
Digital Transformations Carry Cybersecurity Concerns

Tom Egan – 10/11/2018

Cybercrime is an ever-evolving epidemic. Pharmaceutical companies face threats like phishing emails that pose as mail from reputable companies as well as malware and insider hacking. Some attackers will encrypt files and ask for a ransom to decrypt them, but not all cybersecurity threats are financially motivated; some hackers instead seek proprietary information like product formulas. Cybersecurity threats can cause major business problems, creating discontent among customers or outright errors in the flow of their products or services in the supply chain.

The proliferation of cyberattacks on major U.S.-based pharmaceutical manufacturers underscores the importance of taking a holistic approach to cybersecurity. In the first quarter of 2017, cyberattacks directed at private healthcare organizations outstripped those against public organizations.[1] The theft of intellectual property, as well as disruption of operations stemming from hackers, is of extreme concern to companies throughout the healthcare sector. The more digitized the manufacturing process becomes, the greater the potential for an attack if a manufacturer is not able to assure security measures on their identified assets, define and enforce who can access assets, and equip themselves and reputable third parties beyond the organization with professional monitoring.

Identifying Valuable Assets and Setting Restrictions

As cyberattacks become stealthier, more sophisticated, and more impactful, it is critical for brand owners and manufacturers to implement a layered approach to security and put up as many hurdles as possible for potential intruders. The first step is identifying the company’s most valuable digitized assets. The company should identify and locate its “crown jewels,” and determine what the firm is obligated to protect from a regulatory perspective.[2]

PMMI, The Association for Packaging and Processing Technologies, helps equip members with the knowledge to navigate the global marketplace through the OpX Leadership Network. There is an expanding need to monitor events in the network and in the business and to make sure that there is a buffer between suppliers and companies. This is especially important now that many pharmaceutical companies outsource their packaging operations.

Restricting access to important data to only those who are required to have it is another key action. Cybersecurity starts with people. There is a need for both constant training and reinforcement of that training for everyone working with electronics. While people are a company’s greatest asset, they can also constitute a company’s biggest vulnerability. Any time data interacts with the outside, it becomes a point of concern. Both outsiders and internal groups should have secure systems and understand how to use them.

Companies should also recognize the vulnerability that comes with allowing a PC maintained by a service provider/OEM to connect to their systems. To resist attacks stemming from this practice, consumer packaged goods (CPG) companies have begun to mandate that service engineers can only use PCs belonging to the customer on the customer’s network.

Internal Challenges

Profit is not the motivation of all hackers. Some are simply looking for challenges and will play around in networks to see what they can find, and others are former or disgruntled employees seeking revenge.[3] Adopting a coordinated practice to teach staff how to safely and properly maneuver digitally, and implementing policies for handling sensitive information, represent best practices for limiting vulnerability and preventing attacks.

Pharmaceutical giant Merck & Co was hit by a massive cyberattack in June 2017, just a few weeks after a senior executive at the firm discussed the pharmaceutical sector’s vulnerability at a U.S. government committee meeting, pointing to more than a million health records exposed by breaches in recent years. The attack had an impact on Merck’s ability to supply its human papillomavirus (HPV) vaccine Gardasil, used to prevent cervical and related cancers.[4] Implementing remediation measures in the wake of the attack cost around $175 million, pegging back the company’s gross margin in the third quarter of 2017, and forced Merck to borrow $240 million worth of Gardasil from U.S. government stockpiles. The event led to a disruption of its worldwide operations, including manufacturing, research, and sales operations, and affected both final product and active pharmaceutical ingredient manufacturing.

Looking Outside for Trained Resources

To avoid cyberattacks like the one that afflicted Merck, pharmaceutical manufacturers should employ tools that detect trouble beyond traditional security measures such as firewalls, access authentication, and anti-virus tools. Businesses should allocate security budget towards advanced intrusion detection systems that can reliably detect an ongoing intrusion and alert security.[1] Exploring these practices will reduce the chances of an attack, or at the very least, alleviate impact in the event of one.

Pre-selecting a specialized vendor to assist in incident response and recovery is recommended. Working with a cyber incident vendor to install sound logging practices and other measures will facilitate both forensic analysis and risk mitigation. This will position the firm to respond quickly to an attack, ascertain what happened and, to the extent possible, limit the harm done.

There is a booming industry of businesses that offer solutions across all ranges of data sources to help organizations mitigate digital risk. Often, cybersecurity threats and risks span data sources and cannot be detected in full context by any one-point solution or even by multiple solutions used in isolation. Additionally, monitoring social media for mentions of your company can help you determine if you have been or may be targeted, so you can proactively strengthen defenses.[2]

Find Solutions at Healthcare Packaging EXPO

As the pharmaceutical industry seeks new, advanced cybersecurity measures, PMMI’s OpX Leadership Network is developing a work product that guides OEMs working with CPGs to provide remote access in as secure a fashion as possible. The OpX Leadership Network is a catalyst for transformative solutions that improve operational excellence in today’s “do more with less, faster” environment. As companies struggle to add more security layers, OpX Leadership Network professionals can help outline the ways OEMs and customers can interface to keep their equipment operating without suffering problems associated with cyberattacks.

Pharmaceutical companies seeking the latest cybersecurity solutions can visit the PMMI-produced Healthcare Packaging EXPO, co-located with PACK EXPO International 2018 (Oct. 14-17; McCormick Place, Chicago). Healthcare Packaging EXPO provides access to a wide range of pharmaceutical and packaging technologies and offers real-world examples of how to deal with cybersecurity. Healthcare Packaging EXPO will showcase 300 exhibitors in one place from markets ranging from pharmaceuticals, biologics, and nutraceuticals to medical devices.

In addition to packaging solutions, the event will feature serialization insights and solutions in track-and-trace, automation and continuous processing, advanced automation, sensor-enhanced packaging, blockchain technology, and more.

For more information about PACK EXPO International and Healthcare Packaging EXPO visit packexpointernational.com or hcpechicago.com.

References

[1] https://www2.deloitte.com/jp/en/pages/life-sciences-and-healthcare/articles/ls/cyber-security-ls.html

[2] https://www.securityweek.com/latest-strains-attacks-pharmaceutical-and-healthcare-sector

[3] https://www2.deloitte.com/jp/en/pages/life-sciences-and-healthcare/articles/ls/cyber-security-ls.html

[4] https://www.securingindustry.com/pharmaceuticals/cyber-attack-cost-merck-135m-in-lost-sales/s40/a6045/#.W1oq_VBKiUk

[5] https://www2.deloitte.com/jp/en/pages/life-sciences-and-healthcare/articles/ls/cyber-security-ls.html

[6] https://www.securityweek.com/latest-strains-attacks-pharmaceutical-and-healthcare-sector

About the Author

Tom Egan is Vice President of Industry Services at PMMI, The Association for Packaging and Processing Technologies.

Content retrieved from: https://www.rdmag.com/article/2018/10/digital-transformations-carry-cybersecurity-concerns.

Apple denies cybersecurity breach to Congress

By Ali Breland – 10/08/18 11:03 AM EDT

Apple’s top security employee told Congress on Monday that it has not found anything to suggest that its systems were compromised through a sophisticated breach of its supply chain.

George Stathakopoulos, the company’s vice president of information security, wrote in a letter to the Senate Commerce and House Energy and Commerce committees that Apple had conducted multiple investigations and not found evidence of the cybersecurity breaches detailed in a story published by Bloomberg Businessweek last week.

“We are eager to share the facts in this matter because, were this story true, it would rightly raise grave concerns,” Stathakopoulos wrote in his letter.

The article reported that chips manufactured by Super Micro had been compromised by the Chinese government, which installed small chips, slightly larger than a grain of rice, onto motherboards which were sold to other companies including those with U.S. government contracts and Apple and Amazon.

Amazon has also denied the veracity of Bloomberg Businessweek’s report.

Apple said that it had conducted internal investigations on the claims in the Bloomberg report, but said that the most important points of the story were false.

“In the end, our internal investigations directly contradict every consequential assertion made in the article,” Stathakopoulos wrote.

“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” he continued. “We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.”

Apple has also denied the report in a public statement, as well as a statement to Bloomberg Businessweek.

Its denial to Congress follows the top British cyber agency supporting it and Amazon’s claims that it did not have evidence of such an attack occurring.

Content retrieved from: https://thehill.com/policy/technology/410392-apple-denies-cybersecurity-breach-to-congress.

