Information

is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a Health Care Provider, Health Plan, employer, or Health Care Clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an Individual; the provision of Health Care to an Individual; or the past, present, or future payment for the provision of Health Care to an Individual; and
(A) Identifies the Individual; or
(B) reasonably could be used to identify the Individual.

Information system

means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Physical safeguards

are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion (e.g. keypad door entry).

Protected Health Information

means Individually Identifiable Health Information that is transmitted by electronic media; maintained in any electronic media; or transmitted or maintained in any other form or medium. Protected health information excludes Individually Identifiable Health Information in education records covered by the Family Educational Rights and Privacy Act.

Security or Security measures

encompasses all of the administrative, physical, and technical safeguards in an information system.

Security incident:

the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Technical safeguards:

the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.


Transaction

means the transmission of information between two parties to carry out financial or administrative activities related to Health Care. It includes the following types of information transmissions:

(1) Health care claims or equivalent encounter information
(2) Health care payment and remittance advice
(3) Coordination of benefits
(4) Health Care claim status
(5) Enrollment and disenrollment in a Health Plan
(6) Eligibility for a Health Plan
(7) Health Plan premium payments
(8) Referral certification and authorization
(9) First report of injury
(10) Health claims attachments
(11) Other transactions that the Secretary may prescribe by regulation


Workforce

means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for your practice, is under your direct control, whether or not they are paid by you.


Workstation

means an electronic computing device, for example, a laptop or desktop computer, thin client, or any other device that performs similar functions, and electronic media stored in its immediate environment.


PCI-DSS v3.0 Excel Cheat Sheet

Author: Martin Voelk
March 13, 2015

The new PCI-DSS v3.0 requirements will come into force in summer 2015, and we have already heard from many customers that this causes some of them concern. There is actually nothing to be worried about. It is a very structured approach, and the aim is to make things easier rather than harder.

A few very important changes have been introduced, especially around Penetration Testing and Segmentation Auditing requirements.

Here you can download a PCI-DSS v3.0 excel cheat sheet:



PCI DSS v3 Penetration Testing

Author: Martin Voelk
November 30, 2014

PCI DSS v3 now requires penetration testing; standard vulnerability assessments by automated tools are no longer sufficient.

Implement a methodology for penetration testing that includes the following:

  • Is based on industry accepted penetration testing approaches (for example NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.

If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.