March 31st, 2015


The IT Support/MSP game has changed.  Clients are no longer satisfied with just getting their desktops managed and servers supported.

Almost every industry has customer privacy and security compliance regulations – and clients are looking at us, their IT providers and business confidantes, to help them become and remain compliant.

So what do you need to know about compliance?

First – determine what industry or vertical you will tackle, then dive into it.

In my experience, clients do not want a generalist firm that says we provide HIPAA/HITECH/PCI-DSS/Sarbanes-Oxley/GLBA/SEC Cybersecurity/[insert acronym here] compliance. More and more, savvy buyers want MSPs that focus on their vertical.

If you’re tackling healthcare, you must deep-dive into HIPAA/HITECH, FTC Health Breach, State Records Retention, SEC Cybersecurity guidance and State Privacy Laws.  If medium-to-large retailers ($10M-$4B) are your targets, then a thorough understanding of PCI-DSS and State Privacy Breach Laws is required.  If banking and finance is your focus, then GLBA, SOX-404, State Privacy Breach, FINRA regulations, PATRIOT ACT and FFIEC compliance knowledge is a must.

Underpinning all these regulations, standards and statutes are 3 simple truths:

  1. Every regulation or standard requires good, tested, verifiable backups.
  2. Use of strong passwords and tested security configurations is a must.
  3. Encrypting data in motion and data at rest is a very, very good idea.

As you start your journey towards becoming a compliance-oriented MSP, I can offer you a few resources for HIPAA/HITECH, PCI-DSS, SEC Cybersecurity and PRIVACY LAW compliance.

HIPAA/HITECH Compliance: Email me and request the

  • HIPAA Compliance Checklist
  • Articles and newsletters regarding trends in HIPAA enforcement and compliance


  • Overview of the state privacy breach laws
  • Trends in Financial Crimes
  • Lessons Learned from Superstorm Sandy

SEC Cybersecurity Compliance

  • Overview of SEC Requirements
  • Trends in Financial Crimes
  • Lessons Learned from Superstorm Sandy
  • Challenges endemic to the financial sector

As always, if you have questions regarding security, privacy or compliance, feel free to contact me at

Latest articles, blog posts, presentations and webinars are available at

Come meet Raj in person and hear him present on “What MSPs Need to Know About Compliance” at the Datto Partner Conference.

Topic Articles, Events, News
April 29th, 2014

"And finally, I’m actually here today to win the ‘Most Creative Use of Tor’ award," she said, followed by roars of laughter in the audience. "I really couldn’t have done it without Tor, because Tor was really the only way to manage totally untraceable browsing. I know it’s gotten a bad reputation for Bitcoin trading and buying drugs online, but I used it for"

Genius, right? But not exactly foolproof. Vertesi said that by dodging advertising and traditional forms of consumerism, her activity raised a lot of red flags. When her husband tried to buy $500 worth of Amazon gift cards with cash in order to get a stroller, a notice at the Rite Aid counter said the company had a legal obligation to report excessive transactions to the authorities.

"Those kinds of activities, when you take them in the aggregate … are exactly the kinds of things that tag you as likely engaging in criminal activity, as opposed to just having a baby," she said.

Vertesi said we need to be more aware of the information we give our servers voluntarily, and wondered if a time will ever come when we can opt out of giving personal information to the Internet.

via How One Woman Hid Her Pregnancy From Big Data.

Topic News
April 28th, 2014

…and here’s what a brand knows when you login via facebook

What Facebook Sells About You To Corporations, Governments, etc.

via Twitter / TheBakeryLDN: …and here’s what a brand ….

Topic CISSP, News
April 28th, 2014

Welcome to the land of the Free (surveillance) and the home of the Brave (spies)

Utah law enforcement officials searched, without a warrant, the prescription drug records of 480 public paramedics, firefighters and other personnel to try to figure out who was stealing morphine from emergency vehicles.

This type of snooping doesn’t require crypto-cracking technology or other National Security Agency spying tools disclosed by former NSA contractor Edward Snowden. All it took was a law enforcement official’s hunch in this case to search every member of the Unified Fire Authority’s prescription records.

The American Civil Liberties Union on Monday derided the 2013 dragnet search as “shocking” and called it a “disregard for basic legal protections” to provide law enforcement with “unfettered” access to such private data.

The warrantless search of Utah’s database chronicling every controlled substance dispensed by a pharmacist resulted in charges against one paramedic that have nothing to do with the original investigation. Instead, the authorities discovered an employee whose records exhibited “the appearance of Opioid dependence” and lodged prescription fraud charges against paramedic Ryan Pyle. Now Pyle faces a maximum five-year prison sentence if convicted of the felony.

“To me, it’s outrageous government conduct,” Pyle’s attorney, Rebecca Skordas, said in a telephone interview Monday.

via Utah cops warrantlessly search prescription drug records of 480 emergency personnel | Ars Technica.

Topic News
April 28th, 2014

Imitation is the best form of flattery.  The DOJ is flattered.


Updates to the email privacy law called the Electronic Communications Privacy Act (ECPA) are long overdue. It’s common sense that emails and other online private messages like Twitter direct messages are protected by the Fourth Amendment. But for a long time, the Department of Justice (DOJ) argued ECPA allowed it to circumvent the Fourth Amendment and access much of your email without a warrant. Thankfully, last year it finally gave up on that stance.

But now it appears that the Securities and Exchange Commission (SEC), the civil agency in charge of protecting investors and ensuring orderly markets, may be doing the same exact thing: it is trying to use ECPA to force service providers to hand over email without a warrant, in direct violation of the Fourth Amendment.