Cybersecurity Is Not a Job for Humans

By Chris Wiltz – October 04, 2018

Keeping our networks secure from hackers is becoming too big a job for humans. The increasing complexity of networks, much of which is coming hand-in-hand with the expansion of the IoT—not to mention a dearth of available talent—is only pointing to one conclusion: Attacks and security breaches will only get more severe as more devices and data are brought online.

Just this month, Facebook fell victim to a network attack that exposed the personal information of 50 million of its users. The same week as the Facebook breach, ridesharing company Uber was fined $148 million for failing to disclose a 2016 breach that exposed personal data, including driver’s license information, for roughly 600,000 of Uber’s drivers as well as information on 57 million Uber mobile app users. Uber tried to cover up the breach and paid the hackers a $100,000 ransom in 2017 for the stolen data to be destroyed.

Regarding the Uber hack, Ankur Laroia, a security data management expert and strategy solutions leader at Alfresco (an enterprise software company), told Design News that breaches of this level are going to become the new normal and will also be very costly. A recent study by the Ponemon Institute, commissioned by IBM, estimated the average cost of a data breach to be $3.86 million in 2018—a 6.4 percent increase from 2017.

“Securing applications as well as computing infrastructure is a shared responsibility between those that make, deploy, and maintain these systems,” Laroia said. “Over time, our ability to remain vigilant has waned, and our attention to keeping our house tidy and in order has also dwindled significantly. We must do more than secure the firewall; we have to properly identify, tag, and curate information and ultimately dispose of it when it isn’t of value or per statutes.”

An AI Arms Race

“Why is it so relatively easy to hack both low- and high-end enterprises?” asked Adi Ashkenazy, VP of product at XM Cyber, an Israeli cybersecurity company. “It’s because it’s really, really hard to understand your existing security culture. What are the existing potential attack paths toward your critical assets?”

XM Cyber is among a number of companies leveraging a new tool in the battle over cybersecurity: artificial intelligence. HaXM, a simulation platform developed by XM Cyber, uses AI bots to continuously simulate network attacks and also provide actions and remediations against security holes and exploits.

Speaking with Design News, Ashkenazy said the sophistication of today’s systems is making cybersecurity too arduous a task for humans to manage alone. “If you look at a modern enterprise, you’re talking hundreds or thousands of endpoints in the cloud and otherwise,” he said. “As a defender, you’re expected to keep track of all of this—checking for needed patches, vulnerabilities, and even human mistakes. And you realize this is not a task for a human being.”

Ashkenazy is not alone in this assessment. UK startup Darktrace uses a machine learning solution to monitor devices and users on networks, learning and seeking out normal and suspicious activity and acting accordingly. In a recent interview with Bloomberg, Nicole Eagan, CEO of Darktrace, talked about the growing need for sophisticated AI tools to counteract similar measures being taken by hackers themselves, where organized cyber crime rings are beginning to use AI algorithms in cyberattacks. “This is fast becoming a war of algorithms—it’s going to be machine learning against machine learning; AI against AI,” Eagan told Bloomberg.

Companies like San Jose-based SafeRide are leveraging AI specifically for securing connected and autonomous vehicles. The company’s vSentry product suite for private and fleet vehicles uses AI to monitor both in-vehicle systems as well as connected vehicle networks for malicious activity. In June of this year, SafeRide announced a partnership with Singapore-based ST Engineering to integrate vSentry into ST Engineering’s hardware platforms for electric and autonomous vehicles.

XM Cyber’s Ashkenazy believes it’s important for companies to adopt AI tools now—before they become even more widely available to hackers. “The way I look at this is hackers, at the end of the day, have limited resources and are economically constrained. So they’re trying to be cost effective with what they do. Hackers do not have a marketing department…They will use anything and everything as long as it makes economic sense,” he said. “The use of AI will start making sense when we have a large number of AI-based security controls that will need to be defeated. If you’re a hacker today, do you really have to defeat that many controls based on AI? Not really.”

The Human Condition

Ashkenazy continued, “Unfortunately, sometimes you can trust a machine. Human mistakes result in networks being compromised. And this will be an area where machines will replace humans quite fast.”

A typical cybersecurity simulation will involve humans working in two teams: a “red team” tasked with attacking a network, and a “blue team” charged with stopping the red team and plugging any security holes. “If you’re a manufacturing company working with 300 suppliers, you may be concerned about a supply chain attack, for example,” Ashkenazy said. “What happens if someone starts at the server, where suppliers are connecting? Can they reach critical assets, such as product designs and diagrams, from that point?”

Checking all of this can be grueling work. And when both teams come from the same security company, it can even create unintentional human biases. One team may not want to make the other look too bad and thus miss out on fixing a critical issue.

XM Cyber’s solution is to let AI act as a “purple team:” a combination of both red and blue. “What we decided to do was build an automated hacking machine,” Ashkenazy said. “The goal for this machine is to be scalable enough to work in large environments—continuous and very safe for production environments…As it attacks, it’s collecting information. This results in a very tight list of issues that the blue team will be using to evolve its network.”

Every time a security control is added to a system, it also adds inherent risks since that system itself may have unknown vulnerabilities. This is where many see the most opportunity for AI. Similar to how AI is being touted for being able to take human workers out of repetitive, tedious factory work, it’s being credited as doing the same for cybersecurity experts—thus allowing them to focus on higher level functions and needs.

Of course, with any AI system, there’s always a matter of training. AI hasn’t evolved to the point where it can be creative enough to devise cyberattacks on its own. And for XM Cyber, this is where the human element should still come into play. Let cybersecurity experts discover clever attacks and let the AI go about the work of trying to implement them. Ashkenazy said the core of XM Cyber’s HaXM system is still an expert system with deep learning AI being used for niche activities like password guessing or trying to understand the value of a target. “We feed it manually through our research team with new categories and types of attacks,” he explained.

The day may never come when humans can be removed entirely from the cybersecurity equation. But as AI technologies become more widely accessible and affordable for benevolent and malicious parties alike, humans aren’t going to be able to win the battle alone.

“We’re not solving security. There’s no drop-the-mic moment where we’re done,” Ashkenazy said. “I don’t tell people to fire their entire red team. They use [AI] to help them concentrate on what they do best. Humans find new attacking methods and they feed it back into the machine. They keep finding new methods, and the machine scales it to the entire organization and checks it continuously so the humans don’t have to.”

Content retrieved from: https://www.designnews.com/electronics-test/cybersecurity-not-job-humans/86006162259563.

Cybersecurity tops ECRI’s list of Top 10 Health Technology Hazards

By Mike Miliard – October 03, 2018

The prospect of hackers gaining remote access to networked IT systems and connected medical devices raises concerns about serious safety risks.

ECRI Institute has published its annual Top 10 Health Technology Hazards for 2019, and cybersecurity is atop the list as the biggest risk to patient safety.

Researchers at ECRI say they’re concerned about software vulnerabilities that could allow hackers or cyber criminals to gain unauthorized remote access to hospitals’ networked IT systems and devices, disrupting operations, hindering care delivery and putting safety at risk.

WHY IT MATTERS

Cyber attacks on healthcare have been steadily increasing, even as defenses have been stalling. ECRI noted that it has published 50 alerts and problem reports related to cybersecurity in just the past 18 months.

With so many hospitals running legacy software, networked with vulnerable medical devices, security is no longer just about costly fines for HIPAA noncompliance or the embarrassment of publicized data breaches – it’s a critical patient safety issue.

ECRI’s list is meant to help health system decision-makers plan and prioritize their efforts – including technology strategies and investments – to protect patient safety.

WHAT IS THE TREND

The risks of hackers exploiting remote access to connected devices and systems “remain a significant threat to healthcare operations,” according to ECRI.

“Attacks can render devices or systems inoperative, degrade their performance, or expose or compromise the data they hold, all of which can severely hinder the delivery of patient care and put patients at risk,” researchers wrote. “Remote access systems are a common target because they are, by nature, publicly accessible.”

It’s little surprise to see it lead ECRI’s list of Top 10 Health Technology Hazards for 2019:

1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Operations

2. “Clean” Mattresses Can Ooze Body Fluids onto Patients

3. Retained Sponges Persist as a Surgical Complication Despite Manual Counts

4. Improperly Set Ventilator Alarms Put Patients at Risk for Hypoxic Brain Injury or Death

5. Mishandling Flexible Endoscopes after Disinfection Can Lead to Patient Infections

6. Confusing Dose Rate with Flow Rate Can Lead to Infusion Pump Medication Errors

7. Improper Customization of Physiologic Monitor Alarm Settings May Result in Missed Alarms

8. Injury Risk from Overhead Patient Lift Systems

9. Cleaning Fluid Seeping into Electrical Components Can Lead to Equipment Damage and Fires

10. Flawed Battery Charging Systems and Practices Can Affect Device Operation

ON THE RECORD

“The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations,” says David Jamison, executive director of ECRI’s Health Devices program, speaking of the list’s top cyber risk. “In critical situations, this could cause harm or death.”

