Securing a Mobile Operation / Security Features in AngelTrack

Suggestions for securing your operation, and explanations of AngelTrack's many security features.

Many initial steps, plus ongoing company policies and enforcement, are required to secure a mobile, paperless operation in today's hostile security environment. Most are necessary for HIPAA compliance, but all are sensible and inexpensive.

Role-Based Access Control

AngelTrack uses role-based access control to grant access to its features and data.

When an employee is a member of a role (such as "dispatcher"), that employee has all the privileges of that role, including read and (sometimes) write access to that role's data. Some roles are very powerful, with write access to large amounts of company data.

Greater access creates greater opportunities for accidental damage. So, do not add employees to any role unless they have a bona fide and ongoing need for those access privileges. Promptly remove them from roles they no longer perform.

Use the Administrator Account Only When Necessary

We strongly recommend that you never use AngelTrack's built-in administrator account for day-to-day operations. The administrator account has full read/write access to everything in AngelTrack, so a person logged in as administrator has many opportunities to accidentally modify something important. This is a liability, no matter how trustworthy or careful your employees are.

Furthermore, the administrator account does not have any specific person's name on it. As such, its activities cannot be positively traced to an individual.

Use the administrator account to create yourself a separate employee account. Add yourself to whichever roles you require. Then log out, and log back in using your new account.


Do Not Share Accounts

We strongly recommend that every person who accesses your AngelTrack cloud server have their own separate employee account. No exceptions.

We urge you to resist the temptation to create an employee account named "QAReview" or "Billing" for multiple people to use. When multiple people share an account in that manner, it becomes impossible to tell which one of them performed which action. You won't be able to trace a mistake back to the person who needs retraining.

This also applies to any outside contractors whom you invite into your cloud server. Even if the contractors all operate under a single company ("Acme Billing"), do NOT create an "AcmeBilling" account for them, even if they specifically request it. It is best if each one of Acme Billing's employees has a separate account in their own name.

Provisional Access / IP Whitelist for High-Access Employees

The high-access security roles of Dispatcher, Call-taker, Biller, Lieutenant, and Captain can be made subject to AngelTrack's IP whitelist, by marking them ☑ Provisional.

A provisional employee will enjoy their high access only when they are connecting from an IP address in AngelTrack's list, i.e. only when connecting from a company-owned network. At all other times, they will lose the aforementioned access, but will still enjoy their other access roles.

The provisional setting does not affect user accounts who are marked as Administrator.

Fort Knox Mode / Locking Out Unfamiliar Devices

You can further lock down your AngelTrack server by forbidding login from any computer or device that AngelTrack has not seen before.

This dramatically increases the security for your data, but also creates a minor ongoing hassle as new devices must be registered from time to time. To learn more, read the Login Mode Guide.

Securing Passwords

Password policy is a pillar of IT security. Appropriate password policy is already built in to AngelTrack, and no further action is required unless you wish to adjust it.

Password expiration

AngelTrack has a password expiration interval, configurable on the Preferences page underneath the Settings page. By default, the expiration interval is 180 days. You can choose any interval from 1 to 999 days, or set it to 0 to disable password expiration.

When an employee's password is expired, they will be prompted to change it when they next access AngelTrack. As with announcements, the password expiration prompt will not be shown if the employee has an active dispatch assigned.

Password expiration has another benefit: When employees are prompted to reset their password, they are also prompted to update their mobile number, their mailing address, and their emergency contact... in case these are outdated.

If an employee enables two-factor authentication [2FA] on their account, and has a valid messaging address on file for that purpose, then AngelTrack will double their password expiration interval. For example, if the system is configured for 180-day password expiration, then anyone using 2FA on their account will only have to reset their password once every 360 days.

Common passwords automatically prohibited

AngelTrack has a built-in list of the 150 most commonly-used passwords. Attackers have the same list, and routinely use it to conduct brute-force attacks. To protect you from such attacks, AngelTrack does not permit any employee to choose a password that is on the list.

Ampersand (&) and less-than (<) characters forbidden

AngelTrack forbids users from choosing any password containing an ampersand character & or a less-than character <.

AngelTrack does this as part of its defense against Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. CSRF and XSS attacks make use of the aforementioned characters because ampersands and less-thans are used in the HTML language as control characters, which can stealthily direct a user's browser to visit a hostile website, or send data to a third party, or download hostile third-party scripts and content.

Warn employees to not share their passwords

Employees should be counselled -- and then occasionally reminded -- that they are strictly prohibited from sharing passwords with other employees.

Avoiding password-sharing protects both the employee and the agency.

Let AngelTrack choose your new password

Probably you are like most people, using the same or similar password on many different websites and online services.

The danger is, if one of those websites gets breached, and your favorite password gets exposed, the hackers will then try the same username and password on as many other websites as they can, to see if you used the same credentials elsewhere.

For this reason it is best to let AngelTrack choose your password for you. But don't worry, it won't give you a jumble of letters, numbers, and symbols that is impossible to remember. Instead, your new password will be a string of ordinary English words separated by dots. This makes it easy to remember, and easy to type on your smartphone, but very difficult for a hacker to guess, because AngelTrack's wordlists are so large that it would take billions of attempts, which will not work against AngelTrack due to the auto-lockout feature discussed below.

Built-in defenses against account takeover

High-level users (members of the HR and Administrator roles) have the authority to change the password of another user.

Medium-level users (members of the Captain, HR, and Administrator roles) also have the authority to change another user's primary messaging address, if that user is not a high-level user (HR or Administrator). The new primary messaging address could then be used for a self-service password reset.

Therefore, if a medium- or high-level user account became compromised, it could try to take over other similar-access accounts in order to conceal its actions.

AngelTrack protects against this by sending a notification message to the target user account if anyone ever changes its password or its primary messaging address, so that they can intervene if the change was not anticipated.

Self-service password reset

If an employee has typed their messaging address (email or SMS) into their employee file in AngelTrack, they will be able to reset their own password if locked out. In this situation, AngelTrack will offer a reset button to the employee:

[Screenshot: password reset button on the login page]

The employee will then receive a message containing a new, randomly-generated, high-security AngelTrack password.

Two-Factor Authentication / 2FA

Every user account in AngelTrack can be enabled for two-factor authentication, as long as it has a messaging address (email or SMS) on file.

Any employee using 2FA on their account will enjoy twice the normal password expiration interval; for example, if all employees must reset their passwords every 180 days, then 2FA users must reset every 360 days.

You can use the Employees Missing HR Data report under HR Home to see which employees have and have not enabled 2FA on their AngelTrack accounts.

If your user account has Administrator access, be sure to enable two-factor authentication. Any user account that has Administrator access but which does not have two-factor authentication will be automatically deactivated after 90 days of inactivity.

Automatic Account Lockout

In order to defend against brute-force password guessing attacks, AngelTrack automatically locks its user accounts after several unsuccessful password attempts.

This prevents an attacker from running a program all day and night to try logging in using common passwords. Here is what AngelTrack's login page will show when an account gets locked after several incorrect passwords:

[Screenshot: login page showing a locked account]

When locking a user account after repeated password failures, AngelTrack follows this lockout schedule:

Consecutive Incorrect Passwords    Lockout Duration
3                                  2 minutes
4                                  5 minutes
5                                  10 minutes
6+                                 15 minutes

If the user account's login name is "admin", then the lockout duration is always four hours, and the above chart does not apply. This is because it is easy for any attacker to guess that "admin" is a valid login name, and therefore the "admin" account will probably be the target of any brute-force password-guessing attack.

A locked account can be unlocked by anyone with Captain, Lieutenant, Dispatcher, or HR privileges. Just visit the Employees List, find the locked row, and click the red "Locked" button.
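
The lockout schedule above, modeled as an added example (not AngelTrack's own code) to show how many guesses per day the server will actually evaluate, and what that means for the "billions of attempts" figure given earlier for generated passwords. It assumes the "admin" lock also starts at the third failure, that the login name is matched case-insensitively, and that a successful login resets the count; the page states none of these.

```python
from datetime import datetime, timedelta

# Lockout schedule as published on this page (consecutive failures -> minutes).
SCHEDULE_MINUTES = {3: 2, 4: 5, 5: 10}
LONGEST_LOCKOUT_MINUTES = 15          # applies to 6 or more failures
ADMIN_LOCKOUT = timedelta(hours=4)    # the "admin" login name ignores the chart
FIRST_LOCKING_FAILURE = 3             # assumption: "admin" also locks at the 3rd failure


def lockout_for(login, consecutive_failures):
    """Lockout duration triggered by the Nth consecutive incorrect password."""
    if consecutive_failures < FIRST_LOCKING_FAILURE:
        return timedelta(0)
    if login.lower() == "admin":      # assumption: case-insensitive match
        return ADMIN_LOCKOUT
    minutes = SCHEDULE_MINUTES.get(consecutive_failures, LONGEST_LOCKOUT_MINUTES)
    return timedelta(minutes=minutes)


class LockoutTracker:
    """Hypothetical in-memory tracker; a real server would persist this state."""

    def __init__(self):
        self.failures = {}        # login -> consecutive incorrect passwords
        self.locked_until = {}    # login -> datetime the lock expires

    def attempt(self, login, password_ok, now):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        if now < self.locked_until.get(login, datetime.min):
            return "locked"       # the password is not even checked while locked
        if password_ok:
            self.failures.pop(login, None)   # assumption: success resets the streak
            return "ok"
        count = self.failures.get(login, 0) + 1
        self.failures[login] = count
        self.locked_until[login] = now + lockout_for(login, count)
        return "denied"


def guesses_evaluated(login, window):
    """Upper bound on passwords the server will check within `window` when
    every attempt is wrong and arrives the instant the previous lock expires."""
    tracker = LockoutTracker()
    start = now = datetime(2024, 1, 1)   # constructed start time
    checked = 0
    while now - start < window:
        if tracker.attempt(login, False, now) == "denied":
            checked += 1
        now = max(now + timedelta(seconds=1), tracker.locked_until[login])
    return checked


def days_to_try(candidates, login):
    """Days needed to submit `candidates` guesses at the daily rate above."""
    return candidates / guesses_evaluated(login, timedelta(days=1))


if __name__ == "__main__":
    day = timedelta(days=1)
    print("ordinary account:", guesses_evaluated("jsmith", day), "guesses/day")
    print("admin account:   ", guesses_evaluated("admin", day), "guesses/day")
    print("days for one billion guesses:", days_to_try(1_000_000_000, "jsmith"))
```
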

Automatic defense against username-guessing attacks

The logon page automatically defends against attempts to guess logon names, by refusing to confirm or deny whether any particular logon name is valid.

AngelTrack will even allow the attacker to attempt a self-service password reset via email, offering them a fake email address so that they cannot tell whether a logon name is valid. This is why, if you accidentally try to logon with the wrong username, you might see AngelTrack offer to send a password reset message to an email address that you don't recognize. AngelTrack won't actually send that email.
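
One way to build the decoy behaviour described above, as an added example that is not AngelTrack's own code: the fake address comes from a keyed hash of the logon name, so the same unknown name always gets the same decoy. The secret, the decoy domains, the masking format, the sample account and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-key"      # constructed; a real key lives outside source
# Assumption: decoy domains resemble the providers real staff addresses use.
DECOY_DOMAINS = ["gmail.com", "yahoo.com", "outlook.com", "icloud.com"]
ACCOUNTS = {"jsmith": "jsmith@gmail.com"}    # constructed sample account
UNIFORM_REPLY = "If that logon name is valid, a reset message is on its way."


def masked(address):
    """Show only the first letter; fixed width so the length leaks nothing."""
    local, domain = address.split("@", 1)
    return f"{local[0]}*****@{domain}"


def decoy_hint(login):
    """Fake masked address derived from a keyed hash of the logon name.

    Keyed and deterministic: the same unknown name always yields the same
    decoy, so asking twice and comparing the answers reveals nothing."""
    digest = hmac.new(SERVER_SECRET, login.lower().encode(), hashlib.sha256).digest()
    first_letter = chr(ord("a") + digest[0] % 26)
    domain = DECOY_DOMAINS[digest[1] % len(DECOY_DOMAINS)]
    return f"{first_letter}*****@{domain}"


def reset_offer(login):
    """Address hint shown on the logon page, same shape for real and fake names."""
    real = ACCOUNTS.get(login.lower())
    return masked(real) if real else decoy_hint(login)


def send_reset(login, outbox):
    """Queue a message only for a real account; the reply never says which."""
    real = ACCOUNTS.get(login.lower())
    if real:
        outbox.append(real)
    return UNIFORM_REPLY


if __name__ == "__main__":
    outbox = []
    for name in ("jsmith", "nosuchuser"):
        print(name, "->", reset_offer(name), "|", send_reset(name, outbox))
    print("messages actually queued:", outbox)
```
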

Reducing the CSRF Attack Surface

A CSRF attack is when you inadvertently visit a hostile website, and the hostile website runs code in your browser to try to forge a request to your AngelTrack server. It does this by utilizing the stored authentication ticket that AngelTrack had earlier issued to your browser.

To reduce the risk of such attacks, you can do any and all of the following:

  • Implement a URL whitelist on the company network that prevents work computers from visiting any websites other than those needed for work;
  • Forbid the use of personally-owned computers and devices, through a combination of Provisional access and Fort Knox mode.
  • Disable the "Keep me logged in" option, which you can do from the Preferences page under Settings. Once this option is disabled, employee logins are valid only as long as they keep their browser open; once they close their browser, they will be logged-out, even if they did not remember to click the "Logout" button.

Securing Desktop Computers

We strongly recommend that desktop computers used by back-office staff (dispatchers, billers, and the like) have a passworded screen-saver configured to protect the computer after 5 minutes of inactivity. Back-office staff enjoy a great deal of access to AngelTrack, and there is always the risk they will go home for the night without remembering to log out of AngelTrack. The passworded screen-saver secures that vulnerability.

Another alternative is to secure the door of the dispatch office and the billing office. Install automatic door-closer mechanisms on the doors, and then install keypad doorknobs so that only authorized employees may enter. Once that's done, you could set a longer screen-saver lock on the computers inside -- perhaps thirty minutes instead of just five.

Avoid old operating systems that are no longer supported by the vendor

Upgrade your desktop computers to an operating system version that is still being supported by Microsoft or Apple, ensuring that the computer will have the latest security updates.

Windows 7 is no longer being supported by Microsoft, and so may have an escalating number of vulnerabilities. Consider immediately upgrading or replacing all Windows 7 computers.

Likewise for old web browsers, such as the venerable Internet Explorer, which has since been superseded by the Microsoft Edge browser.

Install a subscription anti-virus solution

Each desktop computer should run a subscription anti-virus solution, where the subscription enables constant updates as new threats emerge in the wild. There are even PDF-borne viruses that can arrive via email, so the anti-virus solution must include an email scanning feature.

Protect laptops and desktops with BitLocker or equivalent

It's only a matter of time until your organization loses a laptop. Protect yourself by enabling BitLocker or other whole-disk encryption on it, so that whoever finds the laptop cannot scrape any privileged information from it.

Even your desktop computers might go astray, if your dispatch office ever gets burgled, so consider protecting them in the same way.

In any case, as soon as you activate BitLocker, SAVE THE RECOVERY KEY. You can print these recovery keys and store them in a safe, or upload them to AngelTrack as employee document attachments.

Securing Mobile Devices

Automatic screen lock

A lost or stolen tablet creates a security vulnerability, if an employee was left logged in on its web browser when the tablet went astray. The vulnerability is magnified when the tablet is set to remember the password of its user.

To secure this vulnerability, iPads and other tablets taken into the field should be configured with a lock screen and passcode. Choose a simple passcode that every employee can remember -- perhaps the last four digits of the company's main phone number? -- and then configure tablets to delete themselves after a few unsuccessful attempts.

Many modern tablets now have a thumbprint scanner integrated into their home/lock button, making it easy for crews to unlock the device using a single gesture.

Distinctive cases

To reduce the odds that company-owned mobile devices get stolen, select a protective case that is distinctively colored or decorated, and use the same case on every company-owned device.

A bright and ugly color is best: orange, lime green, fuchsia. Not only do such colors make the device unappealing to steal, but they also make it easier to find when accidentally left somewhere.

Central registration and remote wipe

Company-owned mobile devices can be registered to a central authority (e.g. iTunes), which then allows tracking and remote wipe. Do not hesitate to remote wipe a mobile device that has gone missing; if it is subsequently recovered, no EMS information was lost, as AngelTrack does not store any information on the device.

Securing personal mobile devices

If you permit your employees to use their personal mobile devices in the line of duty, then announce a HIPAA rule which they must follow:

If you use your personal mobile device to photograph HIPAA-protected patient documents, then federal law requires you to set a password on your device. Configure the device to wipe itself after ten unsuccessful password attempts.

At the end of each shift, after all reports are sent to QA, delete all HIPAA-protected photographs from your device.

This policy is already written for you as a built-in announcement in AngelTrack; you must simply activate the announcement.

Tracking of Employee HIPAA Training

AngelTrack has a built-in certificate type to track each employee's HIPAA training, and you can add custom certificate types to track other forms of recurring training... even something as simple as a ten-minute annual update on company policy regarding AngelTrack usage.

By means of these certificate types, you can use the Crew Certificates Overview report to easily monitor which employees need a refresher course on security-related topics.

Employee Termination Policy

When an employee is terminated, it is important to immediately suspend their access to AngelTrack. Although AngelTrack does not permit gross damage like report and document deletion, a disgruntled employee could nevertheless alter his or her run reports so as to cause problems in Billing, or alter the reports of crewmates to add profanity and the like. Therefore it is important to add the task "Revoke the employee's AngelTrack access" to your termination procedure.

Revoking AngelTrack access is easy. Any user with HR privileges can mark any employee inactive, which immediately suspends all AngelTrack access. Employees can easily be reactivated later, so do not hesitate to deactivate an employee when termination is imminent.

Automatic warning of stale user accounts

When a user account has not been utilized during the past 45 days, AngelTrack automatically marks it with a skull and crossbones in the Employee List. The account will also be reported in the "Stale Employee Records" dashboard under HR Home.

It is prudent to deactivate all stale user accounts, unless you know of a specific reason to keep them active.

Logging of AngelTrack Activity

You are already familiar with AngelTrack's journals, which track field-by-field changes to all dispatches, invoices, and timeclock entries. These journals cannot be altered or deleted by anyone, and hence are admissible in court as evidence.

There is also a journal of employee logon attempts and successes, available under HR Home and from each employee's Employee Self-Edit page.

In addition to these, AngelTrack keeps logs of all web activity at the request level. This means you can review who accessed your AngelTrack cloud server, including the date and time, their IP address, their device type, and the pages accessed. The log cannot be altered and is retained for a period of time specified in the Data Lifetime and Export policy.

To learn how to use AngelTrack's logs and other forensics features to trace a data leak or other malfeasance to the responsible employee, read the Data Leak Forensics Guide.

Live monitoring of connected users

Found under the Settings page, the Heartbeat feature allows you to monitor all active connections to your AngelTrack server, including IP addresses and summaries of each connection's previous two minutes of activity. You can click each IP address to geolocate it, which gives an approximate physical location plus the name of the ISP.

Data Watermarking

AngelTrack's .PDF, .CSV, and .XML exports are all watermarked in different ways, to indicate the date and identity of the person who generated the data.

Furthermore, AngelTrack's NEMSIS uploads are watermarked in a special way to indicate whom they were uploaded to, in case they later leak and a blamestorm begins. To learn more, refer to the Data Leak Forensics Guide.

AngelTrack's Multi-Tier Backup Schedule with Offsiting

AngelTrack's present storage and backup parameters for your data are as follows. These parameters exceed the minimums specified in AngelTrack's Terms of Service, and therefore are subject to change without notice, at the sole discretion of AngelTrack LLC.

100% of customer data* lives in an SQL cluster on a RAID-10 SAN in AngelTrack's secure datacenter. Customer data is automatically pruned of expired items, per the Data Lifetime Policy.

Customer data is backed-up at least once every three hours to a different RAID-10 SAN, where it is at rest. These backups are retained for at least 7 days.

The backups are re-backed-up at least once every 24 hours to an offsite data preservation facility administered by Rackspace, which retains them encrypted for at least 14 days.

*Does not include raw webserver logs.

Other Security Features

To further protect your organization, AngelTrack implements the following additional security measures...

Rackspace hosting / SOC 2 data center

AngelTrack LLC does not attempt to save money on hosting. We host exclusively on dedicated hardware at Rackspace.

Rackspace datacenters are expensive, but they are SOC 2 and FedRAMP audited with physical access control and quadruple-redundant connectivity. If you would like to see the SOC2 documents that cover your AngelTrack server, they are available from AngelTrack LLC if you will sign an NDA.

TLS v1.2 and v1.3 / SHA-256 / RSA-2048

Your AngelTrack server requires your computer to connect by means of the secure TLS v1.2 or v1.3 protocol. This protects all of your internet traffic from eavesdropping.

Obsolete versions of TLS -- v1.0 and v1.1 -- are forbidden from connecting to AngelTrack, as is plain (unencrypted) HTTP. As such, very old mobile devices and very old desktop computers may be unable to connect, if they only support the insecure older versions of the internet protocols.

OV SSL Certificate

AngelTrack's SSL certificate, upon which the security of your connection depends, is a high-security Organization Validation (OV) certificate with a very strong 2048-bit RSA key. If you check the SSL certificate that your browser is using to connect to AngelTrack, you can see the guarantee that it was issued to AngelTrack LLC, and not just a random website claiming to be angeltrack.com or angeltracksoftware.com.

No advertising and no third-party cookies

Your AngelTrack server is a 100% pure EMS and fire software application, 100% made in USA by native American citizens, containing zero advertising and zero third-party cookies.

AngelTrack therefore is not vulnerable to the "drive-by infection" risk created by banner-ad networks.

Dedicated per-customer SQL databases

Every AngelTrack customer gets their own dedicated SQL Server database, within AngelTrack's high-availability SQL cluster, to hold all of their data. Your data is never commingled with that of other providers. This forecloses the risk that a programming error could allow an admin user at a different company to access your data.

Nor do we store any data in a CDN. All customer data lives in their dedicated SQL database.

DNSSEC

AngelTrack's DNS domains are protected by DNSSEC, which prevents a hacker from spoofing AngelTrack's domain records in an attempt to redirect your browser to a fake website masquerading as AngelTrack.

Whenever you connect to your AngelTrack server, you can be confident that it's the real thing.

We own all similar domain names

AngelTrack LLC owns all the similar domain names, such as angeltrack.cc, angeltrack.net, angeltrack.us, and so forth. They are all locked down with DKIM, SPF, and DMARC, so that hackers cannot use those domains to send you phishing emails that superficially appear to be sent by AngelTrack employees.

100% dedicated (private) hardware

All of AngelTrack's routers, server blades, and SQL instances are dedicated (private) hardware in a high-availability (HA) cluster. AngelTrack's SQL cluster is likewise dedicated (private) to AngelTrack LLC and is deployed HA.

We do not share any hardware or virtual machines with any other application or organization.

Automatic Defenses Against Denial-of-Service Attacks

To defend you from denial-of-service attacks, your AngelTrack server imposes limits on its network activity:

  • Maximum number of simultaneous connections
  • Minimum client bandwidth
  • Maximum requests per client IP address per time period
  • Maximum simultaneous requests per client IP address

If you have a large headquarters where many employees simultaneously use AngelTrack via a NAT router which shares a single IPv4 address among them, you might exceed the latter two throttles. When that happens, AngelTrack will temporarily return HTTP error 403 ("Forbidden") and/or display error popups stating, "Server overload defenses are active".

To resolve this, you must upgrade your internet service to one which provides IPv6 addresses, including a router which assigns a different IPv6 address to each workstation.
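
Why a shared IPv4 address trips the per-client throttle while per-workstation IPv6 addresses do not, shown as an added example that is not AngelTrack's own code. It models only the "maximum requests per client IP address per time period" limit; the limit of 60 requests per 10 seconds, the workstation count and the addresses (documentation ranges) are constructed, since the page publishes no numbers.

```python
from collections import defaultdict, deque


class PerClientThrottle:
    """Sliding-window limit on accepted requests per client IP address."""

    def __init__(self, max_requests, period_seconds):
        self.max_requests = max_requests
        self.period = period_seconds
        self.accepted = defaultdict(deque)   # client IP -> times of accepted requests

    def handle(self, client_ip, now):
        """Return the HTTP status the server would send for this request."""
        window = self.accepted[client_ip]
        while window and now - window[0] >= self.period:
            window.popleft()                 # forget requests older than the period
        if len(window) >= self.max_requests:
            return 403                       # "Server overload defenses are active"
        window.append(now)
        return 200


def count_rejections(source_addresses, requests_each, throttle):
    """Every workstation sends `requests_each` requests in a short burst.

    `source_addresses` holds the address the server sees for each workstation,
    so workstations behind one NAT router all carry the same entry."""
    rejected = 0
    for burst in range(requests_each):
        for ip in source_addresses:
            if throttle.handle(ip, now=burst * 0.01) == 403:
                rejected += 1
    return rejected


WORKSTATIONS = 25   # constructed headquarters size
BEHIND_NAT = ["203.0.113.10"] * WORKSTATIONS                       # one shared IPv4
OWN_IPV6 = [f"2001:db8:1::{n:x}" for n in range(1, WORKSTATIONS + 1)]

if __name__ == "__main__":
    print("403s behind NAT:", count_rejections(BEHIND_NAT, 5, PerClientThrottle(60, 10)))
    print("403s with IPv6: ", count_rejections(OWN_IPV6, 5, PerClientThrottle(60, 10)))
```
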

Disclaimer

Please note that while the above advice, when properly followed and implemented, will drastically reduce the opportunity for a data breach, it is not a guarantee. AngelTrack LLC accepts no liability nor responsibility that occurs from any breach that is the result of an agency's, or an agency's employees', actions. The above does not constitute legal advice, nor is it a substitute for a cybersecurity or HIPAA compliance audit.

None of AngelTrack's security features can protect you against the possibility of long-term sabotage by a determined rogue employee. For that reason, and for all the reasons we cannot think of, AngelTrack LLC recommends you take advantage of AngelTrack's many data export facilities to regularly download copies of your data. Archive the copies in a private data preservation service to which only highly trusted employees have access. Remember that you could be liable to provide this data to HHS at any point in the future, even if you no longer own your business.