EFF and the Digital Due Process Coalition, a diverse coalition of privacy advocates and major companies, are fighting hard to push a common sense reform to ECPA. The law, passed in the 1980s before the existence of webmail, has been used to argue that emails older than 180 days may be accessed without a warrant based on probable cause. Instead, the agencies send a mere subpoena, which means that the agency does not have to involve a judge or show that the emails will provide evidence of a crime.

via Is the SEC Obtaining Emails Without a Warrant? | Electronic Frontier Foundation.

Topic News
April 28th, 2014

Seems like the NSA has competition (or is that a friendly rivalry)?


Russian law gives Russia’s security service, the FSB, the authority to use SORM (“System for Operative Investigative Activities”) to collect, analyze and store all data that is transmitted or received on Russian networks, including calls, email, website visits and credit card transactions.

SORM has been in use since 1990 and collects both metadata and content.

SORM-1 collects mobile and landline telephone calls.

SORM-2 collects internet traffic.

SORM-3 collects from all media including Wi-Fi and social networks and stores data for three years.

Russian law requires all internet service providers to install an FSB monitoring device called “Punkt Upravlenia” on their networks that allows the direct collection of traffic without the knowledge or cooperation of the service provider. The providers must pay for the device and the cost of installation.

Collection requires a court order, but these are secret and not shown to the service provider. According to the data published by Russia’s Supreme Court, almost 540,000 intercepts of phone and internet traffic were authorized in 2012. While the FSB is the principal agency responsible for communications surveillance, seven other Russian security agencies can have access to SORM data on demand.

SORM is routinely used against political opponents and human rights activists to monitor them and to collect information to use against them in “dirty tricks” campaigns. Russian courts have upheld the FSB’s authority to surveil political opponents even if they have committed no crime.

Russia used SORM during the Olympics to monitor athletes, coaches, journalists, spectators, and the Olympic Committee, publicly explaining this was necessary to protect against terrorism. The system was an improved version of SORM that can combine video surveillance with communications intercepts.

via Schneier on Security: Info on Russian Bulk Surveillance.

Topic Articles, CISSP, News
January 22nd, 2014

Welcome to the Panopticon.  Or surveillance circle-jerk.

With apologies to Tom Lehrer,

Global Surveillance Week!

Chinese spy on the Japanese
Russians Spy on the Chinese
Indians Spy on the Pakistanis
Aussies spy on the Kiwis
North Koreans spy on Dennis Rodman

The NSA spies on everyone
And EVERYONE spies on the Americans


A new security report confirms that Chinese hackers spied on The New York Times in 2012, as well as attendees of the G20 Summit in St. Petersburg last fall. Iranian hackers spied on dissidents in the lead up to state elections last May. The Syrian Electronic Army is only getting better, and North Korean hackers were behind a destructive cyberattack that wiped data from South Korean banks last year.

via New Security Report Confirms Everyone Is Spying on Everyone –

Topic News
January 22nd, 2014

As WSJ reports, the security guys tried to get chip-and-pin launched in the US 10 years ago.

This is the same technology that has REDUCED UK losses by 70%.


Why did it fail in the US?

VISA & MasterCard Greed.

Long transaction times.

Target’s short-sightedness.

And who pays for it all?  Us.  The consumers, taxpayers and shareholders.

Who doesn’t pay for it?  Executives at Target, VISA and MasterCard.

The US leads the world in credit card fraud.  Not a metric to be proud of.

From WSJ:

Executives in Target’s credit-card division tried to keep the program but lost out to the concerns of executives responsible for store operations and merchandising, a group that included Mr. Steinhafel, who worried the technology slowed checkout speeds and didn’t offer enough marketing benefits, according to a person familiar with the decision.

The risks of big, expensive attacks like Target’s could help spur a consensus on the issue.

“All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade,” James Dimon, CEO of J.P. Morgan Chase & Co., said last week on an earnings call.

Mr. Steinhafel, in his first public comments since the breach, said momentum is picking up for mass adoption of chip cards. “I think we’re ready to move,” the Target CEO said in a Jan. 13 interview with CNBC. Target, he said, was “out front of the industry, and the industry didn’t follow.”

via Target Tried an Anti-Theft Credit-Card System Years Ago –

Topic News
January 22nd, 2014

As SC magazine reports, a contractor stole data on 20 million South Koreans and smuggled it out on a USB stick.

Data of 20 million South Koreans copied to USB stick, sold to marketing firms

An IT worker was arrested after allegedly copying names, Social Security numbers, and credit card details of 20 million South Koreans to a USB stick, so the trove of information could be sold to phone marketing firms.

According to a Monday BBC News article, the IT worker under suspicion worked for the Korea Credit Bureau.

In response to the breach, top executives at three credit card firms impacted by the incident – KB Kookmin Card, Lotte Card, and Nonghyup Card – made a public apology and resigned from their positions.

The contractor suspected of stealing the information is thought to have obtained the data through the Korea Credit Bureau’s access to the credit card companies’ databases.

via Data of 20 million South Koreans copied to USB stick, sold to marketing firms – SC Magazine.

Topic News
August 17th, 2013

Here’s another excellent reason to NEVER buy digital content from iTunes, Google Play or Kindle.

Cross the border, lose your content…

Jim O’Donnell was at a library conference in Singapore when his iPad’s Google Play app asked him to update it. This was the app through which he had bought 30 to 40 ebooks, and after the app had updated, it started to re-download them. However, Singapore is not one of the countries where the Google Play bookstore is active, so it stopped downloading and told him he was no longer entitled to his books.

via Cross a border, lose your ebooks – Boing Boing.

Topic News