Content retrieved from: https://www.healthcareitnews.com/news/cybersecurity-tops-ecris-list-top-10-health-technology-hazards.

Business leaders expect suppliers to ensure they are cyber secure

Warwick Ashford – 9/24/2018

Some 31% of UK businesses would terminate contracts with suppliers whose negligence caused them to become a victim of cyber crime, according to a survey published by business internet service provider Beaming.

The research, conducted by consultancy Opinium, revealed that most UK business leaders polled believe their suppliers are obligated to ensure they do not expose them to unnecessary cyber security risks.

One in five (17%) would take legal action to recover financial losses incurred from a breach as a result of a supplier’s negligence, and a similar number (20%) would use the incident to negotiate a further discount. Just 3% of businesses said they would take no action.

The survey also showed that victims of cyber crime could find it more difficult to attract new customers, with 35% of the business leaders questioned saying they would not work with a supplier they thought would make them more vulnerable to cyber crime, while just over a quarter (27%) said they would avoid using a company that had been publicly associated with a major cyber security breach.

A quarter of those questioned said they would not work with companies that did not have a documented cyber security policy in place, a quarter said they would not work with a supplier that had not met any information security certifications, such as ISO27001 or Cyber Essentials, and one in five (19%) said they would avoid potential suppliers that had no cyber security insurance.

The research showed that small businesses are most at risk of damaging their reputation and business relationships by neglecting their cyber security obligations. Of the firms surveyed that employ between 10 and 49 people, just over half (51%) had a documented cyber security policy and one-third (38%) had insurance in place for breaches and data theft at the beginning of 2018.

Meanwhile, only half (51%) of businesses employing fewer than 10 people were using a network perimeter firewall to stop threats from reaching their systems, and just one in three (30%) had intrusion detection systems to spot malicious activities or cyber security policy violations.

Sonia Blizzard, managing director of Beaming, said cyber attackers often seek to infiltrate one organisation as a stepping stone to attack others.

“This research clearly shows that business leaders see cyber security as a shared responsibility,” she said. “Businesses that neglect to take the steps necessary to protect themselves and their partners could find that a single breach could irreparably damage their hard-earned reputations and relationships.”

According to Blizzard, consideration of risk must extend beyond businesses’ own boundaries to incorporate customers, partners and other organisations they come into contact with.

“Rather than simply guarding what is ours, we need a cyber security culture that means we all look out for those we do business with too,” she said. “If enough businesses are well secured, the ability for denial of service attacks, viruses and other attacks to spread will be greatly diminished.”

Content retrieved from: https://www.computerweekly.com/news/252449149/Business-leaders-expect-suppliers-to-ensure-they-are-cyber-secure.

Cybersecurity Specialist: Kirstjen Nielsen Wasn’t Overstating Cyber Threat

By Elizabeth Dohms – 9/11/2018

United States Homeland Security Director Kirstjen Nielsen’s Sept. 5th comments that the risk from cyber threats to the U.S. is greater than the potential for a physical attack aren’t an overstatement, said the leader of a cybersecurity research nonprofit.

Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, told Rob Ferrett on WPR’s “Central Time” that a sophisticated cyber attack on the U.S. would be eclipsed in damage only by a nuclear attack. He pressed that while systems are generally secure now, any advancement by terrorist organizations poses significant risks for the nation’s infrastructure systems.

This interview has been edited for brevity and clarity.

RF: I think a lot of people might think of a cyberattack as an abstract thing, but how could it manifest itself in such a serious way?

SB: Pretty much everything these days is run by computers. If you think of any industry that we depend on all the time — electricity, oil and gas, banking and railroads — it’s all run by computers. A really sophisticated cyberattack would be like putting an enemy agent in charge of the computers that run all those things.

Imagine the damage you could do if you could control all the railroad switches and signals, direct the trains at any speed you wanted to crash into each other, arrange the crashes to take place on tunnels and bridges, control all the pressures and temperatures at an oil refinery. Pretty much all of these critical infrastructures could be physically destroyed by cyberattacks.

RF: Have we paid enough attention to security when computerizing these key infrastructures? 

SB: Actually, the cybersecurity of our critical industries is pretty good, otherwise horrible things like the kind I just described would have already taken place. The problem is we are staying ahead of the attackers, but the margin here isn’t all that great. If the attackers suddenly have a surge in creativity and increase their capabilities, or if the capabilities that are currently held by Russia and China and major nation states spread to terrorist organizations, suddenly that safety margin disappears altogether and we become just enormously vulnerable.

RF: Gen. David Petraeus co-wrote an op-ed saying we need a full-scale cyber force. What do you think of that? 

SB: We have a military cyber force already. The proposal is to have a separate agency focused on cybersecurity. In principle, that’s a very good idea. In fact, in principle, I think that should be a cabinet-level job and that should be an entirely separate major department of government.

In practice, I’m not sure if this is such a good idea because there’s so little understanding on the part of politicians and senior people in Washington — so little understanding of cyberattacks.

RF: What should people know about the basic elements of cybersecurity issues?

SB: People, especially politicians, don’t appreciate the full range of cyberattacks.

Some years ago, people thought a cyberattack was a mass disruption — a virus shutting down lots of servers. Now they seem to think a cyberattack is stealing personal account information. They’re forgetting that any time you’re interfering with the proper functioning of systems, that’s a cyberattack. That means if you’re falsifying IP addresses, if you’re making it look like communications are coming from different sources than they are, if you’re putting up false identities all over the place and often running them by bots, that’s a cyberattack.

The Russians and the Chinese understand this. They’re mounting coordinated cyber campaigns that are manipulating our media, manipulating global information flows and coordinating that with criminal cyberattacks all at once. America’s mostly functioning like a blind man here, like someone with tunnel vision.

RF: One theme I keep reading about is that we have a talent or recruitment problem in bringing people into government with in-demand cyber-security skills. Is that something you’re seeing?

SB: Yes. People who get degrees in computer science often have never had a course in cybersecurity. They don’t know about secure coding. They don’t know how to produce software that has basic security features. So this is a real crisis. One of the things that would help is if we could just get the word out how much you’re paid if you have a solid degree in computer science and a specialty in cybersecurity.

We really need people who are using this technology all the time to drive things forward because the politicians are mostly not up to it.

One of the big stumbling blocks here is that most politicians don’t really know much about cybersecurity or information technology. An ordinary citizen comes home from work and they check their email if they haven’t already checked it on their smartphone on the way home. They stream videos, they web surf, they manage their photographs, they know what a JPG is. They manage their music. They know what an MP3 is. Politicians generally don’t know what a JPG or an MP3 is. Politicians generally don’t even do their own email.

RF: What are you most concerned about in 2018?

SB: I’m most worried about the way the Russians and the Chinese are coordinating cyberattacks at a level that America is mostly oblivious to. Let me give an example. Russian-organized cyber crime is able to survive without being prosecuted or extradited because they keep the Russian government happy. One of the ways they do this is by coordinating their criminal cyberattacks with Russian foreign policy.

Even if an attack is an attempt to steal money using computers, if it’s coming out of Russia or China or actually a number of other countries it’s part of a national agenda. America isn’t even recognizing that this is going on. Nobody’s talking about it.

Content retrieved from: https://www.wpr.org/cybersecurity-specialist-kirstjen-nielsen-wasnt-overstating-cyber-threat.

Who is responsible for cyber security in the enterprise?

By Nick Ismail – 10 September 2018

‘Money alone won’t save a company; the organisational co-operation must match budget, otherwise security maturity and efficacy will not change’

Different organisations place the responsibility of cyber security at the feet of different roles. This depends on the type of organisation, its culture and size.

This idea is confirmed by a Global Economist Intelligence Unit survey, sponsored by Willis Towers Watson, which found that there is a variety of approaches on how leadership implements cyber resiliency across their organisations.

Stronger communication and collaboration is needed across all various cyber security functions and practices, including between the board and the CTO or CISO.

The cyber security responsibility

With the increase of more stringent data regulations – like GDPR and California Consumer Privacy Act – and the widespread media coverage of data breaches, the impetus on cyber security has never been so high. Poor security practice will now inevitably lead to a breach, which will in turn cause financial loss and reputational damage. Corporate heads will also roll.

The problem is that the majority of executives around the world feel they face a “specialist-generalist” dilemma as to who leads on cyber resiliency, according to the survey from Willis Towers Watson. This is because the challenge of security is company-wide, but whoever is in charge of it needs specific, up-to-date cyber training. Are these business-focused, cyber-savvy, “specialist-generalist” individuals in short supply?

Ultimately, there is a huge disparity across organisations as to who should be responsible for cyber security. The survey of over 450 companies found that almost 40% of executives felt that the board should oversee cyber, compared with 24% who felt it should be the role of a specialised cyber committee. This would presumably be overseen by the CTO or CISO. A small portion of respondents surveyed believed it should be the responsibility of audit, risk or some other subgroup.

“When you dig into the details of a breach you will find warnings from the information security team well before the problem is finally exposed,” said Stephen Moore, Chief Security Strategist at Exabeam. “Most of these warnings are ignored. The real question is why is that?”

“It’s often said that security is everyone’s responsibility and academically the CISO has the authority, both are lies. Organisationally, we should worry less about responsibility and more about barriers to success. The responsible owner is the person or team who can best enact the qualified recommendations of the security team. Often the threat isn’t the adversary, it’s the lack of internal support, warnings being buried, and even the fear of outages that creates the conditions for failure.”

“Recommendations should be tied to observable failures to prevent, detect, or disrupt attacks – not things like workbook-based audit findings. The ownership and delivery of cyber security in an organisation must be owned outside of the IT department.”

Tim Brown, VP of Security at SolarWinds MSP, agreed and said that cyber security isn’t the responsibility of one department. Security needs to be built into how a business operates.

“From finance, to HR, to marketing, to operations – everyone needs to be a good cyber steward. It’s really all hands on deck to make sure the entire organisation is adhering to the right protocols, practicing good cyberhygiene, and understanding how their specific job plays into the cyber landscape.”

Cyber security challenge

The main challenge, hindering the decision of who is responsible for cyber security, is a lack of communication within leadership roles.

Alarmingly, or perhaps unfairly, only 8% of executives said that their CISO or equivalent performs above average in communicating the financial, workforce, reputational or personal consequences of cyber threats. At the same time, under 15% of executives gave their CISOs or equivalent a top rating from a scale of one to ten.

“It is no surprise that one of the main challenges companies face when implementing a cyber risk mitigation or resiliency plan is the communication gap between the board and the CISO,” said Anthony Dagostino, global head of cyber risk with Willis Towers Watson.

“Cyber resiliency starts with the board because they understand risk and can help their organizations set the appropriate strategy to effectively mitigate that risk. However, while CISOs are security specialists, most of them still struggle with adequately translating security threats into operational and financial impact to their organisations – which is what boards want to understand.”

“To close this communication gap, CISOs [or CTOs] need tools that can help them quantify and translate the vulnerabilities uncovered from their cybersecurity maturity assessments. These tools enable them to better communicate the risk to the board, seek adequate budget, and enable the board to provide meaningful guidance.”

Cyber security budget

Enterprise security budgets depend on the size of the organisation and the type of industry they are a part of. In general, funds dedicated to security range between 3% and 15% of an IT budget.

“With enterprises, the budget is often shared across many different departments and the budget can be fairly significant depending on their specific needs,” said Brown.

“With affordable and scalable outsourcing options available through today’s managed service providers, security certainly doesn’t have to break the bank to be effective and even smaller businesses can ensure they’re doing these types of basics. Couple that with the idea that security should be viewed as a ubiquitous function of the organisation, and you’ve got a great foundation.”

More budget: Better security?

More budget doesn’t mean better security, according to Moore. “Money alone won’t save a company; the organisational co-operation must match budget, otherwise security maturity and efficacy will not change.”

“If placed within the IT organisation, information security will operate in a conflict of interests. Security requires reactive corrections to flawed environments. Corrections always come at an operational cost, often in the form of an outage. IT works on performance and availability, and cares little for security – especially if it erodes their two favourite metrics – often tied to their bonus dollars.”

Content retrieved from: https://www.information-age.com/responsible-cyber-security-enterprise-123474640/.

New Silence hacking group suspected of having ties to cyber-security industry

By Catalin Cimpanu for Zero Day – September 5, 2018 

At least one member of a newly uncovered cybercrime hacking group appears to be a former or current employee of a cyber-security company, according to a new report released today.

The report, published by Moscow-based cyber-security firm Group-IB, breaks down the activity of a previously unreported cyber-criminal group named Silence.

According to Group-IB, the group has spent the last three years mounting silent cyber-attacks on financial institutions in Russia and Eastern Europe.

The group went undetected for years, mainly because of its predisposition for using legitimate apps and tools already found on victims’ computers, in a tactic known as “living off the land.”

But Silence also created their own tools, such as:

  • Silence – a framework for infrastructure attacks;
  • Atmosphere – a set of software tools for attacks on ATMs;
  • Farse – a tool to obtain passwords from a compromised computer;
  • Cleaner – a tool for logs removal.

These tools, coupled with the group’s lay-low tactics, helped it go under the radar for far longer than many of its counterparts.

Following a year-long investigation into the group’s modus operandi, Group-IB says the group has been linked to hacks going as far back as 2016.

The first recorded hack attributed to Silence took place in July 2016. The hack was a failed attempt to withdraw money via the Russian inter-bank transaction system known as AWS CBR (Automated Work Station Client of the Russian Central Bank).

“Hackers gained access to the system, but the attack wasn’t successful due to improper preparation of the payment order. The bank’s employees suspended the transaction,” Group-IB explained in its report.

However, the bank’s remediation efforts weren’t up to par, and Silence regained access to the same bank’s network a month later, in August 2016. This time, they took another approach.

“[Silence] downloaded software to secretly take screenshots and proceeded to investigate the operator’s work via video stream. This time, the bank asked Group-IB to respond to the incident. The attack was stopped. However, the full log of the incident was unrecoverable, because in an attempt to clean the network, the bank’s IT team deleted the majority of the attacker’s traces,” Group-IB said.

But the Silence group didn’t stop after these initial clumsy hacking attempts. They did manage to hack into a bank and finally steal some money, more than a year later, in October 2017.

According to Group-IB, the group stopped attempting to wire money using the AWS CBR system and switched to targeting the bank’s ATM control systems, making ATMs spew out cash (known as jackpotting) at desired hours.

Investigators say that Silence stole over $100,000 during their first successful cyber-heist. Other hacks following the same pattern were later discovered and traced back to the Silence group in the following months, such as the theft of over $550,000 in February 2018, and another $150,000 in April 2018.

The group is nowhere near as successful as other criminal groups known to target financial institutions, such as Cobalt, Buhtrap, or MoneyTraper, all linked to multi-million dollar heists.

The reason, according to Group-IB experts, is that Silence is only a two-man operation – hence, they don’t have the same vast human resources to throw at their targets as other groups do.

This is the reason why it took them more than a year to develop the Atmosphere malware they used in the 2017 and later ATM money-dispensing attacks.

But it was when Group-IB researchers analyzed the group’s entire malware arsenal that they discovered that despite being a two-man group, Silence was actually pretty good at what it did.

Researchers say the group was very efficient at crafting spear-phishing emails. These spear-phishing emails used exploits for the following Windows and Office vulnerabilities: CVE-2017-0199, CVE-2017-11882+CVE-2018-0802, CVE-2017-0262, CVE-2017-0263, and CVE-2018-8174.

The exploits implanted the Silence modular malware framework on victims’ systems. The group would use locally installed tools for reconnaissance and lateral movement, and would only deploy Atmosphere when they knew they had infected the proper computer that ran ATM-specific software.

When needed, the group would also manually modify malware developed by other crooks, such as the Kikothac backdoor, the Smoke downloader, or the Undernet DDoS bot.

Group-IB says that these modifications to third-party malware are what led its researchers to conclude that at least one of the Silence group members used to work, or still works, in the cyber-security industry.

Group-IB codenamed the Silence group’s members as The Developer and The Operator. They say the former developed or modified all the group’s malware, while the latter was the one using them to infect banks and carry out the hacks.

The Developer, in particular, showed advanced knowledge of malware families and reverse engineering skills, but lacked the knowledge to write top-quality code from scratch – a typical trait of most security researchers, who spend most of their time reverse engineering other people’s code, rather than writing their own.

“It is obvious that the criminals responsible for these crimes were at some point active in the security community. Either as penetration testers or reverse engineers,” said Dmitry Volkov, Chief Technology Officer and Head of Threat Intelligence at Group-IB.

“[The Developer] knows exactly how to develop software, but he does not know how to program properly.”

As for Silence’s origin, Group-IB believes the two are based either in Russia or another Russian-speaking country.

“Group-IB experts concluded that Silence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan),” the Russian cyber-security firm said today in a press release.

“Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.”

Group-IB did not share the names of the hacked banks but only said that “successful attacks currently have been limited to the CIS and Eastern European countries,” although the group sent spear-phishing emails to banks all over the world.

Content retrieved from: https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/.

Cyber security training: Is it lacking in the enterprise?

Nick Ismail – 9/4/2018

As part of Information Age’s Cyber Security Month, we are looking at the importance of cyber security training and education in the enterprise

“The training that you may have received in the recent past is being replaced by new knowledge at a very fast pace. It is very hard to stay current”

The topic of cyber security is one of the most contentious and discussed subjects in the world; in the news, at conferences and in the boardroom. As cyber attacks continue to bombard businesses, public sector organisations and even critical infrastructure, effective cyber security represents the great challenge of the internet age.

Cyber attacks like WannaCry, NotPetya and the Equifax breach have gained almost myth-like status – thrusting the issue of cyber security into the public eye like never before. Crucially, attacks are not only impacting businesses, and their reputation and finances, but also affecting the average person. The potential danger to privacy, livelihoods and life itself, is only increasing as more data is generated and more devices are incorporated into every facet of society; from virtual assistants to pacemakers.

Focusing on the enterprise, cyber security should now be a consideration of every boardroom. But, how best to mitigate the threat?

Cyber threats represent the greatest challenge to overcome in the internet age.

Cyber security training

In Information Age’s latest cyber security best practice feature, it was clear that improved cyber security training and education were the most important factors to address in mitigating the cyber threat.

In the UK, for example, 88% of UK data breaches were caused by human error, and not direct cyber attacks, over the last two years. So, while it is necessary to employ technological solutions to detect malicious code and to help prevent it ever entering a network, improving cyber security training must be the priority. And, these initiatives should be led by the CTO.

“Cyber security training can be split into two categories,” according to Avishai Wool, the CTO and co-founder of AlgoSec – the security management firm.

1. General training of non-cyber staff

Everyone in an organisation who is connected to the internet should be given general cyber security training. This is “definitely lacking,” says Wool. As phishing scams – among others – surge, the untrained employee remains a constant risk to the security of their company.

The level of training needs to be improved, because currently “there is a poor understanding of the basics of the threat landscape,” according to Wool. “This is something that should be taught in elementary schools. When children learn how to use Excel, PowerPoint and Google, it makes sense for them also to be trained on basic safety rules, just like crossing the street.”

In order to reduce the cyber risk caused by human error, cyber security training should be mandatory in the enterprise for everyone who has access to the internet.

“Cyber security training hasn’t been done for most people in the workforce. I think it’s really important to do that kind of basic training just as we do any on-the-job training. Anybody who has a mobile, or is connected to the internet at home or at work has to know that there are cyber threats to worry about.”

2. People who work directly in cyber security

The cyber security experts within an organisation – the CISOs, the heads of IT security – “need specialised training, and lots of it,” says Wool. Worryingly, this is also lacking.

Wool believes this is more difficult to do, however, because the threat landscape and technologies are constantly changing. “The training that you may have received in the recent past is being replaced by new knowledge at a very fast pace. It is very hard to stay current.”

Avishai Wool, CTO and co-founder at AlgoSec, believes not enough cyber training is being done in the enterprise.

Cyber security training… it takes time

“A lot can be done and it can be effective, but it takes a very long time to put together,” explains Wool.

“Think: how long did it take the human race to figure out what needs to be done to make vehicle transportation reasonably safe. Think about sidewalks, zebra crossings, highway exit and entry ramps and so on. It took 100 years from the invention of the automobile to where we are now. When it comes to safety, we can always do better.”

The same is true of cyber security – it is improving, but truly effective systems will take time to be put in place. The problem is that as recently as 10 years ago, nobody knew that cyber security would arise as an issue. The internet and threats against it were still in a stage of relative infancy compared to today. As a result, “universities and training organisations didn’t teach anything about it. There wasn’t any obvious need,” says Wool.

The cyber security skills gap

The cyber skills gap is an issue that businesses, governments and universities are trying to resolve. The need for these skills is growing at a significant rate.

As the need for cyber security skills continues to rise, the people involved in protecting an organisation have had “to generate their own know-how since they had no formal training,” according to Wool.

“Because cyber challenges are growing at the speed of the internet, the gap remains.”

Combine this with the rapidly changing cyber threat landscape, and the challenge increases.

“Things that were the major concerns a few years ago, and the major tools we used then, are obsolete already. New threats require new tools, new procedures, new mitigations, making your previous knowledge less relevant.” Cyber security training, therefore, must be a continuous journey, with regular updates.

Here is an example: “It used to be common advice not to write down passwords. In order to remember, people used the same password for many products, computers, websites, bank accounts, etc. In 2018, that is a big mistake. Today, you should write down your passwords. Yes, there is a threat, but that threat is actually quite small. A password thief requires close proximity to the computer or notepad where the passwords are stored. On the other hand, if you do write your passwords down, you don’t have to rely on your memory. Today, we recommend different passwords for each service. There is no way for the human being to remember them all. The only way to do that is to write them down.”

The technology industry is facing a skills crisis as a whole. But, in particular, the cyber security industry is struggling to fill vacant positions.

Cyber education

Cyber security training at work should be a necessity for any enterprise wanting to reduce the threat to their business and their reputation.

This should be factored into budgets and be a priority for the decision-makers. However, more can be done, and it should start at school. “Education institutions need to develop special courses for cyber security training at all levels, training operators, technicians, etc,” says Wool. “Every Computer Science or Software Engineering degree should be accompanied by cybersecurity courses. Higher education needs to be involved.”

Even at the early stages of education, school children should be taught the rudiments of cyber safety. And we are seeing more of this, with subjects in coding being introduced to primary schools across different countries’ education systems.

“Cyber education cuts across the entire society.”

Vendor view

For AlgoSec, security is a business focus because it is a vendor in that space.

Wool notes that his customers’ concern with security functions is growing. “Now, there is more visibility and attention from senior management all the way up to the boardroom. I think the importance and focus on cyber security, network security and computer security is on the rise especially in major corporations and in companies that are prime targets for cybercrime. But also in other industries like retail, manufacturing, healthcare, education. Really, everywhere.”

“Today, cyber security is part of everyday business operations.”

Content retrieved from: https://www.information-age.com/cyber-security-training-123474550/.

Evolution of Cyber Security in Healthcare

Tripwire Guest Authors – Aug 29, 2018

In the healthcare industry, data sets are growing rapidly, both in volume and complexity, as the sources and types of data keep on multiplying.

As of now, 30 percent of the world’s information is estimated to be medical services data, and in the U.S., many hospitals collect over 100 data points per patient per day. This healthcare data remains the most valuable and highly sought-after resource that attackers are targeting.

The healthcare industry is one of the sectors at the highest cybersecurity risk. Take ransomware, for example. As per the 2017 Verizon Data Breach Investigations Report, ransomware rose to the 5th most common type of malware in 2017 from the 22nd most common in 2014. In 2016, due to Locky ransomware attacks, Los Angeles-based Hollywood Presbyterian Medical Center paid 40 bitcoins to regain access to its system.

And also in 2017, WannaCry and Petya both targeted systems that were running Windows operating systems by encrypting files and demanding bitcoin payment. This threat hit providers hard.

Ransomware is just one of many hurdles. Phishing attacks that compromise sensitive information from employees, as well as patients, can be similarly harmful to an enterprise.

To fight against these attacks, some cybersecurity solution providers have started to focus on the healthcare industry specifically.

Following HIPAA Guidelines to Secure Patients

HIPAA – short for Health Insurance Portability and Accountability Act – provides data privacy and security provisions for protecting patients’ private medical information from different threats. Cybersecurity experts play a vital role in helping care providers maintain network integrity, comply with HIPAA rules and protect patient confidentiality in a world that grows more connected every day.

The increasing threat posed by cybercriminals has prompted healthcare industries around the world to spend more on data security and look for highly qualified IT specialists. As the technology usage increases and the risk to patient data increases, the demand for cybersecurity specialists who have earned a graduate degree or higher will keep on rising.

As connectivity grows and devices such as telemedicine systems, wearables, smart beds and portals, the medical technologies that make up the Internet of Things (IoT), become more numerous day by day, the need for data security has never been greater. Today, to conform to HIPAA’s Privacy Rule, healthcare organizations must remove any data that can be used to identify patients from information shared for medical research or other reasons.

To do this, healthcare organizations use cybersecurity experts who ensure that commonly shared data is anonymous and encoded. Cybersecurity experts ensure that the data targeted by hackers remains protected and confidential. This process is very complex in the current situation, where scientists must analyze vast stores of data using big data technologies.

Raising Importance of Data Security

The size, rapid growth, and diversity of medical data make it a challenge for big data analysis. However, pioneers in the cybersecurity field have created standard accepted procedures for using big data resources to research medical data. The standards are imperative for securing the data coveted by cyber attackers.

Big data resources are also used for identifying and isolating network threats. The main objective of new technology tools is to secure the integrity of patient data.

Security program vendors use big data to analyze information about cyber attacks, for example to identify known threats and patterns that indicate malicious activity. Organizations additionally use advanced technologies like AI and machine learning to detect new and unknown attack strategies.

At this phase of evolution, organizations can’t get away from their reliance on data technology. The need to secure sensitive information will continue as long as this endures. Incredibly, according to one poll of more than 4,000 organizations, 70 percent of organizations don’t have an alternate course of action against cyber attacks.

The organizations reported that they have the resources to buy what is needed to secure their systems yet can’t find trained specialists to deploy the measures. This sort of industry feedback reinforces the fact that there’s a solid demand for highly trained cybersecurity experts.

Content retrieved from: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/evolution-of-cyber-security-in-healthcare/.

Healthcare Cybersecurity: How Providers Can Catch Up

By Axel Wirth – 8/24/2018

While cybersecurity threats continue to increase in healthcare, the sheer volume of attacks only represents one part of the challenge. Cybercriminals are applying their creative skills to devise novel ways to breach defenses through increasingly targeted and sophisticated attacks.

The rise of security incidents, such as the notorious ransomware WannaCry or the recent proliferation of cryptocurrency coin miners, is a timely reminder that not only is the volume of attacks increasing, their diversity is expanding, as well — and so is the risk of them disrupting care delivery.

For the healthcare industry, this shines a light on the larger transformation that’s occurring as organizations shift from a narrower, compliance- and HIPAA-focused approach to a more comprehensive and security-centric strategy.

Healthcare Attack Vectors Continue to Expand

Exploiting the software supply chain is a new tactic favored by cybercriminals — and one that is particularly dangerous for healthcare organizations, as this industry has a high degree of reliance on a network of partners. Attackers may choose a supply-chain-based attack when they are unable to breach the actual target organization, or when they want to target the larger industry via one of its key suppliers.

This type of backdoor attack is a significant threat for healthcare organizations, as hackers have a much broader base of possible breach points with which to work. Also, supply chain attacks may be able to stay under the radar as they come in via a trusted channel. These attacks typically take one of three forms:

  • A hacker may hijack a supplier’s domain and direct traffic to another, infected domain.
  • An attacker may attempt to directly compromise the software of a supplier. This is a particularly difficult attack to defend against, as once the software is infected it is signed with the manufacturer’s certificate, meaning any receiving systems checking for valid certificates may become exposed.
  • Attackers may also choose to target third-party hosting services. Websites associated with the host may become infected and spread that infection to other organizations along the supply chain.

Because healthcare has such high exposure to third-party services and business partnerships, it faces a high degree of exposure to these kinds of attacks.

Healthcare Industry Breach Trends in 2018

The U.S. Department of Health and Human Services requires that security breaches involving the data of more than 500 people be reported within 60 days of discovery. HHS investigates these breaches and posts them on the HHS OCR Breach Portal, providing useful data that can be analyzed to understand security trends in healthcare. According to the data, in 2017, the overall number of security breaches within the healthcare space rose by about 10 percent, which is largely in line with historic trends. The number of actual records breached, however, dropped significantly.

In terms of where these breaches are occurring, 90 percent of breached records were attributed to healthcare providers — meaning that, even though the absolute number of breaches has decreased, the proportion of breaches reported by providers is growing relative to health plans and business associates.

The industry’s approach to security is changing, though. A study conducted by HIMSS Analytics and Symantec revealed that:

  • Eighty-two percent of participating healthcare organizations said that cybersecurity policies are discussed at the boardroom level, yet only 40 percent said cybersecurity is a regularly scheduled item.
  • The top three drivers for cybersecurity investment among healthcare organizations are risk assessments, HIPAA compliance and security or financial audits.
  • Seventy-five percent of healthcare organizations are still spending six percent or less of their IT budgets on cybersecurity — a lower number than more security-mature industries, such as banking and finance.
  • Budget, staffing and skill set were the three most significant barriers preventing healthcare firms from achieving a higher level of security.

These results indicate that, while cybersecurity concerns are now being viewed as a strategic organizational priority, implementation is still being done in something of an ad hoc fashion. Healthcare organizations are increasingly understanding that cybersecurity must extend beyond mere HIPAA compliance. A strong security program should be nimble, but also broadly focused — a realization that is beginning to take root within the healthcare industry.

Medical Devices Pose Notable Security Risks

Medical devices are increasingly understood as an emerging cybersecurity risk, which makes them one of the more interesting security topics in the healthcare field. According to a recent Ponemon Institute study, 80 percent of device-makers and healthcare delivery organizations rate the level of difficulty in securing medical devices as very high. Meanwhile, 67 percent of device manufacturers and 56 percent of healthcare organizations are expecting a security breach of a device over the next 12 months.

The prospect of hackers taking control of medical devices or impacting their functionality is a frightening proposition. Malware infections from software installed on these devices could lead to inappropriate therapies or treatments being delivered to patients.

In addition to compromising patient safety, malware on medical devices can result in interruptions of care delivery, additional infections to the larger security network or other issues that could seriously impact the business of care delivery. Though the complexity of many medical devices and device networks makes cybersecurity an even greater challenge, the potential for serious risk to patient safety should make this an area of keen emphasis moving forward.

Healthcare Security Best Practices for Providers

The presence of skilled and highly active groups of malicious actors is a threat that must be taken seriously. Hospitals, prominent corporations and even city governments have fallen victim to sophisticated ransomware attacks in recent years. Instead of focusing primarily on HIPAA compliance, healthcare organizations must now confront pressing threats from organized collectives of cybercriminals, hackers for hire, and, possibly, nation states.

To help meet these significant challenges, healthcare organizations should:

  • View cybersecurity as a business risk rather than just a technical challenge.
  • Address security at the board level and do so on a regular basis.
  • Educate employees across the organization to be cyber aware and provide training according to their roles and responsibilities.
  • Focus on hiring and retaining qualified staff.
  • Create new roles, such as Medical Security Officer or Medical Device Security Specialist, to address specific security challenges.
  • Consider security implications when purchasing equipment.
  • Implement and test cybersecurity incident response protocols.

Organizations that incorporate steps such as these into their overall cybersecurity frameworks will be best positioned to successfully navigate the challenges that await.

With security threats increasing and becoming more diverse and dangerous in nature, cybersecurity has never been more challenging — or more critically important. In order to keep pace, healthcare organizations should focus on the steps outlined above. These practices will ultimately help develop a nimble, comprehensive and effective cybersecurity posture for the healthcare community.

Content retrieved from: https://healthtechmagazine.net/article/2018/08/healthcare-cybersecurity-how-providers-can-catch.

New Zealand to run national cyber security exercise

Beverley Head – 8/22/2018

New Zealand will run its first full-scale national cyber security exercise this November – almost a year after it was first scheduled.

The delay was prompted by the country’s 2017 change of government, according to Paul Blowers, chief information security officer for New Zealand Police and the orchestrator of the exercise which has been two years in the making.

Speaking at the Gartner security and risk management summit in Sydney, Blowers stressed the importance of national security tests, citing New Zealand’s broadcasting, communications and digital media minister Clare Curran, who warned that advanced cyber threats have the potential to cause NZ$640m of harm annually to New Zealand organisations of national significance.

According to Blowers, one of the goals of the exercise is to test the cyber resilience of New Zealand, and assess how well the multiple agencies involved with cyber security work together and communicate.

New Zealand is growing its investment in cyber security tools and services at a faster rate than Australia at present, according to Gartner.

The technology research firm said that worldwide cyber security spending will rise 12.4% this year to more than US$114bn. In Australia, growth will be a more moderate 6%, rising to 9.8% in 2019.

In New Zealand, security spending is expected to grow 9% this year to NZ$550m, followed by 9.9% in 2019.

Potential savings

Delegates at the summit were told that if they bake security into their systems early on, there are potential savings to be had.

Hadi Rahnama, head of cyber security for the Bank of Queensland, said any organisation embarking on digital transformation needs to ensure security receives proper attention from the get-go and apply a “defence in depth” strategy with multiple layers of protection and monitoring.

“When you start a digital journey, you need to consider cyber security in parallel – if you try to do it later it will cost you more and cost you more as a risk,” he said.

“We put a platform in with highly sensitive data, but could not implement secure transmission and got an exemption,” said Rahnama.

Although it would have cost A$500,000 to implement secure transmission at the start, he said it eventually cost the bank A$2m, noting that much of the money went into regression testing as a result of the delay.

Like Blowers, Rahnama is a big fan of security exercises and recommended that all organisations invest in penetration testing of their systems.

“We did our first ever exercise last year which came up with findings we could never imagine – it’s a bit costly, but you are going to get a lot of value about whether your system is secure or not. The result will be scary, but if you don’t do it someone will do it to you,” he said.

Penetration testing is one of the few security tasks that he believes should be outsourced to a third party.

However, Rahnama called for organisations to keep the most important functions in-house, such as analysing security logs where knowing the business context of whether an activity is normal or not is critical.

“We had a lot of our monitoring outsourced, but we struggled with it. It’s easier to have an in-house skill set,” he said.

In-house capability is particularly important for DevOps, where code needs to be assessed before it is deployed, but the process cannot be unnecessarily slowed, said Rahnama.

He also recommended that companies embracing DevOps have their security teams occasionally scour public source code repositories to see what developers have loaded, as there could be surprises and potential vulnerabilities.

Content retrieved from: https://www.computerweekly.com/news/252447200/New-Zealand-to-run-national-cyber-security-exercise.

Cybersecurity: States ramp up election protections ahead of midterms with $380 million in federal funds

Deborah Barfield Berry – Aug. 21, 2018

WASHINGTON – With just three months until the midterms, states are spending an infusion of federal money to hire experts, add layers of security and adopt paper trails to thwart cyberthreats to their election systems.

“There is no going back to the way things were,” said Rhode Island Secretary of State Nellie Gorbea, co-chair of the Elections Committee at the National Association of Secretaries of States. “We have to constantly be wary and face the facts that our elections are under threat at an international level. We have to safeguard our democracy.”

The federal Election Assistance Commission will release a report Tuesday highlighting what states and territories plan to do with the $380 million Congress approved earlier this year to help them protect against cyberthreats. USA TODAY got an advance copy of the report.

Nearly all the states and territories have received their share of the federal funds, ranging from $6 million for Alabama to $19 million for Florida.

States plan to use nearly 37 percent of the funds to improve cybersecurity and 28 percent to buy new voting equipment, according to the report.

“By and large you see very robust, very earnest plans around security and infrastructure improvement across the board,” said Mark Abbott, director of grants at the EAC.

Here are what some battleground states plan to do:

• Florida, which recently hired five cybersecurity experts, plans to use some of its $19 million to train local election officials on cybersecurity.

• Pennsylvania plans to use a chunk of its $13 million to upgrade its aging voting machines and add a paper record.

• Indiana wants to use some of its $7.5 million to test its voting equipment, including poll books, for vulnerabilities.

Abbott noted that Indiana proposed nine steps to harden its security, including voter registration security scans, email encryption and digital signatures.

“They already had some robust stuff going on around cyber, but with this plan and with input from their stakeholders they really amped it up,” he said. “I think it’s a good example of how serious states are taking the security posture of their systems.”

With the midterms looming, many states are using the funds to make changes quickly, including training staff, hiring cybersecurity experts and adding verification steps. They also plan to pay for post-election audits. Several states are upgrading or replacing voter registration systems.

Others plan to use the funds for long-term projects, including buying new voting machines.

Still, many state election officials say they need more money, said Thomas Hicks, the commission chairman.

“Wherever we go I hear from folks saying, ‘Thank you for this money. This is a great down payment, but we need additional resources,’” said Hicks, who recently met with local election officials in Mississippi and plans to go to Louisiana next week. “They were always preparing for 2018, but the additional funding helps them even more for 2018 and 2020 and beyond.”

Over the years, elections officials have faced challenges ranging from hanging chads to long lines and attempts by Russians to interfere in the 2016 elections.

Congressional lawmakers and security experts warn there may be more attempts ahead of the midterms.

Microsoft reported Tuesday it had uncovered Russian hackers targeting conservative think tanks.

Last month, President Donald Trump met with his National Security Council about election security. Trump pledged a “whole-of-government” effort to prevent foreign interference in U.S. elections after drawing criticism for not doing enough to protect America’s ballot boxes.

Congress also has been under pressure to do more, and in March approved the extra pot of money. So far, the EAC has disbursed nearly 96 percent of it to states.

The agency used a formula under the 2002 Help America Vote Act to determine each state’s portion. States had to provide a 5 percent match.

“We had strings attached to the money,” Abbott said. “You had to have (a) match, you had to spend it within five years (and) you can’t simply replace your money with ours.”

The EAC also prioritized security and infrastructure.

“People got that loud and clear,” said Abbott, adding that there was also a focus on improving access to the polls.

Even before the federal money came available, states had taken their own steps to protect election data by encrypting their systems and asking the Department of Homeland Security to check for vulnerabilities.

“They all take the cybersecurity threats seriously and are working hard to make sure that they’re prepared for 2018 and beyond,” said Amy Cohen, executive director of the nonpartisan National Association of State Election Directors. “Elections don’t stop after November.”

Cohen said state election directors feel more prepared now than in 2016 in part because of better information sharing between their agencies and DHS officials.

Despite those efforts, experts and state officials note that most elections are run at the local level where resources are limited.

Most local jurisdictions don’t have the resources to “battle something of this nature in a field that is very expensive,” said Gorbea, who called the recent round of federal funding a “start.”

“We really need to have consistent federal funding going forward to address cybersecurity and the threats that we’re facing as states,” she said. “There has been very little appetite to really include the ongoing support to address cyberthreats.”

Adam Ambrogi, director of the Election Program at the Democracy Fund, said a Senate committee is scheduled Wednesday to consider the “Secure Elections Act,” a bipartisan bill proposed by Sens. James Lankford, R-Okla., and Amy Klobuchar, D-Minn., that aims to address election security concerns by, among other things, requiring federal officials to share information about cyberthreats. But the legislation doesn’t include funding, he said.

“It’s really important that Congress steps up and provides a regular stream of funding for these risks. The states just don’t have the funds,” said Ambrogi. “It’s important that after we get through 2018 … that states have the capacity and knowledge to begin prepping for the 2020 presidential election.”

Content retrieved from: https://www.usatoday.com/story/news/politics/elections/2018/08/21/midterms-states-beef-up-cybersecurity-ahead-pivotal-vote/1047759002/.

6 reasons gamification improves cybersecurity training

By Michael Kassner – August 19, 2018

To no one’s surprise, end users continue to be the favorite target of cybercriminals. Verizon’s 2017 Data Breach Digest, the companion to its annual data breaches report, states that of the data-loss incidents studied, 90% involved phishing or the social engineering of end users. A July 2018 Cybersecurity Insiders report (PDF) concluded, once again, that more than 90% of the participating organizations felt vulnerable to insider malicious behavior or inadvertent errors by end users.

Some experts suggest attitude is a big reason why end users are targeted. “Some IT pros will say that training end users is a waste of time, as they [end users] will click through the training but not heed the warnings,” writes CompTIA product manager Stephen Schneiter, in his CompTIA.org article We Are All End Users: Cybersecurity Training as a Life Skill. “That end users are of the mindset that network security is someone else’s responsibility or that if antivirus software is running, they are protected, or that really, there is nothing of importance on my computer.”

Try a new approach to cybersecurity training

That seems harsh, and whether it’s true or not is irrelevant. Schneiter is more concerned about finding a solution. “There is another theory, however, one of which I am a proponent,” explains Schneiter. “It is the theory that end users on our networks are not the problem, but, in fact, our first and most important line of defense!”

To make this theory work, Schneiter suggests, first and foremost, training departments need to avoid what he calls “fire-hose training” where end users are inundated with what to do, and then sent back to their desks. “First, we need to evaluate the level of knowledge that users have about securing personal information and our network,” suggests Schneiter. “Training should include adult learning principles and participants’ prior learning experiences and engage the participants through structured activities. Include the participants in the planning to find out what they want to learn.”

Why gamification might be the answer

Engaging end users is especially of interest to Mark Stevens, senior vice-president of global services at Digital Guardian. “In addition to using traditional training methods, businesses are increasingly looking for other more immersive solutions,” writes Stevens in his SiliconRepublic article 6 top tips to make cybersecurity training more fun. “This is where gamification can play a role.”

Stevens continues:
“Gamification is the process of engaging people and changing behaviour using game mechanics in a non-game context. Essentially, it’s taking what’s fun about games and applying it to situations that aren’t much fun—like how to block the next hacker from infiltrating a company’s network.”
To make his point, Stevens offers the following reasons why gamification is a good idea.

1. Recognize positive cybersecurity behavior. Stevens is well aware that employees must be considered when determining what factors could affect a company’s cybersecurity posture. By using gamification, he suggests, employees can be rewarded when they abide by the rules, which in turn encourages good behavior.

2. Talk about data protection. Gamification, according to Stevens, will inspire open dialogue among employees when discussing how to properly handle sensitive data—important now that the General Data Protection Regulation (GDPR) is in place. Stevens adds, “Instead of the topic being boring or rogue, workers hopefully will talk about their achievements, challenges, or lessons learned.”

3. Increase the frequency of cybersecurity training. To be effective any training—in particular cybersecurity training—needs to occur on a regular basis. The fact that gamification can be automated is a huge plus, because it allows employees to work on their skills without interfering with normal business operations.

4. Engage employees. Friendly competition is one reason gaming is so popular. “Through friendly leader board competitions, end users are instantly engaged in the game—or training—at hand,” suggests Stevens. “This increases internal communication and creates new relationships, improving employee engagement across the board.”

5. Find cybersecurity talent. Gamification is already helping increase interest in cybersecurity. “Organisations such as Cyber Security Challenge have been trying to tackle the talent gap by hosting yearly competitions,” writes Stevens. “Winners are then offered lucrative job opportunities at large tech firms and government agencies who sponsor the challenges.”

6. Audit to measure effectiveness. Gamification becomes nothing but additional work and expense if it is not effective. Stevens feels that businesses should conduct cybersecurity audits on a regular basis to determine if security is improving.

How to convince managers about gamification for cybersecurity training

Ask any cybersecurity professional about the difficulty in getting funds for a project, and the person will likely have a story or two to tell. CompTIA’s Schneiter has an interesting idea that might help convince company management to invest in gamification:
“Professional development is something that organizations should be promoting with cybersecurity training. Everyone wants to gain more skills and succeed in their career, and cyber-training could be blended into a continuous training program.”

What about remote workers and cybersecurity?

Many sophisticated data breaches have started out by subverting an employee working from home or remotely. At-home or remote employees willing to apply security skills learned using gamification training can help eliminate a popular attack vector used by cybercriminals.

Content retrieved from: https://www.techrepublic.com/article/6-reasons-gamification-improves-cybersecurity-training/.

Hackers beware: These stealthy cybersecurity hunters speak your slang

By Steven Melendez – 8/17/2018

On a recent morning, Andrei Barysevich, director of advanced collection at cybersecurity firm Recorded Future, used a VPN and Tor connection to connect to an underground hacking forum.

The site, with posts in English and Russian, had a design similar to early-2000s web forums, but instead of fan fiction or thoughts on politics, users post offers to sell illegal goods like credit card numbers and security codes, forged shipping labels, and hosting for botnet operators. Some users on the forum even advertise that they’ll call banks or other companies on behalf of scammers, who may not speak their victims’ languages convincingly enough to impersonate them on the phone.

Barysevich and others at Recorded Future regularly visit such forums on the so-called dark web to gather information that can help their clients understand the digital threats against them.

Offers on such sites can also help discern which companies have been the target of hacks and breaches, and can help Recorded Future learn if online criminals are targeting specific industries—even if they haven’t been attacked yet. The approach works, Recorded Future says, because many hackers rely on dark web forums to sell the secrets they’ve stolen.

“They want to either steal stuff or make money—that’s what it comes down to,” says cofounder and CEO Christopher Ahlberg. “These guys have to go to the marketplace.”

Recorded Future, which was founded in 2009 and soon received funding from Google and the CIA-linked venture firm In-Q-Tel, made big news recently when it spotted a hacker selling training materials and other sensitive information about military drones through an underground forum. The documents weren’t classified, but in the wrong hands they could have helped U.S. adversaries learn about the operations and potential weaknesses of the planes. After Recorded Future reported the offering to the Department of Homeland Security, officials apparently fixed a security flaw that made it possible for the hackers to obtain the documents.

It’s not the first time Recorded Future has made national news for its watchdog efforts: In 2016, for instance, the company spotted a hacker selling access to U.S. Election Assistance Commission user accounts. And at any given moment, the firm is stumbling on lower-profile threats that don’t necessarily grab headlines. “There’s been many examples where we’ve found various sorts of hacking toolsets for attacking banks,” Ahlberg says. “They’re not going to get the same sort of PR.”

How They Do It

In general, Recorded Future uses automated systems to slurp in and sift through online posts, whether they’re news stories and blog posts or more transient content on text paste sites and forums commonly used by hackers. Other systems within the company use metadata about digital attacks themselves to spot trends in hacker behavior.

“We’ve built a model that will predict which will be the malicious IP addresses this week,” says Staffan Truve, cofounder and CTO. “You can actually preconfigure your IP firewalls.”

But Recorded Future also relies on a core group of human analysts who can understand the multiple languages and shifting slang of the hacker forums. In some cases, they can even convince forum sellers to engage with them in one-on-one chats about illicit data they have on offer or wrangle invitations to invite-only discussion venues. Some forums even offer escrow services to help their largely anonymous users transact business. And many hackers make connections on the forums then chat through other media, often using the decentralized and encrypted chat tool Jabber.

“You have to have some experience—you have to have some starting point,” says Barysevich. “If you just show up and say, ‘I’m a new guy,’ and no one knows you, and no one’s ever dealt with you, it’s very, very unlikely you’re going to get any intel or any useful information shared with you.”

The company occasionally does effectively “burn” an online identity, if hackers come to realize that talking to that particular forum user is likely what got their activities reported to authorities. The researchers also have to convince criminals that they’re trustworthy, all while staying within the confines of the law themselves and, of course, using digital safeguards like VPNs and virtual machines to keep their own systems safe.

“We are not allowed to commit crime,” Barysevich says. “We are good guys, but we have to pretend that we are bad guys.”

Barysevich and others on his team speak Russian, which he says is a serious advantage, as is knowing the idiosyncratic terms used by hackers on the forums. As other forums blossom in other languages, from French and German to Turkish and Brazilian Portuguese, the company is looking to further expand the number of employees fluent in some of those languages.

King And Country

Tracking nation state-backed hackers also has its own challenges, separate from tracking the hackers for hire and data sellers more commonly found on the dark web forums.

“The two types of actors that work for nations and cybercriminals just have completely different motivations, they have different communications strategy,” says Priscilla Moriuchi, Recorded Future’s director of strategic threat development, who joined the company after a stint at the National Security Agency.

Still, some of the techniques the company uses are the same: looking for attack metadata and published information that reveals the tactics and strategies of attackers, even indirectly. Earlier this year, the company reported that China’s National Vulnerability Database, which lists vulnerabilities in software, generally reports new bugs faster than its U.S. equivalent—except in some cases, in which, Recorded Future speculates, Chinese authorities are holding back bugs for their own spies to use. Bugs sometimes appear with one date in the database, despite not actually being published until a later point, according to the company.

And even government-funded hackers can still frequent hacker forums to purchase data, malware, and other tools, not too different from their private counterparts.

“The bad guys are, to a large extent, using the web to communicate,” says Truve. “They are very helpful.”

Content retrieved from: https://www.fastcompany.com/90216715/hackers-beware-these-stealthy-cybersecurity-hunters-speak-your-slang.

DEFCON HACKING CONFERENCE 2020

CYBER SECURITY IN THE NEW AGE

Originally started in 1993, it was meant to be a party for members of “Platinum Net”, a Fido protocol based hacking network out of Canada. As the main U.S. hub I was helping the Platinum Net organizer (I forget his name) plan a closing party for all the member BBS systems and their users. He was going to shut down the network when his dad took a new job and had to move away. We were talking about where we might hold it, when all of a sudden he left early and disappeared. I was just planning a party for a network that was shut down, except for my U.S. nodes. I decided what the hell, I’ll invite the members of all the other networks my BBS (A Dark Tangent System) system was a part of including Cyber Crime International (CCI), Hit Net, Tired of Protection (ToP), and like 8 others I can’t remember. Why not invite everyone on #hack? Good idea!

What We Do:

Government Cyber provides state-of-the-art, military grade cyber security solutions for municipal, state and federal government agencies as well as corporate clients.
